Given the above principles, let us consider specific kinds of deception for information systems under warfare-like attacks.  Several taxonomies of deception in warfare have been proposed, of which that of (Dunnigan and Nofi, 2001) is representative.  Figure 1 shows the spectrum of these methods, and Table 1 summarizes our assessment of them (10 = most appropriate, 0 = inappropriate).

1. Concealment ('hiding your forces from the enemy')
2. Camouflage ('hiding your troops and movements from the enemy by artificial means')
3. False and planted information (disinformation, 'letting the enemy get his hands on information that will hurt him and help you')
4. Lies ('when communicating with the enemy')
5. Displays ('techniques to make the enemy see what isn't there')
6. Ruses ('tricks, such as displays that use enemy equipment and procedures')
7. Demonstrations ('making a move with your forces that implies imminent action, but is not followed through')
8. Feints ('like a demonstration, but you actually make an attack')
9. Insight ('deceive the opponent by outthinking him')

We evaluate these in order.  Figure 1 presents a way to conceptualize them, and Table 1 summarizes them.

Figure 1: The spectrum of deception types.

Table 1: Summary of our assessment of deceptive types in information-system attack.

Concealment

Concealment for conventional military operations uses natural terrain features and weather to hide forces and equipment from an enemy.  A cyber-attacker can try to conceal their suspicious files in little-visited places in an information system.  But this will not work very well because automated tools allow us to quickly find things in cyberspace and intrusion-detection systems allow us to automatically check for suspicious activity.  'Steganography' or putting hidden secrets in innocent-looking information is only good for data, not programs.  But concealment of intentions is important for both attack and defense in cyberspace, especially defense where it is unexpected.

Camouflage

Camouflage aims to deceive the senses artificially.  Examples are aircraft with muffled engines and devices for dissipating heat signatures and flying techniques that minimize enemy detection efforts (Latimer, 2001).  Attackers of a computer system can camouflage themselves by behaving as legitimate users, but this is not very useful because most computer systems do not track user history very deeply.  But camouflaged malicious software has become common in unsolicited ('spam') electronic mail, as for instance email saying 'File you asked for' and 'Read this immediately' with a virus-infested attachment.  Such camouflage could be adapted for information warfare.  Defensive camouflage is not very useful because legitimate users as well as attackers will be impeded by moving or renaming resources and commands, and camouflage won't protect against many attacks such as buffer overflows to gain access privileges.

False and planted information

The Mincemeat example used false planted information, and false 'intelligence' could similarly be planted on computer systems or Web sites to divert or confuse attackers or even defenders in a 'campaign of disinformation'.  Scam Web sites (Mintz, 2002) use a form of disinformation.  But most false information about a computer system is easy to check out because software can help: A honeypot is not hard to recognize.  Disinformation must not be easily disprovable, and that is hard.  Attackers will also not likely read disinformation during an attack, so it won't help once an attack is started, only in preparations for an attack.  And only one lie can make an enemy mistrustful of all other statements you make, just as one mistake can destroy the illusion in stage magic (Tognazzini, 1993).

Lies

Spreading lies and rumors is as old as warfare itself.  The Soviets during the Cold War used disinformation by repeating a lie often, through multiple channels, until it seemed to be the truth.  This was very effective in overrepresenting Soviet military capabilities during the 1970s and 1980s (Dunnigan and Nofi, 2001).

Lies might help an attacker a little though stealth is more effective.  However, outright lies about information systems are often an easy and useful defensive deceptive tactic.  Users of an information system assume that, unlike with people, everything the system tells them is true.  And users of today's complex operating systems like Microsoft Windows are well accustomed to annoying and seemingly random error messages that prevent them from doing what they want.  The best things to lie about could be the most basic things that matter to an attacker: The presence of files and ability to open and use them.  So a computer system could issue false error messages when asked to do something suspicious, or could lie that it can't download or open a suspicious file when it really can (Michael et al, 2003).

