Input Validation Research Articles

A Fuzzing Tool Based on Automated Grammar Detection

Software testing is an important step in the software development life cycle to ensure the quality and security of software. Fuzzing is a security testing technique that finds vulnerabilities automatically without accessing the source code. We built a fuzzer, called JIMA-Fuzzing, which is an effective fuzzing tool that utilizes grammar detected from sample input. Based on the detected grammar, JIMA-Fuzzing selects a portion of the valid user input and fuzzes that portion. For example, the tool may greatly increase the size of the input, truncate the input, replace numeric values with new values, replace words with numbers, etc. This paper discusses how JIMA-Fuzzing works and shows the evaluation results after testing against the DARPA Cyber Grand Challenge (CGC) dataset. JIMA-Fuzzing is capable of extracting grammar from sample input files, meaning that it does not require access to the source code to generate effective fuzzing files. This feature allows it to work with proprietary or non-open-source programs and significantly reduces the effort needed from human testers. In addition, compared to fuzzing tools guided with symbolic execution or taint analysis, JIMA-Fuzzing takes much less computing power and time to analyze sample input and generate fuzzing files. However, the limitation is that JIMA-Fuzzing relies on good sample inputs and works primarily on programs that require user interaction/input.

PyPSA-BD: A customized model to explore decarbonized energy transition for developing country

This article provides high-resolution, evidence-based insights towards power sector planning for a developing country. We consider the PyPSA-BD model as a cutting-edge contribution as it’s a fully customized adaptation of PyPSA-Earth for Bangladesh to identify challenges and opportunities for transitioning to a decarbonized power system through counterfactual validation of inputs from national official statistics with a spatial resolution of 30km x 30km and an hourly temporal resolution. Its open-source framework is helpful for future researchers and decision-makers in developing countries like Bangladesh to develop more scenarios to answer any policy-relevant questions as per national need. With 2019 as a reference year, scenarios for 2030, 2041, and 2050 align with national renewable energy integration and decarbonization targets revealing cost-effective generation expansions, diversification of installed capacity through renewable energy penetration, net employment generation, additional land and investment requirement. Model results show that the 2019 installed capacity of 18.94 GW will grow to 61.45 GW by 2030, 102.36 GW by 2041, and 281.52 GW by 2050. By 2050, a storage capacity of 28.5 GW will be required to maintain grid stability. This transition could create approximately 6.7 million jobs and reduce generation costs to 7.63 BDT/kWh by 2050, requiring 3690.85 sq.km of land. Achieving these outcomes will demand an annual investment of approximately 1.99% of Bangladesh’s 2023 GDP from 2025, underscoring the need for national and international finance mobilization. The results guide policymakers to develop sustainable energy transition strategies for Bangladesh that provide power supply security at both spatial and temporal scale.

An Online Knowledge-Based Support System

Technology advances have touched all the fields of human life, and the educational system is not an exception. Students in Nigerian universities experience challenges in their early or later stages of school due to a lack of a knowledge-based support system. This results in massive failure and confusion in later days in school. A knowledge-based online support system has been developed and implemented in this paper to improve academic support services for students and faculty members in the university. The need for such a support system stems from the various academic problems that the students often experience, including a lack of answers to certain questions, which can result in academic failure, taking too long to graduate, or dropping out of the university altogether. The system is web-based; therefore, users can access the necessary information when needed, and, in most cases, it solves common academic issues in a short time using the web. Following the Agile software development methodology and employing a client-server architecture, the system was designed in a user-friendly and efficient manner. Highlights of the system include an extensive database of FAQs, real-time interactive services, and multi-typed query handling. Testing phases were performed and integrated, and modular testing showed that the system worked as intended, providing valid inputs and also flagging any invalid inputs without causing the system failures, and performing provisions for user corrections. The results suggest that the online support system could enhance the academic environment at AE-FUNAI and therefore would benefit students and staff members alike. Nevertheless, certain limitations still prevail, such as poor internet access, which calls for constant enhancement and provision of support to the system.

