Jianhua Sun,Kun Sun,Qi Li

DOI: https://doi.org/10.1109/CNS.2017.8228642

2017-01-01

Abstract:Traditional deception-based cyber defenses often undertake reactive strategies that utilize decoy systems or services for attack detection and information gathering. Unfortunately, the effectiveness of these defense mechanisms has been largely constrained by the low decoy fidelity, the poor scalability of decoy platform, and the static decoy configurations, which allow the attackers to identify and bypass the deployed decoys. In this paper, we develop a decoy-enhanced defense framework that can proactively protect critical servers against targeted remote attacks through deception. To achieve both high fidelity and good scalability, our system follows a hybrid architecture that separates lightweight yet versatile front-end proxies from back-end high-fidelity decoy servers. Moreover, our system can further invalidate the attackers' reconnaissance through dynamic proxy address shuffling. To guarantee service availability, we develop a transparent connection translation strategy to maintain existing connections during shuffling. Our evaluation on a prototype implementation demonstrates the effectiveness of our approach in defeating attacker reconnaissance and shows that it only introduces small performance overhead.

Junchi Xing,Mingliang Yang,Haifeng Zhou,Chunming Wu,Wei Ruan

DOI: https://doi.org/10.1109/IPCCC47392.2019.8958776

2019-01-01

Abstract:Network reconnaissance aims at gathering as much information as possible before an attack is launched. Meanwhile, static host address configuration facilitates network reconnaissance. Currently, more sophisticated network reconnaissance has been emerged with the adaptive and cooperative features. To address this, in this paper, we present Hiding and Trapping (HaT), which is a deceptive approach to disrupt adversarial network reconnaissance with the help of the software-defined networking (SDN) paradigm. HaT is able to hide valuable hosts from attackers and to trap them into decoy nodes through strategic and holistic host address mutation according to characteristic of adversaries. We implement a prototype of HaT, and evaluate its performance by experiments. The experimental results show that HaT is capable to effectively disrupt adversarial network reconnaissance with better deceptive performance than the existing address randomization approach.

Palvi Aggarwal,Yinuo Du,Kuldeep Singh,Cleotilde Gonzalez

DOI: https://doi.org/10.48550/arXiv.2108.11037

2021-08-25

Abstract:One of the widely used cyber deception techniques is decoying, where defenders create fictitious machines (i.e., honeypots) to lure attackers. Honeypots are deployed to entice attackers, but their effectiveness depends on their configuration as that would influence whether attackers will judge them as "real" machines or not. In this work, we study two-sided deception, where we manipulate the observed configuration of both honeypots and real machines. The idea is to improve cyberdefense by either making honeypots ``look like'' real machines or by making real machines ``look like honeypots.'"We identify the modifiable features of both real machines and honeypots and conceal these features to different degrees. In an experiment, we study three conditions: default features on both honeypot and real machines, concealed honeypots only, and concealed both honeypots and real machines. We use a network with 40 machines where 20 of them are honeypots. We manipulate the features of the machines, and using an experimental testbed (HackIT), we test the effectiveness of the decoying strategies against humans attackers. Results indicate that: Any of the two forms of deception (conceal honeypots and conceal both honeypots and real machines) is better than no deception at all. We observe that attackers attempted more exploits on honeypots and exfiltrated more data from honeypots in the two forms of deception conditions. However, the attacks on honeypots and data exfiltration were not different within the deception conditions. Results inform cybersecurity defenders on how to manipulate the observable features of honeypots and real machines to create uncertainty for attackers and improve cyberdefense.

Cryptography and Security

Pedro Beltran Lopez,Pantaleone Nespoli,Manuel Gil Perez

2024-02-20

Abstract:Cybersecurity is developing rapidly, and new methods of defence against attackers are appearing, such as Cyber Deception (CYDEC). CYDEC consists of deceiving the enemy who performs actions without realising that he/she is being deceived. This article proposes designing, implementing, and evaluating a deception mechanism based on the stealthy redirection of TCP communications to an on-demand honey server with the same characteristics as the victim asset, i.e., it is a clone. Such a mechanism ensures that the defender fools the attacker, thanks to stealth redirection. In this situation, the attacker will focus on attacking the honey server while enabling the recollection of relevant information to generate threat intelligence. The experiments in different scenarios show how the proposed solution can effectively redirect an attacker to a copied asset on demand, thus protecting the real asset. Finally, the results obtained by evaluating the latency times ensure that the redirection is undetectable by humans and very difficult to detect by a machine.

