
Building a Feedback Control Based Website Security to Prevent XML Injection Attacks

Published: 2017-03-22


ABSTRACT

Website security is a major concern in current practice, since most web pages are exposed to several kinds of attack. The most prominent is denial of service, an attack that makes a machine unavailable to its intended users; this becomes a serious problem when many clients use the same website. A second issue is the XML injection attack, a common hacking method used to steal website information: it injects unwanted XML content and structure into an XML message. The objective of the proposed system is to provide website security through a feedback controller that slows down bursts of requests from several users that would otherwise create traffic on the server. It also blocks XML injection attacks by using an XSD customized restriction algorithm. The feedback controller further addresses multiple requests from the same client, which are handled using prioritization techniques.

Keywords: Denial of service attack, Feedback controller, XML injection attack, Prioritization

INTRODUCTION

A website is a set of related web pages, typically served from a single web domain. It is hosted on at least one web server and is accessible via a network such as the Internet or a private local area network through an Internet address known as a Uniform Resource Locator. Many websites are unfortunately prone to security risks, and so any network to which web servers connect is also exposed to these threats. The care taken with server maintenance, web application updates and website coding defines the size of that window, limits the kind of information that can pass through it and thus establishes the degree of web security in use. Websites need to be tested and protected against various attacks. Website usage involves various kinds of vulnerabilities, which are described below. As we know, there are a lot of people out there who call themselves hackers, and they are capable of discovering new ways to overcome web security obstacles. Many websites that connect to the Internet are written using XML, which stands for Extensible Markup Language. It is a software- and hardware-independent tool for carrying information. One of the most time-consuming challenges for developers is exchanging data between incompatible systems over the Internet; exchanging data as XML greatly reduces this complexity, since the data can be read by different, incompatible applications. XPath is a W3C-recommended syntax that defines the parts of an XML document. XML files can be stored on an Internet server in exactly the same way as HTML files, and they can easily be stored and generated by a standard web server. The basic activity of a web server is to store, process and deliver web pages to clients.

A web server also has load limits, because it can handle only a limited number of concurrent client connections per IP address (and TCP port) and can serve only a certain maximum number of requests per second, depending on its own settings, the HTTP request type, the content type (static or dynamic), cached content, and the hardware and software limitations of the OS of the computer on which it runs. At any time a web server can be overloaded by too much legitimate web traffic, a denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack), computer worms, XSS viruses, Internet slowdowns, and finally partial unavailability of the web server, which leads to overloading.

RELATED WORKS

Several website security options have been discussed in earlier work. Some of the related papers concern website security and the detection of attacks on websites. The most common types of attack studied from a website security perspective are as follows:

1. Directory traversal attack, which gives an attacker the ability to move from one directory to another. This can be very dangerous, as it exposes private information to the Internet. Attackers can use it to download private files or to attack the system further. The best defence against this type of attack is strong filtering of user data and keeping the server software updated.

2. Cross-site scripting (XSS) attack, which allows an attacker to execute code on the target website from a user's browser, often causing side effects such as data compromise or the theft of a user session. XSS can only be prevented by carefully sanitizing all input that is not known to be secure, including HTTP referrer objects, the URL, GET parameters, POST parameters, etc.

3. Format string attack vectors originated in desktop software, where older C functions such as printf are more common; these functions have since migrated to the Internet.

These are the various attack types; the related papers are described with respect to them.

[1] This paper studies XML injection attacks, those that produce some change in the XML's internal components with the aim of compromising the web service application. The authors present XHDS, a hybrid approach that supports knowledge-based detection derived from a signature-based approach, and then apply an ontology to design the knowledge database for XML injection attacks against web services. The drawback of this paper is that the ontology would have to be extended to cover other attacks that burden web services, such as denial of service. This paper does not deal with the DoS attack concept, and as the number of attacks grows the power of the hybrid approach is exhausted.

[2] This work is an implementation of a large-scale, rule-based, SIP-aware application-layer firewall capable of detecting and mitigating SIP-based denial-of-service (DoS) attacks at the signalling and media levels. The firewall performs SIP traffic filtering against spoofing attacks and against request, response and out-of-state floods. The work presented in this paper may also help achieve secure end-to-end communication for these services, but it does not ensure security against XML and XPath injection attacks.

[3] This paper presents five common web application vulnerabilities, with examples and countermeasures to eliminate common security exploits and to secure the emerging class of rich, cross-domain web applications. These applications provide end users with client access to server functionality through a set of web pages, which often contain script code to be executed dynamically within the client web browser. Some of the generalized attacks are ineffective against targeted, malicious hacker activity.

[4] This model is a comprehensive survey of DDoS attacks and of the detection methods and tools used in wired networks. Victim-end detection mechanisms are generally deployed in the routers of victim networks that provide critical web services. In practice, designing and implementing a DDoS defence is very difficult, and the comparison of the existing detection mechanisms shows that most schemes cannot fulfil all the requirements of real-time network defence.

[5] A cross-site scripting attack can occur at any time: raw data from the attacker is sent to an innocent user, causing a buffer overflow. The authors identify cross-site scripting attacks based on URL analysis and try to identify all parts of a URL that produce a valid JavaScript parse tree. If a fragment produces a syntax tree of a certain depth, the URL is considered suspicious; such URLs are identified and detected by analyzing their structure. In some cases this approach produces false positives.

[6] This model introduces a benchmark for vulnerability detection tools for web services. It is an easy and widely used way to test applications in search of vulnerabilities, and it uses fuzzing techniques to attack applications. It evaluates and compares the existing tools and selects the most effective among them. The targeted tools aim at detecting only SQL injection attacks and not DoS attacks.

PROPOSED SYSTEM

In the proposed system we introduce a new concept called the feedback controller, which acts as a backup site for each original website the user visits. The client sends a request for a website to the web server, and that request is converted into an XML data input. The web server cannot perform response operations while the request is in the form of natural language, so it is converted to XML. After the conversion, this data is fed into the feedback controller, which performs various operations to find out the type of attack and rectify it accordingly. The DoS detection algorithm is run to find out whether any DoS attack has occurred in the given input. This detection mechanism eliminates only denial of service attacks; to check whether an XML injection attack is present we use an algorithm called the XSD customized restriction algorithm. With this algorithm most attacks are avoided by restriction, and if an attack has occurred the detection mechanism is used.

Figure 1, the architecture diagram of our project, gives the basic explanation of the flow of requests and responses from the clients. A client that sends a request to the website may be either a legitimate or an attacking client; the type of client is determined using the feedback controller. After the client sends a request to the website, the request is transferred to the feedback controller, which applies various techniques. First, the conversion from the normal request to an XML data input takes place.

Fig [1]: Architecture diagram

After the conversion phase, verification is done. The XML data input is first checked for data leakage; this data leakage verification is done using the patch site. If data leakage has occurred, it is eliminated using the XSD customized restriction algorithm. The next phase checks for request overload. This occurs when several clients send requests to the website at the same time and, among them, a hacker sends thousands of requests at once. This form of attack is called denial of service. To find this request overload we use the DoS detection algorithm.

XSD CUSTOMIZED RESTRICTION ALGORITHM

a. Start the XSD customization algorithm.

b. Get the request from the direct site and store it for validation against the patch site.

c. The patch site contains details of each XML content of the requested website.

d. Change the client request into an XML content format and match it against the patch site.

e. If the request is a modified XML content, the user request is changed to request timed out.

f. Hence the client will not get a response for that request.
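The following is an added example, not code from the paper, showing one concrete way to implement steps b to f: the "patch site" is modelled as an allow-list of the element paths and attributes each request type may contain, and a request whose structure deviates from it (extra, missing or duplicated elements, or attributes that were never listed) is answered with "timed out". The request type "getFile", the `PATCH_SITE` table, the function names and the sample requests are all constructed for this illustration. The example also contrasts the weak pattern of concatenating user input into XML text with building the request through the XML API, which is the usual mitigation for the injection the paper describes.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed "patch site": for each request type, the exact multiset of element
# paths and the attributes each element may carry in a genuine request.
PATCH_SITE = {
    "getFile": {
        "paths": Counter(["request", "request/user", "request/file"]),
        "attributes": {"request": {"type"}},
    },
}


def structure_of(root):
    """Return (Counter of element paths, {path: set of attribute names}) for a tree."""
    paths, attrs = Counter(), {}

    def walk(elem, prefix):
        path = f"{prefix}/{elem.tag}" if prefix else elem.tag
        paths[path] += 1
        if elem.attrib:
            attrs.setdefault(path, set()).update(elem.attrib)
        for child in elem:
            walk(child, path)

    walk(root, "")
    return paths, attrs


def validate_request(xml_text):
    """Steps b-f: return 'ok' if the request matches its patch-site entry, else 'timed out'."""
    try:
        root = ET.fromstring(xml_text)          # not well-formed -> rejected
    except ET.ParseError:
        return "timed out"
    expected = PATCH_SITE.get(root.get("type"))
    if expected is None:                        # unknown request type -> rejected
        return "timed out"
    paths, attrs = structure_of(root)
    if paths != expected["paths"]:              # extra, missing or duplicated elements
        return "timed out"
    for path, names in attrs.items():
        if not names <= expected["attributes"].get(path, set()):
            return "timed out"                  # attribute the patch site never listed
    return "ok"


def build_request(user, filename):
    """The weak pattern: user input concatenated straight into the XML text."""
    return f'<request type="getFile"><user>{user}</user><file>{filename}</file></request>'


def build_request_safely(user, filename):
    """Builds the same request through the XML API, so input can only ever be text."""
    root = ET.Element("request", type="getFile")
    ET.SubElement(root, "user").text = user
    ET.SubElement(root, "file").text = filename
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Constructed test value: a username that carries extra XML structure.
    tampered = "alice</user><role>admin</role><user>"
    print(validate_request(build_request("alice", "report.pdf")))          # ok
    print(validate_request(build_request(tampered, "report.pdf")))         # timed out
    print(validate_request(build_request_safely(tampered, "report.pdf")))  # ok
```

Comparing a multiset of paths rather than a plain set is what catches a duplicated element; a real deployment would express the same allow-list as an XSD (`minOccurs`/`maxOccurs`, attribute declarations) and validate with a schema-aware parser, and would configure that parser to reject DTD entity expansion so that the validation step itself cannot be turned into the overload the paper's next section deals with.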

DoS DETECTION ALGORITHM

a. Find the number of requests given to the website.

b. Check whether the request is from a legitimate client or an attacking client.

c. If the client is legitimate, its response to the request is given in the form of prioritization techniques.

d. If the client is attacking, its request overload attempt slows down the response process.

e. This denial of service is called a DoS attack. It prevents responses from being given to other legitimate clients.

f. To prevent this attack we detect the attacking clients and block them from further hacking of the website.
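As an added example (not the paper's code, and also covering the DoS detection module described later), the block below implements the six steps as a sliding-window request counter: each client's requests inside the window are counted (step a), a client that exceeds the limit is classified as attacking and blocked for a period (steps b and f), and the remaining requests are served in priority order (step c), so that an attacker's burst cannot push legitimate requests aside (steps d and e). The window, limit, block duration, client addresses and the request log are constructed values for the illustration.

```python
from collections import defaultdict, deque
import heapq

WINDOW_SECONDS = 10.0   # sliding window length (assumed value)
MAX_PER_WINDOW = 5      # requests one client may send per window (assumed value)
BLOCK_SECONDS = 60.0    # how long an attacking client stays blocked (assumed value)


class DosDetector:
    """Steps a, b and f: count requests per client, classify, block attackers."""

    def __init__(self, window=WINDOW_SECONDS, limit=MAX_PER_WINDOW, block=BLOCK_SECONDS):
        self.window, self.limit, self.block = window, limit, block
        self.history = defaultdict(deque)   # client -> request times inside the window
        self.blocked_until = {}             # client -> time at which its block expires

    def classify(self, client, now):
        """Return 'legitimate' or 'attacking' for one request from `client` at time `now`."""
        if self.blocked_until.get(client, float("-inf")) > now:
            return "attacking"              # still blocked: drop without counting
        times = self.history[client]
        times.append(now)
        while times and times[0] <= now - self.window:
            times.popleft()                 # forget requests outside the window
        if len(times) > self.limit:
            self.blocked_until[client] = now + self.block
            times.clear()
            return "attacking"
        return "legitimate"


def schedule(requests, detector=None):
    """Steps c to e: serve legitimate requests by priority and starve attacking ones.

    `requests` is an iterable of (time, client, priority, path); a lower priority
    number is served first and ties keep arrival order. Returns the served paths in
    service order and the set of clients that were classified as attacking.
    """
    detector = detector or DosDetector()
    heap, blocked = [], set()
    for seq, (t, client, prio, path) in enumerate(sorted(requests, key=lambda r: r[0])):
        if detector.classify(client, t) == "attacking":
            blocked.add(client)
        else:
            heapq.heappush(heap, (prio, seq, client, path))
    served = []
    while heap:
        _prio, _seq, client, path = heapq.heappop(heap)
        if client not in blocked:           # also drop earlier requests of a later-detected attacker
            served.append(path)
    return served, blocked


# Constructed request log (time in seconds, client address, priority, path):
# two ordinary clients and one client that fires eight requests in under a second.
SAMPLE_LOG = (
    [(0.0, "10.0.0.5", 1, "/login"), (0.5, "10.0.0.7", 2, "/index")]
    + [(1.0 + i * 0.1, "198.51.100.9", 2, "/index") for i in range(8)]
    + [(2.0, "10.0.0.5", 0, "/checkout"), (3.0, "10.0.0.7", 2, "/about")]
)

if __name__ == "__main__":
    served, blocked = schedule(SAMPLE_LOG)
    print(served)    # ['/checkout', '/login', '/index', '/about']
    print(blocked)   # {'198.51.100.9'}
```

The per-client key here is the source address, which is the weakest part of any such scheme: a distributed attacker spreads requests across many addresses and stays under the per-client limit, so in practice the counter is combined with a global rate limit and with the request-structure check of the previous section.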

MODULES

  • xml data injection
  • dos detection
  • data leakage
  • xsd customization

XML data injection:

This is the first module of my project. If a client needs information from any file on the web server, it sends the request over the Internet. The client's request to the website is first converted into an XML data input. After the conversion, the request is sent to the feedback controller, which analyses the given input and checks it for vulnerabilities. These XML conversions are built in so that the web server can know what the client has requested. After the request reaches the web server, the response is sent back to the client.

DOS detection:

In this module, the XML data input in the feedback controller is checked for any vulnerability present in it. The basic kind of vulnerability is the denial of service attack, an attempt to make a machine or network resource unavailable to its intended clients. To find or avoid these attacks we use the DoS detection algorithm. This algorithm verifies the request; if the request contains any attack, no response is sent from the web server. Once the verification is over, the request is sent to the server, which replies with the response to the legitimate client.

Data leakage:

In this module, after DoS detection is over, the XML data input in the feedback controller is checked for data leakage. In the feedback controller, the XML input is compared with the given patch site to find any errors present in it. After comparison, it is sent on to the XSD customization techniques.

XSD customization:

XSD customization techniques are used for verification of the XML inputs in the feedback controller. Data leakage is checked using the XSD customized restriction algorithm on the XML inputs. If an input contains any data leakage, that request is not given a response, which leads to request timed out.

CONCLUSION

In this paper, we proposed the concept of a feedback controller for providing website security against various kinds of vulnerabilities such as denial of service attacks and XML injection attacks. We use two algorithms: the DoS detection algorithm for detecting DoS attacks and the XSD customized restriction algorithm for preventing XML injection attacks. The proposed system also provides security for, and focuses on, multiple requests from the same client, which are handled using prioritization techniques.

REFERENCES

[1] J. Grossman, R. Hansen, P. D. Petkov, A. Rager, and S. Fogie, XSS Attacks: Cross-Site Scripting Exploits and Defense. Burlington, MA: Syngress, 2007.

[2] Z. Su and G. Wassermann, "The essence of command injection attacks in Web applications," in Proc. POPL, 2006.

[3] S. R. Kesharwani and A. Deshpande, "A Survey on XML-Injection Attack Detection Systems," International Journal of Science and Research (IJSR), ISSN (Online), 2012.

[4] G. Carl, G. Kesidis, R. R. Brooks, and S. Rai, "Denial-of-Service Attack-Detection Techniques," IEEE Internet Computing, pp. 82-89, 2006.

[5] W. Shi, Y. Xiang, and W. Zhou, "Distributed Defense Against Distributed Denial-of-Service Attacks," in Proc. ICA3PP, Springer-Verlag, LNCS 3719, pp. 357-362, 2005.

[6] A. Garg and S. Singh, "A Review on Web Application Security Vulnerabilities," Volume 3, Issue 1, January 2013.

[7] T. M. Rosa, A. O. Santin, and A. Malucelli, "Mitigating XML Injection 0-Day Attacks through Strategy-Based Detection Systems," copublished by the IEEE Computer and Reliability Societies, 1540-7993/2013 IEEE, July/August 2013.

[8] N. Antunes and M. Vieira, "Benchmarking Vulnerability Detection Tools for Web Services," in Proc. IEEE Int'l Conf. Web Services (ICWS), IEEE CS, 2010, doi:10.1109/ICWS.2010.76.

[9] W. Zeller and E. W. Felten, "Cross-site request forgeries: Exploitation and prevention," Princeton University, Tech. Rep., September 2008.

[10] T. M. Rosa, A. O. Santin, and A. Malucelli, "Mitigating XML Injection 0-Day Attacks through Strategy-Based Detection Systems," copublished by the IEEE Computer and Reliability Societies, 1540-7993/2013 IEEE, July/August 2013.

[11] J. Grossman, R. Hansen, P. D. Petkov, A. Rager, and S. Fogie, XSS Attacks: Cross-Site Scripting Exploits and Defense. Burlington, MA: Syngress, 2007.

[12] W. Shi, Y. Xiang, and W. Zhou, "Distributed Defense Against Distributed Denial-of-Service Attacks," in Proc. ICA3PP 2005, LNCS 3719, pp. 357-362.
