{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,12]],"date-time":"2025-10-12T03:32:13Z","timestamp":1760239933689,"version":"build-2065373602"},"reference-count":38,"publisher":"MDPI AG","issue":"2","license":[{"start":{"date-parts":[[2019,2,15]],"date-time":"2019-02-15T00:00:00Z","timestamp":1550188800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Future Internet"],"abstract":"<jats:p>Web applications are relied upon by many for the services they provide. It is essential that applications implement appropriate security measures to prevent security incidents. Currently, web applications focus resources towards the preventative side of security. While prevention is an essential part of the security process, developers must also implement a level of attack awareness into their web applications. Being able to detect when an attack is occurring provides applications with the ability to execute responses against malicious users in an attempt to slow down or deter their attacks. This research seeks to improve web application security by identifying malicious behavior from within the context of web applications using our tool BlackWatch. The tool is a Python-based application which analyzes suspicious events occurring within client web applications, with the objective of identifying malicious patterns of behavior. This approach avoids issues typically encountered with traditional web application firewalls. Based on the results from a preliminary study, BlackWatch was effective at detecting attacks from both authenticated and unauthenticated users. Furthermore, user tests with developers indicated BlackWatch was user-friendly, and was easy to integrate into existing applications. Future work seeks to develop the BlackWatch solution further for public release.<\/jats:p>","DOI":"10.3390\/fi11020044","type":"journal-article","created":{"date-parts":[[2019,2,17]],"date-time":"2019-02-17T22:11:50Z","timestamp":1550441510000},"page":"44","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":4,"title":["BlackWatch: Increasing Attack Awareness within Web Applications"],"prefix":"10.3390","volume":"11","author":[{"given":"Calum","family":"Hall","sequence":"first","affiliation":[{"name":"MWR InfoSecurity, London SE1 3RS, UK"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-1082-1174","authenticated-orcid":false,"given":"Lynsay","family":"Shepherd","sequence":"additional","affiliation":[{"name":"School of Design and Informatics, Abertay University, Dundee DD1 1HG, UK"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-0681-9888","authenticated-orcid":false,"given":"Natalie","family":"Coull","sequence":"additional","affiliation":[{"name":"School of Design and Informatics, Abertay University, Dundee DD1 1HG, UK"}]}],"member":"1968","published-online":{"date-parts":[[2019,2,15]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","first-page":"261","DOI":"10.1109\/TDSC.2015.2410795","article-title":"Measuring the influence of perceived cybercrime risk on online service avoidance","volume":"13","author":"Riek","year":"2016","journal-title":"IEEE Trans. Dependable Secure Comput."},{"doi-asserted-by":"crossref","unstructured":"Kumar, S., Mahajan, R., Kumar, N., and Khatri, S.K. (2017, January 20\u201322). A study on web application security and detecting security vulnerabilities. Proceedings of the IEEE 2017 6th International Conference on Reliability, Infocom Technologies and Optimization (Trends and Future Directions) (ICRITO), Noida, India.","key":"ref_2","DOI":"10.1109\/ICRITO.2017.8342469"},{"unstructured":"Rodriguez, C., and Martinez, R. (2012). The Growing Hacking Threat to Websites: An Ongoing Commitment to Web Application Security. A Frost & Sullivan White Paper, Frost and Sullivan.","key":"ref_3"},{"unstructured":"Verizon (2018, November 17). Data Breach Investigations Report. Available online: https:\/\/www.verizonenterprise.com\/resources\/reports\/rp_DBIR_2018_Report_en_xg.pdf.","key":"ref_4"},{"doi-asserted-by":"crossref","unstructured":"Shepherd, L.A., Archibald, J., and Ferguson, R.I. (2013, January 21\u201326). Perception of risky security behaviour by users: Survey of current approaches. Proceedings of the Human Aspects of Information Security, Privacy, and Trust: First International