Biblio

In the 21st century, world-leading industries are under the accelerated development of digital transformation. Along with information and data resources becoming more transparent on the Internet, many new network technologies were introduced, but cyber-attack also became a severe problem in cyberspace. Over time, industrial control networks are also forced to join the nodes of the Internet. Therefore, cybersecurity is much more complicated than before, and suffering risk of browsing unknown websites also increases. To practice defenses against cyber-attack effectively, Cyber Range is the best platform to emulate all cyber-attacks and defenses. This article will use VMware virtual machine emulation technology, research cyber range systems under industrial control network architecture, and design and implement an industrial control cyber range system. Using the industrial cyber range to perform vulnerability analyses and exploits on web servers, web applications, and operating systems. The result demonstrates the consequences of the vulnerability attack and raises awareness of cyber security among government, enterprises, education, and other related fields, improving the practical ability to defend against cybersecurity threats.

Cyber threats can cause severe damage to computing infrastructure and systems as well as data breaches that make sensitive data vulnerable to attackers and adversaries. It is therefore imperative to discover those threats and stop them before bad actors penetrating into the information systems.Threats hunting algorithms based on machine learning have shown great advantage over classical methods. Reinforcement learning models are getting more accurate for identifying not only signature-based but also behavior-based threats. Quantum mechanics brings a new dimension in improving classification speed with exponential advantage. The accuracy of the AI/ML algorithms could be affected by many factors, from algorithm, data, to prejudicial, or even intentional. As a result, AI/ML applications need to be non-biased and trustworthy.In this research, we developed a machine learning-based cyber threat detection and assessment tool. It uses two-stage (both unsupervised and supervised learning) analyzing method on 822,226 log data recorded from a web server on AWS cloud. The results show the algorithm has the ability to identify the threats with high confidence.

In this modern era, web security is often required to beware from fraudulent activities. There are several hackers try to build a program that can interact with web pages automatically and try to breach the data or make several junk entries due to that web servers get hanged. To stop the junk entries; CAPTCHA is a solution through which bots can be identified and denied the machine based program to intervene with. CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart. In the progression of CAPTCHA; there are several methods available such as distorted text, picture recognition, math solving and gaming based CAPTCHA. Game based turing test is very much popular now a day but there are several methods through which game can be cracked because game is not intellectual. So, there is a required of intrinsic CAPTCHA. The proposed system is based on Intrinsic Decision based Situation Reaction Challenge. The proposed system is able to better classify the humans and bots by its intrinsic problem. It has been considered as human is more capable to deal with the real life problems and machine is bit poor to understand the situation or how the problem can be solved. So, proposed system challenges with simple situations which is easier for human but almost impossible for bots. Human is required to use his common sense only and problem can be solved with few seconds.

Cyber security is turning into a significant angle in each industry like in banking part, force and computerization segments. Servers are basic resources in these enterprises where business basic touch information is put away. These servers frequently join web servers in them through which any business information and tasks are performed remotely. Thus, clearly for a solid activity, security of web servers is extremely basic. This paper gives another testing way to deal with defenselessness appraisal of web applications by methods for breaking down and utilizing a consolidated arrangement of apparatuses to address a wide scope of security issues.

The advancements in technology can be seen in recent years, and people have been adopting the emerging technologies. Though people rely upon these advancements, many loopholes can be seen if you take a particular field, and attackers are thirsty to steal personal data. There has been an increasing number of cyber threats and breaches happening worldwide, primarily for fun or for ransoms. Web servers and sites of the users are being compromised, and they are unaware of the vulnerabilities. Vulnerabilities include OWASP's top vulnerabilities like SQL injection, Cross-site scripting, and so on. To overcome the vulnerabilities and protect the site from getting down, the proposed work includes the implementation of a Web Application Firewall focused on the Application layer of the OSI Model; the product protects the target web applications from the Common OWASP security vulnerabilities. The Application starts analyzing the incoming and outgoing requests generated from the traffic through the pre-built Application Programming Interface. It compares the request and parameter with the algorithm, which has a set of pre-built regex patterns. The outcome of the product is to detect and reject general OWASP security vulnerabilities, helping to secure the user's business and prevent unauthorized access to sensitive data, respectively.

