Junchi Xing,Mingliang Yang,Haifeng Zhou,Chunming Wu,Wei Ruan

DOI: https://doi.org/10.1109/IPCCC47392.2019.8958776

2019-01-01

Abstract:Network reconnaissance aims at gathering as much information as possible before an attack is launched. Meanwhile, static host address configuration facilitates network reconnaissance. Currently, more sophisticated network reconnaissance has been emerged with the adaptive and cooperative features. To address this, in this paper, we present Hiding and Trapping (HaT), which is a deceptive approach to disrupt adversarial network reconnaissance with the help of the software-defined networking (SDN) paradigm. HaT is able to hide valuable hosts from attackers and to trap them into decoy nodes through strategic and holistic host address mutation according to characteristic of adversaries. We implement a prototype of HaT, and evaluate its performance by experiments. The experimental results show that HaT is capable to effectively disrupt adversarial network reconnaissance with better deceptive performance than the existing address randomization approach.

Jichao Bi,Shibo He,Fengji Luo,Wenchao Meng,Luyue Ji,Da-Wen Huang

DOI: https://doi.org/10.1109/TII.2022.3231406

IF: 12.3

2023-01-01

IEEE Transactions on Industrial Informatics

Abstract:Industrial Internet of Things (IIoT) is vulnerable to advanced persistent threat (APT). In this article, we study a scenario in which APT is launched to attack IIoT devices. Considering the APTs lateral movement, a node-level state evolution model is established to calculate the probability of every device in an IIoT system to be compromised by APT. Based on this, a Stackelberg game model is proposed for the APT attacker and defender, which can accurately describe the gaming process. An effective computational approach is developed to obtain the potential Stackelberg equilibrium strategy pair of the game. Extensive case studies and comparison studies are conducted to validate the effectiveness of the proposed method.

Duohe Ma,Zhimin Tang,Xiaoyan Sun,Lu Guo,Liming Wang,Kai Chen

DOI: https://doi.org/10.1145/3560828.3563995

2022-01-01

Abstract:Moving target defense (MTD) is a proactive defensive mechanism proposed to disrupt and disable potential attacks, thus reversing the defender's disadvantages. Cyber deception is a complementary technique that is often used to enhance MTD by utilizing misinformation to deceive and mislead attackers. Deception elements, such as honeypot, honey bait, honey token, breadcrumb, and well-constructed deception scenes, can significantly increase the uncertainties for attackers. Deception-based MTD techniques can change the asymmetry situation between defenders and attackers through affecting the attacker's perception of the system. However, there is still a lack of understanding about the role of cyber deception in MTD, and few research works have evaluated the effectiveness of cyber deception. In this paper, we propose a concept of deception attack surface to illustrate deception-based moving target defense. Moreover, we propose a quantitative method to measure deception, which includes two core concepts: exposed falseness degree and hidden truth degree. We further formulate a deception game model between an attacker and a defender, in which the defender attempts to protect the entry points on the attack surface by creating or changing a deception attack surface. Furthermore, we provide a detailed example scenario and analyze the deception game's equilibrium. Finally We verify the effectiveness of our proposed method through a real attack and defense experiment.

Abhishek N. Kulkarni,Matthew S. Cohen,Charles A. Kamhoua,Jie Fu

2024-07-20

Abstract:Deception plays a crucial role in strategic interactions with incomplete information. Motivated by security applications, we study a class of two-player turn-based deterministic games with one-sided incomplete information, in which player 1 (P1) aims to prevent player 2 (P2) from reaching a set of target states. In addition to actions, P1 can place two kinds of deception resources: "traps" and "fake targets" to disinform P2 about the transition dynamics and payoff of the game. Traps "hide the real" by making trap states appear normal, while fake targets "reveal the fiction" by advertising non-target states as targets. We are interested in jointly synthesizing optimal decoy placement and deceptive defense strategies for P1 that exploits P2's misinformation. We introduce a novel hypergame on graph model and two solution concepts: stealthy deceptive sure winning and stealthy deceptive almost-sure winning. These identify states from which P1 can prevent P2 from reaching the target in a finite number of steps or with probability one without allowing P2 to become aware that it is being deceived. Consequently, determining the optimal decoy placement corresponds to maximizing the size of P1's deceptive winning region. Considering the combinatorial complexity of exploring all decoy allocations, we utilize compositional synthesis concepts to show that the objective function for decoy placement is monotone, non-decreasing, and, in certain cases, sub- or super-modular. This leads to a greedy algorithm for decoy placement, achieving a $(1 - 1/e)$-approximation when the objective function is sub- or super-modular. The proposed hypergame model and solution concepts contribute to understanding the optimal deception resource allocation and deception strategies in various security applications.

