Abstract
The lack of agility in cyber defense gives adversaries a significant advantage for discovering cyber targets and planning their attacks in stealthy and undetectable manner. While it is very hard to detect or predict attacks, adversaries can always scan the network, learn about countermeasures, and develop new evasion techniques. Active Cyber Deception (ACD) has emerged as effective means to reverse this asymmetry in cyber warfare by dynamically orchestrating the cyber deception environment to mislead attackers and corrupting their decision-making process. However, developing an efficient active deception environment usually requires human intelligence and analysis to characterize the attackers’ behaviors (e.g., malware actions). This manual process significantly limits the capability of cyber deception to actively respond to new attacks (malware) and in a timely manner.
In this chapter, we present a new analytic framework and an implemented tool, called gExtractor, to analyze the malware behavior and automatically extract the deception parameters using symbolic execution in order to enable the automated creation of cyber deception plans. The deception parameters are environmental variables on which attackers depend to discover the target system and reach their goals; yet, they can be reconfigured and/or misrepresented by the defender in the cyber environment. Our gExtractor approach contributes to the scientific and system foundations of reasoning about autonomous cyber deception. Our prototype was developed based on customizing symbolic execution engine for analyzing Microsoft Windows malware. Our analysis of over fifty of recent malware instances shows that gExtractor has successfully identified various critical parameters that are effective for cyber deception.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Change history
01 February 2020
This book was inadvertently published as an authored work with the chapter authors mentioned in the footnotes of the chapter opening pages. This has now been updated and the chapter authors have been mentioned in the respective chapter opening pages as mentioned below:
References
E. Al-Shaer and M. A. Rahman. Attribution, temptation, and expectation: A formal framework for defense-by-deception in cyberwarfare. In Cyber Warfare, pages 57–80. Springer, 2015.
S. Antonatos, P. Akritidis, E. P. Markatos, and K. G. Anagnostakis. Defending against hitlist worms using network address space randomization. Computer Networks, 51(12):3471–3490, 2007.
F. Araujo, K. W. Hamlen, S. Biedermann, and S. Katzenbeisser. From patches to honey-patches: Lightweight attacker misdirection, deception, and disinformation. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, CCS ’14, pages 942–953, New York, NY, USA, 2014. ACM.
D. Balzarotti, M. Cova, C. Karlberger, C. Kruegel, E. Kirda, and G. Vigna. Efficient detection of split personalities in malware. In Proc of NDSS’10, 2010.
D. Brumley, C. Hartwig, Z. Liang, J. Newsome, P. Poosankam, D. Song, and H. Yin. Automatically identifying trigger-based behavior in malware. In W. Lee, C. Wang, and D. Dagon, editors, Botnet Analysis and Defense, volume 36, pages 65–88. Springer, 2008.
P. R. C. Song and W. Lee. Impeding automated malware analysis with environment-sensitive malware. In Proc. of HotSec’12, 2012.
V. Chipounov, V. Kuznetsov, and G. Candea. The s2e platform: Design, implementation, and applications. ACM Transactions on Computer Systems (TOCS), 30(1):2, 2012.
M. Christodorescu, S. Jha, and C. Kruegel. Mining specifications of malicious behavior. In Proceedings of the 6th Joint Meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on The Foundations of Software Engineering, ESEC-FSE ’07, pages 5–14, New York, NY, USA, 2007. ACM.
P. M. Comparetti, G. Salvaneschi, E. Kirda, C. Kolbitsch, C. Krugel, and S. Zanero. Identifying dormant functionality in malware programs. In Proc. of S&P’10, 2010.
O. E. David and N. S. Netanyahu. Deepsign: Deep learning for automatic malware signature generation and classification. In Neural Networks (IJCNN), 2015 International Joint Conference on, pages 1–8. IEEE, 2015.
N. Falliere. Windows anti-debug reference. https://www.symantec.com/connect/articles/windows-anti-debug-reference. [Online; accessed 04-February-2018].
