Organizations face a persistent challenge detecting malicious insiders as well as outside attackers who compromise legitimate credentials and then masquerade as insiders. No matter how good an organization's perimeter defenses are, eventually they will be compromised or betrayed from the inside. Monitored decoy documents (honey files with enticing names and content) are a promising approach to aid in the detection of malicious masqueraders and insiders. In this paper, we present a new technique for decoy document distribution that can be used to improve the scalability of insider detection. We develop a placement application that automates the deployment of decoy documents and we report on two user studies to evaluate its effectiveness. The first study indicates that our automated decoy distribution tool is capable of strategically placing decoy files in a way that offers comparable security to optimal manual deployment. In the second user study, we measure the frequency that normal users access decoy documents on their own systems and show that decoy files do not significantly interfere with normal user tasks.
[1]
Ronald L. Rivest,et al.
Honeywords: making password-cracking detectable
,
2013,
CCS.
[2]
Salvatore J. Stolfo,et al.
Baiting Inside Attackers Using Decoy Documents
,
2009,
SecureComm.
[3]
Decoy Document Deployment for Effective Masquerade Attack Detection
,
2011,
DIMVA.
[4]
C. Causer.
The Art of War
,
2011,
IEEE Potentials.
[5]
J. Yuill,et al.
Honeyfiles: deceptive files for intrusion detection
,
2004,
Proceedings from the Fifth Annual IEEE SMC Information Assurance Workshop, 2004..
[6]
Clifford Stoll,et al.
The Cuckoo's Egg
,
1989
.
[7]
Stefan Katzenbeisser,et al.
From Patches to Honey-Patches: Lightweight Attacker Misdirection, Deception, and Disinformation
,
2014,
CCS.