Today's cyber defenses do not prevent all malicious intrusions, which compromise enterprise network environments by exploiting both human errors and system vulnerabilities. This state of affairs is likely to persist in the foreseeable future. Cyber attack tactics such as phishing e-mail, SQL injections, SMB exploits, cross-site scripting, etc. enable adversaries to inject malware into enterprise networks. After establishing an initial foothold, malware typically conducts reconnaissance, followed by lateral movements by compromising other hosts/systems on the network. Although existing cyber defense tools can detect a wide range of potential intrusion activities, a certain share of the generated alarms are false-positives. Since administrators of enterprise networks generally lack the resources to investigate every alarm, they set threshold values for different types of alarms to investigate only those more likely caused by intrusions, according to the enterprise threat models. This approach allows stealthy malware, in particular Advanced Persistent Threats (APTs), to stay undetected if they manage to generate no alarm or very few alarms with potential to be considered false-positives in a very long period of time. We are investigating novel use of dynamic cyber deception techniques to aid the detection of activities of stealthy APTs. Our long-term goal is to develop autonomous agents engaged in investigations of every alarm that could indicate malware activities, rather than taking actions only when preset alarm threshold values are crossed. To set up the foundation for achieving the above goal, our current research spans the following areas: (i) minimizing the number of devices/hosts that are observable/accessible from any given host in order to reduce both the number of different types of alarms and the total number of alarms that could be raised by cyber security sensors; (ii) enabling automated creation of deceptive network views for each host and allowing such views to be changed on demand; (iii) using both low-interaction and proactive honeypots to generate illusive augmented false attack interfaces to increase the chance of detecting hidden threats; and (iv) investigating novel approaches for developing autonomous agents that manage the use of cyber deception schemes on-the-fly. The remainder of this paper is organized as follows. Section 2 provides a discussion about cyber deception along with tactics that we have developed and plan to leverage, including the generation of deceptive network views to minimize the number of genuine hosts accessible by a host and the insertion of honeypots as fake hosts in deceptive network views. Section 3 discusses the currently considered approach for developing autonomous agents managing cyber deception, game theory problem formulation, space search heuristics, and our strategy for training autonomous agents. In Section 4 we present our progress to date with some discussions. We conclude this position paper in Section 5.
Cyber deception is being considered as an approach to boost cyber defense [
Moving target defense has been a heavily researched topic as it provides camouflage for enterprise
networks. In general, MTD techniques change network and device configuration settings on the fly, with
an objective to both confuse (i.e., slow down/dissuade) adversaries and increase the chance of detecting
further adversarial activities. In our research, we are building on top of ACyDS [
Server OpenFlow Switch
Host 2
A Deceptive Network View rendered by the setup below to Host 2
DHCP
Server DHCP
Relay OpenFlow Controller
NotifyDHCPDerver& DVG of nodes joining the network Read
Write
Read DVDB
Honeypot
DNS Server Honeypot DHCP
Server DNSServer Update configurations Deception
View Generator Deception Server Mail Server Host 2 Host 1 Mail Server Host 1 Web Server
DHCP Server DHCP Server
DNS Server DNS Server
Host 2
Host 1
Mail Server
Web Server
Honeypot
We illustrate the concept of ACyDS using Figure 1. We assume that both Host 1 and Host 2 are on the
same network, but are presented with two entirely different network views. Host 1’s network topology
is different than Host 2’s, and the IP address of a given server (e.g., HTTP), is different in the two views. In
the figure, Host 2’s view includes 3 honeypots, while Host 1’s view has none. ACyDS’s capability is enabled
by the various components shown in Figure 1(c). Readers interested in the functions of the components
and ACyDS implementation are referred to [
Honeypots are fake hosts that are not used to perform any production task. Their primary purpose is to
direct intruders in their lateral movement from already compromised devices to provide more
information to network defenders for determining whether certain hosts have been compromised
(lowinteraction honeypots). A secondary purpose is to keep the adversary engaged in fruitless activity
(highinteraction honeypots). There has been a wide array of research activities in this area, mostly are
lowinteraction honeypots. Open source (e.g. honeyd [
We consider the combination of camouflage and decoy to enhance cyber security defense a promising research direction. Existing technologies allow static setup of camouflage and decoy; however, once the adversary recognizes the scheme and the usage pattern, both tactics become futile. However, providing dynamic and variable camouflage and ever-changing decoy deployment/placement is a challenge because of the need to ensure consistent management of changing defense with minimal impact on normal network operations. Needless to say, humans are ill-fit for this task in any real network, but an autonomous agent that is able to manage various deception techniques on-the-fly has the potential of significantly raising the level of difficulty for adversarial reconnaissance.
