
Adaptive cross-site scripting attack detection framework for smart devices security using intelligent filters and attack ontology

Soft Computing

Abstract

Smart devices are equipped with technology that facilitates communication among devices connected via the Internet. These devices ship with a user interface that lets users perform administrative activities through a web browser connected to the device's embedded web server. Cross-site scripting (XSS) is the most prevalent web application vulnerability exploited by attackers to compromise smart devices. In this paper, the authors design a framework for shielding smart devices from XSS attacks. It is a machine-learning-based attack detection framework that employs a self-organizing map (SOM) to classify XSS attack strings. The input vector to the SOM is generated from an attack ontology and from the changing behavior of the attack strings across the different input fields of the device web interface. The framework also sanitizes the injected attack string to neutralize its harmful effects. The experimental results are obtained using a real-world XSS attack dataset. We tested the proposed framework on the web interfaces of two smart devices (a TP-Link Wi-Fi router and an HP color printer) containing hidden XSS vulnerabilities. The observed results demonstrate the robustness of the proposed work relative to existing work, as it achieves a high accuracy of 0.9904 on the tested dataset. It is a platform-independent attack detection system that can be deployed on the browser or server side.


Data Availability

Data will be available as per the request to the authors.


Funding

The authors have not disclosed any funding.


Corresponding author

Correspondence to B. B. Gupta.

Ethics declarations

Conflict of interest

The authors have not disclosed any competing interests.


Cite this article

Chaudhary, P., Gupta, B.B. & Singh, A.K. Adaptive cross-site scripting attack detection framework for smart devices security using intelligent filters and attack ontology. Soft Comput 27, 4593–4608 (2023). https://doi.org/10.1007/s00500-022-07697-2
