Web Service Access Control Based on Browser Fingerprint Detection

Authors

  • Liu Hui Beijing Jiaotong University, China
  • He Xudong Beijing Jiaotong University, China https://orcid.org/0000-0002-9879-6232
  • Gao Fan Beijing Jiaotong University, China
  • Wang KaiLun Beijing Jiaotong University, China
  • Yuan Enze Beijing Jiaotong University, China

DOI:

https://doi.org/10.13052/jwe1540-9589.20512

Keywords:

Access control, Adversarial learning, Browser fingerprint, Web service. Communicated by: to be filled by the Editorial

Abstract

Web services have covered all areas of social life, and various browsers have become necessary software on computers and mobile phones, and they are also the entrances to Web services. All kinds of threats to web data security continue to appear, so web services and browsers have become the focus of security. In response to the requirements of Web service for access entity identification and data access control, this paper proposes a multi-dimensional browser fingerprint detection method based on adversarial learning, and designs a Web service access control framework combined with browser fingerprint detection. Through the joint use of multi-dimensional browser features, adversarial learning is used to improve the accuracy and robustness of browser fingerprint detection; a cross-server and browser-side Web service access control framework is established by creating tags for Web data resources and access entities. Based on the mapping relationship between browser fingerprint detection entities and data resources, fine-grained hierarchical data access control is realized. Through experiments and analysis, the browser fingerprint detection method proposed in this paper is superior to existing machine learning detection methods in terms of accuracy and robustness. Based on the adversarial learning method, good detection results can be obtained in the case of a small number of user samples. At the same time, the open source data set is further used to verify the advantages of the method in this paper. The Web service access control framework can satisfy the requirements of Web data security control, is an effective supplement to user identification technology, and is implementable.

Downloads

Download data is not yet available.

Author Biographies

Liu Hui, Beijing Jiaotong University, China

Liu Hui received his B.Sc. degrees in Computer Science and Technology from Hunan University, China; M.Sc. degree in Computer Science and Technology from Huazhong University of Science and Technology, China; Now, Liu Hui is a Ph.D. candidate in Beijing Jiaotong University, China; His research field of centers on information security.

He Xudong, Beijing Jiaotong University, China

He Xudong received his B.Sc. degrees in Dalian Jiaotong University, China; He Xudong is a Ph.D. candidate in Computer Technology from Beijing Jiaotong University, China; His main research field are Web security, Internet of Things security and blockchain.

Gao Fan, Beijing Jiaotong University, China

Gao Fan received her B.Sc. degrees in computer science and Technology from Shandong University of Technology, China; M.Sc. degree in Computer Technology from Beijing Jiaotong University, China; Her main research field are Web security and browser fingerprint detection.

Wang KaiLun, Beijing Jiaotong University, China

Wang KaiLun received his B.Sc. degrees in Beijing University of Technology. He is currently studying for a master’s degree in the school of computing and information technology of Beijing Jiaotong University. His current research interests include Internet of Things and blockchain.

Yuan Enze, Beijing Jiaotong University, China

Enze Yuan received his B.E. degree in information security from Beijing Jiaotong University, Beijing, China, in 2020, He is currently pursuing the MA.Eng degree in cyberspace security at Beijing Jiaotong University. His research interests include Internet of things and blockchain.

References

C. Administration, “Cyberspace administration of china,” http://www.cac.gov.cn/2021-02/03/c_1613923423079314.htm.

H. Wang, Y. Zhang, J. Li, and D. Gu, “The achilles heel of oauth: A multi-platform study of oauth-based authentication,” in Proceedings of the 32nd Annual Conference on Computer Security Applications, ser. ACSAC ’16. New York, NY, USA: Association for Computing Machinery, 2016, p. 167–176. [Online]. Available: https://doi.org/10.1145/2991079.2991105

A. Armando, R. Carbone, L. Compagna, J. Cuéllar, and L. Tobarra, “Formal analysis of SAML 2.0 web browser single sign-on: breaking the saml-based single sign-on for google apps,” in Proceedings of the 6th ACM Workshop on Formal Methods in Security Engineering, FMSE 2008, Alexandria, VA, USA, October 27, 2008, V. Shmatikov, Ed. ACM, 2008, pp. 1–10. [Online]. Available: https://doi.org/10.1145/1456396.1456397

D. Perito, C. Castelluccia, M. A. Kâafar, and P. Manils, “How unique and traceable are usernames?” CoRR, vol. abs/1101.5578, 2011. [Online]. Available: http://arxiv.org/abs/1101.5578

P. Laperdrix, N. Bielova, B. Baudry, and G. Avoine, “Browser fingerprinting: A survey,” CoRR, vol. abs/1905.01051, 2019. [Online]. Available: http://arxiv.org/abs/1905.01051

