304 research outputs found
Malicious User Experience Design Research for Cybersecurity
This paper explores the factors and theory behind the user-centered research
that is necessary to create a successful game-like prototype, and user
experience, for malicious users in a cybersecurity context. We explore what is
known about successful addictive design in the fields of video games and
gambling to understand the allure of breaking into a system, and the joy of
thwarting the security to reach a goal or a reward of data. Based on the
malicious user research, game user research, and using the GameFlow framework,
we propose a novel malicious user experience design approac
Three Decades of Deception Techniques in Active Cyber Defense -- Retrospect and Outlook
Deception techniques have been widely seen as a game changer in cyber
defense. In this paper, we review representative techniques in honeypots,
honeytokens, and moving target defense, spanning from the late 1980s to the
year 2021. Techniques from these three domains complement each other and
may be leveraged to build a holistic deception based defense. However, to the
best of our knowledge, there has not been a work that provides a systematic
retrospect of these three domains all together and investigates their
integrated usage for orchestrated deceptions. Our paper aims to fill this gap.
By utilizing a tailored cyber kill chain model which can reflect the current
threat landscape and a four-layer deception stack, a two-dimensional taxonomy
is developed, based on which the deception techniques are classified. The
taxonomy literally answers which phases of a cyber attack campaign the
techniques can disrupt and which layers of the deception stack they belong to.
Cyber defenders may use the taxonomy as a reference to design an organized and
comprehensive deception plan, or to prioritize deception efforts for a budget
conscious solution. We also discuss two important points for achieving active
and resilient cyber defense, namely deception in depth and deception lifecycle,
where several notable proposals are illustrated. Finally, some outlooks on
future research directions are presented, including dynamic integration of
different deception techniques, quantified deception effects and deception
operation cost, hardware-supported deception techniques, as well as techniques
developed based on better understanding of the human element. Comment: 19 page
Adaptive Honeypot Engagement through Reinforcement Learning of Semi-Markov Decision Processes
A honeynet is a promising active cyber defense mechanism. It reveals the
fundamental Indicators of Compromise (IoCs) by luring attackers to conduct
adversarial behaviors in a controlled and monitored environment. The active
interaction at the honeynet brings a high reward but also introduces high
implementation costs and risks of adversarial honeynet exploitation. In this
work, we apply infinite-horizon Semi-Markov Decision Process (SMDP) to
characterize a stochastic transition and sojourn time of attackers in the
honeynet and quantify the reward-risk trade-off. In particular, we design
adaptive long-term engagement policies shown to be risk-averse, cost-effective,
and time-efficient. Numerical results have demonstrated that our adaptive
engagement policies can quickly attract attackers to the target honeypot and
engage them for a sufficiently long period to obtain worthy threat information.
Meanwhile, the penetration probability is kept at a low level. The results show
that the expected utility is robust against attackers of a large range of
persistence and intelligence. Finally, we apply reinforcement learning to the
SMDP to solve the curse of modeling. Under a prudent choice of the learning
rate and exploration policy, we achieve a quick and robust convergence of the
optimal policy and value. Comment: The presentation can be found at https://youtu.be/GPKT3uJtXqk. arXiv
admin note: text overlap with arXiv:1907.0139
To What Extent Are Honeypots and Honeynets Autonomic Computing Systems?
Cyber threats, such as advanced persistent threats (APTs), ransomware, and
zero-day exploits, are rapidly evolving and demand improved security measures.
Honeypots and honeynets, as deceptive systems, offer valuable insights into
attacker behavior, helping researchers and practitioners develop innovative
defense strategies and enhance detection mechanisms. However, their deployment
involves significant maintenance and overhead expenses. At the same time, the
complexity of modern computing has prompted the rise of autonomic computing,
aiming for systems that can operate without human intervention. Recent honeypot
and honeynet research claims to incorporate autonomic computing principles,
often using terms like adaptive, dynamic, intelligent, and learning. This study
investigates such claims by measuring the extent to which autonomic principles
are expressed in honeypot and honeynet literature. The findings
reveal that autonomic computing keywords are present in the literature sample,
suggesting an evolution from self-adaptation to autonomic computing
implementations. Yet, despite these findings, the analysis also shows low
frequencies of self-configuration, self-healing, and self-protection keywords.
Interestingly, self-optimization appeared prominently in the literature. While
this study presents a foundation for the convergence of autonomic computing and
deceptive systems, future research could explore technical implementations in
sample articles and test them for autonomic behavior. Additionally,
investigations into the design and implementation of individual autonomic
computing principles in honeypots and determining the necessary ratio of these
principles for a system to exhibit autonomic behavior could provide valuable
insights for both researchers and practitioners. Comment: 18 pages, 3 figures, 5 table
Wide spectrum attribution: Using deception for attribution intelligence in cyber attacks
Modern cyber attacks have evolved considerably. The skill level required to conduct
a cyber attack is low. Computing power is cheap, targets are diverse and plentiful.
Point-and-click crimeware kits are widely circulated in the underground economy, while
source code for sophisticated malware such as Stuxnet is available for all to download
and repurpose. Despite decades of research into defensive techniques, such as firewalls,
intrusion detection systems, anti-virus, code auditing, etc, the quantity of successful
cyber attacks continues to increase, as does the number of vulnerabilities identified.
Measures to identify perpetrators, known as attribution, have existed for as long as there
have been cyber attacks. The most actively researched technical attribution techniques
involve the marking and logging of network packets. These techniques are performed
by network devices along the packet journey, which most often requires modification of
existing router hardware and/or software, or the inclusion of additional devices. These
modifications require wide-scale infrastructure changes that are not only complex and
costly, but invoke legal, ethical and governance issues. The usefulness of these techniques
is also often questioned, as attack actors use multiple stepping stones, often innocent
systems that have been compromised, to mask the true source. As such, this thesis
identifies that no publicly known previous work has been deployed on a wide-scale basis
in the Internet infrastructure.
