Abstract
With the development of network technology, web services become more convenient and popular. However, web services are also facing serious security threats, especially SQL injection attack(SQLIA). Due to the diversity of attack techniques and the static of defense configurations, it is difficult for existing passive defence methods to effectively defend against all SQLIAs. To reduce the risk of successful SQLIAs and increase the difficulty of the attacker, an effective defence technique based on moving target defence (MTD) called dynamic defence to SQLIA (DTSA) was presented in this article. DTSA diversifies the types of databases and implementation languages dynamically, turns the Web server into an untraceable and unpredictable moving target and slows down SQLIAs. Moreover, the period of mutation was determined by the concept of dynamic programming so as to reduce the hazards caused by SQLIAs and minimize the impact on normal users as much as possible. Final, the experimental results showed that the proposed defence method can effectively defend against injection attacks in relational databases.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
References
Xu, Y., Wang, G., Ren, J., Zhang, Y.: An adaptive and configurable protection framework against android privilege escalation threats. Future Gener. Comput. Syst. 92, 210–224 (2019)
Xu, Y., Ren, J., Wang, G., Zhang, C., Yang, J., Zhang, Y.: A blockchain-basednon-repudiation network computing service scheme for industrial IoT. IEEE Trans. Ind. Inf. (2019)
OWASP Top 10 Application Security Risks. https://www.owasp.org/index.php/Top_10-2017_Top_10. Accessed 27 Mar 2018
Holz, T., Marechal, S., Raynal, F.: New threats and attacks on the world wide web. IEEE Secur. Priv. 4(2), 72–75 (2006)
Chong, F., et al.: National cyber leap year summit 2009: Co-chairs report. NITRD Program (2009)
Kindy, D.A., Pathan, A.S.K.: A survey on sql injection: vulnerabilities, attacks, and prevention techniques. In: 2011 IEEE 15th International Symposium on Consumer Electronics (ISCE), pp. 468–471. IEEE (2011)
Halfond, W.G., et al.: A classification of SQL-injection attacks and countermeasures. In: Proceedings of the IEEE International Symposium on Secure Software Engineering, vol. 1, pp. 13–15. IEEE (2006)
Gould, C., Su, Z., Devanbu, P.: JDBC checker: a static analysis tool for SQL/JDBC applications. In: Proceedings of the 26th International Conference on Software Engineering, pp. 697–698. IEEE (2004)
Chunmei, W.U., Xia, N., Mao, B.: A comparison of static analysis technology for intrusion prevention. Comput. Eng. 32(3), 174–176 (2006)
Kosuga, Y., Kono, K., Hanaoka, M., Hishiyama, M., Takahama, Y.: Sania: syntactic and semantic analysis for automated testing against SQL injection. In: Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007), pp. 107–117. IEEE (2007)
Naderi-Afooshteh, A., Nguyen-Tuong, A., Bagheri-Marzijarani, M., Hiser, J.D., Davidson, J.W.: Joza: hybrid taint inference for defeating web application SQL injection attacks. In: 2015 45th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, pp. 172–183. IEEE (2015)
Nguyen-Tuong, A., Guarnieri, S., Greene, D., Shirley, J., Evans, D.: Automatically hardening web applications using precise tainting. In: Sasaki, R., Qing, S., Okamoto, E., Yoshiura, H. (eds.) SEC 2005. IAICT, vol. 181, pp. 295–307. Springer, Boston, MA (2005). https://doi.org/10.1007/0-387-25660-1_20
Lee, I., Jeong, S., Yeo, S., Moon, J.: A novel method for SQL injection attack detection based on removing SQL query attribute values. Math. Comput. Modell. 55(1–2), 58–68 (2012)
Chen, Z., Guo, M., et al.: Research on SQL injection detection technology based on SVM. In: MATEC Web of Conferences. vol. 173, p. 01004. EDP Sciences (2018)
Wu, T.Y., Chen, C.M., Sun, X., Liu, S., Lin, J.C.W.: A countermeasure to SQL injection attack for cloud environment. Wireless Pers. Commun. 96(4), 5279–5293 (2017)
Li, Q., Wang, F., Wang, J., Li, W.: LSTM-based SQL injection detection method for intelligent transportation system. IEEE Trans. Veh. Technol. 68(5), 4182–4191 (2019)
