CyberMoat: Camouflaging Critical Server Infrastructures with Large Scale Decoy Farms

Title: CyberMoat: Camouflaging Critical Server Infrastructures with Large Scale Decoy Farms
Publication Type: Conference Paper
Year of Publication: 2017
Authors: Sun, J., Sun, K., Li, Q.
Conference Name: 2017 IEEE Conference on Communications and Network Security (CNS)
Date Published: Oct
Publisher: IEEE
ISBN Number: 978-1-5386-0683-4
Keywords: attack detection, attacker reconnaissance, authentication, critical server camouflaging, critical server infrastructures, CyberMoat, deception-based cyber defenses, decoy platform, decoy systems, decoy-enhanced defense framework, defense mechanisms, deployed decoys, dynamic proxy address shuffling, Fingerprint recognition, high-fidelity decoy servers, information gathering, Monitoring, Network reconnaissance, pubcrawl, Reconnaissance, Resiliency, security of data, Servers, service availability, static decoy configurations, targeted remote attacks, telecommunication security, transparent connection translation strategy, versatile front-end proxies, Virtual machining
Abstract:

Traditional deception-based cyber defenses often adopt reactive strategies that use decoy systems or services for attack detection and information gathering. Unfortunately, the effectiveness of these defense mechanisms has been largely constrained by low decoy fidelity, the poor scalability of decoy platforms, and static decoy configurations, which allow attackers to identify and bypass the deployed decoys. In this paper, we develop a decoy-enhanced defense framework that can proactively protect critical servers against targeted remote attacks through deception. To achieve both high fidelity and good scalability, our system follows a hybrid architecture that separates lightweight yet versatile front-end proxies from back-end high-fidelity decoy servers. Moreover, our system can further invalidate the attackers' reconnaissance through dynamic proxy address shuffling. To guarantee service availability, we develop a transparent connection translation strategy that maintains existing connections during shuffling. Our evaluation on a prototype implementation demonstrates the effectiveness of our approach in defeating attacker reconnaissance and shows that it introduces only a small performance overhead.

URL: http://ieeexplore.ieee.org/document/8228642/
DOI: 10.1109/CNS.2017.8228642
Citation Key: sun_cybermoat:_2017