{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,25]],"date-time":"2025-10-25T14:22:51Z","timestamp":1761402171406,"version":"3.41.0"},"reference-count":49,"publisher":"Association for Computing Machinery (ACM)","issue":"4","license":[{"start":{"date-parts":[[2021,10,15]],"date-time":"2021-10-15T00:00:00Z","timestamp":1634256000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"name":"UK Defence Science and Technology Laboratory"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["Digital Threats"],"published-print":{"date-parts":[[2021,12,31]]},"abstract":"<jats:p>\n            In this article, we propose a novel method that aims to improve upon existing moving-target defences by making them unpredictably reactive using probabilistic decision-making. We postulate that unpredictability can improve network defences in two key capacities: (1) by re-configuring the network in direct response to detected threats, tailored to the current threat and a security posture, and (2) by deceiving adversaries using pseudo-random decision-making (selected from an acceptable set of responses), potentially leading to adversary delay and failure. Decisions are performed automatically, based on reported events (e.g.,\n            <jats:bold>Intrusion Detection System (IDS)<\/jats:bold>\n            alerts), security posture, mission processes, and states of assets. Using this codified form of situational awareness, our system can respond differently to threats each time attacker activity is observed, acting as a barrier to further attacker activities. We demonstrate feasibility with both anomaly- and misuse-based detection alerts, for a historical dataset (playback), and a real-time network simulation where asset-to-mission mappings are known. 
Our findings suggest that unpredictability yields promise as a new approach to deception in laboratory settings. Further research will be necessary to explore unpredictability in production environments.\n          <\/jats:p>","DOI":"10.1145\/3450973","type":"journal-article","created":{"date-parts":[[2021,10,17]],"date-time":"2021-10-17T01:40:14Z","timestamp":1634434814000},"page":"1-26","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":7,"title":["Deception in Network Defences Using Unpredictability"],"prefix":"10.1145","volume":"2","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-0860-5130","authenticated-orcid":false,"given":"Jassim","family":"Happa","sequence":"first","affiliation":[{"name":"Information Security Group, Royal Holloway, University of London, UK"}]},{"given":"Thomas","family":"Bashford-Rogers","sequence":"additional","affiliation":[{"name":"Department of Computer Science and Creative Technologies, University of the West of England, Bristol, UK"}]},{"given":"Alastair Janse","family":"Van Rensburg","sequence":"additional","affiliation":[{"name":"Department of Computer Science, University of Oxford, UK"}]},{"given":"Michael","family":"Goldsmith","sequence":"additional","affiliation":[{"name":"Department of Computer Science, University of Oxford, UK"}]},{"given":"Sadie","family":"Creese","sequence":"additional","affiliation":[{"name":"Department of Computer Science, University of Oxford, UK"}]}],"member":"320","published-online":{"date-parts":[[2021,10,15]]},"reference":[{"key":"e_1_3_3_2_2","doi-asserted-by":"publisher","DOI":"10.1109\/CSAC.2003.1254322"},{"key":"e_1_3_3_3_2","doi-asserted-by":"crossref","first-page":"158","DOI":"10.1145\/2799979.2799999","volume-title":"Proceedings of the 8th International Conference on Security of Information and Networks","author":"Vasilomanolakis Emmanouil","year":"2015","unstructured":"Emmanouil Vasilomanolakis, Shankar Karuppayah, Panayotis Kikiras, 
and Max M\u00fchlh\u00e4user. 2015. A honeypot-driven cyber incident monitor: Lessons learned and steps ahead. In Proceedings of the 8th International Conference on Security of Information and Networks. ACM, 158\u2013164."},{"key":"e_1_3_3_4_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-1-4614-0977-9"},{"key":"e_1_3_3_5_2","doi-asserted-by":"crossref","first-page":"31","DOI":"10.1145\/2663474.2663479","volume-title":"Proceedings of the 1st ACM Workshop on Moving Target Defense","author":"Zhuang Rui","year":"2014","unstructured":"Rui Zhuang, Scott A. DeLoach, and Xinming Ou. 2014. Towards a theory of moving target defense. In Proceedings of the 1st ACM Workshop on Moving Target Defense. ACM, 31\u201340."},{"key":"e_1_3_3_6_2","volume-title":"Proceedings of the USENIX.","author":"Sun Ruimin","year":"2015","unstructured":"Ruimin Sun, Matt Bishop, Natalie C. Ebner, Daniela Oliveira, and Donald E. Porter. 2015. The case for unpredictability and deception as os features. In Proceedings of the USENIX."},{"key":"e_1_3_3_7_2","volume-title":"Proceedings of the 15th Workshop on Hot Topics in Operating Systems","author":"Sun Ruimin","year":"2015","unstructured":"Ruimin Sun, Donald E. Porter, Daniela Oliveira, and Matt Bishop. 2015. The case for less predictable operating system behavior. In Proceedings of the 15th Workshop on Hot Topics in Operating Systems (HotOS \\lbraceXV\\rbrace)."},{"key":"e_1_3_3_8_2","unstructured":"Stephen A. White. 2004. Introduction to BPMN. IBM Cooperation."},{"key":"e_1_3_3_9_2","doi-asserted-by":"publisher","DOI":"10.1002\/sec.242"},{"key":"e_1_3_3_10_2","doi-asserted-by":"publisher","DOI":"10.1145\/2683467.2683482"},{"key":"e_1_3_3_11_2","article-title":"Deceiving end-to-end deep learning malware detectors using adversarial examples","author":"Kreuk Felix","year":"2018","unstructured":"Felix Kreuk, Assi Barak, Shir Aviv-Reuven, Moran Baruch, Benny Pinkas, and Joseph Keshet. 2018. 
