Detection of Cookie Bomb Attacks in Cloud Computing Environment Monitored by SIEM
Authors: Ryuga Kaneko, Taiichi Saito
Journal of Advances in Information Technology, journal article, published 2023-01-01 (JCR Q4, Computer Science, Information Systems)
DOI: 10.12720/jait.14.2.193-203 (https://doi.org/10.12720/jait.14.2.193-203)
Citations: 0

Abstract
This paper proposes a new method to detect Cookie Bomb attacks. A Cookie Bomb attack is a denial-of-service attack in which a user cannot receive a legitimate Hypertext Transfer Protocol (HTTP) response from an HTTP server because the total amount of cookies in an HTTP request exceeds the size limit accepted by the HTTP server. The new method includes our cloud architecture and detection algorithms. The cloud architecture distributes and executes a detection script, which is an implementation of the detection algorithms. This architecture uses Azure Virtual Machines, Azure Storage, Azure Automation, Azure Monitor, and Microsoft Sentinel. The virtual machines are the core components of the architecture, to which end users can connect via RDP to use their browsers. The detection script performs three tasks: obtaining paths to cookie databases generated by browsers, retrieving cookie data from a database, and comparing a threshold with the total size of all cookies a browser sends to a server. Results indicate that our proposed method 1) enables scheduled automation, 2) provides better visibility across regions, and 3) expands detection coverage for different Windows users, browsers, and browser profiles.
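The second and third tasks of the detection script described in the abstract, reading cookie rows from a browser database and comparing the per-host total with a threshold, can be illustrated with the following added Python example. It is not the authors' script and is not taken from the paper: it builds a constructed SQLite file that imitates a simplified Chromium `cookies` table (real databases have more columns and store values encrypted), assumes an 8192-byte limit as the threshold because common HTTP servers reject a single header field around that size, and takes the database path as an argument rather than implementing the paper's first task of locating cookie databases per Windows user and browser profile. The host grouping also counts domain cookies (a `host_key` with a leading dot) toward every matching subdomain, since the browser sends them there too.

```python
import os
import sqlite3
import tempfile
from collections import defaultdict

# Assumption (not from the paper): a Cookie header above this many bytes is
# treated as a bomb; common server defaults for one header field are ~8 KB.
HEADER_LIMIT = 8192


def make_sample_cookie_db(db_path):
    """Write a constructed SQLite file with a simplified copy of the Chromium
    'cookies' table. Real browser databases carry more columns and store the
    value encrypted; this is test data only."""
    conn = sqlite3.connect(db_path)
    conn.execute("CREATE TABLE cookies (host_key TEXT, name TEXT, value TEXT, path TEXT)")
    rows = [("example.com", "session", "abc123", "/")]
    # a normal site with a handful of small preference cookies
    rows += [("news.example.org", "pref%d" % i, "x" * 50, "/") for i in range(5)]
    # a bombed site: 30 cookies of 4000 bytes each, far above any header limit
    rows += [("victim.example.net", "bomb%d" % i, "A" * 4000, "/") for i in range(30)]
    conn.executemany("INSERT INTO cookies VALUES (?, ?, ?, ?)", rows)
    conn.commit()
    conn.close()


def cookie_header_size(pairs):
    """Bytes of the Cookie request header the browser would build:
    'name=value' pairs joined by '; '."""
    return len("; ".join("%s=%s" % (n, v) for n, v in pairs).encode("utf-8"))


def cookies_per_host(db_path):
    """Task 2 of the script: read cookie rows and group them by the host they
    would be sent to. A host_key with a leading dot is a domain cookie that
    also goes to every subdomain, so it is counted for each matching host."""
    conn = sqlite3.connect(db_path)
    rows = conn.execute("SELECT host_key, name, value FROM cookies").fetchall()
    conn.close()
    hosts = {hk.lstrip(".") for hk, _, _ in rows}
    sent = defaultdict(list)
    for host in hosts:
        for hk, name, value in rows:
            if hk == host or (hk.startswith(".") and (host == hk[1:] or host.endswith(hk))):
                sent[host].append((name, value))
    return sent


def detect_cookie_bombs(db_path, limit=HEADER_LIMIT):
    """Task 3: compare each host's total cookie size with the threshold and
    return the hosts whose requests the server would reject, largest first."""
    flagged = []
    for host, pairs in cookies_per_host(db_path).items():
        size = cookie_header_size(pairs)
        if size > limit:
            flagged.append((host, size))
    return sorted(flagged, key=lambda hs: hs[1], reverse=True)


def run_demo():
    """Build the constructed database in a temp dir, run the check, clean up."""
    with tempfile.TemporaryDirectory() as tmp:
        db_path = os.path.join(tmp, "Cookies")  # Chromium names the file 'Cookies'
        make_sample_cookie_db(db_path)
        return detect_cookie_bombs(db_path)


if __name__ == "__main__":
    for host, size in run_demo():
        print("cookie bomb suspected: %s sends %d bytes of cookies (limit %d)"
              % (host, size, HEADER_LIMIT))
```

Only `victim.example.net` is reported: its 30 cookies add up to 120258 bytes of Cookie header, while the other two hosts stay in the tens or hundreds of bytes. In a deployment like the paper's, the flagged host and size would be what the script forwards to the log pipeline that the SIEM ingests; the per-host total is the signal, not any single cookie, which is why the check aggregates before comparing. A live Chromium profile keeps the `Cookies` file locked while the browser runs, so a real collector would copy the file first.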