gExtractor: Automated Extraction of Malware Deception Parameters for Autonomous Cyber Deception

  • Mohammed Noraden Alsaleh
  • Jinpeng WeiEmail author
  • Ehab Al-Shaer
  • Mohiuddin Ahmed


The lack of agility in cyber defense gives adversaries a significant advantage for discovering cyber targets and planning their attacks in stealthy and undetectable manner. While it is very hard to detect or predict attacks, adversaries can always scan the network, learn about countermeasures, and develop new evasion techniques. Active Cyber Deception (ACD) has emerged as effective means to reverse this asymmetry in cyber warfare by dynamically orchestrating the cyber deception environment to mislead attackers and corrupting their decision-making process. However, developing an efficient active deception environment usually requires human intelligence and analysis to characterize the attackers’ behaviors (e.g., malware actions). This manual process significantly limits the capability of cyber deception to actively respond to new attacks (malware) and in a timely manner.

In this chapter, we present a new analytic framework and an implemented tool, called gExtractor, to analyze the malware behavior and automatically extract the deception parameters using symbolic execution in order to enable the automated creation of cyber deception plans. The deception parameters are environmental variables on which attackers depend to discover the target system and reach their goals; yet, they can be reconfigured and/or misrepresented by the defender in the cyber environment. Our gExtractor approach contributes to the scientific and system foundations of reasoning about autonomous cyber deception. Our prototype was developed based on customizing symbolic execution engine for analyzing Microsoft Windows malware. Our analysis of over fifty of recent malware instances shows that gExtractor has successfully identified various critical parameters that are effective for cyber deception.


