Accession Number : ADA500672


Title :   Baiting Inside Attackers using Decoy Documents


Descriptive Note : Technical rept. 31 Aug-30 Nov 2008


Corporate Author : COLUMBIA UNIV NEW YORK OFFICE OF PROJECTS AND GRANTS


Personal Author(s) : Bowen, Brian M ; Hershkop, Shlomo ; Keromytis, Angelos D ; Stolfo, Salvatore J


Full Text : https://apps.dtic.mil/dtic/tr/fulltext/u2/a500672.pdf


Report Date : 16 Sep 2008


Pagination or Media Count : 21


Abstract : The insider threat remains one of the most vexing problems in computer security. A number of approaches have been proposed to detect nefarious insider actions including user modeling and profiling techniques, policy and access enforcement techniques, and misuse detection. In this work we propose trap-based defense mechanisms for the case where insiders attempt to exfiltrate and use sensitive information. Our goal is to confuse and confound the attacker requiring far more effort to identify real information from bogus information and to provide a means of detecting when an inside attacker attempts to exploit sensitive information. Decoy Documents are automatically generated and stored on a file system with the aim of enticing a malicious insider to open and review the contents of the documents. The decoy documents contain several different types of bogus credentials that when used, trigger an alert. We also embed stealthy beacons inside the documents that cause a signal to be emitted to a server indicating when and where the particular decoy was opened. We evaluate decoy documents on honeypots penetrated by attackers demonstrating the feasibility of the method.


Descriptors :   *INFORMATION SECURITY , *DATA PROCESSING SECURITY , ACCESS , DECOYS , DATA TRANSMISSION SECURITY , COMPUTER NETWORKS , DECEPTION , INTRUSION DETECTION , USER NEEDS , DOCUMENTS , RECORDS MANAGEMENT


Subject Categories : Information Science
      Computer Systems


Distribution Statement : APPROVED FOR PUBLIC RELEASE