Active Deception using Factored Interactive POMDPs to Recognize Cyber Attacker's Intent
This work addresses the challenge of improving cybersecurity defense by actively engaging attackers to learn their intent, representing an incremental advance over prior deception methods focused on delay or confusion.
The paper tackles the problem of recognizing a cyber adversary's intent by using deception in a sequential decision-making context, introducing factored interactive POMDPs (I-POMDPx) to model multiple attacker types and phases, with experiments showing significantly better intent recognition compared to common honeypot strategies.
This paper presents an intelligent and adaptive agent that employs deception to recognize a cyber adversary's intent. Unlike previous approaches to cyber deception, which mainly focus on delaying or confusing the attackers, we focus on engaging with them to learn their intent. We model cyber deception as a sequential decision-making problem in a two-agent context. We introduce factored finitely nested interactive POMDPs (I-POMDPx) and use this framework to model the problem with multiple attacker types. Our approach models cyber attacks on a single honeypot host across multiple phases from the attacker's initial entry to reaching its adversarial objective. The defending I-POMDPx-based agent uses decoys to engage with the attacker at multiple phases to form increasingly accurate predictions of the attacker's behavior and intent. The use of I-POMDPs also enables us to model the adversary's mental state and investigate how deception affects their beliefs. Our experiments in both simulation and on a real host show that the I-POMDPx-based agent performs significantly better at intent recognition than commonly used deception strategies on honeypots.