An Ontology to Mitigate XML Injection (Uma Ontologia para Mitigar XML Injection)
Abstract
The technologies used in web services bring vulnerabilities already known from other domains into this new environment. Anomaly-based intrusion detection approaches generally produce a high false-positive rate, whereas signature-based approaches fail to detect variations of an attack. This paper presents a hybrid attack detection mechanism that combines the main advantages of these two classical approaches. An ontology is applied as the attack knowledge base, organised by strategy (a chained sequence of actions), to mitigate XML injection attacks while keeping false-positive rates low.
Published
06/11/2011
How to Cite
ROSA, Thiago M.; SANTIN, Altair O.; MALUCELLI, Andreia. Uma Ontologia para Mitigar XML Injection. In: SIMPÓSIO BRASILEIRO DE SEGURANÇA DA INFORMAÇÃO E DE SISTEMAS COMPUTACIONAIS (SBSEG), 11., 2011, Brasília. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2011. p. 43-56.
DOI: https://doi.org/10.5753/sbseg.2011.20562.