Chaochao Liu,Degang Sun,Zhixin Shi,Ning Zhang

DOI: https://doi.org/10.1109/iscc61673.2024.10733695

2024-01-01

Abstract:New network attacks such as Advanced Persistent Threats (APTs) have created an asymmetric dynamic between attackers and defenders. Traditional defense mechanisms typically focus on perimeter security, rendering them ineffective once attackers infiltrate the network. Cyber deception defense, on the other hand, proactively establishes a deceptive environment to manipulate attackers’ perceptions and decisions, thereby delaying, detecting, and potentially thwarting attacks. This paper introduces a novel approach rooted in cyber deception defense, utilizing FPGA technology. By harnessing network packet rewriting techniques on FPGA, this method rapidly generates numerous disguised hosts and ports. The implementation of this approach on an FPGA hardware platform allows for the evaluation of its effectiveness. In simulated environments, the method demonstrates remarkable efficiency in constructing deceptive environments, with a policy query time of approximately 50ns. Transitioning to real-world network scenarios, the prototype system extends the time required for attackers to identify genuine hosts by a factor of 4.5. Moreover, the average delay time of the prototype system in processing 64-byte data packets is approximately 5.68us, showcasing consistent performance across various deception strategies. Crucially, the system’s overhead remains minimal, effectively confounding and deterring attackers while increasing the complexity and cost associated with mounting successful attacks.

Duohe Ma,Zhimin Tang,Xiaoyan Sun,Lu Guo,Liming Wang,Kai Chen

DOI: https://doi.org/10.1145/3560828.3563995

2022-01-01

Abstract:Moving target defense (MTD) is a proactive defensive mechanism proposed to disrupt and disable potential attacks, thus reversing the defender's disadvantages. Cyber deception is a complementary technique that is often used to enhance MTD by utilizing misinformation to deceive and mislead attackers. Deception elements, such as honeypot, honey bait, honey token, breadcrumb, and well-constructed deception scenes, can significantly increase the uncertainties for attackers. Deception-based MTD techniques can change the asymmetry situation between defenders and attackers through affecting the attacker's perception of the system. However, there is still a lack of understanding about the role of cyber deception in MTD, and few research works have evaluated the effectiveness of cyber deception. In this paper, we propose a concept of deception attack surface to illustrate deception-based moving target defense. Moreover, we propose a quantitative method to measure deception, which includes two core concepts: exposed falseness degree and hidden truth degree. We further formulate a deception game model between an attacker and a defender, in which the defender attempts to protect the entry points on the attack surface by creating or changing a deception attack surface. Furthermore, we provide a detailed example scenario and analyze the deception game's equilibrium. Finally We verify the effectiveness of our proposed method through a real attack and defense experiment.

Hampei Sasahara,Henrik Sandberg

DOI: https://doi.org/10.1109/TAC.2023.3340978

2023-12-07

Abstract:This paper addresses the question whether model knowledge can guide a defender to appropriate decisions, or not, when an attacker intrudes into control systems. The model-based defense scheme considered in this study, namely Bayesian defense mechanism, chooses reasonable reactions through observation of the system's behavior using models of the system's stochastic dynamics, the vulnerability to be exploited, and the attacker's objective. On the other hand, rational attackers take deceptive strategies for misleading the defender into making inappropriate decisions. In this paper, their dynamic decision making is formulated as a stochastic signaling game. It is shown that the belief of the true scenario has a limit in a stochastic sense at an equilibrium based on martingale analysis. This fact implies that there are only two possible cases: the defender asymptotically detects the attack with a firm belief, or the attacker takes actions such that the system's behavior becomes nominal after a finite time step. Consequently, if different scenarios result in different stochastic behaviors, the Bayesian defense mechanism guarantees the system to be secure in an asymptotic manner provided that effective countermeasures are implemented. As an application of the finding, a defensive deception utilizing asymmetric recognition of vulnerabilities exploited by the attacker is analyzed. It is shown that the attacker possibly stops the attack even if the defender is unaware of the exploited vulnerabilities as long as the defender's unawareness is concealed by the defensive deception.

