Baiting Inside Attackers Using Decoy Documents

  • Brian M. Bowen
  • Shlomo Hershkop
  • Angelos D. Keromytis
  • Salvatore J. Stolfo
Part of the Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering book series (LNICST, volume 19)


The insider threat remains one of the most vexing problems in computer security. A number of approaches have been proposed to detect nefarious insider actions, including user modeling and profiling techniques, policy and access enforcement techniques, and misuse detection. In this work we propose trap-based defense mechanisms and a deployment platform for addressing the problem of insiders attempting to exfiltrate and use sensitive information. The goal is to confuse and confound an adversary, forcing more effort to distinguish real information from bogus information, and to provide a means of detecting when an attempt to exploit sensitive information has occurred. “Decoy Documents” are automatically generated and stored on a file system by the D3 System with the aim of enticing a malicious user. We introduce and formalize a number of properties of decoys as a guide to designing trap-based defenses that increase the likelihood of detecting an insider attack. The decoy documents contain several different types of bogus credentials that, when used, trigger an alert. We also embed “stealthy beacons” inside the documents that cause a signal to be emitted to a server indicating when and where the particular decoy was opened. We evaluate decoy documents on honeypots penetrated by attackers, demonstrating the feasibility of the method.
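The abstract describes decoy documents seeded with bogus credentials that trigger an alert when anyone tries to use them. The following is an added example of that honeytoken-style detection logic; it is not code from the paper or from the D3 System. It assumes a simple design: each decoy document's bogus account name is recorded in a registry together with a decoy identifier and the path where the decoy was planted, and a monitor scans sshd-style authentication log lines for any login attempt against a registered decoy account. The decoy identifiers, paths and log lines are constructed for the example; because no legitimate user owns a decoy account, any attempt at all (failed or accepted) is evidence that the decoy was read, and the alert names the decoy, the source address and the time.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Decoy:
    """A bogus credential embedded in one decoy document (assumed scheme)."""
    decoy_id: str     # identifier of the decoy document, e.g. "D3-0001" (constructed)
    username: str     # bogus account name that no legitimate user owns
    planted_at: str   # file-system path where the decoy was placed


class DecoyRegistry:
    """Maps decoy usernames back to the decoy document they came from."""

    def __init__(self):
        self._by_user = {}

    def register(self, decoy):
        # Two decoys sharing a username could not be told apart, so refuse it.
        if decoy.username in self._by_user:
            raise ValueError(f"decoy username already registered: {decoy.username}")
        self._by_user[decoy.username] = decoy

    def lookup(self, username):
        return self._by_user.get(username)


# sshd-style "Accepted/Failed password" lines; the format is assumed for the example.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Accepted|Failed) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_auth_line(line):
    """Return the fields of a password-auth log line, or None for other lines."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan_auth_log(lines, registry):
    """Emit one alert per login attempt that names a registered decoy account."""
    alerts = []
    for line in lines:
        ev = parse_auth_line(line)
        if ev is None:
            continue                      # connection-closed lines and other noise
        decoy = registry.lookup(ev["user"])
        if decoy is None:
            continue                      # ordinary user, not a decoy
        alerts.append({
            "decoy_id": decoy.decoy_id,
            "planted_at": decoy.planted_at,
            "username": ev["user"],
            "source": ev["src"],
            "time": ev["ts"],
            "result": ev["result"],
        })
    return alerts


# Constructed sample log: one legitimate login, two attempts on a decoy account,
# one non-auth line, and one unrelated failed login for a real user.
SAMPLE_LOG = [
    "2009-03-01T08:12:04Z host1 sshd[2231]: Accepted password for alice from 10.0.0.5 port 51022 ssh2",
    "2009-03-01T09:40:17Z host1 sshd[2390]: Failed password for invalid user svc_backup_q7 from 10.0.0.77 port 40211 ssh2",
    "2009-03-01T09:40:21Z host1 sshd[2390]: Failed password for invalid user svc_backup_q7 from 10.0.0.77 port 40211 ssh2",
    "2009-03-01T09:41:02Z host1 sshd[2391]: Connection closed by 10.0.0.77",
    "2009-03-01T11:03:55Z host1 sshd[2577]: Failed password for bob from 10.0.0.9 port 50003 ssh2",
]


def build_demo_registry():
    """Register two constructed decoys, as the decoy generator would on deployment."""
    reg = DecoyRegistry()
    reg.register(Decoy("D3-0001", "svc_backup_q7", "/home/alice/finance/q3_budget_final.doc"))
    reg.register(Decoy("D3-0002", "vpn_admin_k2", "/home/bob/private/passwords.txt"))
    return reg


def demo():
    return scan_auth_log(SAMPLE_LOG, build_demo_registry())


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Running the block reports two alerts, both tied to decoy D3-0001 and source 10.0.0.77, which tells the defender not only that a bogus credential was tried but which planted file leaked it. The same registry lookup applies to any credential type the decoys carry (web logins, API tokens), provided the corresponding log source is parsed.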


Keywords (added by machine, not by the authors): Legitimate User, Inside Attack, Home Directory, Credit Card Number, Insider Threat





Copyright information

© ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering 2009

Authors and Affiliations

Brian M. Bowen, Shlomo Hershkop, Angelos D. Keromytis, Salvatore J. Stolfo: Department of Computer Science, Columbia University, USA
