Eric Nunes,Paulo Shakarian,Gerardo I. Simari,Andrew Ruef

DOI: https://doi.org/10.48550/arXiv.1607.02171

2016-07-08

Abstract:A major challenge in cyber-threat analysis is combining information from different sources to find the person or the group responsible for the cyber-attack. It is one of the most important technical and policy challenges in cyber-security. The lack of ground truth for an individual responsible for an attack has limited previous studies. In this paper, we take a first step towards overcoming this limitation by building a dataset from the capture-the-flag event held at DEFCON, and propose an argumentation model based on a formal reasoning framework called DeLP (Defeasible Logic Programming) designed to aid an analyst in attributing a cyber-attack. We build models from latent variables to reduce the search space of culprits (attackers), and show that this reduction significantly improves the performance of classification-based approaches from 37% to 62% in identifying the attacker.

Artificial Intelligence

Georgel Savin,Ammar Asseri,Josiah Dykstra,Jonathan Goohs,Anthony Melarano,William Casey

DOI: https://doi.org/10.1145/3607505.3607524

2023-07-20

Abstract:Industry standard frameworks are now widespread for labeling the high-level stages and granular actions of attacker and defender behavior in cyberspace. While these labels are used for atomic actions, and to some extent for sequences of actions, there remains a need for labeled data from realistic full-scale attacks. This data is valuable for better understanding human actors' decisions, behaviors, and individual attributes. The analysis could lead to more effective attribution and disruption of attackers. We present a methodological approach and exploratory case study for systematically analyzing human behavior during a cyber offense/defense capture-the-flag (CTF) game. We describe the data collection and analysis to derive a metric called keystroke accuracy. After collecting players' commands, we label them using the MITRE ATT&CK framework using a new tool called Pathfinder. We present results from preliminary analysis of participants' keystroke accuracy and its relation to score outcome in CTF games. We describe frequency of action classification within the MITRE ATT&CK framework and discuss some of the mathematical trends suggested by our observations. We conclude with a discussion of extensions for the methodology, including performance evaluation during games and the potential use of this methodology for training artificial intelligence.

Cryptography and Security

Paulo Shakarian,Gerardo I. Simari,Geoffrey Moores,Simon Parsons,Marcelo A. Falappa

DOI: https://doi.org/10.48550/arXiv.1404.6699

2014-04-27

Abstract:Attributing a cyber-operation through the use of multiple pieces of technical evidence (i.e., malware reverse-engineering and source tracking) and conventional intelligence sources (i.e., human or signals intelligence) is a difficult problem not only due to the effort required to obtain evidence, but the ease with which an adversary can plant false evidence. In this paper, we introduce a formal reasoning system called the InCA (Intelligent Cyber Attribution) framework that is designed to aid an analyst in the attribution of a cyber-operation even when the available information is conflicting and/or uncertain. Our approach combines argumentation-based reasoning, logic programming, and probabilistic models to not only attribute an operation but also explain to the analyst why the system reaches its conclusions.

Cryptography and Security,Artificial Intelligence,Logic in Computer Science

Edward A. Cranford,Cleotilde Gonzalez,Palvi Aggarwal,Milind Tambe,Sarah Cooney,Christian Lebiere

