Jione Choi scite author profile

Jione Choi

2Publications

10Citation Statements Received

63Citation Statements Given

How they've been cited

How they cite others

Affiliations

Korea University

Publications

Order By: Most citations

PhantomFS: File-Based Deception Technology for Thwarting Malicious Users

Lee

Choi

Lee³

et al. 2020

IEEE Access

View full text Add to dashboard Cite

File-based deception technologies can be used as an additional security barrier when adversaries have successfully gained access to a host evading intrusion detection systems. Adversaries are detected if they access fake files. Though previous works have mainly focused on using user data files as decoys, this concept can be applied to system files. If so, it is expected to be effective in detecting malicious users because it is very difficult to commit an attack without accessing a single system file. However, it may suffer from excessive false alarms by legitimate system services such as file indexing and searching. Legitimate users may also access fake files by mistake. This paper addresses this issue by introducing a hidden interface. Legitimate users and applications access files through the hidden interface which does not show fake files. The hidden interface can also be utilized to hide sensitive files by hiding them from the regular interface. By experiments, we demonstrate the proposed technique incurs negligible performance overhead, and it is an effective countermeasure to various attack scenarios and practical in that it does not generate false alarms for legitimate applications and users.

show abstract

PhantomFS-v2: Dare You to Avoid This Trap

et al. 2020

View full text Add to dashboard Cite

It has been demonstrated that deception technologies are effective in detecting advanced persistent threats and zero-day attacks which cannot be detected by traditional signature-based intrusion detection techniques. Especially, a file-based deception technology is promising because it is very difficult (if not impossible) to commit an attack without reading and modifying any file. It can play as an additional security barrier because malicious file access can be detected even if an adversary succeeds in gaining access to a host. However, PhantomFS still has a problem that is common to deception technologies. Once a deception technology is known to adversaries, it is unlikely to succeed in alluring adversaries. In this paper, we classify adversaries who are aware of PhantomFS according to their knowledge level and permission of PhantomFS. Then we analyze the attack surface and develop a defense strategy to limit the attack vectors. We extend PhantomFS to realize the strategy. Specifically, we introduce multiple hidden interfaces and detection of file execution. We evaluate the security and performance overhead of the proposed technique. We demonstrate that the extended PhantomFS is secure against intelligent adversaries by penetration testing. The extended PhantomFS offers higher detection accuracy with lower false alarm rate compared to existing techniques. It is also demonstrated that the overhead is negligible in terms of response time and CPU time.

show abstract

scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.

Contact Info

customersupport@researchsolutions.com

10624 S. Eastern Ave., Ste. A-614

Henderson, NV 89052, USA

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Blog Terms and Conditions API Terms Privacy Policy Contact Cookie Preferences Do Not Sell or Share My Personal Information

Made with 💙 for researchers

Part of the Research Solutions Family.

Jione Choi

PhantomFS: File-Based Deception Technology for Thwarting Malicious Users

PhantomFS-v2: Dare You to Avoid This Trap

Contact Info

Product

Resources

About