12,354 research outputs found
The Moonraker Study: An Experimental Evaluation of Host-Based Deception
Cyber deception has been discussed as providing enhanced cyber defense. This human subjects research, one of the first rigorously controlled studies on this topic, found that host-based deception was effective at preventing completion of a specific exfiltration task against a virtual network. In addition to impeding progress and preventing success, the deception resulted in increased confusion and surprise in the participants. This study provided the necessary rigor to scientifically attest to the effectiveness of cyber deception for cyber defense with computer specialists
Emotional State Classification and Related Behaviors Among Cyber Attackers
Cyber deception is a strategy that defenders can leverage to gain an advantage over cyber attackers. The effects of deception on the attacker however, are not yet well understood. Quantifying the tangible and emotional effects of deception on the attacker’s performance, beliefs, and emotional state are critical to deploying effective, targeted cyber deception. Our work uses data from a human-subjects experiment measuring the impact of cyber and psychological deception on over 100 professional red-teamers. These results demonstrate that an attacker’s cognitive and emotional state can often be inferred from data already observed and collected by cyber defenders world-wide. Future work will leverage this observed data-set to formulate more informed defensive strategies
A Survey of Network Requirements for Enabling Effective Cyber Deception
In the evolving landscape of cybersecurity, the utilization of cyber
deception has gained prominence as a proactive defense strategy against
sophisticated attacks. This paper presents a comprehensive survey that
investigates the crucial network requirements essential for the successful
implementation of effective cyber deception techniques. With a focus on diverse
network architectures and topologies, we delve into the intricate relationship
between network characteristics and the deployment of deception mechanisms.
This survey provides an in-depth analysis of prevailing cyber deception
frameworks, highlighting their strengths and limitations in meeting the
requirements for optimal efficacy. By synthesizing insights from both
theoretical and practical perspectives, we contribute to a comprehensive
understanding of the network prerequisites crucial for enabling robust and
adaptable cyber deception strategies
A Deception Planning Framework for Cyber Defense
The role and significance of deception systems such as honeypots for slowing down attacks and collecting their signatures are well-known. However, the focus has primarily been on developing individual deception systems, and very few works have focused on developing strategies for a synergistic and strategic combination of these systems to achieve more ambitious deception goals. The objective of this paper is to lay a scientific foundation for cyber deception planning, by (1) presenting a formal deception logic for modeling cyber deception, and (2) introducing a deception framework that augments this formal modeling with necessary quantitative reasoning tools to generate coordinated deception plans. To show expressiveness and evaluate effectiveness and overhead of the framework, we use it to model and solve two important deception planning problems: (1) strategic honeypot planning, and (2) deception planning against route identification. Through these case studies, we show that the generated deception plans are highly effective and outperform alternative random and unplanned deception strategies
HoneyBug: Personalized Cyber Deception for Web Applications
Cyber deception is used to reverse cyber warfare asymmetry by diverting adversaries to false targets in order to avoid their attacks, consume their resources, and potentially learn new attack tactics. In practice, effective cyber deception systems must be both attractive, to offer temptation for engagement, and believable, to convince unknown attackers to stay on the course. However, developing such a system is a highly challenging task because attackers have different expectations, expertise levels, and objectives. This makes a deception system with a static configuration only suitable for a specific type of attackers. In order to attract diverse types of attackers and prolong their engagement, we need to dynamically characterize every individual attacker\u27s interactions with the deception system to learn her sophistication level and objectives and personalize the deception system to match with her profile and interest. In this paper, we present an adaptive deception system, called HoneyBug, that dynamically creates a personalized deception plan for web applications to match the attacker\u27s expectation, which is learned by analyzing her behavior over time. Each HoneyBug plan exhibits fake vulnerabilities specifically selected based on the learned attacker\u27s profile. Through evaluation, we show that HoneyBug characterization model can accurately characterize the attacker profile after observing only a few interactions and adapt its cyber deception plan accordingly. The HoneyBug characterization is built on top of a novel and generic evidential reasoning framework for attacker profiling, which is one of the focal contributions of this work
