SQL Injection Attack Detection Based on Similarity Matching Between Vectors Extracted From Design Time and Run-Time Queries

Jayanto Kumar Chowdhury; Dilip Kumar Yadav; Chandra Mouli P.V.S.S.R

doi:10.52756/ijerr.2024.v42.001

Authors

Jayanto Kumar Chowdhury Department of Computer Science and Engineering, National Institute of Technology, Jamshedpur-831014, Jharkhand, India https://orcid.org/0009-0002-1570-1873
Dilip Kumar Yadav Department of Computer Science and Engineering, National Institute of Technology, Jamshedpur-831014, Jharkhand, India https://orcid.org/0000-0002-1334-7500
Chandra Mouli P.V.S.S.R Department of Computer Science, Central University of Tamil Nadu, Thiruvarur-610005, Tamil Nadu, India https://orcid.org/0000-0001-7909-9733

DOI:

https://doi.org/10.52756/ijerr.2024.v42.001

Keywords:

Database security, dynamic method, security vulnerabilities, SQL injection, web application

Abstract

Everyone uses web-based applications to carry out daily business and personal tasks. These programmes are vulnerable to attack by hackers, who may also misuse the data. The most serious attack with the greatest damaging potential on digital platforms is the structured query language injection attack (SQLiA). The backend databases could be corrupted or destroyed by SQLiA if it manages to breach security protections. Using SQLiA tactics, hackers can get unauthorized access, steal important data, and take over the network completely or partially. An automatic SQL injection prevention and detection technique is needed to safeguard web-based applications from SQLiA. This research suggests a novel similarity-matching algorithm of vectors extracted from design time and run-time queries. This technique allocates the weights of different SQL keywords used in design time and run-time queries and further design time and run-time vectors have been created from respective queries. The similarity between the design time and run time vector is determined by calculating the angle between these two vectors. The angle of deviation between the design time vector and run time vector is calculated and if the angle of deviation is zero, then it is concluded as no SQL injection otherwise, it indicates the existence of SQLiA vulnerability. The proposed algorithm is validated against the GitHub dataset. In the first dataset, out of 1300 injected queries, the proposed method identifies 1219 injected queries; out of 300 normal queries, it identifies 290 normal queries with 93.76% and 96.66% detection accuracy, respectively. Similarly, for the second dataset, out of 10489 injected queries, it identifies 10280 injected queries and out of 301 normal queries, it identifies 280 normal queries with 98.01% and 93.02% detection accuracy, respectively.

References

Ali, A. B. M., Shakhatreh, A. Y. I., Abdullah, M. S., & Alostad, J. (2011). SQL-injection vulnerability scanning tool for automatic creation of SQL-injection attacks. Procedia Computer Science, 3, 453–458.

https://doi.org/10.1016/j.procs.2010.12.076

Buehrer, G., Weide, B. W., & Sivilotti, PP. A. G. (2005). Using parse tree validation to prevent SQL injection attacks. In Proceedings of the 5th International Workshop on Software Engineering and Middleware (SEM ’05), pp.106–113. https://doi.org/10.1145/1108473.1108496

Chowdhury, S., Nandi, A., Ahmad, M., Jain, A., & Pawar, M. (2021). A Comprehensive Survey for Detection and Prevention of SQL Injection. In Proceedings of the 7th International Conference on Advanced Computing and Communication Systems (ICACCS, 2021), pp. 434–437. https://doi.org/10.1109/icaccs51430.2021.9442012

Cook, W., & Rai, S. (2005). Safe query objects: statically typed objects as remotely executable queries. In Proceedings of the 27th International Conference on Software Engineering, 2005, pp. 97-106. https://doi.org/10.1109/icse.2005.1553552

Elia, I. A., Fonseca, J., & Vieira, M. (2010). Comparing SQL Injection Detection Tools Using Attack Injection: An Experimental Study. In Proceedings of the IEEE 21st International Symposium on Software Reliability Engineering, pp. 289–298. https://doi.org/10.1109/issre.2010.32

Ghafarian, A. (2017). A hybrid method for detection and prevention of SQL injection attacks. In Proceedings of the Computing Conference, 2017, pp. 833-838. https://doi.org/10.1109/sai.2017.8252192