This research investigates the use of an often overlooked tool for attribution: cyber
deception. The main contribution of this work is a significant advancement in the field of
deception and honeypots as technical attribution techniques. Specifically, the design and
implementation of two novel honeypot approaches; i) Deception Inside Credential Engine
(DICE), that uses policy and honeytokens to identify adversaries returning from different
origins and ii) Adaptive Honeynet Framework (AHFW), an introspection and adaptive
honeynet framework that uses actor-dependent triggers to modify the honeynet
environment, to engage the adversary, increasing the quantity and diversity of interactions.
The two approaches are based on a systematic review of the technical attribution
literature that was used to derive a set of requirements for honeypots as technical attribution
techniques. Both approaches lead the way for further research in this field
Classifying resilience approaches for protecting smart grids against cyber threats
Smart grids (SG) draw the attention of cyber attackers due to their vulnerabilities, which are caused by the usage of heterogeneous communication technologies and their distributed nature. While preventing or detecting cyber attacks is a well-studied field of research, making SG more resilient against such threats is a challenging task. This paper provides a classification of the proposed cyber resilience methods against cyber attacks for SG. This classification includes a set of studies that propose cyber-resilient approaches to protect SG and related cyber-physical systems against unforeseen anomalies or deliberate attacks. Each study is briefly analyzed and is associated with the proper cyber resilience technique which is given by the National Institute of Standards and Technology in the Special Publication 800-160. These techniques are also linked to the different states of the typical resilience curve. Consequently, this paper highlights the most critical challenges for achieving cyber resilience, reveals significant cyber resilience aspects that have not been sufficiently considered yet and, finally, proposes scientific areas that should be further researched in order to enhance the cyber resilience of SG. Open Access funding provided thanks to the CRUE-CSIC agreement with Springer Nature. Funding for open access charge: Universidad de Málaga / CBUA
Modeling Deception for Cyber Security
In the era of software-intensive, smart and connected systems, the growing power and
sophistication of cyber attacks poses increasing challenges to software security. The reactive
posture of traditional security mechanisms, such as anti-virus and intrusion detection
systems, has not been sufficient to combat a wide range of advanced persistent threats
that currently jeopardize systems operation. To mitigate these extant threats, more
active defensive approaches are necessary. Such approaches rely on the concept of actively
hindering and deceiving attackers. Deceptive techniques allow for additional defense by
thwarting attackers’ advances through the manipulation of their perceptions.
Manipulation is achieved through the use of deceitful responses, feints, misdirection, and other
falsehoods in a system. Of course, such deception mechanisms may result in side-effects
that must be handled. Current methods for planning deception chiefly portray attempts
to bridge military deception to cyber deception, providing only high-level instructions
that largely ignore deception as part of the software security development life cycle.
Consequently, little practical guidance is provided on how to engineer deception-based
techniques for defense. This PhD thesis contributes with a systematic approach to specify
and design cyber deception requirements, tactics, and strategies. This deception approach
consists of (i) a multi-paradigm modeling for representing deception requirements,
tactics, and strategies, (ii) a reference architecture to support the integration of deception
strategies into system operation, and (iii) a method to guide engineers in deception
modeling. A tool prototype, a case study, and an experimental evaluation show encouraging
results for the application of the approach in practice. Finally, a conceptual coverage
mapping was developed to assess the expressivity of the deception modeling language created.
In the digital era, the growing power and sophistication of cyber attacks presents constant
challenges for software security. The reactive posture of traditional security
mechanisms, such as antivirus and intrusion detection systems, has not been sufficient
to combat the wide range of threats that compromise the operation of today's software
systems. To mitigate these threats, active defense approaches are needed. Such
approaches are based on the idea of adding mechanisms to deceive adversaries
(deception). Deception techniques (in Portuguese, "enganação": "the act or effect
of deceiving, of misleading; a trick used to delude") contribute to defense by
frustrating attackers' advances through manipulation of their perceptions.
Manipulation is achieved through deceptive responses, "feints", or misleading indications
and other falsehoods intentionally added to a system. Of course, these deception
mechanisms may result in side effects that must be handled. Current methods used to
deceive an attacker are fundamentally inspired by techniques from the military domain,
providing only high-level instructions that largely ignore deception as part of the
secure software development life cycle. Consequently, there are few practical references
on how to produce deception-based defense techniques. This doctoral thesis contributes
a systematic approach to specify and design cyber deception requirements, tactics, and
strategies. This approach consists of (i) multi-paradigm modeling for representing
deception requirements, tactics, and strategies, (ii) a reference architecture to support
the integration of deception strategies into system operation, and (iii) a method to
guide engineers in deception modeling. A prototype tool, a case study, and an
experimental evaluation show encouraging results for the application of the approach in
practice. Finally, the expressiveness of the deception modeling language is evaluated
through a concept coverage mapping
Real-Time Cyber Attack Detection Over HoneyPi Using Machine Learning
The rapid transition of all areas of our lives to the digital environment has kept people away from their intertwined social lives and made them dependent on the isolated cyber environment. This dependency has led to increased cyber threats and, subsequently, cyber-attacks nationally or internationally. Due to the high cost of cybersecurity systems and the expert nature of these systems' management, the cybersecurity component has been mostly ignored, especially in small and medium-sized organizations. In this context, a holistic cybersecurity architecture is designed in which fully open source and free software and hardware-based Raspberry Pi devices with low-cost embedded operating systems are used as a honeypot. In addition, the architectural structure has an integrated, flexible, and easily configurable end-to-end security approach. It is suitable for different platforms by creating end-user screens with personalized software for network security guards and system administrators