Skip to main content
main-content

Über dieses Buch

This edited volume features a wide spectrum of the latest computer science research relating to cyber deception. Specifically, it features work from the areas of artificial intelligence, game theory, programming languages, graph theory, and more. The work presented in this book highlights the complex and multi-facted aspects of cyber deception, identifies the new scientific problems that will emerge in the domain as a result of the complexity, and presents novel approaches to these problems.
This book can be used as a text for a graduate-level survey/seminar course on cutting-edge computer science research relating to cyber-security, or as a supplemental text for a regular graduate-level course on cyber-security.

Inhaltsverzeichnis

Frontmatter

Integrating Cyber-D&D into Adversary Modeling for Active Cyber Defense

This chapter outlines a concept for integrating cyber denial and deception (cyber-D&D) tools, tactics, techniques, and procedures (TTTPs) into an adversary modeling system to support active cyber defenses (ACD) for critical enterprise networks. We describe a vision for cyber-D&D and outline a general concept of operation for the use of D&D TTTPs in ACD. We define the key elements necessary for integrating cyber-D&D into an adversary modeling system. One such recently developed system, the Adversarial Tactics, Techniques and Common Knowledge (ATT&CK™) Adversary Model is being enhanced by adding cyber-D&D TTTPs that defenders might use to detect and mitigate attacker tactics, techniques, and procedures (TTPs). We describe general D&D types and tactics, and relate these to a relatively new concept, the cyber-deception chain. We describe how defenders might build and tailor a cyber-deception chain to mitigate an attacker’s actions within the cyber attack lifecycle. While we stress that this chapter describes a concept and not an operational system, we are currently engineering components of this concept for ACD and enabling defenders to apply such a system.
Frank J. Stech, Kristin E. Heckman, Blake E. Strom

Cyber Security Deception

Our physical and digital worlds are converging at a rapid pace, putting a lot of our valuable information in digital formats. Currently, most computer systems’ predictable responses provide attackers with valuable information on how to infiltrate them. In this chapter, we discuss how the use of deception can play a prominent role in enhancing the security of current computer systems. We show how deceptive techniques have been used in many successful computer breaches. Phishing, social engineering, and drive-by-downloads are some prime examples. We discuss why deception has only been used haphazardly in computer security. Additionally, we discuss some of the unique advantages deception-based security mechanisms bring to computer security. Finally, we present a framework where deception can be planned and integrated into computer defenses.
Mohammed H. Almeshekah, Eugene H. Spafford

Quantifying Covertness in Deceptive Cyber Operations

A deception is often enabled by cloaking or disguising the true intent and corresponding actions of the perpetrating actor. In cyber deception, the degree to which actions are disguised or cloaked is typically called “covertness.” In this chapter, we describe a novel approach to quantifying cyber covertness, a specific attribute of malware relative to specific alert logic that the defender uses. We propose that the covertness of an offensive cyber operation in an adversarial environment is derived from the probability that the operation is detected by the defender. We show that this quantitative concept can be computed using Covertness Block Diagrams that are related to classical reliability block diagrams used for years in the reliability engineering community. This requires methods for modeling the malware and target network defenses that allow us to calculate a quantitative measure of covertness which is interpreted as the probability of detection. Called the Covertness Score, this measure can be used by attackers to design a stealthier method of completing their mission as well as by defenders to understand the detection limitations of their defenses before they are exploited.
George Cybenko, Gabriel Stocco, Patrick Sweeney

Design Considerations for Building Cyber Deception Systems

Cyber deception can become an essential component of organizing cyber operations in the modern cyber landscape. Cyber defenders and mission commanders can use cyber deception as an effective means for protecting mission cyber assets and ensuring mission success, through deceiving and diverting adversaries during the course of planning and execution of cyber operations and missions. To enable effective integration of cyber deception, it would be necessary to create a systematic design process for building a robust and sustainable deception system with extensible deception capabilities guided by a Command and Control interface compatible with current Department of Defense and civilian cyber operational practices and standards. In this chapter, the authors discuss various design aspects of designing cyber deception systems that meet a wide range of cyber operational requirements and are appropriately aligned with mission objectives. These design aspects include general deception goals, deception design taxonomy, tradeoff analysis, deception design process, design considerations such as modularity, interfaces and effect to cyber defenders, interoperability with current tools, deception scenarios, adversary engagement, roles of deception in cyber kill chains, and metrics such as adversary work factor. The authors expect to present the challenges and opportunities of designing cyber deception systems and to trigger further thoughts and discussions in the broader research community.
Greg Briskin, Dan Fayette, Nick Evancich, Vahid Rajabian-Schwart, Anthony Macera, Jason Li

