ABSTRACT
As the public face of Web-based e-commerce, which is frequently considered a most important application area of the Internet, the Web page has been given more and more duties. With this trend, the importance of integrity protection for Web pages has grown dramatically, since it affects the business and daily life of a large number of people. Over the past few years, the integrity of Web pages has been under constant threat, such as unauthorized modifications and malicious code injections, which raise the risk of fraud during page browsing and cause many negative consequences. The situation has become even more urgent since the so-called in-flight page change was widely detected in recent years. In this paper, we present a design of an "Integrity As A Service" (IaaS) system to enforce integrity in Web pages. It is based on a novel fragile watermarking chain scheme and covers both the traditional host-target model and the new in-flight-target model of unauthorized modification. Our investigation and analysis show that the proposed system not only offers a one-stop service of Web page integrity protection to Web sites and users, but also has practical merits for small and medium enterprises (SMEs), such as reduced cost of system development.
Index Terms
- IAAS: an integrity assurance service for web page via a fragile watermarking chain module