Cite this article:
- Bai Xiaofan, Wang Junqi, Zhao Yiru, Wang Xiaoke, Zhao Lei. A Behavioral Simulation Approach for Password Security Testing in Web Systems [J]. Journal of Cyber Security, accepted.
Abstract:
Authentication is an important means of securing information systems, and since the 1970s passwords have been the most commonly used authentication method. However, the widespread use of weak, low-entropy passwords and credential-leak incidents have reduced the security of password-based authentication. Attackers can compromise systems through brute-force cracking and credential stuffing, threatening the security of information systems. Existing automated password security detection methods fall mainly into script-integration methods, methods that construct request messages by analyzing the login form, and script-recording methods; these methods have clear limitations in generality, effectiveness, and large-scale testing, and struggle with the complex and varied authentication mechanisms of modern Web systems. To address these challenges, and building on two key observations, this paper proposes a behavior simulation-based password security testing method for Web systems. It designs three login behavior models, one-step login, segmented login, and pop-up login, and on the basis of these models performs element localization and login behavior chain construction, realizing credential submission through behavior simulation. It then proposes a message reconstruction strategy based on differential comparison, which uses differential analysis to identify protective measures such as encryption and signing and selects a suitable message reconstruction method. The proposed method is validated on two datasets and outperforms existing methods in login page recognition accuracy, generality of message construction, and the time cost of large-scale credential submission. In particular, its login page recognition false positive rates are only 0.52% and 1.68%, significantly lower than Shepherd's 30.30%.
Keywords: authentication; insecure passwords; login behavior model; behavior simulation
DOI:
Received: 2024-10-22; Revised: 2025-02-25
Funding: National Natural Science Foundation of China (General Program, Key Program, Major Program)
A Behavioral Simulation Approach for Password Security Testing in Web Systems
Bai Xiaofan, Wang Junqi, Zhao Yiru, Wang Xiaoke, Zhao Lei
(Wuhan University)
Abstract:
Authentication is a fundamental measure to ensure the security of information systems. Since the 1970s, passwords have been the most widely used method for authentication. However, the misuse of weak passwords with low entropy, along with frequent credential leaks, has significantly compromised the security of password-based authentication. These vulnerabilities provide attackers with opportunities to exploit systems through methods such as brute-force attacks and credential stuffing, thereby posing severe threats to the overall security of information systems. Existing automated password security detection methods primarily include script integration, message construction based on login form analysis, and script recording. However, these methods suffer from several limitations, including a lack of generalizability, insufficient effectiveness, and poor scalability, making it challenging for them to handle the diverse and evolving authentication mechanisms in modern Web systems. To address these challenges, this paper proposes a novel behavior simulation-based method for password security testing in Web systems. Specifically, we design three types of login behavior models, the one-step login model, the segmented login model, and the pop-up login model, to simulate user interactions. Based on these models, we construct login behavior chains and implement credential submission through behavior simulation. Furthermore, a differential comparison-based packet reconstruction strategy is introduced to assess and choose suitable reconstruction methods by analyzing the presence of encryption, signatures, or other protective measures during login. The proposed method was extensively validated using two different datasets: an industry-standard dataset and a customized dataset obtained through a network search engine. Experimental results indicate that the proposed approach significantly outperforms existing methods in terms of login page recognition accuracy, packet construction generalizability, and efficiency for large-scale credential submissions. In particular, our approach achieves login page recognition false positive rates as low as 0.52% and 1.68%, a significant improvement over Shepherd's 30.30%, demonstrating its superior accuracy and efficiency.
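The differential comparison step in the abstract (capturing the same login form submitted with two different test passwords and diffing the requests to learn whether the credential is encrypted, signed, or sent as typed) can be illustrated with a small script. The following is an added example, not the paper's code or tooling: it takes two captured request bodies for a test account on a form you are assessing, labels each field as constant, varying, or derived from the submitted secret, and reports the weakest exposure found. The captures, field names (`user`, `pwd`, `csrf`, `ts`, `nonce`, `sig`) and credentials are all constructed.

```python
"""Differential comparison of two captured login requests.

Added example (not code from the paper): submit a login form twice with
two different test passwords for a test account, capture both request
bodies, and compare them field by field to learn how the form handles the
password before it leaves the browser: sent as typed, merely encoded,
hashed without a salt, or something these checks cannot derive from the
password alone. All captures below are constructed; field names are
hypothetical.
"""
import base64
import hashlib
from urllib.parse import parse_qsl, urlencode

# Constructed test credentials for a test account, not real ones.
SECRET_A = "Abc12345!"
SECRET_B = "Xyz98765?"


def _b64(s):
    return base64.b64encode(s.encode()).decode()


def _sha256(s):
    return hashlib.sha256(s.encode()).hexdigest()


# Three hypothetical forms, each captured twice; only the typed password differs.
CAPTURES = {
    "form_plain": (
        urlencode({"user": "tester", "pwd": SECRET_A, "csrf": "9f1e", "ts": "1700000000"}),
        urlencode({"user": "tester", "pwd": SECRET_B, "csrf": "9f1e", "ts": "1700000001"}),
    ),
    "form_base64": (
        urlencode({"user": "tester", "pwd": _b64(SECRET_A), "csrf": "9f1e"}),
        urlencode({"user": "tester", "pwd": _b64(SECRET_B), "csrf": "9f1e"}),
    ),
    "form_sha256": (
        urlencode({"user": "tester", "pwd": _sha256(SECRET_A), "nonce": "a1", "sig": "31c0"}),
        urlencode({"user": "tester", "pwd": _sha256(SECRET_B), "nonce": "b2", "sig": "4d7e"}),
    ),
}


def _unsalted_digests(secret):
    """Hex digests a client might compute over the bare password (no salt/nonce)."""
    data = secret.encode()
    return {hashlib.new(algo, data).hexdigest() for algo in ("md5", "sha1", "sha256", "sha512")}


def _decodes_to(value, secret):
    """True if value is just a base64 encoding of the secret (reversible, not protective)."""
    try:
        return base64.b64decode(value, validate=True).decode() == secret
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return False


def classify_fields(body_a, body_b, secret_a, secret_b):
    """Label every form field by how it relates to the two submitted secrets."""
    a = dict(parse_qsl(body_a, keep_blank_values=True))
    b = dict(parse_qsl(body_b, keep_blank_values=True))
    verdict = {}
    for name in sorted(a.keys() | b.keys()):
        va, vb = a.get(name, ""), b.get(name, "")
        if va == vb:
            verdict[name] = "constant"          # username, static CSRF token, ...
        elif (va, vb) == (secret_a, secret_b):
            verdict[name] = "plaintext-secret"  # password sent as typed
        elif _decodes_to(va, secret_a) and _decodes_to(vb, secret_b):
            verdict[name] = "encoded-secret"    # reversible encoding, no protection
        elif va in _unsalted_digests(secret_a) and vb in _unsalted_digests(secret_b):
            verdict[name] = "unsalted-hash"     # derivable offline, replayable as-is
        else:
            verdict[name] = "varying"           # nonce, timestamp, signature, ciphertext
    return verdict


def assess_form(body_a, body_b, secret_a, secret_b):
    """Summarise the weakest way the secret is exposed in the request."""
    labels = set(classify_fields(body_a, body_b, secret_a, secret_b).values())
    for weak in ("plaintext-secret", "encoded-secret", "unsalted-hash"):
        if weak in labels:
            return weak
    return "opaque"  # not recoverable from the request by these checks


if __name__ == "__main__":
    for form, (body_a, body_b) in CAPTURES.items():
        fields = classify_fields(body_a, body_b, SECRET_A, SECRET_B)
        print(form, fields, "->", assess_form(body_a, body_b, SECRET_A, SECRET_B))
```

A field labelled `varying` that is not derivable from the password alone is the signal that the form applies a nonce, signature, or encryption, which is the case where the paper's strategy has to choose a different message reconstruction method; `plaintext-secret`, `encoded-secret` and `unsalted-hash` all mean the credential relies entirely on transport security and a captured request can be replayed unchanged, which is what a defender reviewing their own login form would want flagged.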
Key words: authentication; insecure passwords; login behavior model; behavioral simulation