Abstract
Web application servers are prone to attacks that are more vulnerable and thousands of security breaches that are taking place everyday. Predominantly, the hackers to breach the web application systems security use the method of SQL injections and XSS models. IDS systems play a pivotal role in identifying the intrusions and alerting about the attacks. Despite that, there are numerous models of IDS systems in place; one of the commonly approached systems is the syntax analyzers. However, the limitations in terms of programming language dependency and the related issues drop the performance levels of syntax analyzer based strategies. To ensure the right kind of http request vulnerabilities, detection methods are in place; the Cuckoo Search based Exploratory Scale (CSES) to defend input-type validation vulnerabilities of HTTP requests is proposed here in this paper. The key objective of CSES is to magnify the speed and accuracy of input-type validation of web applications. The programming language dependency and server level process overhead issues do not impact the performance of CSES. In addition, the other key benefit of CSES model is optimal speed in search related to vulnerability scope detection. The experimental studies that are carried out on a dataset that contains the records prone to cross-site scripting, SQL injection alongside the normal records, depict better performance of the model, when compared to the other benchmarking model of DEKANT. CSES model has delivered improved accuracy levels in identifying the attacks.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
D. Balzarotti et al., “Saner: composing static and dynamic analysis to validate sanitization in web applications,” Proc. IEEE Symposium on Security and Privacy, pp. 387–401, 2008
X. Fu and C.-C. Li, “A string constraint solver for detecting web application vulnerability,” Proc. International Conference on Software Engineering and Knowledge Engineering, pp. 535–542, 2010
M. Martin and M.S. Lam, “Automatic generation of XSS and SQL injection attacks with goal-directed model checking,” Proc. USENIX Security Symposium, pp. 31–43, 2008
K.-K. Ma, K. Y. Phang, J.S. Foster, and M. Hicks. “Directed Symbolic Execution,” Proc. International Conference on Static Analysis, pp. 95–111, 2011
Y. Shin, A. Meneely, L. Williams, and J.A. Osborne, “Evaluating complexity, code churn, and developer activity metrics as indicators of software vulnerabilities,” IEEE Transactions on Software Engineering, vol. 37, no. 6, pp. 772–787, 2011
Rager, Anton. “XSSProxy’.” (2005); http://xss-proxy.sourceforge.net/
Larouche, Francois. “SQL Power Injector.” (2011); http://www.sqlpowerinjector.com
Powers, David Martin. “Evaluation: from precision, recall and F-measure to ROC, informedness, markedness and correlation.” (2011).
Jovanovic, N., Kruegel, C., Kirda, E.: Precise alias analysis for static detection of web application vulnerabilities. In: Proceedings of the 2006 Workshop on Programming Languages and Analysis for Security. pp. 27–36 (Jun 2006)
Nunes, P., Fonseca, J., Vieira, M.: phpSAFE: A security analysis tool for OOP web application plugins. In: Proceedings of the 45th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (Jun 2015)
Son, S., Shmatikov, V.: SAFERPHP: Finding semantic vulnerabilities in PHP applications. In: Proceedings of the ACM SIGPLAN 6th Workshop on Programming Languages and Analysis for Security (2011)
Yamaguchi, F., Golde, N., Arp, D., Rieck, K.: Modeling and discovering vulnerabilities with code property graphs. In: Proceedings of the 2014 IEEE Symposium on Security and Privacy. pp. 590–604 (May 2014)
Medeiros, I., Neves, N.F., Correia, M.: Detecting and removing web application vulnerabilities with static analysis and data mining. IEEE Transactions on Reliability 65(1), 54–69 (March 2016)
Medeiros, I., Neves, N.F., Correia, M.: Equipping WAP with weapons to detect vulnerabilities. In: Proceedings of the 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (2016)
