Shielding against Web Application Attacks - Detection Techniques and Classification

The field of IoT web applications is facing a range of security risks and system attacks due to the increasing complexity and size of home automation datasets. One of the primary concerns is the identification of Distributed Denial of Service (DDoS) attacks in home automation systems. Attackers can easily access various IoT web application assets by entering a home automation dataset or clicking a link, making them vulnerable to different types of web attacks. To address these challenges, the cloud has introduced the Edge of Things paradigm, which uses multiple concurrent deep models to enhance system stability and enable easy data revelation updates. Therefore, identifying malicious attacks is crucial for improving the reliability and security of IoT web applications. This paper uses a Machine Learning algorithm that can accurately identify web attacks using unique keywords. Smart home devices are classified into four classes based on their traffic predictability levels, and a neural system recognition model is proposed to classify these attacks with a high degree of accuracy, outperforming other classification models. The application of deep learning in identifying and classifying attacks has significant theoretical and scientific value for web security investigations. It also provides innovative ideas for intelligent security detection by classifying web visitors, making it possible to identify and prevent potential security threats

Secure Data Transmission in BPEL (Business Process Execution Language)

In the world of computation, the encryption is a technique by which the plaintext or any type of data which is converted from the readable form is transformed into an encoded form. That encoded form can only be read by another entity if they have corrected key for decryption. The proposed technique providing the security to the data in inefficient way that can be further use in implementation in new upcoming task and enhancement in current running projects of SOA (Service Oriented Architecture) BPEL (Business Process Execution Language)

Automated Model-based Attack Tree Analysis using HiP-HOPS

As Cyber-Physical Systems (CPS) grow increasingly complex and interact with external CPS, system security remains a nontrivial challenge that continues to scale accordingly, with potentially devastating consequences if left unchecked. While there is a significant body of work on system security found in industry practice, manual diagnosis of security vulnerabilities is still widely applied. Such approaches are typically resource-intensive, scale poorly and introduce additional risk due to human error. In this paper, a model-based approach for Security Attack Tree analysis using the HiP-HOPS dependability analysis tool is presented. The approach is demonstrated within the context of a simple web-based medical application to automatically generate attack trees, encapsulated as Digital Dependability Identities (DDIs), for offline security analysis. The paper goes on to present how the produced DDIs can be used to approach security maintenance, identifying security capabilities and controls to counter diagnosed vulnerabilities

A Study on Formal Verification for JavaScript Software

Information security is still a major problem for users of websites and hybrid mobile applications. While many apps and websites come with terms of service agreements between the developer and end user, there is no rigorous mechanism in place to ensure that these agreements are being followed. Formal methods can offer greater confidence that these policies are being followed, but there is currently no widely adopted tool that makes formal methods available for average consumers. After studying the current state-of-the-art in JavaScript policy enforcement and verification, this research proposes several new techniques for applying model checking to JavaScript that strikes a balance of low runtime overhead and fine-grained policy enforcement that other techniques do not achieve

Sub-session hijacking on the web: Root causes and prevention

Since cookies act as the only proof of a user identity, web sessions are particularly vulnerable to session hijacking attacks, where the browser run by a given user sends requests associated to the identity of another user. When n > 1 cookies are used to implement a session, there might actually be n sub-sessions running at the same website, where each cookie is used to retrieve part of the state information related to the session. Sub-session hijacking breaks the ideal view of the existence of a unique user session by selectively hijacking m sub-sessions, with m < n. This may reduce the security of the session to the security of its weakest sub-session. In this paper, we take a systematic look at the root causes of sub-session hijacking attacks and we introduce sub-session linking as a possible defense mechanism. Out of two flavors of sub-session linking desirable for security, which we call intra-scope and inter-scope sub-session linking respectively, only the former is relatively smooth to implement. Luckily, we also identify programming practices to void the need for inter-scope sub-session linking. We finally present Warden, a server-side proxy which automatically enforces intra-scope sub-session linking on incoming HTTP(S) requests, and we evaluate it in terms of protection, performances, backward compatibility and ease of deployment

CookiExt: Patching the browser against session hijacking attacks

Session cookies constitute one of the main attack targets against client authentication on the Web. To counter these attacks, modern web browsers implement native cookie protection mechanisms based on the HttpOnly and Secure flags. While there is a general understanding about the effectiveness of these defenses, no formal result has so far been proved about the security guarantees they convey. With the present paper we provide the first such result, by presenting a mechanized proof of noninterference assessing the robustness of the HttpOnly and Secure cookie flags against both web and network attackers with the ability to perform arbitrary XSS code injection. We then develop CookiExt, a browser extension that provides client-side protection against session hijacking, based on appropriate flagging of session cookies and automatic redirection over HTTPS for HTTP requests carrying these cookies. Our solution improves over existing client-side defenses by combining protection against both web and network attacks, while at the same time being designed so as to minimise its effects on the user's browsing experience. Finally, we report on the experiments we carried out to practically evaluate the effectiveness of our approach

Mobile Network Infrastructure Security in Developing Countries – A Kenya Case Study

The usage of mobile network infrastructure to access internet resources for organizations is getting higher year by year in sub-Saharan Africa. However, there was an increase in malicious attacks on mobile networks and devices accessing mobile network infrastructure, targeting organizations’ private information. Grounded in Bandura’s social cognitive theory, the purpose of this multiple case study was to explore strategies security managers used to secure mobile network infrastructures from cyberattacks. Participants comprised four security managers in Kenya in two major cities who successfully implemented strategies to mitigate cyberattacks on the mobile network infrastructures. Data were gathered from video conference, face-to-face, semi-structured interviews, and review of organizations’ documents comprised of policies and procedures, internal reports, and training procedures. Thematic analysis was used to unveil four themes: security awareness and training, infrastructure management, defense-in-depth, and security governance framework. A key recommendation would be for security managers to craft employee security training and awareness to protect the organizations’ data assets. The implications for positive social change include the potential for security managers to mitigate data breaches and protect sensitive customer data from being exposed

Formal methods for web security

In the last few years, many security researchers proposed to endow the web platform with more rigorous foundations, thus allowing for a precise reasoning on web security issues. Given the complexity of the Web, however, research efforts in the area are scattered around many different topics and problems, and it is not easy to understand the import of formal methods on web security so far. In this survey we collect, classify and review existing proposals in the area of formal methods for web security, spanning many different topics: JavaScript security, browser security, web application security, and web protocol analysis. Based on the existing literature, we discuss recommendations for researchers working in the area to ensure their proposals have the right ingredients to be amenable for a large scale adoption