
Journal of Artificial Intelligence

Year: 2019 | Volume: 12 | Issue: 1 | Page No.: 11-17
DOI: 10.3923/jai.2019.11.17

Research Article

A Two-Phase Pattern Matching-parse Tree Validation Approach for Efficient SQL Injection Attacks Detection

Randa Osman Morsi
Department of Computer Engineering, Faculty of Engineering, Cairo University, Giza, Egypt
LiveDNA: 20.24430

Mona Farouk Ahmed
Department of Computer Engineering, Faculty of Engineering, Cairo University, Giza, Egypt

Background and Objective: Data is one of an organization's most valuable assets and sits at the core of its website. SQL Injection Attack (SQLIA) is the way by which hackers gain access to that data. This paper proposes an approach to detect SQLIA efficiently. Methodology: Parsing Tree validation (PT), one of the most powerful detection algorithms, is accurate but takes much time. Combining it with a fast dynamic algorithm that learns and stores malicious input patterns, so that subsequent inputs can be compared against them, is therefore a significant gain. The proposed algorithm combines two existing detection algorithms: pattern matching using Aho-Corasick (AC) and PT. Results: Experiments showed that the proposed approach guarantees a high accuracy of 99.9%, a reasonable run time of 53.6% of PT's time, and lower memory usage. Conclusion: SQLIA is one of the most severe threats to the database. In general, the approaches that best guard the database against SQLIA are those that combine primitive approaches, since the combination strengthens their merits and offsets their weaknesses.

How to cite this article

Randa Osman Morsi and Mona Farouk Ahmed, 2019. A Two-Phase Pattern Matching-parse Tree Validation Approach for Efficient SQL Injection Attacks Detection. Journal of Artificial Intelligence, 12: 11-17.

DOI: 10.3923/jai.2019.11.17

URL: https://scialert.net/abstract/?doi=jai.2019.11.17

Keywords


  • pattern matching algorithm
  • parsing tree
  • data security
  • Aho-corasick
