Web Application System Research Articles

웹 응용 시스템 개발을 위한 보안을 고려한 통합 분석·설계 방법론 개발 - Oracle11g를 중심으로 -

응용 시스템 개발 과정에 있어서 중요하고 핵심을 이루는 작업은 분석과 설계 작업이며 아울러 대부분의 응용 시스템은 데이터베이스 기반으로 구축된다. 또한, IT 시스템들 간 상호 연결이 증가되면서 응용 시스템들은 외부공격에 쉽게 노출되어 지고 있기 때문에 보안과 관련된 처리 과정 역시 중요하다. 보안은 시스템에서 많은 부분과 상호작용을 하는 복잡한 비기능적 요구사항이다. 하지만 이러한 보안은 대부분 개발 마지막 과정에서 고려하기 때문에 보안에 취약한 응용 시스템이 개발될 가능성이 매우 높다. 따라서 개발 초기에 보안을 반영한 분석 및 설계 과정이 매우 중요하다. J2EE는 웹 응용 시스템을 위한 보안 방안을 제공하고, 아울러 객체-관계형 데이터베이스도 보안을 위하여 역할기반 접근제어를 지원하고 있지만 객체-관계형 데이터베이스 및 J2EE의 역할기반 접근제어를 활용하는, 요구사항 수집부터 구현까지 개발 단계 전체에 걸친 보안을 고려한 일관된 개발방법론은 전무한 실정이다. 따라서 본 논문에서는 보안 요구사항을 요구사항 수집부터 분석 및 설계 그리고 마지막 구현 단계까지 반영하여 J2EE 기반의 웹 응용 시스템을 개발하기 위한, 보안을 고려한 일관된 통합 분석 설계 방법론을 제안한다. In the development process of application systems, the most important works are analysis and design. Most of the application systems are implemented on database system. So, database design is important. Also, IT System are confronted with more and more attacks by an increase interconnections between IT systems. Therefore security-related processes belong to a very important process. Security is a complex non-functional requirement that can interaction of many parts in the system. But Security is considered in the final stages of development. Therefore, Their increases the potential for the final product to contain vulnerabilities. Accordingly, Early in development related to security analysis and design process is very important. J2EE gives a solution based on RBAC((Role Based Access Control) for security and object-relational database also has RBAC for security. But there is not a object-oriented analysis and design methodology using RBAC of J2EE and object-relational database for security. In this paper, the unified object-oriented analysis and design methodology is developed for security-critical web application systems based on J2EE and object-relational database. We used UMLsec and RBAC of object-relational database and J2EE for this methodology.

Seven Phrase Penetration Testing Model

in penetration testing process a simple way to test a system is held by primary analysis and formal methods, Based on the observation that most security flaws are triggered due to a flawed interaction with the environment(12). Herein have describe an approach for testing web application and database integration system for possible security flaws. This approach is to be included in a dynamic model which have the aim to bind the complex and lengthy procedure of penetration testing process. Proposed approach is prepared a model using seven different Phases called as Seven Phase Penetration Testing Model (SPPT-Model). It simplifies the complex penetration testing procedure and allow penetration tester to evaluate accurately what faults to be exist in the target system. The dynamic model of penetration testing can be implementing freely and efficiently on almost all type of applications. This scheme can be used to classify informatics, analytical, complex, logical, well-known and common security flaws of web application.

SQLIA detection and prevention approach for RFID systems

While SQL injection attacks have been plaguing web application systems for years, the possibility of them affecting RFID systems was only identified very recently. However, very little work exists to mitigate this serious security threat to RFID-enabled enterprise systems. At the same time, the drop in RFID tag prices coupled with the increase in storage capacity of the tags have motivated users to store more and more data on the tags for ease of access. This in turn has increased the ability that attackers have of leveraging the tags to try and mount SQLIA based malware attacks on RFID systems thereby increasing the potential threat that RFID-enabled systems pose to the enterprise systems. In this paper, we propose a detection and prevention method from RFID tag-born SQLIA attacks. We have tested all possible types of dynamic queries that may be generated in RFID systems with all possible types of attacks that can be mounted on those systems. We present an analysis and evaluation of the proposed approach to demonstrate its effectiveness in mitigating SQLIA attack.

Balanced partition scheme for distributed caching systems to solve load imbalance problems

Distributed caching system is usually used to alleviate database load in constructing an enterprise web application system. It helps to speed up dynamic web applications. In order to improve the utilization of caching cluster, an appropriate data partitioning and placement scheme is usually applied. This paper proposes a Balanced Partition Scheme (BPS) to solve load imbalance problems and highly skewed data requests in web application. In the BPS, which is based on consistent hash algorithm, the partition and placement schemes are designed respectively to guarantee a system's load balance even when the requests of this system are highly skewed. The range of hash function is divided into several groups equally and those groups will be relocated when caching nodes are overloaded. The implementation and evaluation of the BPS is also presented in this paper. The effectiveness of the BPS has been verified in the simulation experiment and the BPS can successfully solve load imbalance problems when faced with a large number of get/set requests.