A. FaizKhademi, M. Zulkernine, and K. Weldemariam, “Fpguard: Detection and prevention of browser fingerprinting,” in Data and Applications Security and Privacy XXIX - 29th Annual IFIP WG 11.3 Working Conference, DBSec 2015, Fairfax, VA, USA, July 13-15, 2015, Proceedings, ser. Lecture Notes in Computer Science, P. Samarati, Ed., vol. 9149. Springer, 2015, pp. 293–308. [Online]. Available: https://doi.org/10.1007/978-3-319-20810-7_21

C. F. Torres, H. L. Jonker, and S. Mauw, “Fp-block: Usable web privacy by controlling browser fingerprinting,” in Computer Security – ESORICS 2015 - 20th European Symposium on Research in Computer Security, Vienna, Austria, September 21-25, 2015, Proceedings, Part II, ser. Lecture Notes in Computer Science, G. Pernul, P. Y. A. Ryan, and E. R. Weippl, Eds., vol. 9327. Springer, 2015, pp. 3–19. [Online]. Available: https://doi.org/10.1007/978-3-319-24177-7_1

U. Fiore, A. Castiglione, A. D. Santis, and F. Palmieri, “Countering browser fingerprinting techniques: Constructing a fake profile with google chrome,” in 17th International Conference on Network-Based Information Systems, NBiS 2014, Salerno, Italy, September 10-12, 2014, L. Barolli, F. Xhafa, M. Takizawa, T. Enokido, A. Castiglione, and A. D. Santis, Eds. IEEE Computer Society, 2014, pp. 355–360. [Online]. Available: https://doi.org/10.1109/NBiS.2014.102

Y. Cao, S. Li, and E. Wijmans, “(cross-)browser fingerprinting via OS and hardware level features,” in 24th Annual Network and Distributed System Security Symposium, NDSS 2017, San Diego, California, USA, February 26–March 1, 2017. The Internet Society, 2017. [Online]. Available: https://www.ndss-symposium.org/ndss2017/ndss-2017-programme/cross-browser-fingerprinting-os-and-hardware-level-features/

A. Vastel, P. Laperdrix, W. Rudametkin, and R. Rouvoy, “FP-STALKER: tracking browser fingerprint evolutions,” in 2018 IEEE Symposium on Security and Privacy, SP 2018, Proceedings, 21–23 May 2018, San Francisco, California, USA. IEEE Computer Society, 2018, pp. 728–741. [Online]. Available: https://doi.org/10.1109/SP.2018.00008

E. Bursztein, A. Malyshev, T. Pietraszek, and K. Thomas, “Picasso: Lightweight device class fingerprinting for web clients,” in Proceedings of the 6th Workshop on Security and Privacy in Smartphones and Mobile Devices, SPSM@CCS 2016, Vienna, Austria, October 24, 2016, L. Lu and M. Mannan, Eds. ACM, 2016, pp. 93–102. [Online]. Available: http://dl.acm.org/citation.cfm?id=2994467

F. Rochet, K. Efthymiadis, F. Koeune, and O. Pereira, “SWAT: seamless web authentication technology,” in The World Wide Web Conference, WWW 2019, San Francisco, CA, USA, May 13–17, 2019, L. Liu, R. W. White, A. Mantrach, F. Silvestri, J. J. McAuley, R. Baeza-Yates, and L. Zia, Eds. ACM, 2019, pp. 1579–1589. [Online]. Available: https://doi.org/10.1145/3308558.3313637

secureauth, “Device and browser fingerprinting,” https://docs.secureauth.com/pages/viewpage.action?pageId=40045162.

D. Ferraiolo, J. Cugini, and D. Kuhn, “Role-based access control: features and motivations,” 01 1995.

R. S. Sandhu, E. J. Coyne, H. L. Feinstein, and C. E. Youman, “Role-based access control models,” Computer, vol. 29, no. 2, pp. 38–47, 1996. [Online]. Available: https://doi.org/10.1109/2.485845

W. Liu, H. Duan, H. Zhang, P. Ren, and J. Wu, “Trbac: Trust based access control model,” Jisuanji Yanjiu yu Fazhan/Computer Research and Development, vol. 48, no. 8, pp. 1414–1420, 2011, discretionary access control; Dynamic access control; Mandatory access control; Role-based Access Control; Secure operating system; Trust; Trust computing; Trust-based access control.

C. E. da Silva, J. D. S. da Silva, C. Paterson, and R. Calinescu, “Self-adaptive role-based access control for business processes,” in 12th IEEE/ACM International Symposium on Software Engineering for Adaptive and Self-Managing Systems, SEAMS@ICSE 2017, Buenos Aires, Argentina, May 22–23, 2017. IEEE Computer Society, 2017, pp. 193–203. [Online]. Available: https://doi.org/10.1109/SEAMS.2017.13

W. K. Grassmann, “Markov modelling,” in Proceedings of the 15th Conference on Winter Simulation – Volume 2, ser. WSC ’83. IEEE Press, 1983, pp. 613–619.

