Detecting Targeted Attacks By Multilayer Deception
DOI: https://doi.org/10.13052/jcsm2245-1439.224
Keywords: deception, honeypot, honeynet, optimization
Abstract
Over the past few years, enterprises have faced a growing number of highly customized and targeted attacks that use sophisticated techniques and go after important company assets, such as customer data and intellectual property. Unlike conventional attacks, targeted attacks are operated by experts who use multiple steps to gain access to sensitive assets and, most of the time, leave very few network traces behind for detection. In this paper, we propose a multi-layer deception system that provides an in-depth defense against such sophisticated targeted attacks. Specifically, based on previous knowledge and patterns of such attacks, we model the attacker as trying to compromise an enterprise network via multiple stages of penetration, and we propose deception-based detection at each of these layers. Because of the multiple layers of deception, the probability of detecting such an attack is greatly enhanced. We present a proof-of-concept implementation of one of the key deception methods proposed. Since an enterprise operates under financial constraints, we also model the design of the deception system as an optimization problem that minimizes the total expected loss due to system deployment and asset compromise. We find that there is an optimal solution for deploying deception entities, and that overspending the budget on more entities only increases the total expected loss to the enterprise. Such a system can be coupled with existing detection techniques to protect enterprises from sophisticated attacks.
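As an added illustration of the trade-off the abstract describes (this is not the paper's own model, whose formulation the abstract does not give), the following script evaluates a simplified multi-layer deception cost model: each layer's detection probability rises with the number of bait entities deployed there, an attack is caught if any layer detects it, and the total expected loss is deployment spend plus the residual risk of an undetected compromise. The layer names, reach and catch probabilities, costs and asset value are all constructed; an exhaustive search shows an interior optimum and that adding entities beyond it raises the loss.

```python
"""Illustrative cost model for multi-layer deception (added example, not the
paper's formulation; every parameter is constructed). Assumptions: an attack
must pass every stage; a fraction `reach` of attackers touches a layer's bait,
each bait entity there catches them independently with probability `catch`;
an undetected attack costs ASSET_VALUE; each entity costs `cost` to run."""
from itertools import product

# Constructed layers: (name, reach, per-entity catch probability, cost)
LAYERS = [
    ("network-honeypots", 0.8, 0.5, 6.0),
    ("honey-files", 0.7, 0.5, 3.0),
    ("honey-accounts", 0.6, 0.5, 2.0),
]
ASSET_VALUE = 100.0  # constructed loss when the attack goes undetected

def layer_detection(reach, catch, n):
    """P(layer detects) = reach * P(at least one of n entities catches)."""
    return reach * (1.0 - (1.0 - catch) ** n)

def detection_probability(counts):
    """Attack is caught if any layer detects it: 1 - prod(1 - d_i)."""
    p_miss = 1.0
    for (_, reach, catch, _), n in zip(LAYERS, counts):
        p_miss *= 1.0 - layer_detection(reach, catch, n)
    return 1.0 - p_miss

def deployment_cost(counts):
    return sum(cost * n for (_, _, _, cost), n in zip(LAYERS, counts))

def expected_loss(counts, asset_value=ASSET_VALUE):
    """Total expected loss = deployment spend + residual compromise risk."""
    return deployment_cost(counts) + (1.0 - detection_probability(counts)) * asset_value

def optimal_deployment(max_per_layer=6):
    """Exhaustive search over integer deployments; cheap at this size."""
    candidates = product(range(max_per_layer + 1), repeat=len(LAYERS))
    best = min(candidates, key=expected_loss)
    return best, expected_loss(best)

if __name__ == "__main__":
    best, loss = optimal_deployment()
    print("optimal entities per layer:", dict(zip([l[0] for l in LAYERS], best)))
    print(f"detection probability {detection_probability(best):.3f}, loss {loss:.2f}")
    # Overspending: one extra entity in every layer raises the expected loss.
    more = tuple(n + 1 for n in best)
    print(f"one more entity per layer -> expected loss {expected_loss(more):.2f}")
```

With these constructed numbers the optimum spreads entities across all three layers because no single layer can reach every attacker; a layer with a cheaper per-entity cost cannot substitute for the others once its reach is exhausted.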