Person:
Ahamad, Mustaque


Publication Search Results

  • One-Time Cookies: Preventing Session Hijacking Attacks with Stateless Authentication Tokens
    (Georgia Institute of Technology, 2012-02) Dacosta, Italo; Chakradeo, Saurabh; Ahamad, Mustaque; Traynor, Patrick
    HTTP cookies are the de facto mechanism for session authentication in web applications. However, their inherent security weaknesses allow attacks against the integrity of web sessions. HTTPS is often recommended to protect cookies, but deploying full HTTPS support can be challenging due to performance and financial concerns, especially for highly distributed applications. Moreover, cookies can be exposed in a variety of ways even when HTTPS is enabled. In this paper, we propose One-Time Cookies (OTC), a more robust alternative for session authentication. OTC prevents attacks such as session hijacking by signing each user request with a session secret securely stored in the browser. Unlike other proposed solutions, OTC does not require expensive state synchronization in the web application, making it easily deployable in highly distributed systems. We implemented OTC as a plugin for the popular WordPress platform and as an extension for Firefox and Firefox for mobile browsers. Our extensive experimental analysis shows that OTC introduces a latency of less than 6 ms when compared to cookies - a negligible overhead for most web applications. Moreover, we show that OTC can be combined with HTTPS to effectively add another layer of security to web applications. In so doing, we demonstrate that One-Time Cookies can significantly improve the security of web applications with minimal impact on performance and scalability.
  • One-Time Cookies: Preventing Session Hijacking Attacks with Disposable Credentials
    (Georgia Institute of Technology, 2011) Dacosta, Italo; Chakradeo, Saurabh; Ahamad, Mustaque; Traynor, Patrick
    Many web applications are vulnerable to session hijacking attacks due to the insecure use of cookies for session management. The most recommended defense against this threat is to completely replace HTTP with HTTPS. However, this approach presents several challenges (e.g., performance and compatibility concerns) and therefore, has not been widely adopted. In this paper, we propose “One-Time Cookies” (OTC), an HTTP session authentication protocol that is efficient, easy to deploy and resistant to session hijacking. OTC’s security relies on the use of disposable credentials based on a modified hash chain construction. We implemented OTC as a plug-in for the popular WordPress platform and conducted extensive performance analysis using extensions developed for both Firefox and Firefox for mobile browsers. Our experiments demonstrate the ability to maintain session integrity with a throughput improvement of 51% over HTTPS and a performance approximately similar to a cookie-based approach. In so doing, we demonstrate that one-time cookies can significantly improve the security of web sessions with minimal changes to current infrastructure.
  • A Crow or a Blackbird?: Using True Social Network and Tweeting Behavior to Detect Malicious Entities in Twitter
    (Georgia Institute of Technology, 2010) Balasubramaniyan, Vijay A.; Maheswaran, Arjun; Mahalingam, Viswanathan; Ahamad, Mustaque; Venkateswaran, H.
    The growing popularity of Twitter and its ability to enable near instantaneous sharing of information has made it a target of attacks by malicious entities who use it to spam and provide links to malware. There is evidence that these entities are using increasingly sophisticated techniques that mimic the behavior of reputed sources to avoid detection. We use novel mechanisms that utilize the true social network of users, the quality of information produced by them and their tweeting behavior to identify such entities. A scheme based on these mechanisms is even able to detect malicious entities that collude to establish dense social networks. Using actual data from a representative sample of 278,758 Twitter users, we demonstrate the effectiveness of this approach by showing that (1) we identified 5334 accounts that had links to unsafe websites, and (2) over a period of 31 days, 181 accounts that our algorithm identified as potentially malicious were subsequently suspended by Twitter. We believe our algorithm is one of the first to automatically deal with a broad range of malicious entities present in Twitter.
  • Privacy Preserving Grapevines: Capturing Social Network Interactions Using Delegatable Anonymous Credentials
    (Georgia Institute of Technology, 2009) Balasubramaniyan, Vijay A.; Lee, Younho; Ahamad, Mustaque
    A wide variety of services allow users to meet online and communicate with each other, building new social relationships and reinforcing older ones. Unfortunately, malicious entities can exploit such services for fraudulent activities such as spamming. It is critical that these services protect users from unwanted interactions, especially when new relationships are being established - the introduction problem. The problem of assessing that a social network connection is no longer beneficial is also important due to the dynamic nature of such networks. A large number of new connections are established through existing, weak social ties (for example, friend of a friend). On the other hand, the willingness of a user to continue interactions with an existing relationship is an indication of his or her endorsement of that relationship. The interaction history of a user provides valuable information about both new social network connections and the validity of established ones. However, capturing this interaction history is rife with privacy concerns. In this paper, we create a transferable token framework, based on delegatable anonymous credentials (DAC - Crypto 2009), that captures interaction history in a privacy-preserving manner. By using the Groth-Sahai proof system, we extend DACs to allow for single-use tokens with the ability to identify token double spenders. We show that such tokens can, simultaneously, demonstrate the existence of a social network path and capture the continued validity of a social network connection. We present an implementation of this DAC-based token framework and utilize it in a Voice over IP (VoIP) setting to enable legitimate user interactions in the presence of a spammer threat model. Our results indicate that we are able to achieve low false positive and false negative rates for realistic threat scenarios without disclosing a user’s social network connections.