Considering the escalating frequency and sophistication of cyber threats targeting web applications, this paper proposes the development of an automated web security analysis tool to address the accessibility gap for ...Considering the escalating frequency and sophistication of cyber threats targeting web applications, this paper proposes the development of an automated web security analysis tool to address the accessibility gap for non-security professionals. This paper presents the design and implementation of an automated web security analysis tool, AWSAT, aimed at enabling individuals with limited security expertise to effectively assess and mitigate vulnerabilities in web applications. Leveraging advanced scanning techniques, the tool identifies common threats such as Cross-Site Scripting (XSS), SQL Injection, and Cross-Site Request Forgery (CSRF), providing detailed reports with actionable insights. By integrating sample payloads and reference study links, the tool facilitates informed decision-making in enhancing the security posture of web applications. Through its user-friendly interface and robust functionality, the tool aims to democratize web security practices, empowering a wider audience to proactively safeguard against cyber threats.展开更多
The threshold cryptography provides a new approach to building intrusion tolerance applications. In this paper, a threshold decryption scheme based elliptic curve cryptography is presented. A zero-knowledge test appro...The threshold cryptography provides a new approach to building intrusion tolerance applications. In this paper, a threshold decryption scheme based elliptic curve cryptography is presented. A zero-knowledge test approach based on elliptic curve cryptography is designed. The application of these techniques in Web security is studied. Performance analysis shows that our scheme is characterized by excellent security as well as high efficiency.展开更多
In today’s rapidly evolving digital landscape,web application security has become paramount as organizations face increasingly sophisticated cyber threats.This work presents a comprehensive methodology for implementi...In today’s rapidly evolving digital landscape,web application security has become paramount as organizations face increasingly sophisticated cyber threats.This work presents a comprehensive methodology for implementing robust security measures in modern web applications and the proof of the Methodology applied to Vue.js,Spring Boot,and MySQL architecture.The proposed approach addresses critical security challenges through a multi-layered framework that encompasses essential security dimensions including multi-factor authentication,fine-grained authorization controls,sophisticated session management,data confidentiality and integrity protection,secure logging mechanisms,comprehensive error handling,high availability strategies,advanced input validation,and security headers implementation.Significant contributions are made to the field of web application security.First,a detailed catalogue of security requirements specifically tailored to protect web applications against contemporary threats,backed by rigorous analysis and industry best practices.Second,the methodology is validated through a carefully designed proof-of-concept implementation in a controlled environment,demonstrating the practical effectiveness of the security measures.The validation process employs cutting-edge static and dynamic analysis tools for comprehensive dependency validation and vulnerability detection,ensuring robust security coverage.The validation results confirm the prevention and avoidance of security vulnerabilities of the methodology.A key innovation of this work is the seamless integration of DevSecOps practices throughout the secure Software Development Life Cycle(SSDLC),creating a security-first mindset from initial design to deployment.By combining proactive secure coding practices with defensive security approaches,a framework is established that not only strengthens application security but also fosters a culture of security awareness within development teams.This hybrid approach ensures that security considerations are woven into every aspect of the development process,rather than being treated as an afterthought.展开更多
Software-related security aspects are a growing and legitimate concern,especially with 5G data available just at our palms.To conduct research in this field,periodic comparative analysis is needed with the new techniq...Software-related security aspects are a growing and legitimate concern,especially with 5G data available just at our palms.To conduct research in this field,periodic comparative analysis is needed with the new techniques coming up rapidly.The purpose of this study is to review the recent developments in the field of security integration in the software development lifecycle(SDLC)by analyzing the articles published in the last two decades and to propose a way forward.This review follows Kitchenham’s review protocol.The review has been divided into three main stages including planning,execution,and analysis.From the selected 100 articles,it becomes evident that need of a collaborative approach is necessary for addressing critical software security risks(CSSRs)through effective risk management/estimation techniques.Quantifying risks using a numeric scale enables a comprehensive understanding of their severity,facilitating focused resource allocation and mitigation efforts.Through a comprehensive understanding of potential vulnerabilities and proactive mitigation efforts facilitated by protection poker,organizations can prioritize resources effectively to ensure the successful outcome of projects and initiatives in today’s dynamic threat landscape.The review reveals that threat analysis and security testing are needed to develop automated tools for the future.Accurate estimation of effort required to prioritize potential security risks is a big challenge in software security.The accuracy of effort estimation can be further improved by exploring new techniques,particularly those involving deep learning.It is also imperative to validate these effort estimation methods to ensure all potential security threats are addressed.Another challenge is selecting the right model for each specific security threat.To achieve a comprehensive evaluation,researchers should use well-known benchmark checklists.展开更多
In order to protect the website and assess the security risk of website, a novel website security risk assessment method is proposed based on the improved Bayesian attack graph(I-BAG) model. First, the Improved Bayesi...In order to protect the website and assess the security risk of website, a novel website security risk assessment method is proposed based on the improved Bayesian attack graph(I-BAG) model. First, the Improved Bayesian attack graph model is established, which takes attack benefits and threat factors into consideration. Compared with the existing attack graph models, it can better describe the website's security risk. Then, the improved Bayesian attack graph is constructed with optimized website attack graph, attack benefit nodes, threat factor nodes and the local conditional probability distribution of each node, which is calculated accordingly. Finally, website's attack probability and risk value are calculated on the level of nodes, hosts and the whole website separately. The experimental results demonstrate that the risk evaluating method based on I-BAG model proposed is a effective way for assessing the website security risk.展开更多