Unveiling the Underbelly of Web Application Vulnerabilities: A Critical Exploration

This study reveals web application weaknesses and demonstrates how frequent security flaws permit unauthorized entry to web solutions. Many web applications are at risk due to the secrecy of the data they store. Recognizing this theme plays a key role in identifying the threats in play. We examined the OWASP's Top 10 weaknesses together with Session Hijacking and Weak Password Management. Violent Monkey shows the methods to take advantage of this breach by mixing practical exploration with tools, including Burp Suite and Nmap, Wireshark, and browser extensions Cookie Editor. With Cookie Editor at hand, session hijacking happens in a moment as session cookies can be easily gathered with Google Dorking and transmitted to a premium account. Violent monkey effectively represents a key illustration of privilege escalation. An authorized user can access premium features by placing a script in the client component of a web service. Errors occur in managing passwords because a 10-thousand-character password gets made and endorsed without input validation from the system. Thanks to these weaknesses, hackers gain unauthorized access and compromise data. Investigating strong vulnerability management motivates this project and encourages additional research into how machine learning can identify weaknesses and provide timely threat-related data

Security Analysis of SQL Injection Attacks on Multimedia and Journal-Services Sites Using Concatenated Input Validation and Parsing Method (CIVP)

Security Analysis of SQL Injection Attacks on Multimedia and Journal-Services Sites Using Concatenated Input Validation and Parsing Method (CIVP)

AUDIT DAN ANALISIS WEBSITE PEMERINTAH MENGGUNAKAN PENGUJIAN PENETRASI SQL INJECTION DAN CROSS SITE SCRIPTING (XSS)

This study aims to analyze the security of government websites, focusing on vulnerabilities caused by SQL Injection and Cross Site Scripting (XSS) attacks. In accordance with Presidential Instruction No. 3 of 2003 on National Policy and Strategy for E-Government Development, government agencies are required to provide digital services through official websites. However, this increase in digitalization presents challenges in the context of cybersecurity. The research applies penetration testing methods to several government websites in East Java, using the OWASP Top 10 as the primary guide. The results reveal that many government websites are vulnerable to SQL Injection and XSS attacks, which could lead to data theft and information manipulation. Recommendations for enhancing security include implementing input validation techniques and regularly updating software. This research contributes to raising cybersecurity awareness in the governmental sector.

Comparative Analysis of SQL Injection Attack Clasification Using Naïve Bayes Method And Support Vector Machine (SVM).

SQL Injection is an attack that attempts to gain unauthorized access to a database by injecting code and exploiting SQL queries. SQL injection is an attack that is easy to execute but difficult to detect and classify because of the many types. The SQLI vulnerability is the result of incorrect validation of user input, enabling attackers to manipulate programmer queries by adding new SQL operators. Therefore, this study compares the use of the Naïve Bayes algorithm with the Support Vector Machine (SVM). The dataset that will be used in this study comes from a website called Kaggle. This study analyzes the comparison of methods resulting from the classification process based on the value of accuracy of confusion matrix, precision, recall. Naive Bayes, 95.594% accuracy quality while Support Vector Machine (SVM) 96.093% accuracy quality. The highest percentage of accuracy is obtained by the Support Vector Machine (SVM) while the Naïve Bayes accuracy score is slightly lower.

A Time and Place to Land

Cooperation between an unmanned aerial vehicle (UAV) and unmanned surface vehicle (USV) can be critical in fields like search and rescue, marine ecology, and surveying. This is because, by landing a UAV on a USV for recharging, the agents can collaborate to eliminate their individual limitations; UAVs typically have a superior speed and vantage point compared to USVs, but can only remain airborne for short periods of time due to battery limitations, whereas USVs lack mobility and height but can remain at sea for extended periods of time and carry large batteries. The question our work this summer sought to answer is: how can we get a UAV-USV pair to seek out ”calm waters” and attempt a landing when and where the waves are most favorable? Due to the high risk associated with testing such a system on a real body of water, we developed a novel testbed that utilizes an unmanned ground vehicle (UGV) fitted with a custom-made 2-axis tilting landing pad that can pitch and roll to simulate the motion of a USV in a variety of wave conditions. We used this novel testbed with an indoor Crazyflie UAV to experimentally prove a cooperative model-predictive control (MPC) scheme. In essence, MPC works by optimizing control inputs using a model that encodes the dynamics of a system to pick the best series of control inputs from a finite set of valid inputs. Our work successfully proved the viability of a system where two agents use MPC to optimize their relative positions and the intensity of nearby waves to reach consensus on where and when to land. By landing 100+ times using a variety of system configurations, we were able to demonstrate a significantly increased likelihood of successful landings when using our control scheme.

