CFP last date
20 January 2025
Reseach Article

Rule based Detection of SQL Injection Attack

by Debasish Das, Utpal Sharma, D. K. Bhattacharyya
International Journal of Computer Applications
Foundation of Computer Science (FCS), NY, USA
Volume 43 - Number 19
Year of Publication: 2012
Authors: Debasish Das, Utpal Sharma, D. K. Bhattacharyya
10.5120/6210-8812

Debasish Das, Utpal Sharma, D. K. Bhattacharyya . Rule based Detection of SQL Injection Attack. International Journal of Computer Applications. 43, 19 ( April 2012), 15-24. DOI=10.5120/6210-8812

@article{ 10.5120/6210-8812,
author = { Debasish Das, Utpal Sharma, D. K. Bhattacharyya },
title = { Rule based Detection of SQL Injection Attack },
journal = { International Journal of Computer Applications },
issue_date = { April 2012 },
volume = { 43 },
number = { 19 },
month = { April },
year = { 2012 },
issn = { 0975-8887 },
pages = { 15-24 },
numpages = {9},
url = { https://ijcaonline.org/archives/volume43/number19/6210-8812/ },
doi = { 10.5120/6210-8812 },
publisher = {Foundation of Computer Science (FCS), NY, USA},
address = {New York, USA}
}
%0 Journal Article
%1 2024-02-06T20:33:49.026457+05:30
%A Debasish Das
%A Utpal Sharma
%A D. K. Bhattacharyya
%T Rule based Detection of SQL Injection Attack
%J International Journal of Computer Applications
%@ 0975-8887
%V 43
%N 19
%P 15-24
%D 2012
%I Foundation of Computer Science (FCS), NY, USA
Abstract

This paper presents an effective detection method RDUD for SQL injection attack. RDUD is an enhanced version of DUD [1]. The method comprises a supervised machine learning approach using a Support Vector Machine(SVM) to learn and to classify a query at runtime. Two web profiles - (i) legitimate web profile and (ii) attack web profile are generated for each of the web-application software which consists of a set of production rules extracted from the dynamic SQL queries. Both the web profiles are generated during training phase. At runtime a dynamic SQL query is matched with each of the web profile and accordingly it classify based on the matching distance. RDUD is independent of the developer's initialization of syntax rules, valid trusted string database, static or pre-generated program code checking, etc. Also the method is significant in view of its simplicity, efficient and its high detection rate in comparison to the earlier method [1].

References
  1. Debasish das, Utpal Sharma & D. K. Bhattacharyya. An approach to detection of SQL injection attack based on dynamic query matching. International Journal of Computer Applications, 1(25), 2010.
  2. Common Weakness Enumeration. 2011 cwe/sans top 25 most dangerous software errors. MITRE Corporation, http://cwe. mitre. org/top25/#Listing, 2011.
  3. SPAM fighter products 2003-2011, CISCO Worldwide. A growing menace. http://spamfighter. com/News-15078-Sql-Injection-Attacks-A-Growing-Menace. htm, 2010. reports Forman, G. 2003. An extensive empirical study.
  4. Reports from Information System and Audit Cell(Indian Bank), Chennai(INDIA). Audit report for Core banking/net banking/ mobile banking/ atm/ data center/ d r site/ networking infrastructure and other integrated systems.
  5. Z. Su and G. Wassermann. The essence of command injection attacks in web application. In the 33rd Annual Symposium on Principlas of Programming Languages, pages 372-382, January 2006.
  6. P. Madhusudan, Prithvi Bisht and V. N. Venkatakrishnan. Dynamic candidate evaluation for automatic prevention of SQL injection attacks. ACM Transactions on Information and System Security, 13, 2(14), 2010.
  7. C. Anley. Advanced SQL injection in SQL server applications. White Paper, Next Generation Security Software, http:/wwwgenss. com/papers/advanced sql injection. pdf, 2002.
  8. D. Litchfield, Director of Security Architecture. Web application dissembly with odbc error message, a report. http://www. atstake. com.
  9. M. Howard and D Le Blane. Writing Secure Code, volume II. Microsoft Press, Redmond, Washington, 2003.
  10. Jeremy Viegas William G. J. Halfond and Alessandro Orso. A classification of SQL injection attacks and countermeasures. In Proceedings of the IEEE International Symposium on Secure Software Engineering, Arlington, VA, USA, 2006.
  11. Yi Yuan Anyi Liu and Duminda Wijesekera. Sqlprob: a proxy based architecture towards preventing sql injection attacks. ACM Digital Library, 2009.
  12. Vladimir Vapnik Cornna Cortes. Machine Learning, 20, 273-297(1995).
  13. K. Krithivasan and R. Sitalakshmi. Efficient two dimensional pattern matching in presence of errors. Information Sciences, 43, 1987.
  14. James Law. Path based dynamic impact analysis. In IEEE Explore, Computer Science Department, Oregon State University, 2003.
  15. Steve R. Gunn. Support Vector machines for classification and regression. Technical report, Faculty of engineering, science and mathematics. School of Electronics and Computer Science. ecs. soton. ac. uk/srg/publications/pdf/SVM. pdf, 1998.
  16. F. Bouma. Stored Procedures are Bad, O'Kay, Technical Report. Asp. Net/Weblogs, http://weblogs. asp. net/fbouma /archieve/2003/11/18/38178. aspx, November 2003.
  17. E. M. Fayo. Advanced sql injection databases, technical report. Agencies Information Security, Black hat Briefings, Black Hat U. S. A, 2005.
  18. S. McDoland. SQL Injection, modes of attack, defence and why it matters. GovernmentSecurity. org, April 2006.
  19. F. Finigan. SQL injection and Oracle – part 1 and part 2. Security Focus, November 2002.
Index Terms

Computer Science
Information Sciences

Keywords

Web-application Sql Injection Classification Production Rules Web Profile Rdud