Research On Defensive Cyber Deception Technology

Posted on: 2019-02-27
Degree: Doctor
Type: Dissertation
Country: China
Candidate: Z P Jia
Full Text: PDF
GTID: 1318330542995339
Subject: Computer Science and Technology

Abstract/Summary:
The explosive growth of the Internet has carried it far beyond its initial expectations. After decades of development, the Internet has evolved into a truly global network. With the rapid development of concepts such as e-business, e-government, the Internet of Things, the smart home and cloud computing, digital technology, represented by the Internet, has accelerated its integration with various fields and penetrated into people's lives. Almost all traditional industries, applications and services have been changed by the Internet, which brings innovation and development opportunities to various industries. Driven by political or economic interests, attacks on critical infrastructure have been frequent in recent years, and the number of information theft incidents has increased rapidly. The United States and other countries have formed cyber armies, and cyberspace has become the fifth-dimension battlefield. As the world becomes more and more dependent on the Internet, the damage from cyber-attacks also becomes more serious. Security threats posed by the traditional Internet can also threaten real-world security.

The asymmetric situation between network attack and defense is one of the key issues of current network security: 1) The deterministic, static and homogeneous nature of current network systems enables an attacker to obtain information about the target through probing. Attackers repeatedly analyze and perform penetration against the target system until they find vulnerabilities, and existing technologies cannot eliminate all vulnerabilities; 2) Attackers can learn from failed attacks and adjust their strategy, whereas a defender can learn only from detected attacks and so cannot predict an attacker's next action; 3) An attacker can detect which commercial defense devices have been deployed in a business network by scanning, probing and other means. The same security products are then used to verify and test the network weapons so that the weapons can evade detection.

In a cyber-attack, an attacker generally determines the next action based on the information obtained through network reconnaissance. Cyber deception uses planned actions to mislead and confuse attackers, making them take actions that are beneficial to the defender. Compared with traditional security technologies, cyber deception focuses not on attack features but on the attackers themselves, and can reverse the asymmetric situation between the attacker and the defender. It has attracted the attention of researchers and enterprises. Given these facts, studying the core mechanism of cyber deception, focusing on the evolution of cyber deception, and comprehensively researching cyber deception related technologies are significant for increasing China's deterrence capability in cyberspace warfare and for protecting China from cyberspace threats.

In this thesis, the author researches defensive cyber deception technology. First, the thesis conducts theoretical research. By studying the mechanism of cyber deception and existing technology, it is intended to reveal the nature of current cyber deception technology and to sum up its evolution trend and basic attributes. The thesis then takes the Web as the breakthrough point and studies cyber deception models and technology for Web protection. The thesis includes four research points: studying the formalized model and mechanism of cyber deception, to accurately describe the basic problem of cyber deception; studying Web honeypot technology based on a collaborative mechanism, to capture attacks against the Web and learn about threats against Web applications; studying tracking techniques used in deception systems, to support the collection of identity information about attackers; and finally, studying a Web defense model based on deception, to add Web security. The main contributions of the thesis include:

(1) In the direction of the cyber deception mechanism, this thesis first analyzes the existing definitions and previous studies, then sets out a formal definition of cyber deception. Four security attributes of cyber deception design are proposed: Confidentiality, Authentication, Controllability and Availability. The meaning of each attribute is expounded. The thesis describes five states in the cyber deception life cycle, explaining the meaning of each state and how the states transfer. The deception process is described from three aspects: deception action design, deception implementation, and effect evaluation. In addition, taking time as the thread and drawing on published tools and academic research, the thesis sums up the evolution of cyber deception technology, dividing the development process of cyber deception into the "pioneering stage", the "honeypot stage" and the "deception defense stage". The "inception stage" introduces the origin of cyber deception and its early development characteristics. The "honeypot stage" introduces various kinds of honeypot and representative products. The "deception defense stage" analyzes the reasons for the decline of honeypot technology and the rise of deception defense technology, then introduces representative cyber deception manufacturers. The characteristics of the three stages of deception technology are discussed.

(2) In the direction of Web honeypots, the thesis proposes a design scheme for a high-interaction Web honeypot, intended to markedly raise the probability that a Web honeypot is attacked and thereby to enhance attack information collection on high-interaction Web honeypots. First, the author analyzes the process of Web attacks against honeypots and introduces a concept called the honeypot-cluster, which consists of several Web honeypots and a collaboration control unit. Then, a collaboration algorithm is designed. By using the collaboration algorithm, a honeypot-cluster behaves as if it were a single honeypot. Next, the author designs and implements a prototype system called ArkHoney, which is based on the collaboration algorithm. ArkHoney is implemented with four different Web applications (Joomla, WordPress, phpMyAdmin, Drupal). The author describes in detail its design, implementation and risk control, as well as how attacks are logged. The author deployed the system for two months to evaluate its performance. In the experiments, ArkHoney attracted 7,933 hits, which came from 985 distinct IP addresses. By analyzing the data collected by ArkHoney, 26 attacks against the four applications were manually confirmed. The thesis provides some insights into a few interesting attacks. Experimental results show that this work can enhance attack collection on high-interaction Web honeypots.

(3) In the direction of attacker tracking, this thesis introduces how to use browser fingerprint technology to track attackers in a cyber deception system. First, the thesis introduces existing network tracking technology from three aspects: IP tracking, control host tracking, and attacker and organization tracking. Then Web tracking technology is introduced. The model framework of browser fingerprint tracking is described, and the fingerprint tracking algorithm is designed. To enhance the effect of tracking, a similarity judgment mechanism and multiple recognition technology are introduced. The browser fingerprint similarity judgment algorithm addresses the problem of fingerprint differentiation caused by terminal information adjustment, while multiple recognition technology increases the stability of recognition. From April 15, 2016, to October 28, 2017, the deployed honeypot collected 10,259 access records and extracted 3,094 cookies, 1,228 fingerprints and 1,038 IP messages. 486 public IP addresses were extracted from the IP messages, and their geographical distribution was analyzed. To analyze tracking stability, time intervals were calculated separately for the cookies, the fingerprints and the tracking algorithm. The experiment found that using the tracking algorithm obtains a better tracking result than using cookies or fingerprints.

(4) In the direction of Web protection, this thesis proposes a Web protection model based on deception. The thesis introduces traditional defense technology and analyzes its shortcomings using intrusion kill chains. Traditional network security defense systems mainly use intrusion isolation, intrusion detection and other technologies to block attacks. However, in targeted attacks, an attacker will continue attacking the target until he succeeds. The difficulty in defending against such attacks is that when an attack is blocked, the attacker can recognize the failure and then adjust the strategy until he can bypass the defense mechanisms. The Web protection model proposed in this thesis changes the traditional mode of blocking attacks: it increases system security by leading the detected attack into a deception environment to consume the attacker's time. To confuse attackers, a deception server is used, which is a clone of the business system. The implementation of a prototype system is given, and the security of the prototype system is analyzed. The model can achieve the goal of increasing the difficulty of attacks and improving the security of the system.

In summary, to fight security threats in cyberspace, this thesis presents a series of research on defensive cyber deception technology. The thesis has made some progress in the cyber deception mechanism, Web honeypots, attacker tracking, and a Web protection model based on deception. The methods and techniques in this research will help improve the ability to discover network attacks, and are meaningful and valuable for mitigating cybercrime.
Keywords/Search Tags: cyber security, cyber deception, web security, honeypot, tracking