The backdoor or information leak of Web servers can be detected by using Web Mining techniques on some abnormal Web log and Web application log data. The security of Web servers can be enhanced and the damage of illeg...The backdoor or information leak of Web servers can be detected by using Web Mining techniques on some abnormal Web log and Web application log data. The security of Web servers can be enhanced and the damage of illegal access can be avoided. Firstly, the system for discovering the patterns of information leakages in CGI scripts from Web log data was proposed. Secondly, those patterns for system administrators to modify their codes and enhance their Web site security were provided. The following aspects were described: one is to combine web application log with web log to extract more information,so web data mining could be used to mine web log for discovering the information that firewall and Information Detection System cannot find. Another approach is to propose an operation module of web site to enhance Web site security. In cluster server session, Density -Based Clustering technique is used to reduce resource cost and obtain better efficiency.展开更多
Along with the development of Internet, Web Services technology is a new branch of Web application program, and it has become a hotspot in computer science. However, it has not made great progress in research on Web S...Along with the development of Internet, Web Services technology is a new branch of Web application program, and it has become a hotspot in computer science. However, it has not made great progress in research on Web Services security. Traditional security solutions cannot satisfy the Web Services security require of selective protection, end-to-end security and application layer security. Web Services technology needs a solution integrated in Web Services framework to realize end-to-end security. Based on cryptography and Web Services technology and according to W3C, XML encryption specification, XML digital Signature specification and WS-Security, which proposed by IBM and Microsoft, a new Web services security model based on message layer is put forward in this paper. The message layer is composed of message handlers. It is inserted into the message processing sequence and provides transparent security services for Web Services. To verify the model, a Web Services security system is realized on, net platform. The implementation version of the model can provide various security services, and has advantages such as security, scalability, security controllability and end-to-end security in message level. Key words Web services - Web services security - message layer CLC number TP 393.08 Biography: WANG Cui-ru (1954-), female, Professor, research direction: database and information management system.展开更多
This paper investigates whether security headers are enforced to mitigate cyber-attacks in web-based systems in cyberspace. The security headers examined include X-Content-Type-Options, X-Frame-Options, Strict-Transpo...This paper investigates whether security headers are enforced to mitigate cyber-attacks in web-based systems in cyberspace. The security headers examined include X-Content-Type-Options, X-Frame-Options, Strict-Transport-Security, Referrer-Policy, Content-Security-Policy, and Permissions-Policy. The study employed a controlled experiment using a security header analysis tool. The web-based applications (websites) were analyzed to determine whether security headers have been correctly implemented. The experiment was iterated for 100 universities in Africa which are ranked high. The purposive sampling technique was employed to understand the status quo of the security headers implementations. The results revealed that 70% of the web-based applications in Africa have not enforced security headers in web-based applications. The study proposes a secure system architecture design for addressing web-based applications’ misconfiguration and insecure design. It presents security techniques for securing web-based applications through hardening security headers using automated threat modelling techniques. Furthermore, it recommends adopting the security headers in web-based applications using the proposed secure system architecture design.展开更多
A URL(Uniform Resource Locator)is used to locate a digital resource.With this URL,an attacker can perform a variety of attacks,which can lead to serious consequences for both individuals and organizations.Therefore,at...A URL(Uniform Resource Locator)is used to locate a digital resource.With this URL,an attacker can perform a variety of attacks,which can lead to serious consequences for both individuals and organizations.Therefore,attackers create malicious URLs to gain access to an organization’s systems or sensitive information.It is crucial to secure individuals and organizations against these malicious URLs.A combination of machine learning and deep learning was used to predict malicious URLs.This research contributes significantly to the field of cybersecurity by proposing a model that seamlessly integrates the accuracy of machine learning with the swiftness of deep learning.The strategic fusion of Random Forest(RF) and Multilayer Perceptron(MLP)with an accuracy of 81% represents a noteworthy advancement,offering a balanced solution for robust cybersecurity.This study found that by combining RF and MLP,an efficient model was developed with an accuracy of 81%and a training time of 33.78 s.展开更多
Improving website security to prevent malicious online activities is crucial,and CAPTCHA(Completely Automated Public Turing test to tell Computers and Humans Apart)has emerged as a key strategy for distinguishing huma...Improving website security to prevent malicious online activities is crucial,and CAPTCHA(Completely Automated Public Turing test to tell Computers and Humans Apart)has emerged as a key strategy for distinguishing human users from automated bots.Text-based CAPTCHAs,designed to be easily decipherable by humans yet challenging for machines,are a common form of this verification.However,advancements in deep learning have facilitated the creation of models adept at recognizing these text-based CAPTCHAs with surprising efficiency.In our comprehensive investigation into CAPTCHA recognition,we have tailored the renowned UpDown image captioning model specifically for this purpose.Our approach innovatively combines an encoder to extract both global and local features,significantly boosting the model’s capability to identify complex details within CAPTCHA images.For the decoding phase,we have adopted a refined attention mechanism,integrating enhanced visual attention with dual layers of Long Short-Term Memory(LSTM)networks to elevate CAPTCHA recognition accuracy.Our rigorous testing across four varied datasets,including those from Weibo,BoC,Gregwar,and Captcha 0.3,demonstrates the versatility and effectiveness of our method.The results not only highlight the efficiency of our approach but also offer profound insights into its applicability across different CAPTCHA types,contributing to a deeper understanding of CAPTCHA recognition technology.展开更多
