An Attack Behavior Expressions for Web Attack Analysis and Composing Attack Database

A Study on an Effective Expression Method for Web Attack Analysis and Attack Database Generation

  • 이창훈 (Department of Computer Engineering, Hanshin University)
  • Received : 2010.08.26
  • Accepted : 2010.10.30
  • Published : 2010.10.31

Abstract

As internet services and their content have grown, attacks on web systems have grown with them. A web attack typically combines several attack mechanisms in order to compromise the server system. Although the variety of attack mechanisms keeps increasing, web attack defence mechanisms have not kept pace with the spread of these attacks. Therefore, to defend web applications effectively, web attacks should be categorized and analysed. In this paper, we analyse the specification evidence and the behaviour of web attacks and use them in the attack behaviour expressions we propose. We also generate web attack scenarios in order to verify the proposed expressions.

Recently, attacks related to web services have been increasing alongside the growth of those services. Web attacks also attempt to use several attack methods in combination in order to succeed. Although web attack methods are diversifying in this way, research on methods for defending against web attacks is insufficient. Therefore, to protect web applications, web attacks need to be classified and their characteristics identified. In this paper, we identify the characteristics of web attacks currently carried out against web applications and propose a method for expressing them effectively. We generate a variety of feasible web attack scenarios and use them to verify the proposed expression method.
