research-article

AHEAD: A New Architecture for Active Defense

Authors:
Fabio De Gaspari

Sapienza Universita' di Roma, Roma, Italy

Sapienza Universita' di Roma, Roma, Italy
View Profile

,
Sushil Jajodia

George Mason University, Fairfax, VA, USA

George Mason University, Fairfax, VA, USA
View Profile

,
Luigi V. Mancini

Sapienza Universita' di Roma, Roma, Italy

Sapienza Universita' di Roma, Roma, Italy
View Profile

,
Agostino Panico

Sapienza Universita' di Roma, Roma, Italy

Sapienza Universita' di Roma, Roma, Italy
View Profile

SafeConfig '16: Proceedings of the 2016 ACM Workshop on Automated Decision Making for Active Cyber DefenseOctober 2016Pages 11–16https://doi.org/10.1145/2994475.2994481

Published:24 October 2016Publication History

SafeConfig '16: Proceedings of the 2016 ACM Workshop on Automated Decision Making for Active Cyber Defense

Pages 11–16

ABSTRACT

Active defense is a popular defense technique based on systems that hinder an attacker's progress by design, rather than reactively responding to an attack only after its detection. Well-known active defense systems are honeypots. Honeypots are fake systems, designed to look like real production systems, aimed at trapping an attacker, and analyzing his attack strategy and goals. These types of systems suffer from a major weakness: it is extremely hard to design them in such a way that an attacker cannot distinguish them from a real production system. In this paper, we advocate that, instead of adding additional fake systems in the corporate network, the production systems themselves should be instrumented to provide active defense capabilities. This perspective to active defense allows containing costs and complexity, while at the same time provides the attacker with a more realistic-looking target, and gives the Incident Response Team more time to identify the attacker. The proposed proof-of-concept prototype system can be used to implement active defense in any corporate production network, with little upfront work, and little maintenance.

References

Artillery. https://github.com/shoreditch-ops/artillery.Google Scholar
Conpot. https://github.com/mushorg/conpot.Google Scholar
Decloak. https://github.com/cmlh/decloak.Google Scholar
Dionaea. https://github.com/rep/dionaea.Google Scholar
Docker platform. https://www.docker.com/.Google Scholar
Harbinger distribution. http://www.blackhillsinfosec.com/?page_id=4419.Google Scholar
Honeybadger. http://github.com/honeybadger-io/honeybadger-ruby.Google Scholar
Kippo. https://github.com/desaster/kippo.Google Scholar
Portspoof. https://github.com/drk1wi/portspoof.Google Scholar
Rubberglue. https://github.com/adhdproject/adhdproject.github.io/blob/master/Tools/Rubberglue.md.Google Scholar
Webbugserver. https://github.com/adhdproject/adhdproject.github.io/blob/master/Tools/WebBugServer.md.Google Scholar
Weblabyrinth. https://github.com/mayhemiclabs/weblabyrinth.Google Scholar
K. G. Anagnostakis, S. Sidiroglou, P. Akritidis, K. Xinidis, E. Markatos, and A. D. Keromytis. Detecting targeted attacks using shadow honeypots. In Proceedings of the 14th Conference on USENIX Security Symposium - Volume 14, SSYM'05, pages 9--9, 2005. Google ScholarDigital Library
F. Araujo, K. W. Hamlen, S. Biedermann, and S. Katzenbeisser. From patches to honey-patches: Lightweight attacker misdirection, deception, and disinformation. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, CCS '14, pages 942--953, 2014. Google ScholarDigital Library
M. L. Bringer, C. A. Chelmecki, and H. Fujinoki. A survey: Recent advances and future trends in honeypot research. In International Journal of Computer Network and Information Security, IJCNIS, 2012.Google Scholar
R. Di Pietro and L. V. Mancini. Intrusion Detection Systems, volume 38 of Advances in Information Security. Springer, 2008.Google Scholar
S. Jajodia, K. A. Ghosh, V. Subrahmanian, V. Swarup, C. Wang, and S. X. Wang, editors. Moving Target Defense II: Application of Game Theory and Adversarial Modeling. Springer, 2013. Google ScholarDigital Library
S. Jajodia, K. A. Ghosh, V. Swarup, C. Wang, and S. X. Wang, editors. Moving Target Defense: Creating Asymmetric Uncertainty for Cyber Threats. Springer, 2011. Google ScholarDigital Library
S. Jajodia, P. Shakarian, V. Subrahmanian, V. Swarup, and C. Wang, editors. Cyber Warfare: Building the Scientific Foundation. Springer, 2015. Google ScholarDigital Library
A. Kott, C. Wang, and F. R. Erbacher, editors. Cyber Defense and Situational Awareness. Springer, 2014. Google ScholarDigital Library
N. Provos and T. Holz. Detecting Honeypots, chapter in book: Virtual Honeypots: From Botnet Tracking to Intrusion Detection. Addison-Wesley Professional, 2007.Google Scholar
Spitzner. Honeypots: Tracking Hackers. Addison-Wesley Longman, 2002. Google ScholarDigital Library
S. Tapaswi, A. Mahboob, A. S. Shukla, I. Gupta, P. Verma, and J. Dhar. Markov chain based roaming schemes for honeypots. Wirel. Pers. Commun., pages 995--1010, 2014. Google ScholarDigital Library