Gogoi, B., Ahmed, T., & Dinda, R. G. (2022a). PHP web shell detection through static analysis of AST using LSTM based deep learning. In Proceedings of the 14th Conference on USENIX Security Symposium, pp. 14. https://doi.org/10.1109/icaitpr51569.2022.9844206

Gogoi, B., Ahmed, T., & Dinda, R. G. (2022b). PHP web shell detection through static analysis of AST using LSTM based deep learning. In Proceedings of the 2022 First International Conference on Artificial Intelligence Trends and Pattern Recognition (ICAITPR), pp. 1–6. https://doi.org/10.1109/icaitpr51569.2022.9844206

Gould, C., Su, N. Z., & Devanbu, PP. (2004). JDBC checker: a static analysis tool for SQL/JDBC applications. In Proceedings of the 26th International Conference on Software Engineering, pp. 697-698.

https://doi.org/10.1109/icse.2004.1317494

Haldar, V., Chandra, D., & Franz, M. (2006). Dynamic Taint Propagation for Java. In Proceedings of the 21st Annual Computer Security Applications Conference (ACSAC’05), pp. 309–311. https://doi.org/10.1109/csac.2005.21

Halfond, W. G. J., & Orso, A. (2005). AMNESIA: analysis and monitoring for Neutralizing SQL-injection attacks. In Proceedings of the 20th IEEE/ACM International Conference on Automated Software Engineering (ASE ’05). Association for Computing Machinery, pp. 174–183. https://doi.org/10.1145/1101908.1101935

Halfond, W., Orso, A., & Manolios, PP. (2008). WASP: Protecting Web Applications using Positive Tainting and Syntax-Aware Evaluation. IEEE Transactions on Software Engineering, 34(1), 65–81. https://doi.org/10.1109/tse.2007.70748

Hlaing, Z. C. S. S., & Khaing, M. (2020). A Detection and Prevention Technique on SQL Injection Attacks. In Proceedings of the IEEE Conference on Computer Applications (ICCA, 2020), pp. 1–6. https://doi.org/10.1109/icca49400.2020.9022833

Huang, Y., Huang, S., Lin, T., & Tsai, C. (2003a). Web application security assessment by fault injection and behavior monitoring. Mathematical and Computer Modelling, 55(1-2), 58–68. https://doi.org/10.1145/775152.775174

Huang, Y., Huang, S., Lin, T., & Tsai, C. (2003b). Web application security assessment by fault injection and behavior monitoring. In Proceedings of the 12th International Conference on World Wide Web (WWW’03), Association for Computing Machinery, pp. 148–159. https://doi.org/10.1145/775152.775174

Jamar, R., Sogani, A., Mudgal, S., Bhadra, Y., & Churi, PP. PP. (2018). Website attack prevention using E-Shield as a IDPS tool. In Proceedings of the IEEE International Conference on System, Computation, Automation and Networking (ICSCA, 2018), pp. 1-7. https://doi.org/10.1109/icscan.2018.8541152

Jana, A., & Maity, D. (2020). Code-based Analysis Approach to Detect and Prevent SQL Injection Attacks. In Proceedings of the 11th International Conference on Computing, Communication and Networking Technologies (ICCCNT, 2020), pp. 1–6. https://doi.org/10.1109/icccnt49239.2020.9225575

Kumar, A., Dutta, S., & Pranav, P. (2023). Supervised learning for Attack Detection in Cloud. Int. J. Exp. Res. Rev., 31(Spl Volume), 74-84. https://doi.org/10.52756/10.52756/ijerr.2023.v31spl.008

Lee, I., Jeong, S., Yeo, S., & Moon, J. (2012). A novel method for SQL injection attack detection based on removing SQL query attribute values. Mathematical and Computer Modelling, 55(1–2), 58–68. https://doi.org/10.1016/j.mcm.2011.01.050

Martin, M., Livshits, B., & Lam, M. S. (2005). Finding application errors and security flaws using PQL. In Proceedings of the 20th Annual ACM SIGPLAN Conference on Object-oriented Programming, Systems, Languages, and Applications (OOPSLA ’05), Association for Computing Machinery, pp. 365–383. https://doi.org/10.1145/1094811.1094840

