Cyber deception can be a valuable addition to traditional cyber defense mechanisms, especially for modern cloud-native environments with a fading security perimeter. However, pre-built decoys used in classical computer networks are not effective in detecting and mitigating malicious actors, because they cannot blend in with the variety of applications deployed in such environments. On the other hand, decoys that clone the deployed microservices of an application can offer a high-fidelity deception mechanism to intercept ongoing attacks within production environments. However, to fully benefit from this approach, it is essential to use a limited amount of decoy resources and to devise a suitable cloning strategy that minimizes the impact on the performance of legitimate services. Following this observation, we formulate a non-linear integer optimization problem that maximizes the number of attack paths intercepted by the allocated decoys within a fixed resource budget. Attack paths represent the attacker's movements within the infrastructure as a sequence of compromised microservices. We also design a heuristic decoy placement algorithm to approximate the optimal solution and overcome the computational complexity of the proposed formulation. We evaluate the performance of the optimal and heuristic solutions against other schemes that use local vulnerability metrics to select which microservices to clone as decoys. Our results show that the proposed allocation strategy intercepts a higher number of attack paths than these schemes while requiring approximately the same number of decoys.
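The following is an added toy illustration of the placement problem described above; it is not code from the paper, and its attack paths, cloning costs and vulnerability scores are constructed. It assumes a simple interception model (a path is intercepted once any microservice on it is cloned), a unit resource budget, and three placement strategies: exhaustive search for the optimum, a cost-aware greedy heuristic, and a baseline that ranks services by a local vulnerability score.

```python
from itertools import combinations

# Constructed instance: attack paths are sequences of compromised microservices.
# Interception model (an assumption for this example): a path counts as
# intercepted as soon as any microservice on it has been cloned as a decoy.
ATTACK_PATHS = [
    ("gateway", "auth", "db"), ("gateway", "catalog", "db"),
    ("gateway", "cart", "payment"), ("catalog", "search"), ("auth", "payment"),
]
# Assumed per-service cloning cost (resource units) and a local vulnerability
# score standing in for the CVSS-like metric the baseline schemes rank by.
COST = {"gateway": 3, "auth": 1, "db": 2, "catalog": 1,
        "cart": 1, "payment": 2, "search": 1}
VULN = {"gateway": 9.0, "auth": 7.5, "db": 8.0, "catalog": 4.0,
        "cart": 5.0, "payment": 6.5, "search": 3.0}


def intercepted(decoys, paths=ATTACK_PATHS):
    """Count attack paths that touch at least one cloned microservice."""
    return sum(1 for p in paths if set(decoys).intersection(p))


def optimal_placement(budget, paths=ATTACK_PATHS):
    """Exhaustive search over all feasible decoy sets (tiny instances only)."""
    feasible = (set(c) for k in range(len(COST) + 1)
                for c in combinations(sorted(COST), k)
                if sum(COST[s] for s in c) <= budget)
    best = max(feasible, key=lambda d: intercepted(d, paths))
    return best, intercepted(best, paths)


def greedy_placement(budget, paths=ATTACK_PATHS):
    """Heuristic: clone the service covering most uncovered paths per unit cost."""
    decoys, remaining = set(), list(paths)
    while remaining:
        spent = sum(COST[s] for s in decoys)
        cands = [s for s in COST if s not in decoys and spent + COST[s] <= budget]
        gain = lambda s: sum(1 for p in remaining if s in p) / COST[s]
        pick = max(cands, key=gain, default=None)
        if pick is None or gain(pick) == 0:
            break  # budget exhausted or no remaining path can be covered
        decoys.add(pick)
        remaining = [p for p in remaining if pick not in p]
    return decoys, intercepted(decoys, paths)


def vulnerability_placement(budget, paths=ATTACK_PATHS):
    """Baseline: clone the highest-scoring services that still fit the budget."""
    decoys, spent = set(), 0
    for s in sorted(COST, key=lambda s: -VULN[s]):
        if spent + COST[s] <= budget:
            decoys.add(s)
            spent += COST[s]
    return decoys, intercepted(decoys, paths)
```

With a budget of 3 units, the vulnerability-ranked baseline spends everything on the gateway and intercepts three paths, whereas both the optimal and the greedy placement clone three cheap services and intercept all five.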