Top

previous article A Fairness-Enhanced Micropayment Scheme

next article Secure Data Access and Sharing Scheme for Cloud...

Hint

Swipe to navigate through the articles of this issue

03-10-2016 | Issue 4/2017

A Countermeasure to SQL Injection Attack for Cloud Environment

Journal:: Wireless Personal Communications > Issue 4/2017

Authors:: Tsu-Yang Wu, Chien-Ming Chen, Xiuyang Sun, Shuai Liu, Jerry Chun-Wei Lin

» Get access to the full-text

Abstract

Although cloud computing becomes a new computing model, a variety of security threats have been described. Among these threats, SQL injection attack (SQLIA) has received increasing attention recently. In the past, many researchers had proposed several methods to counter SQLIAs. However, these countermeasures of SQLIAs cannot be applied to cloud environments directly. In this paper, we propose a mechanism called CCSD (Cloud Computing SQLIA Detection) to detect SQLIAs. CCSD does not require any access to the application’s source code. Hence, it can be directly applied to existing cloud environments. The experimental results demonstrate that CCSD has high accuracy, low false positive rates and low time consumption.

Please log in to get access to this content

To get access to this content you need the following product:

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 50.000 Bücher
über 380 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Umwelt
Maschinenbau + Werkstoffe

Testen Sie jetzt 30 Tage kostenlos.

inform now

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 69.000 Bücher
über 500 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Umwelt
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Testen Sie jetzt 30 Tage kostenlos.

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 58.000 Bücher
über 300 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Testen Sie jetzt 30 Tage kostenlos.

inform now

Armbrust, M., Fox, A., Griffith, R., Joseph, A. D., Katz, R., Konwinski, A., et al. (2010). A view of cloud computing. Communications of the ACM, 53(4), 50–58. CrossRef

Bello, L., & Russo, A. (2012). Towards a taint mode for cloud computing web applications. In Proceedings of the 7th workshop on programming languages and analysis for security (p. 7). ACM.

Bisht, P., Madhusudan, P., & Venkatakrishnan, V. (2010). Candid: Dynamic candidate evaluations for automatic prevention of sql injection attacks. ACM Transactions on Information and System Security 13(2) .

Boyd, S. W., & Keromytis, A. D. (2004). Sqlrand: Preventing sql injection attacks. In Applied cryptography and network security (pp. 292–302). Berlin: Springer.

Bravenboer, M., Dolstra, E., & Visser, E. (2007). Preventing injection attacks with syntax embeddings. In Proceedings of the 6th international conference on generative programming and component engineering (pp. 3–12). ACM.

Buehrer, G., Weide, B.W., & Sivilotti, P.A. (2005). Using parse tree validation to prevent sql injection attacks. In Proceedings of the 5th international workshop on software engineering and middleware (pp. 106–113). ACM.

Clarke, J. (2012). SQL injection attacks and defense. Access Online via Elsevier.

Fu, X., Lu, X., Peltsverger, B., Chen, S., Qian, K., & Tao, L. (2007). A static analysis framework for detecting sql injection vulnerabilities. In Proceedings of the 31st international conference on computer software and applications vol. 1, (pp. 87–96). IEEE.

Gould, C., Su, Z., & Devanbu, P. (2004). Jdbc checker: A static analysis tool for sql/jdbc applications. In Proceedings of the 26th international conference on software engineering (pp. 697–698). IEEE Computer Society.

10.

Halfond, W. G., Orso, A., & Manolios, P. (2008). Wasp: Protecting web applications using positive tainting and syntax-aware evaluation. IEEE Transactions on Software Engineering, 34(1), 65–81. CrossRef

11.

Halfond, W., Viegas, J., & Orso, A. (2006). A classification of sql-injection attacks and countermeasures. In Proceedings of the IEEE international symposium on secure software engineering (pp. 13–15).

12.

Halfond, W.G., & Orso, A. (2005). Amnesia: Analysis and monitoring for neutralizing sql-injection attacks. In Proceedings of the 20th IEEE/ACM international conference on automated software engineering (pp. 174–183). ACM.

13.

Halfond, W.G., & Orso, A. (2005). Combining static analysis and runtime monitoring to counter sql-injection attacks. In ACM SIGSOFT software engineering notes vol. 30, (pp. 1–7). ACM.

14.

Halfond, W.G., & Orso, A. (2006). Preventing sql injection attacks using amnesia. In Proceedings of the 28th international conference on software engineering (pp. 795–798). ACM.

15.

Halfond, W.G., Orso, A., & Manolios, P. (2006). Using positive tainting and syntax-aware evaluation to counter sql injection attacks. In Proceedings of the 14th ACM SIGSOFT international symposium on Foundations of software engineering (pp. 175–185).

16.

http://dev.mysql.com/.

17.

https://javacc.java.net/doc/jjtree.html.

18.

http://en.wikipedia.org/wiki/call_stack.

19.

http://en.wikipedia.org/wiki/parse_tree.

20.

http://javacc.java.net/.

21.

http://jsqlparser.sourceforge.net/.

22.

http://tomcat.apache.org/.

23.

http://www-bcf.usc.edu/~halfond/testbed.html.

