Baiting Inside Attackers Using Decoy Documents

Bowen, Brian M.; Hershkop, Shlomo; Keromytis, Angelos D.; Stolfo, Salvatore J.

doi:10.1007/978-3-642-05284-2_4

Cited by 135 publications

(78 citation statements)

References 9 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…A thorough evaluation of the right model checking and alerting frequency in light of average search times on a file system inter alia is the subject of ongoing research. Another focus of ongoing research is the correlation of search behavior anomaly detection with trap-based decoy files such as [2]. This should provide stronger evidence of malfeasance, and therefore improve the detector's accuracy.…”

Section: Accuracy Results Discussionmentioning

confidence: 99%

Modeling User Search Behavior for Masquerade Detection

Salem

Stolfo

2011

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Abstract. Masquerade attacks are a common security problem that is a consequence of identity theft. This paper extends prior work by modeling user search behavior to detect deviations indicating a masquerade attack. We hypothesize that each individual user knows their own file system well enough to search in a limited, targeted and unique fashion in order to find information germane to their current task. Masqueraders, on the other hand, will likely not know the file system and layout of another user's desktop, and would likely search more extensively and broadly in a manner that is different than the victim user being impersonated. We identify actions linked to search and information access activities, and use them to build user models. The experimental results show that modeling search behavior reliably detects all masqueraders with a very low false positive rate of 1.1%, far better than prior published results. The limited set of features used for search behavior modeling also results in large performance gains over the same modeling techniques that use larger sets of features. *

show abstract

Section: Accuracy Results Discussionmentioning

confidence: 99%

Modeling User Search Behavior for Masquerade Detection

Salem

Stolfo

2011

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

show abstract

“…The inputs will contain automatically generated enticing and believable deceptive information (DI) whose misuse by an adversary can be subsequently detected. Examples of such enticing bait information include documents with built-in "beacons" [9], URLs and username/passwords to honeypots or sites whose access can be directly or indirectly monitored [10], credit card and bank account numbers with triggers [11], etc. Other types of DI that we plan to use include deceptive documents in the filesystem and entries in database tables (or entire databases).…”

Section: Digit: Deceptive Information Generation Injection and Tmentioning

confidence: 99%

The MEERKATS Cloud Security Architecture

Keromytis

Geambasu

Sethumadhavan

et al. 2012

2012 32nd International Conference on Distributed Computing Systems Workshops

Self Cite

View full text Add to dashboard Cite

Abstract-MEERKATS is a novel architecture for cloud environments that elevates continuous system evolution and change as first-rate design principles. Our goal is to enable an environment for cloud services that constantly changes along several dimensions, toward creating an unpredictable target for an adversary. This unpredictability will both impede the adversary's ability to achieve an initial system compromise and, if a compromise occurs, to detect, disrupt, and/or otherwise impede his ability to exploit this success. Thus, we envision an environment where cloud services and data are constantly in flux, using adaptive (both proactive and reactive) protection mechanisms and distributed monitoring at various levels of abstraction. A key element of MEERKATS is the focus on both the software and the data in the cloud, not just protecting but leveraging both to improve mission resilience. MEERKATS seeks to effectively exploit "economies of scale" (in resources available) to provide higher flexibility and effectiveness in the deployment and use of protection mechanisms as and where needed, focusing on current and anticipated application and mission needs instead of an inefficient, "blanket" approach to protecting "everything the same way, all the time". We outline our vision for MEERKATS and describe our approach toward prototyping it.

show abstract

“…These credentials could be exposed to Tor exits via canned protocol interactions. Combined with decoy information generation services [8], this infrastructure could be used as a composable eavesdrop detection system [27].…”

Section: Eavesdropping Detection As a Network Servicementioning

confidence: 99%

“…The decoy credentials used in our approach can thus be viewed as particular instance of honeytokens. Bowen et al [8] proposed the use of decoy documents to detect misbehaving entities within the perimeter of an organization. The decoy documents contain embedded "beacons," such as scripts or macros, which are executed when the document is opened.…”

Section: Related Workmentioning

confidence: 99%

“…The use of fake information, or honeytokens [29], for the detection of unauthorized use of sensitive data is not new. Decoy information has been previously used to to detect eavesdropping on unprotected wireless networks [9] and warn of insider threats [8]. The idea behind these systems is that eavesdroppers will probably try to use the collected information in some way.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Detecting Traffic Snooping in Tor Using Decoys

Chakravarty

Portokalidis

Polychronakis

et al. 2011

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Abstract. Anonymous communication networks like Tor partially protect the confidentiality of their users' traffic by encrypting all intraoverlay communication. However, when the relayed traffic reaches the boundaries of the overlay network towards its actual destination, the original user traffic is inevitably exposed. At this point, unless end-toend encryption is used, sensitive user data can be snooped by a malicious or compromised exit node, or by any other rogue network entity on the path towards the actual destination. We explore the use of decoy traffic for the detection of traffic interception on anonymous proxying systems. Our approach is based on the injection of traffic that exposes bait credentials for decoy services that require user authentication. Our aim is to entice prospective eavesdroppers to access decoy accounts on servers under our control using the intercepted credentials. We have deployed our prototype implementation in the Tor network using decoy IMAP and SMTP servers. During the course of ten months, our system detected ten cases of traffic interception that involved ten different Tor exit nodes. We provide a detailed analysis of the detected incidents, discuss potential improvements to our system, and outline how our approach can be extended for the detection of HTTP session hijacking attacks.

show abstract

Baiting Inside Attackers Using Decoy Documents

Cited by 135 publications

References 9 publications

Modeling User Search Behavior for Masquerade Detection

Modeling User Search Behavior for Masquerade Detection

The MEERKATS Cloud Security Architecture

Detecting Traffic Snooping in Tor Using Decoys

Contact Info

Product

Resources

About