Abstract: Modern intrusion detection systems have become highly reliable at identifying a malicious user on a computer system. Their limitations, though, increase the need for an intelligent response to an intrusion. Intelligent software decoys address this by providing autonomous, software-based responses to identified intrusions. In this thesis, we explore conducting military deception, focusing on the use of software-driven simulations to respond to the actions of intruders. In particular, this thesis focuses on a model of a simple deceptive response intended to protect a search-type program from a buffer-overflow attack. During our study, we found that, after identifying an attack attempt, simulating system saturation with processing delays worked well to deceive a prospective attacker. We also experimented with providing confusing reactions to an identified attack attempt, such as simulated network login screens and fake root shells. The results were successful: simple reactions to intrusions that mimicked the intended system interaction proved adequate for implementing the deception principles we studied.
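The response described in the abstract, in which a search program that notices an overflow-like input keeps answering as if it were merely overloaded, can be sketched in a few lines. The following is an added illustration and is not the thesis's own code; the buffer size, the printable-bytes heuristic, the doubling delay schedule and the sample corpus are all assumptions made for the example.

```python
import logging
import string
import time
from dataclasses import dataclass, field

log = logging.getLogger("decoy")

# Assumed capacity of the search program's fixed-size input buffer (hypothetical value).
BUFFER_LIMIT = 64
PRINTABLE = set(string.printable.encode())


@dataclass
class Response:
    verdict: str          # "benign" or "suspicious"
    delay_seconds: float  # artificial latency imposed before answering
    body: str


def looks_like_overflow_attempt(query: bytes, limit: int = BUFFER_LIMIT) -> bool:
    """Heuristic trigger: input that would not fit the buffer, or that carries
    non-printable bytes a text search field would never legitimately receive."""
    return len(query) > limit or any(b not in PRINTABLE for b in query)


def escalate_delay(strike: int, base: float = 0.5, cap: float = 30.0) -> float:
    """Delay doubles with each repeated attempt from the same client, up to a cap,
    so the system appears progressively more saturated rather than refusing service."""
    return min(cap, base * (2 ** strike))


@dataclass
class DecoySearch:
    corpus: list
    sleep: callable = time.sleep           # injectable so tests need not really wait
    strikes: dict = field(default_factory=dict)

    def handle(self, client_id: str, query: bytes) -> Response:
        if looks_like_overflow_attempt(query):
            n = self.strikes.get(client_id, 0)
            self.strikes[client_id] = n + 1
            delay = escalate_delay(n)
            # Record the event for the operator; the client only sees a slow search.
            log.warning("overflow-like input from %s (len=%d), delaying %.1fs",
                        client_id, len(query), delay)
            self.sleep(delay)
            # Answer exactly as an overloaded but healthy search would, with no hint of detection.
            return Response("suspicious", delay, "search timed out, 0 results")
        text = query.decode("ascii")
        hits = [line for line in self.corpus if text in line]
        return Response("benign", 0.0, "\n".join(hits) if hits else "0 results")


# Constructed sample data for a stand-alone run.
SAMPLE_CORPUS = ["alpha report 2002", "beta report 2003", "gamma memo"]


def demo(sleep=lambda s: None) -> list:
    """Run one normal query and two over-long queries from the same client."""
    decoy = DecoySearch(SAMPLE_CORPUS, sleep=sleep)
    return [
        decoy.handle("client-a", b"report"),
        decoy.handle("client-b", b"A" * 200),
        decoy.handle("client-b", b"A" * 200 + b"\x90\x90"),
    ]


if __name__ == "__main__":
    for r in demo():
        print(r.verdict, r.delay_seconds, r.body[:40])
```

The point of the design is that the suspicious branch never returns an error distinguishable from ordinary load: the detection is logged for the operator, while the reply and the growing latency are the only things the client observes. The `sleep` parameter is injected so the delay policy can be unit-tested without actually waiting.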