Defending computer system with decoys - PDF document

ofcomputers.1IntroductionOrganizationsacrosstheglobearebecomingincreasinglyawareoftheimportanceofsecuringtheircomputersystems.Asaconsequence,worldwidesalesofsecuritysoftwareroseby7.5%in2011[5].Governmentagenciesareparticularlyconsciousoftheneedtodefendtheircomputinginfrastructure.ThisisexempliedbythefactthattheUnitedStatesgovernmentincreasedfundingforcybersecurityresearchby35%from2011to2012[15].Attentivenesstosecuritypracticeshasalsorisenattheindividuallevel,as90%ofAmericanadultsnowbelievethatasafeInternetiscriticaltotheU.S.economy[16].Yetinspiteoftheheightenedscrutinythatsecuritypracticeshavebeenunder,computercrimescontinueto ourish.ArecentstudybythePonemonInstitutefoundthatthenumberofcyberattackshasmorethandoubledsince2010[14].Sincetheseattacksarealsobecomingmorecomplexanddiculttoanticipate,anaveragecompanycancurrentlyexpecttobethevictimof1.8successfuloensiveeortspermonth[14].Thevastmajorityofexistingcomputersecuritymeasuresfocusoncontrollingaccesstokeepmaliciousactorsout.Otherapproachesattempttoeliminatesystemvulnerabilitiesoratleastpreventtheirexploitation.Theaforementionedtrendsinsecuritystatisticsleavelittledoubtthatthesetechniquesarenotcapableofsucientlysecuringtoday'scomputernetworks.Overtimesuchsecuritysolutionswillinvariablyfail,allowingadversariestoillicitlyaccesssystemcredentials,data,andnancialresources.Furthermore,traditionalsecuritytechniquesoernodefenseagainst\insiders"whoinitiallyholdlegitimatecredentialsbutlaterchoosetogorogue.Thispaperproposestheuseofdecoysasanewparadigmforaddressingcomputersecurityissuesthatexistingdefensesarenotcapableofdetecting.Decoysareconstructswhichcontaindatathatappearsvaluablebutisinfactspurious.Sinceauthenticuserswillhaveanatural2 2RelatedWorkTheuseofdeceptivetechniques,suchasdisinformativepropaganda,tothwartone'senemieshasplayedapartinmilitarycon ictsinceantiquity.NoonehassummarizedtheimportanceofdisinformationinthecontextofcombatmoreconciselythanSunTzu,whowrotethat\allwarfareisbasedondeception"intheArtofWar[17].AwellknownexampleofdeceptioninamilitarycontextisOperationBodyguard,whichwasanAlliedplanusedduringWorldWarIItodistractGermanforcesfromtheinvasionofNormandy[8].Althoughdeceptionisanancientconcept,ithasonlyrecentlybeenappliedtotheprocessofsecuringcomputersystems.CliStollwastherstpersonknowntoutilizemisdirectioninordertosecureanetworkofcomputers.StollestablishedaspurioussetofcomputingresourcesinordertocatchhackerswhowereattemptingtoexltrateinformationfromLawrenceBerkeleyNationalLaboratory[6].Computerswhoseprimaryfunctionistoattracttheattentionofmaliciousactorsareoftencalled\honeypots."Entirenetworksofsuchspuriousmachinesareknownas\honeynets."Thesesystemsareusuallyconstructedinawaysuchthattheyappearasthoughtheyareanunassumingcomponentofalargernetworkarchitecture.Inreality,however,theyfailtocontainanyusefuldataandarecordonedofromnetworkresourceswhichareactuallyvalued.Honeypotsandhoneynetscanbequiteeectivewhenusedtodetectexternalthreats.Theirapplicabilitytowardsdefendingagainstattacksoriginatingfromwithinanorganizationislimited,though.Thisisduetothefactthatthisclassofadversariestypicallyalreadyhavetheknowledgethatisrequiredtoaccesstheportionofanetworkwherelegitimatedataresides.Furthermore,honeypotsoernoutilityafterasuccessfulattackhasalreadyoccurred.Spitznerextendedtheconceptofhoneypotstothedomainofinsiderthreatdetectionbyinventingtheconceptof\honeytokens"[12].Honeytokensaredeceptivesecurityconstructsthatworkatamuchnergranularitythanhoneypotsorhoneynetworks.Theyareindividual4 