Using Deception to Enhance Security: A Taxonomy, Model, and Novel Uses -- Thesis Defense
1 like928 views
The document discusses a taxonomy and model for using deception as a security defense mechanism in computer systems. It highlights various strategies for obfuscation and misdirection to enhance security, emphasizing the limitations of traditional defenses. The thesis also explores the advantages of deceptive frameworks and presents novel approaches to password security and covert communication.
![Technical Specification — One-Time Initialization
• Instantaneously store all passwords in a machine
dependent format.
[ ui , αi , si ]
↓
HDF(αi)
↓
βi = H(HDF(αi) || si)
↓
[ ui , βi , si ]
αi = H(pi || si)](https://image.slidesharecdn.com/thesisdefensepresentation-160705151151/85/Using-Deception-to-Enhance-Security-A-Taxonomy-Model-and-Novel-Uses-Thesis-Defense-39-320.jpg)
![Technical Specification — Injecting
Ersatzpasswords
• When the user is logging-in:
ui , pi
↓
pi*
↓
si’ = HDF(pi || ui) ⊕ pi*
↓
βi’ = H[ pi* || si’],
↓
[ ui , βi’, si’]
[Choose an erstazpassword]
[Compute a new salt]
, pi* = HDF(pi || ui) ⊕ si’](https://image.slidesharecdn.com/thesisdefensepresentation-160705151151/85/Using-Deception-to-Enhance-Security-A-Taxonomy-Model-and-Novel-Uses-Thesis-Defense-40-320.jpg)
![Technical Specification — Login
• The user enters her username (ui) and password (pi).
• The systems checks:
• If H[ (HDF(pi || ui) ⊕ si’) || si’] equals βi’ → correct login.
• If H(pi || si’) equals βi’ → ersatzpassword login.
• else → incorrect username/password.](https://image.slidesharecdn.com/thesisdefensepresentation-160705151151/85/Using-Deception-to-Enhance-Security-A-Taxonomy-Model-and-Novel-Uses-Thesis-Defense-41-320.jpg)
Using Deception to Enhance Security: A Taxonomy, Model, and Novel Uses -- Thesis Defense
- 1. Using Deception to Enhance Security: A Taxonomy, Model and Novel Uses Mohammed H. Almeshekah Thesis Defense
- 2. Special Thanks! • To my advisors: • Prof. Eugene Spafford • Prof. Mike Atallah • To my committee members: • Prof. Sam Wagstaff • Prof. Matt Bishop
- 3. Introduction A Holistic Overview of Security Defenses
- 4. Computer System Defenses Denial and Isolation (1) Prevent unauthorized access. (2) Hide the existence and/or the nature of systems and/or data. Degradation and Obfuscation (1) Slow down the attackers. (2) Prevent and reduce the recovery. (3) Obfuscate the value/ nature of systems and/or data. (4) Create noise around valuable data. Deception and Negative Information (1) Lead the attackers astray. (2) Add decoys. (3) Add doubt to the data obtained by the adversary. (4) Increase the risk of attacking computer systems. Attribution and Counter Operation (1) Attributing adversaries. (2) Cause damage to attackers. (3) Increase overall risk in attacking our systems.
- 5. Computer System Defenses Denial and Isolation (1) Prevent unauthorized access. (2) Hide the existence and/or the nature of systems and/or data. Degradation and Obfuscation (1) Slow down the attackers. (2) Prevent and reduce the recovery. (3) Obfuscate the value/ nature of systems and/or data. (4) Create noise around valuable data. Deception and Negative Information (1) Lead the attackers astray. (2) Add decoys. (3) Add doubt to the data obtained by the adversary. (4) Increase the risk of attacking computer systems. Attribution and Counter Operation (1) Attributing adversaries. (2) Cause damage to attackers. (3) Increase overall risk in attacking our systems.
- 6. Status Quo • Breaches: • 84% of these attacks took hours or less to infiltrate. • 66% of breaches took months or years to discover. • Defenses: • Only 5% of these breaches were detected using traditional tools.
