Several approaches can be used to mitigate it. Sociology and psychology are useful and reliable tools in the fight against cybersecurity deception, because they provide accurate information about the process and motives behind a potential attack [3].
An insider must first be capable of carrying out the attack, then be motivated to do so, and finally have an opportunity to deploy it. Basic factors to consider include ethical flexibility, computer dependency, personal and social frustration, and introversion; these could be evaluated with custom psychometric tests.
It is quite difficult to identify malevolent insiders. Several systems have been created to detect insider threats; some of them use honeypots, graph-based analysis, proactive forensics, and other methods [4]. Detecting malevolent insiders is hard to accomplish. A useful tool in the detection process is the intrusion detection system (IDS), which can detect deviations from users' normal behavior, packets with unauthorized content, and abnormal actions. Another method used to mitigate the insider threat is the analysis of system calls, Windows usage events, and command sequences. Methods based on user usage habits, such as system call analysis, belong to the broad group of techniques known as host-based user profiling, while honeypots and intrusion detection systems belong to the family of network-based sensors [5].
Clients can also take some measures to prevent threats against their computers. In IaaS, where clients can access the cloud infrastructure, cloud clients are unlikely to be able to identify unauthorized access by other people using OS-level security mechanisms such as IPS/IDS [6].
The reason is that an insider working for the cloud provider has access to infrastructure that the client cannot control. Clients can use cryptographic techniques to safeguard the integrity and confidentiality of their data, but encryption is a better and more practical solution for bulk data storage, particularly for static data. Storing data in encrypted form and decrypting it every time it has to be used is not an adequate defense against an insider, because the decryption key has to be stored in the cloud as well [7].
Because insiders have access to the physical servers and can obtain access to the physical memory used by the client's virtual machine, any encryption keys held in memory can be obtained. A more robust solution is not to store keys in the cloud at all but to perform the data manipulation directly on encrypted data. Different methods have been proposed to address this issue, but their performance overhead is quite high, which makes them impractical for real-world applications [8].
When it comes to availability, the use of multiple data centers in different regions is an effective solution, provided the cloud provider does not suffer an outage that spans all of them. Several providers offer this option to their clients, including switching to a backup data center in case of an emergency or failure. This approach protects the client as long as the malicious threat cannot interfere with multiple data centers at the same time [9].
The authors of this paper addressed the insider threat in the cloud environment. This threat is a well-known issue and has been a topic of significant interest for years; while suitable countermeasures have been proposed for traditional IT infrastructures, the same cannot be said for cloud environments. In the cloud, an insider attack is easier to carry out and has a greater impact than the same threat in traditional infrastructure, while identifying and detecting the person who performed the attack remains challenging [10].
The authors identified two types of insider threat in their work. The first is an insider working for the cloud service provider, who can cause a great deal of damage to both customers and the provider. The second is an insider working for the firm that has chosen to outsource. We documented and explained the difference between the cloud insider and the traditional insider [11].
A commonly accepted risk-management framework and policy for managing the risks of deception do not exist. Risk is simplified as the likelihood of a specific event and the consequences of that event, and there is still insufficient information on either. The impact of insider threats can occur in several dimensions, including impact on organizational culture, loss of reputation, disruption of the organization, and financial loss. These impacts cannot be finely nuanced, and they are not well accounted for or measured. For instance, an insider motivated by something as minor as a bonus can significantly damage the organization at every level, so a small motivation can have a great impact. Equally, the impact may not depend on motivation at all: an innocent act can be as harmful as a malicious attack. The objective, therefore, may be to avoid damaging consequences regardless of motivation. These aspects, along with other accelerants of risk, should be represented in threat models to acknowledge their significance. It seems reasonable to assume that the likelihood of different insider threats will vary across circumstances and organizations [12].
Little can be said concretely about it. It is also unclear how effective prevention, detection, and response techniques are at reducing the insider threat. For instance, there is insufficient data to say how effective different security policies are depending on insider motivation. It may be that this does not matter; it appears that it is sometimes quite difficult to distinguish the execution and consequences of malicious acts from those caused by accident. At the same time, it can matter a great deal. Insiders may use domains in unusual ways that can trigger false alarms. Outsiders acting with unauthorized credentials, insiders acting with intent, and accidental behavior are all insider threats, yet it is still unclear how effective security policies are against acts stemming from these different kinds of motive [13].
There is not enough information about this kind of threat. For practitioners and researchers concerned with such threats, the most basic issue is the lack of practical information. Most of the data is too old, and it also comes from biased data sets. One seminal study conducted by Carnegie Mellon and the US Secret Service analyzed up to 150 insider incidents, with follow-up work on fifty-four cases. The sample is quite small, focused on specific types of organization and, most importantly, represents only instances where the insider was caught, prosecuted, and found guilty. Other survey work, notably the annual FBI/Computer Security Institute study, lacks statistical precision and cannot be used to extract reliable results. There are good reasons for the lack of information: there is no reliable definition of insider threat that specifies the data and insider requirements, and most organizations are reluctant to share reports of their insider incidents, for obvious reasons of possible liability and reputation. Consequently, a significant portion of insider-threat research seems to presuppose an issue, proceed to a specific solution, and test the method with artificial data sets [14].
Considering the pervasiveness of the Internet and personal use, and the blurred line between home and work, IT security breaches on personal and workplace computers can cause serious damage not only to organizations but also to individuals. Moreover, users' unsafe computing behavior in a non-work setting may open a loophole for hackers to enter their organizations' systems. For instance, when a user logs into his company's intranet from home, hackers can use a Trojan to steal the password and use it to access the organization's confidential information. Cybercriminals can also turn weakly secured computers into infected machines and use them to build botnets that attack other personal computers and corporate applications. Internet diffusion has certainly made it easy for malicious attackers to exploit system vulnerabilities and amplify the adverse effect [15].
Several forms of malicious IT, such as botnets, Trojan horses, spyware, worms, and viruses, have caused significant financial losses. According to the CSI survey, malware attacked almost 64.3 percent of the participating companies, and security incidents resulted in an average loss of almost 234,244 dollars per firm. It is also reported that in the 2007-2009 period, US consumers' financial losses due to spyware and viruses were 1.7 billion dollars and 5.8 billion dollars. Given its economic impact, IT security has gained significant attention from information systems practitioners and researchers. However, most previous studies on IT security have been carried out in organizational settings, and little is known about users' security behavior in the context of personal use. Recently, researchers have begun to pay attention to the human aspect of security, but knowledge about users' security behavior is far from complete. The authors' purpose in this study was to analyze how personal computer users cope with IT threats [16].
This research model is derived from Technology Threat Avoidance Theory (TTAT) to explain how individuals develop threat perceptions, evaluate safeguarding measures, and engage in avoidance behavior. The empirical results obtained by the researchers provide strong support for this model.
This study investigates the avoidance behaviors of computer users. A research model is derived from the above theory and tested with 150 PC users. Data analysis reveals several significant findings. First, perceived threat, safeguard effectiveness, safeguard cost, and self-efficacy affect avoidance motivation, which in turn determines avoidance behavior. Second, perceived threat is determined by perceived susceptibility and perceived severity, and mediates their effects. Third, perceived threat negatively moderates the relationship between safeguard effectiveness and avoidance motivation. The findings provide an enriched understanding of threat avoidance behavior in the context of PC use, where security behavior is largely voluntary. More research is needed to test TTAT more comprehensively in other contexts [17].
Additionally, with the virtualization of organizations there has been a significant technological shift from the workplace to the home environment. Employees are free to work from home or to bring unfinished work home, which offers a loophole to hackers. Unlike workers in firms, these computer users are unlikely to have sufficient IT infrastructure to protect themselves from cyber-threats, and may have no strict or standard IT security policy in place. For instance, most computer users are not IT professionals and lack the high degree of computer literacy needed to set up a secure computing system.
Furthermore, examples of people's lack of security awareness include sharing passwords, downloading unprotected software, and browsing unsafe websites. Previous research has indicated that computer users are still the weakest link in information security. This can be observed in the way people regularly disclose personal information to the general public online through social media outlets such as Skype, Hi5, Twitter, and Facebook, and professional social networking sites such as LinkedIn. The study reported by the authors therefore focuses on a cyber-attack that is dangerous to computer users: phishing. Phishing is a social engineering crime, a well-known semantic attack, also referred to as online identity theft. It aims to steal confidential information such as online banking details, passwords, and usernames from its victims. The attacker creates a fraudulent website that appears just like the original one, and unsuspecting users are invited by email to access the site, through which the attacker gains access to their money. Google has reported that 9500 sites are blacklisted daily. Nonetheless, phishing attacks are becoming more sophisticated over time as attackers learn new techniques and change their strategies [18].
Phishing has thus become a severe cybersecurity issue. The authors conducted a role-play survey with almost a thousand respondents to study who falls victim to phishing attacks. The study revealed that women were more susceptible than men, and that participants between the ages of 18 and 25 were more susceptible to this attack than other age groups. The participants came from different ethnicities and age groups, and included individuals who were concerned about computer security.
Both government organizations and academic institutions have made significant efforts to educate end-users and improve the public's understanding of security. The Anti-Phishing Working Group (APWG) is a non-profit organization that provides anti-phishing education to enhance security understanding. The US Computer Emergency Readiness Team also provides free advice about common security breaches to computer users who lack sufficient knowledge of computer security and of the threats that might affect their systems. Although significant effort has been devoted to resolving the phishing threat through the detection and prevention of phishing emails, websites, and URLs, little research has been carried out on educating users to protect themselves and their systems from phishing attacks. The objective of the research was therefore to study whether procedural knowledge or conceptual knowledge has a positive influence on computer users' self-efficacy in thwarting phishing attacks [19].
Intrusion detection (ID) is the process of identifying a malicious intruder while they are trying to enter a system or after they have entered it. The authors can be said to have provided the basic framework for intrusion detection. Denning proposed a model that focused on detecting intrusions by analyzing audit records of user activity for anomalies. Since then, development has ranged from the use of probabilistic methods and agents to the use of artificial systems. The authors go on to provide a detailed analysis of the different technologies and methods associated with intrusion detection.
Intrusion Detection Systems (IDS) can be classified by their detection method into signature-based and anomaly-based systems. Signature-based detection works on the rule that specific attacks have obvious signatures, such as a user trying to access an unauthorized file or a brute-force password attack. Anomaly detection is mainly used to detect masquerades, where an intruder pretends to be the legitimate user; at present, anomaly-based IDSs perform this classification using machine learning or statistical methods. IDSs can also be classified by their organization as standalone or distributed. A host-based IDS operates by analyzing the operating system's system calls and reacting to suspicious calls, while a distributed IDS operates throughout the network in a centralized or decentralized manner. Hybrid systems combine the benefits and drawbacks of both.
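The following toy host-based IDS is an added example, not code from any of the papers reviewed here. It combines the two detection methods just described: signature rules for attacks with an obvious footprint, and a per-user n-gram profile of normal system-call sequences whose unseen windows flag a masquerade. All traces and signatures are constructed.

```python
"""Toy host-based IDS over system-call traces: signature rules plus an
n-gram anomaly profile per user. Added example; every trace and signature
below is constructed, not captured from a real host."""


def ngrams(trace, n):
    """All length-n windows of a system-call trace, as tuples."""
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]


# Constructed signatures: contiguous call sequences with a known meaning.
SIGNATURES = {
    # a process that opens a network connection and then executes a program
    "exec-after-connect": ("connect", "execve"),
    # repeated failed credential checks, the brute-force footprint
    "password-brute-force": ("auth_fail", "auth_fail", "auth_fail"),
}


class HostIDS:
    def __init__(self, n=3, threshold=0.5):
        self.n = n                  # n-gram length for the profile
        self.threshold = threshold  # fraction of unseen n-grams that is anomalous
        self.profiles = {}          # user -> set of n-grams seen in training

    def train(self, user, traces):
        """Build the per-user profile from traces of legitimate activity."""
        prof = self.profiles.setdefault(user, set())
        for t in traces:
            prof.update(ngrams(t, self.n))

    def signature_hits(self, trace):
        """Names of every signature that occurs contiguously in the trace."""
        return [name for name, pattern in SIGNATURES.items()
                if pattern in ngrams(trace, len(pattern))]

    def anomaly_score(self, user, trace):
        """Fraction of the trace's n-grams never seen for this user;
        0.0 means every window matches the user's profile."""
        grams = ngrams(trace, self.n)
        if not grams:
            return 0.0
        prof = self.profiles.get(user, set())
        unseen = sum(1 for g in grams if g not in prof)
        return unseen / len(grams)

    def classify(self, user, trace):
        """Signature rules take priority; otherwise compare the anomaly
        score with the threshold. Returns (verdict, hits, score)."""
        hits = self.signature_hits(trace)
        score = self.anomaly_score(user, trace)
        if hits:
            return "signature", hits, score
        if score > self.threshold:
            return "anomaly", [], score
        return "normal", [], score


# Constructed training data: what user "alice" normally does.
ALICE_NORMAL = [
    ["open", "read", "write", "close"],
    ["open", "read", "read", "write", "close"],
    ["socket", "connect", "write", "read", "close"],
    ["open", "fstat", "mmap", "read", "close"],
]


def demo():
    ids = HostIDS(n=3, threshold=0.5)
    ids.train("alice", ALICE_NORMAL)
    return {
        "normal": ids.classify("alice", ["open", "read", "write", "close"]),
        # same account, but a call pattern alice has never produced (masquerade)
        "masquerade": ids.classify("alice", ["open", "read", "unlink", "open", "unlink", "close"]),
        # obvious footprints, caught by signature regardless of the profile
        "brute": ids.classify("alice", ["auth_fail", "auth_fail", "auth_fail", "auth_ok"]),
        "exec": ids.classify("alice", ["socket", "connect", "execve", "write"]),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```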
Overall, this paper proposes the use of a custom IDS developed to counter threats to an automated substation, based on simulated attacks and a new method of analyzing the temporal risk of intrusion for an electric substation. Intrusion detection is quite an effective countermeasure that is still not deployed in IEC61850 networks, and it can actively counter attacks rather than passively blocking them at a firewall. Compared with a conventional computer network, the threats and countermeasures for such a network are quite different. Hence, the IDS for this network has to be built from experimental data based on packet sniffing and simulated attacks. The rules obtained from this data are then used by an IDS that can be deployed on a separate host mirrored to the gateway port, or on the gateway itself. Because of their limited processing power, present IEDs depend on simple and insecure protocols. Future work therefore has to focus on a proper security framework for IED design. Such a framework must serve as a guide to ideal security at a specific cost, and must also be capable of handling wireless extensions to the network [20].
Proposed approach of Increasing the Detection Effectiveness of Deception
Due to the increase in intrusions, the concept of network honeypots is becoming a dominant method for trapping and then decoding attack methods, particularly those of malicious attackers. The purpose of the present paper is to review the current state of honeypot technology and to describe an efficient framework that can improve the effectiveness of deceptive honeynets through the proper use of different deception strategies [11].
Correct deployment, monitoring, and analysis are important to help the system understand and adapt to attackers' different modes of operation, tools, and detailed work. In the present work, the theory and background will be used to produce a deception-based honeypot system. The present research has three main objectives:
1. To improve the deception levels presented to attackers in honeypot designs.
2. To improve the deceptive honeypot approach and test the effectiveness of the empirical learning approach.
3. To improve the ability to work with deceptive honeypots and to gather attack intelligence.
Research methodology of Increasing the Detection Effectiveness of Deception
The main purpose of using a honeypot system is to have its vulnerabilities exploited by hackers and the black-hat community. Such systems are used to learn the moves attackers make to compromise systems. A honeynet is a collection of multiple types of honeypot system connected in a common network. The whole honeypot network sits behind a firewall, which controls and captures the traffic [21].
The honeypot system works on Windows and Linux. It creates a realistic environment for attackers and generates mirror images of the standard systems on the organization's internal network; it is intended to be compromised by attackers through any kind of inbound and outbound traffic. Besides its advantages, a honeypot system used in an organization's internal network has some disadvantages [2]. The advantages include valuable data collection and analysis of attackers' movements within the system; the white-hat community can use the exposed systems to analyze the associated risk; and a honeypot system provides deterrence. The disadvantages are that the system is worthless if no attackers attack it, and that a honeypot can be lost across different platforms and other machines on other networks. The two critical elements of such a system are data capture and data control. Data control is the control of inbound and outbound data, and the system is responsible for identifying outside attacking activity [21]. The firewall acts as the access control device for the data control process. The transparent firewall works on three rules: exploitation of the honeypot system, firewall control for the Internet-facing system, and direct communication through the internal network, with critical data collection covering modification of the collected data. The data capture process captures all activity within the honeynet, including attackers' tactics, tools, and motives. In this system, deception is used for defensive purposes and consists of leveraging multiple servers and deception-based software known as honey [21]. Deception services are designed around IP service ports; the best-known example is Fred Cohen's Deception Tool Kit. Sometimes attackers are technically competent, can see through the deception, and defeat the defender's intelligence process. It is important to improve the honeypot design by starting from the original Deception Tool Kit (DTK). The effective strategy in this toolkit is to spread the deception over the last portion of the IP address range, which further increases the percentage of deception in the environment. It is important to configure the Ethernet card with numerous IP addresses along with MAC addresses. The deception process presents bogus TCP/IP fingerprints to attackers, and the attackers' intelligence probes are used to detect attacks on the honeypot system. Dunnigan and Nofi's classification scheme can be used to enhance the deceptive protection technique and to develop a safer mode of deception [15].
Camouflage is an artificial cover that makes the purpose of a system harder to identify. DTK services are used on different operating systems. Automated information is gathered through the Internet, and search engines and crawlers are provided in this environment to identify possible processes. Camouflage is successful at stopping attackers with limited skills. The baseline DTK script is provided as camouflage for the deception system. False and planted information is used to receive attackers: in this process, inaccurate information is provided to successful attackers. The system is used within Honeyd to understand intelligence capacities and operations with a TCP/IP fingerprint-modeled system. The display is provided by a fictional computer security organization that uses an indicator from DTK, IP port 365, as a deception port. One of the major drawbacks of a Honeyd and DTK deployment is its use of small-engine services with a highly evident deception port. The focus of the present study is to provide a reception for SMTP, SSH, POP3, Telnet, and FTP services [21]. Different things are provided for different identities, which drive the automated information available on the Internet; search engines and crawlers derive analyses of linguistic characteristics and patterns in postings. Camouflage is the successful technique for stopping attackers. One of the key processes for identifying studies and improving the baseline script is to provide a better deception system. In this system, the fictional computer security organization develops a different procedure to protect techniques and policies. The system is modeled to provide plausible bogus documents with a form of deception against advanced attacks. The whole system is designed to reduce the number of systems and services that are highly deceptive; it improves efficiency by reducing the number of services and proves more effective against attacker workloads [8].
Implementation of Increasing the Detection Effectiveness of Deception
The proposed framework in this research is developed to use empirical learning, and its main guiding principles are used throughout the research. The research will provide a range of quantitative data that can be used to enhance the detection efficiency of the system's deception services. The main approach used in the system is limited to testing the baseline deception system [8].
The baseline system will be configured with standard corporate services, namely the SMTP, SSH, FTP, POP3, and Telnet services provided through DTK, with the deception daemons in their default mode. The system will run on Linux, with a base server built on RedHat 7.3. Nessus and other vulnerability scanners will then be used to examine the baseline system and the decoy systems [21]. The group can be used to detect the pre-selected hackers along with the required information about the attacker systems. Detection can be boosted by improving the system once DTK is installed, and the effectiveness of DTK can then be tested. Most probably, the hackers would prefer to use the computer security system or the computer information taken from the system. According to the previously designed system, bogus information will be supplied to the computer system, and the attacker will access only that bogus information. The reason for proposing the system is its availability to users and its readily available approach. The default deception will be used to enhance the vulnerable tools, and the systems can be improved by using probes and vulnerability scanners against the pre-selected hackers. In this way, the deception can be enhanced, improving protection of the confidential system from attackers. Figure 1 shows the proposed conceptual framework diagram for improving deception services in any organizational system. The system can be used to improve the default system with probes that enhance the vulnerabilities and the deception level [11].
Figure 1: Proposed conceptual framework diagram
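The baseline described above is a set of port-based deception daemons for SMTP, SSH, POP3, Telnet and FTP that capture whatever a probe sends. As an added example, not DTK's or Honeyd's code, this is a minimal low-interaction version of that idea: one listener per decoy port sends a plausible banner, records every line the client sends as a JSON evidence record, and never lets a login succeed. The host name, banners and ports in the table are constructed; binding the real ports below 1024 requires root.

```python
"""Minimal low-interaction deception services in the spirit of DTK: each
listener sends a plausible banner, logs the probe, and answers every
command with a harmless canned reply. Added example; decoy identity and
banners are constructed."""
import asyncio
import json
import time

# Constructed decoy identity. Port numbers are the usual service ports;
# the banners imitate common servers but implement no real protocol.
DECOY_HOST = "mail01.example.internal"
SERVICES = {  # port: (name, banner, default reply to any command)
    21:  ("ftp",    f"220 {DECOY_HOST} FTP server ready\r\n", "530 Login incorrect.\r\n"),
    22:  ("ssh",    "SSH-2.0-OpenSSH_7.4\r\n",                 ""),
    23:  ("telnet", f"{DECOY_HOST} login: ",                    "Login incorrect\r\nlogin: "),
    25:  ("smtp",   f"220 {DECOY_HOST} ESMTP ready\r\n",        "250 OK\r\n"),
    110: ("pop3",   "+OK POP3 server ready\r\n",                "-ERR authentication failed\r\n"),
}


def banner_for(port):
    return SERVICES[port][1]


def reply_for(port, line):
    """Canned reply: the decoy never authenticates anyone, so credentials an
    attacker tries are captured but never work."""
    name, _, default = SERVICES[port]
    cmd = line.strip().split(" ", 1)[0].upper()
    if name == "smtp" and cmd == "QUIT":
        return "221 Bye\r\n"
    if name == "ftp" and cmd == "QUIT":
        return "221 Goodbye.\r\n"
    return default


def probe_record(port, peer, line):
    """Data capture: one JSON line per probe, the evidence an analyst keeps."""
    return json.dumps({"ts": int(time.time()), "port": port,
                       "service": SERVICES[port][0], "peer": peer,
                       "line": line.strip()[:200]}, sort_keys=True)


async def handle(port, reader, writer, log):
    peer = writer.get_extra_info("peername")
    peer = f"{peer[0]}:{peer[1]}" if peer else "unknown"
    writer.write(banner_for(port).encode())
    await writer.drain()
    try:
        while True:
            data = await asyncio.wait_for(reader.readline(), timeout=30)
            if not data:
                break
            line = data.decode("latin-1", "replace")
            log.append(probe_record(port, peer, line))
            reply = reply_for(port, line)
            if reply:
                writer.write(reply.encode())
                await writer.drain()
            if line.strip().upper().startswith("QUIT"):
                break
    except (asyncio.TimeoutError, ConnectionError):
        pass
    finally:
        writer.close()


async def serve(ports, log, host="0.0.0.0"):
    """Bind one listener per decoy port (ports below 1024 need root)."""
    servers = [await asyncio.start_server(
                   lambda r, w, p=port: handle(p, r, w, log), host, port)
               for port in ports]
    await asyncio.gather(*(s.serve_forever() for s in servers))


if __name__ == "__main__":
    probes = []
    try:
        asyncio.run(serve(SERVICES.keys(), probes))
    except KeyboardInterrupt:
        for rec in probes:  # dump captured evidence on shutdown
            print(rec)
```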
Conclusion on Increasing the Detection Effectiveness of Deception
In the present report, the research approach was to provide richer deception to attackers using an empirical learning approach, through a system that uses probes and attacks. The research can be used to implement a highly secure system, with evolving findings across different approaches. The focus of the system is to design a new phase. Testing of the system is based on analysis of the data and attack tools used by the attackers. The system designed in this research provides optimum outcomes for the pre-selected hackers' attacks, and the level of deception is then identified to improve the system. The coupled deceptive honeypot system can be regarded as an appropriate intrusion detection system. Firewalls are provided as a means of forwarding intelligence about the attackers and defending the system from external attackers. The proposed system will increase reaction speed, and the countermeasure time window will also be improved. In a nutshell, the proposed model can be used to increase detection effectiveness for the selected computer networks, and deception levels can be improved to keep data away from attackers.