[go: up one dir, main page]
More Web Proxy on the site http://driver.im/ skip to main content
10.1145/2995959.2995966acmconferencesArticle/Chapter ViewAbstractPublication PagesccsConference Proceedingsconference-collections
research-article

A Grey-Box Approach for Detecting Malicious User Interactions in Web Applications

Published: 28 October 2016 Publication History

Abstract

Web applications are the core enabler for most Internet services today. Their standard interfaces allow them to be composed together in different ways in order to support different service workflows. While the modular composition of applications has considerably simplified the provisioning of new Internet services, it has also added new security challenges; the impact of a security breach propagating through the chain far beyond the vulnerable application. To secure web applications, two distinct approaches have been commonly used in the literature. First, white-box approaches leverage the source code in order to detect and fix unintended flaws. Although they cover well the intrinsic flaws within each application, they can barely leverage logic flaws that arise when connecting multiple applications within the same service. On the other hand, black-box approaches analyze the workflow of a service through a set of user interactions, while assuming only little information about its embedded applications. These approaches may have a better coverage, but suffer from a high false positives rate. So far, to the best of our knowledge, there is not yet a single solution that combines both approaches into a common framework.
In this paper, we present a new grey-box approach that leverages the advantages of both white-box and black-box. The core component of our system is a semi-supervised learning framework that first learns the nominal behavior of the service using a set of elementary user interactions, and then prune this nominal behavior from attacks that may have occurred during the learning phase. To do so, we leverage a graph-based representation of known attack scenarios that is built using a white-box approach. We demonstrate in this paper the use of our system through a practical use case, including real world attack scenarios that we were able to detect and qualify using our approach.

