Your search keyword '"Browsers"' showing total 502 results

1. Collaborative Sense-Making in Genomic Research: The Role of Visualisation.

Author

Rittenbruch, Markus, Vella, Kellie, Brereton, Margot, Hogan, James M., Johnson, Daniel, Heinrich, Julian, and OrDonoghue, Sean

Subjects

VISUALIZATION, VISUAL analytics, MOLECULAR biologists, HUMAN-computer interaction

Abstract

Genomic research emerges from collaborative work within and across different scientific disciplines. A diverse range of visualisation techniques has been employed to aid this research, yet relatively little is known as to how these techniques facilitate collaboration. We conducted a case study of collaborative research within a biomedical institute to learn more about the role visualisation plays in genomic mapping. Interviews were conducted with molecular biologists (N = 5) and bioinformaticians (N = 6). We found that genomic research comprises a variety of distinct disciplines engaged in complex analytic tasks that each resist simplification, and their complexity influences how visualisations were used. Visualisation use was impacted by group-specific interactions and temporal work patterns. Visualisations were also crucial to the scientific workflow, used for both question formation and confirmation of hypotheses, and acted as an anchor for the communication of ideas and discussion. In the latter case, two approaches were taken: providing collaborators with either interactive or static imagery representing a viewpoint. The use of generic software for simplified visualisations, and quick production and curation was also noted. We discuss these findings with reference to group-specific interactions and present recommendations for improving collaborative practices through visual analytics. [ABSTRACT FROM AUTHOR]

Published

2022

2. The Impacts of Referent Display on Gesture and Speech Elicitation.

Author

Williams, Adam S. and Ortega, Francisco R.

Subjects

SPEECH & gesture, PARTICIPATORY design, GESTURE, AUTOMATIC speech recognition, SOCIAL interaction, AUGMENTED reality

Abstract

Elicitation studies have become a popular method of participatory design. While traditionally used to examine unimodal gesture interactions, elicitation has started being used with other novel interaction modalities. Unfortunately, there has been no work that examines the impact of referent display on elicited interaction proposals. To address that concern this work provides a detailed comparison between two elicitation studies that were similar in design apart from the way that participants were prompted for interaction proposals (i.e., the referents). Based on this comparison the impact of referent display on speech and gesture interaction proposals are each discussed. The interaction proposals between these elicitation studies were not identical. Gesture proposals were the least impacted by referent display, showing high proposal similarity between the two works. Speech proposals were highly biased by text referents with proposals directly mirroring text-based referents an average of 69.36% of the time. In short, the way that referents are presented during elicitation studies can impact the resulting interaction proposals; however, the level of impact found is dependent on the modality of input elicited. [ABSTRACT FROM AUTHOR]

Published

2022

3. Characterizing Embedded Web Browsing in Mobile Apps.

Author

Tian, Deyu, Ma, Yun, Balasubramanian, Aruna, Liu, Yunxin, Huang, Gang, and Liu, Xuanzhe

Subjects

WEB browsing, MOBILE apps, MOBILE operating systems, WEBSITES, WEB-based user interfaces, WEB browsers

Abstract

Modern mobile operating systems support displaying Web pages in native mobile applications. When an app user navigates to a specific location containing a Web page, the Web page will be loaded and rendered from within the app. Such kind of Web browsing, as we call embedded Web browsing, is different from traditional Web browsing, which involves typing a URL on a browser and loading the Web page. However, little has been known about the prevalence or performance of such embedded Web pages. In this paper, we conduct, to the best of our knowledge, the first measurement study on embedded Web browsing on Android. Our study on 22,521 popular Android apps shows that 57.9 and 73.8 percent of apps embed Web pages on two popular app markets, that is, Google Play and Wandoujia, respectively. We design and implement EWProfiler, a tool that can automatically search for embedded Web pages inside apps, trigger page loads, and retrieve performance metrics to analyze the embedded Web browsing performance at scale. Based on 445 embedded Web pages obtained by EWProfiler in 99 popular apps from the two app markets, we investigate the characteristics and performance of embedded Web pages, and find that embedded Web pages significantly impede the app user experience. We investigate the effectiveness of three techniques, i.e., separating the browser kernel to a different process, loading pages from the local storage, and pre-rendering, to optimize the performance of embedded Web browsing. We believe that our findings could draw the attention of Web developers, browser vendors, app developers, and mobile OS vendors together toward a better performance of embedded Web browsing. [ABSTRACT FROM AUTHOR]

Published

2022

4. Scalable Scalable Vector Graphics: Automatic Translation of Interactive SVGs to a Multithread VDOM for Fast Rendering.

Author

Schwab, Michail, Saffo, David, Bond, Nicholas, Sinha, Shash, Dunne, Cody, Huang, Jeff, Tompkin, James, and Borkin, Michelle A.

Subjects

JAVASCRIPT programming language, CASCADING style sheets, SOURCE code

Abstract

The dominant markup language for Web visualizations—Scalable Vector Graphics (SVG)—is comparatively easy to learn, and is open, accessible, customizable via CSS, and searchable via the DOM, with easy interaction handling and debugging. Because these attributes allow visualization creators to focus on design on implementation details, tools built on top of SVG, such as D3.js, are essential to the visualization community. However, slow SVG rendering can limit designs by effectively capping the number of on-screen data points, and this can force visualization creators to switch to Canvas or WebGL. These are less flexible (e.g., no search or styling via CSS), and harder to learn. We introduce Scalable Scalable Vector Graphics (SSVG) to reduce these limitations and allow complex and smooth visualizations to be created with SVG. SSVG automatically translates interactive SVG visualizations into a dynamic virtual DOM (VDOM) to bypass the browser's slow ‘to specification’ rendering by intercepting JavaScript function calls. De-coupling the SVG visualization specification from SVG rendering, and obtaining a dynamic VDOM, creates flexibility and opportunity for visualization system research. SSVG uses this flexibility to free up the main thread for more interactivity and renders the visualization with Canvas or WebGL on a web worker. Together, these concepts create a drop-in JavaScript library which can improve rendering performance by 3–9× with only one line of code added. To demonstrate applicability, we describe the use of SSVG on multiple example visualizations including published visualization research. A free copy of this article, collected data, and source code are available as open science at osf.io/ge8wp. [ABSTRACT FROM AUTHOR]

Published

2022

5. Validation of HTTP Response Time From Network Traffic as an Alternative to Web Browser Instrumentation.

Author

Lopez, Carlos, Morato, Daniel, Magana, Eduardo, and Izal, Mikel

Abstract

The measurement of response time in hypertext transfer protocol (HTTP) requests is the most basic proxy measurement method for evaluating Web browsing quality. It is used in the research literature and in application performance measurement instruments. During the development of a website, response time is obtained from in-browser measurements. After the website has been deployed, network traffic is used to continuously monitor activity, and the measurement data are used for service management and planning. In this study, we evaluate the accuracy of the measurements obtained from network traffic by comparing them with the in-browser measurement of resource load time. We evaluate the response times for encrypted and clear-text requests in an emulated network environment, in a laboratory deployment equivalent to a data centre network, and accessing popular Web sites on the public Internet. The accuracy for response time measurements obtained from network traffic is noticeable higher for Internet long distance paths than for low-delay paths (below 20 ms round-trip). The overhead of traffic encryption in secure HTTP requests has a negative effect on measurement accuracy, and we find relative measurement errors higher than 70% when using network traffic to infer HTTP response times compared with in-browser measurements. [ABSTRACT FROM AUTHOR]

Published

2022

6. The Invisible Side of Certificate Transparency: Exploring the Reliability of Monitors in the Wild.

Author

Li, Bingyu, Lin, Jingqiang, Li, Fengjun, Wang, Qiongxiao, Wang, Wei, Li, Qi, Cheng, Guangshen, Jing, Jiwu, and Wang, Congli

