
Research On Deception-based Cyber Defense Against Multi-stage Penetration Attack

Posted on: 2021-04-21
Degree: Doctor
Type: Dissertation
Country: China
Candidate: S Wang
Full Text: PDF
GTID: 1368330647457277
Subject: Computer Science and Technology
Abstract/Summary:
With the rapid development and pervasiveness of network technology, the intensity and number of cyberattacks are steadily increasing, leading to serious network security problems. In particular, the multi-stage penetration attack represented by the advanced persistent threat puts traditional defense technology in a passive situation of "easy to attack but difficult to defend", which has greatly reduced defense efficiency and brought a huge threat to both commercial and government organizations. Deception-based Cyber Defense (DCD) has been proposed as a new approach for breaking this asymmetry in cyberspace. The core idea of DCD is to induce attackers to stray into deceptive schemes designed by the defender in advance, so as to mislead their cognition and cause them to take actions in favor of the defender, thus helping to discover, delay or interrupt the attack process and enhance the network defense ability.

In this paper, resisting the multi-stage penetration attack is taken as the breakthrough point for the research. Specifically, according to the attack characteristics of different stages, several active defense technologies of DCD are proposed to provide the theoretical basis and technical support for resisting multi-stage penetration attacks. This study can not only improve the active defense ability of network security, but is also of great significance for guaranteeing military information security. The main contributions of this paper are as follows:

1. Aiming at the problem that the existing cyber kill chain and attack graph models are not conducive to guiding the defender to implement targeted defense according to changes in network threats, a threat-driven dynamic division model of attack stages is proposed. On this basis, the characteristics of different attack stages are analyzed, and a framework of DCD against multi-stage penetration attack is constructed. The proposed framework can provide theoretical support for the construction of phased and targeted defense technologies of DCD.

2. Aiming at the problem that the existing attack stage awareness methods are inefficient and cannot be applied to large-scale networks, an attack stage awareness method based on two-layer threat penetration graphs (TLTPG) is proposed. First, the TLTPG model is defined: the lower layer, called the host threat penetration graph (HTPG), describes the micro penetration scenarios between any two hosts in the target network, and the upper layer, called the network threat penetration graph (NTPG), describes the macro penetration relationships between the hosts of the target network. Then, based on the knowledge graph, the host resource knowledge graph (HRKG) is proposed to generate the HTPG intelligently and efficiently. Further, utilizing the HTPG, an NTPG generation algorithm based on penetration information exchange is given. The layered idea decouples the network size from the number of vulnerabilities and improves the generation efficiency of the TLTPG. Finally, according to the alarms in the target network, the attack stage of the attacker can be perceived through threat calculation, which lays the foundation for implementing targeted defense methods in different attack stages. Theoretical analysis and experimental results show that this method achieves efficient and accurate, threat-driven perception of the attack stages.

3. In the initial stage of the multi-stage penetration attack, aiming at the problem that the existing single end-hopping technology cannot effectively resist an attacker with fingerprint tracking ability, a hybrid DCD mechanism combining address mutation and fingerprint camouflage is proposed. By analyzing the characteristics of the initial stage of the multi-stage penetration attack, we first introduce and formalize a novel attacker model named Scan and Foothold Attack (SFA). To resist the SFA, the concept of the fingerprint camouflage host is introduced, and the defense mechanism combining address mutation and fingerprint camouflage is designed to deceive attackers with maximum probability. Afterward, in order to prove the effectiveness of our method, probabilistic models are designed to provide a deeper analysis of the theoretical effects under different attack and defense scenarios. Furthermore, the SFA is extended to a more complex model named Persistent Scan and Foothold Attack (P-SFA). Based on the TLTPG and the alarm data generated by historical attacks, the parameters of the P-SFA are deduced from the perspective of the defender. Then an adaptive defense strategy is designed, which improves the intelligence and effectiveness of DCD and can effectively interfere with the attack process. The experimental results show that the combination of address mutation and fingerprint camouflage achieves a better defense effect than either single defense method.

4. In the middle stage of the multi-stage penetration attack, aiming at the problem that the existing static deployment method causes the deployed deception resources to be easily identified and bypassed by attackers, which further leads to a low deception success probability, a dynamic deployment method of deception resources based on reinforcement learning is proposed. Based on the TLTPG, the attack and defense scenario of deception resource deployment is established. Afterward, a model for finding the optimal policy for deploying deception resources based on reinforcement learning is constructed, and a model-free Q-learning training algorithm is designed. To speed up learning, a preliminary screening method that derives the effective deployment locations of deception resources from the NTPG is proposed. Finally, the alarm data is used to guide the algorithm to find the optimal strategy, which can intelligently deploy deception resources according to changes in the security state of the target network. We use a real-world network environment for our experiments and conduct in-depth comparisons with state-of-the-art methods. Our evaluations on a large number of attacks show that our method is not easily detected by attackers and has a high defense success probability of nearly 80%, which can effectively delay the attack process.

5. At the end of the multi-stage penetration attack, aiming at the problem that traditional honeypots do not easily attract attackers, which leads to poor defense efficiency, a DCD defense method based on the dynamic camouflage network (DCN) is proposed. The DCN consists of a real network and a camouflage network; the latter is constructed by simulating the real-time network characteristics of the former. In this way, by using the DCN, the defender can use the real network to maintain the normal operation of the target network and, at the same time, use the camouflage network to actively deceive the attacker. On this basis, two DCD defense methods are designed at the traffic level and the data level respectively. According to the different characteristics of two specific network attack and defense scenarios, and based on the classic signal game model, the traffic camouflage signal game (TC-SG) model and the data camouflage uncertain signal game (DC-USG) model are established respectively. Further, in order to maximize defense effectiveness, a novel equilibrium solution method is proposed, which can calculate the pure strategy and the hybrid strategy simultaneously. The equilibrium solution and experimental results show that this method can effectively lure the attacker into deviating from his attack target while ensuring the normal operation of services in the real network. The hybrid strategy can increase the confusion of attackers and improve the actual effectiveness of DCD.
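To make the TLTPG idea of contribution 2 concrete, the following is an added illustration (not the dissertation's own model or code): an HTPG is built per ordered host pair from only those two hosts' resources, the NTPG is aggregated from the HTPGs, and an alarm is mapped to a hop-count attack stage. The host data, the exploitability set and the hop-count stage rule are all constructed assumptions.

```python
# Constructed illustration of the two-layer threat penetration graph (TLTPG)
# idea: an HTPG per ordered host pair, the NTPG aggregated from them, and an
# attack stage estimate from an alarm. Data and stage rule are assumptions.
from collections import deque

# Host resource facts (constructed): exposed services with the privilege that
# exploiting the service would grant, plus which hosts each host can reach.
HOSTS = {
    "internet": {"services": {}, "reach": ["web"]},
    "web": {"services": {"http": "user"}, "reach": ["app"]},
    "app": {"services": {"rpc": "root"}, "reach": ["db", "web"]},
    "db": {"services": {"sql": "root"}, "reach": ["app"]},
}
EXPLOITABLE = {"http", "rpc", "sql"}  # services with a known exploit (constructed)
RANK = {"user": 1, "root": 2}

def host_threat_graph(src, dst, hosts=HOSTS, exploitable=EXPLOITABLE):
    """HTPG for one ordered pair: edges (service, privilege gained on dst).
    Only the two hosts' own resources are consulted (size decoupling)."""
    if dst not in hosts[src]["reach"]:
        return []
    return [(svc, priv) for svc, priv in hosts[dst]["services"].items()
            if svc in exploitable]

def network_threat_graph(hosts=HOSTS, exploitable=EXPLOITABLE):
    """NTPG: macro edge src -> dst labelled with the best privilege the
    corresponding HTPG yields (the 'penetration information' exchanged)."""
    ntpg = {h: {} for h in hosts}
    for src in hosts:
        for dst in hosts:
            htpg = [] if src == dst else host_threat_graph(src, dst, hosts, exploitable)
            if htpg:
                ntpg[src][dst] = max((p for _, p in htpg), key=RANK.get)
    return ntpg

def attack_stage(ntpg, entry, alarm_host):
    """Assumed stage rule: fewest NTPG hops from the entry point to the host
    that raised the alarm (1 = foothold, larger = later stage). Returns
    (stage, path), or (None, []) if the alarm host is unreachable."""
    queue, seen = deque([(entry, [entry])]), {entry}
    while queue:
        host, path = queue.popleft()
        if host == alarm_host:
            return len(path) - 1, path
        for nxt in ntpg[host]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [nxt]))
    return None, []
```

Because each HTPG call touches only two hosts, adding hosts grows the NTPG build quadratically in host count but not in the vulnerability count of unrelated hosts, which is the decoupling the abstract refers to.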
Keywords/Search Tags: multi-stage penetration attack, deception-based cyber defense, attack stage, two-layer threat penetration graphs, fingerprint camouflage, deception resources deployment, dynamic camouflage network