44,479 research outputs found
A Robust Mechanism for Defending Distributed Denial OF Service Attacks on Web Servers
Distributed Denial of Service (DDoS) attacks have emerged as a popular means
of causing mass targeted service disruptions, often for extended periods of
time. The relative ease and low costs of launching such attacks, supplemented
by the current inadequate sate of any viable defense mechanism, have made them
one of the top threats to the Internet community today. Since the increasing
popularity of web-based applications has led to several critical services being
provided over the Internet, it is imperative to monitor the network traffic so
as to prevent malicious attackers from depleting the resources of the network
and denying services to legitimate users. This paper first presents a brief
discussion on some of the important types of DDoS attacks that currently exist
and some existing mechanisms to combat these attacks. It then points out the
major drawbacks of the currently existing defense mechanisms and proposes a new
mechanism for protecting a web-server against a DDoS attack. In the proposed
mechanism, incoming traffic to the server is continuously monitored and any
abnormal rise in the inbound traffic is immediately detected. The detection
algorithm is based on a statistical analysis of the inbound traffic on the
server and a robust hypothesis testing framework. Simulations carried out on
the proposed mechanism have produced results that demonstrate effectiveness of
the proposed defense mechanism against DDoS attacks.Comment: 18 pages, 3 figures, 5 table
A Novel Mechanism for Detection of Distributed Denial of Service Attacks
The increasing popularity of web-based applications has led to several
critical services being provided over the Internet. This has made it imperative
to monitor the network traffic so as to prevent malicious attackers from
depleting the resources of the network and denying services to legitimate
users. This paper has presented a mechanism for protecting a web-server against
a distributed denial of service (DDoS) attack. Incoming traffic to the server
is continuously monitored and any abnormal rise in the inbound traffic is
immediately detected. The detection algorithm is based on a statistical
analysis of the inbound traffic on the server and a robust hypothesis testing
framework. While the detection process is on, the sessions from the legitimate
sources are not disrupted and the load on the server is restored to the normal
level by blocking the traffic from the attacking sources. To cater to different
scenarios, the detection algorithm has various modules with varying level of
computational and memory overheads for their execution. While the approximate
modules are fast in detection and involve less overhead, they have lower
detection accuracy. The accurate modules involve complex detection logic and
hence involve more overhead for their execution, but they have very high
detection accuracy. Simulations carried out on the proposed mechanism have
produced results that demonstrate effectiveness of the scheme.Comment: 11 pages, 5 tables. In Proceedings of the First International
Conference on Computer Science and Information Technology (CCSIT 2011).
Springer CCIS Series Vol 133, Advanced Computing, Part 3, pp. 247-257,
Bangalore, 2011, Indi
Body language, security and e-commerce
Security is becoming an increasingly more important concern both at the desktop level and at the network level. This article discusses several approaches to authenticating individuals through the use of biometric devices. While libraries might not implement such devices, they may appear in the near future of desktop computing, particularly for access to institutional computers or for access to sensitive information. Other approaches to computer security focus on protecting the contents of electronic transmissions and verification of individual users. After a brief overview of encryption technologies, the article examines public-key cryptography which is getting a lot of attention in the business world in what is called public key infrastructure. It also examines other efforts, such as IBM’s Cryptolope, the Secure Sockets Layer of Web browsers, and Digital Certificates and Signatures. Secure electronic transmissions are an important condition for conducting business on the Net. These business transactions are not limited to purchase orders, invoices, and contracts. This could become an important tool for information vendors and publishers to control access to the electronic resources they license. As license negotiators and contract administrators, librarians need to be aware of what is happening in these new technologies and the impact that will have on their operations
Keys in the Clouds: Auditable Multi-device Access to Cryptographic Credentials
Personal cryptographic keys are the foundation of many secure services, but
storing these keys securely is a challenge, especially if they are used from
multiple devices. Storing keys in a centralized location, like an
Internet-accessible server, raises serious security concerns (e.g. server
compromise). Hardware-based Trusted Execution Environments (TEEs) are a
well-known solution for protecting sensitive data in untrusted environments,
and are now becoming available on commodity server platforms.
Although the idea of protecting keys using a server-side TEE is
straight-forward, in this paper we validate this approach and show that it
enables new desirable functionality. We describe the design, implementation,
and evaluation of a TEE-based Cloud Key Store (CKS), an online service for
securely generating, storing, and using personal cryptographic keys. Using
remote attestation, users receive strong assurance about the behaviour of the
CKS, and can authenticate themselves using passwords while avoiding typical
risks of password-based authentication like password theft or phishing. In
addition, this design allows users to i) define policy-based access controls
for keys; ii) delegate keys to other CKS users for a specified time and/or a
limited number of uses; and iii) audit all key usages via a secure audit log.
We have implemented a proof of concept CKS using Intel SGX and integrated this
into GnuPG on Linux and OpenKeychain on Android. Our CKS implementation
performs approximately 6,000 signature operations per second on a single
desktop PC. The latency is in the same order of magnitude as using
locally-stored keys, and 20x faster than smart cards.Comment: Extended version of a paper to appear in the 3rd Workshop on
Security, Privacy, and Identity Management in the Cloud (SECPID) 201
Protecting web services with service oriented traceback architecture
Service oriented architecture (SOA) is a way of reorganizing software infrastructure into a set of service abstracts. In the area of applying SOA to Web service security, there have been some well defined security dimensions. However, current Web security systems, like WS-Security are not efficient enough to handle distributed denial of service (DDoS) attacks. Our new approach, service oriented traceback architecture (SOTA), provides a framework to be able to identify the source of an attack. This is accomplished by deploying our defence system at distributed routers, in order to examine the incoming SOAP messages and place our own SOAP header. By this method, we can then use the new SOAP header information, to traceback through the network the source of the attack. According to our experimental performance evaluations, we find that SOTA is quite scaleable, simple and quite effective at identifying the source.<br /
Preventing SQL Injection through Automatic Query Sanitization with ASSIST
Web applications are becoming an essential part of our everyday lives. Many
of our activities are dependent on the functionality and security of these
applications. As the scale of these applications grows, injection
vulnerabilities such as SQL injection are major security challenges for
developers today. This paper presents the technique of automatic query
sanitization to automatically remove SQL injection vulnerabilities in code. In
our technique, a combination of static analysis and program transformation are
used to automatically instrument web applications with sanitization code. We
have implemented this technique in a tool named ASSIST (Automatic and Static
SQL Injection Sanitization Tool) for protecting Java-based web applications.
Our experimental evaluation showed that our technique is effective against SQL
injection vulnerabilities and has a low overhead.Comment: In Proceedings TAV-WEB 2010, arXiv:1009.330
- …