GEOGRAPHICAL ASSESSMENT OF RESULTS FROM PREVENTING THE PARAMETER TAMPERING IN A WEB APPLICATION

The growing use of the internet and the intensity of that use attract malicious actors around the world. Researchers have offered many prevention systems built on different infrastructures, and a very effective prevention system was proposed most recently. After that system was put into use, it prevented vulnerabilities of multiple types, and the attack attempts were recorded. The researchers analysed the results geographically, discussed them and drew some inferences. Our assessments show that the geographical findings can be used to derive implications and to build an infrastructure that prevents the vulnerabilities by location.


INTRODUCTION
1.1 Concepts
Developments in technology and networking have opened up new areas such as mobile devices, e-commerce and social media. With these products, the internet has become an essential part of daily life. Web applications have some vulnerabilities, and the wide use of web-based applications attracts malicious attacks because of them.
Parameter tampering is a very important vulnerability for web applications. Four types of attack involve web parameter tampering: "Injection", "Insecure Direct Object References", "Unvalidated Redirects and Forwards" and "Missing Function Level Access Control" (Menemencioğlu & Orak, 2017).
There are three approaches to detecting and preventing tampering attacks: static, dynamic and hybrid analysis (Menemencioğlu & Orak, 2017). The static approach is based on the absence of integrity constraint enforcement (Zhang et al., 2011). The dynamic approach works at execution time by checking web server responses, without needing modification of the application code (Menemencioğlu & Orak, 2017). The hybrid approach uses static analysis and supports the dynamic approach with a run-time detector.
The static approach analyses the code without executing it (Natarajan & Subramani, 2012). It treats source code as text and requires rewriting web applications (Lee, Jeong, Yeo, & Moon, 2012).
The dynamic approach analyses vulnerabilities at execution time (Natarajan & Subramani, 2012). It focuses on the instructions at run time (Schwartz, Avgerinos, & Brumley, 2010). It checks the web server responses for each input and does not need modification of the web application (Lee et al., 2012).
The hybrid method, on the other hand, simultaneously analyses web pages and generates SQL queries to test (Lee et al., 2012).

Internet usage is extended by improvements in web security. Furthermore, it affects commercial trends and so on (Boyle & Alwitt, 1999). Research in the security field will affect the related security products and thereby increase internet usage. Menemencioğlu & Orak (2017) proposed a detection system for preventing parameter tampering, based on the Deterministic Finite State Machine (DFSM), which uses the hybrid analysis approach. The technical description is detailed in that research; only a brief description is included here. The detection system is implemented on a faculty information system. Attack attempts are prevented and registered, and the registries are accumulated. Figure 1 presents the proposed prevention system.

Dataset
The accumulated data, which consist of the registries of prevented attacks, were analysed in previous research (Menemencioğlu & Orak, 2017). Beyond that study, the geographical effects of the proposed system are analysed and discussed below.
The International Archives of the Photogrammetry, Remote Sensing and Spatial Information Sciences, Volume XLII-4/W6, 2017 4th International GeoAdvances Workshop, 14-15 October 2017, Safranbolu, Karabuk, Turkey
Two data sets are held in the study. The first goal was detecting attacks. For that reason, the first data set covers the period from the very beginning and includes thirteen months of data. After detection was ensured, the mechanism was enhanced to compare session-based data. The second data set covers a shorter period but is much more detailed: 6 months of data including session data.

Results
The mechanism that we propose achieves successful results in preventing parameter tampering attacks. The only cost of this operation is the time for checking the parameters on the database server. Query time depends on the workload of the server; it is not considered here, since it is not the subject of this paper. If parameter tampering is detected, there is an additional time cost for storing the attack. The process can be executed in O(1) time, so the time complexity is O(1).
The mechanism for detecting tampering attacks was developed on the Karabük University Engineering Faculty "Academic Curriculum Vitae Based Faculty Information System" (Menemencioğlu, Sonuç, Karaş, & Orak, 2013). This application aims to provide self-service access to, management and manipulation of personal data, and to publish the resulting entries for web visitors.
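A run-time check with the cost profile described above can be built as a hash lookup of each request parameter against the values the server issued to that session, with a stored record when they differ. This is an added example, not the DFSM-based mechanism of the cited study; the class, the parameter names and the in-memory set standing in for the database table are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class TamperGuard:
    """Hypothetical registry of parameter values issued to each session."""
    issued: dict = field(default_factory=dict)   # session id -> {(name, value)}
    attacks: list = field(default_factory=list)  # stored attack registry

    def issue(self, session_id, name, value):
        """Record a value the server rendered into a link or hidden field."""
        self.issued.setdefault(session_id, set()).add((name, str(value)))

    def check(self, session_id, params, source_ip):
        """Return True if every request parameter matches an issued value.

        Each test is a hash-set membership lookup, O(1) on average per
        parameter. A mismatch is stored together with the source IP.
        """
        allowed = self.issued.get(session_id, set())
        tampered = {n: v for n, v in params.items() if (n, str(v)) not in allowed}
        if tampered:
            self.attacks.append({
                "time": datetime.now(timezone.utc).isoformat(),
                "session": session_id,
                "ip": source_ip,
                "params": tampered,
            })
            return False
        return True


def demo():
    guard = TamperGuard()
    # Constructed sample: session s1 was only ever shown its own record, 17.
    guard.issue("s1", "staff_id", 17)
    guard.issue("s1", "action", "view")
    ok = guard.check("s1", {"staff_id": "17", "action": "view"}, "203.0.113.5")
    # The same session now asks for another record and an action it was never offered.
    bad = guard.check("s1", {"staff_id": "18", "action": "edit"}, "203.0.113.5")
    return ok, bad, guard.attacks


if __name__ == "__main__":
    print(demo())
```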
61991 attacks were detected in the first dataset. After removing duplicate IP addresses, 3354 unique IP addresses remained.

DISCUSSION AND CONCLUSION
In the previous study, the detection system was implemented on a faculty information system. The results were found to be very successful when compared with other methods in terms of real-time detection and evaluation, method, class and code adjustment, rather than accuracy. An accuracy comparison needs the same attack dataset for evaluation. In dynamic analysis, providing this type of dataset is very difficult, so the accuracy comparison is neglected. The proposed mechanism has a simple and effective architecture and implementation, based on hybrid analysis, with very low algorithm overhead. It is cost-effective and the fastest of the methods compared. The proposed mechanism attempts to prevent the four most common risk types that involve parameter tampering: "Injection", "Insecure Direct Object References", "Unvalidated Redirects and Forwards" and "Missing Function Level Access Control" (Menemencioğlu & Orak, 2017).
In this research, the accumulated data are examined in detail from a geographical point of view.
The web application is implemented in Turkey. Apart from Turkey, most attacks come from the USA, Russia, Ukraine and China. Except for Ukraine, this can be related to the level of economic and technological development. In other words, the attackers are mostly located in the most developed countries.
Ukraine can be assessed as a spillover of the Russian effect when the political impression is considered. The total vulnerability value for Europe is about 7 percent.
The distribution of IP series and the share of class A IP addresses imply the existence of vulnerability detection mechanisms or attack mechanisms such as a crawler. Future work will give some thought to these mechanisms.
These assessments point towards IP-based or location-based restriction in web-based applications and in firewall software and hardware products. Future work can focus on IP matching algorithms in the light of the information retrieved in this research.
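The de-duplication reported in the Results and the class, NAT and IP-series observations discussed above can be computed from an attack registry as follows. This is an added example, not code from the study; the registry entries are constructed, and treating the RFC 1918 ranges as the NAT addresses and a run of three adjacent addresses as an "IP series" are assumptions.

```python
import ipaddress
from collections import Counter

# Assumption: "NAT" addresses are the RFC 1918 private ranges; all others count as global.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed registry of prevented attacks: (source IP, tampered parameter).
# Arbitrary sample addresses, not data or indicators from the study.
REGISTRY = [
    ("10.1.4.20", "id"), ("10.1.4.20", "id"),
    ("52.14.8.1", "page"), ("52.14.8.2", "page"), ("52.14.8.3", "page"),
    ("52.14.8.4", "id"), ("176.9.30.7", "id"), ("203.0.113.9", "lang"),
]

def ip_class(addr):
    """Classful network class, decided by the first octet."""
    first = int(ipaddress.IPv4Address(addr)) >> 24
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    return "C" if first < 224 else "D/E"

def consecutive_runs(addrs, min_len=3):
    """Runs of numerically adjacent addresses in a sorted list (an IP series)."""
    runs, current = [], []
    for a in addrs:
        if current and int(a) - int(current[-1]) == 1:
            current.append(a)
            continue
        if len(current) >= min_len:
            runs.append((str(current[0]), str(current[-1])))
        current = [a]
    if len(current) >= min_len:
        runs.append((str(current[0]), str(current[-1])))
    return runs

def analyse(registry):
    """Summarise a registry: events, unique IPs, classes, NAT/global split, series."""
    unique = sorted({ipaddress.IPv4Address(ip) for ip, _ in registry})
    nat = sum(any(a in net for net in RFC1918) for a in unique)
    return {
        "events": len(registry), "unique": len(unique),
        "classes": dict(Counter(ip_class(a) for a in unique)),
        "nat": nat, "global": len(unique) - nat,
        "runs": consecutive_runs(unique),
    }

if __name__ == "__main__":
    print(analyse(REGISTRY))
```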

Figure 2 shows the distribution of IP addresses. 98 percent of the IP addresses are global IP addresses. Two percent of the addresses are NAT IP addresses from Karabük University.

Figure 4. Class distribution of IP addresses