
A Countermeasure to SQL Injection Attack for Cloud Environment

Wireless Personal Communications

Abstract

Although cloud computing has become a new computing model, a variety of security threats have been described. Among these threats, SQL injection attack (SQLIA) has received increasing attention recently. In the past, many researchers have proposed several methods to counter SQLIAs. However, these countermeasures cannot be applied to cloud environments directly. In this paper, we propose a mechanism called CCSD (Cloud Computing SQLIA Detection) to detect SQLIAs. CCSD does not require any access to the application's source code; hence, it can be applied directly to existing cloud environments. The experimental results demonstrate that CCSD has high accuracy, low false positive rates and low time consumption.



Acknowledgments

The work of Tsu-Yang Wu was supported by Natural Scientific Research Innovation Foundation in Harbin Institute of Technology (No. HIT.NSRIF.2015089) and the work of Chien-Ming Chen was supported in part by the Project NSFC (National Natural Science Foundation of China) under Grant number 61402135 and in part by Shenzhen Technical Project under Grant number JCYJ20150513151706574.

Author information

Corresponding author

Correspondence to Tsu-Yang Wu.

About this article

Cite this article

Wu, TY., Chen, CM., Sun, X. et al. A Countermeasure to SQL Injection Attack for Cloud Environment. Wireless Pers Commun 96, 5279–5293 (2017). https://doi.org/10.1007/s11277-016-3741-7
