Baiting Inside Attackers Using Decoy Documents

Bowen, Brian M.; Hershkop, Shlomo; Keromytis, Angelos D.; Stolfo, Salvatore

The insider threat remains one of the most vexing problems in computer security. A number of approaches have been proposed to detect nefarious insider actions including user modeling and profiling techniques, policy and access enforcement techniques, and misuse detection. In this work we propose trap-based defense mechanisms for the case where insiders attempt to exfiltrate and use sensitive information. Our goal is to confuse and confound the attacker requiring far more effort to identify real information from bogus information and to provide a means of detecting when an inside attacker attempts to exploit sensitive information. "Decoy Documents" are automatically generated and stored on a file system with the aim of enticing a malicious insider to open and review the contents of the documents. The decoy documents contain several different types of bogus credentials that when used, trigger an alert. We also embed "stealthy beacons" inside the documents that cause a signal to be emitted to a server indicating when and where the particular decoy was opened. We evaluate decoy documents on honeypots penetrated by attackers demonstrating the feasibility of the method.



Also Published In

Security and Privacy in Communication Networks: 5th International ICST Conference, SecureComm 2009, Athens, Greece, September 14-18, 2009: Revised Selected Papers

More About This Work

Academic Units
Computer Science
Department of Computer Science, Columbia University
Columbia University Computer Science Technical Reports, CUCS-016-09
Published Here
July 15, 2010