政大機構典藏-National Chengchi University Institutional Repository(NCCUR):Item 140.119/141044
English  |  正體中文  |  简体中文  |  Post-Print筆數 : 27 |  Items with full text/Total items : 113313/144292 (79%)
Visitors : 50945327      Online Users : 906
RC Version 6.0 © Powered By DSPACE, MIT. Enhanced by NTU Library IR team.
Scope Tips:
  • please add "double quotation mark" for query phrases to get precise results
  • please goto advance search for comprehansive author search
  • Adv. Search
    HomeLoginUploadHelpAboutAdminister Goto mobile version
    政大典藏 > College of Commerce > Department of MIS > Theses >  Item 140.119/141044
    Please use this identifier to cite or link to this item: https://nccur.lib.nccu.edu.tw/handle/140.119/141044


    Title: 網路偵查攻擊之封包式欺騙防禦
    DEFIC: Defensive Packet Deception on Reconnaissance Attack
    Authors: 林子翔
    Lin, Zih-Siang
    Contributors: 郁方
    Yu, Fang
    林子翔
    Lin, Zih-Siang
    Keywords: 網路殺攻擊鍊
    網路偵查
    欺騙式防禦
    作業系統指紋
    連接埠掃描
    Cyber kill chain
    Network reconnaissance
    Defensive deception
    OS fingerprint
    Port scanning
    Date: 2022
    Issue Date: 2022-08-01 17:25:09 (UTC+8)
    Abstract: 網絡偵查是網絡攻擊鏈的第一階段,攻擊方進行主機發現、端口掃描和作業系統檢測,試圖從遠端主機獲取關鍵資源。
    在網絡偵查階段誤導對手可以提供主動保護機制,而非在攻擊實際發生後才採取應對措施,此舉可防止後續階段的武器化和攻擊者的漏洞利用。

    在本文中,我們提出了一種新的封包式欺騙防禦框架DEFIC,可用於對抗 Nmap 等第三方網路偵查工具的常見偵查攻擊。
    我們所提出的欺騙式防禦框架可以偽造針對連接埠和系統組態之掃描封包的欺騙式回應,以在網絡偵查期間混淆攻擊者,從而使目標主機能夠偽裝其正在運行防禦端所指定的作業系統。
    除此之外,我們建構了幾個作業系統模板,可動態針對系統實時狀態、掃描封包的細微差異包與作業系統欺騙策略生成一系列的偽造回應。

