Deception strategies for web application security: application-layer approaches and a testing platform
Luleå University of Technology, Department of Computer Science, Electrical and Space Engineering.
2017 (English). Independent thesis, Advanced level (degree of Master (Two Years)), 20 credits / 30 HE credits. Student thesis.
Abstract [en]

The popularity of the internet has made the use of web applications ubiquitous and essential to the daily lives of people, businesses and governments. Web servers and web applications commonly handle tasks and data that can be critical and highly valuable, making them a very attractive target for attackers and a vector for successful attacks aimed at the application layer. Existing misuse- and anomaly-based detection and prevention techniques fail to cope with the volume and sophistication of new attacks that are continuously appearing, which suggests a need for new, additional layers of protection.

This work aims to design a new layer of defense based on deception that is employed in the context of web application-layer traffic with the purpose of detecting and preventing attacks. The proposed design is composed of five deception strategies: Deceptive Comments, Deceptive Request Parameters, Deceptive Session Cookies, Deceptive Status Codes and Deceptive JavaScript.

The strategies were implemented as a software artifact and their performance evaluated in a testing environment using a custom test script, the OWASP ZAP penetration testing tool and two vulnerable web applications.

The Deceptive Request Parameters strategy obtained the best security performance results, followed by Deceptive Comments and Deceptive Status Codes. Deceptive Session Cookies and Deceptive JavaScript obtained the poorest security performance results, since OWASP ZAP was unable to detect and use the deceptive elements generated by these strategies.

Operational performance results showed that the deception artifact could be successfully implemented and integrated with existing web applications without changing their source code, while adding only a low operational overhead.

Place, publisher, year, edition, pages
2017, p. 74
Keywords [en]
deception, computer deception, cyberdeception, intrusion detection, intrusion deception, security, cybersecurity, web, web applications, HTTP, penetration testing, security testing, honeypots, honeytokens, decoy, active defense, attacks, web vulnerability scanners, OWASP ZAP, BodgeIt, WAVSEP
National Category
Computer Systems
Identifiers
URN: urn:nbn:se:ltu:diva-64419
OAI: oai:DiVA.org:ltu-64419
DiVA id: diva2:1114330
Subject / course
Student thesis, at least 30 credits
Educational program
Information Security, master's level (120 credits)
Available from: 2017-06-26. Created: 2017-06-22. Last updated: 2018-03-09. Bibliographically approved.

Open Access in DiVA

Full text (3248 kB), 184 downloads
File information
File name: FULLTEXT02.pdf
File size: 3248 kB
Checksum (SHA-512): 811a9eda23b2a7ef67df7241d5127a196df34614c0f6314b76dab448e94fed564f1c09da5660f30457a9e49d0685daa5c2ed2243637242e8b50c0831303a136a
Type: fulltext
Mimetype: application/pdf

Author/editor
Izagirre, Mikel
Organisation
Department of Computer Science, Electrical and Space Engineering; Computer Systems
