Shielding against Web Application Attacks - Detection Techniques and Classification

The field of IoT web applications is facing a range of security risks and system attacks due to the increasing complexity and size of home automation datasets. One of the primary concerns is the identification of Distributed Denial of Service (DDoS) attacks in home automation systems. Attackers can easily access various IoT web application assets by entering a home automation dataset or clicking a link, making them vulnerable to different types of web attacks. To address these challenges, the cloud has introduced the Edge of Things paradigm, which uses multiple concurrent deep models to enhance system stability and enable easy data revelation updates. Therefore, identifying malicious attacks is crucial for improving the reliability and security of IoT web applications. This paper uses a Machine Learning algorithm that can accurately identify web attacks using unique keywords. Smart home devices are classified into four classes based on their traffic predictability levels, and a neural system recognition model is proposed to classify these attacks with a high degree of accuracy, outperforming other classification models. The application of deep learning in identifying and classifying attacks has significant theoretical and scientific value for web security investigations. It also provides innovative ideas for intelligent security detection by classifying web visitors, making it possible to identify and prevent potential security threats

Web Single Sign-On Authentication using SAML

Companies have increasingly turned to application service providers (ASPs) or Software as a Service (SaaS) vendors to offer specialized web-based services that will cut costs and provide specific and focused applications to users. The complexity of designing, installing, configuring, deploying, and supporting the system with internal resources can be eliminated with this type of methodology, providing great benefit to organizations. However, these models can present an authentication problem for corporations with a large number of external service providers. This paper describes the implementation of Security Assertion Markup Language (SAML) and its capabilities to provide secure single sign-on (SSO) solutions for externally hosted applications

End-to-End QoS Support for a Medical Grid Service Infrastructure

Quality of Service support is an important prerequisite for the adoption of Grid technologies for medical applications. The GEMSS Grid infrastructure addressed this issue by offering end-to-end QoS in the form of explicit timeliness guarantees for compute-intensive medical simulation services. Within GEMSS, parallel applications installed on clusters or other HPC hardware may be exposed as QoS-aware Grid services for which clients may dynamically negotiate QoS constraints with respect to response time and price using Service Level Agreements. The GEMSS infrastructure and middleware is based on standard Web services technology and relies on a reservation based approach to QoS coupled with application specific performance models. In this paper we present an overview of the GEMSS infrastructure, describe the available QoS and security mechanisms, and demonstrate the effectiveness of our methods with a Grid-enabled medical imaging service

Business integration models in the context of web services.

E-commerce development and applications have been bringing the Internet to business and marketing and reforming our current business styles and processes. The rapid development of the Web, in particular, the introduction of the semantic web and web service technologies, enables business processes, modeling and management to enter an entirely new stage. Traditional web based business data and transactions can now be analyzed, extracted and modeled to discover new business rules and to form new business strategies, let alone mining the business data in order to classify customers or products. In this paper, we investigate and analyze the business integration models in the context of web services using a micro-payment system because a micro-payment system is considered to be a service intensive activity, where many payment tasks involve different forms of services, such as payment method selection for buyers, security support software, product price comparison, etc. We will use the micro-payment case to discuss and illustrate how the web services approaches support and transform the business process and integration model.

ESCUDO: A Fine-grained Protection Model for Web Browsers

Web applications are no longer simple hyperlinked documents. They have progressively evolved to become highly complex---web pages combine content from several sources (with varying levels of trustworthiness), and incorporate significant portions of client-side code. However, the prevailing web protection model, the same-origin policy, has not adequately evolved to manage the security consequences of this additional complexity. As a result, web applications have become attractive targets of exploitation. We argue that this disconnection between the protection needs of modern web applications and the protection models used by web browsers that manage those applications amounts to a failure of access control. In this paper, we present Escudo, a new web browser protection model designed based on established principles of mandatory access control. We describe our implementation of a prototype of Escudo in the Lobo web browser, and illustrate how web applications can use Escudo for securing their resources. Our evaluation results indicate that Escudo incurs low overhead. To support backwards compatibility, Escudo defaults to the same-origin policy for legacy applications

