NORMA eResearch @NCI Library

Automating Adaptive Deception in Endpoint Detection and Response Systems and Optimizing Decoy Placement

Thomas, Devyesh Jayhan (2025) Automating Adaptive Deception in Endpoint Detection and Response Systems and Optimizing Decoy Placement. Masters thesis, Dublin, National College of Ireland.

PDF (Master of Science)
PDF (Configuration Manual)

Abstract

The increasing complexity of cyber threats requires proactive and adaptive defense mechanisms that mislead attackers while still protecting critical assets. This research explores an adaptive cyber deception framework tuned for Endpoint Detection and Response (EDR) systems, aimed at improving detection coverage and detection time without degrading system performance. The framework deploys context-aware decoys, such as false credentials, configuration files and scripts, dynamically, based on risk scores calculated from simulated threat logs mapped to the MITRE ATT&CK framework. The risk-scoring model weights asset criticality and attack severity, allowing targeted placement of decoys.

The implementation was simulated with three Python scripts that generate and process synthetic datasets, producing risk scores, decoy mappings, and attacker–decoy interaction logs in CSV format. The DeTTECT framework was used to measure detection coverage and visibility and to benchmark simulated performance across tools such as Sysmon, Zeek, ELK and Canarytokens. Results indicate high mapping accuracy, a consistent detection rate and scalability in the simulated environment, while acknowledging the limitations of real-world variability and the absence of a live deployment.
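The risk-scoring and decoy-mapping step described above, as an added worked example in Python that is not the thesis's own scripts: the threat-log rows, the criticality and severity weights (0.6/0.4), the normalisation, the placement threshold, the technique-to-decoy table and the interaction log are all assumptions chosen for illustration, since the abstract states only that the model weights asset criticality and attack severity and that results are exchanged as CSV.

```python
"""Risk-scored decoy placement over simulated threat logs.

Added illustration, not the thesis's own code. Every weight, threshold,
mapping and sample row below is an assumption made for the example.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass

# Constructed sample threat log (assumed columns): each simulated event is
# already tagged with a MITRE ATT&CK technique ID and an asset criticality 1-5.
SAMPLE_THREAT_LOG = """\
host,asset_criticality,technique_id,severity
fin-db-01,5,T1003,high
hr-ws-12,2,T1059.001,medium
dev-jump-03,4,T1552.001,high
mkt-ws-07,1,T1083,low
"""

# Constructed attacker-decoy interaction log (assumed columns).
SAMPLE_INTERACTIONS = """\
host,decoy_type,attacker_touched
fin-db-01,false_credentials,1
dev-jump-03,config_file,0
hr-ws-12,script,1
"""

SEVERITY_WEIGHT = {"low": 1, "medium": 2, "high": 3}  # assumed ordinal scale
DEFAULT_SEVERITY = 1                                  # unknown severity -> low

# Assumed technique-family -> decoy-type mapping: the decoy is placed on the
# path the technique exercises (credential dumping gets fake credentials, etc.).
TECHNIQUE_DECOY = {
    "T1003": "false_credentials",  # OS Credential Dumping
    "T1552": "config_file",        # Unsecured Credentials in files
    "T1059": "script",             # Command and Scripting Interpreter
    "T1083": "config_file",        # File and Directory Discovery
}


@dataclass
class DecoyPlan:
    host: str
    technique_id: str
    risk_score: float
    decoy_type: str


def risk_score(asset_criticality: int, severity: str,
               w_asset: float = 0.6, w_sev: float = 0.4) -> float:
    """Weighted sum of normalised asset criticality (1-5) and severity (1-3).

    Result lies in [0, 1]; the 0.6/0.4 weights are an assumption.
    """
    crit = max(1, min(5, asset_criticality)) / 5
    sev = SEVERITY_WEIGHT.get(severity.lower(), DEFAULT_SEVERITY) / 3
    return round(w_asset * crit + w_sev * sev, 3)


def decoy_for(technique_id: str) -> str:
    """Map a technique (or sub-technique such as T1059.001) to a decoy type."""
    family = technique_id.split(".")[0]
    return TECHNIQUE_DECOY.get(family, "script")  # assumed fallback decoy


def plan_decoys(csv_text: str, threshold: float = 0.5) -> list[DecoyPlan]:
    """Score each event and keep hosts at or above the placement threshold,
    highest risk first, so decoys go where they matter most."""
    plans = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        score = risk_score(int(row["asset_criticality"]), row["severity"])
        if score >= threshold:
            plans.append(DecoyPlan(row["host"], row["technique_id"], score,
                                   decoy_for(row["technique_id"])))
    plans.sort(key=lambda p: p.risk_score, reverse=True)
    return plans


def to_csv(plans: list[DecoyPlan]) -> str:
    """Serialise the decoy mapping as CSV for the next script in the pipeline."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["host", "technique_id", "risk_score", "decoy_type"])
    for p in plans:
        writer.writerow([p.host, p.technique_id, p.risk_score, p.decoy_type])
    return out.getvalue()


def detection_rate(interactions_csv: str) -> float:
    """Share of placed decoys the simulated attacker touched (0 if no rows)."""
    rows = list(csv.DictReader(io.StringIO(interactions_csv)))
    if not rows:
        return 0.0
    touched = sum(int(r["attacker_touched"]) for r in rows)
    return round(touched / len(rows), 3)


if __name__ == "__main__":
    print(to_csv(plan_decoys(SAMPLE_THREAT_LOG)))
    print("detection rate:", detection_rate(SAMPLE_INTERACTIONS))
```

With the assumed weights, the low-criticality workstation hit by a low-severity discovery technique falls below the threshold and gets no decoy, while the database host under credential dumping scores highest and receives false credentials; raising or lowering `threshold` is the knob that trades decoy count against coverage.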

The study finds that adaptive, risk-based decoy deployment is a promising addition to EDR systems, especially when combined with real-time threat intelligence and evolving mapping approaches. Future work will centre on operational testing, performance optimisation and automated adaptation to changing adversary behaviour.

Item Type: Thesis (Masters)
Supervisors: Pantridge, Michael (email unspecified)
Subjects: Q Science > QA Mathematics > Electronic computers. Computer science
T Technology > T Technology (General) > Information Technology > Electronic computers. Computer science
Q Science > QA Mathematics > Computer software > Computer Security
T Technology > T Technology (General) > Information Technology > Computer software > Computer Security
Divisions: School of Computing > Master of Science in Cyber Security
Depositing User: Ciara O'Brien
Date Deposited: 17 Jun 2026 09:29
Last Modified: 17 Jun 2026 09:29
URI: https://norma.ncirl.ie/id/eprint/9381