Subjects

PUBLIC key cryptography

Abstract

To detect fraudulent TLS server certificates and improve the accountability of certification authorities (CAs), certificate transparency (CT) is proposed to record certificates in publicly-visible logs, from which the monitors fetch all certificates and watch for suspicious ones. However, if the monitors, either domain owners themselves or third-party services, fail to return a complete set of certificates issued for a domain of interest, potentially fraudulent certificates may not be detected and then the CT framework becomes less reliable. This paper presents the first systematic study on CT monitors. We analyze the data in 88 public logs and the services of 5 active third-party monitors regarding 3,000,431 certificates of 6,000 selected Alexa Top-1M websites. We find that although CT allows ordinary domain owners to act as monitors, it is impractical for them to perform reliable processing by themselves, due to the rapidly increasing volume of certificates in public logs (e.g., on average about 5 million records or 28.29 GB daily for the minimal set of logs that need to be monitored in 2018, or more than 7 million records per day in 2020, according to the Chrome CT policy). Moreover, our study discloses that (${a}$) none of the third-party monitors guarantees to return the complete set of certificates for a domain, and (${b}$) for some domains, even the union of the certificates returned by the five third-party monitors can probably be incomplete. As a result, the certificates accepted by CT-enabled browsers are not actually visible to the claimed domain owners, even when CT is adopted with well-functioning logs. The risk of invisible fraudulent certificates in public logs raises doubts on the reliability of CT in practice. [ABSTRACT FROM AUTHOR]

Published

2022

7. Fundamental Privacy Limits in Bipartite Networks Under Active Attacks.

Author

Shariatnasab, Mahshad, Shirani, Farhad, and Erkip, Elza

Subjects

BIPARTITE graphs, PRIVACY, MEDICAL databases, SOCIAL networks, STOCHASTIC models, ONLINE social networks

Abstract

This work considers active deanonymization of bipartite networks. The scenario arises naturally in evaluating privacy in various applications such as social networks, mobility networks, and medical databases. For instance, in active deanonymization of social networks, an anonymous victim is targeted by an attacker (e.g. the victim visits the attacker’s website), and the attacker queries her group memberships (e.g. by querying the browser history) to deanonymize her. In this work, the fundamental limits of privacy, in terms of the minimum number of queries necessary for deanonymization, is investigated. A stochastic model is considered, where 1) the bipartite network of group memberships is generated randomly; 2) the attacker has partial prior knowledge of the group memberships; and 3) it receives noisy responses to its real-time queries. The bipartite network is generated based on linear and sublinear preferential attachment, and the stochastic block model. The victim’s identity is chosen randomly based on a distribution modeling the users’ risk of being the victim (e.g. probability of visiting the website). An attack algorithm is proposed which builds upon techniques from communication with feedback, and its performance, in terms of expected number of queries, is analyzed. Simulation results are provided to verify the theoretical derivations. [ABSTRACT FROM AUTHOR]

Published

2022

8. ON-OFF Privacy in the Presence of Correlation.

Author

Ye, Fangwei, Naim, Carolina, and Rouayheb, Salim El

Subjects

*INTERFERENCE channels (Telecommunications), *PRIVACY, *WEB browsers, *MARKOV processes, *OPEN-ended questions

Abstract

We formulate and study the problem of ON-OFF privacy. ON-OFF privacy algorithms enable a user to continuously switch his privacy between ON and OFF. An obvious example is the incognito mode in internet browsers. But beyond internet browsing, ON-OFF privacy can be a desired feature in most online applications. The challenge is that the statistical correlation over time of a user’s online behavior can lead to leakage of information. We consider the setting in which a user is interested in retrieving the latest message generated by one of $N$ sources. The user’s privacy status can change between ON and OFF over time. When privacy is ON the user wants to hide his request. Moreover, since the user’s requests depend on personal attributes such as age, gender, and political views, they are typically correlated over time. As a consequence, the user cannot simply ignore privacy when privacy is OFF. We model the correlation between user’s requests by an $N$ state Markov chain. The goal is to design query schemes with optimal download rate, that preserve privacy in an ON-OFF privacy setting. In this paper, we present inner and outer bounds on the achievable download rate for $N$ sources. We also devise an efficient algorithm to construct an ON-OFF privacy scheme achieving the inner bound and prove its optimality in the case $N=2$ sources. For $N > 2$ , finding tighter outer bounds and efficient constructions of ON-OFF privacy schemes that would achieve them remains an open question. [ABSTRACT FROM AUTHOR]

Published

2021

9. Certificate Transparency in Google Chrome: Past, Present, and Future.

Author

Stark, Emily, DeBlasio, Joe, O'Brien, Devon, Balzarotti, Davide, Enck, William, King, Samuel, and Stavrou, Angelos

Abstract

Certificate Transparency is a maturing system to provide visibility into the certificates that are issued as part of the web's public key infrastructure. In this article, we survey the history of Certificate Transparency deployment so far and discuss ongoing engineering and research challenges. [ABSTRACT FROM AUTHOR]

Published

2021

10. Modeling Large-Scale Manipulation in Open Stock Markets.

Author

Yagemann, Carter, Chung, Pak Ho, Uzun, Erkam, Ragam, Sai, Saltaformaggio, Brendan, and Lee, Wenke

Abstract

This article studies the feasibility of using a botnet to automate stock market manipulation, incorporating data from U.S. Securities and Exchange Commission case files, security surveys of online retail brokerage accounts, and dark web marketplace listings. [ABSTRACT FROM AUTHOR]

Published

2021

11. Internet-Scale Video Streaming over NDN.

Author

Ghasemi, Chavoosh, Yousefi, Hamed, and Zhang, Beichuan

Subjects

*STREAMING video & television, *COMPUTER software installation, *INTERNET users, *DESIGN software, *INTERNET

Abstract

Research in Information-Centric Networking (ICN) and Named Data Networking (NDN) has produced many protocol designs and software prototypes, but they need to be validated and evaluated by real usage on the Internet, which is also critical to the realization of the ICN/NDN vision in the long run. This article presents the first Internet-scale adaptive video streaming service over NDN, which allows regular users to watch videos using NDN technology with no software installation or manual configuration. Since mid-2019, the official NDN website [1] has started using our service to deliver its videos to Internet users over the global NDN testbed, showcasing the feasibility of NDN. We conduct real-world experiments on the NDN testbed to validate the proper implementation of the client, network, and server sides of the proposed system and also evaluate the performance of our video streaming service. [ABSTRACT FROM AUTHOR]

Published

2021

12. VRIA: A Web-Based Framework for Creating Immersive Analytics Experiences.

Author

Butcher, Peter W. S., John, Nigel W., and Ritsos, Panagiotis D.

Subjects

WEB analytics, WEB-based user interfaces, VIRTUAL reality, MATHEMATICAL optimization, SCALABILITY, WORKFLOW

Abstract

We present VRIA, a Web-based framework for creating Immersive Analytics (IA) experiences in Virtual Reality. VRIA is built upon WebVR, A-Frame, React and D3.js, and offers a visualization creation workflow which enables users, of different levels of expertise, to rapidly develop Immersive Analytics experiences for the Web. The use of these open-standards Web-based technologies allows us to implement VR experiences in a browser and offers strong synergies with popular visualization libraries, through the HTML Document Object Model (DOM). This makes VRIA ubiquitous and platform-independent. Moreover, by using WebVR's progressive enhancement, the experiences VRIA creates are accessible on a plethora of devices. We elaborate on our motivation for focusing on open-standards Web technologies, present the VRIA creation workflow and detail the underlying mechanics of our framework. We also report on techniques and optimizations necessary for implementing Immersive Analytics experiences on the Web, discuss scalability implications of our framework, and present a series of use case applications to demonstrate the various features of VRIA. Finally, we discuss current limitations of our framework, the lessons learned from its development, and outline further extensions. [ABSTRACT FROM AUTHOR]

Published

2021

13. X-Check: Improving Effectiveness and Efficiency of Cross-Browser Issues Detection for JavaScript-Based Web Applications.

