nach oben

Wireless Personal Communications

Erschienen in:

03.10.2016

A Countermeasure to SQL Injection Attack for Cloud Environment

verfasst von: Tsu-Yang Wu, Chien-Ming Chen, Xiuyang Sun, Shuai Liu, Jerry Chun-Wei Lin

Erschienen in: Wireless Personal Communications | Ausgabe 4/2017

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

Although cloud computing becomes a new computing model, a variety of security threats have been described. Among these threats, SQL injection attack (SQLIA) has received increasing attention recently. In the past, many researchers had proposed several methods to counter SQLIAs. However, these countermeasures of SQLIAs cannot be applied to cloud environments directly. In this paper, we propose a mechanism called CCSD (Cloud Computing SQLIA Detection) to detect SQLIAs. CCSD does not require any access to the application’s source code. Hence, it can be directly applied to existing cloud environments. The experimental results demonstrate that CCSD has high accuracy, low false positive rates and low time consumption.

Vorheriger Artikel A Fairness-Enhanced Micropayment Scheme

Nächster Artikel Secure Data Access and Sharing Scheme for Cloud Storage

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Armbrust, M., Fox, A., Griffith, R., Joseph, A. D., Katz, R., Konwinski, A., et al. (2010). A view of cloud computing. Communications of the ACM, 53(4), 50–58.CrossRef

Bello, L., & Russo, A. (2012). Towards a taint mode for cloud computing web applications. In Proceedings of the 7th workshop on programming languages and analysis for security (p. 7). ACM.

Bisht, P., Madhusudan, P., & Venkatakrishnan, V. (2010). Candid: Dynamic candidate evaluations for automatic prevention of sql injection attacks. ACM Transactions on Information and System Security 13(2) .

Boyd, S. W., & Keromytis, A. D. (2004). Sqlrand: Preventing sql injection attacks. In Applied cryptography and network security (pp. 292–302). Berlin: Springer.

Bravenboer, M., Dolstra, E., & Visser, E. (2007). Preventing injection attacks with syntax embeddings. In Proceedings of the 6th international conference on generative programming and component engineering (pp. 3–12). ACM.

Buehrer, G., Weide, B.W., & Sivilotti, P.A. (2005). Using parse tree validation to prevent sql injection attacks. In Proceedings of the 5th international workshop on software engineering and middleware (pp. 106–113). ACM.

Clarke, J. (2012). SQL injection attacks and defense. Access Online via Elsevier.

Fu, X., Lu, X., Peltsverger, B., Chen, S., Qian, K., & Tao, L. (2007). A static analysis framework for detecting sql injection vulnerabilities. In Proceedings of the 31st international conference on computer software and applications vol. 1, (pp. 87–96). IEEE.

Gould, C., Su, Z., & Devanbu, P. (2004). Jdbc checker: A static analysis tool for sql/jdbc applications. In Proceedings of the 26th international conference on software engineering (pp. 697–698). IEEE Computer Society.

10.

Halfond, W. G., Orso, A., & Manolios, P. (2008). Wasp: Protecting web applications using positive tainting and syntax-aware evaluation. IEEE Transactions on Software Engineering, 34(1), 65–81.CrossRef

11.

Halfond, W., Viegas, J., & Orso, A. (2006). A classification of sql-injection attacks and countermeasures. In Proceedings of the IEEE international symposium on secure software engineering (pp. 13–15).

12.

Halfond, W.G., & Orso, A. (2005). Amnesia: Analysis and monitoring for neutralizing sql-injection attacks. In Proceedings of the 20th IEEE/ACM international conference on automated software engineering (pp. 174–183). ACM.

13.

Halfond, W.G., & Orso, A. (2005). Combining static analysis and runtime monitoring to counter sql-injection attacks. In ACM SIGSOFT software engineering notes vol. 30, (pp. 1–7). ACM.

14.

Halfond, W.G., & Orso, A. (2006). Preventing sql injection attacks using amnesia. In Proceedings of the 28th international conference on software engineering (pp. 795–798). ACM.

15.

Halfond, W.G., Orso, A., & Manolios, P. (2006). Using positive tainting and syntax-aware evaluation to counter sql injection attacks. In Proceedings of the 14th ACM SIGSOFT international symposium on Foundations of software engineering (pp. 175–185).

16.

http://dev.mysql.com/.

17.

https://javacc.java.net/doc/jjtree.html.

18.

http://en.wikipedia.org/wiki/call_stack.

19.

http://en.wikipedia.org/wiki/parse_tree.

20.

http://javacc.java.net/.

21.

http://jsqlparser.sourceforge.net/.

22.

http://tomcat.apache.org/.

23.

http://www-bcf.usc.edu/~halfond/testbed.html.

24.

http://www.gotocode.com/.

25.

http://www.vmware.com/cn/.

26.

Huang, Y.W., Huang, S.K., Lin, T.P., & Tsai, C.H. (2003). Web application security assessment by fault injection and behavior monitoring. In Proceedings of the 12th international conference on World Wide Web (pp. 148–159). ACM.

27.

Jansen, W., & Grance, T. (2011). Guidelines on security and privacy in public cloud computing. NIST special publication (pp. 800–144).

28.

Kaufman, L. M. (2009). Data security in the world of cloud computing. IEEE Security & Privacy, 7(4), 61–64.CrossRef

29.

