Date of Award

2022-05-01

Degree Name

Doctor of Philosophy

Department

Computer Science

Advisor(s)

Christopher D. Kiekintveld

Abstract

In this day and age, adversaries in the cybersecurity space have become alarmingly capable of identifying network vulnerabilities and work out various targets to attack where deception is becoming an increasingly crucial technique for the defenders to delay these attacks. For securing computer networks, the defenders use various deceptive decoy objects to detect, confuse, and distract attackers. By trapping the attackers, these decoys gather information, waste their time and resources, and potentially prevent future attacks. However, we have to consider that an attacker with the help of smart techniques may detect the decoys and avoid them. One of the well-known challenges in using decoys is that it can be difficult to design effective decoys that are hard to distinguish from real objects, especially against sophisticated attackers who may be aware of the use of decoys. Both real and decoy objects have observable features that may give the attacker the ability to distinguish one from the other. One way for a defender to enhance a decoyâ??s effectiveness is to modify a few features of either the real or fake objects. But such information manipulation or system modification for the defender needs to be cost-effective. Game-theoretical models are often useful to analyze strategic interactions between agents to find the best decision-making solutions. In this thesis, I study some game-theoretic and adversarial machine learning models to determine optimal strategies for the defender and focus on employing decoys to prevent security threats.

The first game model I work to design practical decoy objects that can fool a sophisticated attacker. This model allows us to investigate many aspects of how a defender should optimize efforts to conceal deceptive objects, which can be applied to honeypots, disguising network traffic, and other domains. Furthermore, its theoretical foundation provides the benefits and limitations of adversarial learning methods for generating deceptive objects. In our model, we allow the defender to modify either the real or fake object that renders objects indistinguishable for the attacker thus, improve deception noticeably. By using this model, we seek to capture some key aspects of cyber deception that are missing from other game-theoretic models. In particular, we focus on whether the defender can design convincing decoy objects and the limitations of deception if some discriminating features of real and fake objects are not easily maskable. To my knowledge, this the first model that introduces a two-sided deception technique to mislead the attackers. However, an important element to take into account for the use of two-sided deception is cost. Here we show, in some cases, deception is either unnecessary or too costly to be effective. The deception level mainly relates to attackersâ?? sophistication, wherein naïve attackers are easy to deceive even with a low-cost strategy. This game model provides a new and more nuanced way to consider the quality of various deception strategies but strives to solve large and complex two-sided feature deception problems. To further develop and scale the model, we use the Adversarial Machine Learning (AML) approach that can generate fake samples that look like real samples and real samples that look like fake samples when the feature space is complex and large. The technique can also be used as a robust classifier for the binary classification problem in a dynamic learning environment. We also present the empirical analysis of the AML algorithm and discuss some possible use cases of our model.

The next game-theoretic model I design to use deceptively crafted honey traffic to confound the knowledge gained by an adversary through passive network reconnaissance. This model characterizes how a defender should deploy honey traffic in the presence of a sophisticated attacker and finds the optimal strategy for deploying honey flows that are fast enough to be used for realistic networks. These optimal defender strategies deter an attacker from acting on the existence of real vulnerabilities found in network traffic. Our proposed model balances cost and benefit trade-offs, but can still be solved quickly enough to be used in a complex network environment. We show that the strategic optimization benefit is the highest when the cost of producing honey flow is reasonable, which is the most likely real application scenario, and the network defender should generate more honey flows to cover the highly valued vulnerabilities. We extend the current game model by addressing that the attack distributes beliefs over various types of honey traffic, reflecting the quality of the honey flows, indicating how hard it is for the attacker to distinguish. In addition, the attacker needs to pay a cost to attack. This model further captures how the honey traffic quality impacts attacks decision-making strategies. We show that high quality honey traffic makes it harder for the attacker to distinguish between real and honey traffic.

Language

en

Provenance

Received from ProQuest

File Size

116 p.

File Format

application/pdf

Rights Holder

Mohammad Sujan Miah

Share

COinS