Presentation is loading. Please wait.

Presentation is loading. Please wait.

Counterplanning Deceptions To Foil Cyber-Attack Plans Paper by: Neil C. Rowe Presentation by: Michael E. Aiello.

Published byMarcus Morrison Modified over 8 years ago

Similar presentations

Presentation on theme: "Counterplanning Deceptions To Foil Cyber-Attack Plans Paper by: Neil C. Rowe Presentation by: Michael E. Aiello."— Presentation transcript:

1 Counterplanning Deceptions To Foil Cyber-Attack Plans Paper by: Neil C. Rowe Presentation by: Michael E. Aiello

2 Agenda Introduction- Deceptive Tactics Counterplanning MECOUNTER Building a ploy strategy Questions

3 Introduction: Deceptive Tactics Second line of defense behind standard information security tactics. Proactive countermeasures. 1.Concealment 2.Camouflage 3.Ruses (use of enemy equipment + procedures) 4.Demonstrations (of capabilities) 5.Disinformation/Lies 6.Displays - “techniques to make the enemy see what isn’t there” 7.Insight (“deceiving the opponent by outthinking)

4 Cyber Deceptive Tactics 1.Lies - powerful because users are accustomed to truth from computer systems 2.Displays - I.E. simulating virus infection while actually destroying the infection 3.Insight - combination of lies and displays integrated into an overall defensive strategy designed to cause the attacker the maximum amount of trouble

5 Obstructive Counterplanning Definition: Planning to interfere with or frustrate and existing plan Tool needed to define computer intrusion plans/goals. MECOUNTER: A tool to define attack models with mostly-declarative definitions of actions. Allows users to create model for 1.Anticipating what an enemy would do 2.Defining disruption models 3.Observe how the enemy responds to disruption

6 MECOUNTER example: “decompress action” 1.If the system does not want a file to be compressed, it should decompress it 2.Decompressing a file on a system requires that it is known to be there, it is compressed, it is known to be compressed, the actor is logged in to its system, and the actor is not currently running any other program there. 3.Normally when a file is decompressed, this deletes the fact of its compression and adds no new facts 4.10% of the time decompression fails with the error message “Wrong Format” 5.Decompression requires a mean time of 5 seconds and has a Poisson distribution

7 Example Markov model for ten runs of a simplified model for rootkit and port-software installation on a computer system.

8 Counterplanning Develop “ploys” to keep the attacker connected to the machine for tracing/logging purposes. GOAL: Annoy attackers, keep them connected, but do not make them suspicious GOAL: Avoid annoying legitimate users. A successful ploy meets both of these goals

9 Probability equation for successful ploys

10 Building a ploy strategy Build a Markov model for an attack sequence Define probability variables for each state (the j’s) Use a greedy search to permutate all of the available ploys against each state. Define threshold for successful ploy and report results.

11 High impact ploy strategy for buffer overflow + root kit example Delete the connection at port 80 Delete the fact the buffer is overflowed Add the fact there are problems in the file system Report the connection is terminated Delete administrator status

12 Questions??

Download ppt "Counterplanning Deceptions To Foil Cyber-Attack Plans Paper by: Neil C. Rowe Presentation by: Michael E. Aiello."

Similar presentations

Honeypot 서울과학기술대학교 Jeilyn Molina 121336101. Honeypot is the software or set of computers that are intended to attract attackers, pretending to be weak.

Honeypot 서울과학기술대학교 Jeilyn Molina Honeypot is the software or set of computers that are intended to attract attackers, pretending to be weak.
Lecturer: Fadwa Tlaelan

Lecturer: Fadwa Tlaelan
Anomaly Detection Steven M. Bellovin https://www.cs.columbia.edu/~smb Matsuzaki ‘maz’ Yoshinobu 1.

Anomaly Detection Steven M. Bellovin Matsuzaki ‘maz’ Yoshinobu 1.
Intrusion Detection Systems By: William Pinkerton and Sean Burnside.

Intrusion Detection Systems By: William Pinkerton and Sean Burnside.
Access Control Chapter 3 Part 5 Pages 248 to 252.

Access Control Chapter 3 Part 5 Pages 248 to 252.
Mod H-1 Examples of Computer Crimes. Mod H-2 Stuxnet.

Mod H-1 Examples of Computer Crimes. Mod H-2 Stuxnet.
Hidden Markov Model Cryptanalysis Chris Karlof and David Wagner.

Hidden Markov Model Cryptanalysis Chris Karlof and David Wagner.
Security strategy. What is security strategy? How an organisation plans to protect and respond to security attacks on their information technology assets.

Security strategy. What is security strategy? How an organisation plans to protect and respond to security attacks on their information technology assets.
Network Security Testing Techniques Presented By:- Sachin Vador.

Network Security Testing Techniques Presented By:- Sachin Vador.
IT Security Doug Brown Jeff Bollinger. What is security? P.H.P. People Have Problems Security is the mitigation and remediation of human error in information.

IT Security Doug Brown Jeff Bollinger. What is security? P.H.P. People Have Problems Security is the mitigation and remediation of human error in information.
Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.

Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.
Intrusion detection Anomaly detection models: compare a user’s normal behavior statistically to parameters of the current session, in order to find significant.

Intrusion detection Anomaly detection models: compare a user’s normal behavior statistically to parameters of the current session, in order to find significant.
Information Networking Security and Assurance Lab National Chung Cheng University 1 A Real World Attack: wu-ftp.

Information Networking Security and Assurance Lab National Chung Cheng University 1 A Real World Attack: wu-ftp.
Lecture 11 Reliability and Security in IT infrastructure.

Lecture 11 Reliability and Security in IT infrastructure.
Viruses and Spyware. What is a Virus? A virus can be defined as a computer program that can reproduce by changing other programs to include a copy of.

Viruses and Spyware. What is a Virus? A virus can be defined as a computer program that can reproduce by changing other programs to include a copy of.
Buffer Overflow Attacks Figure 9-21. (a) Situation when the main program is running. (b) After the procedure A has been called. (c) Buffer overflow shown.

Buffer Overflow Attacks Figure (a) Situation when the main program is running. (b) After the procedure A has been called. (c) Buffer overflow shown.
Chapter 9 Security 9.7 - 9.8 Malware Defenses. Malware Can be used for a form of blackmail. Example: Encrypts files on victim disk, then displays message.

Chapter 9 Security Malware Defenses. Malware Can be used for a form of blackmail. Example: Encrypts files on victim disk, then displays message.
Maintaining and Updating Windows Server 2008

Maintaining and Updating Windows Server 2008
Term 2, 2011 Week 3. CONTENTS Network security Security threats – Accidental threats – Deliberate threats – Power surge Usernames and passwords Firewalls.

Term 2, 2011 Week 3. CONTENTS Network security Security threats – Accidental threats – Deliberate threats – Power surge Usernames and passwords Firewalls.
INTRUSION DETECTION SYSTEMS Tristan Walters Rayce West.

INTRUSION DETECTION SYSTEMS Tristan Walters Rayce West.

Similar presentations

Ads by Google