The SQL Injection Vulnerability Detection of the Web Application

the SQL injection is one of the common security vulnerabilities of the Web application. This paper studies how to find out the possible SQL injection vulnerabilities. The scheme this paper put forward is the technology of black-box test. The main steps are that firstly construct specific user input in the test period of the Web application system, and inject it into the application system, then get the vulnerability detection report according to the analysis of the test logs.

A Security Threats Identification and Analysis Method Based on Attack Graph

Business system's security management needs to assess the system security situation by using network attack graph.It also needs to analyze the threats exploiting security vulnerabilities.Current security threat identification and analysis methods cannot handle the upper two problems very well at the same time.It cannot handle uncertainties occurred in the process of vulnerability exploiting threat analysis,either.A security threat identification and analysis method is proposed in this paper.The network attack graph is defined via Colored Petri Net(CPN) and an algorithm named NAGG is proposed to construct network attack graph based on the simulation results.We also give an algorithm named NAGD to simultaneously decompose network attack graph into several sub-attack-graphs,each corresponding to a specific vulnerability exploiting threat.The graph is loop-free and its longest attack path is limited to a certain predefined value.In order to prioritize all security threats for disposal,a vulnerability exploiting threat evaluating method named VETE is given to convert sub-attack graph into uncertain inference rule set.This method uses D-S evidence inference engine to calculate threat degree of each threat corresponding to the sub-attack-graph.At last,a typical Web application system is used as an example to validate the effectiveness of the proposed method.

대기행렬 페트리넷을 이용한 웹서비스 시스템 분석 방법

소프트웨어 시스템 개발의 초기 단계에서 시스템의 처리 시간이나 비용을 예측하는 것이 매우 중요하다는 것은 널리 알려진 사실이다. 많은 논문에 처리 시간을 예측하는 페트리넷 방법이 소개된 바 있다. 한편, 컴퓨터 과학 분야의 다른 영역에서는 응용 시스템 개발의 효율성을 증진시키는 방법으로 웹서비스가 깊이 있게 연구되고 있다. 이러한 두 가지 현상을 고려하여, 본 논문은 웹 서비스로 구성된 응용 소프트웨어 시스템의 처리시간을 분석하는 페트리넷 방법을 소개한다. 웹 응용 시스템의 처리시간을 어떤 상수로 표현하기는 대단히 어렵다. 따라서 본 논문은 대기행렬을 갖는 페트리넷으로 웹 응용 시스템을 표현할 것을 제안한다. 본 논문의 핵심은 이러한 대기행렬을 갖는 페트리넷의 분석 방법을 소개한 것이다. It is well known that estimating the system processing time and cost at the early stage of the software system development is very important, and many Petri net methods of analysing processing time have been published. In another field of computer science, web service has been widely studied as a key of an efficient application software development method. Considering these two phenomena, this paper introduces a Petri net method of analysing the process time of application software consisting of web services. It is not plausible to represent the process time of a web application system as a constant. Therefore, we propose to use "Petri net with queues" to represent a web application system. The main contribution of this paper is to introduce a method of analysing a "Petri net with queues".

SU‐D‐214‐05: RTMetrix: Web‐Based Dashboard for Automated Data Mining of Record and Verify (R&V) Systems for Efficiency and Quality

Purpose: Record and verify (R&V) systems are used by most radiation oncology practices for storing the technical treatment planning and delivery data for radiation therapy patients. We have developed an automated quality assurance (QA) method with web‐based dashboards and automated quality and efficiency analysis of the technical planning and treatment delivery process. Methods: Custom software was developed (RTMetrix) to mine the R&V database and provide real‐time analysis of treatment planning and delivery data. RTMetrix was developed using object‐oriented web development software along with a relational database for storing supplemental data associated with the R&V database. It is a read‐only web application system using the R&V data associated with each patient to reconstruct clinical workflows and assess quality of the treatment delivery process. Three main web‐based dashboards with a notification messaging system have been initially developed in areas of treatment delivery, image‐ guided radiation therapy (IGRT) and physics‐based QA tools. Results: The workflow using RTMetrix is straightforward for physicians and physicists by providing the information in standard web browsers. Using RTMetrix, a web query is provided to calculate the real‐time statistics for each physicianˈs IGRT review status including the time taken to perform the review. Another web query in the system provides the average room time over any time period including one day to 10 years. An example of using room time review during the past year revealed that the use of breast patients and pediatric patients required more than 15‐minute treatment times. The final dashboard is the automated QA of the patients treated during the clinic each day. This dashboard provides an additional daily audit of the R&V system using AAPM TG‐40 chart checking rules. Conclusions: RTMetrix provides a platform for easily mining the R&V system for quality and efficiency analysis of radiation oncology departments.