Cryptography and Security,Networking and Internet Architecture,Performance,Systems and Control

Daniel Reti,Daniel Fraunholz,Janis Zemitis,Daniel Schneider,Hans Dieter Schotten

DOI: https://doi.org/10.1109/CyberSecurity49315.2020.9138850

2021-04-08

Abstract:Deception technology has proven to be a sound approach against threats to information systems. Aside from well-established honeypots, decoy elements, also known as honeytokens, are an excellent method to address various types of threats. Decoy elements are causing distraction and uncertainty to an attacker and help detecting malicious activity. Deception is meant to be complementing firewalls and intrusion detection systems. Particularly insider threats may be mitigated with deception methods. While current approaches consider the use of multiple decoy elements as well as context-sensitivity, they do not sufficiently describe a relationship between individual elements. In this work, inter-referencing decoy elements are introduced as a plausible extension to existing deception frameworks, leading attackers along a path of decoy elements. A theoretical foundation is introduced, as well as a stochastic model and a reference implementation. It was found that the proposed system is suitable to enhance current decoy frameworks by adding a further dimension of inter-connectivity and therefore improve intrusion detection and prevention.

Cryptography and Security,Networking and Internet Architecture

Michael Kouremetis,Dean Lawrence,Ron Alford,Zoe Cheuvront,David Davila,Benjamin Geyer,Trevor Haigh,Ethan Michalak,Rachel Murphy,Gianpaolo Russo

DOI: https://doi.org/10.1007/s12243-024-01018-4

2024-03-14

Annals of Telecommunications

Abstract:As the capabilities of cyber adversaries continue to evolve, now in parallel to the explosion of maturing and publicly-available artificial intelligence (AI) technologies, cyber defenders may reasonably wonder when cyber adversaries will begin to also field these AI technologies. In this regard, some promising (read: scary) areas of AI for cyber attack capabilities are search, automated planning, and reinforcement learning. As such, one possible defensive mechanism against future AI-enabled adversaries is that of cyber deception. To that end, in this work, we present and evaluate Mirage, an experimentation system demonstrated in both emulation and simulation forms that allows for the implementation and testing of novel cyber deceptions designed to counter cyber adversaries that use AI search and planning capabilities.

telecommunications

Jieling Liu,Zhiliang Wang,Jiahai Yang,Bo Wang,Lin He,Guanglei Song,Xinran Liu

DOI: https://doi.org/10.1109/ICC42927.2021.9500765

2021-01-01

Abstract:The intranets in modern organizations are facing severe data breaches and critical resource misuses. By reusing user credentials from compromised systems, Advanced Persistent Threat (APT) attackers can move laterally within the internal network. A promising new approach called deception technology makes the network administrator (i.e., defender) able to deploy decoys to deceive the attacker in the intranet and trap him into a honeypot. Then the defender ought to reasonably allocate decoys to potentially insecure hosts. Unfortunately, existing APT-related defense resource allocation models are infeasible because of the neglect of many realistic factors. In this paper, we make the decoy deployment strategy feasible by proposing a game-theoretic model called the APT Deception Game to describe interactions between the defender and the attacker. More specifically, we decompose the decoy deployment problem into two subproblems and make the problem solvable. Considering the best response of the attacker who is aware of the defender's deployment strategy, we provide an elitist reservation genetic algorithm to solve this game. Simulation results demonstrate the effectiveness of our deployment strategy compared with other heuristic strategies.

