Moving Target Defense under Uncertainty for Web Applications

Moving target defense (MTD) has emerged as a key technique that can be used in various security applications to reduce the threat of attackers by taking away their ability to perform reconnaissance and exploit vulnerabilities. However, most existing research in the field assumes unrealistic access to information about the attacker’s motivations and/or actions when developing MTD strategies. Many existing approaches also assume complete knowledge of the vulnerabilities of a particular application and how each of these vulnerabilities can be exploited by an attacker. In this work, we propose an algorithm that generates effective MTD strategies for web applications and does not rely on prior knowledge about the attackers. Our approach assumes that the only information the defender receives about its own reward function is via interaction with the attacker in a repeated game setting. We evaluate our algorithm using data mined from the National Vulnerability Database to show that it matches the performance of state-of-the-art techniques, despite using much less information.