Enhancing website security is crucial to combat malicious activities,and CAPTCHA(Completely Automated Public Turing tests to tell Computers and Humans Apart)has become a key method to distinguish humans from bots.Whil...Enhancing website security is crucial to combat malicious activities,and CAPTCHA(Completely Automated Public Turing tests to tell Computers and Humans Apart)has become a key method to distinguish humans from bots.While text-based CAPTCHAs are designed to challenge machines while remaining human-readable,recent advances in deep learning have enabled models to recognize them with remarkable efficiency.In this regard,we propose a novel two-layer visual attention framework for CAPTCHA recognition that builds on traditional attention mechanisms by incorporating Guided Visual Attention(GVA),which sharpens focus on relevant visual features.We have specifically adapted the well-established image captioning task to address this need.Our approach utilizes the first-level attention module as guidance to the second-level attention component,incorporating two LSTM(Long Short-Term Memory)layers to enhance CAPTCHA recognition.Our extensive evaluation across four diverse datasets—Weibo,BoC(Bank of China),Gregwar,and Captcha 0.3—shows the adaptability and efficacy of our method.Our approach demonstrated impressive performance,achieving an accuracy of 96.70%for BoC and 95.92%for Webo.These results underscore the effectiveness of our method in accurately recognizing and processing CAPTCHA datasets,showcasing its robustness,reliability,and ability to handle varied challenges in CAPTCHA recognition.展开更多
Fileless webshell attacks against Java web applications have becomemore frequent in recent years as Java has gained market share. Webshell is amalicious script that can remotely execute commands and invade servers. It...Fileless webshell attacks against Java web applications have becomemore frequent in recent years as Java has gained market share. Webshell is amalicious script that can remotely execute commands and invade servers. Itis widely used in attacks against web applications. In contrast to traditionalfile-based webshells, fileless webshells leave no traces on the hard drive, whichmeans they are invisible to most antivirus software. To make matters worse,although there are some studies on fileless webshells, almost all of themare aimed at web applications developed in the PHP language. The complexmechanism of Java makes researchers face more challenges. To mitigate thisattack, this paper proposes JShellDetector, a fileless webshell detector forJava web applications based on program analysis. JShellDetector uses methodprobes to capture dynamic characteristics of web applications in the JavaVirtual Machine (JVM). When a suspicious class tries to call a specificsensitive method, JShellDetector catches it and converts it from the JVMto a bytecode file. Then, JShellDetector builds a Jimple-based control flowgraph and processes it using taint analysis techniques. A suspicious classis considered malicious if there is a valid path from sources to sinks. Todemonstrate the effectiveness of the proposed approach, we manually collect35 test cases (all open source on GitHub) and test JShellDetector and onlytwo other Java fileless webshell detection tools. The experimental results showthat the detection rate of JShellDetector reaches 77.1%, which is about 11%higher than the other two tools.展开更多
The fourth international conference on Web information systems and applications (WISA 2007) has received 409 submissions and has accepted 37 papers for publication in this issue. The papers cover broad research area...The fourth international conference on Web information systems and applications (WISA 2007) has received 409 submissions and has accepted 37 papers for publication in this issue. The papers cover broad research areas, including Web mining and data warehouse, Deep Web and Web integration, P2P networks, text processing and information retrieval, as well as Web Services and Web infrastructure. After briefly introducing the WISA conference, the survey outlines the current activities and future trends concerning Web information systems and applications based on the papers accepted for publication.展开更多
With the rapid development of the Internet,the types of webpages are more abundant than in previous decades.However,it becomes severe that people are facing more and more significant network security risks and enormou...With the rapid development of the Internet,the types of webpages are more abundant than in previous decades.However,it becomes severe that people are facing more and more significant network security risks and enormous losses caused by phishing webpages,which imitate the interface of real webpages and deceive the victims.To better identify and distinguish phishing webpages,a visual feature extraction method and a visual similarity algorithm are proposed.First,the visual feature extraction method improves the Visionbased Page Segmentation(VIPS)algorithm to extract the visual block and calculate its signature by perceptual hash technology.Second,the visual similarity algorithm presents a one-to-one correspondence based on the visual blocks’coordinates and thresholds.Then the weights are assigned according to the tree structure,and the similarity of the visual blocks is calculated on the basis of the measurement of the visual features’Hamming distance.Further,the visual similarity of webpages is generated by integrating the similarity and weight of different visual blocks.Finally,multiple pairs of phishing webpages and legitimate webpages are evaluated to verify the feasibility of the algorithm.The experimental results achieve excellent performance and demonstrate that our method can achieve 94%accuracy.展开更多
Logic flaws within web applications will allow malicious operations to be triggered towards back-end database. Existing approaches to identifying logic flaws of database accesses are strongly tied to structured query ...Logic flaws within web applications will allow malicious operations to be triggered towards back-end database. Existing approaches to identifying logic flaws of database accesses are strongly tied to structured query language (SQL) statement construction and cannot be applied to the new generation of web applications that use not only structured query language (NoSQL) databases as the storage tier. In this paper, we present Lom, a black-box approach for discovering many categories of logic flaws within MongoDB- based web applications. Our approach introduces a MongoDB operation model to support new features of MongoDB and models the application logic as a mealy finite state machine. During the testing phase, test inputs which emulate state violation attacks are constructed for identifying logic flaws at each application state. We apply Lom to several MongoDB-based web applications and demonstrate its effectiveness.展开更多