Marco Zambianco,Claudio Facchinetti,Domenico Siracusa

DOI: https://doi.org/10.1016/j.cose.2024.104144

2024-10-16

Abstract:Cyber deception allows compensating the late response of defenders countermeasures to the ever evolving tactics, techniques, and procedures (TTPs) of attackers. This proactive defense strategy employs decoys resembling legitimate system components to lure stealthy attackers within the defender environment, slowing and/or denying the accomplishment of their goals. In this regard, the selection of decoys that can expose the techniques used by malicious users plays a central role to incentivize their engagement. However, this is a difficult task to achieve in practice, since it requires an accurate and realistic modeling of the attacker capabilities and his possible targets. In this work, we tackle this challenge and we design a decoy selection scheme that is supported by an adversarial modeling based on empirical observation of real-world attackers. We take advantage of a domain-specific threat modelling language using MITRE ATT&CK framework as source of attacker TTPs targeting enterprise systems. In detail, we extract the information about the execution preconditions of each technique as well as its possible effects on the environment to generate attack graphs modeling the adversary capabilities. Based on this, we formulate a graph partition problem that minimizes the number of decoys detecting a corresponding number of techniques employed in various attack paths directed to specific targets. We compare our optimization-based decoy selection approach against several benchmark schemes that ignore the preconditions between the various attack steps. Results reveal that the proposed scheme provides the highest interception rate of attack paths using the lowest amount of decoys.

Cryptography and Security

Marco Zambianco,Claudio Facchinetti,Roberto Doriguzzi-Corin,Domenico Siracusa

DOI: https://doi.org/10.1109/TSC.2024.3395919

2024-05-06

Abstract:Cyber deception can be a valuable addition to traditional cyber defense mechanisms, especially for modern cloud-native environments with a fading security perimeter. However, pre-built decoys used in classical computer networks are not effective in detecting and mitigating malicious actors due to their inability to blend with the variety of applications in such environments. On the other hand, decoys cloning the deployed microservices of an application can offer a high-fidelity deception mechanism to intercept ongoing attacks within production environments. However, to fully benefit from this approach, it is essential to use a limited amount of decoy resources and devise a suitable cloning strategy to minimize the impact on legitimate services performance. Following this observation, we formulate a non-linear integer optimization problem that maximizes the number of attack paths intercepted by the allocated decoys within a fixed resource budget. Attack paths represent the attacker's movements within the infrastructure as a sequence of violated microservices. We also design a heuristic decoy placement algorithm to approximate the optimal solution and overcome the computational complexity of the proposed formulation. We evaluate the performance of the optimal and heuristic solutions against other schemes that use local vulnerability metrics to select which microservices to clone as decoys. Our results show that the proposed allocation strategy achieves a higher number of intercepted attack paths compared to these schemes while requiring approximately the same number of decoys.

Cryptography and Security

Yinan Hu,Quanyan Zhu

2023-09-23

Abstract:The concept of cyber deception has been receiving emerging attention. The development of cyber defensive deception techniques requires interdisciplinary work, among which cognitive science plays an important role. In this work, we adopt a signaling game framework between a defender and a human agent to develop a cyber defensive deception protocol that takes advantage of the cognitive biases of human decision-making using quantum decision theory to combat insider attacks (IA). The defender deceives an inside human attacker by luring him to access decoy sensors via generators producing perceptions of classical signals to manipulate the human attacker's psychological state of mind. Our results reveal that even without changing the classical traffic data, strategically designed generators can result in a worse performance for defending against insider attackers in identifying decoys than the ones in the deceptive scheme without generators, which generate random information based on input signals. The proposed framework leads to fundamental theories in designing more effective signaling schemes.

Cryptography and Security

Erich Walter,Kimberly Ferguson-Walter,Ahmad Ridley

DOI: https://doi.org/10.48550/arXiv.2108.13980

2021-09-01

Abstract:Deceptive elements, including honeypots and decoys, were incorporated into the Microsoft CyberBattleSim experimentation and research platform. The defensive capabilities of the deceptive elements were tested using reinforcement learning based attackers in the provided capture the flag environment. The attacker's progress was found to be dependent on the number and location of the deceptive elements. This is a promising step toward reproducibly testing attack and defense algorithms in a simulated enterprise network with deceptive defensive elements.

Cryptography and Security,Artificial Intelligence

Mario Kahlhofer,Stefan Rass

2024-05-21

Abstract:Cyber deception techniques that are tightly intertwined with applications pose significant technical challenges in production systems. Security measures are usually the responsibility of a system operator, but they are typically limited to accessing built software artifacts, not their source code. This limitation makes it particularly challenging to deploy cyber deception techniques at application runtime and without full control over the software development lifecycle. This work reviews 19 technical methods to accomplish this and evaluates them based on technical, topological, operational, and efficacy properties. We find some novel techniques beyond honeypots and reverse proxies that seem to have received little research interest despite their promise for cyber deception. We believe that overcoming these technical challenges can drive the adoption of more dynamic and personalized cyber deception techniques, tailored to specific classes of applications.

