Modeling the Effects of Amount and Timing of Deception in Simulated Network Scenarios
Palvi Aggarwal
Applied Cognitive Science Lab
Indian Institute of Technology Mandi, India
palvi_aggarwal@students.iitmandi.ac.in
Cleotilde Gonzalez
Dynamic Decision Making Lab
Carnegie Mellon University, USA
coty@cmu.edu
Varun Dutt
Applied Cognitive Science Lab
Indian Institute of Technology Mandi, India
varun@iitmandi.ac.in
Abstract— With the growth of digital infrastructure, cyber-attacks are increasing in the real world. Cyber-attacks are the deliberate exploitation of computer systems, technology-dependent enterprises, and networks. Deception, i.e., the act of making someone believe in something that is not true, could be a way of countering cyber-attacks. In this paper, we use an existing real-time simulation environment ("Deception Game") to model the decision making of hackers in the presence of deception. We use human data from a published experiment involving the use of the Deception Game (N = 100 participants) to evaluate how a cognitive model based upon Instance-Based Learning Theory (IBLT) could account for attack decisions in the presence of different amounts and timings of deception. Results from the IBL model revealed that late and high deception caused a reduction in attacks on the regular webserver compared to early and low deception. Furthermore, the parameters obtained from the IBL model helped explain the experimental results. We highlight implications of our results for computational modeling of decisions in the cyber world.
Keywords— Deception; Amount of deception; Cyber-attacks; Hackers; Honeypots; Timing of deception; Instance-Based Learning Theory; Computational Modeling; Zero-day attacks.
I. INTRODUCTION
The increasing reliance of our industries, governments, and economies on the Internet makes them targets of cyber-attacks. Advanced cyber-attacks including viruses, trojans, spyware, rootkits, and other malware are increasing rapidly [1]. In fact, Cybersecurity Ventures forecasts that the cost of cyber-attacks will reach 6 trillion USD annually by 2021, which includes data damage, stolen money, theft of personal and financial data, lost productivity, and reputational harm [1].

Cyber criminals are getting smarter day by day. They find new ways to get into our systems and damage or steal information in less time than we expect. Modern cyber-attacks on critical cyber infrastructure thus reveal an urgent need for enhanced cyber security. As cyber threats grow, we need advanced security techniques that can neutralize them. Various security solutions are currently available to defend against cyber-attacks, but few of them can prevent zero-day attacks [2]. The need of the hour is real-time cyber-attack detection environments, and deception tools can play a critical role in such environments. Deception may involve an interaction between two parties, a target and a deceiver, in which the deceiver causes the target to believe a false description of reality [3]. The objective is to cause the target to act in a way that benefits the deceiver [3]. Hackers, people who wage cyber-attacks to compromise systems on the Internet [5], may use deception techniques such as changing malware signatures, concealing code and logic, encrypting exploits, and social engineering (e.g., deceiving help-desk employees into installing malicious code or disclosing credentials). These techniques help hackers deceive analysts, the people who protect computer networks against cyber-attacks, and wage successful attacks on networks.

However, deception can also be used as a line of defense against hackers [6]. When used for defense, deception strategies may use feints and deceits to thwart hackers' cognitive processes, delay attack activities, and disrupt the breach process; such deception may be achieved through misdirection, fake responses, and obfuscation [7]. These techniques rely upon the hacker's trust in the responses from the network, data, and applications during an actual attack. To create deception for defense, security experts may use honeypots, fake servers that mimic real servers, to gather intelligence about hackers.

The key to using deception for defense is making hackers believe the information generated by honeypots. Recently, researchers have investigated the role of the amount and timing of deception in cyber security using the Deception Game (DG) [8]. Aggarwal et al. [8] used 10 repeated rounds of DG in which the amount of deception was manipulated at two levels, low (deception used in 2 of 10 rounds) and high (deception used in 4 of 10 rounds), and the timing of deception was manipulated at two levels, early (deception used within the first 5 rounds) and late (deception used within the last 5 rounds). They found that the proportion of attacks decreased when the amount of deception was high and the timing of deception was late. However, Aggarwal et al. [8] derived their hypotheses qualitatively from IBLT and did not develop computational models that could account for the decision-making of hackers in the presence of deception. In this paper, we address this need and develop computational cognitive models based upon IBLT that account for hackers' decision-making in the presence of deception.
II. LITERATURE
One way to study the use of deception for cyber-defense is through non-cooperative dynamic games between hackers and analysts, as described by Behavioral Game Theory (BGT) [9-13]. A non-cooperative dynamic game consists of two or more players, a set of actions, the outcome of each player's interaction, and the game's information structure [14]. Recently, a non-cooperative dynamic game called the "Deception Game (DG)" was proposed for modeling the use of deception for defense [17]. In DG, a hacker may first probe the webservers on a network a certain number of times and then decide to attack one of the webservers for real. Analysts may configure some of the webservers in DG as honeypots and use deception via these honeypots to trap hackers in the network. Researchers have analyzed deception strategies in DG and computed their mixed-strategy Nash equilibria [17]. However, research has yet to investigate how humans performing as hackers actually make decisions in DG. Second, research has yet to investigate the influence of the timing and amount of deception on a hacker's decisions. Furthermore, less attention has been given to computational modeling of hackers' decisions in situations involving deception, where such models may help improve our understanding of hackers' mental processes. Prior investigations have shown that prospect theory [20, 21], surprise-trigger-change theory [22], and Instance-Based Learning Theory [IBLT; 9, 12, 18-19], a theory of decisions from experience, provide accurate accounts of human decisions in situations involving network defense [10-12]. In such situations, human hackers and analysts playing a game against each other possess cognitive limitations and rely on the recency and frequency of available information to make decisions. Therefore, applying IBLT to the hacker's experiential decisions in DG will help explain how these decisions are affected by the amount and timing factors, and this investigation will help improve current technical solutions that provide decision support to analysts.

IBLT, a theory of decisions from experience, can provide expectations about hackers' decisions because of their reliance on the recency and frequency of available information. Aggarwal et al. [8] built their hypotheses on IBLT, i.e., human hackers making decisions from experience would tend to take those actions that maximize their expected rewards. When a high amount of deception is present in DG, hackers are likely to be deceived more often by the network. The high frequency of negative rewards due to excessive deception would tend to make hackers reduce their proportion of regular-attack actions and increase their proportion of not-attack actions. Similarly, when deception is used in later rounds of DG, then, because of reliance on the recency of information and recent negative rewards, IBLT predicts that hackers will reduce their proportion of regular-attack actions and increase their proportion of not-attack actions. Aggarwal et al. [8] tested these expectations in an experiment described in the next section. In this paper, using the experimental results from Aggarwal et al. [8], we develop a cognitive model of hackers' decision-making using IBLT. The model accounts for the effects of the amount (high and low) and timing (late and early) of deception on hackers' decisions, and the parameters obtained from the model help explain the experimental results in Aggarwal et al. [8].
III. DECEPTION GAME
The Deception Game (DG) is a sequential, incomplete-information, single-player game (shown in Fig. 1), i.e., a game between a hacker player and a network [8, 17]. The game is formally denoted DG(n, k, γ), where n is the total number of webservers, k is the number of honeypots, and γ is the number of probes after which the hacker makes the final decision to attack the network or not [17]. Aggarwal et al. [8] instantiated this game as DG(2, 1, 1): n = 2 (two webservers), k = 1 (one honeypot), and γ = 1 (the hacker can probe one of the webservers once, or choose not to probe, before attacking one of the webservers for real). In DG, the hacker can either probe/attack a webserver (regular or honeypot) or choose not to probe/not to attack. The hacker's objective is to attack the regular webserver, which yields positive rewards. The game is played for multiple rounds and, in each round, participants playing as hackers first probe the network (probe stage) and then decide whether to attack the network or not (attack stage) [8].

In the probe stage, the hacker decides either to probe one of the two webservers, presented as buttons on a computer screen, or not to probe any webserver (see Fig. 1A). Probing a webserver means clicking the button corresponding to that webserver and getting a response from the network on whether the probed webserver is a honeypot or a regular webserver. Honeypot webservers are decoys that pretend to be regular webservers with the aim of trapping hackers [7]. In contrast, regular webservers are real webservers that store valuable information about a company's products and employees. The participant's goal in DG is to perform as a hacker and attack a regular webserver. If deception is used in a game round, the network's response to the hacker's probe is the opposite of the webservers' actual state: if the hacker probes a regular webserver, the network responds "honeypot"; and if the hacker probes a honeypot, the network responds "regular." If deception is absent in a round, the network's response matches the actual state: probing a regular webserver yields the response "regular," and probing a honeypot yields "honeypot." As described in Table 1, probing a regular webserver allows the hacker to steal information successfully and gains +5 points, whereas probing a honeypot gets the hacker caught and costs 5 points. If the hacker does not probe, no points are gained or lost. Note that the probe payoff follows the true state of the probed webserver even when the response is deceptive. After the probe stage, the hacker enters the attack stage (see Fig. 1B) and decides either to attack one of the webservers for real or not to attack the network. Attacking a regular webserver rewards the hacker with +10 points, whereas attacking a honeypot costs 10 points; not attacking neither gains nor loses points. After the attack stage, the hacker receives feedback about the actions taken in the preceding round and the actual nature, honeypot or regular, of the webserver attacked (see Fig. 1C). If the hacker decided not to attack the network, no feedback is provided on the actual nature of the webservers.
Fig. 1. The Deception Game with two webservers, where one of them is a honeypot. (A) Probe stage, where a participant performing as a hacker could probe one of the webservers once or decide not to probe the network. (B) Attack stage, where a participant acting as a hacker could attack one of the webservers once or decide not to attack the network. (C) Feedback in the deception game after the attack stage. Source: [8].
TABLE 1. HACKER'S PAYOFFS DURING THE (A) PROBE STAGE AND (B) ATTACK STAGE IN THE GAME. SOURCE: [8]
a. Probe Stage
Hacker's Action              Hacker's Payoff
Probe a Regular Webserver    +5 points
Probe a Honeypot Webserver   -5 points
Do Not Probe                  0 points
b. Attack Stage
Hacker's Action              Hacker's Payoff
Attack a Regular Webserver   +10 points
Attack a Honeypot Webserver  -10 points
Do Not Attack                  0 points
Probe and Attack stages of the game will involve payoffs for
participants performing as hackers as shown in Table 1.
Hacker participants will be shown their current and total
payoffs as part of the feedback screen across several games.
IV. EXPERIMENT
In this section, we detail the experiment carried out by Aggarwal et al. [8] with human participants performing as hackers across several rounds of the Deception Game (DG). The DG was used to evaluate the influence of the timing and amount of deception on hackers' decisions to attack a simulated network [8].
A. Experiment Design
Aggarwal et al. [8] recruited one hundred participants who performed as hackers across 10 repeated rounds of DG. Across the 10 rounds, the amount of deception was manipulated at two levels: low (deception used in 2 of 10 rounds) and high (deception used in 4 of 10 rounds). The timing of deception was manipulated at two levels: early (deception used within the first 5 rounds) and late (deception used within the last 5 rounds). The use of deception in a round meant that the network's response to a hacker's probe was the opposite of the network's actual state (probing a regular webserver yielded a "honeypot" response and probing a honeypot yielded a "regular" response). Overall, this design resulted in 4 between-subjects conditions (see Fig. 2): Early Low Deception (ELD; N = 25), Early High Deception (EHD; N = 25), Late Low Deception (LLD; N = 25), and Late High Deception (LHD; N = 25). Participants were randomly assigned to these conditions. In each condition, Aggarwal et al. [8] evaluated the average proportion of honeypot-attack and not-attack actions during the attack stage. Using the human data in [8], we evaluated the average proportion of regular-attack and not-attack actions during the attack stage.
Fig. 2. Experiment design using the deception game. *: Deception present; +: Deception not present.
B. Participants
In [8], participants were recruited via an email advertisement for a cyber-security study. Sixty-eight percent of participants were male. Ages ranged from 18 to 45 years (mean = 23 years; SD = 4 years). About 71% of participants self-reported holding a 4-year undergraduate college degree; 20% reported holding a high-school degree; 7% reported holding a 2-year college degree or some college experience; and 2% reported holding a graduate or professional degree. Participants were paid a flat participation fee of INR 30 (USD 0.5) after completing the study. The top 10 performing participants, based upon the highest scores in the game, entered a lucky draw; one of them was randomly selected and paid a cash prize of USD 7.5.
C. Procedure
In [8], participants performing as hackers were given instructions about their goal in the Deception Game and had complete information about their actions and payoffs (the payoff matrix was given). Participants were asked to maximize their payoff by attacking or not attacking the network over several rounds of play (the endpoint of the game was not disclosed at any point). Participants were also told that deception might be present in some rounds and that the network might respond with the opposite of the webservers' actual state when deception was present. Each round had two stages, a probe stage and an attack stage, and in each stage the hacker chose between three alternatives: probe/attack webserver 1, probe/attack webserver 2, and not-probe/not-attack the network (see Fig. 1). Participants performing as hackers made their choice between these alternatives via three buttons on their screen, with the goal of maximizing their payoffs. Once the study ended, participants were thanked and paid for their participation.
V. EXPERIMENT RESULTS
A. Amount of Deception
By re-analyzing the human data in [8], we calculated the proportion of regular attacks. Fig. 3 shows the proportion of regular-attack and not-attack actions [8] when the amount of deception was high and low. The proportion of regular-attack (not-attack) actions was significantly smaller (larger) when the deception amount was high compared to low (regular-attacks: 0.35 < 0.49; F(1, 96) = 14.69, p < 0.01, η² = 0.13; not-attacks: 0.21 > 0.11; F(1, 96) = 6.67, p < 0.05, η² = 0.08). These results are in line with the expectations above.
Fig. 3. Proportion of regular-attack/not-attack actions for different amounts of deception, High and Low.
B. Timing of Deception
By re-analyzing the human data in [8], we calculated the proportion of regular attacks. Fig. 4 shows the proportion of regular-attack and not-attack actions [8] when the timing of deception was early and late. The proportion of regular-attack (not-attack) actions was significantly smaller (larger) when the deception timing was late compared to early (regular-attacks: 0.35 < 0.50; F(1, 96) = 17.27, p < 0.05, η² = 0.15; not-attacks: 0.25 > 0.08; F(1, 96) = 6.67, p < 0.05, η² = 0.084).
Fig. 4. Proportion of regular-attack/not-attack actions for different timings of deception, Late and Early.
C. Interaction of Timing and Amount
By analyzing the human data in [8], we calculated the interaction effect of the timing and amount of deception on the proportion of attack and not-attack actions. Fig. 5 shows the proportion of regular-attack and not-attack actions across the four conditions, i.e., EHD, ELD, LHD and LLD. Overall, the interaction of timing and amount was significant for regular-attack actions (F(1, 96) = 5.38, p < 0.05, η² = 0.05) and not-attack actions (F(1, 96) = 11.01, p < 0.01, η² = 0.10).
Fig. 5. Proportion of regular-attack/not-attack actions as a function of timing and amount of deception in the EHD, ELD, LHD and LLD conditions.
VI. DECEPTION MODEL
A. Instance-Based Learning Model
Using the human data in [8], we developed a cognitive model of hackers' decision-making in the Deception Game (DG) using IBL [9, 12, 18-19]. An instance, i.e., the smallest unit of experience in the IBL model, consists of three parts: a situation in a task (a set of attributes that characterizes the current state of the task), a decision in the task, and the outcome resulting from making that decision in that situation [18]. The parts of an instance are built through a general decision process in IBLT: recognizing a situation from the attributes in the task, making a judgment about which instances to blend, choosing actions based upon the blending of instances, and updating the outcome in instances via feedback when the actual outcomes become known. In the IBL model, instances accumulate over time, are retrieved from memory, and are used repeatedly according to their availability in memory. This availability is measured by a statistical mechanism called activation, originally implemented in the ACT-R cognitive architecture [19]. The IBL model has two free parameters, decay d and noise s. The decay parameter represents how much a person relies on recent information: higher values of d (> 0.5) mean more reliance on recent events than on distant events. Noise ensures variability in the decisions made by the model for the same situation and allows individual differences in the data to be captured.

In the IBL model of a hacker in DG, each instance consists of these slots: Hacker's Decision, Feedback from Network, Honeypot (Ground Truth), and Outcome. At the probe stage, the instance is populated with two slots, i.e., Hacker's Decision and Feedback from Network; the ground-truth and outcome slots are unknown at the probe stage and hence remain empty. At the attack stage, the partially populated instance is updated, and a new instance is created if the hacker's decision differs. In each trial t of the game, the selection of alternatives in the model starts with the calculation of the blended value of the different alternatives, i.e., attack webserver 1, attack webserver 2, and not-attack [18]. Next, the alternative with the highest blended value is selected. The blended value of an alternative depends on the outcomes observed for that alternative and the probability of retrieving the instances corresponding to those outcomes from memory. The probability of retrieval, in turn, is a function of the instances' activation in memory, which is governed by the recency and frequency of instance retrievals.
B. Parameter Calibration
To find the best values of the d and s parameters for the different levels of the two variables, timing and amount, we calibrated the IBL model to each level separately. For calibration, we pooled the human data of the 50 participants in the early group (ELD and EHD) and the 50 participants in the late group (LLD and LHD). Next, we pooled the human data of the 50 participants in the high group (EHD and LHD) and the 50 participants in the low group (ELD and LLD). Fifty model participants were run in the IBL model across 10 rounds for each of these four groups: early, late, high, and low. The model used the blending and activation mechanisms with a separate set of d and s parameters calibrated per group. During calibration, we minimized the sum of the Mean-Squared Deviations (MSDs) on the proportion of regular-attack and not-attack actions between the model and the human data across the 10 rounds of DG [24]. The MSDs obtained after calibration are shown in Table 2.
TABLE 2. PARAMETERS AND MSD VALUES FOR THE IBL MODEL
Condition   Parameters           MSD (Regular Attack)   MSD (Not Attack)
Early       d = 0.58, s = 0.88   0.005                  0.002
Late        d = 0.62, s = 0.20   0.001                  0.0002
High        d = 0.75, s = 0.43   0.001                  0.001
Low         d = 0.25, s = 0.83   0.001                  0.0001
The smaller the value of the MSD, the better the model accounts for human regular-attack and not-attack decisions. A multi-objective genetic algorithm was used to optimize the values of the d and s parameters for the model participants in each group. The d parameter was varied between 0.0 and 1.0 and the s parameter was varied between 0.0 and 1.0. These ranges ensured that the optimization could capture the optimal parameter values with high confidence. The genetic algorithm had a crossover rate of 0.8% and a mutation rate of 0.01%. The algorithm stopped when any of the following constraints were met: stall generations = 200, function tolerance = 1x10^-8, and the average relative change in the fitness-function value over 200 stall generations being less than the function tolerance (1x10^-8).
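To make the mechanics of Sections III and VI concrete, the following Python program is an added example written for this page; it is not code from Aggarwal et al. or the authors' own IBL model. It implements a DG(2, 1, 1) round with the Table 1 payoffs and the probe-response flip under deception, an IBL hacker whose choices are made by blending past outcomes weighted by activation-based retrieval probabilities (the standard IBLT/ACT-R form: activation A_i = ln(Σ_j (t − t_j)^−d) + s·ln((1 − g)/g) with g uniform on (0, 1), retrieval probability proportional to exp(A_i/τ) with τ = s·√2, blended value Σ_i p_i·x_i), and the MSD used for calibration. The specific deception rounds within each condition, the per-round random placement of the honeypot, the prepopulated default utility of +10 for untried actions, and the use of separate probe-stage and attack-stage instances are assumptions not stated in the paper.

```python
# Added example (not code from the paper or its authors): a DG(2, 1, 1) round
# simulator, an Instance-Based Learning (IBL) hacker, and the MSD fit measure.
# Standard IBLT/ACT-R activation and blending are used; the concrete deception
# rounds, honeypot placement and default utility are assumptions (see comments).
import math
import random

# Payoffs from Table 1 (the probe payoff follows the true state even under deception).
PROBE_PAYOFF = {"regular": 5, "honeypot": -5}
ATTACK_PAYOFF = {"regular": 10, "honeypot": -10}

# Deception schedules by condition, as 1-based round numbers. The paper fixes only
# the counts (2 vs 4 of 10) and the half (first vs last 5); these rounds are assumed.
SCHEDULES = {"ELD": {2, 4}, "EHD": {1, 2, 3, 4}, "LLD": {7, 9}, "LHD": {6, 7, 8, 9}}


class DeceptionGame:
    """DG(2, 1, 1): two webservers, one honeypot, one probe before the attack."""
    def __init__(self, deception_rounds, rng):
        self.deception_rounds, self.rng = deception_rounds, rng
        self.round, self.honeypot = 0, None
    def start_round(self):
        self.round += 1
        self.honeypot = self.rng.choice((1, 2))  # per-round random placement (assumed)
    def truth(self, server):
        return "honeypot" if server == self.honeypot else "regular"
    def probe(self, server):
        """Return (network response, payoff); server=None means 'do not probe'.
        In a deception round the response is the opposite of the true state."""
        if server is None:
            return None, 0
        state = self.truth(server)
        deceive = self.round in self.deception_rounds
        response = ("regular" if state == "honeypot" else "honeypot") if deceive else state
        return response, PROBE_PAYOFF[state]
    def attack(self, server):
        """Return (true state shown as feedback, payoff); None means 'do not attack'."""
        if server is None:
            return None, 0
        state = self.truth(server)
        return state, ATTACK_PAYOFF[state]


class IBLHacker:
    """Memory maps (situation, decision) -> {outcome: [times the outcome was observed]}."""
    def __init__(self, d, s, rng, default_utility=10.0):
        self.d, self.s, self.rng = d, s, rng
        self.default = default_utility  # prepopulated value for untried decisions (assumed)
        self.memory = {}
    def activation(self, times, t):
        # A = ln(sum_j (t - t_j)^-d) + s * ln((1 - g) / g), g ~ U(0, 1); d = decay, s = noise.
        base = math.log(sum((t - tj) ** (-self.d) for tj in times))
        g = min(max(self.rng.random(), 1e-9), 1 - 1e-9)
        return base + self.s * math.log((1 - g) / g)
    def blended_value(self, situation, decision, t):
        instances = self.memory.get((situation, decision))
        if not instances:
            return self.default
        tau = max(self.s, 1e-9) * math.sqrt(2)  # retrieval temperature
        weights = {o: math.exp(self.activation(ts, t) / tau) for o, ts in instances.items()}
        total = sum(weights.values())
        return sum(o * (w / total) for o, w in weights.items())  # sum_i p_i * x_i
    def choose(self, situation, decisions, t):
        return max(decisions, key=lambda a: self.blended_value(situation, a, t))
    def learn(self, situation, decision, outcome, t):
        self.memory.setdefault((situation, decision), {}).setdefault(outcome, []).append(t)


def run_condition(condition, d, s, n_agents=50, rounds=10, seed=1):
    """Per-round proportion of regular-attack and not-attack actions over n_agents."""
    rng = random.Random(seed)
    regular, no_attack = [0] * rounds, [0] * rounds
    for _ in range(n_agents):
        game, agent, t = DeceptionGame(SCHEDULES[condition], rng), IBLHacker(d, s, rng), 0
        for r in range(rounds):
            game.start_round()
            t += 1  # probe stage
            probed = agent.choose("probe", (1, 2, None), t)
            response, payoff = game.probe(probed)
            agent.learn("probe", probed, payoff, t)
            t += 1  # attack stage, conditioned on what was probed and what the network said
            situation = ("attack", probed, response)
            target = agent.choose(situation, (1, 2, None), t)
            state, payoff = game.attack(target)
            agent.learn(situation, target, payoff, t)
            if state == "regular":
                regular[r] += 1
            elif target is None:
                no_attack[r] += 1
    return [x / n_agents for x in regular], [x / n_agents for x in no_attack]


def msd(model, human):
    """Mean-squared deviation between two equal-length proportion series."""
    return sum((m - h) ** 2 for m, h in zip(model, human)) / len(model)


if __name__ == "__main__":
    reg, none = run_condition("LHD", d=0.62, s=0.20)  # Table 2 values for the late group
    print("LHD regular-attack:", [round(x, 2) for x in reg], "not-attack:", [round(x, 2) for x in none])
```

Running the block for a condition with the Table 2 parameters gives the model's per-round proportions, which can be compared to the human curves with msd(); a small grid search over d and s on the summed MSD is a simple stand-in for the genetic algorithm described above. Because each probe instance is stored with its true payoff while the attack-stage situation carries the (possibly false) network response, a deceptive round teaches the agent that "regular" responses can precede a −10 outcome, which is what lowers the blended value of attacking on later rounds.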
C. Results
The parameters obtained from the IBL model for each of the four groups are shown in Table 2. The parameters obtained for early deception were d = 0.58 and s = 0.88, and those for late deception were d = 0.62 and s = 0.20. The decay parameter's value in the late condition (0.62) was higher than in the early condition (0.58), and this difference indicates greater reliance on the recency of information in the late condition than in the early condition. Also, the noise value (i.e., participant-to-participant variability) was much smaller in the late condition than in the early condition. Furthermore, the parameters obtained for high deception were d = 0.75 and s = 0.43, and those for low deception were d = 0.25 and s = 0.83. Thus, high deception was associated with more reliance on the recency of information and less participant-to-participant variability than low deception.

1) Amount of Deception: As for the human participants, we ran the IBL model to find the proportion of regular-attack and not-attack actions while varying the amount of deception. For regular attacks, the MSD is 0.002, which is very low. Similarly, for not-attack actions, the MSD is 0.001, which is also very low. Hence, the IBL model captures the human data very well for both actions under high and low amounts of deception. Fig. 6(A) and 6(B) show the proportion of regular attacks and not-attacks by the IBL model and humans.

Fig. 6. Proportion of (A) regular attacks from the IBL model and humans (MSD = 0.002) and (B) not-attacks from the IBL model and humans (MSD = 0.001) for different amounts of deception (High and Low).

2) Timing of Deception: As for the amount of deception, we calculated the proportion of regular-attack and not-attack actions while varying the timing of deception. For regular attacks, the MSD between human and model for the timing of deception is 0.005; for not-attack actions it is 0.002. These low MSD values show that the model provides a good approximation of human performance in the experiment. Fig. 7(A) and 7(B) show the proportion of regular attacks and not-attack actions by the IBL model and humans.

Fig. 7. Proportion of (A) regular attacks from the IBL model and humans (MSD = 0.005) and (B) not-attacks from the IBL model and humans (MSD = 0.002) for different timings of deception (Early and Late).

3) Interaction of Timing and Amount: We calculated the proportion of regular-attack and not-attack actions from the IBL model while varying both the timing and the amount of deception (see Fig. 8A and 8B). For regular-attack actions, the MSD between the human data and the IBL model was 0.02; for not-attack actions it was 0.01. These MSD values show that the IBL model provides a good approximation of human performance in the experiment.

Fig. 8. Proportion of regular-attack actions (A) and not-attack actions (B). The MSD between the IBL model and the human data for regular-attack actions = 0.02; for not-attack actions = 0.01.
VII. DISCUSSION
Deception strategies are promising methods to fight cyber-attacks. Choosing the correct timing and the correct amount of deception may help improve defense mechanisms. Our results, from both the experiment and the modeling, show that the amount and the timing of deception influence the proportion of attack and not-attack actions in a simulated network. In general, a high amount and late timing of deception decrease regular-attack actions and increase not-attack actions. Such a decrease in attack actions signifies that a high amount and late timing of deception help deter hackers' attacks. These results can be explained using a computational model based upon Instance-Based Learning Theory (IBLT) [9].

Computational modeling of the data revealed that both the timing and the amount of deception influenced the proportion of attack and not-attack actions. We found that the number of regular-webserver attacks was lower in the late deception condition than in the early deception condition, and that not-attack actions were more frequent in the late condition than in the early condition. The parameters obtained in the early deception condition were d = 0.58 and s = 0.88: the lower value of d indicates that participants relied more on past events, and the high noise value indicates more variability in participants' choices. The decay parameter in the late condition, d = 0.62, indicates that participants placed more emphasis on recent information in this condition. Thus, it appears that reliance on the recency of information caused losses to participants, which resulted in a lower proportion of regular-webserver attacks and a greater proportion of not-attack actions in the late condition than in the early condition. Next, we found a lower proportion of attacks on the regular webserver in the high deception condition than in the low deception condition, and more not-attack actions in the high condition than in the low condition. The parameters obtained for high deception were d = 0.75 and s = 0.43; the high value of d indicates that the human hackers relied more on recent events than on past events. The decay value for the low deception condition was 0.25, which indicates more reliance on past events in memory. Perhaps the reliance on recency in the high deception condition caused participants to reduce their attack actions and increase their not-attack actions. Finally, we found that timing and amount interacted to influence regular-attack and not-attack actions and that some of the interaction effects were accounted for by the IBL model.

Although deception itself is not a new concept in defense, deception as a game-changing tool against hackers is still at an early stage. Deception can be an effective tool for detecting attacks even before they occur, and it can make attacking networks costly. To make deception an effective strategy, we plan to extend the current experiment to multiple probes before an attack. In the real world, hackers likely probe networks multiple times to gain adequate information for an attack, and we want to analyze the effect of multiple probes on the success of deception strategies. Further, as part of future research, we plan to evaluate deception techniques other than decoying (e.g., mimicking, masking, packaging, etc.) against attacks on computer networks in the real world.
ACKNOWLEDGMENT
Palvi Aggarwal was supported by the Visvesverya Ph.D. Scheme for Electronics and IT (IITM/DeitY-MLA/ASO/77), Department of Electronics and Information Technology, Ministry of Communication & IT, Government of India. Cleotilde Gonzalez was supported by the Army Research Laboratory under Cooperative Agreement Number W911NF-13-2-0045 (ARL Cyber Security CRA). Varun Dutt was supported by the Department of Science and Technology, Government of India (Award number: SR/CSRI/28/2013(G)). The views and conclusions contained in this document are those of the authors and should not be interpreted as representing the official policies, either expressed or implied, of the Army Research Laboratory or the Indian or U.S. Governments.
REFERENCES
[1] Trustwave. 2015 Trustwave Global Security Report. Retrieved from https://www2.trustwave.com/rs/815-RFM-693/images/2015_TrustwaveGlobalSecurityReport.pdf
[2] Symantec Corporation. Internet Security Threat Report, vol. 19 (2014). Retrieved from http://www.symantec.com/content/en/us/enterprise/other_resources/bistr_main_report_v19_21291018.en-us.pdf
[3] Whaley, Barton. "Toward a general theory of deception." The Journal of
Strategic Studies 5, no. 1 (1982): 178-192.
[4] Glantz, David M. Soviet military deception in the Second World War.
Routledge, 2012.
[5] Denning, Dorothy Elizabeth Robling. Information warfare and security.
Vol. 4. Reading: Addison-Wesley, 1999.
[6] Mitnick, Kevin D., and William L. Simon. The art of deception:
Controlling the human element of security. John Wiley & Sons, 2011.
[7] Rowe, Neil C., and E. John Custy. "Deception in cyber attacks." Cyber
warfare and cyber terrorism (2008): 91-93.
[8] Aggarwal, Palvi, Cleotilde Gonzalez, and Varun Dutt. "Cyber-Security:
Role of Deception in Cyber-Attack Detection." In Advances in Human
Factors in Cybersecurity, pp. 85-96. Springer International Publishing,
2016.
[9] Dutt, Varun, Young-Suk Ahn, and Cleotilde Gonzalez. "Cyber situation
awareness modeling detection of cyber attacks with instance-based
learning theory." Human Factors: The Journal of the Human Factors
and Ergonomics Society 55, no. 3 (2013): 605-618.
[10] Arora, Aman, and Varun Dutt. "Cyber security: evaluating the effects of
attack strategy and base rate through instance based learning." In 12th
International Conference on Cognitive Modeling. Ottawa, Canada.
2013.
[11] Kaur, A., and V. Dutt. "Cyber situation awareness: modeling the effects
of similarity and scenarios on cyber attack detection." In 12th
International Conference on Cognitive Modeling. Ottawa, Canada, vol.
250. 2013.
[12] Gonzalez, Cleotilde, and Varun Dutt. "Instance-based learning:
Integrating sampling and repeated decisions from
experience." Psychological review 118, no. 4 (2011): 523.
[13] Roy, Sankardas, Charles Ellis, Sajjan Shiva, Dipankar Dasgupta, Vivek
Shandilya, and Qishi Wu. "A survey of game theory as applied to
network security." In System Sciences (HICSS), 2010 43rd Hawaii
International Conference on, pp. 1-10. IEEE, 2010.
[14] Camerer, Colin. Behavioral game theory: Experiments in strategic
interaction. Princeton University Press, 2003.
[15] Alpcan, Tansu, and Tamer Başar. Network security: A decision and
game-theoretic approach. Cambridge University Press, 2010.
[16] Crouse, Michael. "Performance Analysis of Cyber Deception Using
Probabilistic Models." PhD diss., Wake Forest University, 2012.
[17] Garg, Nandan, and Daniel Grosu. "Deception in honeynets: A game-
theoretic analysis." In Information Assurance and Security Workshop,
2007. IAW'07. IEEE SMC, pp. 107-113. IEEE, 2007.
[18] Dutt, Varun, and Cleotilde Gonzalez. "Making instance-based learning
theory usable and understandable: The Instance-Based Learning
Tool." Computers in Human Behavior 28, no. 4 (2012): 1227-1240.
[19] Gonzalez, Cleotilde, Javier F. Lerch, and Christian Lebiere. "Instance-
based learning in dynamic decision making." Cognitive Science 27, no. 4
(2003): 591-635.
[20] Kahneman, Daniel, and Amos Tversky. "Prospect theory: An analysis of decision under risk." Econometrica: Journal of the Econometric Society (1979): 263-291.
[21] Tversky, Amos, and Daniel Kahneman. "Advances in prospect theory:
Cumulative representation of uncertainty." Journal of Risk and
uncertainty 5, no. 4 (1992): 297-323.
[22] Nevo, Iris, and Ido Erev. "On surprise, change, and the effect of recent outcomes." Frontiers in Psychology 3 (2012): 24.
[23] Loukas, George. Cyber-Physical Attacks. Retrieved from http://www.professionalsecurity.co.uk/reviews/cyber-physical-attacks (2015).
[24] Busemeyer, Jerome R., and Julie C. Stout. "A contribution of cognitive
decision models to clinical assessment: decomposing performance on
the Bechara gambling task." Psychological assessment 14, no. 3 (2002):
253.