Title: Evaluating and Mitigating HTTPS Interception in Thai E-Banking Websites: Challenges and Solutions
Cover Date: 2025-03-10
Cover Display Date: 10 March 2025
DOI: 10.1145/3711650.3711662
Description: This study examines vulnerabilities in HTTPS implementation across 12 Thai e-banking websites, focusing on HSTS misconfigurations and the potential for SSL stripping and keylogger injection attacks. The results show that all sites are susceptible to SSL stripping due to a lack of HSTS preload, allowing interception of login credentials. Furthermore, keylogger injection after MITM and SSL stripping was effective even on sites with salted-hash passwords. To mitigate these threats, the paper proposes to use an On-Screen Keyboard (OSK) combined with salted-hash passwords. Experiments with this approach demonstrate its effectiveness in preventing keystroke logging while maintaining user experience. The research underscores the need for robust technical controls and user education to enhance the security of online banking systems against evolving cyber threats.
Citations: 0
Aggregation Type: Conference Proceeding
-------------------
Title: A NOVEL ACCESS CONTROL SCHEME WITH IMMEDIATE REVOCATION OF ACCESS PRIVILEGES FOR NAMED DATA NETWORKING
Cover Date: 2023-03-01
Cover Display Date: March 2023
DOI: 10.24507/icicel.17.03.289
Description: Named Data Networking (NDN) is a new paradigm for the future Internet, aiming for efficient content delivery using in-network cache and information-centric communication. Security is built into NDN by embedding a public key signature in each data packet to enable verification of authenticity and integrity of contents. Access control is one of the most challenging issues in NDN. Several previous studies have proposed access control models over NDN. However, there are several drawbacks, particularly access revocation issues. We present a novel access control scheme to solve the problems by achieving immediate revocation. Our access control scheme enables efficient access control for NDN based on the encryption-based access control. The prototype of our scheme has been built on NDN-CXX version 0.7.1. To compare with the previous work, the evaluation has been done by algorithm analyses and emulation techniques on the CORE emulator. From the evaluation results, the proposed mechanism can provide an immediate revocation. We have also found that our access control scheme is suitable for NDN architecture, and the computational burden for immediate revocation is less than in previous proposals.
Citations: 0
Aggregation Type: Journal
-------------------
Title: Solving MTU mismatch and broadcast overhead of NDN over link-layer networks
Cover Date: 2020-03-01
Cover Display Date: March 2020
DOI: 10.2991/IJNDC.K.200213.001
Description: Named Data Networking (NDN) has been considered as a promising Internet architecture for the future data-centric communication. In particular, NDN over link-layer networks would cut off the overheads of Transmission Control Protocol/Internet Protocol (TCP/IP), and enhance the efficiency of data distribution. However, there are two main unsolved issues for the NDN link-layer, namely broadcast overhead and Maximum Transmission Unit (MTU) mismatch. In this paper, we have therefore designed and implemented an NDN Neighborhood Discovery Protocol, named NDN-NDP, to enable a unicast data transmission over the link-layer. Furthermore, our NDN-NDP has included a negotiation mechanism to fix the MTU mismatch issue. In comparison to previously proposed NDN link-layer technologies, we can fix both MTU mismatch and broadcast overhead problems. Through emulation and experiments on a test-bed, we have also compared our NDN-NDP with the Link-layer Protocol for NDN (NDNLP), which is the most widely deployed NDNLP. From our experiments, NDN-NDP can efficiently fix MTU mismatch and broadcast overhead issue.
Citations: 0
Aggregation Type: Journal
-------------------
Title: Priority-based scheduling policy for openflow control plane
Cover Date: 2018-02-28
Cover Display Date: 28 February 2018
DOI: 10.3837/tiis.2019.02.014
Description: Software Defined Networking (SDN) is a new network paradigm, allowing administrators to manage networks through central controllers by separating control plane from data plane. So, one or more controllers must be located outside switches. However, this separation may cause delay problems between controllers and switches. In this paper, we therefore propose a Priority-based Scheduling policy for OpenFlow (PSO) to reduce the delay of some significant traffic. Our PSO is based on packet prioritization mechanisms in both OpenFlow switches and controllers. In addition, we have prototyped and experimented on PSO using a network simulator (ns-3). From the experimental results, PSO has demonstrated low delay for targeted traffic in the out-of-band control network. The targeted traffic can acquire forwarding rules with lower delay under network congestion in control links (with normalized load > 0.8), compared to traditional OpenFlow. Furthermore, PSO is helpful in the in-band control network to prioritize OpenFlow messages over data packets.
