Fox in the Trap: Thwarting Masqueraders via Automated Decoy Document Deployment

Voris, Jonathan A.; Jermyn, Jill Louise; Boggs, Nathaniel Gordon; Stolfo, Salvatore

Organizations face a persistent challenge detecting malicious insiders as well as outside attackers who compromise legitimate credentials and then masquerade as insiders. No matter how good an organization’s perimeter defenses are, eventually they will be compromised or betrayed from the inside. Monitored decoy documents (honey files with enticing names and content) are a promising approach to aid in the detection of malicious masqueraders and insiders. In this paper, we present a new technique for decoy document distribution that can be used to improve the scalability of insider detection. We develop a placement application that automates the deployment of decoy documents, and we report on two user studies to evaluate its effectiveness. The first study indicates that our automated decoy distribution tool is capable of strategically placing decoy files in a way that offers comparable security to optimal manual deployment. In the second user study, we measure the frequency with which normal users access decoy documents on their own systems and show that decoy files do not significantly interfere with normal user tasks.



Also Published In

Proceedings of the Eighth European Workshop on System Security

More About This Work

Academic Units
Computer Science
Published Here
July 14, 2015


Presented at the European Workshop on System Security (EuroSec); 2015.