Application Layer Cyber Deception without Developer Interaction
Mario Kahlhofer, Stefan Rass
TL;DR
This paper addresses the challenge of deploying application-layer cyber deception without access to source code, focusing on runtime, post-deployment integration in cloud-native environments such as Kubernetes. It surveys 19 techniques, categorizing them by deployment location (container/pod, kernel/network, container platform) and whether they require developer interaction, and evaluates them along technical, topological, operational, and efficacy properties. The authors provide a structured taxonomy (including D-C-S types and deployment modes) and identify underexplored approaches, such as Kubernetes-native patterns and software frameworks, that could reduce interference and improve maintainability. The work aims to bridge theory and production practice, enabling more dynamic, scalable, and personalized deception strategies that operate near the application while remaining compatible with modern cloud-native ecosystems.
Abstract
Cyber deception techniques that are tightly intertwined with applications pose significant technical challenges in production systems. Security measures are usually the responsibility of a system operator, but they are typically limited to accessing built software artifacts, not their source code. This limitation makes it particularly challenging to deploy cyber deception techniques at application runtime and without full control over the software development lifecycle. This work reviews 19 technical methods to accomplish this and evaluates them based on technical, topological, operational, and efficacy properties. We find some novel techniques beyond honeypots and reverse proxies that seem to have received little research interest despite their promise for cyber deception. We believe that overcoming these technical challenges can drive the adoption of more dynamic and personalized cyber deception techniques, tailored to specific classes of applications.