CONCEAL: A Strategy Composition for Resilient Cyber Deception: Framework, Metrics, and Deployment

  • Qi DuanEmail author
  • Ehab Al-Shaer
  • Mazharul Islam


Cyber deception is a key proactive cyber resilience technique to reverse the current asymmetry that favors adversaries in cyber warfare by creating a significant confusion in discovering and targeting cyber assets. One of the key objectives for cyber deception is to hide the true identity of the cyber assets in order to effectively deflect adversaries away from critical targets, and detect their activities early in the kill chain.

Although many cyber deception techniques were proposed including using honeypots to represent fake targets and mutating IP addresses to frequently change the ground truth of the network configuration (Jafarian et al., IEEE Transactions on Information Forensics and Security 10(12):2562–2577 (2015)), none of these deception techniques is resilient enough to provide high confidence of concealing the identity of the network assets, particularly against sophisticated attackers. In fact, in this chapter our analytical and experimental work showed that highly resilient cyber deception is unlikely attainable using a single technique, but it requires an optimal composition of various concealment techniques to maximize the deception utility. We, therefore, present a new cyber deception framework, called CONCEAL, which is a composition of mutation, anonymity, and diversity to maximize key deception objectives, namely concealability, detectability, and deterrence, while constraining the overall deployment cost. We formally define the CONCEAL metrics for concealability, detectability, and deterrence to measure the effectiveness of CONCEAL. Finally, we present the deployment of CONCEAL as a service to achieve manageability and cost-effectiveness by automatically generating the optimal deception proxy configuration based on existing host/network configuration, risk constraints of network services, and budget constraints. Our evaluation experiments measure both the deception effectiveness based on the above metrics and the scalability of the CONCEAL framework.



This research was supported in part by United States Army Research Office under contract number W911NF1510361. Any opinions, findings, conclusions or recommendations stated in this material are those of the authors and do not necessarily reflect the views of the funding sources.


  1. 1.
  2. 2.
    (2018) Yices: An SMT solver.
  3. 3.
    Al-Shaer E (2009) Mutable networks, National cyber leap year summit 2009 participants ideas report. Tech. rep., Networking and Information Technology Research and Development (NTIRD)Google Scholar
  4. 4.
    Al-Shaer E (2011) Toward network configuration randomization for moving target defense. In: Jajodia S, Ghosh AK, Swarup V, Wang C, Wang XS (eds) Moving Target Defense, Advances in Information Security, vol 54, Springer New York, pp 153–159Google Scholar
  5. 5.
    Anagnostakis KG, Sidiroglou S, Akritidis P, Xinidis K, Markatos EP, Keromytis AD (2005) Detecting targeted attacks using shadow honeypots. In: Usenix SecurityGoogle Scholar
  6. 6.
    Antonatos S, Akritidis P, Markatos EP, Anagnostakis KG (2007) Defending against hitlist worms using network address space randomization. Comput Netw 51(12):3471–3490, DOI CrossRefGoogle Scholar
  7. 7.
    Budiarto R, Samsudin A, Heong CW, Noori S (2004) Honeypots: why we need a dynamics honeypots? In: Information and Communication Technologies: From Theory to Applications, 2004. Proceedings. 2004 International Conference on, IEEE, pp 565–566Google Scholar
  8. 8.
    Davis M, Putnam H (1960) A computing procedure for quantification theory. J ACM 7:201–215, DOI, URL MathSciNetCrossRefGoogle Scholar
  9. 9.
    Hutchins EM, Cloppert MJ, Amin RM (2011) Intelligence-driven computer network defense informed by analysis of adversary campaigns and intrusion kill chains. Leading Issues in Information Warfare & Security Research 1:80Google Scholar
  10. 10.
    Jafarian H, Niakanlahiji A, Al-Shaer E, Duan Q (2016) Multi-dimensional host identity anonymization for defeating skilled attackers. In: Proceedings of the 2016 ACM Workshop on Moving Target Defense, ACM, New York, NY, USA, MTD ’16, pp 47–58, DOI 10.1145/2995272.2995278, URL
  11. 11.
    Jafarian JH, Al-Shaer E, Duan Q (2012) Openflow random host mutation: transparent moving target defense using software defined networking. In: Proceedings of the first workshop on Hot topics in software defined networks, ACM, pp 127–132Google Scholar
  12. 12.
    Jafarian JH, Al-Shaer E, Duan Q (2015) An effective address mutation approach for disrupting reconnaissance attacks. IEEE Transactions on Information Forensics and Security 10(12):2562–2577CrossRefGoogle Scholar
  13. 13.
    Jafarian JHH, Al-Shaer E, Duan Q (2014) Spatio-temporal address mutation for proactive cyber agility against sophisticated attackers. In: Proceedings of the First ACM Workshop on Moving Target Defense, ACM, MTD ’14, pp 69–78Google Scholar
  14. 14.
    Kewley D, Fink R, Lowry J, Dean M (2001) Dynamic approaches to thwart adversary intelligence gathering. DARPA Information Survivability Conference and Exposition 1:0176, DI
  15. 15.
    McClure S, Scambray J, Kurtz G, Kurtz (2005) Hacking exposed: network security secrets and solutions, vol 6. McGraw-Hill/Osborne New YorkGoogle Scholar
  16. 16.
    Medved J, Varga R, Tkacik A, Gray K (2014) Opendaylight: Towards a model-driven SDN controller architecture. In: World of Wireless, Mobile and Multimedia Networks (WoWMoM), 2014 IEEE 15th International Symposium on a, IEEE, pp 1–6Google Scholar
  17. 17.
    Michalski J, Price C, Stanton E, Lee E, Seah CK, TAN YH, Pheng C (2002) Final report for the network security mechanisms utilizing network address translation LDRD project. technical report sand2002-3613. Tech. rep., Sandia National LaboratoriesGoogle Scholar
  18. 18.
    Michalski JT (2006) Network security mechanisms utilising network address translation. International Journal of Critical Infrastructures 2(1):10–49CrossRefGoogle Scholar
  19. 19.
    Rowe NC, Custy EJ, Duong BT (2007) Defending cyberspace with fake honeypots. Journal of Computers 2(2):25–36CrossRefGoogle Scholar
  20. 20.
    Sun J, Sun K (2016) DESIR: Decoy-enhanced seamless IP randomization. In: INFOCOM 2016Google Scholar
  21. 21.
    Team M (2012) Mininet: An instant virtual network on your laptop (or other pc)Google Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. 1.Software and Information SystemsUniversity of North Carolina at CharlotteCharlotteUSA

Personalised recommendations