Security Analysis and Improvement Model for Web-based Applications

Security Analysis and Improvement Model for Web-based Applications. (December 2008) Yong Wang, B.S.; M.S., Anhui Agricultural University, China; M.S., Texas A&M University Co-Chairs of Advisory Committee: Dr. William M. Lively Dr. Dick B. Simmons Today the web has become a major conduit for information. As the World Wide Web’s popularity continues to increase, information security on the web has become an increasing concern. Web information security is related to availability, confidentiality, and data integrity. According to the reports from http://www.securityfocus.com in May 2006, operating systems account for 9% vulnerability, web-based software systems account for 61% vulnerability, and other applications account for 30% vulnerability. In this dissertation, I present a security analysis model using the Markov Process Model. Risk analysis is conducted using fuzzy logic method and information entropy theory. In a web-based application system, security risk is most related to the current states in software systems and hardware systems, and independent of web application system states in the past. Therefore, the web-based applications can be approximately modeled by the Markov Process Model. The web-based applications can be conceptually expressed in the discrete states of (web_client_good; web_server_good, web_server_vulnerable, web_server_attacked, web_server_security_failed;