Visualizing Endpoint Security Technologies using Attack Trees

Pettersson, Stefan

January 2008

Software vulnerabilities in programs and malware deployments have been increasing almost every year since we started measuring them. Information about how to program securely, how malware shall be avoided and technological countermeasures for this are more available than ever. Still, the trend seems to favor the attacker. This thesis tries to visualize the effects of a selection of technological countermeasures that have been proposed by researchers. These countermeasures: non-executable memory, address randomization, system call interception and file integrity monitoring are described along with the attacks they are designed to defend against. The coverage of each countermeasure is then visualized with the help of attack trees. Attack trees are normally used for describing how systems can be attacked but here they instead serve the purpose of showing where in an attack a countermeasure takes effect. Using attack trees for this highlights a couple of important aspects of a security mechanism, such as how early in an attack it is effective and which variants of an attack it potentially defends against. This is done by the use of what we call defensive codes that describe how a defense mechanism counters a sub-goal in an attack. Unfortunately the whole process is not well formalized and depends on many uncertain factors.

endpoint security

attack tree

memory corruption

non-executable memory

address randomization

system call interception

Computer Sciences

Datavetenskap (datalogi)

Limiting fake accounts in large-scale distributed systems through adaptive identity management / Gerenciamento adaptativo de identidades em sistemas distribuídos de larga escala

Cordeiro, Weverton Luis da Costa

January 2014

Sistemas online como Facebook, Twitter, Digg, e comunidades BitTorrent (entre vários outros) oferecem um processo leve para a obtenção de identidades (por exemplo, confirmar um endereço de e-mail válido; os requisitos podem variar dependendo do sistema), de modo que os usuários possam cadastrar-se facilmente nos mesmos. Tal conveniência vem com um preço, no entanto: com um pequeno esforço, um atacante pode obter uma grande quantidade de contas falsas (ataque Sybil), e utilizá-las para executar atividades maliciosas (que possam prejudicar os usuários legítimos) ou obter vantagens indevidas. É extremamente desafiador (senão impossível) desenvolver uma única solução de gerenciamento de identidades que seja ao mesmo tempo capaz de oferecer suporte a uma variedade de usuários usando dispositivos heterogêneos e adequada para uma diversidade de ambientes (por exemplo, sistemas distribuídos de larga escala, Internet das Coisas, e Internet do Futuro). Como consequência, a comunidade de pesquisa tem focado no projeto de soluções de gerenciamento de identidades customizadas, em cenários com um conjunto bem definido de propósitos, requisitos e limitações. Nesta tese, abordamos o problema de contas falsas em sistemas distribuídos de larga escala. Mais especificamente, nos concentramos em sistemas baseados no paradigma para- par e que podem acomodar esquemas de gerenciamento de identidades leves e de longo prazo (ex., sistemas de compartilhamento de arquivos e de live streaming, sistemas de detecção de intrusão colaborativos, entre outros); leves porque os usuários devem obter identidades sem precisar fornecer “provas de identidade” (ex., passaporte) e/ou pagar taxas; e longo prazo porque os usuários devem ser capazes de