Publication


Featured research published by Eduardo Feitosa.


international symposium on computers and communications | 2012

Automatic classification of cross-site scripting in web pages using document-based and URL-based features

Angelo Eduardo Nunan; Eduardo Souto; Eulanda Miranda dos Santos; Eduardo Feitosa

The structure of dynamic websites comprised of a set of objects such as HTML tags, script functions, hyperlinks and advanced features in browsers lead to numerous resources and interactiveness in services currently provided on the Internet. However, these features have also increased security risks and attacks since they allow malicious code injection or XSS (Cross-Site Scripting). XSS remains at the top of the lists of the greatest threats to web applications in recent years. This paper presents the experimental results obtained on XSS automatic classification in web pages using Machine Learning techniques. We focus on features extracted from web document content and URL. Our results demonstrate that the proposed features lead to highly accurate classification of malicious pages.


pacific rim international symposium on dependable computing | 2014

Towards Secure and Dependable Authentication and Authorization Infrastructures

Diego Kreutz; Alysson Neves Bessani; Eduardo Feitosa; Hugo Cunha

We propose a resilience architecture for improving the security and dependability of authentication and authorization infrastructures, in particular the ones based on RADIUS and OpenID. This architecture employs intrusion-tolerant replication, trusted components and entrusted gateways to provide survivable services ensuring compatibility with standard protocols. The architecture was instantiated in two prototypes, one implementing RADIUS and another implementing OpenID. These prototypes were evaluated in fault-free executions, under faults, under attack, and in diverse computing environments. The results show that, beyond being more secure and dependable, our prototypes are capable of achieving the performance requirements of enterprise environments, such as IT infrastructures with more than 400k users.


federated conference on computer science and information systems | 2014

Identity Providers-as-a-Service built as Cloud-of-Clouds: challenges and opportunities

Diego Kreutz; Eduardo Feitosa

Abstract—In our previous work we designed and evaluated the feasibility of highly secure and dependable identity providers (IdPs) for the increasing requirements of future IT infrastructures. In this position paper we extend our previous work by analyzing and discussing the benefits of deploying highly secure and dependable identity providers-as-a-service (IdP-as-a-Service), without compromising the confidentiality of sensitive data and operations. In order to achieve this goal, we discuss some of the forefront challenges of deploying IdP-as-a-Service as a cloud-of-clouds model to ensure important properties such as the resistance against different types of threats and attacks, arbitrary faults, and make it more realistic to improve the system availability up to the three-nines mark. Notwithstanding, the main opportunities towards IdP-as-a-Service are also analyzed. We finish the paper proposing a sustainable business model based on our previous deployments and results, showing that it can be a win-win opportunity, i.e., both IdP-as-a-Service providers and customers can benefit from it.

Keywords—identity providers, IdP-as-a-Service, business model and opportunities, security, dependability, high availability, cloud providers, multi-cloud, telco cloud, hybrid cloud.


availability, reliability and security | 2014

Increasing the Resilience and Trustworthiness of OpenID Identity Providers for Future Networks and Services

Diego Kreutz; Eduardo Feitosa; Hugo Cunha; Heiko Niedermayer; Holger Kinkelin

We introduce a set of tools and techniques for increasing the resilience and trustworthiness of identity providers (IdPs) based on OpenID. To this purpose we propose an architecture of specialized components capable of fulfilling the essential requirements for ensuring high availability, integrity and higher confidentiality guarantees for sensitive data and operations. Additionally, we also discuss how trusted components (e.g., TPMs, smart cards) can be used to provide remote attestation on the client and server side, i.e., how to measure the trustworthiness of the system. The proposed solution outperforms related work in different aspects, such as countermeasures for solving different security issues, throughput, and by tolerating arbitrary faults without compromising the system operations. We evaluate the system behavior under different circumstances, such as continuous faults and attacks. Furthermore, the first performance evaluations show that the system is capable of supporting environments with thousands of users.


Journal of Network and Computer Applications | 2016

A cyber-resilient architecture for critical security services

Diego Kreutz; Eduardo Feitosa; Hugo Cunha; Rodrigo da Rosa Righi; Douglas D.J. de Macedo

Authentication and authorization are two of the most important services for any IT infrastructure. Taking into account the current state of affairs of cyber warfare, the security and dependability of such services is a first class priority. For instance, the correct and continuous operation of identity providers (e.g., OpenID) and authentication, authorization and accounting services (e.g., RADIUS) is essential for all sorts of systems and infrastructures. As a step towards this direction, we introduce a functional architecture and system design artifacts for prototyping fault- and intrusion-tolerant identification and authentication services. The feasibility and applicability of the proposed elements are evaluated through two distinct prototypes. Our findings indicate that building and deploying resilient and reliable critical services is an achievable goal through a set of system design artifacts based on well-established concepts in the fields of security and dependability. Additionally, we provide an extensive evaluation of both resilient RADIUS (R-RADIUS) and OpenID (R-OpenID) prototypes. We show that our solution makes services resilient against attacks without affecting their correct operation. Our results also pinpoint that the prototypes are capable of meeting the needs of small to large-scale systems (e.g., IT infrastructures with 800k to 10M users).


international conference on information networking | 2015

A role-based routing solution for MANET to support hierarchical rescue teams in emergency scenarios

