Ri-gude BU,Wei-hua LI,Bo ZHANG,Ju-hou HE

DOI: https://doi.org/10.3969/j.issn.1671-654X.2005.03.035

2005-01-01

Abstract:This article introduces initiative network topology and the operating system camouflage technology based on cheating in detail.Through Linux system,kernel drive's programming hold up TCP/IP stack data packet,and rewrite header information according to operating system fingerprint storehouse and network camouflage strategy,and track record information,come true data transparent transmission.Through a mass of pseudo the IP address hide away information to flow to.Protects the important computer.At the same time traps the intruder.Discovers the intruder early.Accomplish that camouflaged mission need camouflaged the IP address management,the dynamic allocation and the micro route technology work together.

Junchi Xing,Mingliang Yang,Haifeng Zhou,Chunming Wu,Wei Ruan

DOI: https://doi.org/10.1109/IPCCC47392.2019.8958776

2019-01-01

Abstract:Network reconnaissance aims at gathering as much information as possible before an attack is launched. Meanwhile, static host address configuration facilitates network reconnaissance. Currently, more sophisticated network reconnaissance has been emerged with the adaptive and cooperative features. To address this, in this paper, we present Hiding and Trapping (HaT), which is a deceptive approach to disrupt adversarial network reconnaissance with the help of the software-defined networking (SDN) paradigm. HaT is able to hide valuable hosts from attackers and to trap them into decoy nodes through strategic and holistic host address mutation according to characteristic of adversaries. We implement a prototype of HaT, and evaluate its performance by experiments. The experimental results show that HaT is capable to effectively disrupt adversarial network reconnaissance with better deceptive performance than the existing address randomization approach.

WU Xin,HUANG Hao

DOI: https://doi.org/10.3969/j.issn.1001-3695.2006.11.031

2006-01-01

Abstract:Honeypots take several deception technology to protect network.This paper will explain actively the deception technology,including it's definition,purpose,category and development.It analyzes the principles of most kinds of deception technology,including banner simulation,random server,redirection,cage and virtual command.It discusses how to choose proper deception technology to deploy deception policy baesd on different deception purposes.

Jianhua Sun,Kun Sun,Qi Li

DOI: https://doi.org/10.1109/cns48642.2020.9162163

2020-01-01

Abstract:Recently cyber deception has emerged as a promising defense approach for detecting and defeating advanced persistent threat. By leveraging deceptive decoys, the defenders seek to proactively engage with the attackers and entice them away from the protected server infrastructure. The effectiveness of such decoy-based deception largely relies on the decoy fidelity. In this paper, we observe that realistic server system inevitably experiences wearoff from service request processing and regular maintenance, resulting in characteristic access pattern, running states, and system artifacts. Accordingly, we identify two deception evasion attacks, namely, traffic fingerprinting and system fingerprinting, which enable sophisticated adversaries to accurately distinguish decoys from real servers. To protect web server decoys against those evasion attacks, we develop Mirage, a seamless real-time network traffic replay framework to generate network traffic and system artifacts on the decoy server based on the normal clients' interactions with the real server. Mirage works as a TLS-capable reverse proxy that transparently replays real traffic towards decoys. To resolve the inconsistent states between the real and decoy servers, we integrate a decoy client emulator into the reverse proxy to maintain the stateful data features and caching logic of a decoy session. Moreover, we employ format preserving encryption technique to obfuscate sensitive data before being sent to the decoy server. Implementations and evaluations of a prototype demonstrate that Mirage can effectively mitigate deception evasion attacks with acceptable performance overhead.

Xifeng AN,Weihua LI,Zun LIU

DOI: https://doi.org/10.3321/j.issn:0253-987X.2008.12.013

2008-01-01

Abstract:A novel network security cooperative defense technology is studied and a cooperative control framework based on agent mechanism is proposed to solve the lack of cooperative control and whole effect in traditional defense systems. The technology supports both IPv4 and IPv6 protocols and security modules in the framework are associated with each other to accomplish communication and work together. Furthermore, a network security cooperative defense system is composed and the key functions that support the early-alert, audit, accident recovery, network camouflage and so on are also achieved. The pivotal research is emphasized on the key technologies of system call sequences audit model based on machine learning and cooperative accident recovery. Under the condition of 100 M Data flow speed, the NSCDS software's false negative is less than 6% and its false positive is less than 8%. Besides, all module functions work normally and the system can be used to carry out cooperative defense capability.

