A Game Theoretic Approach to Strategy Generation for Moving Target Defense in Web Applications

The present complexity in designing web applications makes software security a difficult goal to achieve. An attacker can explore a deployed service on the web and attack at his/her own leisure. Moving Target Defense (MTD) in web applications is an effective mechanism to nullify this advantage of their reconnaissance but the framework demands a good switching strategy when switching between multiple configurations for its web-stack. To address this issue, we propose the modeling of a real world MTD web application as a repeated Bayesian game. We formulate an optimization problem that generates an effective switching strategy while considering the cost of switching between different web-stack configurations. To use this model for a developed MTD system, we develop an automated system for generating attack sets of Common Vulnerabilities and Exposures (CVEs) for input attacker types with predefined capabilities. Our framework obtains realistic reward values for the players (defenders and attackers) in this game by using security domain expertise on CVEs obtained from the National Vulnerability Database (NVD). We also address the issue of prioritizing vulnerabilities that when fixed, improves the security of the MTD system. Lastly, we demonstrate the robustness of our proposed model by evaluating its performance when there is uncertainty about input attacker information.

[1]  Marthony Taguinod,et al.  Toward a Moving Target Defense for Web Applications , 2015, 2015 IEEE International Conference on Information Reuse and Integration.

[2]  Milind Tambe,et al.  From Physical Security to Cyber Security ? , 2015 .

[3]  Richard Ford,et al.  Moving-Target Defenses for Computer Networks , 2014, IEEE Security & Privacy.

[4]  Michael P. Wellman,et al.  Gradient methods for stackelberg security games , 2016, UAI 2016.

[5]  William W. Streilein,et al.  Finding Focus in the Blur of Moving-Target Techniques , 2014, IEEE Security & Privacy.

[6]  Siv Hilde Houmb,et al.  Quantifying security risk level from CVSS estimates of frequency and impact , 2010, J. Syst. Softw..

[7]  I. Karimi,et al.  Piecewise MILP under‐ and overestimators for global optimization of bilinear programs , 2008 .

[8]  Kevin M. Carter,et al.  Adaptive Attacker Strategy Development Against Moving Target Cyber Defenses , 2014, ArXiv.

[9]  Kevin M. Carter,et al.  A Game Theoretic Approach to Strategy Determination for Dynamic Platform Defenses , 2014, MTD '14.

[10]  Sarit Kraus,et al.  Deployed ARMOR protection: the application of a game theoretic model for security at the Los Angeles International Airport , 2008, AAMAS 2008.

[11]  Christopher Krügel,et al.  Saner: Composing Static and Dynamic Analysis to Validate Sanitization in Web Applications , 2008, 2008 IEEE Symposium on Security and Privacy (sp 2008).

[12]  Sarit Kraus,et al.  Playing games for security: an efficient exact algorithm for solving Bayesian Stackelberg games , 2008, AAMAS.

[13]  Sailik Sengupta,et al.  Moving Target Defense for Web Applications using Bayesian Stackelberg Games: (Extended Abstract) , 2016, AAMAS.

[14]  Michael P. Wellman,et al.  Empirical Game-Theoretic Analysis for Moving Target Defense , 2015, MTD@CCS.

[15]  Scott A. DeLoach,et al.  Towards a Theory of Moving Target Defense , 2014, MTD '14.

[16]  Vincent Conitzer,et al.  Computing the optimal strategy to commit to , 2006, EC '06.

[17]  Pratyusa K. Manadhata,et al.  Game Theoretic Approaches to Attack Surface Shifting , 2013, Moving Target Defense.

[18]  Ronald L. Rivest,et al.  FlipIt: The Game of “Stealthy Takeover” , 2012, Journal of Cryptology.

[19]  Alexander V. Outkin,et al.  Evaluating Moving Target Defense with PLADD , 2015 .

[20]  Heinrich von Stackelberg Market Structure and Equilibrium , 2010 .

[21]  Milind Tambe,et al.  From physical security to cybersecurity , 2015, J. Cybersecur..

[22]  Christopher Krügel,et al.  Enemy of the State: A State-Aware Black-Box Web Vulnerability Scanner , 2012, USENIX Security Symposium.