Active Cyber Deception Against Malware

Malware attacks have evolved to be highly evasive against prevention and detection techniques. A significant number of new malware samples are launched each day and many of them remain undetected for a long period of time (e.g., 66% of breaches remained undiscovered for more than five months).With the limitations of prevention and detection technology, cyber deception becomes an imperative technology to provide a proactive defense that increases the cyber resistance and deterrence. In addition, although malware is considered harmful and most of the effort has been dedicated to detectand prevent it, we argue against this conventional wisdom by considering malware as an opportunity to actively deceive attackers in order to accomplish the strategic active cyber defense goals: (1) deflecting adversaries to false targets, (2) distorting adversaries~ knowledge, (3) depleting or consumingtheir resources (financial, computing, and cognitive), and most importantly, (4) discovering new tactics, techniques, and procedures (TTPs) of adversaries, and strategic goals and intent. In fact, in some cases such as in mission-critical systems (such as DoD systems), detecting and blocking malware canbe harmful because it enables the adversaries to learn about the capabilities of the target systems and allows them to advance their attack techniques (or TTPs).To the best of our knowledge, none of the existing cyber deception approaches or systems are effective against malware because of the following reasons: (1) they are easily discoverable due to their static environment and plans, (2) they do not support customized adaptations based on malware~s actions, (3) they have limited-interaction with the environment, and (4) they are too slow toactively respond to new malware in a timely manner as they require human intelligence to analyze and characterize the malware~s behaviors.In this project, we propose a novel approach and tool implementation, called MalPloy, for accomplishing the following goals: (1) developing a deception-oriented malware symbolic execution analysis engine that is capable of extracting deception parameters that are reconfigurable or misrepresentablein the cyber environment, yet the malware depends on to achieve its goals, (2) mapping these parameters and their corresponding APIs to high level TTP abstraction to understand the tactical malware goals, (3) selecting the optimal deception parameters to achieve the deception goal, (4) analyzing the deception parameters interdependency to construct the valid deception ploys, and (5)constructing dynamically the most cost-effective and scalable Deception Playbook based on the ploys, and (6) translating and orchestrating the deception Playbook into configuration actions to construct a run-time malware deception environment. MalPloy consists of four subagents, namely, detection, dissecting, planning and actuating agents that implement the tasks above. Unlike many malware analysis tools, MalPloy will handle obfuscated malware. When a piece of malware hits the target systems, it will be forwarded by the detection agentto the dissecting agent for extracting the deception parameters and constructing the deception ploys. The results are then used by the planning agent to construct the malware Deception Playbook that will be used by the actuating agent to configure and implement the deception virtual environment. Our MalPloy approach contributes to the scientific and system foundations of reasoning about autonomous cyber deception by automating the process of creation of goal-driven malware deception environment from malware analysis to deception planning and configuration. In our preliminary work, we developed a prototype based on customizing a symbolic execution engine for analyzing Microsoft Windows malware. Although our preliminary prototype validates thefeasibility of tracking malware behavior for deception analysis, it lacks the analysis for extracting cost-effective parameters and construc