Cyberattacks are one of the most pressing issues of our time. The impact of cyberthreats can damage various sectors such as business, health care, and governments, so one of the best solutions to deal with these cyberattacks and reduce cybersecurity threats is using Deep Learning. In this paper, we have created an in-depth study model to detect SQL Injection Attacks and Cross-Site Script attacks. We focused on XSS on the Stored-XSS attack type because SQL and Stored-XSS have similar site management methods. The advantage of combining deep learning with cybersecurity in our system is to detect and prevent short-term attacks without human interaction, so our system can reduce and prevent web attacks. This post-training model achieved a more accurate result more than 99% after maintaining the learning level, and 99% of our test data is determined by this model if this input is normal or dangerous.

Web server is an appealing target for attackers since it may be exploited to gain access to an organization’s internal network. After compromising a web server, the attacker can construct a webshell to maintain a long-term and stealthy access for further attacks. Among all webshell-based attacks, command injection is a powerful attack that can be launched to steal sensitive data from the web server or compromising other computers in the network. To monitor and analyze webshell-based command injection, we develop a hybrid webshell honeypot framework called HoneyBog, which intercepts and redirects malicious injected commands from the front-end honeypot to the high-fidelity back-end honeypot for execution. HoneyBog can achieve two advantages by using the client-server honeypot architecture. First, since the webshell-based injected commands are transferred from the compromised web server to a remote constrained execution environment, we can prevent the attacker from launching further attacks in the protected network. Second, it facilitates the centralized management of high-fidelity honeypots for remote honeypot service providers. Moreover, we increase the system fidelity of HoneyBog by synchronizing the website files between the front-end and back-end honeypots. We implement a prototype of HoneyBog using PHP and the Apache web server. Our experiments on 260 PHP webshells show that HoneyBog can effectively intercept and redirect injected commands with a low performance overhead.

Preventing the cyberattacks has been a concern for any organization. In this research, the authors propose a novel method to detect cyberattacks by monitoring and analyzing the network traffic. It was observed that the various log files that are created in the server does not contain all the relevant traces to detect a cyberattack. Hence, the HTTP traffic to the web server was analyzed to detect any potential cyberattacks. To validate the research, a web server was simulated using the Opensource Damn Vulnerable Web Application (DVWA) and the cyberattacks were simulated as per the OWASP standards. A python program was scripted that captured the network traffic to the DVWA server. This traffic was analyzed in real-time by reading the various HTTP parameters viz., URLs, Get / Post methods and the dependencies. The results were found to be encouraging as all the simulated attacks in real-time could be successfully detected. This work can be used as a template by various organizations to prevent any insider threat by monitoring the internal HTTP traffic.

Intrusion Detection System (IDS) is a system that could detect suspicious activity in a network. Two approaches are known for IDS, namely signature-based and anomaly-based. The anomaly-based detection method was chosen to detect suspicious and abnormal activity for the system that cannot be performed by the signature-based method. In this study, attack testing was carried out using three DoS tools, namely the LOIC, Torshammer, and Xerxes tools, with a test scenario using IDS and without IDS. From the test results that have been carried out, IDS has successfully detected the attacks that were sent, for the delivery of the most consecutive attack packages, namely Torshammer, Xerxes, and LOIC. In the detection of Torshammer attack tools on the target FTP Server, 9421 packages were obtained, for Xerxes tools as many as 10618 packages and LOIC tools as many as 6115 packages. Meanwhile, attacks on the target Web Server for Torshammer tools were 299 packages, for Xerxes tools as many as 530 packages, and for LOIC tools as many as 103 packages. The accuracy of the IDS performance results is 88.66%, the precision is 88.58% and the false positive rate is 63.17%.

Regular expression denial of service (ReDoS)— which exploits the super-linear running time of matching regular expressions against carefully crafted inputs—is an emerging class of DoS attacks to web services. One challenging question for a victim web service under ReDoS attacks is how to quickly recover its normal operation after ReDoS attacks, especially these zero-day ones exploiting previously unknown vulnerabilities.In this paper, we present RegexNet, the first payload-based, automated, reactive ReDoS recovery system for web services. RegexNet adopts a learning model, which is updated constantly in a feedback loop during runtime, to classify payloads of upcoming requests including the request contents and database query responses. If detected as a cause leading to ReDoS, RegexNet migrates those requests to a sandbox and isolates their execution for a fast, first-measure recovery.We have implemented a RegexNet prototype and integrated it with HAProxy and Node.js. Evaluation results show that RegexNet is effective in recovering the performance of web services against zero-day ReDoS attacks, responsive on reacting to attacks in sub-minute, and resilient to different ReDoS attack types including adaptive ones that are designed to evade RegexNet on purpose.

