Attribution, Temptation, and Expectation: A Formal Framework for Defense-by-Deception in Cyberwarfare

Al-Shaer, Ehab; Rahman, Mohammad Ashiqur

doi:10.1007/978-3-319-14039-1_4

Attribution, Temptation, and Expectation: A Formal Framework for Defense-by-Deception in Cyberwarfare

Ehab Al-Shaer⁷ &
Mohammad Ashiqur Rahman⁷

Chapter
First Online: 01 January 2015

2851 Accesses
1 Citations

Part of the book series: Advances in Information Security ((ADIS,volume 56))

Abstract

Defense-by-deception is an effective technique to address the asymmetry challenges in cyberwarfare. It allows for not only misleading attackers to non-harmful goals but also systematic depletion of attacker resources. In this paper, we developed a game theocratic framework that considersattribution, temptation andexpectation, as the major components for planning a successful deception plan. We developed as a case study a game strategy to proactively deceive remote fingerprinting attackers without causing significant performance degradation to benign clients. We model and analyze the interaction between a fingerprinter and a target as a signaling game. We derive the Nash equilibrium strategy profiles based on the information gain analysis. Based on our game results, we designDeceiveGame, a mechanism to prevent or to significantly slow down fingerprinting attacks. Our performance analysis shows thatDeceiveGame can reduce the probability of success of the fingerprinter significantly, without deteriorating the overall performance of other clients. Beyond the DeceiveGame application, our formal framework can be generally used to synthesize correct-by-construction cyber deception plans against other attacks.

This is a preview of subscription content, log in via an institution.

Chapter: USD 29.95; Price excludes VAT (USA)

eBook: USD 109.00; Price excludes VAT (USA)

Hardcover Book: USD 139.99; Price excludes VAT (USA)

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions

Notes

1.
The sender strategy profile\((a,b)\) means that it playsa for the type θ andb for the type\(1-\theta\). In case of the target,\((a,b)\) means that it playsa following theGreedy action andb following theNormal action of the sender.

References

Adrian. Osfuscate 0.3. 2008. Available inhttp://www.irongeek.com.
O. Arkin and F. Yarochkin. A fuzzy approach to remote active operating system fingerprinting. 2003. Available inhttp://www.sys-security.com/archive/papers/Xprobe2.pdf.
E. Al-Shaer, Q. Duan, and J. H. Jafarian. Random host mutation for moving target defense. InSECURECOMM, 2012.
Google Scholar
Basil. Windivert 1.0: Windows packet divert. 2012. Available inhttp://reqrypt.org/windivert.html.
Fyodor. Remote os detection via tcp/ip fingerprinting (2nd generation). 2007. Available inhttp://insecure.org/nmap/osdetect/.
L. Greenwald and T. Thomas. Evaluating tests used in operating system fingerprinting. InLGS Bell Labs Innovations, 2007.
Google Scholar
R. Gibbons. Game theory for applied economics. InPrinceton University Press, 1992.
Google Scholar
J. Michalski. Network security mechanisms utilizing network address translation. InJournal of Critical Infrastructures, volume 2, 2006.
Google Scholar
K. Poduri and K. Nichols. Simulation studies of increased initial tcp window size. InInternet Draft by IETF, 1998.
Google Scholar
G. Prigent, F. Vichot, and F. Harroue. Ipmorph: Fingerprinting spoofing unification. InJournal in Computer Virology, volume 6, Oct 2009.
Google Scholar
M. Rahman, M. Manshaei, and E. Al-Shaer. AQ2 A game-theoretic solution for counter-fingerprinting. Technical Report,2013. Available athttp://www.manshaei.org/files/TR-DeceiveGame.pdf.
Roualland and Jean-Marc Saffroy. Ip personality. 2001. Available inhttp://ippersonality.sourceforge.net.
M. Smart, G. R. Malan, and F. Jahanian. Defeating tcp/ip stack fingerprinting. InUSENIX Security, Aug 2000.
Google Scholar
Tcp optimizer, speed guide. 2011. Available inhttp://www.speedguide.net/tcpoptimizer.php.
The internet traffic archive. 2008. Available inhttp://ita.ee.lbl.gov/html/traces.html.
K. Wang. Frustrating os fingerprinting with morph. 2004. Available inhttp://www.synacklabs.net/projects/morph/.
X. Zhang and L. Zheng. Delude remote operating system (os) scan by honeyd. InWorkshop on Computer Science and Engineering, Oct 2009.
Google Scholar

Download references

Author information

Authors and Affiliations

University of North Carolina at Charlotte, Charlotte, USA
Ehab Al-Shaer & Mohammad Ashiqur Rahman

Authors

Ehab Al-Shaer
View author publications
You can also search for this author in PubMed Google Scholar
Mohammad Ashiqur Rahman
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Ehab Al-Shaer .

Editor information

Editors and Affiliations

Center for Secure Information Systems, George Mason University, Fairfax, Virginia, USA
Sushil Jajodia
Arizona State University, Tempe, Arizona, USA
Paulo Shakarian
Computer Science Department, University of Maryland, College Park, Maryland, USA
V.S. Subrahmanian
The MITRE Corporation, McLean, Virginia, USA
Vipin Swarup
Information Sciences Directorate, Triangle Park, North Carolina, USA
Cliff Wang

Rights and permissions

Reprints and permissions

Copyright information

About this chapter

Cite this chapter

Al-Shaer, E., Rahman, M. (2015). Attribution, Temptation, and Expectation: A Formal Framework for Defense-by-Deception in Cyberwarfare. In: Jajodia, S., Shakarian, P., Subrahmanian, V., Swarup, V., Wang, C. (eds) Cyber Warfare. Advances in Information Security, vol 56. Springer, Cham. https://doi.org/10.1007/978-3-319-14039-1_4

Download citation

DOI: https://doi.org/10.1007/978-3-319-14039-1_4
Published: 10 April 2015
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-14038-4
Online ISBN: 978-3-319-14039-1
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics