4,454 research outputs found
Preventing SQL Injection through Automatic Query Sanitization with ASSIST
Web applications are becoming an essential part of our everyday lives. Many
of our activities are dependent on the functionality and security of these
applications. As the scale of these applications grows, injection
vulnerabilities such as SQL injection are major security challenges for
developers today. This paper presents the technique of automatic query
sanitization to automatically remove SQL injection vulnerabilities in code. In
our technique, a combination of static analysis and program transformation are
used to automatically instrument web applications with sanitization code. We
have implemented this technique in a tool named ASSIST (Automatic and Static
SQL Injection Sanitization Tool) for protecting Java-based web applications.
Our experimental evaluation showed that our technique is effective against SQL
injection vulnerabilities and has a low overhead.Comment: In Proceedings TAV-WEB 2010, arXiv:1009.330
Mockingbird: Defending Against Deep-Learning-Based Website Fingerprinting Attacks with Adversarial Traces
Website Fingerprinting (WF) is a type of traffic analysis attack that enables
a local passive eavesdropper to infer the victim's activity, even when the
traffic is protected by a VPN or an anonymity system like Tor. Leveraging a
deep-learning classifier, a WF attacker can gain over 98% accuracy on Tor
traffic. In this paper, we explore a novel defense, Mockingbird, based on the
idea of adversarial examples that have been shown to undermine machine-learning
classifiers in other domains. Since the attacker gets to design and train his
attack classifier based on the defense, we first demonstrate that at a
straightforward technique for generating adversarial-example based traces fails
to protect against an attacker using adversarial training for robust
classification. We then propose Mockingbird, a technique for generating traces
that resists adversarial training by moving randomly in the space of viable
traces and not following more predictable gradients. The technique drops the
accuracy of the state-of-the-art attack hardened with adversarial training from
98% to 42-58% while incurring only 58% bandwidth overhead. The attack accuracy
is generally lower than state-of-the-art defenses, and much lower when
considering Top-2 accuracy, while incurring lower bandwidth overheads.Comment: 18 pages, 13 figures and 8 Tables. Accepted in IEEE Transactions on
Information Forensics and Security (TIFS
Implementation of Customized UTP Algorithm for Attack Detection in Multitier Web Applications
Internet services and application have gained lots of importance in our daily life such as banking, travel and social networking. Personal information from any of the remote location can be communicated and managed with the help of Internet. Due to their omnipresent use for daily task, web applications have been target for attack. To deal with increasing demand and data complexity web services and applications have moved to a multitiered design. The idea is to detect attacks in multitier architecture to model the network behavior of user sessions across both the front-end web server and the back-end database. The attacks like SQL injection, cross site scripting attack, privilege escalation attack and direct DB attack can be monitored with both the web and subsequent database requestusing customized UTP algorithm, which an independent system cannot do
White-box implementation to advantage DRM
Digital Rights Management (DRM) is a popular approach for secure content distribution. Typically, DRM encrypts the content before delivers it. Most DRM applications use secure algorithms to protect content. However, executing these algorithms in an insecure environment may allow adversaries to compromise the system and obtain the key. To withstand such attack, algorithm implementation is modified in such a way to make the implementation unintelligible, namely obfuscation approach. White-box cryptography (WBC) is an obfuscation technique intended to protect secret keys from being disclosed in a software implementation using a fully transparent methodology. This mechanism is appropriate for DRM applications and able to enhance security for the content provider. However, DRM is required to provide a balanced protection for the content provider and users. We construct a protocol on implementing WBC to improve DRM system. The system does not only provide security for the content provider but also preserves privacy for users
Time Protection: the Missing OS Abstraction
Timing channels enable data leakage that threatens the security of computer
systems, from cloud platforms to smartphones and browsers executing untrusted
third-party code. Preventing unauthorised information flow is a core duty of
the operating system, however, present OSes are unable to prevent timing
channels. We argue that OSes must provide time protection in addition to the
established memory protection. We examine the requirements of time protection,
present a design and its implementation in the seL4 microkernel, and evaluate
its efficacy as well as performance overhead on Arm and x86 processors
An Automated Social Graph De-anonymization Technique
We present a generic and automated approach to re-identifying nodes in
anonymized social networks which enables novel anonymization techniques to be
quickly evaluated. It uses machine learning (decision forests) to matching
pairs of nodes in disparate anonymized sub-graphs. The technique uncovers
artefacts and invariants of any black-box anonymization scheme from a small set
of examples. Despite a high degree of automation, classification succeeds with
significant true positive rates even when small false positive rates are
sought. Our evaluation uses publicly available real world datasets to study the
performance of our approach against real-world anonymization strategies, namely
the schemes used to protect datasets of The Data for Development (D4D)
Challenge. We show that the technique is effective even when only small numbers
of samples are used for training. Further, since it detects weaknesses in the
black-box anonymization scheme it can re-identify nodes in one social network
when trained on another.Comment: 12 page
- …