Abstract

Web applications are a critical component of the security ecosystem, as they are often the front door for many companies; as such, vulnerabilities in web applications allow hackers access to companies' private data, which contains consumers' private financial information. Web applications are, by their nature, available to everyone, at any time, from anywhere, and this includes attackers. Therefore, attackers have the opportunity to perform reconnaissance at their leisure, acquiring information on the layout and technologies of the web application, before launching an attack. However, the defender must be prepared for all possible attacks and does not have the luxury of performing reconnaissance on the attacker. The idea behind Moving Target Defense (MTD) is to reduce the information asymmetry between the attacker and defender, ultimately rendering the reconnaissance information misleading or useless. In this paper we take the first steps of applying MTD concepts to web applications in order to create effective defensive layers. We first analyze the web application stack to understand where and how MTD can be applied. The key issue here is that an MTD application must actively prevent or disrupt a vulnerability or exploit, while still providing identical functionality. Then, we discuss our implementation of two MTD approaches, which can mitigate several classes of web application vulnerabilities or exploits. We hope that our discussion will help guide future research in applying the MTD concepts to the web application stack.

Original language: English (US)
Title of host publication: Proceedings - 2015 IEEE 16th International Conference on Information Reuse and Integration, IRI 2015
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 510-517
Number of pages: 8
ISBN (Print): 9781467366564
DOI: 10.1109/IRI.2015.84
State: Published - Oct 19 2015
Event: 16th IEEE International Conference on Information Reuse and Integration, IRI 2015 - San Francisco, United States
Duration: Aug 13 2015 to Aug 15 2015

Other

Other: 16th IEEE International Conference on Information Reuse and Integration, IRI 2015
Country: United States
City: San Francisco
Period: 8/13/15 to 8/15/15

Keywords

  • Abstract Syntax Tree
  • Automated Conversion
  • Diversify
  • Layers
  • Moving
  • Randomize
  • Source Translation
  • Tiered
  • Web applications
  • Web Software

ASJC Scopus subject areas

  • Information Systems
  • Information Systems and Management
  • Electrical and Electronic Engineering

Cite this

Taguinod, M., Doupe, A., Zhao, Z., & Ahn, G-J. (2015). Toward a Moving Target Defense for Web Applications. In Proceedings - 2015 IEEE 16th International Conference on Information Reuse and Integration, IRI 2015 (pp. 510-517). [7301020] Institute of Electrical and Electronics Engineers Inc. https://doi.org/10.1109/IRI.2015.84

@inproceedings{22ed4607807349eca0bbcfda82ae4ce9,
title = "Toward a Moving Target Defense for Web Applications",
abstract = "Web applications are a critical component of the security ecosystem as they are often the front door for many companies, as such, vulnerabilities in web applications allow hackers access to companies' private data, which contains consumers' private financial information. Web applications are, by their nature, available to everyone, at anytime, from anywhere, and this includes attackers. Therefore, attackers have the opportunity to perform reconnaissance at their leisure, acquiring information on the layout and technologies of the web application, before launching an attack. However, the defender must be prepared for all possible attacks and does not have the luxury of performing reconnaissance on the attacker. The idea behind Moving Target Defense (MTD) is to reduce the information asymmetry between the attacker and defender, ultimately rendering the reconnaissance information misleading or useless. In this paper we take the first steps of applying MTD concepts to web applications in order to create effective defensive layers. We first analyze the web application stack to understand where and how MTD can be applied. The key issue here is that an MTD application must actively prevent or disrupt a vulnerability or exploit, while still providing identical functionality. Then, we discuss our implementation of two MTD approaches, which can mitigate several classes of web application vulnerabilities or exploits. We hope that our discussion will help guide future research in applying the MTD concepts to the web application stack.",
keywords = "Abstract Syntax Tree, Automated Conversion, Diversify, Layers, Moving, Randomize, Source Translation, Tiered, Web applications, Web Software",
author = "Marthony Taguinod and Adam Doupe and Ziming Zhao and Gail-Joon Ahn",
year = "2015",
month = "10",
day = "19",
doi = "10.1109/IRI.2015.84",
language = "English (US)",
isbn = "9781467366564",
pages = "510--517",
booktitle = "Proceedings - 2015 IEEE 16th International Conference on Information Reuse and Integration, IRI 2015",
publisher = "Institute of Electrical and Electronics Engineers Inc.",
}
