Autonomous Cyber Deception

Malware attacks have evolved to be highly evasive against prevention and detection techniques. A significant number of new malware samples are launched each day and many of them remain undetected for a long period (e.g., more than five months). Cyber deception has emerged as an effective and complementary defense technique that proactively increases cyber resistance and deterrence. Approaches in this domain deliberately introduce misinformation or misleading functionality into cyberspace in order to trick adversaries in ways that render attacks ineffective or infeasible.

Unfortunately, existing cyber deception approaches or systems are not effective against malware because (1) they are easily discoverable due to their static environment and plans, and (2) they do not support customized adaptations based on malware's action. To overcome the limitations of the state of the art, we propose a novel approach that can construct deception plans against malware on the fly based on automated analysis of the malware's behavior. More specifically, our approach (1) employs deception-oriented malware symbolic execution analysis that is capable of extracting deception parameters that are reconfigurable or misrepresentable in the cyber environment, yet the malware depends on to achieve its goals, (2) dynamically constructs the most cost-effective and scalable deception ploy that manipulates the deception parameters to achieve deception goals, and (3) translates and orchestrates the deception ploys into configuration actions to construct a run-time malware deception environment. We have built a prototype implementation of our approach called gExtractor, and we experimentally confirmed its capability of deceiving hundreds of latest real-world malware samples. For example, using the information provided by gExtractor, we planted files with honey FTP passwords in the environment, such that a FTP credential stealing malware would send the honey passwords to the adversary, which could lure the adversary to a honey FTP server under our monitoring.

Our approach contributes to the scientific and system foundations of reasoning about autonomous cyber deception by automating the creation of goal-driven malware deception environment, from malware analysis to deception planning and configuration.

Publication and Presentation:

  • Mohammed Noraden Alsaleh, Jinpeng Wei, Ehab Al-Shaer, and Mohiuddin Ahmed. gExtractor: Towards Automated Extraction of Malware Deception Parameters. Proceeding of the 8th Software Security, Protection, and Reverse Engineering Workshop (SSPREW 2018), co-located with Annual Computer Security Applications Conference (ACSAC 2018), ACM, New York, NY, USA, December 2018. Paper.
  • Ehab Al-Shaer, Jinpeng Wei, Kevin W. Hamlen, and Cliff Wang. Autonomous Cyber Deception: Reasoning, Adaptive Planning, and Evaluation of HoneyThings, ISBN 978-3-030-02109-2 (print), 978-3-030-02110-8 (online),, Springer, Cham, January 2019. Read the book.  New
  • Acknowledgement: Army Research Office

    Army Research Office