Model checking web applications

The modelling of web-based applications can assist in capturing and understanding their behaviour. The development of such applications requires the use of sound methodologies to ensure that the intended and actual behaviour are the same. As a verification technique, model checking can assist in finding design flaws and simplifying the design of a web application, and as a result the design and the security of the web application can be improved. Model checking has the advantage of using an exhaustive search of the state space of a system to determine if the specifications are true or not in a given model. In this thesis we present novel approaches in modelling and verifying web applications' properties to ensure their design correctness and security. Since the actions in web applications rely on both the user input and the server status; we propose an approach for modelling and verifying dynamic navigation properties. The Spin model checker has been used successfully in verifying communication protocols. However, the current version of Spin does not support modelling time. We integrate discrete time in the Spin model to allow the modelling of realistic properties that rely on time constraints and to analyse the sequence of actions and time. Examining the sequence of actions in web applications assists in understanding their behaviour in different scenarios such as navigation errors and in the presence of an intruder. The model checker Uppaal is presented in the literature as an alternative to Spin when modelling real-time systems. We develop models with real time constraints in Uppaal in order to validate the results from the Spin models and to compare the differences between modelling with real time and with discrete time as in Spin. We also compare the complexity and expressiveness of each model checker in verifying web applications' properties. The web application models in our research are developed gradually to ensure their correctness and to manage the complexities of specifying the security and navigation properties. We analyse the compromised model to compare the differences in the sequence of actions and time with the secure model to assist in improving early detections of malicious behaviour in web applications

Web applications testing techniques: a systematic mapping study

Due to the importance of Web application testing techniques for detecting faults and assessing quality attributes, many research papers were published in this field. For this reason, it became essential to analyse, classify and summarize the research in the field. The main goal of this research is to provide a classification or categorization of Web applications testing techniques or approaches to help researchers and practitioners to understand the current state-of-the-art in this field and find it easier to focus their research on the areas that had received less attention. To achieve this goal, this research conducted a systematic mapping study on 98 research papers in the field of Web applications testing published between 2008 and 2021. This mapping study resulted in a classification schema that categorizes the papers in this field into: model-based testing category, security testing category, and other types of testing categories. In model-based testing of Web applications, research papers were classified according to the model used for test data generation, while the research papers in the field of Web applications security testing were classified according to the targeted vulnerability. The results showed that the most commonly used Web applications testing techniques in literature are model-based testing and security testing. Besides, the most commonly used models in model-based testing are finite-state machines. The most targeted vulnerability in security testing is SQL injection. Test automation is the most targeted testing goal in both model-based and security testing. For other Web applications testing techniques, the main goals of testing were test automation, test coverage, and assessing security quality attributes

Desain Dan Implementasi Layanan Penyedia Data Penerimaan Mahasiswa Baru Berbasis Web Services Untuk Menunjang Executive Support System

A design and implement a data provider services (services provider) new admissions web-based services to support the needs of data for executive support system without reducing the workload of academic database server, ensure interoperability and security systems in Lampung State Polytechnic. With the data provider services (services provider) is a web-based services, the future of academic data base server can be accessed and processed using a multi-platform applications.Methods floating system used in this study are the method of software engineering approach, Linear Models. Starting with the analysis, to collect and analyze data through field studies. Later stages of the design, architectural design services for data providers, data design, interfaces and applications required. The next stage is the implementation of the service architecture design data providers (services provider) web-based services, data, interfaces and applications implemented on the real or actual conditions. The final step is testing the method of black box testing, test architecture for service providers warrant the entire system runs well and fi

Adversarial-Playground: A Visualization Suite Showing How Adversarial Examples Fool Deep Learning

Recent studies have shown that attackers can force deep learning models to misclassify so-called "adversarial examples": maliciously generated images formed by making imperceptible modifications to pixel values. With growing interest in deep learning for security applications, it is important for security experts and users of machine learning to recognize how learning systems may be attacked. Due to the complex nature of deep learning, it is challenging to understand how deep models can be fooled by adversarial examples. Thus, we present a web-based visualization tool, Adversarial-Playground, to demonstrate the efficacy of common adversarial methods against a convolutional neural network (CNN) system. Adversarial-Playground is educational, modular and interactive. (1) It enables non-experts to compare examples visually and to understand why an adversarial example can fool a CNN-based image classifier. (2) It can help security experts explore more vulnerability of deep learning as a software module. (3) Building an interactive visualization is challenging in this domain due to the large feature space of image classification (generating adversarial examples is slow in general and visualizing images are costly). Through multiple novel design choices, our tool can provide fast and accurate responses to user requests. Empirically, we find that our client-server division strategy reduced the response time by an average of 1.5 seconds per sample. Our other innovation, a faster variant of JSMA evasion algorithm, empirically performed twice as fast as JSMA and yet maintains a comparable evasion rate. Project source code and data from our experiments available at: https://github.com/QData/AdversarialDNN-PlaygroundComment: 5 pages. {I.2.6}{Artificial Intelligence} ; {K.6.5}{Management of Computing and Information Systems}{Security and Protection}. arXiv admin note: substantial text overlap with arXiv:1706.0176