DOI: 10.1145/3338468.3356826
Research article (Public Access)

A Scalable High Fidelity Decoy Framework against Sophisticated Cyber Attacks

Published: 11 November 2019

Abstract

Recent years have witnessed a surging trend of leveraging deception techniques to detect and defeat sophisticated cyber attacks such as advanced persistent threats. Deception typically employs a decoy network to entrap attackers and divert their firepower away from the real protected assets. Unfortunately, existing decoy systems fail to achieve a balanced tradeoff between decoy fidelity and scalability, which potentially undermines the effectiveness of attacker deception. In this paper, we propose a hybrid decoy architecture that separates lightweight front-end decoys from high-fidelity back-end decoy servers. To enhance deception effectiveness, we introduce dynamics into the decoy system design so that the decoy becomes a moving target: the front-end decoys constrain attackers by transparently intercepting malicious commands and forwarding them to heterogeneous back-end decoys for real execution. We implement two prototypes of the hybrid decoy architecture, one based on the Linux Bash shell and one on Windows PowerShell. The experimental results demonstrate that our system can effectively misdirect and disinform attackers with small network and system overhead.




Published In

MTD'19: Proceedings of the 6th ACM Workshop on Moving Target Defense
November 2019, 87 pages
ISBN: 9781450368285
DOI: 10.1145/3338468
General Chair: Zhuo Lu

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

cyber deception; decoy network; moving target defense

Qualifiers

Research-article

Funding Sources

ONR

Conference

CCS '19

Acceptance Rates

Overall Acceptance Rate: 40 of 92 submissions, 43%


Article Metrics

Downloads (last 12 months): 165
Downloads (last 6 weeks): 11
Reflects downloads up to 12 Dec 2024

Cited By

  • (2023) Evaluating a Planning Product for Active Cyberdefense and Cyberdeception. 2023 Congress in Computer Science, Computer Engineering, & Applied Computing (CSCE), 2451-2456. doi:10.1109/CSCE60160.2023.00395. Online publication date: 24-Jul-2023
  • (2023) Decoy Processes With Optimal Performance Fingerprints. IEEE Access, 11, 43216-43237. doi:10.1109/ACCESS.2023.3271999. Online publication date: 2023
  • (2022) Consistency is All I Ask: Attacks and Countermeasures on the Network Context of Distributed Honeypots. Detection of Intrusions and Malware, and Vulnerability Assessment, 197-217. doi:10.1007/978-3-031-09484-2_11. Online publication date: 24-Jun-2022
  • (2021) A Multiphase Dynamic Deployment Mechanism of Virtualized Honeypots Based on Intelligent Attack Path Prediction. Security and Communication Networks, 2021. doi:10.1155/2021/6378218. Online publication date: 1-Jan-2021
  • (2021) HoneyBog: A Hybrid Webshell Honeypot Framework against Command Injection. 2021 IEEE Conference on Communications and Network Security (CNS), 218-226. doi:10.1109/CNS53000.2021.9705039. Online publication date: 4-Oct-2021
  • (2021) Three decades of deception techniques in active cyber defense - Retrospect and outlook. Computers and Security, 106:C. doi:10.1016/j.cose.2021.102288. Online publication date: 1-Jul-2021
