(IJACSA) International Journal of Advanced Computer Science and Applications,Vol. 3, No. 3, 2012
123 |Page www.ijacsa.thesai.org
Web Anomaly Misuse Intrusion DetectionFramework for SQL Injection Detection
Shaimaa Ezzat Salama, Mohamed I. Marie, Laila M. El-Fangary & Yehia K. Helmy
Information System Department,Faculty of Computers and InformationHelwan University, Cairo, Egypt
Databases at the background of e-commerceapplications are vulnerable to SQL injection attack which isconsidered as one of the most dangerous web attacks. In thispaper we propose a framework based on misuse and anomalydetection techniques to detect SQL injection attack. The mainidea of this framework is to create a profile for legitimatedatabase behavior extracted from applying association rules onXML file containing queries submitted from application to thedatabase. As a second step in the detection process, the structureof the query under observation will be compared against thelegitimate queries stored in the XML file thus minimizing falsepositive alarms.
Keywords-SQL injection; association rule; anomaly detection;intrusion detection.
Database-driven web applications have become widelydeployed on the Internet, and organizations use them to providea broad range of services to their customers. Theseapplications, and their underlying databases, often containconfidential, or even sensitive, information, such as customerand financial records. However, as the availability of theseapplications has increased, there has been a correspondingincrease in the number and sophistication of attacks that targetthem. One of the most serious types of attack against webapplications is SQL injection. In fact, the Open WebApplication Security Project (OWASP), an internationalorganization of web developers, has placed SQL injectionattack (SQLIA) at the top of the top ten vulnerabilities that aweb application can have . Similarly, software companiessuch as Microsoft have cited SQLIAs as one of the mostcritical vulnerabilities that software developers must address. As the name implies, this type of attack is directed towarddatabase layer of the web applications. Most web applicationsare typically constructed in a two- or three-tiered architectureas illustrated in Fig.1 .
SQLIA is a type of code-injection attack in which anattacker uses specially crafted inputs to trick the database intoexecuting attacker-specified database commands. SQLIAs cangive attackers direct access to the underlying databases of aweb application and, with that, the power to leak, modify, oreven delete information that is stored on them. The root causeof SQLIAs is insufficient input validation [4, 5]. SQLIAs occurwhen data provided by a user is not properly validated and isincluded directly in a SQL query . We will provide a simpleexample of SQLIA to illustrate the problem.
Select * from users where user_name=’” & name & “’ and password=’” & pass & “’
The previous example works well if the user supplies validuser name and password. But the problem arises whenmalicious user exploits the invalidated input and changes thestructure of the query to achieve one or more of the differentattack intents [4, 7]. The structure of the query will be altered if
the user_name attribute have the following value: ‘ or 1=1
--.The full text of the previous query becomes:
Select * from users where user_name=’’ or 1=1
The injected code will delete the password constraintthrough the use of SQL comment - - and makes the conditionof the query always evaluate to true.One mechanism to defend against web attacks is to useintrusion detection systems (IDS) and especially network intrusion detection systems (NIDS). IDS use misuse oranomaly or both techniques to defend against attacks . IDSthat use anomaly detection technique establish a baseline of normal usage patterns, and anything that widely deviates fromit gets flagged as a possible intrusion. Misuse detectiontechnique uses specifically known patterns of unauthorizedbehavior to predict and detect subsequent similar attempts.These specific patterns are called signatures [8,9].
Unfortunately, NIDS are not efficient or even useful in webintrusion detection. Since many web attacks focus onapplications that have no evidence on the underlying network or system activities, they are seen as normal traffic to thegeneral NIDS and pass through them successfully [7, 10, 11].NIDS are mostly sitting on the lower (network/transport)level of network model while web services are running on thehigher (application) level as illustrated in Fig. 2 .
Web BrowserInternet WebServerApplicationServerDatabaseServer