Abstract
Smart devices are equipped with technology that facilitates communication among devices connected via the Internet. These devices ship with a user interface that lets users perform administrative activities through a web browser connected to the device's server. Cross-site scripting (XSS) is the most prevalent web application vulnerability exploited by attackers to compromise smart devices. In this paper, the authors design a framework for shielding smart devices from XSS attacks. It is a machine learning-based attack detection framework that employs a self-organizing map (SOM) to classify XSS attack strings. The input vector to the SOM is generated from an attack ontology and from the changing behavior of the attack strings in different input fields of the device's web interface. Additionally, the framework sanitizes the injected attack string to neutralize the harmful effects of the attack. The experimental results are obtained using a real-world dataset of XSS attacks. We tested the proposed framework on the web interfaces of two smart devices (a TP-Link Wi-Fi router and an HP color printer) containing hidden XSS vulnerabilities. The observed results show the robustness of the proposed work against existing work, as it achieves a high accuracy of 0.9904 on the tested dataset. It is a platform-independent attack detection system that can be deployed on the browser or server side.
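As an added illustration (not the authors' code, feature set or datasets), the sketch below shows the pipeline the abstract describes in miniature: an ontology-inspired feature vector built from an input string, a small self-organizing map trained on constructed labelled samples, and classification of new inputs by their closest labelled neuron. The feature regexes, the 3x3 grid, the training schedule and the sample strings are all assumptions made for this example.

```python
import math
import random
import re

# Hypothetical ontology-inspired features (an assumption, not the paper's feature set): each regex
# stands for one XSS attack concept; the vector holds the match counts plus the log string length.
FEATURES = [r"<\s*script", r"on\w+\s*=", r"javascript\s*:", r"<\s*(iframe|img|svg|object)",
            r"(alert|eval|document\.cookie|fromcharcode)", r"(%3c|%3e|&#x?[0-9a-f])", r"""[<>"'`]"""]

def featurize(s):
    """Map an input string to an L2-normalised feature vector."""
    v = [float(len(re.findall(p, s.lower()))) for p in FEATURES] + [math.log1p(len(s))]
    n = math.sqrt(sum(x * x for x in v)) or 1.0
    return [x / n for x in v]

class SOM:
    """Minimal 2-D Kohonen map trained with a shrinking Gaussian neighbourhood."""
    def __init__(self, rows, cols, dim, seed=0):
        rng = random.Random(seed)  # fixed seed keeps the example deterministic
        self.cols = cols
        self.w = [[rng.random() for _ in range(dim)] for _ in range(rows * cols)]
    def bmu(self, x, candidates=None):
        """Best-matching unit: index of the closest weight vector (optionally among candidates)."""
        return min(candidates or range(len(self.w)), key=lambda i: sum((a - b) ** 2 for a, b in zip(self.w[i], x)))
    def train(self, xs, epochs=200, lr0=0.5, sigma0=1.5):
        for t in range(epochs):
            lr, sigma = lr0 * (1 - t / epochs), sigma0 * (1 - t / epochs) + 0.1
            for x in xs:
                bi, bj = divmod(self.bmu(x), self.cols)
                for i, w in enumerate(self.w):  # pull the BMU and its grid neighbours toward x
                    d2 = (i // self.cols - bi) ** 2 + (i % self.cols - bj) ** 2
                    h = lr * math.exp(-d2 / (2 * sigma * sigma))
                    for k in range(len(w)):
                        w[k] += h * (x[k] - w[k])

def build_model():
    """Train on constructed labelled samples (not the datasets the paper evaluates on)."""
    xss = ["<script>alert(1)</script>", "<img src=x onerror=alert(1)>", "javascript:alert(document.cookie)",
           "<svg onload=alert(1)>", "%3Cscript%3Ealert(1)%3C/script%3E", '"><iframe src=javascript:alert(1)>']
    benign = ["admin", "192.168.0.1", "MyHomeWiFi", "printer-01", "John O'Brien", "255.255.255.0"]
    xs, ys = [featurize(s) for s in xss + benign], ["xss"] * len(xss) + ["benign"] * len(benign)
    som = SOM(3, 3, len(xs[0]))
    som.train(xs)
    votes = {}  # neuron index -> labels of the training samples that map onto it
    for x, y in zip(xs, ys):
        votes.setdefault(som.bmu(x), []).append(y)
    return som, {i: max(set(v), key=v.count) for i, v in votes.items()}

def classify(som, labels, s):
    """Label a new input by its closest labelled neuron: 'xss' or 'benign'."""
    return labels[som.bmu(featurize(s), list(labels))]
```

The sanitization step the abstract mentions is not modelled here; in practice a flagged string would be passed to an HTML sanitizer rather than echoed back into the device page.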