DOI: 10.1145/2994475.2994481

AHEAD: A New Architecture for Active Defense

Published: 24 October 2016

Abstract

Active defense is a popular defense technique based on systems that hinder an attacker's progress by design, rather than reactively responding to an attack only after its detection. Well-known active defense systems are honeypots: fake systems, designed to look like real production systems, aimed at trapping an attacker and analyzing his attack strategy and goals. These systems suffer from a major weakness: it is extremely hard to design them in such a way that an attacker cannot distinguish them from a real production system. In this paper, we advocate that, instead of adding further fake systems to the corporate network, the production systems themselves should be instrumented to provide active defense capabilities. This perspective on active defense contains costs and complexity, while at the same time presenting the attacker with a more realistic-looking target and giving the Incident Response Team more time to identify the attacker. The proposed proof-of-concept prototype system can be used to implement active defense in any corporate production network, with little upfront work and little maintenance.



    Published In

    SafeConfig '16: Proceedings of the 2016 ACM Workshop on Automated Decision Making for Active Cyber Defense
    October 2016, 130 pages
    ISBN: 9781450345668
    DOI: 10.1145/2994475

    Publisher

    Association for Computing Machinery

    New York, NY, United States


    Author Tags

    1. active defense
    2. cyber deception
    3. honeypot
    4. honeytoken
    5. intrusion detection system

    Qualifiers

    • Research-article

    Conference

    CCS'16

    Acceptance Rates

    SafeConfig '16 Paper Acceptance Rate 6 of 13 submissions, 46%;
    Overall Acceptance Rate 22 of 61 submissions, 36%

    Cited By

    • (2023) symbSODA: Configurable and Verifiable Orchestration Automation for Active Malware Deception. ACM Transactions on Privacy and Security 26(4):1-36. DOI: 10.1145/3624568. Online publication date: 20 Sep 2023.
    • (2023) Towards Mission Aware Cyber-Resiliency with Autonomous Agents. Proceedings of the 2023 Australasian Computer Science Week, pages 36-39. DOI: 10.1145/3579375.3579421. Online publication date: 30 Jan 2023.
    • (2023) DOLOS: A Novel Architecture for Moving Target Defense. IEEE Transactions on Information Forensics and Security 18:5890-5905. DOI: 10.1109/TIFS.2023.3318964. Online publication date: 2023.
    • (2023) Case Study A: A Prototype Autonomous Intelligent Cyber-Defense Agent. Autonomous Intelligent Cyber Defense Agent (AICA), pages 395-408. DOI: 10.1007/978-3-031-29269-9_19. Online publication date: 3 Jun 2023.
    • (2023) AICA Development Challenges. Autonomous Intelligent Cyber Defense Agent (AICA), pages 367-394. DOI: 10.1007/978-3-031-29269-9_18. Online publication date: 3 Jun 2023.
    • (2022) A deep learning assisted personalized deception system for countering web application attacks. Journal of Information Security and Applications 67(C). DOI: 10.1016/j.jisa.2022.103169. Online publication date: 27 Jun 2022.
    • (2022) An Ensemble Based Deep Learning Framework to Detect and Deceive XSS and SQL Injection Attacks. Intelligent Information and Database Systems, pages 183-195. DOI: 10.1007/978-3-031-21743-2_15. Online publication date: 28 Nov 2022.
    • (2022) Human-Subject Experiments on Risk-Based Cyber Camouflage Games. Cyber Deception, pages 25-40. DOI: 10.1007/978-3-031-16613-6_2. Online publication date: 7 Oct 2022.
    • (2022) Diversifying Deception: Game-Theoretic Models for Two-Sided Deception and Initial Human Studies. Cyber Deception, pages 1-23. DOI: 10.1007/978-3-031-16613-6_1. Online publication date: 7 Oct 2022.
    • (2021) A Multiphase Dynamic Deployment Mechanism of Virtualized Honeypots Based on Intelligent Attack Path Prediction. Security and Communication Networks, volume 2021. DOI: 10.1155/2021/6378218. Online publication date: 21 Oct 2021.