Behavioral User-driven Deceptive Activities Framework
Project description
BUDA
Behavioral User-driven Deceptive Activities
📖 Table of Contents
ℹ️ About
BUDA is a cutting-edge experimental cybersecurity solution designed to automate the simulation of realistic user behaviors within decoy environments.
By integrating:
✅ Strategic narratives
✅ Dynamic user profiles
✅ Automated activity simulation
BUDA models credible decoys that mislead attackers and strengthen defense mechanisms.
It recreates normal activity patterns in your environment, enhancing deception strategies through the generation of automated and realistic digital footprints.
🚀 Features
- Extract context from Windows EVTX Logs
- Narrative Management
- User Profiles Management
- Activity generation engine
- LLM Integration for Assisted Generation
- Narrative-Driven Deception
🛠️ Installation & Setup
1️⃣ Create a Virtual Environment
python3 -m venv venv
source venv/bin/activate # On Windows: venv\Scripts\activate
2️⃣ Clone & Install BUDA package
pip install BUDA
Or manually clone it
git clone https://github.com/Base4Security/BUDA.git
cd BUDA
pip install .
3️⃣ Verify the installation
python -c "import BUDA;"
buda --version
4️⃣ Start BUDA
python run.py
Here you have your first run.py code for BUDA execution:
from BUDA import start
app = start()
if __name__ == '__main__':
app.run(debug=True)
Now, visit http://127.0.0.1:5000/ in your browser and enjoy!
🔥 How It Works
BUDA operates by simulating realistic user behaviors within a decoy environment to enhance cyber deception strategies. It achieves this through the orchestration of several key components working in concert.
🛠 Process Breakdown
📌 Context Integration
The process begins by integrating real-world environmental data into BUDA through the Global Context. This involves uploading EVTX logs to extract information such as:
- Usernames
- IP addresses
- Device names
These details influence all aspects of activity creation and command execution. The Global Context serves as the foundation for generating realistic simulations.
📖 Narrative Definition
Next, you define Narratives, which act as the strategic backbone of the deception operation. A narrative outlines:
- Operational goals (e.g., diverting attacks, enabling early detection)
- Simulated user profiles participating in the deception
- Attacker profile expectations
- Deception activities (fake resources)
By setting a similarity threshold, you can control how closely the simulated behavior mimics real user activity.
👤 User Profile Creation
With a narrative in place, you configure User Profiles, representing simulated identities. These profiles mimic real users by defining attributes such as:
- Name and role
- Behavioral patterns (work hours, application usage)
- WinRM server details for executing activities
Profiles can be created manually or generated with Language Models (LLMs). Each profile is linked to one or more narratives, defining its role in deception operations.
🎭 Activity Simulation
BUDA then simulates user actions through Activities, creating a credible digital footprint. Activities are defined by:
- Action types (e.g., browsing, logins, file access)
- Action details (e.g., target file, URL)
- Assigned user profiles performing the activity
You can manually create custom activity sequences or use LLM-assisted generation to design effective deception strategies.
🤖 LLM Assistance
Throughout the process, BUDA leverages Language Models (LLMs) for realistic and contextually relevant data generation. You can configure the LLM provider (OpenAI or LM Studio) and the specific model in the BUDA settings.
🚀 Execution and Monitoring
Once narratives, user profiles, and activities are configured, BUDA executes the simulated actions. The resulting activity traces aim to:
- Create a realistic but deceptive environment
- Monitor interactions with decoy elements
- Achieve early detection of adversaries
- Divert attacker attention from real assets
- Calibrate and validate monitoring systems
🔎 Summary
BUDA populates a believable environment with fake user identities engaging in normal-looking activities, making it harder for attackers to distinguish between real and decoy systems. This approach enhances cyber defense by:
✅ Providing early warnings
✅ Diverting threats
✅ Refining deception tactics
Want to contribute? Check out our Contributing Guide to learn how to get involved and make an impact! 🚀
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file BUDA-1.0.0.tar.gz.
File metadata
- Download URL: BUDA-1.0.0.tar.gz
- Upload date:
- Size: 326.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.11.0
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
aaa8c90da1f88796cae89a9761ade35271bc13fc3d2dd0af6ffbbce9acc669fc
|
|
| MD5 |
ecb9d6cbca14b46bcd607ce1c1023d06
|
|
| BLAKE2b-256 |
14cbc566fdc7a7aa2ba5afea4563bb70e057d9fa2733bcb889a3647e6a3071df
|
File details
Details for the file BUDA-1.0.0-py3-none-any.whl.
File metadata
- Download URL: BUDA-1.0.0-py3-none-any.whl
- Upload date:
- Size: 74.6 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.11.0
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
16e944be20853b1f2b196360f944a287a75dad5365bb8f3b1c8f8401cfc1ccfb
|
|
| MD5 |
c008e35466950a7ba27fb906147fecaf
|
|
| BLAKE2b-256 |
d34d44682890af2700fda801b8a753f1a12646ddff7cec095cd9c3265fe985d4
|
