SQL Injection Attack Detection & Prevention over Cloud ... · SQL Injection Attack Detection &...

SQL Injection Attack Detection & Prevention over

Cloud Services

Niharika Singh Ajay Jangra Upasana Lakhina Rajat Sharma

Department of Computer Science and Engineering, University Institute of Engineering and Technology

Kurukshetra University, Kurukshetra, INDIA

Abstract — Web servers which provide customer services

are usually connected to highly sensitive information

contained backend databases. The incrementing bar of

deploying such web applications initiated in ranging the

corresponding bar of number of attacks that target such

applications. SQL Injection Attacks come about when

data provided by external user are directly included in

SQL query but is not properly validated. The paper

proposes a novel detection & a prevention mechanism of

SQL Injection Attacks using three-tier system. As the

methodology is concerned over static, dynamic & runtime

detection and prevention mechanism which also filters out

the malicious queries and inspires the system to be well

prepared for the secure working environment, regardless

of being concerned over the database server only. The

cloud proposes the services like SaaS, IaaS, PaaS, DaaS,

EaaS. As previous solutions are achieved for the database

queries for DaaS service only, but this paper enhances the

scope of other services as well. It adapts to maintain

security of the whole system even when it is for any of the

cloud platforms. The solution includes detection &

filtration that reduces attacks to 80% in comparison to

other algorithms.

Keywords—Cloud computing; Cloud Security; Architecture,

design; Cloud services; Deployment models; SQL Injections;

I. INTRODUCTION

Cloud computing is an on demand, resource pooling, self-

service, multilevel virtualization that is independent and is

ubiquitous network access which visualize the next

generation computing. It is actually inspired by the grid,

parallel and distributed computing over the internet deploying

highly optimized data setters to provide the resources like

hardware, software, data, and platform as required by any

application. The concept evolved in 1950 by IBM known as

RJE (Remote Job Entry process). In recent years, the

popularity and swift growth in storage and processing

technologies and computing resources have become cheaper.

Involving the third party over the internet proposes many

unreliable strings which can be proved as loopholes.[11] [3]

The cloud is storing a huge amount of data including personal

and confidential details, thus, securing the data in the cloud

tends to a major point of concern. The successes of the

internet have turned more powerful, efficient, thus are

pervasively available than ever before. In 2006 Amazon

implemented its first cloud AWS (Amazon Web Service) [1].

It offers a new style of application program that can work as

a platform which supports dynamically organized services

simultaneously. To understand the concepts of the cloud

computing technology a performance based efficient

approach will be required for new paradigms to systematize

the usually shared information and to deploy & develop the

affiliated changes in different user-oriented platform models

[2]. Applying the various but suitable methods for providing

privacy checks to the escapes is itself a major challenge of the

cloud computing. [13] Web servers which provide customer

services are usually connected to highly sensitive information

contained backend databases. The incrementing bar of

deploying such web applications initiated in ranging the

corresponding bar of number of attacks that target such

applications. According to a study, it was stated that 80% of

cyber-attacks are outperformed at the application layer & over

the audited websites where 98% of them are clearly targeted.

SQL Injection Attacks (SQLIAs) are being identified as one

of the foremost security threats to the web applications. [12]

It initiates a vulnerable query to destroy the connected server

systems and give attackers unauthorized access to underlying

databases & rights to delete, modify and retrieve valuable and

confidential information stored in databases.

II. CLOUD PLATFORMS

The section describes that there are four platforms which are

being designed to meet the needs and expectations of cloud

computing technology [8]. Injecting the SQL queries harms

the database on the client server, but it might be possible that

the attack might happen in any of the following cloud types

that are as follows [11].

International Journal of Computer Science and Information Security (IJCSIS), Vol. 14, No. 4, April 2016

256 https://sites.google.com/site/ijcsis/ ISSN 1947-5500

mailto:[email protected]

mailto:[email protected]

Public cloud: Computing infrastructure is hosted by a cloud

vendor on vendor premises and can be shared by various

organizations. E.g. Amazon, Google, Salesforce.com,

Microsoft etc.

Private cloud: The computing infrastructure of private cloud

is not shared with other organizations, but rather is dedicated

to a particular organization. It is more expensive but reliable

in comparison to the public cloud. E.g.: HP data centers, IBM

sun, Oracle, 3tera etc.

