面向恶意网页的静态特征体系研究

恶意网页是一种新型的Web攻击手法,攻击者通常将一段恶意代码嵌入网页中,当用户访问该网页时,恶意代码会试图利用浏览器或其插件漏洞在后台隐秘地执行一系列恶意行为.针对恶意网页静态特征抽取问题,本文从已有的特征中选取了14个信息增益值较高的特征,并通过分析恶意网页的混淆手法提出了8个新的特征,共同组成了22维的静态特征体系.此外,针对已有特征抽取流程提出两点改进：对不同编码格式的原始网页进行预处理;回送JavaScript脚本动态生成的的HTML代码,用以进一步抽取HTML相关特征.实验表明,在不均衡数据集和均衡数据集上,本文的特征体系具有一定的有效性.     

Language-Based Caching of Dynamically Generated HTML

Increasingly, HTML documents are dynamically generated by interactive Web services. To ensure that the client is presented with the newest versions of such documents it is customary to disable client caching causing a seemingly inevitable performance penalty. In the system, dynamic HTML documents are composed of higher-order templates that are plugged together to construct complete documents. We show how to exploit this feature to provide an automatic fine-grained caching of document templates, based on the service source code. A service transmits not the full HTML document but instead a compact JavaScript recipe for a client-side construction of the document based on a static collection of fragments that can be cached by the browser in the usual manner. We compare our approach with related techniques and demonstrate on a number of realistic benchmarks that the size of the transmitted data and the latency may be reduced significantly.     

Using a concept lattice of decomposition slices for program understanding and impact analysis

The decomposition slice graph and concept lattice are two program representations used to abstract the details of code into a higher-level view of the program. The decomposition slice graph partitions the program into computations performed on different variables and shows the dependence relation between computations, holding when a computation needs another computation as a building block. The concept lattice groups program entities which share common attributes and organizes such groupings into a hierarchy of concepts, which are related through generalizations/specializations. This paper investigates the relationship existing between these two program representations. The main result of this paper is a novel program representation, called concept lattice of decomposition slices, which is shown to be an extension of the decomposition slice graph, and is obtained by means of concept analysis, with additional nodes associated with weak interferences between computations, i.e., shared statements which are not decomposition slices. The concept lattice of decomposition slices can be used to support software maintenance by providing relevant information about the computations performed by a program and the related dependences/interferences, as well as by representing a natural data structure on which to conduct impact analysis. Preliminary results on small to medium size code support the applicability of this method at the intraprocedural level or when investigating the dependences among small groups of procedures.     

J2EE平台上的HTML电子表格工具的设计

随着Internet的发展,Web应用也得到了快速发展和广泛普及.同时这也给Web应用开发提出了新的要求.与传统应用程序开发相比,Web应用开发具有如下特点：开发周期短,开发成本高,实现技术复杂.为了适应Web应用开发的新特点,开发人员需要一种可以快速开发Web应用的工具.本文介绍了一种J2EE平台上动态HT-ML表格的设计和实现.开发者可以使用该工具定义一个和数据库相联系的动态HTML表格.这个工具可以根据用户的定义自动生成相应的Servlet代码.     

XML技术在化学深层网数据提取中的应用

Internet上的化学数据库是宝贵的化学信息资源,如何有效地利用这些数据是化学深层网所要解决的问题。本文总结了化学深层网的特点,基于XML技术实现从数据库检索返回的半结构化HTML页面中提取数据的目标,使之成为可供程序直接调用做进一步计算的数据。在数据提取过程中,先采用JTidy规范化HTML,得到格式上完整、内容无误的XHTML文档,利用包含着XPath路径语言的XSLT数据转换模板实现数据转换和提取。其中XPath表达式的优劣决定了XSLT数据转换模板能否长久有效地提取化学数据,文中着重介绍了如何编辑健壮的XPath表达式,强调了XPath表达式应利用内容和属性特征实现对源树中数据的定位,并尽可能地降低表达式之间的耦合度,前瞻性地预测化学站点可能出现的变化并在XSLT数据转换模板中采取相应的措施以提高表达式的长期有效性。为创建化学深层网数据提取的XSLT数据提取模板提供方法指导。     

基于简化系统依赖图的静态粗粒度切片方法

基于系统依赖图是计算面向对象程序切片的一个有效方法.但是,系统依赖图的缺点是太复杂,而且在建立系统依赖图的过程中容易出错,一旦出现错误就可能导致切片结果的不准确.通过对系统依赖图进行简化,得到了简化的系统依赖图.它省略了那些表示输入参数和输出参数的结点和概括边.同时,还定义了一种面向对象程序的粗粒度切片概念,讨论了它的性质,分析了它与细粒度切片的关系,并基于简化的系统依赖图计算面向对象程序的粗粒度切片.最后还讨论了切片技术的简单实现.     

