Calendar - University of Houston
Skip to main content

[Defense] Cyber Deception against Adversarial Reconnaissance in Enterprise Network using Semi-Indistinguishable Honeypot

Tuesday, November 29, 2022

4:00 pm - 5:00 pm

In Partial Fulfillment of the Requirements for the Degree of Doctor of Philosophy
Shanto Roy
will defend his proposal
Cyber Deception against Adversarial Reconnaissance in Enterprise Network using Semi-Indistinguishable Honeypot


Effective adversarial reconnaissance leads to successful cyber attacks, and organizations use cyber deception to prevent or mitigate attackers’ information-gathering process. Deception enables the defender to fool an attacker by providing misguiding information alongside hiding sensitive information. Honeypots can support active defense by drawing the adversaries’ attention away from real systems, wasting their time and effort, and enabling defenders to observe exploits that would eventually be used against real systems. Since defensive honeypots are useful only as long as the adversaries are oblivious to the deception, it is crucial that honeypots are difficult to distinguish from real systems. In this work, we consider an active-defense scenario where suspected adversaries, who are identified by an intrusion-detection system, are redirected from a real webserver to a honey server. This presents significant challenges since the honey server must appear identical to the real server, but it cannot be a simple clone as the adversary may compromise it and all the information stored on it; further, the honey server must be continuously updated as the web application on the real server may be dynamic. To address these challenges, we introduce a novel framework to Deceive Adversaries through Redirection to Semi-Indistinguishable Honeypot Web Servers (DARSH). Our framework integrates honey networks and servers, which are identical to real ones at the network level; a crawler for copying web content; and programmable switches between these components, legitimate users, and suspected adversaries to orchestrate the deception. To demonstrate the efficacy of DARSH, we develop proof-of-concept implementations and two testbeds: a virtual testbed based on the CORE network emulator and a real-life testbed for extensive experimentation and human evaluation. We present results showing that reconnaissance tools remain oblivious to switching while our systems and legitimate users incur low overhead. Additional results demonstrate our success in protecting sensitive content on the legitimate server. Our results show that a semi-indistinguishable honeypot in DARSH can effectively prevent or mitigate adversarial reconnaissance.

Tuesday, November 29, 2022
4:00PM - 5:00PM CT
Online via Teams

Omprakash Gnawali, Aron Laszka, Stephen Huang, Christopher Kiekintveld, dissertation advisor(s)

Faculty, students and the general public are invited.

Doctoral Proposal Defense