Moving Target Defense for Web Applications

January 2018

abstract: Web applications continue to remain as the most popular method of interaction for businesses over the Internet. With it's simplicity of use and management, they often function as the "front door" for many companies. As such, they are a critical component of the security ecosystem as vulnerabilities present in these systems could potentially allow malicious users access to sensitive business and personal data. The inherent nature of web applications enables anyone to access them anytime and anywhere, this includes any malicious actors looking to exploit vulnerabilities present in the web application. In addition, the static configurations of these web applications enables attackers the opportunity to perform reconnaissance at their leisure, increasing their success rate by allowing them time to discover information on the system. On the other hand, defenders are often at a disadvantage as they do not have the same temporal opportunity that attackers possess in order to perform counter-reconnaissance. Lastly, the unchanging nature of web applications results in undiscovered vulnerabilities to remain open for exploitation, requiring developers to adopt a reactive approach that is often delayed or to anticipate and prepare for all possible attacks which is often cost-prohibitive. Moving Target Defense (MTD) seeks to remove the attackers' advantage by reducing the information asymmetry between the attacker and defender. This research explores the concept of MTD and the various methods of applying MTD to secure Web Applications. In particular, MTD concepts are applied to web applications by implementing an automated application diversifier that aims to mitigate specific classes of web application vulnerabilities and exploits. Evaluation is done using two open source web applications to determine the effectiveness of the MTD implementation. Though developed for the chosen applications, the automation process can be customized to fit a variety of applications. / Dissertation/Thesis / Masters Thesis Computer Science 2018

Computer science

Automated Source Code Randomization

Computer Science

Dynamic Configurations

Moving Target Defense

Web Application Security

The What, When, and How of Strategic Movement in Adversarial Settings: A Syncretic View of AI and Security

January 2020

abstract: The field of cyber-defenses has played catch-up in the cat-and-mouse game of finding vulnerabilities followed by the invention of patches to defend against them. With the complexity and scale of modern-day software, it is difficult to ensure that all known vulnerabilities are patched; moreover, the attacker, with reconnaissance on their side, will eventually discover and leverage them. To take away the attacker's inherent advantage of reconnaissance, researchers have proposed the notion of proactive defenses such as Moving Target Defense (MTD) in cyber-security. In this thesis, I make three key contributions that help to improve the effectiveness of MTD. First, I argue that naive movement strategies for MTD systems, designed based on intuition, are detrimental to both security and performance. To answer the question of how to move, I (1) model MTD as a leader-follower game and formally characterize the notion of optimal movement strategies, (2) leverage expert-curated public data and formal representation methods used in cyber-security to obtain parameters of the game, and (3) propose optimization methods to infer strategies at Strong Stackelberg Equilibrium, addressing issues pertaining to scalability and switching costs. Second, when one cannot readily obtain the parameters of the game-theoretic model but can interact with a system, I propose a novel multi-agent reinforcement learning approach that finds the optimal movement strategy. Third, I investigate the novel use of MTD in three domains-- cyber-deception, machine learning, and critical infrastructure networks. I show that the question of what to move poses non-trivial challenges in these domains. To address them, I propose methods for patch-set selection in the deployment of honey-patches, characterize the notion of differential immunity in deep neural networks, and develop optimization problems that guarantee differential immunity for dynamic sensor placement in power-networks. / Dissertation/Thesis / Doctoral Dissertation Computer Science 2020