一种面向对象程序的过程间切片算法

程序切片是一种程序分析技术，它通过把程序减少到只包含与某个特定计算相关的那些语句来分析程序，过程间切片作为图形可达性问题时，需要扩展过程内切片所用的程序依赖图（PDG）成系统依赖图（SDG），然后利用两阶段图形可达性算法计算比较精确的切片，目前程序切片技术的研究以面向对象程序切片为主，文中讨论了一种合适面向对象程序的分层切片方法，并综合分层切片方法和两阶段图形可达性算法提出了一种简化的计算面向对象程序过程间切片的算法。     

基于VML的矢量图形动态生成过程的研究

Web数据库应用系统中,有时需要有一些统计数据图形给用户传达准确、直观的数据信息。利用HTML来添加图形的传统做法,由于受存储形式限制,其下载速度慢,且不能进行放大、缩小等功能。单纯采用HTML不能很好地表示矢量图形,不能解决这方面的问题。采用VML能够为这一问题提供合理的解决方案。利用VML结合ASP访问数据库,动态生成客户端脚本,绘制出矢量图形。结果表明采用这种方式能够充分发挥ASP的优势,并能表示出形象生动、可放大缩小而不影响图像质量的矢量图形。最后结合一个实例,绘制了数据项统计比较走势图,具有较强的表现力。充分表明采用VML绘制矢量图形具有极大的优势。     

动态web应用中的缺陷定位研究

在动态web应用中,动态生成的HTML页面产生的缺陷难以定位并且会严重影响web应用程序的可用性和稳定性。针对以上问题,本文提出了一种基于符号约束集的web缺陷定位方法,通过对web服务端程序的动态符号执行生成一个带有符号约束的树模型,并给出了一个高效的缺陷映射定位算法。为验证该方法的有效性,本文对几个基于PHP的开源web程序进行实验,结果表明该方法在web应用的HTML缺陷检测定位覆盖率和准确率方面都有所改进。     

模型驱动下的Web应用系统自动生成

为了提高Web应用系统开发效率,提出了模型驱动下的Web应用系统自动生成方法。这种生成方法是以Me—taEdit＋作为元建模工具,首先创建Web应用系统元模型、定制DSL,进而建立Web应用系统领域模型,然后通过MetaEdit＋提供的生成器定义语言MERL,软件开发人员可以很方便地设计出Web应用系统所需的JSP生成器、Servlet生成器、Jayabeans生成器和数据库生成器,从Web应用系统图形模型直接生成整个Web应用系统。最后通过一个WebShopping实例详细介绍了模型驱动下的Web应用系统生成方法及生成过程。经测试,所生成的Web应用系统可以在Windows操作系统中的Web应用服务器上正确运行。     

Testing input validation in Web applications through automated model recovery

Input validation is essential and critical in Web applications. It is the enforcement of constraints that any input must satisfy before it is accepted to raise external effects. We have discovered some empirical properties for characterizing input validation in Web applications. In this paper, we propose an approach for automated recovery of input validation model from program source code. The model recovered is represented in a variant of control flow graph, called validation flow graph, which shows essential input validation features implemented in programs. Based on the model, we then formulate two coverage criteria for testing input validation. The two criteria can be used to guide the structural testing of input validation in Web applications. We have evaluated the proposed approach through case studies and experiments.     

面向方面程序的简化动态依赖图切片方法

程序切片是一种重要的程序分析技术,广泛应用于程序的调试、测试与维护等领域。面向方面程序设计作为一种新的软件开发范型,能够实现横切关注点的模块化,其特有的语言元素和功能为切片增加了难度。从静态切片和动态切片两种类型,讨论了面向方面程序切片技术。在此基础上,提出了一种基于简化动态依赖图的面向方面程序切片方法,可以减少动态依赖图中节点和边的数量,生成准确的面向方面程序的动态切片,从而有助于人们更好地对面向方面程序进行分析和理解。     

在Visual C++6.0下实现动态HTML浏览视窗

动态的HTML(超文本标记语言)是一种用来创建Web页的脚本语言,现在IE浏览器和Netscape Navigator都支持的动态的HTML,动态的HTML也称之为DHTML。在Visual C++应用程序中也都支持HTML,在制作程序时可将一个动态的HTML脚本作为资源嵌入到应用程序中。     

采用图遍历算法的服务端请求伪造漏洞检测

针对基于PHP语言开发的Web应用系统,提出了一种基于图遍历算法的服务端请求伪造漏洞检测和利用方法。通过构建抽象语法树,获取每个文件的数据流信息,进而利用数据流中的传递依赖关系构造全局的代码属性图,使用图遍历算法对生成的代码属性图进行污点分析,得到污点变量的代码传递依赖路径图,最后使用约束求解的方法对路径图中的经过函数信息进行漏洞检测并生成可利用的攻击向量。实验结果表明,这种检测方式相较于传统的静态审计方法能够很好地发现服务端请求伪造漏洞,并能够自动化生成可绕过的攻击向量。     

Dynamic generation of adaptive Internet-based courses

In this paper we describe a new approach for developing adaptive Web based courses. These courses are defined by means of teaching tasks which correspond to basic knowledge units, and rules which describe how teaching tasks are divided into subtasks. Both tasks and rules are used at execution time to guide the students during their learning process by determining the set of achievable tasks to be presented to the student at every step. Adaptivity is implemented by presenting students with different HTML pages depending on their profile, their previous actions, and the active learning strategy. The HTML pages presented to the students are generated dynamically from general information about the type of media elements associated to each task and their layout. The whole approach is exemplified by means of a course on traffic signs.     

