About this book

This textbook surveys the knowledge base in automated and resilient cyber deception. It features four major parts: cyber deception reasoning frameworks, dynamic decision-making for cyber deception, network-based deception, and malware deception.

An important distinguishing characteristic of this book is its inclusion of student exercises at the end of each chapter. Exercises include technical problems, short-answer discussion questions, or hands-on lab exercises, organized at a range of difficulties from easy to advanced.

This is a useful textbook for a wide range of classes and degree levels within the security arena and other related topics. It’s also suitable for researchers and practitioners with a variety of cyber security backgrounds from novice to experienced.



Cyber Deception Reasoning Frameworks


Chapter 1. Using Deep Learning to Generate Relational HoneyData

Although there has been a plethora of work in generating deceptive applications, generating deceptive data that can easily fool attackers has received very little attention. In this book chapter, we discuss our secure deceptive data generation framework that makes it hard for an attacker to distinguish between real and deceptive data. In particular, we discuss how to generate such deceptive data using deep learning and differential privacy techniques. In addition, we discuss our formal evaluation framework.
Ehab Al-Shaer, Jinpeng Wei, Kevin W. Hamlen, Cliff Wang

Chapter 2. Towards Intelligent Cyber Deception Systems

The increasingly sophisticated nature of cyberattacks reduces the effectiveness of expert human intervention due to their slow response times. Consequently, interest in automated agents that can make intelligent decisions and plan countermeasures is rapidly growing. In this chapter, we discuss intelligent cyber deception systems. Such systems can dynamically plan the deception strategy and use several actuators to effectively implement the cyber deception measures. We also present a prototype of a framework designed to simplify the development of cyber deception tools to be integrated with such intelligent agents.
Ehab Al-Shaer, Jinpeng Wei, Kevin W. Hamlen, Cliff Wang

Chapter 3. Honeypot Deception Tactics

Honeypots on computer networks are most effective when they use deception to fool cyberadversaries into thinking that they are not actual decoy intelligence collectors. Honeypot deception can be made more effective when applied with variety. We discuss the range of deception tactics of which honeypots can take advantage. Ideas can come from deception theory, and honeypot deceptions can benefit from planning and experimentation.
Ehab Al-Shaer, Jinpeng Wei, Kevin W. Hamlen, Cliff Wang

Dynamic Decision-Making for Cyber Deception


Chapter 4. Modeling and Analysis of Deception Games Based on Hypergame Theory

In this chapter, we discuss a deception game where attackers and defenders can have different perceptions towards a given situation. Although existing game theories have considered incomplete information to consider uncertainty, how players’ different perceptions or misperceptions can affect their decision-making has not been fully addressed. In particular, we discuss hypergame theory which has been used to resolve conflicts under uncertainty. In this chapter, we examine how a player’s perception (or misperception) affects their decision-making in choosing a best strategy based on hypergame theory. To deliver a concrete idea on how the attack–defense game can be modeled based on hypergame theory, we model a simple cybergame scenario and demonstrate an example probability model using Stochastic Petri Nets. Through the evaluation of the model, we show the experimental results to deliver insightful findings in terms of the relationships between perceptions by different players (i.e., an attacker or a defender), their chosen best strategies, and corresponding utilities. Lastly, we measure performance of the attacker and the defender in terms of attack success probability and mean time to security failure.
Ehab Al-Shaer, Jinpeng Wei, Kevin W. Hamlen, Cliff Wang

