The present complexity in designing web applications makes software security a difficult goal to achieve. Moreover, an attacker can explore a deployed service on the web and attack at his/her own leisure. Although Moving Target Defense (MTD) in web applications is an effective mechanism to nullify this advantage of their reconnaissance, the framework demands a good switching strategy when switching between multiple configurations for its web-stack. To address this issue, we propose modeling of a real-world MTD web application as a repeated Bayesian game to generate an effective switching strategy. To incorporate this model into a real system, we propose an automated system for generating attack sets of Common Vulnerabilities and Exposures (CVEs) for input attacker types with predefined capabilities. Our framework obtains realistic reward values for the players (defenders and attackers) in this game by using security domain expertise on CVEs obtained from the National Vulnerability Database (NVD). Also, with our model, we address the issue of prioritizing vulnerabilities that when fixed, improves the security of the MTD system. Lastly, we demonstrate the robustness of our proposed model by evaluating its performance when there is uncertainty about input attacker information.
from cs.AI updates on arXiv.org http://arxiv.org/abs/1602.07024
via IFTTT
No comments:
Post a Comment