Forget crowdsourcing, here’s crooksourcing

Machine learning may help improve honeypot-style intrusion detection

Computer scientists in the US are working to apply machine learning techniques in order to develop more effective honeypot-style cyber defenses.

So-called ‘deception technology’ refers to traps or decoy systems that are strategically placed around networks.

These decoy systems are designed to act as a honeypot so that once an attacker has penetrated a network, they will attempt to attack them – setting off security alerts in the process.

Introducing DeepDig

Deception technology is not a new concept. Companies including Illusive Networks and Attivo have been working in the field for several years.

Now, however, researchers from the University of Texas at Dallas (UT Dallas) are aiming to take the concept one step further.

The DeepDig (DEcEPtion DIGging) technique plants traps and decoys onto real systems before applying machine learning techniques in order to gain a deeper understanding of attackers’ behavior.

The technique is designed to use “cyber-attacks as free sources of live training data for machine learning-based intrusion detection systems”.

Somewhat ironically, the prototype technology enlists attackers as free penetration testers.

Dr Kevin Hamlen, endowed professor of computer science at UT Dallas, explained: “Companies like Illusive Networks, Attivo, and many others… create network topologies intended to be confusing to adversaries, making it harder for them to find real assets to attack.”

The shortcoming of existing approaches, Dr Hamlen, told The Daily Swig is that “such deceptions do not learn from attacks”.

“While the defense remains relatively static, the adversary learns over time how to distinguish honeypots from a real asset, leading to an asymmetric game that the adversary eventually wins with high probability,” he said.

“In contrast, DeepDig turns real assets into traps that learn from attacks using artificial intelligence and data mining.”

Learning from attacks

Turning real assets into a form of “honeypot” has numerous advantages, according to Dr Hamlen.

“Even the most skilled adversary cannot avoid interacting with the trap because the trap is within the real asset that is the adversary's target, not a separate machine or software process,” he said.

“This leads to a symmetric game in which the defense continually learns and gets better at stopping even the most stealthy adversaries.”

The research – which has applications in the field of web security – was presented in a paper (PDF) entitled ‘Improving Intrusion Detectors by Crook-Sourcing’, at the recent Computer Security Applications Conference in Puerto Rico.

Algorithms released

The research was funded by the US federal government. The algorithms and evaluation data developed so far have been publicly released to accompany the research paper.

It’s hoped that the research might eventually find its way into commercially available products, but this is still some time off and the technology is still only at the prototype stage.

“In practice, companies typically partner with a university that conducted the research they’re interested in to build a full product,” a UT Dallas spokesman explained. “Dr Hamlen’s project is not yet at that stage.”

RELATED Gold-nuggeting: Machine learning tool simplifies target discovery for pen testers