Conference, HAS 2013, Held as Part of HCI International 2013, Las Vegas, NV, USA.","key":"ref_5","DOI":"10.1007\/978-3-642-39345-7_19"},{"unstructured":"Mathew, S., Britt, D., Giomundo, R., Upadhyaya, S., Sudit, M., and Stotz, A. (2005, January 17\u201320). Real-time multistage attack awareness through enhanced intrusion alert clustering. Proceedings of the Military Communications Conference (MILCOM 2005), Atlantic City, NJ, USA.","key":"ref_6"},{"unstructured":"Ben-Meir, E. (2018, November 17). Prevention vs. Detection in Cyber Security: Why Not Both?. Available online: https:\/\/blog.cyberint.com\/prevention-vs-detection-in-cybersecurity-why-not-both.","key":"ref_7"},{"unstructured":"MWRInfoSecurity (2018, November 17). Tips for Success When Building a Detection Capability. Available online: https:\/\/www.mwrinfosecurity.com\/our-thinking\/building-attack-detection-capability\/.","key":"ref_8"},{"unstructured":"PCISSC (2018, November 17). Payment Card Industry Data Security Standard\u2014Requirements and Security Assessment Procedures. Available online: https:\/\/www.pcisecuritystandards.org\/documents\/PCI_DSS_v3-2.pdf.","key":"ref_9"},{"unstructured":"High-Tech Bridge Security Research (2018, October 19). Patching Complex Web Vulnerabilities Using ModSecurity WAF. Available online: https:\/\/www.htbridge.com\/blog\/patching-complex-web-vulnerabilities-using-modsecurity-waf.html.","key":"ref_10"},{"unstructured":"Kolochenko, I. (2018, October 19). Web Application Firewall: A Must-Have Security Control or an Outdated Technology?. Available online: https:\/\/www.csoonline.com\/article\/3032743\/application-development\/web-application-firewall-a-must-have-security-control-or-an-outdated-technology.html.","key":"ref_11"},{"unstructured":"Ahmed, M. (2018, November 17). Evading All Web-Application Firewalls XSS Filters. Available online: https:\/\/mazinahmed.net\/uploads\/Evading%20All%20Web-Application%20Firewalls%20XSS%20Filters.pdf.","key":"ref_12"},{"doi-asserted-by":"crossref","unstructured":"Clincy, V., and Shahriar, H. (2018, January 23\u201327). Web Application Firewall: Network Security Models and Configuration. Proceedings of the 2018 IEEE 42nd Annual Computer Software and Applications Conference (COMPSAC), Tokyo, Japan.","key":"ref_13","DOI":"10.1109\/COMPSAC.2018.00144"},{"key":"ref_14","first-page":"29","article-title":"Secure coding: Building security into the software development life cycle","volume":"13","author":"Jones","year":"2004","journal-title":"Inf. Syst. Secur."},{"unstructured":"Goertzel, K.M., and Winograd, T. (2008). Enhancing the Development Life Cycle to Produce Secure Software.","key":"ref_15"},{"unstructured":"Hoff, J. (2018, November 17). 6 Ways to Strengthen Web App Security. Available online: https:\/\/www.darkreading.com\/risk-management\/6-ways-to-strengthen-web-app-security\/d\/d-id\/1106197.","key":"ref_16"},{"unstructured":"Haridas, N. (2018, November 17). Software Engineering\u2014Security as a Process in the SDLC. Available online: https:\/\/www.sans.org\/reading-room\/whitepapers\/securecode\/paper\/1846.","key":"ref_17"},{"doi-asserted-by":"crossref","unstructured":"Hasan, A.M., Meva, D.T., Roy, A.K., and Doshi, J. (2017, January 22\u201323). Perusal of web application security approach. Proceedings of the 2017 International Conference on Intelligent Communication and Computational Techniques (ICCT), Jaipur, India.","key":"ref_18","DOI":"10.1109\/INTELCCT.2017.8324026"},{"doi-asserted-by":"crossref","unstructured":"Futcher, L., and von Solms, R. (2007). SecSDM: A model for integrating security into the software development life cycle. Fifth World Conference on Information Security Education, Springer.","key":"ref_19","DOI":"10.1007\/978-0-387-73269-5_6"},{"key":"ref_20","doi-asserted-by":"crossref","first-page":"5333","DOI":"10.1002\/sec.1700","article-title":"The practice of secure software development in SDLC: An investigation through existing model and a case study","volume":"9","author":"Karim","year":"2016","journal-title":"Secur. Commun. Netw."