ABSTRACT
Active defense is a popular defense technique based on systems that hinder an attacker's progress by design, rather than reactively responding to an attack only after its detection. The best-known active defense systems are honeypots: fake systems, designed to look like real production systems, that aim to trap an attacker and to analyze the attacker's strategy and goals. Such systems suffer from a major weakness: it is extremely hard to design them so that an attacker cannot distinguish them from a real production system. In this paper, we advocate that, instead of adding further fake systems to the corporate network, the production systems themselves should be instrumented to provide active defense capabilities. This perspective on active defense contains costs and complexity while presenting the attacker with a more realistic-looking target, and it gives the Incident Response Team more time to identify the attacker. The proposed proof-of-concept prototype can be used to implement active defense in any corporate production network, with little upfront work and little maintenance.
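The following is an added illustration of the idea the abstract advocates, namely instrumenting a production system itself rather than deploying a separate decoy host; it is not the AHEAD prototype described in the paper, whose design is not reproduced on this page. It assumes a Python WSGI application and uses a constructed set of decoy paths that the real application never links to, so any request for them is a probing signal that can be recorded for the Incident Response Team while the host keeps answering like an ordinary server.

```python
import time
from collections import Counter
from typing import Callable, Dict, Iterable, List, Tuple

# Hypothetical decoy paths (constructed for this example). They are never
# referenced by the real application, so legitimate users never request them.
DECOY_PATHS = {"/backup.zip", "/admin-old/", "/.git/config"}


class DecoyMiddleware:
    """Wraps a production WSGI app and records requests for decoy paths.

    Legitimate traffic is passed through untouched. A decoy hit is answered
    with a bland 404, so the instrumented host still looks like a normal
    production server, while an alert record is kept for the IR team.
    """

    def __init__(self, app: Callable, decoy_paths: Iterable[str] = DECOY_PATHS,
                 clock: Callable[[], float] = time.time) -> None:
        self.app = app
        self.decoy_paths = set(decoy_paths)
        self.clock = clock
        # In-memory for the example; a deployment would forward these to a SIEM.
        self.alerts: List[Dict] = []

    def __call__(self, environ: Dict, start_response: Callable) -> Iterable[bytes]:
        path = environ.get("PATH_INFO", "")
        if path not in self.decoy_paths:
            return self.app(environ, start_response)
        # Record who touched the decoy, with the context the IR team needs.
        self.alerts.append({
            "ts": self.clock(),
            "src": environ.get("REMOTE_ADDR", "?"),
            "method": environ.get("REQUEST_METHOD", "?"),
            "path": path,
            "ua": environ.get("HTTP_USER_AGENT", ""),
        })
        body = b"Not Found"
        start_response("404 Not Found", [("Content-Type", "text/plain"),
                                         ("Content-Length", str(len(body)))])
        return [body]

    def hits_by_source(self) -> Dict[str, int]:
        """Count decoy hits per source address, a simple triage view."""
        return dict(Counter(a["src"] for a in self.alerts))


def production_app(environ: Dict, start_response: Callable) -> Iterable[bytes]:
    """Stand-in for the real production application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello from production"]


def make_environ(path: str, src: str = "203.0.113.7", ua: str = "curl/8.0") -> Dict:
    """Build a minimal constructed WSGI environ for one request."""
    return {"PATH_INFO": path, "REMOTE_ADDR": src,
            "REQUEST_METHOD": "GET", "HTTP_USER_AGENT": ua}


def run_request(app: Callable, environ: Dict) -> Tuple[str, bytes]:
    """Minimal WSGI driver: returns (status, body) for one request."""
    captured: Dict = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(app(environ, start_response))
    return captured["status"], body


def demo() -> Tuple[List[Dict], List[Tuple[str, bytes]]]:
    """Replay a constructed mix of normal and probing requests."""
    mw = DecoyMiddleware(production_app, clock=lambda: 1700000000.0)
    requests = [make_environ("/"), make_environ("/.git/config"),
                make_environ("/products"), make_environ("/backup.zip")]
    results = [run_request(mw, env) for env in requests]
    return mw.alerts, results


if __name__ == "__main__":
    alerts, results = demo()
    for a in alerts:
        print(f"decoy hit from {a['src']}: {a['method']} {a['path']} ({a['ua']})")
```

Because the decoy responses are indistinguishable from the server's real 404s, the instrumented host does not advertise that it is watched, which is the property the abstract contrasts with stand-alone honeypots.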
AHEAD: A New Architecture for Active Defense