Abstract

The present complexity in designing web applications makes software security a difficult goal to achieve. An attacker can explore a deployed service on the web and attack at his/her own leisure. Moving Target Defense (MTD) in web applications is an effective mechanism to nullify this advantage of their reconnaissance but the framework demands a good switching strategy when switching between multiple configurations for its web-stack. To address this issue, we propose the modeling of a real world MTD web application as a repeated Bayesian game. We formulate an optimization problem that generates an effective switching strategy while considering the cost of switching between different web-stack configurations. To use this model for a developed MTD system, we develop axi automated system for generating attack sets of Common Vulnerabilities and Exposures (CVEs) for input attacker types with predefined capabilities. Our framework obtains realistic reward values for the players (defenders and attackers) in this game by using security domain expertise on CVEs obtained from the National Vulnerability Database (NVD). We also address the issue of prioritizing vulnerabilities that when fixed, improves the security of the MTD system. Lastly, we demonstrate the robustness of our proposed model by evaluating its performance when there is uncertainty about input aitacker information.

Original languageEnglish (US)
Title of host publication16th International Conference on Autonomous Agents and Multiagent Systems, AAMAS 2017
PublisherInternational Foundation for Autonomous Agents and Multiagent Systems (IFAAMAS)
Pages178-186
Number of pages9
Volume1
ISBN (Electronic)9781510855076
StatePublished - Jan 1 2017
Event16th International Conference on Autonomous Agents and Multiagent Systems, AAMAS 2017 - Sao Paulo, Brazil
Duration: May 8 2017May 12 2017

Other

Other16th International Conference on Autonomous Agents and Multiagent Systems, AAMAS 2017
CountryBrazil
CitySao Paulo
Period5/8/175/12/17

Fingerprint

Costs
Uncertainty

ASJC Scopus subject areas

  • Artificial Intelligence
  • Software
  • Control and Systems Engineering

Cite this

Sengupta, S., Vadlamudi, S. G., Kambhampati, S., Doupe, A., Zhao, Z., Taguinod, M., & Ahn, G-J. (2017). A game theoretic approach to strategy generation for moving target defense in web applications. In 16th International Conference on Autonomous Agents and Multiagent Systems, AAMAS 2017 (Vol. 1, pp. 178-186). International Foundation for Autonomous Agents and Multiagent Systems (IFAAMAS).

A game theoretic approach to strategy generation for moving target defense in web applications. / Sengupta, Sailik; Vadlamudi, Satya Gautam; Kambhampati, Subbarao; Doupe, Adam; Zhao, Ziming; Taguinod, Marthony; Ahn, Gail-Joon.

16th International Conference on Autonomous Agents and Multiagent Systems, AAMAS 2017. Vol. 1 International Foundation for Autonomous Agents and Multiagent Systems (IFAAMAS), 2017. p. 178-186.

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Sengupta, S, Vadlamudi, SG, Kambhampati, S, Doupe, A, Zhao, Z, Taguinod, M & Ahn, G-J 2017, A game theoretic approach to strategy generation for moving target defense in web applications. in 16th International Conference on Autonomous Agents and Multiagent Systems, AAMAS 2017. vol. 1, International Foundation for Autonomous Agents and Multiagent Systems (IFAAMAS), pp. 178-186, 16th International Conference on Autonomous Agents and Multiagent Systems, AAMAS 2017, Sao Paulo, Brazil, 5/8/17.
Sengupta S, Vadlamudi SG, Kambhampati S, Doupe A, Zhao Z, Taguinod M et al. A game theoretic approach to strategy generation for moving target defense in web applications. In 16th International Conference on Autonomous Agents and Multiagent Systems, AAMAS 2017. Vol. 1. International Foundation for Autonomous Agents and Multiagent Systems (IFAAMAS). 2017. p. 178-186
Sengupta, Sailik ; Vadlamudi, Satya Gautam ; Kambhampati, Subbarao ; Doupe, Adam ; Zhao, Ziming ; Taguinod, Marthony ; Ahn, Gail-Joon. / A game theoretic approach to strategy generation for moving target defense in web applications. 16th International Conference on Autonomous Agents and Multiagent Systems, AAMAS 2017. Vol. 1 International Foundation for Autonomous Agents and Multiagent Systems (IFAAMAS), 2017. pp. 178-186
@inproceedings{482bbb77ae1c405aba12b7c03177ce9a,
title = "A game theoretic approach to strategy generation for moving target defense in web applications",
abstract = "The present complexity in designing web applications makes software security a difficult goal to achieve. An attacker can explore a deployed service on the web and attack at his/her own leisure. Moving Target Defense (MTD) in web applications is an effective mechanism to nullify this advantage of their reconnaissance but the framework demands a good switching strategy when switching between multiple configurations for its web-stack. To address this issue, we propose the modeling of a real world MTD web application as a repeated Bayesian game. We formulate an optimization problem that generates an effective switching strategy while considering the cost of switching between different web-stack configurations. To use this model for a developed MTD system, we develop axi automated system for generating attack sets of Common Vulnerabilities and Exposures (CVEs) for input attacker types with predefined capabilities. Our framework obtains realistic reward values for the players (defenders and attackers) in this game by using security domain expertise on CVEs obtained from the National Vulnerability Database (NVD). We also address the issue of prioritizing vulnerabilities that when fixed, improves the security of the MTD system. Lastly, we demonstrate the robustness of our proposed model by evaluating its performance when there is uncertainty about input aitacker information.",
author = "Sailik Sengupta and Vadlamudi, {Satya Gautam} and Subbarao Kambhampati and Adam Doupe and Ziming Zhao and Marthony Taguinod and Gail-Joon Ahn",
year = "2017",
month = "1",
day = "1",
language = "English (US)",
volume = "1",
pages = "178--186",
booktitle = "16th International Conference on Autonomous Agents and Multiagent Systems, AAMAS 2017",
publisher = "International Foundation for Autonomous Agents and Multiagent Systems (IFAAMAS)",

