Cyber Deception on the Security of Web Servers
The Internet's growth has made the increasing number of web applications available through the HTTP protocol. Throughout our daily lives, web applications offer resources in a variety of areas such as healthcare, retail, education, critical infrastructure, and so on. Most web applications are designed to manage sensitive and essential tasks that can attract a large number of attackers. According to Symantec, attackers normally compromise web servers and inject malicious code, and then allow victims to be redirected to the servers of the exploit kit. Web services are becoming increasingly immensely powerful and complex, making it harder to accept all potential exceptions to the proper behaviour of web servers and applications, contributing to significant security issues. Attacks on web applications make up more than 65 percent of the Internet's overall attempts to attack. Web application vulnerabilities such as SQL injection and as well as custom-built applications account for over 80 percent of the vulnerabilities discovered. An attack on a web server, however, is often just the first step of an intrusion intended to access internal network data sources. Many applications-focused attacks such as SQL injection, and parameter manipulation. Intranet websites can be targeted indirectly from the outside by first attacking an internal network web browser. Since corporate users are sitting behind firewalls, they often have the access required to target an attacker's intranet applications. A victim visits a malicious web page that gets hold of the web browser of the victim. The victim's web browser can then be instructed on behalf of the attacker to connect to servers on the internal IP range. By turn, a user's web browser on an internal network will become a forum for launching attacks on internal targets.
In this paper we concentrate on a similar scenario where an intrusion starts with an assault on the company's front-facing web servers. Web servers are usually located in demilitarised zones where they interact on secured networks with data sources since they can not be relied on to be completely safe. Web servers in a DMZ are secured by IP/port-based filtering and can connect to internet-based machines and other internet-based servers that are typically less hardened due to cost/benefit smuggling. If an attacker achieves control over the web server, he can perform the same commands on these servers as anyone on the server's keyboard. Starting an effective attack requires immersive terminal access that can be achieved by copying the shell interpreter to a folder within the web server's document root. For this function, there are several manipulation methods, including the use of URL parsing, SQL injection, or targeting applications that improperly validate input variables. Consequently, a URL can invoke the shell interpreter to collect information about the internal network and try to increase the privileges of the attacker for the internal network. Probable methods of mitigating the impact of the attack may include preventing the web server from regularly updating the web server from accessing the data source with the data source, or segmenting the network, putting the data source on a different segment, and restricting interaction to the rest of the network. Such interventions, though, do not eliminate the risks of an attack
II. Related work
Surname et al. have conducted a performance evaluation of different … with regards to network jitter, energy efficiency and …. With the use of twenty NS-2 simulation runs for its experiment, they have concluded that the … has considerably lower … than …. However, it achieves this at the expense of a higher … in the following situations. The particular trade-offs have also been researched by Other Surname et al., specifically for the case of.
III. Analysis and Critical Discussion
1 Defrauding the attacker
Cyber attacks are commonly considered in the context of cyberconflict on a broad scale. An overall conclusion is that, while possible, a cyber-attack (or counter-cyber-attack in this paper's topic) is not necessarily the right response to the intrusion; one explanation is that if it is not completely successful, the attacker would immediately realize that his attack is failing and change to a different mode of attack. An even more fundamental issue is that cyber-attacks occur in an environment where attackers are linked to neutral third parties; counter-attacks on a legitimate target eventually harm a neutral party. This potential unpredictable damage, as well as weak attribution (identities are easily hidden or manufactured in cyberspace) reduces counterattack potency in cyberspace. Even worse, cyberspace deterrence becomes much more difficult because we can not threaten undetermined attackers and threaten the wrong party is detrimental.
2 Managing Honeypots
To gather data and review specific types of attacks, honeypots have been used for a long time to mimic some components of a full operating system. They intend to be tested, assaulted, or jeopardized. They are, by definition, machines connected to a network that no one should use; any connexion is the outcome of an error or an attack. Honeypots therefore have no production value that allows trustworthy forensic data analysis with fewer false positives. For instance, resembles various hosts to deceive attackers by scanning a network of victims. Describes a honeypot that is used to analyse an attacker's behaviour after breaking into a machine. The authors make breaking in easy for an attacker: for ssh user accounts, they use weak passwords. Describes a low-interaction honeypot platform (trying to emulate only the vulnerable parts of a specific service) used to gather information about self-replicating malicious software. Likewise uses honeypots to gather data from malware. Defines a low-interaction honeypot web application that emulates vulnerabilities to collect data from attacks targeting web applications. It is designed by providing the proper response to requests of the attacker to appear vulnerable to the attacker.