Hybrid cloud: When public & private cloud works together it

is called hybrid cloud “Organizations may host critical

applications on private clouds, whereas relatively less secure

concern on public cloud”.

Community cloud: The cloud is shared by two or more private,

public or community cloud. E.g.: Group of schools comes

under specific university [8].

III. FORMATION OF CLOUD COMPUTING

This part of the paper describes the organization of the

technology. In simple terms “the cloud” can be predicted as a

metaphor for the internet that is quite familiar cliché, but when

it is integrated to the term “computing” its meaning gets

bigger & hazy. Cloud computing offers the opportunity to

organizations that could simply connect to the cloud and use

the available resources on a PAY PER USE basis, which

avoids the company’s capital expenditure on additional of

premises infrastructure resources and instantly scale up and

scale down according to business requirements [3]. Cloud

computing consists of cloud client, services, applications,

platform, storage & infrastructure measured services. Cloud

computing is the highly automated utility based paradigm

shift consists of optimized and efficient framework that

includes servers, virtual desktops allocates services for

computer network over the internet prescribing software

platform and applications for easy and agile deployment of

secure data management [5].

Accessing & storing content through cloud initiates many

different levels of checkpoints to get authorization. SQLIAs

are the way that may harm at any of the checkpoint level

including any of the XaaS (X as a service) The technology

provides broad network access using resource pooling, on

demand self-service with rapid elasticity, resulting in

continuous high availability, interoperability and

standardized scalability for the hardware and software

components providing data secrecy and ease for capital

investment [2] [6].

IV. MOTIVATION

Study says about SQLIAs that the queries are injected to

attack databases of the client. Whether it is on the internet or

if attacker attacks a cloud, the data is possessed to be affected,

but if the SQLIAs are attacked to modify the configuration of

any server system or to spoof a platform where one is working

over a confidential work? It is always considered to get

detection & prevention solutions for SQLIAs on the DaasS

level but one must find solutions for SaaS, PaaS, IaaS, & EaaS

level. The solutions that are found are supposed to be much

more effective as for the DaaS to get 70-90% of the success.

The fig-1 is depicted the insertion of SQL Injected query in

the network that penetrates firewall and breakthrough the

other levels of servers at the client end.

V. DEPLOYMENT MODELS & EVALUATION

Cloud computing is the type of internet-based computing,

where different services such as servers, data storage modules

are delivered to any organization computers and devices

through the internet. The internet cloud can communicate

through various devices like PC, mini note, notebook, remote

desktop, remote server, database, mobile phones, etc. contains

three different service layers that are software, platforms and

infrastructure[1][2]. This helps the users to get better services,

but it is counted as a single phase. On the other hand, attackers

are ready to hack, spoof, or harm the systems that might

belong to any of the following service categories. [8].

Software as a service (SaaS): It refers to an application that

can be accessed from anywhere over the world as long as you

have an internet connection. They have certain features like

SSL encryption, a cryptographic protocol. Ex: G-mail, yahoo-

mail, Google apps, MS office 365.

Platform as a service (PaaS): This service layer delivers a

computing platform typically includes an operating system,

programming language, etc. It is a platform for developers to

write and create their own applications. For ex: AWS elastic

beanstalk Google app engine, salesforce.com, windows azure,

etc.

Infrastructure as a service (IaaS): It provides hardware and

infrastructure to the users to rent and tariff for a limited period

of time. It is also known as “Hardware as a Service”. Ex:

firewalls Google computes engine, Amazon HP cloud, EC2

etc. The three layers are the basic service layers that were

discovered in the early sixties and on analyzing modern

research and study projects, some new service layers have

been discovered that are listed out as [4].

Data as a service (DaaS): A large amount of data over the

internet is stored in an unmanaged way which requires to be

maintained by applying sorting algorithms and defining data

allocation methods. Thus the model work over the bulk

amount of data retrieval initiates the availability, security and

data management leads to concurrency & efficiency in data

storage maintenance. It benefits in gaining the agility, cost-

effectiveness and data quality. Ex: VMware, Citrix etc.

Education as a service (EaaS): This service layer includes the

e-learning and smart classes’ concepts that are demonstrated

as an education-oriented services. The model establishes

distant learning programs that help users accessing the

knowledge and services independent of their location. E.g.

Educomp, Indiamart, and Microsoft smart class library, etc.

