close
Skip to main content

Moving Target Defense Against Injection Attacks

  • Conference paper
  • First Online:
Algorithms and Architectures for Parallel Processing (ICA3PP 2019)

Abstract

With the development of network technology, web services become more convenient and popular. However, web services are also facing serious security threats, especially SQL injection attack(SQLIA). Due to the diversity of attack techniques and the static of defense configurations, it is difficult for existing passive defence methods to effectively defend against all SQLIAs. To reduce the risk of successful SQLIAs and increase the difficulty of the attacker, an effective defence technique based on moving target defence (MTD) called dynamic defence to SQLIA (DTSA) was presented in this article. DTSA diversifies the types of databases and implementation languages dynamically, turns the Web server into an untraceable and unpredictable moving target and slows down SQLIAs. Moreover, the period of mutation was determined by the concept of dynamic programming so as to reduce the hazards caused by SQLIAs and minimize the impact on normal users as much as possible. Final, the experimental results showed that the proposed defence method can effectively defend against injection attacks in relational databases.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Subscribe and save

Springer+
from $39.99 /Month
  • Starting from 10 chapters or articles per month
  • Access and download chapters and articles from more than 300k books and 2,500 journals
  • Cancel anytime
View plans

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Free shipping worldwide - view details

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

References

  1. Xu, Y., Wang, G., Ren, J., Zhang, Y.: An adaptive and configurable protection framework against android privilege escalation threats. Future Gener. Comput. Syst. 92, 210–224 (2019)

    Article  Google Scholar 

  2. Xu, Y., Ren, J., Wang, G., Zhang, C., Yang, J., Zhang, Y.: A blockchain-basednon-repudiation network computing service scheme for industrial IoT. IEEE Trans. Ind. Inf. (2019)

    Google Scholar 

  3. OWASP Top 10 Application Security Risks. https://www.owasp.org/index.php/Top_10-2017_Top_10. Accessed 27 Mar 2018

  4. Holz, T., Marechal, S., Raynal, F.: New threats and attacks on the world wide web. IEEE Secur. Priv. 4(2), 72–75 (2006)

    Article  Google Scholar 

  5. Chong, F., et al.: National cyber leap year summit 2009: Co-chairs report. NITRD Program (2009)

    Google Scholar 

  6. Kindy, D.A., Pathan, A.S.K.: A survey on sql injection: vulnerabilities, attacks, and prevention techniques. In: 2011 IEEE 15th International Symposium on Consumer Electronics (ISCE), pp. 468–471. IEEE (2011)

    Google Scholar 

  7. Halfond, W.G., et al.: A classification of SQL-injection attacks and countermeasures. In: Proceedings of the IEEE International Symposium on Secure Software Engineering, vol. 1, pp. 13–15. IEEE (2006)

    Google Scholar 

  8. Gould, C., Su, Z., Devanbu, P.: JDBC checker: a static analysis tool for SQL/JDBC applications. In: Proceedings of the 26th International Conference on Software Engineering, pp. 697–698. IEEE (2004)

    Google Scholar 

  9. Chunmei, W.U., Xia, N., Mao, B.: A comparison of static analysis technology for intrusion prevention. Comput. Eng. 32(3), 174–176 (2006)

    Google Scholar 

  10. Kosuga, Y., Kono, K., Hanaoka, M., Hishiyama, M., Takahama, Y.: Sania: syntactic and semantic analysis for automated testing against SQL injection. In: Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007), pp. 107–117. IEEE (2007)

    Google Scholar 

  11. Naderi-Afooshteh, A., Nguyen-Tuong, A., Bagheri-Marzijarani, M., Hiser, J.D., Davidson, J.W.: Joza: hybrid taint inference for defeating web application SQL injection attacks. In: 2015 45th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, pp. 172–183. IEEE (2015)

    Google Scholar 

  12. Nguyen-Tuong, A., Guarnieri, S., Greene, D., Shirley, J., Evans, D.: Automatically hardening web applications using precise tainting. In: Sasaki, R., Qing, S., Okamoto, E., Yoshiura, H. (eds.) SEC 2005. IAICT, vol. 181, pp. 295–307. Springer, Boston, MA (2005). https://doi.org/10.1007/0-387-25660-1_20

    Chapter  Google Scholar 

  13. Lee, I., Jeong, S., Yeo, S., Moon, J.: A novel method for SQL injection attack detection based on removing SQL query attribute values. Math. Comput. Modell. 55(1–2), 58–68 (2012)

    Article  MathSciNet  Google Scholar 

  14. Chen, Z., Guo, M., et al.: Research on SQL injection detection technology based on SVM. In: MATEC Web of Conferences. vol. 173, p. 01004. EDP Sciences (2018)

    Google Scholar 

  15. Wu, T.Y., Chen, C.M., Sun, X., Liu, S., Lin, J.C.W.: A countermeasure to SQL injection attack for cloud environment. Wireless Pers. Commun. 96(4), 5279–5293 (2017)

    Article  Google Scholar 

  16. Li, Q., Wang, F., Wang, J., Li, W.: LSTM-based SQL injection detection method for intelligent transportation system. IEEE Trans. Veh. Technol. 68(5), 4182–4191 (2019)

