TY - GEN
T1 - A game theoretic approach to strategy generation for moving target defense in web applications
AU - Sengupta, Sailik
AU - Vadlamudi, Satya Gautam
AU - Kambhampati, Subbarao
AU - Doupé, Adam
AU - Zhao, Ziming
AU - Taguinod, Marthony
AU - Ahn, Gail Joon
N1 - Publisher Copyright:
© Copyright 2017, International Foundation for Autonomous Agents and Multiagent Systems (www.ifaamas.org). All Rights Reserved.
PY - 2017
Y1 - 2017
N2 - The present complexity in designing web applications makes software security a difficult goal to achieve. An attacker can explore a deployed service on the web and attack at his/her own leisure. Moving Target Defense (MTD) in web applications is an effective mechanism to nullify this advantage of their reconnaissance but the framework demands a good switching strategy when switching between multiple configurations for its web-stack. To address this issue, we propose the modeling of a real world MTD web application as a repeated Bayesian game. We formulate an optimization problem that generates an effective switching strategy while considering the cost of switching between different web-stack configurations. To use this model for a developed MTD system, we develop an automated system for generating attack sets of Common Vulnerabilities and Exposures (CVEs) for input attacker types with predefined capabilities. Our framework obtains realistic reward values for the players (defenders and attackers) in this game by using security domain expertise on CVEs obtained from the National Vulnerability Database (NVD). We also address the issue of prioritizing vulnerabilities that, when fixed, improve the security of the MTD system. Lastly, we demonstrate the robustness of our proposed model by evaluating its performance when there is uncertainty about input attacker information.
AB - The present complexity in designing web applications makes software security a difficult goal to achieve. An attacker can explore a deployed service on the web and attack at his/her own leisure. Moving Target Defense (MTD) in web applications is an effective mechanism to nullify this advantage of their reconnaissance but the framework demands a good switching strategy when switching between multiple configurations for its web-stack. To address this issue, we propose the modeling of a real world MTD web application as a repeated Bayesian game. We formulate an optimization problem that generates an effective switching strategy while considering the cost of switching between different web-stack configurations. To use this model for a developed MTD system, we develop an automated system for generating attack sets of Common Vulnerabilities and Exposures (CVEs) for input attacker types with predefined capabilities. Our framework obtains realistic reward values for the players (defenders and attackers) in this game by using security domain expertise on CVEs obtained from the National Vulnerability Database (NVD). We also address the issue of prioritizing vulnerabilities that, when fixed, improve the security of the MTD system. Lastly, we demonstrate the robustness of our proposed model by evaluating its performance when there is uncertainty about input attacker information.
UR - https://www.scopus.com/pages/publications/85032875652
M3 - Conference contribution
AN - SCOPUS:85032875652
T3 - Proceedings of the International Joint Conference on Autonomous Agents and Multiagent Systems, AAMAS
SP - 178
EP - 186
BT - 16th International Conference on Autonomous Agents and Multiagent Systems, AAMAS 2017
A2 - Durfee, Edmund
A2 - Das, Sanmay
A2 - Larson, Kate
A2 - Winikoff, Michael
PB - International Foundation for Autonomous Agents and Multiagent Systems (IFAAMAS)
T2 - 16th International Conference on Autonomous Agents and Multiagent Systems, AAMAS 2017
Y2 - 8 May 2017 through 12 May 2017
ER -