Multi-dimensional Host Identity Anonymization for Defeating Skilled Attackers

Jafarian, Jafar Haadi; Niakanlahiji, Amirreza; Al-Shaer, Ehab; Duan, Qi

doi:10.1145/2995272.2995278

Cited by 17 publications

(7 citation statements)

References 16 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The traffic deception module on the moving server shares the characteristics of the outbound traffic, which are imitated by the traffic generator module on the decoy server to generate similar traffic with decoy processes on the client. Besides, The decoy connection and traffic injection in [155] similar to [156], OS fingerprint mutation is also applied on all servers so that the attack surface is further obfuscated. The SDN based CHAOS system (see Figure 11) in [157] obfuscates the network attack surface by using honeypot (i.e., decoy servers), honeytoken (i.e, fake response to port scanning), and MTD (i.e, random host mutation) techniques.…”

Section: A Deception In Depthmentioning

confidence: 99%

See 1 more Smart Citation

Three Decades of Deception Techniques in Active Cyber Defense -- Retrospect and Outlook

Zhang¹,

Thing²

2021

Preprint

View full text Add to dashboard Cite

Deception techniques have been widely seen as a game changer in cyber defense. In this paper, we review representative techniques in honeypots, honeytokens, and moving target defense, spanning from the late 1980s to the year 2021. Techniques from these three domains complement with each other and may be leveraged to build a holistic deception based defense. However, to the best of our knowledge, there has not been a work that provides a systematic retrospect of these three domains all together and investigates their integrated usage for orchestrated deceptions. Our paper aims to fill this gap. By utilizing a tailored cyber kill chain model which can reflect the current threat landscape and a four-layer deception stack, a twodimensional taxonomy is developed, based on which the deception techniques are classified. The taxonomy literally answers which phases of a cyber attack campaign the techniques can disrupt and which layers of the deception stack they belong to. Cyber defenders may use the taxonomy as a reference to design an organized and comprehensive deception plan, or to prioritize deception efforts for a budget conscious solution. We also discuss two important points for achieving active and resilient cyber defense, namely deception in depth and deception lifecycle, where several notable proposals are illustrated. Finally, some outlooks on future research directions are presented, including dynamic integration of different deception techniques, quantified deception effects and deception operation cost, hardware-supported deception techniques, as well as techniques developed based on better understanding of the human element.

show abstract

Section: A Deception In Depthmentioning

confidence: 99%

“…HT: [68], [88] HT: HT: MTD: [123], [125] MTD: [133], [134] MTD: MTD: Exploitation HP: [77], [167] HP: [55]- [61], [67], [153], [155], [156], [159], [160] HP: [54] HP:…”

Section: B Deception Lifecyclementioning

confidence: 99%

Three Decades of Deception Techniques in Active Cyber Defense -- Retrospect and Outlook

Zhang¹,

Thing²

2021

Preprint

View full text Add to dashboard Cite

show abstract

“…Typical examples of MTD research are openflow-random host mutation (OF-RHM) and random host mutation (RHM), which undertake network address mutation operations using SDN(Software Defined Networking) and legacy network operations with the use of virtual IPs [9,10]. HIDE (Host IDEntify anonymization) is an MTD technology that uses a honeypot cloud based on RHM and adds the concepts of fingerprint mutation and decoy node operation [11]. Moving target IPv6 defense (MT6D) is a technology for generating addresses using a cryptographic algorithm with timestamps in an IPv6-based network environment [12].…”

Section: Related Workmentioning

confidence: 99%

Secure Cyber Deception Architecture and Decoy Injection to Mitigate the Insider Threat

et al. 2018

View full text Add to dashboard Cite

Abstract:We propose a novel dynamic host mutation (DHM) architecture based on moving target defense (MTD) that can actively cope with cyberattacks. The goal of the DHM is to break the cyber kill chain, expand the attack surface to increase the attacker's target analysis cost, and disrupt the attacker's fingerprinting to disable the server trace. We define the participating entities that share the MTD policy within the enterprise network or the critical infrastructure, and define functional modules of each entity for DHM enforcement. The threat model of this study is an insider threat of a type not considered in previous studies. We define an attack model considering an insider threat and propose a decoy injection mechanism to confuse the attacker. In addition, we analyze the security of the proposed structure and mechanism based on the security requirements and propose a trade-off considering security and availability.

show abstract

“…Duan et al [5] combine dynamic rotation, diversification, and honeypot technology to improve the effectiveness of cyber deception. Jafarian et al [6] employ IP/MAC addresses, service ports, service names, exploitable vulnerabilities, and others as host identity fingerprints. Then they propose an anonymous active defense system HIDE to continuously change the host's fingerprint.…”

Section: Introductionmentioning

confidence: 99%

A Cyber Deception Method Based on Container Identity Information Anonymity

Zeng

et al. 2021

IEICE Trans. Inf. & Syst.

View full text Add to dashboard Cite

Existing cyber deception technologies (e.g., operating system obfuscation) can effectively disturb attackers' network reconnaissance and hide fingerprint information of valuable cyber assets (e.g., containers). However, they exhibit ineffectiveness against skilled attackers. In this study, a proactive fingerprint deception method is proposed, termed as Continuously Anonymizing Containers' Fingerprints (CACF), which modifies the container's fingerprint in the cloud resource pool to satisfy the anonymization standard. As demonstrated by experimental results, the CACF can effectively increase the difficulty for attackers.

show abstract

Multi-dimensional Host Identity Anonymization for Defeating Skilled Attackers

Cited by 17 publications

References 16 publications

Three Decades of Deception Techniques in Active Cyber Defense -- Retrospect and Outlook

Three Decades of Deception Techniques in Active Cyber Defense -- Retrospect and Outlook

Secure Cyber Deception Architecture and Decoy Injection to Mitigate the Insider Threat

A Cyber Deception Method Based on Container Identity Information Anonymity

Contact Info

Product

Resources

About