Journal Articles
Permanent URI for this collectionhttps://idr.nitk.ac.in/handle/123456789/19884
Browse
55 results
Search Results
Item Securing web applications from injection and logic vulnerabilities: Approaches and challenges(Elsevier B.V., 2016) Deepa, G.; Santhi Thilagam, P.S.Context: Web applications are trusted by billions of users for performing day-to-day activities. Accessibility, availability and omnipresence of web applications have made them a prime target for attackers. A simple implementation flaw in the application could allow an attacker to steal sensitive information and perform adversary actions, and hence it is important to secure web applications from attacks. Defensive mechanisms for securing web applications from the flaws have received attention from both academia and industry. Objective: The objective of this literature review is to summarize the current state of the art for securing web applications from major flaws such as injection and logic flaws. Though different kinds of injection flaws exist, the scope is restricted to SQL Injection (SQLI) and Cross-site scripting (XSS), since they are rated as the top most threats by different security consortiums. Method: The relevant articles recently published are identified from well-known digital libraries, and a total of 86 primary studies are considered. A total of 17 articles related to SQLI, 35 related to XSS and 34 related to logic flaws are discussed. Results: The articles are categorized based on the phase of software development life cycle where the defense mechanism is put into place. Most of the articles focus on detecting the flaws and preventing the attacks against web applications. Conclusion: Even though various approaches are available for securing web applications from SQLI and XSS, they are still prevalent due to their impact and severity. Logic flaws are gaining attention of the researchers since they violate the business specifications of applications. There is no single solution to mitigate all the flaws. More research is needed in the area of fixing flaws in the source code of applications. © 2016 Elsevier B.V. All rights reserved.Item Securing native XML database-driven web applications from XQuery injection vulnerabilities(Elsevier Inc. usjcs@elsevier.com, 2016) Palsetia, N.; Deepa, G.; Ahmed Khan, F.; Santhi Thilagam, P.S.; Pais, A.R.Database-driven web applications today are XML-based as they handle highly diverse information and favor integration of data with other applications. Web applications have become the most popular way to deliver essential services to customers, and the increasing dependency of individuals on web applications makes them an attractive target for adversaries. The adversaries exploit vulnerabilities in the database-driven applications to craft injection attacks which include SQL, XQuery and XPath injections. A large amount of work has been done on identification of SQL injection vulnerabilities resulting in several tools available for the purpose. However, a limited work has been done so far for the identification of XML injection vulnerabilities and the existing tools only identify XML injection vulnerabilities which could lead to a specific type of attack. Hence, this work proposes a black-box fuzzing approach to detect different types of XQuery injection vulnerabilities in web applications driven by native XML databases. A prototype XQueryFuzzer is developed and tested on various vulnerable applications developed with BaseX as the native XML database. An experimental evaluation demonstrates that the prototype is effective against detection of XQuery injection vulnerabilities. Three new categories of attacks specific to XQuery, but not listed in OWASP are identified during testing. © 2016 Elsevier Inc.Item Live migration of virtual machines with their local persistent storage in a data intensive cloud(Inderscience Enterprises Ltd. editor@inderscience.com, 2017) Modi, A.; Achar, R.; Santhi Thilagam, P.S.Processing large volumes of data to drive their core business has been the primary objective of many firms and scientific applications in these days. Cloud computing being a large-scale distributed computing paradigm can be used to cater for the needs of data intensive applications. There are various approaches for managing the workload on a data intensive cloud. Live migration of a virtual machine is the most prominent paradigm. Existing approaches to live migration use network attached storage where just the run time state needs to be transferred. Live migration of virtual machines with local persistent storage has been shown to have performance advantages like security, availability and privacy. This paper presents an optimised approach for migration of a virtual machine along with its local storage by considering the locality of storage access. Count map combined with a restricted block transfer mechanism is used to minimise the downtime and overhead. The solution proposed is tested by various parameters like bandwidth, write access patterns and threshold. Results show the improvement in downtime and reduction in overhead. © © 2017 Inderscience Enterprises Ltd.Item En-Route Filtering Techniques in Wireless Sensor Networks: A Survey(Springer New York LLC barbara.b.bertram@gsk.com, 2017) Kumar, A.; Pais, A.R.Majority of wireless sensor networks (WSNs) are deployed in unattended environments and thus sensor nodes can be compromised easily. A