Journal article

XSS Detection Model Based on Hash Tree and Finite State Machine (基于哈希树和有限状态机的XSS检测模型)
Cited by: 4
Abstract: Effective defences against cross-site scripting (XSS) attacks are currently lacking. To address this, the paper proposes a hash-tree-based multi-pattern matching model for fast XSS detection. The prime resolution theorem (质数分辨定理) serves as the basis of the hash function: feature values are encoded into feature nodes that can be added and removed dynamically, and these nodes build the hash tree. An improved deterministic finite state machine algorithm is then combined with the tree to extract multi-pattern similarity attack vectors, so that multi-pattern matching runs quickly. Experimental results show that the model achieves high detection accuracy with low false-negative and false-positive rates, meets the requirements for defending against XSS attacks at scale, and is effective in particular against reflected XSS.
Source: Computer Engineering (《计算机工程》; CAS and CSCD indexed), 2013, No. 6, pp. 154-157 and 161 (5 pages)
Funding: Science and Technology Fund of the Jiangxi Provincial Department of Education (20101106); International Cooperation Fund of the Ministry of Science and Technology (2010DFA70990)
Keywords: hash tree; cross-site scripting (XSS); similarity; deterministic finite state machine; attack vector
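The abstract describes the two mechanisms of the model (a hash-encoded feature set and a deterministic finite state machine that matches many XSS patterns in one pass, scored by similarity to known attack vectors) without showing them. The block below is an added illustration and is not the paper's code: it uses an Aho-Corasick automaton as the deterministic multi-pattern matcher, a constructed set of XSS indicator strings, constructed reference attack vectors, and Jaccard similarity as the scoring function. Pairing each feature with a distinct prime so that the product of the matched primes fingerprints the matched set is this example's own encoding (it relies on unique factorisation); it is an assumption about how primes can encode a feature set and does not reproduce the paper's hash tree.

```python
"""Multi-pattern XSS feature matching with a deterministic automaton.

Added illustration, not the paper's code. The feature strings, primes,
reference vectors and sample inputs below are constructed for the example.
"""
from collections import deque
import html
import re
from urllib.parse import unquote

# Constructed feature set (assumption): indicator string -> distinct prime.
FEATURES = {
    "<script": 2, "javascript:": 3, "onerror=": 5, "onload=": 7,
    "alert(": 11, "document.cookie": 13, "eval(": 17, "<img": 19,
    "<iframe": 23, "src=": 29,
}

# Constructed reference attack vectors (assumption), as feature sets.
KNOWN_VECTORS = {
    "script-alert": {"<script", "alert("},
    "img-onerror": {"<img", "onerror=", "alert("},
    "iframe-js": {"<iframe", "src=", "javascript:"},
    "js-url": {"javascript:"},
}


def normalize(value):
    """Undo common evasions before matching: two rounds of URL decoding,
    HTML entity decoding, lower-casing, and whitespace squeezed around '='
    and after '<' (so 'onerror = ' and '< script' still hit)."""
    text = html.unescape(unquote(unquote(value))).lower()
    text = re.sub(r"\s*=\s*", "=", text)
    return re.sub(r"<\s+", "<", text)


class AhoCorasick:
    """Deterministic multi-pattern matcher: a single pass over the text
    reports every pattern it contains, whatever the number of patterns."""

    def __init__(self, patterns):
        self.goto, self.fail, self.out = [{}], [0], [set()]
        for p in patterns:
            self._add(p)
        self._build_failure_links()

    def _add(self, pattern):
        state = 0
        for ch in pattern:
            if ch not in self.goto[state]:
                self.goto.append({}); self.fail.append(0); self.out.append(set())
                self.goto[state][ch] = len(self.goto) - 1
            state = self.goto[state][ch]
        self.out[state].add(pattern)

    def _build_failure_links(self):
        queue = deque(self.goto[0].values())  # depth-1 states fail to the root
        while queue:
            r = queue.popleft()
            for ch, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and ch not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(ch, 0)
                self.out[s] |= self.out[self.fail[s]]  # inherit suffix matches

    def search(self, text):
        state, found = 0, set()
        for ch in text:
            while state and ch not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(ch, 0)
            found |= self.out[state]
        return found


MATCHER = AhoCorasick(FEATURES)


def fingerprint(features):
    """Product of the matched features' primes; unique factorisation makes
    the code decodable back into exactly that feature set (assumed encoding)."""
    code = 1
    for f in features:
        code *= FEATURES[f]
    return code


def decode(code):
    return {f for f, p in FEATURES.items() if code % p == 0}


def similarity(a, b):
    """Jaccard similarity of two feature sets; 1.0 when both are empty."""
    return 1.0 if not a and not b else len(a & b) / len(a | b)


def classify(param_value, threshold=0.5):
    """Extract the feature set of one parameter value and score it against
    every known vector; the threshold trades false positives for misses."""
    feats = MATCHER.search(normalize(param_value))
    closest, best = None, 0.0
    for name, vec in KNOWN_VECTORS.items():
        s = similarity(feats, vec)
        if s > best:
            closest, best = name, s
    return {"features": feats, "fingerprint": fingerprint(feats),
            "closest": closest, "similarity": best, "xss": best >= threshold}


if __name__ == "__main__":
    for sample in ("%3Cscript%3Ealert(document.cookie)%3C/script%3E",
                   '<IMG SRC=x onerror = "alert(1)">',
                   "hello world, price=10"):
        print(sample, "->", classify(sample))
```

The threshold in `classify` is where the false-positive and false-negative rates the abstract reports are traded off: a lower value catches more variants of a known vector but flags benign values that share a feature such as `src=`. Signature matching of this kind is only as strong as its normalisation and feature set; payloads that split tokens (`<scr<script>ipt>`) or build strings at run time are not covered by the indicators above, so a matcher like this complements, and does not replace, output encoding and a content security policy.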
References (10)

  • [1] OWASP. The Ten Most Critical Web Application Security Risks [EB/OL]. (2010-04-10). https://www.owasp.org/index.php/Top_10.
  • [2] XSSED. XSS Attack Information [EB/OL]. [2012-05-13]. http://xssed.com.
  • [3] Grossman J, Fogie S, Song D. XSS Attacks: Cross Site Scripting Exploits and Defense [M]. [S.l.]: Amorette Pedersen, 2007.
  • [4] Wang Xiali, Zhang Yuqing. A behaviour-based client-side XSS defence method [J]. Journal of the Graduate School of the Chinese Academy of Sciences, 2011, 28(5): 668-675. (cited by 15)
  • [5] Nadji Y, Saxena P, Song D. Document Structure Integrity: A Robust Basis for Cross-site Scripting Defense [C]// Proceedings of the 16th Network and Distributed System Security Symposium. San Diego, USA: [s.n.], 2009.
  • [6] Gundy M V, Chen H. Noncespaces: Using Randomization to Enforce Information Flow Tracking and Thwart Cross-site Scripting Attacks [C]// Proceedings of the 16th Network and Distributed System Security Symposium. San Diego, USA: [s.n.], 2009.
  • [7] Xu W, Bhatkar S, Sekar R. Taint-enhanced Policy Enforcement: A Practical Approach to Defeat a Wide Range of Attacks [C]// Proc. of the 15th USENIX Security Symposium. Vancouver, Canada: [s.n.], 2006.
  • [8] Zhao Xuejie, Tang Yi. Research on cross-site scripting attack patterns [J]. Netinfo Security, 2011(11): 62-64. (cited by 2)
  • [9] Hansen R. XSS (Cross Site Scripting) Cheat Sheet [EB/OL]. [2012-05-04]. http://ha.ckers.org/xssAttacks.xml.
  • [10] Johns M, Engelmann B, Posegga J. XSSDS: Server-side Detection of Cross-site Scripting Attacks [C]// Proc. of the Annual Computer Security Applications Conference. Anaheim, USA: [s.n.], 2008.