},{"unstructured":"Gregory, P.H. (2019, January 07). Security in the Software Development Life-Cycle. Available online: https:\/\/searchsecurity.techtarget.com\/tip\/Security-in-the-software-development-life-cycle.","key":"ref_21"},{"doi-asserted-by":"crossref","unstructured":"Razzaq, A., Hur, A., Shahbaz, S., Masood, M., and Ahmad, H.F. (2013, January 6\u20138). Critical analysis on web application firewall solutions. Proceedings of the 2013 IEEE Eleventh International Symposium on Autonomous Decentralized Systems (ISADS), Mexico City, Mexico.","key":"ref_22","DOI":"10.1109\/ISADS.2013.6513431"},{"doi-asserted-by":"crossref","unstructured":"Singh, J.J., Samuel, H., and Zavarsky, P. (2018, January 8\u201310). Impact of Paranoia Levels on the Effectiveness of the ModSecurity Web Application Firewall. Proceedings of the IEEE 2018 1st International Conference on Data Intelligence and Security (ICDIS), South Padre Island, TX, USA.","key":"ref_23","DOI":"10.1109\/ICDIS.2018.00030"},{"doi-asserted-by":"crossref","unstructured":"Krueger, T., Gehl, C., Rieck, K., and Laskov, P. (2010, January 22\u201326). TokDoc: A self-healing web application firewall. Proceedings of the 2010 ACM Symposium on Applied Computing, Sierre, Switzerland.","key":"ref_24","DOI":"10.1145\/1774088.1774480"},{"unstructured":"OWASP (2018, November 17). OWASP AppSensor. Available online: https:\/\/www.owasp.org\/index.php\/OWASP_AppSensor_Project.","key":"ref_25"},{"unstructured":"Thomassen, P. (2012). AppSensor: Attack-Aware Applications Compared Against a Web Application Firewall and an Intrusion Detection System. [Master\u2019s Thesis, Institutt for Datateknikk og Informasjonsvitenskap].","key":"ref_26"},{"unstructured":"OWASP (2018, November 17). OWASP Top Ten Project. Available online: https:\/\/www.owasp.org\/index.php\/Category:OWASP_Top_Ten_Project.","key":"ref_27"},{"unstructured":"OWASP (2018, November 17). Top 10 2017. Available online: https:\/\/www.owasp.org\/index.php\/Top_10-2017_Top_10.","key":"ref_28"},{"unstructured":"OWASP (2019, February 01). Appsensor-Ws-Rest-Server. Available online: http:\/\/appsensor.org\/docs\/v2.3.0\/api\/ui\/index.html#!\/RestRequestHandler\/resource_RestRequestHandler_addEvent_POST.","key":"ref_29"},{"unstructured":"icons8 (2019, February 01). Hacker Icon. Available online: https:\/\/visualpharm.com\/free-icons\/hacker-595b40b75ba036ed117d616b.","key":"ref_30"},{"unstructured":"Belesi, R. (2018, November 17). How to Change Your IP Address. Available online: https:\/\/blogs.opera.com\/news\/2016\/09\/how-to-change-ip-address\/.","key":"ref_31"},{"doi-asserted-by":"crossref","unstructured":"Abouollo, A., and Almuhammadi, S. (2017, January 4\u20136). Detecting Malicious User Accounts Using Canvas Fingerprint. Proceedings of the 2017 8th International Conference on Information and Communication Systems (ICICS), Irbid, Jordan.","key":"ref_32","DOI":"10.1109\/IACS.2017.7921998"},{"unstructured":"(2018, October 19). MongoDB. Available online: https:\/\/www.mongodb.com\/.","key":"ref_33"},{"unstructured":"West, M. (2017, April 07). An Introduction to Websockets. Available online: http:\/\/blog.teamtreehouse.com\/an-introduction-to-websockets.","key":"ref_34"},{"unstructured":"Grinberg, M. (2018, October 19). Flask-Socketio. Available online: https:\/\/github.com\/miguelgrinberg\/Flask-SocketIO.","key":"ref_35"},{"unstructured":"Dewhurst, R. (2019, February 01). Dewhurst Security\u2014Professional Security Services. Available online: https:\/\/dewhurstsecurity.com\/.","key":"ref_36"},{"unstructured":"DVWA (2018, October 19). Damn Vulnerable Web Application (DVWA). Available online: http:\/\/www.dvwa.co.uk\/.","key":"ref_37"},{"unstructured":"OWASP (2018, October 19). Command Injection. Available online: https:\/\/www.owasp.org\/index.php\/Command_Injection.","key":"ref_38"}],"container-title":["Future Internet"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/1999-5903\/11\/2\/44\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T12:32:23Z","timestamp":1760185943000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/1999-5903\/11\/2\/44"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2019,2,15]]},"references-count":38,"journal-issue":{"issue":"2","published-online":{"date-parts":[[2019,2]]}},"alternative-id":["fi11020044"],"URL":"https:\/\/doi.org\/10.3390\/fi11020044","relation":{},"ISSN":["1999-5903"],"issn-type":[{"type":"electronic","value":"1999-5903"}],"subject":[],"published":{"date-parts":[[2019,2,15]]}}}