Chapter 5. Dynamic Bayesian Games for Adversarial and Defensive Cyber Deception

Security challenges accompany the efficiency. The pervasive integration of information and communications technologies (ICTs) makes cyber-physical systems vulnerable to targeted attacks that are deceptive, persistent, adaptive, and strategic. Attack instances such as Stuxnet, Dyn, and WannaCry ransomware have shown the insufficiency of off-the-shelf defensive methods including the firewall and intrusion detection systems. Hence, it is essential to design up-to-date security mechanisms that can mitigate the risks despite the successful infiltration and the strategic response of sophisticated attackers.
In this chapter, we use game theory to model competitive interactions between defenders and attackers. First, we use the static Bayesian game to capture the stealthy and deceptive characteristics of the attacker. A random variable called the type characterizes users’ essences and objectives, e.g., a legitimate user or an attacker. The realization of the user’s type is private information due to the cyber deception. Then, we extend the one-shot simultaneous interaction into the one-shot interaction with asymmetric information structure, i.e., the signaling game. Finally, we investigate the multi-stage transition under a case study of Advanced Persistent Threats (APTs) and the Tennessee Eastman (TE) process. Two-sided incomplete information is introduced because the defender can adopt defensive deception techniques such as honeyfiles and honeypots to create a sufficient amount of uncertainty for the attacker. Throughout this chapter, the analysis of the Nash equilibrium (NE), Bayesian Nash equilibrium (BNE), and perfect Bayesian Nash equilibrium (PBNE) enables the policy prediction of the adversary and the design of proactive and strategic defenses to deter attackers and mitigate losses.
Ehab Al-Shaer, Jinpeng Wei, Kevin W. Hamlen, Cliff Wang

Network-Based Deception


Chapter 6. CONCEAL: A Strategy Composition for Resilient Cyber Deception: Framework, Metrics, and Deployment

Cyber deception is a key proactive cyber resilience technique to reverse the current asymmetry that favors adversaries in cyber warfare by creating significant confusion in discovering and targeting cyber assets. One of the key objectives for cyber deception is to hide the true identity of the cyber assets in order to effectively deflect adversaries away from critical targets, and detect their activities early in the kill chain.
Although many cyber deception techniques were proposed including using honeypots to represent fake targets and mutating IP addresses to frequently change the ground truth of the network configuration (Jafarian et al., IEEE Transactions on Information Forensics and Security 10(12):2562–2577 (2015)), none of these deception techniques is resilient enough to provide high confidence of concealing the identity of the network assets, particularly against sophisticated attackers. In fact, in this chapter our analytical and experimental work showed that highly resilient cyber deception is unlikely to be attainable using a single technique, but it requires an optimal composition of various concealment techniques to maximize the deception utility. We, therefore, present a new cyber deception framework, called CONCEAL, which is a composition of mutation, anonymity, and diversity to maximize key deception objectives, namely concealability, detectability, and deterrence, while constraining the overall deployment cost. We formally define the CONCEAL metrics for concealability, detectability, and deterrence to measure the effectiveness of CONCEAL. Finally, we present the deployment of CONCEAL as a service to achieve manageability and cost-effectiveness by automatically generating the optimal deception proxy configuration based on existing host/network configuration, risk constraints of network services, and budget constraints. Our evaluation experiments measure both the deception effectiveness based on the above metrics and the scalability of the CONCEAL framework.
Ehab Al-Shaer, Jinpeng Wei, Kevin W. Hamlen, Cliff Wang

Chapter 7. NetShifter: A Comprehensive Multi-Dimensional Network Obfuscation and Deception Solution

Adaptive defense is a cyber defense strategy in which a set of system configurations are dynamically changed to increase uncertainty and complexity for adversaries that try to discover and exploit vulnerabilities. To improve cyber agility of networks, the NetShifter performs multi-dimensional network-level adaptive defense in full scale beyond physical constraints of the networks by adopting the software-defined network (SDN).
Ehab Al-Shaer, Jinpeng Wei, Kevin W. Hamlen, Cliff Wang

