Browser-based defenses have recently been advocated as an effective mechanism to protect web applications against the threats of session hijacking, fixation, and related attacks. In existing approaches, all such defenses ultimately rely on client-side heuristics to automatically detect cookies containing session information, to then protect them against theft or otherwise unintended use. While clearly crucial to the effectiveness of the resulting defense mechanisms, these heuristics have not, as yet, undergone any rigorous assessment of their adequacy. In this paper, we conduct the first such formal assessment, based on a gold set of cookies we collect from 70 popular websites of the Alexa ranking. To obtain the gold set, we devise a semi-automatic procedure that draws on a novel notion of authentication token, which we introduce to capture multiple web authentication schemes. We test existing browser-based defenses in the literature against our gold set, unveiling several pitfalls both in the heuristics adopted and in the methods used to assess them. We then propose a new detection method based on supervised learning, where our gold set is used to train a binary classifier, and report on experimental evidence that our method outperforms existing proposals. Interestingly, the resulting classification, together with our hands-on experience in the construction of the gold set, provides new insight on how web authentication is implemented in practice.
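As an added worked example (not the paper's code, and not its feature set or gold set), the following Python script contrasts the kind of name-keyword heuristic the abstract refers to with a small supervised binary classifier trained on a labelled set of Set-Cookie headers. The keyword list, the six features, the logistic-regression learner and the ten cookies in `GOLD_SET` are all constructed assumptions for illustration; the paper's actual heuristics, features and 70-site gold set are not reproduced here.

```python
# Added example (not the paper's code): keyword heuristic vs. trained classifier.
import math
import re
from dataclasses import dataclass

@dataclass
class Cookie:
    name: str
    value: str
    httponly: bool
    secure: bool
    persistent: bool  # True when Expires or Max-Age is present

def parse_set_cookie(header: str) -> Cookie:
    """Parse the value of a Set-Cookie header into a Cookie record."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return Cookie(name.strip(), value.strip(), "httponly" in attrs,
                  "secure" in attrs, "expires" in attrs or "max-age" in attrs)

def entropy_bits(s: str) -> float:
    """Shannon entropy of the characters of s, in bits per character."""
    n = len(s)
    counts = {ch: s.count(ch) for ch in set(s)}
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0

# Assumed keyword list, typical of name-based heuristics.
AUTH_KEYWORDS = re.compile(r"sess|sid|auth|token|login|user", re.IGNORECASE)

def keyword_heuristic(c: Cookie) -> bool:
    """Name-only heuristic: flag the cookie if its name looks session-like."""
    return bool(AUTH_KEYWORDS.search(c.name))

def features(c: Cookie) -> list:
    """Assumed feature vector; every component lies roughly in [0, 1]."""
    return [1.0 if keyword_heuristic(c) else 0.0,
            1.0 if c.httponly else 0.0,
            1.0 if c.secure else 0.0,
            0.0 if c.persistent else 1.0,           # session-scoped
            min(entropy_bits(c.value), 6.0) / 6.0,  # value randomness
            min(len(c.value), 64) / 64.0]           # value length

class LogisticClassifier:
    """Logistic regression trained by batch gradient descent on log loss."""
    def __init__(self, n_features: int):
        self.w, self.b = [0.0] * n_features, 0.0

    def _prob(self, x) -> float:
        z = self.b + sum(wi * xi for wi, xi in zip(self.w, x))
        return 1.0 / (1.0 + math.exp(-z))

    def fit(self, X, y, lr=1.0, epochs=3000):
        n = len(X)
        for _ in range(epochs):
            gw, gb = [0.0] * len(self.w), 0.0
            for x, t in zip(X, y):
                err = self._prob(x) - t  # gradient of log loss w.r.t. z
                gb += err
                for j, xj in enumerate(x):
                    gw[j] += err * xj
            self.w = [wj - lr * gj / n for wj, gj in zip(self.w, gw)]
            self.b -= lr * gb / n
        return self

    def predict(self, c: Cookie) -> bool:
        return self._prob(features(c)) >= 0.5

# Constructed gold set: (Set-Cookie value, is_authentication_cookie).
GOLD_SET = [
    ("PHPSESSID=8f1c2a9d7e3b4c5a6d7e8f9a0b1c2d3e; Path=/; HttpOnly; Secure", True),
    ("JSESSIONID=B2F7A1E4C9D0F3B6E8A1C4D7F0B3E6A9; Path=/; HttpOnly", True),
    ("auth_token=Q2FsemF2YXJhMjAxNHd3dy5zZWN1cml0eQ.sig9Z; Max-Age=86400; HttpOnly; Secure", True),
    ("u=9Qz3xL7mW2pR8vK4nT6yB1cF5hJ0dGmA; Path=/; HttpOnly; Secure", True),  # no keyword
    ("sessionid=c4d1e7f29a0b38e6d5f41a2c7b9e0d38; Path=/", True),
    ("lang=en; Path=/; Max-Age=31536000", False),
    ("theme=dark; Path=/", False),
    ("_ga=GA1.2.123456789.1600000000; Max-Age=63072000", False),
    ("session_banner_seen=1; Path=/; Max-Age=2592000", False),  # keyword, not auth
    ("ab_test=B; Path=/; Max-Age=604800; HttpOnly", False),
]

def confusion(predict, gold) -> dict:
    """Count tp/fp/fn/tn of a predictor against a labelled cookie set."""
    m = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for header, is_auth in gold:
        pred = predict(parse_set_cookie(header))
        m[("t" if pred == is_auth else "f") + ("p" if pred else "n")] += 1
    return m

def train_on_gold(gold=GOLD_SET) -> LogisticClassifier:
    """Train the classifier on the labelled gold set."""
    X = [features(parse_set_cookie(h)) for h, _ in gold]
    y = [1.0 if is_auth else 0.0 for _, is_auth in gold]
    return LogisticClassifier(len(X[0])).fit(X, y)

if __name__ == "__main__":
    print("keyword heuristic :", confusion(keyword_heuristic, GOLD_SET))
    print("trained classifier:", confusion(train_on_gold().predict, GOLD_SET))
```

On this constructed set the name-only heuristic misses the authentication cookie `u` (no keyword in the name) and flags `session_banner_seen` (keyword, but a one-character persistent flag), while the classifier, which also sees value length, value entropy, session scope and the HttpOnly/Secure attributes, separates the ten cookies correctly. The point carries over to real deployments: a cookie's name is chosen by the application, not by the browser, so any client-side defense that keys on names alone inherits both kinds of error, and a labelled gold set is what makes them measurable.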

Quite a mess in my cookie jar! Leveraging machine learning to protect web authentication / Calzavara, Stefano; Tolomei, Gabriele; Bugliesi, Michele; Orlando, Salvatore. - (2014), pp. 189-199. (Paper presented at the 23rd International Conference on World Wide Web, WWW 2014, held in Seoul, South Korea) [10.1145/2566486.2568047].

Quite a mess in my cookie jar! Leveraging machine learning to protect web authentication

Tolomei, Gabriele; Orlando, Salvatore
2014

23rd International Conference on World Wide Web, WWW 2014
authentication cookies; classification; web security
04 Conference proceedings::04b Conference paper in a volume
Files attached to this item

Calzavara_Mess_2014.pdf (archive managers only)
Type: Publisher's version (published version with the publisher's layout)
Licence: All rights reserved
Size: 702.18 kB
Format: Adobe PDF
Contact the author

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this item: https://hdl.handle.net/11573/1382685
Citations
  • PubMed Central: not available
  • Scopus: 16
  • Web of Science: 6