DOI: https://doi.org/10.1111/cogs.13013

IF: 2.617

2021-07-01

Cognitive Science

Abstract:<p>This work is an initial step toward developing a cognitive theory of cyber deception. While widely studied, the psychology of deception has largely focused on physical cues of deception. Given that present-day communication among humans is largely electronic, we focus on the cyber domain where physical cues are unavailable and for which there is less psychological research. To improve cyber defense, researchers have used signaling theory to extended algorithms developed for the optimal allocation of limited defense resources by using deceptive signals to trick the human mind. However, the algorithms are designed to protect against adversaries that make perfectly rational decisions. In behavioral experiments using an abstract cybersecurity game (i.e., Insider Attack Game), we examined human decision-making when paired against the defense algorithm. We developed an instance-based learning (IBL) model of an attacker using the Adaptive Control of Thought-Rational (ACT-R) cognitive architecture to investigate how humans make decisions under deception in cyber-attack scenarios. Our results show that the defense algorithm is more effective at reducing the probability of attack and protecting assets when using deceptive signaling, compared to no signaling, but is less effective than predicted against a perfectly rational adversary. Also, the IBL model replicates human attack decisions accurately. The IBL model shows how human decisions arise from experience, and how memory retrieval dynamics can give rise to cognitive biases, such as confirmation bias. The implications of these findings are discussed in the perspective of informing theories of deception and designing more effective signaling schemes that consider human bounded rationality.</p>

psychology, experimental

Jacob Quibell

2024-05-19

Abstract:Cybercrime is estimated to cost the global economy almost \$10 trillion annually and with businesses and governments reporting an ever-increasing number of successful cyber-attacks there is a growing demand to rethink the strategy towards cyber security. The traditional, perimeter security approach to cyber defence has so far proved inadequate to combat the growing threat of cybercrime. Cyber deception offers a promising alternative by creating a dynamic defence environment. Deceptive techniques aim to mislead attackers, diverting them from critical assets whilst simultaneously gathering cyber threat intelligence on the threat actor. This article presents a proof-of-concept (POC) cyber deception system that has been developed to capture the profile of an attacker in-situ, during a simulated cyber-attack in real time. By dynamically and autonomously generating deception material based on the observed attacker behaviour and analysing how the attacker interacts with the deception material, the system outputs a prediction on the attacker's motive. The article also explores how this POC can be expanded to infer other features of the attacker's profile such as psychological characteristics. By dynamically and autonomously generating deception material based on observed attacker behaviour and analysing how the attacker interacts with the deception material, the system outputs a prediciton on the attacker's motive. The article also explores how this POC can be expanded to infer other features of the attacker's profile such as psychological characteristics.

Cryptography and Security

Yinan Hu,Quanyan Zhu

2023-09-23

Abstract:The concept of cyber deception has been receiving emerging attention. The development of cyber defensive deception techniques requires interdisciplinary work, among which cognitive science plays an important role. In this work, we adopt a signaling game framework between a defender and a human agent to develop a cyber defensive deception protocol that takes advantage of the cognitive biases of human decision-making using quantum decision theory to combat insider attacks (IA). The defender deceives an inside human attacker by luring him to access decoy sensors via generators producing perceptions of classical signals to manipulate the human attacker's psychological state of mind. Our results reveal that even without changing the classical traffic data, strategically designed generators can result in a worse performance for defending against insider attackers in identifying decoys than the ones in the deceptive scheme without generators, which generate random information based on input signals. The proposed framework leads to fundamental theories in designing more effective signaling schemes.

Cryptography and Security

Palvi Aggarwal,Yinuo Du,Kuldeep Singh,Cleotilde Gonzalez

DOI: https://doi.org/10.48550/arXiv.2108.11037

2021-08-25

Abstract:One of the widely used cyber deception techniques is decoying, where defenders create fictitious machines (i.e., honeypots) to lure attackers. Honeypots are deployed to entice attackers, but their effectiveness depends on their configuration as that would influence whether attackers will judge them as "real" machines or not. In this work, we study two-sided deception, where we manipulate the observed configuration of both honeypots and real machines. The idea is to improve cyberdefense by either making honeypots ``look like'' real machines or by making real machines ``look like honeypots.'"We identify the modifiable features of both real machines and honeypots and conceal these features to different degrees. In an experiment, we study three conditions: default features on both honeypot and real machines, concealed honeypots only, and concealed both honeypots and real machines. We use a network with 40 machines where 20 of them are honeypots. We manipulate the features of the machines, and using an experimental testbed (HackIT), we test the effectiveness of the decoying strategies against humans attackers. Results indicate that: Any of the two forms of deception (conceal honeypots and conceal both honeypots and real machines) is better than no deception at all. We observe that attackers attempted more exploits on honeypots and exfiltrated more data from honeypots in the two forms of deception conditions. However, the attacks on honeypots and data exfiltration were not different within the deception conditions. Results inform cybersecurity defenders on how to manipulate the observable features of honeypots and real machines to create uncertainty for attackers and improve cyberdefense.

