A Deception Framework for Survivability Against Next Generation Cyber Attacks

Ruchika Mehresh and Shambhu UpadhyayaDepartment of Computer Science and Engineering,

University at Buffalo, Buffalo, NY 14260

1

Motivation

3

The Asymmetric warfare

Kind of sophisticated attacks happening lately:Botnets, command and control Operation Aurora Stuxnet

Problem Statement

How to enable critical systems to survive the next-generation of sophisticated attacks

4

Deception

Introduction

• Survivability is the ability of a system to perform its mission (essential operations) in presence of attacks, faults or accidents

• Focus on how to survive an attack– Does not focus on source or type of attack

5

Introduction

• Survivability involves four phases:– Prevention against faults/attacks– Detection of faults/attacks– Recovery from faults/attacks– Adaptation/Evolution to avoid future attacks

• Timeliness property

6

Introduction

7

Next-generation attack assessment

Formal requirements

Deception as a tool of defense

Proposed framework

Solution

8

Underlying pattern in sophisticated attacks [6]

Features:1.Multi-shot2.Stealth3.Contingency plan

Underlying pattern in sophisticated attacks [6]

Features:1.Multi-shot2.Stealth3.Contingency plan

Formal system requirements

9

Recognizing the smart adversary

Prevention

Surreptitious detection

Effective recovery with adaptation

Zero-day attacks

Formal system requirements

10

Conserving timeliness property

Non-verifiable deception

Deception as tool of defense

• Preventive deception– Hiding, Distraction, Dissuasion

• Detection– Honeypot farm

• Recovery– Concealing the detection till an effective patch has

been worked out

11

Framework

12

Work in progress

• Design issues

• Controlling the feedback loop

• Smart-box design– Assess the nature of the traffic flow– Map AIOS to a honeypot

13

Conclusion

• Deception based survivability solution against sophisticated attacks

• Dealing with zero-day attacks while conserving timeliness property

• Stronger recovery with surreptitious detection

14

References1. E. Nakashima and J. Pomfret. China proves to be an aggressive foe in cyberspace,

November 2009.2. M. Ramilli and M. Bishop. Multi-stage delivery of malware. 5th International

Conference on Malicious and Unwanted Software (MALWARE), 2010.3. E. J. Kartaltepe, J. A. Morales, S. Xu, and R. Sandhu. Social network based botnet

command-and-control: emerging threats and countermeasures. Proceedings of the 8th international conference on Applied cryptography and network security (ACNS), pages 511–528, 2010.

4. M. Labs and M. F. P. Services. Protecting your critical assets, lessons learned from operation aurora. Technical report, 2010.

5. M. J. Gross. A declaration of cyber-war, April 2011.6. K. A. Repik. Defeating adversary network intelligence efforts with active cyber

defense techniques. Master’s thesis, Graduate School of Engineering and Management, Air Force Institute of Technology, 2008.

7. A. D. Lakhani. Deception techniques using honeypots. Master’s thesis, MSc Thesis, ISG, Royal Holloway, University of London, 2003.

15