Spoofing the Spoofers

Cybersecurity deception software tricks hackers into revealing the tactics they use to penetrate and control computer systems.

Researchers at various universities have come up with cybersecurity software that tricks hackers into revealing the tactics they use to penetrate and control computer systems. Instead of blocking hackers, the software ingeniously invites hackers in, routes them to a decoy Web site or network, and then studies their behavior as they reveal their nefarious methods.

For example, the DEEP-Dig (DEcEPtion DIGging) software transforms hackers into "a source of free labor," says Kevin Hamlen, a member of the research team and Eugene McDermott Professor of Computer Science at the University of Texas at Dallas.

The ploy of using decoy Web sites and decoy networks to trick hackers has been in use by security administrators since around the turn of the century, according to Richard Forno, a senior lecturer in the department of computer science and electrical engineering of the University of Maryland, Baltimore County (UMBC), and assistant director of the UMBC Center for Cybersecurity.

Approaches to the security deception method vary, but the principle behind them remains the same: enable a hacker to penetrate your network, then trick him or her into thinking they are working with your actual network or data when in fact they are really working with a dummy network or dummy data.

Often, security deception software creates emulations of the inner workings of entire networks or Web sites in an attempt to fool hackers.

The difference with DEEP-Dig's approach to this principle is that it is powered by a deep neural network. Essentially, the software enables a security professional or system administrator to study and react to hacker activity with much greater sophistication, according to Reza Curtmola, a professor of computer science at the New Jersey Institute of Technology who specializes in cybersecurity.

Specifically, the DEEP-Dig system is able to do this by recording every point, click, and keystroke a hacker makes while trying to damage a dummy network or steal dummy data from a system. If the hacker is successful, the AI software takes note of the strategy the hacker used to overcome the system, then automatically sets up a defense against that strategy, ensuring it will not work a second time.

Says Shreyas Sen, an associate professor in the school of electrical and computer engineering of Purdue University who specializes in network security and efficiency, "This work adds another tool (in cybersecurity), utilizing the recent advancement of deep learning."

"It is a good illustration of the 'defense in depth' technique, meaning cybersecurity solutions should have multiple layers of defenses," Curtmola says.

Chen Wang, an assistant professor in the division of computer science and engineering of Louisiana State University who leads its Mobile and Internet Security Lab, agrees. "By moving the Web attackers into decoys to continue studying their malicious activities, this method trains a better intrusion detection model by learning more insights into the attacks and adapts to the variants of the attacks."

One reason many cybersecurity professionals use security deception software is that it can speed detection of a network intruder.

"Deploying a security deception system can make the intruder feel they have controlled the system," says Yingying (Jennifer) Chen, Peter D. Cherasia Faculty Scholar and a professor of electrical and computer engineering at Rutgers University. With their guards down, intruders typically attempt to steal data or damage network systems more quickly than they ordinarily would, enabling system security to quickly quash their efforts, Chen says. "We usually call this early post-breach detection."

Using deception software also can result in many fewer false positives, alerts about the penetration of a network that later turn out to be unfounded. Such alerts, which frequently arise during innocent, everyday use of a network, plague cybersecurity surveillance.

"Unlike the traditional solutions, security deception will only send out an alert if the intruders try to access or modify certain parts of the decoy system," Chen says. "As a result, the alerts sent by the security deception system have high accuracy and can significantly reduce false positives. In some cases, security deception systems can even achieve zero false positives."
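The two mechanisms described above, alerting only when a decoy is touched, and recording an intruder's decoy interactions so the same strategy can be recognized next time, can be shown on a small web-server access log. The following is an added illustration written for this article, not DEEP-Dig's code or the code of any of the researchers quoted; it assumes a handful of hypothetical decoy paths that exist only on the dummy site, Common Log Format lines as most web servers emit by default, and a constructed sample log using RFC 5737 documentation addresses rather than real hosts.

```python
import re
from collections import defaultdict

# Hypothetical decoy paths that exist only on the dummy site (constructed names).
DECOY_PATHS = ("/admin-backup/", "/.git/config", "/api/v1/keys")

# Common Log Format: source, identity, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log: two ordinary visitors and one source walking the decoys.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.7 - - [10/Mar/2024:10:01:05 +0000] "GET /products HTTP/1.1" 200 2048
198.51.100.23 - - [10/Mar/2024:10:02:11 +0000] "GET /.git/config HTTP/1.1" 200 301
198.51.100.23 - - [10/Mar/2024:10:02:14 +0000] "GET /admin-backup/ HTTP/1.1" 200 1200
198.51.100.23 - - [10/Mar/2024:10:02:20 +0000] "POST /api/v1/keys HTTP/1.1" 200 88
192.0.2.9 - - [10/Mar/2024:10:03:00 +0000] "GET /login HTTP/1.1" 200 700
"""


def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_decoy_hit(path):
    """A request touches a decoy if it hits a decoy path or anything beneath it."""
    return any(path == d or path.startswith(d.rstrip("/") + "/") for d in DECOY_PATHS)


def sessions(log_text):
    """Group the ordered (method, path) requests of every source address."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            by_src[ev["src"]].append((ev["method"], ev["path"]))
    return dict(by_src)


def decoy_alerts(log_text):
    """Sources that touched a decoy. Legitimate browsing never reaches these paths,
    so every entry is worth an analyst's attention and nothing else raises one."""
    return sorted(src for src, reqs in sessions(log_text).items()
                  if any(is_decoy_hit(p) for _, p in reqs))


def derive_signature(requests):
    """Record one session's decoy interactions, in order, as a reusable signature."""
    return tuple(f"{m} {p}" for m, p in requests if is_decoy_hit(p))


def signature_progress(requests, signature):
    """Count how many steps of a known signature a session has reproduced in order.
    A defender can act once this passes a threshold rather than waiting for the
    whole sequence, so a recorded strategy does not succeed a second time."""
    matched = 0
    for m, p in requests:
        if matched < len(signature) and f"{m} {p}" == signature[matched]:
            matched += 1
    return matched


if __name__ == "__main__":
    sess = sessions(SAMPLE_LOG)
    print("alerts:", decoy_alerts(SAMPLE_LOG))
    sig = derive_signature(sess["198.51.100.23"])
    print("signature:", sig)
    # Constructed replay of the first two steps from a different source.
    replay = [("GET", "/.git/config"), ("GET", "/admin-backup/")]
    print("progress:", signature_progress(replay, sig), "of", len(sig))
```

The alert list contains only the source that reached a decoy; the two ordinary visitors never appear, which is the low-false-positive property Chen describes. The signature derived from the first intrusion is then matched step by step against later sessions, a simple stand-in for the adaptive defense the article attributes to DEEP-Dig.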

Meanwhile, keeping hackers inside decoy Web sites and networks can be a great safeguard against zero-day and ransomware attacks unleashed by software IT administrators have never seen before, Curtmola says, given that the software never gets to attack the actual computer network.

Cybersecurity professionals also appreciate that the latest incarnations of security deception software draw on artificial intelligence to identify the latest hacker techniques and develop new defenses against them, according to Curtmola.

In fact, AI is expected to enable more networks protected by security deception software in the coming years to recognize "a particular attack pattern or attacker and then provide a dynamic, custom response to slow or dissuade the attacker," according to Eugene H. Spafford, executive director emeritus of Purdue University's Center for Education and Research in Assurance and Security.

Given all these benefits, it's probably no surprise that interest in security deception software is especially keen at organizations linked to the Internet that are engaging in highly sensitive business or highly sensitive research in the commercial, scientific and military research sectors, according to Forno.

Still, security deception software is not perfect; it has its downsides, too. For one, decoy Web sites and networks can be expensive to maintain, especially if the dummy properties are attempting to mimic extremely large Web sites or networks, according to Wang.

Moreover, hackers burned by deception software tend to get smarter over time and are often skilled at ensuring they're not duped a second time, according to Spafford. "If the same deception is deployed for too long, it is bound to be discovered by a determined and talented adversary," Spafford says. "Defense must be an on-going process that uses many approaches, starting with hardening the deployed system and minimizing its exposure."

Perhaps security deception software's greatest potential pitfall is that no amount of AI-powered trickery will safeguard an organization if a network administrator fails to meet the basic requirements of cybersecurity, according to Forno. "Unfortunately, speaking as someone with 20 years in the operational cybersecurity world before moving into academia, seeing the number of preventable cybersecurity incidents regularly taking place, it's clear that we still need to get the basics of cybersecurity right before embracing more, or newer, products and services."

Joe Dysart is an Internet speaker and business consultant based in Manhattan, NY, USA.
