Mu Zhu,Ahmed H. Anwar,Zelin Wan,Jin-Hee Cho,Charles Kamhoua,Munindar P. Singh

DOI: https://doi.org/10.48550/arXiv.2101.10121

2021-05-09

Abstract:Defensive deception is a promising approach for cyber defense. Via defensive deception, the defender can anticipate attacker actions; it can mislead or lure attacker, or hide real resources. Although defensive deception is increasingly popular in the research community, there has not been a systematic investigation of its key components, the underlying principles, and its tradeoffs in various problem settings. This survey paper focuses on defensive deception research centered on game theory and machine learning, since these are prominent families of artificial intelligence approaches that are widely employed in defensive deception. This paper brings forth insights, lessons, and limitations from prior work. It closes with an outline of some research directions to tackle major gaps in current defensive deception research.

Cryptography and Security,Computer Science and Game Theory,Machine Learning

Jeffrey Pawlick,Edward Colbert,Quanyan Zhu

DOI: https://doi.org/10.1145/3337772

IF: 16.6

2020-07-31

ACM Computing Surveys

Abstract:Cyberattacks on both databases and critical infrastructure have threatened public and private sectors. Ubiquitous tracking and wearable computing have infringed upon privacy. Advocates and engineers have recently proposed using defensive deception as a means to leverage the information asymmetry typically enjoyed by attackers as a tool for defenders. The term deception, however, has been employed broadly and with a variety of meanings. In this article, we survey 24 articles from 2008 to 2018 that use game theory to model defensive deception for cybersecurity and privacy. Then, we propose a taxonomy that defines six types of deception: perturbation, moving target defense, obfuscation, mixing, honey-x, and attacker engagement. These types are delineated by their information structures, agents, actions, and duration: precisely concepts captured by game theory. Our aims are to rigorously define types of defensive deception, to capture a snapshot of the state of the literature, to provide a menu of models that can be used for applied research, and to identify promising areas for future work. Our taxonomy provides a systematic foundation for understanding different types of defensive deception commonly encountered in cybersecurity and privacy.

computer science, theory & methods

Li Zhang,Vrizlynn L. L. Thing

DOI: https://doi.org/10.1016/j.cose.2021.102288

2021-04-08

Abstract:Deception techniques have been widely seen as a game changer in cyber defense. In this paper, we review representative techniques in honeypots, honeytokens, and moving target defense, spanning from the late 1980s to the year 2021. Techniques from these three domains complement with each other and may be leveraged to build a holistic deception based defense. However, to the best of our knowledge, there has not been a work that provides a systematic retrospect of these three domains all together and investigates their integrated usage for orchestrated deceptions. Our paper aims to fill this gap. By utilizing a tailored cyber kill chain model which can reflect the current threat landscape and a four-layer deception stack, a two-dimensional taxonomy is developed, based on which the deception techniques are classified. The taxonomy literally answers which phases of a cyber attack campaign the techniques can disrupt and which layers of the deception stack they belong to. Cyber defenders may use the taxonomy as a reference to design an organized and comprehensive deception plan, or to prioritize deception efforts for a budget conscious solution. We also discuss two important points for achieving active and resilient cyber defense, namely deception in depth and deception lifecycle, where several notable proposals are illustrated. Finally, some outlooks on future research directions are presented, including dynamic integration of different deception techniques, quantified deception effects and deception operation cost, hardware-supported deception techniques, as well as techniques developed based on better understanding of the human element.

Cryptography and Security

Duohe Ma,Zhimin Tang,Xiaoyan Sun,Lu Guo,Liming Wang,Kai Chen

DOI: https://doi.org/10.1145/3560828.3563995

2022-01-01

Abstract:Moving target defense (MTD) is a proactive defensive mechanism proposed to disrupt and disable potential attacks, thus reversing the defender's disadvantages. Cyber deception is a complementary technique that is often used to enhance MTD by utilizing misinformation to deceive and mislead attackers. Deception elements, such as honeypot, honey bait, honey token, breadcrumb, and well-constructed deception scenes, can significantly increase the uncertainties for attackers. Deception-based MTD techniques can change the asymmetry situation between defenders and attackers through affecting the attacker's perception of the system. However, there is still a lack of understanding about the role of cyber deception in MTD, and few research works have evaluated the effectiveness of cyber deception. In this paper, we propose a concept of deception attack surface to illustrate deception-based moving target defense. Moreover, we propose a quantitative method to measure deception, which includes two core concepts: exposed falseness degree and hidden truth degree. We further formulate a deception game model between an attacker and a defender, in which the defender attempts to protect the entry points on the attack surface by creating or changing a deception attack surface. Furthermore, we provide a detailed example scenario and analyze the deception game's equilibrium. Finally We verify the effectiveness of our proposed method through a real attack and defense experiment.