Computer Science and Game Theory

Yongjin Hu,Han Zhang,Yuanbo Guo,Tao Li,Jun Ma

DOI: https://doi.org/10.1155/2020/8850356

2020-01-01

Wireless Communications and Mobile Computing

Abstract:Increasingly, more administrators (defenders) are using defense strategies with deception such as honeypots to improve the IoT network security in response to attacks. Using game theory, the signaling game is leveraged to describe the confrontation between attacks and defenses. However, the traditional approach focuses only on the defender; the analysis from the attacker side is ignored. Moreover, insufficient analysis has been conducted on the optimal defense strategy with deception when the model is established with the signaling game. In our work, the signaling game model is extended to a novel two-way signaling game model to describe the game from the perspectives of both the defender and the attacker. First, the improved model is formally defined, and an algorithm is proposed for identifying the refined Bayesian equilibrium. Then, according to the calculated benefits, optimal strategies choice for both the attacker and the defender in the game are analyzed. Last, a simulation is conducted to evaluate the performance of the proposed model and to demonstrate that the defense strategy with deception is optimal for the defender.

Quang Duy La,Tony Q. S. Quek,Jemin Lee,Shi Jin,Hongbo Zhu

DOI: https://doi.org/10.1109/jiot.2016.2547994

IF: 10.6

2016-01-01

IEEE Internet of Things Journal

Abstract:In modern days, breakthroughs in information and communications technologies lead to more and more devices of every imaginable type being connected to the Internet. This also strengthens the need for protection against cyber-attacks, as virtually any devices with a wireless connection could be vulnerable to malicious hacking attempts. Meanwhile, honeypot-based deception mechanism has been considered as one of the methods to ensure security for modern networks in the Internet of Things (IoT). In this paper, we address the problem of defending against attacks in honeypot-enabled networks by looking at a game-theoretic model of deception involving an attacker and a defender. The attacker may try to deceive the defender by employing different types of attacks ranging from a suspicious to a seemingly normal activity, while the defender in turn can make use of honeypots as a tool of deception to trap attackers. The problem is modeled as a Bayesian game of incomplete information, where equilibria are identified for both the one-shot game and the repeated game versions. Our results show that there is a threshold for the frequency of active attackers, above which both players will take deceptive actions and below which the defender can mix up his/her strategy while keeping the attacker's success rate low.

Yinan Hu,Quanyan Zhu

2023-09-23

Abstract:The concept of cyber deception has been receiving emerging attention. The development of cyber defensive deception techniques requires interdisciplinary work, among which cognitive science plays an important role. In this work, we adopt a signaling game framework between a defender and a human agent to develop a cyber defensive deception protocol that takes advantage of the cognitive biases of human decision-making using quantum decision theory to combat insider attacks (IA). The defender deceives an inside human attacker by luring him to access decoy sensors via generators producing perceptions of classical signals to manipulate the human attacker's psychological state of mind. Our results reveal that even without changing the classical traffic data, strategically designed generators can result in a worse performance for defending against insider attackers in identifying decoys than the ones in the deceptive scheme without generators, which generate random information based on input signals. The proposed framework leads to fundamental theories in designing more effective signaling schemes.

Cryptography and Security

Stephanie Milani,Weiran Shen,Kevin S. Chan,S. Venkatesan,Nandi O. Leslie,C. Kamhoua,Fei Fang

DOI: https://doi.org/10.1007/978-3-030-64793-3_8

2020-01-01

Abstract:We study the use of deception in attack graph-based Stackelberg security games. In our setting, in addition to allocating defensive resources to protect important targets from attackers, the defender can strategically manipulate the attack graph through three main types of deceptive actions. We show that finding the optimal deception and defense strategy is at least NP-hard. We provide two techniques for efficiently solving this problem: a mixed-integer linear program for layered directed acyclic graphs (DAGs) and neural architecture search for general DAGs. We empirically demonstrate that using deception on attack graphs gives the defender a significant advantage, and the algorithms we develop scale gracefully to medium-sized problems.