Cryptography and Security,Computer Science and Game Theory,Systems and Control

Daniel Reti,Karina Elzer,Daniel Fraunholz,Daniel Schneider,Hans-Dieter Schotten

DOI: https://doi.org/10.1145/3560828.3564006

2023-01-25

Abstract:In the field of network security, with the ongoing arms race between attackers, seeking new vulnerabilities to bypass defense mechanisms and defenders reinforcing their prevention, detection and response strategies, the novel concept of cyber deception has emerged. Starting from the well-known example of honeypots, many other deception strategies have been developed such as honeytokens and moving target defense, all sharing the objective of creating uncertainty for attackers and increasing the chance for the attacker of making mistakes. In this paper a methodology to evaluate the effectiveness of honeypots and moving target defense in a network is presented. This methodology allows to quantitatively measure the effectiveness in a simulation environment, allowing to make recommendations on how many honeypots to deploy and on how quickly network addresses have to be mutated to effectively disrupt an attack in multiple network and attacker configurations. With this optimum, attacks can be detected and slowed down with a minimal resource and configuration overhead. With the provided methodology, the optimal number of honeypots to be deployed and the optimal network address mutation interval can be determined. Furthermore, this work provides guidance on how to optimally deploy and configure them with respect to the attacker model and several network parameters.

Cryptography and Security

Md Abu Sayed,Moqsadur Rahman,Mohammad Ariful Islam Khan,Deepak Tosh

2024-01-08

Abstract:In the evolving landscape of cybersecurity, the utilization of cyber deception has gained prominence as a proactive defense strategy against sophisticated attacks. This paper presents a comprehensive survey that investigates the crucial network requirements essential for the successful implementation of effective cyber deception techniques. With a focus on diverse network architectures and topologies, we delve into the intricate relationship between network characteristics and the deployment of deception mechanisms. This survey provides an in-depth analysis of prevailing cyber deception frameworks, highlighting their strengths and limitations in meeting the requirements for optimal efficacy. By synthesizing insights from both theoretical and practical perspectives, we contribute to a comprehensive understanding of the network prerequisites crucial for enabling robust and adaptable cyber deception strategies.

Cryptography and Security

Marco Zambianco,Claudio Facchinetti,Domenico Siracusa

DOI: https://doi.org/10.1016/j.cose.2024.104144

2024-10-16

Abstract:Cyber deception allows compensating the late response of defenders countermeasures to the ever evolving tactics, techniques, and procedures (TTPs) of attackers. This proactive defense strategy employs decoys resembling legitimate system components to lure stealthy attackers within the defender environment, slowing and/or denying the accomplishment of their goals. In this regard, the selection of decoys that can expose the techniques used by malicious users plays a central role to incentivize their engagement. However, this is a difficult task to achieve in practice, since it requires an accurate and realistic modeling of the attacker capabilities and his possible targets. In this work, we tackle this challenge and we design a decoy selection scheme that is supported by an adversarial modeling based on empirical observation of real-world attackers. We take advantage of a domain-specific threat modelling language using MITRE ATT&CK framework as source of attacker TTPs targeting enterprise systems. In detail, we extract the information about the execution preconditions of each technique as well as its possible effects on the environment to generate attack graphs modeling the adversary capabilities. Based on this, we formulate a graph partition problem that minimizes the number of decoys detecting a corresponding number of techniques employed in various attack paths directed to specific targets. We compare our optimization-based decoy selection approach against several benchmark schemes that ignore the preconditions between the various attack steps. Results reveal that the proposed scheme provides the highest interception rate of attack paths using the lowest amount of decoys.

