Deception in Network Defences using Unpredictability. / Happa, Jassim; Bashford-Rogers, Thomas; Janse van Rensburg, Alastair; Goldsmith, Michael; Creese, Sadie.

In: Digital Threats: Research and Practice, 15.10.2021, p. 1-26.

Research output: Contribution to journal › Article › peer-review

Published

Harvard

Happa, J, Bashford-Rogers, T, Janse van Rensburg, A, Goldsmith, M & Creese, S 2021, 'Deception in Network Defences using Unpredictability', Digital Threats: Research and Practice, pp. 1-26. https://doi.org/10.1145/3450973

APA

Happa, J., Bashford-Rogers, T., Janse van Rensburg, A., Goldsmith, M., & Creese, S. (2021). Deception in Network Defences using Unpredictability. Digital Threats: Research and Practice, 1-26. [29]. https://doi.org/10.1145/3450973

Vancouver

Happa J, Bashford-Rogers T, Janse van Rensburg A, Goldsmith M, Creese S. Deception in Network Defences using Unpredictability. Digital Threats: Research and Practice. 2021 Oct 15;1-26. 29. https://doi.org/10.1145/3450973

Author

Happa, Jassim ; Bashford-Rogers, Thomas ; Janse van Rensburg, Alastair ; Goldsmith, Michael ; Creese, Sadie. / Deception in Network Defences using Unpredictability. In: Digital Threats: Research and Practice. 2021 ; pp. 1-26.

BibTeX

@article{3392aba2344640c5a223a8b38b0c290d,
title = "Deception in Network Defences using Unpredictability",
abstract = "In this paper, we propose a novel method that aims to improve upon existing moving-target defences by making them unpredictably reactive using probabilistic decision-making. We postulate that unpredictability can improve network defences in two key capacities: (1) by re-configuring the network in direct response to detected threats, tailored to the current threat and a security posture, and (2) by deceiving adversaries using pseudo-random decision-making (from a set of acceptable responses), potentially leading to adversary delay and failure. Decisions are performed automatically, based on reported events (e.g. IDS alerts), security posture, mission processes, and states of assets. Using this codified form of situational awareness, our system can respond differently to threats each time attacker activity is observed, acting as a barrier to further attacker activities. We demonstrate feasibility with both anomaly- and misuse-based detection alerts, for a historical dataset (playback), and a real-time network simulation where asset-to-mission mappings are known. Our findings suggest that unpredictability yields promise as a new approach to deception in laboratory settings. Further research will be necessary to explore unpredictability in production environments.",
keywords = "Network Defences, Decision Trees, Situational Awareness, Simulation",
author = "Jassim Happa and Thomas Bashford-Rogers and {Janse van Rensburg}, Alastair and Michael Goldsmith and Sadie Creese",
year = "2021",
month = oct,
day = "15",
doi = "10.1145/3450973",
language = "English",
pages = "1--26",
journal = "Digital Threats: Research and Practice",
issn = "2576-5337",
publisher = "ACM",
}

RIS

TY - JOUR

T1 - Deception in Network Defences using Unpredictability

AU - Happa, Jassim

AU - Bashford-Rogers, Thomas

AU - Janse van Rensburg, Alastair

AU - Goldsmith, Michael

AU - Creese, Sadie

PY - 2021/10/15

Y1 - 2021/10/15

N2 - In this paper, we propose a novel method that aims to improve upon existing moving-target defences by making them unpredictably reactive using probabilistic decision-making. We postulate that unpredictability can improve network defences in two key capacities: (1) by re-configuring the network in direct response to detected threats, tailored to the current threat and a security posture, and (2) by deceiving adversaries using pseudo-random decision-making (from a set of acceptable responses), potentially leading to adversary delay and failure. Decisions are performed automatically, based on reported events (e.g. IDS alerts), security posture, mission processes, and states of assets. Using this codified form of situational awareness, our system can respond differently to threats each time attacker activity is observed, acting as a barrier to further attacker activities. We demonstrate feasibility with both anomaly- and misuse-based detection alerts, for a historical dataset (playback), and a real-time network simulation where asset-to-mission mappings are known. Our findings suggest that unpredictability yields promise as a new approach to deception in laboratory settings. Further research will be necessary to explore unpredictability in production environments.

AB - In this paper, we propose a novel method that aims to improve upon existing moving-target defences by making them unpredictably reactive using probabilistic decision-making. We postulate that unpredictability can improve network defences in two key capacities: (1) by re-configuring the network in direct response to detected threats, tailored to the current threat and a security posture, and (2) by deceiving adversaries using pseudo-random decision-making (from a set of acceptable responses), potentially leading to adversary delay and failure. Decisions are performed automatically, based on reported events (e.g. IDS alerts), security posture, mission processes, and states of assets. Using this codified form of situational awareness, our system can respond differently to threats each time attacker activity is observed, acting as a barrier to further attacker activities. We demonstrate feasibility with both anomaly- and misuse-based detection alerts, for a historical dataset (playback), and a real-time network simulation where asset-to-mission mappings are known. Our findings suggest that unpredictability yields promise as a new approach to deception in laboratory settings. Further research will be necessary to explore unpredictability in production environments.

KW - Network Defences

KW - Decision Trees

KW - Situational Awareness

KW - Simulation

U2 - 10.1145/3450973

DO - 10.1145/3450973

M3 - Article

SP - 1

EP - 26

JO - Digital Threats: Research and Practice

JF - Digital Threats: Research and Practice

SN - 2576-5337

M1 - 29

ER -