Author

Wu, Guoquan, He, Meimei, Chen, Wei, Wei, Jun, and Zhong, Hua

Abstract

Web 2.0 application based on JavaScript is a wide-spread application domain today as it delivers rich, interactive user experiences. However, with the increasing number of browsers and platforms on which the applications can be executed, cross-browser incompatibilities (XBIs) are becoming a serious problem for organizations to develop modern JavaScript-based Web applications. Although lots of XBIs detection techniques have been proposed, there are still some limitations: 1) existing techniques are prone to generating certain false positives/negatives that result from the fact that they ignore non-deterministic events (e.g., timer, asynchronous request/response) inside the browser; 2) detection process is inefficient, as the same elements located in different pages will be repeatedly checked even if they stay unchanged after an event is triggered. Leveraging existing record/replay technique, we proposed X-Check, a novel cross-browser testing technique, which supports automated XBIs detection effectively. To improve the efficiency of XBIs detection, this paper further designed an incremental detection algorithm by only checking DOM-mutated and layout-changed nodes. Our empirical evaluation shows that X-Check is effective and efficient. For the selected 21 real-world Web applications, it identifies XBIs with a fairly high precision (83 percent) and recall (93 percent), and improves the performance of XBIs detection about 5.79 times compared to its non-optimized version. [ABSTRACT FROM AUTHOR]

Published

2021

14. Browser-Level Parallelism and Interactive Rendering APIs for Scalable Computation-Intensive SaaS: Application to Brain Diffusion MRI.

Author

Benmerar, Tarik Zakaria, Megherbi, Thinhinane, Kachouane, Mouloud, Deriche, Rachid, and Oulebsir-Boumghar, Fatima

Abstract

Due to their heavy reliance on server infrastructure, the current computation-intensive SaaS suffer from scalability issues compared to the existing data-intensive commercial SaaS. Offloading certain computations to the client browser can resolve these scalability issues but the current Browser APIs are complex to use and integrate in a single software. We propose in this paper four high level APIs that harness existing browser-based paradigms and proven software architectures to reduce the complexity of parallel computing and device-agnostic interactive rendering in the web browser. To allow experimental results, we have developed a proof-of-concept browser-based and interactive diffusion MRI where we have particularly deployed a parallel Diffusion Tensor Estimation. Our platform provides us easy APIs achieving up to 4 times speedup in parallel computation and real-time interactive rendering performances across different Browsers and Devices in comparison to other existing solutions in the Diffusion MRI Community. [ABSTRACT FROM AUTHOR]

Published

2021

15. Locally-Centralized Certificate Validation and its Application in Desktop Virtualization Systems.

Author

Li, Bingyu, Lin, Jingqiang, Wang, Qiongxiao, Wang, Ze, and Jing, Jiwu

Abstract

To validate a certificate, a user needs to install the certificate of the root certification authority (CA) and download the certificate revocation information (CRI). Although operating systems and browsers manage the certificate trust list (CTL) of publicly-trusted root CAs for global users, locally-trusted root CAs still play an important role and it is difficult for a user to manage its CTL properly by itself. Meanwhile, the CRI access is inefficient, sometimes even unavailable, and causes privacy leakage. We revisit these problems by analyzing the TLS sessions within an organization. To the best of our knowledge, we are the first to analyze CTL management and CRI access on the scale of medium-sized organizations. Based on the analysis, a locally-centralized design is proposed to manage the CTLs of all users by IT administrators and access the CRI services for all users, within an organization. We apply this design to desktop virtualization systems to demonstrate its applicability, and build vCertGuard with oVirt and KVM-QEMU. In vCertGuard, the CTLs of all virtual machines (VMs) are managed in the VM monitors (VMMs). In the CTL, the self-signed certificates of publicly-trusted root CAs are properly configured, while each locally-trusted certificate chain is specified one by one. vCertGuard accesses the CRI services for all VMs, and the downloaded CRI is cached and shared among VMs. Because most TLS servers are visited by multiple users of an organization, it reduces the cost of CRI access. Experimental results of the prototype system show that vCertGuard maintains the CTLs with a negligible overhead, and significantly improves the performance of CRI access. [ABSTRACT FROM AUTHOR]

Published

2021

16. JSDoop and TensorFlow.js: Volunteer Distributed Web Browser-Based Neural Network Training

Author

Jose A. Morell, Andres Camero, and Enrique Alba

Subjects

Artificial intelligence, browsers, collaborative work, distributed algorithms, distributed computing, internet, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

In 2019, around 57% of the population of the world has broadband access to the Internet. Moreover, there are 5.9 billion mobile broadband subscriptions, i.e., 1.3 subscriptions per user. So there is an enormous interconnected computational power held by users all around the world. Also, it is estimated that Internet users spend more than six and a half hours online every day. But in spite of being a great amount of time, those resources are idle most of the day. Therefore, taking advantage of them presents an interesting opportunity. In this study, we introduce JSDoop, a prototype implementation to profit from this opportunity. In particular, we propose a volunteer web browser-based high-performance computing library. JSdoop divides a problem into tasks and uses different queues to distribute the computation. Then, volunteers access the web page of the problem and start processing the tasks in their web browsers. We conducted a proof-of-concept using our proposal and TensorFlow.js to train a recurrent neural network that predicts text. We tested it in a computer cluster and with up to 32 volunteers. The experimental results show that training a neural network in distributed web browsers is feasible and accurate, has a high scalability, and it is an interesting area for research.

Published

2019

17. Predictive Prefetching Based on User Interaction for Web Applications.

Author

Joo, Minwoo, An, Yeonoh, Roh, Heejun, and Lee, Wonjun

Abstract

Web prefetching is a key technology to hide network latencies from users. Conventional prefetching methods, however, misconstrue the purpose of user’s browsing behaviors and resulting experience due to their dependence on statistical characteristics or metadata of individual Web applications. In this letter, we propose a predictive prefetching scheme, WebPrefetcher, which utilizes interaction events to decipher user’s genuine intention and context. Our intensive performance analysis results obtained with a real Web browser demonstrate that WebPrefetcher improves user-perceived quality of experience noticeably, outperforming competitive models. [ABSTRACT FROM AUTHOR]

Published

2021

18. Comments on “Insider Attack Protection: Lightweight Password-Based Authentication Techniques Using ECC”.

Author

Shamshad, Salman, Mahmood, Khalid, Kumari, Saru, and Khan, Muhammad Khurram

Abstract

The radical progress in web services has drained more attraction towards escalating the security of several applications that serve and interact with the Internet users. In order to get authenticated from servers, the users must disclose their secret information to the server such as password and username so that they can access distinct applications on the Web. Due to distinct security attacks, such secret credentials should be discouraged from being revealed. Moreover, it is vibrant to secure the systems from known attacks. In contrast to all known security attacks, the insider attack is considered devastating because the privileged insiders of a system can violate the secret credentials, which may lead towards irrecoverable damage to both the system and the user. Therefore, to ensure the security of the system from insider attacks, different protocols have been proposed. Very recently, Rajamanickam et al. “Insider attack protection: Lightweight password-based authentication techniques using ECC,” presented novel authentication scheme for insider attack protection. They claimed that their protocol not only prevents insider attack but it is also immune to several known security attacks. This comment discloses the non-trivial weaknesses in the authentication phase between client and server. We have identified that the adversary can successfully impersonate the entities communicating with each other through this protocol. Moreover, their protocol fails to offer forward and backward secrecy. Consequently, we suggest possible solution for attack resilience. [ABSTRACT FROM AUTHOR]

