50 results for WEB application

in Deakin Research Online - Australia


Relevance: 100.00%

Abstract:

SQL injection vulnerabilities pose a severe threat to web applications as an SQL Injection Attack (SQLIA) could adopt new obfuscation techniques to evade and thwart countermeasures such as Intrusion Detection Systems (IDS). SQLIA gains access to the back-end database of vulnerable websites, allowing hackers to execute SQL commands in a web application resulting in financial fraud and website defacement. The lack of existing models in providing protections against SQL injection has motivated this paper to present a new and enhanced model against web database intrusions that use SQLIA techniques. In this paper, we propose a novel concept of negative tainting along with SQL keyword analysis for preventing SQLIA and described our that we implemented. We have tested our proposed model on all types of SQLIA techniques by generating SQL queries containing legitimate SQL commands and SQL Injection Attack. Evaluations have been performed using three different applications. The results show that our model protects against 100% of tested attacks before even reaching the database layer.

Relevance: 100.00%

Abstract:

Findings: After evaluating the new system, a better result was generated in line with detection efficiency and the false alarm rate. This demonstrates the value of direct response action in an intrusion detection system.

Relevance: 70.00%

Abstract:

In the last few years a number of highly publicized incidents of Distributed Denial of Service (DDoS) attacks against high-profile government and commercial websites have made people aware of the importance of providing data and services security to users. A DDoS attack is an availability attack, which is characterized by an explicit attempt from an attacker to prevent legitimate users of a service from using the desired resources. This paper introduces the vulnerability of web applications to DDoS attacks, and presents an active distributed defense system that has a deployment mixture of sub-systems to protect web applications from DDoS attacks. According to the simulation experiments, this system is effective in that it is able to defend web applications against attacks. It can avoid overall network congestion and provide more resources to legitimate web users.

Relevance: 70.00%

Abstract:

Web applications have steadily increased, making them very important in areas such as financial sectors, e-commerce, e-government, social media network, medical data, e-business, academic activities, e-banking, e-shopping, e-mail. However, web application pages support users interacting with the data stored in their website to insert, delete and modify content by making a web site their own space. Unfortunately, these activities attracted writers of malicious software for financial gain, and to take advantage of such activities to perform their malicious objectives. This chapter focuses on severe threats to web applications specifically on Structured Query Language Injection Attack (SQLIA) and Zeus threats. These threats could adopt new obfuscation techniques to evade and thwart countermeasures such as Intrusion Detection Systems (IDS). Furthermore, this work explores and discusses the techniques to detect and prevent web application malware.

Relevance: 70.00%

Abstract:

Increasingly, web applications are being developed over the Internet. Securing these web applications is becoming important as they hold critical security features. However, cybercriminals are becoming smarter by developing a crime toolkit, and employing sophisticated techniques to evade detection. These crime toolkits can be used by any person to target Internet users. In this paper, we explore the techniques used in crime toolkits. We present a current state-of-the-art analysis of crime toolkits and focus on attacks against web applications. The crime toolkit techniques are compared with the vulnerability of web applications to help reveal particular behaviour such as popular web application vulnerabilities that malicious writers prefer. In addition, we outline the existing protection mechanism, and observe that the possibility for damage is rising, particularly as specialization and scale increase in cybercrime.

Relevance: 60.00%

Abstract:

This paper examines the value of real-time traffic information gathered through Geographic Information Systems for achieving an optimal vehicle routing within a dynamically stochastic transportation network. We present a systematic approach in determining the dynamically varying parameters and implementation attributes that were used for the development of a Web-based transportation routing application integrated with real-time GIS services. We propose and implement an optimal routing algorithm by modifying Dijkstra’s algorithm in order to incorporate stochastically changing traffic flows. We describe the significant features of our Web application in making use of the real-time dynamic traffic flow information from GIS services towards achieving total costs savings and vehicle usage reduction. These features help users and vehicle drivers in improving their service levels and productivity as the Web application enables them to interactively find the optimal path and in identifying destinations effectively.

