International Journal of Computer Science and Information Security (IJCSIS), Vol. 14, No. 4, April 2016
SQL Injection Attack Detection & Prevention over Cloud Services
Niharika Singh, Ajay Jangra, Upasana Lakhina, Rajat Sharma
Department of Computer Science and Engineering, University Institute of Engineering and Technology, Kurukshetra University, Kurukshetra, INDIA
Abstract — Web servers that provide customer services are usually connected to backend databases holding highly sensitive information. The growing deployment of such web applications has been accompanied by a corresponding growth in the number of attacks that target them. SQL Injection Attacks occur when data supplied by an external user is included directly in an SQL query without proper validation. This paper proposes a detection and prevention mechanism for SQL Injection Attacks based on a three-tier system. The methodology covers static, dynamic and runtime detection and prevention, filters out malicious queries, and prepares the whole system for a secure working environment rather than being concerned with the database server only. The cloud offers services such as SaaS, IaaS, PaaS, DaaS and EaaS. Previous solutions address database queries for the DaaS service only; this paper extends the scope to the other services as well, maintaining the security of the whole system on any of the cloud platforms. The solution includes detection and filtration and, in the authors' evaluation, reduces attacks by 80% in comparison to other algorithms.

Keywords—Cloud computing; Cloud security; Architecture, design; Cloud services; Deployment models; SQL Injections
I. INTRODUCTION
Cloud computing is an on-demand, resource-pooling, self-service, multi-level virtualized model that is location independent and offers ubiquitous network access; it is seen as the next generation of computing. It draws on grid, parallel and distributed computing over the internet, deploying highly optimized data centers to provide resources such as hardware, software, data and platforms as required by any application. The concept goes back to IBM's Remote Job Entry (RJE) process of the 1950s. In recent years the swift growth in storage and processing technologies has made computing resources cheaper and increasingly popular.
Involving a third party over the internet introduces many unreliable points that can turn out to be loopholes [11][3]. The cloud stores a huge amount of data, including personal and confidential details, so securing data in the cloud has become a major concern. The successes of the internet have made it more powerful, efficient and pervasively available than ever before. In 2006 Amazon launched its first cloud offering, AWS (Amazon Web Services) [1]. It offers a new style of application program that works as a platform supporting dynamically organized services simultaneously. To understand the concepts of cloud computing technology, a performance-based, efficient approach is required for the new paradigms that systematize the usually shared information and for developing and deploying the affiliated changes across the different user-oriented platform models [2]. Applying suitable methods to provide privacy checks against the leaks is itself a major challenge of cloud computing [13]. Web servers that provide customer services are usually connected to backend databases holding highly sensitive information. The growing deployment of such web applications has been followed by a corresponding growth in the number of attacks that target them. According to one study, 80% of cyber-attacks are carried out at the application layer, and of the websites audited, 98% were clearly targeted. SQL Injection Attacks (SQLIAs) are identified as one of the foremost security threats to web applications [12]. An SQLIA injects a crafted query that can damage the connected server systems and give attackers unauthorized access to the underlying databases, with the ability to delete, modify and retrieve the valuable and confidential information stored there.
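The following Python example, added here and not part of the paper, shows the vulnerability just described and its standard fix on a small constructed SQLite database: login_vulnerable builds the query by string concatenation, so the supplied name becomes part of the SQL text, while login_safe passes the same inputs as bound parameters. The table contents, user names and attack payloads are all constructed for this illustration.

```python
import sqlite3

# Constructed sample data for this illustration (not from the paper).
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """In-memory SQLite database standing in for the backend data server."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users (name, password) VALUES (?, ?)", USERS)
    return conn


def render_vulnerable_sql(user, pw):
    """The query text an application builds by concatenating external input.
    Whatever the user typed is now SQL code, not data."""
    return ("SELECT id FROM users WHERE name = '" + user
            + "' AND password = '" + pw + "'")


def login_vulnerable(conn, user, pw):
    """Executes the concatenated query: an SQLIA changes what the query means.
    A trailing '--' comments out the password check; 'OR 1=1' makes the
    WHERE clause true for every row."""
    return conn.execute(render_vulnerable_sql(user, pw)).fetchall()


def login_safe(conn, user, pw):
    """Parameterized query: the SQL structure is fixed before the input is seen.
    The driver binds user and pw as values, so quotes and comments in the
    input cannot escape into the statement."""
    sql = "SELECT id FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (user, pw)).fetchall()


def compare(user, pw="wrong"):
    """Return (rows from the vulnerable login, rows from the safe login)
    for the same inputs against a fresh sample database."""
    conn = make_db()
    return len(login_vulnerable(conn, user, pw)), len(login_safe(conn, user, pw))


if __name__ == "__main__":
    for payload in ["alice", "alice' --", "' OR 1=1 --"]:
        print(repr(payload))
        print("  ", render_vulnerable_sql(payload, "wrong"))
        print("   rows (vulnerable, safe):", compare(payload))
```

With the correct password both versions return one row; with the payload `alice' --` only the vulnerable version logs alice in, and with `' OR 1=1 --` it returns every user while the parameterized version returns nothing.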
II. CLOUD PLATFORMS
This section describes the four platforms that have been designed to meet the needs and expectations of cloud computing technology [8]. Injecting SQL queries harms the database on the client's server, but the attack may take place in any of the following cloud types [11].
https://sites.google.com/site/ijcsis/ ISSN 1947-5500
Public cloud: the computing infrastructure is hosted by a cloud vendor on the vendor's premises and can be shared by various organizations. E.g. Amazon, Google, Salesforce.com, Microsoft, etc.

Private cloud: the computing infrastructure is not shared with other organizations but is dedicated to a particular organization. It is more expensive but more reliable than the public cloud. E.g. HP data centers, IBM, Sun, Oracle, 3tera, etc.

Hybrid cloud: when public and private clouds work together it is called a hybrid cloud; "organizations may host critical applications on private clouds, and those of relatively less security concern on the public cloud".

Community cloud: the cloud is shared by two or more organizations that form a community, and may itself draw on private, public or community clouds. E.g. a group of schools under a specific university [8].

III. FORMATION OF CLOUD COMPUTING
This part of the paper describes the organization of the technology. In simple terms, "the cloud" is a familiar metaphor for the internet, but once it is joined to the word "computing" its meaning becomes larger and hazier. Cloud computing lets organizations simply connect to the cloud and use the available resources on a pay-per-use basis, which avoids capital expenditure on additional on-premises infrastructure and lets them scale up and down instantly according to business requirements [3]. Cloud computing consists of cloud clients, services, applications, platforms, storage and infrastructure, delivered as measured services. It is a highly automated, utility-based paradigm shift built on an optimized and efficient framework of servers and virtual desktops that allocates services over the internet, prescribing software platforms and applications for easy and agile deployment and secure data management [5]. Accessing and storing content through the cloud passes through many levels of authorization checkpoints, and SQLIAs may do harm at any of these checkpoint levels, in any of the XaaS (X as a service) offerings. The technology provides broad network access with resource pooling, on-demand self-service and rapid elasticity, resulting in continuous high availability, interoperability and standardized scalability of the hardware and software components, together with data secrecy and lower capital investment [2][6].

IV. MOTIVATION
Studies of SQLIAs describe queries injected to attack a client's databases. Whether the target is on the internet or an attacker attacks a cloud, the data is assumed to be affected; but what if SQLIAs are used to modify the configuration of a server system, or to spoof a platform on which confidential work is being done? Detection and prevention solutions for SQLIAs have always been sought at the DaaS level, but solutions are also needed at the SaaS, PaaS, IaaS and EaaS levels. The solutions found are expected to be considerably more effective than those for DaaS, which reach 70-90% success.
Fig-1 depicts the insertion of a SQL-injected query into the network; it penetrates the firewall and breaks through the other server levels at the client end.

V. DEPLOYMENT MODELS & EVALUATION
Cloud computing is a type of internet-based computing in which services such as servers and data storage modules are delivered to an organization's computers and devices through the internet. The cloud communicates with a variety of devices (PCs, mini notes, notebooks, remote desktops, remote servers, databases, mobile phones, etc.) and contains three service layers: software, platform and infrastructure [1][2]. This gives users better services, but it is counted as a single phase; attackers, on the other hand, are ready to hack, spoof or harm systems belonging to any of the following service categories [8].

Software as a Service (SaaS): an application that can be accessed from anywhere in the world as long as an internet connection is available. Such services typically carry features like SSL encryption, a cryptographic protocol. Ex: Gmail, Yahoo Mail, Google Apps, MS Office 365.

Platform as a Service (PaaS): this layer delivers a computing platform that typically includes an operating system, programming language runtime, etc. It is a platform on which developers write and create their own applications. Ex: AWS Elastic Beanstalk, Google App Engine, Salesforce.com, Windows Azure, etc.

Infrastructure as a Service (IaaS): this layer rents hardware and infrastructure to users for a limited period of time, charged by tariff. It is also known as "Hardware as a Service". Ex: firewalls, Google Compute Engine, Amazon EC2, HP Cloud, etc.

These three are the basic service layers, whose roots go back to the utility computing ideas of the early sixties; analysis of more recent research and study projects has identified some further service layers, listed below [4].

Data as a Service (DaaS): a large amount of data on the internet is stored in an unmanaged way and has to be maintained by applying sorting algorithms and defining data allocation methods. The model works on bulk data retrieval, where availability, security and data management lead to concurrency and efficiency in maintaining data storage. It brings agility, cost-effectiveness and data quality. Ex: VMware, Citrix, etc.

Education as a Service (EaaS): this layer covers e-learning and the smart-class concept, presented as education-oriented services. The model establishes distance learning programs that let users access knowledge and services independent of their location. E.g. Educomp, Indiamart, Microsoft smart class library, etc.

Many service providers meet these requirements and use such services efficiently; some are listed in Fig. 2. The figure also shows that every level requires security protocols strong enough to handle any kind of breakthrough and stop an attacker from affecting the system.
Fig. 1: Representation of the way a SQL Injection Attack is initiated.

A general example of SQL query injection can be studied in fig-3. The architecture relies on a three-tier system, whose tiers are described in Section VI. The following algorithm for the tier architecture detects the completion of the query exchange process at each tier level. The queries $Q = \{q_1, q_2, q_3, \dots, q_s\}$ pass through a tier-architecture representation $T = \{t_1, t_2, t_3, \dots, t_n\}$, which in the proposed scenario works over up to $n = 3$ levels:

    Procedure Receive_Query / Unveil_Message (T: tier level number)
    begin
        Update row T of the access table to increase its input count;
    end

    Procedure Finish_Query (T: tier level number)
    begin
        Update row T of the access table to increase its consumed count;
    end

    Procedure Upon_Idle
    begin
        Report to the server controller the non-zero (input - consumed) difference
        of every previously unreported row of the access table;
    end
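As an added example (not code from the paper), the three procedures above in Python: an access table with one row per tier, plus a small constructed run in which one injected query is dropped at the logic access tier, so that Upon_Idle reports a non-zero difference for that row. The sample queries and the looks_injected check are placeholders of my own, standing in for the paper's security tool.

```python
class TierAccessTable:
    """One row per tier level T (1..levels). Each row counts how many queries
    entered the tier ("input") and how many it finished ("consumed")."""

    def __init__(self, levels=3):
        self.rows = {t: {"input": 0, "consumed": 0} for t in range(1, levels + 1)}
        self.reported = {}  # tier -> last difference already sent to the controller

    def receive_query(self, tier):
        """Procedure Receive_Query: a query enters tier T."""
        self.rows[tier]["input"] += 1

    def finish_query(self, tier):
        """Procedure Finish_Query: tier T completed the query exchange."""
        self.rows[tier]["consumed"] += 1

    def upon_idle(self):
        """Procedure Upon_Idle: report every row whose input/consumed difference
        is non-zero and has not been reported yet. Returns {tier: difference}."""
        report = {}
        for tier, row in self.rows.items():
            diff = row["input"] - row["consumed"]
            if diff != 0 and self.reported.get(tier) != diff:
                report[tier] = diff
                self.reported[tier] = diff
        return report


# Constructed sample traffic (not from the paper): three queries travel
# client -> logic access -> data server; the last one is the injected query.
SAMPLE_QUERIES = [
    "SELECT id FROM users WHERE name = 'alice' AND password = 's3cret'",
    "SELECT id FROM users WHERE name = 'bob' AND password = 'hunter2'",
    "SELECT id FROM users WHERE name = '' OR 1=1 --' AND password = 'x'",
]


def looks_injected(sql):
    """Hypothetical placeholder for the tier-2 security check: a crude marker
    test standing in for the paper's query comparison tool."""
    return "--" in sql or " or 1=1" in sql.lower()


def simulate(queries=SAMPLE_QUERIES, levels=3):
    """Run each query through the tiers, stopping it at tier 2 when the check
    fires, and return what Upon_Idle reports afterwards."""
    table = TierAccessTable(levels)
    for sql in queries:
        for tier in range(1, levels + 1):
            table.receive_query(tier)
            if tier == 2 and looks_injected(sql):
                break  # dropped here: tier 2 never finishes it, tier 3 never sees it
            table.finish_query(tier)
    return table.upon_idle()


if __name__ == "__main__":
    print(simulate())
```

For the sample traffic the report is {2: 1}: tier 2 received three queries but consumed only two, while tiers 1 and 3 balance. A second Upon_Idle call reports nothing until the difference changes again.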
Fig. 2: Examples of Different Service Providers

VI. SQLIAs SOLUTION FOR DIFFERENT CLOUD SERVICES
When the system is divided into a three-tier architecture: the proposed approach is essentially a runtime detection and prevention methodology that follows a three-tier (Client - Logic Access - Data Server) organization to process, access and exchange queries. It ensures that the Data Server tier will, in all probability, not execute any vulnerable code that could partially or completely affect the system or the hosted operating systems and devices. The technique works on the database server side, attached to a distributed cloud environment, and provides a security control system that ensures the secure execution of every requested query without the database being hacked or fabricated.
Fig-3: General example of SQL query injection [7].
First tier (client tier): this tier consists of the applications that access a server, which is usually located on a different machine, so that the arrangement forms a distributed environment. It covers web browsers, servers or standalone applications running on different machines that issue request and response queries through the servers. If there are S servers that communicate through Q queries, the rate of detecting a breakthrough is taken to be directly proportional to the number R of activities run, where $R = \{r_1, r_2, r_3, \dots, r_t\}$. Overall, the query associativity is

$$Q_i = \sum_{i=1}^{t} R = \sum_{i=1}^{t} (r_1 + r_2 + r_3 + \dots + r_t).$$

As each R carries out s queries,

$$Q_i = (q_1, q_2, q_3, \dots, q_s)_1 + (q_1, q_2, q_3, \dots, q_s)_2 + \dots + (q_1, q_2, q_3, \dots, q_s)_t = t\,(q_1, q_2, q_3, \dots, q_s) = tQ,$$

so that for $i = 1$, $Q \cong t$. Queries processed through the distributed servers return their results as HTML web pages, each uniquely identified by its url. To obtain the associative probability, the value is further divided by 100 for the overall evaluation.
Second tier (logic access tier): this layer holds the server-side code, whether platform code or application software, that processes queries and sets up the communication between remotely placed servers and systems; it is written in C#, JSP, ASP.NET, VB, PHP and the like. On behalf of the application, this layer is responsible for authentication, authorization, caching, coupling and cohesion, exception management and validation, and it logs and audits the queries Q as they progress.

Third tier (data server tier): this tier represents the database services on distinct servers. It holds all the database objects that applications may use, such as schemas, views, tables and stored procedures; the definitions of the instance-level objects available to SQL Server are stored in the databases at this tier. Its tools serve the Application Developer, Database Administrator, Independent Software Vendor, IT Administrator, etc., and support the data-tier application operations EXTRACT, DEPLOY, REGISTER, UNREGISTER and UPGRADE, which help in the EXPORT/IMPORT of request and response queries.
Fig. 4: Representation of the way a SQL Injection Attack is detected and filtered, stopping the malicious query.

The proposed methodology builds on this 3-tier architecture, which defines the level-wise security against SQLIAs. By placing a proxy server at the cloud DSP (Data Service Provider), 40% of the attacks are removed. To exclude the remaining 60%, a validating security tool is installed on the proxy server; it compares each incoming query with the original one using metrics already stored in the tool and filters out the malicious queries, so that the firewall is not crossed (see fig-4).

VII. IMPLEMENTATION & EVALUATION ANALYSIS

The experimental process is still in progress; it needs to be carried out on a large scale, covering SQL, NoSQL and NewSQL databases as well as application-oriented scenarios. On the basis of the work done to date, the evaluation yields a 75-87% success probability associativity using the proposed formula. The scheme secures the data of all the cloud types and the services provided. Running on a supercomputer is sometimes difficult, so a prototype is designed for executing queries and transactions across inter- and intra-cloud boundaries. Table-1 lists the queries used for the comparison and Table-2 gives the system configuration, with technical attributes such as RAM, OS and hard disk, required to implement the proposed solution. Fig-5 shows the smallest average (over the 4 different queries of Table-1) at which the lines have converged, with a very small difference of negotiation. One complete cycle includes the static and dynamic variability and the process that leads to filtration after an injected SQL query is detected. For the practical evaluation shown in the graph (see fig-5) the following queries, each carrying 57 vulnerable instructions, are picked:
Table-1: details of the queries considered for the evaluation comparison (each query carries 57 instructions).

Query cycle   Query type
Query-1       57 Read instructions in a single go
Query-2       57 Write instructions simultaneously
Query-3       57 Update instructions
Query-4       57 Retrieve instructions in parallel
Table-2: technical details of the implementation environment (setup phase).

Technical attribute          Configuration
RAM capacity                 8 GB
Processor                    Intel(R) Core(TM) i7 CPU Q 740 @ 1.73 GHz (Turbo up to 1.93 GHz)
Operating system             Windows 7 Ultimate
Hard disk                    1 TB
Graphics card (if required)  NVIDIA GeForce GT 425M, 2 GB
Fig-5: Average negotiation comparison for 4 random queries, each including 57 transactions.
Fig-6(a), 6(b): Query tested through the SQL Inject Me simulation.
To evaluate the work and to handle both static and dynamic queries, the online tool SQL Inject Me is used. To validate the work, queries are run in bulk over several parallel cycles. Fig-6 shows the workflow: 6(a) depicts the process of firing the query from one system and 6(b) the random server being attacked. Studying these facts, the process also reveals further trends that will be evaluated in future work.

VIII. CONCLUSION
The proposed approach is essentially a runtime detection and prevention methodology following a three-tier (Client - Logic Access - Data Server) organization to process, access and exchange queries. It ensures that the Data Server tier will, in all probability, not execute any vulnerable code that could partially or completely affect the system or the hosted operating systems and devices. The technique works on the database server side, attached to a distributed cloud environment, and provides a security control system that ensures the secure execution of every requested query without the database being hacked or fabricated. Placing a proxy server at the cloud DSP (Data Service Provider) removes 40% of the attacks. To exclude the remaining 60%, a security tool installed on the proxy server compares each query with the original one using metrics already stored in the tool, filters out the malicious queries, and so prevents the firewall from being crossed.
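The conclusion, like Section VI, describes the proxy-side tool comparing each query with the original using stored metrics but does not fix the metric. The following Python example, added here and not part of the paper, uses one concrete metric of that kind: the token skeleton of the query (literals replaced by placeholders, keywords, identifiers and operators kept), in the spirit of the structure-comparison approach of Halfond and Orso [11][12]. The original query template, the sample user inputs and the build helper are all constructed for this illustration.

```python
import re

# Lexer for the subset of SQL needed here: comments, string literals, numbers,
# words (keywords and identifiers) and operators. Input that matches none of
# these (for example an unterminated quote) surfaces as a BAD token.
TOKEN_RE = re.compile(r"""
      (?P<comment>--[^\n]*|/\*.*?\*/)
    | (?P<string>'(?:[^']|'')*')
    | (?P<number>\b\d+(?:\.\d+)?\b)
    | (?P<word>[A-Za-z_][A-Za-z0-9_]*)
    | (?P<op><=|>=|<>|!=|[=<>*,;().+\-/])
    | (?P<ws>\s+)
""", re.VERBOSE | re.DOTALL)


def skeleton(sql):
    """Reduce a query to its structure: string and numeric literals become the
    placeholders STR and NUM, keywords/identifiers/operators are kept in upper
    case, comments become COMMENT and unlexable text becomes BAD."""
    out, pos = [], 0
    for m in TOKEN_RE.finditer(sql):
        if m.start() != pos:          # characters the lexer could not consume
            out.append("BAD")
        pos = m.end()
        kind = m.lastgroup
        if kind == "ws":
            continue
        if kind == "string":
            out.append("STR")
        elif kind == "number":
            out.append("NUM")
        elif kind == "comment":
            out.append("COMMENT")
        else:
            out.append(m.group().upper())
    if pos != len(sql):
        out.append("BAD")
    return tuple(out)


class QueryFilter:
    """Proxy-side filter: the skeletons of the application's original queries are
    stored once; a runtime query passes only if its skeleton matches one of them.
    Injected text adds or changes tokens, so the skeleton no longer matches."""

    def __init__(self):
        self.known = set()

    def register(self, template_sql):
        self.known.add(skeleton(template_sql))

    def allow(self, sql):
        return skeleton(sql) in self.known


def build(user, pw):
    """Constructed stand-in for a vulnerable application that pastes user input
    straight into the query text (hypothetical, not from the paper)."""
    return "SELECT id FROM users WHERE name = '%s' AND password = '%s'" % (user, pw)


def demo():
    """Decisions of the filter for a few constructed inputs: {case: allowed}."""
    f = QueryFilter()
    f.register(build("x", "x"))       # the developer's original query shape
    cases = {
        "honest": build("alice", "s3cret"),
        "escaped quote": build("O''Brien", "pw"),      # legal SQL escaping, still one STR
        "comment": build("alice' --", "wrong"),        # password check commented out
        "tautology": build("' OR 1=1 --", "wrong"),    # OR 1=1 added to the WHERE
        "unterminated": build("O'Brien", "pw"),        # broken literal, lexes to BAD
    }
    return {name: f.allow(sql) for name, sql in cases.items()}


if __name__ == "__main__":
    for name, allowed in demo().items():
        print("%-14s %s" % (name, "allowed" if allowed else "blocked"))
```

Only the honest query and the correctly escaped name are allowed; the comment, tautology and unterminated-quote queries are blocked before they reach the data server tier. The filter compares structure, not values, so it does not need a blacklist of attack strings and does not block legitimate data that merely contains a quote.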
REFERENCES
[1] M. Casassa Mont et al., "Towards safer information sharing in the cloud", International Journal of Information Security, Springer, Berlin, August 23, 2014, pp. 319-334. doi:10.1007/s10207-014-0258-5.
[2] M. B. Mullah, K. R. Islam, S. S. Islam, "Next generation of computing through cloud computing technology", 2012 25th IEEE Canadian Conference on Electrical and Computer Engineering (CCECE).
[3] D. Puthal, B. P. S. Sahoo, S. Mishra, S. Swain, "Cloud computing features, issues and challenges: A big picture", 2015 International Conference on Computational Intelligence & Networks, pp. 116-123.
[4] A. Celesti, F. Tusa, M. Villari, A. Puliafito, "An approach to enable cloud service providers to arrange IaaS, PaaS and SaaS using external virtualization infrastructures", 2011 IEEE World Congress on Services, pp. 607-611.
[5] L. Wu, S. K. Garg, R. Buyya, "SLA-based resource allocation for software as a service provider (SaaS) in cloud computing environments", 2011 11th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing, pp. 195-204.
[6] N. Selviandro, M. Suryani, Z. A. Hasibuan, "Open learning optimization based on cloud technology: case study implementation in personalization e-learning", February 16-19, 2014, pp. 541-546.
[7] M. Phankokruad, "Implement of cloud computing for e-learning system", 2012 International Conference on Computer & Information Science (ICCIS), pp. 7-11.
[8] C. M. Swanson, D. R. Stinson, "Extended results on privacy against coalitions of users in user-private information retrieval protocols", Cryptography and Communications, Vol. 7, No. 4, Springer, February 12, 2015, pp. 415-437.
[9] E. Plischke, E. Borgonovo, C. L. Smith, "Global sensitivity measures from given data", European Journal of Operational Research, Vol. 226, No. 3, Elsevier, May 1, 2013, pp. 536-550. doi:10.1016/j.ejor.2012.11.047.
[10] I. Eyal, K. Birman, R. van Renesse, "Cache Serializability: Reducing Inconsistency in Edge Transactions", 2015 IEEE 35th International Conference on Distributed Computing Systems (ICDCS), Columbus, OH, June 29 - July 2, 2015, pp. 686-695. doi:10.1109/ICDCS.2015.75.
[11] W. G. J. Halfond, A. Orso, "Combining Static Analysis and Runtime Monitoring to Counter SQL-Injection Attacks", Proceedings of the Third International ICSE Workshop on Dynamic Analysis (WODA), IEEE.
[12] W. G. J. Halfond, A. Orso, "Detection and Prevention of SQL Injection Attacks", Springer, 2007, pp. 85-109.
[13] S. Bandhakavi et al., "CANDID: Preventing SQL Injection Attacks using Dynamic Candidate Evaluations", 14th ACM Conference on Computer and Communications Security (CCS), Alexandria, Virginia, USA, October 29 - November 2, 2007.
[14] F. Gómez Mármol, C. Sorge, R. Petrlic, O. Ugus, D. Westhoff, G. Martínez Pérez, "Privacy-enhanced architecture for smart metering", International Journal of Information Security, Vol. 12, No. 2, Springer, November 28, 2012, pp. 67-82. doi:10.1007/s10207-012-0181-6.