What is Cyber Deception?

Jeffrey Pawlick
Feb 26 · 7 min read
Honeypots are just one of the rising stars in the world of cyber deception. Here are six categories of cyber deception based on Game Theory for Cyber Deception.

Experts in cyber defense usually assume that attackers are the smart ones. They are the ones with zero-day vulnerabilities, social engineering schemes, and obfuscated malware. They are the ones who reconnoiter a target for months or years — and once inside might go undetected for just as long.

But over the last few years, interest has been mounting in countering these asymmetries through active defense: “synchronized, real-time capability to discover, detect, analyze, and mitigate threats and vulnerabilities… using sensors, software, and intelligence…” [DoD 2012].

One particular type of active defense is deception.

Within cybersecurity research, deception has acquired buzz-word status. It was the topic of a special track at GameSec 2018, a keynote talk at HoTSoS 2019, and several recent books [Bodmer et al. 2012, Heckman et al. 2015, Sushil and Subrahamian 2016, Pawlick and Zhu 2021].

Moreover, the start-up world is replete with companies that claim to leverage deception. Attivo Networks, Acalvio, Cemmetria, and Illusive Networks are all built around misleading attackers [c.f. Taslet].

As a fire needs oxygen, attackers — once they have found their way in to a network — need reliable data that will lead them toward their target. By saturating the environment with deceptive information, Illusive creates a distorted reality that the attacker cannot confidently navigate. — Illusive Networks

Unfortunately, buzz-word status brings with it a certain risk: like “big data,” “deception” end up signifying both everything and nothing at all.

We need definitions: a taxonomy of deception. A “common language and a set of basic concepts about which the security community can develop a shared understanding” [MITRE 2000].

And if we want to be able to predict, analyze, and measurably improve deception, we need quantitative definitions. Definitions that use mathematics.

In this article, I’ll introduce several types of cyber deception, along with mathematical definitions that differentiate them and suggest promising ways to model them using game theory.

Broad Definition of Deception

Here’s one possible definition of deception, adapted from the Stanford Encyclopedia of Philosophy:

To deceive = to intentionally cause another person to acquire or continue to
have a false belief, or to be prevented from acquiring or cease to have a true
belief

This definition is broad, which is good. On the other hand, its breadth limits its depth. Security professionals need high-resolution definitions in order to implement deception in specific scenarios.

Example of mixing in vehicular networks, from [Freudiger et al. 2009]. As Vehicle 1 turns left at its first intersection, it can swap pseudonyms with Vehicle 2 and Vehicle 3. At its second intersection, it can swap three other vehicles. The goal is to decrease linkability between the vehicles and their pseudonyms.

Looking at existing cybersecurity literature, deception seems to fall into six different categories — or species, as we’ll call them: perturbation, obfuscation, moving target defense, mixing, honey-x, and attacker engagement [Pawlick and Zhu 2019].

Example of moving target defense from [Zhu and Başar 2013]. A defender chooses the arrangement of systems with various vulnerabilities, and the attacker selects an attack path that depends for its success on the arrangement of the vulnerabilities. The defender updates the configuration of the system each round.

The differences between these six species, though, are not always clear. What is the difference, for example, between obfuscation and moving target defense? How should their mathematical models differ?

In order to define the boundaries between these types of deception in a quantitative manner, we’ll use principles taken from game theory.

Game Theory

Game theory is a branch of mathematics that studies decision-making under competition. If the owner of a car company wants to choose the automobile price that will earn the most profits, that is optimization. But if she is competing with the owner of another company down the street, that is game theory. Players in game theory have to think not only: “What does my opponent believe?” but also “What does my opponent believe that I believe?”

Game theory applies well to both deception and cybersecurity, in which attackers and defenders try to guess each other’s actions and mislead each other’s beliefs.

We can start by breaking down deception into cryptic and mimetic deception based on the type of information involved.

The term crypsis refers to the prevention of an adversary from acquiring a true belief. In this example, a defender hides the true existence of a database from an adversary.
We use the term mimesis to signify the creation of a specific false belief. Here, a defender makes an adversary believe that a database exists, when, in fact, it does not exist.

Recall the definition of that we used as a starting point:

To deceive = to intentionally cause another person to acquire or continue to
have a false belief, or to be prevented from acquiring or cease to have a true
belief.

The definition naturally delineates between two subcategories: to cause another person a) to be prevented from acquiring or cease to have a true belief, or b) to acquire or continue to have a false belief.

The first of these is crypsis, and the second is mimesis. We take these terms from biology.

