Over the years, malicious entities in cyberspace have grown smarter and more resourceful. For defenders to keep pace with increasingly sophisticated attacks, they need to understand these attacks. In this paper, we study the current trends in security attacks and present a threat model that encapsulates their sophistication. Survivability is difficult to achieve because of its contradictory requirements: it requires that a critical system survive all attacks (including zero-day attacks) while still preserving the timeliness property of its mission. We recognize deception as an important tool for resolving this conflict.
The proposed deception-based framework predicts an attacker’s intent in order to design a stronger and more effective recovery; hence strengthening system survivability. Each design choice is supported by evidence and a detailed review of existing literature. Finally, we discuss the challenges in implementing such a framework and the directions that can be taken to overcome them.
1. A Deception Framework for Survivability
Against Next Generation Cyber Attacks
Ruchika Mehresh and Shambhu Upadhyaya
Department of Computer Science and Engineering,
University at Buffalo, Buffalo, NY 14260
2. Motivation
Asymmetric warfare
Kinds of sophisticated attacks seen lately:
Botnets, command and control
Operation Aurora
Stuxnet
3. Problem Statement
How to enable critical systems to survive the
next generation of sophisticated attacks
Deception
4. Introduction
• Survivability is the ability of a system to perform
its mission (essential operations) in the presence of
attacks, faults or accidents
• Focus on how to survive an attack
– Does not focus on source or type of attack
5. Introduction
• Survivability involves four phases:
– Prevention against faults/attacks
– Detection of faults/attacks
– Recovery from faults/attacks
– Adaptation/Evolution to avoid future attacks
• Timeliness property
6. Introduction
Next-generation attack assessment
Formal requirements
Deception as a tool of defense
Proposed framework
7. Underlying pattern in
sophisticated attacks [6]
Solution
Features:
1. Multi-shot
2. Stealth
3. Contingency plan
8. Formal system requirements
Recognizing the smart adversary
Prevention
Surreptitious detection
Effective recovery with adaptation
Zero-day attacks
10. Deception as a tool of defense
• Preventive deception
– Hiding, Distraction, Dissuasion
• Detection
– Honeypot farm
• Recovery
– Concealing the detection until an effective patch has
been worked out
12. Work in progress
• Design issues
• Controlling the feedback loop
• Smart-box design
– Assess the nature of the traffic flow
– Map AIOS to a honeypot
13. Conclusion
• Deception-based survivability solution against
sophisticated attacks
• Dealing with zero-day attacks while conserving the
timeliness property
• Stronger recovery with surreptitious detection
14. References
1. E. Nakashima and J. Pomfret. China proves to be an aggressive foe in
cyberspace. The Washington Post, November 2009.
2. M. Ramilli and M. Bishop. Multi-stage delivery of malware. 5th International
Conference on Malicious and Unwanted Software (MALWARE), 2010.
3. E. J. Kartaltepe, J. A. Morales, S. Xu, and R. Sandhu. Social network based botnet
command-and-control: emerging threats and countermeasures. Proceedings of the
8th International Conference on Applied Cryptography and Network Security
(ACNS), pages 511–528, 2010.
4. McAfee Labs and McAfee Foundstone Professional Services. Protecting your critical
assets: lessons learned from "Operation Aurora". Technical report, 2010.
5. M. J. Gross. A declaration of cyber-war. Vanity Fair, April 2011.
6. K. A. Repik. Defeating adversary network intelligence efforts with active cyber defense
techniques. Master's thesis, Graduate School of Engineering and Management, Air
Force Institute of Technology, 2008.
7. A. D. Lakhani. Deception techniques using honeypots. MSc thesis, Information
Security Group (ISG), Royal Holloway, University of London, 2003.
Editor's Notes
- As reported by The Washington Post, malicious sleeper code is known to have been left behind in U.S. critical infrastructure by state-sponsored attackers. This sleeper code can be activated at any time to alter or destroy information.
- Similar stealth methodologies are also employed during the multi-stage delivery of malware and in the stealthy command-and-control execution model of botnets. Stuxnet (June 2010, nuclear power plants in Iran) sniffs for a specific configuration and remains inactive if it does not find it. "Stuxnet is the new face of 21st-century warfare: invisible, anonymous, and devastating."
- Another instance of smart malware is Operation Aurora, which received wide publicity in 2009-10. The most highlighted feature of Aurora is its complexity, sophistication and stealth. It includes numerous steps to gain and maintain access to privileged systems until the attacker's goals are met. The installation and operation of this malware are completely hidden from the user. The attack was aimed at dozens of organizations, of which Adobe Systems, Juniper Networks and Rackspace have publicly confirmed that they were targeted. According to media reports, Yahoo, Symantec, Northrop Grumman, Morgan Stanley and Dow Chemical were also among the targets. The targets included source code repositories and intellectual property.
- Attackers are growing smarter and attacks more sophisticated. Critical systems are high-value targets. Asymmetric warfare. Not all attacks can be prevented; how do we "survive" them?
- Not on who attacked, etc. Whether fault or attack.
- Asymmetric warfare theory: attackers have the advantage of time and stealth. How to make the defense agile and adaptive? How to survive sophisticated attacks: the issue of survivability.
- Zero-day attacks: proactive vs. reactive.
- Deception itself in warfare is not new; it raises legal and moral issues. Some concepts are used by many, like the DTK by Cohen. Hiding includes fingerprint scrubbing, obfuscation, etc. High-interaction honeypots provide an emulation of a real operating system. Thus, the attacker can interact with the operating system and completely compromise the system. Some examples are User Mode Linux (UML), VMware, Argos, etc. Low-interaction honeypots simulate limited network services and vulnerabilities. They cannot be completely exploited. Examples are LaBrea, Honeyd, Nepenthes, etc. [26], [27].
- Attacker's Intent, Objectives and Strategies (AIOS): dark space + malicious behavior + intentional.
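The notes above describe low-interaction honeypots and the three AIOS indicators (dark space, malicious behavior, intentional interaction) that the smart-box design maps onto a honeypot. The following is an added example, not code from the paper or its authors: a minimal low-interaction decoy that answers a probe with a fake service banner, records what the client does next, and scores the interaction on those three indicators without ever revealing to the client that it reached a decoy. The dark-space ranges, banners, marker strings and the decoy address 10.0.9.77 are constructed values for illustration only.

```python
"""Minimal low-interaction decoy service with AIOS-style scoring.

Added example, not code from the paper or its authors. The address ranges,
banners and marker strings below are constructed for illustration.
"""
import ipaddress
import socket
import threading
from datetime import datetime, timezone

# Constructed "dark space": ranges the protected network never uses, so any
# traffic addressed to them has no legitimate reason to exist.
DARK_SPACE = [ipaddress.ip_network("10.0.9.0/24"),
              ipaddress.ip_network("10.0.10.0/24")]

# Constructed decoy banners: a low-interaction honeypot only emulates the
# first exchange of a service, enough for a probe to keep talking.
FAKE_BANNERS = {
    21: b"220 FTP server ready\r\n",
    22: b"SSH-2.0-OpenSSH_7.4\r\n",
    23: b"\r\nlogin: ",
}

# Constructed substrings that mark a client as attempting a login or a
# sensitive-file read rather than merely connecting.
MALICIOUS_MARKERS = (b"root", b"admin", b"/etc/passwd")


def in_dark_space(dst_ip: str) -> bool:
    """True when the probed address lies in unused ("dark") space."""
    ip = ipaddress.ip_address(dst_ip)
    return any(ip in net for net in DARK_SPACE)


def banner_for(dst_port: int) -> bytes:
    """Decoy greeting for a port; unknown ports still answer with a prompt."""
    return FAKE_BANNERS.get(dst_port, b"\r\n> ")


def assess(dst_ip: str, dst_port: int, payload: bytes) -> dict:
    """Score one interaction on the three AIOS indicators from the notes:
    dark space, malicious behaviour, and intent (the client keeps talking
    to the decoy after the banner instead of connecting and leaving).
    Returns a log record; 'hostile' means all three indicators hold."""
    dark = in_dark_space(dst_ip)
    malicious = any(m in payload for m in MALICIOUS_MARKERS)
    intentional = len(payload) > 0          # empty payload == bare scan
    hits = dark + malicious + intentional   # bools sum to 0..3
    verdict = {3: "hostile", 0: "benign"}.get(hits, "suspicious")
    return {
        "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "dst": f"{dst_ip}:{dst_port}",
        "dark_space": dark,
        "malicious": malicious,
        "intentional": intentional,
        "verdict": verdict,
    }


def handle(conn: socket.socket, dst_ip: str, dst_port: int, log: list) -> None:
    """Serve one decoy connection: send the banner, capture what the client
    sends next, record the assessment, and close without any hint that the
    client reached a decoy (surreptitious detection)."""
    conn.settimeout(2.0)
    try:
        conn.sendall(banner_for(dst_port))
        try:
            payload = conn.recv(1024)
        except socket.timeout:
            payload = b""
        log.append(assess(dst_ip, dst_port, payload))
    finally:
        conn.close()


def loopback_demo() -> tuple:
    """Run one decoy on an ephemeral loopback port, probe it once as a
    client, and return (greeting the client saw, decoy log). Loopback stands
    in for a dark-space address, so the constructed decoy address 10.0.9.77
    is passed to the handler explicitly."""
    log = []
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def accept_one():
        conn, _ = srv.accept()
        handle(conn, "10.0.9.77", 22, log)

    worker = threading.Thread(target=accept_one)
    worker.start()
    with socket.create_connection(("127.0.0.1", port)) as cli:
        greeting = cli.recv(1024)
        cli.sendall(b"root\r\n")
    worker.join()
    srv.close()
    return greeting, log


if __name__ == "__main__":
    seen, records = loopback_demo()
    print("client saw:", seen)
    for rec in records:
        print(rec)
```

The verdict logic is the part worth adapting: a connect-and-close to dark space is only "suspicious" (a scan), while a client that answers the fake banner with a login attempt on a dark-space address satisfies all three indicators and is logged as "hostile". Because the decoy closes the connection exactly as a real service would on timeout, the client learns nothing about the detection, which is what the recovery phase above relies on when it conceals the detection until a patch is ready.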