Published

2021

19. Combinatorial Testing of Browsers’ Support for Multimedia.

Author

Deng, Xi, Zhang, Zhiqiang, Li, Rundong, Yan, Jun, and Zhang, Jian

Subjects

*WEB-based user interfaces, *WEBSITES, *HYPERTEXT systems, *STREAMING media

Abstract

The fifth version of the Hypertext Markup Language (HTML) standard is widely adopted in the diverse landscape of browser vendors and their continuously upgrading releases. One primary feature of HTML5 is native multimedia playback. The browsers’ native implementations of multimedia support bring lots of benefits such as improved security but require thorough testing, especially on the web page of complex factor combinations according to our manual checking of publicly visible existing tests. This article employs the combinatorial testing technique to trigger failure-inducing factor combinations effectively and to locate them, guided by some extracted properties that cover browsers’ major workflow of processing multimedia. Results are analyzed to give objective suggestions for browser developers to cast light on the places that implementation enhancement could be made, and for web developers to avoid undesirable effects. [ABSTRACT FROM AUTHOR]

Published

2020

20. An Interactive Mobile Hub for Teaching Electromagnetics Courses [Education Corner].

Author

Ghali, Hani A., Ammar, Nancy Y., and Adly, Ihab

Subjects

NETWORK hubs, ELECTROMAGNETISM, WIRELESS Internet, ONLINE education

Abstract

This article presents the design, development, and deployment of an interactive online teaching and learning platform to improve the students' understanding, through different visualization tools, of core concepts delivered in electromagnetics (EM) courses. The main advantage of such tools is that they require no download time, memory space, or heavy equipment. The platform (or hub) benefits from advances in mobile technology and Internet connectivity to overcome the limitations of past pedagogical approaches. Students can use these tools anytime, from anywhere, and on any portable device. [ABSTRACT FROM AUTHOR]

Published

2020

21. (In-)Security of Cookies in HTTPS: Cookie Theft by Removing Cookie Flags.

Author

Kwon, Hyunsoo, Nam, Hyunjae, Lee, Sangtae, Hahn, Changhee, and Hur, Junbeom

Abstract

HyperText Transfer Protocol (HTTP) cookies are widely used on the web to enhance communication efficiency between a client and a server by storing stateful information. However, cookies may contain private and sensitive information about users. Thus, in order to guarantee the security of cookies, most web browsers and servers support not only Transport Layer Security (TLS) but also other mechanisms such as HTTP Strict Transport Security and cookie flags. However, a recent study has shown that it is possible to circumvent cookie flags in HTTPS by exploiting a vulnerability in HTTP software that allows message truncation. In this paper, we propose a novel cookie hijacking attack called $rotten~cookie$ which deactivates cookie flags even if they are protected by TLS by exploiting a weakness in HTTP in terms of integrity checks. According to our investigation, all major browsers ignore uninterpretable sections of the header of HTTP response messages and accept incorrect formats without any rejection. We demonstrate that, when combined with TLS or application vulnerabilities, this form of attack can obtain private cookies by removing cookie flags. Thus, the attacker can impersonate a legitimate user in the eyes of the server when cookies are used as an authentication token. We prove the practicality of our attack by demonstrating that our attack can lead five major web browsers to accept a cookie without any cookie flags. We thus present a mitigation strategy for the transport layer to preserve cookie security against our attack. [ABSTRACT FROM AUTHOR]

Published

2020

22. Understanding the Manipulation on Recommender Systems through Web Injection.

Author

Zhang, Yubao, Xiao, Jidong, Hao, Shuai, Wang, Haining, Zhu, Sencun, and Jajodia, Sushil

Abstract

Recommender systems have been increasingly used in a variety of web services, providing a list of recommended items in which a user may have an interest. While important, recommender systems are vulnerable to various malicious attacks. In this paper, we study a new security vulnerability in recommender systems caused by web injection, through which malicious actors stealthily tamper any unprotected in-transit HTTP webpage content and force victims to visit specific items in some web services (even running HTTPS), e.g., YouTube. By doing so, malicious actors can promote their targeted items in those web services. To obtain a deeper understanding on the recommender systems of our interest (including YouTube, Yelp, Taobao, and 360 App market), we first conduct a measurement-based analysis on several real-world recommender systems by leveraging machine learning algorithms. Then, web injection is implemented in three different types of devices (i.e., computer, router, and proxy server) to investigate the scenarios where web injection could occur. Based on the implementation of web injection, we demonstrate that it is feasible and sometimes effective to manipulate the real-world recommender systems through web injection. We also present several countermeasures against such manipulations. [ABSTRACT FROM AUTHOR]

Published

2020

23. Analyzing Wikipedia Users’ Perceived Quality of Experience: A Large-Scale Study.

Author

Salutari, Flavia, Hora, Diego Da, Dubuc, Gilles, and Rossi, Dario

Abstract

The Web is one of the most successful Internet applications. Yet, the quality of Web users’ experience is still largely impenetrable. Whereas Web performance is typically studied with controlled experiments, in this work we perform a large-scale study of a real site, Wikipedia, explicitly asking (a small fraction of its) users for feedback on the browsing experience. The analysis of the collected feedback reveals that 85% of users are satisfied, along with both expected (e.g., the impact of browser and network connectivity) and surprising findings (e.g., absence of day/night, weekday/weekend seasonality) that we detail in this paper. Also, we leverage user responses to build supervised data-driven models to predict user satisfaction which, despite including state-of-the art quality of experience metrics, are still far from achieving accurate results (0.62 recall of negative answers). Finally, we make our dataset publicly available, hopefully contributing in enriching and refining the scientific community knowledge on Web users’ QoE. [ABSTRACT FROM AUTHOR]

Published

2020

24. Machine Learning for Web Vulnerability Detection: The Case of Cross-Site Request Forgery.

Author

Calzavara, Stefano, Conti, Mauro, Focardi, Riccardo, Rabitti, Alvise, and Tolomei, Gabriele

Abstract

We propose a methodology to leverage machine learning (ML) for the detection of web application vulnerabilities. We use it in the design of Mitch, the first ML solution for the black-box detection of cross-site request forgery vulnerabilities. Finally, we show the effectiveness of Mitch on real software. [ABSTRACT FROM AUTHOR]

Published

2020

25. Scientific Visualization as a Microservice.

Author

Raji, Mohammad, Hota, Alok, Hobson, Tanner, and Huang, Jian

Subjects

SCIENTIFIC visualization, WEBSITES, AUGMENTED reality, COMPUTER architecture, TAPESTRY

Abstract

In this paper, we propose using a decoupled architecture to create a microservice that can deliver scientific visualization remotely with efficiency, scalability, and superior availability, affordability and accessibility. Through our effort, we have created an open source platform, Tapestry, which can be deployed on Amazon AWS as a production use microservice. The applications we use to demonstrate the efficacy of the Tapestry microservice in this work are: (1) embedding interactive visualizations into lightweight web pages, (2) creating scientific visualization movies that are fully controllable by the viewers, (3) serving as a rendering engine for high-end displays such as power-walls, and (4) embedding data-intensive visualizations into augmented reality devices efficiently. In addition, we show results of an extensive performance study, and suggest how applications can make optimal use of microservices such as Tapestry. [ABSTRACT FROM AUTHOR]

Published

2020

26. Edge-Assisted Distributed DNN Collaborative Computing Approach for Mobile Web Augmented Reality in 5G Networks.

Author

Ren, Pei, Qiao, Xiuquan, Huang, Yakun, Liu, Ling, Dustdar, Schahram, and Chen, Junliang

