Similar literature
20 similar documents found; search time 36 ms
1.
2.
3.
Information security has evolved from just focusing on the network and server layers to also include the web application layer. In fact, security in some types of web applications is often considered a particularly sensitive subject. Achieving a secure web application involves several different issues like encrypting traffic and certain database information, strictly restricting the access control, etc. In this work we focus on detecting attempts of either gaining unauthorised access or misusing a web application. We introduce an intrusion detection software component based on text-mining techniques. By using text categorisation, it is capable of learning the characteristics of both normal and malicious user behaviour from the log entries generated by the web application server. Therefore, the detection of misuse in the web application is achieved without the need of any explicit programming or code writing, hence improving the system maintainability. Because telemedicine systems are usually critical in terms of the confidential information handled and the responsibilities consequently derived, we apply and evaluate our methods on a real web-based telemedicine system called Arnasa.

4.
5.
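A Survey of Semantic Web Application Research   Cited: 4 in total (self-citations: 1; citations by others: 4)
Introduces the key Semantic Web technologies XML, RDF(S) and ontologies, and identifies the many application areas of Semantic Web technology: knowledge management, semantic search, P2P, e-commerce, e-government, the semantic grid, Web mining, Semantic Web services, intelligent information agents and semantic portals. Starting from the difficulties and challenges these areas currently face, the paper analyses and discusses the role, application prospects and some research results of Semantic Web technology in these application areas.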

6.
User-input-validation (UIV) is the first barricade that protects web applications from application-level attacks. Most UIV test tools cannot detect semantics-related vulnerabilities in validators, such as filling a five-digit number to a field that accepts a year. To address this issue, we propose a new approach to generate test inputs for UIV based on the analysis of client-side information. In particular, we use input-field information to generate valid inputs, and then perturb valid inputs to generate invalid test inputs. We conducted an empirical study to evaluate our approach. The empirical result shows that, in comparison to existing vulnerability scanners, our approach is more effective than existing vulnerability scanners in finding semantics-related vulnerabilities of UIV for web applications.

7.
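XQuery is a language for querying XML-structured documents and data. Based on an analysis, understanding and study of the specification framework of this query language, an architecture is proposed for a query processing engine that supports the W3C XQuery language. Each input, output and processing module is analysed in turn along the data flow, and an overall description of the running state of the whole system is given. An XQuery query processing engine has been implemented according to this architecture.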

8.
9.
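Positioning Principles in Web Standards and Their Application   Cited: 1 in total (self-citations: 0; citations by others: 1)
Web standards have XHTML and CSS as their two core technologies. The paper describes how, in front-end website development based on Web standards, CSS positioning is used to place a Web element precisely at a specified position on the page. It explains the CSS box model, the positioning principle, and the principles of floating and clearing, illustrates the use of the various positioning methods with simple coding examples, and finally applies float positioning and the clearing principle to implement a typical Web-standards page layout.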

10.
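A fragile watermarking algorithm is proposed for hierarchical tamper detection and content recovery in digital images. The watermark information generated for each block of the image consists of an authentication watermark and a content recovery watermark; the authentication watermark is generated from parity-check and average-intensity information, and the recovery watermark is obtained from the quantised and encoded DCT coefficients of the block. Based on a chaotic map and a farthest-distance secure hiding mechanism, the recovery watermark is embedded in the mapped block, which effectively avoids the tampering coincidence problem. At the receiver, a hierarchical tamper detection method is used to reduce missed and false detections of tampered blocks, effectively improving tamper-detection accuracy and recovery quality. Experimental results show that, compared with existing methods, the proposed method achieves better recovery for both small-area and large-area tampering.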

11.
e-Passports present different security measures designed to safeguard their authenticity and more specifically to protect them from tampering and cloning attempts. Security protocols defined by International Civil Aviation Organization for this purpose (Passive Authentication, Active Authentication) should be enough to prevent such attacks. However, according to current specifications that regulate the Logical Data Structure of the e-Passport’s chip, it is feasible to bypass these protocols exploiting some flaws in the Inspection System. In this paper we show that as long as new documents will not be issued in compliance with new logical data structure’s specifications (currently under discussion), a careless implementation of the inspection procedure may lead to unsuccessful detection of cloned e-Passports.

12.
13.
In this paper, we present a model-driven approach to construction of web-based collaborative environments that could be efficiently tailored to modeling and simulation needs of an arbitrary number of M&S application domains. To achieve broad applicability, our approach is based on general concepts and taxonomies in fields of Modeling and Simulation, Distributed Systems, and Collaborative Software. Such stable concepts constitute the collaborative Modeling and online Simulation (cMoS) framework. cMoS provides a general basis for a family of Web-Based M&S applications. Specific M&S applications are supported through customization of the variation points in cMoS. To enable efficient tailoring to specific applications during the operation phase, the variation points are not implicitly hardcoded as traditionally, but are explicitly expressed as models. The use of the resulting models is still limited due to a high barrier of their implementation. This barrier is sought to be amended by model-driven engineering (MDE): models of the variation points are computerized and their implementation is automatically generated. The end result is a model-driven and mostly programming free cMoS system adaptable to new M&S applications through abstract modeling of the variation points. The proposed framework and model-driven construction of a cMoS system are demonstrated. The system customization has been verified for a number of domains: Data Flow Diagrams (DFD), Discrete Event System Specification (DEVS), Process Interaction (PI) and Dynamic Traffic Routing (DTR). A demonstration of the latter is included in this paper. Generic cMoS functionality, such as modeling, collaborative sharing of conceptual models, online simulation and management of shared simulation resources is demonstrated as well.

14.
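Research on Automated Testing of Web Applications   Cited: 1 in total (self-citations: 0; citations by others: 1)
To address the low reuse rate of current "capture/replay" test scripts for Web applications, a data-driven Web testing framework is presented based on the characteristics of Web applications, and an XML-based automated test script is designed. The test script describes a multi-request/response transition model of Web application behaviour and clearly defines external test data, avoiding the defect of "hard-coded" data, so that different aspects of a Web application (for example functionality and performance) can be tested. A prototype test execution tool was developed that takes test scripts as input, automatically executes the test cases and generates test results.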

15.
16.
Context-awareness constitutes an essential aspect of services, especially when interaction with end-users is involved. In this paper a solution for the context-aware development of web applications consisting of web services is presented. The methodology proposes a model based approach and advocates in favour of a complete separation of the web application functionality from the context adaptation at all development phases (analysis, design, implementation). In essence, context adaptation takes place on top of and is transparent to the web application business functionality. Starting from UML diagrams of independent web services and respective UML context models, our approach can produce a functional composite context-aware application. At execution level this independence is maintained through an adaptation framework based on message interception.

17.
There are two main kinds of vulnerable web applications: usual applications developed with a specific aim and applications which are vulnerable by design. On one hand, the usual applications are those that are used everywhere and on a daily basis, and where vulnerabilities are detected, and often mended, such as online banking systems, newspaper sites, or any other Web site. On the other hand, vulnerable by design web applications are developed for proper evaluation of web vulnerability scanners and for training in detecting web vulnerabilities. The main drawback of vulnerable by design web applications is that they used to include just a short set of well-known types of vulnerabilities, usually from famous classifications like the OWASP Top Ten. They do not include most of the types of web vulnerabilities. In this paper, an analysis and assessment of vulnerable web applications is conducted in order to select the applications that include the larger set of types of vulnerabilities. Then those applications are enlarged with more types of web vulnerabilities that vulnerable web applications do not include. Lastly, the new vulnerable web applications have been analyzed to check whether web vulnerability scanners are able to detect the newly added vulnerabilities, those vulnerabilities that vulnerable by design web applications do not include. The results show that the tools are not very successful in detecting those vulnerabilities, less than well-known vulnerabilities.

18.
In this work, we present a novel approach for the efficient materialization of dynamic web pages in e-commerce applications such as an online retail store with millions of items, hundreds of HTTP requests per second and tens of dynamic web page types. In such applications, user satisfaction, as measured in terms of response time (QoS) and content freshness (QoD), determines their success especially under heavy workload. The novelty of our materialization approach over existing ones is that it considers the data dependencies between content fragments of a dynamic web page. We introduce two new semantic-based data freshness metrics that capture the content dependencies and propose two materialization algorithms that balance QoS and QoD. In our evaluation, we use a real-world experimental system that resembles an online bookstore and show that our approach outperforms existing QoS-QoD balancing approaches in terms of server-side response time (throughput), data freshness and scalability.

19.
20.