Pacific Northwest National Laboratory’s Shadow Figment technology foils cyberattacks

RICHLAND, Wash. – Scientists have developed a cybersecurity technology called Shadow Figment that is designed to lure hackers into an artificial world and then prevent them from doing harm by feeding them illusory tidbits of success.

The goal is to intercept bad actors by captivating them with an attractive – but imaginary – world.

The technology aims to protect physical targets – infrastructure such as buildings, the power grid, water and sewer systems, and even pipelines. The technology was developed by scientists at the U.S. Department of Energy’s Pacific Northwest National Laboratory.

The starting point for Shadow Figment is a commonly used technology called a honeypot – something attractive to lure an attacker, perhaps a desirable target with the appearance of easy access.

But while most honeypots are used to attract attackers and study their methods, Shadow Figment goes much further. The technology uses artificial intelligence to employ sophisticated deceptions that keep attackers in a fake world – the figment – that mirrors the real world. The decoy interacts with users in real time and reacts realistically to commands.

“Our intention is to make interactions seem realistic. When someone interacts with our decoy, we keep them involved and give our defenders extra time to respond,” said Thomas Edgar, a PNNL cybersecurity researcher who led the development of Shadow Figment.

Take advantage of the attacker’s “success”

The system rewards and occupies hackers with false success signals, while the defenders learn about the attackers’ methods and take measures to protect the real system.

The credibility of the deception relies on a machine learning program that learns from observing the real system on which it is installed. The program reacts to an attack by sending signals that illustrate that the attacked system is reacting in a plausible manner. This “model-driven dynamic deception” is much more realistic than a static decoy, a more common tool that experienced cyber attackers can quickly detect.

Shadow Figment encompasses two worlds that were independent years ago but are now intertwined: the cyber world and the physical world, with sophisticated structures based on complex industrial control systems. Such systems are more often than ever in the crosshairs of hackers. Examples of this include the shutdown of large parts of the electricity network in Ukraine in 2015, an attack on a water supply in Florida earlier this year, and the recent hacking attack on the Colonial Pipeline that affected gasoline supplies along the east coast.

Physical systems are so complex and immense that the number of potential targets – valves, controls, pumps, sensors, coolers, and so on – is limitless. Thousands of devices work together to provide us with uninterrupted electricity, clean water and pleasant working conditions. Incorrect readings maliciously fed into a system can result in power being turned off. They could raise the temperature in a building to uncomfortable or unsafe levels, or change the concentration of chemicals added to a water supply.

Shadow Figment creates interactive clones of such a system in all its complexity, as experienced operators and cyber criminals would expect. If, for example, a hacker turns off a fan in a server room in the artificial world, Shadow Figment reacts with the signal that the air movement has slowed down and the temperature is rising. If a hacker changes a setting on a kettle, the system adjusts the water flow accordingly.
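The fan example above can be sketched in a few lines. This is an added illustration, not PNNL's code or model: it assumes a first-order thermal model, constructed observation data, and hypothetical names (`observe_real_system`, `fit`, `Decoy`). A static decoy would return the same temperature after the fan is switched off; here the reading drifts the way the fitted model says the real room would, and every write is logged for the defenders.

```python
# Added illustration: a toy "model-driven" decoy for a server-room fan.
# The first-order thermal model and every constant are assumptions.

def observe_real_system():
    """Constructed trace of (fan_on, temp_before, temp_after) samples."""
    trace, temp = [], 30.0
    for fan_on in (True, False):
        for _ in range(30):
            target = 22.0 if fan_on else 40.0
            nxt = temp + 0.1 * (target - temp)
            trace.append((fan_on, temp, nxt))
            temp = nxt
    return trace

def fit(trace):
    """Least-squares fit of dT = k * (target - T) for each fan state."""
    model = {}
    for state in (True, False):
        pts = [(t0, t1 - t0) for f, t0, t1 in trace if f == state]
        mx = sum(x for x, _ in pts) / len(pts)
        my = sum(y for _, y in pts) / len(pts)
        slope = (sum((x - mx) * (y - my) for x, y in pts)
                 / sum((x - mx) ** 2 for x, _ in pts))
        k = -slope                      # rate at which temp approaches target
        model[state] = (k, (my - slope * mx) / k)
    return model

class Decoy:
    """Answers reads and writes from the fitted model; touches no real device."""
    def __init__(self, model, temp):
        self.model, self.temp = model, temp
        self.fan_on, self.log = True, []

    def write(self, point, value):
        self.log.append((point, value))  # record attacker actions for defenders
        if point == "fan":
            self.fan_on = bool(value)

    def read_temp(self):
        k, target = self.model[self.fan_on]
        self.temp += k * (target - self.temp)  # each read advances one time step
        return round(self.temp, 2)

def demo():
    decoy = Decoy(fit(observe_real_system()), temp=22.0)
    before = decoy.read_temp()
    decoy.write("fan", 0)                # attacker "turns off" the fan
    after = [decoy.read_temp() for _ in range(5)]
    return before, after, decoy.log
```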

Shadow Figment: undermining bad intentions

The intention is to distract bad actors from the real control systems, to direct them into an artificial system in which their actions have no effect.

“We’re buying time so the defenders can take action to prevent bad things from happening,” Edgar said. “Sometimes only a few minutes are enough to stop an attack. But Shadow Figment needs to be part of a broader cybersecurity defense program. There is no solution that is a silver bullet.”

PNNL has applied for a patent on the technology, which has been licensed to Attivo Networks. Shadow Figment is one of five cybersecurity technologies developed by PNNL and packaged in a suite called Pacific.

“The development of Shadow Figment is another example of how PNNL scientists are focused on protecting the country’s critical assets and infrastructure,” said Kannan Krishnaswami, commercialization manager at PNNL. “This cybersecurity tool has wide-ranging uses in the government and private sectors – from municipalities to utilities to banking, manufacturing and even healthcare providers.”

“The development of Shadow Figment illustrates how PNNL technology can make a difference in so many lives,” said Kannan Krishnaswami, commercialization manager at PNNL. “The lab’s research provides protection from a range of threats, including cyberattacks.”


The team’s latest results were published in the spring edition of the Information War Journal.

Edgar’s colleagues on the project include William Hofer, Juan Brandi-Lozano, Garrett Seppala, Katy Nowak and Draguna Vrabie. The work was funded by PNNL and the DOE’s Office of Technology Transitions.
