Farsighted Risk Mitigation of Lateral Movement Using Dynamic Cognitive Honeypots

Linan Huang, Quanyan Zhu

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

Lateral movement of advanced persistent threats has posed a severe security challenge. Due to the stealthy and persistent nature of the lateral movement, defenders need to consider time and spatial locations holistically to discover latent attack paths across a large time-scale and achieve long-term security for the target assets. In this work, we propose a time-expanded random network to model the stochastic service links in the user-host enterprise network and the adversarial lateral movement. We design cognitive honeypots at idle production nodes and disguise honey links as service links to detect and deter the adversarial lateral movement. The location of the honeypot changes randomly at different times and increases the honeypots’ stealthiness. Since the defender does not know whether, when, and where the initial intrusion and the lateral movement occur, the honeypot policy aims to reduce the target assets’ Long-Term Vulnerability (LTV) for proactive and persistent protection. We further characterize three tradeoffs, i.e., the probability of interference, the stealthiness level, and the roaming cost. To counter the curse of multiple attack paths, we propose an iterative algorithm and approximate the LTV with the union bound for computationally efficient deployment of cognitive honeypots. The results of the vulnerability analysis illustrate the bounds, trends, and a residue of LTV when the adversarial lateral movement has infinite duration. Besides honeypot policies, we obtain a critical threshold of compromisability to guide the design and modification of the current system parameters for a higher level of long-term security. We show that the target node can achieve zero vulnerability under infinite stages of lateral movement if the probability of movement deterrence is not less than the threshold.

Original languageEnglish (US)
Title of host publicationDecision and Game Theory for Security - 11th International Conference, GameSec 2020, Proceedings
EditorsQuanyan Zhu, John S. Baras, Radha Poovendran, Juntao Chen
PublisherSpringer Science and Business Media Deutschland GmbH
Pages125-146
Number of pages22
ISBN (Print)9783030647926
DOIs
StatePublished - 2020
Event11th Conference on Decision and Game Theory for Security, GameSec 2020 - College Park, United States
Duration: Oct 28 2020Oct 30 2020

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume12513 LNCS
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349

Conference

Conference11th Conference on Decision and Game Theory for Security, GameSec 2020
CountryUnited States
CityCollege Park
Period10/28/2010/30/20

Keywords

  • Advanced persistent threats
  • Attack graph
  • Cognitive security
  • Lateral movement
  • Long-term security
  • Risk analysis
  • Time-expanded network

ASJC Scopus subject areas

  • Theoretical Computer Science
  • Computer Science(all)

Fingerprint Dive into the research topics of 'Farsighted Risk Mitigation of Lateral Movement Using Dynamic Cognitive Honeypots'. Together they form a unique fingerprint.

Cite this