Over the past few years, enterprises are facing a growing number of highly customized and targeted attacks that use sophisticated techniques and seek after important company assets, such as customer data and intellectual property. Unlike conventional attacks, targeted attacks are operated by experts who use multiple steps to gain access to sensitive assets, and most of time, leave very few network traces behind for detection. In this paper, we propose a multi-layer deception system that provides an in depth defense against such sophisticated targeted attacks. Specifically, based on previous knowledge and patterns of such attacks, we model the attacker as trying to compromising an enterprise network via multiple stages of penetration and propose defenses at each of these layers using deception based detection. Due to multiple layers of deception, the probability of detecting such an attack will be greatly enhanced. We present a proof of concept implementation of one of the key deception methods proposed. Due to various financial constraints of an enterprise, we also model the design of the deception system as an optimization problem in order to minimize the total expected loss due to system deployment and asset compromise. We find that there is an optimal solution to deploy deception entities, and even over spending budget on more entities will only increase the total expected loss to the enterprise. Such a system Detecting Targeted Attacks by Multilayer Deception 177 phase, gathering information such as the organization background, resources and individual employees to initially target to launch the attack. By using social engineering techniques, such as a spear-phishing email, the attacker attempts to "infiltrate" into the enterprise by using a particular employee as the entry point. This typically requires an employee to fall victim to the social engineering attack, for example by following a web link or opening an attachment that contains some exploit and malicious payload. During this phase of "exploitation", the attacker penetrates a level deeper by gaining control of the employee's personal assets (such as email and personal computer). This may then be used to penetrate another level deeper into the enterprise through manual "exploration" of remote servers (hosting databases, proprietary algorithms, intellectual properties etc.), or to launch additional social engineering attacks against other employees who have access to the information that the attacker seeks to obtain. Some attacks may exploit and gain control of many different servers and machines during the exploration phase to gain a persistent foothold in the enterprise. Once an asset has been obtained, the attacker finally "exfiltrates" the data out of the enterprise network and the attack can be considered successful.This pattern, as mentioned above, reveals that there are three layers of penetration -a human layer, a local asset layer, and a global asset layer. Each layer of penetration brings the attacker closer to the targeted information assets...
