TY - BOOK
AU - Ahmed Ali Mohammed El-Kosairy
TI - A New Web Deception System Framework with Intrusion and Ransomware Detection System [WDS-IRDS]
U1 - 658
PY - 2018///
KW - Information Security
KW - NULIB
KW - Dissertation, Academic
N1 - Thesis (M.A.)—Nile University, Egypt, 2018; "Includes bibliographical references"
N1 - Contents:
ABSTRACT
CHAPTER 1: INTRODUCTION
1.1 GENERAL OVERVIEW
1.2 AIMS AND OBJECTIVES
1.3 RESEARCH GOALS AND APPROACH
1.4 THESIS ORGANIZATION
CHAPTER 2: BACKGROUND
2.1 HONEYWEB, WEB PROTECTION AND DECEPTION-BASED SCHEMES
2.2 GAME THEORY-BASED SCHEMES
2.3 INTRUSION AND RANSOMWARE DETECTION-BASED SCHEMES
SUMMARY
CHAPTER 3: PROPOSED WDS/IRDS ARCHITECTURE AND DESIGN
3.1 WEB DECEPTION SYSTEM ARCHITECTURE AND DESIGN [WDS]
3.1.1 GAME THEORY AND WEB DECEPTION
3.1.2 PROPOSED WDS ARCHITECTURE
3.1.3 WDS STRUCTURE WITH GIDA MODULE DESIGN
3.2 INTRUSION AND RANSOMWARE DETECTION SYSTEM ARCHITECTURE AND DESIGN [IRDS]
3.2.1 INTRUDER DETECTION FOR SERVERS AND NETWORK
3.2.2 DIFFERENCE BETWEEN RANSOMWARE DETECTION TECHNIQUES
3.2.3 IRDS DESIGN
A. IRDS STRUCTURE AND DESIGN
B. IRDS AND POSITIONING TECHNIQUE
C. MISLEADING CONTENTS AND IRDS STRUCTURE/DESIGN
SUMMARY
CHAPTER 4: EXPERIMENTAL RESULTS
4.1 WDS EXPERIMENTS
4.1.1 ATTACKS BEFORE USING THE PROPOSED WDS
4.1.2 ATTACKS AFTER USING THE PROPOSED WDS
4.2 IRDS EXPERIMENT
4.2.1 EXPERIMENT 1: TESTING RANSOMWARE DETECTION
4.2.2 EXPERIMENT 2: TESTING INTRUSION DETECTION
4.2.3 EXPERIMENT 3: COMPARING IRDS, FILE-HASHING, AND ENTROPY
4.2.4 LIMITATIONS OF THE PROPOSED IRDS
SUMMARY
CHAPTER 5: BENCHMARKING PROPOSED SCHEME
SUMMARY
CHAPTER 6: CONCLUSIONS AND FUTURE WORK
APPENDIX A: SPLUNK SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM)
A.1 WHAT IS SIEM
A.2 CAPABILITIES/COMPONENTS
A.3 WHY SPLUNK
APPENDIX B: WDS ALGORITHM: OUR PROPOSED WDS AGENT POLICY SCRIPT
REFERENCES
N2 - Abstract: Web applications have many vulnerabilities that allow attackers to compromise sensitive data and gain unauthorized access to production web servers. Attackers and cybercriminals are always in a race to either compromise networks and servers or extort ransoms through ransomware. Current random attacks draw attention to the need for new protection and detection tools. Intruders must be prevented from such exploitation of assets, and their malicious attempts counter-attacked. Among the approaches to preventing intruders from compromising servers and networks is the use of traditional security controls, such as Intrusion Prevention Systems (IPS), firewalls and antivirus software. Such tactics can succeed against lower-level attacks. Current attacks are more aggressive and can bypass most security tools. Servers are being compromised and files encrypted for ransom. In this thesis, we propose a web deception scheme to mitigate web attacks on the production web site and detect any intrusion or ransomware on the server and endpoints. The solution is more like a call to arms, using game theory, honeyweb, and honeytokens together with ransomware and intrusion detection. Layers of deception systems are introduced to detect any intrusion or ransomware trying to gain access to compromise private files, using a deception system based on honeyfiles and honeytokens. A proof of concept is deployed with an implementation of one of the key deception methods proposed to detect ransomware and intruders. The proposed scheme is explained in detail, together with simulation results.
ER -