Abstract:
The advent of sophisticated attacks, together with the ubiquity of web applications, has made it very challenging to secure web applications in real time. Over-reliance on simple, traditional security solutions such as Web Application Firewalls (WAFs) compounds the problem, because most cyber attacks, including Advanced Persistent Threats (APTs), rely on web attacks, especially during the infiltration and expansion phases. Since traditional solutions such as WAFs are no longer capable of countering modern attacks on web applications, researchers have shifted towards deep learning based defensive solutions that can detect modern web attacks. Existing solutions for web attack detection have many weaknesses: they do not cover a large number of attack classes, have no attacker profiling feature, are neither cascaded nor hybrid in nature, and are not optimized. Apart from a sound deep learning based framework for detecting web attacks, there has been growing interest in learning about attackers' behaviour, tactics, methodologies and techniques, which is only possible if the attacker is engaged for a period of time. Work in the existing literature does not study attacker behaviour in addition to attack detection, as this requires a deception system that can deceive attackers with highly deceptive lures carrying misleading information that entices them to launch attacks. The prime motivation of this research was to come up with a framework that combines attack detection and deception and uses them together, so that web attacks are promptly detected and personalized deception is provided. In the proposed research, we introduce a hybrid web attack detection module nested with a high-interaction, lightweight web deception module to thwart and analyze all prevalent and commonly known web application attacks. The hybrid web attack detection module nests a Convolutional Neural Network (CNN) based attack detection engine with a Cookie Analysis Engine (CAE) in such a way that web attacks are detected, mitigated and analyzed.
Moreover, attackers are profiled over time, which helps further optimize attack detection and deception. To train the deep learning classifier, we first produced a large dataset over a span of time and selected key features of the HTTP request, such as the request data, cookies, Content Length, Content Type and requested URL. The Cookie Analysis Engine works in conjunction with the deep learning classifier and checks the cookie fields of every incoming HTTP request for failed sanitization and integrity checks, mutations, and the presence of advertising/third-party content. The proposed hybrid attack detection framework then analyses the cascaded output of the Cookie Analysis Engine together with the output of the deep learning classifier to give a final verdict on the incoming HTTP request. The framework was thoroughly tested not only on a custom dataset generated in a real-time environment but also on a publicly available benchmark dataset. On our dataset, generated specifically for testing purposes, the proposed framework achieved 99.94% accuracy, while on the public dataset it achieved 98.74%. What makes the proposed framework highly optimized and less resource intensive is the attacker profiling feature: because attacker profiles are maintained over time, the number of executions of the deep learning classifier is reduced. This enables the framework to be deployed easily to counter web attacks in real time. Moreover, the decrease in classifier executions did not compromise attack detection accuracy or precision.
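The cascade described above (the Cookie Analysis Engine's four checks, the deep learning classifier, and the attacker profile that short-circuits classifier executions), written out as an added, illustrative Python example. This is not the paper's code: the cookie signing format ("value.hmac-sha256-hex" under a server key), the choice of keying profiles by client address, the malicious-hit threshold, the list of third-party cookie names, the rule for combining CAE findings with the classifier score, and the regex "classifier" standing in for the CNN are all assumptions made here.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

# Assumption: the protected application issues its own cookies as "<value>.<hmac-sha256-hex>"
# under this key. The abstract does not say how integrity is checked; HMAC is a stand-in.
SERVER_KEY = b"demo-only-server-key"
SERVER_ISSUED = {"session", "role"}              # cookie names the application sets itself
THIRD_PARTY = {"_ga", "_gid", "_fbp", "__gads"}  # constructed list of advertising/tracker cookies
UNSAFE = re.compile(r"[<>'\"()]|--|\.\./")       # payload characters that must not survive sanitization
PROFILE_THRESHOLD = 2                            # malicious hits before a client is a known attacker

@dataclass
class Request:
    client_id: str       # how clients are keyed (here: source address) is an assumption
    url: str
    cookie_header: str
    body: str = ""

@dataclass
class Profile:
    malicious_hits: int = 0
    last_cookies: Dict[str, str] = field(default_factory=dict)

def sign(value: str) -> str:
    """Build a server-issued cookie value carrying its HMAC tag."""
    tag = hmac.new(SERVER_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"

def integrity_ok(signed: str) -> bool:
    value, _, tag = signed.rpartition(".")
    expected = hmac.new(SERVER_KEY, value.encode(), hashlib.sha256).hexdigest()
    return bool(tag) and hmac.compare_digest(tag.encode(), expected.encode())

def parse_cookies(header: str) -> Dict[str, str]:
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name.strip()] = value.strip()
    return cookies

def cookie_analysis(cookies: Dict[str, str], profile: Profile) -> Dict[str, bool]:
    """The four checks the abstract attributes to the Cookie Analysis Engine."""
    issued = {n: v for n, v in cookies.items() if n in SERVER_ISSUED}
    return {
        "integrity_failed": any(not integrity_ok(v) for v in issued.values()),
        "sanitization_failed": any(UNSAFE.search(v) is not None for v in cookies.values()),
        # a server-issued cookie whose value changed since this client's previous request
        "mutated": any(profile.last_cookies.get(n) not in (None, v) for n, v in issued.items()),
        "third_party": any(n in THIRD_PARTY for n in cookies),
    }

INJECTION = re.compile(r"union\s+select|<script|\.\./|;\s*(cat|id|ls)\b", re.I)

def stand_in_classifier(req: Request) -> float:
    """Placeholder for the paper's CNN: a regex score over URL and body, not a trained model."""
    return 0.9 if INJECTION.search(req.url + " " + req.body) else 0.1

def verdict(req: Request, profiles: Dict[str, Profile],
            classifier: Callable[[Request], float] = stand_in_classifier) -> Tuple[str, bool]:
    """Return (route, classifier_ran); route is 'deception' or 'application'."""
    profile = profiles.setdefault(req.client_id, Profile())
    cookies = parse_cookies(req.cookie_header)
    findings = cookie_analysis(cookies, profile)
    hard = findings["integrity_failed"] or findings["sanitization_failed"] or findings["mutated"]
    ran = False
    if profile.malicious_hits >= PROFILE_THRESHOLD or hard:
        # Known attacker or a hard CAE finding: route without spending a classifier execution.
        malicious = True
    else:
        ran = True
        # Third-party cookies alone are a weak signal: tighten the model's threshold instead.
        malicious = classifier(req) >= (0.3 if findings["third_party"] else 0.5)
    if malicious:
        profile.malicious_hits += 1
    profile.last_cookies = cookies
    return ("deception" if malicious else "application"), ran
```

The second element of the verdict tuple is what the abstract's optimization claim rests on: once a client's profile has crossed the threshold, or the CAE has a hard finding, the request is routed to deception without running the model at all, so the classifier is only executed for clients that still look benign.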
We also propose a comprehensive, highly interactive web deception framework that is combined with the attack detection framework so that all malicious HTTP requests detected by the hybrid attack detection framework are routed to the deception module, thereby protecting the actual web application. The deception module is based on Docker containers, which makes the system more efficient, scalable and fast, and supports runtime development and scenario based emulation. A centralized Docker controller manages these attack-specific containers and also interacts directly and securely with the hybrid attack detection module. The attacker profiling feature, powered by cookie analysis, also helps the proposed deception scheme deal with zero-day attacks. The proposed system can counter and manage all prominent web application attacks by engaging attackers for a considerable amount of time. The proposed deception framework is also suitable for Internet of Things (IoT) networks and has a competitive edge over existing web deception solutions.