Visible to the public AHEAD: A New Architecture for Active Defense

TitleAHEAD: A New Architecture for Active Defense
Publication TypeConference Paper
Year of Publication2016
AuthorsDe Gaspari, Fabio, Jajodia, Sushil, Mancini, Luigi V., Panico, Agostino
Conference NameProceedings of the 2016 ACM Workshop on Automated Decision Making for Active Cyber Defense
Date PublishedOctober 2016
Conference LocationNew York, NY, USA
ISBN Number978-1-4503-4566-8
Keywordsactive defense, Automated Response Actions, cyber deception, honey pots, honeypot, honeytoken, Human Behavior, intrusion detection system, pubcrawl, Resiliency, Scalability

Active defense is a popular defense technique based on systems that hinder an attacker's progress by design, rather than reactively responding to an attack only after its detection. Well-known active defense systems are honeypots. Honeypots are fake systems, designed to look like real production systems, aimed at trapping an attacker, and analyzing his attack strategy and goals. These types of systems suffer from a major weakness: it is extremely hard to design them in such a way that an attacker cannot distinguish them from a real production system. In this paper, we advocate that, instead of adding additional fake systems in the corporate network, the production systems themselves should be instrumented to provide active defense capabilities. This perspective to active defense allows containing costs and complexity, while at the same time provides the attacker with a more realistic-looking target, and gives the Incident Response Team more time to identify the attacker. The proposed proof-of-concept prototype system can be used to implement active defense in any corporate production network, with little upfront work, and little maintenance.

Citation Keyde_gaspari_ahead:_2016