• Title/Summary/Keyword: Page generation graph


Automatic Extraction of Dependencies between Web Components and Database Resources in Java Web Applications

  • Oh, Jaewon;Ahn, Woo Hyun;Kim, Taegong
    • Journal of information and communication convergence engineering / v.17 no.2 / pp.149-160 / 2019
  • Web applications typically interact with databases. Therefore, it is crucial to understand which web components access which database resources when maintaining web apps. Existing research identifies interactions between Java web components, such as JavaServer Pages and servlets, but does not extract dependencies between the web components and database resources, such as tables and attributes. This paper proposes a dynamic analysis of Java web apps, which extracts such dependencies from a Java web app and represents them as a graph. The key responsibility of our analysis method is to identify when web components access database resources. To fulfill this responsibility, our method dynamically observes the database-related objects provided in the Java standard library using the proxy pattern, which can be applied to control access to a desired object. This study also experiments with open source web apps to verify the feasibility of the proposed method.

A Study on the Design and Implementation of System for Predicting Attack Target Based on Attack Graph (공격 그래프 기반의 공격 대상 예측 시스템 설계 및 구현에 대한 연구)

  • Kauh, Janghyuk;Lee, Dongho
    • Journal of Korea Society of Digital Industry and Information Management / v.16 no.1 / pp.79-92 / 2020
  • As the number of systems increases and the network size increases, automated attack prediction systems are urgently needed to respond to cyber attacks. In this study, we developed four types of information gathering sensors for collecting asset and vulnerability information, and developed technology to automatically generate attack graphs and predict attack targets. To improve performance, the attack graph generation method is divided into the reachability calculation process and the vulnerability assignment process. It is always kept up to date by starting calculations whenever asset and vulnerability information changes. In order to improve the accuracy of the attack target prediction, the degree of asset risk and the degree of asset reference are reflected. We refer to CVSS (Common Vulnerability Scoring System) for asset risk, and Google's PageRank algorithm for asset reference. The results of attack target prediction are displayed on the web screen and CyCOP (Cyber Common Operation Picture) to help both analysts and decision makers.

An Automatic Extraction Scheme of Dependency Relations between Web Components and Web Resources in Java Web Applications (자바 웹 앱에서 웹 컴포넌트와 웹 자원의 의존 관계를 자동으로 추출하는 기법)

  • Oh, Jaewon;Lee, Seunghyun;Kim, Ah Hyoung;Ahn, Woo Hyun
    • Journal of the Korea Institute of Information and Communication Engineering / v.22 no.3 / pp.458-470 / 2018
  • As the requirements of web apps become complex and rapidly changing, the maintenance of web apps becomes more important. However, web apps more often than not lack enough documentation to understand and maintain them. Thus, their effective maintenance requires models that represent their internal behavior occurring when they dynamically generate web pages. Previous works identify web components (such as JSPs and Servlets) as participants in the behavior but not web resources (such as images, CSS files, and JavaScript files). Moreover, they do not identify dependency relations between web components and web resources. This paper dynamically analyzes Java web apps to extract such dependency relations, which are included in our graph model for page generation. Case studies using open-source web apps show the applicability of the proposed approach.