Vol. 28, No. 6, (2019), pp. 130-135
Taxonomy of Information System Security Vulnerability in e-learning and its Handling
Resa Pramudita1, Hari Supriyadi2 Faculty of Engineering Widyatama University Bandung, Indonesia [email protected]
Abstract—E-learning is an educational concept that utilizes information technology in the process of learning and teaching. At present, the e-learning system has become one of the required parts to support the creation of better learning in every educational institution in Indonesia. Some developers in the field of education recognize that digital learning systems have many good influences for all people who use them: teachers, students and schools. In general, e-learning systems include learning carried out in electronic media (internet) both formally and informally. Formal e-learning, for example, uses ordinary learning tools that have been prepared based on schedules made by the related parties (teachers and students), where the system consists of tutors and participants. from internet networks, hardware (such as computers, mobile phones, tablets), software and also security protection systems (such as fingerprint, cameras and passwords). However, e-learning systems are vulnerable to security threats. This is caused by the presence of several security holes that can be penetrated by a hacker to manipulate data, so that e-learning system security can be disturbed or hijacked by hackers. This paper is a literature review which generally discusses: 1) several security vulnerabilities that may occur in e-learning systems, 2) categorization for e-learning protection based on sources of vulnerability, 3) several methods or handling that can be done to overcome several security vulnerabilities, and 4) examples of security models that can be applied in e-learning systems.
Keywords—Information Security, e-learning, Security Vulnerability
I. INTRODUCTION
Learning systems undergo changes every day. One motivation is that the conventional learning system between tutors and students is felt to be less efficient. From these problems, a development is needed that aims to improve the effectiveness of learning, especially in terms of the allocation of time between students and tutors, which usually only occurs in class. One of the breakthroughs to overcome this problem is the e-learning based learning system, a type of teaching and learning innovation that enables teaching materials to be delivered to students using internet media. So far, the e-learning system is commonly used by open and long distance education providers.
Based on the issuance of the Decree of the Minister of National Education No.107 / U / 2001 concerning 'Implementation of the
addition, e-learning alone enables remote learning that allows benefits such as improving the quality of learning, providing better access to education and training activities, reducing costs and make it effective.
With all the advantages offered by the information system applied in the world of education, it turns out there are still factors that might be detrimental, namely the security factor in the e-learning system [1]. Security in a system is certainly needed to maintain the integrity of the data contained in the system [15].
The challenge to maintain data integrity comes after the system is connected to a computer network and connected to the internet.
The integrity and security of the data stored in the system must be kept authentic. So that it can be ascertained that the data cannot be modified again so that authenticity is maintained, except for data that is indeed flexible to be modified. Certainty that the system can be accessed from anywhere must be considered, so that the availability of the system can be fulfilled.
With the connection of the system to computer networks and the internet, the opportunity to change or damage the data becomes increasingly wide open, because potentially dangerous users of e-learning systems (malicious users) can easily enter the system through a computer network or the internet. S. Mandala et al. [2] reported that hackers often steal users' personal data for resale. In addition, the protection of content in e-learning must also be able to provide more protection to intellectual property rights in the subject matter made. In addition, of course, there are attacks from hackers who target the web itself.
This paper is a literature study in general discussing several security vulnerabilities that may occur in e-learning systems, categorization of e-learning protection based on sources of vulnerability, and several methods or handling that can be done to overcome some of these security vulnerabilities.
II. E-LEARNING: DEFINITION AND CATEGORIZATION
Definition of e-learning according to Hartley [3] that the use of the internet, intranet and the use of other computer network media can be a teaching and learning method that allows interaction through sending teaching materials to students. In addition, J. Kumar [4] defines E-learning as a method of
electronics is used as a term for all technologies that are used as
teaching tools through internet electronic technology [6].
Referring to some definitions proposed by some of these experts, the authors conclude that e-learning is a type of teaching and learning that can be done anytime and anywhere using electronic media as a learning medium. Regarding the category, S. Mandala, et al. [2] in the literature divides e-learning into two categories, namely, synchronous and asynchronous e-learning.
The two categories are described as follows:
A. Asynchronous Learning
In this e-learning system, students can access the system to download documents and send messages to teachers or colleagues at any time. Usually there are media facilities such as e-mail and discussion boards to support collaborative work between students and instructors without both parties needing to be online at the same time. The main idea of an asynchronous system is flexible e-learning. With this nature, chances are that many people will choose online courses.
B. Synchronous Learning
In this type, students have synchronous, real-time sessions for direct interaction with instructors. This system is generally supported by media devices that allow students to communicate directly and develop learning communities, such as additional video conference and chat features.
T. Ayodele, et al. [5], in turn, categorize e-learning into four main fields, as follows:
• Self-Paced Online e-learning: In this type, students can access databases from online course sources via Intranet or the Internet. These are forms of forums, chat rooms, e-mail conversations, and instant messages. This type is a bit more interactive as an online media that offers opportunities for more specific questions and answers, as well as more urgent answers.
• Offline Self-Paced e-learning: In this type, students can access learning resources such as databases or computer assisted offline learning packages (e.g. learning from standalone computers or through hard drives, CDs or DVDs).
• Synchronous Group-based e-learning: In this type, learning is done in real-time with instructors who directly facilitate learning. Each student can access at the appointed time and can communicate directly with the instructor. This type of media allows students to hold several study sessions and only takes place through Internet websites, audio or video conferencing, internet telephones or through live broadcasts in classrooms.
• Asynchronous Group-based e-learning: This type is online learning that is not determined by where the student is located, and where the exchange of knowledge occurs with time delays (not in real-time). Common examples of such activities include online discussions through electronic mail lists and text-based conferences in learning management systems.
III. DEVELOPMENT OF E-LEARNING FUNCTIONALITY AND IDEAL SPECIFICATIONS
E-learning systems have been developed several times and are becoming increasingly functional. Figure 1 shows the growth of functions in e-learning systems. Initially the e-learning system only placed learning content on the Internet so that students could access it anytime and anywhere. Then the function was expanded to allow sessions to be carried out anywhere and anytime in real-time between users (including instructors and students). At this time e-learning makes it possible to post graduation certification online, assessment, and registration. In addition, mobile learning has been introduced, even though it is not yet fully used. As its functions continue to grow, the e-learning environment becomes vulnerable to attacks, so network security is needed. That is, more and more functions make e-learning a more open and easy system, and more vulnerable to security threats. According to M.A. Helmiawan [4], an e-learning system must meet several categories including the following:
Figure.1 Growth of e-learning functions [6].
1. Access to the e-learning system must be kept confidential from outside access which may be illegal. Besides that, the user's identity must also be kept confidential.
2. In the control system, only users who are registered in the e-learning system can access it, in terms of downloading activities, taking exams and manipulating their own user data. Access control settings for users and components of the e-learning system must exist.
3. Setting up the database: the data manipulation process can only be done by users who are legal to the system.
4. Relating to the accountability or truth of the data: keeping a history of the activities that occur in the system.
5. The security system must be manageable and not interfere with system performance. Availability of systems to authenticate user access, and eliminate the risk of activities that can damage the system.
6. The system must be able to do good authentication.
IV. E-LEARNING ARCHITECTURE
In this paper, e-learning is a system that can be used to manage online lectures that can be accessed through a website (Internet). In general, e-learning system consists of two parts, namely the hardware system and website interface. The website interface can be in the form of a website or application software that can be used by users, whether it's students or tutors in order to interact directly or indirectly. The second part is hardware which is generally shown in Figure 2.
Figure.2 Architecture of e-learning system [4]
As shown in Figure 2 that in e-learning systems there are several parts including servers that are directly connected to the website server and function as databases. This section is managed by administrators, LANs and Internet network infrastructure needed to access the online lecture system. On the other hand, there is also the need for LAN and Internet connections that allow access to servers from outside the dam as well as the availability of client computers, both in the educational environment such as laboratories or outside laboratories.
V. INFORMATION SECURITY STANDARDS IN E-LEARNING SYSTEMS
According to H.F. Aldheleai, et al. [7], information security standards in e-learning systems include six things including:
• Identification: determining which parties can enter the system, where only certain users have the right to access. In this case, those who act as users are students and tutors.
• Authorization: the process of distinguishing and determining between confirmed users who have privileges, where the authority of an account is in accordance with the portion needed to access the service; in this case it relates to the authority between students, tutors, and administrators.
• Confidentiality: an e-learning system has many users, who can be guests, administrators, tutors, and students who have access to the database, and the confidentiality of the users of this system can be accounted for.
• Integrity: access control is the main factor that must be considered in matters of integrity. Illegal attempts to change content and systems are not permitted; the user is only authorized to access, and only a few parties can update the data content.
• Availability: it is imperative that data information can be accessed by users anywhere and anytime when needed.
• Non-denial: the system must ensure that there is no rejection of this service and no rejection of entry into the system caused by many things.
VI. THREATS OF ATTACKS ON E-LEARNING SYSTEMS
In every information system attack, there are valuable assets targeted by hackers that must be protected if we do not want the assets to be known by hackers. According to H.F. Aldheleai, et al. [7], assets in the e-learning system that are usually targeted by hackers are as follows: 1) Content or data on the e-learning system; 2) Personal data from the user; 3) Messages sent or received by the user; 4) Network connectivity; and 5) Bandwidth.
Of the several targets targeted by hackers, according to C. Savulescu, et al. [1], the most serious threat to online learning systems is if targets can be broken down by hackers. Potential gaps include: 1) worms and denial of service, which can be virus delivery or intentional attacks from software bugs, or can be malfunctioning software; 2) espionage, the act of collecting personal data; 3) vandalism or sabotage, destruction of information; 4) failure of equipment or hardware used, which can cause technical failure; 5) copyright piracy violations that sacrifice intellectual property rights (IPR); and 6) extortion for information disclosure.
From these threats, information system vulnerability in e-learning can be categorized into three parts, including the following:
1. User Privacy Vulnerability of the e-learning system
Leaks of individual privacy can have a major impact on victims and cause damage to social status. Teaching and learning situations can suffer if the e-learning system cannot maintain user privacy, because if the user's privacy is not safe, it is feared there will be disclosure of confidential information from the user through deliberate actions, even exposing the user's privacy data. Sniffing, data theft and selling user data without permission can be done by hackers. One way for hackers to attack user privacy on the e-learning system is to attack through the internet browser used. Recently, hackers could easily reveal detailed information about user browsing history by using attack codes that are available online on the internet to expose user privacy in Firefox 16. According to [2], to reveal and extract personal information contained in the URL of another site the hacker only needs about 10 seconds.
2. Content Vulnerability of the e-learning system
Protection of content is one of the important problems in e-learning system security. It is very important to detect changes in the content of the data that enters the system; therefore the authentication system has become one of the most important problems in e-learning. Unauthorized presentation files, tutorial videos, software, modules, and books are e-learning content that must be protected by intellectual property rights, where many legitimate e-learning users easily violate digital IPR. Nowadays many e-learning systems do not consider digital IPR protection for e-learning content and provide content integrity protection [2].
3. Website Application Vulnerability of the e-learning system
Website-based applications are widely used in e-learning systems. Thus, the e-learning system also inherits all information system vulnerabilities of each website-based application. There are several reasons why website-based applications are vulnerable to various attacks, including the following: 1) no security patch updates for web servers, website applications and developer machines; 2) e-learning developers lack the security system in the script; and 3) new vulnerabilities due to increasingly interactive websites.
On the other hand, there are two groups on the dark side of the internet that can interfere with website-based applications (including e-learning) so that they are vulnerable to many attacks. The first group is technology-centric and the second is non-technology-centric. In the technology-centric group, hackers use technology to attack website-based applications. However, hackers use "social engineering" in exploiting user weaknesses to control website-based applications. In addition, those that have been categorized as technology-centric include phishing, spam, click fraud, malware, hacking, DoS, and violations of digital IPR. Online theft activities, online fraud, cyber-oppression, spreading false information, illegal online gambling, helping crime and other despicable behaviors in the digital world belong to the non-technology-centric group [2-18].
The Sysadmin, Audit, Network, Security (SANS) Institute mentions as many as twenty-five errors that are most often experienced by software; especially in e-learning systems these include: 1) SQL injection, which reaches 7%; 2) Cross Site Scripting, which reaches 39%; 3) information leakage, which reaches 32%; 4) insufficient transport layer protection, which reaches 4%; 5) fingerprinting, which reaches 4%; and 6) HTTP response splitting, which reaches 3% [8], as shown in Figure 3.
Active attacks and passive attacks are two categories of types of attacks that target e-learning assets. These types of attack are explained in [7-19]. Table 3 describes passive attacks and active attacks. Violations of confidentiality that use several ways of interception but do not cause damage to the content threaten standard security and are called passive attacks, while attacks that can modify computer content and networks, and are very dangerous, are active attacks.
Table.3 E-learning Types of Attacks
VII. HANDLING OF E-LEARNING VULNERABILITY
As discussed in the previous sub-section, information system vulnerability on e-learning websites is categorized into three categories, namely user privacy vulnerability, content vulnerability, and web application vulnerability. In this section we explain how to deal with attacks from these three categories:
1. User Privacy Protection
According to H.F. Aldheleai, et al. [7], protection of user privacy in e-learning systems has three principles, namely:
• Authentication: a way to verify the user's identity by getting a kind of certificate. If the certificate is valid, the authorization process starts [14]. To secure the e-learning environment, the first step to take is the process of authorization and authentication. I-S. Fan, et al. [6] recommend identification of the authentication process, and the authentication process is directed and related to the authorization process as shown in Figure 3.
Figure 3. Authentication process [7]
• Identification: the authentication process is applied after securing our system from any attack, then the identity process starts to find out the identity of the user.
• Presence and continuous: to ensure the presence of a new student or student for a certain period of time.
Some other solutions have also been proposed to overcome security issues on the side of user privacy. Among others, Kambourakis, et al. [9] propose that users of e-learning systems use certain marks for mobile learning (m-learning) and e-learning. There are four main domains in the proposed system: e-learning servers, clients, servers to maintain trust, and public key infrastructure (PKI) servers. The difference is that the authentication system based on username and password is replaced by the unique authentication sign that is applied in this scenario.
In addition, from other literature, S. Mandala, et al. [2] proposed that the e-learning platform be integrated with the privacy identity enhancement management system (PIM) to improve security in user privacy. With the use of PIM, users can manage access to their own personal information and choose which data can be seen by others. In this method, pseudonyms can be used to identify partial identities. There are many different pseudonyms that a user can use to interact with others, for example: a pseudonym used to interact again with users in the same role, a pseudonym used to communicate with the same communication partner, and a person's nickname that is applied to all contexts.
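The pseudonym scheme described above can be sketched as follows. This is an added example, not code from the paper or from the cited PIM system; the kind labels ("person", "role", "relationship"), the HMAC-based derivation, the class name and the sample attributes are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

KINDS = ("person", "role", "relationship")  # labels chosen for this example


class PartialIdentityManager:
    """One user's attributes plus the pseudonyms and disclosures they control."""

    def __init__(self, attributes, master_key=None):
        self._attributes = dict(attributes)
        # Secret held only by the user's PIM client; every pseudonym derives from it.
        self._key = master_key or secrets.token_bytes(32)
        self._policy = {}  # (kind, context) -> attribute names the user agreed to show

    def pseudonym(self, kind, context=""):
        if kind not in KINDS:
            raise ValueError(f"unknown pseudonym kind: {kind}")
        # Length-prefix both fields so two different (kind, context) pairs can
        # never serialise to the same HMAC input.
        fields = (kind.encode(), context.encode())
        message = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
        # Same key and context give the same pseudonym (recognisable on return
        # visits); other contexts give values that cannot be linked without the key.
        return hmac.new(self._key, message, hashlib.sha256).hexdigest()[:16]

    def allow(self, kind, context, *names):
        unknown = set(names).difference(self._attributes)
        if unknown:
            raise KeyError(f"no such attribute(s): {sorted(unknown)}")
        self._policy.setdefault((kind, context), set()).update(names)

    def present(self, kind, context=""):
        """Partial identity for one context: pseudonym plus allowed attributes only."""
        names = self._policy.get((kind, context), set())  # default: disclose nothing
        return {
            "pseudonym": self.pseudonym(kind, context),
            "attributes": {n: self._attributes[n] for n in sorted(names)},
        }


def demo():
    # Constructed sample user; none of these values come from the paper.
    # The fixed key is only there to make the demonstration reproducible.
    student = PartialIdentityManager(
        {"name": "Sample Student", "email": "student@example.edu", "student_id": "S-0001"},
        master_key=bytes(range(32)),
    )
    student.allow("relationship", "tutor:networks-101", "name", "student_id")
    student.allow("person", "", "name")
    return {
        "forum": student.present("role", "student"),
        "tutor": student.present("relationship", "tutor:networks-101"),
        "other_tutor": student.present("relationship", "tutor:databases-201"),
        "profile": student.present("person"),
    }


if __name__ == "__main__":
    for where, identity in demo().items():
        print(f"{where:12} {identity}")
```
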
2. Protection of Content
Digital Right Management (DRM) is used to deal with content vulnerability, as done by Sajjadi et al. [10] on Moodle e-learning. In addition, to determine the level of sharing of learning resources accessed online, a content aggregation model was introduced. Content aggregation has four levels: courses, learning objects, assets, and lessons. where the most basic form of learning resources is. Whereas the top level is only content aggregation, which collects several lessons. In this study, each learning object is protected from copyright violations by DRM.
3. Protection of Web Applications
The use of virtual private networks (VPN) and firewalls was proposed by S. Mandala et al. [2] to protect data integrity, user privacy and availability of e-learning systems. The firewall is used as the first barrier that filters all network traffic that will access e-learning, while the VPN is used as a service for users of e-learning systems off campus and provides safe remote access for users. In addition, to evaluate whether data traffic entering the e-learning system is dangerous or not, e-learning protection based on an Intrusion Detection System (IDS) is used; in this literature it is called the Intrusion Block System (IBS), which uses an intrusion detection engine. If the data is in the dangerous category, the access is blocked and a report is made for this reason. They claim that IBS can prevent five general website attacks, as described in Section 6.2. Furthermore, M. Serrhini, et al. [11-17] conducted research on e-learning security by increasing the security of the web browser with a stand-alone e-learning awareness application.
VIII. MODEL OF APPLICATION OF INFORMATION SECURITY IN E-LEARNING SYSTEMS
There are several examples of e-learning security models that are not easily penetrated by hackers, for example, as stated by S. Ahmed, et al. [12], including the following:
1. Information Security Using the SMS Mechanism
In this model, the system will generate keywords that can be used to access e-learning, and send them via SMS messages to registered numbers, then users enter keywords for the authentication process.
2. Information Security Using the Biometrics Mechanism
This method uses unique physical characteristics to be able to authenticate, for example unique and different physical characteristics in each person are fingerprints. In this system all users are required to register their physical characteristics or behavior, which is stored in an encrypted database of modification.
3. Information Security Using the Token Mechanism
This method uses a more stringent authentication system, namely by using a token / smart card, so that for certain access only certain logins can be done using special tokens.
4. Information Security Using Digital Signature Mechanisms
In this model, to be able to select the identity of e-learning actors during interaction, a digital signature method can be used to authenticate e-learning actors who will access entry and operate. This system aims to make the data sent by the teacher not changed by other parties.
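The SMS mechanism in item 1 can be illustrated with the following added example, which is not code from the paper or from the cited work. The six-digit keyword format, five-minute lifetime, three-attempt limit and the `send_sms` callback (a hypothetical stand-in for an SMS gateway) are assumptions; the phone number is a constructed placeholder.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6         # assumption: the paper does not specify the keyword format
CODE_TTL_SECONDS = 300  # assumption: a keyword is valid for five minutes
MAX_ATTEMPTS = 3        # assumption: wrong guesses allowed before the keyword is voided


class SmsKeywordAuthenticator:
    """Issues one keyword per login attempt and accepts it at most once."""

    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms  # callable(number, text); hypothetical gateway hook
        self._clock = clock
        self._pending = {}         # username -> challenge record

    @staticmethod
    def _digest(salt, code):
        return hashlib.sha256(salt + code.encode()).digest()

    def start_login(self, username, registered_number):
        # secrets, not random: the keyword must be unpredictable.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        salt = secrets.token_bytes(16)
        # Keep only a salted digest; a new request replaces any older keyword.
        self._pending[username] = {
            "salt": salt,
            "digest": self._digest(salt, code),
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts_left": MAX_ATTEMPTS,
        }
        self._send_sms(registered_number, f"Your e-learning login keyword: {code}")

    def verify(self, username, submitted):
        record = self._pending.get(username)
        if record is None:
            return "no-challenge"
        if self._clock() > record["expires"]:
            del self._pending[username]
            return "expired"
        candidate = self._digest(record["salt"], submitted)
        if hmac.compare_digest(candidate, record["digest"]):  # constant-time compare
            del self._pending[username]                       # single use: no replay
            return "ok"
        record["attempts_left"] -= 1
        if record["attempts_left"] == 0:
            del self._pending[username]                       # stop online guessing
            return "locked"
        return "wrong"


def demo():
    outbox, now = [], [1_000.0]   # captured messages and a controllable clock
    auth = SmsKeywordAuthenticator(lambda number, text: outbox.append((number, text)),
                                   clock=lambda: now[0])
    number = "+00-000-0000-0000"  # constructed placeholder number

    def request_code():
        auth.start_login("student01", number)
        return outbox[-1][1].rsplit(" ", 1)[1]

    results = []
    code = request_code()
    results.append(auth.verify("student01", code))   # correct keyword
    results.append(auth.verify("student01", code))   # replay of a used keyword
    code = request_code()
    wrong = "000000" if code != "000000" else "111111"
    results += [auth.verify("student01", wrong) for _ in range(MAX_ATTEMPTS)]
    code = request_code()
    now[0] += CODE_TTL_SECONDS + 1
    results.append(auth.verify("student01", code))   # correct but too late
    return results


if __name__ == "__main__":
    print(demo())
```
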
IX. CONCLUSION
Some aspects of e-learning systems often experience security vulnerabilities, including those related to the user's privacy or the leakage of individual privacy [16]. Next is the data integrity vulnerability in the content, and finally the vulnerability on the application side of the website, because generally e-learning systems are website-based applications. The types of attacks carried out by hackers can be divided into two types: active attacks and passive attacks. Some treatments can be applied to limit these attacks. Against user privacy attacks, the authentication process must be strengthened. Furthermore, if there is a content attack, an example of handling is implementing Digital Right Management (DRM) to protect the content from violations of digital IPR. Then, if there is an attack on a website application, the security side of the website must be strengthened, such as by the use of firewalls and VPNs to ensure confidentiality and integrity in the e-learning system.
REFERENCES
[1] C. Savulescu, D.I. Cosmin, Z. Polkowski, and B.C. Elena, "Security in e-learning systems", Electronics, Computers and Artificial Intelligence (ECAI) International Conference, pp. WE-19–WE-24, 2015.
[2] S. Mandala, A.H. Abdullah, and A.S. Ismail, "A Survey of E-learning Security", International Conference on ICT for Smart Society, pp. 1-6, 2013.
[3] H. A Majid, M. A. Majid, M.I. Ibrahim, W.N. Safawati Wan, and M.R. Ramli, "Investigation of Security Awareness on e-learning System Among Lecturers and Students in Higher Education Institution", International Conference on Computer, Communication, and Control Technology (I4CT), pp. 216-220, 2015.
[4] M.A. Helmiawan, "KEAMANAN E-LEARNING MENGGUNAKAN METODE SQUARE (Studi Kasus STMIK Sumedang)", www.academia.edu, 20 March 2013 [online]. Available at: https://www.academia.edu/18056542/KEAMANAN_E-LEARNING_MENGGUNAKAN_METODE_SQUARE [accessed 30 November 2016].
[5] T. Ayodele, C.A. Shoniregun, and G. Akmayeva, "Towards E-learning Security: A Machine Learning Approach", International Conference on Information Society (i-Society), pp. 490-492, 2011.
[6] N.H.M. Alwi and I.S. Fan, "Information Security Management in E-learning", International Conference for Internet Technology and Secured Transactions (ICITST), pp. 1-6, 2009.
[7] H.F. Aldheleai, M.U. Bokhari, and H.S.A. Hamatta, "User Security in E-learning System", International Conference on Communication Systems and Network Technologies, pp. 767-770, 2015.
[8] G.E. Violettas, T.L. Theodorou, and G.C. Stephanides, "E-learning Software Security Tested for Security Vulnerabilities & Issues", International Conference on e-learning "Best Practices in Management, Design and Development of e-Courses: Standards of Excellence and Creativity", pp. 233-240, 2013.
[9] G. Kambourakis, D.-P. N. Kontoni, A. Rouskas, and S. Gritzalis, "A PKI approach for deploying modern secure distributed e-learning and m-learning environments", Computers & Education, vol. 48, no. 1, pp. 1-16, 2007.
[10] Z. Sajjadi, A.A. Khodami, N. Modiri, "Learning Contents Integrity verification on E-learning Systems Using Digital Watermarking Technique", International Conference on Information and Communication Technologies: From Theory to Applications, pp. 1-3, 2008.
[11] M. Serrhini, A. Dargham, A.A. Moussa, "Improve security of web Browser with stand-alone e-learning awareness application", International Conference on Multimedia Computing and Systems, pp. 852-857, 2012.
[12] Rostami, M. A., & Balmaki, B. (2018). Biostratigraphy and Paleoecology of Maastrichtian and Paleocene Sediments in the Northern Alborz, Iran, Using Foraminifera. International Journal of Geography and Geology, 7(3), 56-72.
[13] Saberi, A. R. (2013). Growth Analysis of Forage Sorghum (Sorghum Bicolor L) Varieties under Varying Salinity and Irrigation Frequency. The International Journal of Biotechnology, 2(7), 130-140.
[14] Saberi, A. R. (2013). Nutrient Concentration of Forage Sorghum (Sorghum Bicolor L) Varieties Under Influenced Of Salinity and Irrigation Frequency. The International Journal of Biotechnology, 2(10), 163-170.
[15] S. Ahmed, K. Buragga, A.K. Ramani, "Security Issues Concern for E-learning by Saudi Universities", International Conference on Advanced Communication Technology (ICACT), pp. 1579-1582, 2011.
[16] Resa Pramudita, "Simulation of Low Noise Amplifier (LNA) of GEOS Satellite Signal Receiver for Mobile Terminal Satellite Application at S-Band Frequency", Universal Journal of Electrical and Electronic Engineering 6.2A (2019) 22-28. doi: 10.13189/ujeee.2019.061305.
[17] R. Pramudita, F I Hariadi, A S Achmad, "Development of IoT authentication mechanisms for microgrid applications", International Symposium on Electronics and Smart Devices (ISESD), pp. 12-17, 2017.
[18] AC Swastika, R Pramudita, R Hakimi, "IoT-based smart grid system design for smart home", 3rd International Conference on Wireless and Telematics (ICWT), pp. 49-53, 2017.
[19] Jabarullah, N.H. and Hussain, H.I. (2019) The Effectiveness of Problem-Based Learning in Technical and Vocational Education in Malaysia, Education + Training, 61 (5), 552-567.