Jason Landsborough,Neil C. Rowe,Thuy D. Nguyen,Sunny Fugate

2024-12-21

Abstract:Deception is being increasingly explored as a cyberdefense strategy to protect operational systems. We are studying implementation of deception-in-depth strategies with initially three logical layers: network, host, and data. We draw ideas from military deception, network orchestration, software deception, file deception, fake honeypots, and moving-target defenses. We are building a prototype representing our ideas and will be testing it in several adversarial environments. We hope to show that deploying a broad range of deception techniques can be more effective in protecting systems than deploying single techniques. Unlike traditional deception methods that try to encourage active engagement from attackers to collect intelligence, we focus on deceptions that can be used on real machines to discourage attacks.

Cryptography and Security

Guanding Yu

2005-01-01

Abstract:A distributed IP spoof detection system in Intranet is proposed, which can efficiently detect IP spoof behaviors in Intranet. Current techniques of defending IP spoof are analyzed. Aimed at characteristics of Intranet, the design of the system is introduced in detail. The determination method of IP spoof and the design of the monitor, which is a key component of the system, are presented. The implementation of data capture model is also presented. From the experimentation result, it is concluded that the system has the characteristics of high accuracy and real-time performance, but little data traffic. It can be generalized in Intranet of different scales and in other network security systems.

Zheng Minjiao,Ma Yufeng,Wu Bo,Qian Zhang

DOI: https://doi.org/10.1109/iccbd56965.2022.10080304

2022-01-01

Abstract:Honeynet, as a representative network deception technology, can protect the network while attracting attackers to understand their patterns, strategies and behaviors. The new honeynet based on the latest bility, but the ability to construct honeynet scene dynamically is still a little bit insufficient at the moment. We propose a dynamic deception honeynet architecture combining virtual and real honeypot, which is used to dynamically generate a real network according to the cyber situation and the attack behavior to attract attackers. It redirects the advanced attacker to the environment that he is more interested, in order to capture the attacker and conduct further analysis. This improves the lack of dynamic and inductivity in the existing honeynet. Finally, we de-veloped the prototype system and set up the experimental environment. The result shows that the system has a high degree of intelligence and strong in-ductivity.

HU Heng-yi,XIA Chun-he

DOI: https://doi.org/10.3969/j.issn.1000-7024.2005.11.003

2005-01-01

Abstract:The targets of net attacks could be summed up to data resources, computational resources and connection resources. To resist net attack, which focuses on data resource, an intrusion-deception-based dynamic network defensive system was present in this paper. and redirection technology in the Intrusion Deception System were also discussed, The problems of redirection technology were analyzed and a seamless redirection solution was described, including the technology of redirection base on Socket and Environment States synchronization. The initiative and security of the Intrusion Deception System were assured.

NIU Yong,ZHANG Xin-jia

DOI: https://doi.org/10.3969/j.issn.1671-1815.2007.14.064

2007-01-01

Abstract:Seveval kinds of communication ways used by backdoor in recent years is analyzed. Then a more concealed backdoor communication way is designed. The method has more penetrating force.It based on fake DNS and sniffer. Here,Fake DNS is a newly created communication method. At last, this communication methord is validated in lab.

Pedro Beltran Lopez,Pantaleone Nespoli,Manuel Gil Perez

2024-02-20

Abstract:Cybersecurity is developing rapidly, and new methods of defence against attackers are appearing, such as Cyber Deception (CYDEC). CYDEC consists of deceiving the enemy who performs actions without realising that he/she is being deceived. This article proposes designing, implementing, and evaluating a deception mechanism based on the stealthy redirection of TCP communications to an on-demand honey server with the same characteristics as the victim asset, i.e., it is a clone. Such a mechanism ensures that the defender fools the attacker, thanks to stealth redirection. In this situation, the attacker will focus on attacking the honey server while enabling the recollection of relevant information to generate threat intelligence. The experiments in different scenarios show how the proposed solution can effectively redirect an attacker to a copied asset on demand, thus protecting the real asset. Finally, the results obtained by evaluating the latency times ensure that the redirection is undetectable by humans and very difficult to detect by a machine.

