DOI: 10.1145/3678890.3678897
research-article
Open access

Honeyquest: Rapidly Measuring the Enticingness of Cyber Deception Techniques with Code-based Questionnaires

Published: 30 September 2024

Abstract

Fooling adversaries with traps such as honeytokens can slow down cyber attacks and create strong indicators of compromise. Unfortunately, cyber deception techniques are often poorly specified. Also, realistically measuring their effectiveness requires a well-exposed software system together with a production-ready implementation of these techniques. This makes rapid prototyping challenging. Our work translates 13 previously researched and 12 self-defined techniques into a high-level, machine-readable specification. Our open-source tool, Honeyquest, allows researchers to quickly evaluate the enticingness of deception techniques without implementing them. We test the enticingness of 25 cyber deception techniques and 19 true security risks in an experiment with 47 humans. We successfully replicate the goals of previous work with many consistent findings, but without a time-consuming implementation of these techniques on real computer systems. We provide valuable insights for the design of enticing deception and also show that the presence of cyber deception can significantly reduce the risk that adversaries will find a true security risk by about 22% on average.

Supplemental Material

ZIP File
Dataset

Published In

RAID '24: Proceedings of the 27th International Symposium on Research in Attacks, Intrusions and Defenses
September 2024
719 pages
This work is licensed under a Creative Commons Attribution International 4.0 License.

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. cyber deception
  2. effective deception
  3. honeypots
  4. honeytokens

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

RAID '24

Acceptance Rates

RAID '24 Paper Acceptance Rate 43 of 173 submissions, 25%;
Overall Acceptance Rate 43 of 173 submissions, 25%

Article Metrics

  • Total Citations: 0
  • Total Downloads: 411
  • Downloads (Last 12 months): 411
  • Downloads (Last 6 weeks): 118

Reflects downloads up to 09 Mar 2025
