Abstract
The database stores important information about the user, which makes it a core part of the website. Therefore, database injection has become a serious cyber-attack. Traditional database injection defenses are passive defenses, which cannot detect a new vulnerability before it is exposed. The Moving Target Defense (MTD) method that emerged in recent years has become a breakthrough for solving this problem. This paper establishes a model to verify the feasibility of applying dynamic defense to database injection defense. It first introduces the related concepts of SQL injection (SQLI) and MTD, then builds models to compare the attack surface of the traditional static defense model with that of an MTD model. It is concluded that, under certain conditions, the dynamic defense model has a smaller attack surface, which indicates stronger defense ability.
Notes
1. The following uses the word “docker” to refer to the “containerization technology”.
Acknowledgments
This work is partially supported by CERNET innovation Project (NGII20180407).
Copyright information
© 2019 Springer Nature Switzerland AG
Cite this paper
Feng, K., Gu, X., Peng, W., Yang, D. (2019). Moving Target Defense in Preventing SQL Injection. In: Sun, X., Pan, Z., Bertino, E. (eds) Artificial Intelligence and Security. ICAIS 2019. Lecture Notes in Computer Science, vol 11635. Springer, Cham. https://doi.org/10.1007/978-3-030-24268-8_3
DOI: https://doi.org/10.1007/978-3-030-24268-8_3
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-24267-1
Online ISBN: 978-3-030-24268-8
eBook Packages: Computer Science (R0)