Deception-Enhanced Threat Sensing for Resilient Intrusion Detection

  • Frederico Araujo
  • Gbadebo Ayoade
  • Kevin W. HamlenEmail author
  • Latifur Khan


Enhancing standard web services with deceptive responses to cyberattacks can be a powerful and practical strategy for improved intrusion detection. Such deceptions are particularly helpful for addressing and overcoming barriers to effective machine learning-based intrusion detection encountered in many practical deployments. For example, they can provide a rich source of training data when training data is scarce, they avoid imposing a labeling burden on operators in the context of (semi-)supervised learning, they can be deployed post-decryption on encrypted data streams, and they learn concept differences between honeypot attacks and attacks against genuine assets.

The approach presented in this chapter examines how deceptive web service responses can be realized as software security patches that double as feature extraction engines for a network-level intrusion detection system. The resulting system coordinates multiple levels of the software stack to achieve fast, automatic, and accurate labeling of live web data streams, and thereby detects attacks with higher accuracy and adaptability than comparable non-deceptive defenses.


  1. 1.
    K. Alnaami, G. Ayoade, A. Siddiqui, N. Ruozzi, L. Khan, and B. Thuraisingham. P2V: Effective website fingerprinting using vector space representations. In Proceedings of the IEEE Symposium on Computational Intelligence, pages 59–66, 2015.Google Scholar
  2. 2.
    F. Araujo and K. W. Hamlen. Compiler-instrumented, dynamic secret-redaction of legacy processes for attacker deception. In Proceedings of the USENIX Security Symposium, 2015.Google Scholar
  3. 3.
    F. Araujo and K. W. Hamlen. Embedded honeypotting. In S. Jajodia, V. Subrahmanian, V. Swarup, and C. Wang, editors, Cyber Deception: Building the Scientific Foundation, chapter 10, pages 195–225. Springer, 2016.Google Scholar
  4. 4.
    F. Araujo, K. W. Hamlen, S. Biedermann, and S. Katzenbeisser. From patches to honey-patches: Lightweight attacker misdirection, deception, and disinformation. In Proceedings of the ACM Conference on Computer and Communications Security, pages 942–953, 2014.Google Scholar
  5. 5.
    S. Axelsson. The base-rate fallacy and its implications for the difficulty of intrusion detection. In Proceedings of the ACM Conference on Computer and Communications Security, pages 1–7, 1999.Google Scholar
  6. 6.
    M. H. Bhuyan, D. K. Bhattacharyya, and J. K. Kalita. Network anomaly detection: Methods, systems and tools. IEEE Communications Surveys & Tutorials, 16(1):303–336, 2014.CrossRefGoogle Scholar
  7. 7.
    A. L. Blum and P. Langley. Selection of relevant features and examples in machine learning. Artificial Intelligence, 97(1):245–271, 1997.MathSciNetCrossRefGoogle Scholar
  8. 8.
    N. Boggs, H. Zhao, S. Du, and S. J. Stolfo. Synthetic data generation and defense in depth measurement of web applications. In Proceedings of the International Symposium on Recent Advances in Intrusion Detection, pages 234–254, 2014.CrossRefGoogle Scholar
  9. 9.
    V. Chandola, A. Banerjee, and V. Kumar. Anomaly detection: A survey. ACM Computing Surveys, 41(3):15, 2009.CrossRefGoogle Scholar
  10. 10.
    D. E. Denning. An intrusion-detection model. IEEE Transactions on Software Engineering, 13(2):222–232, 1987.CrossRefGoogle Scholar
  11. 11.
    D. Dudorov, D. Stupples, and M. Newby. Probability analysis of cyber attack paths against business and commercial enterprise systems. In Proceedings of the IEEE European Intelligence and Security Informatics Conference, pages 38–44, 2013.Google Scholar
  12. 12.
    K. P. Dyer, S. E. Coull, T. Ristenpart, and T. Shrimpton. Peek-a-boo, I still see you: Why efficient traffic analysis countermeasures fail. In Proceedings of the IEEE Symposium on Security & Privacy, pages 332–346, 2012.Google Scholar
  13. 13.
    P. Garcia-Teodoro, J. Diaz-Verdejo, G. Maciá-Fernández, and E. Vázquez. Anomaly-based network intrusion detection: Techniques, systems and challenges. Computers & Security, 28(1):18–28, 2009.CrossRefGoogle Scholar
  14. 14.
    Juniper Research. The future of cybercrime and security: Financial and corporate threats and mitigation, 2015.Google Scholar
  15. 15.
    A. Panchenko, L. Niessen, A. Zinnen, and T. Engel. Website fingerprinting in onion routing based anonymization networks. In Proceedings of the Annual ACM Workshop on Privacy in the Electronic Society, pages 103–114, 2011.Google Scholar
  16. 16.
    A. Patcha and J.-M. Park. An overview of anomaly detection techniques: Existing solutions and latest technological trends. Computer Networks, 51(12):3448–3470, 2007.CrossRefGoogle Scholar
  17. 17.
    J. C. Platt. Probabilistic outputs for support vector machines and comparisons to regularized likelihood methods. In Advances in Large Margin Classifiers, pages 61–74. MIT Press, 1999.Google Scholar
  18. 18.
    R. Sommer and V. Paxson. Outside the closed world: On using machine learning for network intrusion detection. In Proceedings of the IEEE Symposium on Security & Privacy, pages 305–316, 2010.Google Scholar
  19. 19.
    Symantec. Internet security threat report, vol. 21, 2016.Google Scholar
  20. 20.
    C.-F. Tsai, Y.-F. Hsu, C.-Y. Lin, and W.-Y. Lin. Intrusion detection by machine learning: A review. Expert Systems with Applications, 36(10):11994–12000, 2009.CrossRefGoogle Scholar
  21. 21.
    E. Vasilomanolakis, S. Karuppayah, M. Mühlhäuser, and M. Fischer. Taxonomy and survey of collaborative intrusion detection. ACM Computing Surveys, 47(4), 2015.CrossRefGoogle Scholar
  22. 22.
    T. Wang, X. Cai, R. Nithyanand, R. Johnson, and I. Goldberg. Effective attacks and provable defenses for website fingerprinting. In Proceedings of the USENIX Security Symposium, 2014.Google Scholar
  23. 23.
    J. Yuill, D. Denning, and F. Feer. Using deception to hide things from hackers: Processes, principles, and techniques. Journal of Information Warfare, 5(3):26–40, 2006.Google Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Frederico Araujo
    • 1
  • Gbadebo Ayoade
    • 2
  • Kevin W. Hamlen
    • 2
    Email author
  • Latifur Khan
    • 2
  1. 1.IBM T.J. Watson Research CenterYorktown HeightsUSA
  2. 2.The University of Texas at DallasRichardsonUSA

Personalised recommendations