Artificial intelligence

Cyber-security

Equilibrium Computation

Equilibrium Learning

Game Theory

Leader-Follower Games

Moving Target Defense

Pattern-of-life extraction and anomaly detection using GMTI data

Liu, Tsa Chun

January 2019

Ground Moving Target Indicator (GMTI) uses the concept of airborne surveillance of moving ground objects to observe and take actions accordingly. This concept was established in the late 20th century and was put to test during the Gulf War to observe enemy movement on the other side of the mountain. During the war, due to limitations of technology, information such as enemy movement were usually observed through human readings. With the improvement of surveillance technology, tracking individual target became possible, which allows the extraction of useful features for advance usage. Such features, known as tracks, are the results of GMTI tracking. Although the quality of the tracker plays a crucial role in the system performance of this paper, the development of the tracker is not discussed in this paper. The developed system will use simulated ideal GMTI tracks as input dataset. This paper presents an end-to-end system that includes Anomaly GMTI (AGMTI) track simulation, Pattern of Life (PoL) extraction and Anomaly Detection System (ADS). All the subsystems (AGMTI, PoL and ADS) are independent of each other, so they can either be replaced or disabled to resemble different real-world scenarios. The results from AGMTI will provide inputs for the rest of the subsystems. The results from PoL extraction will be used to improve the performance of ADS. The proposed ADS is a semi-supervised learning detection system in which the system takes prior information to support and improve detection performance, but will still operate without prior information. The AGMTI tracks simulator will be simulated with an open-sourced software called Simulation of Urban Traffic (SUMO). The AGMTI tracks simulator subsystem will make use of SUMO's API to generate normal and anomaly GMTI tracks. The PoL extraction will be accomplished by using various clustering algorithms and statistical functions. The ADS will use combination of various anomaly detection algorithms for different anomaly events including statistical approach using Gaussian Mixture Model Expectation Maximization (GMM-EM), Hidden Markov Model (HMM), graphical approach using Weiler-Atherton Polygon Clipping (WAPC) and various clustering algorithms such as K-means clustering, Spectral clustering and DBSCAN. Finally, as extensions to the proposed system, this paper also presents Contextual Pattern of Life (CPoL) and Grouped Anomaly Detection. The CPoL is an extension to the PoL to enhance the quality and robustness of the extraction. The Grouped Anomaly is extension to both AGMTI track simulator and ADS to diversify the possible scenarios. The results from the ADS will be evaluated. Details of implementation will be provided so the system can be replicated. / Thesis / Master of Applied Science (MASc)

Ground moving target indicator

Pattern-of-life

Clustering

Anomaly detection

Traffic

Classification

Simulation

Model

Cybersecurity for the Internet of Things:  A Micro Moving Target IPv6 Defense

Zeitz, Kimberly Ann

04 September 2019

As the use of low-power and low-resource embedded devices continues to increase dramatically with the introduction of new Internet of Things (IoT) devices, security techniques are necessary which are compatible with these devices. This research advances the knowledge in the area of cybersecurity for the IoT through the exploration of a moving target defense to apply for limiting the time attackers may conduct reconnaissance on embedded systems while considering the challenges presented from IoT devices such as resource and performance constraints. We introduce the design and optimizations for µMT6D, a Micro-Moving Target IPv6 Defense, including a description of the modes of operation and use of lightweight hash algorithms. Through simulations and experiments µMT6D is shown to be viable for use on low power and low resource embedded devices in terms of footprint, power consumption, and energy consumption increases in comparison to the given security benefits. Finally, this provides information on other future considerations and possible avenues of further experimentation and research. / Doctor of Philosophy / This research aims to advance knowledge in the area of cybersecurity for the Internet of Things through the exploration and validation of a moving target defense to apply for limiting the time attackers may conduct reconnaissance on low powered embedded system devices considering the challenges presented from IoT devices such as resource and performance constraints. When an attack is carried out against a network, reconnaissance is utilized to identify the target machine or device. Limiting the time for reconnaissance, therefore has a direct impact on the ability of an adversary to carry out an attack. Many of the security techniques utilized today do not fit the IoT constraints. Research in this area is just beginning and security is often not considered. Sensors collecting and sending information can be compromised both through the network and access to the physical devices. How can these devices securely send information? How can these devices withstand attacks aiming to stop their functionality or to gain information? There are many aspects which need to be investigated to understand security vulnerabilities and potential defenses. As our technologies evolve our security defenses need to evolve as well. My research aims to further the understanding of the security of the IoT devices which have quickly become pervasive in our society. This research will expand the knowledge of the ability to safe guard connected devices from cyber-attacks and provide insight into the space and performance requirements of a technique previously only used on large scale systems. By designing, implementing experimental prototypes, and conducting simulations and experiments this research assesses the viable use of a Micro Moving Target IPv6 Defense (µMT6D).