McClure, R., & Kruger, I. (2005). SQL DOM: compile time checking of dynamic SQL statements. In Proceedings of the 27th International Conference on Software Engineering, 2005 (ICSE 2005), pp. 88-96. https://doi.org/10.1109/icse.2005.1553551

Mitropoulos, D., & Spinellis, D. (2009). SDriver: Location-specific signatures prevent SQL injection attacks. Computers & Security, 28(3–4), 121–129. https://doi.org/10.1016/j.cose.2008.09.005

Natarajan, K., & Subramani, S. (2012). Generation of SQL-Injection free secure algorithm to detect and prevent SQL-Injection attacks. Procedia Technology, 4, 790–796. https://doi.org/10.1016/j.protcy.2012.05.129

Nguyen-Tuong, A., Guarnieri, S., Greene, D., Shirley, J., & Evans, D. (2005). Automatically hardening web applications using precise tainting. IFIP Advances in Information and Communication Technology, 295–307. https://doi.org/10.1007/0-387-25660-1_20

Park, J., & Noh, B. (2007). SQL Injection attack detection: Profiling of web application parameter using the sequence pairwise alignment. In Springer eBooks, pp. 74–82. https://doi.org/10.1007/978-3-540-71093-6_6

Pietraszek, T., & Vanden Berghe, C. (2006). Defending against injection attacks through Context-Sensitive String Evaluation. In Lecture Notes in Computer Science, pp. 124–145. https://doi.org/10.1007/11663812_7

Qbea’h, M., Alshraideh, M., & Sabri, K. E. (2016). Detecting and Preventing SQL Injection Attacks: A Formal Approach. In Proceedings of the Cybersecurity and Cyberforensics Conference (CCC, 2016), pp. 123–129.

https://doi.org/10.1109/ccc.2016.26

Rubaiei, M. A., Yarubi, T. A., Saadi, M. A., & Kumar, B. (2020). SQLIA Detection and Prevention Techniques. In Proceedings of the 9th International Conference System Modeling and Advancement in Research Trends (SMART, 2020, pp. 115–121. https://doi.org/10.1109/smart50582.2020.9336795

Saxena, A., Arora, A., Saxena, S., & Kumar, A. (2022). Detection of web attacks using machine learning based URL classification techniques. In Proceedings of the 2nd International Conference on Intelligent Technologies (CONIT, 2022), pp. 1-13. https://doi.org/10.1109/conit55038.2022.9847838

Sharma, S., P., Chhikara, R., & Khanna, K. (2023). An efficient Android malware detection method using Borutashap algorithm. International Journal of Experimental Research and Review, 34(Special Vol), 86-96.

https://doi.org/10.52756/ijerr.2023.v34spl.009

Scott, D., & Sharp, R. (2002). Abstracting application-level web security. In Proceedings of the 11th International conference on World Wide Web (WWW '02). Association for Computing Machinery, pp. 396–407. https://doi.org/10.1145/511446.511498

Su, Z., & Wassermann, G. (2006). The essence of command injection attacks in web applications. In Conference Record of the 33rd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL ’06). Association for Computing Machinery, pp. 372–382. https://doi.org/10.1145/1111037.1111070

Thomas, S., Williams, L., & Xie, T. (2009). On automated prepared statement generation to remove SQL injection vulnerabilities. Information and Software Technology, 51(3), 589–598. https://doi.org/10.1016/j.infsof.2008.08.002

Valeur, F., Mutz, D., & Vigna, G. (2005). A Learning-Based approach to the detection of SQL attacks. Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2005. In Lecture Notes in Computer Science, pp. 123–140. https://doi.org/10.1007/11506881_8

Wassermann, G., & Su, Z. (2004). An Analysis Framework for Security in Web Applications. In Proceedings of the FSE Workshop on Specification and Verification of Component-Based Systems, pp. 70-78. https://api.semanticscholar.org/CorpusID:5102805

Zhang, L., Gu, Q., Peng, S., Chen, X., Zhao, H., & Chen, D. (2010). D-WAV: A Web Application Vulnerabilities Detection Tool Using Characteristics of Web Forms. In Proceedings of the Fifth International Conference on Software Engineering Advances, 2010, pp. 501–507. https://doi.org/10.1109/icsea.2010.85