1

Research on deception in defense of information

systems

Neil C. Rowe, Mikhail Auguston, Doron Drusinsky, and J. Bret Michael

U.S. Naval Postgraduate Schoolncrowe@nps.edu

2

The Software Decoy ProjectFunded by the Department of Homeland Security and other agenciesTailoring classic military deception for defending computer assetsGoal is to provide a second line of defense beyond access controls, which is especially useful for insider attacksKey parts of the project:

Theory of deception for information systemsSimple testbed deceptive software and ways to attach it to operating systems and applicationsTemporal reasoning in deceptionLegal issues in software deception

3

Example: A fake-directory interface

4

Example random-context data from the fake directory

5

Example simple cyber-attack plan for a rootkitinstall rootkit

obtain admin status

cause buffer overflow in port X

connect to target machine on port X

scan local network for ports with known vulnerabilities

learn local network topology

check for newly discovered vulnerabilities of common software

guess password of account on target machine

download rootkit

ftp to hacker archive

decompress rootkit

close ftp connection

test rootkit

login as admin

logout

install secure port X server

download port X upgrade

ftp to port X site

close ftp connection

logoutdecompress rootkit

6

Example ploy: Delete admin authorization + log out5

39

25

install rootkit

close ftp

50

0.2

0.9

0.1

0.2

0.8

0.2

0.8

0.83

0.170.4

0.9

0

33

22 1 2 3 4

35

6

78

9

ping

pingresearchvulnerabilities

researchvulnerabilities scan open port overflow

bufferbecome admin

become admin

login

ftp

24

25

download rootkit

download rootkit downloadsecureport

download secureport

10

11

122

13

14 15 16 17 18 19

downloadsecureport

close ftp

decompressrootkit

installsecureport

installrootkit

logout

21 22 23 28close ftp

decompresssecureport

installsecureport

testrootkit

testrootkit

testrootkit

testrootkit

testrootkit

26

close ftp

27

29

30

decompresssecureport

decompress secureport

decompress rootkitdecompress

rootkit

install rootkit

32

31

ftp

downloadsecureport

downloadsecureport

180

70

167

107

61

36

101 10099

97

10075

7462

96

8685

4874

65

55

47 30 11

36 24 1 0

0.33

0.8

0.67 0.17

0.80.2

34

test rootkit

ftp

0.25 0.75

40decompresssecureport

close port

close port

0.83

20

55

51

0.1

0.9

0.1

0.6

106

102

103

104105

open port

overflowbuffer

become admin

close port

login

7

Software wrappers for deception

For a deception defense to be effective, it is good to distribute it across many features of an operating system -- like "antibodies".We are building tools to automatically modify software to insert "wrappers" around key code; the wrappers can apply deception when their suspicions are aroused.

8

General decoy architectureAttacker

Operating system Applications software 1

Applications software 2

Wrapper

Component 1 Component 2Wrapper

Component 3Component 4

Decoy supervisor Intrusion-detection system

Decoying rules

9

Example deception rule for a software wrapper• This detects opening a file, read/write operations, and

closing the file.• Each event cause a message to the system log file.• The pre and post indicate whether the action is done

before or after the matching kernel call.• $path provides values of kernel call parameters.• Besides executing code, wrapper rules may prevent or

delay execution of a kernel call.R1 : detect

open pre { wr_printf("open file %s", $path) ; } ( read pre { wr_printf("read file %s ", $path); } |

write pre {wr_printf("write file %s ", $path);} ) *close post { wr_printf( "file %s closed", $path); }

10

Timing in deceptions

Deceptions involve sequences of activities in time.In some deceptions, the timing of these activities is critical.Since people have difficulty reasoning about time, it is helpful to formalize complex activities for computer analysis.We use "KTL", knowledge temporal logic.

11

Knowledge LogicCards Game

A,B A,C

C,BB,C

C,A B,A

1

11 2

22

Possible Worlds Model

<A,B> |= Knows player2 player1hasCardAStatement must be true in allworlds possible for player2 when in <A,B>

False, because in C,B:

player1hasCardA = false

12

KTL: Monitoring – static possible worlds model

player1HasA

player2HasB

player1HasC

player2HasA ...

DBRoverMonitor

Static model of possible worlds

True, false, true, false, false!

<WORLD NAME="AB"> <PL CODE="player1HasA" TRUTH="1" /> <PL CODE="player1HasB" TRUTH="0" /> <PL CODE="player1HasC" TRUTH="0" /> <PL CODE="player2HasA" TRUTH="0" /> <PL CODE="player2HasB" TRUTH="1" /> <PL CODE="player2HasC" TRUTH="0" /> </WORLD>

13

KTL: Monitoring

14

KTL: Simulation

15

Kripke model for the "Man Who Never Was"This gives all possible worlds seen by the three agents, the British, the Germans, and

the Spanish. We define the following three Boolean propositions, which together induce a space of eight possible worlds: H- represents possible worlds where Major Martin episode is a deception: G- represents possible worlds where the German coroner is in Spain and is working on the case; M- represents possible worlds where Major Martin drowned.

Hence, for example, w1 = <H, ¬G, ¬M> is the possible world where the Major Martin episode is a deception, the German coroner is not in Spain, and Major Martin did not drown. This is the possible world the British considered they were in, but in fact, they were unable to distinguish between this world and w2 = <H, G, ¬M> and could have very well been in world w2.

H,G,M

H,G, ¬M

¬H,G, M

¬H,G, ¬M

H, ¬G,M

H, ¬G, ¬M

¬H, ¬G,M

¬H, ¬G, ¬M

D,S

B,S

D,S

D,S

B,S

B,S

B,S

D,S

S

S

D,S

16

Legal issues in software deception

Deception applied by a government is limited by law and policy, the former of which can be represented by mechanical rules.The policy (latitude with which to apply the law) is not readily amenable to full automation, but we are developing decision-support tools for assessing deception options.An area in which this is critical is defense against cyber-terrorism.We developed THEMIS, a threat evaluation "metamodel" for information systems that organizes a legal case against computer network attacks.