Security and Privacy in Communication Networks. 5th International ICST Conference, SecureComm 2009, Athens, Greece, September 14-18, 2009, Revised Selected Papers

Research Article

Baiting Inside Attackers Using Decoy Documents

Download52 downloads
  • @INPROCEEDINGS{10.1007/978-3-642-05284-2_4,
        author={Brian Bowen and Shlomo Hershkop and Angelos Keromytis and Salvatore Stolfo},
        title={Baiting Inside Attackers Using Decoy Documents},
        proceedings={Security and Privacy in Communication Networks. 5th International ICST Conference, SecureComm 2009, Athens, Greece, September 14-18, 2009, Revised Selected Papers},
        proceedings_a={SECURECOMM},
        year={2012},
        month={5},
        keywords={},
        doi={10.1007/978-3-642-05284-2_4}
    }
    
  • Brian Bowen
    Shlomo Hershkop
    Angelos Keromytis
    Salvatore Stolfo
    Year: 2012
    Baiting Inside Attackers Using Decoy Documents
    SECURECOMM
    Springer
    DOI: 10.1007/978-3-642-05284-2_4
Brian Bowen1, Shlomo Hershkop1, Angelos Keromytis1, Salvatore Stolfo1
  • 1: Columbia University

Abstract

The insider threat remains one of the most vexing problems in computer security. A number of approaches have been proposed to detect nefarious insider actions including user modeling and profiling techniques, policy and access enforcement techniques, and misuse detection. In this work we propose trap-based defense mechanisms and a deployment platform for addressing the problem of insiders attempting to exfiltrate and use sensitive information. The goal is to confuse and confound an adversary requiring more effort to identify real information from bogus information and provide a means of detecting when an attempt to exploit sensitive information has occurred. “Decoy Documents” are automatically generated and stored on a file system by the D System with the aim of enticing a malicious user. We introduce and formalize a number of properties of decoys as a guide to design trap-based defenses to increase the likelihood of detecting an insider attack. The decoy documents contain several different types of bogus credentials that when used, trigger an alert. We also embed “stealthy beacons” inside the documents that cause a signal to be emitted to a server indicating when and where the particular decoy was opened. We evaluate decoy documents on honeypots penetrated by attackers demonstrating the feasibility of the method.