Delivering Honeypots as a Service

The effect of honeypots in slowing down attacks and collecting their signatures is well-known. Despite their known effectiveness, these technologies have remained underutilized, especially by small and medium-sized enterprises, because internal hosting and configuration of honeypots requires extensive expertise and infrastructure, which is unjustifiably expensive especially for small or medium-sized enterprises. In this paper, we propose a novel security approach that enables a security service provider to offer honeypot-as-a-service (HaaS) to customer enterprises. The HaaS service is offered by a plug-and-play gateway and incorporates a network of moving high-interaction honeypots into unused address space of client enterprises. These honeypots are configured tailored to the mission and type of services offered by the customer enterprise to blend in the surrounding network for maximum believability while looking vulnerable enough to engage potential attackers. As a contribution, we formulate and solve the problem of strategic configuration planning of a group of honeypots for a given input network. We also provide the necessary infrastructure and mechanisms for realizing the model and offering it to client enterprises without affecting their regular operations. Using experimental and analytical modeling, we evaluate our approach and show its robustness against honeypot mapping attacks, and its effectiveness in slowing down large-scale cyber intrusion attacks on enterprise networks

A Deception Planning Framework for Cyber Defense

The role and significance of deception systems such as honeypots for slowing down attacks and collecting their signatures are well-known. However, the focus has primarily been on developing individual deception systems, and very few works have focused on developing strategies for a synergistic and strategic combination of these systems to achieve more ambitious deception goals. The objective of this paper is to lay a scientific foundation for cyber deception planning, by (1) presenting a formal deception logic for modeling cyber deception, and (2) introducing a deception framework that augments this formal modeling with necessary quantitative reasoning tools to generate coordinated deception plans. To show expressiveness and evaluate effectiveness and overhead of the framework, we use it to model and solve two important deception planning problems: (1) strategic honeypot planning, and (2) deception planning against route identification. Through these case studies, we show that the generated deception plans are highly effective and outperform alternative random and unplanned deception strategies

An Accurate and Scalable Role Mining Algorithm based on Graph Embedding and Unsupervised Feature Learning

Role-based access control (RBAC) is one of the most widely authorization models used by organizations. In RBAC, accesses are controlled based on the roles of users within the organization. The flexibility and usability of RBAC have encouraged organizations to migrate from traditional discretionary access control (DAC) models to RBAC. The most challenging step in this migration is role mining, which is the process of extracting meaningful roles from existing access control lists. Although various approaches have been proposed to address this NP-complete role mining problem in the literature, they either suffer from low scalability or present heuristics that suffer from low accuracy. In this paper, we propose an accurate and scalable approach to the role mining problem. To this aim, we represent user-permission assignments as a bipartite graph where nodes are users and permissions, and edges are user-permission assignments. Next, we introduce an efficient deep learning algorithm based on random walk sampling to learn low-dimensional representations of the graph, such that permissions that are assigned to similar users are closer in this new space. Then, we use k-means and GMM clustering techniques to cluster permission nodes into roles. We show the effectiveness of our proposed approach by testing it on different datasets. Experimental results show that our approach performs accurate role mining, even for large datasets

HoneyTree: Making Honeywords Sweeter

Cyber deception is an area of cybersecurity based on building detection systems and verification models using decoys or controlled misinformation to confuse or misdirect the adversaries into revealing their presence and/or intentions. In the era of online services where our data is usually protected on the cloud relying on a secret key, even the most secure cyber systems can get compromised, losing highly confidential data to the attackers, including hashed passwords that can be cracked offline. Prior work has been done in carefully placing traps in the systems to detect intrusion activities. The Honeywords project by Juels and Rivest is the most straightforward and successful technique in detecting and deterring offline-password brute force by placing multiple plausible decoy passwords together along with the real password. In this paper, we enhance this approach and combine it with the concept of Merkle tree to build a new model called HoneyTree. Our model achieves twice the level of security as the Honeywords project at the same storage cost. We perform a detailed comparison of our approach to the original Honeywords project and analyze its pros and cons

HoneyBug: Personalized Cyber Deception for Web Applications

Cyber deception is used to reverse cyber warfare asymmetry by diverting adversaries to false targets in order to avoid their attacks, consume their resources, and potentially learn new attack tactics. In practice, effective cyber deception systems must be both attractive, to offer temptation for engagement, and believable, to convince unknown attackers to stay on the course. However, developing such a system is a highly challenging task because attackers have different expectations, expertise levels, and objectives. This makes a deception system with a static configuration only suitable for a specific type of attackers. In order to attract diverse types of attackers and prolong their engagement, we need to dynamically characterize every individual attacker\u27s interactions with the deception system to learn her sophistication level and objectives and personalize the deception system to match with her profile and interest. In this paper, we present an adaptive deception system, called HoneyBug, that dynamically creates a personalized deception plan for web applications to match the attacker\u27s expectation, which is learned by analyzing her behavior over time. Each HoneyBug plan exhibits fake vulnerabilities specifically selected based on the learned attacker\u27s profile. Through evaluation, we show that HoneyBug characterization model can accurately characterize the attacker profile after observing only a few interactions and adapt its cyber deception plan accordingly. The HoneyBug characterization is built on top of a novel and generic evidential reasoning framework for attacker profiling, which is one of the focal contributions of this work

