Abstract

Cyber deception is a promising defense that can proactively mislead adversaries and offers a unique opportunity to engage with them in order to learn new attack tactics and techniques. Although cyber deception has been around for more than a decade, static configurations and the lack of automation have made many existing deception techniques easy for attackers to discover and too expensive to manage, which diminishes the value of this technology. Sophisticated Advanced Persistent Threats (APTs) are highly dynamic and therefore require a highly adaptive, embedded deception that can dynamically create honey resources and orchestrate the deception environment according to the adversary's behavior in real time. This paper presents a theoretical framework and implementation for an autonomous, goal-oriented cyber deception planner, called CHIMERA, that optimizes deception decision-making. CHIMERA agents can reside on any production machine or server and automatically create and orchestrate deception ploys that steer and mislead the malware or APT toward the desired goal without human interaction. The deception ploys are composed dynamically from the deception plan while ensuring safe yet fast deployment and orchestration of deceptive courses of action. We evaluated our deception framework against real APT attacks for information stealing, ransomware, Remote Access Trojans (RATs), and others. In these case studies with 4,578 real malware samples, we showed that CHIMERA's adversary-aware dynamic deception strategies were able to accomplish the deception goals effectively within a few seconds and at minimum cost.
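The abstract describes the planner only at the level of goals, observed adversary behavior and cost. The following is an added illustration, not the paper's code and not a description of how CHIMERA actually plans: it treats goal-oriented deception planning as a cheapest-path search, where the observed adversary stage on a host is the start state, each deception ploy moves the adversary to another stage at a deployment cost, and the planner returns the lowest-cost ploy chain that reaches the deception goal. Every stage name, ploy, cost and telemetry signal below is a constructed assumption.

```python
"""Illustrative goal-oriented deception planner (added example, not CHIMERA's code).

States are adversary stages as observed on a host, edges are deception ploys with
a deployment cost, and the planner returns the cheapest ploy chain that steers the
adversary from its current stage to the deception goal. Re-running plan() after a
new observation is how the plan adapts when the adversary deviates.
"""
import heapq

# Constructed ploy catalogue: (from_stage, to_stage, ploy_name, deployment_cost).
# The costs are arbitrary units standing in for time, resources and risk.
PLOYS = [
    ("discovery", "credential_access", "honey_credential_file", 2),
    ("discovery", "lateral_movement", "honey_share", 5),
    ("credential_access", "lateral_movement", "honey_account", 1),
    ("lateral_movement", "contained", "decoy_host", 3),
    ("exfiltration", "contained", "honey_document", 4),
    ("discovery", "contained", "decoy_host", 9),
]

# Constructed mapping from host telemetry signals to an adversary stage, listed
# from most to least advanced so the most advanced matching stage wins.
STAGE_SIGNALS = [
    ("exfiltration", {"large_outbound_transfer", "archive_created"}),
    ("lateral_movement", {"remote_service_created", "smb_logon_spray"}),
    ("credential_access", {"read_browser_passwords", "lsass_handle_opened"}),
    ("discovery", {"enumerate_files", "enumerate_shares", "query_system_info"}),
]


def classify(events):
    """Map a list of observed event names to the most advanced matching stage.

    Returns None when no known signal is present, so the caller can decide not
    to deploy anything rather than guessing.
    """
    seen = set(events)
    for stage, signals in STAGE_SIGNALS:
        if seen & signals:
            return stage
    return None


def build_graph(ploys):
    """Adjacency list: stage -> [(next_stage, ploy_name, cost), ...]."""
    graph = {}
    for src, dst, name, cost in ploys:
        graph.setdefault(src, []).append((dst, name, cost))
    return graph


def plan(observed_stage, goal, ploys=PLOYS):
    """Cheapest ploy chain from observed_stage to goal (Dijkstra over ploys).

    Returns (total_cost, [ploy names]) or (None, []) when the goal is unreachable
    from the observed stage with the available ploys.
    """
    graph = build_graph(ploys)
    frontier = [(0, observed_stage, [])]  # (cost so far, stage, ploys deployed)
    settled = set()
    while frontier:
        cost, stage, path = heapq.heappop(frontier)
        if stage in settled:
            continue
        settled.add(stage)
        if stage == goal:
            return cost, path
        for next_stage, name, step_cost in graph.get(stage, []):
            if next_stage not in settled:
                heapq.heappush(frontier, (cost + step_cost, next_stage, path + [name]))
    return None, []


def respond(events, goal="contained"):
    """Full cycle: classify telemetry, then plan the cheapest path to the goal."""
    stage = classify(events)
    if stage is None:
        return None, None, []
    cost, ploys = plan(stage, goal)
    return stage, cost, ploys


if __name__ == "__main__":
    # Constructed telemetry from a host where a sample is enumerating shares.
    observed = ["query_system_info", "enumerate_shares"]
    print(respond(observed))  # -> ('discovery', 6, ['honey_credential_file', 'honey_account', 'decoy_host'])
```

Because `plan()` is a pure function of the latest observed stage, an agent that re-classifies telemetry on every new event and re-plans gets adaptive behavior for free: if the sample skips the honey credentials and moves laterally on its own, the next call starts from `lateral_movement` and only the `decoy_host` ploy remains to be deployed.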
