Article

An Approach to Generate Realistic HTTP Parameters for Application Layer Deception

Authors:

Rocio Cabrera LozoyaAuthors Info & Claims

Applied Cryptography and Network Security: 20th International Conference, ACNS 2022, Rome, Italy, June 20–23, 2022, Proceedings

Pages 337 - 355

https://doi.org/10.1007/978-3-031-09234-3_17

Published: 20 June 2022 Publication History

Abstract

Deception is a form of active defense that aims to confuse and divert attackers who try to tamper with a system. Deceptive techniques have been proposed for web application security, in particular, to enrich a given application with deceptive elements such as honey cookies, HTTP parameters or HTML comments. Previous studies describe how to automatically add and remove such elements into the application traffic, however, the elements themselves need to be decided manually, which is a tedious task (especially for large-scale applications) and makes the adoption of deception more cumbersome.

In this paper, we aim to automate the generation of deceptive HTTP parameter names for a given web application. Such parameters should seamlessly blend into application context and be indistinguishable from the rest of the parameters, in order to maximize the deception effect. To achieve this, we propose to use word embeddings trained with a domain-specific corpus obtained from existing web application source code. We evaluate our method through a survey, where we ask the participants to identify the deceptive parameters in two different web applications’ APIs. Moreover, the survey is composed of two variants in order to further experiment with the impact of the quantity and enticement of deceptive parameters.

The results confirm the effectiveness of our method in generating indistinguishable honey parameter names. We also find that the participants’ expectation of the ratio of honey parameters remains constant, regardless of the actual number. Thus, a higher number of honeytokens can provide a stronger defense. Moreover, making attackers aware of deception can help to obfuscate the real attack surface, e.g., by masquerading more than 10% of the real application elements to look like traps. Finally, although our work focuses on the generation of parameter names, we also discuss other related challenges in a holistic way, and provide multiple directions for future research.

References

[1]

Adobe CIF REST API and data model. https://github.com/adobe/commerce-cif-api/tree/deprecated

Abstract

References

Cited By

Index Terms

Recommendations

Parameter manipulation attack prevention and detection by using web application deception proxy

Simulating Deception for Web Applications Using Reinforcement Learning

Deception-Based Game Theoretical Approach to Mitigate DoS Attacks

Comments

Information

Published In

Publisher

Publication History

Author Tags

Qualifiers

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

View options

Login options

Full Access

Figures

Other

Share

Share this Publication link

Share on social media

Affiliations