Gabriela Coutinho; Judith Kelner; Rafael Aschoff; Eduardo Feitosa

In emergency scenarios, groups of people from different organizations, such as hospitals and the police, must be able to communicate in order to coordinate their efforts in such scenarios. Nevertheless, in emergency scenarios a fixed, predefined infrastructure may not be available or reliable, and to interconnect, mobile devices rely on Mobile Ad hoc Network (MANET) technology. Although MANET routing protocols allow devices to interconnect autonomously and share information, they do not cover the different needs of these groups. This work proposes a new approach to meet these requirements in MANETs running the HTR protocol. We propose an organization-based scheme to achieve role-based goals via high level policies. As a proof of concept, we develop and evaluate a policy to increase the lifetime of a specific group of nodes by influencing the weights of the network graph. Our results show how the proposed approach can successfully and efficiently influence the behavior of nodes in order to achieve role-based goals improving communication.


dependable autonomic and secure computing | 2015

Identifying and Classifying Suspicious Network Behavior Using Passive DNS Analysis

Kaio R. S. Barbosa; Eduardo Souto; Eduardo Feitosa; Khalil El-Khatib

Global Domain Name System (DNS) traffic provides a unique perspective on domain names usage by both legitimate users and suspicious applications. Beyond conventional DNS analysis queries and responses altogether, in this paper we investigate domain name queries to identify suspicious network traffic at .br country code Top-Level Domain (ccTLD) authoritative name servers. By monitoring and modeling three DNS components into a direct graph, we expect that network operators are able to understand communication patterns between hosts and domain names, and the real purpose for a name resolution such as in mass Spam or in network reconnaissance attacks. This paper identifies relevant hosts for analysis among network traffic, reducing the number of entities to be investigated.


ad hoc mobile and wireless networks | 2014

A Multipath Extension for the Heterogeneous Technology Routing Protocol

Josias Lima; Thiago Gomes Rodrigues; Rodrigo Melo; Gregório Correia; Djamel Sadok; Judith Kelner; Eduardo Feitosa

In recent years we have witnessed the emergence of new access techniques that use both wireless technologies and self-organizing features. Their combination eliminates the need for using pre-defined wired structures and prior configurations. In this paper, we propose an extension by enabling multipath routing over our Heterogeneous Technologies Routing (HTR) Framework. HTR Multipath routing offers several benefits such as load balancing, fault tolerance, routing loop prevention, energy-conservation, low end-to-end delay, congestion avoidance, among others. This work performs a comparative analysis of the proposed HTR extension, with the baseline HTR, and the widely-used Optimized Link State Routing (OLSR) protocol. The evaluation is validated through the simulation of heterogeneous technologies such as WiMAX, 3GPP LTE and Wi-Fi. Results show that our proposal effectively improves the data delivery ratio and reduces the end-to-end delay without major impact on network energy consumption.


personal, indoor and mobile radio communications | 2013

On the tuning of wireless heterogeneous routing

Josias Lima; Thiago Gomes Rodrigues; Rodrigo Melo; Gregório Correia; Judith Kelner; Eduardo Feitosa

Multi-radio multi-channel (MR-MC) ad hoc networks pose new configuration challenges, including routing. Although a large number of works exist that investigate the tuning of routing parameter settings, to the best of our knowledge, none of them investigates the impact of heterogeneity and the tuning of parameters on convergence interval and energy consumption. Heterogeneous Technologies Routing (HTR) is a soft-state framework suitable for interconnecting devices in a heterogeneous ad hoc network. In this paper, we investigate the impacts of tuning the HELLO refresh interval timer on the convergence of the HTR protocol and its subsequent energy consumption during this phase. We also compare our tuned HTR with the widely used Optimized Link State Routing (OLSR) protocol. The evaluation is validated through simulation using heterogeneous technologies such as WiMAX, 3GPP LTE and Wi-Fi. Results show that varying the HELLO refresh interval can improve the convergence time and reduce the energy consumption without major impact on network behavior.


human factors in computing systems | 2018

A Set of Privacy Inspection Techniques for Online Social Networks

Andrey Rodrigues; Natasha Valentim; Eduardo Feitosa

The growing use of Online Social Networks (OSN) has encouraged the adoption of good practices in the design and evaluation of these applications to ensure their social acceptability and quality of use. In this way, privacy can be considered one of the determining factors of quality of use, because privacy discrepant interfaces can negatively influence the users' interaction with these systems. One way to support privacy assessment to detect potential problems is through inspection methods. Based on that, in this paper we present a set of privacy inspection techniques called PIT-OSN (Privacy Inspection Technique for Online Social Network). We also present the evaluation of PIT-OSN through a preliminary study. The results indicated that the technique helped inspectors, not experts, to diagnose privacy issues effectively. PIT-OSN was also considered easy to use and useful by study participants. Finally, the qualitative analysis points out valuable inputs for the refinement of the technique and the opportunities for its improvement.

Collaboration


Dive into Eduardo Feitosa's collaboration.

Top Co-Authors

Hugo Cunha; Federal University of Amazonas

Judith Kelner; Federal University of Pernambuco

Eduardo Souto; Federal University of Amazonas

Gregório Correia; Federal University of Pernambuco

Josias Lima; Federal University of Pernambuco

Rodrigo Melo; Federal University of Pernambuco

Rodrigo da Rosa Righi; Universidade do Vale do Rio dos Sinos

Thiago Gomes Rodrigues; Federal University of Pernambuco