TESTING DECEPTION WITH A COMMERCIAL TOOL SIMULATING CYBERSPACE
Deception methods have been applied to the traditional domains of war (air, land, sea, and space). In the newest domain of cyber, deception can be studied to see how it can be best used. Cyberspace operations are an essential warfighting domain within the Department of Defense (DOD). Many training exercises and courses have been developed to aid leadership with planning and to execute cyberspace effects that support operations. However, only a few simulations train cyber operators about how to respond to cyberspace threats. This work tested a commercial product from Soar Technologies (Soar Tech) that simulates conflict in cyberspace. The Cyberspace Course of Action Tool (CCAT) is a decision-support tool that evaluates defensive deception in a wargame simulating a local-area network being attacked. Results showed that defensive deception methods of decoys and bait could be effective in cyberspace. This could help military cyber defenses since their digital infrastructure is threatened daily with cyberattacks.Marine Forces Cyberspace CommandChief Petty Officer, United States NavyChief Petty Officer, United States NavyApproved for public release. Distribution is unlimited
Game of Travesty: Decoy-based Psychological Cyber Deception for Proactive Human Agents
The concept of cyber deception has been receiving emerging attention. The
development of cyber defensive deception techniques requires interdisciplinary
work, among which cognitive science plays an important role. In this work, we
adopt a signaling game framework between a defender and a human agent to
develop a cyber defensive deception protocol that takes advantage of the
cognitive biases of human decision-making using quantum decision theory to
combat insider attacks (IA). The defender deceives an inside human attacker by
luring him to access decoy sensors via generators producing perceptions of
classical signals to manipulate the human attacker's psychological state of
mind. Our results reveal that even without changing the classical traffic data,
strategically designed generators can result in a worse performance for
defending against insider attackers in identifying decoys than the ones in the
deceptive scheme without generators, which generate random information based on
input signals. The proposed framework leads to fundamental theories in
designing more effective signaling schemes
DECEPTION BASED TECHNIQUES AGAINST RANSOMWARES: A SYSTEMATIC REVIEW
Ransomware is the most prevalent emerging business risk nowadays. It seriously affects business continuity and operations. According to Deloitte Cyber Security Landscape 2022, up to 4000 ransomware attacks occur daily, while the average number of days an organization takes to identify a breach is 191. Sophisticated cyber-attacks such as ransomware typically must go through multiple consecutive phases (initial foothold, network propagation, and action on objectives) before accomplishing its final objective. This study analyzed decoy-based solutions as an approach (detection, prevention, or mitigation) to overcome ransomware. A systematic literature review was conducted, in which the result has shown that deception-based techniques have given effective and significant performance against ransomware with minimal resources. It is also identified that contrary to general belief, deception techniques mainly involved in passive approaches (i.e., prevention, detection) possess other active capabilities such as ransomware traceback and obstruction (thwarting), file decryption, and decryption key recovery. Based on the literature review, several evaluation methods are also analyzed to measure the effectiveness of these deception-based techniques during the implementation process
Learning-based attacks in cyber-physical systems
We introduce the problem of learning-based attacks in a simple abstraction of
cyber-physical systems---the case of a discrete-time, linear, time-invariant
plant that may be subject to an attack that overrides the sensor readings and
the controller actions. The attacker attempts to learn the dynamics of the
plant and subsequently override the controller's actuation signal, to destroy
the plant without being detected. The attacker can feed fictitious sensor
readings to the controller using its estimate of the plant dynamics and mimic
the legitimate plant operation. The controller, on the other hand, is
constantly on the lookout for an attack; once the controller detects an attack,
it immediately shuts the plant off. In the case of scalar plants, we derive an
upper bound on the attacker's deception probability for any measurable control
policy when the attacker uses an arbitrary learning algorithm to estimate the
system dynamics. We then derive lower bounds for the attacker's deception
probability for both scalar and vector plants by assuming a specific
authentication test that inspects the empirical variance of the system
disturbance. We also show how the controller can improve the security of the
system by superimposing a carefully crafted privacy-enhancing signal on top of
the "nominal control policy." Finally, for nonlinear scalar dynamics that
belong to the Reproducing Kernel Hilbert Space (RKHS), we investigate the
performance of attacks based on nonlinear Gaussian-processes (GP) learning
algorithms
- …