
Deceiving Attackers by Creating a Virtual Attack Surface

Chapter in: Cyber Deception

Abstract

Cyber attacks are typically preceded by a reconnaissance phase in which attackers aim at collecting valuable information about the target system, including network topology, service dependencies, operating systems, and unpatched vulnerabilities. Unfortunately, when system configurations are static, attackers will always be able, given enough time, to acquire accurate knowledge about the target system through a variety of tools—including operating system and service fingerprinting—and engineer effective exploits. To address this important problem, many techniques have been devised to dynamically change some aspects of a system’s configuration in order to introduce uncertainty for the attacker. In this chapter, we present a graph-based approach for manipulating the attacker’s view of a system’s attack surface, which addresses several limitations of existing techniques. To achieve this objective, we formalize the notions of system view and distance between views. We then define a principled approach to manipulating responses to the attacker’s probes so as to induce an external view of the system that satisfies certain desirable properties. In particular, we propose efficient algorithmic solutions to two classes of problems, namely (1) inducing an external view that is at a minimum distance from the internal view, while minimizing the cost for the defender; (2) inducing an external view that maximizes the distance from the internal view, given an upper bound on the cost for the defender. In order to demonstrate the practical applicability of the proposed approach, we present deception-based techniques for defeating an attacker’s effort to fingerprint operating systems and services on the target system. These techniques consist of manipulating outgoing traffic so that it resembles traffic generated by a completely different system. Experimental results show that our approach can efficiently and effectively deceive an attacker.
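The two problem classes in the abstract, as an added toy model that is not the chapter's own code or formalization: a view is assumed to be a map from (host, feature) to the value an attacker's probe would reveal, the distance between views is assumed to be the number of differing features, and the deception primitives with their defender costs are constructed sample values.

```python
from itertools import combinations

# Constructed sample internal view: (host, feature) -> value an attacker's
# probes would reveal if responses were not manipulated.
INTERNAL_VIEW = {
    ("10.0.0.1", "os"): "Linux",   ("10.0.0.1", "svc:22"): "OpenSSH",
    ("10.0.0.2", "os"): "Windows", ("10.0.0.2", "svc:80"): "IIS",
}

# Assumed deception primitives: (host, feature, value shown to the attacker,
# defender cost). Two primitives targeting the same feature cannot both apply.
PRIMITIVES = [
    ("10.0.0.1", "os", "FreeBSD", 3),
    ("10.0.0.1", "svc:22", "Dropbear", 1),
    ("10.0.0.2", "os", "Linux", 2),
    ("10.0.0.2", "svc:80", "Apache", 1),
    ("10.0.0.2", "os", "Solaris", 4),
]

def external_view(view, chosen):
    """View induced by applying the chosen primitives to the internal view."""
    ext = dict(view)
    for host, feature, shown, _cost in chosen:
        ext[(host, feature)] = shown
    return ext

def distance(v1, v2):
    """Assumed distance: number of (host, feature) pairs whose values differ."""
    return sum(1 for key in v1 if v1[key] != v2.get(key))

def cost(chosen):
    """Total defender cost of a set of primitives."""
    return sum(p[3] for p in chosen)

def consistent_sets():
    """Every subset of primitives that touches each feature at most once."""
    for r in range(len(PRIMITIVES) + 1):
        for combo in combinations(PRIMITIVES, r):
            keys = [(h, f) for h, f, _, _ in combo]
            if len(keys) == len(set(keys)):
                yield combo

def induced_distance(chosen):
    return distance(INTERNAL_VIEW, external_view(INTERNAL_VIEW, chosen))

def min_cost_for_distance(d_min):
    """Problem (1): cheapest set whose view is at least d_min away; None if impossible."""
    feasible = [c for c in consistent_sets() if induced_distance(c) >= d_min]
    return min(feasible, key=cost) if feasible else None

def max_distance_for_budget(budget):
    """Problem (2): set maximizing distance with cost <= budget (cheapest among ties)."""
    affordable = [c for c in consistent_sets() if cost(c) <= budget]
    return max(affordable, key=lambda c: (induced_distance(c), -cost(c)))
```

The exhaustive search is fine for a handful of primitives; the chapter's contribution is the efficient algorithms for the general case, which this model does not reproduce.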


Notes

  1. We present a taxonomy of OS fingerprinting tools in Sect. 6.

  2. A more complete definition of view could incorporate information about service dependencies and vulnerabilities, similarly to what is proposed in [2].

  3. Each primitive may have a set of specific parameters, which we omit to simplify the notation.

  4. As specified in RFC 793, this option code may be used between options, for example, to align the beginning of a subsequent option on a word boundary.

  5. Errors occur only during the connection phase, and altering the banner will not affect previously established connections.

  6. We omit the code dealing with sequence number adjustment for reasons of space.

  7. For the sake of brevity, we omit the code for checksum recomputation.

References

  1. F. H. Abbasi, R. J. Harris, G. Moretti, A. Haider, and N. Anwar. Classification of malicious network streams using honeynets. In Proceedings of the IEEE Conference on Global Communications (GLOBECOM 2012), pages 891–897, Anaheim, CA, USA, December 2012. IEEE.

  2. M. Albanese, S. Jajodia, A. Pugliese, and V. S. Subrahmanian. Scalable analysis of attack scenarios. In Proceedings of the 16th European Symposium on Research in Computer Security (ESORICS 2011), pages 416–433, Leuven, Belgium, September 2011. Springer.

  3. M. Albanese, A. De Benedictis, S. Jajodia, and K. Sun. A moving target defense mechanism for MANETs based on identity virtualization. In Proceedings of the 1st IEEE Conference on Communications and Network Security (IEEE CNS 2013), pages 278–286, Washington, DC, USA, October 2013. IEEE.

  4. M. Albanese, E. Battista, S. Jajodia, and V. Casola. Manipulating the attacker’s view of a system’s attack surface. In Proceedings of the 2nd IEEE Conference on Communications and Network Security (IEEE CNS 2014), pages 472–480, San Francisco, CA, USA, October 2014. IEEE.

  5. M. Albanese, E. Battista, and S. Jajodia. A deception based approach for defeating OS and service fingerprinting. In Proceedings of the 3rd IEEE Conference on Communications and Network Security (IEEE CNS 2015), pages 253–261, Florence, Italy, September 2015. IEEE.

  6. P. Auffret. SinFP, unification of active and passive operating system fingerprinting. Journal in Computer Virology, 6(3):197–205, August 2010.

  7. D. Barroso Berrueta. A practical approach for defeating Nmap OS-Fingerprinting. http://nmap.org/misc/defeat-nmap-osdetect.html, January 2003.

  8. V. Casola, A. De Benedictis, and M. Albanese. A moving target defense approach for protecting resource-constrained distributed devices. In Proceedings of the 14th International Conference on Information Reuse and Integration (IEEE IRI 2013), pages 22–29, San Francisco, CA, USA, August 2013. IEEE.

  9. V. Casola, A. De Benedictis, and M. Albanese. Integration of Reusable Systems, chapter A Multi-Layer Moving Target Defense Approach for Protecting Resource-Constrained Distributed Devices. Advances in Intelligent and Soft Computing. Springer, 2013.

  10. C.-M. Chen, S.-T. Cheng, and R.-Y. Zeng. A proactive approach to intrusion detection and malware collection. Security and Communication Networks, 6(7):844–853, July 2013.

  11. Q. Duan, E. Al-Shaer, and H. Jafarian. Efficient random route mutation considering flow and network constraints. In Proceedings of the 1st IEEE Conference on Communications and Network Security (IEEE CNS 2013), pages 260–268, Washington, DC, USA, October 2013. IEEE.

  12. M. Dunlop, S. Groat, R. Marchany, and J. Tront. Implementing an IPv6 moving target defense on a live network. In Proceedings of the National Moving Target Research Symposium, Annapolis, MD, USA, June 2012.

  13. Executive Office of the President, National Science and Technology Council. Trustworthy cyberspace: Strategic plan for the federal cybersecurity research and development program. http://www.whitehouse.gov/, December 2011.

  14. R. Gula. Enhanced operating system identification with Nessus. http://www.tenable.com/blog/enhanced-operating-system-identification-with-nessus, February 2009.

  15. J. H. Jafarian, E. Al-Shaer, and Q. Duan. OpenFlow random host mutation: Transparent moving target defense using software defined networking. In Proceedings of the 1st Workshop on Hot Topics in Software Defined Networks (HotSDN 2012), pages 127–132, Helsinki, Finland, August 2012. ACM.

  16. S. Jajodia, A. K. Ghosh, V. Swarup, C. Wang, and X. S. Wang, editors. Moving Target Defense: Creating Asymmetric Uncertainty for Cyber Threats, volume 54 of Advances in Information Security. Springer, 1st edition, 2011.

  17. G. F. Lyon. Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning. Insecure, 2009.

  18. P. K. Manadhata and J. M. Wing. An attack surface metric. IEEE Transactions on Software Engineering, 37(3):371–386, May 2011.

  19. A. Rana. What is AMap and how does it fingerprint applications? http://www.sans.org/security-resources/idfaq/amap.php, March 2014.

  20. G. Shu and D. Lee. Network protocol system fingerprinting - a formal approach. In Proceedings of the 25th IEEE International Conference on Computer Communications (INFOCOM 2006). IEEE, April 2006.

  21. C. Trowbridge. An overview of remote operating system fingerprinting. SANS Institute InfoSec Reading Room, July 2003.

  22. D. Watson, M. Smart, G. R. Malan, and F. Jahanian. Protocol scrubbing: Network security through transparent flow modification. IEEE/ACM Transactions on Networking, 12(2):261–273, April 2004.

  23. M. Zalewski. p0f v3 (version 3.06b). http://lcamtuf.coredump.cx/p0f3/, January 2012.


Acknowledgements

This work was partially supported by the Army Research Office under grants W911NF-13-1-0421, W911NF-09-1-0525, and W911NF-13-1-0317, and by the Office of Naval Research under grants N00014-12-1-0461 and N00014-13-1-0703.

Author information

Corresponding author: Massimiliano Albanese.


Copyright information

© 2016 Springer International Publishing Switzerland

About this chapter

Cite this chapter

Albanese, M., Battista, E., Jajodia, S. (2016). Deceiving Attackers by Creating a Virtual Attack Surface. In: Jajodia, S., Subrahmanian, V., Swarup, V., Wang, C. (eds) Cyber Deception. Springer, Cham. https://doi.org/10.1007/978-3-319-32699-3_8


  • DOI: https://doi.org/10.1007/978-3-319-32699-3_8


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-32697-9

  • Online ISBN: 978-3-319-32699-3

  • eBook Packages: Computer Science (R0)
