Three decades of deception techniques in active cyber defense - Retrospect and outlook

Zhang, Li; Thing, Vrizlynn L. L.

doi:10.1016/j.cose.2021.102288

Cited by 52 publications

(10 citation statements)

References 45 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…A large number of research results have appeared in the field of active defense. Zhang et al 19 reviewed representative techniques in honeypots, honeytokens, and moving target defense, over the past 30 years, and outlooked on future research directions are presented, including dynamic merging of various deception techniques, quantified cheating results and costs of deception operations, hardware‐enabled deception techniques, as well as techniques developed based on better integration of the human factors. Reference 20 proposed that network threats facing malicious nodes can be countered by node authentication schemes.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

An active defense model based on situational awareness and firewalls

Xiao

et al. 2023

Concurrency and Computation

View full text Add to dashboard Cite

With the rapid development of the internet, cyberspace security issues have become increasingly prominent. The importance of constructing a cyberspace security system is self-evident, but compared with attackers, defenders in cyberspace are in a castle-like passive defense state in most cases. Therefore, building a reliable, accurate, timely, and active defense system is challenging. The key is to accurately focus on defense priorities, the anticipation of attackers who will likely succeed, and blocking attacks in a timely manner. In this article, we propose an active defense model based on the interaction of situational awareness and firewalls. First, by biasing the integrity, confidentiality, and availability of assets to get the score of assets, and using the Common Vulnerability Scoring System to assess the threat level of assets, we combine the two to determine the maximum system damage that the asset will suffer if it is lost, and then focus on defense. Meanwhile, log analysis of the network situational awareness platform can predict successful attackers, and then the linked firewall strategy can block these attacks in time before the attackers obtain attack gains. After that, we force the attackers to give up their attacks on the target by increasing the attack cost.We compared our model with iptables auto-blocking and nginx auto-blocking, and our model excelled them across the board in terms of comprehensiveness and false positive rate. The experimental results verify thar our active defense model proposed in this article can better reduce the defense cost and increase the attack cost, thus achieving the relatively defense goal. K E Y W O R D Sactive defense, cyber attack and defense, defense cost, game theory INTRODUCTIONWith the development of information technology, cyberspace has become the fifth space after "land, sea, air, and sky", and the security of cyberspace is directly related to the sovereign security of the country. Cyber attack and defense have become hot spots in current cybersecurity research. The objectives of cyber attackers include collecting information about a target, paralyzing the target service, entering the target and stealing data, while the objectives of cyber defenders are to keep the service running normally and stop attackers. Scanning of the target system is something that a cyber attacker must do before launching cyber attacks, which helps the attacker gain access to exploitable vulnerabilities in the target system to compromise the network. The purpose of such a scan is to understand the configurations of target systems, including but not limited to the target system's operating system, IP address, running services, software versions, existing common vulnerabilities & exposures(CVEs), weak passwords, and so on. How to prevent attackers from obtaining the scan results or prevent the attacker from using the scan results for other benefits is the goal

show abstract

Section: Related Workmentioning

confidence: 99%

“…A large number of research results have appeared in the field of active defense. Zhang et al 19 effectively and comprehensively assess the overall situation of cyberspace security. Zhao et al 22 described common passive and active defense techniques, and builded a network security system combining active defense and passive defense.…”

Section: Active Defensementioning

confidence: 99%

An active defense model based on situational awareness and firewalls

Xiao

et al. 2023

Concurrency and Computation

View full text Add to dashboard Cite

show abstract

“…They classify deception techniques depending on which phase of the Cyber Kill-Chain they can deceive an attacker. Honeytokens can be used in eight out of twelve phases to deceive attackers [27].…”

Section: Honeytoken Fingerprintingmentioning

confidence: 99%

Honeysweeper: Towards Stealthy Honeytoken Fingerprinting Techniques

et al. 2022

View full text Add to dashboard Cite

The increased number of data breaches and sophisticated attacks have created a need for early detection mechanisms. Reports indicate that it may take up to 200 days to identify a data breach and entail average costs of up to $4.85 million. To cope with cyber-deception approaches like honeypots have been used for proactive attack detection and as a source of data for threat analysis. Honeytokens are a subset of honeypots that aim at creating deceptive layers for digital entities in the form of files and folders. Honeytokens are an important tool in the proactive identification of data breaches and intrusion detection as they raise an alert the moment a deceptive entity is accessed. In such deceptionbased defensive tools, it is key that the adversary does not detect the presence of deception. However, recent research shows that honeypots and honeytokens may be fingerprinted by adversaries. Honeytoken fingerprinting is the process of detecting the presence of honeytokens in a system without triggering an alert. In this work, we explore potential fingerprinting attacks against the most common open-source honeytokens. Our findings suggest that an advanced attacker can identify the majority of honeytokens without triggering an alert. Furthermore, we propose methods that help in improving the deception layer, the information received from the alerts, and the design of honeytokens.

show abstract

“…Decoys must appear realistic to engage the attacker and increase the likelihood of interaction. Traditionally, decoys are general-purpose (possibly vulnerable) applications that are created a-priori and shipped to customers and, as such, they might have little or no fit within the defender ecosystem [4]. Moreover, when prompted by an attacker they cannot ensure the same degree of similarity or interactivity level as the original applications [5] [6] [7].…”

Section: Introductionmentioning

confidence: 99%

“…Although research on decoy placement schemes has addressed some of the challenges related to this allocation problem, it has limitations. Most of the proposed strategies assume that decoys can be located near the organization's network perimeter and thus cannot handle threats that elude the first line of defences or insider attacks propagating within the production environment [4]. Additionally, these schemes often consider a fixed number of decoys that need to be allocated on a predetermined number of system assets.…”

Section: Introductionmentioning

confidence: 99%

Resource-aware Cyber Deception in Cloud-Native Environments

Zambianco¹,

Facchinetti²,

Doriguzzi-Corin³

et al. 2023

Preprint

View full text Add to dashboard Cite

Cyber deception can be a valuable addition to traditional cyber defense mechanisms, especially for modern cloudnative environments with a fading security perimeter. However, pre-built decoys used in classical computer networks are not effective in detecting and mitigating malicious actors due to their inability to blend with the variety of applications in such environments. On the other hand, decoys cloning the deployed microservices of an application can offer a high-fidelity deception mechanism to intercept ongoing attacks within production environments. However, to fully benefit from this approach, it is essential to use a limited amount of decoy resources and devise a suitable cloning strategy to minimize the impact on legitimate services performance. Following this observation, we formulate a non-linear integer optimization problem that maximizes the number of attack paths intercepted by the allocated decoys within a fixed resource budget. Attack paths represent the attacker's movements within the infrastructure as a sequence of violated microservices. We also design a heuristic decoy placement algorithm to approximate the optimal solution and overcome the computational complexity of the proposed formulation. We evaluate the performance of the optimal and heuristic solutions against other schemes that use local vulnerability metrics to select which microservices to clone as decoys. Our results show that the proposed allocation strategy achieves a higher number of intercepted attack paths compared to these schemes while requiring approximately the same number of decoys.

show abstract

Three decades of deception techniques in active cyber defense - Retrospect and outlook

Cited by 52 publications

References 45 publications

An active defense model based on situational awareness and firewalls

An active defense model based on situational awareness and firewalls

Honeysweeper: Towards Stealthy Honeytoken Fingerprinting Techniques

Resource-aware Cyber Deception in Cloud-Native Environments

Contact Info

Product

Resources

About