bankcredentialsismorelikelytocapturetheirmaliciousactivitythanonewhosecontentconcernsmedicalinformation.Similarly,certaingenresofdecoysmaybemoreapplicabletospeciccorporateenvironments.WehaveincludedadetaileddiscussionofdecoyusagescenariosinSection4.Inordertodesigndecoysthatareaseectiveaspossible,itisalsobenecialtoanalyzetheminamoregeneralsensebyconsideringcharacteristicsthatareindependentofapar-ticularcontext.AsinitiallyexploredbyBowenet.alin[1],severalabstractpropertiesexistthatdenehowadecoyshouldoperateunderidealcircumstances.Someoftheseattributesconcerntherelationshipbetweenadversariesanddecoydata,whileotherspertaintotheinteractionsbetweenlegitimateusersanddeceptivematerial.A\perfectlybelievabledecoy"wouldpreciselyconformtoalloftheseguidelines,thoughpracticalrestrictionspreventthisfromoccurringinmostsituations.Althoughthereexistssomeoverlapbetweenthesetraits,itisalsoworthnotingthattheyarenotcompletelyorthogonal.Forexample,believabilityanddierentiabilityareincontentiontosomeextent.3.1BelievabilityOneofadecoy'sprimaryfunctionsistobebelievable.Uponinspection,adecoyshouldappearauthenticandtrustworthy.Intheabsenceofanyadditionalinformation,itshouldbeimpossibletodiscernaspuriousdecoyfromauthenticdata.Forexample,adecoytaxdocumentshouldcontainallofthesameeldsasonethatisactuallyinuse,andeachofitseldsshouldbepopulatedwithrealisticvalues.Believabilitycanbeformalizedviathefollowingthoughtexperiment.Considerapoolofles,someofwhichcontainrealdataandsomeofwhicharefabricateddecoys.Selectadecoyleandrealpieceofdatafromthispool,andpresentittoanadversary.Theselecteddecoycanbeconsideredperfectlybelievableifthisattackerhasanequalprobabilityofselectingthedecoyandthelegitimatedocument.Thischaracteristicisofcriticalimportancetoexternallyobservablefeaturesofdecoys.6 locationssuchasauser'sdesktop.Italsodemonstratesthatitishelpfultoplacedocumentsinhightraclesystemlocations,includingworkingfolderswherelesthatareaccessedonaday-to-daybasisarestored.Filesystemsearchesarealsouseractionsthatmayresultinthepresenceofdecoys.Conspicuousdecoysshouldthereforebeeasilylocatedbysearchqueries.Thisrelatesconspicuousnessbacktoenticingness,however,asthesearchtermsthatanadversaryemployeeswillbeheavilydependentontheirunderlyingmotivation.3.4DetectabilityTheaforementioneddecoypropertiesallconcerntherelationshipbetweendecoydocumentsandapotentialattacker.Detectability,ontheotherhand,describestheabilityofdecoystonotifytheirownerwhentheyhavebeenaccessed.Anidealdecoysystemwouldissueanalerteachandeverytimeadecoyisaccessed,buttechnicalchallenges,includingnetworkavailabilityandvariabilitybetweensoftwareplatforms,meanthatthismaynotalwaysbepossibleinpractice.Deployingmultipleoverlappingdecoymonitorsthatoperateatdierentsystemlevelscanhelpmitigatethepossibilityofanattackeraccessingadecoywhileremainingunde-tected.Featuresofthedecoydocumentsthemselvescanbeleveragedtoequipthemwithembeddedalertcode.Monitoringsoftwarecanbeplacedintheoperatingsystemtodetectpredeterminedtokensplacedwithindecoyswhentheyareopened.Further,operatingsys-temauditingcanbeenabledtorecorddecoyinteractions.Inordertocheckfordocumentexltration,softwarecanbeplacedonnetworkequipmenttocheckforsuchtokensaswell.Finally,thecontentofdecoydocumentscanalsoserveasanalertsystem.Forexample,credentialsforspuriousaccountscanbeplacedwithinadecoy.Sincethereisnoreasonthatalegitimateuserwouldeveraccesstheseaccounts,anyactivitytheyexhibitwouldsendastrongsignalofmaliciousintent.Itisparticularlycriticalthatdecoyaccesseventsaredetectablewhileanattackistakingplace.Continuingtomonitorthisinformationallowsforcondentiallyviolationstobe8 