{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,10]],"date-time":"2026-01-10T03:55:07Z","timestamp":1768017307489,"version":"3.49.0"},"reference-count":50,"publisher":"MDPI AG","issue":"12","license":[{"start":{"date-parts":[[2024,12,4]],"date-time":"2024-12-04T00:00:00Z","timestamp":1733270400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Future Internet"],"abstract":"<jats:p>The current cybersecurity ecosystem is proving insufficient in today\u2019s increasingly sophisticated cyber attacks. Malware authors and intruders have pursued innovative avenues to circumvent emulated monitoring systems (EMSs) such as honeypots, virtual machines, sandboxes and debuggers to continue with their malicious activities while remaining inconspicuous. Cybercriminals are improving their ability to detect EMS, by finding indicators of deception (IoDs) to expose their presence and avoid detection. It is proving a challenge for security analysts to deploy and manage EMS to evaluate their deceptive capability. In this paper, we introduce the Hydrakon framework, which is composed of an EMS controller and several Linux and Windows 10 clients. The EMS controller automates the deployment and management of the clients and EMS for the purpose of measuring EMS deceptive capabilities. Experiments were conducted by applying custom detection vectors to client real machines, virtual machines and sandboxes, where various artifacts were extracted and stored as csv files on the EMS controller. The experiment leverages the cosine similarity metric to compare and identify similar artifacts between a real system and a virtual machine or sandbox. Our results show that Hydrakon offers a valid approach to assess the deceptive capabilities of EMS without the need to target specific IoD within the target system, thereby fostering more robust and effective emulated monitoring systems.<\/jats:p>","DOI":"10.3390\/fi16120455","type":"journal-article","created":{"date-parts":[[2024,12,4]],"date-time":"2024-12-04T04:47:22Z","timestamp":1733287642000},"page":"455","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":2,"title":["Hydrakon, a Framework for Measuring Indicators of Deception in Emulated Monitoring Systems"],"prefix":"10.3390","volume":"16","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-0656-1277","authenticated-orcid":false,"given":"Kon","family":"Papazis","sequence":"first","affiliation":[{"name":"Department of Computer Science and Information Technology, La Trobe University, Melbourne 3086, Australia"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5396-8897","authenticated-orcid":false,"given":"Naveen","family":"Chilamkurti","sequence":"additional","affiliation":[{"name":"Department of Computer Science and Information Technology, La Trobe University, Melbourne 3086, Australia"}]}],"member":"1968","published-online":{"date-parts":[[2024,12,4]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","unstructured":"You, I., and Yim, K. (2010, January 4\u20136). Malware obfuscation techniques: A brief survey. Proceedings of the 2010 International Conference on Broadband, Wireless Computing, Communication and Applications, Fukuoka, Japan.","DOI":"10.1109\/BWCCA.2010.85"},{"key":"ref_2","first-page":"100","article-title":"Challenge of malware analysis: Malware obfuscation techniques","volume":"7","author":"Singh","year":"2018","journal-title":"Int. J. Inf. Secur. Sci."},{"key":"ref_3","unstructured":"Kolbitsch, C. (2019, December 21). Evasive Malware Tricks. Available online: https:\/\/www.isaca.org\/Journal\/archives\/2017\/Volume-6\/Pages\/evasive-malware-tricks.aspx."},{"key":"ref_4","unstructured":"Cavalancia, N. (2019, October 14). Evasive Malware: The Enemy You Can\u2019t See. Available online: https:\/\/www.solarwindsmsp.com\/blog\/evasive-malware-enemy-you-cant-see."},{"key":"ref_5","unstructured":"Matsumoto, T., Kasama, T., Inoue, D., and Rossow, C. (2018). Evasive Malware via Identifier Implanting. Detection of Intrusions and Malware, and Vulnerability Assessment, Proceedings of the 15th International Conference, DIMVA 2018, Saclay, France, 28\u201329 June 2018, Springer. Proceedings."