    Google Scholar 

  17. Yan, R., Xiao, X., Hu, G., Peng, S., Jiang, Y.: New deep learning method to detect code injection attacks on hybrid applications. J. Syst. Softw. 137, 67–77 (2018)

    Article  Google Scholar 

  18. Hou, B., Shi, Y., Qian, K., Tao, L.: Towards analyzing mongodb nosql security and designing injection defense solution. In: 2017 IEEE 3rd International Conference on Big Data Security on Cloud (bigdatasecurity), IEEE International Conference on High Performance and Smart Computing (HPSC), and IEEE International Conference on Intelligent Data and Security (IDS), pp. 90–95. IEEE (2017)

    Google Scholar 

  19. Patil, P., Gaikwad, A., Badekar, R., Urade, A., Hirve, R.: Analysis and diminution of NoSQL injection attacks. IJRDO - J. Comput. Sci. Eng. 3(3), 01–07 (2017). ISSN 2456–1843, https://www.ijrdo.org/index.php/cse/article/view/481

    Google Scholar 

  20. Algarni, A., Alsolami, F., Eassa, F., Alsubhi, K., Jambi, K., Khemakhem, M.: An open tool architecture for security testing of NoSQL-based applications. In: 2017 IEEE/ACS 14th International Conference on Computer Systems and Applications (AICCSA), pp. 220–225. IEEE (2017)

    Google Scholar 

  21. Ron, A., Shulman-Peleg, A., Puzanov, A.: Analysis and mitigation of NoSQL injections. IEEE Secur. Priv. 14(2), 30–39 (2016)

    Article  Google Scholar 

  22. Hou, B., Qian, K., Li, L., Shi, Y., Tao, L., Liu, J.: Mongodb NoSQL injection analysis and detection. In: 2016 IEEE 3rd International Conference on Cyber Security and Cloud Computing (CSCloud), pp. 75–78. IEEE (2016)

    Google Scholar 

  23. Son, S., McKinley, K.S., Shmatikov, V.: Diglossia: detecting code injection attacks with precision and efficiency. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, pp. 1181–1192. ACM (2013)

    Google Scholar 

  24. Eassa, A.M., Al-Tarawneh, O.H., El-Bakry, H.M., Salama, A.S.: NoSQL racket: a testing tool for detecting NoSQL injection attacks in web applicationss. Int. J. Adv. Comput. Sci. Appl 8(11), 614–622 (2017)

    Google Scholar 

  25. Eassa, A.M., Elhoseny, M., El-Bakry, H.M., Salama, A.S.: NoSQL injection attack detection in web applications using restful service. Program. Comput. Softw. 44(6), 435–444 (2018)

    Article  Google Scholar 

  26. Appelt, D., Nguyen, C.D., Briand, L.C., Alshahwan, N.: Automated testing for SQL injection vulnerabilities: an input mutation approach. In: Proceedings of the 2014 International Symposium on Software Testing and Analysis. pp. 259–269. ACM (2014)

    Google Scholar 

  27. Taguinod, M., Doupé, A., Zhao, Z., Ahn, G.J.: Toward a moving target defense for web applications. In: 2015 IEEE International Conference on Information Reuse and Integration, pp. 510–517. IEEE (2015)

    Google Scholar 

  28. Vikram, S., Yang, C., Gu, G.: Nomad: towards non-intrusive moving-target defense against web bots. In: 2013 IEEE Conference on Communications and Network Security (CNS), pp. 55–63. IEEE (2013)

    Google Scholar 

  29. Keromytis, A.D.: Randomized instruction sets and runtime environments past research and future directions. IEEE Secur. Priv. 7(1), 18–25 (2009)

    Article  Google Scholar 

  30. Boyd, S.W., Keromytis, A.D.: SQLrand: preventing SQL injection attacks. In: Jakobsson, M., Yung, M., Zhou, J. (eds.) ACNS 2004. LNCS, vol. 3089, pp. 292–302. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24852-1_21

    Chapter  Google Scholar 

  31. Allier, S., Barais, O., Baudry, B., Bourcier, J., Daubert, E., Fleurey, F., Monperrus, M., Song, H., Tricoire, M.: Multitier diversification in web-based software applications. IEEE Softw. 32(1), 83–90 (2014)

    Article  Google Scholar 

  32. Zhang, H., Zheng, K., Wang, X., Luo, S., Wu, B.: Efficient strategy selection for moving target defense under multiple attacks. IEEE Access (2019)

    Google Scholar 

Download references

Author information

Authors and Affiliations

Authors

Corresponding authors

Correspondence to Kangfeng Zheng or Xiaodan Yan.

Editor information

Editors and Affiliations

Rights and permissions

Reprints and permissions

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Zhang, H., Zheng, K., Yan, X., Luo, S., Wu, B. (2020). Moving Target Defense Against Injection Attacks. In: Wen, S., Zomaya, A., Yang, L. (eds) Algorithms and Architectures for Parallel Processing. ICA3PP 2019. Lecture Notes in Computer Science(), vol 11944. Springer, Cham. https://doi.org/10.1007/978-3-030-38991-8_34

Download citation

Keywords

Publish with us

Policies and ethics