3.6StealthWhileitisclearlydesirablethateverydecoyaccesseventbeperceptibletotheownersofasystem,caremustbetakenlestthealarmsthataccomplishthisarousesuspicion.Anovertmechanismforissuingalertbeaconswouldprovideadversarieswithanobvioussignalthatanelementcontainsatrap,whichcompletelyviolatesthepropertyofdecoyvariability.Themessagesthataretransmittedbydecoysmustthereforebeassubtleandcovertaspossible.Raisinganalertthatdecoycontenthasbeenaccessednecessarilyinvolvestakingsomeaction,however.Evenifprecautionsaretaken,thereisalwaysthepossibilitythatthisactwillbeperceptibletoamaliciousactor.Itisthereforealsodesirabletotriggerbeaconeventsasearlyaspossibletopreventtheirinterception.Forexample,alertsforlebaseddecoysshouldberaisedassoonastheyareaccessedandpriortoanycontentbeingdisplayed,iffeasible.Thiswouldeliminatethepossibilityofadecoybeingrecognizedanddiscardedbeforethedecoysystemhasanopportunitytodetectthatishasbeenaccessed.3.7Non-interferenceThispropertyisthersttodescribehowdecoysshouldcoexistwithlegitimateuserswhoarenotmasqueradingwithassumedcredentials.Anoptimalmasqueraderdetectionnetworkwouldnotaectthehabitsoftypicalusersinanyway.Byinsertingdecoymaterialintoanoperatingenvironment,however,weintroducethepossibilitythatthisdatawillconfuseusersorotherwisehindertheirabilitytocompletetheireverydaytasks.Itisthereforedesirablefordecoystodemonstratethepropertyofnon-interferencebynotobstructingthebehaviorofnormalusers.Ifalesystemispopulatedwithdecoydocumentsthatserveasintrusionsensors,forexample,theprobabilitythatthelesystem'sprimaryownerisabletoaccessaparticularstandarddocumentshouldremainthesameasitwaspriortotheintroductionofthedecoycontent.Similarly,introducingdecoyapplicationstoamobiledevice'soperatingsystemshouldnotimpactauser'sabilitytoaccessrealapplicationsastheynormallywould.10 anoptimalleveloffunctionalityandafterwhichtheirecacybeginstodiminish.Itisthusdesirablefordecoydeploymentsystemstoincludeamechanismbywhichdecoyscanbeupdated,potentiallyextendingtheirshelflifeindenitely.4DecoyUsageScenariosThissectionintroducesseveralbroadsituationsinwhichsecuritycanbebolsteredbyde-ployingadecoydefensenetwork.Italsoattemptstodiscusssomeofthechallengesthatmustbemetinorderfordecoystobeusedeectivelyineachenvironment.4.1HostDecoysThemostcommonusagescenariofordecoysistoplacethemonaterminalthatiswithinalocalcomputernetwork.Thisistheoperatingenvironmentforwhichdecoydocumentswereoriginallydesigned,andassuchtheyrequirelittlemodicationtobeutilizedinthismanner.Therearestillsomedeploymentquestionsthatmustbeconsidered,however.Forexample,systemadministratorsmustdeterminewhethertheywillpushdecoydocumentsouttoclientsystemsorrequireuserstopulldecoysfromadistributionsourcethemselves.Theformerplaceslessofaburdenonindividualusers,butmaytemporarilyleadtoanincreaseinfalsepositivesasusersbecomeacquaintedwiththenewdecoysthathavebeenplacedintheirworkspace.Experimentsfrom[13]showhowdecoyaccessisaectedbyadocument'slesystemlocationandthenumberofdeployeddecoys.4.2NetworkandBehavioralDecoysInaneorttodetectsilentattackersastheyeavesdropontransmissionsbetweencomputersystems,wehavealsodevelopeddecoysthatoperateonanetworklevel.Ratherthanhostbaseddatales,thesedecoysconsistofbogusdata