Jason Landsborough,Neil C. Rowe,Thuy D. Nguyen,Sunny Fugate

2024-12-21

Abstract:Deception is being increasingly explored as a cyberdefense strategy to protect operational systems. We are studying implementation of deception-in-depth strategies with initially three logical layers: network, host, and data. We draw ideas from military deception, network orchestration, software deception, file deception, fake honeypots, and moving-target defenses. We are building a prototype representing our ideas and will be testing it in several adversarial environments. We hope to show that deploying a broad range of deception techniques can be more effective in protecting systems than deploying single techniques. Unlike traditional deception methods that try to encourage active engagement from attackers to collect intelligence, we focus on deceptions that can be used on real machines to discourage attacks.

Cryptography and Security

Edward A. Cranford,Cleotilde Gonzalez,Palvi Aggarwal,Milind Tambe,Sarah Cooney,Christian Lebiere

DOI: https://doi.org/10.1111/cogs.13013

IF: 2.617

2021-07-01

Cognitive Science

Abstract:<p>This work is an initial step toward developing a cognitive theory of cyber deception. While widely studied, the psychology of deception has largely focused on physical cues of deception. Given that present-day communication among humans is largely electronic, we focus on the cyber domain where physical cues are unavailable and for which there is less psychological research. To improve cyber defense, researchers have used signaling theory to extended algorithms developed for the optimal allocation of limited defense resources by using deceptive signals to trick the human mind. However, the algorithms are designed to protect against adversaries that make perfectly rational decisions. In behavioral experiments using an abstract cybersecurity game (i.e., Insider Attack Game), we examined human decision-making when paired against the defense algorithm. We developed an instance-based learning (IBL) model of an attacker using the Adaptive Control of Thought-Rational (ACT-R) cognitive architecture to investigate how humans make decisions under deception in cyber-attack scenarios. Our results show that the defense algorithm is more effective at reducing the probability of attack and protecting assets when using deceptive signaling, compared to no signaling, but is less effective than predicted against a perfectly rational adversary. Also, the IBL model replicates human attack decisions accurately. The IBL model shows how human decisions arise from experience, and how memory retrieval dynamics can give rise to cognitive biases, such as confirmation bias. The implications of these findings are discussed in the perspective of informing theories of deception and designing more effective signaling schemes that consider human bounded rationality.</p>

psychology, experimental

Md Abu Sayed,Moqsadur Rahman,Mohammad Ariful Islam Khan,Deepak Tosh

2024-01-08

Abstract:In the evolving landscape of cybersecurity, the utilization of cyber deception has gained prominence as a proactive defense strategy against sophisticated attacks. This paper presents a comprehensive survey that investigates the crucial network requirements essential for the successful implementation of effective cyber deception techniques. With a focus on diverse network architectures and topologies, we delve into the intricate relationship between network characteristics and the deployment of deception mechanisms. This survey provides an in-depth analysis of prevailing cyber deception frameworks, highlighting their strengths and limitations in meeting the requirements for optimal efficacy. By synthesizing insights from both theoretical and practical perspectives, we contribute to a comprehensive understanding of the network prerequisites crucial for enabling robust and adaptable cyber deception strategies.

Cryptography and Security

Zhen Guo,Jin-Hee Cho,Ing-Ray Chen,Srijan Sengupta,Michin Hong,Tanushree Mitra

DOI: https://doi.org/10.48550/arXiv.2004.07678

2020-04-16

Cryptography and Security

Abstract:We are living in an era when online communication over social network services (SNSs) have become an indispensable part of people's everyday lives. As a consequence, online social deception (OSD) in SNSs has emerged as a serious threat in cyberspace, particularly for users vulnerable to such cyberattacks. Cyber attackers have exploited the sophisticated features of SNSs to carry out harmful OSD activities, such as financial fraud, privacy threat, or sexual/labor exploitation. Therefore, it is critical to understand OSD and develop effective countermeasures against OSD for building a trustworthy SNSs. In this paper, we conducted an extensive survey, covering (i) the multidisciplinary concepts of social deception; (ii) types of OSD attacks and their unique characteristics compared to other social network attacks and cybercrimes; (iii) comprehensive defense mechanisms embracing prevention, detection, and response (or mitigation) against OSD attacks along with their pros and cons; (iv) datasets/metrics used for validation and verification; and (v) legal and ethical concerns related to OSD research. Based on this survey, we provide insights into the effectiveness of countermeasures and the lessons from existing literature. We conclude this survey paper with an in-depth discussions on the limitations of the state-of-the-art and recommend future research directions in this area.