A. Yavari, A. S. Panah, D. Georgakopoulos, P. P. Jayaraman, and R. G. van Schyndel, “Scalable role-based data disclosure control for the internet of things,” in 37th IEEE International Conference on Distributed Computing Systems, ICDCS 2017, Atlanta, GA, USA, June 5–8, 2017, K. Lee and L. Liu, Eds. IEEE Computer Society, 2017, pp. 2226–2233. [Online]. Available: https://doi.org/10.1109/ICDCS.2017.307

M. U. Aftab, Z. Qin, N. W. Hundera, O. Ariyo, Zakria, N. T. Son, and T. V. Dinh, “Permission-based separation of duty in dynamic role-based access control model,” Symmetry, vol. 11, no. 5, p. 669, 2019. [Online]. Available: https://doi.org/10.3390/sym11050669

D. D. F. Maesa, P. Mori, and L. Ricci, “Blockchain based access control,” in Distributed Applications and Interoperable Systems – 17th IFIP WG 6.1 International Conference, DAIS 2017, Held as Part of the 12th International Federated Conference on Distributed Computing Techniques, DisCoTec 2017, Neuchâtel, Switzerland, June 19–22, 2017, Proceedings, ser. Lecture Notes in Computer Science, L. Y. Chen and H. P. Reiser, Eds., vol. 10320. Springer, 2017, pp. 206–220. [Online]. Available: https://doi.org/10.1007/978-3-319-59665-5_15

Y. Yang, X. Zheng, W. Guo, X. Liu, and V. Chang, “Privacy-preserving smart iot-based healthcare big data storage and self-adaptive access control system,” Inf. Sci., vol. 479, pp. 567–592, 2019. [Online]. Available: https://doi.org/10.1016/j.ins.2018.02.005

S. Englehardt and A. Narayanan, “Online tracking: A 1-million-site measurement and analysis,” in Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, Vienna, Austria, October 24–28, 2016, E. R. Weippl, S. Katzenbeisser, C. Kruegel, A. C. Myers, and S. Halevi, Eds. ACM, 2016, pp. 1388–1401. [Online]. Available: https://doi.org/10.1145/2976749.2978313

I. Sánchez-Rola, I. Santos, and D. Balzarotti, “Extension breakdown: Security analysis of browsers extension resources control policies,” in 26th USENIX Security Symposium, USENIX Security 2017, Vancouver, BC, Canada, August 16–18, 2017, E. Kirda and T. Ristenpart, Eds. USENIX Association, 2017, pp. 679–694. [Online]. Available: https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/sanchez-rola

I. J. Goodfellow, J. Pouget-Abadie, M. Mirza, B. Xu, D. Warde-Farley, S. Ozair, A. C. Courville, and Y. Bengio, “Generative adversarial nets,” in Advances in Neural Information Processing Systems 27: Annual Conference on Neural Information Processing Systems 2014, December 8–13 2014, Montreal, Quebec, Canada, Z. Ghahramani, M. Welling, C. Cortes, N. D. Lawrence, and K. Q. Weinberger, Eds., 2014, pp. 2672–2680. [Online]. Available: https://proceedings.neurips.cc/paper/2014/hash/5ca3e9b122f61f8f06494c97b1afccf3-Abstract.html

I. Goodfellow, J. Pouget-Abadie, M. Mirza, B. Xu, D. Warde-Farley, S. Ozair, A. Courville, and Y. Bengio, “Generative adversarial networks,” Commun. ACM, vol. 63, no. 11, pp. 139–144, Oct. 2020. [Online]. Available: https://doi.org/10.1145/3422622

F. Monay and D. Gatica-Perez, “On image auto-annotation with latent space models,” in Proceedings of the Eleventh ACM International Conference on Multimedia, Berkeley, CA, USA, November 2–8, 2003, L. A. Rowe, H. M. Vin, T. Plagemann, P. J. Shenoy, and J. R. Smith, Eds. ACM, 2003, pp. 275–278. [Online]. Available: https://doi.org/10.1145/957013.957070

K. He, X. Zhang, S. Ren, and J. Sun, “Deep residual learning for image recognition,” in 2016 IEEE Conference on Computer Vision and Pattern Recognition, CVPR 2016, Las Vegas, NV, USA, June 27–30, 2016. IEEE Computer Society, 2016, pp. 770–778. [Online]. Available: https://doi.org/10.1109/CVPR.2016.90

github, “fingerprintjs,” https://github.com/fingerprintjs/fingerprintjs.

Published

2021-08-26

Issue

Section

Advanced Practice in Web Engineering