Citations: 3
Aggregation Type: Journal
-------------------
Title: Classifying peer-to-peer traffic using protocol hierarchy
Cover Date: 2014-07-30
Cover Display Date: 30 July 2014
DOI: 10.1109/ICCOINS.2014.6868391
Description: Detection and classification of peer-to-peer traffic are still difficult tasks for bandwidth shapers. First, peer-to-peer traffic is not easy to detect, and can be a serious problem. Second, some peer-to-peer applications may be desirable, while some may be undesirable. Hence, different peer-to-peer applications should also be treated differently. The previous work of peer-to-peer traffic detection still faces both problems. So, in this paper, we propose new classification mechanisms to solve the problems. Our proposed solution has been implemented by using JAVA, and experimented on a network test-bed. Experimental results have demonstrated that our extended classification mechanism can improve the peer-to-peer traffic detection and classification.
Citations: 1
Aggregation Type: Conference Proceeding
-------------------
Title: A novel challenge & response scheme against selective forwarding attacks in MANETs
Cover Date: 2013-12-01
Cover Display Date: 2013
DOI: 10.1109/ICUFN.2013.6614806
Description: A selective forwarding attack is a notorious security problem in MANET environments. The attacking method can seriously cause a failure in MANET transmission. So, several previous schemes have proposed to solve the problem. However, all of the previous schemes still have some drawbacks. Hence, in this paper, we have designed a new challenge and response scheme to detect the selective forwarding attack. The prototype of our design has also been implemented on CORE emulator, and been experimented on. The experimental results have demonstrated that our new scheme can effectively identify the selective forwarding attacker. © 2013 IEEE.
Citations: 1
Aggregation Type: Conference Proceeding
-------------------
Title: A fast and efficient authentication scheme for WAVE unicast services in vehicular networks
Cover Date: 2013-12-01
Cover Display Date: 2013
DOI: 10.1109/ICUFN.2013.6614819
Description: Recently, there have been several potential attacks (e.g., bogus message, eavesdropping, source modification, invasion of privacy, and replays) on Wireless Access in Vehicular Environment (WAVE). Several solutions have been previously proposed. However, most of them are based on Public Key Infrastructure (PKI) and authentication in broadcast services. The PKI can cause cryptographic overhead and the management difficulties of public key certificates. Also, the broadcast services would incur network congestion. Hence, this paper proposes a fast and efficient authentication scheme for WAVE unicast services to reduce the network congestion and the PKI overhead between vehicles and Road Side Units (RSU). Our scheme is based on a Pairwise Transient Key (PTK) procedure with few extra authentication steps. Performance evaluation of the new scheme has been experimented on a network simulator (NS-2). The experimental results have demonstrated the favorable features of the new scheme. © 2013 IEEE.
Citations: 2
Aggregation Type: Conference Proceeding
-------------------
Title: A novel authentication scheme for V2I communication based on WAVE unicast services
Cover Date: 2013-12-01
Cover Display Date: 2013
DOI: 10.1155/2013/827084
Description: One of the most challenging issues in vehicular network designs is security. Particularly, there have been several potential attacks (e.g., message alteration, eavesdropping, privacy violation, and replay) on Vehicle to Infrastructure (V2I) communication. Most previous studies have been based on Public Key Infrastructure (PKI) and authentication in broadcast services. By relying on the PKI solutions, cryptographic overhead and the management difficulties of public key certificates can be problematic. Furthermore, broadcast services can cause network flooding. Hence, this paper proposes a novel authentication scheme based on WAVE unicast services to reduce the PKI overhead between vehicles and Road Side Units (RSU). The new scheme is based on Pairwise Transient Key (PTK) procedures with a few extra authentication steps. To evaluate the new scheme, we have experimented on a Network Simulator (NS-2) under both city and highway scenarios. The experimental results have demonstrated that our new scheme introduces only small WAVE Short Message (WSM) delay. The new scheme is also flexible to use in various scenarios under different road situations. © 2013 Atthapol Suwannasa et al.
