THE METHOD OF SELECTING MEASURES TO PROTECT THE WEB APPLICATION AGAINST ATTACKS


Artem Tetskyi
https://orcid.org/0000-0003-1745-2452

Abstract

The subject matter of the paper is the process of protecting Web applications against attacks aimed at gaining unauthorized access to the functions of the content management system administrator. The goal is to create a method for selecting measures that protect a Web application against such attacks. The tasks are: to determine a list of common Web application security measures, and to develop a method for selecting the most efficient protective measures within a limited budget. The methods used are attack tree analysis, expert assessment, and methods for solving nonlinear integer programming problems with Boolean variables. The following results were obtained. A method for selecting Web application security measures based on an estimate of the success probability of an attack on the Web application has been developed. Since protective measures differ in cost, effectiveness, and influence on the various attack vectors, the selection must yield an optimal set of countermeasures that provides the greatest reduction in the attack success rate. Consequently, not only a change in the parameters of the countermeasures but also a change in the parameters of the attack tree can change the selected set of countermeasures. The problem of selecting protection measures is a nonlinear integer programming problem with Boolean variables. Conclusions. The scientific novelty of the results is as follows: the method of selecting countermeasures by solving an optimization problem, which allows the most effective countermeasures to be selected within a limited budget, was improved. Minimization of the attack success rate is used as the objective function, and the budget for security services is specified as the constraint. It is also possible to use minimization of the budget as the objective function, with the maximum allowable attack success rate used as the constraint.
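The following worked example is added here to make the optimization problem described in the abstract concrete; it is not code or data from the paper. The attack tree (one OR node over "guess admin URL AND brute-force password", "sniff credentials over HTTP" and "exploit vulnerable plugin"), the leaf success probabilities, and the five countermeasures with their costs and per-leaf reduction factors are all constructed for illustration. Each countermeasure is a Boolean variable; the attack success probability is computed from the tree (AND: product of children, OR: one minus the product of the children's failure probabilities, children treated as independent), and because reduction factors multiply, the objective is nonlinear in the Boolean variables. With only five variables the 32 assignments are enumerated exhaustively rather than with an integer programming solver. Both forms mentioned in the abstract are shown: minimize success subject to a budget, and minimize budget subject to a maximum allowed success rate. The last call changes one attack tree parameter (a site served over plain HTTP) to show that this alone changes the selected set.

```python
"""Added example: selecting Web application countermeasures under a budget.

The attack tree, probabilities and countermeasure catalogue below are
constructed for illustration and are not taken from the paper.
"""
from itertools import product
from typing import Dict, List, Optional, Tuple, Union

Node = Union[str, Tuple[str, List["Node"]]]

# Constructed attack tree for "obtain CMS administrator access".
# A node is either a leaf name or ("AND" | "OR", [children]).
TREE: Node = ("OR", [
    ("AND", ["guess_admin_url", "brute_force_password"]),
    "sniff_credentials_over_http",
    "exploit_vulnerable_plugin",
])

# Constructed baseline success probabilities of the leaf attack steps.
LEAF_PROB: Dict[str, float] = {
    "guess_admin_url": 0.9,
    "brute_force_password": 0.4,
    "sniff_credentials_over_http": 0.3,
    "exploit_vulnerable_plugin": 0.5,
}

# Constructed catalogue: cost, and per leaf the factor by which that leaf's
# success probability is multiplied when the measure is deployed.
COUNTERMEASURES: Dict[str, Tuple[float, Dict[str, float]]] = {
    "rename_admin_url":  (1.0, {"guess_admin_url": 0.5}),
    "rate_limit_logins": (2.0, {"brute_force_password": 0.1}),
    "enforce_https":     (3.0, {"sniff_credentials_over_http": 0.05}),
    "patch_management":  (4.0, {"exploit_vulnerable_plugin": 0.2}),
    "web_app_firewall":  (5.0, {"brute_force_password": 0.5,
                                "exploit_vulnerable_plugin": 0.5}),
}


def success_prob(node: Node, probs: Dict[str, float]) -> float:
    """Probability that the attack rooted at `node` succeeds.
    AND: all children succeed; OR: at least one child succeeds.
    Children are treated as independent events (assumption of this example)."""
    if isinstance(node, str):
        return probs[node]
    kind, children = node
    values = [success_prob(child, probs) for child in children]
    if kind == "AND":
        result = 1.0
        for v in values:
            result *= v
        return result
    none_succeed = 1.0
    for v in values:
        none_succeed *= 1.0 - v
    return 1.0 - none_succeed


def apply_measures(chosen: Dict[str, bool], leaf_prob: Dict[str, float]) -> Dict[str, float]:
    """Leaf probabilities after deploying the measures whose variable is True.
    Factors from several measures on the same leaf multiply, which is what
    makes the objective nonlinear in the Boolean variables."""
    probs = dict(leaf_prob)
    for name, on in chosen.items():
        if on:
            for leaf, factor in COUNTERMEASURES[name][1].items():
                probs[leaf] *= factor
    return probs


def select(budget: Optional[float] = None, max_success: Optional[float] = None,
           leaf_prob: Optional[Dict[str, float]] = None):
    """Exhaustive search over the 2^n Boolean assignments.
    budget given: minimize attack success subject to cost <= budget.
    max_success given: minimize cost subject to success <= max_success.
    Returns (sorted chosen measure names, total cost, success probability)."""
    if (budget is None) == (max_success is None):
        raise ValueError("give exactly one of budget or max_success")
    leaf_prob = LEAF_PROB if leaf_prob is None else leaf_prob
    names = list(COUNTERMEASURES)
    best_key, best = None, None
    for bits in product((False, True), repeat=len(names)):
        chosen = dict(zip(names, bits))
        cost = sum(COUNTERMEASURES[n][0] for n, on in chosen.items() if on)
        p = success_prob(TREE, apply_measures(chosen, leaf_prob))
        if budget is not None:
            if cost > budget:
                continue
            key = (p, cost)          # primary: success rate, tie-break: cost
        else:
            if p > max_success:
                continue
            key = (cost, p)          # primary: cost, tie-break: success rate
        if best_key is None or key < best_key:
            best_key = key
            best = (sorted(n for n, on in chosen.items() if on), cost, p)
    return best


if __name__ == "__main__":
    print("baseline success:", round(success_prob(TREE, LEAF_PROB), 4))
    print("budget 7:", select(budget=7.0))
    print("success <= 0.5:", select(max_success=0.5))
    # Same catalogue, different attack tree parameter: site served over plain HTTP.
    risky = dict(LEAF_PROB, sniff_credentials_over_http=0.8)
    print("budget 7, plain-HTTP site:", select(budget=7.0, leaf_prob=risky))
```

With the constructed numbers, a budget of 7 selects the cheap admin-URL rename plus login rate limiting and patch management (success rate drops from 0.776 to about 0.381), while the more expensive firewall is left out; the dual form with a 0.5 ceiling on success rate picks only the rename and patch management at cost 5. Raising one leaf probability (credential sniffing on a plain-HTTP site) moves the budget-7 choice to HTTPS plus patch management, which is the abstract's point that attack tree parameters, not only countermeasure parameters, determine the selected set. For a larger catalogue the enumeration should be replaced by a solver for nonlinear Boolean integer programs.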

Article Details

How to Cite
Tetskyi, A. (2018). THE METHOD OF SELECTING MEASURES TO PROTECT THE WEB APPLICATION AGAINST ATTACKS. Advanced Information Systems, 2(4), 114–118. https://doi.org/10.20998/2522-9052.2018.4.19
Section
Methods of information systems protection
Author Biography

Artem Tetskyi, National Aerospace University – Kharkiv Aviation Institute, Kharkiv

Assistant of the Department of Computer Systems, Networks and Cybersecurity

References

Atashzar, H., Torkaman, A., Bahrololum, M. and Tadayon, M.H. (2011), “A survey on web application vulnerabilities and countermeasures”, Proc. of the 2011 6th Int.Conf. on Computer Sciences and Convergence Information Technology, pp. 647-652.

Lepofsky, R. (2014), The manager's guide to web application security: a concise guide to the weaker side of the web, Apress, 232 p., DOI: https://doi.org/10.1007/978-1-4842-0148-0.

Shah, S. and Mehtre, B. M. (2015), “An overview of vulnerability assessment and penetration testing techniques”, Journal of Computer Virology and Hacking Techniques, vol. 11, no. 1, pp. 27-49, DOI: https://doi.org/10.1007/s11416-014-0231-x.

Han, Y., Sakai, A., Hori, Y. and Sakurai, K. (2009), “Improving the Quality of Protection of Web Application Firewalls by a Simplified Taxonomy of Web Attacks”, Advances in Information Security and Its Application. ISA 2009. Communications in Computer and Inf. Science, Vol. 36, Springer, Berlin, Heidelberg, pp. 105-110, DOI: https://doi.org/10.1007/978-3-642-02633-1_14.

McClure, S., Shah, S. and Shah, S. (2002), Web hacking: Attacks and defense, Addison-Wesley Professional, 528 p.

Tetskyi, A.G. (2018), “Applying of attack trees for estimation the probability of a successful attack of the web-application”, Radioelektronni i komp'uterni sistemi, no. 3, pp. 74-79, DOI: https://doi.org/10.32620/reks.2018.3.08.

Usage of Default protocol https for websites, available at: https://w3techs.com/technologies/details/ce-httpsdefault/all/all.

Solver in Excel, available at: https://www.excel-easy.com/data-analysis/solver.html.