“In [crypsis]… an animal resembles some object which is of no interest to its enemy, and in doing so is concealed…

in [mimesis]… an animal resembles an object which is well known… and in so doing becomes conspicuous” [Cott 1940].

Moving target defense, for example, is an example of crypsis, because the goal is to hide the true configuration of a network. Defenders don’t care what the attacker thinks about the network, as long as it is wrong.

On the other hand, the deployment of honeypots is an example of mimesis, because the goal is to make attackers think that a honeypot is a production system, and so lure them towards the honeypot.

As we will see, these differing goals can be represented by the game-theoretic notion of private information.

Based on the actors involved, cryptic deception can be divided into extensive or intensive deception.

Intensive deception. The defender alters the same object that is being hidden. In this example, the
defender adds noise to his own private data.
Extensive deception. The defender hides an object using other objects in the environment. In this
example, the defender dynamically changes the location of the private data.

Intensive deception modifies an actor or its representation. For example, some privacy techniques add noise to data about a user before publishing the data.

By contrast, extrinsic deception hides data through collaboration with outside actors. An example in cyberspace is mix networks, in which messages enter a network and are relayed through a chain of proxy servers before they leave the network. Each individual message is hidden because of the presence of the other messages.

We’ll move rapidly through the next two concepts.

In addition to actors, our taxonomy also divides cryptic deception based on the actions involved. We distinguish between deception that uses information and deception that uses motion. Deception that uses information manipulates data that is released about agents’ attributes, while deception that uses motion either modifies these properties over time or realizes these properties from a random variable.

In other words, informational deception uses noise, while motive deception uses randomization or agility.

Finally, some techniques for mimetic deception are static while others are dynamic. Low-interaction honeypots, for example, mimic production systems without providing extensive functionality. They present attackers with a static deception, and can be modeled with static game theory.

High-interaction honeypots, however, aim to deceive an attacker over time. This requires a corresponding shift from static to dynamic game theory models.

Synthesizing the Taxonomy

Our taxonomy breaks down deception into six subcategories based on principles from game theory: private information, actors, actions, and duration.

Combining these four game-theoretic principles gives us the above taxonomy. As long as the principles are clearly understood, each type of deception is unambiguously defined. For instance, perturbation is cryptic, intensive, and informational deception. Honey-x is mimetic, static deception.

We don’t want to claim that these are the only possible definitions. But they offer one potential starting point — one possible common language to speak.

Once we have this common language, we can talk about which models best capture each species of deception.

The figure below gives our opinion of some promising approaches. We put the approaches in blurred shapes to suggest that other models are also possible.

Taxonomy with promising modeling approaches overlaid in a hierarchical fashion. For
instance, cryptic, intensive, and motive deception (i.e., moving target defense) can be modeled
by non-cooperative, complete-information, two-player games with mixed strategies.

The root node is non-cooperative games. Within non-cooperative games, models with incomplete information are well suited for mimetic deception, since they model the false attacker beliefs inculcated by defenders. One-shot games such as signaling games [Carroll and Grosu 2009] can capture honey-x, while dynamic games such as partially-observable stochastic games are necessary to fully model dynamic deception.

Within cryptic deception (top half of the figure), intensive deception such as perturbation and moving target defense can be modeled by two-player games. Its just defender against attacker, or tech user versus machine learning algorithms that threaten his or her privacy.

On the other hand, some types of crypsis — such as mix networks —use multiple agents. These require more than two players.

Within both cryptic intensive and cryptic extensive deception, the techniques that use motion change defense configurations over time. From an attacker’s point of view, this is the same as choosing a random strategy at a given instant of time. Hence, the situation can be modeled using mixed strategies. Deception that uses information rather than motion can be modeled using the information-theoretical concept of noise.

For more information, interested readers can see Game Theory for Cyber Deception, in which we use these definitions to study:

  • Obfuscation for information privacy using mean-field Stackelberg games [Pawlick and Zhu 2017] (complete-information, N+1-player games that use noise),
  • Honey-x for network defense using signaling games with evidence [Pawlick et al. 2018] (incomplete-information, one-shot games), and
  • Attacker engagement against advanced persistent threats using a robust Markov decision process (a way of modeling games with dynamic elements) [Pawlick et al. 2019].

DataSeries

Imagine the future of data

Medium is an open platform where 170 million readers come to find insightful and dynamic thinking. Here, expert and undiscovered voices alike dive into the heart of any topic and bring new ideas to the surface. Learn more

Follow the writers, publications, and topics that matter to you, and you’ll see them on your homepage and in your inbox. Explore

If you have a story to tell, knowledge to share, or a perspective to offer — welcome home. It’s easy and free to post your thinking on any topic. Write on Medium

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store