Over the years, operating systems (OSs) have grown significantly in complexity and size providing attackers with more avenues to compromise their security. By eliminating the OS, it becomes possible to develop general-purpose non-embedded applications that are free of typical OS-related vulnerabilities. Such applications are simpler and smaller in size, making it easier secure the application code. Bare machine computing (BMC) applications run on ordinary desktops and laptops without the support of any operating system or centralized kernel. Many BMC applications have been developed previously for single-core systems. We show how to build BMC applications for multicore systems by presenting the design and implementation of a novel UDP-based bare machine prototype Web server for a multicore architecture. We also include preliminary experimental results from running the server on the Internet. This work provides a foundation for building secure computer applications that run on multicore systems without the need for intermediary software.

The object of the research is distributed software-defined storage systems, as well as methods of caching disk devices. It is important for improving the performance of storage systems, which is relevant in modern conditions. In this article, an assessment of the possibility of improving performance through the use of various caching methods is made, as well as experimental research and analysis of the results obtained. The parameters of the application's operation with the disk subsystem have been determined. The results of experiments are presented - testing was carried out on a deployed architecture of a distributed storage with two types of caching, the results are combined in graphs. Conclusions are drawn, including on the prospects for further research.

Mathematical model of web server protection is being proposed based on filtering HTTP (Hypertext Transfer Protocol) packets that do not match the semantic parameters of the request standards of this protocol. The model is defined as a graph, and the relationship between the parameters - the sets of vulnerabilities of the corporate network, the methods of attacks and their consequences-is described by the Cartesian product, which provides the correct interpretation of a corporate network cyber attack. To represent the individual stages of simulated attacks, it is possible to separate graph models in order to model more complex attacks based on the existing simplest ones. The unity of the model proposed representation of cyber attack in three variants is shown, namely: graphic, text and formula.

DDoS attacks are pre-dominant in traditional networks, they are used to bring down the services of important servers in the network, thereby affecting its performance. One such kind of attack is HTTP GET Flood DDoS attack in which a lot of HTTP GET request messages are sent to the victim web server, overwhelming its resources and bringing down its services to the legitimate clients. The solution to such attacks in traditional networks is usually implemented at the servers, but this consumes its resources which could otherwise be used to process genuine client requests. Software Defined Network (SDN) is a new network architecture that helps to deal with these attacks in a different way. In SDN the mitigation can be done using the controller without burdening the server. In this paper, we first show how an HTTP GET Flood DDoS attack can be performed on the webserver in an SDN environment and then propose a solution to mitigate the same with the help of the SDN controller. At the server, the attack is detected by checking the number of requests arriving to the web server for a certain period of time, if the number of request is greater than a particular threshold then the hosts generating such attacks will be blocked for the attack duration.

Nowadays, cybersecurity threat is a big challenge to all organizations that present their services over the Internet. Distributed Denial of Service (DDoS) attack is the most effective and used attack and seriously affects the quality of service of each E-organization. Hence, mitigation this type of attack is considered a persistent need. In this paper, we used Network Load Balancing (NLB) and High Availability Proxy (HAProxy) as mitigation techniques. The NLB is used in the Windows platform and HAProxy in the Linux platform. Moreover, Internet Information Service (IIS) 10.0 is implemented on Windows server 2016 and Apache 2 on Linux Ubuntu 16.04 as web servers. We evaluated each load balancer efficiency in mitigating synchronize (SYN) DDoS attack on each platform separately. The evaluation process is accomplished in a real network and average response time and average CPU are utilized as metrics. The results illustrated that the NLB in the Windows platform achieved better performance in mitigation SYN DDOS compared to HAProxy in the Linux platform. Whereas, the average response time of the Window webservers is reduced with NLB. However, the impact of the SYN DDoS on the average CPU usage of the IIS 10.0 webservers was more than those of the Apache 2 webservers.

Distributed Denial of Service (DDoS) attacks have been one of the persistent forms of attacks on information technology infrastructure connected to a public network due to the ease of access to DDoS attack tools. Researchers have been able to develop several techniques to curb volumetric DDoS attacks which overwhelms the target with large number of request packets. However, compared to volumetric DDoS, low amount of research has been executed on mitigating slow DDoS. Data mining approaches and various Artificial Intelligence techniques have been proved by researchers to be effective for reduce DDoS attacks. This paper provides the scholarly community with slow DDoS attack detection techniques using Genetic Algorithm and Support Vector Machine aimed at mitigating slow DDoS attack in a Software-Defined Networking (SDN) environment simulated in GNS3. Genetic algorithm was employed to select the features which indicates the presence of an attack and also determine the appropriate regularization parameter, C, and gamma parameter for the Support Vector Machine classifier. Results obtained shows that the classifier had detection accuracy, Area Under Receiver Operating Curve (AUC), true positive rate, false positive rate and false negative rate of 99.89%, 99.89%, 99.95%, 0.18%, and 0.05% respectively. Also, the algorithm for subsequent implementation of the selective adaptive bubble burst mitigation mechanism was presented.