Chapter 8. Deception-Enhanced Threat Sensing for Resilient Intrusion Detection

Enhancing standard web services with deceptive responses to cyberattacks can be a powerful and practical strategy for improved intrusion detection. Such deceptions are particularly helpful for addressing and overcoming barriers to effective machine learning-based intrusion detection encountered in many practical deployments. For example, they can provide a rich source of training data when training data is scarce, they avoid imposing a labeling burden on operators in the context of (semi-)supervised learning, they can be deployed post-decryption on encrypted data streams, and they learn concept differences between honeypot attacks and attacks against genuine assets.
The approach presented in this chapter examines how deceptive web service responses can be realized as software security patches that double as feature extraction engines for a network-level intrusion detection system. The resulting system coordinates multiple levels of the software stack to achieve fast, automatic, and accurate labeling of live web data streams, and thereby detects attacks with higher accuracy and adaptability than comparable non-deceptive defenses.
Ehab Al-Shaer, Jinpeng Wei, Kevin W. Hamlen, Cliff Wang

Chapter 9. HONEYSCOPE: IoT Device Protection with Deceptive Network Views

The emergence of IoT has brought many new device manufacturers to the market providing novel products with network connectivity. Unfortunately, many of these new entrants to the market lack security engineering experience and focus heavily on time-to-market. As a result, many home and office networks contain IoT devices with security flaws and no clear path for security updates, making them attractive targets for attacks, e.g., recent IoT-centric malware such as Mirai. In this chapter, we discuss a network-centric approach to protecting vulnerable IoT devices. We describe a system called HoneyScope, which seeks to achieve two goals. First, each IoT device has a different view of its local network, which limits the damage when a device is compromised. Second, virtual IoT devices are created to confuse and deceive attackers with sophisticated motivations (e.g., fake WiFi connected cameras). To achieve these goals, HoneyScope uses an SDN-based security gateway to create virtualized views of the network and nodes therein, providing fine-grained control over the communications that individual devices may have.
Ehab Al-Shaer, Jinpeng Wei, Kevin W. Hamlen, Cliff Wang

Malware Deception


Chapter 10. gExtractor: Automated Extraction of Malware Deception Parameters for Autonomous Cyber Deception

The lack of agility in cyber defense gives adversaries a significant advantage for discovering cyber targets and planning their attacks in a stealthy and undetectable manner. While it is very hard to detect or predict attacks, adversaries can always scan the network, learn about countermeasures, and develop new evasion techniques. Active Cyber Deception (ACD) has emerged as an effective means to reverse this asymmetry in cyber warfare by dynamically orchestrating the cyber deception environment to mislead attackers and corrupt their decision-making process. However, developing an efficient active deception environment usually requires human intelligence and analysis to characterize the attackers’ behaviors (e.g., malware actions). This manual process significantly limits the capability of cyber deception to actively respond to new attacks (malware) in a timely manner.
In this chapter, we present a new analytic framework and an implemented tool, called gExtractor, to analyze the malware behavior and automatically extract the deception parameters using symbolic execution in order to enable the automated creation of cyber deception plans. The deception parameters are environmental variables on which attackers depend to discover the target system and reach their goals; yet, they can be reconfigured and/or misrepresented by the defender in the cyber environment. Our gExtractor approach contributes to the scientific and system foundations of reasoning about autonomous cyber deception. Our prototype was developed based on customizing a symbolic execution engine for analyzing Microsoft Windows malware. Our analysis of over fifty recent malware instances shows that gExtractor has successfully identified various critical parameters that are effective for cyber deception.
Ehab Al-Shaer, Jinpeng Wei, Kevin W. Hamlen, Cliff Wang

Chapter 11. Malware Deception with Automatic Analysis and Generation of HoneyResource

Malware often contains many system-resource-sensitive condition checks to avoid any duplicate infection, make sure to obtain required resources, or try to infect only targeted computers, etc. If we are able to extract the system resource constraints from malware binary code, and manipulate the environment state as HoneyResource, we would then be able to deceive malware for defensive purposes, e.g., immunize a computer from infections, or trick malware into believing something. Towards this end, this chapter introduces our preliminary systematic study and a prototype system, AutoVac, for automatically extracting the system resource constraints from malware code and generating HoneyResource (e.g., malware vaccines) based on the system resource conditions.
Ehab Al-Shaer, Jinpeng Wei, Kevin W. Hamlen, Cliff Wang