research-article

Fox in the trap: thwarting masqueraders via automated decoy document deployment

Authors:

Jonathan Voris,

Jill Jermyn,

Nathaniel Boggs,

Salvatore StolfoAuthors Info & Claims

EuroSec '15: Proceedings of the Eighth European Workshop on System Security

Article No.: 3, Pages 1 - 7

https://doi.org/10.1145/2751323.2751326

Published: 21 April 2015 Publication History

Get Access

Abstract

Organizations face a persistent challenge detecting malicious insiders as well as outside attackers who compromise legitimate credentials and then masquerade as insiders. No matter how good an organization's perimeter defenses are, eventually they will be compromised or betrayed from the inside. Monitored decoy documents (honey files with enticing names and content) are a promising approach to aid in the detection of malicious masqueraders and insiders. In this paper, we present a new technique for decoy document distribution that can be used to improve the scalability of insider detection. We develop a placement application that automates the deployment of decoy documents and we report on two user studies to evaluate its effectiveness. The first study indicates that our automated decoy distribution tool is capable of strategically placing decoy files in a way that offers comparable security to optimal manual deployment. In the second user study, we measure the frequency that normal users access decoy documents on their own systems and show that decoy files do not significantly interfere with normal user tasks.

References

[1]

F. Araujo, K. W. Hamlen, S. Biedermann, and S. Katzenbeisser. From patches to honey-patches: Lightweight attacker misdirection, deception, and disinformation. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, CCS '14, pages 942--953, New York, NY, USA, 2014. ACM.

Digital Library

Google Scholar

[2]

B. Bowen and S. Hershkop and A. Keromytis and S. Stolfo. Baiting Inside Attackers Using Decoy Documents. In Conference on Security and Privacy in Communication Networks, 2009.

Google Scholar

[3]

C. Stoll. The Cuckoo's Egg, 1989.

Google Scholar

[4]

Columbia University Intrusion Detection Systems Lab. FOG Computing. Available at http://ids.cs.columbia.edu/FOG/, 2014.

Google Scholar

[5]

D. Kostadinov. The Cyber Exploitation Life Cycle. Available at http://resources.infosecinstitute.com/the-cyber-exploitation-life-cycle/, 2013.

Google Scholar

[6]

J. Yuill and M. Zappe and D. Denning and F. Feer. Honeyfiles: Deceptive Files for Intrusion Detection. In Workshop on Information Assurance, 2004.

Google Scholar

[7]

A. Juels and R. L. Rivest. Honeywords: Making password-cracking detectable. In Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, CCS '13, pages 145--160, New York, NY, USA, 2013. ACM.

Digital Library

Google Scholar

[8]

L. Spitzner. Honeytokens: The Other Honeypot. Available at http://www.symantec.com/connect/articles/honeytokens-other-honeypot, 2003.

Google Scholar

[9]

M. Ben Salem and S. Stolfo. Decoy Document Deployment for Effective Masquerade Attack Detection. In Conference on Detection of Intrusions and Malware and Vulnerability Assessment, 2011.

Digital Library

Google Scholar

[10]

S. Tzu. The Art of War. Available at http://classics.mit.edu/Tzu/artwar.html, 2009.

Google Scholar

Cited By

View all

Kahlhofer MAchleitner SRass SMayrhofer R(2024)Honeyquest: Rapidly Measuring the Enticingness of Cyber Deception Techniques with Code-based QuestionnairesProceedings of the 27th International Symposium on Research in Attacks, Intrusions and Defenses10.1145/3678890.3678897(317-336)Online publication date: 30-Sep-2024
https://dl.acm.org/doi/10.1145/3678890.3678897
Tsouvalas BNikiforakis N(2024)Knocking on Admin’s Door: Protecting Critical Web Applications with DeceptionDetection of Intrusions and Malware, and Vulnerability Assessment10.1007/978-3-031-64171-8_15(283-306)Online publication date: 9-Jul-2024
https://doi.org/10.1007/978-3-031-64171-8_15
Deshpande AGupta S(2023)GenAI in the Cyber Kill Chain: A Comprehensive Review of Risks, Threat Operative Strategies and Adaptive Defense Approaches2023 IEEE International Conference on ICT in Business Industry & Government (ICTBIG)10.1109/ICTBIG59752.2023.10456106(1-5)Online publication date: 8-Dec-2023
https://doi.org/10.1109/ICTBIG59752.2023.10456106
Show More Cited By

Index Terms

Fox in the trap: thwarting masqueraders via automated decoy document deployment
1. Security and privacy
  1. Security services
    1. Authentication

Recommendations

Behavioral Study of Users When Interacting with Active Honeytokens

Active honeytokens are fake digital data objects planted among real data objects and used in an attempt to detect data misuse by insiders. In this article, we are interested in understanding how users (e.g., employees) behave when interacting with ...
How to Make Efficient Decoy Files for Ransomware Detection?
RACS '17: Proceedings of the International Conference on Research in Adaptive and Convergent Systems

Recently, Ransomware has been rapidly increasing and is becoming far more dangerous than other common malware types. Unlike previous versions of Ransomware that infect email attachments or access certain sites, the new Ransomware, such as WannaCryptor, ...
Hunting the Red Fox Online: Understanding and Detection of Mass Redirect-Script Injections
SP '14: Proceedings of the 2014 IEEE Symposium on Security and Privacy

Compromised websites that redirect web traffic to malicious hosts play a critical role in organized web crimes, serving as doorways to all kinds of malicious web activities (e.g., drive-by downloads, phishing etc.). They are also among the most elusive ...

