Attacker Capability based Dynamic Deception Model for Large-Scale Networks

In modern days, cyber networks need continuous monitoring to keep the network secure and available to legitimate users. Cyber attackers use reconnaissance mission to collect critical network information and using that information, they make an advanced level cyber-attack plan. To thwart the reconnaissance mission and counterattack plan, the cyber defender needs to come up with a state-of-the-art cyber defense strategy. In this paper, we model a dynamic deception system (DDS) which will not only thwart reconnaissance mission but also steer the attacker towards fake network to achieve a fake goal state. In our model, we also capture the attacker’s capability using a belief matrix which is a joint probability distribution over the security states and attacker types. Experiments conducted on the prototype implementation of our DDS confirm that the defender can make the decision whether to spend more resources or save resources based on attacker types and thwart reconnaissance mission.

[1]  Patrick McDaniel,et al.  Deceiving Network Reconnaissance Using SDN-Based Virtual Topologies , 2017, IEEE Transactions on Network and Service Management.

[2]  Ehab Al-Shaer,et al.  Efficient Random Route Mutation considering flow and network constraints , 2013, 2013 IEEE Conference on Communications and Network Security (CNS).

[3]  Joel Veness,et al.  Monte-Carlo Planning in Large POMDPs , 2010, NIPS.

[4]  William H. Sanders,et al.  Ieee Transactions on Parallel and Distributed Systems Rre: a Game-theoretic Intrusion Response and Recovery Engine , 2022 .

[5]  Leslie Pack Kaelbling,et al.  Planning and Acting in Partially Observable Stochastic Domains , 1998, Artif. Intell..

[6]  Keith W. Ross,et al.  Computer networking - a top-down approach featuring the internet , 2000 .

[7]  Haifeng Xu,et al.  Deceiving Cyber Adversaries: A Game Theoretic Approach , 2018, AAMAS.

[8]  Robert Beverly,et al.  A Technique for Network Topology Deception , 2013, MILCOM 2013 - 2013 IEEE Military Communications Conference.

[9]  Donald F. Towsley,et al.  On the performance of Internet worm scanning strategies , 2006, Perform. Evaluation.

[10]  Ehab Al-Shaer,et al.  Adversary-aware IP address randomization for proactive agility against sophisticated attackers , 2015, 2015 IEEE Conference on Computer Communications (INFOCOM).

[11]  Duminda Wijesekera,et al.  Scalable, graph-based network vulnerability analysis , 2002, CCS '02.

[12]  Malek Ben Salem,et al.  Modeling Cost of Countermeasures in Software Defined Networking-enabled Energy Delivery Systems , 2018, 2018 IEEE Conference on Communications and Network Security (CNS).

[13]  Peter Auer,et al.  Finite-time Analysis of the Multiarmed Bandit Problem , 2002, Machine Learning.

[14]  Sushil Jajodia,et al.  Managing attack graph complexity through visual hierarchical aggregation , 2004, VizSEC/DMSEC '04.

[15]  Christopher Krügel,et al.  Comprehensive approach to intrusion detection alert correlation , 2004, IEEE Transactions on Dependable and Secure Computing.

[16]  Demosthenis Teneketzis,et al.  A POMDP Approach to the Dynamic Defense of Large-Scale Cyber Networks , 2018, IEEE Transactions on Information Forensics and Security.

[17]  Joelle Pineau,et al.  Online Planning Algorithms for POMDPs , 2008, J. Artif. Intell. Res..

[18]  Ehab Al-Shaer,et al.  Random Host Mutation for Moving Target Defense , 2012, SecureComm.

[19]  Sushil Jajodia,et al.  Topological analysis of network attack vulnerability , 2006, PST.

[20]  Karl Johan Åström,et al.  Optimal control of Markov processes with incomplete state information , 1965 .

[21]  Ehab Al-Shaer,et al.  Openflow random host mutation: transparent moving target defense using software defined networking , 2012, HotSDN '12.

[22]  Jianhua Sun,et al.  DESIR: Decoy-enhanced seamless IP randomization , 2016, IEEE INFOCOM 2016 - The 35th Annual IEEE International Conference on Computer Communications.

[23]  Csaba Szepesvári,et al.  Bandit Based Monte-Carlo Planning , 2006, ECML.

[24]  Karen A. Scarfone,et al.  A Complete Guide to the Common Vulnerability Scoring System Version 2.0 | NIST , 2007 .

[25]  David Hsu,et al.  SARSOP: Efficient Point-Based POMDP Planning by Approximating Optimally Reachable Belief Spaces , 2008, Robotics: Science and Systems.

[26]  Rémi Coulom,et al.  Efficient Selectivity and Backup Operators in Monte-Carlo Tree Search , 2006, Computers and Games.

[27]  Somesh Jha,et al.  Automated generation and analysis of attack graphs , 2002, Proceedings 2002 IEEE Symposium on Security and Privacy.

[28]  Sushil Jajodia,et al.  Manipulating the attacker's view of a system's attack surface , 2014, 2014 IEEE Conference on Communications and Network Security.

[29]  Joseph G. Tront,et al.  Implementing an IPv6 Moving Target Defense on a Live Network , 2012 .

[30]  Sachin Shetty,et al.  Online Cyber Deception System Using Partially Observable Monte-Carlo Planning Framework , 2019, SecureComm.

[31]  Robert K. Cunningham,et al.  A taxonomy of computer worms , 2003, WORM '03.

[32]  Hervé Debar,et al.  M2D2: A Formal Data Model for IDS Alert Correlation , 2002, RAID.

[33]  Paul Ammann,et al.  Using model checking to analyze network vulnerabilities , 2000, Proceeding 2000 IEEE Symposium on Security and Privacy. S&P 2000.