IEEE Access (Jan 2020)

PhantomFS-v2: Dare You to Avoid This Trap

  • Jione Choi,
  • Hwiwon Lee,
  • Younggi Park,
  • Huy Kang Kim,
  • Junghee Lee,
  • Youngjae Kim,
  • Gyuho Lee,
  • Shin-Woo Shim,
  • Taekyu Kim

DOI
https://doi.org/10.1109/ACCESS.2020.3034443
Journal volume & issue
Vol. 8
pp. 198285 – 198300

Abstract

Read online

It has been demonstrated that deception technologies are effective in detecting advanced persistent threats and zero-day attacks which cannot be detected by traditional signature-based intrusion detection techniques. Especially, a file-based deception technology is promising because it is very difficult (if not impossible) to commit an attack without reading and modifying any file. It can play as an additional security barrier because malicious file access can be detected even if an adversary succeeds in gaining access to a host. However, PhantomFS still has a problem that is common to deception technologies. Once a deception technology is known to adversaries, it is unlikely to succeed in alluring adversaries. In this paper, we classify adversaries who are aware of PhantomFS according to their knowledge level and permission of PhantomFS. Then we analyze the attack surface and develop a defense strategy to limit the attack vectors. We extend PhantomFS to realize the strategy. Specifically, we introduce multiple hidden interfaces and detection of file execution. We evaluate the security and performance overhead of the proposed technique. We demonstrate that the extended PhantomFS is secure against intelligent adversaries by penetration testing. The extended PhantomFS offers higher detection accuracy with lower false alarm rate compared to existing techniques. It is also demonstrated that the overhead is negligible in terms of response time and CPU time.

Keywords