References

[1]
G. Stringhini, P. Mourlanne, G. Jacob, M. Egele, C. Kruegel, and G. Vigna. Evilcohort: Detecting communities of malicious accounts on online services. In 24th USENIX Security Symposium (USENIX Security 15), pages 563--578, Washington, D.C., USA, 2015.
[2]
M. Weissbacher, W. Robertson, E. Kirda, C. Kruegel, and G. Vigna. Zigzag: Automatically hardening web applications against client-side validation vulnerabilities. In 24th USENIX Security Symposium, pages 737--752, Washington, D.C., USA, 2015.
[3]
T. Nelms, R. Perdisci, M. Antonakakis, and M. Ahamad. Webwitness: Investigating, categorizing, and mitigating malware download paths. In 24th USENIX Security Symposium (USENIX Security 15), pages 1025--1040, Washington, D.C., USA, 2015.
[4]
G. Pellgrino and D. Balzarotti. Toward black-box detection of logic flaws in web applications. In Proceeding of the Network and Distributed System Security Symposium NDSS, San Diego, USA, 2014.
[5]
S. Marchal, K. Saari, N. Singh, and N. Asokan. Know your phish: Novel techniques for detecting phishing sites and their targets. In Proceeding of the ICDCS, pages 323--333, Nara-Japan, 2016.
[6]
B. Carminati, E. Ferrari, and P. C. Hung. Web service composition: A security perspective. In International Workshop on Challenges in Web Information Retrieval and Integration, Tokyo, Japan, pages 248--253, 2005.
[7]
A. Doupé, L. Cavedon, C. Kruegel, and G. Vigna. Enemy of the state: A state-aware black-box web vulnerability scanner. In Proceedings of USENIX Security Symposium (USENIX Security 12), pages 523--538, Bellevue, WA, USA, 2012.
[8]
D. Canali, D. Balzarotti, and A. Francillon. The role of web hosting providers in detecting compromised websites. In Proceedings of the World Wide Web Conference WWW, pages 177--188, Rio de Janeiro, Brazil, 2013
[9]
T. Scholte, D. Balzarotti, and E. Kirda. Have things changed now? an empirical study on input validation vulnerabilities in web applications. Elsevier Computer.Security, 31(3):344--356, 2012.
[10]
D. Fett, R. Küsters, and G. Schmitz. Spresso: A secure, privacy-respecting single sign-on system for the web. In Proceedings of the 22Nd ACM SIGSAC Conference on Computer and Communications Security, pages 1358--1369, Denver, CO, USA, 2015.
[11]
N. Kheir, N. S. Diop, S.-Y. Loui, and V. Frey. Poster abstract: Detecting malicious behaviors through analysis of user interaction sequences. In Proceedings of the International Conference on Recent Advances in Intrusion Detection RAID, Kyoto, Japan, pages 1--2, 2015.
[12]
X. Li and Y. Xue. Block: A black-box approach for detection of state violation attacks towards web applications. In Proceedings of the 27th Annual Computer Security Applications Conference ACSAC, pages 247--256, Orlando, FA, USA, 2011.
[13]
B. Settles. Active learning literature survey. Computer Sciences Technical Report 1648, University of Wisconsin--Madison, 2009.
[14]
G. Bai, Lei, G. Meng, S. S. Venkatraman, P. Saxena, J. Sun, Y. Liu, and J. Dong. Authscan: Automatic extraction of web authentication protocols from implementations. In Proceedings of the 20th Annual Network and Distributed System Security Symposium, San Diego, CA, USA, 2013.
[15]
K. Veeramachaneni, I. Arnaldo, A. Cuesta-Infante, V. Korrapati, C. Bassias, and K. Li. Ai2: Training a big data machine to defend. In IEEE International Conference on Big Data Security, pages 1--13, New York, NY, USA, 2016.
[16]
P. Vogt, F. Nentwich, N. Jovanovic, E. Kirda, C. Kruegel, and G. Vigna. Cross site scripting prevention with dynamic data tainting and static analysis. In Proceedings of the Network and Distributed System Security Symposium, San Diego, CA, USA, 2007.
[17]
J. Bau, E. Bursztein, D. Gupta, and J. Mitchell. State of the art: Automated black-box web application vulnerability testing. In IEEE Symposium on Security and Privacy (SP), pages 332--345, Oakland, CA, USA, 2010.
[18]
X. Fu, X. Lu, B. Peltsverger, S. Chen, K. Qian, and L. Tao. A static analysis framework for detecting sql injection vulnerabilities. In Annual International Computer Software and Applications Conference, COMPSAC, Beijing, China, pages 87--96, 2007.
[19]
T. Ball and S. K. Rajamani. The slam project: debugging system software via static analysis. SIGPLAN Not, page 2002.
[20]
D. Balzarotti, M. Cova, V. V. Felmetsger, and G. Vigna. Multi-module vulnerability analysis of web-based applications. In Proceedings of the 14th ACM Conference on Computer and Communications Security CCS, pages 25--35, New York, NY, USA, 2007.
[21]
V. Felmetsger, L. Cavedon, C. Kruegel, and G. Vigna. Toward automated detection of logic vulnerabilities in web applications. In Proceedings of the 19th USENIX Conference on Security, USENIX Security, pages 10--10, Berkeley, CA, USA, 2010.
[22]
M. Cova, D. Balzarotti, V. Felmetsger, and G. Vigna. Swaddler: An approach for the anomaly-based detection of state violations in web applications. In Proceedings of the International Conference on Recent Advances in Intrusion Detection RAID, pages 63--86, 2007.
[23]
A. Armando, G. Pellegrino, R. Carbone, A. Merlo, and D. Balzarotti. From model-checking to automated testing of security protocols: Bridging the gap. In 6th International Conference on Tests and Proofs, 2012.
[24]
A. Sudhodanan, A. Armando, L. Compagna, and R. Carbone. Attack patterns for black-box security testing of multi-party web applications. In In Proceeding of the Network and Distributed System Security Symposium NDSS, San Diego, CA, USA, 2016.
[25]
P. Berkhin. A survey of clustering data mining techniques. In Grouping multidimensional data, pages 25--71. Springer, 2006.
[26]
J. H. Martin and D. Jurafsky. Speech and language processing. International Edition, 710, 2000.
[27]
T. Abou-Assaleh, N. Cercone, V. Keselj, and R. Sweidan. N-gram-based detection of new malicious code. In Computer Software and Applications Conference, 2004. COMPSAC 2004. Proceedings of the 28th Annual International, volume 2, pages 41--42, 2004.
[28]
C. Cadar and D. Engler. Execution generated test cases: How to make systems code crash itself. In Proceedings of the 12th International Conference on Model Checking Software, pages 2--23, 2005.
[29]
W. B. Cavnar, J. M. Trenkle, et al. N-gram-based text categorization. Ann Arbor MI, 48113(2):161--175, 1994.
[30]
L. P. Cordella, P. Foggia, C. Sansone, and M. Vento. A (sub) graph isomorphism algorithm for matching large graphs. IEEE transactions on pattern analysis and machine intelligence, 26(10):1367--1372, 2004.
[31]
I. S. Dhillon, S. Mallela, and D. S. Modha. Information-theoretic co-clustering. In Proceedings of the Ninth ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, pages 89--98, 2003.
[32]
P. Godefroid, M. Y. Levin, D. A. Molnar, et al. Automated whitebox fuzz testing. In Proceedings of the Network and Distributed System Security Symposium, San Diego, CA, USA, pages 151--166, 2008.
[33]
W.-J. Li, K. Wang, S. J. Stolfo, and B. Herzog. Fileprints: Identifying file types by n-gram analysis. In Proceedings from the Sixth Annual IEEE SMC Information Assurance Workshop, pages 64--71, 2005.
[34]
E. M. Luks. Isomorphism of graphs of bounded valence can be tested in polynomial time. Journal of computer and system sciences, 25(1):42--65, 1982.
[35]
S. Noel, E. Robertson, and S. Jajodia. Correlating intrusion events and building attack scenarios through attack graph distances. In Proceedings of the Annual Computer Security Applications Conference ACSAC, pages 350--359, Tucson, AZ, USA, 2004.
[36]
P. Saxena, D. Akhawe, S. Hanna, F. Mao, S. McCamant, and D. Song. A symbolic execution framework for javascript. In Proceedings of the IEEE Symposium on Security and Privacy SP, pages 513--528, Washington, DC, USA, 2010.
[37]
J. R. Ullmann. An algorithm for subgraph isomorphism. J. ACM, 23(1):31--42, 1976.

