1
Research on deception in defense of information
systems
Neil C. Rowe, Mikhail Auguston, Doron Drusinsky, and J. Bret Michael
U.S. Naval Postgraduate [email protected]
2
The Software Decoy ProjectFunded by the Department of Homeland Security and other agenciesTailoring classic military deception for defending computer assetsGoal is to provide a second line of defense beyond access controls, which is especially useful for insider attacksKey parts of the project:
Theory of deception for information systemsSimple testbed deceptive software and ways to attach it to operating systems and applicationsTemporal reasoning in deceptionLegal issues in software deception
3
Example: A fake-directory interface
4
Example random-context data from the fake directory
5
Example simple cyber-attack plan for a rootkitinstall rootkit
obtain admin status
cause buffer overflow in port X
connect to target machine on port X
scan local network for ports with known vulnerabilities
learn local network topology
check for newly discovered vulnerabilities of common software
guess password of account on target machine
download rootkit
ftp to hacker archive
decompress rootkit
close ftp connection
test rootkit
login as admin
logout
install secure port X server
download port X upgrade
ftp to port X site
close ftp connection
logoutdecompress rootkit
6
Example ploy: Delete admin authorization + log out5
39
25
install rootkit
close ftp
50
0.2
0.9
0.1
0.2
0.8
0.2
0.8
0.83
0.170.4
0.9
0
33
22 1 2 3 4
35
6
78
9
ping
pingresearchvulnerabilities
researchvulnerabilities scan open port overflow
bufferbecome admin
become admin
login
ftp
24
25
download rootkit
download rootkit downloadsecureport
download secureport
10
11
122
13
14 15 16 17 18 19
downloadsecureport
close ftp
decompressrootkit
installsecureport
installrootkit
logout
21 22 23 28close ftp
decompresssecureport
installsecureport
testrootkit
testrootkit
testrootkit
testrootkit
testrootkit
26
close ftp
27
29
30
decompresssecureport
decompress secureport
decompress rootkitdecompress
rootkit
install rootkit
32
31
ftp
downloadsecureport
downloadsecureport
180
70
167
107
61
36
101 10099
97
10075
7462
96
8685
4874
65
55
47 30 11
36 24 1 0
0.33
0.8
0.67 0.17
0.80.2
34
test rootkit
ftp
0.25 0.75
40decompresssecureport
close port
close port
0.83
20
55
51
0.1
0.9
0.1
0.6
106
102
103
104105
open port
overflowbuffer
become admin
close port
login
7
Software wrappers for deception
For a deception defense to be effective, it is good to distribute it across many features of an operating system -- like "antibodies".We are building tools to automatically modify software to insert "wrappers" around key code; the wrappers can apply deception when their suspicions are aroused.
8
General decoy architectureAttacker
Operating system Applications software 1
Applications software 2
Wrapper
Component 1 Component 2Wrapper
Component 3Component 4
Decoy supervisor Intrusion-detection system
Decoying rules
9
Example deception rule for a software wrapper• This detects opening a file, read/write operations, and
closing the file.• Each event cause a message to the system log file.• The pre and post indicate whether the action is done
before or after the matching kernel call.• $path provides values of kernel call parameters.• Besides executing code, wrapper rules may prevent or
delay execution of a kernel call.R1 : detect
open pre { wr_printf("open file %s", $path) ; } ( read pre { wr_printf("read file %s ", $path); } |
write pre {wr_printf("write file %s ", $path);} ) *close post { wr_printf( "file %s closed", $path); }
10
Timing in deceptions
Deceptions involve sequences of activities in time.In some deceptions, the timing of these activities is critical.Since people have difficulty reasoning about time, it is helpful to formalize complex activities for computer analysis.We use "KTL", knowledge temporal logic.
11
Knowledge LogicCards Game
A,B A,C
C,BB,C
C,A B,A
1
11 2
22
Possible Worlds Model
<A,B> |= Knows player2 player1hasCardAStatement must be true in allworlds possible for player2 when in <A,B>
False, because in C,B:
player1hasCardA = false
12
KTL: Monitoring – static possible worlds model
player1HasA
player2HasB
player1HasC
player2HasA ...
DBRoverMonitor
Static model of possible worlds
True, false, true, false, false!
<WORLD NAME="AB"> <PL CODE="player1HasA" TRUTH="1" /> <PL CODE="player1HasB" TRUTH="0" /> <PL CODE="player1HasC" TRUTH="0" /> <PL CODE="player2HasA" TRUTH="0" /> <PL CODE="player2HasB" TRUTH="1" /> <PL CODE="player2HasC" TRUTH="0" /> </WORLD>
13
KTL: Monitoring
14
KTL: Simulation
15
Kripke model for the "Man Who Never Was"This gives all possible worlds seen by the three agents, the British, the Germans, and
the Spanish. We define the following three Boolean propositions, which together induce a space of eight possible worlds: H- represents possible worlds where Major Martin episode is a deception: G- represents possible worlds where the German coroner is in Spain and is working on the case; M- represents possible worlds where Major Martin drowned.
Hence, for example, w1 = <H, ¬G, ¬M> is the possible world where the Major Martin episode is a deception, the German coroner is not in Spain, and Major Martin did not drown. This is the possible world the British considered they were in, but in fact, they were unable to distinguish between this world and w2 = <H, G, ¬M> and could have very well been in world w2.
H,G,M
H,G, ¬M
¬H,G, M
¬H,G, ¬M
H, ¬G,M
H, ¬G, ¬M
¬H, ¬G,M
¬H, ¬G, ¬M
D,S
B,S
D,S
D,S
B,S
B,S
B,S
D,S
S
S
D,S
16
Legal issues in software deception
Deception applied by a government is limited by law and policy, the former of which can be represented by mechanical rules.The policy (latitude with which to apply the law) is not readily amenable to full automation, but we are developing decision-support tools for assessing deception options.An area in which this is critical is defense against cyber-terrorism.We developed THEMIS, a threat evaluation "metamodel" for information systems that organizes a legal case against computer network attacks.