Citations: 2
Aggregation Type: Journal
-------------------
Title: Cross-layer optimization of Vehicle-to-Vehicle video streaming for overtaking maneuver assistance systems
Cover Date: 2013-12-01
Cover Display Date: 2013
DOI: 10.1109/ICUFN.2013.6614839
Description: Overtaking maneuvers on roads without a clear view can cause serious accidents. Hence, real-time video streaming deliveries between two vehicles over Vehicular Ad Hoc Networks (VANETs) have been proposed as an overtaking maneuver assistance system. The system is also known as a V2V see-through system since it sends real-time video scenes seen by a front vehicle to the driver of the back vehicle to help him decide on an overtaking maneuver. However, sending real-time video streaming over VANET is still problematic due to delay and packet loss. Several solutions have previously been proposed to fix the problems, but all of them still have some drawbacks. So, we propose in this paper a cross-layer optimization of video streams (video frame skipping, video transcoding and frame rate reduction) for overtaking environments. The proposed approach is based on IEEE 802.11 EDCA. Experimental results on our approach using OMNET++ have demonstrated some favorable points, such as bandwidth waste avoidance and acceptable video latency. © 2013 IEEE.
Citations: 6
Aggregation Type: Conference Proceeding
-------------------
Title: Towards a new design of firewall: Anomaly elimination and fast verifying of firewall rules
Cover Date: 2013-09-09
Cover Display Date: 2013
DOI: 10.1109/JCSSE.2013.6567326
Description: Network security is usually protected by a firewall, which checks in-out packets against a set of defined policies or rules. Hence, the overall performance of the firewall generally depends on its rule management. For example, the performance can be decreased when there are firewall rule anomalies. The anomalies may happen when two sets of firewall rules overlap or their decision parts are both an acceptance and a denial simultaneously. In this paper, we propose a new paradigm of the firewall design, consisting of two parts: (1) Single Domain Decision firewall (SDD) - a new firewall rule management policy that is certainly conflict-free, and (2) the Binary Tree Firewall (BTF) - a data structure and an algorithm to quickly check the firewall rules. Experimental results have indicated that the new design can fix conflicting anomalies and increase the speed of firewall rule checking from O(N^2) to O(log_2 N). © 2013 IEEE.
Citations: 17
Aggregation Type: Conference Proceeding
-------------------
Title: A lightweight agent-based egress NAC on wireless LAN
Cover Date: 2012-10-30
Cover Display Date: 2012
DOI: 10.1109/ICCISci.2012.6297103
Description: An egress Network Access Control (NAC) is widely deployed to control users in a wireless network. However, Medium Access Control (MAC) address spoofing is a technique that can easily bypass the egress NAC. So, this vulnerability is a big problem in almost all NAC systems around the world. To solve this problem, we propose a Visa mechanism to enhance the egress NAC authentication. The mechanism needs only a JAVA applet to run without manually installing any agent-program. To evaluate our new mechanism, we have built a prototyped program, and experiment on a wireless test-bed. The performance evaluation has demonstrated favorable features of our new Visa mechanism. © 2012 IEEE.
Citations: 0
Aggregation Type: Conference Proceeding
-------------------
Title: Simple and lightweight HTTPS enforcement to protect against SSL striping attack
Cover Date: 2012-10-17
Cover Display Date: 2012
DOI: 10.1109/CICSyN.2012.50
Description: SSL is a protocol for secured traffic connections. By using the SSL, HTTPS has been designed to prevent eavesdroppers and malicious users from web application services. However, man-in-the-middle attack techniques based on stripping and sniffing the HTTPS connections are still possible, causing security problems on web applications. Several script-kiddie tools to launch such attacks are easy to find and available on the Internet. In this paper, we therefore proposed a solution to protect against SSL striping attack. By enforcing a connection to HTTPS, our techniques determine the web URL and enforce the communication to HTTPS for protecting against the SSL striping attack. The experimental results on a test-bed have demonstrated the effectiveness and efficiency of our solution. © 2012 IEEE.
Citations: 14
Aggregation Type: Conference Proceeding
-------------------
Title: Two-state peer-to-peer flow detection algorithm
Cover Date: 2012-10-02
Cover Display Date: 2012
DOI: 10.1109/ECTICon.2012.6254342
Description: Peer-to-peer flow detection algorithms have been studied for several years. Port-based classification, regular expression, graphlet and various machine learning based algorithms have been proposed as solutions. Unfortunately, all previous algorithms have failed in various aspects, especially for the encrypted peer-to-peer traffic. In this paper, we present a new algorithm to deliver more effectiveness. We have also prototyped our algorithm and evaluated it on a test-bed. The performance evaluation has demonstrated the better effectiveness of our algorithm in comparison to the previous ones. © 2012 IEEE.
