Abstract
Moving target defense against cyberattacks consists of changing the profile or signature of certain services on an Internet node so that an attacker cannot identify it uniquely or find specific angles of attack against it. From an optimization point of view, generating profiles that both change and optimize security is a combinatorial optimization problem in which different service configurations are generated and evaluated, seeking the optimum according to a standard server vulnerability evaluation score. In this paper we use an evolutionary algorithm to generate different server profiles that also minimize the risk of being attacked. Working on the well-known web server nginx, and using an industry-standard web configuration, we will prove that this evolutionary algorithm is able to generate a sufficient number of different and secure profiles in time for them to be deployed on the server. The system has been released as free software, as is the best practice in security tools.
Notes
1. It should be noted that some of the proposed configurations, such as nginx + mod_rails, are simply impossible, since mod_rails is an Apache plugin, apart from being specifically designed for Ruby on Rails applications.
Acknowledgements
This paper has been supported in part by projects DeepBio (TIN2017-85727-C4-2-P).
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Collado, E.S., Castillo, P.A., Merelo Guervós, J.J. (2020). Using Evolutionary Algorithms for Server Hardening via the Moving Target Defense Technique. In: Castillo, P.A., Jiménez Laredo, J.L., Fernández de Vega, F. (eds) Applications of Evolutionary Computation. EvoApplications 2020. Lecture Notes in Computer Science, vol 12104. Springer, Cham. https://doi.org/10.1007/978-3-030-43722-0_43
DOI: https://doi.org/10.1007/978-3-030-43722-0_43
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-43721-3
Online ISBN: 978-3-030-43722-0
eBook Packages: Computer Science, Computer Science (R0)