Ditto: Helping Protect IT Networks by Confounding Cyber Attackers

One of the first steps in a cyberattack is identification of the target system or systems: correct identification of what is on a network allows the attacker to make better decisions about what to attack and what tools to use. Ditto interferes with this phase of the attack by misleading attackers about what operating system hosts are running.

Ditto, funded by DARPA, uses a network stack that system administrators can tune to emulate operating systems and software other than those actually running on the server. In the most extreme case, Ditto can lead an attacker to believe that a server is running Linux when it is actually running Windows. More subtly, Ditto can lead an attacker to believe that a target is running a slightly different version of the same operating system.

By defeating the attacker's reconnaissance in this way, we can cause the attacker to use the wrong attacks against critical systems. Such mismatched attacks are much less likely to work, and much more likely to trigger intrusion detection systems.

Ditto functions as a separate network stack that acts as a proxy for the underlying system. It can either be hosted, via virtualization, on the same physical machine as the target operating system, or it can be introduced as a plug-in device. While current Ditto prototypes do add a small amount of latency to existing systems, our experiments suggest that the slowdown will not be a factor except on the most latency-sensitive systems.
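To make the proxy idea concrete, here is an added toy illustration (not Ditto's own code): a passive OS fingerprinter scores TCP/IP stack fields against a persona table, and a simplified Ditto-style proxy step rewrites a host's outbound fields to match a chosen persona. The persona signatures and the hop count are constructed for the demo; real fingerprinting tools use far richer signatures, and the actual Ditto stack is assumed to do more than this field rewrite.

```python
# Added illustration (not Ditto's code): a toy passive OS fingerprinter and
# a proxy step that rewrites a host's stack fields to match a chosen persona.
# The persona signatures below are constructed for the demo, not real data.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class StackFingerprint:
    ttl: int       # IP TTL as observed on a SYN-ACK (decremented per hop)
    window: int    # initial TCP window size
    df: bool       # IP Don't Fragment bit
    opts: tuple    # TCP option order on the SYN-ACK


# Constructed persona table: the signature each OS family is assumed to
# leave on the wire in this demo (initial TTL, window, DF, option order).
PERSONAS = {
    "linux-like": StackFingerprint(64, 29200, True, ("mss", "sack", "ts", "nop", "ws")),
    "windows-like": StackFingerprint(128, 65535, True, ("mss", "nop", "ws", "nop", "nop", "sack")),
    "bsd-like": StackFingerprint(64, 65535, True, ("mss", "nop", "ws", "sack", "ts")),
}


def _initial_ttl(observed_ttl: int) -> int:
    """Round an observed TTL up to the nearest common initial value."""
    for initial in (64, 128, 255):
        if observed_ttl <= initial:
            return initial
    return 255


def guess_os(observed: StackFingerprint) -> str:
    """Score observed fields against each persona; return the best match."""
    best, best_score = "unknown", 0
    for name, sig in PERSONAS.items():
        score = ((_initial_ttl(observed.ttl) == sig.ttl) + (observed.window == sig.window)
                 + (observed.df == sig.df) + (observed.opts == sig.opts))
        if score > best_score:
            best, best_score = name, score
    return best


def rewrite_to_persona(real: StackFingerprint, persona: str, hops: int = 0) -> StackFingerprint:
    """Simplified proxy step: replace the real stack's observable fields with
    the persona's. `hops` models TTL decrement between proxy and observer."""
    p = PERSONAS[persona]
    return replace(real, ttl=p.ttl - hops, window=p.window, df=p.df, opts=p.opts)


def demo() -> tuple:
    """A Windows-like host seen directly, then behind a Linux-like persona."""
    real = StackFingerprint(ttl=128 - 3, window=65535, df=True,
                            opts=("mss", "nop", "ws", "nop", "nop", "sack"))
    return guess_os(real), guess_os(rewrite_to_persona(real, "linux-like", hops=3))
```

Running `demo()` shows the same host classified as "windows-like" when observed directly and "linux-like" once the proxy presents the Linux persona, which is the misdirection the text describes.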