Deceiving end-to-end deep learning malware detectors using adversarial examples. arXiv:1802.04528. Retrieved from https:\/\/arxiv.org\/abs\/1802.04528.","journal-title":"arXiv:1802.04528"},{"key":"e_1_3_3_12_2","first-page":"1","volume-title":"Proceedings of the USENIX Security Symposium","volume":"173","author":"Provos Niels","year":"2004","unstructured":"Niels Provos et\u00a0al. 2004. A virtual honeypot framework. In Proceedings of the USENIX Security Symposium, Vol. 173. 1\u201314."},{"key":"e_1_3_3_13_2","doi-asserted-by":"publisher","DOI":"10.1504\/IJICS.2010.031858"},{"key":"e_1_3_3_14_2","doi-asserted-by":"publisher","DOI":"10.1145\/1947940.1948065"},{"key":"e_1_3_3_15_2","first-page":"208","volume-title":"Proceedings of the 2015 10th International Conference for Internet Technology and Secured Transactions","author":"Campbell Ronald M.","year":"2015","unstructured":"Ronald M. Campbell, Keshnee Padayachee, and Themba Masombuka. 2015. A survey of honeypot research: Trends and opportunities. In Proceedings of the 2015 10th International Conference for Internet Technology and Secured Transactions (ICITST\u201915). IEEE, 208\u2013212."},{"key":"e_1_3_3_16_2","article-title":"A survey on honeypot software and data analysis","author":"Nawrocki Marcin","year":"2016","unstructured":"Marcin Nawrocki, Matthias W\u00e4hlisch, Thomas C. Schmidt, Christian Keil, and Jochen Sch\u00f6nfelder. 2016. A survey on honeypot software and data analysis. arXiv:1608.06249. Retrieved from https:\/\/arxiv.org\/abs\/1608.06249.","journal-title":"arXiv:1608.06249"},{"key":"e_1_3_3_17_2","doi-asserted-by":"publisher","DOI":"10.1631\/FITEE.1601321"},{"key":"e_1_3_3_18_2","doi-asserted-by":"publisher","DOI":"10.1007\/s11390-019-1906-z"},{"key":"e_1_3_3_19_2","article-title":"6 Ways to Deceive Cyber Attackers","author":"Ferreira Jose","year":"2018","unstructured":"Jose Ferreira, Anne Grahn, Jason Nelson, David O\u2019Leary, and David Poarch. 2018. 6 Ways to Deceive Cyber Attackers. 