Citations: 1
Aggregation Type: Conference Proceeding
-------------------
Title: An enhancement of the SDP Security Description (SDES) for key protection
Cover Date: 2012-10-02
Cover Display Date: 2012
DOI: 10.1109/ECTICon.2012.6254320
Description: To provide VoIP traffic with message authentication and confidentiality, Secure Real Time Protocol (SRTP) and a media keying protocol are needed. SDP Security Description (SDES) is the most widely deployed keying protocol. It also needs Transport Layer Secure (TLS) over the VoIP signal protocol (SIP), known as SIPS. However, from several previous studies, SIPS can be compromised; then cause further problems on SRTP and SDES. So, in this paper, we propose a technique to enhance the SDES protocol to be secure even in the SIP environment without TLS. © 2012 IEEE.
Citations: 11
Aggregation Type: Conference Proceeding
-------------------
Title: A design of egress NAC using an authentication visa checking mechanism to protect against MAC address spoofing attacks
Cover Date: 2011-08-12
Cover Display Date: 2011
DOI: 10.1109/ECTICON.2011.5947832
Description: An egress Network Access Controller (NAC) is important to authenticate internal users before accessing external networks (such as browsing the Internet). It is generally deployed at most Wi-Fi hotspots. It can be also used to control wired access on any open Ethernet jacks (such as business centers or hotel rooms). However, a MAC address spoofing attack is a very simple but powerful technique to bypass the egress NAC. By spoofing their MAC Address to a legitimate user's, attackers can easily access network resources under that user's permission. There have been several previous proposals to solve this problem. However, all of them have been proven to be ineffective. In this paper, we therefore propose a new solution using an authentication visa checking mechanism. From experimental results on a test-bed, our new egress NAC has shown its effectiveness and efficiency in protecting against the MAC address spoofing attack on both wireless and wired network environments. © 2011 IEEE.
Citations: 2
Aggregation Type: Conference Proceeding
-------------------
Title: A new design of bandwidth shaper with an intra-protocol fairness
Cover Date: 2011-08-12
Cover Display Date: 2011
DOI: 10.1109/ECTICON.2011.5947833
Description: In order to allocate proper network bandwidth in an organization, a bandwidth shaper is generally deployed. It helps ensure that the most significant applications have enough bandwidth shares, and users fairly share the bandwidth. However, with the existence of multi-session download accelerator software (such as IDM, Flashget), some users can cheat the bandwidth share even after using the bandwidth shaper. This problem is known as an intra-protocol fairness problem. So, in this paper, we have proposed to improve the bandwidth shaper by two new mechanisms, namely P2P detection and intra-protocol fairness management. Prototyped software has also been implemented and evaluated. Our experimental results on a test-bed have demonstrated the effectiveness of our design to improve the bandwidth shaper. © 2011 IEEE.
Citations: 0
Aggregation Type: Conference Proceeding
-------------------
Title: Performance comparison of multicast-encouraging explicit rate adjustment and packet-pair layered multicast
Cover Date: 2008-10-06
Cover Display Date: 2008
DOI: 10.1109/ECTICON.2008.4600452
Description: Multicast-encouraging Explicit Rate Adjustment (MeERA) and Packet-pair receiver-driven cumulative Layer Multicast (PLM) are two of the recently proposed receiver-driven layered multicast congestion control protocols. Both have used explicit rate adjustment techniques in detecting and controlling congestion. Both have also been evaluated by their authors and claim a few advances. However, there is no known study that evaluates these protocols in comparison. In this work, we evaluate both of them in comparison using criteria such as responsiveness, the efficiency of network utilization, fairness, TCP-friendliness, fast convergence, coordination of receivers behind the same bottleneck link, and feasibility in terms of implementation. Performance evaluation is done using a network simulator (ns2). ©2008 IEEE.
