Type of Document: Dissertation
Author: Yuill, James Joseph
Author's Email Address: jimyuill@pobox.com
URN: etd-10272006-055733
Title: Defensive Computer-Security Deception Operations: Processes, Principles and Techniques
Degree: PhD
Graduate Program: Computer Science

Advisory Committee
- Dr. Ana I. Antón, Committee Co-Chair
- Dr. Mladen Vouk, Committee Co-Chair
- Dr. Donald Bitzer, Committee Member
- Dr. Dorothy Denning, Committee Member

Keywords
- scanning
- intrusion detection
- computer security
- honeypots
- deception
Date of Defense: 2006-05-02
Availability: unrestricted

Abstract

This thesis is concerned with the processes, principles and techniques involved in deception operations for computer-security defense. In this work, computer-security deception operations are defined as the planned actions taken to mislead hackers and thereby cause them to take (or not take) specific actions that aid computer-security defenses. Computer-security researchers have investigated hackers' use of deception to attack networks, and the deceptive honeypot systems used to defend networks. However, relatively little has been done to systematically model and examine computer-security deception operations. This work addresses that gap by focusing on deception for computer-security defense. The four main contributions of this thesis are:
1) A process model for deception operations: this model, which is based on military deception theory and practice, provides deception planners with a framework for conducting deception operations. The framework includes a validated set of processes, principles and techniques.
2) A process model of deceptive hiding: this model aids the defender in developing new hiding techniques and in evaluating existing ones. Deceptive hiding is modeled as defeating the target's discovery processes: direct observation, investigation based on evidence, and learning from others.
3) Deception-based intrusion detection systems: the two deception models informed the design and evaluation of these systems. The honeyfiles system extends the network file system to provide bait files for hackers; opening one of these files triggers an alarm. The net-chaff system employs computer impersonations (fake hosts answering at otherwise unused addresses) to detect and contain hackers' network scans within an intranet.
4) Experiments and evaluation: a prototype honeyfile system was implemented, and the net-chaff system was simulated and modeled analytically. This work, and subsequent experimentation, provide exploratory and confirmatory assessment of the two deception models. The experimental portion of this work reveals that: (a) the honeyfiles prototype was deployed on a deceptive network and, when subjected to hacking, was observed to be an effective means for intrusion detection; and (b) the net-chaff system can reliably detect and contain intranet scans before they access vulnerable computers.
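The net-chaff idea in contribution 3 can be made concrete with a small simulation. The following is an added illustration, not the dissertation's own simulator or its analytic model. It assumes a hypothetical intranet of integer addresses holding real hosts (some vulnerable) plus chaff addresses answered by impersonated hosts; a scanner probes addresses in some order, and the first probe that reaches a chaff address raises an alarm and contains the scan. The question is how often the alarm fires before any vulnerable host has been probed, and how that depends on scan order and on where the chaff is placed. The closed form c/(c+v) derived in `analytic_containment` is my own derivation for a uniformly random probe order, not a formula taken from the thesis.

```python
"""Constructed simulation of a net-chaff style scan detector (illustrative, not the thesis code)."""
import random
from fractions import Fraction


def scan_outcome(vulnerable, chaff, order):
    """Walk one scan in probe order.

    Returns ("contained", k) if the k-th probe hits a chaff address before any
    vulnerable host was probed, ("compromised", k) if a vulnerable host is
    reached first, or ("clean", len(order)) if neither is ever touched.
    "Contained" models the alarm firing in time to block the scanner.
    """
    for k, addr in enumerate(order, 1):
        if addr in chaff:
            return "contained", k
        if addr in vulnerable:
            return "compromised", k
    return "clean", len(order)


def random_order(addresses, rng):
    """Scanner that probes the address space in uniformly random order."""
    order = list(addresses)
    rng.shuffle(order)
    return order


def sequential_order(addresses, rng):
    """Scanner that sweeps the address space from the lowest address upward."""
    return sorted(addresses)


def simulate(n_real, n_vulnerable, n_chaff, trials,
             order_fn=random_order, interleave_chaff=True, seed=0):
    """Fraction of scans contained before a vulnerable host is probed.

    Hypothetical address model: n_real + n_chaff integer addresses.  With
    interleave_chaff=True the chaff addresses are scattered at random among
    the real ones; otherwise they occupy the top of the range, a deployment
    choice that a sequential sweep walks past only after the real hosts.
    """
    rng = random.Random(seed)
    total = list(range(n_real + n_chaff))
    contained = 0
    for _ in range(trials):
        if interleave_chaff:
            chaff = set(rng.sample(total, n_chaff))
        else:
            chaff = set(total[n_real:])
        real = [a for a in total if a not in chaff]
        vulnerable = set(rng.sample(real, n_vulnerable))
        outcome, _ = scan_outcome(vulnerable, chaff, order_fn(total, rng))
        contained += outcome == "contained"
    return contained / trials


def analytic_containment(n_vulnerable, n_chaff):
    """Closed form for a uniformly random probe order (own derivation).

    Only chaff and vulnerable addresses decide the outcome.  Under a random
    probe order their relative ordering is a uniformly random permutation,
    so the first of them the scanner touches is chaff with probability
    c / (c + v).  The same holds for a sequential sweep when the chaff is
    placed at random addresses, since the chaff/vulnerable positions are then
    a uniformly random labelling of their combined address set.
    """
    return Fraction(n_chaff, n_chaff + n_vulnerable)


if __name__ == "__main__":
    # Constructed scenario: 200 real hosts, 10 of them vulnerable, 90 chaff addresses.
    print("analytic c/(c+v):", float(analytic_containment(10, 90)))
    print("random scan, interleaved chaff:", simulate(200, 10, 90, 2000))
    print("sequential scan, interleaved chaff:",
          simulate(200, 10, 90, 2000, order_fn=sequential_order))
    print("sequential scan, chaff at top of range:",
          simulate(200, 10, 90, 2000, order_fn=sequential_order, interleave_chaff=False))
```

The last two runs make the practical point: containment depends not only on how much chaff there is but on where it sits relative to the addresses a scanner visits first. Chaff parked in an unused block at the end of the range does nothing against a low-to-high sweep, whereas chaff scattered among the real hosts keeps the c/(c+v) guarantee regardless of sweep direction.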
Files

| Filename | Size | 28.8 Modem | 56K Modem | ISDN (64 Kb) | ISDN (128 Kb) | Higher-speed Access |
|---|---|---|---|---|---|---|
| etd.pdf | 1.13 Mb | 00:05:14 | 00:02:41 | 00:02:21 | 00:01:10 | 00:00:06 |

Approximate download times are given as hours:minutes:seconds.