},{"key":"ref_6","unstructured":"Minerva Labser (2020, August 21). Evasive Malware\u2014How and Why your Anti-Malware Strategy Needs to Evolve. Available online: https:\/\/blog.minerva-labs.com\/evasive-malware-learning-by-example."},{"key":"ref_7","doi-asserted-by":"crossref","unstructured":"Jadhav, A., Vidyarthi, D., and Hemavathy, M. (2016, January 11\u201313). Evolution of evasive malwares: A survey. Proceedings of the 2016 International Conference on Computational Techniques in Information and Communication Technologies (ICCTICT), New Delhi, India.","DOI":"10.1109\/ICCTICT.2016.7514657"},{"key":"ref_8","doi-asserted-by":"crossref","first-page":"69","DOI":"10.1007\/s11416-017-0290-x","article-title":"Trends of anti-analysis operations of malwares observed in API call logs","volume":"14","author":"Oyama","year":"2018","journal-title":"J. Comput. Virol. Hacking Tech."},{"key":"ref_9","doi-asserted-by":"crossref","unstructured":"Bulazel, A., and Yener, B. (2017, January 16\u201317). A survey on automated dynamic malware analysis evasion and counter-evasion: Pc, mobile, and web. Proceedings of the 1st Reversing and Offensive-oriented Trends Symposium, Vienna, Austria.","DOI":"10.1145\/3150376.3150378"},{"key":"ref_10","doi-asserted-by":"crossref","unstructured":"Veerappan, C.S., Keong, P.L.K., Tang, Z., and Tan, F. (2018, January 5\u20138). Taxonomy on malware evasion countermeasures techniques. Proceedings of the 2018 IEEE 4th World Forum on Internet of Things (WF-IoT), Singapore.","DOI":"10.1109\/WF-IoT.2018.8355202"},{"key":"ref_11","unstructured":"CheckPointSW (2021, April 07). Invizzzible. Available online: https:\/\/github.com\/CheckPointSW\/InviZzzible."},{"key":"ref_12","unstructured":"Bremer, J. (2021, April 07). Vmcloak. Available online: https:\/\/github.com\/AdaptiveComputationLab\/vmcloak."},{"key":"ref_13","unstructured":"Ortega, A. (2021, May 25). Paranoid Fish. Available online: https:\/\/github.com\/a0rtega\/pafish."},{"key":"ref_14","unstructured":"LordNoteworthy (2021, May 25). Al-khaser. Available online: https:\/\/github.com\/LordNoteworthy\/al-khaser."},{"key":"ref_15","unstructured":"hfiref0x (2021, May 26). VMDE. Available online: https:\/\/github.com\/hfiref0x\/VMDE."},{"key":"ref_16","unstructured":"Kirat, D., Vigna, G., and Kruegel, C. (2014, January 20\u201322). BareCloud: Bare-metal analysis-based evasive malware detection. Proceedings of the 23rd USENIX Security Symposium (USENIX Security 14), San Diego, CA, USA."},{"key":"ref_17","doi-asserted-by":"crossref","unstructured":"Kirat, D., Vigna, G., and Kruegel, C. (2011, January 5\u20139). Barebox: Efficient malware analysis on bare-metal. Proceedings of the 27th Annual Computer Security Applications Conference, Orlando, FL, USA.","DOI":"10.1145\/2076732.2076790"},{"key":"ref_18","doi-asserted-by":"crossref","first-page":"19","DOI":"10.3390\/jcp1010003","article-title":"Investigating anti-evasion malware triggers using automated sandbox reconfiguration techniques","volume":"1","author":"Mills","year":"2020","journal-title":"J. Cybersecur. Priv."},{"key":"ref_19","unstructured":"Tascon Gutierrez, L. (2020). Malware Sandbox Deployment, Analysis and Development. [Master\u2019s Thesis, Universit\u00e9 catholique de Louvain]."},{"key":"ref_20","unstructured":"Rubio Ayala, S. (2022, September 04). An Automated Behaviour-Based Malware Analysis Method Based on Free Open Source Software. Available online: https:\/\/openaccess.uoc.edu\/bitstream\/10609\/66365\/7\/srubioayTFC0617memoria.pdf."},{"key":"ref_21","doi-asserted-by":"crossref","first-page":"945","DOI":"10.1587\/transinf.E92.D.945","article-title":"Automated malware analysis system and its sandbox for revealing malware\u2019s internal and external activities","volume":"92","author":"Inoue","year":"2009","journal-title":"IEICE Trans. Inf. Syst."