Masayuki Hisada

Static and Dynamic Analysis for Web Security in Generic Format

Further to the milestone we achieved in flagging and logging by using generic abstract syntax format, we applied metadata messaging to identify individual node. In order to explore the concept of generic format, we are currently investigating security automaton, event based trigger, and their interference by means of node identification and state transfer. Our objective in web security is to move black box to white box in enterprise practices. In this paper, we explain how our approaches achieve the goal in terms of static and dynamic analysis. To better explain the framework and roadmap of analysis work, we describe our approaches by using macro and micro views individually. Macro view covers analysis of the abstract syntax structure and block identification are the key in flow tracking. Micro view includes node to node interference, the metadata messaging, security automaton we applied, and interoperability between event and node. The logging outputs produced by static analysis can be further developed for dynamic analysis. This bridge the static and dynamic analysis by using tracking and validation techniques. This can also build up the foundation of the web security governance.

SOA Web Security and Applications

The conventional vulnerability detection fails to extend its generic form to an abstract level in coping with particular type of string validation. Consequently the security bypasses key issues such as Java scripting and SQL injection. It causes tremendous business loss and customers risk due to taint distribution and illegal data manipulation. This paper introduces semantic analysis by using metadata codes, as well as a hierarchical parser in token-based algorithmic check. Our research in SOA web security can help industry to minimize business impact, to achieve higher accuracy in vulnerability detection, and to commit fast responsiveness.

The architecture and industry applications of web security in static and dynamic analysis

Purpose – The purpose of this paper is to propose a metadata‐driven approach and the associated technologies to deal with ever‐rising web security issue. The approach applies metadata techniques to envision semantic validation for new types of vulnerability.Design/methodology/approach – Token decomposition design was applied to move analysis work into abstract level. This novel approach can solve the issues by using a dual control method to perform vulnerability validation.Findings – Current analysis has been lack in metadata foundation, the vulnerability is invisible due to semantic obfuscation. This paper reflects the limitation of existing methods. It applies metadata‐driven approach to move physical and syntax analysis into semantic validation.Research limitations/implications – Currently, certain difficulties may be encountered in preparing benchmarking for dual control process before completing development work. However, this paper tries to create scenarios which can be a reference, to evaluate the ...

Static and dynamic analysis for web security in industry applications

To apply our analysis work in industry security applications, we are investigating semantic metadata and structural syntax analysis. This paper explains how our approaches achieve the goal in terms of static and dynamic analysis by using industry scenarios. To better explain the framework and roadmap, we describe our approaches by using macro and micro views individually. Macro view oversees syntax structure and identification, while micro view envisions metadata messaging and parser automaton. The coherence of macro and micro views forms web security framework in tracking and validation. Our research applies the security service in industry fraud detection. It demonstrates metadata messaging for tracking, and HIPA code generation for validation. This bridges the gap between static and dynamic analysis. This also builds up the foundation of web security governance.

Coping with the Complexity of SOA Systems with Message Forensics

This paper introduces an approach to construct SOA (Service Oriented Architecture) systems using the so called a synchronous messaging network. An asynchronous messaging network (or simply messaging network) refers to an overlay network (over LAN, VPN, Internet, etc.) that allows exchanging well-formatted asynchronous messages (typically in XML) between the service providers and consumers in the system. The proposed approach aims at reducing the operation and maintenance cost of the system by using a messaging network enhanced with the capability to store, inspect and analyze selected portions of the exchanged messages under the strict control of security and privacy. Complexity makes any information system vulnerable to design flaws, operation error, and security problems. The proposed approach facilitates analyzing these problems associated with complex SOA systems through the message-store analysis. We consider that the application of computer forensics to the message store in SOA helps the system administrator to identify and fix various problems. The requirements for the messaging network for SOA systems are also presented.

Knowledge-Base Semantic Gap Analysis for the Vulnerability Detection

Web security became an alert in internet computing. To cope with ever-rising security complexity, semantic analysis is proposed to fill-in the gap that the current approaches fail to commit. Conventional methods limit their focus to the physical source codes instead of the abstraction of semantics. It bypasses new types of vulnerability and causes tremendous business loss.