manter suas identidades (ex., através de renovação) por um período indefinido. Nosso principal objetivo é propor um arcabouço para precificar adaptativamente as solicitações de identidades como uma abordagem para conter ataques Sybil. A ideia chave é estimar um grau de confiança para as solicitações de identidades, calculada como função do número de identidades já concedidas em um dado período, considerando a origem dessas solicitações. Nossa abordagem baseia-se em prova de trabalho e usa desafios criptográficos como um recurso para conter atacantes. Nesta tese, nós também concentramos esforços na reformulação dos desafios tradicionais, de modo a torná-los “verdes” e “´uteis”. Os resultados obtidos via simulação e experimentação mostraram a viabilidade técnica de usar desafios verdes e ´uteis para o gerenciamento de identidades. Mais importante, eles mostraram que caracterizar as solicitações de identidades com base na origem das mesmas constitui uma abordagem promissora para lidar com a redução substancial da disseminação de contas falsas. / Online systems such as Facebook, Twitter, Digg, and BitTorrent communities (among various others) offer a lightweight process for obtaining identities (e.g., confirming a valid e-mail address; the actual requirements may vary depending on the system), so that users can easily join them. Such convenience comes with a price, however: with minimum effort, an attacker can obtain a horde of fake accounts (Sybil attack), and use them to either perform malicious activities (that might harm legitimate users) or obtain unfair benefits. It is extremely challenging (if not impossible) to devise a single identity management solution at the same time able to support a variety of end-users using heterogeneous devices, and suitable for a multitude of environments (e.g., large-scale distributed systems, Internet-of-Things, and Future Internet). As a consequence, the research community has focused on the design of system-specific identity management solutions, in scenarios having a well-defined set of purposes, requirements, and constraints. In this thesis, we approach the issue of fake accounts in large-scale, distributed systems. More specifically, we target systems based on the peer-to-peer paradigm and that can accommodate lightweight, long-term identity management schemes (e.g., file sharing and live streaming networks, collaborative intrusion detection systems, among others); lightweight because users should obtain identities without being required to provide “proof of identity” (e.g., passport) and/or pay taxes; and long-term because users should be able to maintain their identities (e.g., through renewal) for an indefinite period. Our main objective is to propose a framework for adaptively pricing identity requests as an approach to limit Sybil attacks. The key idea is to estimate a trust score for identity requests, calculated as a as function of the number of identities already granted in a given period, and considering their source of origin. Our approach relies on proof of work, and uses cryptographic puzzles as a resource to restrain attackers. In this thesis, we also concentrate on reshaping traditional puzzles, in order to make them “green” and “useful”. The results obtained through simulation and experimentation have shown the feasibility of using green and useful puzzles for identity management. More importantly, they have shown that profiling identity requests based on their source of origin constitutes a promising approach to tackle the dissemination of fake accounts.