Subjects

*5G networks, *MOBILE computing, *REACTION time, *OBJECT recognition (Computer vision), *OPTICAL head-mounted displays, *AUGMENTED reality, *WEB browsers, *CLOUD computing

Abstract

Web-based DNNs provide accurate object recognition to the mobile Web AR, which is newly emerging as a lightweight mobile AR solution. Webbased DNNs are attracting a great deal of attention. However, balancing the UX against the computing cost for DNN-based object recognition on the Web is difficult for both self-contained and cloud-based offloading approaches, as it is a latency-sensitive service but also has high requirements in terms of computing and networking abilities. Fortunately, the emerging 5G networks promise not only bandwidth and latency improvement but also the pervasive deployment of edge servers which are closer to the users. In this article, we propose the first edge-based collaborative object recognition solution for mobile Web AR in the 5G era. First, we explore the finegrained and adaptive DNN partitioning for the collaboration between the cloud, the edge, and the mobile Web browser. Second, we propose a differentiated DNN computation scheduling approach specially designed for the edge platform. On one hand, performing part of DNN computations on mobile Web without decreasing the UX (i.e., keep response latency below a specific threshold) will effectively reduce the computing cost of the cloud system; on the other hand, performing the remaining DNN computations on the cloud (including remote and edge cloud) will also improve the inference latency and thus UX when compared to the self-contained solution. Obviously, our collaborative solution will balance the interests of both users and service providers. Experiments have been conducted in an actually deployed 5G trial network, and the results show the superiority of our proposed collaborative solution. [ABSTRACT FROM AUTHOR]

Published

2020

27. Web View: A Measurement Platform for Depicting Web Browsing Performance and Delivery.

Author

Saverimoutou, Antoine, Mathieu, Bertrand, and Vaton, Sandrine

Subjects

*WEB browsing, *INTERNET servers, *CONTENT delivery networks, *WEBSITES, *GOING public (Securities), *PROGRAMMING languages, *WEB browsers

Abstract

Web browsing is the main Internet service, and every customer wants the minimum web page loading times. To satisfy this perpetual need, web browsers offer new processing engines and increased functionalities. Web developers make use of new programming languages and paradigms, new transport protocols have been introduced, network operators offer increased bandwidth, and CDN providers deploy web servers closest to end users. To assess the efficiency of these evolutions, delivered performance is often evaluated in a standalone manner, without considering the whole chain of web browsing. We propose Web View, a measurement platform that performs automated web browsing sessions on popular websites in a user-representative environment. Through different configurable parameters, Web View measures a wide set of information in order to evaluate the impact of the different parameters (transport protocols, web browsers, CDN, access networks, etc.). Based on those measurements, to ease the understanding of web browsing and the corresponding evolutions, Web View offers a public visualization website (https://webview. orange.com). For instance, with Web View, we were able to detect that the use of different CDNs at different times of the day can decrease loading times up to 400 percent and that the delivery of content through different transport protocols can decrease loading times up to 79 percent. This article presents the Web View measurement platform as well as remarkable events we noticed during more than one year of measurements. [ABSTRACT FROM AUTHOR]

Published

2020

28. You Could Be Mine(d): The Rise of Cryptojacking.

Author

Carlin, Domhnall, Burgess, Jonah, O'Kane, Philip, and Sezer, Sakir

Abstract

Traditional malicious attacks have evolved beyond file-based methods, with malicious files now existing as processes and services to evade detection. This article examines the rise of cryptojacking-the use of another's machine for profit through cryptocurrency mining-and how we're all at risk. [ABSTRACT FROM AUTHOR]

Published

2020

29. Exposing Cookie Policy Flaws Through an Extensive Evaluation of Browsers and Their Extensions.

Author

Franken, Gertjan, Van Goethem, Tom, and Joosen, Wouter

Abstract

Online abuses give browser users an incentive to employ third-party cookie policies. These policies, built directly into the browser or provided through extensions, are intended to enhance the user's security and privacy. Unfortunately, virtually every policy can be bypassed. [ABSTRACT FROM AUTHOR]

Published

2019

30. A Longitudinal View of Dual-Stacked Websites—Failures, Latency and Happy Eyeballs.

Author

Bajpai, Vaibhav and Schonwalder, Jurgen

Subjects

WEBSITES, CASCADING style sheets, EYE, INTERNET content, INTERNET protocols

Abstract

IPv6 measurement studies have focussed on measuring IPv6 adoption, while studies on measuring IPv6 performance have either become dated or only provide a snapshot view. We provide a longitudinal view of the performance of dual-stacked websites. We show that (since 2013) latency towards ALEXA 10K websites with AAAA entries over the six years have reduced by 29% over IPv4 and by 57% over IPv6. As of Dec 2018, 56% of these websites are faster over IPv6 with 95% of the rest being at most 1 ms slower. We also identify glitches in web content delivery that once fixed can help improve the user experience over IPv6. Using a publicly available dataset, we show that 40% of ALEXA 1M websites with AAAA entries were not accessible over IPv6 in 2009. These complete failures have reduced to 1.9% as of Jan 2019. However, our data collection on partial failures helps identify further that 27% of these popular websites with AAAA entries still suffer from partial failure over IPv6. These partial failures are affected by DNS resolution errors on images, javascript and CSS content. For 12% of these websites, more than half of the content belonging to same-origin sources fails over IPv6, while analytics and third-party advertisements contribute to failures from cross-origin sources. Our results also contribute to the IETF standardisation process. We witness that using an happy eyeballs timer value of 250 ms, clients prefer IPv6 connections to 99% of ALEXA 10 K websites (with AAAA entries) more than 96% of the time. Although, this makes clients prefer slower IPv6 connections in 81% of the cases. Our results show that a Happy Eyeballs (MBA) timer value of 150 ms does not severly affect IPv6 preference towards websites. The entire dataset presenting results on partial failures, latency and HE used in this paper is publicly released. [ABSTRACT FROM AUTHOR]

Published

2019

31. Sensor-Based Mobile Web Cross-Site Input Inference Attacks and Defenses.

Author

Zhao, Rui, Yue, Chuan, and Han, Qi

Abstract

In this paper, we investigate the accelerometer and gyroscope motion sensor-based cross-site input inference attacks that may compromise the security of many mobile Web users, and quantify the extent to which they can be effective. We formulate our attacks as a typical multi-class classification problem and build an inference framework that trains a classifier in the training phase and predicts the user’s new inputs in the attacking phase. To make our attacks effective and realistic, we design unique techniques and address major data quality and data segmentation challenges. We intensively evaluate the effectiveness of our attacks using 98 691 keystrokes collected from 20 participants. Overall, our attacks are effective, for example, they are about 10.8 times more effective than the random guessing attacks regarding inferring letters. We also perform experiments to evaluate the effect of using the data perturbation defense techniques on decreasing the accuracy of our input inference attacks. Our results demonstrate that researchers, smartphone vendors, and app developers should pay serious attention to the motion sensor-based cross-site input inference attacks that can be pervasively performed, and start to design and deploy effective defense techniques. [ABSTRACT FROM AUTHOR]

Published

2019

32. On Influential Trends in Interactive Video Retrieval: Video Browser Showdown 2015–2017.

Author

Lokoc, Jakub, Bailer, Werner, Schoeffmann, Klaus, Muenzer, Bernd, and Awad, George

