Deception in network defences using unpredictability
In this article, we propose a novel method that aims to improve upon existing moving-target defences by making them unpredictably reactive using probabilistic decision-making. We postulate that unpredictability can improve network defences in two key capacities: (1) by re-configuring the network in...
Main Authors: | , , , |
---|---|
Format: | Journal article |
Language: | English |
Published: |
Association for Computing Machinery
2021
|
_version_ | 1797080746599383040 |
---|---|
author | Happa, J Bashford-Rogers, T Goldsmith, M Creese, S |
author_facet | Happa, J Bashford-Rogers, T Goldsmith, M Creese, S |
author_sort | Happa, J |
collection | OXFORD |
description | In this article, we propose a novel method that aims to improve upon existing moving-target defences by making them unpredictably reactive using probabilistic decision-making. We postulate that unpredictability can improve network defences in two key capacities: (1) by re-configuring the network in direct response to detected threats, tailored to the current threat and a security posture, and (2) by deceiving adversaries using pseudo-random decision-making (selected from a set of acceptable set of responses), potentially leading to adversary delay and failure. Decisions are performed automatically, based on reported events (e.g., Intrusion Detection System (IDS) alerts), security posture, mission processes, and states of assets. Using this codified form of situational awareness, our system can respond differently to threats each time attacker activity is observed, acting as a barrier to further attacker activities. We demonstrate feasibility with both anomaly- and misuse-based detection alerts, for a historical dataset (playback), and a real-time network simulation where asset-to-mission mappings are known. Our findings suggest that unpredictability yields promise as a new approach to deception in laboratory settings. Further research will be necessary to explore unpredictability in production environments. |
first_indexed | 2024-03-07T01:04:34Z |
format | Journal article |
id | oxford-uuid:8ae26372-81dd-4c22-b07b-21a2b472f252 |
institution | University of Oxford |
language | English |
last_indexed | 2024-03-07T01:04:34Z |
publishDate | 2021 |
publisher | Association for Computing Machinery |
record_format | dspace |
spelling | oxford-uuid:8ae26372-81dd-4c22-b07b-21a2b472f2522022-03-26T22:34:37ZDeception in network defences using unpredictabilityJournal articlehttp://purl.org/coar/resource_type/c_dcae04bcuuid:8ae26372-81dd-4c22-b07b-21a2b472f252EnglishSymplectic ElementsAssociation for Computing Machinery2021Happa, JBashford-Rogers, TGoldsmith, MCreese, SIn this article, we propose a novel method that aims to improve upon existing moving-target defences by making them unpredictably reactive using probabilistic decision-making. We postulate that unpredictability can improve network defences in two key capacities: (1) by re-configuring the network in direct response to detected threats, tailored to the current threat and a security posture, and (2) by deceiving adversaries using pseudo-random decision-making (selected from a set of acceptable set of responses), potentially leading to adversary delay and failure. Decisions are performed automatically, based on reported events (e.g., Intrusion Detection System (IDS) alerts), security posture, mission processes, and states of assets. Using this codified form of situational awareness, our system can respond differently to threats each time attacker activity is observed, acting as a barrier to further attacker activities. We demonstrate feasibility with both anomaly- and misuse-based detection alerts, for a historical dataset (playback), and a real-time network simulation where asset-to-mission mappings are known. Our findings suggest that unpredictability yields promise as a new approach to deception in laboratory settings. Further research will be necessary to explore unpredictability in production environments. |
spellingShingle | Happa, J Bashford-Rogers, T Goldsmith, M Creese, S Deception in network defences using unpredictability |
title | Deception in network defences using unpredictability |
title_full | Deception in network defences using unpredictability |
title_fullStr | Deception in network defences using unpredictability |
title_full_unstemmed | Deception in network defences using unpredictability |
title_short | Deception in network defences using unpredictability |
title_sort | deception in network defences using unpredictability |
work_keys_str_mv | AT happaj deceptioninnetworkdefencesusingunpredictability AT bashfordrogerst deceptioninnetworkdefencesusingunpredictability AT goldsmithm deceptioninnetworkdefencesusingunpredictability AT creeses deceptioninnetworkdefencesusingunpredictability |