24.

http://www.gotocode.com/.

25.

http://www.vmware.com/cn/.

26.

Huang, Y.W., Huang, S.K., Lin, T.P., & Tsai, C.H. (2003). Web application security assessment by fault injection and behavior monitoring. In Proceedings of the 12th international conference on World Wide Web (pp. 148–159). ACM.

27.

Jansen, W., & Grance, T. (2011). Guidelines on security and privacy in public cloud computing. NIST special publication (pp. 800–144).

28.

Kaufman, L. M. (2009). Data security in the world of cloud computing. IEEE Security & Privacy, 7(4), 61–64. CrossRef

29.

Komiya, R., Paik, I., & Hisada, M. (2011). Classification of malicious web code by machine learning. In Proceedings of the 3rd conference on awareness science and technology (pp. 406–411). IEEE.

30.

Kosuga, Y., Kernel, K., Hanaoka, M., Hishiyama, M., & Takahama, Y. (2007). Sania: Syntactic and semantic analysis for automated testing against sql injection. In Proceedings of the conference on computer security applications (pp. 107–117). IEEE.

31.

Lam, M.S., Whaley, J., Livshits, V.B., Martin, M.C., Avots, D., Carbin, M., & Unkel, C. (2005). Context-sensitive program analysis as database queries. In Proceedings of the twenty-fourth ACM SIGMOD-SIGACT-SIGART symposium on principles of database systems (pp. 1–12). ACM.

32.

Lee, I., Jeong, S., Yeo, S., & Moon, J. (2012). A novel method for sql injection attack detection based on removing sql query attribute values. Mathematical and Computer Modelling, 55(1), 58–68. MathSciNetCrossRefMATH

33.

Liu, A., Yuan, Y., Wijesekera, D., & Stavrou, A. (2009). Sqlprob: A proxy-based architecture towards preventing sql injection attacks. In Proceedings of the 2009 ACM Symposium on Applied Computing (pp. 2054–2061). ACM.

34.

McClure, R.A., & Kruger, I.H. (2005). Sql dom: Compile time checking of dynamic sql statements. In Proceedings. 27th international conference on software engineering (pp. 88–96). IEEE.

35.

Mitropoulos, D., & Spinellis, D. (2009). Sdriver: Location-specific signatures prevent sql injection attacks. Computers & Security, 28(3–4), 121–129. CrossRef

36.

Pachauri, A. (2008). Tcp/ip malicious packet detection (sql injection detection). Ph.D. thesis, Napier University, Edinburgh.

37.

Paros. http://www.parosproxy.org/.

38.

Ron, A., Shulman-Peleg, A., & Bronshtein, E. (2015). No sql, no injection? Examining nosql security. arXiv:1506.04082.

39.

Son, S., McKinley, K.S., & Shmatikov, V. (2013). Diglossia: Detecting code injection attacks with precision and efficiency. In Proceedings of the 2013 ACM SIGSAC conference on computer & communications security (pp. 1181–1192). ACM.

40.

Valeur, F., Mutz, D., & Vigna, G.(2005). A learning-based approach to the detection of sql attacks. In Detection of intrusions and malware, and vulnerability assessment (pp. 123–140). Berlin: Springer.

41.

Valeur, F., Mutz, D., & Vigna, G. (2005). A learning-based approach to the detection of sql attacks. In Detection of intrusions and malware, and vulnerability assessment (pp. 123–140). Berlin: Springer

42.

Wang, C., Wang, Q., Ren, K., & Lou, W. (2010). Privacy-preserving public auditing for data storage security in cloud computing. In INFOCOM, 2010 Proceedings IEEE (pp. 1–9). IEEE.

43.

Zissis, D., & Lekkas, D. (2012). Addressing cloud computing security issues. Future Generation Computer Systems, 28(3), 583–592. CrossRef

Title: A Countermeasure to SQL Injection Attack for Cloud Environment
Authors:: Tsu-Yang Wu
Chien-Ming Chen
Xiuyang Sun
Shuai Liu
Jerry Chun-Wei Lin
Publication date: 03-10-2016
DOI: https://doi.org/10.1007/s11277-016-3741-7
Publisher: Springer US
Journal: Wireless Personal Communications An International Journal
Issue 4/2017
Print ISSN: 0929-6212
Electronic ISSN: 1572-834X

Springer Professional

Hint

Swipe to navigate through the articles of this issue

Abstract

Please log in to get access to this content

To get access to this content you need the following product:

Springer Professional "Technik"

Springer Professional "Wirtschaft+Technik"

Springer Professional "Wirtschaft"

Other articles of this Issue 4/2017

Two Novel Adaptive Transmission Schemes in a Decode-and-Forward Relaying Network

Cyclic Delay Diversity with Phase Shift in Low Rate SC-FDMA Uplink

Performance Modeling of Link Duration in Vehicular Ad Hoc Networks Under Weibull Fading Channel Conditions

DK-LEACH: An Optimized Cluster Structure Routing Method Based on LEACH in Wireless Sensor Networks

A Novel Reliability and Traffic Aware Gateway Selection Scheme in Wireless Mesh Networks

FFT-Based Channel Estimation Scheme in LTE-A Downlink System