Moving Target Defense (MTD) has been emerged as a promising countermeasure to defend systems against cyberattacks asymmetrically while working well with legacy security and defense mechanisms. MTD provides proactive security services by dynamically altering attack surfaces and increasing attack cost or complexity to prevent further escalation of the attack. However, one of the non-trivial hurdles in deploying MTD techniques is how to handle potential performance degradation (e.g., interruptions of service availability) and maintain acceptable quality-of-service (QoS) in an MTD-enabled system. In this paper, we derive the service performance metrics (e.g., an extent of failed jobs) to measure how much performance degradation is introduced due to MTD operations, and propose QoS-aware service strategies (i.e., drop and wait) to manage ongoing jobs with the minimum performance degradation even under MTD operations running. We evaluate the service performance of software-defined networking (SDN)-based web services (i.e., Apache web servers). Our experimental results prove that the MTD-enabled system can minimize performance degradation by using the proposed job management strategies. The proposed strategies aim to optimize a specific service configuration (e.g., types of jobs and request rates) and effectively minimize the adverse impact of deploying MTD in the system with acceptable QoS while retaining the security effect of IP shuffling-based MTD.

In the existing scheduling algorithms of mimicry structure, the random algorithm cannot solve the problem of large vulnerability window in the process of random scheduling. Based on known vulnerabilities, the algorithm with diversity and complexity as scheduling indicators can not only fail to meet the characteristic requirements of mimic's endogenous security for defense, but also cannot analyze the unknown vulnerabilities and measure the continuous differences in time of mimic Executive Entity. In this paper, from the Angle of attack surface is put forward based on mimicry attack the mimic Executive Entity scheduling algorithm, its resources to measure analysis method and mimic security has intrinsic consistency, avoids the random algorithm to vulnerability and modeling using known vulnerabilities targeted, on time at the same time can ensure the diversity of the Executive body, to mimic the attack surface web server scheduling system in continuous time is less, and able to form a continuous differences. Experiments show that the minimum symbiotic resource scheduling algorithm based on time continuity is more secure than the random scheduling algorithm.

Mobile browsers have become one of the main mediators of our online activities. However, as web pages continue to increase in size and streaming media on-the-go has become commonplace, mobile data plan constraints remain a significant concern for users. As a result, data-saving features can be a differentiating factor when selecting a mobile browser. In this paper, we present a comprehensive exploration of the security and privacy threat that data-saving functionality presents to users. We conduct the first analysis of Android's data-saving browser (DSB) ecosystem across multiple dimensions, including the characteristics of the various browsers' infrastructure, their application and protocol-level behavior, and their effect on users' browsing experience. Our research unequivocally demonstrates that enabling data-saving functionality in major browsers results in significant degradation of the user's security posture by introducing severe vulnerabilities that are not otherwise present in the browser during normal operation. In summary, our experiments show that enabling data savings exposes users to (i) proxy servers running outdated software, (ii) man-in-the-middle attacks due to problematic validation of TLS certificates, (iii) weakened TLS cipher suite selection, (iv) lack of support of security headers like HSTS, and (v) a higher likelihood of being labelled as bots. While the discovered issues can be addressed, we argue that data-saving functionality presents inherent risks in an increasingly-encrypted Web, and users should be alerted of the critical savings-vs-security trade-off that they implicitly accept every time they enable such functionality.

Protocol detection is the process of determining the application layer protocol in the context of network security monitoring, which requires a timely and precise decision to enable protocol-specific deep packet inspection. This task has proven to be complex, as isolated characteristics, like port numbers, are not sufficient to reliably determine the application layer protocol. In this paper, we analyze the Dynamic Protocol Detection mechanisms employed by popular and widespread open-source network monitoring tools. On the example of HTTP, we show that all analyzed detection mechanisms are vulnerable to evasion attacks. This poses a serious threat to real-world monitoring operations. We find that the underlying fundamental problem of protocol disambiguation is not adequately addressed in two of three monitoring systems that we analyzed. To enable adequate operational decisions, this paper highlights the inherent trade-offs within Dynamic Protocol Detection.

