Advertisement

International Journal of Information Security

, Volume 18, Issue 1, pp 1–22 | Cite as

Defeating SQL injection attack in authentication security: an experimental study

  • Debasish DasEmail author
  • Utpal Sharma
  • D. K. Bhattacharyya
Regular Contribution
  • 491 Downloads

Abstract

Whenever web-application executes dynamic SQL statements it may come under SQL injection attack. To evaluate the existing practices of its detection, we consider two different security scenarios for the web-application authentication that generates dynamic SQL query with the user input data. Accordingly, we generate two different datasets by considering all possible vulnerabilities in the run-time queries. We present proposed approach based on edit-distance to classify a dynamic SQL query as normal or malicious using web-profile prepared with the dynamic SQL queries during training phase. We evaluate the dataset using proposed approach and some well-known supervised classification approaches. Our proposed method is found more effective in detecting SQL injection attack under both the scenarios of authentication security.

Keywords

Web-application SQL injection Naive Bayes SVM Tree-based Edit-distance Classification 

References

  1. 1.
    MITRE/SANS: A vulnerability report. In: Top 25 most Dangerous Software Errors, MITRE Corporation Inc. (2011)Google Scholar
  2. 2.
    CISCO: SQL injection attacks a growing menace. In: CISCO Worldwide Reports, SPAM fighter Products 2003-2011. http://www.spamfighter.com/News-15078-SQL-Injection-Attacks-A-Growing-Menace.htm (2010)
  3. 3.
    Shar, L., Tan, H.B.K.: Defeating SQL injection. IEEE Comput. J. Mag. 46(3), 69–77 (2013)CrossRefGoogle Scholar
  4. 4.
    Su, Z., Wassermann, G.: The essence of command injection attacks in web application. In: In the 33rd Annual Symposium on Principles of Programming Languages, pp. 372–382 (2006)Google Scholar
  5. 5.
    Bisht, P., Madhusudan, P., Venkatakrishnan, V.N.: Dynamic candidate evaluations for automatic prevention of SQL injection attacks. ACM Trans. Inf. Syst. Secur. 13(14), 14–38 (2010)Google Scholar
  6. 6.
    Liu, A., Yuan, Y., Wijesekera, D., Stavrou, A.: SQLProb: A proxy-based architecture towards preventing SQL injection attacks. In: Proceedings of the 2009 ACM Symposium on Applied Computing. http://dl.acm.org/citation.cfm?id=1529737, ACM Digital Library, pp. 2054–2061 (2009)
  7. 7.
    Jovanovic, N., Kruegel, C., Kirda, E.: Pixy: a static analysis tool for detecting web application vulnerabilities. In: IEEE Symposium on Security and Privacy. http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=1624016, IEEE Explore, pp. 263–268 (2006)
  8. 8.
    Martin, M., Livshits, B., Lam, M.S.: Finding application errors and security flaws using PQL: a program query language. In: OPSLA ’05 Proceedings of the 20th Annual ACM SIGPLAN conference. http://dl.acm.org/ftgateway.cfm?id=1094840&type=pdf&CFID=268059182&CFTOKEN=41307654. ACM Digital Library (2005)
  9. 9.
    Le, H.T., Loh, P.K.K.: Identification of performance issues in contemporary black-box web application scanners in SQLI. In: Latest Advances in Information Science and Applications. Computer Security Laboratory, Nanyang Technological University, Singapore. http://www.wseas.us/e-library/conferences/2012/Singapore/ACCIDS/ACCIDS-34.pdf
  10. 10.
    Pietraszek, T., Berghe, D.V.: Defending against injection attack through contex-sensitive string evaluation. In: Proceedings of Recent Advances in Intrusion Detection. http://link.springer.com/chapter/10.1007/11663812-7. LNCS, pp. 124–145
  11. 11.
    Halfond, W.G., Orso, A., Manolios, P.: Using positive tainting and syntax-aware evaluation to counter SQL injection attacks. In: SIGSOFT’06/FSE-14, Portland Oregon, USA, ACM Digital Library, pp. 175–185 (2006)Google Scholar
  12. 12.
    Levenshtein, V.I.: Binary codes capable of correcting deletions, insertions, and reversals. In: Soviet Physics Doklady. Volume 10. The Smithsonian/NASA Astrophysics Data System. http://www.scribd.com/doc/18654513/levenshtein
  13. 13.
    Pop, I.: An approach of the Naive Bayes classifier for the document classification. Gen. Math. 14(4), 135138 (2006)MathSciNetGoogle Scholar
  14. 14.
    John, G.H., Langley, P.: Estimating continuous distributions in Bayesian classifiers. In: UAI’95 Proceedings of the Eleventh Conference on Uncertainty in Artificial Intelligence (1995)Google Scholar
  15. 15.
    Cortes, C., Vapnik, V.: Support-vector networks. Mach. Learn. 20, 273–297 (1995)zbMATHGoogle Scholar
  16. 16.
    MathWorks-India: Classify using support vector machine-matlab. http://www.mathworks.in/help/bioinfo/ref/svmclassify.html (2008)
  17. 17.
    Soot:: A java optimization framework. http://www.sable.mcgill.ca/soot/
  18. 18.
    Kang, J., Kim, J., Park, C., Park, H., Lee, J.: A multi channel architecture for high-performance nand flash-based storage system. J. Syst. Arch. 53(9), 644–658 (2007)Google Scholar

Copyright information

© Springer-Verlag GmbH Germany 2017

Authors and Affiliations

  • Debasish Das
    • 1
    Email author
  • Utpal Sharma
    • 1
  • D. K. Bhattacharyya
    • 1
  1. 1.Department of Computer Science and EngineeringTezpur UniversityTezpurIndia

Personalised recommendations