The cyber defenses of Critical Infrastructures require early detection of new threats and attacks. This includes defensive systems that are able to learn from novel attacks and to detect 0-day vulnerabilities as early as possible. Honeypots are not defensive systems based on prevention, but they still represent an effective way to gather information about attacks from the source. Nevertheless, most existing solutions operate in a stateless way. As a consequence, they are easily identified by expert attackers, and they are unable to track progress of individual attacks in large applications. We propose a novel approach that enables a so called stateful honeypot. The idea comes from the observation that a typical cyber attack to a Critical Infrastructure is carried out through multiple attempts and intrusions. Hence the main goal is to fingerprint each attacker by observing and registering his adopted methods, tools and actions. Once identified, the adversary is redirected to his specific environment that preserves the history of his previous operations including the installation of rootkits or backdoors. The proposed solution paves the way to a more effective generation of honeypots that are necessary to face the augmented complexity of cyber attacks.
Adversarial fingerprinting of cyber attacks based on stateful honeypots
Colajanni M.
2018
Abstract
The cyber defenses of Critical Infrastructures require early detection of new threats and attacks. This includes defensive systems that are able to learn from novel attacks and to detect 0-day vulnerabilities as early as possible. Honeypots are not defensive systems based on prevention, but they still represent an effective way to gather information about attacks from the source. Nevertheless, most existing solutions operate in a stateless way. As a consequence, they are easily identified by expert attackers, and they are unable to track progress of individual attacks in large applications. We propose a novel approach that enables a so called stateful honeypot. The idea comes from the observation that a typical cyber attack to a Critical Infrastructure is carried out through multiple attempts and intrusions. Hence the main goal is to fingerprint each attacker by observing and registering his adopted methods, tools and actions. Once identified, the adversary is redirected to his specific environment that preserves the history of his previous operations including the installation of rootkits or backdoors. The proposed solution paves the way to a more effective generation of honeypots that are necessary to face the augmented complexity of cyber attacks.I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.