compromised sensor node can be used to send fake sensing reports to the sink. If undetected these reports can raise false alarms. To deal with the problem of fake report generation, a number of en-route filtering schemes have been proposed. Each of these schemes uses different cryptographic methods to check the authenticity of reports while they are being forwarded hop by hop toward base station. However, majority of these techniques can handle only limited compromised nodes or they either need node localization or statically configured routes for sending reports. Furthermore, majority of en-route filtering techniques are vulnerable to various denial of service attacks. Our main aims in this survey are: (a) to describe the major en-route filtering techniques, (b) to analyze these techniques on various parameters including security and (c) to outline main unresolved research challenges in en-route filtering in WSNs. © 2017, Springer Science+Business Media New York.Item Security bound enhancement of remote user authentication using smart card(Elsevier Ltd, 2017) Madhusudhan, R.; Hegde, M.Distribution of resources and services via open network has becoming latest trend in information technology. This is provided by many service provider servers. In open network, hackers can easily obtain the communication data. Therefore, open networks and servers demand the security to protect data and information. Hence, network security is most important requirement in distributed system. In this security system, authentication is considered as the fundamental and essential method. Recently many remote user authentication schemes are proposed. In 2012, WANG Ding et al. proposed a remote user authentication scheme, in which the author stated that the scheme provides protection against offline password guessing, impersonation and other known key attacks. By cryptanalysis we have identified that, WANG Ding et al.'s scheme does not provide user anonymity, once the smart card is stolen. This scheme is also susceptible to offline password guessing attack, server masquerading attack, stolen smart card attack and insider attack. Further, this scheme still has problem with proper perfect forward secrecy and user revocation. In order to fix these security weaknesses, an enhanced authentication scheme is proposed and analysed using the formal verification tool for measuring the robustness. From the observation of computational efficiency of the proposed scheme, we conclude that the scheme is more robust and easy to implement practically. © 2017Item Batch verification of Digital Signatures: Approaches and challenges(Elsevier Ltd, 2017) Kittur, A.S.; Pais, A.R.Digital Signatures can be considered analogous to an ordinary handwritten signature for signing messages in the Digital world. Digital signature must be unique and exclusive for each signer. Multiple Digital Signatures signed by either single or multiple signers can be verified at once through Batch Verification. There are two main issues with respect to Batch Verification of Digital Signatures; first is the security problem and the second is the computational speed. Due to e-commerce proliferation, quick verification of Digital Signatures through specific hardware or efficient software becomes critical. Internet companies, banks, and other such organizations use Batch verification to accelerate verification of large number of Digital Signatures. Many Batch Verification techniques have been proposed for various Digital Signature algorithms. But most of them lack the security requirements such as signature authenticity, integrity, and non-repudiation. Hence there is a need for the study of batch verification of Digital Signatures. The main contributions of our survey include: (a) Identifying and categorizing various Batch verification techniques for RSA, DSS, and ECDSA(includes schemes based on Bilinear Pairing) (b) Providing a comparative analysis of these Batch Verification techniques (c) Identifying various research challenges in the area of Batch verification of signatures. © 2017 Elsevier LtdItem Leveraging virtual machine introspection with memory forensics to detect and characterize unknown malware using machine learning techniques at hypervisor(Elsevier Ltd, 2017) M.a, M.A.; Jaidhar, C.D.The Virtual Machine Introspection (VMI) has emerged as a fine-grained, out-of-VM security solution that detects malware by introspecting and reconstructing the volatile memory state of the live guest Operating System (OS). Specifically, it functions by the Virtual Machine Monitor (VMM), or hypervisor. The reconstructed semantic details obtained by the VMI are available in a combination of benign and malicious states at the hypervisor. In order to distinguish between these two states, the existing out-of-VM security solutions require extensive manual analysis. In this paper, we propose an advanced VMM-based, guest-assisted Automated Internal-and-External (A-IntExt) introspection system by leveraging VMI, Memory Forensics Analysis (MFA), and machine learning techniques at the hypervisor. Further, we use the VMI-based technique to introspect digital artifacts of the live guest OS to obtain a semantic view of the processes details. We implemented an Intelligent Cross View Analyzer (ICVA) and implanted it into our proposed A-IntExt system, which examines the data supplied by the VMI to detect hidden, dead, and dubious processes, while also