Jieling Liu,Zhiliang Wang,Jiahai Yang,Bo Wang,Lin He,Guanglei Song,Xinran Liu

DOI: https://doi.org/10.1109/ICC42927.2021.9500765

2021-01-01

Abstract:The intranets in modern organizations are facing severe data breaches and critical resource misuses. By reusing user credentials from compromised systems, Advanced Persistent Threat (APT) attackers can move laterally within the internal network. A promising new approach called deception technology makes the network administrator (i.e., defender) able to deploy decoys to deceive the attacker in the intranet and trap him into a honeypot. Then the defender ought to reasonably allocate decoys to potentially insecure hosts. Unfortunately, existing APT-related defense resource allocation models are infeasible because of the neglect of many realistic factors. In this paper, we make the decoy deployment strategy feasible by proposing a game-theoretic model called the APT Deception Game to describe interactions between the defender and the attacker. More specifically, we decompose the decoy deployment problem into two subproblems and make the problem solvable. Considering the best response of the attacker who is aware of the defender's deployment strategy, we provide an elitist reservation genetic algorithm to solve this game. Simulation results demonstrate the effectiveness of our deployment strategy compared with other heuristic strategies.

Palvi Aggarwal,Yinuo Du,Kuldeep Singh,Cleotilde Gonzalez

DOI: https://doi.org/10.48550/arXiv.2108.11037

2021-08-25

Abstract:One of the widely used cyber deception techniques is decoying, where defenders create fictitious machines (i.e., honeypots) to lure attackers. Honeypots are deployed to entice attackers, but their effectiveness depends on their configuration as that would influence whether attackers will judge them as "real" machines or not. In this work, we study two-sided deception, where we manipulate the observed configuration of both honeypots and real machines. The idea is to improve cyberdefense by either making honeypots ``look like'' real machines or by making real machines ``look like honeypots.'"We identify the modifiable features of both real machines and honeypots and conceal these features to different degrees. In an experiment, we study three conditions: default features on both honeypot and real machines, concealed honeypots only, and concealed both honeypots and real machines. We use a network with 40 machines where 20 of them are honeypots. We manipulate the features of the machines, and using an experimental testbed (HackIT), we test the effectiveness of the decoying strategies against humans attackers. Results indicate that: Any of the two forms of deception (conceal honeypots and conceal both honeypots and real machines) is better than no deception at all. We observe that attackers attempted more exploits on honeypots and exfiltrated more data from honeypots in the two forms of deception conditions. However, the attacks on honeypots and data exfiltration were not different within the deception conditions. Results inform cybersecurity defenders on how to manipulate the observable features of honeypots and real machines to create uncertainty for attackers and improve cyberdefense.

Cryptography and Security

Wang Shuo,Chu Jiang,Qingqi Pei,Shao Feng,Yuan Shuai,Xiaoge Zhong

DOI: https://doi.org/10.23919/jcc.ea.2020-0384.202401

2024-01-01

China Communications

Abstract:The static and predictable characteristics of cyber systems give attackers an asymmetric advantage in gathering useful information and launching attacks. To reverse this asymmetric advantage, a new defense idea, called Moving Target Defense (MTD), has been proposed to provide additional selectable measures to complement traditional defense. However, MTD is unable to defeat the sophisticated attacker with fingerprint tracking ability. To overcome this limitation, we go one step beyond and show that the combination of MTD and Deception-based Cyber Defense (DCD) can achieve higher performance than either of them. In particular, we first introduce and formalize a novel attacker model named Scan and Foothold Attack (SFA) based on cyber kill chain. Afterwards, we develop probabilistic models for SFA defenses to provide a deeper analysis of the theoretical effect under different defense strategies. These models quantify attack success probability and the probability that the attacker will be deceived under various conditions, such as the size of address space, and the number of hosts, attack analysis time. Finally, the experimental results show that the actual defense effect of each strategy almost perfectly follows its probabilistic model. Also, the defense strategy of combining address mutation and fingerprint camouflage can achieve a better defense effect than the single address mutation.

