Cyber Deception: Virtual Networks to Defend Insider Reconnaissance

Title: Cyber Deception: Virtual Networks to Defend Insider Reconnaissance
Publication Type: Conference Paper
Year of Publication: 2016
Authors: Achleitner, Stefan; La Porta, Thomas; McDaniel, Patrick; Sugrim, Shridatt; Krishnamurthy, Srikanth V.; Chadha, Ritu
Conference Name: Proceedings of the 8th ACM CCS International Workshop on Managing Insider Security Threats
Publisher: ACM
Conference Location: New York, NY, USA
ISBN Number: 978-1-4503-4571-2
Keywords: advanced persistent threat, insider reconnaissance, insider threat, network reconnaissance, network security, pubcrawl, resiliency, software defined networking
Abstract

Advanced targeted cyber attacks often rely on reconnaissance missions to gather information about potential targets and their location in a networked environment, in order to identify vulnerabilities which can be exploited for further attack maneuvers. Advanced network scanning techniques are often used for this purpose and are automatically executed by malware-infected hosts. In this paper we formally define network deception to defend reconnaissance and develop RDS (Reconnaissance Deception System), which is based on SDN (Software Defined Networking), to achieve deception by simulating virtual network topologies. Our system thwarts network reconnaissance by delaying the scanning techniques of adversaries and invalidating their collected information, while minimizing the performance impact on benign network traffic. We introduce approaches to defend malicious network discovery and reconnaissance in computer networks, which are required for targeted cyber attacks such as Advanced Persistent Threats (APT). We show that our system is able to invalidate an attacker's information, delay the process of finding vulnerable hosts and identify the source of adversarial reconnaissance within a network, while only causing a minuscule performance overhead of 0.2 milliseconds per packet flow on average.

URL: http://doi.acm.org/10.1145/2995959.2995962
DOI: 10.1145/2995959.2995962
Citation Key: achleitner_cyber_2016