kfupm.edu.sa
Web Deception towards Moving Target
Defense
Basirudin Djamaluddin
Ahmed Alnazeer
Farag Azzedin
52nd Annual IEEE Carnahan Conference on Security Technology – Montreal October 22-25, 2018
25-October-2018
Web Application And Its Risks
King Fahd University of Petroleum & Minerals
kfupm.edu.sa
• Web Application Risks¹:
• Publicly exposed and may contain sensitive information, which makes them attractive to
adversaries
• They may contain vulnerabilities that expose them to cyber-security threats.
• Known Techniques to Overcome Cyber-Security Threats
• Mechanisms to expose the vulnerabilities before the adversaries do:
• Black-box: run a vulnerability scan and analyze the output²
• White-box: analyze the source code (static analysis) and rewrite the code at the
binary level³
• Develop the application itself securely, with analysis/testing and runtime protection⁴, e.g.
following the requirements of the Open Web Application Security Project (OWASP)⁵
10/28/2018 – 52nd Annual IEEE Carnahan Conference on Security Technology – Montreal October 22-25, 2018
1. M. Taguinod, et al., “Toward a Moving Target Defense for Web Applications,” Proc. - 2015 IEEE 16th Int. Conf. Inf. Reuse Integr. IRI 2015, 2015.
2. A. Doupé, et al, “Enemy of the State: A State-Aware Black-Box Vulnerability Scanner.” 2012.
3. A. Doupé, et al, “deDacota: Toward Preventing Server-side XSS via Automatic Code and Data Separation,” 2013
4. X. Li and Y. Xue, “A survey on server-side approaches to securing web applications,” ACM Comput. Surv., vol. 46, no. 4, pp. 1–29, 2014.
5. https://www.owasp.org/index.php/Main_Page
Web Application And Its Risks (cont.)
• Challenges:
• Static analysis, however, is not suitable as a long-running defense strategy: adversaries
can observe the web application over time, gain insight into it, find new vulnerabilities or
defeat the detection mechanism, and then launch new attacks through the newly identified
attack vectors¹,²
• The weakness of modern tools, even advanced security techniques, is that they work
reactively; as a result the defender may lose the information about what the adversary's
objective behind the attack was³
Static analysis and reactive defense systems cannot totally overcome the problem; in fact,
they may add complexity for the defender without delivering the expected positive results
in the end.
A proactive implementation that increases flexibility and makes the attack surface more
dynamic moves that complexity to the attackers.
1. M. Taguinod, et al., “Toward a Moving Target Defense for Web Applications,” Proc. - 2015 IEEE 16th Int. Conf. Inf. Reuse Integr. IRI 2015, 2015.
2. D. Evans, et al., “Effectiveness of Moving Target Defenses,” in Moving Target Defense: Creating Asymmetric Uncertainty for Cyber Threats, 2011
3. V. E. Urias, et al., “Computer network deception as a Moving Target Defense,” Proc. - Int. Carnahan Conf. Secur. Technol., vol. 2015-January, 2016.
Proactive and Dynamic Defense Approach – Deception
• Known techniques have limitations and cannot provide a comprehensive solution against
Internet threats; this has driven research into stopping attacks at their very beginning and
warning the users¹
• Deception is one of the defender-side techniques for overcoming the aforementioned
limitations, and it has recently attracted security researchers¹,²
• Deception works by creating a fake target to deceive the attacker, such as a honeypot: a
system designed to lure the attacker, whose value is already considered compromised, built
and configured to look vulnerable from the adversary's perspective, but which causes no
loss to the main system if it is attacked³
Weakness: a honeypot is limited to the view of the attacks that hit it; there is no way to make
the honeypot stand in for the main system if the main system itself is attacked.
On the other hand, if the attackers keep attacking the honeypots, the defenders can use that
as a countermeasure against the attackers¹
1. X. Han, et al., “Evaluation of Deception-Based Web Attacks Detection,” Proc. 2017 Work. Mov. Target Def. - MTD ’17, pp. 65–73, 2017.
2. M. Almeshekah, et al., “The case of using negative (deceiving) information in data protection,” 2014.
3. C. De Faveri and A. Moreira, “A SPL Framework for Adaptive Deception-based Defense,” vol. 9, pp. 5542–5551, 2018.
Proactive and Dynamic Defense Approach – Moving Target Defense (MTD)
• Increase the complexity of cyber-attacks for the adversary by making the system less
homogeneous, less static and less deterministic, which makes the attack surface more
dynamic
• Examples:
• In the network, by changing the network topology (e.g. random port numbers, extra open
or closed ports, or even fake listening ports)
• In the application, by changing the application environment, the application type and
version, and, lastly, by routing requests through different hosts
By applying MTD, the protection level is increased and the asymmetric advantage held by
the attacker is reduced.
MTD in Web Application¹
• Two important factors for an MTD implementation in a web application:
• When to move?
• What to move?
• What are the possible targets that the adversaries will attack? With this information,
the requirements can be divided into four specific layers:
• Logic Layer
• Storage Layer
• Presentation Layer
• Browsers
1. M. Taguinod, et al., “Toward a Moving Target Defense for Web Applications,” Proc. - 2015 IEEE 16th Int. Conf. Inf. Reuse Integr. IRI 2015, pp. 510–517
MTD in Web Application (cont.)
• What to move – web application layers for MTD:
• Logic Layer
• Change the web application from one language to another (e.g. from Python to
PHP). Objective: confuse the attacker and increase the complexity of the attack,
since the different structure of each language requires fingerprinting to
determine the language in use
• Prevent in-memory attacks (at the lowest language level – assembly)
• Storage Layer
• The main attack here is SQL injection, which requires fingerprinting to identify
the SQL database.
• Strategy: jump between two databases with different SQL dialects, and also
apply proper sanitization of both input and output.
• Presentation Layer
• Objective: avoid direct threats in the presentation layer such as Cross-Site
Scripting (XSS).
• Mechanism: generate random tokens to add complexity for the adversary
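The storage-layer strategy above (rotate between databases with different query dialects, and sanitize input and output regardless of which one is active) is easier to see in code. The following is an added example, not code from the paper or its MTD Tool: it puts one data-access interface over two backends whose query languages differ, with sqlite3 standing in for the SQL database and an in-memory document store standing in for MongoDB. The table layout, sample users and username allow-list are constructed assumptions.

```python
"""Storage-layer diversification with shared sanitation (added example).
The application calls only UserRepository; the MTD tool swaps `active`.
sqlite3 stands in for the SQL backend, a list of dicts for the document backend."""
import re
import sqlite3

# Allow-list for usernames (assumption): validation is done once, before any
# backend sees the value, so the same rule protects every dialect.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")

# Constructed sample data (assumption), loaded identically into both backends.
SAMPLE_USERS = [
    {"id": 1, "username": "alice", "role": "admin"},
    {"id": 2, "username": "bob", "role": "user"},
]


def validate_username(value):
    """Input sanitation: reject anything outside the strict allow-list."""
    if not isinstance(value, str) or not USERNAME_RE.match(value):
        raise ValueError("invalid username")
    return value


class SqlBackend:
    """SQL dialect: the query is parameterised, never built by concatenation."""
    name = "sql"

    def __init__(self, rows):
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute(
            "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, role TEXT)")
        self.conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                              [(r["id"], r["username"], r["role"]) for r in rows])

    def find_user(self, username):
        row = self.conn.execute(
            "SELECT id, username, role FROM users WHERE username = ?", (username,)).fetchone()
        return None if row is None else {"id": row[0], "username": row[1], "role": row[2]}


class DocumentBackend:
    """Document dialect: a pymongo-style filter dict instead of SQL text."""
    name = "document"

    def __init__(self, rows):
        self.docs = [dict(r) for r in rows]

    def find_one(self, query):
        for doc in self.docs:
            if all(doc.get(k) == v for k, v in query.items()):
                return dict(doc)
        return None

    def find_user(self, username):
        return self.find_one({"username": username})


class UserRepository:
    """Single interface the application talks to; `rotate` is what the MTD tool calls."""

    def __init__(self, backends):
        self.backends = list(backends)
        self.active = 0

    def rotate(self):
        self.active = (self.active + 1) % len(self.backends)
        return self.backends[self.active].name

    def find_user(self, username):
        safe = validate_username(username)          # input sanitation
        doc = self.backends[self.active].find_user(safe)
        if doc is None:
            return None
        # Output sanitation: only allow-listed fields leave the storage layer.
        return {"username": doc["username"], "role": doc["role"]}


def lookup_is_rejected(repo, value):
    """True when the repository refuses the input before touching any backend."""
    try:
        repo.find_user(value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    repo = UserRepository([SqlBackend(SAMPLE_USERS), DocumentBackend(SAMPLE_USERS)])
    print(repo.find_user("alice"))          # served by the SQL backend
    print(repo.rotate(), repo.find_user("alice"))  # same answer after the swap
    print(lookup_is_rejected(repo, "alice' OR 1=1 --"))
```

The point of the shape is that a dialect swap changes only the backend object; the validation and the field allow-list sit above both, so the rotation never weakens the sanitation the slide calls for.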
Problem Statements
Static Web Deception
If adversaries successfully attack the main web application instead of the deception, the
defender has no option left to counter them.
Limited Diversification
• Proactive MTD can be achieved by redirecting incoming web traffic to a nonstandard web
port and rotating the active web server that serves the incoming traffic¹.
• This rotation of the web application, based only on port rotation, can be enhanced by
adding more diversification layers: logical and storage
1. M. Thompson, et al. "Dynamic Application Rotation Environment for Moving Target Defense." Resilience Week (RWS), 2016. IEEE, 2016.
Related Works
• Moving deception towards MTD at the higher network level¹
• Within the Deception Network model, an MTD is proposed based on entire network
enclaves as well as host attributes, characteristics and files. Rather than using the
second network to contain the threat, it is used to hide the defender.
• Dynamic Application Rotation Environment for Moving Target Defense (DARE
MTD)²
• A proactive MTD that redirects incoming web traffic to a nonstandard web port and
rotates the active web server that will serve the incoming traffic.
• It succeeded in achieving its goals of increasing uncertainty and resilience.
• Proposal of a complete MTD for web applications with multiple diversifications³
• Proposed a complete MTD for the web application with diversification in four layers:
logical, storage, presentation and browser.
• Implemented logical-layer diversification by creating a translator from Python to PHP
• Implemented storage diversification by translating between the dialects of MySQL and
PostgreSQL
1. V. E. Urias, et al., “Computer network deception as a Moving Target Defense,” Proc. - Int. Carnahan Conf. Secur. Technol., vol. 2015–Janua, 2016.
2. M. Thompson, et al. "Dynamic Application Rotation Environment for Moving Target Defense." Resilience Week (RWS), 2016. IEEE, 2016.
3. M. Taguinod, et al., “Toward a Moving Target Defense for Web Applications,” Proc. - 2015 IEEE 16th Int. Conf. Inf. Reuse Integr. IRI 2015, 2015.
Our Proposal
Approach, Implementation and Evaluation
Approach: Combining Web Deception and MTD
• Deception Environment
• Provides a fake implementation with a look and feel similar to the real system in order
to attract the adversary
• The environment is built to resemble one of the MTD implementations
• Multi-Layer MTD Implementation in the Real System
• Dynamic configuration routes traffic to one of two web servers (only one is up at a
time), switching every 30 seconds¹
• Each web server is set up with two web sites, each with a different application
environment (diversity in the logical layer). This is an alternative to the source-code
diversity suggested by Taguinod et al., and it resolves the static application
implementation in DARE by Thompson et al.
• Two database applications are provided dynamically, of which only one is up at a time
(rotated dynamically), and the active application is connected to it. This is a novel
MTD approach proposed in our implementation.
MTD Tool
We developed a small application, the MTD Tool, which makes sure that the MTD
happens in each layer
1. M. Thompson, et al. "Dynamic Application Rotation Environment for Moving Target Defense." Resilience Week (RWS), 2016. IEEE, 2016.
MTD Tool Operation Algorithm
MTD Tool operation loop (flowchart):
1. MTD Tool starts
2. Wait for 30 seconds
3. Reconfigure the director to direct traffic to the next active server
4. Reconfigure the next active server to use the next active database
5. Stop the active server and database and start the next active ones, then repeat from step 2
Results
Mitigate known/unknown vulnerabilities by reducing the amount of time the active platform
is exposed
Final Outcomes
1. Increase uncertainty for the attackers
2. Increase defensive system resilience by reducing the downtime
Measurement:
1. How much did we succeed in reducing the likelihood of exploit?
2. How far has the impact of a successful exploit been reduced?
3. Do we still maintain application availability?
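To make the loop on this slide concrete, here is an added example in Python; it is not the authors' MTD Tool, which the slides do not publish. The server names, the mapping of ports 81, 82 and 8080 to server types, the two database names, the pre-flight health check before the director is repointed (added to speak to measurement 3, availability) and the scan-window model in `ports_visible_to_scan` are all assumptions of this example; the 30-second period and the order of the reconfiguration steps follow the slide.

```python
"""Multi-layer MTD rotation loop modelled on the MTD Tool algorithm:
wait, repoint the director at the next server, bind that server to the
next database, stop the active pair and start the next one.
Added example; the MTD Tool itself is not published on the slides."""
import math
import time
from dataclasses import dataclass

# Constructed inventory (assumption): three web servers on the slides' MTD
# ports and the two database backends of the stack. Only the director is
# reachable from outside.
WEB_SERVERS = (
    {"name": "iis-aspnet", "port": 81},
    {"name": "iis-php", "port": 82},
    {"name": "apache-php", "port": 8080},
)
DATABASES = ("mariadb", "mongodb")
ROTATION_PERIOD = 30  # seconds, as on the slides


@dataclass(frozen=True)
class Platform:
    """The (server, database) pair that is up and serving traffic."""
    server: str
    port: int
    database: str


class MtdRotator:
    def __init__(self, servers=WEB_SERVERS, databases=DATABASES,
                 period=ROTATION_PERIOD, healthy=None):
        self.servers = list(servers)
        self.databases = list(databases)
        self.period = period
        # Pre-flight check (assumption, not on the slides): the director is only
        # repointed when the next pair reports ready, so a failed backend does
        # not take the site down.
        self.healthy = healthy if healthy is not None else (lambda platform: True)
        self._srv = 0
        self._db = 0
        first = self.servers[0]
        self.active = Platform(first["name"], first["port"], self.databases[0])
        self.director_target = self.active.port
        self.log = []  # every reconfiguration step, for auditing

    def next_platform(self):
        """Servers and databases advance on independent round-robin cycles, so
        the same pair recurs only every lcm(len(servers), len(databases)) moves."""
        s = self.servers[(self._srv + 1) % len(self.servers)]
        d = self.databases[(self._db + 1) % len(self.databases)]
        return Platform(s["name"], s["port"], d)

    def rotate(self):
        """One pass of the loop body (steps 3-5); returns the actions performed."""
        nxt = self.next_platform()
        if not self.healthy(nxt):
            actions = [("skip", nxt.server, nxt.database)]
            self.log.extend(actions)
            return actions
        actions = [
            ("reconfigure_director", nxt.port),                    # step 3
            ("reconfigure_server_db", nxt.server, nxt.database),   # step 4
            ("stop", self.active.server, self.active.database),    # step 5
            ("start", nxt.server, nxt.database),
        ]
        self._srv = (self._srv + 1) % len(self.servers)
        self._db = (self._db + 1) % len(self.databases)
        self.active = nxt
        self.director_target = nxt.port
        self.log.extend(actions)
        return actions

    def run(self, cycles, sleep=time.sleep):
        """The tool's main loop; `sleep` is injectable so a test need not wait 30 s."""
        for _ in range(cycles):
            sleep(self.period)  # step 2
            self.rotate()
        return self.active


def ports_visible_to_scan(servers, start_index, period, offset, duration):
    """Ports a scanner running for `duration` seconds would observe if it starts
    `offset` seconds into the current period with servers[start_index] active.
    Models why a scan that straddles rotations sees more than one platform."""
    periods_touched = math.ceil((offset + duration) / period)
    n = len(servers)
    return {servers[(start_index + i) % n]["port"] for i in range(periods_touched)}


if __name__ == "__main__":
    rotator = MtdRotator()
    rotator.run(3, sleep=lambda s: None)  # skip the real 30 s waits for the demo
    for action in rotator.log:
        print(action)
    print("100 s scan sees ports:", ports_visible_to_scan(WEB_SERVERS, 0, 30, 0, 100))
```

Because the server and database cycles have lengths 3 and 2, the pair an attacker fingerprints recurs only every six moves, which is the multi-layer effect the approach slide describes; the `healthy` hook is where a production tool would verify the next pair before the director is switched.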
Implementation
Implementation diagram (figure, labels only): Attackers; Web Deception (IIS/ASP.NET, port 83); Database (MySQL); MTDTool
MTD Stack
1. PHP, which is set up on both IIS and Apache, will confuse the attackers about the real
identity of the running host server
2. MariaDB may be exposed to an SQL injection vector. This will confuse the attacker when
the reconnaissance result does not fit the actual active database, MongoDB
Performance Evaluation – Web Deception
• Web Deception Fingerprinting and Vulnerability Scan
• Fingerprinting with Nmap lets adversaries find that two ports are open on the server: 83
and 80, where the former is the deception while the latter is only a director (no
application runs on it) in front of the real applications under MTD.
• A vulnerability penetration test with Acunetix reports two high-severity and five
medium-severity vulnerabilities; we expect this information to attract the attacker to
exploit further (the objective of the deception). Furthermore, this attacker behaviour
can be used for further investigation.
Severity          High   Medium   Low
Vulnerabilities   2      5        N/A
Performance Evaluation – Individual Sites (Non MTD)
• Individual Primary Web Application Fingerprinting
• For simplicity, the director (port 80) is directed to port 81 (IIS with ASP.NET), which
runs on top of a MySQL database, and each individual application connects to MySQL
Findings:
1. Nmap cannot fingerprint MongoDB
2. Expectation: when MTD runs, each of the applications should be fingerprinted fairly,
i.e. about 33% each. However, we cannot expect this for the database.
Performance Evaluation – Individual Sites (Non MTD)
• Individual Primary Web Application Vulnerability Scans
• For simplicity, the director (port 80) is directed to port 81 (IIS with ASP.NET), which
runs on top of a MySQL database, and each individual application connects to MySQL
• Vulnerability scan results using Acunetix:
Port                    80   81   82   8080
SQL Injection Related   2    2    0    0
IIS Related             0    1    1    0
Cross Site Scripting    0    0    3    3
Medium Severity         7    7    8    9
Low Severity            3    3    3    3
High Risk Alert Level 3 – Vulnerabilities categorized as the most dangerous, which put the scan target at maximum risk for hacking and data theft.
Medium Risk Alert Level 2 – Vulnerabilities caused by server misconfiguration and site-coding flaws, which facilitate server disruption and intrusion.
Low Risk Alert Level 1 – Vulnerabilities derived from lack of encryption of data traffic or directory path disclosures.
https://www.acunetix.com/support/docs/wvs/analyzing-scan-results/
Performance Evaluation – MTD Fingerprinting
• Fingerprinting was performed against port 80 while the MTDTool was running (the system
is in the MTD state). The fingerprinting tool is Nmap, over 10 trials:
Trial   Time (secs)   Port (81 / 82 / 8080)   MySQL
1       202.41        1                       0
2       54.77         1                       0
3       100.15        1                       0
4       46.32         1                       1
5       61.9          1                       0
6       204.1         1                       1
7       202.09        1                       0
8       203.22        1                       1
9       198.67        1                       0
10      202.67        1                       0
Findings:
1. The fingerprinting scan took more time than normal, with an average of 147.63 seconds
Performance Evaluation – MTD Vulnerability Scan
The result of the vulnerability scan against port 80 (the MTD director) after the MTD is
started is as follows: no high-severity vulnerabilities were detected among an average of
42.33 vulnerabilities discovered. The remaining lower-severity vulnerabilities are:
21.67 medium, 5.2 low and 15.5 informational.
Trial   Time (secs)   Total   High   Medium   Low   Informational
1       375           13      0      7        3     3
2       136           12      0      2        4     6
3       146           13      0      2        4     7
4       49            19      0      13       3     3
5       47            13      0      6        3     4
6       885           184     0      100      14    70
Avg     273           42.33   0      21.67    5.2   15.5
Future Works and Conclusions
• The first step in improving the previous MTD implementation by Thompson et al. (DARE
MTD) has been implemented in this paper, and it has shown that the running MTD gave
promising results on the fingerprint and vulnerability scans.
• Further improvements are required to make the MTD implementation robust and ready
for production use:
• High availability for one complete stateful application across the MTD servers
• Database synchronization between the MTD database servers
• The application-level implementation, which is easier to achieve from an implementation
point of view (although it requires more resources), can be enhanced to make the
adversary's reconnaissance process more complex by switching the language at a lower
level (automatically, using a language-conversion engine to assist the MTD)
Conclusions
1. Proposed a novel approach to enhance DARE MTD and provided an alternative to logical
and database diversity with a working MTD that utilizes multiple web servers, web
application languages and databases
2. It is proven that the implementation has increased the complexity of fingerprinting and
vulnerability scans: only 2 of the 3 MTD ports and 1 database could be fingerprinted
3. The MTD also proved to “remove” the high-severity vulnerabilities.
References
[1] M. Taguinod, A. Doupé, Z. Zhao, and G. J. Ahn, “Toward a Moving Target Defense for Web Applications,” Proc. 2015 IEEE 16th Int. Conf. Inf. Reuse Integr. (IRI 2015), pp. 510–517, 2015.
[2] A. Doupé, L. Cavedon, C. Kruegel, and G. Vigna, “Enemy of the State: A State-Aware Black-Box Vulnerability Scanner,” 2012.
[3] A. Doupé, W. Cui, M. H. Jakubowski, M. Peinado, C. Kruegel, and G. Vigna, “deDacota: Toward Preventing Server-side XSS via Automatic Code and Data Separation,” in Proc. 2013 ACM SIGSAC Conf. Computer & Communications Security, 2013, pp. 1205–1216.
[4] D. Evans, A. Nguyen-Tuong, and J. Knight, “Effectiveness of Moving Target Defenses,” in Moving Target Defense: Creating Asymmetric Uncertainty for Cyber Threats, S. Jajodia, A. K. Ghosh, V. Swarup, C. Wang, and X. S. Wang, Eds. New York, NY: Springer, 2011, pp. 29–48.
[5] C. De Faveri and A. Moreira, “A SPL Framework for Adaptive Deception-based Defense,” vol. 9, pp. 5542–5551, 2018.
[6] V. E. Urias, W. M. S. Stout, and C. Loverro, “Computer network deception as a Moving Target Defense,” Proc. Int. Carnahan Conf. Secur. Technol., vol. 2015-January, 2016.
[7] X. Li and Y. Xue, “A survey on server-side approaches to securing web applications,” ACM Comput. Surv., vol. 46, no. 4, pp. 1–29, 2014.
[8] X. Han, N. Kheir, and D. Balzarotti, “Evaluation of Deception-Based Web Attacks Detection,” Proc. 2017 Workshop on Moving Target Defense (MTD ’17), pp. 65–73, 2017.
[9] S. Jajodia, A. Ghosh, V. Swarup, C. Wang, and X. Wang, Moving Target Defense. Springer, 2011.
[10] J. H. Jafarian, E. Al-Shaer, and Q. Duan, “OpenFlow random host mutation: transparent moving target defense using software defined networking,” in Proc. First Workshop on Hot Topics in Software Defined Networks, ACM, 2012.
[11] D. Evans, A. Nguyen-Tuong, and J. Knight, Effectiveness of Moving Target Defenses. Springer, 2011, pp. 29–48.
[12] R. Zhuang, S. Zhang, S. A. DeLoach, X. Ou, and A. Singhal, “Simulation-based Approaches to Studying Effectiveness of Moving-Target Network Defense,” in National Symposium on Moving Target Research, June 2012.
[13] M. Almeshekah, M. Atallah, and E. Spafford, “The case of using negative (deceiving) information in data protection,” in Proc. CERIAS ’14, 15th Annual Information Security Symposium, Article no. 45, 2014.
[14] M. Thompson, et al., “Dynamic Application Rotation Environment for Moving Target Defense,” in Resilience Week (RWS), IEEE, 2016.
Thank you!
Question? E-mail to:
Basirudin Djamaluddin
Ahmed Alnazeer
Farag Azzedin
g201601060@kfupm.edu.sa
g201406320@kfupm.edu.sa
fazzedin@kfupm.edu.sa

Deception towards Moving Target Defense

  • 1.
    kfupm.edu.sa Web Deception towardsMoving Target Defense Basirudin Djamaluddin Ahmed Alnazeer Farag Azzedin 52nd Annual IEEE Carnahan Conference on Security Technology – Montreal October 22-25, 2018 25-October-2018
  • 2.
    Web Application AndIts Risks King Fahd University of Petroleum & Minerals kfupm.edu.sa2 • Web Application Risks1: • Publically exposed which may contained with sensitive information – attractive for adversaries • It may contain vulnerabilities which make them vulnerable from cyber-security threats. • Known Techniques To Overcome Cyber-Security Threats • Mechanism to expose the vulnerabilities before the adversaries expose it: • Black-box by doing vulnerability scan and analyzing the output2 • White-box by analyzing the source code (static) and rewrites the code in binary level3 • Securely develop the application itself, analysis/testing and runtime protection4, i.e. following the requirement from Open Web Application Security Project (OWASP)5 10/28/2018 – 52nd Annual IEEE Carnahan Conference on Security Technology – Montreal October 22-25, 2018 1. M. Taguinod, et al., “Toward a Moving Target Defense for Web Applications,” Proc. - 2015 IEEE 16th Int. Conf. Inf. Reuse Integr. IRI 2015, 2015. 2. A. Doupé, et al, “Enemy of the State: A State-Aware Black-Box Vulnerability Scanner.” 2012. 3. A. Doupé, et al, “deDacota: Toward Preventing Server-side XSS via Automatic Code and Data Separation,” 2013 4. X. Li and Y. Xue, “A survey on server-side approaches to securing web applications,” ACM Comput. Surv., vol. 46, no. 4, pp. 1–29, 2014. 5. https://www.owasp.org/index.php/Main_Page
  • 3.
    Web Application AndIts Risks (cont.) King Fahd University of Petroleum & Minerals kfupm.edu.sa3 • Challenges: • The static analysis, however, is not suitable for long running defense strategy where the adversaries can observe and try to get insight of the web application to find new vulnerabilities or defeat the detection mechanism and then launch new attack through the identified possible new attack vectors1,2 • The weakness of modern tools as advanced security techniques is there, in which these tools work reactionary and as the result it may lost to get the information of what the objective behind the attack of the adversaries3 Static analysis and reactionary defend system to cyber-attacks cannot totally overcome the issue, in fact – it may add complexity to the defender without giving such of expected positive results at the end. A proactive implementation by enhancing the flexibility and make the attack surface more dynamic will move the complexity to the attackers. 10/28/2018 – 52nd Annual IEEE Carnahan Conference on Security Technology – Montreal October 22-25, 2018 1. M. Taguinod, et al., “Toward a Moving Target Defense for Web Applications,” Proc. - 2015 IEEE 16th Int. Conf. Inf. Reuse Integr. IRI 2015, 2015. 2. D. Evans, et al., “Effectiveness of Moving Target Defenses,” in Moving Target Defense: Creating Asymmetric Uncertainty for Cyber Threats, 2011 3. V. E. Urias, et a., “Computer network deception as a Moving Target Defense,” Proc. - Int. Carnahan Conf. Secur. Technol., vol. 2015–Janua, 2016.
  • 4.
    Proactive and DynamicDefense Approach – Deception King Fahd University of Petroleum & Minerals kfupm.edu.sa4 • Known techniques have limitations which cannot provide a comprehensive solution against Internet threats and have driven research on overcoming the attacks at very beginning and warn the users1 • Deception technique is one of the cyber-security defender solution to overcome aforementioned limitations which recently have attracted security researchers1,2. • Deception is a technique that work by creating fake target to deceive attacker like honeypots which is designed to lure the attacker where its value is already compromised, built and configured to look vulnerable in the perception of adversaries, although if it is being attacked it will not cause any loss to the main system3 10/28/2018 – 52nd Annual IEEE Carnahan Conference on Security Technology – Montreal October 22-25, 2018 1. X. Han, et al., “Evaluation of Deception-Based Web Attacks Detection,” Proc. 2017 Work. Mov. Target Def. - MTD ’17, pp. 65–73, 2017. 2. M. Almeshekah, et al., “The case of using negative (deceiving) information in data protection,”, 2014. 3. C. De Faveri and A. Moreira, “A SPL Framework for Adaptive Deception-based Defense,” vol. 9, pp. 5542–5551, 2018. Weakness: it has only limit to the view of the attacks that hit it, there is no way to make the honeypots as the main system if the main system is attacked. In the other side, if the attackers keep attacking the honeypots, the defenders can use it as a countermeasure to the attackers1
  • 5.
    Proactive and DynamicDefense Approach – Moving Target Defense (MTD) King Fahd University of Petroleum & Minerals kfupm.edu.sa5 • Increase the complexity of cyber-attacks (for the adversaries) by making the system less homogeneous, less static and less deterministic which can make the attack surface more dynamic • Example: • In network, by changing network topology (i.e. random port numbers, extra open or close ports or even fake listening port. • In application, by changing the application environment, application type and version and last one is routing them through different hosts. By applying MTD, protection level is increased and reduced the asymmetric advantage that the attacker has. 10/28/2018 – 52nd Annual IEEE Carnahan Conference on Security Technology – Montreal October 22-25, 2018
  • 6.
    MTD in WebApplication1 King Fahd University of Petroleum & Minerals kfupm.edu.sa6 • Two Important factors for MTD implementation to web application: • When-to-move? • What-to-move? • What will be the possible targets that the adversaries will attack? With this information the requirements can be divided into 4 specific layers: • Logic Layer • Storage Layer • Presentation Layer • Browsers 10/28/2018 – 52nd Annual IEEE Carnahan Conference on Security Technology – Montreal October 22-25, 2018 1. M. Taguinod, et al., “Toward a Moving Target Defense for Web Applications,” Proc. - 2015 IEEE 16th Int. Conf. Inf. Reuse Integr. IRI 2015, pp. 510–517
  • 7.
    MTD in WebApplication (cont.) King Fahd University of Petroleum & Minerals kfupm.edu.sa7 • What-to-move – Web application layers for MTD: • Logic Layer • Change the web application by changing from one to another (i.e. from Python to PHP), objective: confuse the attacker and increase the complexity of attack in term of different structure of the language which requires fingerprinting to know the language • Prevent in the memory attack (lowest language – assembly) • Storage Layer • Mainly, the attack will be SQL injection attack which requires fingerprinting to know the SQL database. • Strategy: jump between two databases which has different SQL statements. Also to apply proper sanitation both in input and output. • Presentation Layer • Objective: Avoid direct threat in presentation layers such as Cross-Site Scripting (XSS). • Mechanism: generate random token to add complexity for the adversaries 10/28/2018 – 52nd Annual IEEE Carnahan Conference on Security Technology – Montreal October 22-25, 2018
  • 8.
    Problem Statements King FahdUniversity of Petroleum & Minerals kfupm.edu.sa8 Static Web Deception If adversaries successfully attack the main web application instead of the deception then defender doesn’t have any option to countermeasure the adversaries Limited Diversification • Proactive MTD can be achieved by applying redirection incoming web traffic to nonstandard web port and rotating the active web server that serve the incoming traffic1. • This rotation of web application only based on the port rotation can be enhanced by adding more diversification layers: logical and storage 10/28/2018 – 52nd Annual IEEE Carnahan Conference on Security Technology – Montreal October 22-25, 2018 1. M. Thompson, et al. "Dynamic Application Rotation Environment for Moving Target Defense." Resilience Week (RWS), 2016. IEEE, 2016.
  • 9.
    Related Works King FahdUniversity of Petroleum & Minerals kfupm.edu.sa9 • The movement of deception towards MTD on higher-network level1 • Within the Deception Network model, it is proposed an MTD based on entire network enclaves as well as host attributes, characteristics and files. Rather than using the second network to contain the threat, it is used to hide the defender. • Dynamic Application Rotation Environment for Moving Target Defense (DARE MTD)2 • A proactive MTD by applying redirection on incoming web traffic to nonstandard web port and rotating the active web server that will server the incoming traffic. • It succeed to achieve the goals of: increasing uncertainty and resilience. • Proposal of complete MTD in web application with multi diversifications3 • Proposed complete MTD in the web application with diversification in four layers: logical, storage, presentation and browser. • Implemented logical layer diversification by creating translator for Python to PHP • Implemented storage diversification by translating the dialect of MySQL and PostgreSQL 10/28/2018 – 52nd Annual IEEE Carnahan Conference on Security Technology – Montreal October 22-25, 2018 1. V. E. Urias, et al., “Computer network deception as a Moving Target Defense,” Proc. - Int. Carnahan Conf. Secur. Technol., vol. 2015–Janua, 2016. 2. M. Thompson, et al. "Dynamic Application Rotation Environment for Moving Target Defense." Resilience Week (RWS), 2016. IEEE, 2016. 3. M. Taguinod, et al., “Toward a Moving Target Defense for Web Applications,” Proc. - 2015 IEEE 16th Int. Conf. Inf. Reuse Integr. IRI 2015, 2015.
  • 10.
    Our Proposal Approach, Implementationand Evaluation 10 King Fahd University of Petroleum & Minerals kfupm.edu.sa10/28/2018 – 52nd Annual IEEE Carnahan Conference on Security Technology – Montreal October 22-25, 2018
  • 11.
    Approach: Combining WebDeception and MTD King Fahd University of Petroleum & Minerals kfupm.edu.sa11 • Deception Environment • Provides fake implementation with the look and feel similar to the real system to attract the adversary • The environment is built close to one of the MTD implementation • Multi Layer MTD Implementations in Real System • Dynamic configuration to route to one of two web servers (only one is up at a time) every 30 seconds1 • Each web server setup with two web sites each with different application environments (diversity in the logical layer). This is as alternative of source code diversity as suggested by Taguinod et al. This will resolve static application implementation in DARE by Thompson et al. • Dynamically provide two database applications which will only one will be up (rotated dynamically) on which the active application will be connected to. This is a novice MTD approached proposed in our implementation. MTD Tool We developed a small application as an MTD Tool which will make sure that the MDT happens in each layers 10/28/2018 – 52nd Annual IEEE Carnahan Conference on Security Technology – Montreal October 22-25, 2018 1. M. Thompson, et al. "Dynamic Application Rotation Environment for Moving Target Defense." Resilience Week (RWS), 2016. IEEE, 2016.
  • 12.
MTD Tool Operation Algorithm
• MTD Tool starts, then loops every 30 seconds:
  1. Wait for 30 seconds
  2. Reconfigure the director to direct to the next active server
  3. Reconfigure the next active server to the next active database
  4. Stop the active server and database and start the next active ones
• Results: mitigate known/unknown vulnerabilities by reducing the amount of time the active platform is exposed
• Final outcomes:
  1. Increase uncertainty for the attackers
  2. Increase defensive system resilience by reducing the down time
• Measurement:
  1. How much did we reduce the likelihood of an exploit?
  2. How far was the impact of a successful exploit reduced?
  3. Do we still maintain application availability?
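As an added example (not the authors' MTD Tool), the following Python models the rotation loop above with a constructed stack of three platforms and works out which platforms a scan of a given length can reach; the ports and databases are the ones named on the slides, but which database sits behind which port is an assumption.

```python
# Added example: constructed model of the MTD Tool loop (not the authors' code).
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Platform:
    port: int   # backend web-server port behind the director (81, 82, 8080 on the slides)
    db: str     # database the server is pointed at before it is started (pairing assumed)

@dataclass
class MtdController:
    platforms: list
    period: int = 30          # rotation interval in seconds, as on the slides
    active: int = 0           # index of the platform the director currently points at
    log: list = field(default_factory=list)

    def rotate(self):
        """One iteration of the loop, in the order given on the slide."""
        nxt = (self.active + 1) % len(self.platforms)
        cur, new = self.platforms[self.active], self.platforms[nxt]
        self.log.append(f"director -> :{new.port}")          # reconfigure director
        self.log.append(f"server :{new.port} -> {new.db}")   # point next server at next DB
        self.log.append(f"stop :{cur.port} ({cur.db})")      # stop active server and DB
        self.log.append(f"start :{new.port} ({new.db})")     # start the next ones
        self.active = nxt
        return new

    def active_at(self, t):
        """Platform behind the director t seconds after start (index 0 at t=0)."""
        return self.platforms[(t // self.period) % len(self.platforms)]

def observed(ctl, start, duration):
    """Ports and databases a probe running once per second for `duration` seconds,
    starting at `start`, would encounter. A scan shorter than two periods can
    touch at most two platforms, which matches the partial fingerprints on the
    MTD fingerprinting slide."""
    seen = [ctl.active_at(t) for t in range(start, start + duration)]
    return {p.port for p in seen}, {p.db for p in seen}

# Constructed stack: three backend ports and three databases from the slides;
# the port-to-database pairing is an assumption.
STACK = [Platform(81, "MySQL"), Platform(82, "MariaDB"), Platform(8080, "MongoDB")]

if __name__ == "__main__":
    ctl = MtdController(STACK)
    for _ in range(3):
        ctl.rotate()
    print("\n".join(ctl.log))
    print(observed(MtdController(STACK), 0, 46))   # a 46 s scan sees two ports only
```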
  • 13.
Implementation
Implementation diagram (figure): Attackers; Web Deception (IIS/ASP.NET, port 83) with Database (MySQL); MTD Tool.
  • 14.
MTD Stack
1. PHP, which is set up on both IIS and Apache, will confuse the attackers about the real identity of the running host server
2. MariaDB may be exposed to SQL injection vectors. This will confuse the attackers when the reconnaissance result does not fit the actual active database, MongoDB
  • 15.
Performance Evaluation – Web Deception
• Web Deception Fingerprinting and Vulnerability Scan
  • Fingerprinting with Nmap shows adversaries two open ports on the server: 83 and 80, where the former is the deception and the latter is only a director (no application runs on it) for the real applications under MTD.
  • A vulnerability penetration test with Acunetix gives two high-severity vulnerabilities and five medium ones; we expect this information to attract the attacker to exploit further (the objective of the deception). Furthermore, this attacker behaviour can be used for further investigation.
Severity         High  Medium  Low
Vulnerabilities  2     5       N/A
  • 16.
Performance Evaluation – Individual Sites (Non-MTD)
• Individual Primary Web Application Fingerprinting
  • For simplicity, the director (port 80) is directed to port 81 (IIS with ASP.NET), which runs on top of a MySQL database, and each individual application connects to MySQL
• Findings:
  1. Nmap cannot fingerprint MongoDB
  2. Expectation: when MTD runs, each application should be fingerprinted fairly, 33% of the time. However, we cannot expect this for the database.
  • 17.
Performance Evaluation – Individual Sites (Non-MTD)
• Individual Primary Web Application Vulnerability Scans
  • For simplicity, the director (port 80) is directed to port 81 (IIS with ASP.NET), which runs on top of a MySQL database, and each individual application connects to MySQL
  • Vulnerability scan result using Acunetix:
Port                   80  81  82  8080
SQL Injection Related   2   2   0     0
IIS Related             0   1   1     0
Cross Site Scripting    0   0   3     3
Medium Severity         7   7   8     9
Low Severity            3   3   3     3
Acunetix alert levels:
• High Risk Alert Level 3 – Vulnerabilities categorized as the most dangerous, which put the scan target at maximum risk for hacking and data theft.
• Medium Risk Alert Level 2 – Vulnerabilities caused by server misconfiguration and site-coding flaws, which facilitate server disruption and intrusion.
• Low Risk Alert Level 1 – Vulnerabilities derived from lack of encryption of data traffic or directory path disclosures.
https://www.acunetix.com/support/docs/wvs/analyzing-scan-results/
  • 18.
Performance Evaluation – MTD Fingerprinting
• Fingerprinting was done against port 80 while the MTD Tool was running (system in MTD state). The fingerprinting tool is Nmap, over 10 trials:
Trial  Time (s)  Fingerprint flags as extracted (columns: Port 81, 82, 8080, MySQL)
1      202.41    1 0
2       54.77    1 0
3      100.15    1 0
4       46.32    1 1
5       61.9     1 0
6      204.1     1 1
7      202.09    1 0
8      203.22    1 1
9      198.67    1 0
10     202.67    1 0
• Findings:
  1. The fingerprinting scan took more time than normal, with an average of 147.63 seconds
  • 19.
Performance Evaluation – MTD Vulnerability Scan
The result of the vulnerability scan against port 80 (the MTD director) after the MTD was started is as follows: no high-severity vulnerabilities were detected among the average of 42.33 vulnerabilities discovered. The remaining lower-severity vulnerabilities are: 21.67 medium, 5.2 low and 15.5 informational.
Trial  Time (s)  Total  High  Medium  Low  Informational
1      375        13    0       7     3     3
2      136        12    0       2     4     6
3      146        13    0       2     4     7
4       49        19    0      13     3     3
5       47        13    0       6     3     4
6      885       184    0     100    14    70
Avg    273     42.33    0   21.67   5.2  15.5
  • 20.
Future Works and Conclusions
• The first step to improve the previous MTD implementation by Thompson et al. (DARE MTD) has been implemented in this paper, and it has proved that the running MTD gives promising results on the fingerprint and vulnerability scans.
• Further improvements are required to make the MTD implementation robust and ready for production use:
  • High availability for one complete stateful application across the MTD servers
  • Database synchronization between the MTD database servers
  • The application-level implementation, which is easier to achieve from an implementation point of view (although it requires more resources), can be enhanced to make the adversaries' reconnaissance process more complex by switching the language at a lower level (automatically, with a language conversion engine assisting the MTD)
Conclusions
1. Proposed a novel approach to enhance DARE MTD and provided an alternative to logical and database diversity with a working MTD that utilizes multiple web servers, web application languages and databases
2. It is proven that the implementation increased the complexity of the fingerprint and vulnerability scans: only 2 of 3 MTD ports and 1 database could be fingerprinted
3. The MTD also proved to “remove” the high-severity vulnerabilities.
  • 21.
References
[1] M. Taguinod, A. Doupé, Z. Zhao, and G. J. Ahn, “Toward a Moving Target Defense for Web Applications,” Proc. - 2015 IEEE 16th Int. Conf. Inf. Reuse Integr. IRI 2015, pp. 510–517, 2015.
[2] A. Doupé, L. Cavedon, C. Kruegel, and G. Vigna, “Enemy of the State: A State-Aware Black-Box Vulnerability Scanner,” 2012.
[3] A. Doupé, W. Cui, M. H. Jakubowski, M. Peinado, C. Kruegel, and G. Vigna, “deDacota: Toward Preventing Server-side XSS via Automatic Code and Data Separation,” in Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, 2013, pp. 1205–1216.
[4] D. Evans, A. Nguyen-Tuong, and J. Knight, “Effectiveness of Moving Target Defenses,” in Moving Target Defense: Creating Asymmetric Uncertainty for Cyber Threats, S. Jajodia, A. K. Ghosh, V. Swarup, C. Wang, and X. S. Wang, Eds. New York, NY: Springer New York, 2011, pp. 29–48.
[5] C. De Faveri and A. Moreira, “A SPL Framework for Adaptive Deception-based Defense,” vol. 9, pp. 5542–5551, 2018.
[6] V. E. Urias, W. M. S. Stout, and C. Loverro, “Computer network deception as a Moving Target Defense,” Proc. - Int. Carnahan Conf. Secur. Technol., vol. 2015–Janua, 2016.
[7] X. Li and Y. Xue, “A survey on server-side approaches to securing web applications,” ACM Comput. Surv., vol. 46, no. 4, pp. 1–29, 2014.
[8] X. Han, N. Kheir, and D. Balzarotti, “Evaluation of Deception-Based Web Attacks Detection,” Proc. 2017 Work. Mov. Target Def. - MTD ’17, pp. 65–73, 2017.
[9] S. Jajodia, A. Ghosh, V. Swarup, C. Wang, and X. Wang, Moving Target Defense. Springer, 2011.
[10] J. H. Jafarian, E. Al-Shaer, and Q. Duan, “OpenFlow random host mutation: transparent moving target defense using software defined networking,” in Proceedings of the First Workshop on Hot Topics in Software Defined Networks. ACM, 2012.
  • 22.
References
[11] D. Evans, A. Nguyen-Tuong, and J. Knight, Effectiveness of Moving Target Defenses. Springer, 2011, pp. 29–48.
[12] R. Zhuang, S. Zhang, S. A. DeLoach, X. Ou, and A. Singhal, “Simulation-based Approaches to Studying Effectiveness of Moving-Target Network Defense,” in National Symposium on Moving Target Research, June 2012.
[13] M. Almeshekah, M. Atallah, and E. Spafford, “The case of using negative (deceiving) information in data protection,” in CERIAS '14: Proceedings of the 15th Annual Information Security Symposium, Article no. 45, 2014.
[14] M. Thompson, et al., “Dynamic Application Rotation Environment for Moving Target Defense,” Resilience Week (RWS), 2016. IEEE, 2016.
  • 23.
Thank you! Questions?
E-mail to:
Basirudin Djamaluddin: g201601060@kfupm.edu.sa
Ahmed Alnazeer: g201406320@kfupm.edu.sa
Farag Azzedin: fazzedin@kfupm.edu.sa