2.2 Intrusion Deception
Honeypots deployment offers invaluable information about the actions of hackers that can be used to develop the techniques of Intrusion Deception, but Intrusion Deception goes far beyond honeypots deployment. Although honeypots are computers that are not meant to be used by anyone, Intrusion Deception refers to fully productive computer systems that are meant to be used by an authorised group of users. Intrusion Deception goes beyond detecting and responding to threats in the basic security model. It comes from understanding that the basic security model helps the intruder to be one step ahead and plan his strike well ahead of our reaction. It seeks to be strategic, taking advantage of the mindset and vulnerability of the attacker. The understanding of an attacker's typical mentality, his willingness to cause damage, the use of attack techniques, the way he analyses a system after the initial intrusion can all be used to create effective defensive deceptions as generic excuse scenarios rather than isolated actions that may not be sufficiently persuasive. Previous efforts to include deception focused on creating web servers or website sections with 'secrets' that would interest only a malicious intruder. Because regular users would not be searching for secrets, anyone who accesses the secret area is assumed to be an intruder and the web server responds deceptively by acting as if finding network failures or difficulties in retrieving data. This form of deception is intended to mislead the attacker and make him waste resources and time on the presumption that the server is under a time-critical DoS attack or an intrusion where the attacker relies on an unpredictable and short-lived attack. The Intrusion Deception concept covers a broad range of responses, including fake information and decoy systems. It improves information systems allowing them to deceive enemies in order to prevent them from achieving their objectives. Because attackers rely on computer system responses, such deception can be very successful with minimal resources, whether attacks are conducted by insiders or outsiders.
Its initial objective is to gather insight into the nature of the attack but, unlike a honeypot whose objective is to lure and study attackers, its actual purpose is to confuse, misdirect and frustrate a malicious attacker while at the same time gathering intelligence and forcing the attacker to expose its sources and methods.
It also employs techniques to force the attacker to perform actions that are detrimental to his purpose, such as forcing him to use communication protocols that make it easier for the Intrusion Deception system to achieve its purpose. Deception is useful even when we are very sure of an attack, first as a delaying tactic, and by diverting the attacker to honeynets at the proper time as determined by the detected intrusion, until at some point it may become safer to disconnect the attacker. A framework for using intelligent software decoys to deceive hackers once they have infiltrated a system is described in . The model consists of a security contract, which when violated triggers the generation of deceptive decoys by the software object. The goal of this deception is to convince the mobile agent into concluding that it has successfully infiltrated the system. The decoys described simply consist of a fake java object generated at run time with randomly permutated arguments. Most of these techniques have been compiled in a software package consisting of PERL scripts called the deception toolkit (DTK). In the Intrusion Deception architecture, we continuously monitor network and server activities for suspiciousness. As suspiciousness increases, we first provide minimum deceptive measures, and then increase their frequency and severity. Deception is used sparingly and consistently to keep the attacker fooled as long as possible, tying up his resources while reducing his chances of a successful attack. Thus, Intrusion Deception is a defense mechanism implemented on a real web server that continues to provide correct information to legitimate users (and to benign requests of a potential attacker) and engages in deception only when an attack is verified to be in progress. Its fundamental purpose is not to mount a counterattack but rather to give the illusion to the attacker that he is succeeding. Therefore, it is only an additional level of defense of an otherwise fully functional web server, increasing the difficulty of a successful attack. The question of whether deception is ethical or legal has been extensively examined in the past and most ethical theories allow for deception against serious harm. We consider an intrusion into a web server to be serious harm. Legal issues in several countries are presented in including whether the defender has a duty to disconnect the system under attack (to retreat from the attack). While the range of Intrusion Deception techniques is extensive, in this paper we focus on engaging intrusion deception techniques to prevent an attacker from gaining control of a web server and using it as an intermediate step to launch attacks into the internal network of an organization. We focus on the situation where despite network defenses, an attacker has penetrated the network and has managed to install a malicious piece of software on the web server.
III. A deception module on Apache
One way of protecting critical processes, such as the Apache web server, is to enclose them in software wrappers. A software wrapper is basically a set of rules for detecting and responding to suspicious behavior. It allows the interaction between the critical process and the external client (who might be a potential attacker), but employs deception techniques when it detects an intrusion. In its simplest form, the software wrapper responds with fake error messages, keeps the attacker occupied or redirects his traffic to a honeypot. In a concept quite similar to a software wrapper, Apache modules have been developed to defend the server against attacks. Two common ones are ModSecurity and ModEvasive. ModSecurity considers common types of attacks such as variable-length buffer injection, meta character injection, and SQL injection that pass unobstructed through common firewall configurations, and attempts to detect the attacks and block the related traffic. ModEvasive is an Apache module providing evasive action in the event of an HTTP DoS or DDoS attack. It detects certain events, such as frequently requesting the same page, and denies access to the corresponding IP address. It can be configured to coordinate with firewalls and routers to optimize its response and reduce the required bandwidth and processor utilization. Although their purpose is to defend the server against attacks, they both rely fundamentally on access controls, and neither of them attempts to use deception.
Here, you briefly summarise the work carried out and suggest possible future work. The conclusions section is similar to the abstract with the addition of the future work suggestion or perhaps more detail in the summarization of the results of the previous section.