Existing web-based security applications have failed in many situations due to the great intelligence of attackers.Among web applications,Cross-Site Scripting(XSS)is one of the dangerous assaults experienced while mod...Existing web-based security applications have failed in many situations due to the great intelligence of attackers.Among web applications,Cross-Site Scripting(XSS)is one of the dangerous assaults experienced while modifying an organization's or user's information.To avoid these security challenges,this article proposes a novel,all-encompassing combination of machine learning(NB,SVM,k-NN)and deep learning(RNN,CNN,LSTM)frameworks for detecting and defending against XSS attacks with high accuracy and efficiency.Based on the representation,a novel idea for merging stacking ensemble with web applications,termed“hybrid stacking”,is proposed.In order to implement the aforementioned methods,four distinct datasets,each of which contains both safe and unsafe content,are considered.The hybrid detection method can adaptively identify the attacks from the URL,and the defense mechanism inherits the advantages of URL encoding with dictionary-based mapping to improve prediction accuracy,accelerate the training process,and effectively remove the unsafe JScript/JavaScript keywords from the URL.The simulation results show that the proposed hybrid model is more efficient than the existing detection methods.It produces more than 99.5%accurate XSS attack classification results(accuracy,precision,recall,f1_score,and Receiver Operating Characteristic(ROC))and is highly resistant to XSS attacks.In order to ensure the security of the server's information,the proposed hybrid approach is demonstrated in a real-time environment.展开更多
In the area of secure Web information system, mutual authentication and key agreement are essential between Web clients and servers. An efficient certificateless authenticated key agreement protocol for Web client/ser...In the area of secure Web information system, mutual authentication and key agreement are essential between Web clients and servers. An efficient certificateless authenticated key agreement protocol for Web client/server setting is proposed, which uses pairings on certain elliptic curves. We show that the newly proposed key agreement protocol is practical and of great efficiency, meanwhile, it satisfies every desired security require ments for key agreement protocols.展开更多
Since the web service is essential in daily lives,cyber security becomes more and more important in this digital world.Malicious Uniform Resource Locator(URL)is a common and serious threat to cybersecurity.It hosts un...Since the web service is essential in daily lives,cyber security becomes more and more important in this digital world.Malicious Uniform Resource Locator(URL)is a common and serious threat to cybersecurity.It hosts unsolicited content and lure unsuspecting users to become victim of scams,such as theft of private information,monetary loss,and malware installation.Thus,it is imperative to detect such threats.However,traditional approaches for malicious URLs detection that based on the blacklists are easy to be bypassed and lack the ability to detect newly generated malicious URLs.In this paper,we propose a novel malicious URL detection method based on deep learning model to protect against web attacks.Specifically,we firstly use auto-encoder to represent URLs.Then,the represented URLs will be input into a proposed composite neural network for detection.In order to evaluate the proposed system,we made extensive experiments on HTTP CSIC2010 dataset and a dataset we collected,and the experimental results show the effectiveness of the proposed approach.展开更多
E-commerce,online ticketing,online banking,and other web-based applications that handle sensitive data,such as passwords,payment information,and financial information,are widely used.Various web developers may have va...E-commerce,online ticketing,online banking,and other web-based applications that handle sensitive data,such as passwords,payment information,and financial information,are widely used.Various web developers may have varying levels of understanding when it comes to securing an online application.Structured Query language SQL injection and cross-site scripting are the two vulnerabilities defined by the OpenWeb Application Security Project(OWASP)for its 2017 Top Ten List Cross Site Scripting(XSS).An attacker can exploit these two flaws and launch malicious web-based actions as a result of these flaws.Many published articles focused on these attacks’binary classification.This article described a novel deep-learning approach for detecting SQL injection and XSS attacks.The datasets for SQL injection and XSS payloads are combined into a single dataset.The dataset is labeledmanually into three labels,each representing a kind of attack.This work implements some pre-processing algorithms,including Porter stemming,one-hot encoding,and the word-embedding method to convert a word’s text into a vector.Our model used bidirectional long short-term memory(BiLSTM)to extract features automatically,train,and test the payload dataset.The payloads were classified into three types by BiLSTM:XSS,SQL injection attacks,and normal.The outcomes demonstrated excellent performance in classifying payloads into XSS attacks,injection attacks,and non-malicious payloads.BiLSTM’s high performance was demonstrated by its accuracy of 99.26%.展开更多
Detecting malicious Uniform Resource Locators(URLs)is crucially important to prevent attackers from committing cybercrimes.Recent researches have investigated the role of machine learning(ML)models to detect malicious...Detecting malicious Uniform Resource Locators(URLs)is crucially important to prevent attackers from committing cybercrimes.Recent researches have investigated the role of machine learning(ML)models to detect malicious URLs.By using ML algorithms,rst,the features of URLs are extracted,and then different ML models are trained.The limitation of this approach is that it requires manual feature engineering and it does not consider the sequential patterns in the URL.Therefore,deep learning(DL)models are used to solve these issues since they are able to perform featureless detection.Furthermore,DL models give better accuracy and generalization to newly designed URLs;however,the results of our study show that these models,such as any other DL models,can be susceptible to adversarial attacks.In this paper,we examine the robustness of these models and demonstrate the importance of considering this susceptibility before applying such detection systems in real-world solutions.We propose and demonstrate a black-box attack based on scoring functions with greedy search for the minimum number of perturbations leading to a misclassication.The attack is examined against different types of convolutional neural networks(CNN)-based URL classiers and it causes a tangible decrease in the accuracy with more than 56%reduction in the accuracy of the best classier(among the selected classiers for this work).Moreover,adversarial training shows promising results in reducing the inuence of the attack on the robustness of the model to less than 7%on average.展开更多
文摘Considering the escalating frequency and sophistication of cyber threats targeting web applications, this paper proposes the development of an automated web security analysis tool to address the accessibility gap for non-security professionals. This paper presents the design and implementation of an automated web security analysis tool, AWSAT, aimed at enabling individuals with limited security expertise to effectively assess and mitigate vulnerabilities in web applications. Leveraging advanced scanning techniques, the tool identifies common threats such as Cross-Site Scripting (XSS), SQL Injection, and Cross-Site Request Forgery (CSRF), providing detailed reports with actionable insights. By integrating sample payloads and reference study links, the tool facilitates informed decision-making in enhancing the security posture of web applications. Through its user-friendly interface and robust functionality, the tool aims to democratize web security practices, empowering a wider audience to proactively safeguard against cyber threats.