Adversarial Missingness Attacks on Causal Structure Learning

Causality-informed machine learning has been proposed as an avenue for achieving many of the goals of modern machine learning, from ensuring generalization under domain shifts to attaining fairness, robustness, and interpretability. A key component of causal machine learning is the inference of causal structures from observational data; in practice, this data may be incompletely observed. Prior work has demonstrated that adversarial perturbations of completely observed training data may be used to force the learning of inaccurate causal structural models (SCMs). However, when the data can be audited for correctness (e.g., it is cryptographically signed by its source), this adversarial mechanism is invalidated. This work introduces a novel attack methodology wherein the adversary deceptively omits a portion of the true training data to bias the learned causal structures in a desired manner (under strong signed sample input validation, this behavior seems to be the only strategy available to the adversary). Under this model, theoretically sound attack mechanisms are derived for the case of arbitrary SCMs, and a sample-efficient learning-based heuristic is given. Experimental validation of these approaches on real and synthetic data sets, across a range of SCMs from the family of additive noise models (linear Gaussian, linear non-Gaussian, and non-linear Gaussian) demonstrates the effectiveness of adversarial missingness attacks at deceiving popular causal structure learning algorithms.

Carbon management accounting an evolving approach to enhance transparency and accountability in accounting and reporting practices

Purpose This study aims to examine the factors driving the adoption of carbon management accounting (CMA) and various considerations that mediate its effectiveness in accounting and disclosure practices. Design/methodology/approach This study used an exploratory, cross-sectional, quantitative design. Academics, managements/executives, professional accountants, professional auditors and researchers served as the primary units of analysis. This study used a survey method to gather data through a structured online questionnaire. The data were analyzed using descriptive statistics and partial least squares structural equation modeling (PLS-SEM). Findings The results revealed that the factors driving the adoption of CMA directly influence the effectiveness of CMA practices, with a significant mediating effect of regulatory and ethical aspects. Furthermore, this study revealed the difficulty of accounting, quantifying and reporting carbon emissions and revenue generation from the trading of carbon credits. This highlights the critical role of standard-setters and academics in deciding the concrete methodology to promote uniformity in carbon disclosures. Research limitations/implications The major limitations of this study are that it considered only the perception of experts and did not study the actual practices of CMA by considering companies that have already implemented CMA. Further studies should consider this aspect to validate the results of this study. Furthermore, the findings highlight the insignificant effect of economic, environmental and social aspects in enhancing the overall effectiveness of CMA. This is because of the limited number of factors considered in the study of such metrics. To overcome this limitation, future studies should consider wider aspects to validate the outcomes of this study. Practical implications The major contribution of this study is that it serves as a base input for business organizations, academics, researchers and regulatory authorities who are working to implement CMA strategies to reduce carbon emissions and promote net-zero business practices. Originality/value The outcome of this study is unique and new, as the subject matter of this study is in the nascent stage. The outcome of this study may become a significant valid input for regulators and policymaking companies to gain knowledge about CMA practices and motivate them to integrate CMA practices as part of their sustainability initiatives.

