Abstract
Web applications are a critical component of the security ecosystem as they are often the front door for many companies, as such, vulnerabilities in web applications allow hackers access to companies' private data, which contains consumers' private financial information. Web applications are, by their nature, available to everyone, at anytime, from anywhere, and this includes attackers. Therefore, attackers have the opportunity to perform reconnaissance at their leisure, acquiring information on the layout and technologies of the web application, before launching an attack. However, the defender must be prepared for all possible attacks and does not have the luxury of performing reconnaissance on the attacker. The idea behind Moving Target Defense (MTD) is to reduce the information asymmetry between the attacker and defender, ultimately rendering the reconnaissance information misleading or useless. In this paper we take the first steps of applying MTD concepts to web applications in order to create effective defensive layers. We first analyze the web application stack to understand where and how MTD can be applied. The key issue here is that an MTD application must actively prevent or disrupt a vulnerability or exploit, while still providing identical functionality. Then, we discuss our implementation of two MTD approaches, which can mitigate several classes of web application vulnerabilities or exploits. We hope that our discussion will help guide future research in applying the MTD concepts to the web application stack.
Original language | English (US) |
---|---|
Title of host publication | Proceedings - 2015 IEEE 16th International Conference on Information Reuse and Integration, IRI 2015 |
Publisher | Institute of Electrical and Electronics Engineers Inc. |
Pages | 510-517 |
Number of pages | 8 |
ISBN (Print) | 9781467366564 |
DOIs | |
State | Published - Oct 19 2015 |
Event | 16th IEEE International Conference on Information Reuse and Integration, IRI 2015 - San Francisco, United States Duration: Aug 13 2015 → Aug 15 2015 |
Other
Other | 16th IEEE International Conference on Information Reuse and Integration, IRI 2015 |
---|---|
Country/Territory | United States |
City | San Francisco |
Period | 8/13/15 → 8/15/15 |
Keywords
- Abstract Syntax Tree
- Automated Conversion
- Diversify
- Layers
- Moving
- Randomize
- Source Translation
- Tiered
- Web applications
- Web Software
ASJC Scopus subject areas
- Information Systems
- Information Systems and Management
- Electrical and Electronic Engineering