- 7. Using Deception as a Defensive Mechanism
- 8. Traditional Security Defenses Narrowing down the attack path! Whack Your Attacker Security Tools Computer System
- 9. Traditional Security Defenses Narrowing down the attack path! Whack Your Attacker Security Tools Computer System
- 10. Deception-Based Defenses • Traditional security (negative clues) and deception (positive clues) work in tandem. • Humans are not good at detecting deception: • Detecting deception by college students → 57% • Detecting deception by law enforcement → 54%
- 11. Uniques Advantages of Using Deception
- 12. Uniques Advantages of Using Deception
- 13. Uniques Advantages of Using Deception
- 14. Uniques Advantages of Using Deception
- 15. Uniques Advantages of Using Deception
- 16. Previous Uses of Deception • Used as ad-hoc attempt: • Deception has been mainly used as “trapping” or “deterrence” tools. • Trojan Horses, Phishing, XSS, XSRF and others have long been effective. • Deception is Effectively Used in Many Areas of Computing.
- 18. Framework for Using Deception in Security Defenses
- 19. A Framework
- 20. Deception Framework (3) Exploit Attacker’s Biases What are the plausible responses to the attack and which ones should you use?
- 21. Deception Framework (4) Apply Deception Make your system lie
- 22. Deception Framework (4) Apply Deception
- 23. Deception Framework (8) Monitoring and Dynamic Adjusting Continuous monitoring and dynamic adjustment based on the attacker’s response
- 25. A Password Dangerous Trip MitB MitM
- 26. Information Asymmetry Context-less Authentication User wants to access Banks want me to access.
- 27. Information Asymmetry Contextual Authentication Public Network? Email link? …. Dynamic Decision context
- 28. Goals of Using Such Channel • Limit passwords exposure. • Communicate the user’s authentication context. • Incorporate covert messages in the protocol that are totally oblivious to any part observing.
- 29. A Deceptive Covert Communication • We will use an accumulation function A() that can be realized using modular exponentiation. • A(x1, x2) = A(x2, x1). • Computing A(A(x1), x2) doesn’t require the knowledge of x1, and = A(x1, x2). • Current systems store h = H(passwd || salt).
- 30. A Deceptive Covert Communication Check whether username exists? if usernameExists(): R = randomNonce() key = A(h, R) x = HMACkey(A(R), s, id) Send QR(A(R), x, s, id) id = Serverid
- 31. A Deceptive Covert Communication Check the integrity of QR h = Hash(passwd || salt) key = A(A(R), h) x’ = HMACkey(A(R), s, id) if x == x’ -> route (b) else -> route (a)
- 32. A Deceptive Covert Communication Covert message code = A(A(R), h, msgs)
- 33. A Deceptive Covert Communication Verifying the code code’ = A(A(R), h, possible msgs) check code =? code’
- 34. Comparison
- 35. Ersatzpassword
- 36. A Password Lifecycle Insider Threat/ Compromise
- 37. Passwords Files are Attractive Target • Evernote reported the leakage of the hashed passwords for more than 50 million users • Other attacks against Yahoo, RockYou, LinkedIn and eHarmony has been reported. • Passwords cracking is often a precursor to more significant attacks.
- 38. Ersatzpasswords Goals • Eliminate the possibility of an offline passwords cracking. • Detect the leakage of users’ passwords. • Proactively detect accounts impersonation attempts.
- 39. Technical Specification — One-Time Initialization • Instantaneously store all passwords in a machine dependent format. [ ui , αi , si ] ↓ HDF(αi) ↓ βi = H(HDF(αi) || si) ↓ [ ui , βi , si ] αi = H(pi || si)
- 40. Technical Specification — Injecting Ersatzpasswords • When the user is logging-in: ui , pi ↓ pi* ↓ si’ = HDF(pi || ui) ⊕ pi* ↓ βi’ = H[ pi* || si’], ↓ [ ui , βi’, si’] [Choose an erstazpassword] [Compute a new salt] , pi* = HDF(pi || ui) ⊕ si’
- 41. Technical Specification — Login • The user enters her username (ui) and password (pi). • The systems checks: • If H[ (HDF(pi || ui) ⊕ si’) || si’] equals βi’ → correct login. • If H(pi || si’) equals βi’ → ersatzpassword login. • else → incorrect username/password.
- 42. Three Main Properties • Checking a password requires access to HDF → thwarting offline cracking. • Cracking returns an ersatzpassword for every account → triggering an alarm at the server when used. • Maintain the same format of the password file → deceiving the attacker.