}

TY - GEN

T1 - A game theoretic approach to strategy generation for moving target defense in web applications

AU - Sengupta, Sailik

AU - Vadlamudi, Satya Gautam

AU - Kambhampati, Subbarao

AU - Doupe, Adam

AU - Zhao, Ziming

AU - Taguinod, Marthony

AU - Ahn, Gail-Joon

PY - 2017/1/1

Y1 - 2017/1/1

N2 - The present complexity in designing web applications makes software security a difficult goal to achieve. An attacker can explore a deployed service on the web and attack at his/her own leisure. Moving Target Defense (MTD) in web applications is an effective mechanism to nullify this advantage of their reconnaissance but the framework demands a good switching strategy when switching between multiple configurations for its web-stack. To address this issue, we propose the modeling of a real world MTD web application as a repeated Bayesian game. We formulate an optimization problem that generates an effective switching strategy while considering the cost of switching between different web-stack configurations. To use this model for a developed MTD system, we develop axi automated system for generating attack sets of Common Vulnerabilities and Exposures (CVEs) for input attacker types with predefined capabilities. Our framework obtains realistic reward values for the players (defenders and attackers) in this game by using security domain expertise on CVEs obtained from the National Vulnerability Database (NVD). We also address the issue of prioritizing vulnerabilities that when fixed, improves the security of the MTD system. Lastly, we demonstrate the robustness of our proposed model by evaluating its performance when there is uncertainty about input aitacker information.

AB - The present complexity in designing web applications makes software security a difficult goal to achieve. An attacker can explore a deployed service on the web and attack at his/her own leisure. Moving Target Defense (MTD) in web applications is an effective mechanism to nullify this advantage of their reconnaissance but the framework demands a good switching strategy when switching between multiple configurations for its web-stack. To address this issue, we propose the modeling of a real world MTD web application as a repeated Bayesian game. We formulate an optimization problem that generates an effective switching strategy while considering the cost of switching between different web-stack configurations. To use this model for a developed MTD system, we develop axi automated system for generating attack sets of Common Vulnerabilities and Exposures (CVEs) for input attacker types with predefined capabilities. Our framework obtains realistic reward values for the players (defenders and attackers) in this game by using security domain expertise on CVEs obtained from the National Vulnerability Database (NVD). We also address the issue of prioritizing vulnerabilities that when fixed, improves the security of the MTD system. Lastly, we demonstrate the robustness of our proposed model by evaluating its performance when there is uncertainty about input aitacker information.

UR - http://www.scopus.com/inward/record.url?scp=85032875652&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85032875652&partnerID=8YFLogxK

M3 - Conference contribution

VL - 1

SP - 178

EP - 186

BT - 16th International Conference on Autonomous Agents and Multiagent Systems, AAMAS 2017

PB - International Foundation for Autonomous Agents and Multiagent Systems (IFAAMAS)

ER -