Cyber attacks on both databases and critical infrastructure have threatenedpublic and private sectors. Meanwhile, ubiquitous tracking and wearablecomputing have infringed upon privacy. Advocates and engineers have recentlyproposed using defensive deception as a means to leverage the informationasymmetry typically enjoyed by attackers as a tool for defenders. The termdeception, however, has been employed broadly and with a variety of meanings.In this paper, we survey 24 articles from 2007-2017 that use game theory tomodel defensive deception for cybersecurity and privacy. Then we propose ataxonomy that defines six types of deception: perturbation, moving targetdefense, obfuscation, mixing, honey-x, and attacker engagement. These types aredelineated by their incentive structures, agents, actions, and duration:precisely concepts captured by game theory. Our aims are to rigorously definetypes of defensive deception, to capture a snapshot of the state of theliterature, to provide a menu of models which can be used for applied research,and to identify promising areas for future work. Our taxonomy provides asystematic foundation for understanding different types of defensive deceptioncommonly encountered in cybersecurity and privacy.
展开▼