Retrieved from https:\/\/edge.siriuscom.com\/security\/6-ways-to-deceive-cyber-attackers.","journal-title":"https:\/\/edge.siriuscom.com\/security\/6-ways-to-deceive-cyber-attackers"},{"key":"e_1_3_3_20_2","first-page":"272","volume-title":"Proceedings of the Human Factors and Ergonomics Society Annual Meeting","volume":"62","author":"Gutzwiller Robert","year":"2018","unstructured":"Robert Gutzwiller, Kimberly Ferguson-Walter, Sunny Fugate, and Andrew Rogers. 2018. \u201d\u201doh, look, a butterfly!? a framework for distracting attackers to improve cyber defense. In Proceedings of the Human Factors and Ergonomics Society Annual Meeting, Vol. 62. SAGE Publications, Thousand Oaks, CA, 272\u2013276."},{"key":"e_1_3_3_21_2","first-page":"388","volume-title":"Proceedings of the 2016 IEEE 27th International Symposium on Software Reliability Engineering","author":"Sun Ruimin","year":"2016","unstructured":"Ruimin Sun, Andrew Lee, Aokun Chen, Donald E. Porter, Matt Bishop, and Daniela Oliveira. 2016. Bear: A framework for understanding application sensitivity to os (mis) behavior. In Proceedings of the 2016 IEEE 27th International Symposium on Software Reliability Engineering (ISSRE\u201916). IEEE, 388\u2013399."},{"key":"e_1_3_3_22_2","first-page":"123","volume-title":"Proceedings of the 2017 IEEE Conference on Dependable and Secure Computing","author":"Sun Ruimin","year":"2017","unstructured":"Ruimin Sun, Xiaoyong Yuan, Andrew Lee, Matt Bishop, Donald E. Porter, Xiaolin Li, Andre Gregio, and Daniela Oliveira. 2017. The dose makes the poison\u2014Leveraging uncertainty for effective malware detection. In Proceedings of the 2017 IEEE Conference on Dependable and Secure Computing. 
IEEE, 123\u2013130."},{"key":"e_1_3_3_23_2","doi-asserted-by":"publisher","DOI":"10.5555\/894210"},{"key":"e_1_3_3_24_2","doi-asserted-by":"crossref","first-page":"12\u2013es","DOI":"10.1145\/1190455.1190467","volume-title":"Proceeding from the 2006 Workshop on ns-2: the IP Network Simulator","author":"Lacage Mathieu","year":"2006","unstructured":"Mathieu Lacage and Thomas R. Henderson. 2006. Yet another network simulator. In Proceeding from the 2006 Workshop on ns-2: the IP Network Simulator. 12\u2013es."},{"key":"e_1_3_3_25_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-12331-3_2"},{"key":"e_1_3_3_26_2","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1007\/978-0-387-71760-9","volume-title":"Introduction to Network Simulator NS2","author":"Issariyakul Teerawat","year":"2009","unstructured":"Teerawat Issariyakul and Ekram Hossain. 2009. Introduction to network simulator 2 (NS2). In Introduction to Network Simulator NS2. Springer, 1\u201318."},{"key":"e_1_3_3_27_2","doi-asserted-by":"publisher","DOI":"10.1145\/1374512.1374522"},{"key":"e_1_3_3_28_2","first-page":"145","volume-title":"Proceedings of the 1st Annual IEEE Communications Society Conference on Sensor and Ad Hoc Communications and Networks","author":"Polley Jonathan","year":"2004","unstructured":"Jonathan Polley, Dionysus Blazakis, Jonathan McGee, Daniel Rusk, and John S Baras. 2004. ATEMU: A fine-grained sensor network simulator. In Proceedings of the 1st Annual IEEE Communications Society Conference on Sensor and Ad Hoc Communications and Networks (SECON\u201904). IEEE, 145\u2013152."},{"key":"e_1_3_3_29_2","doi-asserted-by":"publisher","DOI":"10.1007\/0-387-23466-7_13"},{"key":"e_1_3_3_30_2","first-page":"221","volume-title":"Proceedings of the 37th Annual Simulation Symposium.","author":"Sundresh Sameer","year":"2004","unstructured":"Sameer Sundresh, Wooyoung Kim, and Gul Agha. 2004. SENS: A sensor, environment and network simulator. 
