Browser-based defenses have recently been advocated as an effective mechanism to protect web applications against the threats of session hijacking, session fixation, and related attacks. All existing defenses of this kind ultimately rely on client-side heuristics to automatically detect the cookies that carry session information, and then protect those cookies against theft or other unintended use. While clearly crucial to the effectiveness of the resulting defense mechanisms, these heuristics have not, as yet, undergone any rigorous assessment of their adequacy. In this paper, we conduct the first such formal assessment, based on a gold set of cookies we collect from 70 popular websites from the Alexa ranking. To obtain the gold set, we devise a semi-automatic procedure that draws on a novel notion of authentication token, which we introduce to capture multiple web authentication schemes. We test existing browser-based defenses from the literature against our gold set, unveiling several pitfalls both in the heuristics adopted and in the methods used to assess them. We then propose a new detection method based on supervised learning, where our gold set is used to train a binary classifier, and report experimental evidence that our method outperforms existing proposals. Interestingly, the resulting classification, together with our hands-on experience in constructing the gold set, provides new insight into how web authentication is implemented in practice.
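As an added illustration (not code from the paper), a toy version of the workflow the abstract describes: a labelled gold set of cookies, a name-and-entropy heuristic of the kind client-side defenses use, and a supervised decision stump trained on the gold set, both scored for precision and recall. The cookie names, values and labels, the keyword list and the three features are constructed assumptions, not the paper's data or features.

```python
import math
from collections import namedtuple

# A labelled cookie: the gold set pairs each cookie with whether it is an authentication cookie.
Cookie = namedtuple("Cookie", "name value is_session")

def entropy(s):
    """Shannon entropy (bits per character) of a cookie value."""
    counts = {ch: s.count(ch) for ch in set(s)}
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values()) if s else 0.0

# Assumed keyword list; real defenses use their own, which is exactly what the gold set tests.
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")

def heuristic_is_session(c):
    """Name-and-entropy rule of the kind client-side defenses use (constructed, not a specific tool's rule)."""
    return any(h in c.name.lower() for h in SESSION_HINTS) or (len(c.value) >= 16 and entropy(c.value) > 3.5)

def features(c):
    return [float(any(h in c.name.lower() for h in SESSION_HINTS)), float(len(c.value)), entropy(c.value)]

def train_stump(gold):
    """Supervised alternative: choose the (feature, threshold) pair that best separates the gold set."""
    xs, ys = [features(c) for c in gold], [c.is_session for c in gold]
    best = None
    for f in range(len(xs[0])):
        for t in sorted({x[f] for x in xs}):
            acc = sum((x[f] >= t) == y for x, y in zip(xs, ys)) / len(ys)
            if best is None or acc > best[0]:
                best = (acc, f, t)
    _, f, t = best
    return lambda c: features(c)[f] >= t

def evaluate(detector, gold):
    """Precision and recall of a detector against the labelled gold set."""
    tp = sum(1 for c in gold if detector(c) and c.is_session)
    fp = sum(1 for c in gold if detector(c) and not c.is_session)
    fn = sum(1 for c in gold if not detector(c) and c.is_session)
    return tp / (tp + fp) if tp + fp else 0.0, tp / (tp + fn) if tp + fn else 0.0

# Constructed gold set; the labels are illustrative, not collected from any site.
GOLD = [
    Cookie("PHPSESSID", "0123456789abcdef" * 2, True),
    Cookie("remember_token", "fedcba9876543210" * 2, True),
    Cookie("u", "0123456789abcdef" + "fedcba9876543210", True),  # terse name, no keyword hint
    Cookie("_ga", "GA1.2.1234567890.1600000000", False),         # analytics identifier
    Cookie("lang", "en", False),
    Cookie("csrftoken", "0123456789abcdef", False),              # "token" in the name, not an auth cookie
    Cookie("theme", "dark", False),
]

if __name__ == "__main__":
    print("heuristic precision/recall:", evaluate(heuristic_is_session, GOLD))
    print("learned stump precision/recall:", evaluate(train_stump(GOLD), GOLD))
```

Scoring on the training set, as here, only shows that the learned rule can fit the gold set; a fair comparison holds out cookies the classifier never saw.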