Abstract

The last decade has seen innovations that make video recording, manipulation, storage, and sharing easier than ever before, thus impacting many areas of life. New video retrieval scenarios emerged as well, which challenge the state-of-the-art video retrieval approaches. Despite recent advances in content analysis, video retrieval can still benefit from involving the human user in the loop. We present our experience with a class of interactive video retrieval scenarios and our methodology to stimulate the evolution of new interactive video retrieval approaches. More specifically, the video browser showdown evaluation campaign is thoroughly analyzed, focusing on the years 2015–2017. Evaluation scenarios, objectives, and metrics are presented, complemented by the results of the annual evaluations. The results reveal promising interactive video retrieval techniques adopted by the most successful tools and confirm assumptions about the different complexity of various types of interactive retrieval scenarios. A comparison of the interactive retrieval tools with automatic approaches (including fully automatic and manual query formulation) participating in the TRECVID 2016 ad hoc video search task is discussed. Finally, based on the results of data analysis, a substantial revision of the evaluation methodology for the following years of the video browser showdown is provided. [ABSTRACT FROM AUTHOR]

Published

2018

33. A Component Architecture for the Internet of Things.

Author

Brooks, Christopher, Jerady, Chadlia, Kim, Hokeun, Lee, Edward A., Lohstroh, Marten, Nouvelletz, Victor, Osyk, Beth, and Weber, Matt

Subjects

INTERNET of things, CYBER physical systems, CLOUD computing, COMPUTER architecture, SEMANTICS

Abstract

In this paper, we describe a component-based software architecture for the Internet of Things in which proxies for Things and services that we call “accessors” interact with one another under a concurrent, time-stamped, discrete-event (DE) semantics. These proxies are analogous to web pages, which proxy a cloud-based service such as a bank, but instead of being designed to interface those services with humans, accessors are designed to interface services and Things with other services and Things. A deterministic DE semantics is combined with a widely used pattern for handling network interactions that we call asynchronous atomic callbacks (AACs). AAC enables many concurrent pending requests to be active at once without blocking and without the treacherous concurrency pitfalls of threads. In effect, our architecture combines AAC with actors where the actor model has been endowed with a temporal semantics. We show how this architecture can leverage the previously reported secure swarm toolkit (SST) to achieve stateof- the-art authentication, authorization, and encryption of interactions across networks. [ABSTRACT FROM AUTHOR]

Published

2018

34. Botnet in the Browser: Understanding Threats Caused by Malicious Browser Extensions.

Author

Perrotta, Raffaello and Hao, Feng

Abstract

Browser extension systems risk exposing APIs, which are too permissive and cohesive with the browser’s internal structure, leaving a hole for malicious developers to exploit security critical functionality. We present a botnet framework based on malicious browser extensions and provide an exhaustive range of attacks that can be launched in this framework. [ABSTRACT FROM AUTHOR]

Published

2018

35. Toward Rendering-Latency Reduction for Composable Web Services via Priority-Based Object Caching.

Author

Hu, Han, Li, Yuanlong, and Wen, Yonggang

Abstract

Web services serve as the cornerstone of the Internet for rendering webpages. The initial rendering latency of webpages, which depends on a subset of critical objects required by the webpage, is a key metric for web services. In this work, we propose to identify this set of critical objects systematically with the goal of caching them at a higher priority to reduce the initial rendering time. We first conduct a measurement study on a mainstream content delivery network provider, the results of which suggest that not all currently cached objects are critical and that only a small portion of the critical objects are cached. Thus, we model the critical-object aware caching scheme as a constrained optimization problem. Using the stochastic optimization framework, we decompose the problem into a set of one-shot optimization problems, which are proved to be NP-hard. We then develop two greedy algorithms with different computational complexity but the same performance bound. Finally, we integrate the resulting approximation algorithms into an online algorithm. Through trace-based simulations, we verify that our proposed algorithm can reduce service latency and network traffic by ensuring a higher cache hit ratio. [ABSTRACT FROM AUTHOR]

Published

2018

36. Tapir: Automation Support of Exploratory Testing Using Model Reconstruction of the System Under Test.

Author

Bures, Miroslav, Frajtak, Karel, and Ahmed, Bestoun S.

Subjects

*SOFTWARE reengineering, *AUTOMATION, *WEBSITES, *METADATA, *IMAGE reconstruction

Abstract

For a considerable number of software projects, the creation of effective test cases is hindered by design documentation that is either lacking, incomplete, or obsolete. The exploratory testing approach can serve as a sound method in such situations. However, the efficiency of this testing approach strongly depends on the method, the documentation of explored parts of a system, the organization and distribution of work among individual testers on a team, and the minimization of potential (very probable) duplicities in performed tests. In this paper, we present a framework for replacing and automating a portion of these tasks. A screen-flow-based model of the tested system is incrementally reconstructed during the exploratory testing process by tracking testers’ activities. With additional metadata, the model serves for an automated navigation process for a tester. Compared with the exploratory testing approach, which is manually performed in two case studies, the proposed framework allows the testers to explore a greater extent of the tested system and enables greater detection of the defects present in the system. The results show that the time efficiency of the testing process improved with the framework support. This efficiency can be increased by team-based navigational strategies that are implemented within the proposed framework, which is documented by another case study presented in this paper. [ABSTRACT FROM AUTHOR]

Published

2018

37. Access Types Effect on Internet Video Services and Its Implications on CDN Caching.

Author

Xie, Gaogang, Li, Zhenyu, Kaafar, Mohamed Ali, and Wu, Qinghua

Subjects

*CONTENT delivery networks, *DIGITAL video, *DIGITAL image processing, *VIDEO on demand, *CACHE memory

Abstract

Video providers heavily rely on geographically distributed content distribution networks (CDNs) to place video content as close to users as possible, with an aim of improving video quality and avoiding single point of failure at the server side. The effectiveness of CDNs is mostly dependent on the content consumption patterns. Currently, video providers are offering access to content from different platforms (e.g., mobile devices and PC clients), which might result in distinct video content consumption patterns and finally affect the efficiency of CDN caching. Nevertheless, the access type effect on Internet videos is not well understood. In this paper, using a data set consisting of 26 million video requests of a large-scale commercial video-on-demand system, we study the effect of three main access types, i.e., proprietary software on PC clients, Web browser, and mobile apps. Several observations suggest that access types should be considered carefully in CDN design. In particular, the user engagement, user interests in content, and video popularity dynamics patterns, three important factors for video caching, vary remarkably in the three access types. Leveraging off our findings, we propose an access type-aware CDN caching system that associates a cache for each access type and also several optimizations, including partial caching of videos based on chunk-level caching, cross-platform read-only cache access, and prefiltering of the least popular videos. Trace-driven simulations demonstrate that the access type-aware CDN caching achieves high cache hit rate and, more importantly, greatly reduces the disk load that is measured by the number of cache replacement operations. [ABSTRACT FROM PUBLISHER]

Published

2018

38. A New User Front End for EAST Remote Participation.

Author

Sun, Xiaoyang, Ji, Zhenshan, Wang, Feng, and Wang, Yang

Subjects

*TOKAMAKS, *REMOTE handling (Radioactive substances), *SUPERCONDUCTING device testing, *NUCLEAR reactors, *NUCLEAR fusion, *EQUIPMENT & supplies, DESIGN & construction

Abstract

The Web-based remote participation system for experimental advanced superconducting tokamak (EAST RPS) has been developed to provide a high-efficient and low-cost way to meet international collaboration requirements. The EAST RPS team focused on the extension, update, and optimization for the RPS during last two years. In the first version, EAST RPS has established Apache-Flex based front-end components to provide a platform-independent user interface. However, some Web browsers, such as Firefox, Google Chrome, and Microsoft Edge, and operation systems (iOS and android) stop supporting or disable the flash player plugin by default, and the Flex technology will become less relevant in the future. The purpose of this paper is to provide an update of the RPD in EAST. The front-end migration should be a priority to update the EAST RPS. The open source, cross-platform, maintainability, and life cycle are the key features that the front-end platform must have. The technical solutions for the new user front end for EAST RPS are offered in this paper. [ABSTRACT FROM AUTHOR]

Published

2018

39. Plausible Deniability in Web Search—From Detection to Assessment.

Author

Mac Aonghusa, Pol and Leith, Douglas J.

