
    Honeypot Allocation for Cyber Deception in Dynamic Tactical Networks: A Game Theoretic Approach

    Honeypots play a crucial role in implementing various cyber deception techniques, as they can divert attackers away from valuable assets. Careful strategic placement of honeypots in networks should consider not only network aspects but also attackers' preferences. The allocation of honeypots in tactical networks under network mobility is of great interest. To achieve this objective, we present a game-theoretic approach that generates optimal honeypot allocation strategies within an attack/defense scenario. Our proposed approach takes into consideration the changes in network connectivity. In particular, we introduce a two-player dynamic game model that explicitly incorporates the future state evolution resulting from changes in network connectivity. The defender's objective is twofold: to maximize the likelihood of the attacker hitting a honeypot and to minimize the cost associated with deception and reconfiguration due to changes in network topology. We present an iterative algorithm to find Nash equilibrium strategies and analyze the scalability of the algorithm. Finally, we validate our approach and present numerical results based on simulations, demonstrating that our game model successfully enhances network security. We also propose further enhancements to improve the scalability of the approach.
    Comment: This paper was accepted at the 14th International Conference on Decision and Game Theory for Security, GameSec 202

    Resource-aware Cyber Deception in Cloud-Native Environments

    Cyber deception can be a valuable addition to traditional cyber defense mechanisms, especially for modern cloud-native environments with a fading security perimeter. However, pre-built decoys used in classical computer networks are not effective in detecting and mitigating malicious actors, because they cannot blend in with the variety of applications in such environments. On the other hand, decoys that clone the deployed microservices of an application can offer a high-fidelity deception mechanism to intercept ongoing attacks within production environments. To fully benefit from this approach, however, it is essential to use a limited amount of decoy resources and to devise a suitable cloning strategy that minimizes the impact on the performance of legitimate services. Following this observation, we formulate a non-linear integer optimization problem that maximizes the number of attack paths intercepted by the allocated decoys within a fixed resource budget. Attack paths represent the attacker's movements within the infrastructure as a sequence of violated microservices. We also design a heuristic decoy placement algorithm to approximate the optimal solution and overcome the computational complexity of the proposed formulation. We evaluate the performance of the optimal and heuristic solutions against other schemes that use local vulnerability metrics to select which microservices to clone as decoys. Our results show that the proposed allocation strategy intercepts a higher number of attack paths than these schemes while requiring approximately the same number of decoys.

    HoneyCar: a framework to configure honeypot vulnerabilities on the internet of vehicles

    The Internet of Vehicles (IoV), in which interconnected vehicles communicate with each other and with road infrastructure over a common network, has promising socio-economic benefits but also poses new cyber-physical threats. To protect these entities and learn about adversaries, data on attackers can be realistically gathered using decoy systems such as honeypots. Admittedly, honeypots introduce a trade-off between the level of honeypot-attacker interaction and the overheads and costs incurred in implementing and monitoring these systems. Deception through honeypots can be achieved by strategically configuring the honeypots to represent components of the IoV, engaging attackers and collecting cyber threat intelligence. Here, we present HoneyCar, a novel decision support framework for honeypot deception in IoV. HoneyCar draws on the repository of known vulnerabilities of autonomous and connected vehicles found in the Common Vulnerabilities and Exposures (CVE) database to compute optimal honeypot configuration strategies. The adversarial interaction is modelled as a repeated imperfect-information zero-sum game in which the IoV network administrator strategically chooses a set of vulnerabilities to offer in a honeypot and a strategic attacker chooses a vulnerability to exploit under uncertainty. Our investigation examines two different versions of the game, with and without the re-configuration cost, to enable the network administrator to determine optimal honeypot investment strategies given a budget. We show the feasibility of this approach in a case study consisting of vulnerabilities in autonomous and connected vehicles gathered from the CVE database and data extracted from the Common Vulnerability Scoring System (CVSS).

    Deception in Game Theory: A Survey and Multiobjective Model

    Game theory is the study of mathematical models of conflict. It provides tools for analyzing dynamic interactions between multiple agents and (in some cases) across multiple interactions. This thesis contains two scholarly articles. The first article is a survey of game-theoretic models of deception. The survey describes the ways researchers use game theory to measure the practicality of deception, model the mechanisms for performing deception, analyze the outcomes of deception, and respond to, or mitigate the effects of, deception. The survey highlights several gaps in the literature. One important gap concerns the benefit-cost-risk trade-off made during deception planning. To address this research gap, the second article introduces a novel approach for modeling these trade-offs. The approach uses a game-theoretic model of deception to define a new multiobjective optimization problem called the deception design problem (DDP). Solutions to the DDP provide courses of deceptive action that are efficient in terms of their benefit, cost, and risk to the deceiver. A case study based on the output of an air-to-air combat simulator demonstrates the DDP in a 7 x 7 normal form game. This approach is the first to evaluate benefit, cost, and risk in a single game-theoretic model of deception.

    Proactive cybersecurity tailoring through deception techniques

    Scientific dissertation submitted for the degree of Master in Informatics and Computer Engineering.
    A proactive approach to cybersecurity can supplement a reactive posture by helping businesses handle security incidents in the early phases of an attack. Organizations can actively protect themselves against the inherent asymmetry of cyber warfare by using proactive techniques such as cyber deception. Cyber deception entails the intentional deployment of misleading artifacts to construct an infrastructure that allows real-time investigation of an attacker's patterns and approaches without compromising the organization's principal network. This method can reveal previously undiscovered vulnerabilities, referred to as zero-day vulnerabilities, without interfering with routine corporate activities. Furthermore, it enables enterprises to collect vital information about the attacker that would otherwise be difficult to obtain. However, putting such concepts into practice in real-world circumstances involves major problems. This study proposes an architecture for a deceptive system, culminating in an implementation that deploys and dynamically customizes a deception grid using Software-Defined Networking (SDN) and network virtualization techniques. The deception grid is a network of virtual assets with a topology and specifications that are pre-planned to coincide with a deception strategy. The system can trace and evaluate the attacker's activity by continuously monitoring the artifacts within the deception grid. Real-time refinement of the deception plan may necessitate changes to the grid's topology and artifacts, which the dynamic modification capabilities of software-defined networking make possible. Organizations can maximize their deception capabilities by merging these processes with advanced cyber-attack detection and classification components. The effectiveness of the proposed solution is assessed using numerous use cases that demonstrate its utility.