owsthatareinjectedintoanetwork.Thistracmustappearlegitimateintermsofprotocolspecicationsbutalsocontainsbait12 sensitivecorporateororganizationaldata.Furthermore,gainingaccesstoanorganization'sinfrastructureonthecloudisachievedthroughprovidingausernameandpassword.Suchalightweightauthenticationmechanismpresentsanincreaseintheproblemofmasqueraderinsiderthreats.Accordingto[18],observingdeviationsfromtypicaluserbehaviorcanbeusedintandemwithdecoydocumentsinacloudenvironment.Ifabnormaldataaccessisnoticed,thecloudcanreturndecoyinformationthatlookslegitimatetotheattackerwhotriggeredtheunusualusagepattern.Intheeventofafalsepositive,anauthorizeduserwouldbeabletorecognizeanyfalseinformationreturnedbythecloudandthencorrectlyrespondtoaseriesofauthenticationchallengestoprovehisorherlegitimacy.Thecloudwouldpreventanyunauthorizeddisclosureofinformationbycontinuouslyreturningfalsedatatoadversaries.Alsousefulinadistributedenvironmentsuchasthecloudistheconceptofcomputationaldecoys.Oftenasinglecomponentofacloudwillberesponsibleforacertaintask.Ifthiscomponentiscompromised,thedistributedsystemallowsmigrationoftheuncorruptedcomponentselsewhere.Thecompromisedcomponentscanthenactuallyusecomputationaldeceptiontoreturnfalsedata,thusdivertinganattacker'sattention[11].4.4SoftwareDecoysCompaniesareconstantlyfacedwiththechallengeofpreventingemployeesfromstealingproprietarysoftware.InMayof2012,forexample,acomputerprogrammerwasfoundguiltyofillegallycopyingsoftwarefromtheFederalReserveBankofNewYork[2].Softwareisperhapsthemostvaluableassetforanorganizationandisconsequentlyahighlyprotabletargetforinsiders.Toguardagainsttheunauthorizedexltrationofproprietarysoftware,wehavedevisedsoftwaredecoysthatlooklikelegitimatesourcecodebuthavebeaconsthattriggerwhenthecodeiscompiledorexecuted[19].InadditiontothepropertiesofdecoysdescribedinSection3,softwaredecoysshouldadheretoseveraladditionalrequirements.Thecodemustbecompilableandexecutablein14 Aseconduseofdecoysinamobilesetting,whichissimilartotheirusageinacloudenvironment,isforremoteaccesstosensitivedocuments.Peopleareincreasinglyusingmo-bilephonestoaccessprivateinformation.Wearecurrentlyworkingonamobileapplicationthatinterfaceswithauser'sdocumentsremotelyanddetectsunauthorizedaccess.Whenuploadingdocumentstotheremoteserver,ausercreatesaauthenticationgesturethatislaterusedtoretrieveadocument'scontent.Ifauserprovidesanincorrectgesturewhenattemptingtoaccessadocument,illegitimatedataisreturned.5DecoyGenerationHavingestablishedwhatqualitiesdecoysshouldpossessandwheretheyareintendedtobeused,wenowturnourattentiontohowtheyshouldbecreated.Userscouldcertainlycraftdecoymaterialbyhand.Forinstance,uponcompletinganinvoice,ausercouldcreateasecondaryfakeinvoicethatmirrorstheformattingortheauthenticversionbutcontainsbogusinformation.Suchdecoyswouldbehighqualityintermsoftheirbelievabilitybecausetheywouldcloselymirrorrealdata.Theywouldalsobeverydierentiable;sinceuserswouldhavecreatedthedocumentsthemselves,theywouldeasilybeabletorecognizetheirphonycontent.Theprocessofmanuallyintroducingdecoycontenttoasystemisverytedious,however,sinceeachtimenewinformationissavedonthesystemanequalamountofspuriousmaterialwouldneedtobecreatedaswell.Userswouldalsoberesponsibleforcheckingaccesseventsfortheseles.Needlesstosay,manualdecoycreationwouldscaleverypoorlytoalargeorganizationwithmanycomputersandusers.Making,managing,andmonitoringdecoysisthusanontrivialproblem.Asanalternativetoperformingthesestepsmanually,wesuggestusingasystemthatdoessowithminimaluserinvolvement.ThisispreciselythepurposeoftheDecoyDocumentDistributor(D3)System[1].D3isatoolforgeneratingandmonitoringdecoyswhichcanbeaccessedby16 