Cited By

View all
  • (2024)A Survey on the Applications of Semi-supervised Learning to Cyber-securityACM Computing Surveys10.1145/365764756:10(1-41)Online publication date: 22-Jun-2024
  • (2021)A Review on Detection of Cross-Site Scripting Attacks (XSS) in Web SecurityAdvances in Cyber Security10.1007/978-981-33-6835-4_45(685-709)Online publication date: 5-Feb-2021
  • (2020)XSSD: A Cross-site Scripting Attack Dataset and its Evaluation2020 Third ISEA Conference on Security and Privacy (ISEA-ISAP)10.1109/ISEA-ISAP49340.2020.234995(21-30)Online publication date: Feb-2020
  • Show More Cited By

Recommendations

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Conferences
MIST '16: Proceedings of the 8th ACM CCS International Workshop on Managing Insider Security Threats
October 2016
126 pages
ISBN:9781450345712
DOI:10.1145/2995959
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 28 October 2016

Permissions

Request permissions for this article.

Check for updates

Author Tags

  1. black-box
  2. web security
  3. white-box

Qualifiers

  • Research-article

Conference

CCS'16
Sponsor:

Acceptance Rates

MIST '16 Paper Acceptance Rate 8 of 22 submissions, 36%;
Overall Acceptance Rate 21 of 54 submissions, 39%

Upcoming Conference

CCS '25

Contributors

Other Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

  • Downloads (Last 12 months)26
  • Downloads (Last 6 weeks)5
Reflects downloads up to 22 Dec 2024

Other Metrics

Citations

Cited By

View all
  • (2024)A Survey on the Applications of Semi-supervised Learning to Cyber-securityACM Computing Surveys10.1145/365764756:10(1-41)Online publication date: 22-Jun-2024
  • (2021)A Review on Detection of Cross-Site Scripting Attacks (XSS) in Web SecurityAdvances in Cyber Security10.1007/978-981-33-6835-4_45(685-709)Online publication date: 5-Feb-2021
  • (2020)XSSD: A Cross-site Scripting Attack Dataset and its Evaluation2020 Third ISEA Conference on Security and Privacy (ISEA-ISAP)10.1109/ISEA-ISAP49340.2020.234995(21-30)Online publication date: Feb-2020
  • (2019)A Survey of Exploitation and Detection Methods of XSS VulnerabilitiesIEEE Access10.1109/ACCESS.2019.29604497(182004-182016)Online publication date: 2019

View Options

Login options

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Media

Figures

Other

Tables

Share

Share

Share this Publication link

Share on social media