Moving Target Defense for Web Applications using Bayesian Stackelberg Games

by Sailik Sengupta, et al.

The present complexity in designing web applications makes software security a difficult goal to achieve. An attacker can explore a deployed service on the web and attack at his/her own leisure. Moving Target Defense (MTD) in web applications is an effective mechanism to nullify this reconnaissance advantage, but the framework demands a good strategy for switching between multiple configurations of its web stack. To address this issue, we propose modeling a real-world MTD web application as a repeated Bayesian game. We then formulate an optimization problem that generates an effective switching strategy while considering the cost of switching between different web-stack configurations. To incorporate this model into a developed MTD system, we develop an automated system for generating attack sets of Common Vulnerabilities and Exposures (CVEs) for input attacker types with predefined capabilities. Our framework obtains realistic reward values for the players (defenders and attackers) in this game by using security domain expertise on CVEs obtained from the National Vulnerability Database (NVD). We also address the issue of prioritizing vulnerabilities that, when fixed, improve the security of the MTD system. Lastly, we demonstrate the robustness of our proposed model by evaluating its performance when there is uncertainty about input attacker information.




Learning Effective Strategies for Moving Target Defense with Switching Costs

Moving Target Defense (MTD) has emerged as a key technique in various se...

Can I Take Your Subdomain? Exploring Related-Domain Attacks in the Modern Web

Related-domain attackers control a sibling domain of their target web ap...

Spatial-Temporal Moving Target Defense: A Markov Stackelberg Game Model

Moving target defense has emerged as a critical paradigm of protecting a...

Adaptive MTD Security using Markov Game Modeling

Large scale cloud networks consist of distributed networking and computi...

Do Fewer Tiers Mean Fewer Tears? Eliminating Web Stack Components to Improve Interoperability

Web applications are structured as multi-tier stacks of components. Each...

Partially-Observable Security Games for Automating Attack-Defense Analysis

Network systems often contain vulnerabilities that remain unfixed in a n...

A Qualitative Empirical Analysis of Human Post-Exploitation Behavior

Honeypots are a well-studied defensive measure in network security. This...
