Quite a Mess in My Cookie Jar! Leveraging Machine Learning to Protect Web Authentication

机译：相当混乱在我的饼干罐里！利用机器学习来保护Web身份验证

获取原文

页面导航

摘要
著录项
相似文献
相关主题

摘要

Browser-based defenses have recently been advocated as an effective mechanism to protect web applications against the threats of session hijacking, fixation, and related attacks. In existing approaches, all such defenses ultimately rely on client-side heuristics to automatically detect cookies containing session information, to then protect them against theft or otherwise unintended use. While clearly crucial to the effectiveness of the resulting defense mechanisms, these heuristics have not, as yet, undergone any rigorous assessment of their adequacy. In this paper, we conduct the first such formal assessment, based on a gold set. of cookies we collect from 70 popular websites of the Alexa ranking. To obtain the gold set, we devise a semi-automatic procedure that draws on a novel notion of authentication token, which we introduce to capture multiple web authentication schemes. We test existing browser-based defenses in the literature against our gold set, unveiling several pitfalls both in the heuristics adopted and in the methods used to assess them. We then propose a new detection method based on supervised learning, where our gold set is used to train a binary classifier, and report on experimental evidence that our method outperforms existing proposals. Interestingly, the resulting classification, together with our hands-on experience in the construction of the gold set, provides new insight on how web authentication is implemented in practice.

机译：基于浏览器的防御最近被提倡为一种有效的机制，可以保护Web应用程序免受会话劫持，修复和相关攻击的威胁。在现有方法中，所有此类防御最终都依赖于客户端启发式算法来自动检测包含会话信息的cookie，从而保护它们免遭盗窃或其他意外使用。这些启发式方法虽然显然对由此产生的防御机制的有效性至关重要，但尚未对其严格性进行任何严格的评估。在本文中，我们基于金牌进行了首次此类正式评估。我们从Alexa排名的70个受欢迎的网站中收集的cookie。为了获得黄金集，我们设计了一种半自动过程，该过程借鉴了一种新颖的身份验证令牌概念，我们将其引入以捕获多种Web身份验证方案。我们针对我们的金牌测试了文献中现有的基于浏览器的防御措施，揭示了采用的启发式方法和评估方法中的一些陷阱。然后，我们提出了一种基于监督学习的新检测方法，其中我们的黄金集用于训练二元分类器，并报告实验证据表明我们的方法优于现有建议。有趣的是，由此产生的分类以及我们在构建金牌集方面的动手经验，为在实践中实施Web身份验证提供了新的见解。

著录项

来源
《International conference on world wide web》|2014年|189-199|共11页
会议地点
作者
Stefano Calzavara; Gabriele Tolomei; Michele Bugliesi; Salvatore Orlando;
展开▼
作者单位

展开▼
会议组织
原文格式 PDF
正文语种
中图分类
关键词
Web security; Authentication cookies; Classification;

机译：网络安全;身份验证cookie;分类;

相似文献

外文文献
中文文献
专利

1. A Supervised Learning Approach to Protect Client Authentication on the Web [J] . Calzavara Stefano, Tolomei Gabriele, Casini Andrea, ACM transactions on the web . 2015,第3期

机译：一种监督学习的方法来保护Web上的客户端身份验证
2. Leveraging fuzzy dominance relationship and machine learning for hybrid web service discovery [J] . Merzoug Mohammed, Chikh Mohammed Amine, Hadjila Fethallah International Journal of Web Engineering and Technology . 2016,第2期

机译：利用模糊优势关系和机器学习进行混合Web服务发现
3. WebCallerID: Leveraging cellular networks for Web authentication [J] . Francis Hsu, Hao Chen, Sridhar Machiraju Journal of computer security . 2011,第5期

机译：WebCallerID：利用蜂窝网络进行Web身份验证
4. Quite a Mess in My Cookie Jar! Leveraging Machine Learning to Protect Web Authentication [C] . Stefano Calzavara, Gabriele Tolomei, Michele Bugliesi, International conference on world wide web . 2014

机译：我的饼干罐里很烂摊子！利用机器学习保护Web身份验证
5. Improving user authentication on the web: Protected login, strong sessions, and identity federation. [D] . Dietz, Michael Thomas. 2014

机译：改善网络上的用户身份验证：受保护的登录名，强会话和身份联合。
6. Caught with one’s zinc fingers in the genome integrity cookie jar [O] . Caroline K. Vilas, Lara E. Emery, Eros Lazzerini Denchi, -1

机译：在基因组完整性饼干罐中夹住锌指
7. Protecting web usage of credit cards using one-time pad cookie encryption [O] . Donghua Xu, Chenghuai Lu, Andre Dos Santos 2002

机译：使用一次性cookie cookie加密保护信用卡的Web使用

Quite a Mess in My Cookie Jar! Leveraging Machine Learning to Protect Web Authentication

摘要

著录项

相似文献

相关主题

期刊订阅