Annual Computer Security Applications Conference (ACSAC) 2021


SODA: A System for Cyber Deception Orchestration and Automation

Active Cyber Deception (ACD) has emerged as an effective proactive cyber defense technique that can mislead adversaries by presenting falsified data and that creates opportunities to engage with them and learn novel attack techniques. Adversaries often implement their attack techniques within malware and use it as the medium to steal valuable information. Comprehensive malware analysis is required to understand malware behaviors at the technical and tactical levels in order to create the honey resources and appropriate ploys that leverage this behavior and mislead malware and APT adversaries. This paper presents SODA, a cyber deception orchestration framework that analyzes real-world malware, discovers attack techniques, creates Deception Playbooks - sets of deception actions - and finally orchestrates the environment to deceive the malware. SODA extracts Malicious Sub-graphs (MSGs) consisting of WinAPIs from real-world malware and maps them to MITRE ATT&CK techniques. This MSG-to-MITRE mapping describes how ATT&CK techniques are implemented in malware and, as a result, guides the construction of appropriate deception actions. We conducted comprehensive evaluations of SODA with 255 recent malware samples to demonstrate end-to-end deception effectiveness. We observed an average accuracy of 95% in deceiving the malware, with negligible overhead, for the specified deception goals and strategies. Furthermore, our approach extracted MSGs with 97% recall, and our MSG-to-MITRE mapping achieved a top-5 accuracy of 85.5%. More importantly, SODA can serve as a general-purpose malware deception factory that automatically produces customized deception playbooks against arbitrary malware.
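The abstract describes a pipeline of WinAPI sub-graph extraction, ranked mapping of those sub-graphs to ATT&CK techniques, and playbook generation. The following is an added toy sketch of that idea, not code from the paper or from SODA: it builds a call graph from a constructed WinAPI trace, scores hand-written sub-graph patterns by how many of their edges appear, returns a top-k ranking (the abstract's top-5 accuracy metric assumes such a ranking), and emits one deception action per fully matched technique. The trace, the patterns, their ATT&CK assignments and the playbook actions are all assumptions for illustration.

```python
from collections import defaultdict

# Constructed WinAPI call trace for one process, in call order.
# Made-up sample input, not data from any real malware sample or from SODA.
TRACE = [
    "CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW",
    "Process32NextW", "OpenProcess", "VirtualAllocEx",
    "WriteProcessMemory", "CreateRemoteThread",
    "RegOpenKeyExW", "RegQueryValueExW", "RegCloseKey",
]

# Assumed MSG patterns: each technique is a small directed sub-graph of
# WinAPI calls (an edge means "call A is directly followed by call B").
# The patterns and their ATT&CK IDs are illustrative, not SODA's learned MSGs.
PATTERNS = {
    "T1057": [  # Process Discovery
        ("CreateToolhelp32Snapshot", "Process32FirstW"),
        ("Process32FirstW", "Process32NextW"),
    ],
    "T1055": [  # Process Injection
        ("OpenProcess", "VirtualAllocEx"),
        ("VirtualAllocEx", "WriteProcessMemory"),
        ("WriteProcessMemory", "CreateRemoteThread"),
    ],
    "T1012": [  # Query Registry
        ("RegOpenKeyExW", "RegQueryValueExW"),
    ],
    "T1083": [  # File and Directory Discovery
        ("FindFirstFileW", "FindNextFileW"),
    ],
    "T1518.001": [  # Security Software Discovery (overlaps T1057; partial match)
        ("CreateToolhelp32Snapshot", "Process32FirstW"),
        ("Process32NextW", "lstrcmpiW"),
    ],
}

# Assumed deception actions keyed by technique (hypothetical playbook entries).
ACTIONS = {
    "T1057": "serve a falsified process list that hides decoy analysis tools",
    "T1055": "redirect the injection target to a monitored decoy process",
    "T1012": "plant honey registry keys holding fake credentials",
    "T1083": "expose honey directories populated with decoy documents",
    "T1518.001": "report a fake security product to steer the sample's logic",
}


def build_graph(trace):
    """Directed call graph: edge A->B whenever B directly follows A in the trace."""
    graph = defaultdict(set)
    for src, dst in zip(trace, trace[1:]):
        graph[src].add(dst)
    return graph


def rank_techniques(trace, patterns=PATTERNS, k=5):
    """Score each pattern by the fraction of its edges present in the call graph
    and return the top-k (technique, score) pairs, best first, ties by ID.
    Patterns with no matching edge are dropped."""
    graph = build_graph(trace)
    scored = []
    for tid, edges in patterns.items():
        hits = sum(1 for src, dst in edges if dst in graph.get(src, ()))
        score = hits / len(edges)
        if score > 0:
            scored.append((tid, score))
    scored.sort(key=lambda p: (-p[1], p[0]))
    return scored[:k]


def build_playbook(trace, patterns=PATTERNS, actions=ACTIONS, threshold=1.0):
    """Deception playbook: one action per technique whose MSG matched fully
    (or at least `threshold`), so partial overlaps do not trigger ploys."""
    return [(tid, actions[tid])
            for tid, score in rank_techniques(trace, patterns)
            if score >= threshold]


if __name__ == "__main__":
    for tid, score in rank_techniques(TRACE):
        print(f"{tid}: {score:.2f}")
    for tid, action in build_playbook(TRACE):
        print(f"playbook: {tid} -> {action}")
```

On the constructed trace the three fully matched techniques (T1012, T1055, T1057) reach the playbook, while T1518.001 ranks fourth at 0.5 because it shares only its first edge with the trace; the threshold keeps such partial overlaps out of the orchestrated ploys.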

Md Sajidul Islam Sajid
University of North Carolina at Charlotte

Jinpeng Wei
University of North Carolina at Charlotte

Basel Abdeen
University of Texas at Dallas

Ehab Al-Shaer
Carnegie Mellon University

Md Mazharul Islam
University of North Carolina at Charlotte

Walter Diong
Carnegie Mellon University

Latifur Khan
University of Texas at Dallas

Paper (ACM DL)

Slides

Video