Cryptography and Security,Distributed, Parallel, and Cluster Computing,Networking and Internet Architecture,Software Engineering

Li Zhang,Vrizlynn L. L. Thing

DOI: https://doi.org/10.1016/j.cose.2021.102288

2021-04-08

Abstract:Deception techniques have been widely seen as a game changer in cyber defense. In this paper, we review representative techniques in honeypots, honeytokens, and moving target defense, spanning from the late 1980s to the year 2021. Techniques from these three domains complement with each other and may be leveraged to build a holistic deception based defense. However, to the best of our knowledge, there has not been a work that provides a systematic retrospect of these three domains all together and investigates their integrated usage for orchestrated deceptions. Our paper aims to fill this gap. By utilizing a tailored cyber kill chain model which can reflect the current threat landscape and a four-layer deception stack, a two-dimensional taxonomy is developed, based on which the deception techniques are classified. The taxonomy literally answers which phases of a cyber attack campaign the techniques can disrupt and which layers of the deception stack they belong to. Cyber defenders may use the taxonomy as a reference to design an organized and comprehensive deception plan, or to prioritize deception efforts for a budget conscious solution. We also discuss two important points for achieving active and resilient cyber defense, namely deception in depth and deception lifecycle, where several notable proposals are illustrated. Finally, some outlooks on future research directions are presented, including dynamic integration of different deception techniques, quantified deception effects and deception operation cost, hardware-supported deception techniques, as well as techniques developed based on better understanding of the human element.

Cryptography and Security

Daniel Reti,Karina Elzer,Daniel Fraunholz,Daniel Schneider,Hans-Dieter Schotten

DOI: https://doi.org/10.1145/3560828.3564006

2023-01-25

Abstract:In the field of network security, with the ongoing arms race between attackers, seeking new vulnerabilities to bypass defense mechanisms and defenders reinforcing their prevention, detection and response strategies, the novel concept of cyber deception has emerged. Starting from the well-known example of honeypots, many other deception strategies have been developed such as honeytokens and moving target defense, all sharing the objective of creating uncertainty for attackers and increasing the chance for the attacker of making mistakes. In this paper a methodology to evaluate the effectiveness of honeypots and moving target defense in a network is presented. This methodology allows to quantitatively measure the effectiveness in a simulation environment, allowing to make recommendations on how many honeypots to deploy and on how quickly network addresses have to be mutated to effectively disrupt an attack in multiple network and attacker configurations. With this optimum, attacks can be detected and slowed down with a minimal resource and configuration overhead. With the provided methodology, the optimal number of honeypots to be deployed and the optimal network address mutation interval can be determined. Furthermore, this work provides guidance on how to optimally deploy and configure them with respect to the attacker model and several network parameters.

Cryptography and Security

Guanding Yu

2005-01-01

Abstract:A distributed IP spoof detection system in Intranet is proposed, which can efficiently detect IP spoof behaviors in Intranet. Current techniques of defending IP spoof are analyzed. Aimed at characteristics of Intranet, the design of the system is introduced in detail. The determination method of IP spoof and the design of the monitor, which is a key component of the system, are presented. The implementation of data capture model is also presented. From the experimentation result, it is concluded that the system has the characteristics of high accuracy and real-time performance, but little data traffic. It can be generalized in Intranet of different scales and in other network security systems.