Displays

Displays aim to make the enemy see what isn’t there. Dummy positions, decoy targets, and battlefield noise fabrication are all examples.  Past Iraqi deception regarding their 'weapons of mass destruction' used this idea (Kay, 1995).  Clandestine activity was hidden in declared facilities; facilities had trees screening them and road networks steering clear of them; power and water feeds were hidden to mislead about facility use; facility operational states were disguised by a lack of visible security; and critical pieces of equipment were moved at night.  Additionally, Iraqis distracted inspectors by busy schedules, generous hospitality, cultural tourism, and accommodations in lovely hotels far from inspection sites, or simply took inspectors to different sites than what they asked to see.

Stealth is more valuable than displays in attacking an information system.  Defenders don't care what an attacker looks like because they know attacks can come from any source.  But defensively, displays have several valuable uses for an information system.  One use is to make the defender see imaginary resources, as with a fake directory Web site we created.  It looks like a Web portal to a large directory (Figure 2), displaying a list of typical-sounding files and subdirectories, but everything is fake.  The user can click on subdirectory names to see plausible subdirectories, and can click on file names to see what appear to be encrypted files in some cases (the bottom of Figure 2) and image-caption combinations in other cases (the top right of Figure 2).  But the 'encryption' is just a random number generator, and the image-caption pairs are drawn randomly from a complete index of all images and captions at our school so they are unrelated to the names used in the directory.  And for some of the files it claims 'You are not authorized to view this page' or gives another error message when asked to open them.  The site is a prototype of a way  to entice spies by encouraging them to think there are secrets here and encouraging them to draw surprising connections between concepts, thereby encouraging them to waste further time here.

Another defensive use of displays is to confuse the attacker's damage assessment.  Simply delaying a response to an attacker may make them think that they have significantly slowed your system as is typical with 'denial-of-service' attacks (Julian et al, 2003).  Unusual characters typed by the attacker or attempts to overflow input boxes (classic attack methods for many kinds of software) could initiate pop-up windows that seem to represent debugging facilities or other system-administrator tools, as if the user as 'broke through' to the operating system.  Computer viruses and worms often have distinctive symptoms that are not hard to simulate, as for instance with system slowdowns, distinctive vandalism patterns of files, and so on.  Once we have detected a viral attack, a deceptive system response can remove the virus and then simulate its effects for the attacker, much like faking of damage from bombing a military target.

Organization Chart

Figure 2: Example fake directory and file display from our software.

Ruses

Ruses attempt to make an opponent think he is seeing his own troops or equipment when, in fact, he is confronting the enemy (Bell and Whaley, 1991).  Ruses can be the flying of false flags at sea or wearing of captured enemy uniforms.  One kind involves making friendly forces think their own forces are the enemy's.  Modern ruses can use electronic means, like impersonators transmitting orders to enemy troops.

Most attacks on computer systems are ruses that amount to variants of the ancient idea of sneaking your men into the enemy's fortress by disguising them, as with the original Trojan Horse.  Attackers can pretend to be system administrators, and software with malicious modifications can pretend to be unmodified.  Ruses are not much help defensively.  For instance, pretending to be a hacker is hard to exploit.  If you do so to offer false information to the enemy, you have the same problems discussed regarding planted information.  It is also hard to convince an enemy you are an ally unless you actually subvert a computer system since there are simple ways to confirm most effects.

Demonstrations

Demonstrations use military power, normally through maneuvering, to distract the enemy. There is no intention of following through with an attack immediately.  In 1991, General Schwarzkopf used deception to convince Iraq that a main attack would be directly into Kuwait, supported by an amphibious assault (Scales, 1998).  Aggressive ground-force patrolling, artillery raids, amphibious feints, ship movements, and air operations were part of the deception.  Throughout, ground forces engaged in reconnaissance and counter-reconnaissance operations with Iraqi forces to deny the Iraqis information about actual intentions.

Demonstrations of the strength of an attacker's methods or a defender's protections are likely to be counterproductive for information systems: A adversary gains a greater sense of achievement by subverting the more impressive adversaries.  But bragging might encourage attacks on a honeypot and generate additional useful data.

