AGrO-Fake: optimal Attack Graph Obfuscation using Fake vulnerabilities

Hadar Polad, Rami Puzis, Bracha Shapira

Following initial penetration into the victim’s network, adversaries usually explore environment in an attempt to discover the network topology and vulnerabilities in the victim’s hosts. Attack graphs are used to model the paths of an attacker within the victim’s network making his/her way towards the goal. Falsifying the information collected by the adversary may significantly slow down lateral movement and increase the amount of noise generated by the attacker within the victim’s network. This in turn will ease on his/her detection. Fake vulnerabilities deployed within the enterprise network can obfuscate the attack graph observed by the adversary. Heuristic search algorithms are used to optimize the assignments of fake vulnerabilities in terms of the maximal negative impact of the attack cost. According to computational experiments conducted on a real large-scale network the proposed deception-based defense can increase the number of attack actions required to reach a goal by more that 100% with only 2-5 fake vulnerabilities.