Framework and authoring tool for an extension of the UIML language

This paper presents a framework for the design of User Interfaces (UIs). By applying model transformations, the framework allows different UIs to be generated for different computing platforms. The tool presented in this work helps designers to build an abstract user interface which is later transformed into a concrete user interface by means of transformation techniques based on graph grammars. These techniques can be used to generate implementation code for several UI platforms including desktop applications, dynamic websites and mobile applications. The generated user interfaces are integrated with a multi-tier application by referencing external services and communicating with the application core over Web Service protocols. Our tool also allows the concrete interfaces to be enhanced before generating the final UI. The approach uses an adaptation of UIML (User Interface Markup Language). The adaptation focuses on defining a data model and a services model, and it also introduces a navigation model that allows data communication from one UI to another. The obtained UIs together with Web Services can conform complete applications instead of just being prototypes.     

Automatic discovery of Web Query Interfaces using machine learning techniques

The amount of information contained in databases available on the Web has grown explosively in the last years. This information, known as the Deep Web, is heterogeneous and dynamically generated by querying these back-end (relational) databases through Web Query Interfaces (WQIs) that are a special type of HTML forms. The problem of accessing to the information of Deep Web is a great challenge because the information existing usually is not indexed by general-purpose search engines. Therefore, it is necessary to create efficient mechanisms to access, extract and integrate information contained in the Deep Web. Since WQIs are the only means to access to the Deep Web, the automatic identification of WQIs plays an important role. It facilitates traditional search engines to increase the coverage and the access to interesting information not available on the indexable Web. The accurate identification of Deep Web data sources are key issues in the information retrieval process. In this paper we propose a new strategy for automatic discovery of WQIs. This novel proposal makes an adequate selection of HTML elements extracted from HTML forms, which are used in a set of heuristic rules that help to identify WQIs. The proposed strategy uses machine learning algorithms for classification of searchable (WQIs) and non-searchable (non-WQI) HTML forms using a prototypes selection algorithm that allows to remove irrelevant or redundant data in the training set. The internal content of Web Query Interfaces was analyzed with the objective of identifying only those HTML elements that are frequently appearing provide relevant information for the WQIs identification. For testing, we use three groups of datasets, two available at the UIUC repository and a new dataset that we created using a generic crawler supported by human experts that includes advanced and simple query interfaces. The experimental results show that the proposed strategy outperforms others previously reported works.     

网页数据自动抽取系统

在Internet中存在着大量的半结构化的HTML网页。为了使用这些丰富的网页数据,需要将这些数据从网页中重新抽取出来。该文介绍了一种新的基于树状结构的信息提取方法和一个自动产生包装器的系统DAE(DOMbasedAutomaticExtraction),将HTML网页数据转换为XML数据,在提取的过程中基本上不需要人工干预,因而实现了抽取过程的自动化。该方法可以应用于信息搜索agent中,或者应用于数据集成系统中等。     

基于Web的嵌入式系统设计与实现

随着互联网的迅猛发展及其应用的广泛普及,越来越多的嵌入式系统出现了。论文提出了一个基于Web的嵌入式系统设计方案,通过HTML或VRML页面可以实现对信息电器的远程监控。论文简要介绍了信息家电、嵌入式In-ternet/Web系统和虚拟现实技术,较详细地阐述了该系统实现过程中软硬件的设计思想和技术特点。     

Highly Optimized Code Generation for Stencil Codes with Computation Reuse for GPUs

Computation reuse is known as an effective optimization technique. However, due to the complexity of modern GPU architectures, there is yet not enough understanding regarding the intriguing implications of the interplay of computation reuse and hardware specifics on application performance. In this paper, we propose an automatic code generator for a class of stencil codes with inherent computation reuse on GPUs. For such applications, the proper reuse of intermediate results, combined with careful register and on-chip local memory usage, has profound implications on performance. Current state of the art does not address this problem in depth, partially due to the lack of a good program representation that can expose all potential computation reuse. In this paper, we leverage the computation overlap graph (COG), a simple representation of data dependence and data reuse with “element view”, to expose potential reuse opportunities. Using COG, we propose a portable code generation and tuning framework for GPUs. Compared with current state-of-the-art code generators, our experimental results show up to 56.7 % performance improvement on modern GPUs such as NVIDIA C2050.