Abstract

Traditional deception-based cyber defenses (DCD) often adopt a static deployment policy that places deception resources at fixed positions in the target network. This static policy greatly restricts the effectiveness of the deception resources and makes them easy for attackers to identify and bypass. Moreover, existing studies on dynamic deployment policies make many strict assumptions and constraints and are too idealistic to be practical. To overcome this limitation, we develop an intelligent deployment policy that dynamically adjusts the locations of deception resources according to the network security state. We first formulate the problem of deception resource deployment, then model the attacker-defender scenario and the attacker's strategy. Next, we propose a preliminary screening method that derives the effective deployment locations of deception resources from a threat penetration graph (TPG). Afterward, we construct a reinforcement learning model for finding the optimal deployment policy and design a model-free Q-Learning training algorithm. Finally, we run experiments in a real-world network environment and conduct in-depth comparisons with state-of-the-art methods. Our evaluations on a large number of attacks show that our method has a high defense success probability of nearly 80%, which is more efficient than existing schemes.
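A minimal sketch of the idea in the abstract, added here as an illustration and not the paper's algorithm or code: candidate decoy locations are screened from a TPG, then a tabular, model-free Q-learning agent learns where to place a single decoy given the attacker's current position. The graph, the attacker's move probabilities, the reward (1 when the attacker walks into the decoy), the exclusion of the real target from the candidate set, and the 1/n step size are all assumptions made for this example.

```python
import random

# Constructed toy threat penetration graph (TPG): host -> {next hop: probability
# that the attacker picks it}. Topology and numbers are assumptions.
TPG = {
    "web":  {"app": 0.7, "mail": 0.3},
    "app":  {"file": 0.6, "db": 0.4},
    "mail": {"file": 0.5, "db": 0.5},
    "file": {"db": 1.0},
}
ENTRY, TARGET = "web", "db"

def screen_locations(tpg):
    """Preliminary screening: keep only hosts the attacker can step onto,
    excluding the real target, which a decoy cannot replace (assumption)."""
    return sorted({h for hops in tpg.values() for h in hops} - {TARGET})

def train(episodes=20000, eps=0.2, seed=7):
    """Tabular, model-free Q-learning: state = attacker position,
    action = host where the single decoy sits for the attacker's next move."""
    rng = random.Random(seed)
    actions = screen_locations(TPG)
    q = {s: {a: 0.0 for a in actions} for s in TPG}
    n = {s: {a: 0 for a in actions} for s in TPG}
    for _ in range(episodes):
        pos = ENTRY
        while pos != TARGET:
            a = rng.choice(actions) if rng.random() < eps else max(q[pos], key=q[pos].get)
            hops = TPG[pos]
            nxt = rng.choices(list(hops), weights=list(hops.values()))[0]
            trapped = nxt == a
            # Reward 1 when the attacker walks into the decoy; otherwise bootstrap
            # from the best placement at the attacker's new position (gamma = 1).
            future = 0.0 if trapped or nxt == TARGET else max(q[nxt].values())
            target = (1.0 if trapped else 0.0) + future
            n[pos][a] += 1
            q[pos][a] += (target - q[pos][a]) / n[pos][a]  # 1/n step size
            if trapped:
                break
            pos = nxt
    return q

def greedy_policy(q):
    return {s: max(q[s], key=q[s].get) for s in q}

if __name__ == "__main__":
    q = train()
    print(greedy_policy(q), round(q[ENTRY]["app"], 2))
```

With this reward, each Q-value estimates the probability of eventually trapping the attacker. In this toy graph the learned state-dependent placement reaches about 0.85 from the entry host, against 0.70 for the best fixed location.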

Highlights

  • In recent years, we have witnessed a majority of penetration attacks against the critical server infrastructures within both commercial companies and government organizations [1].

  • We propose an intelligent deployment policy for deception resources based on reinforcement learning (RL)

  • For the sake of avoiding the above uncertainties, this paper proposes an intelligent deployment policy for deception resources based on RL


Summary

INTRODUCTION

We have witnessed a majority of penetration attacks against the critical server infrastructures within both commercial companies and government organizations [1]. Some scholars have created honeypots for application layer protocols, e.g., Telnet [10] and HTTP [11], as well as honeypots for special devices, such as smartphones [12], USB devices [13], and data acquisition equipment [14]. Besides these honeypots, there are a variety of forms of deception resources. By combining RL and network security data, we can acquire convincing knowledge of the attacker's state, which can help us design more successful deception schemes. Our method can dynamically adjust the locations of deception resources according to the network security state and trap the attacker with maximum probability.

PROBLEM SETTING OF DECEPTION RESOURCES DEPLOYMENT
ANALYSIS OF DEPLOYMENT POLICY
MODEL REPRESENTATION
2: Generate the deployment action space AD based on TPG 3
Findings
CONCLUSION