Ecole d'ingénieur et centre de recherche en Sciences du numérique

Evaluation of deception-based web attacks detection

Han, Xiao; Kheir, Nizar; Balzarotti, Davide

MTD 2017, 4th ACM Workshop on Moving Target Defense, In conjunction with the 24th ACM Conference on Computer and Communications Security (CCS), October 30-November 3, 2017, Dallas, Texas, USA

A form of moving target defense that is rapidly increasing in popularity consists of enriching an application with a number of deceptive elements and raising an alert whenever an interaction with such elements takes place. The use of deception can reduce some of the advantages of an attacker, making the exploration of the target to discover vulnerabilities a difficult and risky task. Another popular argument in support of deception techniques is that they are very effective at detecting attackers while maintaining a low, or even zero, false positive rate. However, to the best of our knowledge, no experiments have been performed to evaluate the use of deception in web applications. In particular, the lack of precise measurements of false positive and false negative rates makes it very difficult to understand if, and to which extent, deception can be an effective defense solution and a replacement for other traditional detection techniques. In this paper, we first implement a web deception framework that allows us to introduce deception in any web application. Using this framework, we conduct two experiments that measure respectively the number of false alarms in a production environment and the detection accuracy during a controlled red team experiment with 150 participants. The first experiment has been performed for a period of seven months with 258 regular users and no false alarms have been triggered. The second experiment shows instead that deception is indeed capable of detecting attackers even before they could find one of the numerous vulnerabilities in the target application. However, 36% of the attackers who successfully exploited at least one vulnerability did so without triggering any of our traps. While more experiments are needed to better understand this phenomenon, our preliminary study seems to suggest that deception is a valuable companion of other detection techniques but it may not be suitable as a single standalone protection mechanism.

Document Doi Bibtex

Titre:Evaluation of deception-based web attacks detection
Type:Conférence
Langue:English
Ville:Dallas
Pays:ÉTATS-UNIS
Date:
Département:Sécurité numérique
Eurecom ref:5373
Copyright: © ACM, 2017. This is the author's version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version was published in MTD 2017, 4th ACM Workshop on Moving Target Defense, In conjunction with the 24th ACM Conference on Computer and Communications Security (CCS), October 30-November 3, 2017, Dallas, Texas, USA http://dx.doi.org/10.1145/3140549.3140555
Bibtex: @inproceedings{EURECOM+5373, doi = {http://dx.doi.org/10.1145/3140549.3140555}, year = {2017}, title = {{E}valuation of deception-based web attacks detection}, author = {{H}an, {X}iao and {K}heir, {N}izar and {B}alzarotti, {D}avide}, booktitle = {{MTD} 2017, 4th {ACM} {W}orkshop on {M}oving {T}arget {D}efense, {I}n conjunction with the 24th {ACM} {C}onference on {C}omputer and {C}ommunications {S}ecurity ({CCS}), {O}ctober 30-{N}ovember 3, 2017, {D}allas, {T}exas, {USA}}, address = {{D}allas, {\'{E}}{TATS}-{UNIS}}, month = {10}, url = {http://www.eurecom.fr/publication/5373} }
Voir aussi: