Click This, Not That: Extending Web Authentication with Deception

With phishing attacks, password breaches, and brute-force login attacks presenting constant threats, it is clear that passwords alone are inadequate for protecting the web applications entrusted with our personal data. Instead, web applications should practice defense in depth and give users multiple ways to secure their accounts. In this paper we propose login rituals, which define actions that a user must take to authenticate, and web tripwires, which define actions that a user must not take to remain authenticated. These actions outline the expected behavior of users familiar with their individual setups on applications they use often. We show how we can detect and prevent intrusions from web attackers lacking this familiarity with their victim's behavior. We design a modular and application-agnostic system that incorporates these two mechanisms, allowing us to add an additional layer of deception-based security to existing web applications without modifying the applications themselves. In addition to testing our system and evaluating its performance when applied to five popular open-source web applications, we demonstrate the promising nature of these mechanisms through a user study. Specifically, we evaluate the detection rate of tripwires against simulated attackers, 88% of whom clicked on at least one tripwire. We also observe web users' creation of personalized login rituals and evaluate the practicality and memorability of these rituals over time. Out of 39 user-created rituals, all of them are unique and 79% of users were able to reproduce their rituals even a week after creation.
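The two mechanisms the abstract describes, modelled as an added example that is not the paper's own system: a per-user login ritual is assumed to be an ordered list of request paths that must be visited after the password check before the session counts as authenticated, and a tripwire is assumed to be a decoy path the legitimate user never visits, so a single request to it revokes the session and raises an alert. The `Session`/`DeceptionLayer` names, the path values and the reset-on-wrong-step policy are all assumptions for illustration.

```python
# Added example (not the paper's code): an application-agnostic layer that
# tracks ritual progress and tripwire hits per session, in the spirit of the
# modular design the abstract describes. Paths and names are hypothetical.
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    password_ok: bool = False
    ritual_progress: int = 0   # ritual steps completed, in order
    authenticated: bool = False
    revoked: bool = False


class DeceptionLayer:
    def __init__(self, rituals, tripwires):
        self.rituals = rituals      # user -> ordered list of paths (assumed)
        self.tripwires = tripwires  # user -> set of decoy paths (assumed)
        self.alerts = []            # (user, path) pairs handed to monitoring

    def password_checked(self, s):
        """Called once the application's own password check succeeds."""
        s.password_ok = True
        s.ritual_progress = 0
        s.authenticated = not self.rituals.get(s.user)  # no ritual: done

    def observe(self, s, path):
        """Process one request and return the session state after it."""
        if s.revoked:
            return "revoked"
        if path in self.tripwires.get(s.user, set()):
            # A real user never clicks here: revoke and alert, do not warn.
            s.revoked, s.authenticated = True, False
            self.alerts.append((s.user, path))
            return "revoked"
        if s.password_ok and not s.authenticated:
            ritual = self.rituals[s.user]
            if path == ritual[s.ritual_progress]:
                s.ritual_progress += 1
                if s.ritual_progress == len(ritual):
                    s.authenticated = True
                    return "authenticated"
            else:
                # Wrong step: restart, counting this request if it is step 1.
                s.ritual_progress = 1 if path == ritual[0] else 0
            return "pending"
        return "authenticated" if s.authenticated else "anonymous"
```

A stolen password alone leaves the attacker stuck in the "pending" state, and a curious click on the decoy path ends the session and lands in `alerts`.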