throughoutthecomputersonhisorhernetworkinordertodefendthemfrominsiderthreats.Tomanuallyplacedecoysinalesystem,thesystemadministratorwouldrsthavetocollectfeedbackfromusersregardingwhichlocationsintheirlesystemtheywouldliketoplacedecoys.Afteraggregatingthisdata,heorshewouldthenhavetorequestabatchofdecoysandthengothroughthepainstakingprocessofcopyingthemtotheirdestinationdirectoriesonebyone.Suchaprocessdoesnotscalewelltoanenvironmentwithalargenumberofcomputersandusers.Incontrast,theDDTrequiresneitherknowledgeregardinglesystemspecicsnorindividualleplacement.Itreducesthetaskofdecoydocumentmanagementtothesimplestepsofspecifyinghowmanydecoysaredesiredandinwhichportionofalesystemtoplacethem.Ourdistributionapplicationisthereforecapableofreducingthetimerequiredtoestablishasystemofinsiderthreatsensorsbyatleastanorderofmagnitudewhileretainingallofthesecuritybenetsofmanualdecoyusage.TheDDThastwomainobjectives.Therstistoautomaticallydeterminelocationsinacomputer'slesystemthataremostlikelytobeaccessedbyamaliciousinsider.Thesecondistoplacedecoydocumentsintheseselectedlocations,eitherdirectlyalongwithexistingdocumentsorinaseparatefolder.TheDDTallowsausertoselectasourcedirectoryofdecoydocumentsthatshouldbedistributedonthetargetmachine.TheusercanchooseanexistingfoldercontainingdecoysorcreateanewsetbyaccessingtheFOGwebsite[7]throughtheDDTandspecifyinganumberofdecoystobegenerated.Thisapproachenables exibilityinthetypesofdocumentsthataredeployedasdecoys.Oncetheuserchoosesasourcedirectoryofdecoydocuments,heorshethenspeciesadestinationdirectory.Thisdestinationdirectoryisusedasarootfromwhichtargetlocationsareselected.Enablingtheusertospecifytherootfromwhichtargetdirectoriesareidentiedallowsmorefreedomindecoyplacement.Forexample,ifaparticularownerofamachineonlyusesdirectorieswithin\C:nSal,"heorshemaywanttoconsiderplacingdecoyssolelyindirectoriesbranchingfromthisroot.18 inwithcurrentlyexistingdocuments,orinseparatefoldersthatcontaindecoysonly.6.3NamingofDecoyDocumentsandFoldersAswithlocation,thenamesofdocumentsdirectlyin uencehowenticingtheylooktoad-versaries.Foldernamescanalsoimpactauser'sdecisiontoaccessalocationinthelesystem.Whencreatingnewdirectoriesinwhichdecoyswillbeplaced,theDDTcreatesfourenticingly-namednewfoldersinthespecieddestinationdirectoryandevenlydispersesthedecoysoverthesefolders.Inaneorttoincreasethevariabilityofdecoys,theDDTusesthreemethodsfornamingdecoydocumentswhenattemptingtoblendthemwithexistingdocumentsinafolder,ran-domlyselectingamongtheseapproaches.Theprimeobjectiveofthenamingschemeistocreatelenamesthatblendinwithexistinglegitimatedocumentssothattheydonotlookovertlysuspicious.Atthesametime,thedecoynamesshouldluremalevolentusersintoopeningthedocuments.Therstnamingmethodselectsanexistingleinthetargetdirectoryandappendseither\-nal"or\-updated"totheendofthelename.Thelogicbehindthisschemeisthatthemostrecentlymodiedversionsoflesmayseemmoreocialthanolderversions.Notethatifeitheroftheterms\nal"or\updated"arealreadyusedinthelename,theDDTselectsanothernamingmethodforthisdecoy.ThesecondnamingmethodemployedbytheDDTappendsadatestringtotheendofarandomlyselectedexistinglenameinthetargetdirectory.Appendingadatestringmakesadocumentappearasifithasbeenmarkedasamoreauthentic,ocialversion.TheDDTusestheformatmmddyyforthedatestrings.Forexample,adecoydocumentmaybenamedcompany