SODA: A System for Cyber Deception Orchestration and Automation

Md Sajidul Islam Sajid; Jinpeng Wei; Basel Abdeen; Ehab Al-Shaer; Md Mazharul Islam; Walter Diong; Latifur Khan

doi:10.1145/3485832.3485918

SODA: A System for Cyber Deception Orchestration and Automation

Md Sajidul Islam Sajid^*
, Jinpeng Wei^*
, Basel Abdeen
, Ehab Al-Shaer
, Md Mazharul Islam^*
, Walter Diong
, Latifur Khan^*

^*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

28 Scopus citations

Abstract

Active Cyber Deception (ACD) has emerged as an effective proactive cyber defense technique that can mislead adversaries by presenting falsified data and allow opportunities for engaging with them to learn novel attack techniques. Adversaries often implement their attack techniques within malware and use it as the medium to steal valuable information. Comprehensive malware analysis is required to understand the malware behaviors at technical and tactical levels to create the honey resources and appropriate ploys that can leverage this behavior and mislead malware and APT adversaries. This paper presents SODA, a cyber deception orchestration system that analyzes real-world malware, discovers attack techniques, creates Deception Playbooks, a set of deception actions, and finally orchestrates the environment to deceive malware. SODA extracts Malicious Sub-graphs (MSGs) consisting of WinAPIs from real-world malware and maps them to MITRE ATT&CK techniques. This MSG-to-MITRE mapping describes how ATT&CK techniques are implemented in malware and, as a result, guides the construction of appropriate deception actions. We conducted comprehensive evaluations on SODA with 255 recent malware samples to demonstrate end-to-end deception effectiveness. We observed an average accuracy of 95% in deceiving the malware with negligible overhead for specified deception goals and strategies. Furthermore, our approach successfully extracted MSGs with a 97% recall and our MSG-to-MITRE mapping achieved a top-1 accuracy of 88.75%. More importantly, SODA can serve as a general purpose malware deception factory to automatically produce customized deception playbooks against arbitrary malware.

Original language	English
Title of host publication	Proceedings - 37th Annual Computer Security Applications Conference, ACSAC 2021
Publisher	Association for Computing Machinery
Pages	675-689
Number of pages	15
ISBN (Electronic)	9781450385794
DOIs	https://doi.org/10.1145/3485832.3485918
State	Published - 6 Dec 2021
Externally published	Yes
Event	37th Annual Computer Security Applications Conference, ACSAC 2021 - Virtual, Online, United States Duration: 6 Dec 2021 → 10 Dec 2021

Publication series

Name	ACM International Conference Proceeding Series

Conference

Conference	37th Annual Computer Security Applications Conference, ACSAC 2021
Country/Territory	United States
City	Virtual, Online
Period	6/12/21 → 10/12/21

Bibliographical note

Publisher Copyright:
© 2021 Association for Computing Machinery.

Keywords

Active cyber deception
Active cyber defense
Malware analysis
NLP
Text mining
Threat intelligence

ASJC Scopus subject areas

Software
Human-Computer Interaction
Computer Vision and Pattern Recognition
Computer Networks and Communications

Access to Document

10.1145/3485832.3485918

Cite this

Sajid, M. S. I., Wei, J., Abdeen, B., Al-Shaer, E., Islam, M. M., Diong, W., & Khan, L. (2021). SODA: A System for Cyber Deception Orchestration and Automation. In Proceedings - 37th Annual Computer Security Applications Conference, ACSAC 2021 (pp. 675-689). (ACM International Conference Proceeding Series). Association for Computing Machinery. https://doi.org/10.1145/3485832.3485918

@inproceedings{8415d431dacf40538b3f949be7d83a73,

title = "SODA: A System for Cyber Deception Orchestration and Automation",

abstract = "Active Cyber Deception (ACD) has emerged as an effective proactive cyber defense technique that can mislead adversaries by presenting falsified data and allow opportunities for engaging with them to learn novel attack techniques. Adversaries often implement their attack techniques within malware and use it as the medium to steal valuable information. Comprehensive malware analysis is required to understand the malware behaviors at technical and tactical levels to create the honey resources and appropriate ploys that can leverage this behavior and mislead malware and APT adversaries. This paper presents SODA, a cyber deception orchestration system that analyzes real-world malware, discovers attack techniques, creates Deception Playbooks, a set of deception actions, and finally orchestrates the environment to deceive malware. SODA extracts Malicious Sub-graphs (MSGs) consisting of WinAPIs from real-world malware and maps them to MITRE ATT\&CK techniques. This MSG-to-MITRE mapping describes how ATT\&CK techniques are implemented in malware and, as a result, guides the construction of appropriate deception actions. We conducted comprehensive evaluations on SODA with 255 recent malware samples to demonstrate end-to-end deception effectiveness. We observed an average accuracy of 95\% in deceiving the malware with negligible overhead for specified deception goals and strategies. Furthermore, our approach successfully extracted MSGs with a 97\% recall and our MSG-to-MITRE mapping achieved a top-1 accuracy of 88.75\%. More importantly, SODA can serve as a general purpose malware deception factory to automatically produce customized deception playbooks against arbitrary malware.",

keywords = "Active cyber deception, Active cyber defense, Malware analysis, NLP, Text mining, Threat intelligence",

author = "Sajid, \{Md Sajidul Islam\} and Jinpeng Wei and Basel Abdeen and Ehab Al-Shaer and Islam, \{Md Mazharul\} and Walter Diong and Latifur Khan",

note = "Publisher Copyright: {\textcopyright} 2021 Association for Computing Machinery.; 37th Annual Computer Security Applications Conference, ACSAC 2021 ; Conference date: 06-12-2021 Through 10-12-2021",

year = "2021",

month = dec,

day = "6",

doi = "10.1145/3485832.3485918",

language = "English",

series = "ACM International Conference Proceeding Series",

publisher = "Association for Computing Machinery",

pages = "675--689",

booktitle = "Proceedings - 37th Annual Computer Security Applications Conference, ACSAC 2021",