In Proceedings of the 37th Annual Simulation Symposium. IEEE, 221\u2013228."},{"key":"e_1_3_3_31_2","doi-asserted-by":"publisher","DOI":"10.1109\/MCOM.2013.6588659"},{"key":"e_1_3_3_32_2","article-title":"On generating network traffic datasets with synthetic attacks for intrusion detection","author":"Cordero Carlos Garcia","year":"2019","unstructured":"Carlos Garcia Cordero, Emmanouil Vasilomanolakis, Aidmar Wainakh, Max M\u00fchlh\u00e4user, and Simin Nadjm-Tehrani. 2019. On generating network traffic datasets with synthetic attacks for intrusion detection. arXiv:1905.00304. Retrieved from https:\/\/arxiv.org\/abs\/1905.00304.","journal-title":"arXiv:1905.00304"},{"key":"e_1_3_3_33_2","article-title":"A survey of network-based intrusion detection data sets","author":"Ring Markus","year":"2019","unstructured":"Markus Ring, Sarah Wunderlich, Deniz Scheuring, Dieter Landes, and Andreas Hotho. 2019. A survey of network-based intrusion detection data sets. Comput. Secur. 86 (2019), 147\u2013167.","journal-title":"Comput. Secur."},{"key":"e_1_3_3_34_2","article-title":"Machine learning in cyber-security-problems, challenges and data sets","author":"Amit Idan","year":"2018","unstructured":"Idan Amit, John Matherly, William Hewlett, Zhi Xu, Yinnon Meshi, and Yigal Weinberger. 2018. Machine learning in cyber-security-problems, challenges and data sets. arXiv:1812.07858. Retrieved from https:\/\/arxiv.org\/abs\/1812.07858.","journal-title":"arXiv:1812.07858"},{"key":"e_1_3_3_35_2","article-title":"Microsoft malware classification challenge","author":"Ronen Royi","year":"2018","unstructured":"Royi Ronen, Marian Radu, Corina Feuerstein, Elad Yom-Tov, and Mansour Ahmadi. 2018. Microsoft malware classification challenge. arXiv:1802.10135. Retrieved from https:\/\/arxiv.org\/abs\/1802.10135.","journal-title":"arXiv:1802.10135"},{"key":"e_1_3_3_36_2","article-title":"The UCI KDD Archive","author":"Hettich S.","year":"1999","unstructured":"S. Hettich and S. D. Bay. 1999. 
The UCI KDD Archive. University of California, Department of Information and Computer Science.","journal-title":"University of California, Department of Information and Computer Science."},{"key":"e_1_3_3_37_2","doi-asserted-by":"crossref","first-page":"12","DOI":"10.1109\/DISCEX.2000.821506","volume-title":"Proceedings of the DARPA Information Survivability Conference and Exposition","volume":"2","author":"Lippmann Richard P.","year":"2000","unstructured":"Richard P. Lippmann, David J. Fried, Isaac Graf, Joshua W. Haines, Kristopher R. Kendall, David McClung, Dan Weber, Seth E. Webster, Dan Wyschogrod, Robert K. Cunningham, et\u00a0al. 2000. Evaluating intrusion detection systems: The 1998 DARPA off-line intrusion detection evaluation. In Proceedings of the DARPA Information Survivability Conference and Exposition (DISCEX\u201900), Vol. 2. IEEE, 12\u201326."},{"key":"e_1_3_3_38_2","doi-asserted-by":"crossref","unstructured":"Melissa J. M. Turcotte Alexander D. Kent and Curtis Hash. 2019. Unified host and network data set. In Data Science for Cyber-Security . World Scientific 1\u201322.","DOI":"10.1142\/9781786345646_001"},{"issue":"2","key":"e_1_3_3_39_2","first-page":"28","article-title":"Friend or faux: Deception for cyber defense","volume":"16","author":"Ferguson-Walter Kimberly J.","year":"2017","unstructured":"Kimberly J. Ferguson-Walter, Dana S. LaFon, and T. B. Shade. 2017. Friend or faux: Deception for cyber defense. J. Inf. Warfare 16, 2 (2017), 28\u201342.","journal-title":"J. Inf. Warfare"},{"key":"e_1_3_3_40_2","volume-title":"The Tularosa Study: An Experimental Design and Implementation to Quantify the Effectiveness of Cyber Deception.","author":"Ferguson-Walter Kimberly","year":"2018","unstructured":"Kimberly Ferguson-Walter, Temmie Shade, Andrew Rogers, Michael Christopher Stefan Trumbo, Kevin S. Nauer, Kristin Marie Divis, Aaron Jones, Angela Combs, and Robert G. Abbott. 2018. 
