PhantomFS-v2: Dare You to Avoid This Trap
- Authors
- Choi, Jione; Lee, Hwiwon; Park, Younggi; Kim, Huy Kang; Lee, Junghee; Kim, Youngjae; Lee, Gyuho; Shim, Shin-Woo; Kim, Taekyu
- Issue Date
- 2020
- Publisher
- IEEE-INST ELECTRICAL ELECTRONICS ENGINEERS INC
- Keywords
- Intrusion detection; Libraries; Monitoring; Penetration testing; Databases; Password; Deception technology; file system; honeypot
- Citation
- IEEE ACCESS, v.8, pp.198285 - 198300
- Indexed
- SCIE
SCOPUS
- Journal Title
- IEEE ACCESS
- Volume
- 8
- Start Page
- 198285
- End Page
- 198300
- URI
- https://scholar.korea.ac.kr/handle/2021.sw.korea/59041
- DOI
- 10.1109/ACCESS.2020.3034443
- ISSN
- 2169-3536
- Abstract
- It has been demonstrated that deception technologies are effective in detecting advanced persistent threats and zero-day attacks which cannot be detected by traditional signature-based intrusion detection techniques. Especially, a file-based deception technology is promising because it is very difficult (if not impossible) to commit an attack without reading and modifying any file. It can play as an additional security barrier because malicious file access can be detected even if an adversary succeeds in gaining access to a host. However, PhantomFS still has a problem that is common to deception technologies. Once a deception technology is known to adversaries, it is unlikely to succeed in alluring adversaries. In this paper, we classify adversaries who are aware of PhantomFS according to their knowledge level and permission of PhantomFS. Then we analyze the attack surface and develop a defense strategy to limit the attack vectors. We extend PhantomFS to realize the strategy. Specifically, we introduce multiple hidden interfaces and detection of file execution. We evaluate the security and performance overhead of the proposed technique. We demonstrate that the extended PhantomFS is secure against intelligent adversaries by penetration testing. The extended PhantomFS offers higher detection accuracy with lower false alarm rate compared to existing techniques. It is also demonstrated that the overhead is negligible in terms of response time and CPU time.
- Files in This Item
- There are no files associated with this item.
- Appears in
Collections - School of Cyber Security > Department of Information Security > 1. Journal Articles
Items in ScholarWorks are protected by copyright, with all rights reserved, unless otherwise indicated.