Redes : Computadores

Tolerancia : Falhas

Redes P2P

Identity management

Peer-to-peer systems

Sybil attack

Fake accounts

Collusion attacks

Proof of work

Síntese e caracterização de pastas de cimento aditivadas com resinas epóxi análises cinéticas, termodinâmicas e calorimétricas

Tavares, Andrea Macleybiane Gois

05 March 2010

Conselho Nacional de Desenvolvimento Científico e Tecnológico / Cement has been used in the world, presenting a wide versatility. However, due to its chemical nature, it is subject to several types of chemical damages, especially for agents of acidic nature. With the purpose of increase its life-time, new cement slurries have been modified with the addition of specific additives. The objective of this work is to modify cement slurries with epoxy resins, which promote higher resistance of those materials in relation to acid attacks. Three cement slurries were synthesized with epoxy resins (GY, PY-1 and PY-2) and a standard slurries, which was composed by cement and water (w/c = 0,5). The syntheses were performed according to the API recommendations. After 30 days of hydration, the samples were characterized by XDR, FTIR and thermal analysis (TG and DSC). The slurries characterization has suggested the presence of low amounts of portlandita (Ca(OH)2) in the slurry with the higher content of polymerized epoxy resin. The hydration processes of the cement slurries were studied by heat-conduction microcalorimetry. The energetic and enthalpic hydration data were all exothermic in nature. It was verified that the addition of the polymers delayed the processes of hydration of the slurries, decreasing the flow of heat released as a function of the amount of added resin. The cumulative heat release curves have shown the presence of multilinearity of the kinetic processes. The hydration microcalorimetric data were well fitted to the multistep Avrami kinetic model. A kinetic study of HCl interaction with the new slurries were performed by the batch methodology at 25, 35, 45 e 55°C. The Avrami kinetic model also appears to be the most efficient in describing the kinetic isotherms. It was observed that the kinetic constants of interaction of the acid with the slurries increased with the increase of temperature and decreased as a function of the amount of resin added in the slurries. The speed of reaction of the cement slurries with HCl was determined from the kinetic parameters obtained by the Avrami model. Speed reaction in the order of 10-3 mol.g.h-1 were found for the standard slurry and of the order of 10-5 mol.g.h-1 for the slurries with the epoxy resins. In general, the analysis of the kinetic parameters indicated that increasing the resin amount in the composition of the slurries reduced the reaction speed and increased the resistance of those slurries to the acid attack. / O cimento é um dos materiais mais utilizados no mundo, apresentando uma larga versatilidade. No entanto, devido à sua natureza química, está sujeito a vários tipos de desgastes, especialmente por agentes de natureza ácida. Com a finalidade de prolongar o tempo de vida útil desse material, buscam-se novas formulações de pastas de cimento através da adição de aditivos específicos. O objetivo deste trabalho é a modificação de pastas de cimento com resinas epóxi, as quais promovem maior resistência desses materiais frente aos ataques ácidos. Foram sintetizadas três pastas de cimento com resinas epóxi (GY, PY-1 e PY-2) e uma pasta padrão, composta de cimento e água. Para preparação utilizaram-se dois tipos de resinas epóxi, uma do tipo bisfenol-A e seu endurecedor de isoforonodiamina (GY) e outra, uma combinação do bisfenol-F e do bisfenol-A com endurecedor de poliamidoamina (PY-1 e PY-2). Após 30 dias de hidratação, as amostras foram caracterizadas por DRX, FTIR e por análise térmica (TG e DSC). A caracterização das pastas sugeriu a presença de baixas quantidades de portlandita (Ca(OH)2) nas composições com maior porcentagem de resina epóxi. Os processos de hidratação das pastas de cimento foram estudados por calorimetria isotérmica. Os dados energéticos de entalpia de hidratação foram todos de natureza exotérmica. Foi verificado que a adição do polímero retardou o processo de hidratação das pastas, reduzindo o fluxo de calor liberado em função da porcentagem de resina adicionada. As curvas de liberação do fluxo de calor mostraram a presença de vários processos cinéticos distintos. Os dados de hidratação foram bem ajustados ao modelo cinético de Avrami. O estudo cinético de interação de HCl com as pastas de cimento foi realizado pelo método de batelada nas temperaturas de 25, 35, 45 e 55°C. O modelo cinético de Avrami também foi o que mais se mostrou eficiente em descrever as isotérmicas cinéticas. Foram observados que as constantes cinéticas de interação do ácido com as pastas aumentaram com o aumento da temperatura, e diminuíram em função do aumento da quantidade de polímero adicionado nas pastas. A velocidade de reação das pastas de cimento com o HCl foi estimada a partir dos parâmetros cinéticos obtidos pelo modelo de Avrami. Foram verificados valores de velocidade de reação da ordem de 10-3 mol.g.h-1 para a pasta padrão e da ordem de 10-5 mol.g.h-1 para as pastas aditivadas. Em geral, a análise dos parâmetros cinéticos indicou que o aumento da porcentagem de resina na composição das pastas reduziu a velocidade de reação e, aumentou a resistência dessas pastas ao ataque ácido.

Pastas de cimento

Resina epóxi

Microcalorimetria

Ataque ácido

Cement slurries

Epoxy resins

Microcalorimetry

Acid attack

Suscetibilidade de pastas de cimento ao ataque por sulfatos - método de ensaio acelerado. / Susceptibility of cement pastes to sulfate attack - accelerated test method.

