Abstract
With the development of network technology, database-driven web applications (apps) provide flexible, convenient, available, and varied services to users. Users send requests to these web apps through a browser over the Internet to obtain services such as e-commerce, entertainment, and financial services. Although web environments have several advantages, various security threats have been described. Among these threats, the SQL injection attack (SQLIA) is one of the most serious. SQLIA is a code injection attack that exploits security vulnerabilities in application source code to attack databases. SQLIA allows attackers to bypass authentication, access private information, modify data, and even destroy databases. Since much of the sensitive and confidential data stored in databases must be kept private and secure, a mechanism to detect SQLIAs in web environments is necessary. In this paper, we define a framework named DSD (Dynamic SQLIAs Detection) to counter SQLIAs in web environments. Then, a concrete detection mechanism based on DSD is proposed to detect SQLIAs using parse trees. The experimental results demonstrate that our mechanism has higher accuracy and lower false positive and false negative rates.
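A worked illustration of the parse-tree comparison the abstract describes, added here as an example; it is not the paper's DSD implementation. It assumes a toy SQL subset and a constructed login template: the tree of the query the application actually assembled is compared with the tree of the intended query (every parameter replaced by a harmless placeholder), and any structural difference (an extra OR branch, a trailing comment, a second statement) is reported as an injection.

```python
import re
# Tiny SQL tokenizer for a grammar subset (constructed for this example, not the paper's).
TOKEN_RE = re.compile(r"\s+|--[^\n]*|/\*.*?\*/|'(?:[^']|'')*'|\d+(?:\.\d+)?"
                      r"|[A-Za-z_]\w*|<>|<=|>=|!=|[=<>(),;*]", re.DOTALL)
KEYWORDS = {"SELECT", "FROM", "WHERE", "AND", "OR", "NOT", "UNION", "INSERT", "DELETE"}

def tokenize(sql):
    """Token kinds only: literals collapse to STR/NUM, so the result reflects structure, not values."""
    kinds, pos = [], 0
    while pos < len(sql):
        m = TOKEN_RE.match(sql, pos)
        if not m:
            raise ValueError(f"unexpected {sql[pos]!r} at offset {pos}")
        pos, t = m.end(), m.group(0)
        if not t.isspace():
            kinds.append("STR" if t[0] == "'" else "NUM" if t[0].isdigit()
                         else "COMMENT" if t[:2] in ("--", "/*") else t.upper()
                         if t.upper() in KEYWORDS else "ID" if t[0].isalpha() or t[0] == "_" else t)
    return kinds

def parse_where(kinds):
    """Recursive descent: expr := term (OR term)*; term := cmp (AND cmp)*; cmp := a op b."""
    pos = 0
    def take():
        nonlocal pos
        pos += 1
        return kinds[pos - 1] if pos <= len(kinds) else None
    def cmp_():
        return ("CMP", take(), take(), take())
    def chain(sub, kw):   # left-associative chain of `sub` nodes joined by keyword `kw`
        node = sub()
        while pos < len(kinds) and kinds[pos] == kw:
            take(); node = (kw, node, sub())
        return node
    cond = chain(lambda: chain(cmp_, "AND"), "OR")
    return cond, tuple(kinds[pos:])   # leftovers (comments, extra statements) are part of the shape

def query_tree(sql):
    kinds = tokenize(sql)
    i = kinds.index("WHERE") if "WHERE" in kinds else len(kinds)
    return ("STMT", tuple(kinds[:i + 1])) + parse_where(kinds[i + 1:])

def is_sql_injection(template, **params):
    """Tree of the query the app really built (string formatting, the vulnerable path) vs.
    tree of the intended query; placeholder "1" is STR when quoted and NUM when bare."""
    intended = query_tree(template.format(**{k: "1" for k in params}))
    try:
        return query_tree(template.format(**params)) != intended
    except ValueError:   # query no longer even tokenizes (e.g. an unbalanced quote)
        return True
```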
© 2015 Springer International Publishing Switzerland
Wu, TY., Pan, JS., Chen, CM., Lin, CW. (2015). Towards SQL Injection Attacks Detection Mechanism Using Parse Tree. In: Sun, H., Yang, CY., Lin, CW., Pan, JS., Snasel, V., Abraham, A. (eds) Genetic and Evolutionary Computing. Advances in Intelligent Systems and Computing, vol 329. Springer, Cham. https://doi.org/10.1007/978-3-319-12286-1_38
DOI: https://doi.org/10.1007/978-3-319-12286-1_38
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-12285-4
Online ISBN: 978-3-319-12286-1