Comments

Information & Contributors

Information

Published In

EuroSec '15: Proceedings of the Eighth European Workshop on System Security

April 2015

51 pages

ISBN:9781450334792

DOI:10.1145/2751323

Program Chairs:
Juan Caballero
IMDEA Software Institute
,
Michalis Polychronakis
Stony Brook University

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 21 April 2015

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

EuroSys '15

Sponsor:

SIGOPS

EuroSys '15: Tenth EuroSys Conference 2015

April 21, 2015

Bordeaux, France

Acceptance Rates

Overall Acceptance Rate 47 of 113 submissions, 42%

Upcoming Conference

EuroSys '25

Sponsor:
sigops

Twentieth European Conference on Computer Systems

March 30 - April 3, 2025

Rotterdam , Netherlands

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

23
Total Citations
View Citations
281
Total Downloads

Downloads (Last 12 months)38
Downloads (Last 6 weeks)0

Reflects downloads up to 03 Oct 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

Kahlhofer MAchleitner SRass SMayrhofer R(2024)Honeyquest: Rapidly Measuring the Enticingness of Cyber Deception Techniques with Code-based QuestionnairesProceedings of the 27th International Symposium on Research in Attacks, Intrusions and Defenses10.1145/3678890.3678897(317-336)Online publication date: 30-Sep-2024
https://dl.acm.org/doi/10.1145/3678890.3678897
Tsouvalas BNikiforakis N(2024)Knocking on Admin’s Door: Protecting Critical Web Applications with DeceptionDetection of Intrusions and Malware, and Vulnerability Assessment10.1007/978-3-031-64171-8_15(283-306)Online publication date: 9-Jul-2024
https://doi.org/10.1007/978-3-031-64171-8_15
Deshpande AGupta S(2023)GenAI in the Cyber Kill Chain: A Comprehensive Review of Risks, Threat Operative Strategies and Adaptive Defense Approaches2023 IEEE International Conference on ICT in Business Industry & Government (ICTBIG)10.1109/ICTBIG59752.2023.10456106(1-5)Online publication date: 8-Dec-2023
https://doi.org/10.1109/ICTBIG59752.2023.10456106
Kiekintveld CLaszka AMiah MRoy SSharmin N(2023)Strategic Cyber CamouflageAutonomous Intelligent Cyber Defense Agent (AICA)10.1007/978-3-031-29269-9_9(183-201)Online publication date: 3-Jun-2023
https://doi.org/10.1007/978-3-031-29269-9_9
Hu ZHu YDolan-Gavitt B(2022)Towards Deceptive Defense in Software Security with Chaff BugsProceedings of the 25th International Symposium on Research in Attacks, Intrusions and Defenses10.1145/3545948.3545981(43-55)Online publication date: 26-Oct-2022
https://dl.acm.org/doi/10.1145/3545948.3545981
Zhu MSingh M(2022)Mee: Adaptive Honeyfile System for Insider Attacker DetectionCyber Deception10.1007/978-3-031-16613-6_7(125-143)Online publication date: 7-Oct-2022
https://doi.org/10.1007/978-3-031-16613-6_7
Barron TSo JNikiforakis NCao JHo Au MLin ZYung M(2021)Click This, Not That: Extending Web Authentication with DeceptionProceedings of the 2021 ACM Asia Conference on Computer and Communications Security10.1145/3433210.3453088(462-474)Online publication date: 24-May-2021
https://dl.acm.org/doi/10.1145/3433210.3453088
Liebowitz DNepal SMoore KChristopher CKanhere SNguyen DTimmer RLongland MRathakumar K(2021)Deception for Cyber Defence: Challenges and Opportunities2021 Third IEEE International Conference on Trust, Privacy and Security in Intelligent Systems and Applications (TPS-ISA)10.1109/TPSISA52974.2021.00020(173-182)Online publication date: Dec-2021
https://doi.org/10.1109/TPSISA52974.2021.00020
Aoike YKamizono MEto MMatsumoto NYoshida N(2021)Decoy-File-Based Deception without Usability Degradation2021 IEEE Asia-Pacific Conference on Computer Science and Data Engineering (CSDE)10.1109/CSDE53843.2021.9718420(1-7)Online publication date: 8-Dec-2021
https://doi.org/10.1109/CSDE53843.2021.9718420
Zhang LThing V(2021)Three decades of deception techniques in active cyber defense - Retrospect and outlookComputers and Security10.1016/j.cose.2021.102288106:COnline publication date: 1-Jul-2021
https://dl.acm.org/doi/10.1016/j.cose.2021.102288
Show More Cited By

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Cited By

Index Terms

Recommendations

Behavioral Study of Users When Interacting with Active Honeytokens

How to Make Efficient Decoy Files for Ransomware Detection?

Hunting the Red Fox Online: Understanding and Detection of Mass Redirect-Script Injections

Comments

Published In

Sponsors

Publisher

Publication History

Permissions

Check for updates

Author Tags

Qualifiers

Conference

Acceptance Rates

Upcoming Conference

Other Metrics

Article Metrics

Other Metrics

Cited By

Login options

Full Access

PDF

eReader

Abstract

References

Cited By

Index Terms

Recommendations

Behavioral Study of Users When Interacting with Active Honeytokens

How to Make Efficient Decoy Files for Ransomware Detection?

Hunting the Red Fox Online: Understanding and Detection of Mass Redirect-Script Injections

Comments

Information

Published In

Sponsors

Publisher

Publication History

Permissions

Check for updates

Author Tags

Qualifiers

Conference

Acceptance Rates

Upcoming Conference

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

Get Access

Login options

Full Access

View options

PDF

eReader

Figures

Other

Share

Share this Publication link

Share on social media

Affiliations