This paper introduces an intrusion-detection device named honeyfiles. Honeyfiles are bait files intended for hackers to access. The files reside on a file server, and the server sends an alarm when a honeyfile is accessed. For example, a honeyfile named "passwords.txt" would be enticing to most hackers. The file server's end-users create honeyfiles, and the end-users receive the honeyfile's alarms. Honeyfiles can increase a network's internal security without adversely affecting normal operations. The honeyfile system was tested by deploying it on a honeynet, where hackers' use of honeyfiles was observed. The use of honeynets to test a computer security device is also discussed. This form of testing is a useful way of finding the faulty and overlooked assumptions made by the device's developers.
Deception offers one means of hiding things from an adversary. This paper introduces a model for understanding, comparing, and developing methods of deceptive hiding. The model characterizes deceptive hiding in terms of how it defeats the underlying processes that an adversary uses to discover the hidden thing. An adversary's process of discovery can take three forms: direct observation (sensing and recognizing), investigation (evidence collection and hypothesis formation), and learning from other people or agents. Deceptive hiding works by defeating one or more elements of these processes. The model is applied to computer security, and it is also applicable to other domains.
Network-based intrusion has become a serious threat to today's highly networked information systems, yet the overwhelming majority of current network security mechanisms are "passive" in response to network-based attacks. In particular, tracing and detection of the source of network-based intrusion has been left largely untouched in existing intrusion detection mechanisms. The fact that intruders can log in through a series of hosts before attacking the final target makes it extremely difficult to trace back the real source of network-based intrusions.
A network device is considered compromised when one of its security mechanisms is defeated by an attacker. For many networks, an attacker can compromise many devices before being discovered. However, investigating devices for compromise is costly and time-consuming, making it difficult to investigate all, or even most, of a network's devices. Further, investigation can yield false-negative results. This paper describes an intrusion-detection (ID) technique for incident-response. During an attack, the attacker reveals information about himself and about network vulnerabilities. This information can be used to identify the network's likely compromised devices (LCDs). Knowledge of LCDs is useful when limited resources allow only some of the network's devices to be investigated. During an on-going attack, knowledge of LCDs is also useful for tactical planning. The ID technique is based on the US military's battlefield-intelligence process. Models are constructed of the network, as the battlespace. Also, models are constructed of the attacker's capabilities, intentions, and courses-of-action. The Economics of Crime, a theory which explains criminal behavior, is used to model the attacker's courses-of-action. The models of the network and the attacker are used to identify the devices most likely to be compromised.
... Evidence-collection consists of two parts: attacker-profiling and economic-attribute appraisal. During an attack, the attacker reveals information about himself and the attack. We'll use that information to build a profile of the attacker. ...
Papers by Jim Yuill