Thwarting and Analyzing Web Application Attacks Through Cyber Deception / Waleed Bin Shahid
Material type: Text
Publisher: Rawalpindi, MCS (NUST), 2022
Description: xiv, 114
Subject(s): PhD Information Security Thesis | PhD IS Thesis
DDC classification: 005.8,SHA

| Item type | Current location | Home library | Shelving location | Call number | Status | Notes | Date due | Barcode | Item holds |
|---|---|---|---|---|---|---|---|---|---|
| Thesis | Military College of Signals (MCS) | Military College of Signals (MCS) | Thesis | 005.8,SHA | Available | Almirah No.68, Shelf No.5 | | MCSPhD IS-10 | |

The advent of sophisticated and advanced attacks along with the omnipresence of web applications
has made it very challenging to secure web applications in real time. Moreover,
the over-reliance on simple and traditional security solutions like Web Application Firewalls
(WAFs) has made it more challenging because most cyber attacks including the Advanced
Persistent Threats (APTs) rely on web attacks especially during the attack phases of infiltration
and expansion. Since traditional security solutions (like WAFs) for countering attacks on
web applications can no longer counter modern-day attacks,
researchers have shifted towards building deep learning based defensive solutions which have the
ability to detect modern-day web attacks. Existing solutions for web attack detection have
many weaknesses, as they do not cater for a large number of attacks, have no attacker profiling
feature, are not cascaded or hybrid in nature and are not optimized. Apart from a sound
deep learning based framework for detecting web attacks, there has been growing interest
in learning about the attacker’s behaviour, attack tactics, methodologies and techniques, which is
only possible if the attacker is engaged for a period of time. Research in the existing
literature does not focus on studying the attacker’s behaviour in addition to attack detection,
as this is only possible with the help of a deception system that has the ability to deceive
the attacker(s) through the use of highly deceptive lures that carry deceiving and misleading
information, thereby enticing the attacker(s) to launch attacks. The prime motivation of
carrying out this research work was to come up with a framework which combines the key
functionality of attack detection and deception and use them in a combined fashion so that
web attacks are promptly detected and personalized deception is provided.
In the proposed research, we introduce a hybrid web attack detection module which is
nested with a high interaction and lightweight web deception module to thwart and analyze
all prevalent and commonly known web application attacks. The hybrid web attack detection
module nests the Convolutional Neural Network (CNN) based attack detection engine with a
Cookie Analysis Engine (CAE) in a way that web attacks are detected, mitigated and analyzed.
Moreover, the attackers are profiled over a period of time, which helps in further optimizing
attack detection and deception. In order to train the deep learning classifier, we first produced
a large dataset over a span of time and selected key features of the HTTP request like Data,
Cookies, Content Length, Type and Requested URL etc. The Cookie Analysis Engine works
in conjunction with the deep learning classifier and checks the cookie fields of all incoming
web requests (HTTP) to find failed sanitization and integrity checks, mutations and presence of advertising/third-party content. Then, the proposed hybrid attack detection framework
analyses the cascaded output from the Cookie Analysis Engine along with the deep learning
based classifier to give a final verdict on the incoming HTTP request. The proposed attack
detection framework was thoroughly tested not just on a custom dataset generated in a real
time environment but also on a benchmark dataset which is publicly available. On our dataset,
specifically generated for testing purposes, the proposed framework gave 99.94% accuracy,
while on the public dataset, accuracy of 98.74% was achieved. What makes the proposed
framework highly optimized and less resource intensive is the primary feature of profiling
the attackers, which limited the number of executions of the deep learning
classifier since attacker profiles were maintained over time. This enabled the framework
to be easily deployed to counter web attacks in real time. Moreover, the decrease in deep
learning classifier’s executions did not compromise attack detection accuracy and precision.
We also propose a comprehensive web deception framework that is highly interactive and
is combined with the attack detection framework in a way that all malicious HTTP requests
detected by the hybrid attack detection framework are routed towards the deception module,
thereby protecting the actual web application. This deception module is based on Docker
containers, making the system more efficient, scalable and fast, thereby enhancing
runtime development and scenario based emulation. The centralized Docker controller manages
and controls these attack specific dockers and also interacts directly and securely with
the hybrid attack detection module. The prime attacker profiling feature, powered by the
cookie(s) analysis, helps the proposed deception scheme to deal with zero-day attacks as
well. The proposed system has the ability to counter and manage all prominent web application
attacks by engaging attacker(s) for a considerable amount of time. The proposed
deception framework is also suitable for Internet of Things (IoT) networks and has a competitive
edge over existing web deception solutions.