Arisholm, E., Briand, L.C., Johannessen, E.B.: A systematic and comprehensive investigation of methods to build and evaluate fault prediction models. Journal of Systems and Software 83(1), 2–17 (2010)
Neuhaus, S., Zimmermann, T., Holler, C., Zeller, A.: Predicting vulnerable software components. In: Proceedings of the 14th ACM Conference on Computer and Communications Security. pp. 529–540 (2007)
Shin, Y., Meneely, A., Williams, L., Osborne, J.A.: Evaluating complexity, code churn, and developer activity metrics as indicators of software vulnerabilities. IEEE Transactions on Software Engineering 37(6), 772–787 (2011)
Perl, H., Dechand, S., Smith, M., Arp, D., Yamaguchi, F., Rieck, K., Fahl, S., Acar, Y.: VCC Finder: Finding potential vulnerabilities in open-source projects to assist code audits. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. pp. 426–437. CCS ‘15 (Oct 2015)
Shar, L.K., Tan, H.B.K.: Mining input sanitization patterns for predicting SQL injection and cross site scripting vulnerabilities. In: Proceedings of the 34th International Conference on Software Engineering. pp. 1293–1296 (2012)
Shar, L.K., Tan, H.B.K.: Predicting common web application vulnerabilities from input validation and sanitization code patterns. In: Proceedings of the 27th IEEE/ACM International Conference on Automated Software Engineering. pp. 310–313 (2012)
Witten, I.H., Frank, E., Hall, M.A.: Data Mining: Practical Machine Learning Tools and Techniques. Morgan Kaufmann, 3rd edn. (2011)
Shar, L.K., Tan, H.B.K., Briand, L.C.: Mining SQL injection and cross site scripting vulnerabilities using hybrid program analysis. In: Proceedings of the 35th International Conference on Software Engineering. pp. 642–651 (2013)
Yamaguchi, F., Wressnegger, C., Gascon, H., Rieck, K.: Chucky: Exposing missing checks in source code for vulnerability discovery. In: Proceedings of the 20th ACM SIGSAC Conference on Computer Communications Security. pp. 499–510 (Nov 2013)
Scandariato, R., Walden, J., Hovsepyan, A., Joosen, W.: Predicting vulnerable software components via text mining. IEEE Transactions on Software Engineering 40(10), 993–1006 (2014)
Medeiros, Ibéria, Nuno Neves, and Miguel Correia. “DEKANT: a static analysis tool that learns to detect web application vulnerabilities.” Proceedings of the 25th International Symposium on Software Testing and Analysis. ACM, 2016
Baik, Nam-Kyun, et al. “Analysis and design of an intrusion tolerance node for application in traffic shaping.” Control, Automation and Systems, 2008. ICCAS 2008. International Conference on. IEEE, 2008
Garg, Aman, and AL Narasimha Reddy. “Mitigation of DoS attacks through QoS regulation.” Microprocessors and Microsystems 28.10 (2004): 521–530
Ranjan, Supranamaya, et al. “DDoS-shield: DDoS-resilient scheduling to counter application layer attacks.” IEEE/ACM Transactions on Networking (TON) 17.1 (2009): 26–39
Das, Debasish, Utpal Sharma, and D. K. Bhattacharyya. “Detection of HTTP flooding attacks in multiple scenarios.” Proceedings of the 2011 International Conference on Communication, Computing & Security. ACM, 2011
Jech, Thomas. Set theory. Springer Science & Business Media, 2013
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2018 Springer Nature Singapore Pte Ltd.
About this paper
Cite this paper
Venkatramulu, S., Guru Rao, C.V. (2018). CSES: Cuckoo Search Based Exploratory Scale to Defend Input-Type Validation Vulnerabilities of HTTP Requests. In: Bhateja, V., Tavares, J., Rani, B., Prasad, V., Raju, K. (eds) Proceedings of the Second International Conference on Computational Intelligence and Informatics . Advances in Intelligent Systems and Computing, vol 712. Springer, Singapore. https://doi.org/10.1007/978-981-10-8228-3_23
Download citation
DOI: https://doi.org/10.1007/978-981-10-8228-3_23
Published:
Publisher Name: Springer, Singapore
Print ISBN: 978-981-10-8227-6
Online ISBN: 978-981-10-8228-3
eBook Packages: EngineeringEngineering (R0)