Adaptive cyber deception
Traditional deception techniques (e.g., honeypots) are very limited and easily detectable because they are mostly static and identifiable. Proactive paradigms such as address mutation are effective in slowing down reconnaissance by naive attackers, but they are ineffective in providing the true anonymity required by deception.
In this project, our goal is to effectively deceive reconnaissance attacks by skillful attackers by developing a multi-dimensional deception strategy that integrates IP mutation, fingerprinting anonymization, and diversity. The proposed deception infrastructure provides highly stealthy deception (called HIDE) that can effectively hide the identity, configuration, and vulnerability of end hosts against sophisticated and persistent attackers.
The project aims to implement and deploy our approach using a high-fidelity dynamic proxy (called the HIDE controller) and interactive honeypots (called HoneyShades). This is a novel proxy that constantly mutates the addresses and fingerprints of network hosts and proxy honeypots in a manner that maximally anonymizes the identity of network hosts. The objective is to make a host untraceable over time, so that even skilled attackers cannot reuse attributes of a host discovered in a previous scan, including its addresses and fingerprint, to identify that host again. The mutations are generated through formal definition and modeling of the problem.
Using a red teaming evaluation with a group of white-hat hackers, we evaluated our five-dimensional defense model and compared its effectiveness with alternative and competing scenarios. These experiments, as well as our analytical evaluation, show that by anonymizing all identifying attributes of a host/honeypot over time, HIDE is able to significantly complicate reconnaissance, even for highly skilled human attackers.
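The following simulation is an added example, not code from the HIDE project. It illustrates why address mutation alone leaves a host re-identifiable by its fingerprint, while mutating both attributes removes the stable identifier. The host list, address pool, fingerprint labels and the shuffle used as a stand-in for fingerprint mutation are all assumptions; the project's formally derived mutation strategy is not shown on this page.

```python
import random

# Constructed sample hosts: name -> (real IP, OS/service fingerprint label)
HOSTS = {
    "web": ("10.0.0.10", "linux-nginx"),
    "db": ("10.0.0.11", "windows-mssql"),
    "mail": ("10.0.0.12", "freebsd-postfix"),
    "dns": ("10.0.0.13", "openbsd-unbound"),
}
POOL = [f"172.16.0.{i}" for i in range(1, 255)]  # assumed virtual address pool


def scan_view(rng, mutate_ip, mutate_fp):
    """One epoch as a scanner sees it: host -> {"ip": ..., "fp": ...}."""
    names = sorted(HOSTS)
    ips = rng.sample(POOL, len(names)) if mutate_ip else [HOSTS[n][0] for n in names]
    fps = [HOSTS[n][1] for n in names]
    if mutate_fp:
        rng.shuffle(fps)  # stand-in for fingerprint mutation: re-deal the visible set
    return {n: {"ip": ip, "fp": fp} for n, ip, fp in zip(names, ips, fps)}


def reuse_rate(views, attr):
    """Fraction of hosts whose attr value from epoch e still names them in e+1."""
    hits = total = 0
    for prev, cur in zip(views, views[1:]):
        for name in prev:
            hits += prev[name][attr] == cur[name][attr]
            total += 1
    return hits / total


def attacker_success(mutate_ip, mutate_fp, epochs=300, seed=7):
    """Best re-identification rate over the attributes the attacker recorded."""
    rng = random.Random(seed)
    views = [scan_view(rng, mutate_ip, mutate_fp) for _ in range(epochs)]
    return max(reuse_rate(views, "ip"), reuse_rate(views, "fp"))


if __name__ == "__main__":
    for label, ip, fp in [("static", False, False), ("IP mutation only", True, False),
                          ("IP + fingerprint mutation", True, True)]:
        print(f"{label:28s} {attacker_success(ip, fp):.2f}")
```

In this toy model the residual success under full mutation comes from the shuffle occasionally handing a host its previous fingerprint.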