Index Terms

AHEAD: A New Architecture for Active Defense
1. Security and privacy
  1. Security services
    1. Access control

Recommendations

Evaluating Deception and Moving Target Defense with Network Attack Simulation
MTD'22: Proceedings of the 9th ACM Workshop on Moving Target Defense

In the field of network security, with the ongoing arms race between attackers, seeking new vulnerabilities to bypass defense mechanisms and defenders reinforcing their prevention, detection and response strategies, the novel concept of cyber deception ...
Read More
Dressed up: Baiting Attackers through Endpoint Service Projection
SDN-NFV Sec'18: Proceedings of the 2018 ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization

Honeypots have been widely employed to track attackers' activities and divert potential threats against real assets. A critical challenge of honeypot research is how to better integrate deceptive honeypots as part of an overall production network. ...
Read More
Using rootkits hiding techniques to conceal honeypot functionality
Abstract
Honeypot is one of the existing technologies in the area of computer network security. The goal of Honeypot is to create a tempting target for the attacker. The system that is considered as a Honeypot in the network includes the ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
SafeConfig '16: Proceedings of the 2016 ACM Workshop on Automated Decision Making for Active Cyber Defense
October 2016
130 pages
ISBN:9781450345668
DOI:10.1145/2994475
General Chairs:
Nicholas J. Multari
Pacific Northwest National Lab, USA
,
Anoop Singhal
National Institute of Standards and Technology, USA
,
David O. Manz
Pacific Northwest National Lab, USA
Copyright © 2016 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 24 October 2016
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
active defense
cyber deception
honeypot
honeytoken
intrusion detection system
Qualifiers
- research-article
Conference

Acceptance Rates
SafeConfig '16 Paper Acceptance Rate6of13submissions,46%Overall Acceptance Rate22of61submissions,36%
More
Upcoming Conference
CCS '24

Sponsor:

sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 14 - 18, 2024

Salt Lake City , UT , USA
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 22
  Total Citations
  View Citations
- 592
  Total Downloads
- Downloads (Last 12 months)33
- Downloads (Last 6 weeks)2
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

AHEAD: A New Architecture for Active Defense

SafeConfig '16: Proceedings of the 2016 ACM Workshop on Automated Decision Making for Active Cyber Defense

ABSTRACT

References

Cited By

Index Terms

Recommendations

Evaluating Deception and Moving Target Defense with Network Attack Simulation

Dressed up: Baiting Attackers through Endpoint Service Projection

Using rootkits hiding techniques to conceal honeypot functionality

Comments

Login options

Full Access

Published in

Sponsors

In-Cooperation

Publisher

Publication History

Permissions

Check for updates

Author Tags

Qualifiers

Conference

Acceptance Rates

Upcoming Conference

Funding Sources

Other Metrics

Article Metrics

Other Metrics

Cited By

PDF Format

eReader

Digital Edition

Caption

AHEAD: A New Architecture for Active Defense

SafeConfig '16: Proceedings of the 2016 ACM Workshop on Automated Decision Making for Active Cyber Defense

ABSTRACT

References

Cited By

Index Terms

Recommendations

Evaluating Deception and Moving Target Defense with Network Attack Simulation

Dressed up: Baiting Attackers through Endpoint Service Projection

Using rootkits hiding techniques to conceal honeypot functionality

Comments

Login options

Full Access

Published in

Sponsors

In-Cooperation

Publisher

Publication History

Permissions

Check for updates

Author Tags

Qualifiers

Conference

Acceptance Rates

Upcoming Conference

Funding Sources

Article Metrics

Other Metrics

PDF Format

eReader

Digital Edition

Share this Publication link

Share on Social Media