Core Concepts
An optimization-based decoy allocation scheme that maximizes the number of attack paths intercepted by decoys within a fixed resource budget.
Abstract
The key highlights and insights from the content are:
Cyber deception can be a valuable addition to traditional cyber defense mechanisms, especially for modern cloud-native environments with a fading security perimeter. However, pre-built decoys used in classical computer networks are not effective in detecting and mitigating malicious actors due to their inability to blend with the variety of applications in such environments.
The authors propose a novel optimization-based decoy allocation scheme for cloud-native microservice architectures. They design a metric to evaluate the decoy effectiveness in luring attacks according to the attack graph structure, which models the admissible lateral movements of an attacker between microservices.
The authors formulate an integer non-linear optimization problem that maximizes the number of attack paths intercepted by the allocated decoys within a fixed resource budget. They also design a heuristic decoy placement algorithm to approximate the optimal solution and overcome the computational complexity of the proposed formulation.
The authors evaluate the performance of the optimal and heuristic solutions against other schemes that use local vulnerability metrics to select which microservices to clone as decoys. The results show that the proposed allocation strategy achieves a higher number of intercepted attack paths compared to these schemes while requiring approximately the same number of decoys.
The authors address the challenge of balancing the number of decoys against the resource usage they incur and the impact of the decoy allocation strategy on the original microservice deployment.
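The budgeted placement problem described above, as an added example that is not the authors' formulation or heuristic: a greedy coverage-per-cost placement compared with exhaustive search on a small constructed attack graph. The graph, the cloning costs, the entry and target nodes, and the rule that a path counts as intercepted when it traverses a cloned microservice are all assumptions made for illustration.

```python
from itertools import combinations

# Constructed attack graph: edges are admissible lateral movements between microservices.
EDGES = {
    "gateway": ["auth", "catalog"], "auth": ["orders", "users"],
    "catalog": ["orders", "search"], "orders": ["payments", "db"],
    "users": ["db"], "search": ["db"], "payments": ["db"], "db": [],
}
# Constructed resource cost of cloning each microservice as a decoy (arbitrary units).
COST = {"auth": 2, "catalog": 2, "orders": 3, "users": 1, "search": 1, "payments": 2}

def attack_paths(edges, entry, target):
    """Enumerate every simple path from entry to target with an iterative DFS."""
    stack, paths = [[entry]], []
    while stack:
        path = stack.pop()
        if path[-1] == target:
            paths.append(tuple(path))
            continue
        for nxt in edges[path[-1]]:
            if nxt not in path:
                stack.append(path + [nxt])
    return paths

def intercepted(paths, decoys):
    """Assumption: a path is intercepted if it traverses a service cloned as a decoy."""
    return sum(1 for p in paths if any(s in decoys for s in p))

def greedy_placement(paths, cost, budget):
    """Repeatedly add the affordable decoy with the best newly-intercepted-paths per cost."""
    chosen, left = set(), budget
    while True:
        base = intercepted(paths, chosen)
        best = max(
            (s for s in cost if s not in chosen and cost[s] <= left),
            key=lambda s: ((intercepted(paths, chosen | {s}) - base) / cost[s], s),
            default=None,
        )
        if best is None or intercepted(paths, chosen | {best}) == base:
            return chosen  # nothing affordable adds coverage
        chosen.add(best)
        left -= cost[best]

def optimal_placement(paths, cost, budget):
    """Exhaustive reference solution; exponential, so only usable on small graphs."""
    subsets = (set(c) for r in range(len(cost) + 1) for c in combinations(sorted(cost), r))
    feasible = [d for d in subsets if sum(cost[s] for s in d) <= budget]
    return max(feasible, key=lambda d: intercepted(paths, d))

PATHS = attack_paths(EDGES, "gateway", "db")
```

On this graph the greedy choice matches the exhaustive optimum at budgets 3 and 4; that is a property of the constructed input, not a general guarantee.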