Jeffrey Pawlick,Quanyan Zhu

DOI: https://doi.org/10.48550/arXiv.1503.05458

2015-06-20

Abstract:Deception plays a critical role in the financial industry, online markets, national defense, and countless other areas. Understanding and harnessing deception - especially in cyberspace - is both crucial and difficult. Recent work in this area has used game theory to study the roles of incentives and rational behavior. Building upon this work, we employ a game-theoretic model for the purpose of mechanism design. Specifically, we study a defensive use of deception: implementation of honeypots for network defense. How does the design problem change when an adversary develops the ability to detect honeypots? We analyze two models: cheap-talk games and an augmented version of those games that we call cheap-talk games with evidence, in which the receiver can detect deception with some probability. Our first contribution is this new model for deceptive interactions. We show that the model includes traditional signaling games and complete information games as special cases. We also demonstrate numerically that deception detection sometimes eliminate pure-strategy equilibria. Finally, we present the surprising result that the utility of a deceptive defender can sometimes increase when an adversary develops the ability to detect deception. These results apply concretely to network defense. They are also general enough for the large and critical body of strategic interactions that involve deception.

Cryptography and Security

Jianhua Sun,Songsong Liu,Kun Sun

DOI: https://doi.org/10.1145/3338468.3356826

2019-01-01

Abstract:Recent years have witnessed a surging trend of leveraging deception technique to detect and defeat sophisticated cyber attacks such as the advanced persistent threat. Deception typically employs a decoy network to entrap the attackers and divert the firepower away from the real protected assets. Unfortunately, existing decoy systems failed to achieve a balanced tradeoff between the decoy fidelity and scalability, which potentially undermines the effectiveness of attacker deception. In this paper, we propose a hybrid decoy architecture that separates lightweight front-end decoys from high-fidelity back-end decoy servers. To enhance the deception effectiveness, we introduce dynamics into the decoy system design to make the decoy a moving target, where the front-end decoys constrain attackers by transparently intercepting and forwarding the malicious commands to the heterogeneous back-end decoys for real execution. We implement two prototypes of the hybrid decoy architecture based on Linux Bash shell and Windows PowerShell. The experimental results demonstrate that our system can effectively misdirect and disinform attackers with small network and system overhead.

Shuo Wang,Qingqi Pei,Jianhua Wang,Guangming Tang,Yuchen Zhang,Xiaohu Liu

DOI: https://doi.org/10.1109/ACCESS.2020.2974786

IF: 3.9

2020-01-01

IEEE Access

Abstract:Traditional deception-based cyber defenses (DCD) often adopt the static deployment policy that places the deception resources in some fixed positions in the target network. Unfortunately, the effectiveness of these deception resources has been greatly restricted by the static deployment policy, which also causes the deployed deception resources to be easily identified and bypassed by attackers. Moreover, the existing studies on dynamic deployment policy, which make many strict assumptions and constraints, are too idealistic to be practical. To overcome this limitation, an intelligent deployment policy used to dynamically adjust the locations of these deception resources according to the network security state is developed. Starting with formulating the problem of deception resources deployment, we then model the attacker-defender scenario and the attackers strategy. Next, the preliminary screening method that can derive the effective deployment locations of deception resources based on threat penetration graph (TPG) is proposed. Afterward, we construct the model for finding the optimal policy to deploy the deception resources using reinforcement learning and design the Q-Learning training algorithm with model-free. Finally, we use the real-world network environment for our experiments and conduct in-depth comparisons with state-of-the-art methods. Our evaluations on a large number of attacks show that our method has a high defense success probability of nearly 80%, which is more efficient than existing schemes.

Marco Zambianco,Claudio Facchinetti,Domenico Siracusa

DOI: https://doi.org/10.1016/j.cose.2024.104144

2024-10-16

Abstract:Cyber deception allows compensating the late response of defenders countermeasures to the ever evolving tactics, techniques, and procedures (TTPs) of attackers. This proactive defense strategy employs decoys resembling legitimate system components to lure stealthy attackers within the defender environment, slowing and/or denying the accomplishment of their goals. In this regard, the selection of decoys that can expose the techniques used by malicious users plays a central role to incentivize their engagement. However, this is a difficult task to achieve in practice, since it requires an accurate and realistic modeling of the attacker capabilities and his possible targets. In this work, we tackle this challenge and we design a decoy selection scheme that is supported by an adversarial modeling based on empirical observation of real-world attackers. We take advantage of a domain-specific threat modelling language using MITRE ATT&CK framework as source of attacker TTPs targeting enterprise systems. In detail, we extract the information about the execution preconditions of each technique as well as its possible effects on the environment to generate attack graphs modeling the adversary capabilities. Based on this, we formulate a graph partition problem that minimizes the number of decoys detecting a corresponding number of techniques employed in various attack paths directed to specific targets. We compare our optimization-based decoy selection approach against several benchmark schemes that ignore the preconditions between the various attack steps. Results reveal that the proposed scheme provides the highest interception rate of attack paths using the lowest amount of decoys.