Citations: 0
Aggregation Type: Conference Proceeding
-------------------
Title: Multi-rate multicast congestion control by explicit rate adjustment and multicast-encouraging TCP-friendliness
Cover Date: 2007-12-01
Cover Display Date: 2007
DOI: 10.1109/ICON.2007.4444069
Description: Strict TCP-friendliness is a problematic issue that discourages multicast deployment on the Internet. In this paper, we therefore propose a new design of Multi-Rate Multicast Congestion Control (MR-MCC) by revising our previous proposed MR-MCC protocol, namely Explicit Rate Adjustment (ERA). In the new design, a multicast-supportive TCP-friendliness bandwidth allocation is used at intermediate nodes (routers) to motivate multicast deployment by giving more bandwidth to ERA without starving TCP. At the end node, an explicit reception rate adjustment algorithm is used. The receiver adjusts its reception rates according to the network conditions using Packet-pair Probe (PP). The implementation of our new ERA is done on the network simulator 2 (ns2). We demonstrate via simulations that the new ERA could provide responsiveness, fairness and the motivation for multicast deployment. © 2007 IEEE.
Citations: 2
Aggregation Type: Conference Proceeding
-------------------
Title: A web pornography patrol system based on hierarchical image filtering techniques
Cover Date: 2006-12-01
Cover Display Date: 2006
DOI: 10.2991/jcis.2006.268
Description: Due to the flood of pornographic web sites on the internet, content-based web filtering has become an important technique to detect and filter inappropriate information on the web. This is because pornographic web sites contain many sexually oriented texts, images, and other information that can be helpful to filter them. In this paper, we build and examine a system to filter web pornography based on image content. Our system consists of three main processes: (i) normalized R/G ratio, (ii) histogram, and (iii) human composition matrix (HCM) based on skin detection. The first process is using the pixel ratios (red and green color channels) for image filtering. The second process, histogram analysis, is to estimate frequency intensities of an image. If an image falls within the range of training set results, it is likely to be a pornographic image. The last process is HCM based on human skin detection. The experimental results show an effective accuracy after testing. This would demonstrate that our hierarchical image filtering techniques can achieve substantial improvements.
Citations: 2
Aggregation Type: Conference Proceeding
-------------------
Title: Content-based text classifiers for pornographic web filtering
Cover Date: 2006-01-01
Cover Display Date: 2006
DOI: 10.1109/ICSMC.2006.384926
Description: Due to the flood of pornographic web sites on the internet, effective web filtering systems are essential. Web filtering based on content has become one of the important techniques to handle and filter inappropriate information on the web. We examine two machine learning algorithms (Support Vector Machines and Naïve Bayes) for pornographic web filtering based on text content. We then focus initially on Thai-language and English-language web sites. In this paper, we aim to investigate whether machine learning algorithms are suitable for web sites classification. The empirical results show that the classifier based Support Vector Machines are more effective for pornographic web filtering than Naïve Bayes classifier after testing, especially an effectiveness for the over-blocking problem. ©2006 IEEE.
Citations: 17
Aggregation Type: Conference Proceeding
-------------------
Title: Explicit rate adjustment for multirate multicast congestion control using TCP throughput equation and packet-pair probe
Cover Date: 2003-01-01
Cover Display Date: 2003
DOI: 10.1109/APCC.2003.1274469
Description: The multirate multicast congestion control (MR-MCC) scheme has been considered as a suitable scheme for multicasting for a very large heterogeneous group of receivers. In this work, we propose a new design of MR-MCC using explicit rate adjustment based on TCP throughput equation and packet-pair probe. The design goals are: scalability, responsiveness, fast convergence, fairness (including interprotocol fairness, intraprotocol fairness, intrasession fairness and TCP-friendliness) and feasibility. We have implemented our design into a network simulator (ns2) and undertake a performance evaluation to investigate it. The results show that our protocol holds good properties of the design goal.
Citations: 1
Aggregation Type: Conference Proceeding
-------------------
Title: Explicit rate adjustment: An efficient congestion control protocol for layered multicast
Cover Date: 2003-01-01
Cover Display Date: 2003
DOI: 10.1109/icon.2003.1266187
Description: In this paper, we introduce Explicit Rate Adjustment (ERA), a new Multi-rate Multicast Congestion Control (MR-MCC) algorithm. Via ERA, the receiver explicitly adjusts its reception rate according to the network conditions using the TCP throughput equation and Packet-pair Probe. The design goals are responsiveness, efficiency in network utilization, scalability and fairness (including inter-protocol fairness, intra-protocol fairness, intra-session fairness and TCP-friendliness) as well as simple implementation. We have built ERA into a network simulator (ns2) and demonstrate via simulations that the goals are reached. ©2003 IEEE.
Citations: 7
Aggregation Type: Conference Proceeding
-------------------