Thoughts about Security by Deception with Emulation September 29, 2008
Posted by miaojiang in Security by Deception. Tags: Deception, Emulation
Thanks to my advisor, who recommended an interesting blog post to me today; it inspired some thoughts of my own.
Deception with emulation is a very good way to protect our systems. Earlier security strategies were designed to keep the attacker outside our systems; they are sometimes powerful, but they may also tempt the attacker to invest more effort in breaking in. Deception with emulation, by contrast, can make attackers feel that they have succeeded and stop attacking voluntarily. It is better to pierce the balloon and let the air out than to keep inflating it until it explodes.
But there are some issues we should consider when applying emulation.
First, how do we make the fake system look like a real one? The blog post said that if the response tied to an IP address is made variable, the attacker can never tell whether it is an emulated shell or a real system. However, if we simply generate some information once and store it in the emulated system, the attacker will find next time that the data is the same as last time. So we should regenerate data regularly to keep the fake system looking dynamic, and to accomplish this the quality of the generated data is important.
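As an added illustration of the "regenerate data regularly" idea (this is example code, not from this post or the blog it cites), the sketch below emulates an orders table whose rows accumulate at a steady rate between visits but never change once they have been shown, so repeated visits see a table that grows plausibly instead of a frozen snapshot. The seed, the order rate and the field ranges are constructed values.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed seed for this example only; a real deployment would hold its own secret.
HONEYPOT_SEED = b"example-honeypot-seed-not-a-real-secret"


def _prf(*parts: str) -> int:
    """Deterministic pseudo-random 64-bit integer derived from the seed and the parts.
    Keyed derivation means the same row index always yields the same row, so data
    already observed by a visitor stays stable on the next visit."""
    msg = "|".join(parts).encode()
    return int.from_bytes(hmac.new(HONEYPOT_SEED, msg, hashlib.sha256).digest()[:8], "big")


def fake_orders(now: float, epoch: float, rate_per_hour: int = 20, window: int = 100) -> list:
    """Return the most recent `window` emulated orders as they would appear at time `now`.

    Orders are assumed to arrive at `rate_per_hour` since `epoch` (both constructed
    parameters), so the table grows between visits; rows are derived from their index,
    not stored, so previously shown rows never change."""
    total = int((now - epoch) / 3600 * rate_per_hour)   # orders "placed" so far
    first = max(0, total - window)                      # only the newest rows are visible
    rows = []
    for i in range(first, total):
        r = _prf("order", str(i))
        placed = datetime.fromtimestamp(epoch + i * 3600 / rate_per_hour, tz=timezone.utc)
        rows.append({
            "order_id": 100000 + i,
            "customer_id": 1 + r % 5000,                # constructed range of customer ids
            "amount_cents": 499 + (r >> 16) % 20000,    # constructed price range
            "placed_at": placed.isoformat(),
        })
    return rows


def same_snapshot(a: list, b: list) -> bool:
    """Defender self-check: True when two visits would see an identical table,
    which is exactly the static pattern the post warns an attacker would notice."""
    return a == b
```

Calling `fake_orders` an hour apart returns two different tables whose shared rows are identical, which is the behaviour the paragraph above asks for.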
However, this approach has another problem. For example, if the attacker wants to break into Amazon's database system, then in order to verify whether the system is fake he may intentionally order one product from Amazon and check whether that order exists in the database. If it does not, the system must be fake.
This becomes a dilemma.
One solution is to encrypt all the verifiable data. Of course, this can confuse the attacker and slow down the attack. However, it is costly to encrypt data in the real system, since it greatly affects system performance. And if the attacker knows that we encrypt only the emulated system, the approach collapses by itself.