Yinan Hu,Quanyan Zhu

2023-09-23

Abstract:The concept of cyber deception has been receiving emerging attention. The development of cyber defensive deception techniques requires interdisciplinary work, among which cognitive science plays an important role. In this work, we adopt a signaling game framework between a defender and a human agent to develop a cyber defensive deception protocol that takes advantage of the cognitive biases of human decision-making using quantum decision theory to combat insider attacks (IA). The defender deceives an inside human attacker by luring him to access decoy sensors via generators producing perceptions of classical signals to manipulate the human attacker's psychological state of mind. Our results reveal that even without changing the classical traffic data, strategically designed generators can result in a worse performance for defending against insider attackers in identifying decoys than the ones in the deceptive scheme without generators, which generate random information based on input signals. The proposed framework leads to fundamental theories in designing more effective signaling schemes.

Cryptography and Security

Erik Gartzke,Jon R. Lindsay

DOI: https://doi.org/10.1080/09636412.2015.1038188

2015-04-03

Security Studies

Abstract:It is widely believed that cyberspace is offense dominant because of technical characteristics that undermine deterrence and defense. This argument mistakes the ease of deception on the Internet for a categorical ease of attack. As intelligence agencies have long known, deception is a double-edged sword. Covert attackers must exercise restraint against complex targets in order to avoid compromises resulting in mission failure or retaliation. More importantly, defenders can also employ deceptive concealment and ruses to confuse or ensnare aggressors. Indeed, deception can reinvigorate traditional strategies of deterrence and defense against cyber threats, as computer security practitioners have already discovered. The strategy of deception has other important implications: as deterrence became foundational in the nuclear era, deception should rise in prominence in a world that increasingly depends on technology to mediate interaction.

international relations

WU Xin,HUANG Hao

DOI: https://doi.org/10.3969/j.issn.1001-3695.2006.11.031

2006-01-01

Abstract:Honeypots take several deception technology to protect network.This paper will explain actively the deception technology,including it's definition,purpose,category and development.It analyzes the principles of most kinds of deception technology,including banner simulation,random server,redirection,cage and virtual command.It discusses how to choose proper deception technology to deploy deception policy baesd on different deception purposes.

Quanyan Zhu

DOI: https://doi.org/10.48550/arXiv.1903.01442

2019-03-03

Abstract:Deceptive and anti-deceptive technologies have been developed for various specific applications. But there is a significant need for a general, holistic, and quantitative framework of deception. Game theory provides an ideal set of tools to develop such a framework of deception. In particular, game theory captures the strategic and self-interested nature of attackers and defenders in cybersecurity. Additionally, control theory can be used to quantify the physical impact of attack and defense strategies. In this tutorial, we present an overview of game-theoretic models and design mechanisms for deception and counter-deception. The tutorial aims to provide a taxonomy of deception and counter-deception and understand how they can be conceptualized, quantified, and designed or mitigated. This tutorial gives an overview of diverse methodologies from game theory that includes games of incomplete information, dynamic games, mechanism design theory to offer a modern theoretic underpinning of cyberdeception. The tutorial will also discuss open problems and research challenges that the HoTSoS community can address and contribute with an objective to build a multidisciplinary bridge between cybersecurity, economics, game and decision theory.

Computer Science and Game Theory,Cryptography and Security

Mahmoud T. Qassrawi,Zhang Hongli

DOI: https://doi.org/10.1109/NSWCTC.2010.266

2010-01-01

Abstract:The great advance in attacks against network has led to outgrowth of interest in more aggressive forms of defense to supplement the existing security approaches. One of these techniques involves the use of the deception to collect information about attacks. A honeypot is a security deception resource whose value lies in being probed, attacked or compromised. In this paper we present an overview of techniques used by honeypots to deceive the attacker and attacking process, and provide a comparison for persons who are interested in study and developing this new technology. We examine various types of honeypots, and deception techniques they use to counter attacks.

