A Study on the Model for Determining the Deceptive Status of Attackers using Markov Chain

A Study on a Markov Chain-Based Model for Predicting the Deception Status of Attackers Intruding into a Deceptive Environment

  • Sunmo Yoo (Amgine Co., Ltd. / AIS Research Institute) ;
  • Sungmo Wi (Korea Internet & Security Agency, Detection and Response Team) ;
  • Jonghwa Han (Korea Internet & Security Agency, Detection and Response Team) ;
  • Yonghyoun Kim (Amgine Co., Ltd. / AIS Research Institute) ;
  • Jungsik Cho (Korea Internet & Security Agency, Detection and Response Team)
  • Received : 2023.06.05
  • Accepted : 2023.06.30
  • Published : 2023.06.30

Abstract

Cyber deception technology plays a crucial role in monitoring attacker activities and detecting new types of attacks. However, alongside advances in deception technology, anti-honeypot technology has also advanced, allowing attackers who recognize a deceptive environment either to cease their activities or to exploit the environment in reverse. Current deception technology is unable to identify or respond to such situations. In this study, we propose a predictive model based on Markov chain analysis that determines whether attackers who infiltrate a deceptive environment have identified it as such. The proposed deception status determination model is the first attempt of its kind and is expected to overcome a limitation of existing deception-based attacker analysis, which does not consider attackers who identify the deceptive environment. The classification model proposed in this study achieved an accuracy of 97.5% in identifying and categorizing attackers operating in deceptive environments. By predicting whether an attacker has identified the deceptive environment, this model is expected to provide refined data for the many studies that analyze deceptive environment intrusions.
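As an added illustration of the idea in the abstract (example code written for this page, not the paper's model or code), one first-order Markov transition matrix is fitted per class from labelled honeypot sessions and a new session is classified by the log-likelihood ratio of its transition chain; the state names and training sessions are constructed assumptions, and the paper's actual feature set and states are not given here.

```python
from collections import defaultdict
from math import log

# Constructed training data: each honeypot session is a sequence of coarse
# action states derived from the attacker's commands (state names assumed).
TRAINING = {
    "aware": [
        ["login", "env_probe", "env_probe", "exit"],
        ["login", "env_probe", "exit"],
        ["login", "recon", "env_probe", "exit"],
        ["login", "env_probe", "env_probe", "env_probe", "exit"],
    ],
    "unaware": [
        ["login", "recon", "download", "execute", "persist"],
        ["login", "recon", "recon", "download", "execute"],
        ["login", "download", "execute", "execute", "persist"],
        ["login", "recon", "download", "persist"],
    ],
}
STATES = ["login", "recon", "env_probe", "download", "execute", "persist", "exit"]

def fit_transitions(sessions, alpha=1.0):
    """Estimate a first-order Markov transition matrix P[src][dst] from labelled
    sessions. Additive (Laplace) smoothing keeps unseen transitions at a small
    non-zero probability so one unseen step cannot zero out a whole session."""
    counts = defaultdict(lambda: defaultdict(float))
    for seq in sessions:
        for src, dst in zip(seq, seq[1:]):
            counts[src][dst] += 1
    matrix = {}
    for src in STATES:
        total = sum(counts[src].values()) + alpha * len(STATES)
        matrix[src] = {dst: (counts[src][dst] + alpha) / total for dst in STATES}
    return matrix

def log_likelihood(matrix, seq):
    """Log-probability of the observed transition chain under one class model."""
    return sum(log(matrix[src][dst]) for src, dst in zip(seq, seq[1:]))

def classify(seq, models):
    """Return (label, log-likelihood ratio); a positive ratio favours 'aware'."""
    llr = log_likelihood(models["aware"], seq) - log_likelihood(models["unaware"], seq)
    return ("aware" if llr > 0 else "unaware"), llr

MODELS = {label: fit_transitions(sessions) for label, sessions in TRAINING.items()}

if __name__ == "__main__":
    for s in (["login", "env_probe", "exit"], ["login", "recon", "download", "execute"]):
        print(s, classify(s, MODELS))
```

With real session logs the smoothing constant and the class prior would be tuned on held-out data; the ratio threshold of zero used here assumes equal priors.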

Cyber deception technology plays an important role in monitoring attacker activity and detecting new types of attacks. However, as deception technology has advanced, anti-honeypot technology has advanced with it, and there are cases where attackers who realize they are in a deceptive environment stop their activity there or, conversely, make use of the deceptive environment; current deception technology cannot identify or respond to such situations. In this study we propose a model that uses Markov chain analysis to predict whether an attacker who has intruded into a deceptive environment has identified it as such. To our knowledge, the deception status determination model proposed here is the first attempt to judge whether an attacker has identified the deceptive environment, and we expect it to overcome a limitation of existing deception-based attacker analysis research, which does not consider attackers who have identified the deceptive environment. The classification model proposed in this study showed a high accuracy of 97.5% in classifying attackers who operate after identifying the deceptive environment, and by predicting whether attackers have identified the deceptive environment it is expected to provide refined data to the many studies that analyze deceptive environment intrusion data.

Acknowledgement

This research was supported by the Future Challenge Defense Technology Research and Development Program (UD210030TD) of the Agency for Defense Development in 2021.

  17. Jae-Hyun Choi, Hoo-Jin Lee, "A Study on the Real-time Cyber Attack Intrusion Detection Method", Journal of the Korea Convergence Society Vol. 9. No. 7, pp. 55-62, 2018. https://doi.org/10.15207/JKCS.2018.9.7.055.