PhantomFS-v2: Dare You to Avoid This Trap

It has been demonstrated that deception technologies are effective in detecting advanced persistent threats and zero-day attacks that cannot be detected by traditional signature-based intrusion detection techniques. In particular, file-based deception technology is promising because it is very difficult (if not impossible) to carry out an attack without reading or modifying any file. It can serve as an additional security barrier, because malicious file access can be detected even if an adversary succeeds in gaining access to a host. However, PhantomFS still has a problem common to deception technologies: once a deception technology is known to adversaries, it is unlikely to succeed in luring them. In this paper, we classify adversaries who are aware of PhantomFS according to their level of knowledge about PhantomFS and their permissions on it. We then analyze the attack surface and develop a defense strategy to limit the attack vectors, and we extend PhantomFS to realize that strategy. Specifically, we introduce multiple hidden interfaces and detection of file execution. We evaluate the security and the performance overhead of the proposed technique. We demonstrate by penetration testing that the extended PhantomFS is secure against intelligent adversaries. The extended PhantomFS offers higher detection accuracy with a lower false alarm rate than existing techniques. We also show that the overhead is negligible in terms of response time and CPU time.
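As an added illustration (not the paper's or PhantomFS's own code), the following toy model captures the two mechanisms the abstract names: decoy files are invisible through hidden interfaces, so trusted software never trips them, while any read, write or execution of a decoy through the default interface raises an alert. The class and function names, the interface identifiers and the sample events are all assumed or constructed here.

```python
# Toy model of file-based deception with hidden interfaces (assumed design,
# not the PhantomFS implementation). Decoys exist only through the default
# interface; software configured to use a hidden interface never sees them,
# which is what keeps the false alarm rate down.
from dataclasses import dataclass, field

@dataclass
class DecoyMonitor:
    decoys: frozenset                  # decoy paths that no legitimate task needs
    hidden_ifaces: frozenset           # interface ids trusted software is configured with
    alerts: list = field(default_factory=list)

    def visible(self, path, iface):
        """A decoy is hidden (ENOENT) through a hidden interface."""
        return not (path in self.decoys and iface in self.hidden_ifaces)

    def access(self, path, op, iface="default", uid=0):
        """Mediate one operation (op in read/write/exec) and return the outcome.
        Reaching a decoy through the default interface is recorded as an alert,
        including execution, which a read/write-only monitor would miss."""
        if op not in ("read", "write", "exec"):
            raise ValueError(f"unknown op {op!r}")
        if not self.visible(path, iface):
            return "ENOENT"
        if path in self.decoys:
            self.alerts.append({"path": path, "op": op, "iface": iface, "uid": uid})
            return "served-decoy"   # keep serving it so the deception holds
        return "served"

def make_monitor():
    """Build a monitor with constructed decoy paths and one hidden interface id."""
    return DecoyMonitor(frozenset({"/home/alice/keys.bak", "/opt/backup/run.sh"}),
                        frozenset({"hidden-7f3a"}))

def replay(monitor, events):
    """Feed (path, op, iface, uid) events and return alert counts per operation."""
    for path, op, iface, uid in events:
        monitor.access(path, op, iface, uid)
    counts = {"read": 0, "write": 0, "exec": 0}
    for alert in monitor.alerts:
        counts[alert["op"]] += 1
    return counts

# Constructed sample events, not captured data.
SAMPLE_EVENTS = [
    ("/etc/passwd", "read", "hidden-7f3a", 1000),           # trusted tool, real file
    ("/home/alice/keys.bak", "read", "hidden-7f3a", 1000),  # decoy invisible here
    ("/home/alice/keys.bak", "read", "default", 1000),      # decoy read via default
    ("/home/alice/keys.bak", "write", "default", 1000),     # decoy modified
    ("/opt/backup/run.sh", "exec", "default", 0),           # decoy executed
]
```

Running `replay(make_monitor(), SAMPLE_EVENTS)` yields one alert each for read, write and exec; the two hidden-interface accesses produce none.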
