Abstract
Although cloud computing has become a new computing model, a variety of security threats have been described against it. Among these threats, the SQL injection attack (SQLIA) has received increasing attention recently. Many researchers have proposed methods to counter SQLIAs, but these countermeasures cannot be applied to cloud environments directly. In this paper, we propose a mechanism called CCSD (Cloud Computing SQLIA Detection) to detect SQLIAs. CCSD does not require any access to the application's source code and can therefore be applied directly to existing cloud environments. The experimental results demonstrate that CCSD has high accuracy, low false positive rates and low time consumption.
Acknowledgments
The work of Tsu-Yang Wu was supported by Natural Scientific Research Innovation Foundation in Harbin Institute of Technology (No. HIT.NSRIF.2015089) and the work of Chien-Ming Chen was supported in part by the Project NSFC (National Natural Science Foundation of China) under Grant number 61402135 and in part by Shenzhen Technical Project under Grant number JCYJ20150513151706574.
Cite this article
Wu, TY., Chen, CM., Sun, X. et al. A Countermeasure to SQL Injection Attack for Cloud Environment. Wireless Pers Commun 96, 5279–5293 (2017). https://doi.org/10.1007/s11277-016-3741-7