Rui Barbosa de Souza

03 February 2006

O presente trabalho tem por objetivo investigar e propor uma metodologia rápida e eficaz de avaliação da reatividade do cimento Portland frente ao ataque por sulfatos. O método consiste na utilização de amostras de pasta de cimento hidratada em pó, colocadas em contato direto com soluções concentradas de Na2SO4 e MgSO4, em temperatura elevada (65ºC), para acelerar o ataque. Apesar dos cimentos estudados possuírem composição química parecida, os resultados de SO3 combinado mostraram que o cimento Classe G foi pouco menos suscetível ao ataque por sulfatos em função do maior teor de Fe2O3 presente. Da TG e DRX observou-se a formação de etringita no ataque por ambos os sais de sulfato; e formação de gipsita no ataque por MgSO4. Enquanto havia disponibilidade de portlandita na pasta hidratada, o cimento com adição mineral incorporada apresentou mesma taxa de ataque que os demais (sem adição), entretanto a partir do momento que toda a portlandita foi consumida, iniciou-se um processo de descalcificação do C-S-H, observado pela DRX. / The main point of this research is to propose a fast and effective method of evaluation of the cement reactivity to sulfate attack. Resistance to sulfate attack was measured by determining the combined sulfate in cement paste samples with exposure to Na2SO4 and MgSO4 solution, at high temperature (65°C). The samples of cement paste was triturated (powdered) in the proposed method. The results of combined SO3 showed that the Class G cement was little less susceptible to the sulfate attack because it has larger amount of Fe2O3. The ettringite formation was observed in the attack for both sulfate salts; and gypsum formation in the attack for MgSO4 (results of TG and XRD). The blended cement presented same results that the others, however when the Ca(OH)2 was totally consumed, it observed the decalcification of the C-S-H, by XRD.

Ataque por sulfatos

DRX

Durabilidade

Método de ensaio

Microestrutura

Sulfato combinado

TG

Combined sulfate

Durability

Microstructure

Sulfate attack

TG

XRD

Avaliação da influência do tipo de cimento na expansibilidade de misturas de fosfogesso e cimento / Evaluation of the influence of the cement type in the expansivity of cement-stabilized phosphogypsum

Andréa Regina Kaneko Kobayashi

29 August 2000

Fosfogesso é um resíduo sólido da produção de ácido fosfórico pelas indústrias de fertilizantes. A produção anual deste material no mundo é de cerca de 180 milhões de toneladas, e isto causa problemas com a sua armazenagem. O fosfogesso tem sido estudado para uso como material de construção de bases e sub-bases de pavimentos. O fosfogesso tem pouca durabilidade frente à ação da água quando sujeito somente à estabilização mecânica. O cimento Portland é então adicionado ao fosfogesso, resultando em misturas mais estáveis. A reação do aluminato tricálcico contido no cimento e dos sulfatos presentes no fosfogesso poderia conduzir à formação de cristais de etringita e à expansão subseqüente. O objetivo desta pesquisa é avaliar a influência do tipo de cimento na expansibilidade das misturas de fosfogesso e cimento para uso na construção de pavimentos. Analisou-se o comportamento expansivo de corpos de prova compactados com diferentes proporções de fosfogesso e cimento, variando-se o tipo de cimento, energia de compactação e período de cura. Para todos os cimentos usados nesta pesquisa, considerando-se o período de 84 dias de cura, a maior parte da expansão ocorreu nos primeiros 28 dias. A influência do tipo de cimento na expansão das misturas de fosfogesso e cimento é significante, mas o teor de aluminato tricálcico não é a única explicação para o comportamento de expansão observado neste estudo, visto que os resultados experimentais indicam que quantidades crescentes de aluminato tricálcico conduzem a menores expansões, fato que contraria a expectativa inicial desta pesquisa. / Phosphogypsum is a solid by-product resulting from the phosphoric acid process for manufacturing fertilizers. The annual worldwide production of this material is about 180 million de tons and it causes problems with its disposal. The phosphogypsum has been studied for use in pavement base and sub-base materials. Phosphogypsum has poor durability when subjected to mechanical stabilization only in wet conditions. The addition of stabilizing materials, such as Portland cement, is one method of overcoming this deficiency. The chemical reaction between tricalcium aluminate present in Portland cement and sulfate ions supplied by phosphogypsum could lead to the formation of ettringite and subsequent expansion. The objective of this research is to evaluate the influence of Portland cement type on the expansion of cement-stabilized phosphogypsum mixtures for use as pavement construction. The expansion behavior was analyzed through compacted specimens composed by different phosphogypsum and cement proportions, varying the cement type, compaction energy and curing period. For all cements used in this research, most of expansion occurred within the first 28 days in relation to the 84 days of curing. There is a significant influence of cement type on the expansion of the cement-stabilized phosphogypsum mixtures, but the aluminate tricalcium content is not the only explanation for the expansion behavior observed in this study. The experimental results show that an increasing amount of tricalcium aluminate yields lower expansion, fact that thwarts the initial expectation of this research.

