A cooperative and independent deception system in the active cyber defense system

Document Type : Original Article

Authors

1 Assistant Professor, Malik Ashtar University of Technology, Tehran, Iran

2 Master's student, Malik Ashtar University of Technology, Tehran, Iran

Abstract

Cyber deception technology is part of the process of identifying and responding to incidents. It helps the security team identify and analyze advanced threats by persuading an attacker to strike fake resources. The deception approach produces high-precision warnings about high-risk behaviors. Deception takes a variety of forms, one of which is the active defense approach. Active defense is based on establishing measures that detect, analyze, identify and reduce threats to communication systems and networks in real time, which ultimately leads to cyber security. The Honeypot is a well-known example of a technique used in active defense: a decoy deliberately placed on the network to be explored by an attacker so that the activities performed can be recorded, tracked and analyzed. In this project, we have used a low-interaction Honeypot to identify malicious activities. Using these technologies and strategies, we have designed an active cyber defense system (SDF). Taking the IP into account, this system is capable of monitoring and real-time detection of abnormalities at the functional level of attackers' behavior. Both cyber deception and the honeypot concentrate on trapping the attacker by misleading and confusing them, but active cyber deception (SDF) is an evolution of the Honeypot that extends its limited capabilities.
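As an added illustration of the abstract's idea (not code from the paper or the SDF system), the following Python sketch shows how a low-interaction decoy keys its observations on the source IP and turns any contact with a fake service into a high-precision alert, escalating when one IP probes several decoys or hammers one of them. The decoy port table, thresholds and sample events are all assumptions constructed for the example.

```python
# Added example, not from the paper: per-source-IP tracking of decoy contacts.
from collections import defaultdict
from dataclasses import dataclass, field

# Hypothetical decoy ports; a deployment picks services that blend into its network.
DECOY_PORTS = {22: "ssh", 445: "smb", 3306: "mysql"}

@dataclass
class SourceState:
    ports: set = field(default_factory=set)  # decoy ports this IP has touched
    events: int = 0                          # total decoy connection attempts
    first_seen: float = 0.0                  # timestamp of the first attempt

class DecoyTracker:
    """Keys every observation on source IP and returns an alert per event."""
    def __init__(self, scan_threshold=2, burst_window=60.0, burst_count=10):
        self.sources = defaultdict(SourceState)
        self.scan_threshold = scan_threshold  # distinct decoy ports => scan
        self.burst_window = burst_window      # seconds after first contact
        self.burst_count = burst_count        # attempts in window => brute force

    def record(self, src_ip, port, ts):
        """Record one connection attempt; return the alert it triggers, if any."""
        if port not in DECOY_PORTS:
            return None  # real service, not a decoy: nothing to conclude
        s = self.sources[src_ip]
        if s.events == 0:
            s.first_seen = ts
        s.events += 1
        s.ports.add(port)
        # Any decoy contact is suspicious; escalate as the picture builds.
        if len(s.ports) >= self.scan_threshold:
            return {"ip": src_ip, "severity": "high", "reason": "decoy port scan",
                    "services": sorted(DECOY_PORTS[p] for p in s.ports)}
        if s.events >= self.burst_count and ts - s.first_seen <= self.burst_window:
            return {"ip": src_ip, "severity": "high", "reason": "brute-force burst",
                    "services": [DECOY_PORTS[port]]}
        return {"ip": src_ip, "severity": "medium", "reason": "decoy contact",
                "services": [DECOY_PORTS[port]]}

# Constructed sample events: (source IP, destination port, timestamp in seconds).
SAMPLE_EVENTS = [
    ("203.0.113.7", 22, 0.0),    # first touch of the fake SSH service
    ("203.0.113.7", 445, 1.5),   # same host probes a second decoy: a scan
    ("198.51.100.9", 80, 2.0),   # real web server, not a decoy: ignored
    ("192.0.2.5", 3306, 5.0),    # single contact with the fake MySQL decoy
]

def run(events, tracker=None):
    tracker = tracker or DecoyTracker()
    return [a for a in (tracker.record(*e) for e in events) if a]
```

In a live deployment the listener for each decoy port would call `record()` for every accepted connection; the alerts are precise because no legitimate client has a reason to reach a decoy.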

Keywords



Volume 10, Issue 2 - Serial Number 38
October 2022
Pages 129-142
  • Receive Date: 23 August 2021
  • Revise Date: 11 October 2021
  • Accept Date: 18 December 2021
  • Publish Date: 23 September 2022