  1. 1.
    E. Al-Shaer and M. A. Rahman. Attribution, temptation, and expectation: A formal framework for defense-by-deception in cyberwarfare. In Cyber Warfare, pages 57–80. Springer, 2015.Google Scholar
  2. 2.
    S. Antonatos, P. Akritidis, E. P. Markatos, and K. G. Anagnostakis. Defending against hitlist worms using network address space randomization. Computer Networks, 51(12):3471–3490, 2007.CrossRefGoogle Scholar
  3. 3.
    F. Araujo, K. W. Hamlen, S. Biedermann, and S. Katzenbeisser. From patches to honey-patches: Lightweight attacker misdirection, deception, and disinformation. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, CCS ’14, pages 942–953, New York, NY, USA, 2014. ACM.Google Scholar
  4. 4.
    D. Balzarotti, M. Cova, C. Karlberger, C. Kruegel, E. Kirda, and G. Vigna. Efficient detection of split personalities in malware. In Proc of NDSS’10, 2010.Google Scholar
  5. 5.
    D. Brumley, C. Hartwig, Z. Liang, J. Newsome, P. Poosankam, D. Song, and H. Yin. Automatically identifying trigger-based behavior in malware. In W. Lee, C. Wang, and D. Dagon, editors, Botnet Analysis and Defense, volume 36, pages 65–88. Springer, 2008.Google Scholar
  6. 6.
    P. R. C. Song and W. Lee. Impeding automated malware analysis with environment-sensitive malware. In Proc. of HotSec’12, 2012.Google Scholar
  7. 7.
    V. Chipounov, V. Kuznetsov, and G. Candea. The s2e platform: Design, implementation, and applications. ACM Transactions on Computer Systems (TOCS), 30(1):2, 2012.CrossRefGoogle Scholar
  8. 8.
    M. Christodorescu, S. Jha, and C. Kruegel. Mining specifications of malicious behavior. In Proceedings of the 6th Joint Meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on The Foundations of Software Engineering, ESEC-FSE ’07, pages 5–14, New York, NY, USA, 2007. ACM.Google Scholar
  9. 9.
    P. M. Comparetti, G. Salvaneschi, E. Kirda, C. Kolbitsch, C. Krugel, and S. Zanero. Identifying dormant functionality in malware programs. In Proc. of S&P’10, 2010.Google Scholar
  10. 10.
    O. E. David and N. S. Netanyahu. Deepsign: Deep learning for automatic malware signature generation and classification. In Neural Networks (IJCNN), 2015 International Joint Conference on, pages 1–8. IEEE, 2015.Google Scholar
  11. 11.
    N. Falliere. Windows anti-debug reference. [Online; accessed 04-February-2018].
  12. 12.
    S. F. H. Gillani, E. Al-Shaer, S. Lo, Q. Duan, M. Ammar, and Ellen Zegura. Agile virtualized infrastructure to proactively defend against cyber attacks. In Infocom, 2015.Google Scholar
  13. 13.
    H. Goldman, R. McQuaid, and J. Picciotto. Cyber resilience for mission assurance. In Technologies for Homeland Security (HST), 2011 IEEE International Conference on, pages 236–241. IEEE, 2011.Google Scholar
  14. 14.
    K. E. Heckman, F. J. Stech, R. K. Thomas, B. Schmoker, and A. W. Tsow. Cyber denial, deception and counter deception. Springer, 2015.CrossRefGoogle Scholar
  15. 15.
    T. Jackson, B. Salamat, A. Homescu, K. Manivannan, G. Wagner, A. Gal, S. Brunthaler, C. Wimmer, and M. Franz. Compiler-generated software diversity. In Moving Target Defense, pages 77–98. Springer, 2011.Google Scholar
  16. 16.
    H. Jafarian, Q. Duan, and E. Al-Shaer. Effective address mutation approach for disrupting reconnaissance attacks. To appear in IEEE Transactions on Information Forensics and Security, 2016.Google Scholar
  17. 17.
    J. H. Jafarian, E. Al-Shaer, and Q. Duan. Formal approach for route agility against persistent attackers. In Computer Security - ESORICS 2013 - 18th European Symposium on Research in Computer Security, Egham, UK, September 9–13, 2013. Proceedings, pages 237–254, 2013.Google Scholar
  18. 18.
    J. H. Jafarian, E. Al-Shaer, and Q. Duan. An effective address mutation approach for disrupting reconnaissance attacks. IEEE Transactions on Information Forensics and Security, 10(12):2562–2577, Dec 2015.CrossRefGoogle Scholar
  19. 19.
    S. Jajodia, A. K. Ghosh, V. Subrahmanian, V. Swarup, C. Wang, and X. S. Wang, editors. Moving Target Defense II - Application of Game Theory and Adversarial Modeling, volume 100 of Advances in Information Security. Springer, 2013.Google Scholar
  20. 20.
    M. G. Kang, S. McCamant, P. Poosankam, and D. Song. Dta++: dynamic taint analysis with targeted control-flow propagation. In NDSS, 2011.Google Scholar
  21. 21.
    A. Kaur. Dynamic honeypot construction. 2013.Google Scholar
  22. 22.
    C. Kolbitsch, P. M. Comparetti, C. Kruegel, E. Kirda, X. Zhou, and X. Wang. Effective and efficient malware detection at the end host. In Proc. of USENIX Security’09, 2009.Google Scholar
  23. 23.
    C. Kolbitsch, E. Kirda, and C. Kruegel. The power of procrastination: Detection and mitigation of execution-stalling malicious code. In Proc. of CCS’11, 2011.Google Scholar
