Deception via honeypots, computers that pretend to be real, may provide effective ways of countering cyberattacks in computer networks. Although prior research has investigated the effectiveness of timing and amount of deception via deception-based games, it is unclear as to how the size of the network (i.e., the number of computer systems in the network) influences adversarial decisions. In this research, using a deception game (DG), we evaluate the influence of network size on adversary's cyberattack decisions. The DG has two sequential stages, probe and attack, and it is defined as DG (n, k, γ), where n is the number of servers, k is the number of honeypots, and γ is the number of probes that the adversary makes before attacking the network. In the probe stage, participants may probe a few web servers or may not probe the network. In the attack stage, participants may attack any one of the web servers or decide not to attack the network. In a laboratory experiment, participants were randomly assigned to a repeated DG across three different between-subject conditions: small (20 participants), medium (20 participants), and large (20 participants). The small, medium, and large conditions used DG (2, 1, 1), DG (6, 3, 3), and DG (12, 6, 6) games, respectively (thus, the proportion of honeypots was kept constant at 50% in all three conditions). Results revealed that in the small network, the proportions of honeypot and no-attack actions were 0.20 and 0.52, whereas in the medium (large) network, the proportions of honeypot and no-attack actions were 0.50 (0.50) and 0.06 (0.03), respectively. There was also an effect of probing actions on attack actions across all three network sizes. We highlight the implications of our results for networks of different sizes involving deception via honeypots.
Cyberattacks are proliferating, and deception via honeypots may provide efficient strategies for combating cyberattacks. Although prior research has examined deception and network factors using deception-based games, it is still unknown how the proportion of honeypots in a network influences the adversarial decision. This study evaluates the influence of different honeypot proportions on the adversary’s decisions using a deception game (DG). DG has two consecutive stages, probe and attack. In the probe stage, participants may probe a few webservers or not probe the network. In the attack stage, participants may attack any of the webservers or decide not to attack the webservers. Participants were randomly assigned to one of three between-subject conditions containing different honeypot proportions: small, medium, and large. With an increase in the proportion of honeypots, the honeypot and no-attack actions increased dramatically. We show how our findings are applicable in deception-based cyber scenarios.
Cyber-attacks, intentional efforts to steal information or interrupt the network, are growing dramatically. It is of great importance to understand how an adversary’s behavior might impact the detection of threats. Prior research in adversarial cybersecurity has investigated the effect of different honeypot variations on adversarial decisions in a deception-based game experimentally. However, it is unknown how different honeypot variations affect adversarial decisions using cognitive models. The primary objective of this research is to develop the cognitive model using Instance-based learning theory (IBLT) to make predictions for decisions for networks with different honeypot proportions. The experimental study involved the use of a deception game (DG): small, medium, and large. The DG is defined as DG (n, k, γ), where n is the number of servers, k is the number of honeypots, and γ is the number of probes that the opponent makes before attacking the network. The DG had three between-subject conditions, which denoted three different honeypot proportions. Human data in the experimental study was collected by recruiting 60 participants who were randomly assigned one of the three between-subject conditions of the deception game (N = 20 per condition). The results revealed that with an increase in the proportion of honeypots, the honeypot and no-attack actions increased significantly. Next, we built two Instance-based Learning (IBL) models, an IBL model with calibrated parameters (IBL-calibrated) and an IBL model with ACT-R parameters (IBL-ACT-R), to account for human decisions in conditions involving different honeypot proportions in a deception-based security game. It was found that both IBL-calibrated and IBL-ACT-R models were able to account for human behavior across different experimental conditions. In addition, results revealed a greater reliance on the recent and frequent occurrence of events among the human participants. We highlight the key importance of our research for the field of cognitive modelling.