Artificial Neural Network based Web Application Firewall for SQL Injection

Asaad Moosa

Commenced in January 2007

Frequency: Monthly

Edition: International

Paper Count: 32799

Artificial Neural Network based Web Application Firewall for SQL Injection

Authors: Asaad Moosa

Abstract:

In recent years with the rapid development of Internet and the Web, more and more web applications have been deployed in many fields and organizations such as finance, military, and government. Together with that, hackers have found more subtle ways to attack web applications. According to international statistics, SQL Injection is one of the most popular vulnerabilities of web applications. The consequences of this type of attacks are quite dangerous, such as sensitive information could be stolen or authentication systems might be by-passed. To mitigate the situation, several techniques have been adopted. In this research, a security solution is proposed using Artificial Neural Network to protect web applications against this type of attacks. The solution has been experimented on sample datasets and has given promising result. The solution has also been developed in a prototypic web application firewall called ANNbWAF.

Keywords: Artificial Neural Networks ANN, SQL Injection, Web Application Firewall WAF, Web Application Scanner WAS.

Digital Object Identifier (DOI): doi.org/10.5281/zenodo.1329474

Procedia APA BibTeX Chicago EndNote Harvard JSON MLA RIS XML ISO 690 PDF Downloads 5570

References:

[1] F. Ahmadi, Z. M. J. Valadan, H. Ebadi, and M. Mokhtarzade. "The Application Of Neural Networks, Image Processing And CAD-Based Environments Facilities In Automatic Road Extraction And Vectorization From High Resolution Satellite Images". The International Archives of the Photogrammetry, Remote Sensing and Spatial Information Sciences. Beijing, pp. 37, 2008.
[2] A. Alfantookh, "An automated universal server level solution for SQL injection security flaw". International Conference on Electrical, Electronic and Computer Engineering. pp. 131-135, 2004.
[3] C. Anley, "Advanced SQL Injection In SQL Server Applications". White Paper. Next Generation Security Software, 2002.
[4] C. Anley, "(more) Advanced SQL Injection". White Paper. Next Generation Security Software, 2002.
[5] C. Anley, "Hackproofing MySQL". White Paper. Next Generation Security Software, 2004.
[6] M. Becher, Web Application Firewalls, Applied Web applications security. Berlin, 2007.
[7] D. Endler, "The Evolution of Cross-Site Scripting Attacks". White Paper iDEFENSE Incorporation, 2002.
[8] M. Gavin, J.A. Mulligan, L. Koetzle, and S. Bernhardt, ModSecurity's Web Application Firewall Leads In Deployment Numbers But Lags In Usability. 2006, (Online) Available: http://www.forrester.com/Research/ Document/Excerpt/0,7211,39714,00.html
[9] W. G. J. Halfond, A. Orso, and P. Manolios, "WASP: Protecting Web Applications Using Positive Tainting and Syntax-Aware Evaluation". Software Engineering, IEEE Transactions. vol. 34, no. 1, pp. 65-81, 2008.
[10] S. Haykin, "Neural Networks, A Comprehensive Foundation". 2nd Edition. New Jersey, USA. Prentice-Hall Inc, 1999.
[11] T. Kubo, M. Obuchi, G. Ohashi, and Y. Shimodaira, "Image processing system for direction detection of an object using neural network". The 1998 IEEE Asia-Pacific Conference on Circuits and Systems. pp. 571- 574.
[12] Y. Loh, W. Yau, C. Wong, and W. Ho, "Design and Implementation of an XML Firewall". International Conference on Computational Intelligence and Security. pp. 1147-1150, 2006.
[13] O. Maor and A. Shulman, "SQL Injection Signature Evasions". White Paper. IMPERA Application Defense Center, 2004.
[14] O. Maor and A. Shulman, "Blind SQL Injection". Imperva. (Online) http://www.imperva.com/resources/adc/blind_sql_server_injection.html
[15] Mathworks, Matlab® The MathWorks™, (Online) Available: http://www.mathworks.com/
[16] F. Mavituna, "Fast Way to Extract Data From Error Based SQL Injection". Mavituna (Online) Available: http://ferruh.mavituna.com/ fast-way-to-extract-data-from-error-based-sql-injections-oku/
[17] F. Mavituna, "Fast Way to Extract Data From Error Based SQL Injection". Mavituna (Online) Available: http://ferruh.mavituna.com/ fast-way-to-extract-data-from-error-based-sql-injections-oku/
[18] F. Mavituna, "SQL Injection Cheat Sheet". Mavituna (Online) Available: http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/
[19] Breach Security, ModSecurity Open Source Web Application Firewall. (Online) Available: http://www.modsecurity.org/
[20] M. Moradi and M. Zulkernine, "A Neural Network Based System for Intrusion Detection and Classification of Attacks". Proceeding of the 2004 IEEE International Conference on Advances in Intelligent Systems - Theory and Applications. Luxembourg. pp.148-153.
[21] S. Mukkamala, G. Janoski, and A. Sung, "Intrusion detection using neural networks and support vector machines". Proceedings of the 2002 International Joint Conference on Neural Networks. pp. 1702-1707.
[22] M. Muthuprasanna, K. Wei, and S. Kothari, "Eliminating SQL Injection Attacks - A Transparent Defense Mechanism". Eighth IEEE International Symposium on Web Site Evolution. pp. 22-32, 2006.
[23] N-Stalker® N-Stalker Web Application Security Scanner. (Online) Available: http://www.nstalker.com
[24] Openwall Project, John the Ripper Password Cracker. (Online) Available: http://www.openwall.com/john
[25] OWASP, Top Ten 2007. (Online) Available: http://www.owasp.org/index.php/Top_10_2007
[26] OWASP, Top Ten 2010. (Online) Available: http://www.owasp.org/images/0/0f/OWASP_T10_-_2010_rc1.pdf
[27] J. Ryan, M. J. Lin, and R. Miikkulainen "Intrusion Detection with Neural Networks". Advances in Neural Information Processing Systems 10. Cambridge, MA: MIT Press, 1998.
[28] Securiteam, SQL Injection Walkthrough. (Online) Available: http://www.securiteam.com/securityreviews/5DP0N1P76E.html.
[29] C. Snake, XSS (Cross Site Scripting) Cheat Sheet. (Online) Available: http://ha.ckers.org/xss.html
[30] SunForums, Sun Forums. (Online) Available: http://forums.sun.com/index.jspa
[31] Technicalinfo, HTML Code Injection and Cross-site scripting. (Online) Available: http://www.technicalinfo.net/papers/CSS.html
[32] Unixwiz, SQL Injection Attacks by Example. (Online) Available: http://www.unixwiz.net/techtips/sql-injection.html
[33] M. Valeur, D. Mutz, and G. Vigna, "A Learning-Based Approach to the Detection of SQL Attacks". Conference on Detection of Intrusions and Malware & Vulnerability Assessment. 2005.
[34] M. C. Vittie, "SQL Injection Evasion Detection". White Paper. F5 Networks Inc. 2007.
[35] WASC, Web Hacking Incidents Database. (Online) Available: http://www.webappsec.org/projects/whid/
[36] WASC, Web Security Glossary. (Online) Available: http://www.webappsec.org/projects/glossary/
[37] K. Wei, M. Muthuprasanna, and S. Kothari, "Preventing SQL Injection Attacks in Stored Procedures". Australian Software Engineer Conference, Australia, 2006.
[38] The Perl Web Server Project. Type-O-Serve (Online) Available: http://perlwebserver.sourceforge.net/
[39] Microsoft Corporation, Intelligent Application Gateway. United States: Whale Communications, 2007.