基金Supported by the Foundation of National 863 Programme of China (No. 2002AA142040)
文摘The threshold cryptography provides a new approach to building intrusion tolerance applications. In this paper, a threshold decryption scheme based elliptic curve cryptography is presented. A zero-knowledge test approach based on elliptic curve cryptography is designed. The application of these techniques in Web security is studied. Performance analysis shows that our scheme is characterized by excellent security as well as high efficiency.
文摘In today’s rapidly evolving digital landscape,web application security has become paramount as organizations face increasingly sophisticated cyber threats.This work presents a comprehensive methodology for implementing robust security measures in modern web applications and the proof of the Methodology applied to Vue.js,Spring Boot,and MySQL architecture.The proposed approach addresses critical security challenges through a multi-layered framework that encompasses essential security dimensions including multi-factor authentication,fine-grained authorization controls,sophisticated session management,data confidentiality and integrity protection,secure logging mechanisms,comprehensive error handling,high availability strategies,advanced input validation,and security headers implementation.Significant contributions are made to the field of web application security.First,a detailed catalogue of security requirements specifically tailored to protect web applications against contemporary threats,backed by rigorous analysis and industry best practices.Second,the methodology is validated through a carefully designed proof-of-concept implementation in a controlled environment,demonstrating the practical effectiveness of the security measures.The validation process employs cutting-edge static and dynamic analysis tools for comprehensive dependency validation and vulnerability detection,ensuring robust security coverage.The validation results confirm the prevention and avoidance of security vulnerabilities of the methodology.A key innovation of this work is the seamless integration of DevSecOps practices throughout the secure Software Development Life Cycle(SSDLC),creating a security-first mindset from initial design to deployment.By combining proactive secure coding practices with defensive security approaches,a framework is established that not only strengthens application security but also fosters a culture of security awareness within development teams.This hybrid approach ensures that security considerations are woven into every aspect of the development process,rather than being treated as an afterthought.
文摘Software-related security aspects are a growing and legitimate concern,especially with 5G data available just at our palms.To conduct research in this field,periodic comparative analysis is needed with the new techniques coming up rapidly.The purpose of this study is to review the recent developments in the field of security integration in the software development lifecycle(SDLC)by analyzing the articles published in the last two decades and to propose a way forward.This review follows Kitchenham’s review protocol.The review has been divided into three main stages including planning,execution,and analysis.From the selected 100 articles,it becomes evident that need of a collaborative approach is necessary for addressing critical software security risks(CSSRs)through effective risk management/estimation techniques.Quantifying risks using a numeric scale enables a comprehensive understanding of their severity,facilitating focused resource allocation and mitigation efforts.Through a comprehensive understanding of potential vulnerabilities and proactive mitigation efforts facilitated by protection poker,organizations can prioritize resources effectively to ensure the successful outcome of projects and initiatives in today’s dynamic threat landscape.The review reveals that threat analysis and security testing are needed to develop automated tools for the future.Accurate estimation of effort required to prioritize potential security risks is a big challenge in software security.The accuracy of effort estimation can be further improved by exploring new techniques,particularly those involving deep learning.It is also imperative to validate these effort estimation methods to ensure all potential security threats are addressed.Another challenge is selecting the right model for each specific security threat.To achieve a comprehensive evaluation,researchers should use well-known benchmark checklists.
基金supported by the project of the State Key Program of National Natural Science Foundation of China (No. 90818021)supported by a grant from the national high technology research and development program of China (863program) (No.2012AA012903)
文摘In order to protect the website and assess the security risk of website, a novel website security risk assessment method is proposed based on the improved Bayesian attack graph(I-BAG) model. First, the Improved Bayesian attack graph model is established, which takes attack benefits and threat factors into consideration. Compared with the existing attack graph models, it can better describe the website's security risk. Then, the improved Bayesian attack graph is constructed with optimized website attack graph, attack benefit nodes, threat factor nodes and the local conditional probability distribution of each node, which is calculated accordingly. Finally, website's attack probability and risk value are calculated on the level of nodes, hosts and the whole website separately. The experimental results demonstrate that the risk evaluating method based on I-BAG model proposed is a effective way for assessing the website security risk.
