Thwarting Cyber-Attack Reconnaissance with Inconsistency and Deception

One of the best ways to defend a computer system is to make attackers think it is not worth attacking. Deception or inconsistency during attacker reconnaissance can be an effective way to encourage this. We provide some theory of its advantages and present some data from a honeypot that suggests ways it could be fruitfully employed. We then report on experiments that manipulated the packets of attackers probing a honeypot using Snort Inline. Results show that attackers definitely responded to deceptive manipulations, although not all the responses helped defenders. We conclude with some preliminary results on the analysis of the "last packets" of a session, which indicate more precisely which clues turn attackers away.
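The "last packets" analysis mentioned above can be illustrated with a small script. The following is an added example, not code from the paper or its authors: it takes a constructed honeypot trace (session id, packet order, direction, and a coarse label for each packet), finds the last packet of every session, and, for each kind of defender response, counts how often the attacker kept going versus stopped after it. The session records, the response labels, and the function names are all assumptions made for this example.

```python
"""Added example (not from the paper): rank defender responses in a honeypot
trace by how often the attacker's session ended right after them."""
from collections import Counter, defaultdict

# Constructed sample trace (not real honeypot data).
# Each record: (session_id, packet_order, direction, kind)
# direction "in"  = packet sent by the attacker
# direction "out" = packet sent by the honeypot / defender
SAMPLE_TRACE = [
    ("s1", 1, "in", "SYN"), ("s1", 2, "out", "SYN-ACK"),
    ("s1", 3, "in", "banner-probe"), ("s1", 4, "out", "delayed-reply"),
    ("s2", 1, "in", "SYN"), ("s2", 2, "out", "SYN-ACK"),
    ("s2", 3, "in", "banner-probe"), ("s2", 4, "out", "altered-banner"),
    ("s2", 5, "in", "login-attempt"), ("s2", 6, "out", "RST"),
    ("s3", 1, "in", "SYN"), ("s3", 2, "out", "SYN-ACK"),
    ("s3", 3, "in", "banner-probe"), ("s3", 4, "out", "delayed-reply"),
    ("s4", 1, "in", "SYN"), ("s4", 2, "out", "SYN-ACK"),
    ("s4", 3, "in", "banner-probe"), ("s4", 4, "out", "altered-banner"),
    ("s4", 5, "in", "login-attempt"), ("s4", 6, "out", "normal-reply"),
    ("s4", 7, "in", "login-attempt"),
]


def sessions(trace):
    """Group records by session id and order them by packet sequence."""
    by_id = defaultdict(list)
    for rec in trace:
        by_id[rec[0]].append(rec)
    for sid in by_id:
        by_id[sid].sort(key=lambda r: r[1])
    return dict(by_id)


def last_packets(trace):
    """Return {session_id: (direction, kind)} for the final packet of each session.
    A final "out" packet means the attacker stopped after that response; a final
    "in" packet means the attacker was still probing when the trace ended."""
    return {sid: (recs[-1][2], recs[-1][3]) for sid, recs in sessions(trace).items()}


def response_outcomes(trace):
    """For each kind of defender response, count how many times any attacker
    packet followed it ("continued") versus none did ("ended")."""
    outcomes = defaultdict(Counter)
    for recs in sessions(trace).values():
        for i, rec in enumerate(recs):
            if rec[2] != "out":
                continue
            attacker_came_back = any(r[2] == "in" for r in recs[i + 1:])
            outcomes[rec[3]]["continued" if attacker_came_back else "ended"] += 1
    return dict(outcomes)


def abandonment_rates(trace):
    """Fraction of occurrences of each defender response after which the
    attacker sent nothing more in that session."""
    rates = {}
    for kind, c in response_outcomes(trace).items():
        rates[kind] = c["ended"] / (c["ended"] + c["continued"])
    return rates


def rank_responses(trace):
    """Responses ordered by abandonment rate, then by how often they ended a
    session, so the strongest candidate 'turn-away' clue comes first.
    Caveat: a high rate shows the attacker left this session, not that the
    attacker gave up on the host; correlate with later sessions from the same
    source before drawing that conclusion."""
    outcomes = response_outcomes(trace)
    rates = abandonment_rates(trace)
    return sorted(rates.items(),
                  key=lambda kv: (kv[1], outcomes[kv[0]]["ended"]), reverse=True)


if __name__ == "__main__":
    for sid, (direction, kind) in sorted(last_packets(SAMPLE_TRACE).items()):
        print(f"{sid}: last packet {direction} {kind}")
    for kind, rate in rank_responses(SAMPLE_TRACE):
        print(f"{kind:15s} abandonment rate {rate:.2f} {dict(response_outcomes(SAMPLE_TRACE)[kind])}")
```

On the constructed trace, the delayed reply ends every session in which it appears, while the altered banner never does on its own; on real data the same tally is only a starting point, since the paper notes that some responses that attackers reacted to did not help defenders.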
