PhantomFS: File-Based Deception Technology for Thwarting Malicious Users

File-based deception technologies can serve as an additional security barrier once adversaries have gained access to a host while evading intrusion detection systems: an adversary is detected as soon as they access a fake file. Although previous work has mainly focused on using user data files as decoys, the same concept can be applied to system files. This is expected to be effective in detecting malicious users because it is very difficult to carry out an attack without accessing at least one system file. However, decoy system files may suffer from excessive false alarms triggered by legitimate system services such as file indexing and searching, and legitimate users may also access fake files by mistake. This paper addresses this issue by introducing a hidden interface: legitimate users and applications access files through the hidden interface, which does not show fake files. The hidden interface can also be used to protect sensitive files by hiding them from the regular interface. Through experiments, we demonstrate that the proposed technique incurs negligible performance overhead, that it is an effective countermeasure against various attack scenarios, and that it is practical in that it does not generate false alarms for legitimate applications and users.
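The following is an added, in-memory model of the two-interface idea described above; it is not the PhantomFS authors' code. The regular interface exposes real files plus decoy system files, the hidden interface (for trusted indexers and users) exposes real and sensitive files but no decoys, and any decoy access through the regular interface is recorded as a detection event. File names, the `Kind` labels and the alert format are assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum


class Kind(Enum):
    REAL = "real"            # ordinary file, visible through both interfaces
    DECOY = "decoy"          # fake system file, visible only through the regular interface
    SENSITIVE = "sensitive"  # real file exposed only through the hidden interface


@dataclass
class PhantomFS:
    files: dict = field(default_factory=dict)   # path -> (Kind, content)
    alerts: list = field(default_factory=list)  # (subject, path) decoy accesses

    def add(self, path, kind, content=""):
        self.files[path] = (kind, content)

    def _visible(self, kind, hidden):
        # The hidden interface never shows decoys; the regular one never shows sensitive files.
        return kind is not (Kind.DECOY if hidden else Kind.SENSITIVE)

    def exists(self, path, hidden=False):
        return path in self.files and self._visible(self.files[path][0], hidden)

    def listdir(self, directory, hidden=False):
        """Prefix listing (recursive) as seen through the chosen interface."""
        prefix = directory.rstrip("/") + "/"
        return sorted(p for p, (k, _) in self.files.items()
                      if p.startswith(prefix) and self._visible(k, hidden))

    def read(self, path, subject, hidden=False):
        """Read a file; a decoy read via the regular interface raises an alert."""
        if not self.exists(path, hidden):
            raise FileNotFoundError(path)
        kind, content = self.files[path]
        if kind is Kind.DECOY:          # only reachable with hidden=False
            self.alerts.append((subject, path))
        return content


def demo_fs():
    """Constructed sample layout: one real, one decoy and one sensitive file."""
    fs = PhantomFS()
    fs.add("/etc/passwd", Kind.REAL, "root:x:0:0")
    fs.add("/etc/shadow.bak", Kind.DECOY, "")          # assumed decoy name
    fs.add("/etc/keys/api.key", Kind.SENSITIVE, "KEY")  # assumed sensitive file
    return fs
```

A legitimate indexer walking the tree with `hidden=True` never sees or touches the decoy, so it cannot raise a false alarm, while any subject reading it through the regular interface is logged.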