To manage the combination of camouflage and decoy, an autonomous agent needs to assess changes to the current system state, determine the next moves, and then adjust the configuration of deception tactics. Our plan is to develop such agents by using the following approach, illustrated in Figure 2. Thanks to the isolated network environment that ACyDS provides for each host, the problem can be formulated as a two-player game between the dynamic deception management agent and a potential adversary on a host (or a set of hosts). As shown in the figure, the agent receives sensory input from hosts, honeypots, and SDN controller. Since the network view is controlled by the agent, the number of nodes and therefore the amount of sensory input is under its control, too. Based on the sensory input the agent receives, it may decide to keep the current network view for a given host intact, or it can produce a new view using deception tactics such as changing IP addresses of all the nodes in the network view of a host, inserting additional honeypots into a network view, configuring honeypots to change their behaviors such as becoming more interactive and running a database server containing false data, and so on. In particular, new tactics are used to further investigate potential intrusion events. For example, an alarm is raised by a real host about a failed connection from another host to a closed port. This could be accidental and hence a false alarm, or it could be an intentional probing attempt by malware on the probing host. In addition to collecting information from the probing host to find out which process attempts the connection, the agent may remove the probed node from the view of the probing host and replace it with a proxy or a honeypot, or engage another proactive honeypot to communicate with the probing node, which may get the attention of the malware, if present on the probing host, to probe the newly found honeypots. If further honeypot probing happens, it would be a strong indicator that malware is present on the probing node, and additional moves may be planned by the agent.
A host’s deceptive network view HoHnoenHyoepnyeopytpoott disguisedas host HoHnoSeneyerpvyoeptrootr
SDN
Agent
As the reader can easily extrapolate, the game has a large number of possible moves and states. Given
the large state space, we plan to explore the following methodology to train the agent, allowing it to grow
its capability over many simulated games. This will also help us achieve an understanding about the Nash
equilibrium for different state spaces we consider. Our training approach works as follows.
First, with the help of human experts, we plan to build a semi-cognitive synthetic adversary that specializes
in reconnaissance and lateral movement. We will start with the assumption that the adversary is a stealthy
APT, and it makes prudent moves following a given adversary model. Under uncertainties this adversary
may make probabilistic decisions. For the deceptive agent, we plan to explore the concept of deep
learning [
To develop an agent for managing cyber deception on-the-fly, we adopt a multi-phased approach. In
Phase 1 we enumerate the following: (i) possible reconnaissance actions that could be used by adversary,
with and without sending probes, (ii) sensor information to be collected from hosts by the agent and (iii)
deception tactics that the agent may take, along with the parameters to configure and ranges of the
parameters. In Phase 2 we plan to develop a stealthy semi-cognitive adversary, a deception-managing
agent, and realistic scenarios first in simulation and then for the CyberVAN testbed [
We are currently at the end of Phase 1, and part of the Phase 2 work is under way, including the development of a stealthy adversary.
In this paper, we outline the goals of managing dynamic cyber deception, its basic mechanisms and an approach to creating an autonomous agent to automate the task. Thanks to the use of ACyDS to limit the scope of the problem space, we are able to significantly reduce the state space compared to a non-ACyDS network environment. Our plan is to continue this research under the U.S. Army Cyber Security Collaborative Research Alliance (CRA) program.
The authors want to thank the U.S. Army Research Laboratory Cyber Security Collaborative Research Alliance program for supporting this research.