Cryptography and Security

Chunling Dong,Yu Feng,Wenqian Shang

DOI: https://doi.org/10.1186/s13677-023-00568-7

2024-01-01

Abstract:In the context of cloud computing, network attackers usually exhibit complex, dynamic, and diverse behavior characteristics. Existing research methods, such as Bayesian attack graphs, lack evidence correlation and real-time reflection of the network attack events, and high computational complexity for attack analysis. To solve these problems, this study proposes a Dynamic Uncertain Causal Attack Graph (DUCAG) model and a Causal Chain-based Risk Probability Calculation (CCRP) algorithm. The DUCAG model is constructed to represent the uncertain underlying causalities among network attack events, and the CCRP algorithm aims at dynamically updating the causality weights among different network attack events and attacker hypotheses based on alarm information and causal chain reasoning process. By causality simplification and causality reasoning methods, the CCRP efficiently predicts the attacker behaviors and potential attack likelihood under uncertain time-varying attack situations, and is robust to the incompleteness and redundancy in alarm information. Four experiments under different attack scenarios demonstrate that, the DUCAG model can effectively characterize and predict the complex and uncertain attack causalities, in a manner of high time efficiency. The proposed method has application significance on cloud computing platforms by dynamically evaluating network security status, predicting the future behaviors of attackers, and assisting in adjusting network defense strategies.

Pedro Beltrán López,Manuel Gil Pérez,Pantaleone Nespoli

2024-09-11

Abstract:The growing interest in cybersecurity has significantly increased articles designing and implementing various Cyber Deception (CYDEC) mechanisms. This trend reflects the urgent need for new strategies to address cyber threats effectively. Since its emergence, CYDEC has established itself as an innovative defense against attackers, thanks to its proactive and reactive capabilities, finding applications in numerous real-life scenarios. Despite the considerable work devoted to CYDEC, the literature still presents significant gaps. In particular, there has not been (i) a comprehensive analysis of the main components characterizing CYDEC, (ii) a generic classification covering all types of solutions, nor (iii) a survey of the current state of the literature in various contexts. This article aims to fill these gaps through a detailed review of the main features that comprise CYDEC, developing a comprehensive classification taxonomy. In addition, the different frameworks used to generate CYDEC are reviewed, presenting a more comprehensive one. Existing solutions in the literature using CYDEC, both without Artificial Intelligence (AI) and with AI, are studied and compared. Finally, the most salient trends of the current state of the art are discussed, offering a list of pending challenges for future research.

Cryptography and Security,Artificial Intelligence,Computer Science and Game Theory

Palvi Aggarwal,Yinuo Du,Kuldeep Singh,Cleotilde Gonzalez

DOI: https://doi.org/10.48550/arXiv.2108.11037

2021-08-25

Abstract:One of the widely used cyber deception techniques is decoying, where defenders create fictitious machines (i.e., honeypots) to lure attackers. Honeypots are deployed to entice attackers, but their effectiveness depends on their configuration as that would influence whether attackers will judge them as "real" machines or not. In this work, we study two-sided deception, where we manipulate the observed configuration of both honeypots and real machines. The idea is to improve cyberdefense by either making honeypots ``look like'' real machines or by making real machines ``look like honeypots.'"We identify the modifiable features of both real machines and honeypots and conceal these features to different degrees. In an experiment, we study three conditions: default features on both honeypot and real machines, concealed honeypots only, and concealed both honeypots and real machines. We use a network with 40 machines where 20 of them are honeypots. We manipulate the features of the machines, and using an experimental testbed (HackIT), we test the effectiveness of the decoying strategies against humans attackers. Results indicate that: Any of the two forms of deception (conceal honeypots and conceal both honeypots and real machines) is better than no deception at all. We observe that attackers attempted more exploits on honeypots and exfiltrated more data from honeypots in the two forms of deception conditions. However, the attacks on honeypots and data exfiltration were not different within the deception conditions. Results inform cybersecurity defenders on how to manipulate the observable features of honeypots and real machines to create uncertainty for attackers and improve cyberdefense.

Cryptography and Security

Gbadebo Ayoade,Frederico Araujo,Khaled Al-Naami,Ahmad M. Mustafa,Yang Gao,Kevin W. Hamlen,Latifur Khan

DOI: https://doi.org/10.24251/hicss.2020.236

2020-01-01

Abstract:A machine learning-based methodology is proposed and implemented for conducting evaluations of cyberdeceptive defenses with minimal human involvement. This avoids impediments associated with deceptive research on humans, maximizing the efficacy of automated evaluation before human subjects research must be undertaken. Leveraging recent advances in deep learning, the approach synthesizes realistic, interactive, and adaptive traffic for consumption by target web services. A case study applies the approach to evaluate an intrusion detection system equipped with application-layer embedded deceptive responses to attacks. Results demonstrate that synthesizing adaptive web traffic laced with evasive attacks powered by ensemble learning, online adaptive metric learning, and novel class detection to simulate skillful adversaries constitutes a challenging and aggressive test of cyberdeceptive defenses.