Cryptography and Security,Networking and Internet Architecture,Performance,Systems and Control

Zhong-Hua Pang,Guo-Ping Liu,Donghua Zhou,Dehui Sun

DOI: https://doi.org/10.1007/978-981-13-0520-7_9

2019-01-01

Abstract:In this chapter, a secure networked control scheme is presented based on the data secure transmission scheme designed in Chap. 8, which can deal with deception attacks and packet disorders in the feedback and forward channels. The attacked packets and the out-of-order packets are detected and then discarded. To show the effectiveness of the proposed scheme, practical experiments are performed on an Internet-based DC motor system (an open-loop stable plant) and an inverted pendulum system (an open-loop unstable plant) based on a wireless metropolitan area network, respectively.

Xian-zu SONG,Jun-Zhou LUO

DOI: https://doi.org/10.3969/j.issn.1007-1423-B.2004.02.010

2004-01-01

Abstract:Internet was developed from a friendly, reliable and open environment. The realization of its protocols has its inherent limitation. Clearly mastering the substrate principle of network interconnection and communication is the base and hinge to study the network security. From the working principle of ARP protocol in the network communication of Ethernet, this paper firstly introduces the principles and implements of Active Host Detection and IP Protection in LAN based on ARP. Secondly, it introduces and analyzes the deficiency of ARP protocol and the ARP spoof produced by this deficiency. It also applies this analysis to the switcher net environment and realizes the network monitoring by the bridge method. Finally, it presents the detection of this spoof and the defense measure, and at the same time, a corresponding realized system is also given.

LI Juan,XUE Zhi

DOI: https://doi.org/10.3969/j.issn.1009-8054.2007.06.057

2007-01-01

Abstract:In this paper,an propotype of DiD network system utilizing wireless honeypot is discussed.The advance of wireless networking has been beset by inherent and in-built security problems.Network attack tools that are freely avail-able may intercept network transmissions readily,and by stealth,make organizations highly vulnerable to attack.Decep-tion is an essential element of effective security,which has been used in network to understand attack methods and intrusions.This paper seeks to explore the use of deception for wireless network defence through the deployment of a wireless honeypot.The honeypot has demonstrated the outcome of deceptions in against common wireless network attacks.

Mario Kahlhofer,Stefan Rass

2024-05-21

Abstract:Cyber deception techniques that are tightly intertwined with applications pose significant technical challenges in production systems. Security measures are usually the responsibility of a system operator, but they are typically limited to accessing built software artifacts, not their source code. This limitation makes it particularly challenging to deploy cyber deception techniques at application runtime and without full control over the software development lifecycle. This work reviews 19 technical methods to accomplish this and evaluates them based on technical, topological, operational, and efficacy properties. We find some novel techniques beyond honeypots and reverse proxies that seem to have received little research interest despite their promise for cyber deception. We believe that overcoming these technical challenges can drive the adoption of more dynamic and personalized cyber deception techniques, tailored to specific classes of applications.

Cryptography and Security,Distributed, Parallel, and Cluster Computing,Networking and Internet Architecture,Software Engineering

Jiancong Zhang,Shining Li,Changhao Wang

DOI: https://doi.org/10.1155/2022/6304927

IF: 1.968

2022-01-01

Security and Communication Networks

Abstract:Named data networking (NDN) is a promising alternative data dissemination technology of TCP/IP communication networks, which can bring out much more cost-effective and resilient communication in a highly mobile environment. However, due to the feature of NDN, content poisoning comes out as a potential threat. Hence, state-of-the-art studies introduce network layer approaches based on name-key binding, in which the producer notifies routers of the bindings of names and key values. Key values include publisher public key digest or content digest. Routers check key values to determine whether incoming data packets have been poisoned. Unfortunately, the approaches lead to more vulnerabilities in dynamic content poisoning because attackers can impersonate the producer to alter or fabricate the bindings. Thus, we introduce a consumer-oriented two-phased lightweight security scheme, which consists of an end-to-end authentication and a packet-level name-key query mechanism. Specifically, the name-key bindings are authenticated via an additional verification by the consumer. Furthermore, we also introduce a novel trust model to help routers to determine and disconnect from the malicious nodes. Finally, our extensive experimental results demonstrate that the scheme can work effectively in improving the vulnerability of existing studies on dynamic content poisoning and lowering the system overhead simultaneously.

