Baiting Inside Attackers using Decoy Documents

Abstract

The insider threat remains one of the most vexing problems in computer security. A number of approaches have been proposed to detect nefarious insider actions, including user modeling and profiling techniques, policy and access enforcement techniques, and misuse detection. In this work we propose trap-based defense mechanisms for the case where insiders attempt to exfiltrate and use sensitive information. Our goal is to confuse and confound the attacker, requiring far more effort to identify real information from bogus information, and to provide a means of detecting when an inside attacker attempts to exploit sensitive information. "Decoy Documents" are automatically generated and stored on a file system with the aim of enticing a malicious insider to open and review the contents of the documents. The decoy documents contain several different types of bogus credentials that, when used, trigger an alert. We also embed "stealthy beacons" inside the documents that cause a signal to be emitted to a server indicating when and where the particular decoy was opened. We evaluate decoy documents on honeypots penetrated by attackers, demonstrating the feasibility of the method.

Document Details

Document Type: Technical Report
Publication Date: Sep 16, 2008
Accession Number: ADA500672

Entities

People

  • Angelos Dennis Keromytis
  • Brian M. Bowen
  • Salvatore J. Stolfo
  • Shlomo Hershkop

Organizations

  • Columbia University

Tags

Communities of Interest

  • Biomedical
  • Cyber

DTIC Thesaurus Topics

  • Basic Programming Language
  • Computer Crime
  • Computers
  • Control Systems
  • Cybersecurity
  • Defense Systems
  • Detection
  • Detectors
  • Digital Media
  • Electronic Mail
  • Insider Threats
  • Network Protocols
  • Security
  • Security Personnel
  • Universities
  • Warning Systems
  • Word Processors

Fields of Study

  • Computer science

Readers

  • Cybersecurity
  • Educational Psychology

Technology Areas

  • Cyber