A Scalable High Fidelity Decoy Framework against Decoy Evasion Techniques

Abstract

A decoy network may effectively trap attackers into believing that they have succeeded in penetrating the real system, while they actually only penetrate one or more of the decoy mirage nodes. However, attackers may exploit various decoy evasion techniques to distinguish decoys from the real systems. In general, decoy evasion techniques can be classified into two major categories: pre-exploitation techniques and post-exploitation techniques. In the pre-exploitation phase, before compromising the targeted system with exploits, attackers rely mainly on network reconnaissance techniques, which conduct either fingerprint-based or timing-based network traffic analysis, to remotely identify decoy systems. As defenders, we face the challenge of providing a number of high interaction decoys distributed across different subnetworks under limited system resources and strict access control constraints. In the post-exploitation phase, after breaking into the targeted system and gaining system resource access privileges (e.g., user privilege or root privilege), attackers can further identify decoys by using decoy evasion techniques, which are generally based on two critical design and implementation gaps between decoys and real systems. In this work, we propose to design and develop a scalable high fidelity decoy framework that integrates believable user activities and network activities to defeat decoy evasion techniques in both the pre-exploitation and post-exploitation phases.

Document Details

Document Type
DoD Grant Award
Publication Date
Oct 17, 2018
Source ID
N000141812893

Entities

People

  • Kun Sun

Organizations

  • George Mason University
  • Office of Naval Research
  • United States Navy

Tags

Fields of Study

  • Computer science

Readers

  • Cybersecurity.
  • Distributed Systems and Data Platform Development
  • Sensor Fusion and Tracking Systems.