- 43. Ersatzpasswords Properties • Plausibility • Non-Deducibility • Typo-Resilience • Crackable • Policy Adherence
- 44. Implementation • We used YubiHSM. • HDF(p) := HMAC-SHA1k(p) • Implemented as a modified pam_unix in an OpenBSD OS.
- 45. Performance Analysis Normal OpenBSD Modified OpenBSD Password update Authentication
- 46. Deceptiver
- 47. Web Applications • Verizon DBIR identified web application attacks as the most common incident in 2013 accounting for 35% of all incidents. • Gartner states that more than 70% of threats are at the web application layer
- 48. Deceptiver
- 49. Deceptiver vs. Honeypots • Instantaneous reflecting the current production state. • Honeypots are yet another set of systems that need to be administered and updated. • Honeypots need to keep copies of different individual resources where deceit is injected.
- 50. Deceptiver Responses 1. Traps •Administrative resources (e.g. .htaccess). •Isolated resource. •Meta/Hidden data. •Known Vulnerabilities. 2. Active deceptive responses •Performance. •Public data. •Software and services
- 51. Implementation
- 53. Performance Analysis — 2 • Further investigating performance showed that 9 lines of codes take %99.2 of execution time. • All of those are querying the mySQL database.
- 54. Future Work The role of biases This Dissertation Modeling the use of deception The creation of deceit Deception Metrics Advanced tools Economical and ethical issues
- 55. Future Work The role of biases This Dissertation Modeling the use of deception The creation of deceit Deception Metrics Advanced tools Economical and ethical issues • The role of Deception. • A framework to plan and integrate deception. • Three practical tools.
- 56. Future Work The role of biases This Dissertation Modeling the use of deception The creation of deceit Deception Metrics Advanced tools Economical and ethical issues • In defending computer systems. • In protecting users. • Further investigating cultural and organization biases.
- 57. Future Work The role of biases This Dissertation Modeling the use of deception The creation of deceit Deception Metrics Advanced tools Economical and ethical issues • Using game theoretical models (e.g. hypergames). • Where to apply deception within the kill-chain.
- 58. Future Work The role of biases This Dissertation Modeling the use of deception The creation of deceit Deception Metrics Advanced tools Economical and ethical issues • Cost/benefit analysis. • Externality effects. • Lying to regular users.
- 59. Future Work The role of biases This Dissertation Modeling the use of deception The creation of deceit Deception Metrics Advanced tools Economical and ethical issues • Measuring plausibility, deductibility, confusion and other characteristics.
- 60. Future Work The role of biases This Dissertation Modeling the use of deception The creation of deceit Deception Metrics Advanced tools Economical and ethical issues • How to create believable fake information?
- 61. Future Work The role of biases This Dissertation Modeling the use of deception The creation of deceit Deception Metrics Advanced tools Economical and ethical issues • Deceptive file system. • Deceptive patches. • Deceptive system calls.
- 62. Publications • M. Almeshekah, C. Gutierrez, M. Atallah and E. Spafford, “ErsatzPasswords – Ending Passwords Cracking” (under review). • M. Almeshekah, M. Atallah and E. Spafford, “Enhancing Passwords Security using Deceptive Covert Communication,” International Conference on ICT Systems Security and Privacy Protection, IFIP SEC’15, May 26-28, 2015, Hamburg, Germany. • M. Almeshekah and E. Spafford, “Using Deceptive Information in Computer Security Defenses,” International Journal of Cyber Warfare and Terrorism (IJCWT), 4 (3), 46-58, July-September 2014, IGI Global. • M. Almeshekah and E. Spafford, “Planning and Integrating Deception into Computer Security Defenses,” New Security Paradigms Workshop (NSPW’14), 15-18 September 2014, Victoria, BC, Canada. • M. Almeshekah and E. Spafford, “The Case of Using Negative (Deceiving) Information in Data Protection,” in Proceedings of the 9th International Conference on Cyber Warfare and Security ICCWS-2014, ISSN: 2048-9870, Academic Conferences and Publishing International Limited, March 2014. • M. Almeshekah, M. Atallah, and E. Spafford, “Back channels can be useful! – layering authentication channels to provide covert communication,” SPW’13, in Security Protocols XXI (B. Christianson, J. Malcolm, F. Stajano, and J. Anderson, eds.), vol. 8263 of Lecture Notes in Computer Science, Springer Berlin Heidelberg, 2013.