
Detecting CSRF through Analysis of Web Site Structure and Web Usage Patterns  

Choi, Jae-Yeong (Department of Computer Engineering, Incheon National University)
Lee, Hyuk-Jun (Department of Computer Engineering, Incheon National University)
Min, Byung-Jun (Department of Computer Engineering, Incheon National University)
Abstract
It is difficult to distinguish attack requests from legitimate ones when the attack is CSRF, which lets an attacker submit fabricated requests to a website on behalf of a trusted user. Many defenses against CSRF have been proposed, including secret tokens, custom headers, proxies, policy models, CAPTCHA, and user reauthentication. Each of these, however, can still be circumvented, and CAPTCHA and user reauthentication impose inconvenience on the user. In this paper, we propose a method for detecting CSRF attacks by analyzing the structure of a website and its usage patterns. Potential victim candidates are selected, and usage patterns are derived from the site structure and the access logs. A CSRF attack is detected as a request that deviates from the identified normal usage patterns. Unlike CAPTCHA, the proposed method does not harm user convenience, since it requires user intervention only when an abnormal request is detected.
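The following is an added illustration of the detection idea sketched in the abstract; it is not the authors' code and the paper's actual features and thresholds are not given on this page. It assumes two inputs the abstract names: a site map (which pages link to which, the website structure) and historical per-session access logs (the usage patterns). Pages that change server state are the potential victim candidates. For each candidate it derives the set of "normal" predecessor pages, both structurally (pages that link to it) and from usage (transitions observed at least `min_support` times in the training log), and a live request to a candidate is challenged only when the session's previous page is not a normal predecessor. All page names, log lines and the support threshold are constructed for the example.

```python
"""Toy CSRF detector based on site structure plus mined usage patterns.

Added example (not from the paper). Site map, logs, victim candidates and
the min_support threshold are all constructed for illustration.
"""
from collections import Counter, defaultdict

# Constructed site structure: page -> set of pages it links to.
SITE_LINKS = {
    "/": {"/account", "/help"},
    "/account": {"/transfer", "/settings", "/"},
    "/settings": {"/change_email", "/account"},
    "/transfer": {"/account"},
    "/change_email": {"/settings"},
    "/help": {"/"},
}

# Potential victim candidates: endpoints whose requests change server state.
VICTIM_CANDIDATES = {"/transfer", "/change_email"}

# Constructed historical access log: (session_id, method, path), in time order.
TRAINING_LOG = [
    ("s1", "GET", "/"), ("s1", "GET", "/account"), ("s1", "POST", "/transfer"),
    ("s2", "GET", "/"), ("s2", "GET", "/account"), ("s2", "GET", "/settings"),
    ("s2", "POST", "/change_email"),
    ("s3", "GET", "/account"), ("s3", "POST", "/transfer"),
    ("s4", "GET", "/"), ("s4", "GET", "/account"), ("s4", "POST", "/transfer"),
]


def structural_predecessors(site_links, victims):
    """Structure-derived normal paths: pages that link to each victim candidate."""
    preds = defaultdict(set)
    for page, targets in site_links.items():
        for victim in targets & victims:
            preds[victim].add(page)
    return preds


def mine_transitions(log):
    """Usage mining: count (previous page -> page) transitions within sessions."""
    counts = Counter()
    last_seen = {}
    for sid, _method, path in log:
        if sid in last_seen:
            counts[(last_seen[sid], path)] += 1
        last_seen[sid] = path
    return counts


class CsrfDetector:
    def __init__(self, site_links, victims, training_log, min_support=2):
        self.victims = victims
        self.struct_preds = structural_predecessors(site_links, victims)
        # Usage-derived predecessors: transitions into a victim candidate that
        # were observed at least min_support times in the historical log.
        self.usage_preds = defaultdict(set)
        for (prev, path), n in mine_transitions(training_log).items():
            if path in victims and n >= min_support:
                self.usage_preds[path].add(prev)
        self.session_last = {}  # live state: session id -> last allowed page

    def observe(self, sid, method, path):
        """Feed one live request; return 'allow' or 'challenge'.

        Any request to a victim candidate is checked regardless of method, so
        GET-based forgeries are covered as well as POSTs. A challenged request
        is not recorded as the session's last page, because the user never
        navigated there."""
        prev = self.session_last.get(sid)
        if path in self.victims:
            normal = self.struct_preds[path] | self.usage_preds[path]
            if prev not in normal:
                return "challenge"  # abnormal: require reauthentication or CAPTCHA
        self.session_last[sid] = path
        return "allow"


def evaluate(detector, live_log):
    """Run a constructed live log through the detector; return verdicts in order."""
    return [(sid, path, detector.observe(sid, method, path))
            for sid, method, path in live_log]


if __name__ == "__main__":
    det = CsrfDetector(SITE_LINKS, VICTIM_CANDIDATES, TRAINING_LOG)
    live = [
        ("u1", "GET", "/account"), ("u1", "POST", "/transfer"),   # normal path
        ("u2", "GET", "/help"), ("u2", "POST", "/transfer"),      # forged from elsewhere
        ("u3", "POST", "/change_email"),                          # no navigation at all
        ("u3", "GET", "/settings"), ("u3", "POST", "/change_email"),  # structural path
    ]
    for sid, path, verdict in evaluate(det, live):
        print(f"{sid} {path}: {verdict}")
```

In the sample, `/settings -> /change_email` appears only once in the training log, so it falls below `min_support`; the structural link from `/settings` still admits it, which is the point of combining structure with usage. A forged `/transfer` request from a session whose last page was `/help`, or from a session with no prior page at all, is challenged, while the ordinary `/account -> /transfer` path passes without any user intervention.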
Keywords
Detect CSRF; Usage Pattern; Web Security;
References
1 J. Srivastava, R. Cooley, M. Deshpande, and P.-N. Tan, "Web usage mining: Discovery and applications of usage patterns from web data", ACM SIGKDD Explorations, 2000.
2 D. Gourley and B. Totty, "HTTP: The Definitive Guide", O'Reilly Media, 2002.
3 OWASP, "Cross-Site Request Forgery", http://www.owasp.org/index.php/Cross-Site_Request_Forgery.
4 OWASP, "CSRF Guard", http://www.owasp.org/index.php/CSRF_Guard.
5 N. Jovanovic, E. Kirda, and C. Kruegel, "Preventing Cross Site Request Forgery attacks", in IEEE International Conference on Security and Privacy in Communication Networks (SecureComm), 2006.
6 A. Barth, C. Jackson, and J. C. Mitchell, "Robust defenses for Cross-Site Request Forgery", in Proceedings of the 15th ACM Conference on Computer and Communications Security (CCS 2008), 2008.
7 M. Shema, "Seven Deadliest Web Application Attacks", Syngress, 2010.
8 A. Klein, "Forging HTTP request headers with Flash", http://www.securityfocus.com/archive/1/441014, 2006.
9 M. Johns and J. Winter, "RequestRodeo: Client side protection against session riding", in Proceedings of the OWASP Europe 2006 Conference, 2006.
10 W. Maes, T. Heyman, L. Desmet, and W. Joosen, "Browser Protection against Cross-Site Request Forgery", in Workshop on Secure Execution of Untrusted Code (SecuCode), 2009.
11 CAPTCHA project, www.captcha.net.
12 B. Liu, "Web Data Mining: Exploring Hyperlinks, Contents, and Usage Data", Springer, 2006.