Cryptography and Security

Sang-Yoon Chang,Kay Yoon,Simeon Wuthier,Kelei Zhang

DOI: https://doi.org/10.48550/arXiv.2206.08971

2022-06-17

Computers and Society

Abstract:Team collaboration among individuals with diverse sets of expertise and skills is essential for solving complex problems. As part of an interdisciplinary effort, we studied the effects of Capture the Flag (CTF) game, a popular and engaging education/training tool in cybersecurity and engineering, in enhancing team construction and collaboration. We developed a framework to incorporate CTF as part of a computer-human process for expertise recognition and role assignment and evaluated and tested its effectiveness through a study with cybersecurity students enrolled in a Virtual Teams course. In our computer-human process framework, the post-CTF algorithm using the CTF outcomes assembles the team (assigning individuals to teams) and provides the initial role assignments, which then gets updated by human-based team discussions. This paper shares our insights, design choices/rationales, and analyses of our CTF-incorporated computer-human process framework. The students' evaluations revealed that the computer-human process framework was helpful in learning about their team members' backgrounds and expertise and assigning roles accordingly made a positive impact on the learning outcomes for the team collaboration skills in the course. This experience report showcases the utility of CTF as a tool for expertise recognition and role assignments in teams and highlights the complementary roles of CTF-based and discussion-based processes for an effective team collaboration among engineering students.

Erich Walter,Kimberly Ferguson-Walter,Ahmad Ridley

DOI: https://doi.org/10.48550/arXiv.2108.13980

2021-09-01

Abstract:Deceptive elements, including honeypots and decoys, were incorporated into the Microsoft CyberBattleSim experimentation and research platform. The defensive capabilities of the deceptive elements were tested using reinforcement learning based attackers in the provided capture the flag environment. The attacker's progress was found to be dependent on the number and location of the deceptive elements. This is a promising step toward reproducibly testing attack and defense algorithms in a simulated enterprise network with deceptive defensive elements.

Cryptography and Security,Artificial Intelligence

Jeffrey Pawlick,Edward Colbert,Quanyan Zhu

DOI: https://doi.org/10.1145/3337772

IF: 16.6

2020-07-31

ACM Computing Surveys

Abstract:Cyberattacks on both databases and critical infrastructure have threatened public and private sectors. Ubiquitous tracking and wearable computing have infringed upon privacy. Advocates and engineers have recently proposed using defensive deception as a means to leverage the information asymmetry typically enjoyed by attackers as a tool for defenders. The term deception, however, has been employed broadly and with a variety of meanings. In this article, we survey 24 articles from 2008 to 2018 that use game theory to model defensive deception for cybersecurity and privacy. Then, we propose a taxonomy that defines six types of deception: perturbation, moving target defense, obfuscation, mixing, honey-x, and attacker engagement. These types are delineated by their information structures, agents, actions, and duration: precisely concepts captured by game theory. Our aims are to rigorously define types of defensive deception, to capture a snapshot of the state of the literature, to provide a menu of models that can be used for applied research, and to identify promising areas for future work. Our taxonomy provides a systematic foundation for understanding different types of defensive deception commonly encountered in cybersecurity and privacy.

