An Approach to Generate Realistic HTTP Parameters for Application Layer Deception

Bibliographic Details
Published in: Applied Cryptography and Network Security, Vol. 13269, pp. 337-355
Main Authors: Sahin, Merve; Hébert, Cédric; Cabrera Lozoya, Rocio
Format: Book Chapter
Language: English
Published: Switzerland, Springer International Publishing AG, 2022
Series: Lecture Notes in Computer Science
Summary: Deception is a form of active defense that aims to confuse and divert attackers who try to tamper with a system. Deceptive techniques have been proposed for web application security, in particular, to enrich a given application with deceptive elements such as honey cookies, HTTP parameters or HTML comments. Previous studies describe how to automatically add and remove such elements into the application traffic; however, the elements themselves need to be decided manually, which is a tedious task (especially for large-scale applications) and makes the adoption of deception more cumbersome. In this paper, we aim to automate the generation of deceptive HTTP parameter names for a given web application. Such parameters should seamlessly blend into the application context and be indistinguishable from the rest of the parameters, in order to maximize the deception effect. To achieve this, we propose to use word embeddings trained with a domain-specific corpus obtained from existing web application source code. We evaluate our method through a survey, where we ask the participants to identify the deceptive parameters in two different web applications' APIs. Moreover, the survey is composed of two variants in order to further experiment with the impact of the quantity and enticement of deceptive parameters. The results confirm the effectiveness of our method in generating indistinguishable honey parameter names. We also find that the participants' expectation of the ratio of honey parameters remains constant, regardless of the actual number. Thus, a higher number of honeytokens can provide a stronger defense. Moreover, making attackers aware of deception can help to obfuscate the real attack surface, e.g., by masquerading more than 10% of the real application elements to look like traps. Finally, although our work focuses on the generation of parameter names, we also discuss other related challenges in a holistic way, and provide multiple directions for future research.
ISBN: 3031092333; 9783031092336
ISSN: 0302-9743; 1611-3349
DOI: 10.1007/978-3-031-09234-3_17