An Approach for Estimation Reliability Model based Web Application Systems

Structured retrieval of relevant data or information, based upon the user query is an essential factor while retrieving and traversing information resources on the World Wide Web. When the information is retrieved from the web, tags play a vital role to identify the relevant data and thereby providing the content to the user. Here we are proposing an approach in which the commonsense knowledge base will provide the gathered relevant information which is requested by the user query. To retrieve data from web, the use of commonsense knowledge will increase the accuracy of the result. When once the information is generated to the user by the common sense knowledge base, it requires evaluating for its quality and correctness. For this, a quantitative reliability estimation approach is explored. A general comparison between the existing approaches and the proposed approach has been also done. General Terms Commonsense knowledge Base, Tags, Reliability Estimation

Type-2 fuzzy description logic

Description logics (DLs) are widely employed in recent semantic web application systems. However, classical description logics are limited when dealing with imprecise concepts and roles, thus providing the motivation for this work. In this paper, we present a type-2 fuzzy attributive concept language with complements (ALC) and provide its knowledge representation and reasoning algorithms. We also propose type-2 fuzzy web ontology language (OWL) to build a fuzzy ontology based on type-2 fuzzy ALC and analyze the soundness, completeness, and complexity of the reasoning algorithms. Compared to type-1 fuzzy ALC, type-2 fuzzy ALC can describe imprecise knowledge more meticulously by using the membership degree interval. We implement a semantic search engine based on type-2 fuzzy ALC and carry out experiments on real data to test its performance. The results show that the type-2 fuzzy ALC can improve the precision and increase the number of relevant hits for imprecise information searches.

Centralized Management of Biology and Medical Science Experiments using Web Application System

Centralized Management of Biology and Medical Science Experiments using Web Application System

Distributed Cipher Services Using Object Activation

As the World Wide Web grows rapidly on a daily basis, the number of new computer attacks is also growing at a matching rate. It is increasing by development of information and communication technology that quantity of transmitted encryption data through network. We have many problems; it is caused by technical development and service increase of user requests. It is required that create safe and reliable encryption keys of web contents. As a result, service quality comes to be low because of increased network traffic and system overload. We need a system and also that should be improved in service quality to process data in massive contents encipherment system. This paper describes a new approach for design and implementation of distributed encryption key processing web application system. It is based on object activation, and can be used for saving serviceable objects to storage and reduce memory resource requested by clients.

Validate Conference Paper using Dice Coefficient

<!-- /* Font Definitions */ @font-face {font-family:SimSun; panose-1:2 1 6 0 3 1 1 1 1 1; mso-font-alt:??; mso-font-charset:134; mso-generic-font-family:auto; mso-font-format:other; mso-font-pitch:variable; mso-font-signature:1 135135232 16 0 262144 0;} @font-face {font-family:

Web Application System with Synthetic Aperture Rader Image Processing for Education

Remotely sensed images observed by synthetic aperture radar (SAR) become to be more significant for a variety of purposes. It is necessary to process and focus SAR images at a user's side for required precision. This paper presents a concept, a system structure, and an implementation method for a web application system with a SAR image processing for education. The system employs Ajax technology in consideration of current computer and network systems. This system has three software components, a SAR server, an HTTP server, and a web browser in each terminal computer. The SAR server is the main component for managing the SAR database and processing all SAR data sets. The range-Doppler method is adopted as a focusing algorithm. Three displaying measures are newly introduced since the SAR images are sets of mass complex number pixels. Operation of SAR image, sample processed images are shown to exhibit actual examples of processing ALOS PALSAR (Advanced Land Observing Satellite Phased Array type L-band SAR) data. From step-by-step processing results, the proposed web application system was demonstrated to provide a useful graphical user interface (GUI) and to produce the SAR image with adjusted parameters by using dialogs.

인터넷 쇼핑몰 구매경험자들의 고객만족도에 영향을 미치는 요인

The base of an internet shopping mall is web application system. However, this mall is a market place where selling and buying of products and services take place. Therefore, it should be considered both a commerce function and a web site design function. The commerce function and the web site design function are considered as variables that influence trust and familiarity. This trust and familiarity are considered as the main factors that influence satisfaction of shoppers of internet shopping malls. Analysis indicates that the web site design function significantly influences both trust and familiarity, but the commerce function significantly influence only familiarity negatively. Also trust and familiarity significantly influence user satisfaction.

