Counterplanning deceptions to foil cyber-attack plans


Abstract

Tactics involving deception are important in military strategies. We have been exploring deliberate deception in defensive tactics by information systems under cyber-attack as during information warfare. We have developed a tool to systematically "counterplan" or find ways to foil a particular attack plan. Our approach is to first find all possible atomic "ploys" that can interfere with the plan. Ploys are simple deceits the operating system can do such as lying about the status of a file. We analyze ploys as to the degree of difficulty they cause to the plan wherever they can be applied. We then formulate a "counterplan" by selecting the most cost-effective set of ploys and assign appropriate presentation methods for them, taking into account the likelihood that, if we are not careful, the attacker will realize they are being deceived and will terminate our game with them. The counterplan can be effected by a modified operating system. We have implemented our counterplanner in a tool MECOUNTER that uses multiagent planning coupled with some novel inference methods to efficiently find a best counterplan. We apply the tool to an example of a rootkit-installation plan and discuss the results.

Cite

Rowe, N. C. (2003). Counterplanning deceptions to foil cyber-attack plans. In IEEE Systems, Man and Cybernetics Society Information Assurance Workshop (pp. 221–228). Institute of Electrical and Electronics Engineers Inc. https://doi.org/10.1109/SMCSIA.2003.1232425
