Deep Down the Rabbit Hole: On References in Networks of Decoy Elements

TL;DR

This paper introduces inter-referencing decoy elements in deception technology, providing a theoretical foundation, stochastic model, and implementation to enhance intrusion detection by increasing element interconnectivity.

Contribution

It proposes a novel approach of inter-referencing decoy elements, extending existing deception frameworks with a theoretical basis and practical implementation.

Findings

Enhanced decoy frameworks with inter-referencing improve detection capabilities

The stochastic model supports the effectiveness of interconnected decoys

Implementation demonstrates practical viability of the approach

Abstract

Deception technology has proven to be a sound approach against threats to information systems. Aside from well-established honeypots, decoy elements, also known as honeytokens, are an excellent method to address various types of threats. Decoy elements are causing distraction and uncertainty to an attacker and help detecting malicious activity. Deception is meant to be complementing firewalls and intrusion detection systems. Particularly insider threats may be mitigated with deception methods. While current approaches consider the use of multiple decoy elements as well as context-sensitivity, they do not sufficiently describe a relationship between individual elements. In this work, inter-referencing decoy elements are introduced as a plausible extension to existing deception frameworks, leading attackers along a path of decoy elements. A theoretical foundation is introduced, as well as a stochastic model and a reference implementation. It was found that the proposed system is suitable to enhance current decoy frameworks by adding a further dimension of inter-connectivity and therefore improve intrusion detection and prevention.