Defensive computer-security deception operations: processes, principles and techniques

This dissertation is concerned with the processes, principles and techniques involved in deception operations for computer-security defense. In this work, computer-security deception operations are defined as the planned actions taken to mislead hackers and thereby cause them to take (or not take) specific actions that aid computer-security defenses. Computer security researchers have investigated hackers’ use of deception to attack networks and the deceptive honeypot systems used to defend networks. However, relatively little has been done to systematically model and examine computer-security deception operations. This work addresses that gap by focusing on deception for computer-security defense. The four main contributions of this dissertation are: (1) A process model for deception operations: this model, which is based on military deception theory and practice, provides deception planners with a framework for conducting deception operations. The framework includes a set of processes, principles and techniques. (2) A process model of deceptive hiding: this model aids the defender in developing new hiding techniques and in evaluating existing ones. Deceptive hiding is modeled as defeating the target’s discovery processes: direct observation, investigation based on evidence, and learning from others. (3) Two novel deception-based intrusion detection systems: the two deception models informed the design and evaluation of these systems. The Honeyfiles system extends the network file system to provide bait files for hackers; these files trigger an alarm when opened. The Net-Chaff system employs computer impersonations to detect and contain hackers’ network scans within an intranet. (4) Experiments and evaluation: a prototype Honeyfiles system was implemented, and the Net-Chaff system was simulated and modeled analytically. This work, together with subsequent experimentation, provides an exploratory and confirmatory assessment of the two deception models.
The experimental portion of this work reveals that: (a) when the Honeyfiles prototype is deployed on a deceptive network, and when subjected to hacking, it is observed to be an effective means for intrusion detection, and (b) the Net-Chaff system can reliably detect and contain intranet scans before they access vulnerable computers.
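The two detection mechanisms the abstract describes, reduced to a toy model as an added illustration (this is not code from the dissertation or its prototypes): a bait-file open raises a Honeyfiles alarm, and a source that probes enough impersonated chaff addresses is flagged as a scanner and contained before it reaches a real host. All paths, addresses and the threshold are constructed sample values.

```python
"""Added example (not from the dissertation): a toy deception-based detector
modelling the two systems the abstract describes.  Honeyfiles: opening a bait
file raises an alert.  Net-Chaff: unused intranet addresses are impersonated
('chaff'); a source that probes enough of them is flagged as a scanner and
contained (here: added to a block list) before it reaches a real host."""
from dataclasses import dataclass, field
from ipaddress import ip_network


@dataclass
class DeceptionDetector:
    bait_files: set              # honeyfile paths planted on the file server
    chaff_hosts: set             # impersonated (unused) intranet addresses
    scan_threshold: int = 3      # distinct chaff contacts before containment
    alerts: list = field(default_factory=list)
    blocked: set = field(default_factory=set)
    _chaff_hits: dict = field(default_factory=dict)

    def on_file_open(self, user, path):
        """Honeyfiles: legitimate users have no reason to open bait files."""
        if path in self.bait_files:
            self.alerts.append(("honeyfile", user, path))
            return True
        return False

    def on_connection(self, src, dst):
        """Net-Chaff: count distinct chaff addresses touched by each source."""
        if src in self.blocked:
            return "blocked"
        if dst in self.chaff_hosts:
            touched = self._chaff_hits.setdefault(src, set())
            touched.add(dst)
            if len(touched) >= self.scan_threshold:
                self.blocked.add(src)
                self.alerts.append(("scan", src, len(touched)))
                return "contained"
            return "chaff"
        return "real"


def demo():
    # Constructed sample data: a /24 intranet with three real hosts; every other
    # address is chaff, so a sequential scan hits chaff long before a real host.
    real = {"10.0.0.5", "10.0.0.20", "10.0.0.50"}
    chaff = {str(a) for a in ip_network("10.0.0.0/24").hosts()} - real
    det = DeceptionDetector(bait_files={"/srv/share/passwords.xlsx"}, chaff_hosts=chaff)
    det.on_file_open("alice", "/srv/share/report.docx")       # benign open
    det.on_file_open("mallory", "/srv/share/passwords.xlsx")  # honeyfile opened
    # Sequential scan from one source: contained on the third chaff hit,
    # so the real host 10.0.0.5 is never reached.
    results = [det.on_connection("10.0.0.99", f"10.0.0.{i}") for i in range(1, 6)]
    return det.alerts, results
```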