Detecting Targeted Attacks By Multilayer Deception

Over the past few years, enterprises have faced a growing number of highly customized and targeted attacks that use sophisticated techniques and seek important company assets, such as customer data and intellectual property. Unlike conventional attacks, targeted attacks are operated by experts who use multiple steps to gain access to sensitive assets and, most of the time, leave very few network traces behind for detection. In this paper, we propose a multi-layer deception system that provides an in-depth defense against such sophisticated targeted attacks. Specifically, based on previous knowledge and patterns of such attacks, we model the attacker as trying to compromise an enterprise network via multiple stages of penetration and propose defenses at each of these layers using deception-based detection. Because of the multiple layers of deception, the probability of detecting such an attack is greatly enhanced. We present a proof-of-concept implementation of one of the key deception methods proposed. Because an enterprise operates under financial constraints, we also model the design of the deception system as an optimization problem in order to minimize the total expected loss due to system deployment and asset compromise. We find that there is an optimal solution for deploying deception entities, and that overspending the budget on more entities only increases the total expected loss to the enterprise. Such a system
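As an added illustration of the cost trade-off the abstract describes (example code written for this page, not the paper's own model, which is not reproduced here), the following assumes that each deception layer independently detects an attack with a fixed probability and that each deployed entity carries a fixed cost; the asset is lost only if the attack evades every layer.

```python
from math import inf


def expected_loss(n, detect_p, deploy_cost, asset_value):
    """Total expected loss with n deception layers deployed.

    Assumed model (not the paper's): each layer detects the attack
    independently with probability detect_p, so the attack evades all
    of them with probability (1 - detect_p) ** n. Deployment cost is
    linear in the number of entities.
    """
    miss_p = (1.0 - detect_p) ** n
    return n * deploy_cost + asset_value * miss_p


def loss_curve(detect_p, deploy_cost, asset_value, max_layers=20):
    """Expected loss for every layer count from 0 to max_layers."""
    return [expected_loss(n, detect_p, deploy_cost, asset_value)
            for n in range(max_layers + 1)]


def optimal_layers(detect_p, deploy_cost, asset_value, max_layers=50):
    """Layer count that minimizes expected loss, and that minimum.

    Because the miss term is convex and decreasing while the cost term
    grows linearly, the curve has a single minimum: every layer added
    beyond it raises the total expected loss.
    """
    best_n, best_loss = 0, inf
    for n in range(max_layers + 1):
        loss = expected_loss(n, detect_p, deploy_cost, asset_value)
        if loss < best_loss:
            best_n, best_loss = n, loss
    return best_n, best_loss


if __name__ == "__main__":
    # Constructed parameters: 30% per-layer detection, 10 units per
    # entity, an asset worth 1000 units if compromised.
    P, C, V = 0.3, 10.0, 1000.0
    for n, loss in enumerate(loss_curve(P, C, V, 14)):
        print(f"{n:2d} layers -> expected loss {loss:8.2f}")
    n_opt, loss_opt = optimal_layers(P, C, V)
    print(f"optimum: {n_opt} layers, expected loss {loss_opt:.2f}")
```

With the constructed parameters the minimum falls at 10 layers; beyond that, each extra entity costs more than the residual risk it removes.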