Abstract

Web personalization uses what systems know about us to create content targeted at our interests. When unwanted personalization suggests we are interested in sensitive or embarrassing topics, a natural reaction is to deny interest. This is a practical response only if denial of our interest is credible or plausible. Adopting a definition of plausible deniability in the usual sense of “on the balance of probabilities,” we develop a practical and scalable tool called PDE, allowing a user to decide when their ability to plausibly deny interest in sensitive topics is compromised. We show that threats to plausible deniability are readily detectable for all the topics tested in an extensive testing program. Of particular concern is observation of threats to deniability of interest in topics related to health and sexual preferences. We show that this remains the case when attempting to disrupt search engine learning through noise query injection and click obfuscation. We design a defense technique exploiting uninteresting, proxy topics and show that it provides a more effective defense of plausible deniability in our experiments. [ABSTRACT FROM PUBLISHER]

Published

2018

40. Fast Physics on the Web Using C++, JavaScript, and Emscripten.

Author

Zakai, Alon

Subjects

C++, JAVASCRIPT programming language, WEB browsers, COMPUTER simulation, SCRIPTING languages (Computer science), SOFTWARE engineering

Abstract

The web is now capable of running computationally intensive code at near-native speed, enabling new types of content such as physics simulations to be easily shared online. In this article, the author shows how to do just that by writing code in C++ and compiling it to the web with the open-source Emscripten tool, which generates asm.js, a fast subset of JavaScript that runs in all web browsers. [ABSTRACT FROM AUTHOR]

Published

2018

41. A Probabilistic Logic of Cyber Deception.

Author

Jajodia, Sushil, Park, Noseong, Pierazzi, Fabio, Pugliese, Andrea, Serra, Edoardo, Simari, Gerardo I., and Subrahmanian, V. S.

Abstract

Malicious attackers often scan nodes in a network in order to identify vulnerabilities that they may exploit as they traverse the network. In this paper, we propose that the system generates a mix of true and false answers in response to scan requests. If the attacker believes that all scan results are true, then he will be on a wrong path. If he believes some scan results are faked, he would have to expend time and effort in order to separate fact from fiction. We propose a probabilistic logic of deception and show that various computations are NP-hard. We model the attacker’s state and show the effects of faked scan results. We then show how the defender can generate fake scan results in different states that minimize the damage the attacker can produce. We develop a Naive-PLD algorithm and a Fast-PLD heuristic algorithm for the defender to use and show experimentally that the latter performs well in a fraction of the run time of the former. We ran detailed experiments to assess the performance of these algorithms and further show that by running Fast-PLD off-line and storing the results, we can very efficiently answer run-time scan requests. [ABSTRACT FROM PUBLISHER]

Published

2017

42. Off-the-Hook: An Efficient and Usable Client-Side Phishing Prevention Application.

Author

Marchal, Samuel, Armano, Giovanni, Grondahl, Tommi, Saari, Kalle, Singh, Nidhi, and Asokan, N.

Subjects

*PHISHING, *EMAIL spoofing, *CONTENT analysis, *PHISHING prevention, *INTERNET fraud prevention

Abstract

Phishing is a major problem on the Web. Despite the significant attention it has received over the years, there has been no definitive solution. While the state-of-the-art solutions have reasonably good performance, they suffer from several drawbacks including potential to compromise user privacy, difficulty of detecting phishing websites whose content change dynamically, and reliance on features that are too dependent on the training data. To address these limitations we present a new approach for detecting phishing webpages in real-time as they are visited by a browser. It relies on modeling inherent phisher limitations stemming from the constraints they face while building a webpage. Consequently, the implementation of our approach, Off-the-Hook, exhibits several notable properties including high accuracy, brand-independence and good language-independence, speed of decision, resilience to dynamic phish and resilience to evolution in phishing techniques. Off-the-Hook is implemented as a fully-client-side browser add-on, which preserves user privacy. In addition, Off-the-Hook identifies the target website that a phishing webpage is attempting to mimic and includes this target in its warning. We evaluated Off-the-Hook in two different user studies. Our results show that users prefer Off-the-Hook warnings to Firefox warnings. [ABSTRACT FROM AUTHOR]

Published

2017

43. SWAROVsky: Optimizing Resource Loading for Mobile Web Browsing.

Author

Liu, Xuanzhe, Ma, Yun, Wang, Xinyang, Liu, Yunxin, Xie, Tao, and Huang, Gang

Subjects

WEB browsing, WIRELESS communications, WIRELESS sensor nodes, WIRELESS sensor networks, DATA transmission systems, MOBILE computing

Abstract

Imperfect Web resource loading prevents mobile Web browsing from providing satisfactory user experience. In this article, we design and implement the SWAROVsky system to address three main issues of current inefficient Web resource loading: (1) on-demand and thus slow loading of sub-resources of webpages; (2) duplicated loading of resources with different URLs but the same content; and (3) redundant loading of the same resource due to improper cache configurations. SWAROVsky employs a dual-proxy architecture that comprises a remote cloud-side proxy and a local proxy on mobile devices. The remote proxy proactively loads webpages from their original Web servers and maintains a resource loading graph for every single webpage. Based on the graph, the remote proxy is capable of deciding which resources are “really” needed for the webpage and their loading orders, and thus can synchronize these needed resources with the local proxy of a client efficiently and timely. The local proxy also runs an intelligent and light-weight algorithm to identify resources with different URLs but the same content, and thus can avoid duplicated downloading of the same content via network. Our system can be used with existing Web browsers and Web servers, and does not break the normal semantics of a webpage. Evaluations with 50 websites show that on average our system can reduce the page load time by 43.1 percent and the network data transmission by 57.6 percent, while imposing marginal system overhead. [ABSTRACT FROM AUTHOR]

Published

2017

44. ReWAP: Reducing Redundant Transfers for Mobile Web Browsing via App-Specific Resource Packaging.

Author

Liu, Xuanzhe, Ma, Yun, Dong, Shuailiang, Liu, Yunxin, Xie, Tao, and Huang, Gang

Subjects

WEB browsing, INFORMATION retrieval, PACKAGING research, INFORMATION storage & retrieval systems

Abstract

Redundant transfer of resources is a critical issue for compromising the performance of mobile Web applications (a.k.a., apps) in terms of data traffic, load time, and even energy consumption. Evidence demonstrates that the current cache mechanisms are far from satisfactory. With lessons learned from how native apps manage their resources, in this article, we present the ReWAP approach to fundamentally reducing redundant transfers by restructuring the resource loading of mobile Web apps. ReWAP is based on an efficient resource-packaging mechanism where stable resources are encapsulated and maintained into a package, and such a package shall be loaded always from the local storage and updated by explicitly refreshing. By retrieving and analyzing the update of resources, ReWAP maintains resource packages that can accurately identify which resources can be loaded from the local storage for a considerably long period. ReWAP also provides a wrapper for mobile Web apps to enable loading and updating resource packages in the local storage as well as loading resources from resource packages. ReWAP can be easily and seamlessly deployed into existing mobile Web architectures with minimal modifications, and is transparent to end-users. We evaluate ReWAP based on continuous 15-day access traces of 50 mobile Web apps randomly chosen from Alexa top 500 ranking list. Compared to the original mobile Web apps with cache enabled, ReWAP can significantly reduce the data traffic, with the median saving up to 51 percent. In addition, ReWAP can incur only very minor runtime overhead of the client-side browsers and thus does not compromise user experiences. [ABSTRACT FROM AUTHOR]

