Delaying-type responses for use by software decoys

• Main Author: Julian, Donald P.
• Other Authors: Rowe, Neil C.
• Published: Monterey, California. Naval Postgraduate School 2012
• Online Access: http://hdl.handle.net/10945/5043

Approved for public release, distribution is unlimited === Modern intrusion detection systems have become highly reliable in identifying a malicious user on a computer system. Their limitations, though, are increasing the need for an intelligent response to an intrusion. In contrast, intelligent software decoys provide autonomous software-based responses to identified intrusions. In this thesis, we explore conducting military deception, focusing on the use of software-driven simulations to respond to the actions of intruders. In particular, this thesis focuses on a model of a simple deceptive response that is intended to protect a search-type program from a buffer-overflow attack. During our study, we found that after identifying an attack attempt, simulating system saturation with processing delays worked well to deceive a prospective attacker. We also experimented with providing confusing reactions to an identified attack attempt, such as simulated network login screens and fake root-shells. The results were successful, simple reactions to intrusions that mimicked intended system interaction, and they proved to be adequate at implementing the deception principles we studied.