IJIEEB Vol. 8, No. 2, 8 Mar. 2016
Cover page and Table of Contents: PDF (size: 665KB)
SQL Injection Attack, Hot Query Bank, Web Application, AMNESIA, SQLGuard, Parallel-SQLIA Detectors
An SQL injection attack compromises the interactive web based applications, running database in the backend. The applications provide a form to accept user input and convert it into the SQL statement and fire the same to the database. The attackers change the structure of SQL statement by manipulating user inputs. The existing static and dynamic SQLIA detectors are being used for accurate detection of SQL injection, but it ignores the efficiency of the system. These detectors repeatedly verify the same queries inside the system, which causes unnecessary wastages of system resources. This paper contains the design approach of a parallel algorithm for the detection of SQL injection. The Algorithm uses the concept of Hot Query Bank (HQB) to cooperate with the existing SQLIA detectors (e.g. AMNESIA, SQLGuard, etc) and enhances the system performance. It simply keeps the information of previously verified queries in order to skip the verification process on the next appearance. The system performance has been observed by conducting a series of experiments on multi core processors. The experimental results have shown that parallel-SQLIA detector is 65% more efficient in term of time complexity. Further this design can be implemented in real web application environment; and the design interface can be standardized to cooperate with web application and the SQLIA detectors.
Pankaj Kumar, C.P. Katti, "A Parallel-SQLIA Detector for Web Security", International Journal of Information Engineering and Electronic Business(IJIEEB), Vol.8, No.2, pp.66-75, 2016. DOI:10.5815/ijieeb.2016.02.08
[1]OWASP Top Ten Project. Owasp top 10 application security risks, 2010.
[2]W.G. Halfond,J. Viegas, and A. Orso, “A classification of SQL-injection attacks and countermeasures,” In Proc.of the IEEE Intl .Symp. on Secure Software Engineering, Mar 2006.
[3]C. A. Mackay (Jan 2005), SQL Injection Attacks and Some Tips on How to Prevent Them [Online]. Available: http://www.codeproject.com/cs/database/SQlInjectionAttacks.asp.
[4]G. Buehrer, B. W.Weide, and P. A. G. Sivilotti, “Using parse tree validation to prevent SQL injection attacks,” In Proc. of the 5th intl. Workshop on Software engineering and middleware, SEM ’05, New York, NY, USA, pp.106–113, 2005.
[5]W. G. Halfond and A. Orso, “AMNESIA: Analysis and monitoring for neutralizing SQL-injection attacks,” In Proc. of the IEEE and ACM Intel. Conf. on Automated Software Engineering (ASE 2005), Long Beach, CA, USA, Nov 2005.
[6]S.W. Boyd and A.D. Keromytis, “SQLrand: Preventing SQL injection attacks,” In Proc. of the 2nd Applied Cryptography and Network Security (ACNS’04) Conference, pp. 292-302, Jun 2004.
[7]Z. Su, and G. Wassermann, “The essence of command injection attacks in web application,” In ACM Symposium on Principles of Programming Languages (POPL’2006), Jan 2006.
[8]Y.W. Huang, F. Yu, C. Hang, C.H. Tsai, D.T. Lee, and S.Y Kuo, “Securing web application code by static analysis and runtime protection,” In Proc. of the 13th Intl. Conf. on World Wide Web, New York, pp. 40-52, 2004.
[9]M. Martin, B. Livshits and M. S. Lam, ”Finding application error and security flaws using PQL: A program query language,” In Proc. of the 20th annual ACM SIGPLAN conference on Object oriented programming systems, languages and applications (OOPSLA 2005), pp. 365-383, 2005.
[10]R.A. McClure, and I.H. Kruger, “SQL DOM: Compile time checking of dynamic SQL statements,” In Proc. of the 27th Intl. Conf. on Software Engineering (ICSE 2005),nos. 15-21, pp. 88-96, May 2005.
[11]P. Bisht, P. Madhusudan, and V.N. Venkatakrishnan, “CANDID: Dynamic candidate evaluations for automatic prevention of SQL injection attacks,” ACM Transactions on Information and System Security, vol. 13, no. 2, 2010.
[12]S. Ali, S.K. Shahzad, and H. Javed, “SQLIPA: An authentication mechanism against SQL injection,” European Journal of Scientific Research, vol. 38, no. 4, pp. 604-621, 2009.
[13]M. Junjin, “An approach for SQL injection vulnerability detection,” In Proc. of the 6th Intl. Conf. on Information Technology: New Generations 2009 (ITNG’09), nos. 27-29, pp. 1411-1414, Apr 2009.
[14]Y.C. Chang,M.C. Wu, Y.C. Chen, W.K. Chang, “A hot query bank approach to improve detection performance against SQL injection attacks,” Computers& Security, vol. 31, no. 2, pp. 233-248, Mar 2012.
[15]D. Guo, J. Wu, H. Chen, Y. Yuan, and X. Luo, “The dynamic bloom filters, ”IEEE Transaction on Knowledge and Data Engineering, vol. 22, no. 1, pp.120-133, Jan 2010.