Evaluation of Deception-Based Web Attacks Detection

A form of moving target defense that is rapidly gaining popularity consists of enriching an application with a number of deceptive elements and raising an alert whenever an interaction with one of these elements takes place. Deception can erode some of the attacker's advantages, making the exploration of the target in search of vulnerabilities difficult and risky. Another popular argument in favour of deception techniques is that they are very effective at detecting attackers while maintaining a low, or even zero, false positive rate. However, to the best of our knowledge, no experiments have been performed to evaluate the use of deception in web applications. In particular, the lack of precise measurements of false positive and false negative rates makes it very difficult to understand whether, and to what extent, deception can be an effective defense and a replacement for other traditional detection techniques. In this paper, we first implement a web deception framework that allows us to introduce deception in any web application. Using this framework, we conduct two experiments that measure, respectively, the number of false alarms in a production environment and the detection accuracy during a controlled red team experiment with 150 participants. The first experiment ran for seven months with 258 regular users and triggered no false alarms. The second experiment shows that deception is indeed capable of detecting attackers even before they find one of the numerous vulnerabilities in the target application. However, 36% of the attackers who successfully exploited at least one vulnerability did so without triggering any of our traps. While more experiments are needed to better understand this phenomenon, our preliminary study suggests that deception is a valuable companion to other detection techniques but may not be suitable as a single standalone protection mechanism.
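A minimal instance of the mechanism the abstract describes, as an added illustration that is not the paper's own framework: decoy elements (a URL advertised only in an HTML comment, a hidden form field, and a decoy cookie) are injected into responses, and a detector flags any request that interacts with them. The trap names, the secret, and the replayed request log are all constructed for this example. The last request in the log is a real injection attempt that touches no decoy, which is exactly the blind spot the abstract reports.

```python
"""Minimal web-deception layer: inject decoy elements into an application's
responses and raise an alert on any request that interacts with them.
Illustrative example only (not the paper's framework); every name, trap and
sample request below is constructed for the demonstration."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

SECRET = b"rotate-me-in-production"  # constructed; derive per deployment


@dataclass(frozen=True)
class Trap:
    kind: str                     # "path" (decoy URL), "param" (hidden field) or "cookie"
    name: str
    value: Optional[str] = None   # expected value for param/cookie traps


def decoy_token(label: str, secret: bytes = SECRET) -> str:
    """Derive a recognisable decoy value from a secret so the detector can
    verify it later without storing every token it ever issued."""
    return hmac.new(secret, label.encode(), hashlib.sha256).hexdigest()[:32]


TRAPS: List[Trap] = [
    Trap("path", "/admin-backup.zip"),                              # advertised only in an HTML comment
    Trap("param", "debug", "0"),                                    # hidden form field, fires if modified
    Trap("cookie", "session_admin", decoy_token("session_admin")),  # fires if tampered
]


def inject_decoys(html: str) -> str:
    """Enrich an outgoing page with the path and param decoys. A browser never
    follows an HTML comment or edits a hidden field, so only a human or a
    scanner reading the source will touch them."""
    decoys = (
        "<!-- TODO remove before release: /admin-backup.zip -->\n"
        '<input type="hidden" name="debug" value="0">\n'
    )
    return html.replace("</body>", decoys + "</body>", 1)


def decoy_cookie_header() -> str:
    """Set-Cookie header that plants the decoy cookie on a legitimate client."""
    cookie = next(t for t in TRAPS if t.kind == "cookie")
    return f"Set-Cookie: {cookie.name}={cookie.value}; Path=/; HttpOnly"


def _parse_cookies(header: Optional[str]) -> Dict[str, str]:
    out: Dict[str, str] = {}
    for part in (header or "").split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            out[k] = v
    return out


def inspect(method: str, target: str, headers: Dict[str, str], body: str = "") -> List[str]:
    """Return the names of every trap this request interacted with."""
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)
    if method.upper() == "POST":
        for k, v in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(k, []).extend(v)
    cookies = _parse_cookies(headers.get("Cookie"))

    hits: List[str] = []
    for trap in TRAPS:
        if trap.kind == "path" and parts.path == trap.name:
            hits.append(trap.name)
        elif trap.kind == "param" and trap.name in params:
            # The hidden field is legitimately submitted with its decoy value;
            # only a changed value means someone edited the form.
            if any(v != trap.value for v in params[trap.name]):
                hits.append(trap.name)
        elif trap.kind == "cookie" and trap.name in cookies:
            # Constant-time compare: a browser returns the cookie verbatim.
            if not hmac.compare_digest(cookies[trap.name], trap.value or ""):
                hits.append(trap.name)
    return hits


def run_sample() -> Dict[str, List[str]]:
    """Replay a constructed request log and report which traps fired."""
    good_cookie = f"session_admin={decoy_token('session_admin')}"
    log = {
        "benign_home":   ("GET", "/", {"Cookie": good_cookie}, ""),
        "benign_login":  ("POST", "/login", {"Cookie": good_cookie}, "user=alice&pass=pw&debug=0"),
        "decoy_path":    ("GET", "/admin-backup.zip", {}, ""),
        "edited_hidden": ("POST", "/login", {"Cookie": good_cookie}, "user=alice&pass=pw&debug=1"),
        "forged_cookie": ("GET", "/profile", {"Cookie": "session_admin=0000admin0000"}, ""),
        # A real injection attempt that never touches a decoy: the deception
        # layer stays silent, which is the blind spot the abstract measures.
        "sqli_no_trap":  ("GET", "/search?q=%27+OR+1%3D1--", {"Cookie": good_cookie}, ""),
    }
    return {name: inspect(*req) for name, req in log.items()}


if __name__ == "__main__":
    for name, hits in run_sample().items():
        print(f"{name:14s} -> {'ALERT ' + ','.join(hits) if hits else 'no trap touched'}")
```

Two design points matter for the zero-false-positive property the abstract reports: a hidden field and a decoy cookie are returned unchanged by every legitimate browser, so the detector must fire on modification rather than on presence, and the decoy cookie is compared with `hmac.compare_digest` so that a guessing attacker cannot time the check. The `sqli_no_trap` entry shows why deception alone is not sufficient: a request that exploits a real endpoint without ever touching a decoy produces no alert.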