Li Zhang,Vrizlynn L. L. Thing

DOI: https://doi.org/10.1016/j.cose.2021.102288

2021-04-08

Abstract:Deception techniques have been widely seen as a game changer in cyber defense. In this paper, we review representative techniques in honeypots, honeytokens, and moving target defense, spanning from the late 1980s to the year 2021. Techniques from these three domains complement with each other and may be leveraged to build a holistic deception based defense. However, to the best of our knowledge, there has not been a work that provides a systematic retrospect of these three domains all together and investigates their integrated usage for orchestrated deceptions. Our paper aims to fill this gap. By utilizing a tailored cyber kill chain model which can reflect the current threat landscape and a four-layer deception stack, a two-dimensional taxonomy is developed, based on which the deception techniques are classified. The taxonomy literally answers which phases of a cyber attack campaign the techniques can disrupt and which layers of the deception stack they belong to. Cyber defenders may use the taxonomy as a reference to design an organized and comprehensive deception plan, or to prioritize deception efforts for a budget conscious solution. We also discuss two important points for achieving active and resilient cyber defense, namely deception in depth and deception lifecycle, where several notable proposals are illustrated. Finally, some outlooks on future research directions are presented, including dynamic integration of different deception techniques, quantified deception effects and deception operation cost, hardware-supported deception techniques, as well as techniques developed based on better understanding of the human element.

Cryptography and Security

Linan Huang,Quanyan Zhu

DOI: https://doi.org/10.48550/arXiv.1809.02013

2018-09-09

Abstract:Security challenges accompany the efficiency. The pervasive integration of information and communications technologies (ICTs) makes cyber-physical systems vulnerable to targeted attacks that are deceptive, persistent, adaptive and strategic. Attack instances such as Stuxnet, Dyn, and WannaCry ransomware have shown the insufficiency of off-the-shelf defensive methods including the firewall and intrusion detection systems. Hence, it is essential to design up-to-date security mechanisms that can mitigate the risks despite the successful infiltration and the strategic response of sophisticated attackers. In this chapter, we use game theory to model competitive interactions between defenders and attackers. First, we use the static Bayesian game to capture the stealthy and deceptive characteristics of the attacker. A random variable called the \textit{type} characterizes users' essences and objectives, e.g., a legitimate user or an attacker. The realization of the user's type is private information due to the cyber deception. Then, we extend the one-shot simultaneous interaction into the one-shot interaction with asymmetric information structure, i.e., the signaling game. Finally, we investigate the multi-stage transition under a case study of Advanced Persistent Threats (APTs) and Tennessee Eastman (TE) process. Two-Sided incomplete information is introduced because the defender can adopt defensive deception techniques such as honey files and honeypots to create sufficient amount of uncertainties for the attacker. Throughout this chapter, the analysis of the Nash equilibrium (NE), Bayesian Nash equilibrium (BNE), and perfect Bayesian Nash equilibrium (PBNE) enables the policy prediction of the adversary and the design of proactive and strategic defenses to deter attackers and mitigate losses.

Computer Science and Game Theory,Cryptography and Security

Jacob Quibell

2024-05-19

Abstract:Cybercrime is estimated to cost the global economy almost \$10 trillion annually and with businesses and governments reporting an ever-increasing number of successful cyber-attacks there is a growing demand to rethink the strategy towards cyber security. The traditional, perimeter security approach to cyber defence has so far proved inadequate to combat the growing threat of cybercrime. Cyber deception offers a promising alternative by creating a dynamic defence environment. Deceptive techniques aim to mislead attackers, diverting them from critical assets whilst simultaneously gathering cyber threat intelligence on the threat actor. This article presents a proof-of-concept (POC) cyber deception system that has been developed to capture the profile of an attacker in-situ, during a simulated cyber-attack in real time. By dynamically and autonomously generating deception material based on the observed attacker behaviour and analysing how the attacker interacts with the deception material, the system outputs a prediction on the attacker's motive. The article also explores how this POC can be expanded to infer other features of the attacker's profile such as psychological characteristics. By dynamically and autonomously generating deception material based on observed attacker behaviour and analysing how the attacker interacts with the deception material, the system outputs a prediciton on the attacker's motive. The article also explores how this POC can be expanded to infer other features of the attacker's profile such as psychological characteristics.

