M.Tech. in ADVANCE NETWORK
by Ashish Kumar (2015-AN-05)
ABSTRACT
Contents
1 INTRODUCTION
2 MOTIVATION
3 OBJECTIVES
4 METHODOLOGY
6 CONCLUSION
List of Figures
List of Tables
INTRODUCTION
A wireless sensor network (WSN) is a collection of sensor nodes used to sense environmental or physical conditions such as vibration, temperature, pressure, sound, motion and pollutants. It is also known as a wireless sensor and actuator network (WSAN). A WSN is made of several, hundreds or even thousands of nodes, where every node is attached to one (or sometimes many) sensors. Each sensor node is a self-governing device that contains a communication device (a transceiver), sensor devices and storage devices, and it exchanges data with the other sensor nodes. WSNs use a medium access control (MAC) protocol to coordinate transmissions over the shared wireless channel; otherwise several nodes may attempt to access the channel concurrently, which leads to signal collisions, data loss, retransmissions, energy depletion, packet delay and so on.
A WSN has limited resources, which are used for computation and communication bandwidth.
Mainly two types of congestion occur in a WSN, known as buffer overflow and link collision.
Figure 2: Components of a sensor node.
Buffer overflow occurs when a node receives data at a higher rate than its own transmission rate; in this case packets are dropped. Link collision occurs when multiple nodes send data simultaneously, so that at some point in time a collision occurs between the nodes. Fig. 3 and Fig. 4 illustrate these two kinds of congestion.
MOTIVATION
A wireless sensor network has limited resources such as power, bandwidth, computing capability and storage space. Energy is very important in a WSN because once battery power is consumed it is difficult to replace or recharge the exhausted batteries.
The bandwidth in a wireless sensor network is low compared to a wired network such as fibre optic networking.
A wireless sensor network uses the wireless channel as the transmission medium, which suffers signal distortion and loss due to attenuation, reflection, diffraction and scattering.
In the hidden terminal problem, if a collision occurs, the node on the other side cannot detect the collision because of the wireless medium, so it may fail to avoid the collision. Such collisions waste channel capacity in wireless networks.
When two or more sender nodes send data to the nodes on the other side concurrently over the same transmission channel, there is a chance of a collision between the signals at some point in time. To ensure reliable data transmission, the data is retransmitted to recover from the collision. A collision wastes energy and bandwidth and causes larger data loss. In wired networking a collision can be detected easily by comparing the sent signal with the received signal at the sender side. But in a wireless sensor network the signal sent by the sender is not the same as the signal received at the receiver, due to signal loss or obstacles.
OBJECTIVES
There are some objectives that I try to cover in this report. They are as follows:
1. to understand the guidelines provided by W3C for the user interface in mobile browsers;
2. to study the different security indicators in mobile browsers;
3. to check the credibility of a website;
4. to see how the indicators are actually implemented;
5. to access a website while ensuring security with the help of SSL indicators;
6. to discuss the various attacks possible on a browser due to improper implementation of the guidelines provided by W3C.
METHODOLOGY
Ten mobile and two tablet browsers are evaluated against the W3C recommended guidelines for security indicators. Furthermore, some desktop browsers are assessed. The W3C recommendations for the UI of mobile browsers are as follows:
W3C RECOMMENDATIONS
1. Identity signal: availability
The security indicators showing the identity of a site MUST be available to the user through either the primary or the secondary interface at all times.
2. Certificates: required content
In addition to the identity signal, web browsers MUST make the following security context information available through information sources (certificates): the web page's domain name and the reason why the displayed information is trusted (or not).
3. TLS indicators
a) Significance of presence
Any UI indicator (for example, the lock) MUST NOT signal the presence of a certificate unless all parts of the web page are loaded from servers presenting at least validated certificates over strongly TLS-protected connections.
b) Content and Indicator Proximity
Content MUST NOT be displayed in a manner that confuses hosted content with browser chrome indicators, by allowing that content to mimic chrome indicators in a position close to them.
c) Availability
The TLS indicators MUST be available to the user through the primary or the secondary interface at all times.
4. Robustness: visibility of indicators
Web content MUST NOT hide the security UI.
5. Error messages
a) Interruption:
Both warning/caution and danger messages MUST interrupt the user's current task, such that the user has to acknowledge the message.
b) Proceeding options:
Warning/caution messages MUST provide the user with distinct options for how to proceed (i.e., these messages MUST NOT lead to a situation in which the only option presented to the user is to dismiss the warning and continue).
c) Inhibit interaction:
The interactions for danger messages MUST be presented in a way that makes it impossible for the user to go to or interact with the destination web site that caused the danger situation to occur, without first explicitly interacting with the danger message.
Empirical Observations
Ten mobile and two tablet browsers are evaluated against the W3C recommended guidelines for security indicators.
1. Identity Signal: Availability; Certificates: Required Content
The identity signal includes information about the owner of a website and the certificate issuer. Before issuing a certificate, the certificate provider obtains the contact email address for the website from a public domain name registrar and checks that address against the email address supplied in the certificate request. Hence, the purchaser of a certificate for a website is someone in contact with the person who registered the domain name. Popular browsers display the owner information of a website using various fields including owner, name, residence and company. The results against these guidelines are shown in the table below.
This table shows the results of the experiment carried out on all the browsers listed above against the first and second W3C guidelines given above.
browsers that are listed above against the third W3C guideline given above.
c) Availability
We focused on the presence of the lock icon, the https URL prefix and details of the cipher used in a TLS connection by visiting a TLS-secured page using all candidate browsers. The padlock icon and the https URL prefix are primary interface indicators, and the cipher information is a secondary interface indicator on desktop browsers.
4. Robustness: Visibility of indicators
The TLS indicators generally found on the primary interface are the lock icon, the https URL prefix, URL colouring and the site identity button. Usually the address bar in a web browser holds these indicators. Consequently, we examined whether web content overwrites the address bar containing the security indicators, or pushes it out of the user's view during browsing.
5. Error messages
We constructed example scenarios that call for the warning/caution and danger messages, given the definitions in the W3C document. The W3C document gives examples of scenarios that call for a danger alert. However, as the document does not specify any scenarios that should trigger warnings, we did our tests using the following scenario. We defined the case of a browser rendering a mixed-content web page as one that should trigger a warning. This is because on a page with both insecure and secure content, the user could potentially interact with the insecure content on the page.
a) Interruption:
We examined whether the mobile and tablet browsers show a warning or danger message in our test scenarios. We then observed the nature of the messages to confirm that they really interrupt the user's activities as specified by the W3C guidelines, and are not displayed at a position on the screen which a user can ignore while continuing to interact with the site.
b) Proceeding options:
This table shows the results of the experiment carried out on all the mobile browsers listed above against the fourth and fifth W3C guidelines given above.
c) Inhibit interaction:
This guideline requires a browser to prevent the user from interacting with a site that triggers a danger message before the user has interacted with the danger message. We visited a site presenting an untrusted self-signed certificate from each of the browsers.
Possible Attacks
W3C has provided guidelines for the UI of mobile browsers to alert the user to security issues. If these guidelines are not implemented correctly and fully, an attacker can take advantage of the flaw to mislead the user. A number of attacks are possible due to improper implementation of the W3C guidelines. Some of these are as follows:
1. Phishing without SSL:
An attacker masquerades as a trustworthy entity in a phishing attack. By closely mimicking a legitimate site's identity information in combination with lock icon spoofing, a malicious site can launch a phishing attack without SSL on a browser that violates W3C guidelines 1, 2 and 3b, as follows. The attacker buys a domain name that closely resembles the domain name of the legitimate site. For instance, to spoof www.bankofmaharashtra.com, the attacker buys the domain name www.bankofmaharashtraa.com. The attacker then imitates the content of the targeted legitimate website.
Instead of spending money on buying an SSL certificate to build the false credibility of the malicious site, the attacker instead makes the favicon of the malicious site a lock image. This way, the closely imitated domain name gives an impression of the correct identity of the intended site, and the spoofed lock gives an illusion of strong encryption. When this malicious site is rendered in a browser that makes viewing the URL of the site difficult, places the favicon next to the padlock icon, and does not offer a UI to view identity information such as the site owner's name, even an advanced user may be subjected to phishing.
2. Phishing with SSL
A man-in-the-middle (network attacker) can tamper with the initial messages sent by a client browser to set up an SSL connection with a web server. Before a TLS connection is established, the client and server exchange the list of ciphers that they support. A network attacker can modify the list of supported ciphers sent by the client into a list containing only weak ciphers, and then forward the client's request/response to the server. On receiving a list of only weak ciphers (e.g., DES-CBC-SHA), the server can either drop the connection because no ciphers are mutually supported, or provide support for that cipher and start an encrypted session with the weak cipher. Once a connection using the weak cipher is started, all the data in transit is protected only by the weak cipher's encryption scheme. This allows the network attacker to capture the stream of data and break the weak encryption offline.
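The defensive point of the paragraph above is that the server's own cipher policy decides whether a rewritten client list can land on a weak suite. The following Python block is an added illustration, not code from the report or from any of the cited papers: it simulates the server-chooses rule of the TLS handshake on constructed cipher lists (a careless server that still enables DES-CBC-SHA beside a hardened one), and builds a real `ssl.SSLContext` whose cipher string excludes the weak families so that `get_ciphers()` can be audited. The weak-cipher marker list and the cipher lists are assumptions made for the example.

```python
import ssl

# Substrings that mark suites a server should never offer (assumption: this marker
# list is ours for the example, not taken from the report).
WEAK_MARKERS = ("DES", "RC4", "NULL", "EXPORT", "MD5")

# Constructed cipher lists for the simulation; names follow OpenSSL spelling.
SERVER_PREFERENCES_WEAK_OK = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES128-SHA",
    "DES-CBC-SHA",            # legacy suite still enabled on a careless server
]
SERVER_PREFERENCES_HARDENED = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
]
HONEST_CLIENT_OFFER = ["ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA", "DES-CBC-SHA"]
TAMPERED_CLIENT_OFFER = ["DES-CBC-SHA"]   # the client list after a MITM rewrites it


def negotiate(server_preferences, client_offer):
    """Pick the first suite in the server's preference order that the client also
    offered, or None when there is no common suite (the server must then drop the
    connection). This mirrors the server-chooses rule of TLS as a simulation; it is
    not a TLS implementation."""
    for suite in server_preferences:
        if suite in client_offer:
            return suite
    return None


def weak_ciphers_in(names):
    """Return the suites in `names` whose name matches a weak-cipher marker."""
    return [n for n in names if any(m in n.upper() for m in WEAK_MARKERS)]


def hardened_server_context():
    """Build a server-side ssl.SSLContext that refuses TLS < 1.2 and advertises only
    forward-secret AEAD suites, so a tampered ClientHello listing only weak suites
    has nothing to land on. (No certificate is loaded; this is for auditing the
    cipher list offline.)"""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(
        "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!DES:!3DES:!RC4:!MD5:!EXPORT"
    )
    return ctx


def offered_cipher_names(ctx):
    """Names of every suite the context would advertise (TLS 1.3 suites included)."""
    return [c["name"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    print("careless server, tampered offer ->",
          negotiate(SERVER_PREFERENCES_WEAK_OK, TAMPERED_CLIENT_OFFER))
    print("hardened server, tampered offer ->",
          negotiate(SERVER_PREFERENCES_HARDENED, TAMPERED_CLIENT_OFFER))
    names = offered_cipher_names(hardened_server_context())
    print("weak suites in hardened context:", weak_ciphers_in(names))
```

Running the block shows the careless server negotiating DES-CBC-SHA from the tampered offer while the hardened server returns no common suite; the last line confirms that the context built with the exclusion string advertises nothing matching a weak marker, which is the check worth running against any production server cipher string.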
c) Mixed content attack
A man-in-the-middle attacker can tamper with (e.g., by code injection) the unencrypted content present on a page consisting of mixed content, and replace the original content with any malicious content of his choice. If a web browser shows SSL indicators for a web page containing mixed content (a violation of guideline 3a), even an expert user may be unable to detect a network attack exploiting the mixed content on the page.
Mobifish Scheme: Anti-phishing attack
This scheme consists of two independent components, WebFish and AppFish. They are designed for mobile web pages and mobile applications respectively.
1) WebFish Scheme:
When a browser attempts to load a web page, WebFish first scans its URL to see whether the domain name is an IP address. Legitimate sites always use domain names as proof of their identities, while phishers are likely to put an IP address in the URL to mask their fake identities. Next, WebFish obtains the HTML source code of the loading page and checks whether there is any form in that page. The presence of a form is vital, since phishers also require a form with input fields which allows the user to enter (confidential) data and then submit it.
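Two of the checks described on this page can be run over a page's source with one parser: the WebFish heuristics just described (IP-literal host, presence of a form) and the mixed-content condition of guideline 3a from the "Mixed content attack" section (plain-http subresources on an https page). The Python block below is an added example, not MobiFish's code and not code from the report: it uses only the standard library, adds a refinement of its own (flagging forms that carry a password field, which the WebFish description does not mention), and runs on constructed sample pages labelled as such.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit


class PageScanner(HTMLParser):
    """One pass over the HTML: records every <form> with its <input> fields and
    every subresource URL (script/img/iframe src, link href)."""

    SUBRESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.forms = []          # each: {"action": str, "inputs": [(type, name), ...]}
        self.subresources = []   # each: (tag, url)
        self._open_form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._open_form = {"action": a.get("action") or "", "inputs": []}
            self.forms.append(self._open_form)
        elif tag == "input" and self._open_form is not None:
            kind = (a.get("type") or "text").lower()
            self._open_form["inputs"].append((kind, a.get("name") or ""))
        attr = self.SUBRESOURCE_ATTRS.get(tag)
        if attr and a.get(attr):
            self.subresources.append((tag, a[attr]))

    def handle_endtag(self, tag):
        if tag == "form":
            self._open_form = None


def host_is_ip_literal(url):
    """WebFish's first check: is the host part of the URL an IP address (v4 or v6)
    rather than a domain name?"""
    host = urlsplit(url).hostname
    if host is None:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def mixed_content(page_url, subresources):
    """Subresources fetched over plain http on an https page: the case in which
    guideline 3a forbids showing the TLS indicator."""
    if urlsplit(page_url).scheme.lower() != "https":
        return []
    return [url for _, url in subresources if urlsplit(url).scheme.lower() == "http"]


def scan_page(page_url, html):
    """Run all heuristics on one page and return the findings as a dict."""
    scanner = PageScanner()
    scanner.feed(html)
    scanner.close()
    credential_forms = [f for f in scanner.forms
                        if any(kind == "password" for kind, _ in f["inputs"])]
    return {
        "ip_literal_host": host_is_ip_literal(page_url),
        "has_form": bool(scanner.forms),
        "has_credential_form": bool(credential_forms),   # our refinement, not from the report
        "mixed_content": mixed_content(page_url, scanner.subresources),
    }


# Constructed samples for the example (not captures from any real site).
PHISH_URL = "http://203.0.113.7/secure/login"
PHISH_HTML = """<html><head><link rel="icon" href="/lock.png"></head><body>
<form action="/login" method="post">
  <input name="user"><input type="password" name="pw"><input type="submit">
</form></body></html>"""

MIXED_URL = "https://www.example.com/"
MIXED_HTML = """<html><body><img src="http://cdn.example.com/banner.png">
<script src="https://www.example.com/app.js"></script></body></html>"""

if __name__ == "__main__":
    print(scan_page(PHISH_URL, PHISH_HTML))
    print(scan_page(MIXED_URL, MIXED_HTML))
```

The first sample trips both WebFish heuristics (IP-literal host and a credential form) but reports no mixed content, because the page itself is not served over https; the second sample is a clean-looking https page whose image is fetched over http, which is exactly the page a guideline-3a-compliant browser must not decorate with a lock.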
2) AppFish Scheme:
It maintains a database called SAS (suspicious app set). Users can add the applications they suspect to SAS, and only applications recorded in SAS are monitored by AppFish.
If found, the logging procedure starts, in which AppFish takes a screenshot of the login interface and extracts the text with the OCR tool. At
malicious script into a web application's storage, which then causes the script to be executed for every user that page is served to.
CONCLUSION
Mobiles are used to perform many sensitive operations over SSL/TLS connections. Mobile browsers provide similar functionality to desktop browsers, yet because of the reduced screen size the availability and presentation of the security indicators are affected. It is found that the W3C guidelines for the UI of mobile browsers are not implemented appropriately, and there is no consistency in the security indicators across browsers. Since the security indicators are not implemented correctly, even expert users can be misled by an attacker. Some attacks are also possible because of the problems I have discussed above. Attackers take advantage of the absence, or the wrong implementation, of security indicators.