What is Cyber Deception?
Experts in cyber defense usually assume that attackers are the smart ones. They are the ones with zero-day vulnerabilities, social engineering schemes, and obfuscated malware. They are the ones who reconnoiter a target for months or years — and once inside might go undetected for just as long.
But over the last few years, interest has been mounting in countering these asymmetries through active defense: “synchronized, real-time capability to discover, detect, analyze, and mitigate threats and vulnerabilities… using sensors, software, and intelligence…” [DoD 2012].
One particular type of active defense is deception.
Within cybersecurity research, deception has acquired buzz-word status. It was the topic of a special track at GameSec 2018, a keynote talk at HoTSoS 2019, and several recent books [Bodmer et al. 2012, Heckman et al. 2015, Sushil and Subrahamian 2016, Pawlick and Zhu 2021].
Moreover, the start-up world is replete with companies that claim to leverage deception. Attivo Networks, Acalvio, Cemmetria, and Illusive Networks are all built around misleading attackers [c.f. Taslet].
As a fire needs oxygen, attackers — once they have found their way in to a network — need reliable data that will lead them toward their target. By saturating the environment with deceptive information, Illusive creates a distorted reality that the attacker cannot confidently navigate. — Illusive Networks
Unfortunately, buzz-word status brings with it a certain risk: like “big data,” “deception” end up signifying both everything and nothing at all.
We need definitions
We need definitions: a taxonomy of deception. A “common language and a set of basic concepts about which the security community can develop a shared understanding” [MITRE 2000].
And if we want to be able to predict, analyze, and measurably improve deception, we need quantitative definitions. Definitions that use mathematics.
In this article, I’ll introduce several types of cyber deception, along with mathematical definitions that differentiate them and suggest promising ways to model them using game theory.
Broad Definition of Deception
Here’s one possible definition of deception, adapted from the Stanford Encyclopedia of Philosophy:
To deceive = to intentionally cause another person to acquire or continue to
have a false belief, or to be prevented from acquiring or cease to have a true
belief
This definition is broad, which is good. On the other hand, its breadth limits its depth. Security professionals need high-resolution definitions in order to implement deception in specific scenarios.
Looking at existing cybersecurity literature, deception seems to fall into six different categories — or species, as we’ll call them: perturbation, obfuscation, moving target defense, mixing, honey-x, and attacker engagement [Pawlick and Zhu 2019].
The differences between these six species, though, are not always clear. What is the difference, for example, between obfuscation and moving target defense? How should their mathematical models differ?
In order to define the boundaries between these types of deception in a quantitative manner, we’ll use principles taken from game theory.
Game Theory
Game theory is a branch of mathematics that studies decision-making under competition. If the owner of a car company wants to choose the automobile price that will earn the most profits, that is optimization. But if she is competing with the owner of another company down the street, that is game theory. Players in game theory have to think not only: “What does my opponent believe?” but also “What does my opponent believe that I believe?”
Game theory applies well to both deception and cybersecurity, in which attackers and defenders try to guess each other’s actions and mislead each other’s beliefs.
Private Information
We can start by breaking down deception into cryptic and mimetic deception based on the type of information involved.
Recall the definition of that we used as a starting point:
To deceive = to intentionally cause another person to acquire or continue to
have a false belief, or to be prevented from acquiring or cease to have a true
belief.
The definition naturally delineates between two subcategories: to cause another person a) to be prevented from acquiring or cease to have a true belief, or b) to acquire or continue to have a false belief.
The first of these is crypsis, and the second is mimesis. We take these terms from biology.
“In [crypsis]… an animal resembles some object which is of no interest to its enemy, and in doing so is concealed…
in [mimesis]… an animal resembles an object which is well known… and in so doing becomes conspicuous” [Cott 1940].
Moving target defense, for example, is an example of crypsis, because the goal is to hide the true configuration of a network. Defenders don’t care what the attacker thinks about the network, as long as it is wrong.
On the other hand, the deployment of honeypots is an example of mimesis, because the goal is to make attackers think that a honeypot is a production system, and so lure them towards the honeypot.
As we will see, these differing goals can be represented by the game-theoretic notion of private information.
Actors
Based on the actors involved, cryptic deception can be divided into extensive or intensive deception.
defender adds noise to his own private data.
example, the defender dynamically changes the location of the private data.
Intensive deception modifies an actor or its representation. For example, some privacy techniques add noise to data about a user before publishing the data.
By contrast, extrinsic deception hides data through collaboration with outside actors. An example in cyberspace is mix networks, in which messages enter a network and are relayed through a chain of proxy servers before they leave the network. Each individual message is hidden because of the presence of the other messages.
We’ll move rapidly through the next two concepts.
Actions
In addition to actors, our taxonomy also divides cryptic deception based on the actions involved. We distinguish between deception that uses information and deception that uses motion. Deception that uses information manipulates data that is released about agents’ attributes, while deception that uses motion either modifies these properties over time or realizes these properties from a random variable.
In other words, informational deception uses noise, while motive deception uses randomization or agility.
Duration
Finally, some techniques for mimetic deception are static while others are dynamic. Low-interaction honeypots, for example, mimic production systems without providing extensive functionality. They present attackers with a static deception, and can be modeled with static game theory.
High-interaction honeypots, however, aim to deceive an attacker over time. This requires a corresponding shift from static to dynamic game theory models.
Synthesizing the Taxonomy
Combining these four game-theoretic principles gives us the above taxonomy. As long as the principles are clearly understood, each type of deception is unambiguously defined. For instance, perturbation is cryptic, intensive, and informational deception. Honey-x is mimetic, static deception.
We don’t want to claim that these are the only possible definitions. But they offer one potential starting point — one possible common language to speak.
Matching deception species to models
Once we have this common language, we can talk about which models best capture each species of deception.
The figure below gives our opinion of some promising approaches. We put the approaches in blurred shapes to suggest that other models are also possible.
instance, cryptic, intensive, and motive deception (i.e., moving target defense) can be modeled
by non-cooperative, complete-information, two-player games with mixed strategies.
The root node is non-cooperative games. Within non-cooperative games, models with incomplete information are well suited for mimetic deception, since they model the false attacker beliefs inculcated by defenders. One-shot games such as signaling games [Carroll and Grosu 2009] can capture honey-x, while dynamic games such as partially-observable stochastic games are necessary to fully model dynamic deception.
Within cryptic deception (top half of the figure), intensive deception such as perturbation and moving target defense can be modeled by two-player games. Its just defender against attacker, or tech user versus machine learning algorithms that threaten his or her privacy.
On the other hand, some types of crypsis — such as mix networks —use multiple agents. These require more than two players.
Within both cryptic intensive and cryptic extensive deception, the techniques that use motion change defense configurations over time. From an attacker’s point of view, this is the same as choosing a random strategy at a given instant of time. Hence, the situation can be modeled using mixed strategies. Deception that uses information rather than motion can be modeled using the information-theoretical concept of noise.
For more information, interested readers can see Game Theory for Cyber Deception, in which we use these definitions to study:
- Obfuscation for information privacy using mean-field Stackelberg games [Pawlick and Zhu 2017] (complete-information, N+1-player games that use noise),
- Honey-x for network defense using signaling games with evidence [Pawlick et al. 2018] (incomplete-information, one-shot games), and
- Attacker engagement against advanced persistent threats using a robust Markov decision process (a way of modeling games with dynamic elements) [Pawlick et al. 2019].
