Autonomous Malware Deception and Orchestration

Doctoral Candidate Name: 
Md Sajidul Islam Sajid
Program: 
Computing and Information Systems
Abstract: 

Traditional cyber defense approaches lack the agility needed to counter stealthy, hard-to-detect attacks, leaving defenders at a disadvantage. In response, Active Cyber Deception (ACD) has emerged as a promising alternative: it dynamically orchestrates deceptive environments that mislead attackers and corrupt their decision-making. Building efficient and effective deception systems, however, requires combining human intelligence with comprehensive malware analysis, both to understand attack behaviors and to automate the resulting deception strategies.

This dissertation presents three approaches to ACD. First, DodgeTron combines dynamic analysis based on symbolic execution tools with machine learning to automate the creation of deception schemes against malware: it classifies a sample into a known family and deploys the matching HoneyThings. Second, symbSODA performs dynamic analysis of real-world malware together with data-flow analysis to extract malicious sub-graphs (MSGs), then maps them to the MITRE ATT&CK framework using natural language processing. The mapping yields a Deception Playbook that counters specific malicious behaviors with deceptive API hooks. Finally, ranDecepter uses active cyber deception to identify ransomware in its early stages and applies binary orchestration to repurpose the malware itself as a channel that floods the attacker with encryption information (including keys), exhausting the attacker's available resources.
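To make the Deception Playbook idea concrete, the following added example (not code from the dissertation or any of its tools) sketches a playbook that maps ATT&CK technique IDs to deceptive API hooks and installs them on a toy host. The host file API, the decoy file, the "ransomware" sub-graph (list, read, overwrite) and the technique-to-hook entries are all constructed for this illustration; only the two technique IDs (T1083 File and Directory Discovery, T1486 Data Encrypted for Impact) are real ATT&CK identifiers. It also shows the early-warning signal the ranDecepter paragraph alludes to: the first write to a decoy file flags the sample as ransomware, after which writes are diverted so the real files survive.

```python
from typing import Callable, Dict, List, Tuple

DOCS = "C:/Users/alice/docs/"
# Constructed victim files (path -> contents); assumed, not from the page.
REAL_FS: Dict[str, bytes] = {
    DOCS + "report.docx": b"quarterly numbers",
    DOCS + "notes.txt": b"meeting notes",
}
# Decoy file. The leading '!' makes it sort before the real files, so malware
# walking the listing alphabetically touches the decoy first.
DECOY_PATH = DOCS + "!backup_passwords.txt"
DECOY_DATA = b"admin:hunter2"


class Host:
    """Minimal file API standing in for the Win32 calls a real hook intercepts."""

    def __init__(self) -> None:
        self.fs = dict(REAL_FS)
        self.shadow: Dict[str, bytes] = {}  # where diverted writes land
        self.alerts: List[str] = []

    def list_dir(self, directory: str) -> List[str]:
        return sorted(p for p in self.fs if p.startswith(directory))

    def read_file(self, path: str) -> bytes:
        return self.fs[path]

    def write_file(self, path: str, data: bytes) -> None:
        self.fs[path] = data


# A hook receives the host and the original API and returns the deceptive API.
Hook = Callable[[Host, Callable], Callable]


def hook_list_dir(host: Host, original: Callable) -> Callable:
    """T1083 File and Directory Discovery: show the decoy in every listing."""
    def deceptive(directory: str) -> List[str]:
        listing = original(directory)
        if DECOY_PATH.startswith(directory):
            listing.append(DECOY_PATH)
        return sorted(set(listing))
    return deceptive


def hook_read_file(host: Host, original: Callable) -> Callable:
    """T1083: the decoy must also be readable, or the ruse falls apart."""
    def deceptive(path: str) -> bytes:
        return DECOY_DATA if path == DECOY_PATH else original(path)
    return deceptive


def hook_write_file(host: Host, original: Callable) -> Callable:
    """T1486 Data Encrypted for Impact: a write to the decoy is the early
    warning; from then on every write is diverted to a shadow store, so the
    malware sees success while the real files survive."""
    def deceptive(path: str, data: bytes) -> None:
        if path == DECOY_PATH and not host.alerts:
            host.alerts.append(f"T1486 suspected: write to decoy {path}")
        if host.alerts:
            host.shadow[path] = data
        else:
            original(path, data)
    return deceptive


# Deception Playbook: ATT&CK technique -> the API hooks that deceive it.
PLAYBOOK: Dict[str, List[Tuple[str, Hook]]] = {
    "T1083": [("list_dir", hook_list_dir), ("read_file", hook_read_file)],
    "T1486": [("write_file", hook_write_file)],
}


def deploy_playbook(host: Host, techniques: List[str]) -> List[str]:
    """Install the hooks for each technique found in the malicious sub-graph."""
    installed = []
    for tid in techniques:
        for api, hook in PLAYBOOK[tid]:
            setattr(host, api, hook(host, getattr(host, api)))
            installed.append(f"{tid}:{api}")
    return installed


def toy_ransomware(host: Host, directory: str) -> int:
    """Constructed malicious sub-graph: list -> read -> overwrite each file.
    Returns how many files the malware believes it encrypted."""
    encrypted = 0
    for path in host.list_dir(directory):
        data = host.read_file(path)
        host.write_file(path, bytes(b ^ 0x5A for b in data))
        encrypted += 1
    return encrypted


def run_scenario(deceived: bool) -> Tuple[Host, int]:
    """Run the toy ransomware against a plain or a deceived host."""
    host = Host()
    if deceived:
        deploy_playbook(host, ["T1083", "T1486"])
    return host, toy_ransomware(host, DOCS)
```

Running `run_scenario(True)` leaves `host.fs` identical to the original files, records one T1486 alert, and shows the malware believing it encrypted three files; `run_scenario(False)` overwrites both real files with no alert. The ordering trick (a decoy that sorts first) is what makes the early detection cheap here; a sample that walks directories in a different order would need decoys placed accordingly.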

Comprehensive evaluations validate the accuracy and effectiveness of these approaches in deceiving adversaries, reducing analysis time, and mitigating malware threats. This research contributes to the field of active cyber deception and offers efficient, scalable techniques for protecting digital systems against sophisticated adversaries.

Defense Date and Time: 
Thursday, July 20, 2023 - 1:30pm
Defense Location: 
https://charlotte-edu.zoom.us/j/96386204360?pwd=UWVhNGhKcmtqSjZsb0QwOERlNUVvUT09
Committee Chair's Name: 
Dr. Jinpeng Wei
Committee Members: 
Dr. Weichao Wang, Dr. Bei-Tseng Chu, Dr. Yasin Raja