
SQLiDDS: SQL injection detection using document similarity measure

Published: 01 January 2016

Abstract

SQL injection attacks have been a major security threat to web applications for over a decade. Nowadays, attackers use automated tools to discover vulnerable websites through search engines and launch attacks on multiple websites simultaneously. Because the attacks are extremely heterogeneous, accurate run-time detection of SQL injection attacks, particularly those not seen before, remains a challenge for the regular-expression and parse-tree matching techniques suggested in the literature. In this paper, we present a novel approach for real-time detection of SQL injection attacks that applies a document similarity measure to run-time queries after normalizing them into a sentence-like form. The proposed approach acts as a database firewall and can protect multiple web applications that use the same database server. With additional input from a human expert, the system can also become more robust over time. We implemented the approach in a tool named SQLiDDS, and the experimental results are very encouraging. The approach can effectively detect all types of SQL injection attacks, including previously unseen ones, with substantial accuracy and negligible impact on the overall performance of web applications. The tool was built with PHP and tested on web applications built with PHP and MySQL, but it can be adapted to other platforms with minimal changes.
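The abstract describes two steps, normalizing each run-time query into a sentence-like form and then scoring it with a document similarity measure against known attacks, but the page does not show either step. The following Python sketch is an added example, not the SQLiDDS implementation or any code from the paper. The symbol-to-word mapping, the collapsing of literals to `lit` and non-keyword identifiers to `idn`, the bigram containment measure, the 0.75 threshold, the `SimilarityFirewall` class, and all sample queries are assumptions chosen for illustration. The `learn()` method stands in for the human-expert feedback the abstract mentions: an expert confirms a missed query and adds its injected portion to the corpus.

```python
import re

# Added example, not the paper's implementation. Every rule below (symbol words,
# literal/identifier collapsing, the containment measure, the threshold and the
# sample queries) is an assumption made for illustration.

# Symbols are spelled out as words so a query reads like a sentence (assumed map).
SYMBOL_WORDS = {
    "'": "sqt", '"': "dqt", "(": "lpar", ")": "rpar", "=": "eq", "<": "lt",
    ">": "gt", ";": "semi", ",": "comma", "--": "dcom", "#": "hash",
    "/*": "ocom", "*/": "ccom", "*": "star", "+": "plus", "%": "pct", ".": "dot",
}

# SQL keywords survive normalization; any other identifier becomes the word "idn",
# so table and column names cannot dominate the similarity score.
KEYWORDS = {
    "select", "from", "where", "and", "or", "not", "union", "all", "insert",
    "into", "values", "update", "set", "delete", "null", "like", "in", "is",
    "as", "order", "by", "group", "having", "limit", "join", "on", "exists",
    "between", "distinct", "case", "when", "then", "else", "end",
}

# Group 1: quoted string, group 2: number, group 3: comment marker, word or symbol.
# Multi-character symbols come first so "--" is not split into two "-" tokens.
_TOKEN_RE = re.compile(
    r"""('(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*")
      | (0[xX][0-9a-fA-F]+|\d+(?:\.\d+)?)
      | (--|/\*|\*/|[A-Za-z_][A-Za-z0-9_]*|\S)""",
    re.VERBOSE,
)
_IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def normalize(query: str) -> list[str]:
    """Turn a raw SQL query into its sentence: a list of lowercase words.

    String and numeric literals both become "lit", so a numeric tautology and a
    string tautology read the same; an unbalanced quote falls through to "sqt".
    """
    words = []
    for string_lit, num_lit, other in _TOKEN_RE.findall(query):
        if string_lit or num_lit:
            words.append("lit")
        elif other in SYMBOL_WORDS:
            words.append(SYMBOL_WORDS[other])
        elif _IDENT_RE.fullmatch(other):
            low = other.lower()
            words.append(low if low in KEYWORDS else "idn")
        else:
            words.append(other)  # unmapped symbol, kept verbatim
    return words


def bigrams(words: list[str]) -> set[str]:
    """Word bigrams ("phrases") of a sentence; a one-word sentence is its own phrase."""
    if len(words) < 2:
        return set(words)
    return {f"{a} {b}" for a, b in zip(words, words[1:])}


def containment(pattern: list[str], query: list[str]) -> float:
    """Fraction of the pattern's phrases that occur in the query (assumed measure).

    Deliberately asymmetric: a short attack sentence embedded in a long, otherwise
    benign query should still score high, which cosine over the whole query would
    dilute. Returns a value in [0, 1].
    """
    p, q = bigrams(pattern), bigrams(query)
    return len(p & q) / len(p) if p else 0.0


class SimilarityFirewall:
    """Scores each run-time query against a corpus of known attack sentences."""

    def __init__(self, attack_fragments: list[str], threshold: float = 0.75):
        # Corpus entries are the injected portions of previously seen queries,
        # already normalized; the threshold is a tunable assumption.
        self.corpus = [normalize(f) for f in attack_fragments]
        self.threshold = threshold

    def score(self, query: str) -> float:
        """Highest containment of any corpus sentence in the query's sentence."""
        sentence = normalize(query)
        return max((containment(p, sentence) for p in self.corpus), default=0.0)

    def is_attack(self, query: str) -> bool:
        return self.score(query) >= self.threshold

    def learn(self, confirmed_fragment: str) -> None:
        """Human-expert feedback: add the injected portion of a confirmed attack."""
        self.corpus.append(normalize(confirmed_fragment))


# Constructed sample corpus: injected portions as they appear in the final query.
ATTACK_SAMPLES = ["1 OR 1=1", "1 UNION SELECT 1, 2", "1; SELECT 1 --"]

if __name__ == "__main__":
    fw = SimilarityFirewall(ATTACK_SAMPLES)
    for q in ["SELECT id, name FROM users WHERE id = 42 AND active = 1",
              "SELECT * FROM orders WHERE status = 'open' OR owner = 'bob'",
              "SELECT * FROM users WHERE name = '' OR 'a'='a'"]:
        print(f"{fw.score(q):.2f} {'ATTACK' if fw.is_attack(q) else 'ok'}  {q}")
```

Two design points are worth noting. A legitimate `WHERE a = 'x' OR b = 'y'` shares the phrases `eq lit` and `lit or` with the tautology sample and scores 0.5, below the threshold; the sample's `or lit` and `lit eq` phrases are what a real tautology adds, so the margin comes from phrase structure rather than from keywords. When the expert adds a missed attack with `learn()`, adding only the injected portion keeps the corpus focused; adding the whole query would let any benign query built from the same template inherit most of its phrases and push it over the threshold.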


    Published In

    Journal of Computer Security  Volume 24, Issue 4
    2016
    134 pages

    Publisher

    IOS Press

    Netherlands

    Author Tags

    1. SQL injection detection
    2. query normalization
    3. document similarity
    4. database firewall
    5. phrase similarity

    Qualifiers

    • Research-article
