NANO SCIENTIFIC RESEARCH CENTRE PVT.LTD., AMEERPET, HYD
WWW.NSRCNANO.COM, 09640648777, 09652926926
DOT NET PROJECTS LIST--2013
DOT NET 2013 IEEE PAPERS
Revisiting Defenses against Large-Scale Online Password Guessing Attacks
Abstract:
Brute-force and dictionary attacks on password-only remote login services are now widespread and ever increasing. Enabling convenient login for legitimate users while preventing such attacks is a difficult problem. Automated Turing Tests (ATTs) continue to be an effective, easy-to-deploy approach to identify automated malicious login attempts with reasonable cost of inconvenience to users. In this paper, we discuss the inadequacy of existing and proposed login protocols designed to address large-scale online dictionary attacks (e.g., from a botnet of hundreds of thousands of nodes). We propose a new Password Guessing Resistant Protocol (PGRP), derived upon revisiting prior proposals designed to restrict such attacks. While PGRP limits the total number of login attempts from unknown remote hosts to as low as a single attempt per username, legitimate users in most cases (e.g., when attempts are made from known, frequently-used machines) can make several failed login attempts before being challenged with an ATT. We analyze the performance of PGRP with two real-world data sets and find it more promising than existing proposals.
Existing System:
Several other techniques are deployed in practice, including: allowing login attempts without ATTs from a different machine once a certain number of failed attempts have occurred from a given machine; allowing more attempts without ATTs after a time-out period; and time-limited account locking. Many existing techniques and proposals involve ATTs, with the underlying assumption that these challenges are sufficiently difficult for bots and easy for most people. However, users increasingly dislike ATTs, which are perceived as an (unnecessary) extra step; and because successful attacks now break ATTs without human solvers, ATTs that are perceived to be harder for bots are being deployed, which adds to that inconvenience.
Proposed System:
The proposal in the present paper, called Password Guessing Resistant Protocol (PGRP), significantly improves the security-usability trade-off, and can be deployed more generally, beyond browser-based authentication. PGRP builds on earlier ATT-based login proposals. In particular, to limit attackers in control of a large botnet (e.g., comprising hundreds of thousands of bots), PGRP enforces ATTs after a few (e.g., three) failed login attempts are made from unknown machines. On the other hand, PGRP allows a high number (e.g., 30) of failed attempts from known machines without answering any ATTs. Known machines are defined as those from which a successful login has occurred within a fixed period of time. They are identified either by their IP addresses, saved on the login server as a white list, or by cookies stored on client machines. A white-listed IP address and/or client cookie expires after a certain time.
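The following is an added example that models the PGRP login decision described above; it is not the project's ASP.NET/C# code and not the paper's own implementation. The two thresholds (3 failures from unknown machines, 30 from known machines) are the example values given in the text; the 30-day lifetime, the cookie layout (username, expiry and an HMAC over both), the counter names, and the choice to reset both failure counters on a successful login are assumptions of this example. All IP addresses and the clock values in the walk-through are constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Thresholds from the text's example values; the lifetime is this example's assumption.
K2_UNKNOWN_FAILS = 3             # failures tolerated per username from unknown machines before an ATT
K1_KNOWN_FAILS = 30              # failures tolerated from a known machine before an ATT
T1_KNOWN_LIFETIME = 30 * 86400   # seconds a whitelist entry or cookie stays valid (assumed 30 days)


@dataclass
class Decision:
    status: str                   # "SUCCESS", "FAIL" or "ATT_REQUIRED"
    cookie: Optional[str] = None  # issued on success; proves "known machine" from any IP


class PGRPServer:
    def __init__(self, users, cookie_key=None):
        # username -> password. Plaintext only so the example runs stand-alone;
        # a real server stores salted password hashes.
        self.users = dict(users)
        self.cookie_key = cookie_key or secrets.token_bytes(32)
        self.whitelist = {}     # (src_ip, username) -> time the "known" status expires
        self.fail_known = {}    # (src_ip, username) -> failures while known (limit K1)
        self.fail_unknown = {}  # username -> failures from all unknown machines (limit K2)

    # Cookie layout (this example's own): "username|expiry|HMAC-SHA256(key, "username|expiry")"
    def _mac(self, body: str) -> str:
        return hmac.new(self.cookie_key, body.encode(), hashlib.sha256).hexdigest()

    def _issue_cookie(self, username: str, now: int) -> str:
        body = f"{username}|{now + T1_KNOWN_LIFETIME}"
        return f"{body}|{self._mac(body)}"

    def _cookie_valid(self, cookie: str, username: str, now: int) -> bool:
        try:
            c_user, c_exp, c_mac = cookie.split("|")
            expiry = int(c_exp)
        except (AttributeError, ValueError):
            return False
        # constant-time MAC check, then binding to this username and the expiry
        return (hmac.compare_digest(c_mac, self._mac(f"{c_user}|{c_exp}"))
                and c_user == username and now < expiry)

    def is_known(self, src_ip: str, username: str, cookie: Optional[str], now: int) -> bool:
        if self.whitelist.get((src_ip, username), 0) > now:
            return True
        return cookie is not None and self._cookie_valid(cookie, username, now)

    def login(self, username, password, src_ip, now, cookie=None, att_solved=False) -> Decision:
        if self.is_known(src_ip, username, cookie, now):
            counter, key, limit = self.fail_known, (src_ip, username), K1_KNOWN_FAILS
        else:
            counter, key, limit = self.fail_unknown, username, K2_UNKNOWN_FAILS
        if counter.get(key, 0) >= limit and not att_solved:
            return Decision("ATT_REQUIRED")      # budget exhausted: challenge before checking the password
        stored = self.users.get(username, "")
        if username in self.users and hmac.compare_digest(stored.encode(), password.encode()):
            # success: this IP becomes known, a cookie is issued, both budgets are reset (model's choice)
            self.whitelist[(src_ip, username)] = now + T1_KNOWN_LIFETIME
            self.fail_known.pop((src_ip, username), None)
            self.fail_unknown.pop(username, None)
            return Decision("SUCCESS", self._issue_cookie(username, now))
        counter[key] = counter.get(key, 0) + 1   # unknown usernames are counted like wrong passwords
        return Decision("FAIL")


def run_scenario() -> dict:
    """Constructed walk-through with TEST-NET IP addresses and a fixed clock."""
    srv = PGRPServer({"alice": "correct horse battery staple"}, cookie_key=b"k" * 32)
    ip, t, out = "203.0.113.5", 1_000_000, {}
    # unknown machine: three wrong guesses pass, the fourth attempt is challenged
    out["unknown"] = [srv.login("alice", f"guess{i}", ip, t + i).status for i in range(4)]
    # solving the ATT lets the attempt through; the right password makes the machine known
    ok = srv.login("alice", "correct horse battery staple", ip, t + 4, att_solved=True)
    out["after_att"] = ok.status
    # known machine: 30 failures without an ATT, the 31st attempt is challenged
    known = [srv.login("alice", f"bad{i}", ip, t + 10 + i).status for i in range(31)]
    out["known"] = (known.count("FAIL"), known[-1])
    # the cookie alone makes a different IP a known machine; a tampered cookie does not
    out["cookie_other_ip"] = srv.login("alice", "bad", "198.51.100.7", t + 50, cookie=ok.cookie).status
    forged = ok.cookie[:-1] + ("0" if ok.cookie[-1] != "0" else "1")
    out["forged_cookie_known"] = srv.is_known("192.0.2.9", "alice", forged, t + 50)
    # after the lifetime the IP is unknown again and gets only the small budget
    late = t + 4 + T1_KNOWN_LIFETIME + 1
    out["expired"] = [srv.login("alice", f"late{i}", ip, late + i).status for i in range(4)]
    return out


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

Two caveats a deployment should weigh, neither addressed in the text above: an IP address behind a NAT or proxy is shared by every host behind it, so white-listing it extends the larger failure budget to all of them; and the cookie path is only as strong as the secrecy of the server-side key, since anyone holding that key can mint "known machine" status for any username.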
Software and Hardware Requirements
Hardware Required:
System : Pentium IV
Hard Disk : 80 GB
RAM : 512 MB
Software Required:
Operating System : Windows XP
Language : ASP.NET, C#
Data Base : SQL Server 2005
Modules:
· Admin Login
· User Login
· PGRP Protocol
· Withdraw
· Deposit
· Transfer
· Transactions