
WENDIGO: Deep Reinforcement Learning for Denial-of-Service Query Discovery in GraphQL

McFadden, S; Maugeri, M; Hicks, C; Mavroudis, V; Pierazzi, F; (2024) WENDIGO: Deep Reinforcement Learning for Denial-of-Service Query Discovery in GraphQL. In: Proceedings - 45th IEEE Symposium on Security and Privacy Workshops, SPW 2024. (pp. 68-75). IEEE: San Francisco, CA, USA. Green open access

Wendigo.pdf - Accepted Version


Abstract

GraphQL is a type of web API which enables a unified endpoint for an application's resources through its own query language, and is widely adopted by companies such as Meta, GitHub, X, and PayPal. The query-based structure of GraphQL is designed to reduce the over-/under-fetching typical of REST web APIs. Consequently, GraphQL allows attackers to perform Denial-of-Service (DoS) attacks through queries inducing higher server loads with fewer requests. However, with the additional complexity introduced by GraphQL, ensuring applications are not vulnerable to DoS is not trivial. We propose WENDIGO, a black-box Deep Reinforcement Learning (DRL) approach requiring only the GraphQL schema to discover DoS-exploitable queries against target applications. For example, our approach is able to discover queries which can perform a DoS attack utilizing only two GraphQL requests per hour, as opposed to the high volume of traffic required by traditional DoS attacks. WENDIGO achieves this by building increasingly complex queries while maximizing response time, using GraphQL features to increase the server load. The effective query discovery offered by WENDIGO not only enables developers to test for potential DoS risk in their GraphQL applications but also showcases DRL's value in security problems such as this one.

Type: Proceedings paper
Title: WENDIGO: Deep Reinforcement Learning for Denial-of-Service Query Discovery in GraphQL
Event: 2024 IEEE Security and Privacy Workshops (SPW)
Dates: 23 May 2024 - 23 May 2024
Open access status: An open access version is available from UCL Discovery
DOI: 10.1109/SPW63631.2024.00012
Publisher version: https://doi.org/10.1109/spw63631.2024.00012
Language: English
Additional information: This version is the author accepted manuscript. For information on re-use, please refer to the publisher’s terms and conditions.
Keywords: Industries, Privacy, Closed box, Denial-of-service attack, Deep reinforcement learning, Robustness, Servers
UCL classification: UCL
UCL > Provost and Vice Provost Offices > UCL BEAMS
UCL > Provost and Vice Provost Offices > UCL BEAMS > Faculty of Engineering Science > Dept of Computer Science
URI: https://discovery.ucl.ac.uk/id/eprint/10201636