    初步結果表明,Nmap 很有可能會誤判被我們如隱形斗篷一般的DEFIC所覆蓋的遠程主機。
    Network reconnaissance stands the first stage of a cyber kill chain, where adversaries conduct host discovery, port scanning, and operating system detection in order to obtain critical information from remote hosts.
    Misleading an adversary in the network reconnaissance phase can provide orthogonal protection in the first place, preventing subsequent phases of weaponization and exploitation from attackers.
    In this paper, we propose a novel packet-level defensive deception framework against common reconnaissance attacks that can be employed by third-party reconnaissance tools such as Nmap.
    Specifically, we propose DEFIC, a deceptive firewall that can forge fake responses to unknown requests on port and system status to confuse attackers during network reconnaissance and hence provide the target host the ability to pretend running with a designated operating system.
    We build several templates of response packets that can be used to reconstruct packets with the desired information and synthesize a sequence of fake packets according to different OS strategies.
    Our preliminary results show that the Nmap tool has a high chance of miss-guessing remote hosts that are covered with our invisibility cloak.
    Reference: [1] E. M. Hutchins, M. J. Cloppert, R. M. Amin et al., “Intelligence-driven computer network defense informed by analysis of adversary campaigns and intrusion kill chains,” Leading Issues in Information Warfare & Security Research, vol. 1, no. 1, p. 80, 2011.
    [2] J. Pawlick, E. Colbert, and Q. Zhu, “A game-theoretic taxonomy and survey of defensive deception for cybersecurity and privacy,” ACM Computing Surveys (CSUR), vol. 52, no. 4, pp. 1–28, 2019.
    [3] T. Yadav and A. M. Rao, “Technical aspects of cyber kill chain,” in International Symposium on Security in Computing and Communication. Springer, 2015, pp. 438–452.
    [4] S. Sengupta, A. Chowdhary, A. Sabur, A. Alshamrani, D. Huang, and S. Kambhampati, “A survey of moving target defenses for network security,” IEEE Communications Surveys & Tutorials, vol. 22, no. 3, pp. 1909–1941, 2020.
    [5] F. J. Stech, K. E. Heckman, and B. E. Strom, “Integrating cyber-d&d into adversary modeling for active cyber defense,” in Cyber deception. Springer, 2016, pp. 1–22.
    [6] M. Zhu, A. H. Anwar, Z. Wan, J.-H. Cho, C. A. Kamhoua, and M. P. Singh, “A survey of defensive deception: Approaches using game theory and machine learning,” IEEE Communications Surveys & Tutorials, vol. 23, no. 4, pp. 2460–2493, 2021.
    [7] D. Ye, T. Zhu, S. Shen, and W. Zhou, “A differentially private game theoretic approach for deceiving cyber adversaries,” IEEE Transactions on Information Forensics and Security, vol. 16, pp. 569–584, 2020.
    [8] M. A. Rahman, M. M. Hasan, M. H. Manshaei, and E. Al-Shaer, “A game-theoretic analysis to defend against remote operating system fingerprinting,” Journal of Information Security and Applications, vol. 52, p. 102456, 2020.
    [9] M. Albanese, E. Battista, and S. Jajodia, “A deception based approach for defeating os and service fingerprinting,” in 2015 IEEE Conference on Communications and Network Security (CNS). IEEE, 2015, pp. 317–325.
    [10] Z. Zhao, F. Liu, and D. Gong, “An sdn-based fingerprint hopping method to prevent fingerprinting attacks,” Security and Communication Networks, vol. 2017, 2017.
    [11] M. S. I. Sajid, J. Wei, M. R. Alam, E. Aghaei, and E. Al-Shaer, “Dodgetron: Towards autonomous cyber deception using dynamic hybrid analysis of malware,” in 2020 IEEE Conference on Communications and Network Security (CNS). IEEE, 2020, pp. 1–9.
    [12] S. Wang, Q. Pei, Y. Zhang, X. Liu, and G. Tang, “A hybrid cyber defense mechanism to mitigate the persistent scan and foothold attack,” Security and Communication Networks, vol. 2020, 2020.
    [13] F. De Gaspari, S. Jajodia, L. V. Mancini, and A. Panico, “Ahead: A new architecture for active defense,” in Proceedings of the 2016 ACM Workshop on Automated Decision Making for Active Cyber Defense, 2016, pp. 11–16.
    [14] J. H. Jafarian, E. Al-Shaer, and Q. Duan, “Adversary-aware ip address randomization for proactive agility against sophisticated attackers,” in 2015 IEEE Conference on Computer Communications (INFOCOM). IEEE, 2015, pp. 738–746.
    [15] ——, “An effective address mutation approach for disrupting reconnaissance attacks,” IEEE Transactions on Information Forensics and Security, vol. 10, no. 12,
    pp. 2562–2577, 2015.
    [16] S.-Y. Chang, Y. Park, and B. B. A. Babu, “Fast ip hopping randomization to secure hop-by-hop access in sdn,” IEEE Transactions on Network and Service Management, vol. 16, no. 1, pp. 308–320, 2018.
    [17] P. K. Manadhata and J. M. Wing, “An attack surface metric,” IEEE Transactions on Software Engineering, vol. 37, no. 3, pp. 371–386, 2010.
    [18] M. F. Hyder and M. A. Ismail, “Securing control and data planes from reconnaissance attacks using distributed shadow controllers, reactive and proactive approaches,” IEEE Access, vol. 9, pp. 21 881–21 894, 2021.
    [19] G. F. Lyon, Nmap network scanning: The official Nmap project guide to network discovery and security scanning. Insecure. Com LLC (US), 2008.
    [20] MITRE, “CVE,” Oct. 19, 2021. [Online]. Available: https://cve.mitre.org/
    [21] I. Brett, N. Satya, and H. Amy, “Microsoft Fiscal Year 2021 Third Quarter Earnings
    Conference Call,” Apr. 27, 2021. [Online]. Available: https://www.microsoft.com/
    en-us/Investor/events/FY-2021/earnings-fy-2021-q3.aspx
    Description: 碩士
    國立政治大學
    資訊管理學系
    109356036
    Source URI: http://thesis.lib.nccu.edu.tw/record/#G0109356036
    Data Type: thesis
    DOI: 10.6814/NCCU202200748
    Appears in Collections:[Department of MIS] Theses

    Files in This Item:

    File Description SizeFormat
    603601.pdf1350KbAdobe PDF239View/Open


    All items in 政大典藏 are protected by copyright, with all rights reserved.


    社群 sharing

    著作權政策宣告 Copyright Announcement
    1.本網站之數位內容為國立政治大學所收錄之機構典藏,無償提供學術研究與公眾教育等公益性使用,惟仍請適度,合理使用本網站之內容,以尊重著作權人之權益。商業上之利用,則請先取得著作權人之授權。
    The digital content of this website is part of National Chengchi University Institutional Repository. It provides free access to academic research and public education for non-commercial use. Please utilize it in a proper and reasonable manner and respect the rights of copyright owners. For commercial use, please obtain authorization from the copyright owner in advance.

    2.本網站之製作,已盡力防止侵害著作權人之權益,如仍發現本網站之數位內容有侵害著作權人權益情事者,請權利人通知本網站維護人員(nccur@nccu.edu.tw),維護人員將立即採取移除該數位著作等補救措施。
    NCCU Institutional Repository is made to protect the interests of copyright owners. If you believe that any material on the website infringes copyright, please contact our staff(nccur@nccu.edu.tw). We will remove the work from the repository and investigate your claim.
    DSpace Software Copyright © 2002-2004  MIT &  Hewlett-Packard  /   Enhanced by   NTU Library IR team Copyright ©   - Feedback