predicting early symptoms of malware execution on the introspected guest OS in a timely manner. Machine learning techniques are used to analyze the executables that are mined and extracted using MFA-based techniques and ascertain the malicious executables. The practicality of the A-IntExt system is evaluated by executing large real-world malware and benign executables onto the live guest OSs. The evaluation results achieved 99.55% accuracy and 0.004 False Positive Rate (FPR) on the 10-fold cross-validation to detect unknown malware on the generated dataset. Additionally, the proposed system was validated against other benchmarked malware datasets and the A-IntExt system outperforms the detection of real-world malware at the VMM with performance exceeding 6.3%. © 2017 Elsevier LtdItem Applications nature aware virtual machine provisioning in cloud(Inderscience Publishers, 2018) Achar, R.; Santhi Thilagam, P.S.Rapid growth of internet technologies and virtualisation has made cloud as a new IT delivery mechanism, which is gaining popularity from both industry and academia. Huge demand for a cloud resources, running similar nature applications in the same server results in application degradation whenever there is a sudden rise in workload. In order to minimise the application degradations, there is an urgent need to know the nature of applications running in cloud for efficient virtual machine (VM) provisioning. Existing cloud architecture does not provide any mechanism to handle this issue. This paper presents a modified cloud architecture which contains additional component called application analyser to identify the nature of applications running in each VM. Based on applications nature, this paper presents a novel VM provisioning mechanism using genetic algorithm. In order to utilise the resources efficiently, this paper also presents a mechanism for VM provisioning with migration. Experimental study is conducted using CloudSim simulator shows that proposed mechanism is efficiently allocating resources to the virtual machines. © 2018 Inderscience Enterprises Ltd.Item Energy-efficient and reliable data collection in wireless sensor networks(Turkiye Klinikleri Journal of Medical Sciences Talapapa Bulvary no. 102 Hamammonu 1 06230, 2018) Puneeth, D.; Joshi, N.; Atrey, P.K.; Kulkarni, M.Ensuring energy efficiency, data reliability, and security is important in wireless sensor networks (WSNs). A combination of variants from the cryptographic secret sharing technique and the disjoint multipath routing scheme is an effective strategy to address these requirements. Although Shamir's secret sharing (SSS) provides the desired reliability and information-theoretic security, it is not energy efficient. Alternatively, Shamir's ramp secret sharing (SRSS) provides energy efficiency and data reliability, but is only computationally secure. We argue that both these approaches may suffer from a compromised node (CN) attack when a minimum number of nodes is compromised. Hence, we propose a new scheme that is energy efficient, provides data reliability, and is secure against CN attacks. The core idea of our scheme is to combine SRSS and a round-reduced AES cipher, which we call "split hop AES (SHAES)". Both the simulation results and the theoretical analysis are employed to validate the near-sink CN attack, and a secure reliable scheme using SHAES is proposed. © 2018 TÜBITAK.Item Black-box detection of XQuery injection and parameter tampering vulnerabilities in web applications(Springer Verlag service@springer.de, 2018) Deepa, G.; Santhi Thilagam, P.S.; Ahmed Khan, F.A.; Praseed, A.; Pais, A.R.; Palsetia, N.As web applications become the most popular way to deliver essential services to customers, they also become attractive targets for attackers. The attackers craft injection attacks in database-driven applications through the user-input fields intended for interacting with the applications. Even though precautionary measures such as user-input sanitization is employed at the client side of the application, the attackers can disable the JavaScript at client side and still inject attacks through HTTP parameters. The injected parameters result in attacks due to improper server-side validation of user input. The injected parameters may either contain malicious SQL/XML commands leading to SQL/XPath/XQuery injection or be invalid input that intend to violate the expected behavior of the web application. The former is known as an injection attack, while the latter is called a parameter tampering attack. While SQL injection has been intensively examined by the research community, limited work has been done so far for identifying XML injection and parameter tampering vulnerabilities. Database-driven web applications today rely on XML databases, as XML has gained rapid acceptance due to the fact that it favors integration of data with other applications and handles diverse information. Hence, this work proposes a black-box fuzzing approach to detect XQuery injection and parameter tampering vulnerabilities in web applications driven by native XML databases. A prototype XiParam is developed and tested on vulnerable applications developed with a native XML database, BaseX, as the backend. The experimental evaluation clearly demonstrates that the prototype is effective against detection of both XQuery injection and parameter tampering vulnerabilities. © 2017, Springer-Verlag Berlin Heidelberg.