Deception against Deception: Toward A Deception Framework for Detection and Characterization of Covert Micro-targeting Campaigns on Online Social Networks

Micro-targeting campaigns on online social networks are an emerging class of social engineering attacks that prime individuals via personalized content for malicious purposes. Detecting micro-targeting campaigns is challenging due to their clandestine nature and the lack of visibility around users’ private communications. Our work aims to devise theories, methods, and tools to detect suspected micro-targeting campaigns. To this end, we propose to design and generate a network of decoy personas with characteristics similar to those of targeted groups in order to trap, engage, and identify micro-targeting campaigns. In this paper, we discuss our motivation to conduct this interdisciplinary research effort and introduce our focal research questions and preliminary design for a network of decoy personas

Cyber Agility for Attack Deterrence and Deception

In recent years, we have witnessed a rise in quantity and sophistication of cyber attacks. Meanwhile, traditional defense techniques have not been adequate in addressing this status quo. This is because the focus has remained mostly on either identifying and patching exploits, or detecting and filtering them. These techniques are only effective when intrusions are known or detectable. However, unknown (zero-day) vulnerabilities are constantly being discovered, and known vulnerabilities are not often patched promptly. Even worse, while defenders need to patch all vulnerabilities and intrusions paths against unknown malicious entities, the attackers only need to discover only one successful intrusion path in a system that is known and static. These asymmetric advantages have constantly kept attackers one step ahead of defenders. To reverse this asymmetry in cyber warfare, we aim to propose new proactive defense paradigms that can deter or deceive cyber attackers without relying on intrusion detection and prevention and by offering cyber agility as a system property. Cyber agility allows for system configuration to be changed dynamically without jeopardizing operational and mission requirements of the system. In this thesis, we introduce two novel cyber agility techniques based on two paradigms of cyber deterrence and cyber deception. Cyber deterrence techniques aim to deter cyber threats by changing system configurations randomly and frequently. In contrast, cyber deception techniques aim to deflect attacks to fake targets by misrepresenting system configurations strategically and adaptively. In the first part of this dissertation, we propose a multi-strategy, multi-parameter and multi-dimensional host identity mutation technique for deterring reconnaissance attacks. This deterrence is achieved by mutating IP addresses and anonymizing fingerprints of network hosts both proactively and adaptively. Through simulation and analytical investigation, we show that our approach significantly increases the attack cost for coordinated scanning worms, advanced network reconnaissance techniques, and multi-stage APT attacks. In the second part, we propose a formal framework to construct active cyber deception plans that are goal-oriented and dynamic. Our framework introduces a deception logic that models consistencies and conflicts among various deception strategies (e.g., lies) and quantifies the benefit and cost of potential deception plans. In the third part, we demonstrate and evaluate our deception planning framework by constructing an effective deception plan against multi-stage attacks. Through our experimentation, we show that the generated deception plans are effective and economical, and outperform existing or random deception plans

WebMTD: Defeating Cross-Site Scripting Attacks Using Moving Target Defense

Existing mitigation techniques for cross-site scripting attacks have not been widely adopted, primarily due to imposing impractical overheads on developers, Web servers, or Web browsers. They either enforce restrictive coding practices on developers, fail to support legacy Web applications, demand browser code modification, or fail to provide browser backward compatibility. Moving target defense (MTD) is a novel proactive class of techniques that aim to defeat attacks by imposing uncertainty in attack reconnaissance and planning. This uncertainty is achieved by frequent and random mutation (randomization) of system configuration in a manner that is not traceable (predictable) by attackers. In this paper, we present WebMTD, a proactive moving target defense mechanism that thwarts various kinds of cross-site scripting (XSS) attacks on Web applications. Relying on built-in features of modern Web browsers, WebMTD randomizes values of certain attributes of Web elements to differentiate the application code from the injected code and disallow its execution; this is done without requiring Web developer involvement or browser code modification. Through rigorous evaluation, we show that WebMTD has very a low performance overhead. Also, we argue that our technique outperforms all competing approaches due to its broad effectiveness, transparency, backward compatibility, and low overhead

A Jamming-Resilient and Scalable Broadcasting Algorithm for Multiple Access Channel Networks

Multiple access channel (MAC) networks use a broadcasting algorithm called the Binary Exponential Backoff (BEB) to mediate access to the shared communication channel by competing nodes and resolve their collisions. While the BEB achieves fair throughput and average packet latency in jamming-free environments and relatively small networks, its performance noticeably degrades when the network is exposed to jamming or its size increases. This paper presents an alternative broadcasting algorithm called the K-tuple Full Withholding (KTFW), which significantly increases MAC networks’ resilience to jamming attacks and network growth. Through simulation, we compare the KTFW with both the BEB and the Queue Backoff (QB), an efficient and high-throughput broadcasting algorithm. We compare the three approaches against two different traffic injection models, each approximating a different environment type. Our results show that the KTFW achieves higher throughput and lower average packet latency against jamming attacks than both the BEB and the QB algorithms. The results also show that the KTFW outperforms the BEB for larger networks with or without jamming