Computational Decoys for Cloud Security

Chapter in: Secure Cloud Computing

Abstract

Cloud-based applications benefit from the scalability and efficiency offered by server consolidation and shared facilities. However, the shared nature of cloud infrastructures may introduce threats stemming from the co-location and combination of untrusted components, in addition to the typical risks due to the inevitable presence of weaknesses in the infrastructure itself. As a result, adversaries may be able to place themselves in monitoring proximity to high-value targets and gain unauthorized access to sensitive data. In this paper we present DIGIT, a system that employs decoy computation to impede the ability of adversaries to take advantage of unauthorized access to sensitive information. DIGIT introduces uncertainty as to which data and computation are legitimate by generating a mix of real and decoy activity within a cloud application. Although DIGIT may not impede intruders indefinitely, it prevents them from determining, within a reasonable amount of time, whether a captured system is handling actual or bogus processing. As adversaries cannot easily distinguish between real and decoy activity, they have to either risk triggering beacon-bearing data that can be traced back to them, or expend significant effort to pinpoint any actual data of interest, forcing them to reveal their presence.

Author information

Corresponding author: Georgios Kontaxis.

Copyright information

© 2014 Springer Science+Business Media New York

About this chapter

Cite this chapter

Kontaxis, G., Polychronakis, M., Keromytis, A.D. (2014). Computational Decoys for Cloud Security. In: Jajodia, S., Kant, K., Samarati, P., Singhal, A., Swarup, V., Wang, C. (eds) Secure Cloud Computing. Springer, New York, NY. https://doi.org/10.1007/978-1-4614-9278-8_12

Download citation

  • DOI: https://doi.org/10.1007/978-1-4614-9278-8_12

  • Publisher Name: Springer, New York, NY

  • Print ISBN: 978-1-4614-9277-1

  • Online ISBN: 978-1-4614-9278-8

  • eBook Packages: Computer Science (R0)