분산 암호화를 이용한 웹 어플리케이션 보안

인터넷 사용자의 증가와 인터넷 쇼핑몰의 대중화로 인해 사용자가 요구하는 서비스의 양이 증가하고 있다. 이로 인해 웹 어플리케이션 시스템에는 서버의 과부하로 인한 성능 저하뿐만 아니라, 보안과 관련하여 많은 문제들이 발생한다. 또한 웹 어플리케이션 시스템에서는 클라이언트 요청에 의한 암호화가 필요하고 사용자를 인증하기 위한 공개키를 제공한다. 이때 발생하는 보안상 취약점을 해결하기 위한 방법으로 전달되는 메시지의 암호화와 공개키의 관리가 필요하다. 본 논문은 웹 어플리케이션 시스템에서 기밀성 및 인증을 제공함과 동시에, 다수의 클라이언트 접속 시 데이터의 암호화 처리로 인한 서버의 병목현상으로 인한 성능저하를 방지하고 서비스 질을 향상시키기 위한 방법으로 분산 암호화 시스템을 제안한다. 이러한 분산 암호화 시스템을 구현하기 위하여 자바의 객체 활성화 기술을 적용하였으며, 일부 분산서버의 다운타임에도 지속적인 서비스를 제공할 수 있도록 하였다. Quantity of encrypted data that transmitted through the network are increasing by development of encipherment technology. We have many problems; it is caused by technical development and service increase of user requests. It is necessary that create a many encryption key in one web application system. As a result, service quality comes to be low because of increased network traffic and system overload. There must be a system. That should be improved in secure service quality to process data. This paper describes a new approach for design and implementation of distributed encryption key processing for web application system. In this paper, it is based on distributed encipherment key, for the purpose of confidentially, integrity and authentication. It can prevent system degradation from server's data bottleneck and can improve service quality. For distributed encipherment system, we use java object activation technology. It can service while some distributed server are fail.

Shadow netWorkspace: An open source intranet for learning communities

Shadow netWorkspace (SNS) is a web application system that allows a school or any type of community to establish an intranet with network workspaces for all members and groups. The goal of SNS has been to make it easy for schools and other educational organizations to provide network services in support of implementing a learning community. SNS is open source software using the GNU General Public License (GPL). The software is freely available, and can be downloaded and distributed under the terms of the GPL. SNS is an ongoing project and this instructional development report describes the system, some ways that it is being used, and some key lessons learned from the development and initial deployment of SNS.

천문학 카탈로그 자료의 통합검색 DB 구축

We collected eleven large astronomical catalogues, which include 2MASS, USNO B1.0, GSC 2 catalogues and so on. Most of these catalogues are the frequently used by astronomers for all sorts of applications. But the researches are faced with the problem of accessing these databases because these catalogues contain from tens millions up to thousands of millions of records. So we developed a web application system to manage these large catalogues, the main purpose of the web application is to allow a powerful and efficient querying activity on these catalogues through internet by using a simple web interface. User could retrieve the query result in variety of formats including plain text, HTML, Microsoft Excel format (XLS), and VOTable. Furthermore, user also could display and analyze result graphically by using a powerful interactive visualization tools named VOPlot which was developed by the Virtual Observatory-India (VOI) project.

Electronic Clinical Path System Based on Semistructured Data Model Using Personal Digital Assistant for Onsite Access

Clinical Paths (Paths) have been introduced by different hospitals for patient care management. An Electronic Clinical Path (ECP) with onsite access provision seems to improve the efficiency of medical staffs because they can share vast medical information about patients at a time and also can reuse accumulated data easily, which is impossible with paper-based Path. Data model is the basis for implementing ECP. However, there is no established model for ECP. The purpose of this study is to introduce a model for ECP and implement an ECP with onsite access system. We introduced a Semistructured Data Model (SSDM) for ECP, and implemented a Web application system based on this model using Personal Digital Assistant (PDA) as inputting device. Our system functioned as expected with wireless LAN, and users handled the data on bedside using PDA. By introducing SSDM, we showed the correspondence between schema of Paths and implementation of ECP.

Process modeling across the web information infrastructure

AbstractWeb‐based open source software development (OSSD) project communities provide interesting and unique opportunities for software process modeling and simulation. While most studies focus on analyzing processes in a single organization, we focus on modeling software development processes both within and across three distinct but related OSSD project communities: Mozilla, a Web artifact consumer; the Apache HTTP server that handles the transactions of Web artifacts to consumers such as the Mozilla browser; and NetBeans, a Java‐based integrated development environment (IDE) for creating Web artifacts and application systems. In this article, we look at the process relationships within and between these communities as components of a Web information infrastructure. We employ expressive and comparative techniques for modeling such processes that facilitate and enhance understanding of the software development techniques utilized by their respective communities and the collective infrastructure in creating them. Copyright © 2005 John Wiley &amp; Sons, Ltd.