Deceiving Adversary Network Scanning Efforts Using Host-Based Deception

摘要

In this research, we demonstrate the usefulness of manipulating system traffic to deceive an attacker's operating system (OS) fingerprinting as part of their network scanning efforts. Specifically, we address whether host- based OS obfuscation has merit and application as an integral part of Air Force network defense and whether the technique warrants further research and application development. We accomplish this objective through a literature review and a proof of concept evaluation of a selected OS obfuscation tool against selected OS fingerprinting tools under current Air Force network configuration. Our focus areas in the literature review include how to characterize the scanning phase of an adversary attack, a survey of current OS fingerprinting and obfuscation tools, and a description of current AF network concepts. To evaluate the effectiveness of a candidate OS tool, we set up an experimental network environment that simulates adversarial network scanning. The results of our study are as follows: (1) current OS obfuscation tools designed for Windows OS are capable of providing some OS obfuscation on AF networks; (2) current tools need to be evaluated for their impact on network maintenance tools and processes, to include future initiatives like IPv6; and (3) current tools need to improve OS fingerprints and add options to force inconclusive results from fingerprinting tools.