Ataque por sulfatos

Cimento

Etringita

Expansão

Fosfogesso

Pavimento

Reciclagem

Rejeito

Cement

Ettringite

Expansion

Pavement

Phosphogypsum

Recycling

Sulfate attack

Waste

Reviewing and Evaluating Techniques for Modeling and Analyzing Security Requirements

Abu-Sheikh, Khalil

January 2007

The software engineering community recognized the importance of addressing security requirements with other functional requirements from the beginning of the software development life cycle. Therefore, there are some techniques that have been developed to achieve this goal. Thus, we conducted a theoretical study that focuses on reviewing and evaluating some of the techniques that are used to model and analyze security requirements. Thus, the Abuse Cases, Misuse Cases, Data Sensitivity and Threat Analyses, Strategic Modeling, and Attack Trees techniques are investigated in detail to understand and highlight the similarities and differences between them. We found that using these techniques, in general, help requirements engineer to specify more detailed security requirements. Also, all of these techniques cover the concepts of security but in different levels. In addition, the existence of different techniques provides a variety of levels for modeling and analyzing security requirements. This helps requirements engineer to decide which technique to use in order to address security issues for the system under investigation. Finally, we found that using only one of these techniques will not be suitable enough to satisfy the security requirements of the system under investigation. Consequently, we consider that it would be beneficial to combine the Abuse Cases or Misuse Cases techniques with the Attack Trees technique or to combine the Strategic Modeling and Attack Trees techniques together in order to model and analyze security requirements of the system under investigation. The concentration on using the Attack Trees technique is due to the reusability of the produced attack trees, also this technique helps in covering a wide range of attacks, thus covering security concepts as well as security requirements in a proper way.

Security Requirements

Abuse Cases

Misuse Cases

Data Sensitivity and Threat Analyses

Strategic Modeling

Attack Trees.

Software Engineering

Programvaruteknik

Plastic card frauds, a survey of current relevant card and system properties / Plastkortsystem och brottsmöjligheter, en genomgång av egenskaper hos kort och läsare

Savostyanova, Natalia, Velichko, Valeriya

January 2004

Recently the society has been turning from the use of paper-based technologies to plastic cards in certain spheres of our life. With the emergence and proliferation of high technologies we cannot content with the security provided bypaper only. Therefore the society has chosen plastic to protect its information because it offers far more security based not only on human perception but also on machine-readable elements. The number of plastic cards in circulation in different spheres of our everyday life increases constantly. They replace money, documents and allow easy and safe access to some services. In spite of its security the plastic card however is subjected to fraud. Plastic card fraud results in significant losses for the various industries. Since the first appearance of plastic cards methods of committing fraud have changed dramatically. Now there is a wide range of high technologies at the disposal of criminals as well as card manufacturers. Therefore we have put the great emphasize of this work on the analysis of the most common card technologies in the Plastic Card World, the magnetic stripe and the chip, existing crimes and main means of their committing. And we also have revealed the weak and strong sides of the prevention techniques, which are currently in use.

