Authors: Naghmeh Moradpoor Sheykhkanloo

Abstract:

Thousands of organisations store important and confidential information related to them, their customers, and their business partners in databases all across the world. The stored data ranges from less sensitive (e.g. first name, last name, date of birth) to more sensitive data (e.g. password, pin code, and credit card information). Losing data, disclosing confidential information or even changing the value of data are the severe damages that Structured Query Language injection (SQLi) attack can cause on a given database. It is a code injection technique where malicious SQL statements are inserted into a given SQL database by simply using a web browser. In this paper, we propose an effective pattern recognition neural network model for detection and classification of SQLi attacks. The proposed model is built from three main elements of: a Uniform Resource Locator (URL) generator in order to generate thousands of malicious and benign URLs, a URL classifier in order to: 1) classify each generated URL to either a benign URL or a malicious URL and 2) classify the malicious URLs into different SQLi attack categories, and a NN model in order to: 1) detect either a given URL is a malicious URL or a benign URL and 2) identify the type of SQLi attack for each malicious URL. The model is first trained and then evaluated by employing thousands of benign and malicious URLs. The results of the experiments are presented in order to demonstrate the effectiveness of the proposed approach.

Keywords: Neural Networks, pattern recognition, SQL injection attacks, SQL injection attack classification, SQL injection attack detection.

Digital Object Identifier (DOI): doi.org/10.5281/zenodo.1106929

Procedia APA BibTeX Chicago EndNote Harvard JSON MLA RIS XML ISO 690 PDF Downloads 2770

References:

[1] W. G. Halfond, J. Viegas, and A. Orso, “A Classification of SQLInjection Attacks and countermeasures”, in Proc. of the Internet Symposium on Secure Software Engineering (ISSSE 2006), Mar. 2006.
[2] R. Romil, R. Shailendra, "SQL injection attack Detection using SVM", in International Journal of Computer Applications, V.42, N.13, March 2012.
[3] C. Gould, Z. Su, and P. Devanbu, "JDBC checker: A static analysis tool for SQL/JDBC applications," 2004, pp. 697- 698.
[4] N. A. Lambert and K. Song Lin, “Use of Query Tokenization to detect and prevent SQL Injection Attacks”, IEEE, 2010.
[5] A. Srinivas, G. Narayan, S. Ram, “Random4: An Application Specific Randomized Encryption Algorithm to prevent SQL injection, in Trust, Security and Privacy in Computing and Communications (TrustCom)”, 2012 IEEE 11th International Conference, pp.no. 1327 – 133, 25-27 June 2012.
[6] V. Shanmughaneethi, C. Emilin Shyni and S. Swamynathan, “SBSQLID: Securing Web Applications with Service Based SQL Injection Detection” 2009 International Conference on Advances in Computing, Control, and Telecommunication Technologies, 978-0- 7695-3915-7/09, 2009 IEEE.
[7] K. Zhang, Ch. Lin, Sh. Chen, Y. Hwang, H. Huang, and F. Hsu, “TransSQL: A Translation and Validation-based Solution for SQLInjection Attacks”, First International Conference on Robot, Vision and Signal Processing, IEEE, 2011.
[8] W. G. Halfond and A. Orso, “AMNESIA: Analysis and Monitoring for NEutralizing SQL-Injection Attacks”, In Proceedings of the IEEE and ACM International Conference on Automated Software Engineering (ASE 2005), Long Beach, CA, USA, Nov 2005.
[9] R. McClure and I. Kruger, “SQL DOM: Compile Time Checking of Dynamic SQL Statements”, In Proceedings of the 27th International Conference on Software Engineering (ICSE 05), pages 88–96, 2005.
[10] Stephen W. Boyd, Angelos D. Keromytis, “SQLrand: Preventing SQL injection Attacks”.
[11] Y. Huang, S. Huang, T. Lin, and C. Tsai, “Web Application Security Assessment by Fault Injection and Behavior Monitoring”, In Proceedings of the 11th International World Wide Web Conference (WWW 03), May 2003.
[12] Z. Su and G. Wassermann, “The Essence of Command Injection Attacks in Web Applications”, In the 33rd Annual Symposium on Principles of Programming Languages (POPL 2006), Jan. 2006.
[13] Open Web Application Security Project (OWASP), available at: https://www.owasp.org/index.php/About_OWASP (retrieved: Dec, 2014).
[14] Open Web Application Security Project (OWASP) top 10, available at: https://www.owasp.org/index.php/Top_10_2013-Top_10 (retrieved: Dec, 2014).
[15] MATLAB R2014a, available at: http://www.mathworks.co.uk (retrieved: Dec, 2014).
[16] N. Moradpoor, “Employing Neural Networks for the Detection of SQL Injection Attack”, In The 7th conference on Security of Information and Networks (SIN2014), Sep 2014.
[17] Alexa, Bringing Information into Focus, available at: http://www.alexa.com/topsites/countries/GB (retrieved: Dec, 2014).
[18] Introduction to SQL, available at: http://www.w3schools.com/sql/sql_intro.asp (retrieved: June, 2015).