Internet of Things

IPv6 Security

Embedded Systems

Moving Target Defense

Wireless Sensor Networks

RESONANT: Reinforcement Learning Based Moving Target Defense for Detecting Credit Card Fraud

Abdel Messih, George Ibrahim

20 December 2023

According to security.org, as of 2023, 65% of credit card (CC) users in the US have been subjected to fraud at some point in their lives, which equates to about 151 million Americans. The proliferation of advanced machine learning (ML) algorithms has also contributed to detecting credit card fraud (CCF). However, using a single or static ML-based defense model against a constantly evolving adversary takes its structural advantage, which enables the adversary to reverse engineer the defense's strategy over the rounds of an iterated game. This paper proposes an adaptive moving target defense (MTD) approach based on deep reinforcement learning (DRL), termed RESONANT to identify the optimal switching points to another ML classifier for credit card fraud detection. It identifies optimal moments to strategically switch between different ML-based defense models (i.e., classifiers) to invalidate any adversarial progress and always stay a step ahead of the adversary. We take this approach in an iterated game theoretic manner where the adversary and defender take turns to take their action in the CCF detection contexts. Via extensive simulation experiments, we investigate the performance of our proposed RESONANT against that of the existing state-of-the-art counterparts in terms of the mean and variance of detection accuracy and attack success ratio to measure the defensive performance. Our results demonstrate the superiority of RESONANT over other counterparts, including static and naïve ML and MTD selecting a defense model at random (i.e., Random-MTD). Via extensive simulation experiments, our results show that our proposed RESONANT can outperform the existing counterparts up to two times better performance in detection accuracy using AUC (i.e., Area Under the Curve of the Receiver Operating Characteristic (ROC) curve) and system security against attacks using attack success ratio (ASR). / Master of Science / According to security.org, as of 2023, 65% of credit card (CC) users in the US have been subjected to fraud at some point in their lives, which equates to about 151 million Americans. The proliferation of advanced machine learning (ML) algorithms has also contributed to detecting credit card fraud (CCF). However, using a single or static ML-based defense model against a constantly evolving adversary takes its structural advantage, which enables the adversary to reverse engineer the defense's strategy over the rounds of an iterated game. This paper proposes an adaptive defense approach based on artificial intelligence (AI), termed RESONANT, to identify the optimal switching points to another ML classifiers for credit card fraud detection. It identifies optimal moments to strategically switch between different ML-based defense models (i.e., classifiers) to invalidate any adversarial progress and always stay a step ahead of the adversary. We take this approach in an iterated game theoretic manner where the adversary and defender take turns to take their action in the CCF detection contexts. Via extensive simulation experiments, we investigate the performance of our proposed RESONANT against that of the existing state-of-the-art counterparts in terms of the mean and variance of detection accuracy and attack success ratio to measure the defensive performance. Our results demonstrate the superiority of RESONANT over other counterparts, showing that our proposed RESONANT can outperform the existing counterparts by up to two times better performance in detection accuracy and system security against attacks.

Iterated games

adversarial learning

moving target defense

credit card

fraud detection

reinforcement learning

machine learning

Game tree search algorithms for the game of cops and robber

Moldenhauer, Carsten

11 1900

Moving target search has been given much attention during the last twenty years. It is a game in which multiple pursuers (cops) try to catch an evading agent (robber) and also known as the game of cops and robber. Within this thesis we study a discrete alternating version played on a graph with given initial positions for the cops and the robber, providing a number of results for optimal and sub-optimal approaches to the game.

cops and robbers

moving target search

Two-Agent IDA*

Reverse Minimax A*

Iterative Proof-Number Search

TrailMax

Dynamic Abstract TrailMax

pursuit games

Jammer Cancelation By Using Space-time Adaptive Processing

Uysal, Halil

01 October 2011

Space-Time Adaptive Processing (STAP) has been widely used in spaceborne and airborne radar platforms in order to track ground moving targets. Jammer is an hostile electronic countermeasure that is being used to degrade radar detection and tracking performance. STAP adapts radar&rsquo / s antenna radiating pattern in order to reduce jamming effectiveness. Jamming power that enters the system is decreased with respect to the adapted radiation pattern. In this thesis, a generic STAP radar model is developed and implemented in simulation environment. The implemented radar model demonstrates that, STAP can be used in order to suppress wideband jammer effectiveness together with ground clutter effects.