A methodology for evaluating feature selection and clustering methods with project-specific requirements

This paper describes a methodology for ranking feature selection and clustering methods with user-specific preferences and taking data properties into account. For a better understanding of this paper, the developed methodology is referred to as the Two Machine Learning Procedures, Preferences and Properties (2ML3P) methodology. The 2ML3P methodology aims to support users from multiple domains, such as engineers, who have little expertise in machine learning (ML). It is also independent from the disciplinary core competencies of the manufacturer, with a strong focus on employability in small and mid-sized enterprises (SME). The foundation of the methodology to evaluate the combination of the two machine learning classes is described. It focuses on a range of feature selection and clustering methods, their limitations, and their challenges. The paper covers the concept phase by defining the inputs, such as the specific characteristics of machine learning classes or the properties of the production data and the user preferences. With applied methodologies such as the analytic hierarchy process (AHP) and the technique for order preference by similarity to ideal solution (TOPSIS), the preferences of the user as valid input are integrated. The scientific contribution of this methodology is the approach to include user preferences and specific data properties in the selection process of two ML methods. As digitalisation progresses, making data-driven decisions in the domains of production and logistics is a goal for many SMEs. This methodology can support a data-driven decision-aid model by providing a guided method, which requires relatively little ML knowledge on the part of the engineer. It allows the user(s) to select the best suited combination of ML methods for a clustering use case.

Secure consensus for PDEs-based multiagent systems under DoS attacks via boundary control approach

This paper focuses on secure consensus for leader-following multiagent systems (MASs) modeled by partial differential equations (PDEs) under denial of service (DoS) attacks. To mitigate the negative effects of DoS attacks, which can paralyze communication and cause agents to fail to receive valid control inputs, a buffer region is established in the communication channels among agents to temporarily store messages from neighbors. Additionally, since the states of the leader and followers are not always measurable, observers are used to estimate these states. To address these challenges, this paper proposes two boundary controllers to ensure leader-following consensus in both measurable and unmeasurable states. One controller is based on original boundary information, while the other utilizes observation information from both the leader and followers. To the best of our knowledge, this is the first attempt to use buffers to solve a class of PDEs-based MASs under DoS attacks. Furthermore, the boundary control approach has the potential to significantly reduce the number of actuators required, thereby lowering control costs. Finally, we present two numerical examples to validate the feasibility of the proposed methods.

Comprehensive review of machine learning models for sql injection detection in e-commerce

With the steady expansion of online commerce, e-commerce sites have become increasingly attractive targets for hackers. These sites serve millions of customers and often hold valuable, confidential, and sometimes financial information in their databases. One particularly dangerous type of attack is SQL injection, which exploits vulnerabilities in web applications to influence backend databases, posing significant threats to such platforms. Traditional defenses like desktop firewalls, input validation, and parameterized queries provide some level of protection but are often insufficient against newer injection variations and sophisticated attackers. The utilization of machine learning to enhance cybersecurity against more advanced threats has been demonstrated as a promising approach. This systematic review examines how various machine learning algorithms are applied to detect SQL injection attacks that could potentially harm e-commerce systems. By identifying and analyzing the relevant literature, this review highlights the effectiveness of different algorithms and their practical applications in enhancing the security of online commerce platforms. More specifically, five techniques were assessed on both real and synthetic datasets: Logistic Regression, Naive Bayes, Random Forest, Artificial Neural Network, and two combined models (Logistic Regression & Naive Bayes, and Artificial Neural Network & Random Forest). The findings indicate that Random Forest performed better than other algorithms in the decision tree family, attributed to its ability to balance precision and recall effectively. However, limitations such as using a single dataset and the computational complexity of some models were noted. This review provides insights for practitioners on selecting appropriate detection models and outlines approaches to address current limitations through future work. Addressing these limitations could involve using more diverse datasets, optimizing computational efficiency, and exploring advanced ensemble methods and neural network architectures.