Sambuddho Chakravarty,Georgios Portokalidis,Michalis Polychronakis,Angelos D. Keromytis

DOI: https://doi.org/10.1007/s10207-014-0256-7

2014-08-18

International Journal of Information Security

Abstract:Anonymous communication networks, like Tor, partially protect the confidentiality of user traffic by encrypting all communications within the overlay network. However, when the relayed traffic reaches the boundaries of the network, toward its destination, the original user traffic is inevitably exposed to the final node on the path. As a result, users transmitting sensitive data, like authentication credentials, over such networks, risk having their data intercepted and exposed, unless end-to-end encryption is used. Eavesdropping can be performed by malicious or compromised relay nodes, as well as any rogue network entity on the path toward the actual destination. Furthermore, end-to-end encryption does not assure defense against man-in-the-middle attacks. In this work, we explore the use of decoys at multiple levels for the detection of traffic interception by malicious nodes of proxy-based anonymous communication systems. Our approach relies on the injection of traffic that exposes bait credentials for decoy services requiring user authentication, and URLs to seemingly sensitive decoy documents which, when opened, invoke scripts alerting about being accessed. Our aim was to entice prospective eavesdroppers to access our decoy servers and decoy documents, using the snooped credentials and URLs. We have deployed our prototype implementation in the Tor network using decoy IMAP, SMTP, and HTTP servers. During the course of over 30 months, our system has detected 18 cases of traffic eavesdropping that involved 14 different Tor exit nodes.

computer science, information systems, theory & methods, software engineering

Daniel Reti,David Klaaßen,Simon Duque Anton,Hans Dieter Schotten

DOI: https://doi.org/10.48550/arXiv.2104.03666

2021-04-08

Abstract:Deceiving an attacker in the network security domain is a well established approach, mainly achieved through deployment of honeypots consisting of open network ports with the sole purpose of raising an alert on a connection. With attackers becoming more careful to avoid honeypots, other decoy elements on real host systems continue to create uncertainty for attackers. This uncertainty makes an attack more difficult, as an attacker cannot be sure whether the system does contain deceptive elements or not. Consequently, each action of an attacker could lead to the discovery. In this paper a framework is proposed for placing decoy elements through an SSH proxy, allowing to deploy decoy elements on-the-fly without the need for a modification of the protected host system.

Cryptography and Security,Networking and Internet Architecture

Mohammad Qasem,Hussain M. J. Almohri

DOI: https://doi.org/10.48550/arXiv.2004.06933

2020-04-15

Cryptography and Security

Abstract:Emerging deceptive systems present a new promise for the uprising security problems in cloud-based virtual networks, especially those operated by small and medium enterprises. The main goal of deceptive systems is to form a layer of defensive nodes in an Internet-accessible cloud-based virtual network to distract and deceive malicious clients. While numerous approaches provide distinct models for developing decisive systems, misery digraphs present a promising decisive model for distracting powerful remote intrusions. Misery digraphs can delay access to targets deep in a cloud-based virtual network. A central challenge to the theory of misery digraphs is verifying their applicability in prominent cloud computing platforms as well as measuring the efficiency of networks that adapt them. Thus, architectural support is needed that can be realized with long-term support technologies and can be deployed for large networks. This work presents and analyzes a high-throughput architecture for misery digraphs, embarking on implementation details and performance analysis. Full implementation of the architecture in Amazon Web Services imposes modest performance delays in the request processing, while highly delaying stealth intrusions in the network.

WU Xin,HUANG Hao

DOI: https://doi.org/10.3969/j.issn.1001-3695.2006.11.031

2006-01-01

Abstract:Honeypots take several deception technology to protect network.This paper will explain actively the deception technology,including it's definition,purpose,category and development.It analyzes the principles of most kinds of deception technology,including banner simulation,random server,redirection,cage and virtual command.It discusses how to choose proper deception technology to deploy deception policy baesd on different deception purposes.

Tao Chen,Lei Wang,Xiaoqiang Ren,Zhitao Liu,Hongye Su

DOI: https://doi.org/10.1109/cdc49753.2023.10383555

2023-01-01

Abstract:In cyber-physical systems, replay attacks are a type of deception attacks that involve replaying previously recorded sensor data while injecting attack signals into the physical plant. The replay attacks are difficult to detect because the data being replayed is normal. To detect replay attacks, authentication signals are commonly used. However, injecting authentication signals may affect the performance of system states that are sensitive to noise or disturbance. To address this issue, the effect of authentication signals on sensitive states is measured in the sense of mean square error, and conditions that the authentication signal has a limited effect or even no effect on sensitive states are presented. Combining these conditions, optimization problems are constructed to design the authentication signal. Finally, the proposed method is validated through simulation results.