computer science, theory & methods

Karan Sikka,Indranil Sur,Susmit Jha,Anirban Roy,Ajay Divakaran

DOI: https://doi.org/10.48550/arXiv.2012.02275

2020-12-04

Abstract:We target the problem of detecting Trojans or backdoors in DNNs. Such models behave normally with typical inputs but produce specific incorrect predictions for inputs poisoned with a Trojan trigger. Our approach is based on a novel observation that the trigger behavior depends on a few ghost neurons that activate on trigger pattern and exhibit abnormally higher relative attribution for wrong decisions when activated. Further, these trigger neurons are also active on normal inputs of the target class. Thus, we use counterfactual attributions to localize these ghost neurons from clean inputs and then incrementally excite them to observe changes in the model's accuracy. We use this information for Trojan detection by using a deep set encoder that enables invariance to the number of model classes, architecture, etc. Our approach is implemented in the TrinityAI tool that exploits the synergies between trustworthiness, resilience, and interpretability challenges in deep learning. We evaluate our approach on benchmarks with high diversity in model architectures, triggers, etc. We show consistent gains (+10%) over state-of-the-art methods that rely on the susceptibility of the DNN to specific adversarial attacks, which in turn requires strong assumptions on the nature of the Trojan attack.

Machine Learning,Artificial Intelligence,Computer Vision and Pattern Recognition,Information Theory

Valdemar Švábenský,Pavel Čeleda,Jan Vykopal,Silvia Brišáková

DOI: https://doi.org/10.1016/j.cose.2020.102154

2021-01-05

Abstract:Capture the Flag challenges are a popular form of cybersecurity education, where students solve hands-on tasks in an informal, game-like setting. The tasks feature diverse assignments, such as exploiting websites, cracking passwords, and breaching unsecured networks. However, it is unclear how the skills practiced by these challenges match formal cybersecurity curricula defined by security experts. We explain the significance of Capture the Flag challenges in cybersecurity training and analyze their 15,963 textual solutions collected since 2012. Based on keywords in the solutions, we map them to well-established ACM/IEEE curricular guidelines to understand which skills the challenges teach. We study the distribution of cybersecurity topics, their variance in different challenge formats, and their development over the past years. The analysis showed the prominence of technical knowledge about cryptography and network security, but human aspects, such as social engineering and cybersecurity awareness, are neglected. We discuss the implications of these results and relate them to contemporary literature. Our results indicate that future Capture the Flag challenges should include non-technical aspects to address the current advanced cyber threats and attract a broader audience to cybersecurity.

Cryptography and Security

Pedro Beltran Lopez,Pantaleone Nespoli,Manuel Gil Perez

2024-02-20

Abstract:Cybersecurity is developing rapidly, and new methods of defence against attackers are appearing, such as Cyber Deception (CYDEC). CYDEC consists of deceiving the enemy who performs actions without realising that he/she is being deceived. This article proposes designing, implementing, and evaluating a deception mechanism based on the stealthy redirection of TCP communications to an on-demand honey server with the same characteristics as the victim asset, i.e., it is a clone. Such a mechanism ensures that the defender fools the attacker, thanks to stealth redirection. In this situation, the attacker will focus on attacking the honey server while enabling the recollection of relevant information to generate threat intelligence. The experiments in different scenarios show how the proposed solution can effectively redirect an attacker to a copied asset on demand, thus protecting the real asset. Finally, the results obtained by evaluating the latency times ensure that the redirection is undetectable by humans and very difficult to detect by a machine.

Cryptography and Security,Networking and Internet Architecture,Performance,Systems and Control

