gExtractor: Towards Automated Extraction of Malware Deception Parameters

The lack of agility in cyber defense gives adversaries a significant advantage for discovering cyber targets and planning their attacks in a stealthy and undetectable manner. While there has been significant research on detecting or predicting attacks, adversaries can always scan the network, learn about countermeasures, and develop new evasion techniques. Active Cyber Deception (ACD) has emerged as an effective means to reverse this asymmetry in cyber warfare by dynamically orchestrating the cyber deception environment to mislead attackers and corrupt their decision-making process. However, developing an efficient active deception environment usually requires human intelligence and analysis to characterize the attackers' behaviors (e.g., malware actions). This manual process significantly limits the capability of cyber deception to actively respond to new attacks (malware) in a timely manner. In this paper, we present a new analytic framework and an implemented prototype, called gExtractor, to analyze the malware behavior and automatically extract the deception parameters using symbolic execution in order to enable the automated creation of cyber deception schemes. The deception parameters are environmental variables on which attackers depend to discover the target system and reach their goals; yet they can be reconfigured and/or misrepresented by the defender in the cyber environment. Our gExtractor approach contributes to the scientific and system foundations of reasoning about autonomous cyber deception. Our prototype was developed by customizing a symbolic execution engine for analyzing Microsoft Windows malware. Our case studies of recent malware instances show that gExtractor can be used to identify various critical parameters effective for cyber deception.
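As an added illustration of the idea in the abstract (not the paper's code or the gExtractor prototype), the toy symbolic executor below explores a constructed environment-sensitive control flow, keeps the path conditions of the paths that reach the payload, and reports the environment variables they depend on as candidate deception parameters, together with one concrete environment per feasible path. The instruction format, the variable names and the tiny witness-search solver are assumptions standing in for a real binary and an SMT solver.

```python
import operator

# Constructed toy program (label -> instruction) standing in for a malware binary; the
# variable names are illustrative. Forms: ("branch", var, op, const, if_true, if_false) / ("act", name)
SAMPLE = {
    "start":    ("branch", "num_cpus", "<", 2, "bail", "chk_lang"),
    "chk_lang": ("branch", "ui_lang", "==", "en_US", "chk_dbg", "bail"),
    "chk_dbg":  ("branch", "debugger_present", "==", 1, "bail", "chk_day"),
    "chk_day":  ("branch", "day_of_month", ">=", 15, "recheck", "bail"),
    "recheck":  ("branch", "num_cpus", "<", 2, "bail", "payload"),  # contradicts "start"
    "bail":     ("act", "exit"),
    "payload":  ("act", "payload"),
}
OPS = {"==": operator.eq, "!=": operator.ne, "<": operator.lt,
       "<=": operator.le, ">": operator.gt, ">=": operator.ge}
NEG = {"==": "!=", "!=": "==", "<": ">=", ">=": "<", ">": "<=", "<=": ">"}

def witness(constraints):
    """Stand-in for an SMT solver: one value per variable satisfying all its constraints, else None."""
    model = {}
    for var in sorted({v for v, _, _ in constraints}):
        cs = [(op, val) for v, op, val in constraints if v == var]
        consts = [val for _, val in cs]
        # Candidate values: the compared constants +/-1 for ints, the constants plus one other string
        cands = ({c + d for c in consts for d in (-1, 0, 1)}
                 if all(isinstance(c, int) for c in consts) else set(consts) | {"<other>"})
        sat = [c for c in sorted(cands) if all(OPS[op](c, val) for op, val in cs)]
        if not sat: return None
        model[var] = sat[0]
    return model

def explore(prog, label="start", path=()):
    """DFS symbolic exploration: fork at each branch, extend the path condition, prune infeasible outcomes."""
    kind, *rest = prog[label]
    if kind == "act":
        return [(rest[0], list(path))]
    var, op, val, on_true, on_false = rest
    results = []
    for cond, nxt in (((var, op, val), on_true), ((var, NEG[op], val), on_false)):
        extended = path + (cond,)
        if witness(extended) is not None:
            results += explore(prog, nxt, extended)
    return results

def deception_parameters(prog, goal="payload"):
    """Environment variables the goal-reaching paths depend on, plus one concrete environment per path."""
    reaching = [p for act, p in explore(prog) if act == goal]
    params = sorted({var for p in reaching for var, _, _ in p})
    return params, [witness(p) for p in reaching]
```

The returned environments are the values a defender could reconfigure or misrepresent; the contradictory recheck of `num_cpus` shows the solver pruning an infeasible path instead of reporting a spurious one.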