Game tree search algorithms for the game of cops and robber

Moldenhauer, Carsten

Unknown Date

No description available.

cops and robbers

moving target search

Two-Agent IDA*

Reverse Minimax A*

Iterative Proof-Number Search

TrailMax

Dynamic Abstract TrailMax

pursuit games

Algorithmes de suivi de cible mobile pour les réseaux de capteurs sans fils / Moving target tracking algorithms for Wireless Sensor Networks

Boulanouar, Ibtissem

24 June 2014

Les réseaux de capteurs sans fils se définissent comme un ensemble de petits appareils autonomes et interconnectés. Ces capteurs sont déployés dans une zone d'intérêt dans le but de collecter des informations de l'environnement comme la température ou la qualité de l'air, suivant l'application envisagée. L'évolution de ces dispositifs de capture vers le multimédia ouvre l'accès à une plus large palette d'applications et de services pour une meilleure maitrise de notre environnement. Dans cette thèse nous nous intéressons au suivi de cible mobile dans les réseaux de capteurs sans fils, certains de ces capteurs pouvant collecter des images. Le suivi de cible (Tracking) consiste à détecter et à localiser sur l'ensemble de sa trajectoire une cible traversant une zone d'intérêt. Cette application peut s'avérer très utile, par exemple, pour détecter et enregistrer les déplacements d'un intrus dans une zone sensible ou encore pour suivre les déplacements d'une personne assistée et munie d'un appareil avec interface radio. Contrairement aux systèmes de surveillance classiques qui nécessitent une infrastructure fixe, les réseaux de capteurs sans fils sont aussi faciles à installer qu'à désinstaller. De plus, grâce à leur polyvalence, ils peuvent être utilisés dans de nombreux environnements hostiles et inaccessibles pour l'être humain. Toutefois, étant restreints en énergie, ils ne peuvent rester actifs en permanence au risque de limiter considérablement leur durée de vie. Afin de résoudre ce problème, l'idée est d'activer uniquement les capteurs qui sont sur la trajectoire de la cible au moment ou cette dernière est à leur portée radio ou visuelle. La question est donc : comment et sur quels critères activer ces capteurs afin d'obtenir à tout moment le meilleur compromis entre la précision du suivi et la préservation des ressources énergétiques ? C'est à cette question que nous essayerons de répondre tout au long de cette thèse. Dans un premier temps nous nous intéressons aux cibles communicantes qui ont la faculté d'émettre des signaux et donc de faciliter grandement le processus de suivi. Le défi ici est de relayer l'information entre les différents capteurs concernés. Nous utilisons pour cela un algorithme de déploiement basé sur le concept de forces virtuelles (VFA : Virtual Forces Algorithm) associé à un algorithme de suivi collaboratif et distribué implémenté sur un réseau organisé en clusters. Ensuite, nous traitons le cas, plus complexe et plus fréquent, des cibles non communicantes. L'objectif est de détecter la présence de la cible uniquement à l'aide de capteurs de présence. Pour cela nous proposons le déploiement d'un réseau de capteurs sans fil hétérogènes composé decapteurs de mouvement en charge de la partie détection de la cible et de capteurs vidéo en charge de la partie localisation. Lorsqu'une cible est détectée par un capteur de mouvement, l'information est communiquée aux capteurs vidéo voisins qui décident d'activer ou non leurs caméras en se basant sur des critères prédéfinis tenant compte de l'angle d'orientation des caméras. Enfin, dans une dernière contribution nous nous intéressons plus spécifique mentaux modèles de mobilité de la cible. Ces modèles nous permettent d'anticiper ses déplacements et d'affiner le processus d'activation des capteurs qui sont sur sa trajectoire. Nous utilisons pour cela le filtre de Kalman étendu combiné à un mécanisme de détection de changements de direction nommé CuSum (Cumulative Summuray). Ce mécanisme nous permet de calculer efficacement les futures coordonnées de la cible et de réveiller les capteurs en conséquence / Wireless Sensor Networks (WSN) are a set of tiny autonomous and interconnected devices. These Sensors are scattered in a region of interest to collect information about the surrounding environment depending on the intended application. Nowadays, sensors allow handling more complex data such as multimedia flow. Thus, we observe the emergence of Wireless Multimedia Sensor Networks opening a wider range of applications. In this work, we focus on tracking moving target in these kinds of networks. Target tracking is defined as a two-stage application: detection and localization of the target through its evolution inside an area of interest. This application can be very useful. For example, the presence of an intruder can be detected and its position inside a sensitive area reported, elderly or sick persons carrying sensors can be tracked anytime and so on. Unlike classical monitoring systems, WSN are more flexible and more easy to set up. Moreover, due to their versatility and autonomy they can be used in hostile regions, inaccessible for human. However, these kinds of networks have some limitations: wireless links are not reliable and data processing and transmission are greedy processes in term of energy. To overcome the energy constraint, only the sensors located in target pathway should be activated. Thus, the question is : how to select these sensors to obtain the best compromise between the tracking precision and the energy consumption? This is the question we are trying to answer in this dissertation. Firstly, we focus on communicating targets which have the ability to transmit signals and greatly facilitate the tracking process. The challenge here is to relay the information between the concerned sensors. In order to deal with this challenge, we use a deployment strategy based on virtual forces (VFA: Virtual Forces Algorithm) associated to a distributed tracking algorithm implemented in a cluster-based network. Secondly, we handle a more complex and more frequent case of non-communicating targets. The objective is to detect the presence of such target using movement sensors. We propose the deployment of an heterogeneous wireless sensor networks composed of movement sensors used to detect the target and camera sensors used to locate it. When the target is detected the information is sent to the camera sensors which decide whether to activate or not their cameras based on probabilistic criteria which include the camera orientation angle. Finally, as our last contribution, we specifically focus on target mobility models. These models help us to predict target behaviour and refine the sensor activation process. We use the Extended Kalamn filter as prediction model combined with a change detection mechanism named CuSum (Cumulative Summuray). This mechanism allows to efficiently compute the future target coordinates, and to select which sensors to activate