Umara Noor,Sawera Shahid,Rimsha Kanwal,Zahid Rashid

2023-07-17

Abstract:Cyber threat attribution is the process of identifying the actor of an attack incident in cyberspace. An accurate and timely threat attribution plays an important role in deterring future attacks by applying appropriate and timely defense mechanisms. Manual analysis of attack patterns gathered by honeypot deployments, intrusion detection systems, firewalls, and via trace-back procedures is still the preferred method of security analysts for cyber threat attribution. Such attack patterns are low-level Indicators of Compromise (IOC). They represent Tactics, Techniques, Procedures (TTP), and software tools used by the adversaries in their campaigns. The adversaries rarely re-use them. They can also be manipulated, resulting in false and unfair attribution. To empirically evaluate and compare the effectiveness of both kinds of IOC, there are two problems that need to be addressed. The first problem is that in recent research works, the ineffectiveness of low-level IOC for cyber threat attribution has been discussed intuitively. An empirical evaluation for the measure of the effectiveness of low-level IOC based on a real-world dataset is missing. The second problem is that the available dataset for high-level IOC has a single instance for each predictive class label that cannot be used directly for training machine learning models. To address these problems in this research work, we empirically evaluate the effectiveness of low-level IOC based on a real-world dataset that is specifically built for comparative analysis with high-level IOC. The experimental results show that the high-level IOC trained models effectively attribute cyberattacks with an accuracy of 95% as compared to the low-level IOC trained models where accuracy is 40%.

Cryptography and Security,Machine Learning

Li Zhang,Vrizlynn L. L. Thing

DOI: https://doi.org/10.1016/j.cose.2021.102288

2021-04-08

Abstract:Deception techniques have been widely seen as a game changer in cyber defense. In this paper, we review representative techniques in honeypots, honeytokens, and moving target defense, spanning from the late 1980s to the year 2021. Techniques from these three domains complement with each other and may be leveraged to build a holistic deception based defense. However, to the best of our knowledge, there has not been a work that provides a systematic retrospect of these three domains all together and investigates their integrated usage for orchestrated deceptions. Our paper aims to fill this gap. By utilizing a tailored cyber kill chain model which can reflect the current threat landscape and a four-layer deception stack, a two-dimensional taxonomy is developed, based on which the deception techniques are classified. The taxonomy literally answers which phases of a cyber attack campaign the techniques can disrupt and which layers of the deception stack they belong to. Cyber defenders may use the taxonomy as a reference to design an organized and comprehensive deception plan, or to prioritize deception efforts for a budget conscious solution. We also discuss two important points for achieving active and resilient cyber defense, namely deception in depth and deception lifecycle, where several notable proposals are illustrated. Finally, some outlooks on future research directions are presented, including dynamic integration of different deception techniques, quantified deception effects and deception operation cost, hardware-supported deception techniques, as well as techniques developed based on better understanding of the human element.

Cryptography and Security

Xiayu Xiang,Hao Liu,Liyi Zeng,Huan Zhang,Zhaoquan Gu

DOI: https://doi.org/10.3390/math12091364

IF: 2.4

2024-05-01

Mathematics

Abstract:In the dynamic landscape of cyberspace, organizations face a myriad of coordinated advanced threats that challenge the traditional defense paradigm. Cyber Threat Intelligence (CTI) plays a crucial role, providing in-depth insights into adversary groups and enhancing the detection and neutralization of complex cyber attacks. However, attributing attacks poses significant challenges due to over-reliance on malware samples or network detection data alone, which falls short of comprehensively profiling attackers. This paper proposes an IPv4-based threat attribution model, IPAttributor, that improves attack characterization by merging a real-world network behavior dataset comprising 39,707 intrusion entries with commercial threat intelligence from three distinct sources, offering a more nuanced context. A total of 30 features were utilized from the enriched dataset for each IP to create a feature matrix to assess the similarities and linkage of associated IPs, and a dynamic weighted threat segmentation algorithm was employed to discern attacker communities. The experiments affirm the efficacy of our method in pinpointing attackers sharing a common origin, achieving the highest accuracy of 88.89%. Our study advances the relatively underexplored line of work of cyber attacker attribution, with a specific interest in IP-based attribution strategies, thereby enhancing the overall understanding of the attacker's group regarding their capabilities and intentions.