Cryptography and Security

LI Jia-rui,LING Xiao-bo,LI Chen-xi,LI Zi-mu,YANG Jia-hai,ZHANG Lei,WU Cheng-nan

DOI: https://doi.org/10.11896/jsjkx.210800107

2022-01-01

Computer Science

Abstract:In order to overcome the difficulties that current attack graph model cannot reflect real-time network attack events,a method is proposed including a forward risk probability update algorithm and a forward-backward combined risk probability update algorithm,which meets the needs of real-time analyzing network security.It first performs specific quantitative analysis on the uncertainty of each node in the graph,and uses Bayesian networks to calculate their static probabilities.After that,it updates the dynamic probability of each node along the forward and backward paths according to the real-time network security events,instantly reflecting the changes of external conditions and assessing real-time risk levels across the network.Experimental results show that the method can calibrate and adjust the risk probability of each node according to the actual situation,which helps the network operator correctly understand the dangerous levels of the network and make better decision for defense and prevention of the next attack.

Yinan Hu,Quanyan Zhu

2023-09-23

Abstract:The concept of cyber deception has been receiving emerging attention. The development of cyber defensive deception techniques requires interdisciplinary work, among which cognitive science plays an important role. In this work, we adopt a signaling game framework between a defender and a human agent to develop a cyber defensive deception protocol that takes advantage of the cognitive biases of human decision-making using quantum decision theory to combat insider attacks (IA). The defender deceives an inside human attacker by luring him to access decoy sensors via generators producing perceptions of classical signals to manipulate the human attacker's psychological state of mind. Our results reveal that even without changing the classical traffic data, strategically designed generators can result in a worse performance for defending against insider attackers in identifying decoys than the ones in the deceptive scheme without generators, which generate random information based on input signals. The proposed framework leads to fundamental theories in designing more effective signaling schemes.

Cryptography and Security

Jianhua Sun,Songsong Liu,Kun Sun

DOI: https://doi.org/10.1145/3338468.3356826

2019-01-01

Abstract:Recent years have witnessed a surging trend of leveraging deception technique to detect and defeat sophisticated cyber attacks such as the advanced persistent threat. Deception typically employs a decoy network to entrap the attackers and divert the firepower away from the real protected assets. Unfortunately, existing decoy systems failed to achieve a balanced tradeoff between the decoy fidelity and scalability, which potentially undermines the effectiveness of attacker deception. In this paper, we propose a hybrid decoy architecture that separates lightweight front-end decoys from high-fidelity back-end decoy servers. To enhance the deception effectiveness, we introduce dynamics into the decoy system design to make the decoy a moving target, where the front-end decoys constrain attackers by transparently intercepting and forwarding the malicious commands to the heterogeneous back-end decoys for real execution. We implement two prototypes of the hybrid decoy architecture based on Linux Bash shell and Windows PowerShell. The experimental results demonstrate that our system can effectively misdirect and disinform attackers with small network and system overhead.

Pedro Beltran Lopez,Pantaleone Nespoli,Manuel Gil Perez

2024-02-20

Abstract:Cybersecurity is developing rapidly, and new methods of defence against attackers are appearing, such as Cyber Deception (CYDEC). CYDEC consists of deceiving the enemy who performs actions without realising that he/she is being deceived. This article proposes designing, implementing, and evaluating a deception mechanism based on the stealthy redirection of TCP communications to an on-demand honey server with the same characteristics as the victim asset, i.e., it is a clone. Such a mechanism ensures that the defender fools the attacker, thanks to stealth redirection. In this situation, the attacker will focus on attacking the honey server while enabling the recollection of relevant information to generate threat intelligence. The experiments in different scenarios show how the proposed solution can effectively redirect an attacker to a copied asset on demand, thus protecting the real asset. Finally, the results obtained by evaluating the latency times ensure that the redirection is undetectable by humans and very difficult to detect by a machine.

