Publication | Closed Access
A Scalable High Fidelity Decoy Framework against Sophisticated Cyber Attacks
Citations: 11
References: 25
Year: 2019
Venue: Unknown
Recent years have witnessed a surging trend of leveraging deception techniques to detect and defeat sophisticated cyber attacks such as advanced persistent threats. Deception typically employs a decoy network to entrap attackers and divert their firepower away from the real protected assets. Unfortunately, existing decoy systems fail to achieve a balanced tradeoff between decoy fidelity and scalability, which potentially undermines the effectiveness of attacker deception. In this paper, we propose a hybrid decoy architecture that separates lightweight front-end decoys from high-fidelity back-end decoy servers. To enhance the deception effectiveness, we introduce dynamics into the decoy system design to make the decoy a moving target, where the front-end decoys constrain attackers by transparently intercepting and forwarding the malicious commands to the heterogeneous back-end decoys for real execution. We implement two prototypes of the hybrid decoy architecture based on the Linux Bash shell and Windows PowerShell. The experimental results demonstrate that our system can effectively misdirect and disinform attackers with small network and system overhead.