Weihua Li,Lan Jiang

DOI: https://doi.org/10.3969/j.issn.1000-2758.2005.03.005

2005-01-01

Xibei Gongye Daxue Xuebao/Journal of Northwestern Polytechnical University

Abstract:Our aim is to provide many functions in our new multi-function system for dealing with hacker intrusion. These functions include conventional detection and alert, non-conventional hacker deception and trapping, and restoration of damaged files. Our system is a multi-layer comprehensive active defense system, integrating real-time intrusion detection, alert, security accident restoration, and hacker deception. In the full paper, we explain in much detail how to implement the many functions in our new system. Here we give only a briefing. Compared with conventional IDS (Intrusion Detection System), our new system can not only monitor and trap hackers in real-time mode, but also can realize intrusion tolerance better. The detection function of our system can not only monitor hacker attack but also cleverly track the hacker until the hacker's true source is found. The restoration function of our system can restore important files which have been attacked by hacker or infected by virus. Our new system has been employed successfully on several networks; it can deal effectively with 31 categories of known hacker attacks, whose ways of attack number as many as 2045.

Jianhua Sun,Kun Sun,Qi Li

DOI: https://doi.org/10.1109/CNS.2017.8228642

2017-01-01

Abstract:Traditional deception-based cyber defenses often undertake reactive strategies that utilize decoy systems or services for attack detection and information gathering. Unfortunately, the effectiveness of these defense mechanisms has been largely constrained by the low decoy fidelity, the poor scalability of decoy platform, and the static decoy configurations, which allow the attackers to identify and bypass the deployed decoys. In this paper, we develop a decoy-enhanced defense framework that can proactively protect critical servers against targeted remote attacks through deception. To achieve both high fidelity and good scalability, our system follows a hybrid architecture that separates lightweight yet versatile front-end proxies from back-end high-fidelity decoy servers. Moreover, our system can further invalidate the attackers' reconnaissance through dynamic proxy address shuffling. To guarantee service availability, we develop a transparent connection translation strategy to maintain existing connections during shuffling. Our evaluation on a prototype implementation demonstrates the effectiveness of our approach in defeating attacker reconnaissance and shows that it only introduces small performance overhead.

Xin-nan CHEN,Hua-ping Hu,Hong YUE

DOI: https://doi.org/10.3969/j.issn.1007-130X.2010.12.005

2010-01-01

Abstract:In the switch-based LAN environment,the means of defending the ARP spoofing is maturing,leading to the sniffer based on the ARP spoofing is vulnerable to being intercepted and killed by security software,so it lacks sniffing effect.In this paper,one non-ARP spoofing,which is called MAC spoofing,is proposed,and a LAN sniffer prototype based on the MAC spoofing is also designed and implemented.Compared with the traditional ARP spoofing,the MAC spoofing can bypass a variety of ARP spoofing defense tools and succeed to intercept the network data,as well as carrying on the Denial of Service attacks.Through the use of a time-alternate mechanism,a filtering mechanism and other key technologies,the efficiency and accuracy of the sniffer can be highly improved.The testing result shows that the sniffer may be better to break through the interception and killing of security software,and achieve the effect of sniffing.

Daniel Reti,David Klaaßen,Simon Duque Anton,Hans Dieter Schotten

DOI: https://doi.org/10.48550/arXiv.2104.03666

2021-04-08

Abstract:Deceiving an attacker in the network security domain is a well established approach, mainly achieved through deployment of honeypots consisting of open network ports with the sole purpose of raising an alert on a connection. With attackers becoming more careful to avoid honeypots, other decoy elements on real host systems continue to create uncertainty for attackers. This uncertainty makes an attack more difficult, as an attacker cannot be sure whether the system does contain deceptive elements or not. Consequently, each action of an attacker could lead to the discovery. In this paper a framework is proposed for placing decoy elements through an SSH proxy, allowing to deploy decoy elements on-the-fly without the need for a modification of the protected host system.

Cryptography and Security,Networking and Internet Architecture