Istituto di Scienza e Tecnologie dell'Informazione
Calzavara S., Tolomei G., Bugliesi M., Orlando S. Quite a mess in my cookie jar! Leveraging machine learning to protect web authentication. In: WWW'14 - 23rd International Conference on World Wide Web (Seoul, Korea, 7-11 April 2014). Proceedings, pp. 189-200. ACM, 2014.
Browser-based defenses have recently been advocated as an effective mechanism to protect web applications against the threats of session hijacking, fixation, and related attacks. In existing approaches, all such defenses ultimately rely on client-side heuristics to automatically detect cookies containing session information, to then protect them against theft or otherwise unintended use. While clearly crucial to the effectiveness of the resulting defense mechanisms, these heuristics have not, as yet, undergone any rigorous assessment of their adequacy. In this paper, we conduct the first such formal assessment, based on a gold set of cookies we collect from 70 popular websites of the Alexa ranking. To obtain the gold set, we devise a semi-automatic procedure that draws on a novel notion of authentication token, which we introduce to capture multiple web authentication schemes. We test existing browser-based defenses in the literature against our gold set, unveiling several pitfalls both in the heuristics adopted and in the methods used to assess them. We then propose a new detection method based on supervised learning, where our gold set is used to train a binary classifier, and report on experimental evidence that our method outperforms existing proposals. Interestingly, the resulting classification, together with our hands-on experience in the construction of the gold set, provides new insight on how web authentication is implemented in practice.
URL: http://dl.acm.org/citation.cfm?doid=2566486.2568047
DOI: 10.1145/2566486.2568047
Subject: Web authentication
K.6.5 Management of Computing and Information Systems. Security and Protection

1) Download Document PDF
2) Download Document PDF



For further information, contact: Librarian http://puma.isti.cnr.it
