Deception Game on Decoy Systems and Honeypots


Deception Game on Decoy Systems and Honeypots explores the use of deception technologies in computer security, focusing on decoy systems like honeypots. It delves into how attackers are lured into fake objects and the monitoring of their behavior to mitigate intrusion. The concept of fake honeypots, attacker-defender games using honeypots, and strategies for protecting against intrusion are discussed.


Uploaded on Jul 30, 2024 | 4 Views



Presentation Transcript


  1. Deception Game on Decoy Systems Gihyuk Ko gko@andrew.cmu.edu Carnegie Mellon University

  2. Decoy Systems and Honeypots. Decoy Systems: one of the deception technologies in computer security. Lure attackers into accessing fake objects (i.e., decoys). Monitor attackers' behavior and mitigate intrusion. Many variations in implementations of decoy systems: honeypots, honeywords, the Kamouflage system, etc. Honeypots [Spitzner03]: "an information system resource whose value lies in unauthorized or illicit use of that resource". A fake server/host which looks like a real server/host. Appears to attackers as a valuable resource to attack. No true value to outsiders.

  3. Honeypots in the network (diagram). Attacker -> Actual servers (272.17.31.10, 272.17.31.11, 272.17.31.12, 272.17.31.16, 272.17.31.17): attack successful. Attacker -> Honeypots (272.17.31.13, 272.17.31.14, 272.17.31.15): attack fails, attacker becomes monitored.

  4. Fake Honeypots [Rowe06]. Attackers became aware that defenders use honeypots. Attackers probe the target to avoid attacking honeypots. Attackers may collect clues to discover honeypots using heuristics. Signature-based approach: look for particular features, e.g., a well-known honeypot tool name, magic numbers. Anomaly-based approach: use metrics on the entire system, e.g., number of files / subdirectories, number of English-word file names, standard deviation of filename length.

  5. Fake Honeypots [Rowe06] (contd). Fake honeypots: ordinary hosts/servers which are made to appear like honeypots. Produced by planting clues into the system, e.g., plant a well-known honeypot tool's trace in memory, make the standard deviation of filename length close to zero. Attackers who discover the clues will avoid the system, so fake honeypots are protected against intrusion. Using decoys, the defender can deliberately deceive attackers in an active way.

  6. Attacker-defender game using honeypots. Consider an attacker who wants to attack a network containing honeypots. If the attacker attacks a honeypot node, it gets detected. The attacker would first try to discover honeypots (by probing) and avoid attacking them. The defender can build fake honeypots to deceive the attacker. These interactions can happen multiple times, back and forth. This can be viewed as a two-player game!

  7. Key Points. Many variations in deception techniques use decoy systems: honeypots, fake honeypots. Some attacker-defender interactions using decoy systems can be explained as a two-player game. Developing a game-theory model can benefit the defender in countering the attacker with a strategy!

  8. Objective. Develop a game-theoretic model which reflects interactions between a real-world attacker and defender using decoy systems, including deceptive actions such as lying.

  9. Game Definition: Decoy Systems. True objects: actual valuable resources (e.g., servers). Decoy objects: decoys without any value (e.g., honeypots). Total n objects: k true objects, n-k decoys. Indicator function: /

  10. Game Definition: Category. We define a two-player, non-cooperative, complete-information, imperfect-information, dynamic game. Two-player: attacker A, defender D. Non-cooperative: independent decision-making. Complete information: strategy profiles and payoffs (utilities) are known to each other. Imperfect information: not all past actions are known to each party. Dynamic: played in a turn-taking manner.

  11. Game Definition: Goals / Moves. Goals: A's goal: distinguish the true objects from all objects (learn which are true). D's goal: prevent the attacker from learning the true objects, by lying to the attacker. Moves (steps, each with A's move and D's move): Initialization; Probe-Respond (repeated); Termination.

  12. Game Definition: Moves (contd). Initialization: D deploys decoys and true objects; D defines an indicator function.

  13. Game Definition: Moves (contd). Probe-Respond: A picks an object to probe; D responds to the probe, either Tell the Truth (return the indicator value of the object) or Lie (return the logical complement of the indicator value of the object). Repeats until A stops.

  14. Game Definition: Moves (contd). Termination: A concludes with k objects to attack.

  15. Game Definition: Moves (contd). Multiple probes on the same object: applying different heuristics to the same object gives a higher probability of revealing the identity of the object. Assumption: two probes on the same object reveal whether the object is a decoy or not.

  16. Game Definition: Utilities. We assume both A's probing and D's lying have per-action costs: A has a per-probe cost (and an overall cost summed over probes); D has a per-lie cost (and an overall cost summed over lies). Incentives depend on the attacker's final move (the attack): when A picked a true object, A gets an incentive; when A picked a decoy object, D gets an incentive; these sum to an overall incentive. Incentives work in a zero-sum manner. Overall utility: overall incentive minus overall cost.

  17. Analysis of Possible Strategies. Three example attacker strategies: All-Round-Probing Attacker, No-Probing Attacker, Selectively-Probing Attacker.

  18. Analysis of Possible Strategies: All-Round-Probing Attacker. The attacker probes every object twice until it finds k true objects, so it always gets all k true objects right. The defender's lies don't help; to maximize its utility the defender should not lie at all. Unlikely to be used as an attacker strategy (every probe costs the attacker).

  19. Analysis of Possible Strategies: No-Probing Attacker. The attacker might guess k objects without any probing. No cost for either A or D. The decoy system itself is the countermeasure: intuitively, as the portion of decoys in the network increases, the expected number of correct guesses decreases. Increasing the per-object penalty will also benefit the defender.
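Worked derivation for the no-probing attacker, added here and not part of the slides. It uses the slides' n and k; the per-object gain g (for a true object attacked) and per-object penalty p (for a decoy attacked) are assumed symbols standing in for the notation the transcript lost.

Let A choose k distinct objects uniformly at random from the n objects, of which k are true, and let X be the number of true objects among the chosen ones. Each chosen object is true with probability k/n, so by linearity of expectation

\[
\mathbb{E}[X] = k \cdot \frac{k}{n} = \frac{k^{2}}{n} = k\left(1 - \frac{n-k}{n}\right).
\]

Writing d = (n-k)/n for the fraction of decoys, E[X] = k(1-d) falls as d grows, i.e. as more decoys are added at fixed k. With the assumed gain g and penalty p, A's expected incentive is

\[
\mathbb{E}[\text{incentive}_A] = g\,\mathbb{E}[X] - p\,(k - \mathbb{E}[X]) = k\bigl(g(1-d) - p\,d\bigr),
\]

which is decreasing in both d and p. Since incentives are zero-sum, D's expected incentive is the negative of this, so a larger decoy share and a larger per-object penalty both favour the defender, as the slide states.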

  20. Analysis of Possible Strategies: Selectively-Probing Attacker. The attacker may probe a second time only those objects for which it received a "true object" response. Possible countermeasures for the defender: lie on every true object, to deter the attacker's examination as much as possible; or lie on every decoy object, to make the attacker waste a probe examining each decoy.
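The game defined on slides 9 to 16 and the three attacker strategies on slides 17 to 20, as a small simulation. This is an added example, not code from the presentation or its author: the parameter names probe_cost, lie_cost, gain_true and penalty_decoy stand in for the slides' notation, and the concrete attacker policies (random probe order, how the selectively-probing attacker fills its remaining picks) and defender response policies (always_truth, lie_on_true, lie_on_decoy) are assumptions chosen to match the slides' descriptions.

```python
"""Toy simulation of the decoy-system probing game (added example, not from the slides).

Rules follow the slides: n objects, k true and n-k decoys, D's indicator function,
A probes and D answers with the indicator value or its logical complement, two probes
on one object reveal its identity, per-probe and per-lie costs, zero-sum incentives
at termination. Symbol names and the exact policies below are assumptions.
"""
from dataclasses import dataclass
import random


@dataclass
class Game:
    n: int                 # total objects
    k: int                 # true objects; the other n-k are decoys
    probe_cost: float      # A's cost per probe (assumed symbol)
    lie_cost: float        # D's cost per lie (assumed symbol)
    gain_true: float       # A's gain per true object attacked (assumed symbol)
    penalty_decoy: float   # D's gain per decoy attacked = A's per-object penalty

    def indicator(self, obj):
        # Initialization: D deploys objects 0..k-1 as true, the rest as decoys.
        # A never learns this layout directly because it probes in random order.
        return 1 if obj < self.k else 0


@dataclass
class Outcome:
    probes: int
    lies: int
    true_hit: int      # true objects among the k attacked
    decoy_hit: int     # decoys among the k attacked
    utility_a: float
    utility_d: float


# Defender response policies: True means D lies about this object.
def always_truth(game, obj):
    return False

def lie_on_true(game, obj):      # answer "decoy" for real servers (slide 20)
    return game.indicator(obj) == 1

def lie_on_decoy(game, obj):     # answer "true" for decoys so A re-probes them (slide 20)
    return game.indicator(obj) == 0


def respond(game, obj, policy):
    """One probe-respond step: (answer given to A, 1 if D lied else 0)."""
    lied = policy(game, obj)
    return (1 - game.indicator(obj) if lied else game.indicator(obj)), int(lied)


def finish(game, targets, probes, lies):
    """Termination: A attacks the chosen objects; incentives are zero-sum, costs are not."""
    true_hit = sum(game.indicator(o) for o in targets)
    decoy_hit = len(targets) - true_hit
    incentive_a = game.gain_true * true_hit - game.penalty_decoy * decoy_hit
    return Outcome(probes, lies, true_hit, decoy_hit,
                   incentive_a - game.probe_cost * probes,
                   -incentive_a - game.lie_cost * lies)


def no_probing(game, policy, rng):
    return finish(game, rng.sample(range(game.n), game.k), 0, 0)


def all_round_probing(game, policy, rng):
    """Probe objects twice each (identity revealed) until k true objects are found."""
    probes = lies = 0
    found = []
    for obj in rng.sample(range(game.n), game.n):
        if len(found) == game.k:
            break
        for _ in range(2):                 # D is asked twice and may lie both times
            _, lied = respond(game, obj, policy)
            probes, lies = probes + 1, lies + lied
        if game.indicator(obj) == 1:       # second probe exposed the real identity
            found.append(obj)
    return finish(game, found, probes, lies)


def selectively_probing(game, policy, rng):
    """Probe every object once; re-probe only those that answered 'true'."""
    probes = lies = 0
    confirmed_true, unresolved = [], []
    for obj in rng.sample(range(game.n), game.n):
        answer, lied = respond(game, obj, policy)
        probes, lies = probes + 1, lies + lied
        if answer == 1:
            _, lied = respond(game, obj, policy)   # second probe reveals identity
            probes, lies = probes + 1, lies + lied
            if game.indicator(obj) == 1:
                confirmed_true.append(obj)
        else:
            unresolved.append(obj)
    targets = confirmed_true[:game.k]
    if len(targets) < game.k:              # assumption: fill remaining picks by guessing
        targets += rng.sample(unresolved, game.k - len(targets))
    return finish(game, targets, probes, lies)


def expected_true_no_probing(n, k):
    """Closed form: k uniform guesses out of n with k true objects hit k*k/n on average."""
    return k * k / n


def play(strategy, game, policy, seed=1):
    return strategy(game, policy, random.Random(seed))


def average_true_hits(strategy, game, policy, trials=20000, seed=0):
    rng = random.Random(seed)
    return sum(strategy(game, policy, rng).true_hit for _ in range(trials)) / trials


if __name__ == "__main__":
    g = Game(n=10, k=3, probe_cost=0.5, lie_cost=0.5, gain_true=10.0, penalty_decoy=4.0)
    for strat in (no_probing, all_round_probing, selectively_probing):
        for pol in (always_truth, lie_on_true, lie_on_decoy):
            print(strat.__name__, pol.__name__, play(strat, g, pol))
```

With n = 10 and k = 3 the runs reproduce the slides' qualitative claims: the all-round-probing attacker ends with all k true objects no matter what D answers, so D's lies only cost D; against a truthful defender the selectively-probing attacker pays n + k probes and also ends with all k; when D lies on every decoy it pays 2n probes (the "wasted probe" effect of slide 20) while D pays 2(n-k) lies, because the decoy is lied about on both probes; when D lies on every true object A has nothing to re-examine and is back to guessing, averaging k²/n correct. Which defender policy is worth it depends on the cost and penalty parameters, which is exactly what the game model is meant to expose.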

  21. Conclusion. Some attacker-defender interactions can be viewed as a two-player game. We proposed a game-theoretic model which reflects the interaction between attacker and defender using decoy systems. Analyzing many other possible strategies with our game remains future work.

  22. References. [Spitzner03] L. Spitzner, "Honeypots: Catching the Insider Threat," Computer Security Applications Conference, 2003. [Rowe06] N. C. Rowe and E. J. Custy, "Fake Honeypots: A Defensive Tactic for Cyberspace," Proceedings of the 2006 IEEE Workshop on Information Assurance, pp. 223-230, 2006. [Roy10] S. Roy et al., "A Survey of Game Theory as Applied to Network Security," Proceedings of the 43rd Hawaii International Conference on System Sciences, pp. 1-10, 2010.

  23. Game Definition: Moves (contd). Step 1, Initialization: defender D deploys decoys and true objects. Step 2, Probe-Respond (repeated until A stops). 2a: attacker A picks an object to probe, collecting clues in order to avoid attacking decoys. Assume A uses one heuristic per probe.

  24. Game Definition: Moves (contd). Step 2, Probe-Respond (contd). 2b: defender D responds to A's probe by giving A a one-digit value. The defender can either tell the truth or lie.

  25. Game Definition: Moves (contd). Multiple probes on the same object: applying different heuristics to the same object gives a higher probability of revealing the identity of the object. Assumption: two probes on the same object reveal whether the object is a decoy or not. Step 3, Termination: the attacker concludes with k objects to attack.