}

Sajid, MSI, Wei, J, Abdeen, B, Al-Shaer, E, Islam, MM, Diong, W & Khan, L 2021, SODA: A System for Cyber Deception Orchestration and Automation. in Proceedings - 37th Annual Computer Security Applications Conference, ACSAC 2021. ACM International Conference Proceeding Series, Association for Computing Machinery, pp. 675-689, 37th Annual Computer Security Applications Conference, ACSAC 2021, Virtual, Online, United States, 6/12/21. https://doi.org/10.1145/3485832.3485918

SODA: A System for Cyber Deception Orchestration and Automation. / Sajid, Md Sajidul Islam; Wei, Jinpeng; Abdeen, Basel et al.
Proceedings - 37th Annual Computer Security Applications Conference, ACSAC 2021. Association for Computing Machinery, 2021. p. 675-689 (ACM International Conference Proceeding Series).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - SODA

T2 - 37th Annual Computer Security Applications Conference, ACSAC 2021

AU - Sajid, Md Sajidul Islam

AU - Wei, Jinpeng

AU - Abdeen, Basel

AU - Al-Shaer, Ehab

AU - Islam, Md Mazharul

AU - Diong, Walter

AU - Khan, Latifur

PY - 2021/12/6

Y1 - 2021/12/6

N2 - Active Cyber Deception (ACD) has emerged as an effective proactive cyber defense technique that can mislead adversaries by presenting falsified data and allow opportunities for engaging with them to learn novel attack techniques. Adversaries often implement their attack techniques within malware and use it as the medium to steal valuable information. Comprehensive malware analysis is required to understand the malware behaviors at technical and tactical levels to create the honey resources and appropriate ploys that can leverage this behavior and mislead malware and APT adversaries. This paper presents SODA, a cyber deception orchestration system that analyzes real-world malware, discovers attack techniques, creates Deception Playbooks, a set of deception actions, and finally orchestrates the environment to deceive malware. SODA extracts Malicious Sub-graphs (MSGs) consisting of WinAPIs from real-world malware and maps them to MITRE ATT&CK techniques. This MSG-to-MITRE mapping describes how ATT&CK techniques are implemented in malware and, as a result, guides the construction of appropriate deception actions. We conducted comprehensive evaluations on SODA with 255 recent malware samples to demonstrate end-to-end deception effectiveness. We observed an average accuracy of 95% in deceiving the malware with negligible overhead for specified deception goals and strategies. Furthermore, our approach successfully extracted MSGs with a 97% recall and our MSG-to-MITRE mapping achieved a top-1 accuracy of 88.75%. More importantly, SODA can serve as a general purpose malware deception factory to automatically produce customized deception playbooks against arbitrary malware.

AB - Active Cyber Deception (ACD) has emerged as an effective proactive cyber defense technique that can mislead adversaries by presenting falsified data and allow opportunities for engaging with them to learn novel attack techniques. Adversaries often implement their attack techniques within malware and use it as the medium to steal valuable information. Comprehensive malware analysis is required to understand the malware behaviors at technical and tactical levels to create the honey resources and appropriate ploys that can leverage this behavior and mislead malware and APT adversaries. This paper presents SODA, a cyber deception orchestration system that analyzes real-world malware, discovers attack techniques, creates Deception Playbooks, a set of deception actions, and finally orchestrates the environment to deceive malware. SODA extracts Malicious Sub-graphs (MSGs) consisting of WinAPIs from real-world malware and maps them to MITRE ATT&CK techniques. This MSG-to-MITRE mapping describes how ATT&CK techniques are implemented in malware and, as a result, guides the construction of appropriate deception actions. We conducted comprehensive evaluations on SODA with 255 recent malware samples to demonstrate end-to-end deception effectiveness. We observed an average accuracy of 95% in deceiving the malware with negligible overhead for specified deception goals and strategies. Furthermore, our approach successfully extracted MSGs with a 97% recall and our MSG-to-MITRE mapping achieved a top-1 accuracy of 88.75%. More importantly, SODA can serve as a general purpose malware deception factory to automatically produce customized deception playbooks against arbitrary malware.

KW - Active cyber deception

KW - Active cyber defense

KW - Malware analysis

KW - NLP

KW - Text mining

KW - Threat intelligence

UR - https://www.scopus.com/pages/publications/85121575377

U2 - 10.1145/3485832.3485918

DO - 10.1145/3485832.3485918

M3 - Conference contribution

AN - SCOPUS:85121575377

T3 - ACM International Conference Proceeding Series

SP - 675

EP - 689

BT - Proceedings - 37th Annual Computer Security Applications Conference, ACSAC 2021

PB - Association for Computing Machinery

Y2 - 6 December 2021 through 10 December 2021

ER -

SODA: A System for Cyber Deception Orchestration and Automation

Abstract

Publication series

Conference

Bibliographical note

Keywords

ASJC Scopus subject areas

Access to Document

Fingerprint

Cite this