Informationsteknik

plastic card

smart card

magnetic stripe

ATM

attack

crime

counterfeiting

skimming

PIN

Informationsteknik

Computer and Information Sciences

Data- och informationsvetenskap

Small wind turbine starting behaviour

Worasinchai, Supakit

January 2012

Small wind turbines that operate in low-wind environments are prone to suffer performance degradation as they often fail to accelerate to a steady, power-producing condition. The behaviour during this process is called “starting behaviour” and it is the subject of this present work. This thesis evaluates potential benefits that can be obtained from the improvement of starting behaviour, investigates, in particular, small wind turbine starting behaviour (both horizontal- and vertical-axis), and presents aerofoil performance characteristics (both steady and unsteady) needed for the analysis. All of the investigations were conducted using a new set of aerodynamic performance data of six aerofoils (NACA0012, SG6043, SD7062, DU06-W-200, S1223, and S1223B). All of the data were obtained at flow conditions that small wind turbine blades have to operate with during the startup - low Reynolds number (from 65000 to 150000), high angle of attack (through 360◦), and high reduced frequency (from 0.05 to 0.20). In order to obtain accurate aerodynamic data at high incidences, a series of CFD simulations were undertaken to illustrate effects of wall proximity and to determine test section sizes that offer minimum proximity effects. A study was carried out on the entire horizontal-axis wind turbine generation system to understand its starting characteristics and to estimate potential benefits of improved starting. Comparisons of three different blade configurations reveal that the use of mixed-aerofoil blades leads to a significant increase in starting capability. The improved starting capability effectively reduces the time that the turbine takes to reach its power-extraction period and, hence, an increase in overall energy yield. The increase can be as high as 40%. Investigations into H-Darriues turbine self-starting capability were made through the analogy between the aerofoil in Darrieus motion and flapping-wing flow mechanisms. The investigations reveal that the unsteadiness associated with the rotor is key to predicting its starting behaviour and the accurate prediction can be made when this transient aerofoil behaviour is correctly modelled. The investigations based upon the analogy also indicate that the unsteadiness can be exploited to promote the turbine ability to self-start. Aerodynamically, this exploitation is related to the rotor geometry itself.

621.4

A machine learning approach for automatic and generic side-channel attacks

Lerman, Liran

10 June 2015

L'omniprésence de dispositifs interconnectés amène à un intérêt massif pour la sécurité informatique fournie entre autres par le domaine de la cryptographie. Pendant des décennies, les spécialistes en cryptographie estimaient le niveau de sécurité d'un algorithme cryptographique indépendamment de son implantation dans un dispositif. Cependant, depuis la publication des attaques d'implantation en 1996, les attaques physiques sont devenues un domaine de recherche actif en considérant les propriétés physiques de dispositifs cryptographiques. Dans notre dissertation, nous nous concentrons sur les attaques profilées. Traditionnellement, les attaques profilées appliquent des méthodes paramétriques dans lesquelles une information a priori sur les propriétés physiques est supposée. Le domaine de l'apprentissage automatique produit des modèles automatiques et génériques ne nécessitant pas une information a priori sur le phénomène étudié.<p><p>Cette dissertation apporte un éclairage nouveau sur les capacités des méthodes d'apprentissage automatique. Nous démontrons d'abord que les attaques profilées paramétriques surpassent les méthodes d'apprentissage automatique lorsqu'il n'y a pas d'erreur d'estimation ni d'hypothèse. En revanche, les attaques fondées sur l'apprentissage automatique sont avantageuses dans des scénarios réalistes où le nombre de données lors de l'étape d'apprentissage est faible. Par la suite, nous proposons une nouvelle métrique formelle d'évaluation qui permet (1) de comparer des attaques paramétriques et non-paramétriques et (2) d'interpréter les résultats de chaque méthode. La nouvelle mesure fournit les causes d'un taux de réussite élevé ou faible d'une attaque et, par conséquent, donne des pistes pour améliorer l'évaluation d'une implantation. Enfin, nous présentons des résultats expérimentaux sur des appareils non protégés et protégés. La première étude montre que l'apprentissage automatique a un taux de réussite plus élevé qu'une méthode paramétrique lorsque seules quelques données sont disponibles. La deuxième expérience démontre qu'un dispositif protégé est attaquable avec une approche appartenant à l'apprentissage automatique. La stratégie basée sur l'apprentissage automatique nécessite le même nombre de données lors de la phase d'apprentissage que lorsque celle-ci attaque un produit non protégé. Nous montrons également que des méthodes paramétriques surestiment ou sous-estiment le niveau de sécurité fourni par l'appareil alors que l'approche basée sur l'apprentissage automatique améliore cette estimation. <p><p>En résumé, notre thèse est que les attaques basées sur l'apprentissage automatique sont avantageuses par rapport aux techniques classiques lorsque la quantité d'information a priori sur l'appareil cible et le nombre de données lors de la phase d'apprentissage sont faibles. / Doctorat en Sciences / info:eu-repo/semantics/nonPublished

