Revisiting Defenses against Large-Scale Online Password Guessing Attacks

   December 9, 2017    Comments Off on Revisiting Defenses against Large-Scale Online Password Guessing Attacks    Posted in: .Net, IEEE 2017

Revisiting Defenses against Large-Scale Online Password Guessing Attacks

ABSTRACT:

Brute force and dictionary attacks on password-only remote login services are now widespread and ever increasing. Enabling convenient login for legitimate users while preventing such attacks is a difficult problem. Automated Turing Tests (ATTs) continue to be an effective, easy-to-deploy approach to identify automated malicious login attempts with reasonable cost of inconvenience to users. In this paper, we discuss the inadequacy of existing and proposed login protocols designed to address large scale online dictionary attacks (e.g., from a botnet of hundreds of thousands of nodes). We propose a new Password Guessing Resistant Protocol (PGRP), derived upon revisiting prior proposals designed to restrict such attacks. While PGRP limits the total number of login attempts from unknown remote hosts to as low as a single attempt per username, legitimate users in most cases (e.g., when attempts are made from known, frequently-used machines) can make several failed login attempts before being challenged with an ATT. We analyze the performance of PGRP with two real-world data sets and find it more promising than existing proposals.

 

EXISTING SYSTEM:

 

Wire Sniffing: Most of the time when we talk of passive online attack we consider it as sniffing the password on wired or wireless networks. The password is captured during authentication phase and then compared to dictionary file or word list.

 

The majority of Sniffer tools are ideally suited to sniff data in hub environment. These tools are also known as passive sniffers as they passively wait for data to be sent before capturing the information. User account passwords are commonly hashed or encrypted when sent on the network to prevent unauthorized access and use. In such cases hacker uses his special tools to crack password.

 

Brute Force: The most time-consuming type of attack is a brute-force attack, which tries every possible combination of uppercase and lowercase letters, numbers, and symbols.

 

A brute-force attack is the slowest of the three types of attacks because of the many possible combination of characters in the password. However, brute force is effective; given enough time and processing power, all passwords can eventually be identified.

 

During these attacks user can’t find the attackers.

 

 

 

PROPOSED SYSTEM:

 

Our method of protection against online password-guessing attacks and re-lated denial-of-service attacks, the owner and the users granted administrative privileges are referred to as administrators. Only the owner registers with the application provider other user accounts are created by administrators using a Web interface.

Our proposed system objectives for PGRP include the following:

The login protocol should make brute force and dictionary attacks ineffective even for adversaries with access to large botnets (i.e., capable of launching the attack from many remote hosts).

The protocol should not have any significant impact on usability (user convenience). For example: for legitimate users, any additional steps besides entering login credentials should be minimal. Increasing the security of the protocol must have minimal effect in decreasing the login usability.

The protocol should be easy to deploy and scalable, requiring minimum computational resources in terms of memory, processing time, and disk space.

 

PGRP: Password Guessing Resistant Protocol:

 

HARDWARE REQUIREMENTS

 

  • SYSTEM : Pentium IV 2.4 GHz
  • HARD DISK : 40 GB
  • FLOPPY DRIVE : 1.44 MB
  • MONITOR : 15 VGA colour
  • MOUSE : Logitech.
  • RAM : 256 MB
  • KEYBOARD : 110 keys enhanced.

 

SOFTWARE REQUIREMENTS

 

  • Operating system :-  Windows XP Professional
  • Front End            :-  Microsoft Visual Studio .Net 2008
  • Coding Language : – C# .NET.
  • Database :- SQL Server 2005

 

REFERENCE:

Mansour Alsaleh, Mohammad Mannan, and P.C. van Oorschot, Member, IEEE, “Revisiting Defenses against Large-Scale Online Password Guessing Attacks”, IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, VOL. 9, NO. 1, JANUARY/FEBRUARY 2012.

  

Comments are closed.