
Decepticon: a Theoretical Framework to Counter Advanced Persistent Threats

Information Systems Frontiers

Abstract

Deception has been proposed in the literature as an effective defense mechanism against Advanced Persistent Threats (APTs). However, administering deception in a cost-effective manner requires a good understanding of the attack landscape. The attacks mounted by APT groups are highly diverse and sophisticated and can render traditional signature-based intrusion detection systems useless, which necessitates the development of behavior-oriented defense mechanisms. In this paper, we develop Decepticon (Deception-based countermeasure), a Hidden Markov Model-based framework in which indicators of compromise (IoCs) serve as the observable features that aid detection. The theoretical framework also includes several models that represent the spread of APTs in a computer system. The presented framework can be used to select an appropriate deception script when faced with APTs or similar malware and to trigger an appropriate defensive response. The effectiveness of the models in a networked system is illustrated using a real APT-type ransomware.
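As an added illustration of the detection step the abstract describes (example code, not code from the paper), the following small Hidden Markov Model treats APT lifecycle phases as hidden states and IoC categories as observations, decodes the most probable phase sequence with the Viterbi algorithm, and maps the decoded phase to a defensive response. The state names, IoC labels, all probabilities and the response table are constructed assumptions for this example, not the models or parameters of Decepticon.

```python
from math import log

# Constructed illustration (not the paper's parameters): hidden states are generic APT
# lifecycle phases; observations are coarse IoC categories a sensor reports per time step.
STATES = ["benign", "recon", "foothold", "lateral", "exfil"]
IOCS = ["none", "port_scan", "new_persistence", "smb_auth_burst", "large_outbound"]
START = [0.9, 0.1, 0.0, 0.0, 0.0]
# TRANS[i][j]: probability of moving from STATES[i] to STATES[j] between time steps
TRANS = [
    [0.90, 0.10, 0.00, 0.00, 0.00],
    [0.20, 0.50, 0.30, 0.00, 0.00],
    [0.10, 0.00, 0.50, 0.40, 0.00],
    [0.05, 0.00, 0.05, 0.50, 0.40],
    [0.10, 0.00, 0.00, 0.20, 0.70],
]
# EMIT[i][k]: probability that STATES[i] produces the IoC IOCS[k] in a time step
EMIT = [
    [0.94, 0.02, 0.02, 0.01, 0.01],
    [0.30, 0.60, 0.05, 0.04, 0.01],
    [0.30, 0.05, 0.60, 0.04, 0.01],
    [0.30, 0.05, 0.05, 0.55, 0.05],
    [0.30, 0.01, 0.01, 0.08, 0.60],
]
# Assumed mapping from the decoded phase to the deception script / response to trigger
RESPONSE = {"benign": "monitor", "recon": "monitor", "foothold": "deploy_decoy_credentials",
            "lateral": "isolate_host_and_expose_decoy_share", "exfil": "block_egress_and_alert"}

def _lg(p):
    # log-probability that tolerates impossible (zero-probability) transitions/emissions
    return log(p) if p > 0 else float("-inf")

def viterbi(observations):
    """Return the most probable sequence of APT phases for the observed IoC labels."""
    obs = [IOCS.index(o) for o in observations]
    n = len(STATES)
    score = [_lg(START[s]) + _lg(EMIT[s][obs[0]]) for s in range(n)]
    back = []  # back[t][s] = best predecessor of state s at step t+1
    for k in obs[1:]:
        prev = [max(range(n), key=lambda p: score[p] + _lg(TRANS[p][s])) for s in range(n)]
        score = [score[prev[s]] + _lg(TRANS[prev[s]][s]) + _lg(EMIT[s][k]) for s in range(n)]
        back.append(prev)
    path = [max(range(n), key=lambda s: score[s])]
    for prev in reversed(back):  # trace the best path backwards from the final state
        path.append(prev[path[-1]])
    return [STATES[s] for s in reversed(path)]

def respond(observations):
    """Decode the current phase and pick the defensive response to trigger."""
    phase = viterbi(observations)[-1]
    return phase, RESPONSE[phase]
```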



Acknowledgments

This research is supported in part by the National Science Foundation under Grant No. DGE-1754085. Usual disclaimers apply.

Author information


Corresponding author

Correspondence to Rudra P. Baksi.


Cite this article

Baksi, R.P., Upadhyaya, S.J. Decepticon: a Theoretical Framework to Counter Advanced Persistent Threats. Inf Syst Front 23, 897–913 (2021). https://doi.org/10.1007/s10796-020-10087-4


  • DOI: https://doi.org/10.1007/s10796-020-10087-4