Analysis of Manual and Automated Methods Effectiveness in Website Penetration Testing for Identifying SQL Injection Vulnerabilities

This research aims to identify vulnerabilities to SQL Injection attacks on websites through penetration testing using quantitative and descriptive methods. In the current digital era, data and information security has become a crucial aspect. One of the frequent threats is SQL Injection attacks, where attackers insert malicious SQL commands into queries executed by web applications. This study utilizes tools such as Burp Suite to identify and exploit vulnerabilities in a login form created by the researchers. The research process begins with the Pre-Engagement Interactions phase, which includes information gathering and setting the testing scope. Subsequently, Vulnerability Testing is conducted to evaluate existing weaknesses. The exploitation of vulnerabilities is performed using the 'OR'1'='1 technique, which successfully demonstrates that the website is vulnerable to SQL Injection attacks. The results of this study indicate that the login form on the website is susceptible to SQL Injection due to insufficient input validation and the use of dynamic SQL queries without prepared statements. Implementing stricter input validation techniques and using prepared statements has proven effective in enhancing website security. This research makes a significant contribution to the field of information system security, particularly in the prevention of SQL Injection attacks. The results of this study can serve as a practical guide for web developers in improving the security of their applications and provide a deeper understanding of the threats and mitigation techniques for SQL Injection.

A curvilinear assessment of innovation in Six Sigma project teams: the influence of psychological safety and intrinsic motivation

PurposeTo investigate the factors affecting innovation in Six Sigma improvement teams. Based on Activation Theory, this study explores the possibility of an inverted U-shaped association between psychological safety and innovation and examines how intrinsic motivation moderates this relationship.Design/methodology/approachModerated regression analysis is carried out to test the curvilinear relationship, using data collected from 324 members of 102 Six Sigma improvement teams from two European manufacturing firms.FindingsThe findings demonstrate that the beneficial effect of psychological safety reaches an inflection point, after which its relations with innovation cease to be linear and positive; this gives the relationship a curvilinear pattern (inverted U-shaped). Further, intrinsic motivation has a supportive effect in enhancing the beneficial impact of psychological safety on innovation, and in shifting the inflection points to a higher level; this demonstrates their synergetic influence on innovation.Originality/valueThe impact of psychological safety on innovation is examined from the new perspective of a curvilinear relationship. This is one of the first studies to investigate the combined effects of individual (intrinsic motivation) and team-level antecedents (psychological safety) on innovation in Six Sigma teams. The study provides insights into how Six Sigma enhances innovation and offers some valid inputs to the current academic debate on this topic.

FuSeBMC v4: Improving Code Coverage with Smart Seeds via BMC, Fuzzing and Static Analysis

Bounded model checking (BMC) and fuzzing techniques are among the most effective methods for detecting errors and security vulnerabilities in software. However, there are still shortcomings in detecting these errors due to the inability of existing methods to cover large areas in target code. We propose FuSeBMC v4, a test generator that synthesizes seeds with useful properties, that we refer to as smart seeds , to improve the performance of its hybrid fuzzer thereby achieving high C program coverage. FuSeBMC works by first analyzing and incrementally injecting goal labels into the given C program to guide BMC and Evolutionary Fuzzing engines. After that, the engines are employed for an initial period to produce the so–called smart seeds. Finally, the engines are run again, with these smart seeds as starting seeds, in an attempt to achieve maximum code coverage/find bugs. During seed generation and normal running, the Tracer subsystem aids coordination between the engines. This subsystem conducts additional coverage analysis and updates a shared memory with information on goals covered so far. Furthermore, the Tracer evaluates test-cases dynamically to convert cases into seeds for subsequent test fuzzing. Thus, the BMC engine can provide the seed that allows the fuzzing engine to bypass complex mathematical guards (e.g., input validation). As a result, we received three awards for participation in the fourth international competition in software testing (Test-Comp 2022), outperforming all state-of-the-art tools in every category, including the coverage category.

