Jin-Cherng Lin
Tatung University
Publication
Featured research published by Jin-Cherng Lin.
advanced information networking and applications | 2008
Jin-Cherng Lin; Chun-Lun Chou; Cheng-Hsiung Liu
In recent years, demand for high-speed Internet access and multimedia services has increased greatly. The IEEE 802.16 Working Group on broadband wireless access is developing the IEEE 802.16 standards for wireless metropolitan area networks. IEEE 802.16 aims at providing broadband wireless last-mile access in a Metropolitan Area Network, with easy deployment, a high data rate and a large coverage area. WiMAX also supports a quality-of-service architecture, including priority scheduling and queuing for bandwidth allocation, to make the system more efficient. Therefore, we implement several scheduling schemes on a WiMAX system in NS2 and analyze them in the uplink and downlink directions to obtain better performance. The simulation results clearly show the performance of the different scheduling schemes and which one suits each specific environment. Finally, we provide an efficient queuing scheduling theory for dynamic bandwidth allocation to obtain better performance for the IEEE 802.16 system.
computer and information technology | 2007
Jin-Cherng Lin; Jan-Min Chen
An injection attack is a technique for injecting code into a computer program or system by taking advantage of the unchecked assumptions the system makes about its inputs. The purpose of the injected code is typically to bypass or modify the originally intended functionality of the program. It is popular in system hacking or cracking as a way to gain information, privilege escalation or unauthorized access to a system. Many application security vulnerabilities result from generic injection problems. Examples of such vulnerabilities are SQL injection, shell injection and script injection (cross-site scripting). Some applications attempt to protect themselves by filtering malicious input data, but it may not be viable to modify the source of such components (either because the code was shipped in binary form or because the license agreement is prohibitive). We have tried to develop a defense mechanism that can automatically produce a proper input validation function on a security gateway to filter malicious injection. The security gateway is placed in front of the application server to eliminate malicious injection vulnerabilities. To verify the efficiency of the tool, we pick Web sites made up of Web applications that often contain third-party vulnerable components shipped in binary form. In these experiments, our defense mechanism has proved its efficiency in preventing malicious injection attacks.
computer and information technology | 2006
Jin-Cherng Lin; Jan-Min Chen
Many web application security vulnerabilities result from generic input validation problems. Examples of such vulnerabilities are SQL injection and Cross-Site Scripting (XSS). Some sites attempt to protect themselves by filtering malicious input, but a surprising number of web applications use no mechanisms to validate input. We have developed an advanced tool that can produce a proper input validation function depending on the database server and the application framework. The tool can automatically insert the proper input validation function into the server-side program to eliminate vulnerabilities based on malicious injection. To verify the efficiency of the tool, we picked websites made up of example programs included in books or created by web generator tools. In our experiments, the validation function was automatically injected into the websites to prevent malicious injection attacks.
international conference for young computer scientists | 2008
Jin-Cherng Lin; Jan-Min Chen; Cheng-Hsiung Liu
According to the OWASP Top 10 2007, the top 1-5 critical Web application security vulnerabilities are caused by unchecked input [1]. Unvalidated input may allow a hacker to inject code to bypass or modify the originally intended functionality of the program to gain information, privilege escalation or unauthorized access to a system. Examples of such vulnerabilities are SQL injection, shell injection and Cross-Site Scripting (XSS). Proper input validation is an effective countermeasure against input attacks, but it may induce false negatives or false positives. We develop a defense system consisting of a testing framework and a sanitizing mechanism on a security gateway. The security gateway is placed in front of the application server to mitigate malicious injection. To verify the efficiency of the sanitizing mechanism, we focus on whether the filter rules have a better detection rate when sanitizing input data. In our experiments, different fields may be automatically assigned proper validation rules made up of several sub-rules. By means of the mechanism, we reduce the false rate and prove that the hybrid method is better than any traditional input handling.
advanced information networking and applications | 2003
Jin-Cherng Lin; Ching-Tien Chang; Wei-Tao Chung
Network security has always been a significant issue, but it is a recognized priority today due to the popularity of the Internet. The issue is not whether security should be implemented on a network; rather, the question to ask is whether security has been implemented properly and whether it interoperates with today's network architecture. Although there are various ways to build a secure network environment, the most popular and most progressive network security mechanism is the Security Architecture for IP (IPSec), offered by the IETF (Internet Engineering Task Force). We discuss the problems that arise when combining IPSec with the current TCP/IP module by porting an IPSec shareware implementation (FreeS/WAN) into a router. Finally, in order to understand the impact on the router's performance when using the various services and hash/encryption algorithms provided by IPSec, we test the throughput of the router before and after applying IPSec.
