PhantomFS: File-Based Deception Technology for Thwarting Malicious Users

Lee, Jung‐Hee; Choi, Jione; Lee, Gyu-Ho; Shim, Shin Woo; Kim, Taekyu

doi:10.1109/access.2020.2973700

Cited by 13 publications

(8 citation statements)

References 25 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The file-based deception technology has been demonstrated to be effective in thwarting malicious users who have gained access to the host evading intrusion detection systems [9]. However, if adversaries become aware of the deception technology, the deception technology is unlikely to succeed in alluring adversaries.…”

Section: Discussionmentioning

confidence: 99%

“…The goal of PhantomFS [9] is to allure adversaries who have already gained access to a host without being detected by traditional intrusion detection systems. PhantomFS offers an additional security barrier to thwart such adversaries.…”

Section: Background and Related Work A Phantomfsmentioning

confidence: 99%

“…The original paper [9] assumes adversaries do not know anything about PhantomFS. They do not know the existence of the hidden interface and the location of the hidden path.…”

Section: A Threat Modelmentioning

confidence: 99%

“…file indexing). PhantomFS [9] addresses this issue by introducing a hidden interface. The hidden interface is known only to legitimate users and applications.…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

PhantomFS-v2: Dare You to Avoid This Trap

et al. 2020

Self Cite

View full text Add to dashboard Cite

It has been demonstrated that deception technologies are effective in detecting advanced persistent threats and zero-day attacks which cannot be detected by traditional signature-based intrusion detection techniques. Especially, a file-based deception technology is promising because it is very difficult (if not impossible) to commit an attack without reading and modifying any file. It can play as an additional security barrier because malicious file access can be detected even if an adversary succeeds in gaining access to a host. However, PhantomFS still has a problem that is common to deception technologies. Once a deception technology is known to adversaries, it is unlikely to succeed in alluring adversaries. In this paper, we classify adversaries who are aware of PhantomFS according to their knowledge level and permission of PhantomFS. Then we analyze the attack surface and develop a defense strategy to limit the attack vectors. We extend PhantomFS to realize the strategy. Specifically, we introduce multiple hidden interfaces and detection of file execution. We evaluate the security and performance overhead of the proposed technique. We demonstrate that the extended PhantomFS is secure against intelligent adversaries by penetration testing. The extended PhantomFS offers higher detection accuracy with lower false alarm rate compared to existing techniques. It is also demonstrated that the overhead is negligible in terms of response time and CPU time.

show abstract

Section: Discussionmentioning

confidence: 99%

Section: Background and Related Work A Phantomfsmentioning

confidence: 99%

“…The original paper [9] assumes adversaries do not know anything about PhantomFS. They do not know the existence of the hidden interface and the location of the hidden path.…”

Section: A Threat Modelmentioning

confidence: 99%

“…file indexing). PhantomFS [9] addresses this issue by introducing a hidden interface. The hidden interface is known only to legitimate users and applications.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

PhantomFS-v2: Dare You to Avoid This Trap

et al. 2020

Self Cite

View full text Add to dashboard Cite

show abstract

“…Using decoy documents to track the users with malicious intent, the proposed method did not require additional user credential in the authentication process. In [13], Lee et al developed a hidden interface that recognized malicious users and used decoy files to lure them into an monitored environment. The advantage of their method is that no false alarms will be raised by legitimate applications and users.…”

Section: A Research On Decoy Documentsmentioning

confidence: 99%

Leveraging Machine Learning Techniques to Identify Deceptive Decoy Documents Associated With Targeted Email Attacks

et al. 2021

View full text Add to dashboard Cite

Detecting and preventing targeted email attacks is a long-standing challenge in cybersecurity research and practice. A typical targeted email attack capitalizes on a sophisticated email message to persuade a victim to run a specific, seemingly innocuous, action such as opening a link or an attachment and downloading and installing a software program. To successfully perform such an attack without being noticed afterwards, the attached exploit documents (hereafter referred to as decoy documents), must contain content that is highly relevant to the target. An analysis of such decoy documents can provide crucial information for inferring and identifying the targeted or potentially harmed victims. In this paper, we propose an automatic approach that leverages natural language processing and machine learning to identify decoy documents that have a high chance of deceiving the targeted users. The experimental results show that the proposed method provides good prediction accuracy: the best result obtained on a collection of 200 Chinese decoy documents yielded an accuracy of 97.5%, an F-measure of 97.9% and a low FPR of 3.1%. The proposed scheme can be deployed at various access points to fortify the defense against targeted email attacks that threaten various targets.INDEX TERMS Targeted email attack, decoy document, machine learning, natural language processing

show abstract