Reconnaissance activities precede the other attack steps in the cyber kill chain. Zero-day attacks exploit unknown vulnerabilities and give attackers the upper hand against conventional defenses. Honeypots have been used to deceive attackers by misrepresenting the true state of the network. Existing work on cyber deception does not model zero-day attacks. In this paper, we address the question of "How to allocate honeypots over the network?" so as to protect its most valuable assets. To this end, we develop a two-player zero-sum game-theoretic approach to study the potential reconnaissance tracks and attack paths that attackers may use. However, zero-day attacks allow attackers to avoid placed honeypots by creating new attack paths. Therefore, we introduce a sensitivity analysis to investigate the impact of different zero-day vulnerabilities on the performance of the proposed deception technique. Next, based on this analysis, we propose several mitigating strategies to defend the network against zero-day attacks. Finally, our numerical results validate our findings and illustrate the effectiveness of the proposed defense approach.
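The following is an added, illustrative toy of the honeypot-allocation game sketched in the abstract; it is not the paper's model or code. Everything in it is assumed for the sake of the example: the constructed network graph, the defender's honeypot budget, the payoff (1 if the attacker's chosen path crosses a honeypot, 0 if the attacker reaches the asset undetected), and the set of hypothetical zero-day edges. The attacker's pure strategies are the simple paths from the entry host to the asset, the defender's are the placements of the budgeted honeypots, and the resulting zero-sum game is solved exactly with a small simplex over rational numbers. The sensitivity step then adds each candidate zero-day edge (a new attack path) and reports how far the guaranteed detection probability drops, which is the kind of ranking a defender would use to decide which zero-day class to mitigate first. The code is general over any graph and budget, not just the sample network.

```python
"""Toy honeypot-allocation game (added example; assumptions noted in comments)."""
from fractions import Fraction
from itertools import combinations

# Constructed sample network: directed "can exploit next" edges between hosts.
NETWORK = {
    "entry": ["web", "vpn", "mail"],
    "web": ["db"],
    "vpn": ["db"],
    "mail": ["fileserver"],
    "fileserver": ["db"],
    "db": [],
}
ENTRY, ASSET = "entry", "db"  # attacker foothold and the asset to protect


def attack_paths(graph, src, dst):
    """Attacker pure strategies: all simple paths src -> dst."""
    paths, stack = [], [(src, [src])]
    while stack:
        node, path = stack.pop()
        if node == dst:
            paths.append(tuple(path))
            continue
        for nxt in graph.get(node, []):
            if nxt not in path:
                stack.append((nxt, path + [nxt]))
    return sorted(paths)


def honeypot_placements(graph, budget):
    """Defender pure strategies: every choice of `budget` hosts other than entry/asset."""
    hosts = sorted(h for h in graph if h not in (ENTRY, ASSET))
    return [frozenset(c) for c in combinations(hosts, budget)]


def payoff_matrix(placements, paths):
    """Assumed payoff to the defender: 1 if the path hits a honeypot, else 0."""
    return [[Fraction(int(any(h in p for h in hp))) for p in paths] for hp in placements]


def solve_zero_sum(A):
    """Exact value and optimal mixed strategies of a zero-sum game (row player maximises).
    Solves the standard LP  max sum w_j  s.t.  sum_j B[i][j] w_j <= 1, w >= 0  (B = A + shift > 0)
    with a Bland's-rule simplex on Fractions; duals of the slack columns give the row strategy."""
    m, n = len(A), len(A[0])
    shift = 1 - min(min(r) for r in A)
    B = [[Fraction(a) + shift for a in row] for row in A]
    T = [B[i] + [Fraction(int(i == k)) for k in range(m)] + [Fraction(1)] for i in range(m)]
    obj = [Fraction(-1)] * n + [Fraction(0)] * (m + 1)  # row "z - sum w_j = 0"
    basis = [n + i for i in range(m)]
    while True:
        enter = next((j for j in range(n + m) if obj[j] < 0), None)
        if enter is None:
            break
        best = None
        for i in range(m):
            if T[i][enter] > 0:
                ratio = T[i][-1] / T[i][enter]
                if best is None or ratio < best[0] or (ratio == best[0] and basis[i] < basis[best[1]]):
                    best = (ratio, i)
        r = best[1]
        piv = T[r][enter]
        T[r] = [v / piv for v in T[r]]
        for i in range(m):
            if i != r and T[i][enter] != 0:
                f = T[i][enter]
                T[i] = [a - f * b for a, b in zip(T[i], T[r])]
        f = obj[enter]
        obj = [a - f * b for a, b in zip(obj, T[r])]
        basis[r] = enter
    total = obj[-1]  # optimal sum of w_j; game value of shifted game is 1/total
    w = [Fraction(0)] * n
    for i, b in enumerate(basis):
        if b < n:
            w[b] = T[i][-1]
    row_strategy = [obj[n + i] / total for i in range(m)]
    col_strategy = [wj / total for wj in w]
    return 1 / total - shift, row_strategy, col_strategy


def game_value(graph, budget):
    """Guaranteed detection probability plus the defender's and attacker's equilibrium mixes."""
    paths = attack_paths(graph, ENTRY, ASSET)
    placements = honeypot_placements(graph, budget)
    value, x, y = solve_zero_sum(payoff_matrix(placements, paths))
    defender = {hp: p for hp, p in zip(placements, x) if p > 0}
    attacker = {path: p for path, p in zip(paths, y) if p > 0}
    return value, defender, attacker


def zero_day_sensitivity(graph, budget, candidate_edges):
    """Impact of each hypothetical zero-day edge: drop in the game value once it exists."""
    base, _, _ = game_value(graph, budget)
    impact = {}
    for src, dst in candidate_edges:
        g = {k: list(v) for k, v in graph.items()}
        g[src].append(dst)  # the zero-day opens a new attack path
        impact[(src, dst)] = base - game_value(g, budget)[0]
    return base, impact


if __name__ == "__main__":
    value, defender, attacker = game_value(NETWORK, 1)
    print("value (detection prob.) with 1 honeypot:", value)
    print("defender mix:", {tuple(sorted(k)): str(v) for k, v in defender.items()})
    base, impact = zero_day_sensitivity(NETWORK, 1, [("entry", "db"), ("web", "vpn"), ("entry", "fileserver")])
    for edge, drop in impact.items():
        print("zero-day", edge, "drops value by", drop)
```

On the sample network the three disjoint routes force the defender to spread a single honeypot over the three chokepoints, guaranteeing detection with probability 1/3, and a second honeypot raises that to 2/3. A zero-day that creates a direct path from the entry host to the asset bypasses every placement and drives the value to 0, whereas zero-days that only add edges between already-covered hosts change nothing; this is the ranking the sensitivity analysis produces, and it points the defender at the exposures (here, the asset's own reachable surface) where patching or extra deception budget matters most.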