A Technique for Presenting a Deceptive Dynamic Network Topology

Adversaries scan Department of Defense networks looking for vulnerabilities that allow surveillance or the embedding of destructive malware weapons. In cyberspace, adversaries either actively probe or passively observe defended computer networks in attempts to determine, among other attributes, the topology of the network. We develop a novel strategic deceptive methodology, based on principles of military deception, for deceiving a malicious traceroute probe in defense of a physical data communications network. We construct a proof-of-concept network to show that a remote adversary who uses traceroute to map the defended network_s topology can be presented with a false route of the defender_s choosing. Akin to military deception operations in the field and at sea, a network that employs a deception scheme implemented on an intelligent border router can present a deceptive topology to an adversary. Our experiments show that a defender using our technique can successfully deceive a traceroute probe, the first in a sequence of steps to mount a credible deception scheme against an adversary.http://archive.org/details/atechniqueforpre1094532911Outstanding ThesisLieutenant, United States NavyApproved for public release; distribution is unlimited

A Technique for Network Topology Deception

Military Communications Conference (MILCOM 2013), San Diego, CA, November 2013.Refereed ArticleCivilian and military networks are continually probed for vulnerabilities. Cyber criminals, and autonomous botnets under their control, regularly scan networks in search of vulnerable systems to co-opt. Military and more sophisticated adversaries may also scan and map networks as part of reconnaissance and intelligence gathering. This paper focuses on adversaries attempting to map a network's \emph{infrastructure}, \ie the critical routers and links supporting a network. We develop a novel methodology, rooted in principles of military deception, for deceiving a malicious traceroute probe and influencing the structure of the network as inferred by a mapping adversary. Our Linux-based implementation runs as a kernel module at a border router to present a deceptive external topology. We construct a proof-of-concept test network to show that a remote adversary using traceroute to map a defended network can be presented with a false topology of the defender's choice