Ensuring Deception Consistency for FTP Services Hardened against Advanced Persistent Threats

As evidenced by numerous high-profile security incidents such as the Target data breach and the Equifax hack, APTs (Advanced Persistent Threats) can significantly compromise the trustworthiness of cyberspace. This work explores how to improve the effectiveness of cyber deception in hardening FTP (File Transfer Protocol) services against APTs. The main objective of our work is to ensure deception consistency: once the attackers are trapped, they can make only observations that are consistent with what they have already seen, so that they cannot recognize the deceptive environment. To achieve deception consistency, we use logic constraints to characterize the attacker's best knowledge (positive, negative, or uncertain). When migrating the attacker's FTP connection into a contained environment, we use these logic constraints to instantiate a new FTP file system that is guaranteed to be free of inconsistencies. We performed deception experiments with student participants who had just completed a computer security course. Following the design of Turing tests, we find that the participants' chances of recognizing deceptive environments are close to random guessing. Our experiments also confirm the importance of observation consistency in identifying deception.
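The abstract describes three ingredients: recording the attacker's best knowledge as constraints (positive, negative, uncertain), instantiating a decoy file system that satisfies them, and checking that nothing the attacker can observe afterwards contradicts what was seen before. The following is an added example, not code from the paper or its authors, that models this mechanism in Python. The constraint kinds (`listing`, `exists`, `absent`, `size`), the dictionary-based file-system model, the helper names and the sample session are all assumptions made for the illustration; the paper's own constraint language is not on this page.

```python
import posixpath
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed model, not the paper's: path -> None for a directory, int byte size for a file.
FileSystem = Dict[str, Optional[int]]


@dataclass(frozen=True)
class Constraint:
    kind: str          # "listing" | "exists" | "absent" | "size"
    path: str
    value: object = None


@dataclass
class AttackerKnowledge:
    """Best knowledge the attacker could have gathered from the real server's replies."""
    constraints: List[Constraint] = field(default_factory=list)

    def observe_listing(self, directory: str, names: List[str]) -> None:
        # LIST succeeded: the directory exists and its exact set of children is known
        self.constraints.append(Constraint("listing", directory, tuple(sorted(names))))
        for n in names:
            self.constraints.append(Constraint("exists", posixpath.join(directory, n)))

    def observe_size(self, path: str, size: int) -> None:
        # '213 <size>' reply: positive knowledge of the file and its exact size
        self.constraints.append(Constraint("size", path, size))

    def observe_missing(self, path: str) -> None:
        # '550 No such file or directory': negative knowledge, the path must stay absent
        self.constraints.append(Constraint("absent", path))


def children(fs: FileSystem, directory: str) -> Tuple[str, ...]:
    """Names the decoy would return for LIST <directory>."""
    return tuple(sorted(posixpath.basename(p) for p in fs
                        if p != directory and posixpath.dirname(p) == directory))


def inconsistencies(fs: FileSystem, k: AttackerKnowledge) -> List[str]:
    """Every recorded observation the decoy would contradict; [] means safe to migrate."""
    problems = []
    for c in k.constraints:
        if c.kind == "listing":
            if fs.get(c.path, 0) is not None:          # missing, or a file instead of a directory
                problems.append(f"{c.path}: was listed, decoy has no such directory")
            elif children(fs, c.path) != c.value:
                problems.append(f"{c.path}: listing {c.value} -> {children(fs, c.path)}")
        elif c.kind == "exists" and c.path not in fs:
            problems.append(f"{c.path}: was visible, now missing")
        elif c.kind == "absent" and c.path in fs:
            problems.append(f"{c.path}: server replied 550, decoy now serves it")
        elif c.kind == "size" and fs.get(c.path) != c.value:
            problems.append(f"{c.path}: size {fs.get(c.path)} != observed {c.value}")
    return problems


def _remove_subtree(fs: FileSystem, path: str) -> None:
    prefix = path.rstrip("/") + "/"
    for p in [p for p in fs if p == path or p.startswith(prefix)]:
        del fs[p]


def instantiate_decoy(template: FileSystem, k: AttackerKnowledge) -> FileSystem:
    """Patch a decoy template so that every observation still holds.

    Untouched paths are 'uncertain' and keep the template's content, which is where
    decoy documents may differ freely.  Observations from one real server are assumed
    mutually consistent and are applied in the order they were made.
    """
    fs = dict(template)
    for c in k.constraints:
        if c.kind == "listing":
            fs[c.path] = None
            for name in set(children(fs, c.path)) - set(c.value):
                _remove_subtree(fs, posixpath.join(c.path, name))   # extra entries would betray the decoy
        elif c.kind == "exists":
            fs.setdefault(c.path, 0)            # placeholder empty file if the template lacks it
        elif c.kind == "size":
            fs[c.path] = c.value
        elif c.kind == "absent":
            _remove_subtree(fs, c.path)
    return fs


def demo() -> Tuple[List[str], List[str], FileSystem]:
    """Constructed session: replay the attacker's observations, then repair a decoy template."""
    k = AttackerKnowledge()
    k.observe_listing("/pub", ["README", "data.csv"])   # LIST /pub
    k.observe_size("/pub/data.csv", 4096)              # SIZE /pub/data.csv -> 213 4096
    k.observe_missing("/pub/secret.key")               # RETR /pub/secret.key -> 550
    # /home was never touched, so it is uncertain and the decoy may put anything there.
    template: FileSystem = {
        "/": None, "/pub": None, "/pub/README": 120, "/pub/data.csv": 10,
        "/pub/secret.key": 2048,                       # would contradict the 550 the attacker saw
        "/home": None, "/home/admin": None, "/home/admin/passwords.txt": 300,
    }
    before = inconsistencies(template, k)
    decoy = instantiate_decoy(template, k)
    return before, inconsistencies(decoy, k), decoy


if __name__ == "__main__":
    before, after, decoy = demo()
    print(f"template contradicts {len(before)} observation(s); repaired decoy contradicts {len(after)}")
```

The point of the final `inconsistencies()` call is that the guarantee comes from checking, not from trusting the repair step: the migration should only proceed when the list is empty. Anything the attacker never touched (here `/home`) stays free for the defender to populate with bait, which is the "uncertain" part of the knowledge model.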