Research Article

A Proposed Architecture for Query Anomaly Detection and Prevention against SQL Injection Attacks

by T.K. George, Poulose Jacob
International Journal of Computer Applications
Foundation of Computer Science (FCS), NY, USA
Volume 137 - Number 7
Year of Publication: 2016
Authors: T.K. George, Poulose Jacob
10.5120/ijca2016908808

T.K. George, Poulose Jacob. A Proposed Architecture for Query Anomaly Detection and Prevention against SQL Injection Attacks. International Journal of Computer Applications. 137, 7 (March 2016), 11-14. DOI=10.5120/ijca2016908808

@article{ 10.5120/ijca2016908808,
author = { T.K. George, Poulose Jacob },
title = { A Proposed Architecture for Query Anomaly Detection and Prevention against SQL Injection Attacks },
journal = { International Journal of Computer Applications },
issue_date = { March 2016 },
volume = { 137 },
number = { 7 },
month = { March },
year = { 2016 },
issn = { 0975-8887 },
pages = { 11-14 },
numpages = {9},
url = { https://ijcaonline.org/archives/volume137/number7/24286-2016908808/ },
doi = { 10.5120/ijca2016908808 },
publisher = {Foundation of Computer Science (FCS), NY, USA},
address = {New York, USA}
}
%0 Journal Article
%1 2024-02-06T23:37:43.931900+05:30
%A T.K. George
%A Poulose Jacob
%T A Proposed Architecture for Query Anomaly Detection and Prevention against SQL Injection Attacks
%J International Journal of Computer Applications
%@ 0975-8887
%V 137
%N 7
%P 11-14
%D 2016
%I Foundation of Computer Science (FCS), NY, USA
Abstract

SQL injection is a predominant type of attack that targets web applications and databases. SQL injection bypasses the authentication logic and breaks the confidentiality of the database or manipulates its contents. It helps the attacker obtain unauthorized access to the back-end database. A vulnerability exists in a web application when it does not properly validate the data entered by the user in an input field. Vulnerability scanners aid in checking for vulnerabilities embedded in a web application and have the potential to test invalid forms of input query. However, their limitation lies in the reduction of system availability due to denial of service, especially in the case of false positives. In this paper, an approach that focuses on query-template-based detection of SQL injection attacks and reconstruction of queries is proposed. The proposed architecture can thus mitigate the denial of service and increase availability by potentially reconstructing malicious queries.
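The abstract describes detection by comparing the query a code path emits at runtime against the template that path is expected to produce, and reconstruction of queries that deviate so that the request can still be served. The Python below is an added example written for this page, not code from the paper or its authors. It derives a template by collapsing literals to `?` placeholders and case-folding words, flags a runtime query whose template differs from the one registered for its query site, and, as an assumed stand-in for the paper's reconstruction step (which the abstract does not detail), re-issues the registered template as a parameterised statement with the user's raw values bound. The tokenizer, the `QueryGate` class, the in-memory table and the sample inputs are all constructed here.

```python
import re
import sqlite3

# Tokenizer for a useful subset of SQL (assumption: enough for this demo, not a full grammar).
TOKEN_RE = re.compile(r"""
    (?P<string>'(?:[^']|'')*')        |   # single-quoted string literal ('' escapes a quote)
    (?P<number>\b\d+(?:\.\d+)?\b)     |   # numeric literal
    (?P<word>[A-Za-z_][A-Za-z0-9_]*)  |   # keyword or identifier
    (?P<comment>--[^\n]*|/\*.*?\*/)   |   # SQL comment (kept: an injected comment changes structure)
    (?P<op><=|>=|<>|!=|[=<>(),;*])    |   # operators and punctuation
    (?P<ws>\s+)
""", re.VERBOSE | re.DOTALL)


def tokenize(sql):
    """Split a statement into (kind, text) tokens; whitespace is dropped."""
    tokens, pos = [], 0
    while pos < len(sql):
        m = TOKEN_RE.match(sql, pos)
        if m is None:                       # unmatched char (e.g. a lone quote): keep it visible
            tokens.append(("other", sql[pos]))
            pos += 1
            continue
        if m.lastgroup != "ws":
            tokens.append((m.lastgroup, m.group()))
        pos = m.end()
    return tokens


def template(sql):
    """Collapse literals to '?' and case-fold words, keeping only the statement's structure."""
    out = []
    for kind, text in tokenize(sql):
        if kind in ("string", "number"):
            out.append("?")
        elif kind == "word":
            out.append(text.upper())
        else:
            out.append(text)
    return " ".join(out)


class QueryGate:
    """Registry of the template each query site is expected to produce (constructed for this example)."""

    def __init__(self):
        self.expected = {}

    def register(self, site, intended_sql):
        # The developer's intended query with sample literals yields the site's reference template.
        self.expected[site] = template(intended_sql)

    def is_anomalous(self, site, runtime_sql):
        # User data should only ever change literals, never the template.
        return template(runtime_sql) != self.expected[site]

    def reconstruct(self, site, values):
        # Assumption: reconstruction here means re-issuing the registered template as a
        # parameterised statement, so the request is served with the input bound as data.
        return self.expected[site], tuple(values)


def demo():
    gate = QueryGate()
    gate.register("login", "SELECT id FROM users WHERE username = 'u' AND password = 'p'")

    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice', 's3cret')")   # constructed sample row

    # Constructed inputs: a normal login, a tautology in the username, and a comment terminator.
    cases = [
        ("benign", "alice", "s3cret"),
        ("tautology", "' OR '1'='1", "x"),
        ("comment", "alice'--", "wrong"),
    ]
    results = {}
    for label, user, pw in cases:
        # The string-concatenated query the vulnerable application would have emitted.
        concatenated = f"SELECT id FROM users WHERE username = '{user}' AND password = '{pw}'"
        anomalous = gate.is_anomalous("login", concatenated)
        stmt, params = gate.reconstruct("login", [user, pw])
        rows = conn.execute(stmt, params).fetchall()
        results[label] = (anomalous, len(rows))
    return results


if __name__ == "__main__":
    for label, (anomalous, nrows) in demo().items():
        print(f"{label:10s} anomalous={anomalous} rows={nrows}")
```

Only the benign case keeps the registered template and returns the user's row; both malformed inputs change the token structure (an extra `OR ? = ?`, or a trailing comment token) and are flagged, yet the reconstructed parameterised statement still executes and simply returns no rows, which is the availability-preserving behaviour the abstract argues for.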

Index Terms

Computer Science
Information Sciences

Keywords

SQL Injection, Authentication, Vulnerability, Validation, Malicious, Reconstruct.