Delivering Honeypots as a Service

The effect of honeypots in slowing down attacks and collecting their signatures is well-known. Despite their known effectiveness, these technologies have remained underutilized, especially by small and medium-sized enterprises, because internal hosting and configuration of honeypots requires extensive expertise and infrastructure, which is unjustifiably expensive especially for small or medium-sized enterprises. In this paper, we propose a novel security approach that enables a security service provider to offer honeypot-as-a-service (HaaS) to customer enterprises. The HaaS service is offered by a plug-and-play gateway and incorporates a network of moving high-interaction honeypots into unused address space of client enterprises. These honeypots are configured tailored to the mission and type of services offered by the customer enterprise to blend in the surrounding network for maximum believability while looking vulnerable enough to engage potential attackers. As a contribution, we formulate and solve the problem of strategic configuration planning of a group of honeypots for a given input network. We also provide the necessary infrastructure and mechanisms for realizing the model and offering it to client enterprises without affecting their regular operations. Using experimental and analytical modeling, we evaluate our approach and show its robustness against honeypot mapping attacks, and its effectiveness in slowing down large-scale cyber intrusion attacks on enterprise networks

A Deception Planning Framework for Cyber Defense

The role and significance of deception systems such as honeypots for slowing down attacks and collecting their signatures are well-known. However, the focus has primarily been on developing individual deception systems, and very few works have focused on developing strategies for a synergistic and strategic combination of these systems to achieve more ambitious deception goals. The objective of this paper is to lay a scientific foundation for cyber deception planning, by (1) presenting a formal deception logic for modeling cyber deception, and (2) introducing a deception framework that augments this formal modeling with necessary quantitative reasoning tools to generate coordinated deception plans. To show expressiveness and evaluate effectiveness and overhead of the framework, we use it to model and solve two important deception planning problems: (1) strategic honeypot planning, and (2) deception planning against route identification. Through these case studies, we show that the generated deception plans are highly effective and outperform alternative random and unplanned deception strategies

HoneyBug: Personalized Cyber Deception for Web Applications

Cyber deception is used to reverse cyber warfare asymmetry by diverting adversaries to false targets in order to avoid their attacks, consume their resources, and potentially learn new attack tactics. In practice, effective cyber deception systems must be both attractive, to offer temptation for engagement, and believable, to convince unknown attackers to stay on the course. However, developing such a system is a highly challenging task because attackers have different expectations, expertise levels, and objectives. This makes a deception system with a static configuration only suitable for a specific type of attackers. In order to attract diverse types of attackers and prolong their engagement, we need to dynamically characterize every individual attacker\u27s interactions with the deception system to learn her sophistication level and objectives and personalize the deception system to match with her profile and interest. In this paper, we present an adaptive deception system, called HoneyBug, that dynamically creates a personalized deception plan for web applications to match the attacker\u27s expectation, which is learned by analyzing her behavior over time. Each HoneyBug plan exhibits fake vulnerabilities specifically selected based on the learned attacker\u27s profile. Through evaluation, we show that HoneyBug characterization model can accurately characterize the attacker profile after observing only a few interactions and adapt its cyber deception plan accordingly. The HoneyBug characterization is built on top of a novel and generic evidential reasoning framework for attacker profiling, which is one of the focal contributions of this work

WebMTD: Defeating Cross-Site Scripting Attacks Using Moving Target Defense

Existing mitigation techniques for cross-site scripting attacks have not been widely adopted, primarily due to imposing impractical overheads on developers, Web servers, or Web browsers. They either enforce restrictive coding practices on developers, fail to support legacy Web applications, demand browser code modification, or fail to provide browser backward compatibility. Moving target defense (MTD) is a novel proactive class of techniques that aim to defeat attacks by imposing uncertainty in attack reconnaissance and planning. This uncertainty is achieved by frequent and random mutation (randomization) of system configuration in a manner that is not traceable (predictable) by attackers. In this paper, we present WebMTD, a proactive moving target defense mechanism that thwarts various kinds of cross-site scripting (XSS) attacks on Web applications. Relying on built-in features of modern Web browsers, WebMTD randomizes values of certain attributes of Web elements to differentiate the application code from the injected code and disallow its execution; this is done without requiring Web developer involvement or browser code modification. Through rigorous evaluation, we show that WebMTD has very a low performance overhead. Also, we argue that our technique outperforms all competing approaches due to its broad effectiveness, transparency, backward compatibility, and low overhead