A Proactive and Deceptive Perspective for Role Detection and Concealment in Wireless Networks

In many wireless networks (e.g., tactical military networks), the one-to-multiple communication model is pervasive due to commanding and control requirements in mission operations. In these networks, the roles of nodes are non-homogeneous; i.e., they are not equally important. This, however, opens a door for an adversary to target important nodes in the network by identifying their roles. In this chapter, we focus on investigating an important open question: how to detect and conceal the roles of nodes in wireless networks? Answers to this question are of essential importance to understand how to identify critical roles and prevent them from being the primary targets. We demonstrate via analysis and simulations that it is feasible and even accurate to identify critical roles of nodes by looking at network traffic patterns. To provide countermeasures against role detection, we propose role concealment methods based on proactive and deceptive network strategies. We use simulations to evaluate the effectiveness and costs of the role concealment methods.
Zhuo Lu, Cliff Wang, Mingkui Wei

Effective Cyber Deception

Cyber deception may be an effective solution to exposing and defeating malicious users of information systems. Malicious users of an information system include cyber intruders, advanced persistent threats, and malicious insiders. Once such users gain unobstructed access to, and use of, the protected information system, it is difficult to distinguish between legitimate and illegitimate users.
We view cyber deception as comprised of two broad categories: active deception and passive deception. Active deception proactively applies strategies and actions to respond to the presence of malicious users of an information system. Actions of a malicious user are anticipated prior to their execution and counter actions are predicted and taken to prevent their successful completion or to misinform the user. Active deception may employ decoy systems and infrastructure to conduct deception of malicious users and sometimes assumes that a malicious user has already been detected and possibly confirmed by sensing systems.
Passive deception employs decoy systems and infrastructure to detect reconnaissance and to expose malicious users of an information system. Decoy systems and services are established within the protected boundary of the information system. Interactions with decoy systems and services may be considered suspicious, if not conclusively malicious. Since reconnaissance and exploration of the information system are the first steps in the process of attacking an information system, detecting reconnaissance enables an active defense system to quickly identify a malicious user and take action. Like active deception, passive deception can provide misinformation to the malicious reconnaissance. We argue that effective cyber deception includes both active and passive techniques.
A. J. Underbrink

Cyber-Deception and Attribution in Capture-the-Flag Exercises

Attributing the culprit of a cyber-attack is widely considered one of the major technical and policy challenges of cyber-security. The lack of ground truth for an individual responsible for a given attack has limited previous studies. Here, we overcome this limitation by leveraging DEFCON capture-the-flag (CTF) exercise data where the actual ground-truth is know. In this work, we use various classification techniques to identify the culprit in a cyberattack and find that deceptive activities account for the majority of misclassified samples. We also explore several heuristics to alleviate some of the misclassification caused by deception.
Eric Nunes, Nimish Kulkarni, Paulo Shakarian, Andrew Ruef, Jay Little

Deceiving Attackers by Creating a Virtual Attack Surface

Cyber attacks are typically preceded by a reconnaissance phase in which attackers aim at collecting valuable information about the target system, including network topology, service dependencies, operating systems, and unpatched vulnerabilities. Unfortunately, when system configurations are static, attackers will always be able, given enough time, to acquire accurate knowledge about the target system through a variety of tools—including operating system and service fingerprinting—and engineer effective exploits. To address this important problem, many techniques have been devised to dynamically change some aspects of a system’s configuration in order to introduce uncertainty for the attacker. In this chapter, we present a graph-based approach for manipulating the attacker’s view of a system’s attack surface, which addresses several limitations of existing techniques. To achieve this objective, we formalize the notions of system view and distance between views. We then define a principled approach to manipulating responses to attacker’s probes so as to induce an external view of the system that satisfies certain desirable properties. In particular, we propose efficient algorithmic solutions to two classes of problems, namely (1) inducing an external view that is at a minimum distance from the internal view, while minimizing the cost for the defender; (2) inducing an external view that maximizes the distance from the internal view, given an upper bound on the cost for the defender. In order to demonstrate practical applicability of the proposed approach, we present deception-based techniques for defeating an attacker’s effort to fingerprint operating systems and services on the target system. These techniques consist in manipulating outgoing traffic so that it resembles traffic generated by a completely different system. Experimental results show that our approach can efficiently and effectively deceive an attacker.
Massimiliano Albanese, Ermanno Battista, Sushil Jajodia