S. F. H. Gillani, E. Al-Shaer, S. Lo, Q. Duan, M. Ammar, and Ellen Zegura. Agile virtualized infrastructure to proactively defend against cyber attacks. In Infocom, 2015.
H. Goldman, R. McQuaid, and J. Picciotto. Cyber resilience for mission assurance. In Technologies for Homeland Security (HST), 2011 IEEE International Conference on, pages 236–241. IEEE, 2011.
K. E. Heckman, F. J. Stech, R. K. Thomas, B. Schmoker, and A. W. Tsow. Cyber denial, deception and counter deception. Springer, 2015.
T. Jackson, B. Salamat, A. Homescu, K. Manivannan, G. Wagner, A. Gal, S. Brunthaler, C. Wimmer, and M. Franz. Compiler-generated software diversity. In Moving Target Defense, pages 77–98. Springer, 2011.
H. Jafarian, Q. Duan, and E. Al-Shaer. Effective address mutation approach for disrupting reconnaissance attacks. To appear in IEEE Transactions on Information Forensics and Security, 2016.
J. H. Jafarian, E. Al-Shaer, and Q. Duan. Formal approach for route agility against persistent attackers. In Computer Security - ESORICS 2013 - 18th European Symposium on Research in Computer Security, Egham, UK, September 9–13, 2013. Proceedings, pages 237–254, 2013.
J. H. Jafarian, E. Al-Shaer, and Q. Duan. An effective address mutation approach for disrupting reconnaissance attacks. IEEE Transactions on Information Forensics and Security, 10(12):2562–2577, Dec 2015.
S. Jajodia, A. K. Ghosh, V. Subrahmanian, V. Swarup, C. Wang, and X. S. Wang, editors. Moving Target Defense II - Application of Game Theory and Adversarial Modeling, volume 100 of Advances in Information Security. Springer, 2013.
M. G. Kang, S. McCamant, P. Poosankam, and D. Song. Dta++: dynamic taint analysis with targeted control-flow propagation. In NDSS, 2011.
A. Kaur. Dynamic honeypot construction. 2013.
C. Kolbitsch, P. M. Comparetti, C. Kruegel, E. Kirda, X. Zhou, and X. Wang. Effective and efficient malware detection at the end host. In Proc. of USENIX Security’09, 2009.
C. Kolbitsch, E. Kirda, and C. Kruegel. The power of procrastination: Detection and mitigation of execution-stalling malicious code. In Proc. of CCS’11, 2011.
C. Kolbitsch, B. Livshits, B. Zorn, and C. Seifert. Rozzle: De-cloaking internet malware. In Proc. of S&P’12, 2012.
S. Kyung, W. Han, N. Tiwari, V. H. Dixit, L. Srinivas, Z. Zhao, A. Doupé, and G.-J. Ahn. Honeyproxy: Design and implementation of next-generation honeynet via SDN. In IEEE Conference on Communications and Network Security (CNS), 2017.
M. L, C. K., and M.Paolo. Detecting Environment-Sensitive Malware. In Proc. of RAID’11, 2011.
K. Lab. Kaspersky security bulletin. overall statistics for 2017. https://securelist.com/ksb-overall-statistics-2017/83453/, 2017.
H. D. Macedo and T. Touili. Mining malware specifications through static reachability analysis. In Computer Security–ESORICS 2013, pages 517–535. Springer, 2013.
W. Maples. Disable windows scripting host (WSH).
A. Moser, C. Kruegel, and E. Kirda. Exploring Multiple Execution Paths for Malware Analysis. In Proc. of S&P’07, 2007.
F. Peng, Z. Deng, X. Zhang, D. Xu, Z. Lin, and Z. Su. X-force: Force-executing binary programs for security applications. In Proceedings of the 2014 USENIX Security Symposium, San Diego, CA, August 2014.