Cryptography and Security

Jason Landsborough,Neil C. Rowe,Thuy D. Nguyen,Sunny Fugate

2024-12-21

Abstract:Deception is being increasingly explored as a cyberdefense strategy to protect operational systems. We are studying implementation of deception-in-depth strategies with initially three logical layers: network, host, and data. We draw ideas from military deception, network orchestration, software deception, file deception, fake honeypots, and moving-target defenses. We are building a prototype representing our ideas and will be testing it in several adversarial environments. We hope to show that deploying a broad range of deception techniques can be more effective in protecting systems than deploying single techniques. Unlike traditional deception methods that try to encourage active engagement from attackers to collect intelligence, we focus on deceptions that can be used on real machines to discourage attacks.

Cryptography and Security

Dayong Ye,Tianqing Zhu,Shen Sheng,Wanlei Zhou

DOI: https://doi.org/10.48550/arXiv.2008.05629

2020-08-13

Abstract:Cyber deception is one of the key approaches used to mislead attackers by hiding or providing inaccurate system information. There are two main factors limiting the real-world application of existing cyber deception approaches. The first limitation is that the number of systems in a network is assumed to be fixed. However, in the real world, the number of systems may be dynamically changed. The second limitation is that attackers' strategies are simplified in the literature. However, in the real world, attackers may be more powerful than theory suggests. To overcome these two limitations, we propose a novel differentially private game theoretic approach to cyber deception. In this proposed approach, a defender adopts differential privacy mechanisms to strategically change the number of systems and obfuscate the configurations of systems, while an attacker adopts a Bayesian inference approach to infer the real configurations of systems. By using the differential privacy technique, the proposed approach can 1) reduce the impacts on network security resulting from changes in the number of systems and 2) resist attacks regardless of attackers' reasoning power. The experimental results demonstrate the effectiveness of the proposed approach.

Cryptography and Security

Jing Jiang,Xiao Liu

DOI: https://doi.org/10.1109/IEEM.2018.8607827

2018-01-01

Abstract:Critical infrastructures are significant for national security, economic development and social stability. With the development of economic globalization and information technology, the increasing network complexity and dynamic information have brought challenges to generate data-driven defense strategies for an infrastructure network against multiple interdictions. In order to optimize the defense strategy dynamically, we develop a data-driven finite Bayesian Stackelberg game model among a defender and multiple interdictors. In this model, the defender, with incomplete information on the interdictors' risk attitude and objective weight, initiates to improve the network performance in the most cost-effective way; whereas the interdictor, with incomplete information on the valuation of components and effectiveness ratio, follows to destroy the network structure in the most cost-effective way. Over the dynamic interactions among the defender and multiple interdictors, the interdictor's knowledge of the effectiveness ratio is updated by Bayesian updating rule. In order to solve the proposed model, smallest-depth binary-partition based hierarchical algorithm is developed to obtain the strong Stackelberg equilibrium. Finally, the practical applicability is demonstrated by a case study of Zhi Jiang network.

Md Abu Sayed,Ahmed H. Anwar,Christopher Kiekintveld,Charles Kamhoua

2023-09-19

Abstract:Honeypots play a crucial role in implementing various cyber deception techniques as they possess the capability to divert attackers away from valuable assets. Careful strategic placement of honeypots in networks should consider not only network aspects but also attackers' preferences. The allocation of honeypots in tactical networks under network mobility is of great interest. To achieve this objective, we present a game-theoretic approach that generates optimal honeypot allocation strategies within an attack/defense scenario. Our proposed approach takes into consideration the changes in network connectivity. In particular, we introduce a two-player dynamic game model that explicitly incorporates the future state evolution resulting from changes in network connectivity. The defender's objective is twofold: to maximize the likelihood of the attacker hitting a honeypot and to minimize the cost associated with deception and reconfiguration due to changes in network topology. We present an iterative algorithm to find Nash equilibrium strategies and analyze the scalability of the algorithm. Finally, we validate our approach and present numerical results based on simulations, demonstrating that our game model successfully enhances network security. Additionally, we have proposed additional enhancements to improve the scalability of the proposed approach.