Embedded Honeypotting

Language-based software cyber deception leverages the science of compiler and programming language theory to equip software products with deceptive capabilities that misdirect and disinform attackers. A flagship example of software cyber deception is embedded honeypots, which arm live, commodity server software with deceptive attack-response and disinformation capabilities. This chapter presents a language-based approach to embedded honeypot design and implementation. Implications related to software architecture, compiler design, program analysis, and programming language semantics are discussed.
Frederico Araujo, Kevin W. Hamlen

Agile Virtual Infrastructure for Cyber Deception Against Stealthy DDoS Attacks

DDoS attacks have been a persistent threat to network availability for many years. Most of the existing mitigation techniques attempt to protect against DDoS by filtering out attack traffic. However, as critical network resources are usually static, adversaries are able to bypass filtering by sending stealthy low traffic from large number of bots that mimic benign traffic behavior. Sophisticated stealthy attacks on critical links can cause a devastating effect such as partitioning domains and networks. Our proposed approach, called MoveNet, defend against DDoS attacks by proactively and reactively changing the footprint of critical resources in an unpredictable fashion to deceive attacker’s knowledge about critical network resources. MoveNet employs virtual networks (VNs) to offer constant, dynamic and threat-aware reallocation of critical network resources (VN migration). Our approach has two components: (1) a correct-by-construction VN migration planning that significantly increases the uncertainty about critical links of multiple VNs while preserving the VN properties, and (2) an efficient VN migration mechanism that identifies the appropriate configuration sequence to enable node migration while maintaining the network integrity (e.g., avoiding session disconnection). We formulate and implement this framework using Satisfiability Modulo Theory (SMT) logic. We also demonstrate the effectiveness of our implemented framework on both PlanetLab and Mininet-based experimentations.
Ehab Al-Shaer, Syed Fida Gillani

Exploring Malicious Hacker Forums

For consumers the increasingly widespread consumer-grade connected (“smart”) devices; growing use of cloud-storage and globally still expanding use of Internet and mobile phones; mobile payment options will pose increasing risk of becoming a victim of cyber-attack. For companies and institutions of all kinds, matters regarding the protection of Intellectual Property (IP) and Personally Identifiable Information (PII) from cyber-breaches and -leaks will demand higher financial investment. With the discovery of Stuxnet, offensive and defensive cyber-capabilities have already become an acknowledged tool in military arsenals worldwide and are at the cusp of shifting the global landscape of military power. With the expanding yield of cyber-related activities, understanding the actors creating, manipulating, and distributing malicious code becomes a paramount task. In this chapter we report on the results of an exploration of black hat hacker forums on both the Internet and crypto-networks (in particular those accessed via the Tor-browser). We report on the structure, content, and standards of behavior within these forums. Throughout we highlight how these activity augment the activities of the black hat hackers who participate.
Jana Shakarian, Andrew T. Gunn, Paulo Shakarian

Anonymity in an Electronic Society: A Survey

In the wake of surveillance scandals in recent years, as well of the continuous deployment of more sophisticated censorship mechanisms, concerns over anonymity and privacy on the Internet are ever growing. In the last decades, researchers have designed and proposed several algorithms and solutions that allow interested parties to maintain anonymity online, even against powerful opponents. In this chapter, we present a survey of the classical anonymity schemes that proved to be most successful, describing how they work and their main shortcomings. Finally, we discuss new directions in Anonymous Communication Networks (ACN) taking advantage of today’s services, like On-Line Social Networks (OSN). OSN offer a vast pool of participants, allowing to effectively disguise traffic in the high volume of daily communications, thus offering high levels of anonymity and good resistance to analysis techniques.
Mauro Conti, Fabio De Gaspari, Luigi Vincenzo Mancini

Erratum to: Integrating Cyber-D&D into Adversary Modeling for Active Cyber Defense

Frank J. Stech, Kristin E. Heckman, Blake E. Strom
Weitere Informationen

Premium Partner

BranchenIndex Online

Die B2B-Firmensuche für Industrie und Wirtschaft: Kostenfrei in Firmenprofilen nach Lieferanten, Herstellern, Dienstleistern und Händlern recherchieren.

Whitepaper

- ANZEIGE -

Best Practices für die Mitarbeiter-Partizipation in der Produktentwicklung

Unternehmen haben das Innovationspotenzial der eigenen Mitarbeiter auch außerhalb der F&E-Abteilung erkannt. Viele Initiativen zur Partizipation scheitern in der Praxis jedoch häufig. Lesen Sie hier  - basierend auf einer qualitativ-explorativen Expertenstudie - mehr über die wesentlichen Problemfelder der mitarbeiterzentrierten Produktentwicklung und profitieren Sie von konkreten Handlungsempfehlungen aus der Praxis.
Jetzt gratis downloaden!

Bildnachweise