An Efficient Approach Toward Security of Web Application Using SQL Attack Detection and Prevention Technique

  • Conference paper
Inventive Computation and Information Technologies

Part of the book series: Lecture Notes in Networks and Systems ((LNNS,volume 336))

Abstract

SQL injection attacks are widely used by attackers because they are simple to carry out and highly flexible. The proposed methodology detects and prevents malicious SQL queries using a support vector machine (SVM). The model is first trained on a set of known malicious strings and then tested on unseen scripts. Prevention of the web application against malicious SQL strings is performed with a string analyzer and dynamic candidate evaluation. The string analyzer is a grammar-based algorithm that locates the context of the string using a regular grammar. Dynamic candidate evaluation identifies malicious scripts at runtime through a review policy network: it first generates the parse tree of the input query and then analyzes each node of the tree. The study also measures how detection time varies with accuracy. For the prevention system, the prevention rate is calculated as the ratio of prevented attack queries to the total number of input queries. The accuracy of the model is good and its fault rate is minimal.
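The dynamic candidate evaluation stage described in the abstract can be shown on its own, without the SVM stage: the query the application actually issues is compared against a candidate built from the same template with benign inputs of the same length, and any difference in structure is treated as an injection. The following is an added example written for this page, not the authors' code. It stands in for the parse-tree comparison with a token-class skeleton, and the tokenizer, the `build_query` template helper, the `KEYWORDS` set and the sample login/lookup queries are all constructed here for illustration.

```python
"""Dynamic candidate evaluation for SQL injection (added example, not the paper's code).

The real query is compared with a candidate built from the same template and benign
inputs of equal length. Instead of a full parse tree, a token-class skeleton is used:
keywords and operators keep their text, identifiers and literals collapse to a class.
A skeleton mismatch means user input changed the query structure. All names and
sample data below are constructed for this example.
"""
import re
from typing import Dict, List, Tuple

# Keywords that shape a query; any other alphabetic token is treated as an identifier.
KEYWORDS = {
    "select", "from", "where", "and", "or", "not", "union", "insert", "into",
    "values", "update", "set", "delete", "drop", "table", "like", "in", "is",
    "null", "order", "by", "limit", "group", "having",
}

# Token classes; '' inside a string literal is the SQL escape for a single quote.
TOKEN_RE = re.compile(
    r"""
      (?P<ws>\s+)
    | (?P<comment>--[^\n]*|\#[^\n]*|/\*.*?\*/)
    | (?P<string>'(?:[^']|'')*')
    | (?P<number>\d+(?:\.\d+)?)
    | (?P<word>[A-Za-z_][A-Za-z0-9_]*)
    | (?P<op><>|<=|>=|!=|\|\||.)
    """,
    re.VERBOSE | re.DOTALL,
)

Token = Tuple[str, str]  # (class, text)


def tokenize(sql: str) -> List[Token]:
    """Split SQL text into classified tokens; a lone quote is an unterminated string."""
    tokens: List[Token] = []
    for m in TOKEN_RE.finditer(sql):
        kind, text = m.lastgroup, m.group()
        if kind == "ws":
            continue
        if kind == "word" and text.lower() in KEYWORDS:
            kind = "keyword"
        elif kind == "op" and text == "'":
            kind = "unterminated"
        tokens.append((kind, text))
    return tokens


def skeleton(sql: str) -> List[str]:
    """Structural shape of a query, the part a parse-tree comparison would look at."""
    return [f"{k}:{t.lower()}" if k in ("keyword", "op") else k for k, t in tokenize(sql)]


def benign_candidate(user_input: str) -> str:
    """Harmless stand-in of the same length; digit-only input gets a numeric stand-in
    so an unquoted numeric parameter keeps its token class (a simplification)."""
    return ("1" if user_input.isdigit() else "a") * len(user_input)


def build_query(template: str, inputs: List[str]) -> str:
    """Simulates the vulnerable application: raw inputs concatenated into the query."""
    return template.format(*inputs)


def is_injection(template: str, inputs: List[str]) -> bool:
    """True when the real query's structure differs from the benign candidate's."""
    real = build_query(template, inputs)
    candidate = build_query(template, [benign_candidate(i) for i in inputs])
    return skeleton(real) != skeleton(candidate)


# Constructed sample workload: (template, user inputs, is_attack).
LOGIN = "SELECT id FROM users WHERE name = '{}' AND pw = '{}'"
BY_ID = "SELECT * FROM items WHERE id = {}"
SAMPLES = [
    (LOGIN, ["alice", "s3cret"], False),
    (LOGIN, ["o''brien", "pw"], False),        # legitimately escaped quote in data
    (LOGIN, ["bob", "pass word"], False),      # whitespace inside data
    (BY_ID, ["42"], False),
    (LOGIN, ["admin' --", "x"], True),         # comments out the password check
    (LOGIN, ["' OR '1'='1", "' OR '1'='1"], True),
    (LOGIN, ["a", "' UNION SELECT pw FROM users --"], True),
    (BY_ID, ["42 OR 1=1"], True),
    (BY_ID, ["1; DROP TABLE items --"], True),
]


def evaluate(samples) -> Dict[str, float]:
    """Confusion counts plus the abstract's metric: prevented attacks / all input queries."""
    tp = fp = fn = tn = 0
    for template, inputs, is_attack in samples:
        flagged = is_injection(template, inputs)
        tp += flagged and is_attack
        fp += flagged and not is_attack
        fn += (not flagged) and is_attack
        tn += (not flagged) and not is_attack
    return {"tp": tp, "fp": fp, "fn": fn, "tn": tn,
            "prevented_ratio": tp / len(samples),
            "recall": tp / max(tp + fn, 1),
            "false_positive_rate": fp / max(fp + tn, 1)}


if __name__ == "__main__":
    for template, inputs, is_attack in SAMPLES:
        print("ATTACK " if is_injection(template, inputs) else "allowed", inputs)
    print(evaluate(SAMPLES))
```

The candidate must be built from the same template the application uses, which is why CANDID instruments the application rather than inspecting queries in isolation; on the constructed workload above, the escaped quote in `o''brien` and the space in `pass word` stay within one string literal, while every attack adds keywords, operators or a comment and so changes the skeleton.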

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.

About this paper

Cite this paper

Bharati, V., Kumar, A. (2022). An Efficient Approach Toward Security of Web Application Using SQL Attack Detection and Prevention Technique. In: Smys, S., Balas, V.E., Palanisamy, R. (eds) Inventive Computation and Information Technologies. Lecture Notes in Networks and Systems, vol 336. Springer, Singapore. https://doi.org/10.1007/978-981-16-6723-7_58

  • DOI: https://doi.org/10.1007/978-981-16-6723-7_58

  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-16-6722-0

  • Online ISBN: 978-981-16-6723-7