Computer Science and Game Theory

Daniel Reti,Karina Elzer,Daniel Fraunholz,Daniel Schneider,Hans-Dieter Schotten

DOI: https://doi.org/10.1145/3560828.3564006

2023-01-25

Abstract:In the field of network security, with the ongoing arms race between attackers, seeking new vulnerabilities to bypass defense mechanisms and defenders reinforcing their prevention, detection and response strategies, the novel concept of cyber deception has emerged. Starting from the well-known example of honeypots, many other deception strategies have been developed such as honeytokens and moving target defense, all sharing the objective of creating uncertainty for attackers and increasing the chance for the attacker of making mistakes. In this paper a methodology to evaluate the effectiveness of honeypots and moving target defense in a network is presented. This methodology allows to quantitatively measure the effectiveness in a simulation environment, allowing to make recommendations on how many honeypots to deploy and on how quickly network addresses have to be mutated to effectively disrupt an attack in multiple network and attacker configurations. With this optimum, attacks can be detected and slowed down with a minimal resource and configuration overhead. With the provided methodology, the optimal number of honeypots to be deployed and the optimal network address mutation interval can be determined. Furthermore, this work provides guidance on how to optimally deploy and configure them with respect to the attacker model and several network parameters.

Cryptography and Security

Jeffrey Pawlick,Edward Colbert,Quanyan Zhu

DOI: https://doi.org/10.1145/3337772

IF: 16.6

2020-07-31

ACM Computing Surveys

Abstract:Cyberattacks on both databases and critical infrastructure have threatened public and private sectors. Ubiquitous tracking and wearable computing have infringed upon privacy. Advocates and engineers have recently proposed using defensive deception as a means to leverage the information asymmetry typically enjoyed by attackers as a tool for defenders. The term deception, however, has been employed broadly and with a variety of meanings. In this article, we survey 24 articles from 2008 to 2018 that use game theory to model defensive deception for cybersecurity and privacy. Then, we propose a taxonomy that defines six types of deception: perturbation, moving target defense, obfuscation, mixing, honey-x, and attacker engagement. These types are delineated by their information structures, agents, actions, and duration: precisely concepts captured by game theory. Our aims are to rigorously define types of defensive deception, to capture a snapshot of the state of the literature, to provide a menu of models that can be used for applied research, and to identify promising areas for future work. Our taxonomy provides a systematic foundation for understanding different types of defensive deception commonly encountered in cybersecurity and privacy.

computer science, theory & methods

Kun Lv,Yun Chen,Changzhen Hu

DOI: https://doi.org/10.1016/j.inffus.2019.01.001

IF: 18.6

2019-01-01

Information Fusion

Abstract:Advanced persistent threats (APTs) pose a grave threat in cyberspace because of their long latency and concealment. In this paper, we propose a hybrid strategy game-based dynamic defense model to optimally allocate constrained secure resources for the target network. In addition, values of profits of players in this game are computed by a novel data-fusion method called NetF. Based on network protocols and log documents, the NetF deciphers data packets collected from different networks to natural language to make them comparable. Using this algorithm, data observed from the Internet and wireless sensor networks (WSNs) can be fused to calculate the comprehensive payoff of every node precisely. The Nash equilibrium can be computed using the value to detect the possibility of a node being a malicious node. Using this method, the dynamic optimal defense strategy can be allocated to every node at different times, which enhances the security of the target network obviously. In experiments, we illustrate the obtained results via case studies of a cluster of heterogeneous networks. The results guide planning of optimal defense strategies for different kinds of nodes at different times.

MingChu Li,Wanyu Dong,Xiao Zheng,Anil Carie,Yuan Tian

DOI: https://doi.org/10.1007/978-981-19-0604-6_49

2022-01-01

Abstract:This paper proposes a method to enable a risk-averse and resource-constrained network defender to deploy security countermeasures in an optimal way to prevent multiple potential attackers with uncertain budgets. To solve the problem of information asymmetry between the attacker and the defender, a fake countermeasure (FC) is placed on the arc, and the situation of multiple attackers is also taken into consideration. This method is based on the risk aversion bi-level stochastic network interdiction model on the attack graph, which can easily map the path of attackers. Meanwhile, our method can minimize the weighted sum of all losses and minimize the risk of the defender's key nodes being destroyed. At the same time, in order to prevent the key node of the defender from being destroyed, the risk condition value measurement is taken into account in the stochastic programming model. We design a SA-CPLEX algorithm to provide a high-quality approximate optimal solution. And computational results suggest that our method provides better network interdiction decisions than traditional deterministic and risk-neutral models.