Feints

Feints are similar to demonstrations except they are followed by a true attack.  They are done to distract the enemy from a main attack elsewhere.  Operation Bodyguard supporting the Allied Normandy invasion in 1944 was a clever modification of a feint.  The objective of this deception was to make the enemy think the real main attack was a feint (Breuer, 1993).  It included visual deception and misdirection, deployment of dummy landing craft, aircraft, and paratroops, fake lighting schemes, radio deception, sonic devices, and ultimately a whole fake army group consisting of 50 divisions totaling over one million men.

Feints by the attacker in information warfare could involve attacks with less-powerful methods, to encourage the defender to overreact and be less prepared for subsequent main attack involving a different method.  Something like this is happening right now at a strategic level, as those methods used frequently by hackers like buffer overflows and viruses in email attachments get overreported in press at the expense of the less-used methods like 'backdoors' that are more useful for offensive information warfare.  Defensive counterattack feints in cyberwarfare face the problem that finding an attacker is very difficult is cyberspace, since attackers can conceal their identities by coming in through chains of hundreds of sites, so threats often will not be taken seriously.  But one could use defensive feints effectively to pretend to succumb to one form of attack to conceal a second less-obvious defense.  For instance, one could deny buffer-overflow attacks on most 'ports' (access points) of a computer system with a warning message, but pretend to allow them on a few for which you simulate the effects of the attack.  This is an analog of the tactic of multiple lines of defense used by, among others, the Soviets in World War II.

Insights

War is often a battle of wits, of knowing the enemy better than he knows you.  A good understanding of the Israelis gave the Egyptians conditions for their early success in the 1973 Yom Kippur War.  The Egyptian planners wanted to slow down the Israeli response and prevent a preemptive Israeli strike before completion of their own buildup.  The resulting deception plan cleverly capitalized on Israeli and Western perceptions of the Arabs, including a perceived inability to keep secrets, military inefficiency, and inability to plan and conduct a coordinated action.  The Israeli concept for defense of the Suez Canal assumed a 48-hour warning period would suffice, since the Egyptians could not cross the canal in strength and could be quickly and easily counterattacked.  The aim of the Egyptian deception plan was to provide plausible incorrect interpretations for a massive build-up along the canal and the Golan Heights.  It also involved progressively increasing the 'noise' that the Israelis had to contend with by a series of false alerts (Stein, 1982).

Attackers can use insights to figure out the enemy's weaknesses in advance.  Hacker bulletin boards support this by reporting exploitable flaws in software.  Defensive deception could involve trying to think like the attacker and figuring the best way to interfere with common attack plans.  Methods of artificial intelligence help (Rowe, 2003).  'Counterplanning' can be done, systematic analysis with the objective of thwarting or obstructing an opponent's plan (Carbonell, 1981).  Counterplanning is analogous to placing obstacles along expected enemy routes in conventional warfare.

A good counterplan should not try to foil an attack by every possible means: We can be far more effective by choosing a few related 'ploys' and presenting them well.  Consider an attempt by an attacker to gain control of a computer system by installing their own 'rootkit', a gimmicked copy of the operating system.  This almost always involves finding vulnerable systems by exploration, gaining access to those systems at vulnerable ports, getting administrator privileges on those systems, using those privileges to download gimmicked software, installing the software, testing the software, and using the system to attack others.  We can formulate this precisely and estimate the trouble we will cause the attacker by foiling each of the steps.  Generally it is best to foil the later steps in a plan because we can force the attacker to do more work to repair the damage.  For instance, we could delete a downloaded rootkit after it has been copied.  When the attacker discovers this, they will likely need to redo all the steps of the attack from the original download.  So good deception in information warfare needs a carefully designed plan, just as in conventional warfare.