Komiya, R., Paik, I., & Hisada, M. (2011). Classification of malicious web code by machine learning. In Proceedings of the 3rd conference on awareness science and technology (pp. 406–411). IEEE.

30.

Kosuga, Y., Kernel, K., Hanaoka, M., Hishiyama, M., & Takahama, Y. (2007). Sania: Syntactic and semantic analysis for automated testing against sql injection. In Proceedings of the conference on computer security applications (pp. 107–117). IEEE.

31.

Lam, M.S., Whaley, J., Livshits, V.B., Martin, M.C., Avots, D., Carbin, M., & Unkel, C. (2005). Context-sensitive program analysis as database queries. In Proceedings of the twenty-fourth ACM SIGMOD-SIGACT-SIGART symposium on principles of database systems (pp. 1–12). ACM.

32.

Lee, I., Jeong, S., Yeo, S., & Moon, J. (2012). A novel method for sql injection attack detection based on removing sql query attribute values. Mathematical and Computer Modelling, 55(1), 58–68.MathSciNetCrossRefMATH

33.

Liu, A., Yuan, Y., Wijesekera, D., & Stavrou, A. (2009). Sqlprob: A proxy-based architecture towards preventing sql injection attacks. In Proceedings of the 2009 ACM Symposium on Applied Computing (pp. 2054–2061). ACM.

34.

McClure, R.A., & Kruger, I.H. (2005). Sql dom: Compile time checking of dynamic sql statements. In Proceedings. 27th international conference on software engineering (pp. 88–96). IEEE.

35.

Mitropoulos, D., & Spinellis, D. (2009). Sdriver: Location-specific signatures prevent sql injection attacks. Computers & Security, 28(3–4), 121–129.CrossRef

36.

Pachauri, A. (2008). Tcp/ip malicious packet detection (sql injection detection). Ph.D. thesis, Napier University, Edinburgh.

37.

Paros. http://www.parosproxy.org/.

38.

Ron, A., Shulman-Peleg, A., & Bronshtein, E. (2015). No sql, no injection? Examining nosql security. arXiv:1506.04082.

39.

Son, S., McKinley, K.S., & Shmatikov, V. (2013). Diglossia: Detecting code injection attacks with precision and efficiency. In Proceedings of the 2013 ACM SIGSAC conference on computer & communications security (pp. 1181–1192). ACM.

40.

Valeur, F., Mutz, D., & Vigna, G.(2005). A learning-based approach to the detection of sql attacks. In Detection of intrusions and malware, and vulnerability assessment (pp. 123–140). Berlin: Springer.

41.

Valeur, F., Mutz, D., & Vigna, G. (2005). A learning-based approach to the detection of sql attacks. In Detection of intrusions and malware, and vulnerability assessment (pp. 123–140). Berlin: Springer

42.

Wang, C., Wang, Q., Ren, K., & Lou, W. (2010). Privacy-preserving public auditing for data storage security in cloud computing. In INFOCOM, 2010 Proceedings IEEE (pp. 1–9). IEEE.

43.

Zissis, D., & Lekkas, D. (2012). Addressing cloud computing security issues. Future Generation Computer Systems, 28(3), 583–592.CrossRef

Titel: A Countermeasure to SQL Injection Attack for Cloud Environment
verfasst von: Tsu-Yang Wu
Chien-Ming Chen
Xiuyang Sun
Shuai Liu
Jerry Chun-Wei Lin
Publikationsdatum: 03.10.2016
Verlag: Springer US
Erschienen in: Wireless Personal Communications / Ausgabe 4/2017
Print ISSN: 0929-6212
Elektronische ISSN: 1572-834X
DOI: https://doi.org/10.1007/s11277-016-3741-7

Neuer Inhalt

Bildnachweise

VDI-Icon, Profil Icon, inhalt2, Springer Professional Modul/© Springer Fachmedien Wiesbaden GmbH, Internationaler Motorenkongress/© [M] ATZlive | Chisnikov / Fotolia.com, Search Icon, Banner Hanser, Thorsten Mücke/© Alexandra Bachran, Gamification/© Sergey Shulgin / Getty Images / iStock, Benedikt Bonnmann von Adesso/© Adesso, Zeitschrift Wissensmanagement Cover, PatentFit-Logo/© Springer Fachmedien Wiesbaden GmbH, 2023_Antrieb/© supervisuell, ATZ-Webinar: Prototypenfreie Entwicklung durch Offline- und Driver-in-the-Loop-HiL-Tests /© (c) VI-grade, chassis.tech plus 2023/© [M] ATZlive / TÜV SÜD PRODUCT SERVICE GMBH

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Technik"

Springer Professional "Wirtschaft+Technik"

Springer Professional "Wirtschaft"

Weitere Artikel der Ausgabe 4/2017

Attacks on and Countermeasures for Two RFID Protocols

A Novel Urban Vehicular Content-Centric Networking Frame

The Entanglement Level and the Detection of Quantum Data Transfer Correctness in Short Qutrit Spin Chains

Relay Selection Algorithm for Cognitive Relay Network

Timing Synchronization Performance of Preamble Signal with Orthogonal Frequency Multiplexed Data Signal in the Presence of Frequency Offset

Design and Performance Analysis of Soft Decision-Based Network-Assisted Interference Cancellation and Suppression Scheme

Neuer Inhalt

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.