Counterplanning Deceptions to Foil Cyber-Attack Plans
Abstract
Tactics involving deception are important in military strategies. We have been exploring deliberate deception in defensive tactics by
information systems under cyber-attack, as during information warfare. We have developed a tool to systematically "counterplan", or find ways
to foil a particular attack plan. Our approach is to first find all possible atomic "ploys" that can interfere with the plan. Ploys are simple
deceits the operating system can perform, such as lying about the status of a file. We analyze ploys as to the degree of difficulty they cause to the plan
wherever they can be applied. We then formulate a "counterplan" by selecting the most cost-effective set of ploys and assign appropriate
presentation methods for them, taking into account the likelihood that, if we are not careful, the attacker will realize they are being deceived
and will terminate our game with them. The counterplan can be effected by a modified operating system. We have implemented our
counterplanner in a tool, MECOUNTER, that uses multi-agent planning coupled with some novel inference methods to efficiently find a best
counterplan. We apply the tool to an example of a rootkit-installation plan and discuss the results.
Description
Proceedings of the 2003 IEEE Workshop in Information Assurance, West Point, NY, June 2003