employees-010412.pdfandplacedinthetargetfolderalongsidealegitimatedocumentnamedcompany employees.pdf.Blendinglenamesbyuseofdelimitersisthenalnamingapproach.TheDDTcalcu-latesthedelimiterusedmostofteninthetargetdirectoryandmodiesadecoy'slename20 date.Ifanadversarydecidedtosortafolder'scontentsbydate,thedecoydocumentswouldthenappearatthetopofthesortedlist,makingthemconspicuousandlikelytobemoreattractivetargets.Anamingconventionthatappendsadatestringtothedecoy'slenameshouldintuitivelysetthele'screationdatetothatusedintheselecteddatestring.TheDDTrstdeterminesanappropriatedateforadecoydocumentbyndingthemediancreationdateofexistinglesinthedecoy'stargetdirectory.Thedecoy'screationdateisthensetwithina48-hourwindowofthemedian.Thedatestringappendedtothelenameisobtainedfromtheproposedcreationdate.Whenplacingdecoydocumentsinaseparatenewfolder,theDDThasnoexistingdocu-mentdatesonwhichtobaseale'stargetdate.Therefore,themodifydatesofthedecoysaredeterminedbythedatethatthedecoysaregeneratedbytheFOGsystem.Acreationdateisthensettouptotwodaysbeforetheexistingmodifydate.TheDDTsubsequentlyaltersthemodifyandcreationdatesofthenewfolderinwhichthedecoysareplaced.Thecreationdateofthefolderissettothecreationdateoftheoldestdecoyleplacedinside;themodifydateissettothatofthemostrecentlymodieddocument.Weconsideredthisdatingapproachthemostpracticalforthecaseinwhichnewdecoyfoldersarecreated,sinceusershavedirectcontroloverthedatesappliedtothedecoydocuments.Inourfuturework,theDDTwillincludeafeatureto\refresh"thedatesofdecoyssothattheyremainamongthemostrecentdocumentsinthelesystem.7ConclusionsTosummarize,thispaperintroducedanovelsecurityparadigmwhichwerefertoasdecoytechnology.Decoysrepresentadrasticdeparturefromexistingsecuritysolutionsinseveralimportantways.Byplacingcontentthatisspuriousyetbelievableandenticinginthepathofpotentialadversaries,decoyscanserveasapotentlastlineofdefenseagainstattacks22 Networks,2009.[2]B.Katz.ChineseManPleadsGuiltytoNYFedCyberTheft.Availableathttp://www.reuters.com/article/2012/05/29/usa-crime-fed-idUSL1E8GTBG120120529,2012.[3]B.Bowen,P.Prabhu,V.Kemerlis,S.Sidiroglou,A.Keromytis,andS.Stolfo.Botswindler:Tamperresistantinjectionofbelievabledecoysinvm-basedhostsforcrimewaredetection.InRecentAdvancesinIntrusionDetection,page118137,2010.[4]B.M.Bowen,V.P.Kemerlis,P.Prabhu,A.D.Keromytis,andS.J.Stolfo.Automatingtheinjectionofbelievabledecoystodetectsnooping.InProceedingsofthethirdACMconferenceonWirelessnetworksecurity,page8186,2010.[5]C.PetteyandR.vanderMeulen.GartnerSaysSecuritySoftwareMarketGrew7.5Percentin2011.Availableathttp://www.gartner.com/it/page.jsp?id=1996415,2012.[6]C.Stoll.TheCuckoo'sEgg,1989.[7]ColumbiaUniversityIntrusionDetectionSystemsLab.FOGComputing.Availableathttp://ids.cs.columbia.edu/FOG/,2012.[8]J.Rubin.Deception:Theother'D'inD-Day.Availableathttp://www.msnbc.msn.com/id/5139053/ns/msnbc_tv-the_abrams_report/t/deception-other-d-d-day,2004.[9]J.VorisandN.BoggsandS.Stolfo.LostinTranslation:ImprovingDecoyDocumentsviaAutomatedTranslation.InWorkshoponResearchforInsiderThreat,2012.[10]J.YuillandM.ZappeandD.DenningandF.Feer.Honeyles:DeceptiveFilesforIntrusionDetection.InWorkshoponInformationAssurance,2004.[11]A.D.Keromytis,R.Geambasu,S.Sethumadhavan,S.J.Stolfo,J.Yang,A.Benameur,M.Dacier,M.Elder,D.Kienzle,andA.Stavrou.TheMEERKATScloudsecurity24