Cross-site scripting (XSS) is an often-occurring major attack that developers should consider when developing web applications. We develop a system that can provide practical exercises for learning how to create web applications that are secure against XSS. Our system utilizes free software and virtual machines, allowing low-cost, safe, and practical exercises. By using two virtual machines as the web server and the attacker host, the learner can conduct exercises demonstrating both XSS countermeasures and XSS attacks. In our system, learners use a web browser to learn and perform exercises related to XSS. Experimental evaluations confirm that the proposed system can support learning of XSS countermeasures.

Illicitly hijacking visitors' computational resources for mining cryptocurrency via compromised websites is a consolidated activity.Previous works mainly focused on large-scale analysis of the cryptojacking ecosystem, technical means to detect browser-based mining as well as economic incentives of cryptojacking. So far, no one has studied if certain technical characteristics of a website can increase (decrease) the likelihood of being compromised for cryptojacking campaigns.In this paper, we propose to address this unanswered question by conducting a case-control study with cryptojacking websites obtained crawling the web using Minesweeper. Our preliminary analysis shows some association for certain website characteristics, however, the results obtained are not statistically significant. Thus, more data must be collected and further analysis must be conducted to obtain a better insight into the impact of these relations.

This paper proposes an approach that combines a deep learning-based method and a traditional machine learning-based method to efficiently detect malicious requests Web servers received. The first few layers of Convolutional Neural Network for Text Classification (TextCNN) are used to automatically extract powerful semantic features and in the meantime transferable statistical features are defined to boost the detection ability, specifically Web request parameter tampering. The semantic features from TextCNN and transferable statistical features from artificially-designing are grouped together to be fed into Support Vector Machine (SVM), replacing the last layer of TextCNN for classification. To facilitate the understanding of abstract features in form of numerical data in vectors extracted by TextCNN, this paper designs trace-back functions that map max-pooling outputs back to words in Web requests. After investigating the current available datasets for Web attack detection, HTTP Dataset CSIC 2010 is selected to test and verify the proposed approach. Compared with other deep learning models, the experimental results demonstrate that the approach proposed in this paper is competitive with the state-of-the-art.

Attackers can leverage several techniques to compromise computer networks, ranging from sophisticated malware to DDoS (Distributed Denial of Service) attacks that target the application layer. Application layer DDoS attacks, such as Slow Read, are implemented with just enough traffic to tie up CPU or memory resources causing web and application servers to go offline. Such attacks can mimic legitimate network requests making them difficult to detect. They also utilize less volume than traditional DDoS attacks. These low volume attack methods can often go undetected by network security solutions until it is too late. In this paper, we explore the use of machine learners for detecting Slow Read DDoS attacks on web servers at the application layer. Our approach uses a generated dataset based upon Netflow data collected at the application layer on a live network environment. Our Netflow data uses the IP Flow Information Export (IPFIX) standard providing significant flexibility and features. These Netflow features can process and handle a growing amount of traffic and have worked well in our previous DDoS work detecting evasion techniques. Our generated dataset consists of real-world network data collected from a production network. We use eight different classifiers to build Slow Read attack detection models. Our wide selection of learners provides us with a more comprehensive analysis of Slow Read detection models. Experimental results show that the machine learners were quite successful in identifying the Slow Read attacks with a high detection and low false alarm rate. The experiment demonstrates that our chosen Netflow features are discriminative enough to detect such attacks accurately.

In last decades' web application security has become one of the most important case study of information security studies. Business processes are transferred to web platforms. So web application usage is increased very fast. Web-based attacks have also increased due to the increased use of web applications. In order to ensure the security of web applications, intrusion detection and prevention systems and web application firewalls are used against web based attacks. Blockchain technology, which has become popular in recent years, enables reliable and transparent sharing of data with all stakeholders. In this study, in order to detect web-based attacks, a blockchain based web attack detection model that uses the signature based detection method is proposed. The signature based detection refers to the detection of attacks by looking for specific patterns against known web based attack types, such as Structured Query Language (SQL) Injection, Cross Site Scripting (XSS), Command Injection. Three web servers were used for the experimental study. A blockchain node has been installed with the MultiChain application for each server. Attacks on web applications are detected using the signature list found in the web application as well as detected using the signature list updated on the blockchain. According to the experimental results, the attacks signature detected and defined by a web application are updated in the blockchain lists and used by all web applications.