Cryptography and Security,Networking and Internet Architecture,Performance,Systems and Control

Mario Kahlhofer,Stefan Rass

2024-05-21

Abstract:Cyber deception techniques that are tightly intertwined with applications pose significant technical challenges in production systems. Security measures are usually the responsibility of a system operator, but they are typically limited to accessing built software artifacts, not their source code. This limitation makes it particularly challenging to deploy cyber deception techniques at application runtime and without full control over the software development lifecycle. This work reviews 19 technical methods to accomplish this and evaluates them based on technical, topological, operational, and efficacy properties. We find some novel techniques beyond honeypots and reverse proxies that seem to have received little research interest despite their promise for cyber deception. We believe that overcoming these technical challenges can drive the adoption of more dynamic and personalized cyber deception techniques, tailored to specific classes of applications.

Cryptography and Security,Distributed, Parallel, and Cluster Computing,Networking and Internet Architecture,Software Engineering

Jiali Wang,Martin Neil

DOI: https://doi.org/10.48550/arXiv.2106.00471

2021-06-01

Abstract:Cybersecurity risk analysis plays an essential role in supporting organizations make effective decision about how to manage and control cybersecurity risk. Cybersecurity risk is a function of the interplay between the defender, i.e., the organisation, and the attacker: decisions and actions made by the defender second guess the decisions and actions taken by the attacker and vice versa. Insight into this game between these two agents provides a means for the defender to identify and make optimal decisions. To date, the adversarial risk analysis framework has provided a decision-analytical approach to solve such game problems in the presence of uncertainty and uses Monte Carlo simulation to calculate and identify optimal decisions. We propose an alternative framework to construct and solve a serial of sequential Defend-Attack models, that incorporates the adversarial risk analysis approach, but uses a new class of influence diagrams algorithm, called hybrid Bayesian network inference, to identify optimal decision strategies. Compared to Monte Carlo simulation the proposed hybrid Bayesian network inference is more versatile because it provides an automated way to compute hybrid Defend-Attack models and extends their use to involve mixtures of continuous and discrete variables, of any kind. More importantly, the hybrid Bayesian network approach is novel in that it supports dynamic decision making whereby new real-time observations can update the Defend-Attack model in practice. We also extend the Defend-Attack model to support cases involving extra variables and longer decision sequence. Examples are presented, illustrating how the proposed framework can be adjusted for more complicated scenarios, including dynamic decision making.

Computer Science and Game Theory

Zhichen Han,Shengbing Zhang,Zengwang Jin,Yanyan Hu

DOI: https://doi.org/10.1002/asjc.3356

IF: 2.4

2024-03-02

Asian Journal of Control

Abstract:Cyber‐physical systems (CPSs) are increasingly vulnerable to the threat from malicious adversaries owing to the deep integration of networks and facilities; therefore, CPSs' security against cyber attacks has attracted extensive attention. The deception attack is one of the typical cyber attacks targeting CPSs, and a deception attack mode is established to describe the simultaneous occurrence of actuator and sensor attacks in this paper. Compared with single‐target deception attacks with constant value, the designed attack mode that can describe deception attacks against multiple components and embedded random characteristics has higher applicability in practical engineering processes. To counter such attack behavior, a secure estimator is proposed based on the ideology of augmented state to achieve the optimal design of secure state estimation and deception attack identification. Taking the energy shortage problem of CPSs into account, a novel event‐triggered communication mechanism is introduced on the basis of measurement residuals to improve resource efficiency by reducing low‐value information transmission. The communication scheme and the augmented state estimator are co‐designed by adopting the implicit information of the event‐triggered mechanism. Then, the performance of the co‐designed estimator is analyzed by the upper bound of the estimation error covariance matrix. Besides, the reconciliation between estimation performance and communication energy consumption is achieved by the derivation of Pareto equilibrium. Finally, applications of our approaches to a 3D target tracking system are provided to illustrate the effectiveness of the proposed method.

automation & control systems