Article
Publication date: 7 September 2010

Joanne Kuzma

Abstract

Purpose

The purpose of this paper is to investigate the web vulnerability challenges at European library web sites and how these issues can affect the data protection of their patrons.

Design/methodology/approach

A web vulnerability testing tool was used to analyze 80 European library sites in four countries to determine how many security vulnerabilities each had and what were the most common types of problems.

Findings

Analysis results from surveying the libraries show the majority have serious security flaws in their web applications. The research shows that despite country‐specific laws mandating secure sites, system librarians have not implemented appropriate measures to secure their online information systems.

Research limitations/implications

Further research on library vulnerability throughout the world can be taken to educate librarians in other countries of the serious nature of protecting their systems.

Practical implications

The findings serve to remind librarians of the complexity in providing a secure online environment for their patrons and that a disregard or lack of awareness of securing systems could lead to serious vulnerabilities of the patrons' personal data and systems. Lack of consumer trust may result in a decreased use of online commerce and have serious repercussions for the municipal libraries. Several concrete examples of methods to improve security are provided.

Originality/value

The paper serves as a current paper on data security issues at Western European municipal library web sites. It serves as a useful summary regarding technical and managerial measures librarians can take to mitigate inadequacies in their security implementation.

Details

Library Hi Tech, vol. 28 no. 3
Type: Research Article
ISSN: 0737-8831

Article
Publication date: 22 November 2011

Helen Kapodistria, Sarandis Mitropoulos and Christos Douligeris

Abstract

Purpose

The purpose of this paper is to introduce a new tool which detects, prevents and records common web attacks that mainly result in web applications information leaking using pattern recognition. It is a cross‐platform application, namely, it is not OS‐dependent or web server dependent. It offers a flexible attacks search engine, which scans http requests and responses during a webpage serving without affecting the web server performance.

Design/methodology/approach

The paper starts with a study of the most known web vulnerabilities and the way they can be exploited. Then, it focuses on those web attacks based on input validation, which are the ones the new tool detects through pattern recognition. This tool acts as a proxy server having a simple GUI for administration purposes. Patterns can be detected in both http requests and responses in an extensible and manageable way.

Findings

The new tool was compared to dotDefender, a commercial web application firewall, and ModSecurity, a widely used open source application firewall, using over 200 attack patterns. The new tool had satisfying results for every attack category examined, having a high percentage of success. Results for stored XSS could not be achieved since the other tools are not able to search and detect them in http responses. The fact that the new tool is very extensible makes it possible for future work to be done.

Originality/value

This paper introduces a new web server plug‐in, which has some advanced web application firewall features with a flexible attacks search engine which scans http requests and responses. By scanning http responses, attacks such as stored XSS can be detected, a feature that cannot be found on other web application firewalls.

Details

Information Management & Computer Security, vol. 19 no. 5
Type: Research Article
ISSN: 0968-5227

Article
Publication date: 21 November 2018

Mahmoud Elish

Abstract

Purpose

Effective and efficient software security inspection is crucial as the existence of vulnerabilities represents severe risks to software users. The purpose of this paper is to empirically evaluate the potential application of Stochastic Gradient Boosting Trees (SGBT) as a novel model for enhanced prediction of vulnerable Web components compared to common, popular and recent machine learning models.

Design/methodology/approach

An empirical study was conducted where the SGBT and 16 other prediction models have been trained, optimized and cross-validated using vulnerability data sets from multiple versions of two open-source Web applications written in PHP. The prediction performance of these models has been evaluated and compared based on accuracy, precision, recall and F-measure.

Findings

The results indicate that the SGBT models offer improved prediction over the other 16 models and thus are more effective and reliable in predicting vulnerable Web components.

Originality/value

This paper proposed a novel application of SGBT for enhanced prediction of vulnerable Web components and showed its effectiveness.

Details

International Journal of Web Information Systems, vol. 15 no. 2
Type: Research Article
ISSN: 1744-0084

Article
Publication date: 10 November 2014

Ammar Alazab, Michael Hobbs, Jemal Abawajy, Ansam Khraisat and Mamoun Alazab

Abstract

Purpose

The purpose of this paper is to mitigate vulnerabilities in web applications; security detection and prevention are the most important mechanisms for security. However, most existing research focuses on how to prevent an attack at the web application layer, with less work dedicated to setting up a response action if a possible attack happened.

