CERIAS Tech Report 2015-11 Using Deception to Enhance Security: A Taxonomy, Model, and Novel Uses

Almeshekah, Mohammed H. PhD, Purdue University, August 2015. Using Deception to Enhance Security: A Taxonomy, Model, and Novel Uses. Major Professors: Eugene H. Spafford and Mikhail J. Atallah. As the convergence between our physical and digital worlds continue at a rapid pace, securing our digital information is vital to our prosperity. Most current typi­ cal computer systems are unwittingly helpful to attackers through their predictable responses. In everyday security, deception plays a prominent role in our lives and digital security is no different. The use of deception has been a cornerstone technique in many successful computer breaches. Phishing, social engineering, and drive-by­ downloads are some prime examples. The work in this dissertation is structured to enhance the security of computer systems by using means of deception and deceit. Deception-based security mechanisms focus on altering adversaries’ perception of computer systems in a way that can confuse them and waste their time and resources. These techniques exploit adversaries’ biases and present them with a plausible alter­ native to the truth bringing a number of unique advantages to computer security. In addition, deception has been widely used in many areas of computing for decades and security is no different. However, deception has only been used haphazardly in computer security. In this dissertation we present a framework where deception can be planned and in­ tegrated into computer defenses. We posit how the well-known Kerckhoffs’s principle has been misinterpreted to drive the security community away from deception-based mechanisms. We present two schemes that employ deception to protect users’ pass­ words during transmission and at rest when they are stored on a computer server. Moreover, we designed and built a centralized deceptive server that can be hooked to