Zhan Shu
ABSTRACT
As evidenced by numerous high-profile security incidents such as the Target data breach and the Equifax hack, APTs (Advanced Persistent Threats) can significantly compromise the trustworthiness of cyber space. This work explores how to improve the effectiveness of cyber deception in hardening FTP (File Transfer Protocol) services against APTs. The main objective of our work is to ensure deception consistency: when the attackers are trapped, they can only make observations that are consistent with what they have seen already so that they cannot recognize the deceptive environment. To achieve deception consistency, we use logic constraints to characterize an attacker's best knowledge (either positive, negative, or uncertain). When migrating the attacker's FTP connection into a contained environment, we use these logic constraints to instantiate a new FTP file system that is guaranteed free of inconsistency. We performed deception experiments with student participants who just completed a computer security course. Following the design of Turing tests, we find that the participants' chances of recognizing deceptive environments are close to random guesses. Our experiments also confirm the importance of observation consistency in identifying deception.
- https://www.equifaxsecurity2017.com/.Google Scholar
- Bftpd. http://bftpd.sourceforge.net/.Google Scholar
- CRIU. https://criu.org/.Google Scholar
- CVE Details. https://www.cvedetails.com/.Google Scholar
- File Transfer Protocol. https://en.wikipedia.org/wiki/File_Transfer_Protocol.Google Scholar
- gFTP. https://www.gftp.org/.Google Scholar
- Kippo - SSH Honeypot. https://github.com/desaster/kippo.Google Scholar
- Papers from the Honeynet project. https://www.honeynet.org/papers.Google Scholar
- ProFTPD. http://www.proftpd.org/.Google Scholar
- Scapy. http://www.secdev.org/projects/scapy/.Google Scholar
- CVE-2013--4730. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013--4730, 2013.Google Scholar
- F. Araujo, K. W. Hamlen, S. Biedermann, and S. Katzenbeisser. From patches to honey-patches: Lightweight attacker misdirection, deception, and disinformation. In Proceedings of ACM CCS'14, 2014. Google ScholarDigital Library
- Archlinux. Sparse file. https://wiki.archlinux.org/index.php/sparse_file.Google Scholar
- K. Borders, L. Falk, and A. Prakash. Openfire: Using deception to reduce network attacks. In Proceedings of SecureComm'07. IEEE, 2007.Google ScholarCross Ref
- B. Cheswick. An evening with berferd in which a cracker is lured, endured, and studied. In Proceedings of the Winter USENIX Conference, 1992.Google Scholar
- F. Cohen. The use of deception techniques: Honeypots and decoys. 3, 2006.Google Scholar
- P. Ford-Hutchinson. Securing ftp with tls (rfc 4217). 2005.Google Scholar
- X. Han, N. Kheir, and D. Balzarotti. Evaluation of deception-based web attacks detection. In Proceedings of ACM Workshop on Moving Target Defense, 2017. Google ScholarDigital Library
- M. Horowitz and S. Lunt. Ftp security extensions (RFC 2228), 1997. Google ScholarDigital Library
- S. Jajodia, V. Subrahmanian, V. Swarup, and C. Wang. Cyber Deception: Building the Scientific Foundation. Springer, 2016. Google ScholarDigital Library
- J. Jones. Cyber deception via system manipulation. In Proceedings of the 12th International Conference on Cyber Warfare and Security, 2017.Google Scholar
- M. Korolov. Deception technology grows and evolves. https://www.csoonline.com/article/3113055/security/deception-technology-grows-and-evolves.html.Google Scholar
- K. McCoy. Target to pay $18.5M for 2013 data breach that affected 41 million consumers. https://www.usatoday.com/story/money/2017/05/23/target-pay-185m-2013-data-breach-affected-consumers/102063932/.Google Scholar
- V. Neagoe and M. Bishop. Inconsistency in deception for defense. In Proceedings of the 2006 Workshop on New Security Paradigms. ACM, 2006. Google ScholarDigital Library
- T. H. Project. Sebek: A kernel based data capture tool, 2003.Google Scholar
- N. Provos. Honeyd-a virtual honeypot daemon. In 10th DFN-CERT Workshop, Hamburg, Germany, volume 2, page 4, 2003.Google Scholar
- N. Rowe, H. Goh, S. Lim, and B. Duong. Experiments with a testbed for automated defensive deception planning for cyber-attacks. In Proceedings of the 2nd International Conference on I-Warfare and Security (ICIW'07), 2007.Google Scholar
- N. C. Rowe. Deception in defense of computer systems from cyber attack. Cyber Warfare and Cyber Terrorism, page 97, 2007.Google Scholar
- J. Sun and K. Sun. Desir: Decoy-enhanced seamless ip randomization. In Proceedings of INFOCOM'16. IEEE, 2016.Google ScholarCross Ref
- J. Sun, K. Sun, and Q. Li. Cybermoat: Camouflaging critical server infrastructures with large scale decoy farms. In Proceedings of IEEE CNS'17. IEEE, 2017.Google ScholarCross Ref
- J. Yuill, D. Denning, and F. Feer. Using deception to hide things from hackers: Processes, principles, and techniques. Journal of Information Warfare, 5(3), 2006.Google Scholar
- J. J. Yuill. Defensive computer-security deception operations: Processes, principles and techniques. In Ph.D. Dissertation, North Carolina State University, 2006. Google ScholarDigital Library
Index Terms
- Ensuring Deception Consistency for FTP Services Hardened against Advanced Persistent Threats
Recommendations
Threat led advanced persistent threat penetration test
Cyber security attacks have been on the rise in recent years. One of the most destructive attacks are known as advanced persistent threat (APT) attacks which can inflict massive damages to a network. A common approach of testing the security of an IT ...
Cyber Deception Against Zero-Day Attacks: A Game Theoretic Approach
Decision and Game Theory for SecurityAbstractReconnaissance activities precedent other attack steps in the cyber kill chain. Zero-day attacks exploit unknown vulnerabilities and give attackers the upper hand against conventional defenses. Honeypots have been used to deceive attackers by ...
Game Theory Approaches for Evaluating the Deception-based Moving Target Defense
MTD'22: Proceedings of the 9th ACM Workshop on Moving Target DefenseMoving target defense (MTD) is a proactive defensive mechanism proposed to disrupt and disable potential attacks, thus reversing the defender's disadvantages. Cyber deception is a complementary technique that is often used to enhance MTD by utilizing ...
Comments