mathematics

Antonia Nisioti,George Loukas,Stefan Rass,Emmanouil Panaousis

DOI: https://doi.org/10.3390/s21165300

2021-08-05

Abstract:The use of anti-forensic techniques is a very common practice that stealthy adversaries may deploy to minimise their traces and make the investigation of an incident harder by evading detection and attribution. In this paper, we study the interaction between a cyber forensic Investigator and a strategic Attacker using a game-theoretic framework. This is based on a Bayesian game of incomplete information played on a multi-host cyber forensics investigation graph of actions traversed by both players. The edges of the graph represent players' actions across different hosts in a network. In alignment with the concept of Bayesian games, we define two Attacker types to represent their ability of deploying anti-forensic techniques to conceal their activities. In this way, our model allows the Investigator to identify the optimal investigating policy taking into consideration the cost and impact of the available actions, while coping with the uncertainty of the Attacker's type and strategic decisions. To evaluate our model, we construct a realistic case study based on threat reports and data extracted from the MITRE ATT&CK STIX repository, Common Vulnerability Scoring System (CVSS), and interviews with cyber-security practitioners. We use the case study to compare the performance of the proposed method against two other investigative methods and three different types of Attackers.

Aditya Shinde,Prashant Doshi,Omid Setayeshfar

DOI: https://doi.org/10.48550/arXiv.2007.09512

2020-07-19

Abstract:This paper presents an intelligent and adaptive agent that employs deception to recognize a cyber adversary's intent. Unlike previous approaches to cyber deception, which mainly focus on delaying or confusing the attackers, we focus on engaging with them to learn their intent. We model cyber deception as a sequential decision-making problem in a two-agent context. We introduce factored finitely nested interactive POMDPs (I-POMDPx) and use this framework to model the problem with multiple attacker types. Our approach models cyber attacks on a single honeypot host across multiple phases from the attacker's initial entry to reaching its adversarial objective. The defending I-POMDPx-based agent uses decoys to engage with the attacker at multiple phases to form increasingly accurate predictions of the attacker's behavior and intent. The use of I-POMDPs also enables us to model the adversary's mental state and investigate how deception affects their beliefs. Our experiments in both simulation and on a real host show that the I-POMDPx-based agent performs significantly better at intent recognition than commonly used deception strategies on honeypots.

Multiagent Systems,Cryptography and Security

Edward A Cranford,Cleotilde Gonzalez,Palvi Aggarwal,Sarah Cooney,Milind Tambe,Christian Lebiere

DOI: https://doi.org/10.1111/tops.12513

Abstract:Recent research in cybersecurity has begun to develop active defense strategies using game-theoretic optimization of the allocation of limited defenses combined with deceptive signaling. These algorithms assume rational human behavior. However, human behavior in an online game designed to simulate an insider attack scenario shows that humans, playing the role of attackers, attack far more often than predicted under perfect rationality. We describe an instance-based learning cognitive model, built in ACT-R, that accurately predicts human performance and biases in the game. To improve defenses, we propose an adaptive method of signaling that uses the cognitive model to trace an individual's experience in real time. We discuss the results and implications of this adaptive signaling method for personalized defense.

Erik Gartzke,Jon R. Lindsay

DOI: https://doi.org/10.1080/09636412.2015.1038188

2015-04-03

Security Studies

Abstract:It is widely believed that cyberspace is offense dominant because of technical characteristics that undermine deterrence and defense. This argument mistakes the ease of deception on the Internet for a categorical ease of attack. As intelligence agencies have long known, deception is a double-edged sword. Covert attackers must exercise restraint against complex targets in order to avoid compromises resulting in mission failure or retaliation. More importantly, defenders can also employ deceptive concealment and ruses to confuse or ensnare aggressors. Indeed, deception can reinvigorate traditional strategies of deterrence and defense against cyber threats, as computer security practitioners have already discovered. The strategy of deception has other important implications: as deterrence became foundational in the nuclear era, deception should rise in prominence in a world that increasingly depends on technology to mediate interaction.

international relations