Role-Based Deception in Enterprise Networks

I. Anjum, Mu Zhu, Isaac Polinsky, W. Enck, M. Reiter, Munindar P. Singh
DOI: 10.1145/3422337.3447824 (https://doi.org/10.1145/3422337.3447824)
Venue: Proceedings of the Eleventh ACM Conference on Data and Application Security and Privacy
Publication date: 2020-08-07
Citation count: 4

Abstract

Historically, enterprise network reconnaissance is an active process, often involving port scanning. However, as routers and switches become more complex, they also become more susceptible to compromise. From this vantage point, an attacker can passively identify high-value hosts such as the workstations of IT administrators, C-suite executives, and finance personnel. The goal of this paper is to develop a technique to deceive and dissuade such adversaries. We propose HoneyRoles, which uses honey connections to build metaphorical haystacks around the network traffic of client hosts belonging to high-value organizational roles. The honey connections also act as network canaries to signal network compromise, thereby dissuading the adversary from acting on information observed in network flows. We design a prototype implementation of HoneyRoles on an OpenFlow SDN controller and evaluate its security using the PRISM probabilistic model checker. Our performance evaluation shows that HoneyRoles has a small effect on network request completion time, and security analysis demonstrates that once an alert is raised, HoneyRoles can quickly identify the compromised switch with high probability. In doing so, we show that role-based network deception is a promising approach for defending against adversaries in compromised network devices.