SQL Injection Attack Detection & Prevention over Cloud Services
Niharika Singh, Ajay Jangra, Upasana Lakhina, Rajat Sharma
Department of Computer Science and Engineering, University Institute of Engineering and Technology
Kurukshetra University, Kurukshetra, INDIA
Abstract — Web servers that provide customer services are usually connected to backend databases holding highly sensitive information. The growing number of deployed web applications has been matched by a growing number of attacks that target them. SQL Injection Attacks occur when data supplied by an external user is included directly in an SQL query without proper validation. This paper proposes a novel detection and prevention mechanism for SQL Injection Attacks based on a three-tier system. The methodology covers static, dynamic and runtime detection and prevention, filters out malicious queries, and prepares the system as a whole for a secure working environment instead of concerning itself with the database server alone. The cloud offers services such as SaaS, IaaS, PaaS, DaaS and EaaS. Previous solutions address database queries for the DaaS service only; this paper extends the scope to the other services as well, so that the security of the whole system is maintained on any of the cloud platforms. The solution includes detection and filtration that reduces attacks to 80% in comparison with other algorithms.
Keywords — Cloud computing; Cloud security; Architecture, design; Cloud services; Deployment models; SQL injections
I. INTRODUCTION
Cloud computing is an on-demand, resource-pooling, self-service, multilevel virtualization model that is location-independent and provides ubiquitous network access; it is seen as the next generation of computing. It is inspired by grid, parallel and distributed computing over the internet, deploying highly optimized data centers to provide resources such as hardware, software, data and platform as required by any application. The concept evolved in 1950 at IBM as RJE (Remote Job Entry). In recent years, with the rapid growth of storage and processing technologies, computing resources have become cheaper and more popular. Involving a third party over the internet, however, introduces many unreliable elements that can prove to be loopholes [11] [3]. The cloud stores a huge amount of data, including personal and confidential details, so securing data in the cloud has become a major point of concern. The successes of the internet have made it more powerful, efficient and pervasively available than ever before. In 2006 Amazon implemented its first cloud, AWS (Amazon Web Services) [1]. It offers a new style of application program that can act as a platform supporting dynamically organized services simultaneously. To understand cloud computing technology, a performance-based, efficient approach is required for the new paradigms, to systematize the commonly shared information and to deploy and develop the associated changes in different user-oriented platform models [2]. Applying suitable methods to provide privacy checks against such leaks is itself a major challenge of cloud computing [13]. Web servers that provide customer services are usually connected to backend databases holding highly sensitive information, and the growing number of deployed web applications has been matched by a growing number of attacks that target them. According to one study, 80% of cyber-attacks are carried out at the application layer, and 98% of the audited websites are clearly targeted. SQL Injection Attacks (SQLIAs) have been identified as one of the foremost security threats to web applications [12]. An SQLIA issues a crafted query that can damage the connected server systems and gives attackers unauthorized access to the underlying databases, with the ability to delete, modify and retrieve the valuable and confidential information stored in them.
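The root cause described above (external data included directly in the SQL text) and its standard fix (binding the data as parameters so the query structure is fixed before any value is attached) can be seen side by side in the following added example. It is illustration written for this page, not code from the paper; the users table, the credentials and the two login functions are constructed assumptions, and it runs offline against an in-memory SQLite database.

```python
import sqlite3
from typing import Dict, List

# Constructed sample data (an assumption for this example, not the paper's data).
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db() -> sqlite3.Connection:
    """Create an in-memory users table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, pass TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_unsafe(conn: sqlite3.Connection, name: str, password: str) -> List[str]:
    """Vulnerable form: external input is spliced into the SQL text, so the
    input can change the structure of the query (the SQLIA the paper describes)."""
    sql = f"SELECT name FROM users WHERE name = '{name}' AND pass = '{password}'"
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn: sqlite3.Connection, name: str, password: str) -> List[str]:
    """Hardened form: the statement structure is fixed first and the values are
    bound as parameters, so input is only ever treated as data, never as SQL."""
    sql = "SELECT name FROM users WHERE name = ? AND pass = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def compare(name: str, password: str) -> Dict[str, int]:
    """Run the same credentials through both forms and return the row counts,
    which is what a reviewer would record when confirming the fix."""
    conn = make_db()
    try:
        return {"unsafe": len(login_unsafe(conn, name, password)),
                "safe": len(login_safe(conn, name, password))}
    finally:
        conn.close()


if __name__ == "__main__":
    # Legitimate login: both forms return exactly one row.
    print(compare("alice", "s3cret"))
    # Name that carries SQL syntax: the unsafe form matches every row because
    # the input rewrote the WHERE clause; the safe form matches nothing.
    print(compare("alice' OR '1'='1' --", "x"))
```

The second call is the whole point of the paper's definition: the same string is harmless when bound as a parameter and structure-changing when concatenated, so the defence has to fix the query structure before the data arrives rather than try to "clean" the data afterwards.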
II. CLOUD PLATFORMS
This section describes the four platforms that have been designed to meet the needs and expectations of cloud computing technology [8]. Injecting SQL queries harms the database on the client server, but the attack may occur in any of the following cloud types [11].
International Journal of Computer Science and Information Security (IJCSIS), Vol. 14, No. 4, April 2016
256 https://sites.google.com/site/ijcsis/ ISSN 1947-5500
Public cloud: The computing infrastructure is hosted by a cloud vendor on the vendor's premises and can be shared by various organizations. E.g. Amazon, Google, Salesforce.com, Microsoft.
Private cloud: The computing infrastructure is not shared with other organizations but is dedicated to a particular organization. It is more expensive but more reliable than the public cloud. E.g. HP data centers, IBM, Sun, Oracle, 3tera.
Hybrid cloud: When public and private clouds work together the result is called a hybrid cloud: "Organizations may host critical applications on private clouds, whereas relatively less secure concerns on public clouds".
Community cloud: The cloud is shared by two or more private, public or community clouds. E.g. a group of schools under a specific university [8].
III. FORMATION OF CLOUD COMPUTING
This part of the paper describes the organization of the technology. In simple terms, "the cloud" as a metaphor for the internet is a familiar cliché, but when it is combined with the term "computing" its meaning becomes broader and hazier. Cloud computing gives organizations the opportunity to simply connect to the cloud and use the available resources on a pay-per-use basis, which avoids capital expenditure on additional on-premises infrastructure and lets them scale up and scale down instantly according to business requirements [3]. Cloud computing consists of cloud clients, services, applications, platform, storage and infrastructure, delivered as measured services. It is a highly automated, utility-based paradigm shift consisting of an optimized and efficient framework that includes servers and virtual desktops, allocates services to computer networks over the internet, and prescribes the software platform and applications for easy and agile deployment of secure data management [5].
Accessing and storing content through the cloud involves many different levels of checkpoints for authorization. SQLIAs may cause harm at any of these checkpoint levels, including any of the XaaS (X as a service) offerings. The technology provides broad network access using resource pooling and on-demand self-service with rapid elasticity, resulting in continuous high availability, interoperability and standardized scalability for the hardware and software components, providing data secrecy and ease of capital investment [2] [6].
IV. MOTIVATION
Studies of SQLIAs describe queries injected to attack the client's databases. Whether the target is on the internet or an attacker attacks a cloud, the data is expected to be affected; but what if SQLIAs are used to modify the configuration of a server system, or to spoof a platform on which confidential work is being done? Detection and prevention solutions for SQLIAs are usually considered at the DaaS level, but solutions must also be found for the SaaS, PaaS, IaaS and EaaS levels. The solutions found are expected to be much more effective, as for DaaS, reaching 70-90% success. Fig. 1 depicts the insertion of an SQL-injected query into the network, which penetrates the firewall and breaks through the other levels of servers at the client end.
V. DEPLOYMENT MODELS & EVALUATION
Cloud computing is a type of internet-based computing in which different services, such as servers and data storage modules, are delivered to an organization's computers and devices through the internet. The internet cloud can communicate through various devices such as PCs, mini notebooks, notebooks, remote desktops, remote servers, databases and mobile phones, and contains three different service layers: software, platform and infrastructure [1][2]. This helps users get better services, but it is counted as a single phase. On the other hand, attackers are ready to hack, spoof or harm systems that might belong to any of the following service categories [8].
Software as a service (SaaS): Refers to an application that can be accessed from anywhere in the world as long as an internet connection is available. Such services have features like SSL encryption, a cryptographic protocol. Ex: Gmail, Yahoo Mail, Google Apps, MS Office 365.
Platform as a service (PaaS): This service layer delivers a computing platform that typically includes an operating system, programming language, etc. It is a platform on which developers write and create their own applications. Ex: AWS Elastic Beanstalk, Google App Engine, Salesforce.com, Windows Azure.
Infrastructure as a service (IaaS): Provides hardware and infrastructure that users rent at a tariff for a limited period of time. It is also known as "Hardware as a Service". Ex: firewalls, Google Compute Engine, Amazon, HP Cloud, EC2. These three layers are the basic service layers, which were discovered in the early sixties; on analyzing modern research and study projects, some new service layers have been discovered, listed as follows [4].
Data as a service (DaaS): A large amount of data on the internet is stored in an unmanaged way and needs to be maintained by applying sorting algorithms and defining data allocation methods. The model works over bulk data retrieval, where availability, security and data management lead to concurrency and efficiency in data storage maintenance. It brings agility, cost-effectiveness and data quality. Ex: VMware, Citrix.
Education as a service (EaaS): This service layer includes the e-learning and smart-class concepts that are delivered as education-oriented services. The model establishes distance learning programs that help users access knowledge and services independent of their location. E.g. Educomp, Indiamart, and Microsoft Smart Class Library.
To meet these requirements and to use such services efficiently there are many service providers, listed in Fig. 2. The figure also shows that at every level some kind of security protocol is required, strong enough to handle any breakthrough attempt and to stop an attacker from affecting the system.
Fig. 1: Representation of the way SQL Injection Attack is initiated.
Fig. 2: Examples of Different Service Providers
VI. SQLIAs SOLUTION FOR DIFFERENT CLOUD SERVICES
The system is divided over a three-tier architecture. The proposed approach is essentially a runtime detection and prevention methodology that follows a three-tier (Client - Logic Access - Data Server) organization to process, access and exchange queries. It ensures that the Data Server tier will probably not execute any vulnerable code that affects the system or the hosted operating systems and devices, partially or completely. The technique works on the database server side, associated with a distributed cloud environment, to provide a security control system that ensures the secure execution of all requested queries without any database hacking or fabrication.
    # Access table: one row per tier level T, counting queries received at
    # that tier ("input") and queries fully processed there ("consumed").
    access_table = {}   # T (tier level number) -> {"input": received, "consumed": finished}
    reported = {}       # T -> difference last reported to the server controller

    def receive_query(T):
        # Procedure Receive_Query / Unveil_Message (T: tier level number):
        # update row T of the access table to increase the input count
        row = access_table.setdefault(T, {"input": 0, "consumed": 0})
        row["input"] += 1

    def finish_query(T):
        # Procedure Finish_Query (T: tier level number):
        # update row T of the access table to increase the consumed count
        row = access_table.setdefault(T, {"input": 0, "consumed": 0})
        row["consumed"] += 1

    def upon_idle(server_controller):
        # Procedure Upon_Idle: report to the server controller the non-zero
        # difference (input - consumed) for previously unreported rows
        for T, row in access_table.items():
            diff = row["input"] - row["consumed"]
            if diff != 0 and reported.get(T) != diff:
                server_controller.report(T, diff)   # controller exposes report(T, diff)
                reported[T] = diff
The algorithm for the tier architecture detects the completion of the query exchange process at each tier level. The queries $Q = \{q_1, q_2, q_3, \dots, q_s\}$ pass through a tier architecture represented by $T = \{t_1, t_2, t_3, \dots, t_n\}$, which for the proposed scenario works over up to $n = 3$ levels. A general example of SQL query injection can be studied through Fig. 3. The architecture depends on the three-tier system, which is divided as follows:
Fig. 3: General example of SQL query injection [7].
First tier (client tier) - This tier consists of applications that access a server usually located on a different machine from the client, making a distributed environment. It concerns web browsers, servers or standalone applications running on different machines that process queries as requests and responses through the servers. If there are
S servers that share communication through Q queries, the rate of detecting a breakthrough is directly proportional to the number R of activities run, where $R = \{r_1, r_2, r_3, \dots, r_t\}$. On the whole, the query associativity would be:
$$Q_i = \sum_{i=1}^{t} R$$
$$Q_i = \sum_{i=1}^{t} (r_1 + r_2 + r_3 + \dots + r_t)$$
As each $R$ carries out $s$ queries,
$$Q_i = (q_1, q_2, q_3, \dots, q_s)_1 + (q_1, q_2, q_3, \dots, q_s)_2 + \dots + (q_1, q_2, q_3, \dots, q_s)_t$$
$$Q_i = t\,(q_1, q_2, q_3, \dots, q_s)$$
$$Q_i = tQ$$
For which, if we have $i = 1$,
$$Q \cong t$$
When the queries are processed through distributed servers, the result is delivered as HTML web pages. Each web page is uniquely identified by its corresponding $url$. To find the associative probability, the result is further divided by 100 for the overall evaluation.
Second tier (logic access tier) - This layer concerns the server-side code, which may include the platform or software applications that process and set up the communication between distantly placed servers and systems, written in C#, JSP, ASP.NET, VB, PHP, etc. On their behalf, the layer is responsible for authentication, authorization, caching, coupling and cohesion, exception management and validation, and it effectively logs and audits the queries in progress, say Q.
Third tier (data server tier) - This tier represents database services on distinct servers. It embraces all the database objects that might be used by applications, such as schemas, views, tables and stored procedures. Definitions of the instance-level objects available for SQL Server objects are stored in the databases on the data server tier. The tools of the layer include the Application Developer, Database Administrator, Independent Software Vendor, IT Administrator, etc., supporting the operations EXTRACT, DEPLOY, REGISTER, UNREGISTER and UPGRADE, which help in the EXPORT-IMPORT of the request-response queries.
Fig. 4: Representation of the way SQL Injection Attack is detected and filtered & stops malicious query.
The proposed methodology uses this 3-tier architecture to define level-wise security against SQLIAs. By placing a proxy server in front of the cloud DSP (Data Service Provider), 40% of the attacks are reduced. To exclude the other 60% of the attacks, a Valid Security tool can be installed on the proxy server; it compares each query with the original one using metrics already stored in the security tool, and filters out the malicious queries. This protects the firewall from being crossed; see Fig. 4.
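One concrete way to realize the proxy-side comparison just described, written as an added example for this page rather than taken from the paper or its tool: the metric stored for each application query is the structural skeleton of the developer's original statement (keywords, identifiers and operators, with every literal reduced to a placeholder), and at runtime the query actually issued is allowed through to the data server tier only if its skeleton is identical. Legitimate input only changes literal values and therefore never changes the skeleton; input that smuggles in operators, keywords or comments does. The query ids, the small SQL token grammar and the login query are assumptions made for the example, and the block runs offline.

```python
import re
from typing import Dict, List, Tuple

# Small SQL token grammar (an assumption for this example: enough for the
# queries shown here, not a complete SQL lexer). Comments are matched first so
# that a '--' inside a query cannot be mistaken for anything else.
TOKEN_RE = re.compile(
    r"(?P<comment>--[^\n]*|/\*.*?\*/)"
    r"|(?P<string>'(?:[^']|'')*')"
    r"|(?P<number>\d+(?:\.\d+)?)"
    r"|(?P<ident>[A-Za-z_][A-Za-z0-9_]*)"
    r"|(?P<op><=|>=|<>|!=|[=<>*,;().])"
    r"|(?P<ws>\s+)"
    r"|(?P<other>.)",
    re.DOTALL,
)

KEYWORDS = {"SELECT", "FROM", "WHERE", "AND", "OR", "NOT", "INSERT", "INTO",
            "VALUES", "UPDATE", "SET", "DELETE", "UNION", "NULL", "LIKE", "IN"}


def skeleton(sql: str) -> List[str]:
    """Reduce a query to its structural skeleton: keywords upper-cased,
    identifiers lower-cased, every string or number literal replaced by LIT,
    comments replaced by COMMENT, whitespace dropped."""
    out: List[str] = []
    for m in TOKEN_RE.finditer(sql):
        kind, text = m.lastgroup, m.group()
        if kind == "ws":
            continue
        if kind in ("string", "number"):
            out.append("LIT")
        elif kind == "comment":
            out.append("COMMENT")
        elif kind == "ident":
            up = text.upper()
            out.append(up if up in KEYWORDS else text.lower())
        else:
            out.append(text)
    return out


class QueryFilter:
    """Proxy-side filter: each application query is registered once with its
    original (template) text; a query issued at runtime must have the same
    skeleton as the stored template or it is blocked before the data server."""

    def __init__(self) -> None:
        self._templates: Dict[str, List[str]] = {}

    def register(self, query_id: str, original_sql: str) -> None:
        self._templates[query_id] = skeleton(original_sql)

    def check(self, query_id: str, runtime_sql: str) -> Tuple[bool, str]:
        """Return (allowed, reason); the reason is what the proxy would log."""
        expected = self._templates.get(query_id)
        if expected is None:
            return False, f"unknown query id {query_id!r}"
        actual = skeleton(runtime_sql)
        if actual == expected:
            return True, "structure matches stored template"
        # Name the first point of divergence so the audit log says what changed.
        for i, (e, a) in enumerate(zip(expected, actual)):
            if e != a:
                return False, f"token {i}: expected {e!r}, got {a!r}"
        return False, f"length differs: expected {len(expected)} tokens, got {len(actual)}"


if __name__ == "__main__":
    f = QueryFilter()
    # Constructed template: the developer's original login query with dummy values.
    f.register("login", "SELECT * FROM users WHERE name = 'u' AND pass = 'p'")
    # A normal login keeps the skeleton; a name carrying SQL syntax changes it.
    print(f.check("login", "SELECT * FROM users WHERE name = 'alice' AND pass = 's3cret'"))
    print(f.check("login", "SELECT * FROM users WHERE name = 'alice' OR '1'='1' -- ' AND pass = 'x'"))
```

Because the comparison is structural rather than a blacklist of strings, it does not need to anticipate particular payloads, and the logged reason (the first diverging token) gives the operator a precise record for the audit trail that the logic access tier is responsible for.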
VII. IMPLEMENTATION & EVALUATION ANALYSIS
The experimental process is in progress and needs to be carried out on a large scale, including SQL, NoSQL and NewSQL databases and also application-oriented scenarios. On the basis of the work done to date, the success probability associativity evaluated using the proposed formula is 75-87%. It secures the data of all the cloud types and the services provided. The system guidelines can be seen in Table-2.
Starting on a supercomputer is sometimes a difficult task, but here a prototype is designed for executing queries and transactions carried over inter- and intra-cloud. Accordingly, Table-1 shows the system configuration scenario, specifying technical attributes such as RAM, OS, hard disk, etc. required for the implementation of the proposed solution. Fig. 4 represents the smallest average (for 4 different queries from comparison Table-1) at which the lines have contracted, which shows a very small difference in negotiation. One complete cycle includes the static and dynamic variability and the process that leads to filtration after the detection of injected SQL queries. For the practical evaluation in the graph (see Fig. 5), the following queries, each containing 57 vulnerable instructions, are picked:
Table-1: Details of the query cycles considered for evaluation

  Query cycle   Query type
  Query-1       takes 57 Read instructions in a single go
  Query-2       takes 57 Write instructions simultaneously
  Query-3       takes 57 Update instructions
  Query-4       takes 57 Retrieve instructions in parallel

Table-2: Technical details of the implementation environment

  Setup phase    Technical attribute           Configuration
  System setup   RAM capacity                  8 GB
                 Processor                     Intel(R) Core(TM) i7 CPU Q 740 @ 1.73 GHz, Turbo up to 1.93 GHz
                 Operating system              Windows 7 Ultimate
                 Hard disk                     1 TB
                 Graphics card (if required)   NVIDIA GeForce GT 425M, 2 GB
Fig. 5: Average negotiation comparison for 4 random queries with 57 transactions included in a single query.
Fig. 6(a)-6(b): Query tested through the SQL Inject Me simulation.
To evaluate the work and to deal with static and dynamic queries, the online tool SQL Inject Me is used. To validate the work, queries are run in bulk followed by different cycles in parallel. Fig. 6 shows the workflow: 6(a) depicts the process of firing the query through one system and 6(b) represents the random server to be attacked. Studying the facts, the process further reveals major trends that will be evaluated in future work.
VIII. CONCLUSION
The proposed approach is essentially a runtime detection and prevention methodology that follows a three-tier (Client - Logic Access - Data Server) organization to process, access and exchange queries. It ensures that the Data Server tier will probably not execute any vulnerable code that affects the system or the hosted operating systems and devices, partially or completely. The technique works on the database server side, associated with a distributed cloud environment, to provide a security control system that ensures the secure execution of all requested queries without any database hacking or fabrication. By placing a proxy server in front of the cloud DSP (Data Service Provider), 40% of the attacks are reduced. To exclude the other 60% of the attacks, a security tool is installed on the proxy server that compares each query with the original one using metrics already stored in the tool, filters out the malicious queries and protects the firewall from being crossed.
REFERENCES
[1] M. Casassa-Mont et al., "Towards safer information sharing in the cloud," International Journal of Information Security, Springer, Berlin, pp. 319-334, August 23, 2014. doi:10.1007/s10207-014-0258-5.
[2] Muhammad Baqer Mullah, Kazi Reazul Islam, Sikder Sunbeam Islam, "Next generation of computing through cloud computing technology," 2012 25th IEEE Canadian Conference on Electrical and Computer Engineering (CCECE).
[3] Deepak Puthal, B. P. S. Sahoo, Sambit Mishra, Satyabrata Swain, "Cloud computing features, issues and challenges: A big picture," 2015 International Conference on Computational Intelligence & Networks, pp. 116-123.
[4] Antonio Celesti, Francesco Tusa, Massimo Villari, Antonio Puliafito, "An approach to enable cloud service providers to arrange IaaS, PaaS and SaaS using external virtualization infrastructures," 2011 IEEE World Congress on Services, pp. 607-611.
[5] Linlin Wu, Saurabh Kumar Garg, Rajkumar Buyya, "SLA-based resource allocation for software as a service provider (SaaS) in cloud computing environments," 2011 11th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing, pp. 195-204.
[6] Nungki Selviandro, Mira Suryani, Zainal A. Hasibuan, "Open learning optimization based on cloud technology: case study implementation in personalization e-learning," February 16-19, 2014, pp. 541-546.
[7] Manop Phankokruad, "Implement of cloud computing for e-learning system," 2012 International Conference on Computer & Information Science (ICCIS), pp. 7-11.
[8] Colleen M. Swanson, Douglas R. Stinson, "Extended results on privacy against coalitions of users in user-private information retrieval protocols," Cryptography and Communications, Springer, Vol. 7, No. 4, pp. 415-437, February 12, 2015.
[9] Elmar Plischke, Emanuele Borgonovo, Curtis L. Smith, "Global sensitivity measures from given data," European Journal of Operational Research, Elsevier, Vol. 226, No. 3, pp. 536-550, May 1, 2013. doi:10.1016/j.ejor.2012.11.047.
[10] I. Eyal, K. Birman, R. van Renesse, "Cache serializability: Reducing inconsistency in edge transactions," 2015 IEEE 35th International Conference on Distributed Computing Systems (ICDCS), Columbus, OH, June 29 - July 2, 2015, pp. 686-695. doi:10.1109/ICDCS.2015.75.
[11] W. Halfond, A. Orso, "Combining static analysis and runtime monitoring to counter SQL-injection attacks," Proceedings of the Third International ICSE Workshop on Dynamic Analysis, IEEE.
[12] William G. J. Halfond, Alessandro Orso, "Detection and prevention of SQL injection attacks," Springer, 2007, pp. 85-109.
[13] Sruthi Bandhakavi et al., "CANDID: Preventing SQL injection attacks using dynamic candidate evaluations," ACM, Alexandria, Virginia, USA, October 29 - November 2, 2007.
[14] Félix Gómez Mármol, Christoph Sorge, Ronald Petrlic, Osman Ugus, Dirk Westhoff, Gregorio Martínez Pérez, "Privacy-enhanced architecture for smart metering," International Journal of Information Security, Springer, Vol. 12, No. 2, pp. 67-82, November 28, 2012. doi:10.1007/s10207-012-0181-6.