[Defense] Cyber Deception against Adversarial Reconnaissance in Enterprise Network using Semi-Indistinguishable Honeypot
Tuesday, November 29, 2022
4:00 pm - 5:00 pm
will defend his proposal
Cyber Deception against Adversarial Reconnaissance in Enterprise Network using Semi-Indistinguishable Honeypot
Effective adversarial reconnaissance leads to successful cyber attacks, and organizations use cyber deception to prevent or mitigate attackers’ information-gathering process. Deception enables the defender to fool an attacker by providing misleading information while hiding sensitive information. Honeypots can support active defense by drawing the adversaries’ attention away from real systems, wasting their time and effort, and enabling defenders to observe exploits that would eventually be used against real systems. Since defensive honeypots are useful only as long as the adversaries are oblivious to the deception, it is crucial that honeypots are difficult to distinguish from real systems. In this work, we consider an active-defense scenario where suspected adversaries, identified by an intrusion-detection system, are redirected from a real web server to a honey server. This presents significant challenges: the honey server must appear identical to the real server, but it cannot be a simple clone, since the adversary may compromise it along with all the information stored on it; further, the honey server must be continuously updated, as the web application on the real server may be dynamic. To address these challenges, we introduce a novel framework to Deceive Adversaries through Redirection to Semi-Indistinguishable Honeypot Web Servers (DARSH). Our framework integrates honey networks and servers, which are identical to real ones at the network level; a crawler for copying web content; and programmable switches between these components, legitimate users, and suspected adversaries to orchestrate the deception. To demonstrate the efficacy of DARSH, we develop proof-of-concept implementations and two testbeds: a virtual testbed based on the CORE network emulator and a real-life testbed for extensive experimentation and human evaluation.
We present results showing that reconnaissance tools remain oblivious to switching while our systems and legitimate users incur low overhead. Additional results demonstrate our success in protecting sensitive content on the legitimate server. Our results show that a semi-indistinguishable honeypot in DARSH can effectively prevent or mitigate adversarial reconnaissance.
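The abstract describes three cooperating pieces: a crawler that copies the real web application into the honey server without carrying over sensitive content, a re-sync step so the honey copy keeps up with a dynamic site, and a programmable switch that pins IDS-flagged clients to the honey server so they never see the real one again. The following is an added toy model of that pipeline written for this page; it is not DARSH's own code, and the site content, the sensitive-value patterns, the `HoneyCrawler` and `RedirectSwitch` classes, and the client IPs are all constructed assumptions that stand in for the real crawler, honey server and switch.

```python
"""Toy model of a DARSH-style deception pipeline (constructed example, not the project's code)."""
import hashlib
import re
from dataclasses import dataclass, field

# Constructed sample content for the "real" web server: path -> HTML.
# The customer page carries the sensitive values the honey copy must never leak.
REAL_SITE = {
    "/": "<html><body><h1>Acme Portal</h1><a href='/customers'>Customers</a></body></html>",
    "/customers": "<html><body><h1>Customers</h1><p>Contact: alice@example.com</p>"
                  "<p>Account: 4111-1111-1111-1111</p></body></html>",
}

# Each sensitive pattern is replaced with a plausible decoy of the same shape,
# so the honey page keeps its layout and still looks like the real one.
SENSITIVE_PATTERNS = [
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"), "user@example.invalid"),   # e-mail addresses
    (re.compile(r"\b(?:\d{4}-){3}\d{4}\b"), "0000-0000-0000-0000"),     # card-number-like strings
]


def sanitize(html: str) -> str:
    """Replace sensitive values with decoys while preserving the page structure."""
    for pattern, decoy in SENSITIVE_PATTERNS:
        html = pattern.sub(decoy, html)
    return html


def digest(text: str) -> str:
    """Content hash used to detect which real pages changed since the last sync."""
    return hashlib.sha256(text.encode()).hexdigest()


@dataclass
class HoneyCrawler:
    """Mirrors the real site into the honey site, re-copying only pages that changed."""
    real: dict
    honey: dict = field(default_factory=dict)
    seen: dict = field(default_factory=dict)   # path -> digest of the real page last copied

    def sync(self) -> list:
        """Copy new or changed pages (sanitized) to the honey server; return the paths touched."""
        updated = []
        for path, html in self.real.items():
            h = digest(html)
            if self.seen.get(path) != h:
                self.honey[path] = sanitize(html)
                self.seen[path] = h
                updated.append(path)
        # Pages removed from the real server disappear from the honey server too.
        for path in list(self.honey):
            if path not in self.real:
                del self.honey[path]
                del self.seen[path]
                updated.append(path)
        return updated


@dataclass
class RedirectSwitch:
    """Models the programmable switch: IDS-flagged clients are pinned to the honey server."""
    crawler: HoneyCrawler
    suspects: set = field(default_factory=set)

    def ids_alert(self, client_ip: str) -> None:
        """Called by the intrusion-detection system when it judges a client suspicious."""
        self.suspects.add(client_ip)

    def backend_for(self, client_ip: str) -> str:
        # Pinning is sticky: once flagged, a client never reaches the real server again,
        # so it has no chance to compare real and honey responses side by side.
        return "honey" if client_ip in self.suspects else "real"

    def serve(self, client_ip: str, path: str):
        """Return (backend name, response body) for a request from client_ip."""
        backend = self.backend_for(client_ip)
        site = self.crawler.honey if backend == "honey" else self.crawler.real
        return backend, site.get(path, "<html><body>404 Not Found</body></html>")


if __name__ == "__main__":
    crawler = HoneyCrawler(real=dict(REAL_SITE))
    crawler.sync()
    switch = RedirectSwitch(crawler)
    switch.ids_alert("10.0.0.9")                     # constructed IDS alert
    print(switch.serve("10.0.0.5", "/customers"))    # legitimate client -> real page
    print(switch.serve("10.0.0.9", "/customers"))    # flagged client -> sanitized honey page
```

The design choice worth noting is that the switch decides per client rather than per request: consistency is what keeps reconnaissance tools oblivious, because a client that is sometimes answered by the real server and sometimes by the honey server could notice the difference. The crawler's hash-based sync is what lets the honey server track a dynamic real site without re-copying everything.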
4:00PM - 5:00PM CT
Online via Teams
Dissertation advisor(s): Omprakash Gnawali, Aron Laszka, Stephen Huang, Christopher Kiekintveld
Faculty, students and the general public are invited.