25 Scopus citations

Abstract

The present complexity in designing web applications makes software security a difficult goal to achieve. An attacker can explore a deployed service on the web and attack at his/her own leisure. Moving Target Defense (MTD) in web applications is an effective mechanism to nullify this advantage of their reconnaissance but the framework demands a good switching strategy when switching between multiple configurations for its web-stack. To address this issue, we propose the modeling of a real world MTD web application as a repeated Bayesian game. We formulate an optimization problem that generates an effective switching strategy while considering the cost of switching between different web-stack configurations. To use this model for a developed MTD system, we develop axi automated system for generating attack sets of Common Vulnerabilities and Exposures (CVEs) for input attacker types with predefined capabilities. Our framework obtains realistic reward values for the players (defenders and attackers) in this game by using security domain expertise on CVEs obtained from the National Vulnerability Database (NVD). We also address the issue of prioritizing vulnerabilities that when fixed, improves the security of the MTD system. Lastly, we demonstrate the robustness of our proposed model by evaluating its performance when there is uncertainty about input aitacker information.

Original languageEnglish (US)
Title of host publication16th International Conference on Autonomous Agents and Multiagent Systems, AAMAS 2017
PublisherInternational Foundation for Autonomous Agents and Multiagent Systems (IFAAMAS)
Pages178-186
Number of pages9
Volume1
ISBN (Electronic)9781510855076
StatePublished - Jan 1 2017
Event16th International Conference on Autonomous Agents and Multiagent Systems, AAMAS 2017 - Sao Paulo, Brazil
Duration: May 8 2017May 12 2017

Other

Other16th International Conference on Autonomous Agents and Multiagent Systems, AAMAS 2017
CountryBrazil
CitySao Paulo
Period5/8/175/12/17

ASJC Scopus subject areas

  • Artificial Intelligence
  • Software
  • Control and Systems Engineering

Fingerprint Dive into the research topics of 'A game theoretic approach to strategy generation for moving target defense in web applications'. Together they form a unique fingerprint.

Cite this