},{"key":"ref_22","doi-asserted-by":"crossref","unstructured":"Chin, W., Markatos, E.P., Antonatos, S., and Ioannidis, S. (2009, January 19\u201321). HoneyLab: Large-scale honeypot deployment and resource sharing. Proceedings of the 2009 Third International Conference on Network and System Security, Gold Coast, QC, Australia.","DOI":"10.1109\/NSS.2009.65"},{"key":"ref_23","doi-asserted-by":"crossref","unstructured":"Fernandez, G., Nieto, A., and Lopez, J. (2017). Modeling Malware-driven Honeypots. Trust, Privacy and Security in Digital Business, Proceedings of the 14th International Conference, TrustBus 2017, Lyon, France, 30\u201331 August 2017, Springer. Proceedings 14.","DOI":"10.1007\/978-3-319-64483-7_9"},{"key":"ref_24","unstructured":"Kokolakis, G., Ntousakis, G., Karatsoris, I., Antonatos, S., Athanatos, M., and Ioannidis, S. (2022). HoneyChart: Automated Honeypot Management over Kubernetes. Computer Security. ESORICS 2022 International Workshops, Proceedings of the CyberICPS 2022, SECPRE 2022, SPOSE 2022, CPS4CIP 2022, CDT&SECOMANE 2022, EIS 2022, and SecAssure 2022, Copenhagen, Denmark, 26\u201330 September 2022, Springer. European Symposium on Research in Computer Security."},{"key":"ref_25","doi-asserted-by":"crossref","unstructured":"Musch, M., H\u00e4rterich, M., and Johns, M. (2018, January 27\u201330). Towards an automatic generation of low-interaction web application honeypots. Proceedings of the 13th International Conference on Availability, Reliability and Security, Hamburg, Germany.","DOI":"10.1145\/3230833.3230839"},{"key":"ref_26","doi-asserted-by":"crossref","unstructured":"Yu, T., Xin, Y., and Zhang, C. (2024). HoneyFactory: Container-Based Comprehensive Cyber Deception Honeynet Architecture. Electronics, 13.","DOI":"10.3390\/electronics13020361"},{"key":"ref_27","doi-asserted-by":"crossref","unstructured":"Xie, P., Lu, X., Wang, Y., Su, J., and Li, M. (2013). An automatic approach to detect anti-debugging in malware analysis. Trustworthy Computing and Services, Proceedings of the International Conference, ISCTCS 2012, Beijing, China, 28 May\u20132 June 2012, Springer. Revised Selected Papers.","DOI":"10.1007\/978-3-642-35795-4_55"},{"key":"ref_28","unstructured":"Ho, G., Boneh, D., Ballard, L., and Provos, N. (2014, January 19). Tick Tock: Building Browser Red Pills from Timing Side Channels. Proceedings of the 8th USENIX Conference on Offensive Technologies, San Diego, CA, USA."},{"key":"ref_29","first-page":"6","article-title":"A close look at a daily dataset of malware samples","volume":"22","author":"Graziano","year":"2019","journal-title":"ACM Trans. Priv. Secur. (TOPS)"},{"key":"ref_30","doi-asserted-by":"crossref","unstructured":"Lindorfer, M., Kolbitsch, C., and Milani Comparetti, P. (2011). Detecting environment-sensitive malware. Recent Advances in Intrusion Detection, Proceedings of the 14th International Symposium, RAID 2011, Menlo Park, CA, USA, 20\u201321 September 2011, Springer. Proceedings 14.","DOI":"10.1007\/978-3-642-23644-0_18"},{"key":"ref_31","unstructured":"Balzarotti, D., Cova, M., Karlberger, C., Kirda, E., Kruegel, C., and Vigna, G. (March, January 28). Efficient detection of split personalities in malware. Proceedings of the NDSS 2010, 17th Annual Network and Distributed System Security Symposium, San Diego, CA, USA."},{"key":"ref_32","doi-asserted-by":"crossref","unstructured":"Dinaburg, A., Royal, P., Sharif, M., and Lee, W. (2008, January 27\u201331). Ether: Malware analysis via hardware virtualization extensions. Proceedings of the 15th ACM Conference on Computer and Communications Security, Alexandria, VA, USA.","DOI":"10.1145\/1455770.1455779"},{"key":"ref_33","doi-asserted-by":"crossref","unstructured":"Lengyel, T.K., Maresca, S., Payne, B.D., Webster, G.D., Vogl, S., and Kiayias, A. (2014, January 8\u201312). Scalability, fidelity and stealth in the DRAKVUF dynamic malware analysis system. Proceedings of the 30th Annual Computer Security Applications Conference, New Orleans, LA, USA.","DOI":"10.1145\/2664243.2664252"},{"key":"ref_34","unstructured":"Spitzner, L. (2002). Honeypots: Tracking Hackers, Addison-Wesley Longman Publishing Co., Inc."