Réseaux de capteurs sans fil

Suivi de cible mobile

Prédiction

Filtre de Kalman

Wireless Sensor Networks

Moving target tracking

Prediction

Kalman filter

Reconstruction de trajectoires de cibles mobiles en imagerie RSO aéroportée / Moving target trajectory reconstruction using circular SAR imagery

Poisson, Jean-Baptiste

12 December 2013

L’imagerie RSO circulaire aéroportée permet d’obtenir de nombreuses informations sur les zones imagées et sur les cibles mobiles. Les objets peuvent être observés sous plusieurs angles, et l’illumination continue d’une même scène permet de générer plusieurs images successives de la même zone. L’objectif de cette thèse est de développer une méthode de reconstruction de trajectoire de cibles mobiles en imagerie RSO circulaire monovoie, et d’étudier les performances de la méthode proposée. Nous avons tout d’abord mesuré les coordonnées apparentes des cibles mobiles sur les images RSO et leur paramètre de défocalisation. Ceci permet d’obtenir des informations de mouvement des cibles, notamment de vitesse et d’accélération. Nous avons ensuite utilisé ces mesures pour définir un système d’équations non-linéaires permettant de faire le lien entre les trajectoires réelles des cibles mobiles et leurs trajectoires apparentes. Par une analyse mathématique et numérique de la stabilité de ce système, nous avons montré que seul un modèle de cible mobile avec une vitesse constante permet de reconstruire précisément les trajectoires des cibles mobiles, sous réserve d’une excursion angulaire suffisante. Par la suite, nous avons étudié l’influence de la résolution des images sur les performances de reconstruction des trajectoires, en calculant théoriquement les précisions de mesure et les précisions de reconstruction qui en découlent. Nous avons mis en évidence l’existence théorique d’une résolution azimutale optimale, dépendant de la radiométrie des cibles et de la validité des modèles étudiés. Finalement nous avons validé la méthode développée sur deux jeux de données réelles. / Circular SAR imagery brings a lot of information concerning the illuminated scenes and the moving targets. Objects may be seen from any angle, and the continuity of the illumination allows generating a lot of successive images from the same scene. In the scope of this thesis, we develop a moving target trajectory reconstruction methodology using circular SAR imagery, and we study the performances of this methodology. We have first measured the apparent coordinates of the moving targets on SAR images, and also the defocusing parameter of the targets. This enables us to obtain information concerning target movement, especially the velocity and the acceleration. We then used these measurements to develop a non-linear system that makes the link between the apparent trajectories of the moving targets and the real ones. We have shown, by a mathematical and numerical analysis of the robustness, that only a model of moving target with constant velocity enables us to obtain accurate trajectory reconstructions from a sufficient angular span. Then, we have studied the azimuth resolution influence on the reconstruction accuracy. In order to achieve this, we have theoretically estimated the measurement accuracy and the corresponding reconstruction accuracy. We have highlighted the existence of an optimal azimuth resolution, depending on the target radiometry and on the validity of the two target models. Finally, we have validated the method on two real data sets on X-Band acquired by SETHI and RAMSES NG, the ONERA radar systems, and confirmed the theoretical analyses of its performances.

Imagerie RSO circulaire

Radar à synthèse d'ouverture

Cible mobile

Reconstruction de trajectoire

Circular SAR imagery

Synthetic aperture radar

Moving target

Trajectory reconstruction