This chapter introduces a novel approach to proactive, ambiguity-increasing (A-type) cyber deception against passive reconnaissance by advanced persistent threat (APT) adversaries in enterprise networks. The approach targets organizations that own their switching fabric and gives the defender control over the statistics of attacker-observable traffic and the volume of generated deceptive traffic, with quantifiable fidelity. The approach is made practical by next-generation multi-layer switch architectures programmable with P4 (The P4 Project: P4 Open Source Programming Language, 2022). As an expected side effect, it also enables a rich environment to operate future misleading (M-type) deception mechanisms. The proposed system enables defenders to construct per-endpoint deceptive views that blend real and synthetic traffic, thereby increasing attacker uncertainty while maintaining operational transparency for legitimate users. Unlike traditional honeypot and address obfuscation methods, this approach generates statistically indistinguishable fake conversations observable from compromised nodes, preventing adversaries from confidently discerning real network structures or communication patterns. The architecture allows defenders to inject resource-bounded deceptive traffic, dynamically update deception views in real-time, and enforce per-port visibility constraints—all orchestrated through a dedicated deception controller and modular deception components, including Deceptive Traffic Generators (DTGs) and Deceptive Address Manipulators (DAMs). The chapter presents algorithms for constructing conversation and network-plane deceptive views by blending real network data with replicated topologies derived from real-world graph structures. It also details traffic scheduling methods to emulate realistic communication behaviors at scale. Through experimental validation on a hybrid emulation testbed, the system demonstrates feasibility in creating indistinguishable fake endpoints and maintaining TCP session continuity across view changes. The results underscore the system’s ability to impose cognitive and operational costs on adversaries, degrade reconnaissance quality, and shape attacker behavior. This work lays a foundation for scalable deception architectures and opens future directions involving attacker modeling, machine learning-guided deception strategies, and integration with operational security infrastructures.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Proactive Deception for Enterprise Networks with Dynamic Views and Conversation-Based Synthetic Traffic, Enabled by P4 Switches

  • Alex Poylisher,
  • Latha Kant,
  • Ritu Chadha

摘要

This chapter introduces a novel approach to proactive, ambiguity-increasing (A-type) cyber deception against passive reconnaissance by advanced persistent threat (APT) adversaries in enterprise networks. The approach targets organizations that own their switching fabric and gives the defender control over the statistics of attacker-observable traffic and the volume of generated deceptive traffic, with quantifiable fidelity. The approach is made practical by next-generation multi-layer switch architectures programmable with P4 (The P4 Project: P4 Open Source Programming Language, 2022). As an expected side effect, it also enables a rich environment to operate future misleading (M-type) deception mechanisms. The proposed system enables defenders to construct per-endpoint deceptive views that blend real and synthetic traffic, thereby increasing attacker uncertainty while maintaining operational transparency for legitimate users. Unlike traditional honeypot and address obfuscation methods, this approach generates statistically indistinguishable fake conversations observable from compromised nodes, preventing adversaries from confidently discerning real network structures or communication patterns. The architecture allows defenders to inject resource-bounded deceptive traffic, dynamically update deception views in real-time, and enforce per-port visibility constraints—all orchestrated through a dedicated deception controller and modular deception components, including Deceptive Traffic Generators (DTGs) and Deceptive Address Manipulators (DAMs). The chapter presents algorithms for constructing conversation and network-plane deceptive views by blending real network data with replicated topologies derived from real-world graph structures. It also details traffic scheduling methods to emulate realistic communication behaviors at scale. Through experimental validation on a hybrid emulation testbed, the system demonstrates feasibility in creating indistinguishable fake endpoints and maintaining TCP session continuity across view changes. The results underscore the system’s ability to impose cognitive and operational costs on adversaries, degrade reconnaissance quality, and shape attacker behavior. This work lays a foundation for scalable deception architectures and opens future directions involving attacker modeling, machine learning-guided deception strategies, and integration with operational security infrastructures.