Abstract
Increased cloud adoption in healthcare has amplified ransomware and malware threats, accounting for 19% of global breaches in 2024. Despite this, the behavior of attackers exploiting healthcare systems remains under-explored in academic literature. This paper addresses this gap by deploying a scalable and stealthy deception network tailored to healthcare environments. The network comprises 30 real-world vulnerable healthcare web applications, mimicking domain-specific workflows, such as patient registration and billing, across multicloud infrastructures. We utilized ATTACK-BERT to generate semantic embeddings and co-regularized spectral clustering with normalized cuts to analyze multi-protocol attack data. Our approach uncovered nuanced attack patterns, including regional and protocol-specific variations, the exploitation of healthcare-specific protocols such as HL7, and the use of encryption to evade detection. A comparative sub-study revealed that attackers exhibit deliberate engagement with vulnerable systems, underscoring the importance of deception strategies in security frameworks. By focusing on attacker behavior in healthcare-specific environments, this study establishes a foundation for integrating deception-based defenses into critical infrastructure security, addressing emerging threats with precision.
Original language | English |
---|---|
Pages | 1-21 |
Number of pages | 21 |
Publication status | Submitted - 15 May 2025 |
Event | International Symposium on Research in Attacks, Intrusions, and Defenses - Gold Coast, Australia; Duration: 19 Oct 2025 → 22 Oct 2025; Conference number: 28; https://raid2025.github.io/ |
Conference
Conference | International Symposium on Research in Attacks, Intrusions, and Defenses |
---|---|
Abbreviated title | RAID |
Country/Territory | Australia |
City | Gold Coast |
Period | 19/10/25 → 22/10/25 |
Internet address |