Relevance: 60.00%

Abstract:

Disulfide torsional energy, a good predictor of disulfide redox potential in proteins, may be estimated by interpolation on a potential energy surface (PES) describing the twisting of diethyl disulfide through its three central dihedral angles. Here we update PES calculations at the M05-2X level of theory with the 6-31G(d) basis set. Although the surface shows no qualitative differences from an earlier MP2(full) PES, energy differences greater than 1 kJ mol⁻¹ were seen for conformations with χ₂ between –60° and 30°, or with χ₃ below 60° or above 130°. This is particularly significant for highly strained disulfides that are likely to be spontaneously reduced by mechanical means. In benchmarking against the high-level G3X method, M05-2X showed significantly reduced root mean squared deviation compared with MP2(full) (1.0 versus 2.0 kJ mol⁻¹ respectively). Results are incorporated into a web application that calculates relative torsional energies from disulfide dihedral angles (http://www.sbinf.org/applications/pes.html).

Relevance: 60.00%

Abstract:

For years, opinion polls have relied on data collected through telephone or person-to-person surveys. The process is costly, inconvenient, and slow. Recently online search data has emerged as potential proxies for the survey data. However, considerable human involvement is still needed for the selection of search indices, a task that requires knowledge of both the target issue and how search terms are used by the online community. The robustness of such manually selected search indices can be questionable. In this paper, we propose an automatic polling system through a novel application of machine learning. In this system, the needs for examining, comparing, and selecting search indices have been eliminated through automatic generation of candidate search indices and intelligent combination of the indices. The results include a publicly accessible web application that provides real-time, robust, and accurate measurements of public opinions on several subjects of general interest.

Relevance: 60.00%

Abstract:

Objectives: To investigate the validity of a common depression metric in independent samples. Study Design and Setting: We applied a common metrics approach based on item-response theory for measuring depression to four German-speaking samples that completed the Patient Health Questionnaire (PHQ-9). We compared the PHQ item parameters reported for this common metric to reestimated item parameters that derived from fitting a generalized partial credit model solely to the PHQ-9 items. We calibrated the new model on the same scale as the common metric using two approaches (estimation with shifted prior and Stocking-Lord linking). By fitting a mixed-effects model and using Bland-Altman plots, we investigated the agreement between latent depression scores resulting from the different estimation models. Results: We found different item parameters across samples and estimation methods. Although differences in latent depression scores between different estimation methods were statistically significant, these were clinically irrelevant. Conclusion: Our findings provide evidence that it is possible to estimate latent depression scores by using the item parameters from a common metric instead of reestimating and linking a model. The use of common metric parameters is simple, for example, using a Web application (http://www.common-metrics.org) and offers a long-term perspective to improve the comparability of patient-reported outcome measures.

Relevance: 60.00%

Abstract:

While SQL injection attacks have been plaguing web application systems for years, the possibility of them affecting RFID systems was only identified very recently. However, very little work exists to mitigate this serious security threat to RFID-enabled enterprise systems. In this paper, we propose a policy-based SQLIA detection and prevention method for RFID systems. The proposed technique creates data validation and sanitization policies during content analysis and enforces those policies during runtime monitoring. We tested all possible types of dynamic queries that may be generated in RFID systems with all possible types of attacks that can be mounted on those systems. We present an analysis and evaluation of the proposed approach to demonstrate the effectiveness of the proposed approach in mitigating SQLIA.

Relevance: 40.00%

Abstract:

This paper presents a real application of Web-content mining using an incremental FP-Growth approach. We firstly restructure the semi-structured data retrieved from the web pages of the Chinese car market to fit into the local database, and then employ an incremental algorithm to discover the association rules for the identification of car preference. To find more general regularities, a method of attribute-oriented induction is also utilized to find customers’ consumption preferences. Experimental results show some interesting consumption preference patterns that may be beneficial for the government in making policy to encourage and guide car consumption.