Design/methodology/approach

A combination of a Signature-based Intrusion Detection System (SIDS) and an Anomaly-based Intrusion Detection System (AIDS), namely, the Intelligent Intrusion Detection and Prevention System (IIDPS).

Findings

After evaluating the new system, a better result was generated in line with detection efficiency and the false alarm rate. This demonstrates the value of direct response action in an intrusion detection system.

Research limitations/implications

Data limitation.

Originality/value

The contributions of this paper are to first address the problem of web application vulnerabilities. Second, to propose a combination of an SIDS and an AIDS, namely, the IIDPS. Third, this paper presents a novel approach by connecting the IIDPS with a response action using fuzzy logic. Fourth, use the risk assessment to determine an appropriate response action against each attack event. Combining the system provides a better performance for the Intrusion Detection System, and makes the detection and prevention more effective.

Details

Information Management & Computer Security, vol. 22 no. 5
Type: Research Article
ISSN: 0968-5227

Article
Publication date: 1 May 2001

Steven M. Furnell, Pelagia Chiliarchaki and Paul S. Dowland

Abstract

Security analyser tools provide a useful means of automatically identifying, and potentially exploiting, vulnerabilities within computer systems and networks, but they are also of assistance to hackers looking for ways to break in. The paper highlights the range of tools that are available and of potential use to both audiences and considers the extent to which each group is likely to benefit from them in practice. It is considered that the ease of use of tools such as Back Orifice 2000 provides a means by which even the relatively unskilled hacker may inflict damage upon a system. Although tools are generally equally available to hackers and administrators, the hacker community is likely to be more aware of the opportunities available. Even where administrators are aware of the existence of particular tools, survey results indicate that they make relatively limited use of them. Factors that may account for this include their overall workload and lack of security awareness. Appropriate countermeasures can be identified to combat the individual categories of tool, but the problem of ensuring that these safeguards are implemented still remains.

Details

Information Management & Computer Security, vol. 9 no. 2
Type: Research Article
ISSN: 0968-5227

Article
Publication date: 7 October 2013

Hannes Holm and Mathias Ekstedt

Abstract

Purpose

The purpose of this paper is to estimate the effectiveness of web application firewalls (WAFs) at preventing injection attacks by professional penetration testers given presence or absence of four conditions: whether there is an experienced operator monitoring the WAF; whether an automated black box tool has been used when tuning the WAF; whether the individual tuning the WAF is an experienced professional; and whether significant effort has been spent tuning the WAF.

Design/methodology/approach

Estimates on the effectiveness of WAFs are made for 16 operational scenarios utilizing judgments by 49 domain experts participating in a web survey. The judgments of these experts are pooled using Cooke's classical method.

Findings

The results show that the median prevention rate of a WAF is 80 percent if all measures have been employed. If no measure is employed then its median prevention rate is 25 percent. Also, there are no strong dependencies between any of the studied measures.

Research limitations/implications

The results are only valid for the attacker profile of a professional penetration tester who prepares one week for attacking a WA protected by a WAF.

Practical implications

The competence of the individual(s) tuning a WAF, employment of an automated black box tool for tuning and the manual effort spent on tuning are of great importance for the effectiveness of a WAF. The presence of an operator monitoring it has minor positive influence on its effectiveness.

Originality/value

WA vulnerabilities are widely considered a serious concern. To manage them in deployed software, many enterprises employ WAFs. However, the effectiveness of this type of countermeasure under different operational scenarios is largely unknown.

