Cyber Deception for Defense
Recent Submissions
Concealing Cyber-Decoys using Two-Sided Feature Deception Games (2020-01-07)
Miah, Mohammad Sujan; Gutierrez, Marcus; Veliz, Oscar; Thakoor, Omkar; Kiekintveld, Christopher
An increasingly important tool for securing computer networks is the use of deceptive decoy objects (e.g., fake hosts, accounts, or files) to detect, confuse, and distract attackers. One of the well-known challenges in using decoys is that it can be difficult to design effective decoys that are hard to distinguish from real objects, especially against sophisticated attackers who may be aware of the use of decoys. A key issue is that both real and decoy objects may have observable features that may give the attacker the ability to distinguish one from the other. However, a defender deploying decoys may be able to modify some features of either the real or decoy objects (at some cost), making the decoys more effective. We present a game-theoretic model of two-sided deception that models this scenario. We present an empirical analysis of this model to show strategies for effectively concealing decoys, as well as some limitations of decoys for cyber security.

Automating Cyberdeception Evaluation with Deep Learning (2020-01-07)
Ayoade, Gbadebo; Araujo, Frederico; Al-Naami, Khaled; Mustafa, Ahmad; Gao, Yang; Hamlen, Kevin; Khan, Latifur
A machine learning-based methodology is proposed and implemented for conducting evaluations of cyberdeceptive defenses with minimal human involvement. This avoids impediments associated with deceptive research on humans, maximizing the efficacy of automated evaluation before human subjects research must be undertaken. Leveraging recent advances in deep learning, the approach synthesizes realistic, interactive, and adaptive traffic for consumption by target web services. A case study applies the approach to evaluate an intrusion detection system equipped with application-layer embedded deceptive responses to attacks. Results demonstrate that synthesizing adaptive web traffic laced with evasive attacks powered by ensemble learning, online adaptive metric learning, and novel class detection to simulate skillful adversaries constitutes a challenging and aggressive test of cyberdeceptive defenses.

A Deception Planning Framework for Cyber Defense (2020-01-07)
Jafarian, Jafar Haadi; Niakanlahiji, Amirreza
The role and significance of deception systems such as honeypots for slowing down attacks and collecting their signatures are well-known. However, the focus has primarily been on developing individual deception systems, and very few works have focused on developing strategies for a synergistic and strategic combination of these systems to achieve more ambitious deception goals. The objective of this paper is to lay a scientific foundation for cyber deception planning, by (1) presenting a formal deception logic for modeling cyber deception, and (2) introducing a deception framework that augments this formal modeling with necessary quantitative reasoning tools to generate coordinated deception plans. To show expressiveness and evaluate effectiveness and overhead of the framework, we use it to model and solve two important deception planning problems: (1) strategic honeypot planning, and (2) deception planning against route identification. Through these case studies, we show that the generated deception plans are highly effective and outperform alternative random and unplanned deception strategies.

HoneyBug: Personalized Cyber Deception for Web Applications (2020-01-07)
Niakanlahiji, Amirreza; Jafarian, Jafar Haadi; Chu, Bei-Tseng; Al-Shaer, Ehab
Cyber deception is used to reverse cyber warfare asymmetry by diverting adversaries to false targets in order to avoid their attacks, consume their resources, and potentially learn new attack tactics. In practice, effective cyber deception systems must be both attractive, to offer temptation for engagement, and believable, to convince unknown attackers to stay on the course. However, developing such a system is a highly challenging task because attackers have different expectations, expertise levels, and objectives. This makes a deception system with a static configuration only suitable for a specific type of attackers. In order to attract diverse types of attackers and prolong their engagement, we need to dynamically characterize every individual attacker's interactions with the deception system to learn her sophistication level and objectives and personalize the deception system to match with her profile and interest. In this paper, we present an adaptive deception system, called HoneyBug, that dynamically creates a personalized deception plan for web applications to match the attacker's expectation, which is learned by analyzing her behavior over time. Each HoneyBug plan exhibits fake vulnerabilities specifically selected based on the learned attacker's profile. Through evaluation, we show that the HoneyBug characterization model can accurately characterize the attacker profile after observing only a few interactions and adapt its cyber deception plan accordingly. The HoneyBug characterization is built on top of a novel and generic evidential reasoning framework for attacker profiling, which is one of the focal contributions of this work.

Adaptive Cyber Deception: Cognitively Informed Signaling for Cyber Defense (2020-01-07)
Cranford, Edward; Gonzalez, Cleotilde; Aggarwal, Palvi; Cooney, Sarah; Tambe, Milind; Lebiere, Christian
This paper improves upon recent game-theoretic deceptive signaling schemes for cyber defense using the insights emerging from a cognitive model of human cognition. One particular defense allocation algorithm that uses a deceptive signaling scheme is the peSSE (Xu et al., 2015). However, this static signaling scheme optimizes the rate of deception for perfectly rational adversaries and is not personalized to individuals. Here we advance this research by developing a dynamic and personalized signaling scheme using cognitive modeling. A cognitive model based on a theory of experiential choice (Instance-Based Learning Theory; IBLT), implemented in a cognitive architecture (Adaptive Control of Thought – Rational; ACT-R), and validated using human experimentation with deceptive signals informs the development of a cognitive signaling scheme. The predictions of the cognitive model show that the proposed solution increases the compliance to deceptive signals beyond the peSSE. These predictions were verified in human experiments, and the results shed additional light on human reactions towards adaptive deceptive signals.

