PERFORMANCE ANALYSIS OF CYBER DECEPTION USING PROBABILISTIC MODELS
BY
MICHAEL B. CROUSE
A Thesis Submitted to the Graduate Faculty of
WAKE FOREST UNIVERSITY GRADUATE SCHOOL OF ARTS AND SCIENCES
in Partial Fulfillment of the Requirements
for the Degree of
MASTER OF SCIENCE
Computer Science
May 2012
Winston-Salem, North Carolina
Approved By:
Errin W. Fulp, Ph.D., Advisor
David J. John, Ph.D., Chair
Daniel A. Canas, Ph.D.
Acknowledgements
I would like to thank several people who have worked many long hours in helping produce this thesis. Without the help of Pacific Northwest National Laboratory, Dr. Thomas Carroll, and Dr. Glenn Fink, this thesis would not have been possible. Thank you to Dr. Carroll for allowing me to take a role in the development of this research and for all the advice and support throughout this process.
I would also like to thank the Department of Computer Science at Wake Forest University. I truly am grateful for everything the department has done over the past several years in providing me with the resources and time to accomplish my goals. Without their support, I would not be the person and researcher that I am. To Dr. Daniel Canas specifically, I want to thank you for all the independent projects, research, and the time you have given to help me reach this point.
I also want to thank my family for their constant support and love throughout my long stay at Wake Forest. Without their phone calls, messages, and dinner visits, none of my accomplishments would have been possible. As I make my next steps, I know they will continue to support and encourage me to work hard and do my best.
To Ashley Snead, thank you for your patience and support during my time at Wake Forest. You are an inspirational part of my life and keep me motivated to continue working towards my goals.
And finally, to Dr. Errin W. Fulp, I express my deepest gratitude. If not for your tireless efforts, constant humor, and optimism, I am confident I would not have reached this point. I cannot begin to thank you enough for your guidance and wisdom during my time at Wake Forest. You encouraged me to set my goals high and provided the support I needed to achieve them, preparing me as I take the next steps in my life.
Table of Contents
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ii
List of Figures. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . v
List of Tables. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii
Abstract . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . viii
Chapter 1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.1 Challenges in Cyber Security . . . . . . . . . . . . . . . . . . . . . . . 2
1.2 Deception Techniques in Cyber Security . . . . . . . . . . . . . . . . 4
Chapter 2 Deception . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
2.1 Deception Techniques in War . . . . . . . . . . . . . . . . . . . . . . 7
2.2 Deception Taxonomy . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
2.3 The Deception Planning Process . . . . . . . . . . . . . . . . . . . . . 10
2.4 Deception Techniques in Cyber Security . . . . . . . . . . . . . . . . 11
2.5 Varieties of Cyber Deception . . . . . . . . . . . . . . . . . . . . . . . 11
2.5.1 Host Based Cyber Deception . . . . . . . . . . . . . . . . . . . 12
2.5.2 Network Based Cyber Deception . . . . . . . . . . . . . . . . 13
Chapter 3 Probabilistic Modeling of Deception . . . . . . . . . . . . . . . . . . . . 15
3.1 Urn-Models for Estimating Probabilities . . . . . . . . . . . . . . . . 15
3.1.1 Urn-Model Applications . . . . . . . . . . . . . . . . . . . . . 16
3.2 Urn Model for Network Address Shuffling . . . . . . . . . . . . . . . . 16
3.2.1 Urn Model for Static Addressing . . . . . . . . . . . . . . . . 18
3.2.2 Urn Model for Perfect Shuffling . . . . . . . . . . . . . . . . . 19
3.3 Urn Model for the Deployment of Honeypots . . . . . . . . . . . . . . 23
3.3.1 Urn Model for Honeypots . . . . . . . . . . . . . . . . . . . . 23
Chapter 4 Network Address Shuffling Theoretical Analysis . . . . . . . . . 27
4.1 Gaining a Foothold Attack Scenario . . . . . . . . . . . . . . . . . . . 27
4.1.1 Effect of Number of Scans . . . . . . . . . . . . . . . . . . . . 28
4.1.2 Effect of Network Address Size . . . . . . . . . . . . . . . . . 31
4.1.3 Effect of Number of Vulnerable Computers . . . . . . . . . . . 32
4.2 Minimum to Win Attack Scenario . . . . . . . . . . . . . . . . . . . . 34
4.2.1 Effect of Number of Scans . . . . . . . . . . . . . . . . . . . . 35
4.2.2 Effect of Network Address Size . . . . . . . . . . . . . . . . . 37
4.2.3 Effect of Number of Vulnerable Computers . . . . . . . . . . . 39
Chapter 5 Honeypot Theoretical Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . 42
5.1 Gaining a Foothold Attack Scenario . . . . . . . . . . . . . . . . . . . 43
5.1.1 Effect of Number of Scans . . . . . . . . . . . . . . . . . . . . 43
5.1.2 Effect of Number of Honeypots . . . . . . . . . . . . . . . . . 45
5.2 Minimum to Win Attack Scenario . . . . . . . . . . . . . . . . . . . . 46
5.2.1 Effect of Number of Scans . . . . . . . . . . . . . . . . . . . . 48
5.2.2 Effect of Number of Honeypots . . . . . . . . . . . . . . . . . 49
5.2.3 Effect of Number of Vulnerable Computers . . . . . . . . . . . 50
Chapter 6 Discrete Event Simulator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
6.1 Simulator Clock . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
6.2 Event Queue . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
6.3 Statistics Captured by the Simulator . . . . . . . . . . . . . . . . . . 54
6.4 DES Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Chapter 7 Empirical Cost-Benefit Analysis of Shuffling. . . . . . . . . . . . . 56
7.1 Simulation Implementation . . . . . . . . . . . . . . . . . . . . . . . . 56
7.1.1 Traffic Traces . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
7.2 Shuffling Frequency . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
7.2.1 Attacker Probability of Success . . . . . . . . . . . . . . . . . 58
7.2.2 Shuffling Cost vs Benefit . . . . . . . . . . . . . . . . . . . . . 59
Chapter 8 Conclusion. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
8.1 Performance of Network Address Shuffling . . . . . . . . . . . . . . . 62
8.2 Performance of Honeypots . . . . . . . . . . . . . . . . . . . . . . . . 63
Chapter 9 Future Work. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Bibliography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Curriculum Vitae . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
List of Figures
1.1 Number of hosts connected to the Internet since 1981 [7]. . . . . . . . 2
1.2 Tasks associated with the attack process . . . . . . . . . . . . . . . . 5
2.1 Tasks associated with the deception process . . . . . . . . . . . . . . 10
3.1 Markov chain model of perfect address shuffling attacker success probabilities . . . . . 20
4.1 The probability of attacker success as the number of scans increases to the network size. There is only one vulnerable computer in the address space. . . . . . 30
4.2 Probability of attacker success for finding a single vulnerable computer as the size of the network increases. The attacker can scan the entire address space. . . . . . 32
4.3 The probability of attacker success as the proportion of vulnerable addresses to other addresses within the space increases. The attacker can scan the entire address space. . . . . . 33
4.4 The expected percentage of vulnerable computers contacted by the attacker as the number of scan attempts increases. . . . . . 35
4.5 The probability of attacker success as the number of scan attempts increases. The attacker must contact at least 10 vulnerable computers. . . . . . 36
4.6 The expected percentage of vulnerable computers contacted as the ratio of scans to network size decreases. . . . . . 38
4.7 The probability of attacker success as the number of addresses increases and the number of scans remains constant, k = 100. . . . . . 39
4.8 The probability of attacker success as the percentage of vulnerable computers required to succeed increases. . . . . . 40
5.1 The probability of attacker success given x honeypots as the number of scan attempts increases for foothold attacks. . . . . . 44
5.2 The probability of attacker success as the percentage of honeypots within the address space increases for foothold attacks. . . . . . 47
5.3 The probability of attacker success given x honeypots as the scanning rate increases in relation to the size of the address space for a minimum to win attack scenario. For success, the attacker must contact 50% of the vulnerable computers (roughly 10% of the addresses in the address space). . . . . . 49
5.4 The probability of attacker success as the number of honeypots increases within the address space for a minimum to win attack scenario. For success, the attacker must contact 50% of the vulnerable computers (roughly 10% of the addresses in the address space). . . . . . 50
5.5 The probability of attacker success given x honeypots as the number of vulnerable computers within the address space increases for a minimum to win attack scenario. . . . . . 51
5.6 The probability of attacker success given x honeypots as the number of vulnerable computers required for success increases for a minimum to win attack scenario. . . . . . 52
6.1 Discrete event simulator execution cycle . . . . . 55
7.1 The average percentage of vulnerable computers contacted as the shuffle frequency (rate) increases. A shuffle rate of zero is static addressing, while a shuffle rate of 1 is perfect shuffling (shuffle after each reconnaissance attempt). The network contained 10 vulnerable computers in a class-C address space. . . . . . 59
7.2 The connection loss and attacker success probability as the shuffle frequency (rate) increases. A shuffle rate of zero is static addressing, while a shuffle rate of 1 is perfect shuffling (shuffle after each reconnaissance attempt). The attacker is required to contact 10 of the 10 vulnerable computers in the class-C address space. . . . . . 60
List of Tables
2.1 Deception taxonomy summarized from Barton's General Theory on Deception . . . . . 9
Abstract
With the recent development of cyber-crime and cyber-warfare, new techniques for thwarting cyber attackers are required. Deception is a mechanism that attempts to distort or mislead an adversary. It is a proven tactic with a long history of noted successes in traditional warfare, yet it has seen little use within the cyber security realm. Furthermore, there has been very little modeling of such defenses in terms of attacker success. This thesis establishes a novel urn-modeling technique for providing the probability of success for an attacker against two different network deception defenses, network address shuffling and honeypots. This work goes on to analyze these models in two scenarios, gaining a foothold and minimum to win, providing insight into the effect both defenses can have in various environments. Finally, this thesis performs an empirical analysis of network address shuffling to provide a cost-benefit analysis regarding attacker success and the effect on legitimate network users.
Chapter 1: Introduction
Technology continues to integrate itself further into the daily routine of the average person in the United States. In 2004, more than 7 in 10 people had a personal computer. Technology continues to grow by leaps and bounds in two regards: capability and integration. New devices with new and more advanced functionalities are released at astounding rates. Functionalities such as face and voice recognition, once set aside because of their computational difficulty, are now deployed in living rooms and commonplace on handheld and mobile devices. The iPhone and Android smart phones are incredible pieces of technology that continue to evolve and grow in functionality every day with the release of new applications. These applications enhance and refine the usefulness of their devices and expand their capabilities. Technology has also become pervasive in the productivity of everyday life. Computers, cell phones, and tablets are no longer simply add-ons to a user's daily life but integral tools for accomplishing almost every task.
The exponential growth of technology and its integration into people's lives brings increased productivity and a higher standard of living. However, with these innovations often come unseen or unpredictable side effects. As people become more reliant and dependent on technology, the consequences of failure or compromise of the connections holding these services together grow as well.
One current trend in the integration of technology into everyday life is the necessity of constant access to information. Global access to information continues to be a focus of technology providers, allowing customers to have their information always at their fingertips. The increased focus and interest in cloud computing and storage is the primary example of this trend. Every large technology company has released, and is heavily marketing, a cloud service that provides exactly this type of global access. This added functionality has the benefit of allowing users to be much more productive, with their personal and work data available on every device, in any location, at any time. However, it has led to more information being digitized and stored in central locations. The consequences of this model can be substantial. The privacy and security impact of having sensitive information behind a single point of failure can lead to the complete compromise of this valuable data.

Figure 1.1: Number of hosts connected to the Internet since 1981 [7].
1.1 Challenges in Cyber Security
Computer security is a decades-old problem that began with the need to ensure equal allocation of resources on communal computing platforms and the protection of sensitive data and research. These needs created a whole new set of responsibilities and inspired a whole new facet of technology and computer science.

When universities began connecting their computing resources, forming what would become the Internet, the problem of securing those resources became even more complex. Administrators of these large computing clusters now had to worry not only about local users but also about those outside the confines of their university network. The complexity of maintaining access control for a growing number of users and resources continues to increase. Infrastructures that were once as small as a single computer now number in the thousands, providing access and/or information to millions. Obviously, guaranteeing any type of security for these networks is difficult. Even a single computer presents more attack vectors than any one security tool can cover, much less the growing infrastructures seen in world-wide corporations and governments.
The security of information and infrastructure is a problem common to corporate and government enterprises alike. As more national security and confidential material is stored digitally, securing critical infrastructure will continue to be a high priority.
One key focus is the protection of large-scale, global infrastructures and the need to prevent unauthorized, malicious entities from gaining a foothold in networks. There are many current security technologies for protecting networks, including firewalls, demilitarized zones (DMZs), and intrusion detection systems (IDSs). These tools have been successful at protecting against known attackers and attack vectors, but often they fall short when confronted with an unknown attack. This type of protection is reactive in nature. For many institutions, such a static defense does not provide enough protection to satisfy their security and risk requirements. As a result, there is a new research focus on providing a more dynamic and adaptive defense in hopes of mitigating new and more motivated attackers.
1.2 Deception Techniques in Cyber Security
One technique being employed as a defense under these difficult circumstances is deception. Deception is a mechanism that attempts to distort or mislead an attacker into taking a course of action that is better suited to the goals of the defender. It is a tool that has been leveraged, practiced, and in many cases perfected throughout thousands of years of warfare. However, this knowledge has not yet translated into application in the cyber domain. The administrators on the front line of the cyber war have little expertise in the uses of deception. Security researchers believe that deception can be an effective means of increasing the chances of success against an adversary [19].
Figure 1.2 is a flow chart describing the steps a well-resourced attacker goes through when attempting to compromise a target. The goal of deception is to introduce uncertainty for the attacker and affect their decision-making process. Ideally, the attacker would choose a sub-optimal course of action leading to detection or a decision to walk away.
Currently, deception is utilized on a limited scale for computer systems. One of the common deception utilities in use is the honeypot. Many administrators deploy devices on their network that contain false information but present themselves as critical infrastructure. These devices are placed within the network solely to attract unknowing malicious users; once their activity is captured, the administrator can ban the user's access to the network. Another deception technique that has been experimented with is network address shuffling: periodically permuting the assignment of Internet Protocol (IP) addresses to physical computers to make it difficult for attackers to locate a particular computer or set of computers.
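The shuffling idea can be sketched in a few lines. The following is a toy model, not any deployed system's implementation; the host names and address range are hypothetical, and it assumes the defender may bind any host to any free address in the pool:

```python
import random

def shuffle_addresses(hosts, address_pool, rng=random):
    """Assign each host a fresh address drawn from a random
    permutation of the pool (a toy model of address shuffling)."""
    assert len(address_pool) >= len(hosts)
    shuffled = rng.sample(address_pool, k=len(hosts))
    return dict(zip(hosts, shuffled))

# Hypothetical pool of 14 addresses and three protected hosts.
pool = [f"10.0.0.{i}" for i in range(1, 15)]
hosts = ["web", "db", "mail"]

before = shuffle_addresses(hosts, pool)
after = shuffle_addresses(hosts, pool)
# An address an attacker records before a shuffle usually no longer
# points at the same host afterwards.
```

The point of the sketch is only that a shuffle invalidates previously gathered reconnaissance: any host-to-address binding the attacker learned is stale after the next call.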
While both of these deception techniques have seen exploration and use, there
[Figure 1.2: flowchart with nodes START; Case Plan & Prepare; Scan & Enumerate; Network meets expectations?; Is risk below threshold?; Are more resources available?; GIVE UP; Test, Practice, Replan; Are we ready?; Did we succeed?; Attack; Assess Damage; PLUNDER.]

Figure 1.2: Tasks associated with the attack process
has been little effort to determine theoretically how effective these approaches are at protecting against attacks. This research provides models that describe the theoretical bounds on the effectiveness of deceptive tools. The models provide insight into the expected, long-term outcomes of using honeypots and network address shuffling. The models are then used as a guide for determining effective ways of deploying the deception tools given the constraints and requirements of a particular network or infrastructure.
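As a preview of the kind of calculation such models support, here is a minimal sketch. It assumes a "gaining a foothold" attack succeeds when at least one of k scans hits one of v vulnerable computers among n addresses, that static addressing corresponds to sampling addresses without replacement, and that perfect shuffling corresponds to sampling with replacement; these assumptions are this sketch's, stated for illustration:

```python
from math import comb

def p_foothold_static(n, v, k):
    """P(at least one hit in k distinct scans of n addresses,
    v of which are vulnerable): sampling without replacement."""
    return 1 - comb(n - v, k) / comb(n, k)

def p_foothold_shuffled(n, v, k):
    """Same event under perfect shuffling: every scan is an
    independent draw, i.e. sampling with replacement."""
    return 1 - ((n - v) / n) ** k

# Class-C-sized space, one vulnerable computer, 128 scans.
n, v, k = 256, 1, 128
static = p_foothold_static(n, v, k)      # exactly 0.5 here
shuffled = p_foothold_shuffled(n, v, k)  # about 0.39
```

Shuffling helps the defender here because scans no longer eliminate addresses from consideration: a shuffled network forces the attacker to re-cover ground already searched.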
This thesis proceeds as follows: Chapter 2 provides background on deception and details current deception tools; Chapter 3 describes urn models and presents models for honeypots and network address shuffling; Chapter 4 presents empirical and experimental data resulting from the urn models, as well as analysis of those results; Chapter 5 concludes and presents possible future research in deception modeling.
Chapter 2: Deception
Deception is defined as the actions taken to deliberately mislead attackers and thereby cause them to take (or not take) specific actions [19]. Deception techniques consist of hiding the real and showing the false [2]. Hiding the real is the act of concealing the truth by obscuring the pattern used for recognizing it. Showing the false is portraying something fake to alter the enemy's perception of the pattern. Most deceptions involve elements of both hiding and showing, but the primary intent of the person or persons constructing the deception allows for simple classification into one of the two categories: whether a deception is hiding or showing depends simply on its goal.
2.1 Deception Techniques in War
Deception is a technique often used in war to provide an advantage over an adversary. Sun Tzu's The Art of War holds that war is deeply rooted in acts of deception: "All warfare is based on deception" [17]. Deception has been employed in hundreds of wars to gain an advantage over an opponent. Sun Tzu wrote that deception was the most important aspect of battle, believing that, employed correctly, it would be the most effective means of victory; its use would preserve more soldiers' lives and lead to victory more quickly.
There are many examples of deception affecting the outcome of battles; sometimes merely the number of casualties and munitions used, and at other times the difference between victory and defeat. While it is often difficult to attribute the outcome of a victory to deception, many agree that deception can, and often does, play a major role in war. One of the most famous, though most likely fictional, accounts of deception is that of the Trojan War. The Trojan Horse is the device that enabled the Greeks to finally breach the walls of Troy and destroy the city. The Greeks presented a large wooden horse to the Trojans as a gift. The Trojans brought the "gift" behind the wall and left it unguarded overnight. The wooden horse secretly held several Greek warriors, who emerged during the night, and the city was burned to the ground. While most scholarship holds that this event most likely never took place, the moral remains.
During World War II, the Allied forces used deception frequently to disinform the German armies and promote a false sense of Allied positions and strategy. Operation Fortitude is one of the most famous examples because of the success of the invasion of Normandy. The operation consisted of several forms of deception that together provided a successful ruse, convincing the German leadership that the attack would occur at Pas de Calais instead of Normandy. The Allied forces positioned large numbers of inflatable tanks and plywood artillery near Pas de Calais while positioning their actual munitions near Normandy. The Allies also leveraged double agents to leak false information to German strategists, reinforcing reconnaissance reports of forces massing near Pas de Calais. As a result, the German forces were not adequately prepared for the invasion at Normandy. This and similar successes have provided motivation to attempt a parallel approach for securing corporate and government infrastructure.
2.2 Deception Taxonomy
From the abundant examples and investigation of previous deceptions, a taxonomy was created. Barton Whaley, among the earliest modern researchers to define and theorize about deception, created the first published taxonomy for deception. He theorized that any deception fits into one of two main categories: dissimulation and simulation. Dissimulation is the process of hiding the real. Its goal is to at least partially conceal the truth by obscuring at least part of the pattern used for recognizing it. Simulation is the process of showing the false. The idea is to pretend or portray something that is fake, a lie. While any deception will fall into one of these two categories, all deceptions incorporate acts of both hiding and showing.

    Dissimulation (hiding the real)
      Masking      Concealing all distinctive features or matching them
                   to surrounding characteristics
      Repackaging  Adding or subtracting characteristics to transform
                   them into something else
      Dazzling     Randomizing or partially obscuring the
                   characteristics of an object

    Simulation (showing the false)
      Mimicking    Copying one or more characteristics to approximate
                   its distinctive pattern
      Inventing    Creating something entirely new or different
      Decoying     Creating alternative false characteristics that give
                   an additional pattern

Table 2.1: Deception taxonomy summarized from Barton's General Theory on Deception
As Table 2.1 shows, there are six means of deception: three ways to dissimulate and three ways to simulate. Whaley uses the concept of pattern matching on characteristics as the means of recognition. Dissimulation attempts to alter an object's true pattern so that it appears to be something else, confusing or confounding the attacker; this is hiding the real. Masking, repackaging, and dazzling all modify the overall pattern to hide the true one. Simulation creates a new pattern that is meant to distract or confuse an attacker.
More thoroughly, Table 2.1 provides further insight into the fact that all deception encompasses both simulation and dissimulation. Masking, or concealing the existence of an object, is equivalent to mimicking the pattern of that object not being there. For example, consider masking a tank with a mirror system. The goal is to hide the real: the tank is masked by the system of mirrors that reflect its surroundings. Implicitly, this is also mimicking, showing the false. The entity hiding the tank is also mimicking the surroundings, showing only trees and, in the end, that there is no tank. This relationship between simulation and dissimulation is a consequence of the definitions being exact opposites of each other. Each form of dissimulation pairs with a form of simulation: masking and mimicking, repackaging and inventing, dazzling and decoying.

[Figure 2.1: flowchart with three steps: Identify and study the strategic goal; Analyze and plan the hiding and showing; Execute and observe the deception.]

Figure 2.1: Tasks associated with the deception process
2.3 The Deception Planning Process
Deception is a difficult task that in most cases must be made to fit the situation; typically one size does not fit all. The most successful deceptions are engineered mindful of the goal [2, 6]: with the strategic goal kept in mind, any deception employed is carried out with the objective as the priority.
Figure 2.1 is a summary of the deception planning process originally developed by Whaley [18], which consists of ten steps. Step one requires the practitioner to understand the target and the goal of implementing the deception. A clear understanding of both improves the viability of the deception and therefore the chances of success. Deception is most successful when it is specifically tailored to a target and a goal; the more knowledge about both, the better the deception and the more successful the outcome. Step two involves the most work: planning what and how the target should interact with the deception tools, determining the pattern of the items being shown and hidden, and implementing the various hiding and showing techniques to mask or mimic those patterns. Step three executes the deception, with careful observation to determine the level of success and whether there are any consequences of the deception. The best outcome is that the adversary fails to detect the deception and forms the hypothesis about the situation that the deception planner intended.
2.4 Deception Techniques in Cyber Security
Given the background in military strategy and the immense set of examples to draw from, cyber security experts desire to incorporate these deception techniques for defending infrastructure. Adversaries in the realm of computer security are considered to have a large advantage. At the highest level, an adversary has to discover and exploit only a single vulnerability to gain access; granted, one vulnerability may not yield complete access, but it improves the vantage point for further attack. The defender, on the other hand, has to locate and plug every hole, many of which are unknown, while new vulnerabilities are potentially created with every software update or additional system added to the network. Beyond this reality, adversaries also work in an environment without the restrictions placed on defenders. An attacker is legally constrained only by laws that cover cyber events, including theft and destruction of property. Many countries have less aggressive policies; even the United States has trouble locating and convicting cyber-criminals. A defender has to deal with those regulations but also with the policies of their corporation or institution. Often, those restraints, together with the moral and ethical requirements of maintaining their status as an employee, vastly limit what the defender can levy against an adversary.
2.5 Varieties of Cyber Deception
Defenders are outmatched in many respects and require tools to tip the balance in their favor. Deception has been an effective tool in warfare in situations where one side has a distinct advantage. As such, deception tools and techniques have been constructed and implemented to increase the burden on the attacker and to increase the chances of the defender successfully defeating an adversary. Two deception tools that are implemented or being experimented with are honeypots and network address shuffling. Both tools attempt to conceal key infrastructure and consume an attacker's resources. They hide the real and show the false in order to alter the attacker's perception of the network and lead to the capture and defeat of the adversary.

Deception can be employed at various locations within a network of computers. It can be used at the host level, on an individual computer. It can also be leveraged at the network level, across groups of devices, including firewalls, routers, and hosts, working together.
2.5.1 Host Based Cyber Deception
Host-level deception is employed by a single device, for example a personal computer, as a defense mechanism. The device will often mask important information and show false information to thwart an attacker. There are several examples of host-based deception that have achieved large success in making common attacks difficult or nearly impossible. The most well known is stack randomization, which defends against buffer overflow exploits. The vulnerability occurs because of improper bounds checking for memory allocated on the stack. An attacker is able to overflow a buffer on the stack and rewrite the return address, gaining the ability to execute arbitrary code, often at elevated privileges. Stack randomization alters the location of the stack that the attacker seeks to overwrite. This makes a buffer overflow exploit much more difficult to perform successfully and almost impossible to replicate with consistency.
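The effect of randomization can be illustrated with a toy simulation. This is a sketch, not exploit code: it assumes the attacker hard-codes an address learned from one run, while the system re-randomizes the location with a given number of entropy bits on every run:

```python
import random

def attack_succeeds(entropy_bits, rng):
    """One exploit attempt: the attacker's hard-coded guess only
    works if it matches the freshly randomized offset."""
    guess = 0  # address learned before randomization was enabled
    actual = rng.randrange(2 ** entropy_bits)
    return guess == actual

rng = random.Random(1)
trials = 100_000
hits = sum(attack_succeeds(16, rng) for _ in range(trials))
# With 16 bits of entropy the expected hit rate is 1/65536, so a
# fixed-address exploit almost never works twice; with 0 bits
# (no randomization) it works every time.
```

This captures the "almost impossible to replicate with consistency" claim: success becomes a low-probability guess rather than a repeatable recipe.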
Another proposed deception technique is to have common operating system utilities, such as ls, cat, and ps, present unexpected data at random intervals [14]. That work calls this type of deception inconsistent deception: the practice of providing unexpected data with the intent to disorient an attacker.
2.5.2 Network Based Cyber Deception
Network level deception is focused on protecting sets of computers rather than just
a single device. Normally, the deception involves more than one device working to
execute the deception and deter attackers.
Network Address Shuffling
Network address shuffling is a dynamic defense that alters an organization's network
appearance by periodically remapping the usually static association between network
addresses and systems. This technique is classified as concealing: the goal is to hide
the real systems within the address space. Several systems that methodically change
the addresses of computers within a network have been implemented.
One network address shuffling implementation utilizes Dynamic Host Configura-
tion Protocol (DHCP) to reassign each host’s network address [1]. This technique
relies on the Domain Name Service (DNS) to establish the new addresses within a
domain to ensure that legitimate traffic can continue to operate. This implementation
mainly addresses attacks that rely on hit lists, a precompiled list of target addresses
with a known common vulnerability. One prominent example of this is a hitlist worm,
a worm with extremely fast propagation time because instead of searching for new
hosts to infect, it maintains the precomputed list of IP addresses. This type of worm
is also dangerous because the normal scanning phase is one of the characteristics by
which worms can be detected; with a precomputed list, there is no need for a scanning phase [1].
Another implementation is Dynamic Network Address Translation (DYNAT).
This implementation relies upon a modified form of Network Address Translation
(NAT) [10]. The system remaps the NATed addresses and computers to keep the
addresses and computer “locations” constantly changing. Machines within the in-
ternal network that require a connection to the computers being shuffled maintain a
key paired with the algorithm used to update the addresses. The technique does not
leverage DNS and is therefore immune to attacks that utilize hit lists. However, it
requires communicating hosts to have a priori knowledge of the shuffling algorithm
and its parameters.
Honeypots
A honeypot is a computer system that is designed to be a trap for unauthorized
accesses [16]. Honeypots are deployed within a network to appear like normal, active
systems to an outsider. The deception technique being employed is mimicking. The
system mimics a real system to fool the adversary into probing and/or attacking it.
The system responds to queries with information that represents a possible system
within the infrastructure but unlike a normal system, it maintains very detailed logs of
all interactions. All interaction with a honeypot can be considered malicious because
normal users have no knowledge of, or reason to contact, the fake system. From these detailed
logs, administrators can gain insight into an attacker's goals and methods. If an
attacker probes or even compromises the honeypot, the administrator
has a complete log of the attack on a system that has no impact on the security
of the enterprise. It is for these reasons that honeypots have seen wide deployment
within networks.
Chapter 3: Probabilistic Modeling of Deception
Deception has been shown to be beneficial in warfare and in isolated, anecdotal
cyber-security related events [17]. Given these successes and the need for new methods
of defense against cyber attacks, cyber-deception is an important area of exploration.
The focus of this research is not the implementation of a novel cyber deception
tool but the establishment of a set of models that provide a means of measuring the
theoretical bounds of two deception techniques: honeypots and network address shuffling.
Specifically, this research will explore the probability of attacker success and
the expected number of computers compromised. These models can be expanded to
build cost equations to be used by administrators to determine the most effective way
to employ these deception techniques. This chapter will provide information about
the approach taken to model deception and provide the models for network address
shuffling and honeypots.
3.1 Urn-Models for Estimating Probabilities
There is little work in providing theoretical studies of deception tools in current re-
search. For example, the cyber-deception research work of [1] and [10] involves tech-
nical implementation and empirical study of two network address shuffling systems.
These empirical studies demonstrate how effective the tool is in a given circumstance,
however, they only demonstrate performance in a single scenario. This approach provides
little general understanding, and the information gained cannot be extrapolated to predict
the future performance of the techniques. Creating an urn model for deception will provide
probabilistic bounds under different conditions.
3.1.1 Urn-Model Applications
A common tool used for modeling the probabilistic behavior of a system is an urn. An urn is a
simple vessel containing a set of marbles of different colors. A player
draws a marble from the vessel, yielding a random selection from the urn, notes
its color, and then possibly repeats. The urn model for determining the long-term
probabilities of a given system has been leveraged in physics, communications, and
computer science [12].
Urns are useful as a modeling tool as they provide a concrete medium for deter-
mining statistical distributions given a set of events. They are used to determine
probabilities of future events based on various processes over time such as drawing a
certain color marble or the number of expected draws before a certain color appears.
Using an urn as a mechanism for determining these quantities allows for easy understanding
and then translation, or mapping, into real-world scenarios involving probabilities and
distributions within a system.
3.2 Urn Model for Network Address Shuffling
As previously described in Chapter 2, network address shuffling is the process of
permuting the addresses of devices in a network over time. The process occurs
naturally in most systems over months and even years. For example, computers that
use DHCP for connectivity have a lease associated with an address. To be leveraged
for deception, the process is accelerated to make it difficult for an attacker's knowledge
of the IP address of a computer at a given time to remain correct at a later one. To
model this system, the environment and goals must be clearly defined.
To model the performance of shuffling, consider the following scenario: an attacker
targets a network that is maintained by an administrator with the goal of preventing
the attacker from compromising the network. The attacker performs reconnaissance
on the network, seeking to gain information about the network and systems to be
used in the next phase of attack. The goal of network address shuffling is to render
this information useless, keeping the computers within the network hidden from the
attacker. The attacker’s goal is to gain knowledge about key infrastructure within
the network, specifically learn their location within the address space.
Given those goals, let us consider the following:
• There are n total addresses available to the administrator (address space) and
v vulnerable computers where v ≤ n.
• A shuffle event randomly and uniformly remaps all n addresses in the network.
• The attacker is aware of the address space (n addresses) and will serially attempt
k connections to this space.
• The goal of the attacker is to discover at least one unique vulnerable computer
in k attempts.
• The attacker only needs to contact the vulnerable computer once.
Given these constraints, consider an urn consisting of n marbles, where the number of
marbles equals the number of addresses within the network. Of the n marbles, let there be exactly
v green marbles. The v green marbles represent the vulnerable computers
within the network, and the n − v blue marbles represent the computers that are not
termed “critical” according to the attacker's goals or the empty addresses within the
network. Note n is equal to the number of addresses, not the number of computers
within the network.
To simulate a reconnaissance attempt, the attacker is allowed to draw one marble
from the urn at a time. Given that the attacker can attempt k reconnaissances, this
is modeled as k draws. This represents the attacker being able to scan or probe the
network in a serial fashion. If the attacker wanted to scan the entire network, then
k = n. The attacker succeeds if, within the k draws, at least one green marble is
drawn, which represents discovering the location of key infrastructure.
The model will show the impact of network address shuffling by simply modifying
what happens between draws from the urn. This will give bounds on how well this
type of defense theoretically performs in terms of the probability of attacker success.
First, the next section will consider the case in which no shuffling is performed, static
addressing. Then, the most extreme case will be explored: shuffling after each draw
from the urn, perfect shuffling.
3.2.1 Urn Model for Static Addressing
Static Addressing occurs when the defender does not change the address of computers;
therefore there is no active defense against reconnaissance. As a result, the attacker
can simply iterate through the network and gain perfect knowledge about the ad-
dresses of the computers on the network. If the attacker employs a k = n strategy,
their probability of success (drawing at least one green marble using the urn model)
is one. Otherwise, if k < n, an urn model can be used to provide the probability of
attacker success.
Again, consider an urn with n marbles consisting of two populations: v green
marbles and n − v blue marbles. At each turn, the attacker draws a marble and
does not replace it. The attacker continues to draw without replacement, k
times. This process follows a hypergeometric distribution, the “number of successes in
a sequence of k draws from a finite population without replacement” [12]. Let X_k be
a random variable that follows the hypergeometric distribution for drawing x green
marbles in k draws from the urn.
Pr(X_k = x) = \frac{\binom{v}{x}\binom{n-v}{k-x}}{\binom{n}{k}}    (3.1)
The hypergeometric distribution accurately mirrors the situation occurring be-
tween the attacker and the target network. With static addresses, any probe per-
formed by the attacker will provide knowledge that will remain true, i.e. no reason
to probe the same address again. This maintained knowledge is equivalent to the
non-replacement strategy in the described urn model.
Given Equation 3.1, calculating the probability of attacker success requires
simple probabilistic manipulation. As previously stated, the attacker's success requires
the discovery of one vulnerable computer, equivalent to drawing at least one
green marble, Pr(0 < X_k ≤ v). The probability of drawing at least one green marble
is:
Pr(X_k ≥ 1) = 1 − Pr(X_k = 0) = 1 − \frac{\binom{n-v}{k}}{\binom{n}{k}}    (3.2)
The expected number of vulnerable computers discovered, i.e. green marbles
drawn, when k ≤ n is:
E(X_k) = \frac{kv}{n}    (3.3)
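As a sanity check, the static-addressing equations can be evaluated numerically. The following sketch is illustrative only (the function names are not from the thesis) and uses Python's `math.comb` for the binomial coefficients.

```python
from math import comb

def pr_hyper(n, v, k, x):
    """Equation 3.1: probability of drawing exactly x green marbles
    (vulnerable computers) in k draws without replacement."""
    return comb(v, x) * comb(n - v, k - x) / comb(n, k)

def pr_success_static(n, v, k):
    """Equation 3.2: probability of drawing at least one green marble."""
    return 1 - comb(n - v, k) / comb(n, k)

def expected_static(n, v, k):
    """Equation 3.3: expected number of green marbles drawn, kv/n."""
    return k * v / n

# Example: a 256-address space with 8 vulnerable computers and 64 probes.
p = pr_success_static(256, 8, 64)  # chance the attacker finds at least one
```

Checking that the distribution sums to one and that its mean matches Equation 3.3 confirms the reconstruction.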
3.2.2 Urn Model for Perfect Shuffling
Consider the situation in which the administrator employs a network address shuffling
methodology to permute the addresses within the network. As shown in [1], the
probability of attacker success decreases with the frequency of shuffling. In order to
study the best case for the defense in terms of defending the network, the network
[Figure 3.1: a grid of states labeled (blue, green); rightward transitions (drawing a blue marble) have probabilities e/n, (e+1)/n, (e+2)/n, ..., and downward transitions (drawing a green marble) have probabilities v/n, (v−1)/n, (v−2)/n, ..., according to the number of green marbles drawn so far.]

Figure 3.1: Markov chain model of perfect address shuffling attacker success probabilities
will be shuffled after every connection attempt, whether legitimate or malicious. This
will be referred to as perfect shuffling. For the theoretical portion of this research,
normal traffic is not considered, so without loss of generality, shuffling will occur after
each reconnaissance attempt made by the attacker.
Given that perfect shuffling is employed, the attacker's knowledge is diminished
during reconnaissance. For example, if the attacker scans k times, where k = n, the
attacker is unlikely to determine the location of every computer within
the address space; the attacker will not always locate a unique computer with each
attempt. The shuffle event will potentially cause the attacker to contact a computer
more than once. Therefore, perfect shuffling is an improvement over static addressing
in the case where k = n in terms of reducing attacker success.
To determine the long-term probability of attacker success when the defender
employs perfect address shuffling, the previous static address urn model needs a simple
modification. The urn still consists of n marbles, v green marbles representing the
vulnerable computers. The attacker will draw k marbles from the urn and record the
color. However, for the perfect shuffling model, the attacker will return the marble
to the urn. If the marble drawn is blue, representing a non-vulnerable address, the
attacker will simply return it. This action represents that the attacker determined the
computer was not exploitable but the knowledge is not useful because of the shuffling
event. If the attacker draws a green marble, a vulnerable computer, the attacker
will then replace it with a blue marble. The marble is replaced with a blue marble
because discovering the same vulnerable computer does not count toward discovering
a new, unique vulnerable computer within the address space. Contacting the same
vulnerable computer is not useful or beneficial to the attacker.
Determining the distribution of this scenario with the urn is similar to the dis-
cussion of contagion problems in [12]. Polya urn models can consist of multiple
populations and various replacement methodologies which, in many cases, can be represented
as probability equations for the expected outcome. For this urn model,
the population of green marbles will decrease while the blue population grows, but
only when a green marble is drawn.
As Figure 3.1 illustrates, the probabilities are dependent on the sequence in which
the colors are drawn. Following the diagram, e is equal to n − v, the number of non-vulnerable
computers or empty addresses. The values within each node represent
the number of blue and green marbles drawn to reach that node, as the ordered pair
(blue, green). Moving towards the right in the diagram represents drawing a blue
marble. Since a blue marble is simply placed back in the urn, the probabilities do not
change: they remain e/n for drawing a blue marble and v/n for drawing a green marble.
When a green marble is drawn, the diagram transitions downward. As shown, the
probabilities for transitioning right or down are altered to reflect the increase in the
blue population and the decrease in the green. The probability of drawing a green
marble is now (v − 1)/n and the probability of drawing a blue marble is (e + 1)/n.
Consider the following example: what is the probability of drawing exactly two
green marbles within four pulls from the urn? Given the change in probabilities based
on the color drawn, the order in which the marbles are drawn does matter. The diagram
provides a means of determining all the cases: any path that leads to the node where
two green marbles have been drawn and the total drawn equals four is part of the
total probability. The total probability is equal to the sum of the probabilities of all
paths that meet this criterion. The following gives the complete form:
Pr(X_4 = 2) = \frac{e}{n}\frac{e}{n}\frac{v}{n}\frac{v-1}{n} + \frac{e}{n}\frac{v}{n}\frac{e+1}{n}\frac{v-1}{n} + \frac{e}{n}\frac{v}{n}\frac{v-1}{n}\frac{e+2}{n}
            + \frac{v}{n}\frac{e+1}{n}\frac{e+1}{n}\frac{v-1}{n} + \frac{v}{n}\frac{e+1}{n}\frac{v-1}{n}\frac{e+2}{n} + \frac{v}{n}\frac{v-1}{n}\frac{e+2}{n}\frac{e+2}{n}
The example accounts for the six possible paths in Figure 3.1 from the starting
state (0, 0) to state (2, 2) for the desired probability. One pattern that results from this
example, and subsequent ones, is the common factor that represents the probability
of drawing the green marbles, \frac{v}{n}\frac{v-1}{n}. This mirrors the criterion of drawing two
green marbles: v/n for the first and (v − 1)/n for the second.
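The six-path calculation above can be reproduced mechanically. The sketch below is my own illustration (not from the thesis): it enumerates every draw order containing a given number of green marbles and multiplies the transition probabilities from Figure 3.1.

```python
from itertools import permutations

def pr_exact_greens(n, v, draws, greens):
    """Sum the probabilities of all draw orders yielding exactly `greens`
    green marbles in `draws` draws under perfect shuffling, where each
    drawn green marble is replaced by a blue one."""
    e = n - v
    total = 0.0
    # Each distinct ordering of G's and B's is one path through Figure 3.1.
    for order in set(permutations("G" * greens + "B" * (draws - greens))):
        p, g = 1.0, 0  # g counts green marbles drawn so far
        for colour in order:
            if colour == "G":
                p *= (v - g) / n
                g += 1
            else:
                p *= (e + g) / n
        total += p
    return total
```

With four draws and two green marbles, the set contains exactly the six orderings summed above.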
The closed form of the probability is derived in [12]. The probability of drawing
x green marbles, given k draws, is:

Pr(X_k = x) = \frac{\binom{v}{x}}{n^k} \sum_{j=0}^{x} (-1)^{x-j} \binom{x}{j} (e+j)^k    (3.4)
The expected number of green marbles drawn, X_k, given k draws, is also derived
in [12]:

E(X_k) = v \left(1 - \left(1 - \frac{1}{n}\right)^k\right)    (3.5)
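Equations 3.4 and 3.5 can be checked against a direct Monte Carlo simulation of the urn. The sketch below is illustrative (the names are mine): a drawn green marble is swapped for a blue one, while a drawn blue marble is simply returned.

```python
import random
from math import comb

def pr_perfect(n, v, k, x):
    """Equation 3.4: Pr(X_k = x) under perfect shuffling."""
    e = n - v
    s = sum((-1) ** (x - j) * comb(x, j) * (e + j) ** k for j in range(x + 1))
    return comb(v, x) * s / n ** k

def expected_perfect(n, v, k):
    """Equation 3.5: E(X_k) = v(1 - (1 - 1/n)^k)."""
    return v * (1 - (1 - 1 / n) ** k)

def simulate(n, v, k, trials=20000, seed=1):
    """Average number of unique vulnerable computers found in k probes."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        greens, found = v, 0
        for _ in range(k):
            if rng.random() < greens / n:  # probe hit a vulnerable computer
                found += 1
                greens -= 1                # its marble is replaced by a blue one
        total += found
    return total / trials
```

The simulated mean should agree with Equation 3.5 to within sampling error.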
3.3 Urn Model for the Deployment of Honeypots
A honeypot is a device used as a trap to detect unauthorized access [15]. Honeypots
are computers dedicated to tracking the user and system activity which can be used
to gain understanding of an attacker and their plans. This type of detection and
fingerprinting is a major risk for the attacker and a reason for avoidance [13].
Honeypots are seeing an increase in deployment both in production networks and in
honeynets. Honeynets are networks consisting only of honeypots, intended to catch attackers
scanning for low-hanging fruit. There is considerable research involving the deployment
and outcomes of employing honeypots as a defense mechanism [13]. The general
approach is to place as many honeypots as possible within the network and hope to catch and log
attack attempts. This blanket approach includes several pitfalls, including the cost
of deployment and the time necessary to parse the log data generated by the large
number of devices.
3.3.1 Urn Model for Honeypots
Given that there is at least an initial cost of configuration, modeling the probability of
catching an attacker given a deployment of honeypots is useful. Using an urn model,
one can derive the chances of attacker success and detection given an address space size and
the size of each population: active computers, empty addresses, and honeypots.
Providing a model with theoretical bounds will allow administrators to weigh the cost
and benefit of deploying honeypots within their infrastructure.
Consider the same constraints outlined for modeling the probability for attacker
success within a statically addressed network with the following modifications:
• There are n total addresses available to the administrator (address space) and
v ≤ n vulnerable computers.
• There are h honeypots within the network, an attacker probe that contacts a
honeypot constitutes the detection of the attacker and therefore failure.
• The attacker is aware of the address space (n addresses) and will serially attempt
k connections, k < n.
• Given k attempts, the attacker wins if they are able to locate m vulnerable
computers within the network without contacting a honeypot.
The urn will function in a similar fashion. The urn will hold n marbles total,
consisting of three populations: v green marbles representing vulnerable hosts, h red
marbles representing honeypots, and n− (v+h) blue marbles representing everything
else within the network. The attacker will draw one marble at a time and after k
draws, the turn is considered a success if at least one green marble has been drawn
and no red marbles have been drawn.
Regardless of the occurrence within the k draws from the urn, the attacker will
continue for k draws. While there are many known techniques for determining if a
device is a honeypot [9], for simplification this model will assume that the attacker is
unable to distinguish a real device from a honeypot. Based on this assumption, the
attacker would not stop after drawing a honeypot but would continue the reconnais-
sance, unaware of already being detected. Even if the attacker locates their target
number of vulnerable computers in fewer than k scans, the attacker will
still continue drawing in hopes of locating more key computers. These assumptions
simplify the probability equations by requiring the attacker to draw the same number
of marbles from the urn each turn.
Following this structure, if the attacker draws k = n marbles and h > 0, then
the attacker has zero probability of success. The attacker would discover all vulnera-
ble computers but would also draw at least one red marble representing a honeypot.
The probability of success where k < n can be derived using the
multivariate hypergeometric distribution. A multivariate hypergeometric distribution
describes the probability of drawing x marbles with k draws from a finite popula-
tion consisting of more than two colors without replacement. In terms of modeling
honeypots, the following is the multivariate hypergeometric distribution:
Pr(X_k = x) = \frac{\binom{v}{x}\binom{h}{l}\binom{n-(v+h)}{k-(x+l)}}{\binom{n}{k}}    (3.6)
where l is the number of red marbles desired to be drawn. For the attacker, the
outcome desired would be l = 0. Since there is no replacement in a hypergeometric
distribution, the probabilistic mean, or expected value, is simply the number of draws,
k, times the number of marbles of a particular color divided by the total population
of the urn. The expected number of green marbles drawn, representing the number
of vulnerable computers, given k draws is:
E(X_k) = \frac{kv}{n}    (3.7)
The expected number of red marbles, representing the number of honeypots, given
k draws is:
E(X_k) = \frac{kh}{n}    (3.8)
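Using Equation 3.6, the attacker's win condition (at least m vulnerable computers found, zero honeypots contacted) can be computed by summing over the favorable outcomes. This is an illustrative sketch; the function names are my own.

```python
from math import comb

def pr_multi_hyper(n, v, h, k, x, l):
    """Equation 3.6: probability of drawing x green (vulnerable) and l red
    (honeypot) marbles in k draws without replacement."""
    blue = n - (v + h)
    rest = k - (x + l)
    if rest < 0 or rest > blue:
        return 0.0
    return comb(v, x) * comb(h, l) * comb(blue, rest) / comb(n, k)

def pr_attacker_wins(n, v, h, k, m):
    """Attacker finds at least m vulnerable computers with l = 0 honeypots."""
    return sum(pr_multi_hyper(n, v, h, k, x, 0)
               for x in range(m, min(v, k) + 1))

def expected_honeypots(n, h, k):
    """Equation 3.8: expected honeypots contacted, kh/n."""
    return k * h / n
```

As noted above, scanning the entire space (k = n) with h > 0 gives the attacker zero probability of success.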
Chapter 4: Network Address Shuffling
Theoretical Analysis
Given the urn models developed for describing the performance of network address
shuffling as a deception defense, analysis is possible. The developed equations are de-
pendent upon network size, number of vulnerable computers and number of scans
by the attacker. For example, administrators managing a large portion of systems
running outdated operating systems would have a larger pool of known vulnerable
computers and therefore have different parameters in determining the success or fail-
ure of defense. Exploring the behavior of the models for deception tools will provide
insight into the effectiveness of the defenses in various scenarios.
Network address shuffling has only been studied empirically as part of a proof
of implementation in [1] and [10]. The previous chapter developed an urn model
to describe the probabilities of attacker success in terms of number of scans, size
of the network, and number of vulnerable computers within the network. From the
model, the equations were constructed to describe the performance of network address
shuffling. Specifically, two equations were formulated to describe the two extremes,
static addressing and perfect shuffling. There are several variables that impact the
performance, including network size, number of vulnerable computers, and number
of probes. The analysis will describe under what circumstances network address
shuffling provides a viable defense against attackers.
4.1 Gaining a Foothold Attack Scenario
A common goal among attackers is simply to gain a foothold (an exposed and easily
compromised computer) within a network to use as a point for further reconnaissance
and subsequent attacks. Given this circumstance where the attacker goal is simply
to locate one vulnerable computer, the probability of success is dependent on the size
of the network, the number of scans, and how many vulnerable computers are within
the network.
Equation 3.4 can be used to determine the probability of attacker success when
perfect shuffling is used. However, because the goal of the attacker is to find only a
single computer, the replacement of marbles is not relevant. The replacement scheme
matters only if the attacker needs to locate more than one computer; therefore, in
this specific case, a binomial distribution is easier to analyze and will produce the
same results. A binomial distribution is the probability distribution of the number of
successes in a sequence of independent trials with two possible outcomes (e.g., heads
or tails, true or false). In this case, each scan either locates a vulnerable computer or
does not. The distribution follows this equation:
Pr(X_k = x) = \binom{k}{x} p^x (1 - p)^{k-x}    (4.1)
where p = v/n, simply the number of vulnerable computers over the number of
addresses. Using the binomial distribution in Equation 4.1, the attacker success rate is:
Pr(0 < X_k ≤ k) = 1 − Pr(X_k = 0)    (4.2)
4.1.1 Effect of Number of Scans
Given that the goal of the attacker is to locate a single vulnerable computer within
the network, one parameter to consider with this model is how attacker
success is affected by scanning less than the entire network. Performing a full network
scan during reconnaissance can expose the attacker and lead to detection. This risk
can be mitigated by limiting the number of scans within a certain time interval.
To gain insight into the effect that network address shuffling has on this approach,
analysis of the number of scans, k, is required.
Again, assume that there is only one vulnerable computer within the network;
from this computer, the attacker may hope to establish a starting point for compromising
the important infrastructure within the network. When static addressing
is employed, the probability of attacker success increases in a linear fashion as the
number of scans increases. The probability of attacker success with k scans is k/n;
therefore, if k = n/2, half the address space, then the probability of attacker success
is 0.5.
For network address shuffling, the attacker success probability is given by Equations
4.1 and 4.2:

Pr(0 < X_k ≤ k) = 1 − Pr(X_k = 0) = 1 − \left(1 − \frac{1}{n}\right)^k
As k increases, the probability of success for the attacker increases but at a slower
rate. In the previous section, k was strictly equal to n. In this section, k ≤ n. The
maximum probability, when k = n, is 0.63, as described in the next section. Figure
4.1 shows the slow increase of attacker success compared to the linear increase
for static addressing. The network size is 100; therefore, 0.63 is the maximum attacker
success probability. There is a theoretical benefit to network address
shuffling over static addressing; however, the gain is not substantial.
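Figure 4.1's two curves can be reproduced in a few lines. This sketch is illustrative (function names are mine) and assumes one vulnerable computer in a 100-address space.

```python
def pr_static(n, k):
    """Static addressing, one vulnerable computer: success probability k/n."""
    return k / n

def pr_shuffled(n, k):
    """Perfect shuffling, one vulnerable computer: 1 - (1 - 1/n)^k."""
    return 1 - (1 - 1 / n) ** k

n = 100
# (scans, static success, shuffled success) at 10-scan intervals
curve = [(k, pr_static(n, k), pr_shuffled(n, k)) for k in range(0, n + 1, 10)]
```

By Bernoulli's inequality, the shuffled probability never exceeds the static one for k ≤ n, matching the two curves in the figure.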
[Figure 4.1: plot of attacker success probability versus the percentage of the address space scanned, comparing perfect shuffling with static addresses.]

Figure 4.1: The probability of attacker success as the number of scans increases to the network size. There is only one vulnerable computer in the address space.
4.1.2 Effect of Network Address Size
Given that the goal of the attacker is to locate a vulnerable computer to gain a
foothold, and assuming there is only one vulnerable computer, static addressing provides
no defense and the attacker is successful. The optimal strategy for the attacker
is simply to attempt k scans, where k is equal to the number of addresses within the network,
n. The attacker will always locate at least one vulnerable computer within the
network, given that one exists. The only impact is that the attacker must expend more
resources by probing a larger and larger address space.
For perfect shuffling, the size of the network will impact the probability the at-
tacker locates a vulnerable computer. The worst case for the attacker is if there is
only one vulnerable computer within the entire address space. Figure 4.2 shows the
attacker success probability as the size of the network increases when the attacker
can scan the entire size of the network, k = n. As the figure shows, the probability
of success for the attacker is very high if the network is small. However, the attacker
success drops as the size of the network increases until it reaches an asymptotic bound
at 0.63. This bound is an artifact of Equations 4.1 and 4.2.
\lim_{n\to\infty} \left[1 − Pr(X_k = 0)\right] = 1 − \lim_{n\to\infty} Pr(X_k = 0)
                                             = 1 − \lim_{n\to\infty} (1 − p)^k
                                             = 1 − \frac{1}{e} ≈ 0.6321

where p = 1/n and k = n.
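The asymptote is easy to observe numerically; this illustrative snippet evaluates 1 − (1 − 1/n)^n for growing n.

```python
from math import e

def foothold_success(n):
    """Attacker success with k = n scans, one vulnerable computer,
    under perfect shuffling: 1 - (1 - 1/n)^n."""
    return 1 - (1 - 1 / n) ** n

# The probability falls toward the asymptote 1 - 1/e as n grows.
values = [foothold_success(n) for n in (10, 100, 1000, 10000)]
```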
Perfect shuffling is an improvement over static addressing by roughly 0.37, which
is a large percentage improvement. However, the caveat is that the general scenario
consists of only one target, one means of entry, for the attacker. This scenario is most
likely an uncommon one, since most large networks will have multiple vulnerable
entryways.

[Figure 4.2: log-scale plot of attacker success probability versus the size of the network address space, from 10^0 to 10^4 addresses.]

Figure 4.2: Probability of attacker success for finding a single vulnerable computer as the size of the network increases. The attacker can scan the entire address space.
4.1.3 Effect of Number of Vulnerable Computers
In the previous sections, the analysis considered the network size and the number
of scans utilized by the attacker to discover the location of a single computer. In
these scenarios, the network only contained one vulnerable computer or key piece
of infrastructure for the attacker to discover. This assumption was made to provide
the analysis of the best case in terms of affecting attacker success. By relaxing this
assumption and utilizing equations 4.1 and 4.2, a better understanding of how the
number of vulnerable computers impacts the performance can be attained. In the
previous sections, the probability of locating the vulnerable computer is p = 1/n
because the population only contained one vulnerable computer, v = 1. To model the
percentage of vulnerable computers in the network, let p = v/n where v ≥ 1, yielding
the following probability equation:

Pr(0 < X_k ≤ k) = 1 − Pr(X_k = 0) = 1 − \left(1 − \frac{v}{n}\right)^k

[Figure 4.3: plot of attacker success probability versus the percentage of the address space that is vulnerable.]

Figure 4.3: The probability of attacker success as the proportion of vulnerable addresses to other addresses within the space increases. The attacker can scan the entire address space.

Assume that the attacker performs k scans where k = n. Figure 4.3 shows the
probability of success within a class-C address space (256 addresses) as the percentage
of vulnerable computers within the space increases. The probability begins around
0.63 (as shown in Section 4.1.2) and quickly approaches 1 as the number of vulnerable
computers grows. Therefore, Figure 4.3 shows that network address shuffling only provides
a defense against a foothold approach if the number of vulnerable computers within the
address space is fairly small.
4.2 Minimum to Win Attack Scenario
Another possible scenario requires the attacker to compromise multiple computers,
a minimum number, to accomplish their goal. This scenario exists if the
attacker’s goal is to gain information that is spread across multiple computers or the
goal is to acquire as many resources as possible, for example to use the computers
in a botnet [3]. The minimum to win scenario is more difficult for the attacker than
the foothold attack scenario. As in the foothold scenario, the size of the network, the
number of vulnerable computers and the number of scans will affect the probability
of success for the attacker. In addition, the number of unique computers the attacker
needs to compromise will also impact their probability of success.
[Figure 4.4: plot of the expected percentage of vulnerable computers contacted versus the percentage of the address space scanned, comparing static addresses with perfect shuffle.]

Figure 4.4: The expected percentage of vulnerable computers contacted by the attacker as the number of scan attempts increases.
4.2.1 Effect of Number of Scans
Given a minimum to win attacker scenario, another important parameter that impacts
the probability of success for an attacker is the number of scans the attacker attempts.
An intelligent attacker might want to mitigate the risk of scanning at a high rate. To do this, the attacker would scan less frequently and not scan the entire address
space. As in the analysis of the address space size, the expected percent of vulnerable
computers contacted and the attack probability of success will provide insight into
the performance of static addressing and perfect shuffling.
Figure 4.4 demonstrates that, as the number of scans increases, the expected percentage of vulnerable computers contacted increases, as expected. Static addressing increases linearly: as the attacker enumerates the space, the expected percentage grows until the attacker has enumerated the whole space and therefore contacted all vulnerable computers. In contrast, perfect shuffling increases sub-linearly, approaching the asymptotic bound of 0.63 as in the previous analysis in Section 4.2. Perfect shuffling therefore provides a benefit over static addressing as the number of scan attempts by the attacker increases.

[Figure 4.5 plot: x-axis "percentage of the address space scanned", y-axis "attacker success probability"; series: static addresses, perfect shuffle.]

Figure 4.5: The probability of attacker success as the number of scan attempts increases. The attacker must contact at least 10 vulnerable computers.
Attacker performance is impacted by the number of scan attempts. Figure 4.5 shows the probability of attacker success increasing as the number of scan attempts increases. Both methods are fairly effective when the number of scans is very low, but as the number of scans increases, static addressing quickly yields a higher chance of attacker success. At a 70% scan ratio against static addressing, the attacker success probability is 1.0. In contrast, perfect shuffling is more effective at a higher scan rate, as the attacker success does not increase as sharply as with static addressing. Even at a 100% scan ratio, perfect shuffling retains some probability of thwarting the attacker. This analysis shows that when perfect shuffling is employed, the probability of attacker success remains low as long as the number of scan attempts is below a certain threshold.
4.2.2 Effect of Network Address Size
If the attacker's success depends on locating a set of vulnerable computers, then another variable for consideration is the size of the address space. For static addressing, if the number of scans k = n (equal to the address size), the expected number of vulnerable computers found is equal to the total number within the network. For perfect shuffling, the expected number of vulnerable computers found when the attacker scans the entire network is given in Equation 3.5.

The equation has an asymptotic upper bound, converging toward 0.63v as the number of scans approaches the number of addresses. This can be shown by taking the limit of Equation 3.5:
lim_{n→∞} E(X_k) = lim_{n→∞} v (1 − (1 − 1/n)^n)
                 = v lim_{n→∞} (1 − (1 − 1/n)^n)
                 = v (1 − 1/e)
                 ≈ 0.6321 v
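The convergence can also be verified numerically; a short sketch (illustrative, not from the thesis code):

```python
import math

# E(X_k) = v * (1 - (1 - 1/n)^n) tends to v * (1 - 1/e) ~= 0.6321 v
# as the address space n grows.
v = 10
for n in (256, 4096, 65536):
    print(n, v * (1.0 - (1.0 - 1.0 / n) ** n))
print("limit:", v * (1.0 - 1.0 / math.e))
```

Even for a class-C space (n = 256) the value is already within a fraction of a percent of the limit.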
Using Equation 3.5, a comparison can be made between static and perfect address shuffling in terms of the expected number of vulnerable computers located by an attacker performing a reconnaissance attempt when the number of scan attempts, k, is less than the address space size, n. If the attacker only scans a fraction α of the address space, where α = k/n, the impact on the percentage of vulnerable computers contacted is shown in Figure 4.6. This figure demonstrates that the expected percentage of
[Figure 4.6 plot: x-axis "network size" (log scale, 10^2 to 10^4), y-axis "expected percentage of vulnerable computers contacted"; series: static addressing, perfect shuffling.]

Figure 4.6: The expected percentage of vulnerable computers contacted as the ratio of scans to network size decreases.
computers contacted decreases as the address size grows in both static addressing and perfect shuffling. Perfect shuffling does have an advantage with a lower initial percentage of expected vulnerable computers contacted; however, this slight advantage is lost as the ratio of scans to the network size decreases.

The performance of static addressing and perfect address shuffling is similar if the attacker's success is dependent upon finding β vulnerable computers, where β = x/k, within the address space. Figure 4.7 shows the similarity of both methods' performance as the size of the network increases. Perfect shuffling provides a small benefit if the address space is fairly small, but the advantage fades as the percent of the network scanned diminishes.
[Figure 4.7 plot: x-axis "size of network address space" (log scale), y-axis "attacker success probability"; series: 20 vulnerable machines, 10 vulnerable machines.]

Figure 4.7: The probability of attacker success as the number of addresses increases and the number of scans remains constant, k = 100.
4.2.3 Effect of Number of Vulnerable Computers
The attacker objective requires the compromise of more than a single computer within
the network to be located. The number of computers needed for success can range
from one (modeled in the foothold scenario) to all vulnerable computers within the
network.
Initially assume the network contains v vulnerable computers within n addresses and the attacker can scan the entire address space. Given this scenario, a static address approach provides no defense against the attacker: they would simply enumerate the entire space and locate all v vulnerable computers. However, if network address shuffling is employed, the probability of success decreases as the number of unique computers the attacker needs to locate increases. Equation 4.1, the binomial distribution, is no longer suitable for determining the probability of attacker success due to the shifting probabilities introduced by the requirement of contacting multiple unique vulnerable computers. Therefore, the probability of attacker success is given in Equation 3.4:
Pr(X_k = x) = (C(v, x) / n^k) · Σ_{j=0}^{x} (−1)^{x−j} C(x, j) (n − v + j)^k
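As a sanity check on this distribution, it can be evaluated directly and compared against the closed-form expectation; in the following sketch the function and variable names are illustrative, not from the thesis:

```python
from math import comb

# Probability that exactly x distinct vulnerable computers are contacted
# in k uniform scans (with perfect shuffling) of n addresses containing
# v vulnerable computers (Equation 3.4).
def pr_unique_vulnerable(n, v, k, x):
    return comb(v, x) * sum(
        (-1) ** (x - j) * comb(x, j) * ((n - v + j) / n) ** k
        for j in range(x + 1))

n, v, k = 256, 10, 128
dist = [pr_unique_vulnerable(n, v, k, x) for x in range(v + 1)]
print(sum(dist))                               # should sum to 1
print(sum(x * p for x, p in enumerate(dist)))  # mean: v*(1-(1-1/n)^k)
```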
[Figure 4.8 plot: x-axis "percentage of the vulnerable computers required for attacker success", y-axis "attacker success probability"; series: 12%, 24%, and 48% vulnerable.]

Figure 4.8: The probability of attacker success as the percentage of vulnerable computers required to succeed increases.
Figure 4.8 shows the probability of attacker success is still high when the percentage of computers needed for success is low; however, it begins to sharply decrease around 50%. The sharp decrease continues until the attacker has a near zero probability of locating all v vulnerable hosts within the address space. Figure 4.8 also shows that the trend is similar regardless of the proportion of vulnerable computers to the number of addresses, n. There is a slight variation in how steeply the probability drops off from high to near zero. This is attributed to the difficulty of finding a unique vulnerable computer: the number of chances to find one remains the same, while a higher number of unique computers must be located for success. The curves for larger vulnerable populations are steeper and cross at an attacker success probability of 0.63. This is due to the fraction in Equation 3.4, specifically the C(v, x) term, which grows sharply as v increases. As a defense against a minimum to win strategy, network address shuffling can be effective if the number of computers needed for the attacker to be considered successful is high.
Chapter 5: Honeypot Theoretical Analysis
Honeypots and honeynets have seen wide deployment within corporate networks with varying degrees of success [9]. The approach in many of these situations is to deploy as many honeypots as possible given the resources (administrator time, machines, etc.) in the hope that more is better. However, this approach should consider the cost of deployment versus the benefit in deterring attacks.

Game theoretic models have been developed to quantify the benefit of honeypots [8]. This game theoretic work provides an initial framework to assign the costs and gains associated with honeypots but fails to provide probabilistic measures of effectiveness. Further research has provided more detail on the attacker and defense strategies in terms of how each side would approach the game [4].
The urn models presented in Chapter 3 provide basic probabilistic models for attacker success given the deployment of honeypots within the network. To provide insight into the effect honeypots have on attackers as a deception tool, performance analysis is required and will be demonstrated in this chapter. From this type of analysis, administrators can grasp how effective honeypots are as a defense tool. This chapter will consider only honeypots; therefore, network address shuffling is not considered or used for any of the models or results. These models, coupled with the performance analysis, will provide administrators metrics for determining the deployment of honeypots within their networks.

This chapter will explore the effect the network size, number of scans, and number of honeypots have on attacker success in two scenarios: first, the scenario of an attacker attempting to gain a foothold within a network, and second, the scenario where an attacker must locate a specific set of computers.
5.1 Gaining a Foothold Attack Scenario
As described in Section 4.1, the goal of an attacker could be to simply compromise a
single computer within the network. Consider the situation where an attacker wishes
to compromise a certain computer in an infrastructure with the assumption that
connecting directly to this computer is impossible. A strategy for the attacker is to
establish a “foothold” by compromising another computer or set of computers. This
strategy is a lower risk for the attacker as their actions can be more direct and precise,
attracting less attention with this less pronounced behavior. The attacker can then
potentially use the compromised computer as a new platform to scan and enumerate
the computers within the network.
Given the attacker’s desire to locate a single target, the goal of this section is
to determine the impact of employing honeypots within a network where there is a
single vulnerable computer. For the attacker to succeed, they must locate the single
vulnerable computer within the address space without contacting a honeypot. It will
be assumed that if the attacker contacts a honeypot, the attacker is discovered and
is blocked from communicating with computers within the network.
5.1.1 Effect of Number of Scans
An important variable in measuring the performance of honeypots as a deception tool is the impact of the number of scan attempts by the attacker. While an increased number of scans will lead to a higher chance of locating and securing a foothold, it also increases the likelihood of detection by a honeypot. For this example, the address space will have a single vulnerable computer to model the attacker foothold scenario. There are situations where the attacker will always be detected, such as scanning the entire network when honeypots are deployed.
Figure 5.1 shows the impact of the attacker increasing the number of scan attempts
[Figure 5.1 plot: x-axis "percentage of the address space scanned", y-axis "attacker success probability"; series: 1%, 5%, and 10% honeypots.]

Figure 5.1: The probability of attacker success given x honeypots as the number of scan attempts increases for foothold attacks.
in a network of 100 computers. If no honeypots exist within the address space, there is a linear relationship between scan percentage and attacker success, as found for static addressing in Section 4.2.1. With 1% honeypots, the probability of success increases until the scan rate reaches 50% of the address space. At this point, it becomes as likely to find a honeypot as to find the vulnerable computer within the address space. In general, the attacker's probability of success improves initially as their chance of locating at least one vulnerable computer increases. However, their probability of probing a honeypot also increases, which causes the probability of attacker success to decrease as the scan rate approaches 100%. In Figure 5.1, the 1% honeypot curve is bell-shaped with its peak around a 50% scan rate because, in this example, 1% honeypots corresponds to one computer within the network. The number of vulnerable computers therefore equals the number of honeypots, making the probabilities of drawing one or the other equal and giving the symmetrical shape for that example. This provides evidence that the presence of honeypots, even a small percentage within the network, has a significant effect on the probability of detection.
5.1.2 Effect of Number of Honeypots
Given that the goal of the attacker is to locate a single vulnerable computer without contacting a honeypot, the probability of success for the attacker is impacted by the number of honeypots deployed within the network. If there are no honeypots within the network and the attacker scans the entire network, their probability of success is 1.0. If at least one honeypot is deployed under the same circumstances, the attacker will never be successful since they will always contact a honeypot. If they contact a honeypot before reaching the kth scan, the attacker will continue to scan. This assumption is made to simplify the probability model. It also models reality in the case where the attacker's reconnaissance is automated, without careful observation of the result after each scan event; contacting a honeypot would not cause the attacker, or script, to stop scanning. To analyze the impact of different numbers of honeypots, the number of scans within the network must be k < n − h. If not, the probability of attacker success is zero following the same logic.
Using the model established in Chapter 3, the attacker’s probability of success in
the given scenario can be determined using Equation 3.6. As described, the number
of vulnerable computers will be set at 1, therefore v = 1. The expansion below
demonstrates the described scenario where there is one vulnerable computer and no
honeypots drawn:
Pr(X_k = x) = [C(v, x) C(h, l) C(n − (v + h), k − (x + l))] / C(n, k)    (5.1)

            = [C(1, 1) C(h, 0) C(n − (1 + h), k − (1 + 0))] / C(n, k)    (5.2)

            = C(n − (1 + h), k − 1) / C(n, k)    (5.3)
Using Equation 3.6, the expansion shows the equation simplifies to the number of ways to draw k − 1 blue marbles and one green marble, relative to all possible draws.
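Equation 5.3 can be evaluated with a few lines of code. The sketch below (the function name is illustrative, not from the thesis) reproduces, for h = 0, the expected proportionality to the scan rate:

```python
from math import comb

# Probability that k scans without replacement locate the single
# vulnerable computer while contacting none of the h honeypots in an
# n-address space (Equation 5.3).
def foothold_vs_honeypots(n, h, k):
    if not 1 <= k <= n:
        return 0.0
    # comb() returns 0 when k - 1 exceeds n - 1 - h, giving probability 0.
    return comb(n - 1 - h, k - 1) / comb(n, k)

n = 100
for h in (0, 1, 5, 10):
    print(h, foothold_vs_honeypots(n, h, 50))
```

With h = 0 this reduces to k/n, consistent with the no-honeypot case being proportional to the scan rate.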
The probability of attacker success as the ratio of honeypots to the number of addresses increases is shown in Figure 5.2. As expected, the probability of attacker success when there are no honeypots within the space is proportional to the scan rate, which is equivalent to the static addressing technique discussed in Chapter 4. The figure demonstrates that increasing the number of honeypots causes the probability of success to quickly decrease. This trend is independent of the number of scans performed: honeypots within the space increase the probability of being detected.
5.2 Minimum to Win Attack Scenario
The previous scenario considered an attacker searching for a single computer within the address space, modeling a foothold attack scenario. This is the worst case for an attacker in terms of success probability because their initial probability of success, under static addressing with no honeypots, is the lowest possible; adding honeypots will only decrease the probability of success. Now consider another scenario where the network has more than one vulnerable computer within the address space. The motivation for the attacker could be the need to compile a large number of resources for a botnet, or that the information they require is distributed across many nodes within the infrastructure.

[Figure 5.2 plot: x-axis "percentage of honeypots within the address space", y-axis "attacker success probability"; series: 25%, 50%, and 75% scan rates.]

Figure 5.2: The probability of attacker success as the percentage of honeypots within the address space increases for foothold attacks.
Given this new scenario, the number of vulnerable computers will be v ≥ 1. The attacker will be required to find a ratio α of the v vulnerable computers within the space, where α = x/v. As in the previous section, Equation 3.6 will be used to calculate the probability of attacker success.
Pr(X_k = x) = [C(v, x) C(h, l) C(n − (v + h), k − (x + l))] / C(n, k)    (5.4)

            = [C(v, x) C(h, 0) C(n − (v + h), k − (x + 0))] / C(n, k)    (5.5)

            = [C(v, x) C(n − (v + h), k − x)] / C(n, k)    (5.6)
The substitution for the new scenario changes the equation slightly: instead of only counting the ways of drawing k − 1 blue marbles and one green marble, the number of ways of pulling x green marbles from the total green population must be factored into the probability. As before, the number of red marbles drawn, representing honeypots, must remain zero.
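A minimal sketch of Equation 5.6, with an illustrative helper (names are ours, not from the thesis) that sums over the outcomes counted as attacker success:

```python
from math import comb

# Probability of finding exactly x of v vulnerable computers and no
# honeypots in k scans of an n-address space with h honeypots (Eq. 5.6).
def pr_exactly_x(n, v, h, k, x):
    if x > k:
        return 0.0
    return comb(v, x) * comb(n - v - h, k - x) / comb(n, k)

# Minimum to win: the attacker needs at least x_min vulnerable computers
# without touching a honeypot.
def pr_success(n, v, h, k, x_min):
    return sum(pr_exactly_x(n, v, h, k, x) for x in range(x_min, v + 1))

print(pr_success(100, 10, 0, 50, 5))  # no honeypots deployed
print(pr_success(100, 10, 5, 50, 5))  # 5% honeypots
```

Note that with h > 0 the per-x probabilities no longer sum to 1 over x, since outcomes that contact a honeypot are excluded.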
Equations 3.7 and 3.8 provide the expected numbers of vulnerable computers and honeypots drawn given the network size and scanning rate. These provide another measurement for analyzing the performance of honeypots within the network. The expected number of vulnerable computers discovered with k probes is:

E(X_k) = kv / n    (5.7)

and the expected number of honeypots probed by the attacker with k attempts is:

E(X_k) = kh / n    (5.8)
5.2.1 Effect of Number of Scans
An important parameter for analyzing the performance of honeypots as a deception technique is the number of scans. Figures 5.5 and 5.4 provide some insight about the relationship between the attacker success probability and scanning rate, but further analysis is required. Figure 5.3 demonstrates the probability of attacker success as the percentage of the network scanned increases. The case of 0% honeypots is identical to Figure 4.5: static addressing, where scanning above 70% of the space yields a probability of attacker success near 1.0. The addition of honeypots decreases the probability of attacker success because the attacker becomes more likely to locate a honeypot as well as the vulnerable computers necessary for success. Again, placing a small number of honeypots within a network can provide a large benefit for defense.

[Figure 5.3 plot: x-axis "percent of network scanned", y-axis "attacker success probability"; series: 0%, 1%, and 5% honeypots.]

Figure 5.3: The probability of attacker success given x honeypots as the scanning rate increases in relation to the size of the address space for a minimum to win attack scenario. For success, the attacker must contact 50% of the vulnerable computers (roughly 10% of the addresses in the address space).
5.2.2 Effect of Number of Honeypots
Given that the attacker is motivated to locate a larger set of computers within the minimum to win strategy, the number of honeypots is another parameter to consider. For an administrator, determining the number of honeypots needed to achieve a certain level of security could help preserve time and resources. Figure 5.4 shows that honeypots do have a significant impact on the attacker's success and on the size of the scan they can attempt without being detected. The probability of success decreases dramatically at a high scan rate of 70% as the number of honeypots increases only slightly; the immediate impact at lower scan rates is slightly smaller.

[Figure 5.4 plot: x-axis "percentage of honeypots within the address space", y-axis "attacker success probability"; series: 40%, 50%, and 70% scan rates.]

Figure 5.4: The probability of attacker success as the number of honeypots increases within the address space for a minimum to win attack scenario. For success, the attacker must contact 50% of the vulnerable computers (roughly 10% of the addresses in the address space).
5.2.3 Effect of Number of Vulnerable Computers
The minimum to win strategy introduces a new parameter in determining the probability of attacker success with the model described in Chapter 3. Given that the attacker's motivation is to locate α percent of the v vulnerable computers, the probability of success is affected by the number of vulnerable computers, v, that exist within the address space. For this analysis the scan rate is set to 50%, as in the previous section's analysis. In both figures for this scenario, the probability of success with 0% honeypots is 50%, due to the scan rate; the probability of success when there are no honeypots is given in Chapter 4 as the static addressing case.
[Figure 5.5 plot: x-axis "percent of vulnerable machines within address space", y-axis "attacker success probability"; series: 0%, 1%, and 5% honeypots.]

Figure 5.5: The probability of attacker success given x honeypots as the number of vulnerable computers within the address space increases for a minimum to win attack scenario.
Figure 5.5 shows the attacker's probability of success as the percentage of vulnerable computers within the infrastructure increases. This scenario requires that the attacker locate all of the vulnerable computers, α = 1, within the address space for the attack to be considered a success. This causes the downward trend of the attacker probability, regardless of the number of honeypots within the address space. Requiring that the attacker locate multiple vulnerable computers while not contacting any of the honeypots causes the probability of attacker success to diminish with each additional vulnerable computer. Honeypots simply set the upper bound for the attacker's probability of success when the number of vulnerable computers needed for success is low.
Now consider if the attacker's requirement for success is locating only a fraction α, where α = x/v, of the vulnerable computers within the address space. Given this new constraint, Figure 5.6 shows the impact of requiring a higher percentage of the vulnerable computers within the address space to be found. There are 10 vulnerable computers within the 100 addresses in the space, and the attacker can scan 50% of the address space. The figure gives insight into deployment strategies given the make-up of a network. It shows that, with relatively low numbers of honeypots, the probability of finding α percent of the vulnerable computers without being detected is drastically reduced. This impact diminishes as the number of computers the attacker seeks to compromise increases, showing that there is little difference in deploying 1% or 5% honeypots if the attacker is less careful and is required to discover a large number of vulnerable computers.

[Figure 5.6 plot: x-axis "percent of vulnerable machines required for success", y-axis "attacker success probability"; series: 1%, 2%, and 5% honeypots.]

Figure 5.6: The probability of attacker success given x honeypots as the number of vulnerable computers required for success increases for a minimum to win attack scenario.
Chapter 6: Discrete Event Simulator
In order to provide empirical results on network address shuffling, a network simulator was developed to implement address shuffling and process real traffic traces. The network simulator is a simple, discrete event simulator, which models a system whose state changes occur at discrete points in time. A discrete event simulator is ideal for modeling network traffic and network address shuffling because shuffle and connection events are instantaneous. Discrete event simulators consist of three pieces: a clock, an event queue, and a mechanism for keeping statistics.
6.1 Simulator Clock
The clock is kept in any unit of measure suitable for the system being modeled by the discrete event simulator. The clock maintains the current time within the simulation, allowing for measurement of execution time and time between events. Because events are instantaneous, the clock advances directly to the time of the next event.

For the network address shuffling simulator, the clock is kept in ticks. At each tick a connection can begin, maintain its connection, or end. The clock is advanced to the first event in the queue, which can be a connection attempt, a connection end, or the next shuffle of the network addresses.
6.2 Event Queue
The simulation environment must contain at least one list of events (a calendar) that are to occur during the experiment. The list is arranged such that the event at the head of the queue is the next event to occur, chronologically. The queue is also normally dynamic, with events being added and removed throughout the course of execution. The list always maintains its chronological order so that when an event is removed from the queue, it is the next scheduled event to occur.

When an event is removed from the queue, it has a set of corresponding routines to be executed. The routines execute given the current state of the system being modeled, altering the state and possibly changing the event queue, thereby altering the course of execution.
The simulator for network address shuffling has three event types: opening a connection, closing a connection, and shuffling the addresses. A list of open connections is maintained and updated as connection events occur. A shuffle event causes the mapping of addresses to computers to be permuted; any open connections are disconnected and recorded as lost connections.
6.3 Statistics Captured by the Simulator
The last component of a Discrete Event Simulator is a mechanism for gathering statistics. While the events are being executed, the simulator maintains information about each system state regarding the metrics of interest. The network address shuffling simulator maintains information about active connections, severed connections, and the number of malicious connections affected by the shuffling events.
6.4 DES Operation
A Discrete Event Simulator consists of a clock, an event queue, and a statistics-gathering mechanism. Figure 6.1 shows the execution cycle for a typical Discrete Event Simulator. Setup consists of initialization of the clock, event queue, and statistical tools. The initial event is added and then the simulator is started. The cycle seen in the diagram is a simple while loop with an exit condition based on whether the queue has any events left. Each iteration sets the clock to the current event time, removes the event from the queue and executes it, and updates the statistics. This process repeats until there are no events remaining. The statistics mechanism then generates a report and execution ends.

[Figure 6.1 flowchart: Setup → Schedule Initial Event → Set Clock to Event Time → Remove Event and Execute → Update Statistics → Is Event Queue Empty? (no: loop back; yes: Stop)]

Figure 6.1: Discrete event simulator execution cycle
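This cycle can be sketched as a short event loop; the following is a minimal illustration, not the thesis simulator:

```python
import heapq

# Minimal discrete event simulator: a clock, a priority-queue calendar,
# and a statistics counter, mirroring the cycle in Figure 6.1.
class Simulator:
    def __init__(self):
        self.clock = 0
        self.queue = []           # entries are (time, sequence, handler)
        self.seq = 0              # tie-breaker for simultaneous events
        self.stats = {"events": 0}

    def schedule(self, time, handler):
        heapq.heappush(self.queue, (time, self.seq, handler))
        self.seq += 1

    def run(self):
        while self.queue:                     # stop when calendar is empty
            time, _, handler = heapq.heappop(self.queue)
            self.clock = time                 # advance clock to the event
            handler(self)                     # execute the event routines
            self.stats["events"] += 1         # update statistics

sim = Simulator()
# An event at t=5 whose routine schedules a follow-up event at t=10.
sim.schedule(5, lambda s: s.schedule(10, lambda s2: None))
sim.run()
print(sim.clock, sim.stats["events"])   # 10 2
```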
Chapter 7: Empirical Cost-Benefit Analysis of Shuffling
Perfect address shuffling involves permuting every host to a new IP address within the network on every connection attempt. The models presented in Chapter 3 provide an upper bound on how effective this form of deception is for different network sizes, percentages of vulnerable computers, and attacker choices of scan attempts. The effects of these parameters were studied under two different attacker strategies, foothold and minimum to win.

However, the theoretic analysis did not consider the cost of implementing network address shuffling. Several implementations of network address shuffling have an initial cost, the configuration of shuffling, and the side effect of lost legitimate traffic. In the NASR implementation, if a shuffling event occurs during the lifetime of a legitimate connection, it immediately severs the connection [1]. The user also cannot reconnect until the DNS update propagates; therefore, the chance of connection loss for legitimate users is a cost of employing network address shuffling.
An empirical study on real traffic traces will provide insight into the cost of network address shuffling. By testing on actual traffic traces, one can begin to understand how many connections would be lost due to shuffling, compared to the effect on attacker success probability.
7.1 Simulation Implementation
To provide insight into the cost of network address shuffling, a simulation environment was created to allow for empirical analysis. The environment must be capable of processing connection and shuffling events while recording statistics about the operation. The implementation consists of a network simulator that parses network trace data and interposes shuffling events to provide empirical data on the effect on legitimate traffic. The simulator creates a class-C address space and simulates shuffling events every q intervals.
7.1.1 Traffic Traces
To empirically test the effects of network address shuffling on legitimate traffic, a set of actual traffic traces will be used. The discrete event simulator will use each connection within the traffic data as an event. The simulator will then assign shuffle events, which will also be scheduled within the event simulator. The statistics engine will record all active connections as lost when a shuffle event occurs. This will provide the number of lost connection attempts within a traffic trace.

For this type of simulation, the only important pieces of information from the traffic trace are the flow data, specifically the start time and duration of the connections. Given a traffic trace converted to flow data, the network simulator simply needs the start time of each connection and the calculated total connection time. The event simulator will then schedule every event from the trace with a duration. When a shuffle event occurs, all active connections will be lost and therefore recorded as such by the statistics engine.
CRAWDAD Traffic Traces
For these experiments, traffic traces were collected from the Community Resource for Archiving Wireless Data At Dartmouth (CRAWDAD) project [11]. The CRAWDAD project is a growing collection of university traffic traces recorded and anonymized at Dartmouth University under a National Science Foundation grant. The purpose of the project is to provide traffic data, which is difficult to procure, for modeling and
7.2 Shuffling Frequency
The network simulator allows for empirical study of both the effect of shuffling on the
attacker and legitimate traffic. The simulator also provides a simple mechanism for
studying shuffling at various frequencies. Perfect shuffling is easy to model because
the dependency between each draw from the urn, or scan attempt, is zero. However,
with shuffling less frequently causes there to be dependencies between each shuffle
event as well as between each scan attempt. This makes it extremely difficult to
generate a closed form equation to generate the probability of attacker success.
For the empirical simulations, the attacker attempts to scan the entire network, 255 addresses. The shuffle frequency, f, is varied from static addressing (f = 0) to perfect shuffling (f = 1). The number of connection attempts between shuffles is equal to (1 − f) × 255. For example, if the shuffle frequency is 10%, the number of connections between shuffles is (1 − 0.1) × 255 ≈ 230. Because the simulator randomizes the shuffling of the addresses, the experiment was run 100,000 times at each frequency to provide a statistical average.
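The setup above can be approximated with a small Monte Carlo sketch (a simplified stand-in for the discrete event simulator; the sequential scan order and the full random permutation of hosts at each shuffle are modeling assumptions):

```python
import random

def simulate(f, n=255, vulnerable=10, trials=2000):
    """Estimate the fraction of vulnerable hosts contacted by an attacker
    scanning all n addresses once, with the address-to-host mapping
    reshuffled every (1 - f) * n connection attempts."""
    interval = max(1, round((1 - f) * n))
    total = 0
    for _ in range(trials):
        hosts = list(range(n))              # hosts[a] = host at address a
        found = set()
        for scan in range(n):
            if scan > 0 and scan % interval == 0:
                random.shuffle(hosts)       # shuffle event: remap all addresses
            if hosts[scan] < vulnerable:    # hosts 0..vulnerable-1 are the targets
                found.add(hosts[scan])
        total += len(found)
    return total / (trials * vulnerable)

print(simulate(0.0, trials=50))  # static addressing: all targets found -> 1.0
print(simulate(1.0, trials=50))  # perfect shuffling: well below 1.0
```

Sweeping f from 0 to 1 with this sketch reproduces the qualitative shape of the experiment: the fraction of vulnerable hosts contacted falls as the shuffle frequency rises.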
7.2.1 Attacker Probability of Success
First, consider only the effect of the shuffle frequency on the attacker's probability of success. The network simulator mapped all the traffic into a class-C address space. The attacker attempted 255 scans, trying to locate 10 vulnerable computers within the network. Because there is randomness in shuffling, the experiment was run 100,000 times and the results shown are the averages. Figure 7.1 shows the effect of varying the shuffle frequency, starting at static addressing and increasing all the way to perfect shuffling. As before, static addressing yielded no defense: all 10 of the
58
0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 10
10
20
30
40
50
60
70
80
90
100
shuffle rate
avera
ge p
erc
enta
ge o
f vuln
era
ble
com
pute
rs c
onta
cte
d
Average Percentage Vulnerable Computers Contacted as Shuffle Rate Increases
Figure 7.1: The average percentage of vulnerable computers contacted as the shuffle frequency (rate) increases. A shuffle rate of 0 is static addressing, while a shuffle rate of 1 is perfect shuffling (shuffle after each reconnaissance attempt). The network contained 10 vulnerable computers in a class-C address space.
vulnerable computers were discovered. As the shuffling rate increases toward perfect
shuffling, the percentage of vulnerable computers located decreases, as expected.
7.2.2 Shuffling Cost vs Benefit
Now consider the cost of shuffling. The simulation configuration is the same: a class-C address space. Figure 7.2 shows both the attacker's probability of success and the probability of severing legitimate connections. The attacker's probability of success matches the previous figure, 100% with static addressing and decreasing as the rate approaches perfect shuffling. The cost of shuffling remains very low until the shuffle frequency reaches 80%. Beyond this point the connection-loss probability trends upward quickly, and there is also a crossover point, where the cost of shuffling and the attacker success probability are
[Figure 7.2: plot of attacker success probability and connection loss probability versus shuffle rate (0–1).]
Figure 7.2: The connection loss and attacker success probability as the shuffle frequency (rate) increases. A shuffle rate of 0 is static addressing, while a shuffle rate of 1 is perfect shuffling (shuffle after each reconnaissance attempt). The attacker is required to contact 10 out of 10 vulnerable computers in the class-C address space.
both 5%. The figure shows that there are shuffle frequencies that impose a low cost on legitimate traffic while still reducing the attacker's probability of success.
Chapter 8: Conclusion
Securing systems and networks is a problem growing in both size and complexity. It is not only a matter of personal and corporate infrastructure but also of national security. Cyber threats from attackers backed by nation-states are a growing concern for businesses and government entities alike. To be prepared for and protected against these threats, research into game-changing security techniques is key. Deception is a well-documented and successful tool for gaining a tactical advantage over an adversary, and the use of deception in traditional warfare serves as evidence of its effectiveness. By leveraging these use-cases and applying them to cyber security, deception can be a game-changing tool in securing private and national infrastructure.
Deception has been heavily studied in warfare [17] and further theorized and researched [5, 6, 18, 19]. That body of research provides the mechanisms and formal language for discussing and creating new, effective deception tools for use in cyber security. There has also been research into measuring the effectiveness of deception tools currently in use: game-theoretic models and empirical studies have been performed to analyze honeypots [4] and network address shuffling [1, 10].
This research provides novel probabilistic models for measuring the theoretical performance of two deception techniques, honeypots and network address shuffling. The use of urn models allows for performance analysis of these tools in simple attack scenarios, such as foothold attacks or minimum-to-win strategies. The equations depend on the network size, the number of vulnerable computers within the network, the number of scan attempts, and the number of honeypots employed. The developed equations serve as valuable tools for evaluating whether, and in what fashion, honeypots and network address shuffling would be effective as a means of providing security.
8.1 Performance of Network Address Shuffling
Network address shuffling is the process of permuting the mapping of addresses to hosts [1]. One of the key phases of an attack is scanning and enumerating possible targets. Network address shuffling is a deception tool used to render this reconnaissance phase less effective. Ideally, all the information gathered by the attacker's scanning would become useless, forcing the attacker to adopt another, riskier strategy.
This research provided several probabilistic equations, based on network size, number of vulnerable computers, and number of scan attempts, that quantify attacker success when network address shuffling is employed. The analysis demonstrated that shuffling does have a negative impact on an attacker's probability of success. An attacker simply attempting to discover a single vulnerable computer within a network containing several of them is less affected by perfect shuffling, because the probability of locating just one computer when there are several is still fairly high even when shuffling is employed. If the attacker is employing a minimum-to-win strategy, required to locate several computers, for example to build a botnet or because data is distributed across several computers, shuffling provides a more significant defense.
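The contrast between the foothold and minimum-to-win cases can be illustrated with a quick calculation, idealizing perfect shuffling as independent uniform scans (an illustration only, not the thesis's exact urn equations; the parameter values mirror the class-C experiments):

```python
import random

def p_foothold(n, v, s):
    """Chance that at least one of s independent uniform scans of an
    n-address network hits one of v vulnerable hosts."""
    return 1 - (1 - v / n) ** s

def p_min_to_win(n, v, s, trials=20000):
    """Monte Carlo chance that s independent uniform scans contact
    all v distinct vulnerable hosts (assumed to sit at addresses 0..v-1)."""
    wins = 0
    for _ in range(trials):
        seen = {random.randrange(n) for _ in range(s)}
        if all(h in seen for h in range(v)):
            wins += 1
    return wins / trials

print(p_foothold(255, 10, 255))    # close to 1: a foothold remains easy
print(p_min_to_win(255, 10, 255))  # far smaller: all 10 must be found
```

Even under perfect shuffling, hitting some vulnerable host is nearly certain over a full network scan, while contacting all ten distinct hosts is rare, which is why shuffling favors the defender most in the minimum-to-win scenario.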
This research also empirically studied the cost of network address shuffling. In certain implementations, frequently altering the mapping of addresses to hosts can have the unfortunate side-effect of severing legitimate users' connections. Businesses obviously depend on customers having reliable, consistent interaction with their online presence. The empirical study used a discrete event simulator to test various shuffle frequencies on actual traffic traces and determine the average amount of traffic lost. The results showed that there are shuffle frequencies that still provide acceptable levels of defense while minimizing the effect on legitimate traffic.
8.2 Performance of Honeypots
Another deception tool is the honeypot, a device used as a trap to detect and record attackers attempting to breach a network [4]. Honeypots have seen wide deployment in commercial infrastructure, and entire networks constructed of honeypots, called honeynets, have also been deployed [15]. Honeypots are used not only to detect an attacker but also to log the attacker's exploit so the vulnerability being used can be closed throughout the rest of the network.
This thesis created several urn models for determining the theoretical probability of an attacker successfully penetrating a network without detection. These equations depend on the size of the network, the number of vulnerable computers within it, and the number of honeypots deployed. The performance analysis showed that deploying honeypots, in general, affects how an attacker can scan a network without being detected. The analysis also shows that even a fairly low percentage of honeypots within the network greatly reduces the attacker's probability of success. It also shows that deploying a large percentage of honeypots has little additional benefit, as each additional honeypot yields diminishing returns in the probability of detecting the attacker.
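The diminishing-returns behavior can be seen in a small sketch treating the scan as urn draws without replacement (an illustration consistent with this scenario, not a quotation of the thesis's equations; the parameter values are assumptions):

```python
from math import comb

def p_undetected(n, h, s):
    """Chance that an attacker's s distinct scans of an n-address network
    avoid all h honeypots (draws from the urn without replacement)."""
    if s > n - h:
        return 0.0  # not enough honeypot-free addresses to scan
    return comb(n - h, s) / comb(n, s)

# Each additional honeypot multiplies the evasion probability by
# (n - h - s) / (n - h) < 1, so later honeypots change it less.
for h in (5, 10, 20, 40):
    print(h, round(p_undetected(255, h, 25), 4))
```

The first few honeypots cut the evasion probability sharply, while going from 20 to 40 honeypots changes it comparatively little, matching the diminishing-returns observation above.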
Chapter 9: Future Work
There are two possible directions for future work. The first is identifying and exploring new deception techniques for use in security. This research focused on modeling current deception techniques, but an important next step is developing new, novel deception tools to confuse and thwart an attacker. One idea is to coordinate multiple deception mechanisms, including actual systems that also partake in the deception. Layering deceptions in this way would confuse an attacker attempting to understand the network infrastructure, making it difficult to locate key computers, such as a database server.
The second is to expand the current urn models to more accurately model reality. Shuffling at a rate lower than every connection is termed q-shuffling; currently, q-shuffling can only be analyzed empirically. By allowing the shuffle rate to be considerably lower than every connection, the hope is to avoid deterring legitimate traffic while still retaining the benefits of address shuffling against an attacker. The development of an urn or other mathematical model describing the probability of attacker success under less than perfect shuffling would be useful for modeling more realistic implementations.
The established models also need to be expanded to represent the cost of using these techniques. The empirical study showed that there is a cost, but theoretical work remains to provide proven bounds on the cost of these deception tools.
Another item of future work is to use these models to improve upon the game theory models established in [4]. A game-theoretic model is a promising direction for this research: it would expand the current models, which look only at the impact on the attacker, to include the defender. This would allow for more accurate exploration of how both sides' strategies change. When an attacker is discovered, or learns that a certain defense is being used, the attacker will alter their game play in hopes of a better outcome.
Bibliography
[1] Spiros Antonatos, Periklis Akritidis, Evangelos P. Markatos, and Kostas G. Anagnostakis. Defending against hitlist worms using network address space randomization. Computer Networks, 51:3471–3490, 2007.
[2] J. Bell and B. Whaley. Cheating and Deception. Transaction Publishers, 1982.
[3] Avrim Blum, Dawn Song, and Shobha Venkataraman. Detection of interactive stepping stones: Algorithms and confidence bounds. In Recent Advances in Intrusion Detection (RAID), pages 258–277. Springer, 2004.
[4] Thomas E. Carroll and Daniel Grosu. A game theoretic investigation of deception in
network security. Security and Communication Networks, (to appear).
[5] Fred Cohen. A note on the role of deception in information systems. Computers &
Security, 17(6):483–506, 1998.
[6] Fred Cohen and Deanna Koike. Misleading attackers with deception. In Proc. of the 5th IEEE SMC Information Assurance Workshop, pages 30–37, 2004.
[7] Internet Systems Consortium. World internet hosts: 1981–2009, 2009.
[8] Nandan Garg and Daniel Grosu. Deception in honeynets: A game-theoretic analysis. In Proc. of the 2007 IEEE Workshop on Information Assurance, pages 107–113, 2007.
[9] Thorsten Holz and Frederic Raynal. Detecting honeypots and other suspicious envi-
ronments. In Proceedings of the 2005 IEEE Workshop on Information Assurance and
Security, 2005.
[10] Dorene Kewley, Russ Fink, John Lowry, and Mike Dean. Dynamic approaches to
thwart adversary intelligence gathering. In Proc. of the DARPA Information Surviv-
ability Conference & Exposition II (DISCEX ‘01), volume 1, pages 176–185, 2001.
[11] David Kotz, Tristan Henderson, and Ilya Abyzov. CRAWDAD trace
dartmouth/campus/tcpdump/fall03 (v. 2004-11-09). Downloaded from
http://crawdad.cs.dartmouth.edu/dartmouth/campus/tcpdump/fall03, November
2004.
[12] Hosam M. Mahmoud. Polya Urn Models. Chapman and Hall, 2008.
[13] B. McCarty. The honeynet arms race. IEEE Security Privacy, 1(6):79–82, 2003.
[14] Vicentiu Neagoe and Matt Bishop. Inconsistency in deception for defense. In Proceed-
ings of the 2006 workshop on new security paradigms, NSPW ’06, pages 31–38, New
York, NY, USA, 2007. ACM.
[15] The Honeynet Project. Know Your Enemy: Learning about Security Threats. Addison-
Wesley Professional, 2004.
[16] Lance Spitzner. The honeynet project: Trapping the hackers. IEEE Security & Privacy, 1(2):15–23, 2003.
[17] Sun Tzu. The Art of War. El Paso Norte Press, special edition, March 2005.
[18] Barton Whaley. Toward a general theory of deception. Technical Report 1, March
1982.
[19] J. Yuill, F. Feer, D. Denning, and B. Bell. Deception for computer security defense.
Technical report, Office of the Secretary of Defense, January 2004.
Michael B. Crouse
Contact Information
814 Scholastic Dr, Winston-Salem, NC 27106 USA
E-mail: [email protected]  Mobile: +1-336-225-4703
Research Interests
Computer security, network security, deception, swarming agents, modeling, game theory, bio-inspired design, genetic algorithms, systems
Education
Wake Forest University, Winston-Salem, NC USA
M.S., Computer Science, May 2012
• Thesis Topic: Network Defense using Deception Techniques
• Adviser: Dr. Errin W. Fulp
• Area of Study: Computer and Network Security
• GPA: 3.9
B.S., Computer Science, May 2010
• Cum Laude, With Honors in Computer Science
• Minor in Mathematics
• Overall GPA: 3.4, Major GPA: 3.8
• Honors Thesis: Discovery of Web-Application Vulnerabilities using Fuzzing Techniques
Research Experience
Pacific Northwest National Laboratory, Richland, Washington USA
Master's Intern in Secure Cyber Systems, June to September 2011
• Developed genetic algorithms for Moving-Target Defense.
• Implemented a simulator for a genetic-algorithmic approach to system configuration.
• Designed and implemented a new Mobile Agent Platform in Python.
Master’s Intern in Secure Cyber Systems June to September 2010
• Developed models to analyze the effectiveness of current cyber-deception techniques.• Implemented Java mobile agent systems for assessment of compromised infrastructures.• Wrote proposals for protecting the SMART GRID and a Moving-Target aproach to
security (both projects funded).
Wake Forest University, Winston-Salem, NC USA
Research Assistant - LEAP-AHEAD, September 2011 to Present
• Created a simulator for generating safe system configurations using genetic algorithms.
• Implemented a genetic-algorithmic approach on the Python Digital Agent Framework.
• Co-authored and presented a juried paper at SafeConfig 2011 in Arlington, VA.
Research Assistant - GENI/CEDS, September 2010 to May 2011
• Worked with Utah Emulab and DETER for generating virtual testing environments.
• Developed mathematical models for analysis of Network Address Shuffling.
• Researched Linux system configurations and configuration management systems.
iPhone and GPS Research - RideTheWake, September 2010 to May 2011
• Created a tracking system for WFU Campus Shuttles, resulting in improved student usage, reduced wait times, and monitoring of passenger usage.
• Designed and implemented the iPhone application RideTheWake, displaying every campus shuttle's current route, location, speed, and number of passengers.
• Application in version 2.0, available for download in the Apple App Store.
Undergraduate Research - Digital Ants vs. Worms, September 2009 to May 2010
• Configured a local testing environment for the JADE implementation of Digital Ants.
• Set up a mirror of Wikipedia to simulate web traffic.
• Conducted experiments in detecting worms using Digital Ants.
Network Security Group - SmartBits/Firewall, January 2007 to May 2009
• Configured an operating system to control a SmartBits machine for measuring firewall performance.
• Participated in security presentations and paper reviews on firewalls and network security.
Professional Experience
Student Project Team - Co-Founder, June 2008 to May 2010
• Created a web application business to design, implement, and maintain businesses' online presences.
• Located new clients and organized teams to meet their requirements.
• Recruited new members, including designers, programmers, and project managers.
• Organized invoices, payroll, and performance reviews.
Web Application Developer
AcreCare.org - Donation Platform, January 2011 to Present
• Designed and implemented a unique donation platform to save rain forest in Peru.
• Designed a database system for managing 350,000 acres.
• Created a customized web site with a content management system.
• Raised roughly $1,000 since launch in April.
WFU Center for Energy, Environment, and Sustainability, September 2010 to March 2011
• Implemented an online presence for the new center with a content management system.
• Configured and maintained a Mac OS X Server for data backup and as a collaboration tool for environmental research.
WakeStudent.com - Online Magazine, September 2009 to April 2010
• Implemented a new online magazine with a content management system.
• Ensured server and web pages were live and maintained.
• Implemented a new advertising platform for easy management of online advertisements.
OldGoldandBlack.com - Wake Forest Student Paper, May 2008 to September 2008
• Implemented a new online paper presence with a content management system.
• Created a multimedia platform for collaboration with WakeTV, a student TV station.
Refereed Publications
Crouse, Michael B., Jacob L. White, Errin W. Fulp, Kenneth S. Berenhaut, Glenn A. Fink, A. David McKinnon. Using Swarming Agents for Scalable Security in Large Network Environments. 2011 IEEE 54th International Midwest Symposium on Circuits and Systems.
Crouse, Michael B., Errin W. Fulp. A Moving Target Environment for Computer Configurations Using Genetic Algorithms. 2011 4th Symposium on Configuration Analytics and Automation.
Fink, Glenn A., Chris Oehmen, Jereme Haack, A. David McKinnon, Errin Fulp, Michael B. Crouse. Bio-Inspired Enterprise Security. SASO 2011 Fifth IEEE International Conference on Self-Adaptive and Self-Organizing Systems.
Fulp, Errin W., Michael B. Crouse, A. David McKinnon. Using Swarming Agents for Smart Grid Security. 2011 CSIIRW 7th Annual Cyber Security and Information Intelligence Research Workshop.
Manuscripts Under Review
Carroll, Thomas E., Errin W. Fulp, Michael B. Crouse, Kenneth Berenhaut. Performance Analysis of Network Address Shuffling. IEEE ICC 2012 - Communication and Information Systems Security Symposium.
Awards
• Named One of Five Top New Inventors, Inventor's Digest, October 2011
• Wake Forest Graduate Research Day Runner-up, Spring 2011: Probabilistic Models for Measuring Performance of Network Address Shuffling
Technical Skills • C, C++, Java, JavaScript, PHP, Python, SQL, MySQL, Matlab, HTML/CSS, Objective-C