G. Portokalidis and A. D. Keromytis. Global ISR: Toward a comprehensive defense against unauthorized code execution. In Moving Target Defense, pages 49–76. Springer, 2011.
Y. Qiao, Y. Yang, J. He, C. Tang, and Z. Liu. CBM: Free, Automatic Malware Analysis Framework Using API Call Sequences, pages 225–236. Springer Berlin Heidelberg, Berlin, Heidelberg, 2014.
P. Saxena, P. Poosankam, S. McCamant, and D. Song. Loop-extended symbolic execution on binary programs. In Proceedings of the eighteenth international symposium on Software testing and analysis, pages 225–236. ACM, 2009.
M. K. Shankarapani, S. Ramamoorthy, R. S. Movva, and S. Mukkamala. Malware detection using assembly and API call sequences. J. Comput. Virol., 7(2):107–119, May 2011.
N. Soule, B. Simidchieva, F. Yaman, R. Watro, J. Loyall, M. Atighetchi, M. Carvalho, D. Last, D. Myers, and C. B. Flatley. Quantifying & minimizing attack surfaces containing moving target defenses.
J. Sun, K. Sun, and Q. Li. Cybermoat: Camouflaging critical server infrastructures with large scale decoy farms. In Communications and Network Security (CNS), 2017 IEEE Conference on, pages 1–9. IEEE, 2017.
P. Team. PaX address space layout randomization (ASLR). http://pax.grsecurity.net/docs/aslr.txt, 2015. [Online; accessed 10-Feburary-2017].
S. P. Team. Stratum mining protocol official documentation. https://slushpool.com/help/manual/stratum-protocol/, 2017.
J. Wilhelm and T. Chiueh. A forced sampled execution approach to kernel rootkit identification. In Proc. of RAID’07, 2007.
J. Xu, Z. Kalbarczyk, and R. K. Iyer. Transparent runtime randomization for security. In 22nd International Symposium on Reliable Distributed Systems, 2003. Proceedings., pages 260–269, Oct 2003.
Z. Xu, L. Chen, G. Gu, and C. Kruegel. PeerPress: Utilizing enemies’ p2p strength against them. In Proc. of CCS’12, 2012.
Z. Xu, J. Zhang, G. Gu, and Z. Lin. Goldeneye: Efficiently and effectively unveiling malware’s targeted environment. In Proceedings of the 17th International Symposium on Research in Attacks, Intrusions and Defenses (RAID’14), September 2014.
Y. Zhang, M. Li, K. Bai, M. Yu, and W. Zang. Incentive compatible moving target defense against VM-colocation attacks in clouds. In D. Gritzalis, S. Furnell, and M. Theoharidou, editors, Information Security and Privacy Research, volume 376 of IFIP Advances in Information and Communication Technology, pages 388–399. Springer Berlin Heidelberg, 2012.
Q. Zhu and T. Başar. Game-theoretic approach to feedback-driven multi-stage moving target defense. In Decision and Game Theory for Security, pages 246–263. Springer, 2013.
Q. Zhu, A. Clark, R. Poovendran, and T. Basar. Deceptive routing games. In Decision and Control (CDC), 2012 IEEE 51st Annual Conference on, pages 2704–2711. IEEE, 2012.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2019 Springer Nature Switzerland AG
About this chapter
Cite this chapter
Alsaleh, M.N., Wei, J., Al-Shaer, E., Ahmed, M. (2019). gExtractor: Automated Extraction of Malware Deception Parameters for Autonomous Cyber Deception. In: Al-Shaer, E., Wei, J., Hamlen, K., Wang, C. (eds) Autonomous Cyber Deception. Springer, Cham. https://doi.org/10.1007/978-3-030-02110-8_10
Download citation
DOI: https://doi.org/10.1007/978-3-030-02110-8_10
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-02109-2
Online ISBN: 978-3-030-02110-8
eBook Packages: Computer ScienceComputer Science (R0)