},{"key":"ref_35","unstructured":"Provos, N. (2003, January 4). Honeyd-a virtual honeypot daemon. Proceedings of the 10th DFN-CERT Workshop, Hamburg, Germany."},{"key":"ref_36","unstructured":"Haig, L. (2021, March 08). LaBrea\u2014A New Approach To Securing Our Networks. Available online: https:\/\/www.giac.org\/paper\/gsec\/1895\/labrea-approach-securing-networks\/103112."},{"key":"ref_37","unstructured":"DinoTools (2021, April 05). Dionaea\u2014Catches Bugs. Available online: https:\/\/github.com\/DinoTools\/dionaea."},{"key":"ref_38","doi-asserted-by":"crossref","first-page":"181","DOI":"10.1007\/s11416-008-0096-y","article-title":"Measuring virtual machine detection in malware using DSD tracer","volume":"6","author":"Lau","year":"2010","journal-title":"J. Comput. Virol."},{"key":"ref_39","first-page":"8","article-title":"Virtualization with kvm","volume":"2008","author":"Habib","year":"2008","journal-title":"Linux J."},{"key":"ref_40","first-page":"1","article-title":"Virtualbox: Bits and bytes masquerading as machines","volume":"2008","author":"Watson","year":"2008","journal-title":"Linux J."},{"key":"ref_41","unstructured":"Cuckoo Foundation (2021, May 18). Cuckoo. Available online: https:\/\/cuckoosandbox.org\/index.html."},{"key":"ref_42","unstructured":"Sikorski, M., and Honig, A. (2012). Practical Malware Analysis: The Hands-on Guide to Dissecting Malicious Software, No Starch Press."},{"key":"ref_43","doi-asserted-by":"crossref","unstructured":"Gao, S., and Lin, Q. (2011, January 9\u201310). Debugging classification and anti-debugging strategies. Proceedings of the Fourth International Conference on Machine Vision (ICMV 2011): Computer Vision and Image Analysis; Pattern Recognition and Basic Technologies, Singapore.","DOI":"10.1117\/12.924835"},{"key":"ref_44","unstructured":"Solutions, P.S. (2022, March 04). Proxmox Virtual Environment. Available online: https:\/\/www.proxmox.com\/en\/proxmox-virtual-environment\/overview."},{"key":"ref_45","unstructured":"Syperski, C., and Zhang, J. (2019, October 04). FOG Project. Available online: https:\/\/fogproject.org\/."},{"key":"ref_46","unstructured":"Hashicorp (2020, January 21). Install Vagrant. Available online: https:\/\/developer.hashicorp.com\/vagrant\/docs\/installation."},{"key":"ref_47","unstructured":"Hashicorp (2020, January 12). Automate Image Builds with Packer. Available online: https:\/\/www.packer.io\/."},{"key":"ref_48","doi-asserted-by":"crossref","unstructured":"Herzog, C., Tong, V.V.T., Wilke, P., Van Straaten, A., and Lanet, J.-L. (2020). Evasive Windows Malware: Impact on Antiviruses and Possible Countermeasures. arXiv.","DOI":"10.5220\/0009816703020309"},{"key":"ref_49","first-page":"126","article-title":"Malware dynamic analysis evasion techniques: A survey","volume":"52","author":"Afianian","year":"2019","journal-title":"ACM Comput. Surv. (CSUR)"},{"key":"ref_50","unstructured":"Rahutomo, F., Kitasuka, T., and Aritsugi, M. (2012, January 29\u201330). Semantic cosine similarity. Proceedings of the 7th International Student Conference on Advanced Science and Technology ICAST, Seoul, Republic of Korea."}],"container-title":["Future Internet"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/1999-5903\/16\/12\/455\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,10]],"date-time":"2025-10-10T16:46:33Z","timestamp":1760114793000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/1999-5903\/16\/12\/455"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,12,4]]},"references-count":50,"journal-issue":{"issue":"12","published-online":{"date-parts":[[2024,12]]}},"alternative-id":["fi16120455"],"URL":"https:\/\/doi.org\/10.3390\/fi16120455","relation":{},"ISSN":["1999-5903"],"issn-type":[{"value":"1999-5903","type":"electronic"}],"subject":[],"published":{"date-parts":[[2024,12,4]]}}}