To meet the requirements and to efficiently use such services

there are many service providers that can be listed out in the

following way. See Fig.2. The fig also depicts that at every

level it requires some kind of security protocols that must be

strong enough to handle any kind of breakthrough possibility

& stop the attacker to affect the system.



Fig. 1: Representation of the way SQL Injection Attack is initiated.

Fig. 2: Examples of Different Service Providers

VI. SQLIAs SOLUTION FOR DIFFERENT CLOUD

SERVICES

When the system is divided over three-tier architecture: The

introducing approach is fairly a runtime detection &

prevention methodology following three-tier (Client-Logic

Access- Data Server) organization to process, access and

exchange queries. As it ensures that the Data-Server tier will

probably not execute any vulnerable code which affects the

system or the hosted operating systems & devices partially or

completely. The technique is working over the database

server side being associated with a distributed cloud

environment to provide a security controlling system for

ensuring the secure execution of all requested queries without

any database hacking or fabrication.

Procedure Receive_Query Unveil_Message (T: Tier level number)

begin Update row T of access table to increase input count;

end

Procedure Finish_Query (T: Tier level number)

begin Update row T of access table to increase consumed

count;

End Procedure Upon_Idle

Begin Report to server controller non-zero difference for

previously unreported rows of access table;

End

The algorithm for tier-architecture detects the completion of

the query exchange process at tier level. As the queries 𝑄 ={𝑞1, 𝑞2, 𝑞3 … 𝑞𝑠} go through a tier architecture representation

for 𝑇 = {𝑡1, 𝑡2, 𝑡3 … 𝑡𝑛}, that is for the proposed scenario

works over up to n=3 levels. A general example to understand

the SQL query injection can be studied through fig-3. The

architecture is dependent upon the three-tier architecture

system which is divided as follows:

Fig-3 general example of SQL query injection. [7]

First tier (client tier) - The tier consists of applications that

access a server which is usually located on a different machine

from the server making a distributed environment. As here it

is concerned to web browsers, servers or standalone

application running on different machines that processes

queries to request & response through the servers. If there are



S servers that share a communication through Q queries, the

ratio of detecting a breakthrough would be directly

proportional to R number of activities run where 𝑅 ={𝑟1, 𝑟2, 𝑟3 … 𝑟𝑡}. Where on the whole the query associativity

would be:

𝑸𝒊 = ∑ 𝑹

𝒕

𝒊=𝟏

𝑸𝒊 = ∑(𝑟1 + 𝑟2 + 𝑟3 … 𝑟𝑡)

𝒕

𝒊=𝟏

As, each R outperforms s number of queries. Thus,

𝑸𝒊 = (𝑞1, 𝑞2, 𝑞3 … 𝑞𝑠)1 + (𝑞1, 𝑞2, 𝑞3 … 𝑞𝑠)2 + ⋯+ (𝑞1, 𝑞2, 𝑞3 … 𝑞𝑠)𝑡

𝑸𝒊 = 𝒕(𝑞1, 𝑞2, 𝑞3 … 𝑞𝑠)

𝑸𝒊 = 𝑡𝑄

For which, if we have 𝑖 = 1,

𝑄 ≅ 𝑡

The queries when are processed through distributed servers it gives

the result into HTML form webpages. The webpages are uniquely

identified with their corresponding 𝑢𝑟𝑙. To find the associative

probability it is further divided by 100 for the overall evaluation.

Second tier (logic access tier) – The layer concerns over the

server codes that may include platform or such software

applications which processes and set up communication

behavior in between far over placed servers and systems,

outperforming over C#, JSP, ASP.NET, VB, PHP etc. on the

behalf, the layer is responsible for the authentication,

authorization, caching, coupling & cohesion, exception

management, validation and though is effectively logs & audit

the progressive queries, say Q.

Third tier (data server tier) – it represents and considers

database services over distinct servers. This layer embraces

all the database objects that might be used by applications,

such as schemas, views, tables and stored procedures.

Definitions of the instance-level objects available for SQL

server objects are stored over the databases over the data

server tier. The tools of the layer can be listed out as:

Application Developer, Database Administrator, Independent

Software Vendor, IT Administrator, etc. supporting the

operations EXTRACT, DEPLOY, REGISTER,

UNREGISTER, UPGRADE which might help in EXPORT-

IMPORT of the request –response queries.

Fig. 4: Representation of the way SQL Injection Attack is detected and filtered & stops malicious query.