Yan, R., Xiao, X., Hu, G., Peng, S., Jiang, Y.: New deep learning method to detect code injection attacks on hybrid applications. J. Syst. Softw. 137, 67–77 (2018)
Hou, B., Shi, Y., Qian, K., Tao, L.: Towards analyzing mongodb nosql security and designing injection defense solution. In: 2017 IEEE 3rd International Conference on Big Data Security on Cloud (bigdatasecurity), IEEE International Conference on High Performance and Smart Computing (HPSC), and IEEE International Conference on Intelligent Data and Security (IDS), pp. 90–95. IEEE (2017)
Patil, P., Gaikwad, A., Badekar, R., Urade, A., Hirve, R.: Analysis and diminution of NoSQL injection attacks. IJRDO - J. Comput. Sci. Eng. 3(3), 01–07 (2017). ISSN 2456–1843, https://www.ijrdo.org/index.php/cse/article/view/481
Algarni, A., Alsolami, F., Eassa, F., Alsubhi, K., Jambi, K., Khemakhem, M.: An open tool architecture for security testing of NoSQL-based applications. In: 2017 IEEE/ACS 14th International Conference on Computer Systems and Applications (AICCSA), pp. 220–225. IEEE (2017)
Ron, A., Shulman-Peleg, A., Puzanov, A.: Analysis and mitigation of NoSQL injections. IEEE Secur. Priv. 14(2), 30–39 (2016)
Hou, B., Qian, K., Li, L., Shi, Y., Tao, L., Liu, J.: Mongodb NoSQL injection analysis and detection. In: 2016 IEEE 3rd International Conference on Cyber Security and Cloud Computing (CSCloud), pp. 75–78. IEEE (2016)
Son, S., McKinley, K.S., Shmatikov, V.: Diglossia: detecting code injection attacks with precision and efficiency. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, pp. 1181–1192. ACM (2013)
Eassa, A.M., Al-Tarawneh, O.H., El-Bakry, H.M., Salama, A.S.: NoSQL racket: a testing tool for detecting NoSQL injection attacks in web applicationss. Int. J. Adv. Comput. Sci. Appl 8(11), 614–622 (2017)
Eassa, A.M., Elhoseny, M., El-Bakry, H.M., Salama, A.S.: NoSQL injection attack detection in web applications using restful service. Program. Comput. Softw. 44(6), 435–444 (2018)
Appelt, D., Nguyen, C.D., Briand, L.C., Alshahwan, N.: Automated testing for SQL injection vulnerabilities: an input mutation approach. In: Proceedings of the 2014 International Symposium on Software Testing and Analysis. pp. 259–269. ACM (2014)
Taguinod, M., Doupé, A., Zhao, Z., Ahn, G.J.: Toward a moving target defense for web applications. In: 2015 IEEE International Conference on Information Reuse and Integration, pp. 510–517. IEEE (2015)
Vikram, S., Yang, C., Gu, G.: Nomad: towards non-intrusive moving-target defense against web bots. In: 2013 IEEE Conference on Communications and Network Security (CNS), pp. 55–63. IEEE (2013)
Keromytis, A.D.: Randomized instruction sets and runtime environments past research and future directions. IEEE Secur. Priv. 7(1), 18–25 (2009)
Boyd, S.W., Keromytis, A.D.: SQLrand: preventing SQL injection attacks. In: Jakobsson, M., Yung, M., Zhou, J. (eds.) ACNS 2004. LNCS, vol. 3089, pp. 292–302. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24852-1_21
Allier, S., Barais, O., Baudry, B., Bourcier, J., Daubert, E., Fleurey, F., Monperrus, M., Song, H., Tricoire, M.: Multitier diversification in web-based software applications. IEEE Softw. 32(1), 83–90 (2014)
Zhang, H., Zheng, K., Wang, X., Luo, S., Wu, B.: Efficient strategy selection for moving target defense under multiple attacks. IEEE Access (2019)
Author information
Authors and Affiliations
Corresponding authors
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Zhang, H., Zheng, K., Yan, X., Luo, S., Wu, B. (2020). Moving Target Defense Against Injection Attacks. In: Wen, S., Zomaya, A., Yang, L. (eds) Algorithms and Architectures for Parallel Processing. ICA3PP 2019. Lecture Notes in Computer Science(), vol 11944. Springer, Cham. https://doi.org/10.1007/978-3-030-38991-8_34
Download citation
DOI: https://doi.org/10.1007/978-3-030-38991-8_34
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-38990-1
Online ISBN: 978-3-030-38991-8
eBook Packages: Mathematics and StatisticsMathematics and Statistics (R0)Springer Nature Proceedings excluding Computer Science