文摘The backdoor or information leak of Web servers can be detected by using Web Mining techniques on some abnormal Web log and Web application log data. The security of Web servers can be enhanced and the damage of illegal access can be avoided. Firstly, the system for discovering the patterns of information leakages in CGI scripts from Web log data was proposed. Secondly, those patterns for system administrators to modify their codes and enhance their Web site security were provided. The following aspects were described: one is to combine web application log with web log to extract more information,so web data mining could be used to mine web log for discovering the information that firewall and Information Detection System cannot find. Another approach is to propose an operation module of web site to enhance Web site security. In cluster server session, Density -Based Clustering technique is used to reduce resource cost and obtain better efficiency.
文摘Along with the development of Internet, Web Services technology is a new branch of Web application program, and it has become a hotspot in computer science. However, it has not made great progress in research on Web Services security. Traditional security solutions cannot satisfy the Web Services security require of selective protection, end-to-end security and application layer security. Web Services technology needs a solution integrated in Web Services framework to realize end-to-end security. Based on cryptography and Web Services technology and according to W3C, XML encryption specification, XML digital Signature specification and WS-Security, which proposed by IBM and Microsoft, a new Web services security model based on message layer is put forward in this paper. The message layer is composed of message handlers. It is inserted into the message processing sequence and provides transparent security services for Web Services. To verify the model, a Web Services security system is realized on, net platform. The implementation version of the model can provide various security services, and has advantages such as security, scalability, security controllability and end-to-end security in message level. Key words Web services - Web services security - message layer CLC number TP 393.08 Biography: WANG Cui-ru (1954-), female, Professor, research direction: database and information management system.
文摘This paper investigates whether security headers are enforced to mitigate cyber-attacks in web-based systems in cyberspace. The security headers examined include X-Content-Type-Options, X-Frame-Options, Strict-Transport-Security, Referrer-Policy, Content-Security-Policy, and Permissions-Policy. The study employed a controlled experiment using a security header analysis tool. The web-based applications (websites) were analyzed to determine whether security headers have been correctly implemented. The experiment was iterated for 100 universities in Africa which are ranked high. The purposive sampling technique was employed to understand the status quo of the security headers implementations. The results revealed that 70% of the web-based applications in Africa have not enforced security headers in web-based applications. The study proposes a secure system architecture design for addressing web-based applications’ misconfiguration and insecure design. It presents security techniques for securing web-based applications through hardening security headers using automated threat modelling techniques. Furthermore, it recommends adopting the security headers in web-based applications using the proposed secure system architecture design.
文摘A URL(Uniform Resource Locator)is used to locate a digital resource.With this URL,an attacker can perform a variety of attacks,which can lead to serious consequences for both individuals and organizations.Therefore,attackers create malicious URLs to gain access to an organization’s systems or sensitive information.It is crucial to secure individuals and organizations against these malicious URLs.A combination of machine learning and deep learning was used to predict malicious URLs.This research contributes significantly to the field of cybersecurity by proposing a model that seamlessly integrates the accuracy of machine learning with the swiftness of deep learning.The strategic fusion of Random Forest(RF) and Multilayer Perceptron(MLP)with an accuracy of 81% represents a noteworthy advancement,offering a balanced solution for robust cybersecurity.This study found that by combining RF and MLP,an efficient model was developed with an accuracy of 81%and a training time of 33.78 s.
基金supported by the National Natural Science Foundation of China(Nos.U22A2034,62177047)High Caliber Foreign Experts Introduction Plan funded by MOST,and Central South University Research Programme of Advanced Interdisciplinary Studies(No.2023QYJC020).
文摘Improving website security to prevent malicious online activities is crucial,and CAPTCHA(Completely Automated Public Turing test to tell Computers and Humans Apart)has emerged as a key strategy for distinguishing human users from automated bots.Text-based CAPTCHAs,designed to be easily decipherable by humans yet challenging for machines,are a common form of this verification.However,advancements in deep learning have facilitated the creation of models adept at recognizing these text-based CAPTCHAs with surprising efficiency.In our comprehensive investigation into CAPTCHA recognition,we have tailored the renowned UpDown image captioning model specifically for this purpose.Our approach innovatively combines an encoder to extract both global and local features,significantly boosting the model’s capability to identify complex details within CAPTCHA images.For the decoding phase,we have adopted a refined attention mechanism,integrating enhanced visual attention with dual layers of Long Short-Term Memory(LSTM)networks to elevate CAPTCHA recognition accuracy.Our rigorous testing across four varied datasets,including those from Weibo,BoC,Gregwar,and Captcha 0.3,demonstrates the versatility and effectiveness of our method.The results not only highlight the efficiency of our approach but also offer profound insights into its applicability across different CAPTCHA types,contributing to a deeper understanding of CAPTCHA recognition technology.
基金supported by the National Natural Science Foundation of China(Nos.U22A2034,62177047)High Caliber Foreign Experts Introduction Plan funded by MOST,and Central South University Research Programme of Advanced Interdisciplinary Studies(No.2023QYJC020).