Published

2017

45. An Asynchronous P300-Based Brain-Computer Interface Web Browser for Severely Disabled People.

Author

Martinez-Cagigal, Victor, Gomez-Pilar, Javier, Alvarez, Daniel, and Hornero, Roberto

Subjects

BRAIN-computer interfaces, ELECTROENCEPHALOGRAPHY, MEANS of communication for people with disabilities

Abstract

This paper presents an electroencephalographic (EEG) P300-based brain–computer interface (BCI) Internet browser. The system uses the “odd-ball” row-col paradigm for generating the P300 evoked potentials on the scalp of the user, which are immediately processed and translated into web browser commands. There were previous approaches for controlling a BCI web browser. However, to the best of our knowledge, none of them was focused on an assistive context, failing to test their applications with a suitable number of end users. In addition, all of them were synchronous applications, where it was necessary to introduce a “read-mode” command in order to avoid a continuous command selection. Thus, the aim of this study is twofold: 1) to test our web browser with a population of multiple sclerosis (MS) patients in order to assess the usefulness of our proposal to meet their daily communication needs; and 2) to overcome the aforementioned limitation by adding a threshold that discerns between control and non-control states, allowing the user to calmly read the web page without undesirable selections. The browser was tested with sixteen MS patients and five healthy volunteers. Both quantitative and qualitative metrics were obtained. MS participants reached an average accuracy of 84.14%, whereas 95.75% was achieved by control subjects. Results show that MS patients can successfully control the BCI web browser, improving their personal autonomy. [ABSTRACT FROM AUTHOR]

Published

2017

46. Detecting Mobile Malicious Webpages in Real Time.

Author

Amrutkar, Chaitrali, Kim, Young Seuk, and Traynor, Patrick

Subjects

SMARTPHONES, WEB browsing, MALWARE, HTML (Document markup language)

Abstract

Mobile specific webpages differ significantly from their desktop counterparts in content, layout, and functionality. Accordingly, existing techniques to detect malicious websites are unlikely to work for such webpages. In this paper, we design and implement kAYO, a mechanism that distinguishes between malicious and benign mobile webpages. kAYO makes this determination based on static features of a webpage ranging from the number of iframes to the presence of known fraudulent phone numbers. First, we experimentally demonstrate the need for mobile specific techniques and then identify a range of new static features that highly correlate with mobile malicious webpages. We then apply kAYO to a dataset of over 350,000 known benign and malicious mobile webpages and demonstrate 90 percent accuracy in classification. Moreover, we discover, characterize, and report a number of webpages missed by Google Safe Browsing and VirusTotal, but detected by kAYO. Finally, we build a browser extension using kAYO to protect users from malicious mobile websites in real-time. In doing so, we provide the first static analysis technique to detect malicious mobile webpages. [ABSTRACT FROM AUTHOR]

Published

2017

47. A Survey on Web Tracking: Mechanisms, Implications, and Defenses.

Author

Bujlow, Tomasz, Carela-Espanol, Valentin, Lee, Beom-Ryeol, and Barlet-Ros, Pere

Subjects

WEB services, INTERNET security, WEB browsers, HUMAN fingerprints, ONLINE data processing

Abstract

Privacy seems to be the Achilles’ heel of today’s web. Most web services make continuous efforts to track their users and to obtain as much personal information as they can from the things they search, the sites they visit, the people they contact, and the products they buy. This information is mostly used for commercial purposes, which go far beyond targeted advertising. Although many users are already aware of the privacy risks involved in the use of internet services, the particular methods and technologies used for tracking them are much less known. In this survey, we review the existing literature on the methods used by web services to track the users online as well as their purposes, implications, and possible user’s defenses. We present five main groups of methods used for user tracking, which are based on sessions, client storage, client cache, fingerprinting, and other approaches. A special focus is placed on mechanisms that use web caches, operational caches, and fingerprinting, as they are usually very rich in terms of using various creative methodologies. We also show how the users can be identified on the web and associated with their real names, e-mail addresses, phone numbers, or even street addresses. We show why tracking is being used and its possible implications for the users. For each of the tracking methods, we present possible defenses. Some of them are specific to a particular tracking approach, while others are more universal (block more than one threat). Finally, we present the future trends in user tracking and show that they can potentially pose significant threats to the users’ privacy. [ABSTRACT FROM AUTHOR]

Published

2017

48. Characterizing the HTTPS Trust Landscape: A Passive View from the Edge.

Author

Ouvrier, Gustaf, Laterman, Michel, Arlitt, Martin, and Carlsson, Niklas

Subjects

*HTTP (Computer network protocol), *ONLINE banking, *SOCIAL networks, *WEB browsers, *INTERNET, *MOBILE communication systems

Abstract

Our society increasingly relies on web-based services like online banking, shopping, and socializing. Many of these services heavily depend on secure end-to-end transactions to transfer personal, financial, and other sensitive information. At the core of ensuring secure transactions are the HTTPS protocol and the "trust" relationships between many involved parties, including users, browsers, servers, domain owners, and the third-party CAs that issue certificates binding ownership of public keys with servers and domains. This article presents an overview of the current trust landscape and provides statistics to illustrate and quantify some of the risks facing typical users. Using measurement results obtained through passive monitoring of the HTTPS traffic between a campus network and the Internet, we provide concrete examples and characterize the certificate usage and trust relationships in this complex landscape. By comparing our observations against known vulnerabilities and problems, we highlight and discuss the actual security that typical Internet users (e.g., the people on campus) experience. Our measurements cover both mobile and stationary users, consider the involved trust relationships, and provide insights into how the HTTPS protocol is used and the weaknesses observed in practice. While the security properties vary significantly between sessions, out of the 232 million HTTPS sessions we observed, more than 25 percent had weak security properties. [ABSTRACT FROM PUBLISHER]

Published

2017

49. Cybercrime at a Scale: A Practical Study of Deployments of HTTP-Based Botnet Command and Control Panels.

Author

Sood, Aditya K, Zeadally, Sherali, and Bansal, Rohit

Subjects

*CYBERCRIMINALS, *BOTNETS, *COMPUTER crimes, *HTTP (Computer network protocol), *PORTS (Electronic computer system)

Abstract

Cybercriminals deploy botnets for conducting nefarious operations on the Internet. Botnets are managed on a large scale and harness the power of compromised machines, which are controlled through centralized portals known as C&C panels. C&C panels are considered as attackers' primary operating environment through which bots are controlled and updated at regular intervals of time. C&C panels also store information stolen from the compromised machines as a part of the data exfiltration activity. In this empirical study, we analyzed many over 9000 C&C web URLs to better understand the deployment and the operational characteristics of HTTP-based botnets. [ABSTRACT FROM PUBLISHER]

Published

2017

50. How Far Are We from WebRTC-1.0? An Update on Standards and a Look at What's Next.

Author

Loreto, Salvatore and Romano, Simon Pietro

Subjects

*WEB browsers, *INTERNET protocols, *CODECS, *MULTIPLEXING, *MULTIMEDIA communications

Abstract

Real-time communication between browsers has represented an unprecedented standardization effort involving both the IETF and the W3C. These activities have involved both the real-time protocol suite and the application-level JavaScript APIs to be offered to developers in order to allow them to easily implement interoperable real-time multimedia applications in the web. This article sheds light on the current status of standardization, with special focus on the upcoming final release of the so-called WebRTC-1.0 standard ecosystem. It takes stock of the situation with respect to hot topics such as codecs, session description and stream multiplexing. It also briefly discusses how standard bodies are dealing with seamless integration of the initially competing effort known as "Object Real Time Communications." [ABSTRACT FROM PUBLISHER]

Published

2017