
Baiting Inside Attackers Using Decoy Documents

  • Conference paper
Security and Privacy in Communication Networks (SecureComm 2009)

Abstract

The insider threat remains one of the most vexing problems in computer security. A number of approaches have been proposed to detect nefarious insider actions, including user modeling and profiling techniques, policy and access enforcement techniques, and misuse detection. In this work we propose trap-based defense mechanisms and a deployment platform for addressing the problem of insiders attempting to exfiltrate and use sensitive information. The goal is to confuse and confound an adversary, requiring more effort to distinguish real information from bogus information, and to provide a means of detecting when an attempt to exploit sensitive information has occurred. “Decoy Documents” are automatically generated and stored on a file system by the D3 System with the aim of enticing a malicious user. We introduce and formalize a number of properties of decoys as a guide to designing trap-based defenses that increase the likelihood of detecting an insider attack. The decoy documents contain several different types of bogus credentials that, when used, trigger an alert. We also embed “stealthy beacons” inside the documents that cause a signal to be emitted to a server indicating when and where the particular decoy was opened. We evaluate decoy documents on honeypots penetrated by attackers, demonstrating the feasibility of the method.
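One way to implement the abstract's "bogus credentials that, when used, trigger an alert" mechanism, as an added example that is not the D3 System's own code: a server-side registry of decoy credentials, keyed by an HMAC so the registry holds no plaintext passwords, and a login-path check that names the decoy document an attempted credential was planted in. The registry key, document names and login attempts are constructed for illustration.

```python
# Added example (not code from the D3 System or the paper): registry of decoy
# credentials and the login-path check that alerts when one of them is used.
from __future__ import annotations
import hashlib
import hmac
import secrets

# Constructed key for the example; a deployment would keep it in a key store.
REGISTRY_KEY = b"example-registry-key"


def _tag(username: str, password: str) -> str:
    """HMAC of the credential pair; the registry stores only this, so a
    leaked registry does not expose the plaintext decoy passwords."""
    msg = f"{username}\x00{password}".encode()
    return hmac.new(REGISTRY_KEY, msg, hashlib.sha256).hexdigest()


class DecoyRegistry:
    """Maps decoy credentials to the decoy document they were planted in."""

    def __init__(self) -> None:
        self._docs: dict[str, str] = {}  # credential tag -> document name

    def issue(self, document: str, username: str) -> tuple[str, str]:
        """Mint a decoy credential for one document and register it.
        The password is random rather than patterned, so nothing about its
        shape tells a reader that it is bait; only the registry knows."""
        password = secrets.token_urlsafe(12)
        self._docs[_tag(username, password)] = document
        return username, password

    def check_login(self, username: str, password: str) -> str | None:
        """Hook for the authentication path, run before the real password
        check. Returns the decoy document name when the attempt used bait
        credentials (an alert condition), otherwise None."""
        return self._docs.get(_tag(username, password))


def alerts_from_attempts(reg: DecoyRegistry,
                         attempts: list[tuple[str, str, str]]) -> list[dict]:
    """Scan (source_ip, username, password) login attempts and return one
    alert per attempt that used a decoy credential."""
    alerts = []
    for src, user, pw in attempts:
        doc = reg.check_login(user, pw)
        if doc is not None:
            alerts.append({"source": src, "username": user, "decoy_document": doc})
    return alerts
```

Because the alert carries the document name, one registry entry per decoy tells the defender which planted file was read, not just that some bait was used.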




Copyright information

© 2009 ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering

About this paper

Cite this paper

Bowen, B.M., Hershkop, S., Keromytis, A.D., Stolfo, S.J. (2009). Baiting Inside Attackers Using Decoy Documents. In: Chen, Y., Dimitriou, T.D., Zhou, J. (eds) Security and Privacy in Communication Networks. SecureComm 2009. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 19. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-05284-2_4


  • DOI: https://doi.org/10.1007/978-3-642-05284-2_4

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-05283-5

  • Online ISBN: 978-3-642-05284-2

  • eBook Packages: Computer Science (R0)