advanced information networking and applications | 2008
Jin-Cherng Lin; Jan-Min Chen; Cheng-Hsiung Liu
An injection attack is a technique to bypass or modify the originally intended functionality of a program. Many application security vulnerabilities result from generic injection problems. Examples of such vulnerabilities are SQL injection, shell injection and script injection (cross-site scripting). Proper input validation is an effective countermeasure against input attacks. However, it is challenging because there is no specific answer for what constitutes valid input across applications. As individual fields often require specific validation, input validation adopting only one filter rule may induce false negatives or false positives. We develop a defense system consisting of an event-driven security testing framework and an adjustable validation function on a security gateway. The security gateway is placed in front of the application server to eliminate malicious injection vulnerabilities. To verify the efficiency of the adjustable mechanism, we focus on whether the validation functions included in meta-programs have proper filter rules to sanitize input data. In our experiments, different fields may have various validation rules made up of several sub-rules. By means of these rules, we reduce the false rate and increase the detection rate. That is to say, we prove that the diversified validation rules produced by our automatic mechanism are more efficient and flexible than a single rule.
Journal of Discrete Mathematical Sciences and Cryptography | 2010
Kai-Yung Lin; Jin-Cherng Lin; Jan-Min Chen; Tsung-Che Wu
Nowadays the trend in Web application attacks is to use various vulnerability scanners to find flaws before launching attacks. Examples of such vulnerabilities are SQL injection and Cross-Site Scripting (XSS). For most web application security problems, CAPTCHA is used to defend the system by identifying whether the traffic source is a human or a robot. In this paper, we describe our techniques for automatically identifying human-generated web actions and separating them from malicious crawler actions. The technology is similar to CAPTCHA and is able to block malicious crawlers readily, but it can precisely identify the parameters filled in by a malicious crawler. The user can enter without any distorted images, avoiding miscellaneous input actions. Our experiments on distinguishing ability show that 100% of human users and malicious crawlers are identified, with a maximum false positive rate of 0%. Such identification can help protect individual Web sites, reduce tool abuse, or help identify compromised computers within an organization.
Journal of Computers | 2009
Jin-Cherng Lin; Jan-Min Chen
Many programs are poorly written, lacking even the most basic security procedures for handling input data from users. Input validation vulnerabilities can be detected by many tools, but few tools can fix the flaws automatically. A security gateway can be used to protect vulnerable Web sites immediately, but it may induce false recognition through impersonal rules. By means of hybrid analysis and injection tests, the vulnerable Web pages can be listed. Only those in the vulnerable list need to be checked completely, which effectively reduces the system load and false positives. Moreover, an algorithm based on a multilevel strategy is proposed that automatically produces an individual sanitizing rule for every vulnerable injection point. To meet the aim of automated validation, the enhanced crawler, the testing framework and the metaprograms are integrated into a sanitizing mechanism after we analyze the data flow. According to the experimental results, the mechanism has proved to be a more effective scheme than traditional input handling methods for mitigating malicious injection.
computer and information technology | 2006
Jin-Cherng Lin; Kuo-Chiang Wu
Many factors influence software reliability in the course of developing software, so scientists have to omit minor factors and preserve key factors. Furthermore, they artificially simplify and limit the ways the preserved factors are affected, which serves as the basis for establishing a mathematical model and predicting software reliability. As with other software reliability models, there are also some assumptions or limitations in this paper. However, these assumptions or limitations originate from the basic assumptions of grey system theory. Most traditional software reliability models are derived from probability methods, but the grey system is not. Therefore, this paper only makes a comparison between our mathematical model derived from the grey system and that derived from the probability method. Finally, the result is that both models are limitary discrete monotone increasing exponential functions. However, the precision of reliability prediction will depend on testing larger real cases over a long time. This paper, based on the grey system, simply puts forward our viewpoint.
Advances in Engineering Software | 2001
Jin-Cherng Lin; Ian Ho
The time-dependent and asynchronous nature of many real-time applications adds a potentially difficult problem to the testing activities, which needs to be solved. To address this need, we present a formal testing strategy for real-time software using a dual-language approach. In our approach, we start with the derivation of real-time software requirements in temporal logic form as our basis of descriptive formalism. Then we propose an abstract semantics to correlate the temporal logic formulae with the time Petri nets of the software. We thereby obtain the operational formalism to generate the test cases. According to the temporal properties of the software requirements, the descriptive formalism provides rich information for test oracle generation. By combining the timed test cases with oracles, firm and definite test suites are formed.