
3.3 Deception models

From the document Modeling Deception for Cyber Security (pages 79-89)

cases” in [118]). Semantic cases are then used to enumerate the space of possible deceptions. The taxonomy based on linguistic cases is divided into seven categories: spatial, time, participant, causality, quality, essence, and speech-act theory. Figure 3.3 illustrates the linguistic cases-based taxonomy.

Figure 3.3: Linguistic cases categories used in deception actions (deception based on linguistic case theory; figure reconstructed as a list)
Spatial: location-at, location-through, location-from, location-to, direction, orientation
Temporal: frequency, time-from, time-to, time-through, time-at
Participant: agent, object, instrument, beneficiary, experiencer, recipient
Causality: cause, contradiction, effect, purpose
Quality: accompaniment, content, value, manner, material, measure, order
Essence: supertype, whole
Speech-act theory: external precondition, internal precondition

Spatial cases (location-at, location-through, location-from, location-to, direction, orientation) represent actions associated with locations to which deception can apply (e.g., hiding one’s location when defending against an attack, locations during file transfers). Temporal cases (frequency, time-from, time-to, time-through, time-at) comprise actions associated with frequency and time to which deception can apply (e.g., increased frequency in denial-of-service attacks, time-stamps associated with events in a log file). Participant cases (agent, object, instrument, beneficiary, experiencer, recipient) are those actions associated with agents and objects (e.g., software/hardware used in deceptive mechanisms, the beneficiary of a scam, the target of a deception). Causality cases (cause, contradiction, effect, purpose) represent actions associated with causal aspects of the deception (e.g., the expected effect, the purpose, and the causes of applying social engineering). Quality cases (accompaniment, content, value, manner, material, measure, order) are those related to resources, values, and the way actions are performed by defenders and attackers (e.g., disinformation and repackaging malicious software). Essence (supertype, whole) represents ontological aspects of the action, its type, and the context in which the deception occurs (e.g., attacks pretending to be something else, attacks that are only part of a larger offensive). Finally, speech-act theory (external precondition, internal precondition) refers to semantic cases related to communication (e.g., the user changed his password, knowledge about the password policy of a website).

Cohen [79] groups deceptions by the hierarchical levels of a computer system and their vulnerabilities. Deceptions are expressed in terms of intrusions at the hardware, device driver, protocol, operating system, library and support function, application, recursive language, and meaning vs. content levels. The levels interact (send/receive signals) with each other, usually hierarchically, although there are exceptions. The model assumes that every signal level of the hierarchy can either be induced or inhibited. While offensive deception can be applied to every level, defense is only attainable in some cases. For example, defensive deception at the hardware level requires physical access to the system or logical access with the capability to alter hardware-level functions (e.g., microcode access).

On the other hand, Cohen suggests that the application level is a relevant area for defensive deceptions, since applications tend to directly influence the decision processes of attackers.

Almeshekah and Spafford [9] present a classification of how deception can be integrated into computer system components. The proposed classification considers that deception can be achieved by manipulating the functionality or the state of the systems, as illustrated in Fig. 3.4. Decision represents deception applied to decisions made by the computer system. For example, a system’s authentication decision where adversaries are deceived by being given access to “fake” accounts in the case of online guessing attacks.

Figure 3.4: Computer systems components where deception can be integrated with [9] (figure reconstructed as a list; deception of the functionality of systems or of the state of systems)
Decision (the system’s decision)
Software and Services (in the target systems)
Internal Data (stored in our system; administrative or raw)
Public Data (disseminated outside our system)
System Responses (can be considered as public data)
Configurations (network, system)
Weakness (i.e., vulnerabilities in the system)
Performance (of the system)
Impact [damage assessment] (of malicious activities)
Activity (currently in the system)

Software and Services provide fake systems and services for adversaries, such as those presented by honeypot-based mechanisms (see Section 3.2). Honeypots are intended to provide attackers with a number of fake systems running fake services. Moreover, deception is used to mask the identities of our existing software/services by using obfuscation tools. Internal Data and Public Data apply to the raw data in computer systems, e.g., files, directories, and databases, or to the administrative data used for decisions and/or for monitoring the system’s activities (e.g., passwords). Deceit can also be injected into the public data about the systems (e.g., public data about some “fake” personnel for the purpose of catching attacks such as spear phishing). Configurations influence how attackers perceive the configuration of the network and the systems. This is particularly relevant when attackers perform lateral movement, for which they need to know how and where to move to compromise new targets. Weakness provides intentional vulnerabilities in the system to leave adversaries confused about whether an exploit has succeeded or not. Performance influences the attacker’s perception of the system’s performance, which may put the deceiver in an advantageous position. Impact provides evidence to make the attacker perceive that the damage caused is greater, or smaller, than the real damage. This evidence may cause the attacker to stop the attack or become less aggressive. Activity represents the injection of some fake data about activities into the system to influence attackers’ perception and, therefore, their reactions. Finally, the taxonomy considers System Responses as public data.
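The Decision component described above can be made concrete with a small authentication routine. The code below is an added illustration, not code from the thesis or from Almeshekah and Spafford’s work: it assumes a constructed user store in which one account (`backup_admin`, with a deliberately weak constructed password) is a decoy, and a constructed alert sink in place of a real SIEM. A guess that hits the decoy credential is granted a session bound to a decoy environment and raises an alert; real accounts and unknown users follow the ordinary path.

```python
"""Deception at the authentication decision: decoy (honey) accounts.

Added illustration, not the thesis's or the cited authors' code. Account
names, passwords, IP addresses and the alert sink are constructed.
"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Optional

PBKDF2_ROUNDS = 50_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def _make_record(password: str, decoy: bool) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt), "decoy": decoy}


# Constructed user store. "backup_admin" is a decoy account whose (weak)
# password a guessing attacker is likely to try; a hit lands in a decoy.
USERS = {
    "alice": _make_record("correct-horse-battery-staple", decoy=False),
    "backup_admin": _make_record("Password123", decoy=True),
}

ALERTS: list = []  # constructed sink; a SIEM or alerting pipeline in practice


@dataclass
class AuthResult:
    outcome: str                    # "real", "decoy" or "deny"
    session: Optional[str] = None   # opaque token; decoy sessions are tagged
    alert: Optional[dict] = None


def authenticate(username: str, password: str, source_ip: str) -> AuthResult:
    """Authentication decision with a deceptive branch for decoy accounts."""
    record = USERS.get(username)
    if record is None:
        # Run the KDF anyway so unknown users are not cheaper to probe.
        _hash_password(password, b"\x00" * 16)
        return AuthResult("deny")
    candidate = _hash_password(password, record["salt"])
    if not hmac.compare_digest(candidate, record["hash"]):
        return AuthResult("deny")
    if record["decoy"]:
        # The decision deceives: the caller gets a session, but it is bound to
        # a decoy environment and the event is reported for incident response.
        alert = {"type": "decoy_account_login", "username": username,
                 "source_ip": source_ip}
        ALERTS.append(alert)
        return AuthResult("decoy", session="decoy-" + secrets.token_hex(8),
                          alert=alert)
    return AuthResult("real", session=secrets.token_hex(16))


def login_outcomes() -> list:
    """Constructed sequence: a legitimate login, a guess that hits the decoy,
    and a guess against a real account that misses."""
    attempts = [
        ("alice", "correct-horse-battery-staple", "10.0.0.5"),
        ("backup_admin", "Password123", "198.51.100.7"),
        ("alice", "Password123", "198.51.100.7"),
    ]
    return [authenticate(u, p, ip).outcome for u, p, ip in attempts]


if __name__ == "__main__":
    print(login_outcomes())   # ['real', 'decoy', 'deny']
    print(ALERTS)
```

The decoy branch returns a session that looks valid to the caller; what the session is bound to (a sandboxed environment, read-only fake data) is the deployment’s choice, and the alert carries the source address so the operations team can act on it.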

Pawlick et al. [272] present a taxonomy of defensive deception from the perspective of game theory. Fig. 3.5 shows the defensive deception taxonomy. It is composed of six types of deception techniques, namely perturbation, moving target defense, obfuscation, mixing, Honey-X, and attacker engagement. Perturbation refers to adding noise to a communication to limit leakage of sensitive information. Moving Target Defense aims at randomizing and reconfiguring networks, assets, and defense tools to decrease the effectiveness of attacker reconnaissance. Obfuscation considers protecting privacy by redirecting attackers to decoy targets rather than real assets and by revealing useless information alongside real information. Mixing refers to the use of exchange systems such as mix networks and mix zones to prevent linkability. Honey-X deception regards the use of specific systems such as honeypots and honeynets to draw the attackers’ attention. Finally, Attacker Engagement is about using feedback to manipulate attackers over a long period of time to make them waste time and resources while gathering intelligence about them.

Figure 3.5: Defensive deception taxonomy based on game-theory studies [272] (figure reconstructed as a list)
Cryptic deception: Perturbation, Moving Target Defense, Obfuscation, Mixing; further divided by actors (Intensive, Extensive) and by actions (Informational, Motive)
Mimetic deception: Honey-X (Static), Attacker Engagement (Dynamic)
Legend: Θ private information, P actors, T duration, A actions

In a broad sense, there are two categories of cybersecurity deception: Cryptic and Mimetic. These are terms borrowed from biology. Crypsis is used when an animal resembles some object that is of no interest to its enemy, and in doing so it is concealed. Mimesis mimics an object that is well known, and in doing so it becomes conspicuous.

The taxonomy considers the game-theory notions of private information, actors, actions, and duration. Private information (Θ) is about causing attackers to obtain noisy or uncertain information about the state of reality. This is accomplished by manipulating the attacker’s beliefs to create traps or decoys, or by hiding a true belief. Actors (P) are the players involved in the deception. Based on the actors, cryptic deception can be divided into intensive and extensive deception. In intensive deception, the defender alters the very object that is being hidden by, for example, adding noise to private data. In extensive deception, the defender hides an object using other objects in the environment by, for example, changing the location of the private data. Actions (A) represent how deceivers proceed with the deception. Cryptic deception is categorized into deception that uses information and deception that uses motion. Deception that uses information creates noise by manipulating the data released about agents’ properties. Deception that uses motion is associated with agility and randomization and modifies the agents’ properties over time. Regarding duration (T), within mimetic deception, scenarios can be static or dynamic. Dynamic games feature multiple interactions, while static games consist of only one interaction (one-shot games). The most popular set of static mimetic deceptions are honeypots, honeynets, and honeytokens, generically referred to as honey-x. Attacker engagement denotes all forms of dynamic mimetic deception.

More recently, Han et al. [151] propose a multi-dimension classification based on four major levels: goal of deception, unit of deception, layer of deception, and deployment of deception (Fig. 3.6). Goal of deception captures the purpose a deception technique is trying to achieve. The goal can be either to improve and complement attack detection, to enhance prevention, or to mitigate successful attacks. The first category (improve and complement attack detection) includes solutions designed to detect an attack, typically because it interacts with active traps or passive decoys intentionally left accessible to adversaries. Deceptions from the second category (enhance prevention) aim at confusing or distracting attackers from the real targets before an attack occurs. The last category (mitigate successful attacks) targets on-going attacks and tries to reduce their damage.

Figure 3.6: Multi-dimension deception proposed in [151] (figure reconstructed as a list)
Goal: improve and complement attack detection; enhance prevention; mitigate successful attacks
Unit: Almeshekah and Spafford taxonomy; data unit refined into parameter, file, account, user profile, source code, database record
Layer: network, system, application, data
Deployment: built-in, add-to, in-front, isolated

Unit of deception refers to the granularity of the decoy used to deceive. It reuses the granularity proposed by Almeshekah and Spafford (Fig. 3.4) and refines the data unit into the following elements: parameter (e.g., honey URL parameters and honey web form fields), file (e.g., decoy documents), account (e.g., honey user accounts), user profile (e.g., honey profiles), source code (e.g., decoy comments in source code), and database record (e.g., database honey tokens). Layer of deception indicates the computation layer at which deception is implemented. It is organized into network, system, application, and data layers.

Deployment of deception refers to how deception is integrated within a target system. There are four categories of deployment: built-in, added-to, in-front, and isolated. Built-in considers deception built into the design of the system. Added-to deceptions are those injected into the system a posteriori, when the system is operational and running (e.g., decoy files). In-front deceptions consider solutions that run between the target system and the adversary (e.g., a proxy). Finally, isolated deployment considers solutions fully isolated from the real systems.

3.3.2 Probabilistic models

Probabilistic models assess the outcome of different deceptive events by incorporating belief as a random variable. Rowe [299] proposes a Bayesian belief-update model to estimate the attacker’s belief in false excuses (e.g., a network breakdown, or the system currently being under maintenance). Rowe [298] also proposes a probabilistic model to assess the costs and benefits of deceiving. This model is useful to determine if and when to deceive. A multilayered deception model is presented by Wang et al. [364]. This model considers three layers of deception (honey people, honey files with honey activity, and honey servers with honey activity) to find the optimal allocation of honey-resources in such a way as to minimize the total loss in case of an attack. Crouse et al. [89] introduce a set of probabilistic models to assist administrators in deploying address shuffling (moving target) and honeypots (deception) as reconnaissance defenses.
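To make the belief-as-random-variable idea concrete, the following added example (not Rowe’s models [298, 299], but a simplified two-hypothesis version written for this page) updates the estimated probability that a target still believes a false excuse as observations arrive, and then applies an expected-value rule for whether deceiving is worthwhile. The prior, the likelihood table, the observation names, and the benefit/cost figures are all constructed.

```python
"""Bayesian belief update for a false excuse, plus an expected-value rule
for whether to deceive.

Added illustration, not Rowe's models [298, 299]. Prior, likelihoods,
observation names and cost/benefit values are constructed.
"""
from typing import Iterable, Tuple

# Two hypotheses the target may hold about the excuse "the network is down".
GENUINE, DECEPTIVE = "genuine", "deceptive"

# Constructed likelihoods P(observation | hypothesis). A consistent error
# message supports the excuse; other hosts on the same network still being
# reachable is much more likely if the excuse is false.
LIKELIHOODS = {
    "error_message_consistent": {GENUINE: 0.9, DECEPTIVE: 0.6},
    "other_hosts_reachable":    {GENUINE: 0.3, DECEPTIVE: 0.8},
    "retry_still_fails":        {GENUINE: 0.8, DECEPTIVE: 0.7},
}


def update_belief(prior_genuine: float, observations: Iterable[str]) -> float:
    """Return P(genuine | observations) after sequential Bayes updates.

    Each step: P(G|o) = P(o|G) P(G) / (P(o|G) P(G) + P(o|D) P(D)).
    """
    p_genuine = prior_genuine
    for obs in observations:
        like = LIKELIHOODS[obs]
        num = like[GENUINE] * p_genuine
        den = num + like[DECEPTIVE] * (1.0 - p_genuine)
        p_genuine = num / den
    return p_genuine


def expected_value_of_deceiving(belief: float, benefit_if_believed: float,
                                cost_if_detected: float) -> float:
    """Deceiving pays off in expectation if the target is likely enough to
    keep believing the excuse relative to the cost of being caught."""
    return belief * benefit_if_believed - (1.0 - belief) * cost_if_detected


def should_deceive(belief: float, benefit_if_believed: float,
                   cost_if_detected: float) -> bool:
    return expected_value_of_deceiving(belief, benefit_if_believed,
                                       cost_if_detected) > 0.0


def run_scenario() -> Tuple[float, bool]:
    """Constructed scenario: prior 0.7 that the excuse is believed, then two
    observations the target makes; decide with benefit 10, detection cost 8."""
    belief = update_belief(0.7, ["error_message_consistent",
                                 "other_hosts_reachable"])
    return belief, should_deceive(belief, benefit_if_believed=10.0,
                                  cost_if_detected=8.0)


if __name__ == "__main__":
    b, decision = run_scenario()
    print(f"P(excuse believed) = {b:.3f}, keep deceiving: {decision}")
```

The belief falls from 0.7 to about 0.57 once the target notices other hosts are reachable, which is exactly the kind of feedback a deceiver would watch for before deciding whether to keep the excuse in place or withdraw it.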

In the same spirit, Cho and Noam [71] employ a probability model using Stochastic Petri Nets to investigate how an integrated defense system equipped with IDS, deception, and moving-target defense can best perform based on the interplay between the different defense techniques. Jajodia et al. [183] propose a probabilistic logic of deception (PLD-Logic) and show how generating a mix of real and fake results leads to the least (expected) damage to the system.

3.3.3 Game-theory approaches

Game-theoretic models are employed in cyber security to formally capture the interactions between an attacker and a defender. In deceptive interactions, game-theory models provide a quantitative and systematic understanding of deceptions by allowing the development of incentive mechanisms that could alleviate cyber risks. Game-theory approaches applied to cyber security study the equilibrium solutions to determine optimal strategies for defense [294]. A solution is a formal rule for predicting how a game will be played. Briefly, a game consists of players, actions, payoffs, and strategies. A traditional analysis of games is finding equilibrium strategies. The most commonly employed solution concept in game theory is the Nash equilibrium, which is reached when no player can improve their payoff by independently changing their strategy [294].


General deceptive games have been proposed to model the behavior of the deceiver and deceivee and construct strategies for both attack and defense [170, 378, 377, 86].

More specifically, strategies using honeypots in network defense have been extensively modeled using game-theory approaches. These approaches employ strategies to optimally decide on the best response to probes sent by attackers [131, 159, 278, 110, 109, 273, 212, 185] and to actively stimulate malicious users into exposing themselves [354]. Although deceptive games are typically modeled by disguising a honeypot as a normal system, normal systems may also be disguised as honeypots [54, 59]. Other relevant areas of investigation using game theory include the problem of jamming attacks on wireless networks [382, 78, 5], gaining information from botnets [383], determining the balance between capital and expense for defensive investments [384], mitigating DDoS attacks [59], deceiving the fingerprinting process [289], detecting attacks that use fake avatars in social networks [246], and mitigating attacks against cloud services using moving-target deceptive mechanisms [77, 4].

More recently, hypergames have been employed in cyber deception as a means to understand how an attacker’s perception of security defenses can be modeled and how it influences the attacker’s strategy. Unlike traditional game-theory models, hypergames allow modeling the misperceptions that result from the use of deceptive techniques [32]. Therefore, in a hypergame, the assumption of common knowledge is relaxed, and the players may have erroneous interpretations of the conflict. Gutierrez et al. [148] contribute scenarios to model misperception using hypergames. These scenarios encompass misinterpretation (when a player does not correctly interpret an action, player, or preference), over-perception (when a player believes that there are additional players or player actions which do not exist), and under-perception (when a player under-perceives the presence of other players or the types of actions that a player may execute). Similarly, Cho et al. [72] define hypergames at two levels. At the first level, each player plays the game based on its own perception. At the second-level hypergame, on the other hand, at least one player is aware of another player’s misperception. In a more specific application, Gutierrez et al. [149] show how hypergames can be used to model the ErsatzPassword security mechanism, which is used to mitigate offline password cracking attacks. Ferguson-Walter et al. [117] propose the use of hypergames in adaptive cyber deception. This game considers attackers as being “naive” or “sophisticated” according to whether or not they are aware that deception is a component of the game.
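The notions used in this subsection (players, actions, payoffs, the Nash equilibrium as a no-profitable-deviation condition, and the first- and second-level hypergames of Cho et al. [72]) can be exercised on a two-by-two defender/attacker game. The block below is an added example written for this page, not code or payoffs from any of the cited papers: the actions, the payoff matrix, and the way the naive attacker’s perceived game is derived from the true game are all constructed assumptions. It finds the pure equilibria by checking unilateral deviations, solves the fully mixed equilibrium from each player’s indifference condition, and then shows the second-level hypergame, where a defender who knows the attacker misperceives the game best-responds in the true game to the attacker’s predicted play.

```python
"""Nash equilibria of a small deception game and the hypergame view of a
naive attacker. Added illustration; actions and payoffs are constructed and
do not come from the papers cited in the chapter.
"""
from itertools import product
from typing import Dict, List, Optional, Tuple

Profile = Tuple[str, str]
Game = Dict[Profile, Tuple[float, float]]  # profile -> (defender, attacker) payoff

DEFENDER = ("deploy_decoy", "harden_real")
ATTACKER = ("attack", "probe_only")

# True game (constructed): attacking a decoy exposes the attacker and pays the
# defender; attacking a merely hardened real host still pays the attacker.
TRUE_GAME: Game = {
    ("deploy_decoy", "attack"):     (5, -4),
    ("deploy_decoy", "probe_only"): (0, 0),
    ("harden_real", "attack"):      (-3, 2),
    ("harden_real", "probe_only"):  (1, -1),
}

# First-level hypergame: the naive attacker does not know decoys exist, so in
# its perceived game every defender choice looks like a real, hardened host.
PERCEIVED_GAME: Game = {
    (d, a): TRUE_GAME[("harden_real", a)] for d, a in product(DEFENDER, ATTACKER)
}


def pure_nash(game: Game) -> List[Profile]:
    """Profiles from which neither player gains by deviating alone."""
    result = []
    for d, a in product(DEFENDER, ATTACKER):
        ud, ua = game[(d, a)]
        defender_ok = all(game[(d2, a)][0] <= ud for d2 in DEFENDER)
        attacker_ok = all(game[(d, a2)][1] <= ua for a2 in ATTACKER)
        if defender_ok and attacker_ok:
            result.append((d, a))
    return result


def mixed_nash_2x2(game: Game) -> Optional[Tuple[float, float]]:
    """Fully mixed equilibrium (p, q) of a 2x2 game, if one exists.

    p = P(defender plays DEFENDER[0]) makes the attacker indifferent between
    its two actions; q = P(attacker plays ATTACKER[0]) makes the defender
    indifferent. Returns None when no interior solution exists.
    """
    d0, d1 = DEFENDER
    a0, a1 = ATTACKER

    def ud(d, a):
        return game[(d, a)][0]

    def ua(d, a):
        return game[(d, a)][1]

    denom_p = ua(d0, a0) - ua(d1, a0) - ua(d0, a1) + ua(d1, a1)
    denom_q = ud(d0, a0) - ud(d0, a1) - ud(d1, a0) + ud(d1, a1)
    if denom_p == 0 or denom_q == 0:
        return None
    p = (ua(d1, a1) - ua(d1, a0)) / denom_p
    q = (ud(d1, a1) - ud(d0, a1)) / denom_q
    if not (0 <= p <= 1 and 0 <= q <= 1):
        return None
    return p, q


def defender_best_response(game: Game, attacker_action: str) -> str:
    return max(DEFENDER, key=lambda d: game[(d, attacker_action)][0])


def second_level_outcome() -> Tuple[Profile, Tuple[float, float]]:
    """Second-level hypergame: the defender knows the attacker's misperception,
    predicts its play from PERCEIVED_GAME, and best-responds in TRUE_GAME."""
    predicted = pure_nash(PERCEIVED_GAME)
    attacker_action = predicted[0][1]   # "attack" in every perceived equilibrium
    d = defender_best_response(TRUE_GAME, attacker_action)
    return (d, attacker_action), TRUE_GAME[(d, attacker_action)]


if __name__ == "__main__":
    print("pure NE of true game:", pure_nash(TRUE_GAME))        # none
    print("mixed NE (p, q):", mixed_nash_2x2(TRUE_GAME))        # (3/7, 1/9)
    print("naive attacker's NE:", pure_nash(PERCEIVED_GAME))
    print("second-level outcome:", second_level_outcome())
```

In the true game no pure equilibrium exists and both sides must randomize (the defender decoys 3/7 of the time, the attacker attacks 1/9 of the time), whereas the naive attacker, whose perceived game has no decoy row, finds attacking dominant; a defender aware of that misperception collects the full payoff of the decoy. That gap between the true and perceived equilibria is what the hypergame framing makes explicit.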

3.3.4 Deception planning

Deception planning models refer to process models designed to specify, integrate, conduct, and evaluate deception operations. A deception operation, in the context of cyber space, represents the use of one or more deceptive methods to enhance the security of a software system. Yuill [375] proposes a deception operation process model covering planning and runtime activities. This model, which is inspired by military models, constitutes a basic process focused on the components found in successful deception operations. There are five major stages in the process: (i) deception-operation development, (ii) deployment, (iii) target engaged, (iv) continuation decision, and (v) termination. The deception-operation development stage is where the planning, building, and preparation for the target’s engagement take place. The second stage, deployment, aims at presenting the deception story to the target in his observation arenas. This represents the transition between planning and operation. The third stage, target engaged, starts when the deception is received by the target. The deceiver uses feedback channels to gather information about the target’s reception of the deception. At this point, there is a decision (stage four, continuation decision) on whether to continue with the deception. The deception operation can either terminate, continue as-is, or be modified. If the decision is termination (stage five), it is necessary to take control of the deception operation and perform clean-up operations so as not to leave any trace and to give the defender the opportunity to reuse parts of the deception in further operations.

Almeshekah and Spafford [9] propose a model to plan and integrate deception in computer security defenses. This model differs from others by explicitly proposing an integration of the deception into the system operation. The main contribution of this model, however, is to provide insights on how to incorporate deception in many parts of computer systems. For this, it uses the taxonomy presented in Section 3.3.1 to guide the development of the deception story. The process model comprises three phases: (i) planning, (ii) implementing and integrating, and (iii) monitoring and evaluating. In planning, first the planner makes clear the purpose of integrating deceptive mechanisms in a system; second, he defines how the target should react to the deceptive process; third, he identifies which biases (cognitive, cultural, etc.) the deception will exploit in the target’s perception; fourth, a deception story is created by the planner based on simulation and dissimulation techniques; fifth, the planner specifies the feedback channels; sixth, he identifies the risks and proper countermeasures. During the implementing and integrating phase, deceptive components are developed and/or configured to start performing their functions. The last phase in the framework, monitoring and evaluating, occurs at runtime and aims at monitoring the feedback channels to identify the state of the target’s beliefs among believed, suspected, and disbelieved.

Stech et al. [336] present the deception chain, a high-level meta-model for cyber-denial and deception (D&D) operations management. This model is an adaptation of Whaley’s process model [368]. The main contribution of this model is to provide means to integrate cyber-D&D systems with cyber threat intelligence and cyber operations security into the enterprise’s larger active defense system. The deception chain provides a life-cycle perspective comprising eight phases: (i) purpose, (ii) collect intelligence, (iii) design cover story, (iv) plan, (v) prepare, (vi) execute, (vii) monitor, and (viii) reinforce. In the purpose phase, the goals of the deception operation are identified along with the criteria that would indicate the deception’s success. Collect intelligence aims at defining how the adversary is expected to behave in response to the deception operation. Design cover story determines what information must be hidden and what information must be created and revealed to develop a convincing story. During the plan phase, the planner analyzes the characteristics of the real events to operationalize the activities that reveal or conceal the information conveying the cover story. Prepare involves designing the desired perceptual and cognitive effects on the target. The execute phase coordinates and controls the deception operation with ongoing operations so they can support the deception cover story. The monitor phase collects information from observation channels to determine whether deception operations are aligned with the desired effect on adversary behavior. Finally, reinforce analyzes ongoing operations to determine whether the cover story needs to be reinforced with additional deceptions. At this stage, planners have three options: revisit the first phase of the deception chain, execute an alternative deception, or plan another operation. All activities of this model can be mapped to activities presented in the previous models.

Heckman et al. [160] suggest that organizations should follow an iterative (spiral) model that incrementally expands the overall effectiveness of the cyber-D&D capability through higher maturity and continuous process improvements. Conversely to other deception planning process models, the iterative life-cycle management aims at identifying risks and calculating the operation’s effectiveness through rapid prototyping. Based on the outcomes observed at the end of each iteration, D&D techniques and services are tuned to raise the maturity level (from basic monitoring to systematically influencing the attacker’s behavior). At the basic level of maturity, organizations do not understand the adversary’s behavior but use some means to passively monitor his activities to get more clues. At the highest level, D&D is acknowledged as a strategic element by the organization and adversaries are influenced at the tactical, operational, and strategic levels. The iterative deception life-cycle management is composed of four stages: (i) plan cyber D&D, (ii) implement, (iii) deploy and execute, and (iv) post-deployment analysis. The plan cyber D&D stage encompasses establishing D&D goals and developing training curricula, tactics, best practices and standards, and metrics. In the implement stage, the organization decides to build or acquire technologies to set up deceptive environments (e.g., honeypots and honeynets), organizes and shares threat data to enable the secure dissemination of data, and defines the metrics to determine the performance and quality of D&D operations. All threat data are organized into different dimensions (e.g., category, transaction times, and adversary characteristics) and made available through shared repositories to enable the secure dissemination of data to D&D operations. The deploy and execute stage encompasses fine-tuning deployments, monitoring observables, and collecting field reports and metrics. At this stage the organization iteratively evaluates the risks and effectiveness of the current prototype. Finally, the post-deployment analysis stage exploits the outcomes of the iteration by evaluating the effectiveness versus the costs of the operation. Based on this analysis, the organization might propose improvements in the processes, services, and technologies for cyber D&D, generating feedback for the next iteration of life-cycle management.

Briskin et al. [48] propose the deception design process workflow. The main contribution of this model is to consider activities to test and validate the deception plot by exercising attack simulation. The process proposed in this model is composed of two main stages: deception planning and deception design. Deception planning is composed of two main activities: (i) mission analysis and (ii) deception initiation. Mission analysis produces two main outputs: deception limitations/constraints and the mission context. Limitations/constraints represent possible restrictions originating from the requirements of the operations. Mission context identifies the necessary resources to conduct the operation and the potential targets of the deception. Deception initiation aims at describing the deception goals and specifying the deception story. In the design phase, first the deception scenario is described, containing the necessary elements to achieve the deception goals; second, a security analysis is performed to define the attack surface, attack scenarios, deception transmission channels, and the feedback channels; third, the deception controls that will compose the deception plot are generated; fourth, the deception plot is then created based on the deception controls. A cyber deception plot comprises a set of deployable software modules, and configuration and deployment scripts; fifth, the controls are tested and validated using attack scenarios; finally, the expected effects and impacts are verified against the deception goals. Similar to Heckman et al.’s model, this process is iterative, thus after analyzing the expected effects and impacts, the deception scenario is refined and the whole deception design loop is repeated until an acceptable alignment between the desired effect and the mission impact is found.

3.3.5 Deception architectures

General architecture models have been proposed as a way to reduce complexity and facilitate the incorporation of deception-based technologies in a network. While most deception-based technologies are implemented following a specific architecture (e.g., the mirage system [339], the dynamic host mutation architecture [270], and the hybrid decoy architecture [338]), general architectures act as a reference for the implementation of different deception-based solutions. In the field of honeypots, honeynet architectures organize how network elements and honeypot systems relate to each other to detect attacks, control data flows, collect data, and trigger alerts. A honeynet represents a highly controlled network of honeypots [332]. Honeynet architectures have been organized into three different generations: Gen I, Gen II, and Gen III [329]. The Gen I architecture is composed of two basic modules: data control (firewall and routers) and data capture (firewall, IDS sensor, and honeypot system log). Data control prevents attackers from using a compromised honeypot system to attack other external computer systems. Data capture aims at collecting data from attacks. Gen I honeynets are placed in an isolated network behind a network access control device, often a firewall. The Gen II architecture differs from the Gen I architecture by adding a honeynet sensor that combines the functionality of both the IDS sensor and the firewall. This creates a solution that is easier to implement
