Today the web has become a major conduit for information. As the World Wide
Web?s popularity continues to increase, information security on the web has become an
increasing concern. Web information security is related to availability, confidentiality,
and data integrity. According to the reports from http://www.securityfocus.com in May
2006, operating systems account for 9% vulnerability, web-based software systems
account for 61% vulnerability, and other applications account for 30% vulnerability.
In this dissertation, I present a security analysis model using the Markov Process
Model. Risk analysis is conducted using fuzzy logic method and information entropy
theory. In a web-based application system, security risk is most related to the current
states in software systems and hardware systems, and independent of web application
system states in the past. Therefore, the web-based applications can be approximately
modeled by the Markov Process Model. The web-based applications can be conceptually
expressed in the discrete states of (web_client_good; web_server_good,
web_server_vulnerable, web_server_attacked, web_server_security_failed; database_server_good, database_server_vulnerable, database_server_attacked,
database_server_security_failed) as state space in the Markov Chain. The vulnerable
behavior and system response in the web-based applications are analyzed in this
dissertation. The analyses focus on functional availability-related aspects: the probability
of reaching a particular security failed state and the mean time to the security failure of a
system. Vulnerability risk index is classified in three levels as an indicator of the level of
security (low level, high level, and failed level). An illustrative application example is
provided. As the second objective of this dissertation, I propose a security improvement
model for the web-based applications using the GeoIP services in the formal methods. In
the security improvement model, web access is authenticated in role-based access control
using user logins, remote IP addresses, and physical locations as subject credentials to
combine with the requested objects and privilege modes. Access control algorithms are
developed for subjects, objects, and access privileges. A secure implementation
architecture is presented. In summary, the dissertation has developed security analysis
and improvement model for the web-based application. Future work will address Markov
Process Model validation when security data collection becomes easy. Security
improvement model will be evaluated in performance aspect.
| Identifer | oai:union.ndltd.org:tamu.edu/oai:repository.tamu.edu:1969.1/ETD-TAMU-2008-12-110 |
| Date | 14 January 2010 |
| Creators | Wang, Yong |
| Contributors | Lively, William M., Simmons, Dick B. |
| Source Sets | Texas A and M University |
| Language | en_US |
| Detected Language | English |
| Type | Book, Thesis, Electronic Dissertation |
| Format | application/pdf |
Page generated in 0.0025 seconds