
Decepticon: A Hidden Markov Model Approach to Counter Advanced Persistent Threats

  • Conference paper
Secure Knowledge Management In Artificial Intelligence Era (SKM 2019)

Abstract

Deception has been proposed in the literature as an effective defense mechanism against Advanced Persistent Threats (APT). However, administering deception in a cost-effective manner requires a good understanding of the attack landscape. The attacks mounted by APT groups are highly diverse and sophisticated and can render traditional signature-based intrusion detection systems useless. This necessitates the development of behavior-oriented defense mechanisms. In this paper, we develop Decepticon (Deception-based countermeasure), a Hidden Markov Model (HMM) based framework in which indicators of compromise (IoC) serve as the observable features that aid detection. The framework helps select an appropriate deception script when faced with APTs or similar malware and triggers an appropriate defensive response. The effectiveness of the model and the associated framework is demonstrated by considering ransomware as the offending APT in a networked system.
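An added illustration (not the paper's own code or model parameters) of the idea in the abstract: a small HMM whose hidden states are phases of a ransomware intrusion and whose observations are IoC categories, with Viterbi decoding used to recover the likely phase and map it to a defensive response. Every state name, IoC symbol, probability value and response script below is a constructed assumption.

```python
"""Toy Decepticon-style HMM: IoC categories are the observed symbols, attack
phases are the hidden states. All parameters are constructed for illustration."""
import math

# Hidden states: constructed phases of a ransomware intrusion.
STATES = ["benign", "initial_access", "lateral_movement", "encryption"]

# Transition probabilities A[from][to] (constructed; each row sums to 1).
A = {
    "benign":           {"benign": 0.90, "initial_access": 0.10, "lateral_movement": 0.00, "encryption": 0.00},
    "initial_access":   {"benign": 0.10, "initial_access": 0.50, "lateral_movement": 0.40, "encryption": 0.00},
    "lateral_movement": {"benign": 0.05, "initial_access": 0.00, "lateral_movement": 0.55, "encryption": 0.40},
    "encryption":       {"benign": 0.00, "initial_access": 0.00, "lateral_movement": 0.10, "encryption": 0.90},
}
# Emission probabilities B[state][ioc_symbol] (constructed; each row sums to 1).
B = {
    "benign":           {"normal": 0.94, "phishing_attachment": 0.03, "smb_scan": 0.01, "mass_file_rename": 0.01, "c2_beacon": 0.01},
    "initial_access":   {"normal": 0.40, "phishing_attachment": 0.40, "smb_scan": 0.05, "mass_file_rename": 0.01, "c2_beacon": 0.14},
    "lateral_movement": {"normal": 0.30, "phishing_attachment": 0.02, "smb_scan": 0.50, "mass_file_rename": 0.03, "c2_beacon": 0.15},
    "encryption":       {"normal": 0.10, "phishing_attachment": 0.01, "smb_scan": 0.04, "mass_file_rename": 0.75, "c2_beacon": 0.10},
}
# Initial state distribution (constructed): a host almost always starts benign.
PI = {"benign": 0.97, "initial_access": 0.03, "lateral_movement": 0.0, "encryption": 0.0}

# Deception script chosen per decoded phase (constructed names, hypothetical).
RESPONSE = {"benign": None, "initial_access": "decoy_credentials",
            "lateral_movement": "honeypot_share", "encryption": "decoy_files_and_isolate"}


def viterbi(obs):
    """Return the most likely hidden phase sequence for an IoC observation sequence.
    Works in the log domain so long sequences do not underflow."""
    def lg(p):
        return math.log(p) if p > 0 else float("-inf")
    V = [{s: lg(PI[s]) + lg(B[s][obs[0]]) for s in STATES}]  # scores at t=0
    back = []                                                  # back-pointers per step
    for o in obs[1:]:
        col, ptr = {}, {}
        for s in STATES:
            prev, score = max(((p, V[-1][p] + lg(A[p][s])) for p in STATES), key=lambda x: x[1])
            col[s], ptr[s] = score + lg(B[s][o]), prev
        V.append(col)
        back.append(ptr)
    path = [max(STATES, key=lambda s: V[-1][s])]
    for ptr in reversed(back):                                 # follow pointers backwards
        path.append(ptr[path[-1]])
    return path[::-1]


def select_response(obs):
    """Decode the phase sequence and pick the deception script for the current phase."""
    path = viterbi(obs)
    return path, RESPONSE[path[-1]]
```
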



Acknowledgment

This research is supported in part by the National Science Foundation under Grant No. DGE – 1754085. Usual disclaimers apply.

Author information

Corresponding author: Rudra Prasad Baksi.


Copyright information

© 2020 Springer Nature Singapore Pte Ltd.

About this paper


Cite this paper

Baksi, R.P., Upadhyaya, S.J. (2020). Decepticon: A Hidden Markov Model Approach to Counter Advanced Persistent Threats. In: Sahay, S., Goel, N., Patil, V., Jadliwala, M. (eds) Secure Knowledge Management In Artificial Intelligence Era. SKM 2019. Communications in Computer and Information Science, vol 1186. Springer, Singapore. https://doi.org/10.1007/978-981-15-3817-9_3


  • DOI: https://doi.org/10.1007/978-981-15-3817-9_3


  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-15-3816-2

  • Online ISBN: 978-981-15-3817-9

  • eBook Packages: Computer Science (R0)
