A Deception Technique for Adaptive Intrusion Detection
The rapid rise of the digital economy and the internet is driving business growth, but it is also introducing new cyber security risks. The Accenture 2020 state of cybersecurity report reveals that the three areas of cybersecurity protection with the largest increases in cost are network security, threat detection and security monitoring. To help mitigate network-based attacks from inside and outside the organization, researchers have developed honeypots: deception defenses used to divert attackers' attention from the real systems or networks and to analyze attack methods and patterns of activity. They are also used to educate security professionals and to support network forensics. However, traditional static honeypots can be detected easily with anti-honeypot toolkits such as honeypot hunter, because they use a fixed configuration and give fixed responses. Once a honeypot is detected, an attacker can tamper with the evidence it has collected and attempt an attack on the real system.

To help overcome these weaknesses, researchers proposed dynamic honeypots, which can change their configuration and thereby make it more difficult for an attacker to work out where valuable assets are located. Dynamic honeypots are usually deployed on a centralized host to support automation. However, if this host is compromised, it can lead to the breakdown of the real system. Blockchain can be used to address this problem because it is distributed and decentralized: the computation load is spread across the network nodes, and the system as a whole is more robust. The advantage of blockchain rests on the fact that data cannot be tampered with unnoticed, since any change would be revealed by the other nodes connected to the network. Also, if one host is compromised, the same information is still held by the other hosts in the network.
Therefore, honeypots and honeynets deployed with blockchain integration can better support network forensics, as they can prevent fraud and data theft and offer stronger auditability. The objective of this project is to develop a novel deception technique for adaptive intrusion detection. The proposed system will implement honeytokens that redirect attackers from the real server or network to the blockchain-based honeynet, in order to trap them and then track their activities, patterns and methods. This information will be used to update the intrusion detection system's knowledge through online machine learning. Additionally, the honeynet will store data that could serve as digital evidence during forensic investigations or provide information about a security incident.
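The tamper-evidence and replication properties the abstract attributes to the blockchain-backed honeynet can be illustrated with a small hash-chained evidence log replicated across several nodes. The following is an added example written for this page, not code from the described project; the honeytoken event records, node names and the `audit` majority rule are constructed assumptions. It shows the two failure modes the text relies on: an in-place edit on one replica breaks that replica's chain, and a compromised host that rewrites its whole chain still disagrees with the head hash held by the other hosts.

```python
import copy
import hashlib
import json

GENESIS_HASH = "0" * 64


def canonical(event: dict) -> str:
    """Deterministic serialization so every node hashes an event identically."""
    return json.dumps(event, sort_keys=True, separators=(",", ":"))


def block_hash(prev_hash: str, event: dict) -> str:
    """Each block commits to its predecessor's hash and to its own event."""
    return hashlib.sha256((prev_hash + canonical(event)).encode()).hexdigest()


class EvidenceLedger:
    """Append-only, hash-chained log of honeypot/honeytoken events held by one node."""

    def __init__(self):
        self.blocks = []  # each block: {"prev": str, "event": dict, "hash": str}

    def append(self, event: dict) -> str:
        prev = self.head()
        h = block_hash(prev, event)
        self.blocks.append({"prev": prev, "event": copy.deepcopy(event), "hash": h})
        return h

    def head(self) -> str:
        return self.blocks[-1]["hash"] if self.blocks else GENESIS_HASH

    def verify(self) -> int:
        """Return the index of the first inconsistent block, or -1 if the chain is intact."""
        prev = GENESIS_HASH
        for i, b in enumerate(self.blocks):
            if b["prev"] != prev or block_hash(prev, b["event"]) != b["hash"]:
                return i
            prev = b["hash"]
        return -1


def replicate(event: dict, nodes: dict) -> None:
    """Every honeynet node appends the same event, so all heads stay equal."""
    for ledger in nodes.values():
        ledger.append(event)


def audit(nodes: dict):
    """Verify each replica's chain and compare heads; the majority head is trusted.

    Returns (majority_head, disagreeing_nodes, per_node_report)."""
    report, heads = {}, {}
    for name, ledger in nodes.items():
        broken_at = ledger.verify()
        report[name] = {"intact": broken_at == -1, "broken_at": broken_at, "head": ledger.head()}
        heads.setdefault(ledger.head(), []).append(name)
    majority_head = max(heads, key=lambda h: len(heads[h]))
    disagreeing = [n for n, r in report.items()
                   if not r["intact"] or r["head"] != majority_head]
    return majority_head, disagreeing, report


def rewrite_from(ledger: EvidenceLedger, index: int, new_event: dict) -> None:
    """Simulate a fully compromised host that edits a block and re-hashes its own chain."""
    ledger.blocks[index]["event"] = copy.deepcopy(new_event)
    for i in range(index, len(ledger.blocks)):
        prev = ledger.blocks[i - 1]["hash"] if i else GENESIS_HASH
        ledger.blocks[i]["prev"] = prev
        ledger.blocks[i]["hash"] = block_hash(prev, ledger.blocks[i]["event"])


# Constructed sample honeytoken hits (not real data).
SAMPLE_EVENTS = [
    {"ts": "2024-01-01T10:00:00Z", "honeytoken": "fake-db-creds-01",
     "src_ip": "203.0.113.7", "action": "login_attempt"},
    {"ts": "2024-01-01T10:00:04Z", "honeytoken": "fake-db-creds-01",
     "src_ip": "203.0.113.7", "action": "redirected_to_honeynet"},
    {"ts": "2024-01-01T10:01:30Z", "honeytoken": "decoy-share-02",
     "src_ip": "203.0.113.7", "action": "file_enumeration"},
]


def build_demo() -> dict:
    """Three honeynet nodes holding identical replicas of the sample events."""
    nodes = {"A": EvidenceLedger(), "B": EvidenceLedger(), "C": EvidenceLedger()}
    for ev in SAMPLE_EVENTS:
        replicate(ev, nodes)
    return nodes


if __name__ == "__main__":
    nodes = build_demo()
    print("clean:", audit(nodes)[1])                       # []
    nodes["B"].blocks[1]["event"]["src_ip"] = "10.9.9.9"   # in-place edit on one replica
    print("edited B:", audit(nodes)[1:])                   # B broken at block 1
    nodes = build_demo()
    rewrite_from(nodes["B"], 1, {**SAMPLE_EVENTS[1], "src_ip": "10.9.9.9"})
    print("rewritten B:", audit(nodes)[1])                 # B intact but outvoted
```

The in-place edit is caught by `verify` on the tampered node itself; the full rewrite passes local verification, which is why the cross-node head comparison in `audit` is the check that matters for the "other hosts still hold the same information" argument.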