decepto

command module
v0.0.0-...-ddc107e Latest
Warning

This package is not in the latest version of its module.

Published: Jun 27, 2024 License: Apache-2.0 Imports: 4 Imported by: 0

README

#+options: ':nil *:t -:t ::t <:t H:3 \n:nil ^:t arch:headline author:t
#+options: broken-links:nil c:nil creator:nil d:(not "LOGBOOK") date:t e:t
#+options: email:nil f:t inline:t num:nil p:nil pri:nil prop:nil stat:t tags:t
#+options: tasks:t tex:t timestamp:t title:t toc:t todo:t |:t
#+title: Decepto - Cloud Native Cyber Deception
#+author: Daniele Santoro
#+email: dsantoro@fbk.eu
#+language: en
#+select_tags: export
#+exclude_tags: noexport
#+creator: Emacs 28.1 (Org mode 9.5.4)
#+cite_export:

#+begin_center
[[https://decepto.readthedocs.io/][Explore documentation]] - [[https://drive.google.com/drive/folders/12vOQ9DHgnAYh3OacrhppK8bQCE68nblB][Explore demonstration video]]
#+end_center

* What is Decepto?

Decepto is a system that creates decoys as clones of existing services in a
cloud native environment.

Given an application graph (sets of micro-services and data-flows across them)
Decepto decides the services to clone as decoys and where to deploy them based
on optimization metrics such as the availability of resources.

As shown in the picture below, it runs in a Kubernetes cluster and can use
multiple external algorithms to make decisions and perform actions.

[[file:docs/_static/images/decepto-10k-foot-view.png]]

Decepto offers notification and monitoring mechanisms to identify the behaviors
of an attacker.

By default it targets Kubernetes environments, extending the default Kubernetes
API with CRDs (Custom Resource Definitions). In more detail, it offers four main
features: Cloning, Isolating, Monitoring and Alerting.

* Features

** Cloning of a generic microservice into a decoy

The ability to clone a microservice at Pod level, taking into account the
directives of the resource-aware algorithm. The new decoy Pod is instrumented to
control the alerting and monitoring features.


** Isolating communication flows across the application microservices

The ability to programmatically control the communication flows across
legitimate microservices and/or decoys. This is implemented by activating or
deactivating the appropriate network rules and service discovery entries.


** Monitoring the adversaries' behaviors

The ability to collect all relevant data in order to identify the attackers'
behavior patterns as fully as possible. It collects system calls, cluster
audits, application logs and microservices' in/out traffic.


** Alerting when a decoy receives unwanted traffic

The ability to discover potentially malicious communications and send
notifications so that other relevant actions can be started. A background
process listens in promiscuous mode for connections to the decoy, which should
never receive incoming traffic.
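
The alerting rule above, shown as an added Go example that is not Decepto's own code: it swaps promiscuous capture for a plain TCP accept loop and raises an alert for every connection that reaches the decoy, counting contacts per source. The names =Alert=, =Serve=, =Probe= and =decoy-demo= are assumptions of this example.

```go
package main

import (
	"fmt"
	"net"
)

// Alert (a hypothetical type) records one connection that reached a decoy.
type Alert struct {
	Decoy, Source string
	Count         int // connections seen from Source so far
}

// Serve alerts on every accepted connection; it closes alerts when ln closes.
func Serve(decoy string, ln net.Listener, alerts chan<- Alert) {
	defer close(alerts)
	seen := map[string]int{}
	for {
		conn, err := ln.Accept()
		if err != nil {
			return
		}
		src, _, _ := net.SplitHostPort(conn.RemoteAddr().String())
		conn.Close() // a decoy has no legitimate clients: record, never serve
		seen[src]++
		alerts <- Alert{Decoy: decoy, Source: src, Count: seen[src]}
	}
}

// Probe is a constructed loopback check: n connections to a decoy listener.
func Probe(n int) (got []Alert, err error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return nil, err
	}
	defer ln.Close()
	alerts := make(chan Alert, n)
	go Serve("decoy-demo", ln, alerts)
	for i := 0; i < n; i++ {
		c, err := net.Dial("tcp", ln.Addr().String())
		if err != nil {
			return got, err
		}
		c.Close()
		got = append(got, <-alerts)
	}
	return got, nil
}

func main() { fmt.Println(Probe(3)) }
```

Because the decoy has no legitimate callers, the loop needs no allowlist or payload inspection; the per-source count separates a single stray contact from repeated probing.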

* License
Copyright 2023 Fondazione Bruno Kessler

Licensed under the Apache License, Version 2.0 (the “License”); you may not use
this file except in compliance with the License. You may obtain a copy of the
License here.

Unless required by applicable law or agreed to in writing, software distributed
under the License is distributed on an “AS IS” BASIS, WITHOUT WARRANTIES OR
CONDITIONS OF ANY KIND, either express or implied. See the License for the
specific language governing permissions and limitations under the License.

Documentation


There is no documentation for this package.

Directories

Path Synopsis
pkg
apis/decepto/v1alpha1
Package v1alpha1 is the v1alpha1 version of the API.
generated/clientset/versioned/fake
This package has the automatically generated fake clientset.
generated/clientset/versioned/scheme
This package contains the scheme of the automatically generated clientset.
generated/clientset/versioned/typed/decepto/v1alpha1
This package has the automatically generated typed clients.
generated/clientset/versioned/typed/decepto/v1alpha1/fake
Package fake has the automatically generated clients.
sentinel module