Details

Information Management & Computer Security, vol. 21 no. 4
Type: Research Article
ISSN: 0968-5227

Article
Publication date: 1 February 2006

Yang Xiang and Wanlei Zhou

Abstract

In the last few years a number of highly publicized incidents of Distributed Denial of Service (DDoS) attacks against high‐profile government and commercial websites have made people aware of the importance of providing data and services security to users. A DDoS attack is an availability attack, which is characterized by an explicit attempt from an attacker to prevent legitimate users of a service from using the desired resources. This paper introduces the vulnerability of web applications to DDoS attacks, and presents an active distributed defense system that has a deployment mixture of sub‐systems to protect web applications from DDoS attacks. According to the simulation experiments, this system is effective in that it is able to defend web applications against attacks. It can avoid overall network congestion and provide more resources to legitimate web users.

Details

International Journal of Web Information Systems, vol. 2 no. 1
Type: Research Article
ISSN: 1744-0084

Article
Publication date: 7 October 2013

Alexandros Papanikolaou, Vasileios Vlachos, Andreas Venieris, Christos Ilioudis, Konstantinos Papapanagiotou and Anastasios Stasinopoulos

Abstract

Purpose

Teaching information systems security features some peculiarities, compared to other scientific fields, as the trainees have to design and protect systems against both known and unknown attacks. Moreover, the so far established stereotypes present the potential intruders as being ingenious and able to penetrate almost every system. The paper aims to discuss these issues.

Design/methodology/approach

Within the scope of two different modules in higher education institutes, the students' involvement into practical pre-designed scenarios was attempted, in order for them to understand the way intruders think, the methodologies they follow and the liabilities one may face for the flawed security of network applications and/or the supporting infrastructure. For this reason, an educational software tool was developed (named “Hackademic Challenges”), which comprised a variety of realistic scenarios, where the student had to locate and exploit various vulnerabilities, in order to successfully complete the challenge. Evaluation of the developed tool was attempted through an online, anonymous questionnaire.

Findings

The results show that the students embraced this approach and have benefited significantly from going through these exercises.

Originality/value

The contribution consists of findings that may be useful to other instructors teaching similar subjects.

Details

Information Management & Computer Security, vol. 21 no. 4
Type: Research Article
ISSN: 0968-5227

Article
Publication date: 1 October 2006

Robert Fox

Abstract

Purpose

This paper aims to examine issues surrounding digital stewardship and information security with the digital library.

Design/methodology/approach

This paper is exploratory in nature.

Findings

This paper highlights areas in which there needs to be awareness of information security issues in order to protect patrons and library resources.

Practical implications

Information security is now everyone's business. Librarians who deal heavily in digital content must be active in their stewardship of digital library resources, both to preserve and protect potentially sensitive content and to protect the privacy and confidentiality of the patrons.

Originality/value

It is hoped that everyone who has anything to do with the creation, maintenance, dissemination and preservation of digital content in the library context will take information security seriously. This paper is intended to be a primer for those who have not taken account of information security issues to begin doing so on an ongoing basis.

Details

OCLC Systems & Services: International digital library perspectives, vol. 22 no. 4
Type: Research Article
ISSN: 1065-075X

Article
Publication date: 19 July 2011

Dimitris Mitropoulos, Vassilios Karakoidas, Panagiotis Louridas and Diomidis Spinellis

Abstract

Purpose

The purpose of this paper is to propose a generic approach that prevents a specific class of code injection attacks (CIAs) in a novel way.

Design/methodology/approach

To defend against CIAs this approach involves detecting attacks by using location‐specific signatures to validate code statements. The signatures are unique identifiers that represent specific characteristics of a statement's execution. The key property that differentiates the scheme presented in this paper is that these characteristics do not depend entirely on the code statement, but also take into account elements from its execution context.

Findings

The approach was applied successfully to defend against attacks targeting structured query language (SQL), XML Path Language and JavaScript with positive results.

Originality/value

Despite many countermeasures that have been proposed the number of CIAs has been increasing. Malicious users seem to find new ways to introduce compromised embedded executable code to applications by using a variety of languages and techniques. Hence, a generic approach that defends against such attacks would be a useful countermeasure. This approach can defend attacks that involve both domain‐specific languages (e.g. SQL) and general purpose languages (e.g. JavaScript) and can be used both against client‐side and server‐side attacks.

Details

Information Management & Computer Security, vol. 19 no. 3
Type: Research Article
ISSN: 0968-5227
