
gExtractor: Automated Extraction of Malware Deception Parameters for Autonomous Cyber Deception

  • Chapter in: Autonomous Cyber Deception

Abstract

The lack of agility in cyber defense gives adversaries a significant advantage in discovering cyber targets and planning their attacks in a stealthy and undetectable manner. While it is very hard to detect or predict attacks, adversaries can always scan the network, learn about countermeasures, and develop new evasion techniques. Active Cyber Deception (ACD) has emerged as an effective means to reverse this asymmetry in cyber warfare by dynamically orchestrating the cyber deception environment to mislead attackers and corrupt their decision-making process. However, developing an efficient active deception environment usually requires human intelligence and analysis to characterize the attackers’ behaviors (e.g., malware actions). This manual process significantly limits the capability of cyber deception to respond to new attacks (malware) actively and in a timely manner.

In this chapter, we present a new analytic framework and an implemented tool, called gExtractor, to analyze malware behavior and automatically extract the deception parameters using symbolic execution, in order to enable the automated creation of cyber deception plans. The deception parameters are environmental variables on which attackers depend to discover the target system and reach their goals; yet, they can be reconfigured and/or misrepresented by the defender in the cyber environment. Our gExtractor approach contributes to the scientific and system foundations of reasoning about autonomous cyber deception. Our prototype was developed by customizing a symbolic execution engine for analyzing Microsoft Windows malware. Our analysis of over fifty recent malware instances shows that gExtractor successfully identified various critical parameters that are effective for cyber deception.


Change history

  • 01 February 2020

    This book was inadvertently published as an authored work, with the chapter authors mentioned only in the footnotes of the chapter opening pages. This has now been updated, and the chapter authors are listed on the respective chapter opening pages.


Author information

Corresponding author: Jinpeng Wei

Copyright information

© 2019 Springer Nature Switzerland AG

About this chapter

Cite this chapter

Alsaleh, M.N., Wei, J., Al-Shaer, E., Ahmed, M. (2019). gExtractor: Automated Extraction of Malware Deception Parameters for Autonomous Cyber Deception. In: Al-Shaer, E., Wei, J., Hamlen, K., Wang, C. (eds) Autonomous Cyber Deception. Springer, Cham. https://doi.org/10.1007/978-3-030-02110-8_10


  • DOI: https://doi.org/10.1007/978-3-030-02110-8_10


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-02109-2

  • Online ISBN: 978-3-030-02110-8

  • eBook Packages: Computer Science, Computer Science (R0)