Attribution, Temptation, and Expectation: A Formal Framework for Defense-by-Deception in Cyberwarfare

  • Ehab Al-Shaer
  • Mohammad Ashiqur Rahman
Part of the Advances in Information Security book series (ADIS, volume 56)


Defense-by-deception is an effective technique to address the asymmetry challenges in cyberwarfare. It allows for not only misleading attackers to non-harmful goals but also systematic depletion of attacker resources. In this paper, we developed a game-theoretic framework that considers attribution, temptation and expectation as the major components for planning a successful deception plan. We developed as a case study a game strategy to proactively deceive remote fingerprinting attackers without causing significant performance degradation to benign clients. We model and analyze the interaction between a fingerprinter and a target as a signaling game. We derive the Nash equilibrium strategy profiles based on the information gain analysis. Based on our game results, we design DeceiveGame, a mechanism to prevent or to significantly slow down fingerprinting attacks. Our performance analysis shows that DeceiveGame can reduce the probability of success of the fingerprinter significantly, without deteriorating the overall performance of other clients. Beyond the DeceiveGame application, our formal framework can be generally used to synthesize correct-by-construction cyber deception plans against other attacks.


Information Gain; Game Model; Defense Cost; Signaling Game; Perfect Bayesian Equilibrium
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  1. University of North Carolina at Charlotte, Charlotte, USA