The Tularosa Study: An Experimental Design and Implementation to Quantify the Effectiveness of Cyber Deception.Technical Report. Sandia National Laboratory, Albuquerque, NM. DOI:http:\/\/dx.doi.org\/10.24251\/HICSS.2019.874"},{"key":"e_1_3_3_41_2","article-title":"OpenC2","author":"Command Open","year":"2016","unstructured":"Open Command and Control (OpenC2) Language Description Document. 2016. OpenC2. Retrieved from http:\/\/openc2.org\/.","journal-title":"http:\/\/openc2.org\/"},{"key":"e_1_3_3_42_2","article-title":"CRATE\u2014Cyber Range And Training Environment","author":"Agency Swedish Defence Research","year":"2010","unstructured":"Swedish Defence Research Agency. 2010. CRATE\u2014Cyber Range And Training Environment. Retrieved from https:\/\/www.foi.se\/en\/our-knowledge\/information-security-and-communication\/information-security\/labs-and-resources\/crate---cyber-range-and-training-environment.html.","journal-title":"https:\/\/www.foi.se\/en\/our-knowledge\/information-security-and-communication\/information-security\/labs-and-resources\/crate---cyber-range-and-training-environment.html"},{"key":"e_1_3_3_43_2","doi-asserted-by":"crossref","first-page":"610","DOI":"10.1214\/aoms\/1177706645","article-title":"A note on the generation of random normal deviates","volume":"2","author":"Box G. E. P.","year":"1958","unstructured":"G. E. P. Box and Mervin E. Muller. 1958. A note on the generation of random normal deviates. Ann. Math. Stat. 2, 29 (1958), 610\u2013611.","journal-title":"Ann. Math. Stat."},{"key":"e_1_3_3_44_2","article-title":"The Perfect Spy for Model-checking Crypto-protocols","author":"Roscoe Bill","year":"1997","unstructured":"Bill Roscoe. 1997. The Perfect Spy for Model-checking Crypto-protocols. 
Technical Report.","journal-title":"Technical Report"},{"key":"e_1_3_3_45_2","first-page":"1","article-title":"Standardizing cyber threat intelligence information with the structured threat information expression (STIX)","volume":"11","author":"Barnum Sean","year":"2012","unstructured":"Sean Barnum. 2012. Standardizing cyber threat intelligence information with the structured threat information expression (STIX). MITRE Corp. 11 (2012), 1\u201322.","journal-title":"MITRE Corp."},{"key":"e_1_3_3_46_2","doi-asserted-by":"publisher","DOI":"10.1145\/2994539.2994542"},{"key":"e_1_3_3_47_2","volume-title":"Proceedings of the OASIS & FIRST Borderless Cyber Conference and Technical Symposium","author":"Happa Jassim","year":"2017","unstructured":"Jassim Happa. 2017. Protective: A European-wide NREN cyber threat intelligence sharing platform\u2014Lessons learnt to date. In Proceedings of the OASIS & FIRST Borderless Cyber Conference and Technical Symposium. (2017)."},{"issue":"1","key":"e_1_3_3_48_2","first-page":"26","article-title":"Formalising policies for insider-threat detection: A tripwire grammar.","volume":"8","author":"Agrafiotis Ioannis","year":"2017","unstructured":"Ioannis Agrafiotis, Arnau Erola, Michael Goldsmith, and Sadie Creese. 2017. Formalising policies for insider-threat detection: A tripwire grammar.J. Wireless Mobile Netw. Ubiq. Comput. Depend. Appl. 8, 1 (2017), 26\u201343.","journal-title":"J. Wireless Mobile Netw. Ubiq. Comput. Depend. Appl."},{"key":"e_1_3_3_49_2","first-page":"1729","volume-title":"Advances in Neural Information Processing Systems","author":"Norouzi Mohammad","year":"2015","unstructured":"Mohammad Norouzi, Maxwell Collins, Matthew A. Johnson, David J. Fleet, and Pushmeet Kohli. 2015. Efficient non-greedy optimization of decision trees. In Advances in Neural Information Processing Systems. 
1729\u20131737."},{"key":"e_1_3_3_50_2","volume-title":"Proceedings of the 17th International Conference on Computers: Recent Advances in Computer Science","author":"K\u00e1cha Pavel","year":"2013","unstructured":"Pavel K\u00e1cha. 2013. IDEA: Designing the data model for security event exchange. In Proceedings of the 17th International Conference on Computers: Recent Advances in Computer Science."}],"container-title":["Digital Threats: Research and Practice"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3450973","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3450973","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T17:49:24Z","timestamp":1750268964000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3450973"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,10,15]]},"references-count":49,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2021,12,31]]}},"alternative-id":["10.1145\/3450973"],"URL":"https:\/\/doi.org\/10.1145\/3450973","relation":{},"ISSN":["2692-1626","2576-5337"],"issn-type":[{"type":"print","value":"2692-1626"},{"type":"electronic","value":"2576-5337"}],"subject":[],"published":{"date-parts":[[2021,10,15]]},"assertion":[{"value":"2020-07-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2021-02-01","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2021-10-15","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}