Decoy networks are the secret to deflecting hackers

A form of moving target defense where networks are mimicked will prove to be the best form of hacker defense, scientists from Penn State say

Decoy networks are the secret to deflecting hackers

Attackers have a time advantage over static computer networks because the bad guys can simply hover around the network for long periods, study it and look for an advantage. The computer network is usually just sitting there, dawdling like unfortunate prey silhouetted in a hunter’s rifle scope.

The observing hackers can even disappear for a while, return and find nothing’s changed. The vulnerabilities are still in place. Bang! The perp hits when it’s convenient, and it’s all over.

The best solution to this time-advantage problem are computer defenses that sense malevolent investigations of the network and then squirt the attack over to a fake network that proffers no intelligence about the genuine network, according to some. They were written about as long ago as 2004 in the International Journal of Digital Evidence (PDF).

Penn State information scientists recently created a new prototype dummy network for defending a real network and say their system will only provide information about the dummy network to hackers. The team announced their work at the Honolulu Information Security Conference last month.

The key to it is knowing “a malicious scan is happening," says Dinghao Wu, assistant professor of information sciences and technology, in a Penn State News article. “If it's a large-scale scan, it is usually malicious.”

Hacking the hacker

Once they identify the scan as being potentially wounding, they immediately send the traffic over to the “decoy, or shadow, network.”

That dummy network isn’t visible to the real network, but it gives away just enough detail to bamboozle the crooks. They can’t tell it’s a phony network because the structure is copied, including the number of nodes and so on. The hacker is hacked.

“These shadow networks can be created to simulate complex network structures," Wu says in the article. Not only that, but because it’s not the main network, it’s actually easier to change elements, thus confusing the criminal—he can’t analyze his scan as easily because things have changed.

It’s called a “moving target defense,” Penn State explains.

Reflectors are a prime element. They detect the incoming scanning web traffic without even bothering to try to stop it and then send it to the shadow system.

That “shadow network environment that has the same look as the protection domain” and offers the hacker exactly what he’s looking for, which includes software versions, hardware types and operating system, they explain. It’s all mimicked.

Penn State built its system virtually. That allowed it to simulate both the attack and the reception. However, the scientists say they are ready to deploy in an actual network and that when they do, they will display only the phony network.

Decoy networks gain ground in fight against hackers

Decoy systems, also known as honeypots, are expected to emerge as “frontline technology,” according to a researcher. “We are getting more and more market intelligence that the decoy network technology is quietly gaining ground,” Market Research Media said on its website in January.

That company also, interestingly, came up with a fascinating previous-use scenario for honeypots while writing about its network market projections. It says one of the best decoy network analogies is from the Second World War, where the allies employed film set crews to build fake airfields to fool the enemy.

“Where does a wise man hide a pebble? On the beach,” the organization says on its site. Market Research Media says the decoy market will be valued at $12 billion cumulatively between 2017 and 2022.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2016 IDG Communications, Inc.

IT Salary Survey 2021: The results are in