Decepticon: A Hidden Markov Model Approach to Counter Advanced Persistent Threats

  • Rudra Prasad Baksi
  • Shambhu J. Upadhyaya
Conference paper
Part of the Communications in Computer and Information Science book series (CCIS, volume 1186)


Deception has been proposed in the literature as an effective defense mechanism to address Advanced Persistent Threats (APT). However, administering deception in a cost-effective manner requires a good understanding of the attack landscape. The attacks mounted by APT groups are highly diverse and sophisticated in nature and can render traditional signature-based intrusion detection systems useless. This necessitates the development of behavior-oriented defense mechanisms. In this paper, we develop Decepticon (Deception-based countermeasure), a Hidden Markov Model-based framework in which indicators of compromise (IoC) serve as the observable features that aid detection. The framework helps select an appropriate deception script when faced with APTs or similar malware and triggers a corresponding defensive response. The effectiveness of the model and the associated framework is demonstrated by considering ransomware as the offending APT in a networked system.
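The abstract describes an HMM whose hidden states are attack stages and whose observations are IoC categories, with the decoded stage driving the choice of deception script. The following is an added illustration of that idea and is not the paper's model: the four stages, four IoC categories, all probabilities and the stage-to-response map are constructed assumptions for a ransomware-style intrusion, and the decoder is standard Viterbi in log space.

```python
import math

# Constructed, illustrative HMM for a ransomware-style APT. The states, IoC
# categories and every probability below are assumptions, not paper values.
STATES = ["Benign", "Initial_Access", "Lateral_Movement", "Encryption"]
IOCS = ["no_ioc", "malicious_attachment", "smb_scan", "mass_file_modify"]
START = [0.97, 0.01, 0.01, 0.01]
TRANS = [  # rows: from-state, columns: to-state (same order as STATES)
    [0.90, 0.07, 0.02, 0.01],
    [0.10, 0.50, 0.35, 0.05],
    [0.05, 0.10, 0.55, 0.30],
    [0.02, 0.03, 0.05, 0.90],
]
EMIT = [  # rows: state, columns: observed IoC category (same order as IOCS)
    [0.91, 0.03, 0.05, 0.01],
    [0.30, 0.60, 0.08, 0.02],
    [0.30, 0.05, 0.60, 0.05],
    [0.10, 0.02, 0.08, 0.80],
]
# Hypothetical deception script selected for each inferred stage.
RESPONSE = {
    "Benign": "monitor",
    "Initial_Access": "deploy_decoy_credentials",
    "Lateral_Movement": "deploy_decoy_hosts",
    "Encryption": "isolate_and_serve_decoy_files",
}


def viterbi(observations):
    """Most likely hidden attack-stage sequence for a list of IoC categories."""
    if not observations:
        return []
    obs = [IOCS.index(o) for o in observations]
    n = len(STATES)
    score = [[-math.inf] * n for _ in obs]  # log-probability of best path
    back = [[0] * n for _ in obs]            # back-pointers for traceback
    for s in range(n):
        score[0][s] = math.log(START[s]) + math.log(EMIT[s][obs[0]])
    for t in range(1, len(obs)):
        for s in range(n):
            best_val, best_prev = max(
                (score[t - 1][p] + math.log(TRANS[p][s]), p) for p in range(n))
            score[t][s] = best_val + math.log(EMIT[s][obs[t]])
            back[t][s] = best_prev
    path = [max(range(n), key=lambda s: score[-1][s])]
    for t in range(len(obs) - 1, 0, -1):
        path.append(back[t][path[-1]])
    return [STATES[s] for s in reversed(path)]


def select_response(observations):
    """Deception script keyed on the stage inferred for the latest IoC."""
    return RESPONSE[viterbi(observations)[-1]]
```

A single SMB scan after quiet periods decodes as Benign under these assumptions, while a phishing attachment followed by scanning and mass file modification is decoded stage by stage up to Encryption.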


Keywords: Advanced Persistent Threats (APT) · Computer security · Cyber-security · Hidden Markov Model (HMM) · Ransomware



This research is supported in part by the National Science Foundation under Grant No. DGE – 1754085. Usual disclaimers apply.



Copyright information

© Springer Nature Singapore Pte Ltd. 2020

Authors and Affiliations

  • University at Buffalo, SUNY, Buffalo, USA