A DEEPER THEORY OF DECEPTION IN INFORMATION SYSTEMS

An alternative and deeper theory of deception can be developed from the theory of semantic cases in computational linguistics (Fillmore, 1968).  Every action can be associated with a set of other concepts; these are semantic cases, a generalization of syntactic cases in language.  Various cases have been proposed as additions to the basic framework of Fillmore, of which (Copeck et al, 1992) is the most comprehensive we have seen.  To their 28 we add four more, the upward type-supertype and part-whole links and two speech-act conditions (Austin, 1975), to get 32 altogether:

• participant: agent (the person who initiates the action), beneficiary (the person who benefits), experiences (a psychological feature associated with the action), instrument (some thing that helps accomplish the action), object (what the action is done to), and recipient (the person who receives the action)
• space: direction (of the action), location-at, location-from, location-to, location-through, and orientation (in some metric space)
• time: frequency (of occurrence), time-at, time-from, time-to, and time-through
• causality: cause, contradiction (what this action contradicts if anything), effect, and purpose
• quality: accompaniment (additional object associated with the action), content (type of the action object), manner (the way in which the action is done), material (the atomic units out of which the action is composed), measure (the quantity associated with the action), order (of events), and value (the data transmitted by the action)
• essence: supertype (generalization of the action type) and whole (of which the action is a part)
• speech-act theory: precondition (on the action) and ability (of the agent to perform the action)

Our claim is that deception operates on an action to change its perceived associated case values.  For instance, the original Trojan horse modified the purpose of a gift-giving action (it was an attack not a peace offering), its accompaniment (the gift had hidden soldiers), and 'time-to' (the war was not over).  Similarly, an attacker masquerading as the administrator of a computer system is modifying the agent case and purpose case associated with their actions on that system.  For the fake-directory prototype that we built, we use deception in object (it isn't a real directory interface), 'time-through' (some responses are deliberately delayed), cause (it lies about files being too big to load), preconditions (it lies about necessary authorization), and effect (it lies about the existence of files and directories). 

A deception can involve more than one case simultaneously so there are many combinations.  However, not all of the above cases make sense in cyberspace nor for our particular concern, the interaction between an attacker and the software of a computer system.  We can rule out the cases of beneficiary (the attacker is the assumed beneficiary of all activity), experiences (deception in associated psychological states doesn't matter in giving commands and obeying them), recipient (the only agents that matter are the attacker and the system they are attacking), 'location-at' (you can't 'inhabit' cyberspace), orientation (there is no coordinate system in cyberspace), 'time-from' (attacks happen anytime), 'time-to' (attacks happen anytime), contradiction (commands don't include comparisons), manner (there's only one way commands execute besides in duration), material (everything is bits and bytes in cyberspace), and order (the order of commands or files rarely can be varied and cannot deceive either an attacker or defender).

In general, offensive opportunities for deception are as frequent as defensive opportunities, in cyberspace as well as in conventional warfare, but appropriate methods differ.  For instance, the instrument case is associated with offensive deceptions in cyberspace since the attacker can choose the instrument between email attachments, coming in through an insecure port, a backdoor, regular access with a stolen password, and so on, and the defender has little control since they must use the targeted system and its data.  That is different from conventional warfare where, say, the attacker can choose the weapons used in an aerial attack but the defender also can choose among many defensive tactics like hardening targets, decoys, jamming, anti-aircraft fire, or aerial engagement.  In contrast, 'time-through' is primarily associated with defensive deceptions in cyberspace since the defending computer system controls the time it takes to process and respond to a command, and is little affected by the time it takes an attacker to issue commands to it.  But 'object' can be associated with both cyberspace offense and defense because attackers can choose to attack little-defended targets like unused ports, while defenders can substitute low-value targets like honeypots for high-value targets that the attacker thinks they are compromising.  Table 2 summarizes the suitability of the remaining 21 deception methods as we judge them on general principles.  10 indicates the most suitable, and 0 indicates unsuitable; these numbers could be refined by surveys of users or deception experiments.  This table provides a wide-ranging menu of choices for deception planners.

Table 2: Evaluation of deception methods in cyberspace.