Aerodynamic conditions measured at a rotor blade of large wind turbine prototype

In this paper we present high resolution pressure distributions measured on the surface of a rotor blade of an 8 MW offshore prototype. We investigate two time intervals of approximately 10 minute duration acquired in April 2022. During the first time interval the turbine is operated at rated power, during the second time interval the turbine is operated below rated power. We see a clear increase and decrease of pressure values on the pressure side and suction side of the rotor blade, respectively. Also, 1P frequency oscillations are found in all sensors except during idling state. We find a decreasing signal to noise ratio in these oscillations with increasing distance from leading edge towards trailing edge, indicating higher turbulence in the air flow. Additionally, pressure changes during pitching movements can be observed. These data present the first data set of pressure distribution measured over a longer time period on a state-of-the-art sized offshore wind turbine prototype and therefore, provide important input for model validation and further understanding of the aerodynamic conditions at a rotor blade.

Human Action Recognition System Using LRCN

Abstract: The importance of human action recognition is significant across various domains, driving advancements in safety, healthcare, sports analytics, and interactive technologies. Leveraging machine learning techniques like Long Recurrent Convolutional Neural Networks (LRCN) trained on datasets such as UCF50, our project focuses on action prediction from YouTube videos. This technology plays a pivotal role in enhancingsafety and security by enabling the detection of anomalies and suspicious behaviours in surveillance systems. In healthcare, it supports remote patient monitoring, rehabilitation assessment, and personalized care plans based on observed actions. Addi- tionally, in sports analytics and entertainment, human action recognition informs performance evaluation, content creation, and immersive experiences. Our integration of a pre-trained LRCN model into a Flask web application signifies the tangible impact of machine learning on human action recognition, with ongoing efforts to optimize functionality through input validation, error handling, user feedback, security measures, and performance enhancements, illustrating the practical application and societal benefits of this innovative technology

MtDNA-Server 2: advancing mitochondrial DNA analysis through highly parallelized data processing and interactive analytics.

Over the past decade, mtDNA-Server established itself as one of the most widely used variant calling web-services for human mitochondrial genomes. The service accepts sequencing data in BAM format and returns an annotated variant analysis report for both homoplasmic and heteroplasmic variants. In this work we present mtDNA-Server 2, which includes several new features highly requested by the community. Most importantly, it includes (a) the integration of a novel variant calling mode that accurately call insertions, deletions and single nucleotide variants at once, (b) the integration of additional quality control and input validation modules, (c) a method to estimate the required coverage to minimize false positives and (d) an interactive analytics dashboard. Furthermore, we migrated the complete analysis workflow to the Nextflow workflow manager for improved parallelization, reproducibility and local execution. Recognizing the importance of insertions and deletions as well as offering novel quality control, validation and reporting features, mtDNA-Server 2 provides researchers and clinicians a new state-of-the-art analysis platform for interpreting mitochondrial genomes. mtDNA-Server 2 is available via mitoverse, our analysis platform that offers a centralized place for mtDNA analysis in the cloud. The web-service, source code and its documentation are freely accessible at https://mitoverse.i-med.ac.at.

Demand-side load forecasting in smart grids using machine learning techniques.

Electrical load forecasting remains an ongoing challenge due to various factors, such as temperature and weather, which change day by day. In this age of Big Data, efficient handling of data and obtaining valuable information from raw data is crucial. Through the use of IoT devices and smart meters, we can capture data efficiently, whereas traditional methods may struggle with data management. The proposed solution consists of two levels for forecasting. The selected subsets of data are first fed into the "Daily Consumption Electrical Networks" (DCEN) network, which provides valid input to the "Intra Load Forecasting Networks" (ILFN) network. To address overfitting issues, we use classic or conventional neural networks. This research employs a three-tier architecture, which includes the cloud layer, fog layer, and edge servers. The classical state-of-the-art prediction schemes usually employ a two-tier architecture with classical models, which can result in low learning precision and overfitting issues. The proposed approach uses more weather features that were not previously utilized to predict the load. In this study, numerous experiments were conducted and found that support vector regression outperformed other methods. The results obtained were 5.055 for mean absolute percentage error (MAPE), 0.69 for root mean square error (RMSE), 0.37 for normalized mean square error (NRMSE), 0.0072 for mean squared logarithmic error (MSLE), and 0.86 for R2 score values. The experimental findings demonstrate the effectiveness of the proposed method.