Automated defense against targeted attacks using suspiciousness tracking

Cloud ecosystems, technologies, and paradigms have transformed our world in recent years revolutionizing supply chains, healthcare, energy distribution, as well as our home functions. With everything in our lives so interconnected in these cloud systems, they are now prime targets for targeted attacks such as Advanced Persistent Threats (APTs). The targeted attacks lead to exposure of sensitive data (data exfiltration) as well as stolen computing resources (resource exfiltration). In this thesis, we present a novel methodology, which we call ADAPTs (Automated Defense of Advanced Persistent Threats), developed to assist in defending cloud systems against APTs. We show how ADAPTs can be extended to defend against other targeted attacks such as DDoS and cryptojacking. Using an open cloud testbed, we mimic multiple cloud systems, monitor network traffic between them, and generate a suspiciousness score for devices connected to said cloud networks. Using the suspiciousness scores, we demonstrate how we determine what work that device on the network is participating in, be it data exfiltration, resource exfiltration, or some other unwanted practice. Using these suspiciousness scores, we block the attacks while they are taking place and using pretense, continue to allow the attackers to believe their attack is successful. Our experimental results show how ADAPTs tricks attackers to continue to waste their own resources on an attack which is fruitless, while also protecting the targeted system by keeping the related services working as expected for actual users.