Attribution, Temptation, and Expectation: A Formal Framework for Defense-by-Deception in Cyberwarfare
Defense-by-deception is an effective technique to address the asymmetry challenges in cyberwarfare. It allows not only misleading attackers toward non-harmful goals but also systematically depleting attacker resources. In this paper, we developed a game-theoretic framework that considers attribution, temptation and expectation as the major components for planning a successful deception plan. As a case study, we developed a game strategy to proactively deceive remote fingerprinting attackers without causing significant performance degradation to benign clients. We model and analyze the interaction between a fingerprinter and a target as a signaling game. We derive the Nash equilibrium strategy profiles based on the information gain analysis. Based on our game results, we design DeceiveGame, a mechanism to prevent or to significantly slow down fingerprinting attacks. Our performance analysis shows that DeceiveGame can reduce the probability of success of the fingerprinter significantly, without deteriorating the overall performance of other clients. Beyond the DeceiveGame application, our formal framework can be generally used to synthesize correct-by-construction cyber deception plans against other attacks.
Keywords: Information Gain; Game Model; Defense Cost; Signaling Game; Perfect Bayesian Equilibrium
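The abstract frames the fingerprinter/target interaction in terms of the attacker's information gain and the defender's cost. As an added illustration (not code from the paper and not the DeceiveGame implementation), the following Python models that trade-off in the simplest Bayesian form: the fingerprinter holds a prior over candidate operating systems, sends one probe, and observes a response feature; its information gain is the reduction in Shannon entropy of its belief. A deceptive target answers honestly with probability 1 - p and otherwise with a value drawn uniformly from the set of known fingerprint values. The OS labels, the response values (a constructed "initial TCP window" feature) and the uniform prior are all constructed sample data, and the uniform-mixing deception policy is an assumption of this example, not the paper's equilibrium strategy.

```python
"""Information-gain view of OS fingerprinting under a deceptive target.

Added example, not the paper's own model or code. Assumes: a fingerprinter
with a prior over candidate OSes, one probe whose response is a single
observable feature, and a deception policy that replaces the honest answer
with a uniformly random known value with probability `deception_prob`.
"""
from collections import defaultdict
import math

# Constructed fingerprint table: OS label -> observable response to one probe.
# Two OSes share a value, so even an honest target leaves some ambiguity.
FINGERPRINTS = {
    "os_a": 5840,
    "os_b": 8192,
    "os_c": 65535,
    "os_d": 65535,
}


def entropy(dist):
    """Shannon entropy in bits of a probability distribution {outcome: p}."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)


def uniform_prior():
    n = len(FINGERPRINTS)
    return {os: 1.0 / n for os in FINGERPRINTS}


def posterior(prior, likelihood, observation):
    """Bayes update P(os | obs) from P(obs | os) = likelihood[os][obs]."""
    unnorm = {os: prior[os] * likelihood[os].get(observation, 0.0) for os in prior}
    z = sum(unnorm.values())
    if z == 0:
        return dict(prior)  # observation impossible under the model: no update
    return {os: v / z for os, v in unnorm.items()}


def expected_information_gain(prior, likelihood):
    """Expected entropy reduction of the fingerprinter's belief after one probe."""
    marginal = defaultdict(float)  # P(obs) = sum_os P(os) P(obs | os)
    for os, p in prior.items():
        for obs, q in likelihood[os].items():
            marginal[obs] += p * q
    expected_posterior_entropy = sum(
        p_obs * entropy(posterior(prior, likelihood, obs))
        for obs, p_obs in marginal.items() if p_obs > 0
    )
    return entropy(prior) - expected_posterior_entropy


def deceptive_likelihood(deception_prob):
    """P(obs | os) when the target lies with probability deception_prob by
    answering with a value drawn uniformly from all known fingerprint values.
    deception_prob = 0.0 is the honest target."""
    values = sorted(set(FINGERPRINTS.values()))
    likelihood = {}
    for os, true_value in FINGERPRINTS.items():
        dist = defaultdict(float)
        dist[true_value] += 1.0 - deception_prob
        for v in values:
            dist[v] += deception_prob / len(values)
        likelihood[os] = dict(dist)
    return likelihood


def fingerprinter_gain(deception_prob, prior=None):
    """Expected information gain (bits) of the fingerprinter for a given policy."""
    prior = prior or uniform_prior()
    return expected_information_gain(prior, deceptive_likelihood(deception_prob))


def minimal_deception_prob(max_gain, step=0.1):
    """Smallest deception probability on a grid that holds the fingerprinter's
    expected gain at or below max_gain. Every deceptive answer is a cost to the
    target (and to benign clients receiving an altered response), so the
    defender wants the lowest probability that still meets the gain budget."""
    steps = int(round(1.0 / step))
    for i in range(steps + 1):
        p = i / steps
        if fingerprinter_gain(p) <= max_gain + 1e-12:
            return p
    return 1.0


if __name__ == "__main__":
    for p in (0.0, 0.25, 0.5, 0.75, 1.0):
        print(f"deception_prob={p:.2f}  attacker gain={fingerprinter_gain(p):.3f} bits")
    print("min deception prob for gain <= 0.5 bits:", minimal_deception_prob(0.5))
```

With the constructed table, the honest target yields 1.5 bits of gain (the probe fully separates os_a and os_b but not os_c from os_d); mixing uniformly with probability 1 drives the gain to zero because the response no longer depends on the true OS. `minimal_deception_prob` is the defender-side knob the abstract alludes to: pick the least deception (lowest cost to benign clients) that keeps the attacker's gain under a budget, rather than deceiving every request.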