文摘Enhancing website security is crucial to combat malicious activities,and CAPTCHA(Completely Automated Public Turing tests to tell Computers and Humans Apart)has become a key method to distinguish humans from bots.While text-based CAPTCHAs are designed to challenge machines while remaining human-readable,recent advances in deep learning have enabled models to recognize them with remarkable efficiency.In this regard,we propose a novel two-layer visual attention framework for CAPTCHA recognition that builds on traditional attention mechanisms by incorporating Guided Visual Attention(GVA),which sharpens focus on relevant visual features.We have specifically adapted the well-established image captioning task to address this need.Our approach utilizes the first-level attention module as guidance to the second-level attention component,incorporating two LSTM(Long Short-Term Memory)layers to enhance CAPTCHA recognition.Our extensive evaluation across four diverse datasets—Weibo,BoC(Bank of China),Gregwar,and Captcha 0.3—shows the adaptability and efficacy of our method.Our approach demonstrated impressive performance,achieving an accuracy of 96.70%for BoC and 95.92%for Webo.These results underscore the effectiveness of our method in accurately recognizing and processing CAPTCHA datasets,showcasing its robustness,reliability,and ability to handle varied challenges in CAPTCHA recognition.
基金supported by the National Natural Science Foundation of China under Grant Number 62001055.
文摘Fileless webshell attacks against Java web applications have becomemore frequent in recent years as Java has gained market share. Webshell is amalicious script that can remotely execute commands and invade servers. Itis widely used in attacks against web applications. In contrast to traditionalfile-based webshells, fileless webshells leave no traces on the hard drive, whichmeans they are invisible to most antivirus software. To make matters worse,although there are some studies on fileless webshells, almost all of themare aimed at web applications developed in the PHP language. The complexmechanism of Java makes researchers face more challenges. To mitigate thisattack, this paper proposes JShellDetector, a fileless webshell detector forJava web applications based on program analysis. JShellDetector uses methodprobes to capture dynamic characteristics of web applications in the JavaVirtual Machine (JVM). When a suspicious class tries to call a specificsensitive method, JShellDetector catches it and converts it from the JVMto a bytecode file. Then, JShellDetector builds a Jimple-based control flowgraph and processes it using taint analysis techniques. A suspicious classis considered malicious if there is a valid path from sources to sinks. Todemonstrate the effectiveness of the proposed approach, we manually collect35 test cases (all open source on GitHub) and test JShellDetector and onlytwo other Java fileless webshell detection tools. The experimental results showthat the detection rate of JShellDetector reaches 77.1%, which is about 11%higher than the other two tools.
文摘The fourth international conference on Web information systems and applications (WISA 2007) has received 409 submissions and has accepted 37 papers for publication in this issue. The papers cover broad research areas, including Web mining and data warehouse, Deep Web and Web integration, P2P networks, text processing and information retrieval, as well as Web Services and Web infrastructure. After briefly introducing the WISA conference, the survey outlines the current activities and future trends concerning Web information systems and applications based on the papers accepted for publication.
基金This work is supported by the National Key R&D Program of China(2016QY05X1000)the National Natural Science Foundation of China(201561402137).
文摘With the rapid development of the Internet,the types of webpages are more abundant than in previous decades.However,it becomes severe that people are facing more and more significant network security risks and enormous losses caused by phishing webpages,which imitate the interface of real webpages and deceive the victims.To better identify and distinguish phishing webpages,a visual feature extraction method and a visual similarity algorithm are proposed.First,the visual feature extraction method improves the Visionbased Page Segmentation(VIPS)algorithm to extract the visual block and calculate its signature by perceptual hash technology.Second,the visual similarity algorithm presents a one-to-one correspondence based on the visual blocks’coordinates and thresholds.Then the weights are assigned according to the tree structure,and the similarity of the visual blocks is calculated on the basis of the measurement of the visual features’Hamming distance.Further,the visual similarity of webpages is generated by integrating the similarity and weight of different visual blocks.Finally,multiple pairs of phishing webpages and legitimate webpages are evaluated to verify the feasibility of the algorithm.The experimental results achieve excellent performance and demonstrate that our method can achieve 94%accuracy.
基金supported by China Scholarship Council,Tianjin Science and Technology Committee(No.12JCZDJC20800)Science and Technology Planning Project of Tianjin(No.13ZCZDGX01098)+2 种基金NSF TRUST(The Team for Research in Ubiquitous Secure Technology)Science and Technology Center(No.CCF-0424422)National High Technology Research and Development Program of Chia(863Program)(No.2013BAH01B05)National Natural Science Foundation of China(No.61402264)
文摘Logic flaws within web applications will allow malicious operations to be triggered towards back-end database. Existing approaches to identifying logic flaws of database accesses are strongly tied to structured query language (SQL) statement construction and cannot be applied to the new generation of web applications that use not only structured query language (NoSQL) databases as the storage tier. In this paper, we present Lom, a black-box approach for discovering many categories of logic flaws within MongoDB- based web applications. Our approach introduces a MongoDB operation model to support new features of MongoDB and models the application logic as a mealy finite state machine. During the testing phase, test inputs which emulate state violation attacks are constructed for identifying logic flaws at each application state. We apply Lom to several MongoDB-based web applications and demonstrate its effectiveness.
基金supported by the National Research Foundation of Korea(NRF)grant funded by the Korea government(MEST)No.2015R1A3A2031159,2016R1A5A1008055.
