Decoy Processes With Optimal Performance Fingerprints

Decoy targets such as honeypots and decoy I/O are characterized by a higher accuracy in detecting intrusions than anomaly, misuse, and specification-based detectors. Unlike these detectors, decoy targets do not attack an activity classification problem, i.e. they do not attempt to discern between normal activity and malicious activity. By design, decoy targets do not initiate system or network activity of their own, consequently any operation on a decoy target is unequivocally detected as malicious. However, we have found that this innate characteristic of decoy targets can be exploited by malware-initiated probes to detect them quite reliably. As a proof of concept, we describe red team tactics that collect and analyze live performance counters to detect decoy targets. To counter these threats on machines in production, we developed a defensive countermeasure that consists of decoy processes, with dynamics that are regulated and guarded by convolutional neural networks. Our deep learning approach characterizes and builds the performance fingerprint of a real process, which is then used to feed a performance profile into its decoy counterpart. Decoy processes emulate the existence of system activity, which is crafted to enable decoy I/O on machines in production to withstand malware probes. We evaluated the interplay between red team tactics and decoy processes integrated with a decoy Object Linking and Embedding for Process Control (OPC) server, and thus discuss our findings in the paper.