Informatique générale

Cryptography

Machine learning

Cryptographie

Apprentissage automatique

time series classification

cryptanalysis

cryptography

side-channel attack

machine learning

power analysis

APLICANDO A TRANSFORMADA WAVELET BIDIMENSIONAL NA DETECÇÃO DE ATAQUES WEB / APPLYING TWO-DIMENSIONAL WAVELET TRANSFORM FOR THE DETECTION OF WEB ATTACKS

Mozzaquatro, Bruno Augusti

27 February 2012

Conselho Nacional de Desenvolvimento Científico e Tecnológico / With the increase web traffic of comes various threats to the security of web applications. The threats arise inherent vulnerabilities of web systems, where malicious code or content injection are the most exploited vulnerabilities in web attacks. The injection vulnerability allows the attacker to insert information or a program in improper places, causing damage to customers and organizations. Its property is to change the character frequency distribution of some requests within a set of web requests. Anomaly-based intrusion detection systems have been used to break these types of attacks, due to the diversity and complexity found in web attacks. In this context, this paper proposes a new anomaly based detection algorithm that apply the two-dimensional wavelet transform for the detection of web attacks. The algorithm eliminates the need for a training phase (which asks for reliable data) and searches for character frequency anomalies in a set of web requests, through the analysis in multiple directions and resolutions. The experiment results demonstrate the feasibility of our technique for detecting web attacks. After some adjustments on different parameters, the algorithm has obtained detection rates up to 100%, eliminating the occurrence of false positives. / O aumento do tráfego web vem acompanhado de diversas ameaças para a segurança das aplicações web. As ameaças são decorrentes das vulnerabilidades inerentes dos sistemas web, sendo a injeção de código ou conteúdo malicioso uma das vulnerabilidades mais exploradas em ataques web, pois permite que o atacante insira uma informação ou programa em locais indevidos, podendo causar danos aos clientes e organizações. Esse tipo de ataque tem sido caracterizado pela alteração na distribuição da frequência dos caracteres de algumas requisições dentro de um conjunto de requisições web. Sistemas de detecção de intrusão baseados em anomalias têm sido usados para procurar conter tais tipos de ataques, principalmente em função da diversidade e da complexidade dos ataques web. Neste contexto, o trabalho propõe um novo algoritmo para detecção de anomalias que aplica a transformada wavelet bidimensional na detecção de ataques web e elimina a necessidade de uma fase de treinamento com dados confiáveis de difícil obtenção. O algoritmo pesquisa por anomalias nas frequências dos caracteres de um conjunto de requisições web através da análise em múltiplas direções e resoluções. Os resultados obtidos nos experimentos demonstraram a viabilidade da técnica para detecção de ataques web e também que com ajustes entre diferentes parâmetros foram obtidas taxas de detecção de até 100%, eliminando a ocorrência de falsos positivos.

Detecção de Anomalias

Detecção de Intrusão

Wavelet

Ataques Web

Anomaly Detection

Intrusion Detection

Wavelet, Web Attack