文摘Existing web-based security applications have failed in many situations due to the great intelligence of attackers.Among web applications,Cross-Site Scripting(XSS)is one of the dangerous assaults experienced while modifying an organization's or user's information.To avoid these security challenges,this article proposes a novel,all-encompassing combination of machine learning(NB,SVM,k-NN)and deep learning(RNN,CNN,LSTM)frameworks for detecting and defending against XSS attacks with high accuracy and efficiency.Based on the representation,a novel idea for merging stacking ensemble with web applications,termed“hybrid stacking”,is proposed.In order to implement the aforementioned methods,four distinct datasets,each of which contains both safe and unsafe content,are considered.The hybrid detection method can adaptively identify the attacks from the URL,and the defense mechanism inherits the advantages of URL encoding with dictionary-based mapping to improve prediction accuracy,accelerate the training process,and effectively remove the unsafe JScript/JavaScript keywords from the URL.The simulation results show that the proposed hybrid model is more efficient than the existing detection methods.It produces more than 99.5%accurate XSS attack classification results(accuracy,precision,recall,f1_score,and Receiver Operating Characteristic(ROC))and is highly resistant to XSS attacks.In order to ensure the security of the server's information,the proposed hybrid approach is demonstrated in a real-time environment.
基金Supported bythe National Natural Science Foundationof China (60225007 ,60572155) the Science and Technology ResearchProject of Shanghai (04DZ07067)
文摘In the area of secure Web information system, mutual authentication and key agreement are essential between Web clients and servers. An efficient certificateless authenticated key agreement protocol for Web client/server setting is proposed, which uses pairings on certain elliptic curves. We show that the newly proposed key agreement protocol is practical and of great efficiency, meanwhile, it satisfies every desired security require ments for key agreement protocols.
基金This work is supported in part by the National Natural Science Foundation of China(61871140,61872100,61572153,U1636215,61572492,61672020)the National Key research and Development Plan(Grant No.2018YFB0803504)Open Fund of Beijing Key Laboratory of IOT Information Security Technology(J6V0011104).
文摘Since the web service is essential in daily lives,cyber security becomes more and more important in this digital world.Malicious Uniform Resource Locator(URL)is a common and serious threat to cybersecurity.It hosts unsolicited content and lure unsuspecting users to become victim of scams,such as theft of private information,monetary loss,and malware installation.Thus,it is imperative to detect such threats.However,traditional approaches for malicious URLs detection that based on the blacklists are easy to be bypassed and lack the ability to detect newly generated malicious URLs.In this paper,we propose a novel malicious URL detection method based on deep learning model to protect against web attacks.Specifically,we firstly use auto-encoder to represent URLs.Then,the represented URLs will be input into a proposed composite neural network for detection.In order to evaluate the proposed system,we made extensive experiments on HTTP CSIC2010 dataset and a dataset we collected,and the experimental results show the effectiveness of the proposed approach.
基金funded byResearchers Supporting Project Number(RSP2023R476)King Saud University,Riyadh,Saudi Arabia。
文摘E-commerce,online ticketing,online banking,and other web-based applications that handle sensitive data,such as passwords,payment information,and financial information,are widely used.Various web developers may have varying levels of understanding when it comes to securing an online application.Structured Query language SQL injection and cross-site scripting are the two vulnerabilities defined by the OpenWeb Application Security Project(OWASP)for its 2017 Top Ten List Cross Site Scripting(XSS).An attacker can exploit these two flaws and launch malicious web-based actions as a result of these flaws.Many published articles focused on these attacks’binary classification.This article described a novel deep-learning approach for detecting SQL injection and XSS attacks.The datasets for SQL injection and XSS payloads are combined into a single dataset.The dataset is labeledmanually into three labels,each representing a kind of attack.This work implements some pre-processing algorithms,including Porter stemming,one-hot encoding,and the word-embedding method to convert a word’s text into a vector.Our model used bidirectional long short-term memory(BiLSTM)to extract features automatically,train,and test the payload dataset.The payloads were classified into three types by BiLSTM:XSS,SQL injection attacks,and normal.The outcomes demonstrated excellent performance in classifying payloads into XSS attacks,injection attacks,and non-malicious payloads.BiLSTM’s high performance was demonstrated by its accuracy of 99.26%.
基金supported by Korea Electric Power Corporation(Grant Number:R18XA02).
文摘Detecting malicious Uniform Resource Locators(URLs)is crucially important to prevent attackers from committing cybercrimes.Recent researches have investigated the role of machine learning(ML)models to detect malicious URLs.By using ML algorithms,rst,the features of URLs are extracted,and then different ML models are trained.The limitation of this approach is that it requires manual feature engineering and it does not consider the sequential patterns in the URL.Therefore,deep learning(DL)models are used to solve these issues since they are able to perform featureless detection.Furthermore,DL models give better accuracy and generalization to newly designed URLs;however,the results of our study show that these models,such as any other DL models,can be susceptible to adversarial attacks.In this paper,we examine the robustness of these models and demonstrate the importance of considering this susceptibility before applying such detection systems in real-world solutions.We propose and demonstrate a black-box attack based on scoring functions with greedy search for the minimum number of perturbations leading to a misclassication.The attack is examined against different types of convolutional neural networks(CNN)-based URL classiers and it causes a tangible decrease in the accuracy with more than 56%reduction in the accuracy of the best classier(among the selected classiers for this work).Moreover,adversarial training shows promising results in reducing the inuence of the attack on the robustness of the model to less than 7%on average.
