Secure Cyber Deception Architecture and Decoy Injection to Mitigate the Insider Threat

We propose a novel dynamic host mutation (DHM) architecture based on moving target defense (MTD) that can actively cope with cyberattacks. The goals of DHM are to break the cyber kill chain, to expand the attack surface so that the attacker's target-analysis cost increases, and to disrupt the attacker's fingerprinting so that the server cannot be traced. We define the participating entities that share the MTD policy within an enterprise network or critical infrastructure, and we define the functional modules of each entity that enforce DHM. The threat model of this study is an insider threat of a type not considered in previous studies. We define an attack model that accounts for the insider threat and propose a decoy injection mechanism to confuse the attacker. In addition, we analyze the security of the proposed architecture and mechanism against the stated security requirements and propose a trade-off between security and availability.
