Proactive defense through deception


Abstract

Cyberattacks are typically preceded by a reconnaissance phase in which attackers aim at collecting valuable information about the target system, including network topology, service dependencies, operating systems (OSs), and unpatched vulnerabilities. Unfortunately, when system configurations are static, given enough time, attackers can always acquire accurate knowledge about the target system through a variety of tools—including OS and service fingerprinting—and engineer effective exploits. To address this important problem and increase the resiliency of systems against known and unknown attacks, many techniques have been devised to dynamically and periodically change some aspects of a system’s configuration in order to introduce uncertainty for the attacker. However, these techniques, commonly referred to as moving target defenses, may introduce a significant overhead for the defender. To address this limitation, we present a graph-based approach for manipulating the attacker’s view of a system’s attack surface, which does not require altering the actual configuration of the system. To achieve this objective, we first formalize the notions of system view and distance between views, and then define a principled approach to manipulating responses to the attacker’s probes so as to induce an external view of the system that satisfies certain desirable properties. In particular, we propose efficient algorithmic solutions to two classes of problems, namely, (i) inducing an external view that is at a minimum distance from the internal view while minimizing the cost for the defender, and (ii) inducing an external view that maximizes the distance from the internal view, given an upper bound on the cost for the defender. In order to demonstrate the practical applicability of the proposed approach, we present deception-based techniques for defeating an attacker’s effort to fingerprint OSs and services on the target system. These techniques consist of manipulating outgoing traffic so that it resembles traffic generated by a completely different system. Experimental results show that our approach can efficiently and effectively deceive an attacker.

Citation (APA)

Albanese, M., & Jajodia, S. (2019). Proactive defense through deception. In Advances in Information Security (Vol. 75, pp. 169–202). Springer New York LLC. https://doi.org/10.1007/978-3-030-18214-4_9
