A new ‘moving target defense’ system that uses a decoy network to mislead hackers
Penn State information scientists have revealed a new computer defense system that can sense possible malicious probes from hackers, and then redirect those attacks to a virtual network that offers little information about the real network.
These ‘shadow networks’ can fake complex network structures, tricking the hackers into believing they have accessed usable information, said the researchers at the Information Security Conference in Honolulu on Thursday.
So far, the team has built a prototype to demonstrate the approach, simulating both the attack and the defense on a virtual network.
While this method could deflect some of the malicious traffic aimed at vulnerable computer systems, it may not be possible to avoid all attacks.
“Because of the static nature of a computer network, the attacker has a time advantage,” says Dinghao Wu, assistant professor of information sciences and technology. “Hackers can spend a month, two months, six months or more just studying the network and finding vulnerabilities. When they return to use that information to attack, the network typically has not changed and those vulnerabilities are still there, too.”
The system depends on a device known as a ‘reflector,’ which redirects the suspicious traffic to a decoy, or shadow network, once detected.
This shadow network is isolated and invisible from the real network, but can mimic the structure of a physical network to fool the hackers into believing they are receiving information about an actual network.
“We can’t realistically stop all scanning activities, but we can usually tell when a malicious scan is happening,” says Wu. “If it’s a large-scale scan, it is usually more malicious.”
The system, which is a type of defense known in the computer industry as a moving target defense, also gives network administrators the option to more easily make changes to the shadow network’s virtual system, making it even more difficult for hackers to evaluate the success of their scans.
According to Wu, there should be little effect on the real network’s performance and functionality, as the reflector can act as a regular network device when there’s no known cyber-threat present.
In the researchers' demonstrations, the new strategy sensed malicious activity in a virtual local area network and successfully deflected it to the shadow network, so that the hackers could access only the decoy information.
“A typical strategy would be to create a shadow network environment that has the same look as the protection domain,” says Li Wang, a doctoral candidate in information sciences and technology. “It can have the same number of nodes, network topology and configurations to fool the hacker. These shadow networks can be created to simulate complex network structures.”
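The reflector mechanism described above, together with the mirrored shadow topology Wang describes, as an added Python sketch that is not the researchers' prototype: it assumes a simple heuristic (a source that touches at least a threshold number of distinct host/port pairs inside a sliding time window is treated as a large-scale scan) and a constructed five-node shadow network that mirrors the real one's addressing but holds only decoy data.

```python
from collections import defaultdict

# Constructed topology (assumption): the shadow network mirrors the real
# network's node count and addressing but holds only decoy data.
REAL_NET = {"10.0.0.%d" % i: "real-host-%d" % i for i in range(1, 6)}
SHADOW_NET = {"10.0.0.%d" % i: "decoy-host-%d" % i for i in range(1, 6)}

SCAN_THRESHOLD = 20    # distinct (dst, port) pairs from one source (assumed value)
WINDOW_SECONDS = 60.0  # sliding window over which pairs are counted (assumed value)


class Reflector:
    """Forwards traffic to the real network like an ordinary device until a
    source's probing looks like a large-scale scan; from then on every packet
    from that source is answered by the isolated shadow network instead."""

    def __init__(self, threshold=SCAN_THRESHOLD, window=WINDOW_SECONDS):
        self.threshold = threshold
        self.window = window
        self.probes = defaultdict(list)  # src -> [(timestamp, (dst, port))]
        self.redirected = set()          # sources pinned to the shadow network

    def _looks_like_scan(self, src, now):
        # Keep only probes inside the sliding window, then count distinct targets.
        recent = [(t, key) for t, key in self.probes[src] if now - t <= self.window]
        self.probes[src] = recent
        return len({key for _, key in recent}) >= self.threshold

    def handle(self, src, dst, port, now):
        """Return (network, answering host) for one packet; network is
        'real' or 'shadow'. Once redirected, a source never sees 'real' again."""
        if src not in self.redirected:
            self.probes[src].append((now, (dst, port)))
            if self._looks_like_scan(src, now):
                self.redirected.add(src)
        if src in self.redirected:
            return "shadow", SHADOW_NET.get(dst, "unreachable")
        return "real", REAL_NET.get(dst, "unreachable")


def sweep(reflector, src, start, step):
    """Simulate a scanner touching 5 hosts x 5 ports (25 distinct pairs)."""
    ports = (22, 80, 443, 3389, 8080)
    targets = [("10.0.0.%d" % h, p) for h in range(1, 6) for p in ports]
    return [reflector.handle(src, d, p, start + i * step) for i, (d, p) in enumerate(targets)]


if __name__ == "__main__":
    r = Reflector()
    fast = sweep(r, "198.51.100.7", 0.0, 1.0)  # 25 pairs in 25 s: tripped at the 20th
    print(fast[18], fast[19])
```

A slow sweep that stays below the threshold inside any one window is never redirected, which is the trade-off the article's "we can't realistically stop all scanning" caveat points at.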
The researchers will deploy their method in a real network in the future.