Peter S. Park,Simon Goldstein,Aidan O’Gara,Michael Chen,Dan Hendrycks

DOI: https://doi.org/10.1016/j.patter.2024.100988

2024-05-12

Patterns

Abstract:Summary This paper argues that a range of current AI systems have learned how to deceive humans. We define deception as the systematic inducement of false beliefs in the pursuit of some outcome other than the truth. We first survey empirical examples of AI deception, discussing both special-use AI systems (including Meta's CICERO) and general-purpose AI systems (including large language models). Next, we detail several risks from AI deception, such as fraud, election tampering, and losing control of AI. Finally, we outline several potential solutions: first, regulatory frameworks should subject AI systems that are capable of deception to robust risk-assessment requirements; second, policymakers should implement bot-or-not laws; and finally, policymakers should prioritize the funding of relevant research, including tools to detect AI deception and to make AI systems less deceptive. Policymakers, researchers, and the broader public should work proactively to prevent AI deception from destabilizing the shared foundations of our society.

Zhong-Hua Pang,Lan-Zhi Fan,Haibin Guo,Yuntao Shi,Runqi Chai,Jian Sun,Guo-Ping Liu

DOI: https://doi.org/10.1080/00207721.2022.2143735

2022-11-14

Abstract:A networked control system (NCS), which integrates various physical components by utilising communication networks, is a complex intelligent control system with high flexibility and reliability. It has been widely applied in various areas, such as power grids, intelligent transportation, and smart manufacturing. However, compared with traditional control systems, NCSs expose more extra vulnerabilities with the openness of communication networks, leading to long-term concerns for the security of NCSs against cyber attacks. This paper gives a survey in detail on recent developments on the security of NCSs subject to deception attacks from the two domains of information technology (IT) and system control, respectively. First, several security incidents reported in recent years are reviewed and a couple of prevailing cyber attacks are analysed. Besides, the results on IT security with respect to the protection-detection-reaction model are summarised. Then, from the domain of system control, the security issues on attack design, attack detection, secure state estimation and resilient control are surveyed in depth. Furthermore, several novel security topics from the combination of IT and system control are also discussed. Finally, several future research directions are presented on this topic.

Chaochao Liu,Degang Sun,Zhixin Shi,Ning Zhang

DOI: https://doi.org/10.1109/iscc61673.2024.10733695

2024-01-01

Abstract:New network attacks such as Advanced Persistent Threats (APTs) have created an asymmetric dynamic between attackers and defenders. Traditional defense mechanisms typically focus on perimeter security, rendering them ineffective once attackers infiltrate the network. Cyber deception defense, on the other hand, proactively establishes a deceptive environment to manipulate attackers’ perceptions and decisions, thereby delaying, detecting, and potentially thwarting attacks. This paper introduces a novel approach rooted in cyber deception defense, utilizing FPGA technology. By harnessing network packet rewriting techniques on FPGA, this method rapidly generates numerous disguised hosts and ports. The implementation of this approach on an FPGA hardware platform allows for the evaluation of its effectiveness. In simulated environments, the method demonstrates remarkable efficiency in constructing deceptive environments, with a policy query time of approximately 50ns. Transitioning to real-world network scenarios, the prototype system extends the time required for attackers to identify genuine hosts by a factor of 4.5. Moreover, the average delay time of the prototype system in processing 64-byte data packets is approximately 5.68us, showcasing consistent performance across various deception strategies. Crucially, the system’s overhead remains minimal, effectively confounding and deterring attackers while increasing the complexity and cost associated with mounting successful attacks.

Daniel Reti,Karina Elzer,Daniel Fraunholz,Daniel Schneider,Hans-Dieter Schotten

DOI: https://doi.org/10.1145/3560828.3564006

2023-01-25

Abstract:In the field of network security, with the ongoing arms race between attackers, seeking new vulnerabilities to bypass defense mechanisms and defenders reinforcing their prevention, detection and response strategies, the novel concept of cyber deception has emerged. Starting from the well-known example of honeypots, many other deception strategies have been developed such as honeytokens and moving target defense, all sharing the objective of creating uncertainty for attackers and increasing the chance for the attacker of making mistakes. In this paper a methodology to evaluate the effectiveness of honeypots and moving target defense in a network is presented. This methodology allows to quantitatively measure the effectiveness in a simulation environment, allowing to make recommendations on how many honeypots to deploy and on how quickly network addresses have to be mutated to effectively disrupt an attack in multiple network and attacker configurations. With this optimum, attacks can be detected and slowed down with a minimal resource and configuration overhead. With the provided methodology, the optimal number of honeypots to be deployed and the optimal network address mutation interval can be determined. Furthermore, this work provides guidance on how to optimally deploy and configure them with respect to the attacker model and several network parameters.

Cryptography and Security