The Moonraker Study: An Experimental Evaluation of Host-Based Deception (2020-01-07)
Shade, Temmie; Rogers, Andrew; Ferguson-Walter, Kimberly; Elsen, Sara Beth; Fayette, Daniel; Heckman, Kristin
Cyber deception has been discussed as providing enhanced cyber defense. This human subjects research, one of the first rigorously controlled studies on this topic, found that host-based deception was effective at preventing completion of a specific exfiltration task against a virtual network. In addition to impeding progress and preventing success, the deception resulted in increased confusion and surprise in the participants. This study provided the necessary rigor to scientifically attest to the effectiveness of cyber deception for cyber defense with computer specialists.

Toward a Holistic Model of Deception: Subject Matter Expert Validation (2020-01-07)
Black, Rob; Reid, Iain
Security challenges require greater insight and flexibility into the way deception can be identified and responded to. Deception research in interactions has identified behaviors indicative of truth-telling and deceit. Deception in military environments has focused on planning deception, where approaches have been developed to deceive others, but neglecting counter-deception perspectives. To address these challenges a holistic approach to deception is advocated. A literature review of deception was conducted followed by validation interviews with Subject Matter Experts (SMEs). Explanatory thematic analysis of interviews conducted with SMEs (n=19) led to the development of meta-themes related to the ‘deceiver’, their ‘intent’, ‘strategies and tactics’ of deception, ‘interpretation’ by the target and ‘target’ decision-making strengths and vulnerabilities. This led to the development of the Holistic Model of Deception (HMD), an approach where strategies reflect context. The implications of this approach are considered alongside the limitations and future directions required to validate the HMD.

Invasion of the Botnet Snatchers: A Case Study in Applied Malware Cyberdeception (2020-01-07)
Chandler, Jared; Fisher, Kathleen; Chapman, Erin; Davis, Eric; Wick, Adam
In this paper, we provide the initial steps towards a botnet deception mechanism, which we call 2face. 2face provides deception capabilities in both directions – upward, to the command and control (CnC) server, and downward, towards the botnet nodes – to provide administrators with the tools they need to discover and eradicate an infestation within their network without alerting the botnet owner that they have been discovered. The key to 2face is a set of mechanisms for rapidly reverse engineering the protocols used within a botnet. The resulting protocol descriptions can then be used with the 2face network deception tool to generate high-quality deceptive messaging against the attacker. As context for our work, we show how 2face can be used to help reverse engineer and then generate deceptive traffic for the Mirai protocol. We also discuss how this work could be extended to address future threats.

Creating Convincing Industrial-Control-System Honeypots (2020-01-07)
Rowe, Neil; Nguyen, Thuy; Kendrick, Marian; Rucker, Zaky; Hyun, Dahae; Brown, Justin
Cyberattacks on industrial control systems (ICSs) can be especially damaging since they often target critical infrastructure. Honeypots are valuable network-defense tools, but they are difficult to implement for ICSs because they must then simulate more than familiar protocols. This research compared the performance of the Conpot and GridPot honeypot tools for simulating nodes on an electric grid for live (not recorded) traffic. We evaluated the success of their deceptions by observing their activity types and by scanning them. GridPot received a higher rate of traffic than Conpot, and many visitors to both were deceived as to whether they were dealing with a honeypot. We also tested Shodan’s Honeyscore for finding honeypots, and found it was fooled by our honeypots as well as others when, like most users, it did not take site history into account. This is good news for collecting useful attack intelligence with ICS honeypots.

Delivering Honeypots as a Service (2020-01-07)
Jafarian, Jafar Haadi; Niakanlahiji, Amirreza
The effect of honeypots in slowing down attacks and collecting their signatures is well-known. Despite their known effectiveness, these technologies have remained underutilized, especially by small and medium-sized enterprises, because internal hosting and configuration of honeypots requires extensive expertise and infrastructure, which is unjustifiably expensive, especially for small or medium-sized enterprises. In this paper, we propose a novel security approach that enables a security service provider to offer honeypot-as-a-service (HaaS) to customer enterprises. The HaaS service is offered by a plug-and-play gateway and incorporates a network of moving high-interaction honeypots into unused address space of client enterprises. These honeypots are configured and tailored to the mission and type of services offered by the customer enterprise to blend in with the surrounding network for maximum believability while looking vulnerable enough to engage potential attackers. As a contribution, we formulate and solve the problem of strategic configuration planning of a group of honeypots for a given input network. We also provide the necessary infrastructure and mechanisms for realizing the model and offering it to client enterprises without affecting their regular operations. Using experimental and analytical modeling, we evaluate our approach and show its robustness against honeypot mapping attacks, and its effectiveness in slowing down large-scale cyber intrusion attacks on enterprise networks.