We modified how Linux-based operating systems store users’ passwords and incorporated a machine-dependent function in the process. When an attacker steals the hashed passwords file (e.g., /etc/shadow) and tries to crack the passwords, ersatz (“fake”) passwords are returned instead. The design of this tool can be found in this paper and the code, which was mainly developed by Christopher Gutierrez, can be found here.
Douglas Rapp is a PhD student working on the project as of 2021.
Former grad student Chris Gutierrez is now a Security Solutions Research Scientist at Intel.
Mohammed Almeshekah has completed his PhD and left Purdue to take a faculty position at King Saud University. His PhD dissertation, Using Deception to Enhance Security: A Taxonomy, Model, and Novel Uses, is available online in the CERIAS library.
Jeff Avery has finished his PhD and accepted a full-time post-graduation position as a Software Engineer in the Future Technical Leaders program at Northrop Grumman. His PhD dissertation, The Application of Deception to Software Security Patching, is available online in the CERIAS library.
We are interested in collaboration with others, at Purdue University or elsewhere. Please contact us for details.
Deception plays a prominent role in everyday physical-world security. We leave lights on to deter thieves by deceiving them into thinking someone is inside. We may further put up signs that warn “Beware of the Dog” to cast doubt on the nature of our defenses. Inside, we may place our valuables in a safe, but hide the safe behind a painting.
Over history, deception has evolved to find its natural place in our societies and eventually our technical systems. Deception and decoy-based mechanisms have been used in cyber security for more than two decades in techniques such as honeypots and obfuscation.
Our group is investigating how deception can be used to improve the security of computers and networks. This site provides a summary and reference of the work we have done with links to more in-depth information.
In the last few years, several vendors have sprung up marketing products with deception as a basic component. Here are the ones we know about. Let us know if there are any we are missing.
The work in this project has been partially supported by funding from CERIAS at Purdue University.
Portions of this work conducted in 2014-2015 were supported by Northrop Grumman through its Cybersecurity Research Consortium.
Portions of this work conducted in 2015-2017 were supported by the National Science Foundation grant #1548114.
All of the support of this project is gratefully acknowledged.
Any opinions, findings, conclusions or recommendations expressed on this website or in any of our materials are those of the author(s) and do not necessarily reflect the views of the National Science Foundation, the Northrop Grumman Corporation, CERIAS, or Purdue University.
If you want to join the group’s (not highly active) mailing list, Decepticons, please send email with the word “subscribe” in the subject or body of the message to decepticons-request@cerias.purdue.edu.