  24. 24.
    C. Kolbitsch, B. Livshits, B. Zorn, and C. Seifert. Rozzle: De-cloaking internet malware. In Proc. of S&P’12, 2012.Google Scholar
  25. 25.
    S. Kyung, W. Han, N. Tiwari, V. H. Dixit, L. Srinivas, Z. Zhao, A. Doupé, and G.-J. Ahn. Honeyproxy: Design and implementation of next-generation honeynet via SDN. In IEEE Conference on Communications and Network Security (CNS), 2017.Google Scholar
  26. 26.
    M. L, C. K., and M.Paolo. Detecting Environment-Sensitive Malware. In Proc. of RAID’11, 2011.Google Scholar
  27. 27.
    K. Lab. Kaspersky security bulletin. overall statistics for 2017., 2017.
  28. 28.
    H. D. Macedo and T. Touili. Mining malware specifications through static reachability analysis. In Computer Security–ESORICS 2013, pages 517–535. Springer, 2013.Google Scholar
  29. 29.
    W. Maples. Disable windows scripting host (WSH).Google Scholar
  30. 30.
    A. Moser, C. Kruegel, and E. Kirda. Exploring Multiple Execution Paths for Malware Analysis. In Proc. of S&P’07, 2007.Google Scholar
  31. 31.
    F. Peng, Z. Deng, X. Zhang, D. Xu, Z. Lin, and Z. Su. X-force: Force-executing binary programs for security applications. In Proceedings of the 2014 USENIX Security Symposium, San Diego, CA, August 2014.Google Scholar
  32. 32.
    G. Portokalidis and A. D. Keromytis. Global ISR: Toward a comprehensive defense against unauthorized code execution. In Moving Target Defense, pages 49–76. Springer, 2011.Google Scholar
  33. 33.
    Y. Qiao, Y. Yang, J. He, C. Tang, and Z. Liu. CBM: Free, Automatic Malware Analysis Framework Using API Call Sequences, pages 225–236. Springer Berlin Heidelberg, Berlin, Heidelberg, 2014.Google Scholar
  34. 34.
    P. Saxena, P. Poosankam, S. McCamant, and D. Song. Loop-extended symbolic execution on binary programs. In Proceedings of the eighteenth international symposium on Software testing and analysis, pages 225–236. ACM, 2009.Google Scholar
  35. 35.
    M. K. Shankarapani, S. Ramamoorthy, R. S. Movva, and S. Mukkamala. Malware detection using assembly and API call sequences. J. Comput. Virol., 7(2):107–119, May 2011.CrossRefGoogle Scholar
  36. 36.
    N. Soule, B. Simidchieva, F. Yaman, R. Watro, J. Loyall, M. Atighetchi, M. Carvalho, D. Last, D. Myers, and C. B. Flatley. Quantifying & minimizing attack surfaces containing moving target defenses.Google Scholar
  37. 37.
    J. Sun, K. Sun, and Q. Li. Cybermoat: Camouflaging critical server infrastructures with large scale decoy farms. In Communications and Network Security (CNS), 2017 IEEE Conference on, pages 1–9. IEEE, 2017.Google Scholar
  38. 38.
    P. Team. PaX address space layout randomization (ASLR)., 2015. [Online; accessed 10-Feburary-2017].
  39. 39.
    S. P. Team. Stratum mining protocol official documentation., 2017.
  40. 40.
    J. Wilhelm and T. Chiueh. A forced sampled execution approach to kernel rootkit identification. In Proc. of RAID’07, 2007.Google Scholar
  41. 41.
    J. Xu, Z. Kalbarczyk, and R. K. Iyer. Transparent runtime randomization for security. In 22nd International Symposium on Reliable Distributed Systems, 2003. Proceedings., pages 260–269, Oct 2003.Google Scholar
  42. 42.
    Z. Xu, L. Chen, G. Gu, and C. Kruegel. PeerPress: Utilizing enemies’ p2p strength against them. In Proc. of CCS’12, 2012.Google Scholar
  43. 43.
    Z. Xu, J. Zhang, G. Gu, and Z. Lin. Goldeneye: Efficiently and effectively unveiling malware’s targeted environment. In Proceedings of the 17th International Symposium on Research in Attacks, Intrusions and Defenses (RAID’14), September 2014.CrossRefGoogle Scholar
  44. 44.
    Y. Zhang, M. Li, K. Bai, M. Yu, and W. Zang. Incentive compatible moving target defense against VM-colocation attacks in clouds. In D. Gritzalis, S. Furnell, and M. Theoharidou, editors, Information Security and Privacy Research, volume 376 of IFIP Advances in Information and Communication Technology, pages 388–399. Springer Berlin Heidelberg, 2012.CrossRefGoogle Scholar
  45. 45.
    Q. Zhu and T. Başar. Game-theoretic approach to feedback-driven multi-stage moving target defense. In Decision and Game Theory for Security, pages 246–263. Springer, 2013.Google Scholar
  46. 46.
    Q. Zhu, A. Clark, R. Poovendran, and T. Basar. Deceptive routing games. In Decision and Control (CDC), 2012 IEEE 51st Annual Conference on, pages 2704–2711. IEEE, 2012.Google Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Mohammed Noraden Alsaleh
    • 1
  • Jinpeng Wei
    • 2
    Email author
  • Ehab Al-Shaer
    • 2
  • Mohiuddin Ahmed
    • 2
  1. 1.Eastern Michigan UniversityYpsilantiUSA
  2. 2.Software and Information SystemsUniversity of North Carolina at CharlotteCharlotteUSA

Personalised recommendations