The proposed methodology indulges this 3-tier architecture

which defines the level-wise security from SQLIA’s attacks.

By proposing the proxy server over the cloud DSP (Data

Service Provide) 40% of the attacks reduces. For excluding

the other 60% of the attacks Valid Security tool can be

installed over the proxy server that helps queries to get

compared from the original one using some metrics already

stored over the security tool that filters out the malicious

queries. It protects the firewall to get crossed-over, see fig-4.

VII. IMPLEMENTATION & EVALUATION

ANALYSIS

The experimental process is under progress that is required to

do on a large scale, including SQL, NOsql & NewSQL

databases and also the application oriented scenarios. On the

basis of the work done till the date it possesses to evaluate at

75-87% success to get success probability associativity using

the proposed formula. It secures the data of all the cloud types

and the services provided. The system guidelines can be

predicted through table-2.

Initiating over a supercomputer sometimes is a difficult task,

but here an archetype is to be designed for execution of

queries and transactions for carrying up over inter and intra-

cloud. Thus, in concern, Table-1 shows system configuration

scenario instigating technical attributes like RAM, OS, Hard-

disk etc. required for the implementation of the proposed

solution. In fig-4 the smallest average (for 4 different queries

for the comparison table-1) over which the lines have

contracted is represented which has a very small difference of

negotiation. One complete single cycle includes the static &

dynamic variability and the process that leads to filtration

after the detection of injected SQL queries. In the graph (see

fig-5) for the practical evaluation the following queries are

picked with 57 vulnerable instructions at the same:

Table-1 details of considered query comparison for evaluation.

Query cycle Query type

Query-1 it takes 57 Read instructions in a single go

Query-2 it takes 57 Write instructions simultaneously



Query-3 takes 57 Update instructions

Query-4 it takes 57 Retrieve instructions in parallel

Table-2 technical details of implementation environment

Setup phase Technical attributes Configuration

System setup

RAM Capacity 8 GB

Processor Intel(R) Core(TM) i7 CPU Q 740 @ 1.73GHz 1.73GHz

Turbo up to 1.93 GHz

Operating system Windows 7 ultimate

Hard-disk 1 TB

Graphic card (if required) NVIDIA GeForce GT 425M-2GB

Fig-5 Average negotiation comparison for 4 random queries with 57 transactions included in a single query

Fig-6(a)-6(b) Query tested through SQL inject me simulation.



To evaluate the work and to deal with the static and dynamic

queries the online SQL inject me is used. To validate the work

queries are run in bulk followed by different cycles parallel.

Fig-6 shows and observes the work flow presented with a flow

where 6(a) depicts the process to fire the query through one

system and 6(b) representing the random server to be

attacked. Studying the facts and the process grows further

major trends as well that will be evaluated in future.

VIII. CONCLUSION

The introducing approach is fairly a runtime detection &

prevention methodology following three-tier (Client-Logic

Access- Data Server) organization to process, access and

exchange queries. As it ensures that the Data-Server tier will

probably not execute any vulnerable code which affects the

system or the hosted operating systems & devices, partially or

completely. The technique is working over the database

server side being associated with a distributed cloud

environment to provide a security controlling system for

ensuring the secure execution of all requested queries without

any database hacking or fabrication. By proposing the proxy

server over the cloud DSP (Data Service Provide) 40% of the

attacks reduces. For excluding the other 60% of the attack

security tool is installed over the proxy server helping queries

to get compared from the original one using some metrics

already stored over the security tool that filters out the

malicious queries & protects the firewall to get crossed-over.

REFERENCES [1] 1. Towards safer information sharing in the cloud. Casassa-

Mont, Marco, et al., et al. Berlin : Springer, August 23 , 2014,

International Journal of Information Security, pp. 319-334.

10.1007/s10207-014-0258-5.

[2] “Next generation of computing through cloud computing

technology”, Muhammad baqer mullah, Kazi reazul islam,

Sikder sunbeam Islam, 2012 25th IEEE Canadian Conference

on Electrical and Computer Engineering (CCECE).

[3] “cloud computing features,Issues and Challenges:A big

picture”, Deepak puthal, B.P.S Sahoo, Sambit Mishra,

Satyabrata swain,2015 International Conference on

Computational Intelligence & Networks, pp. 116-123.

[4] An approach to enable cloud service providers to arrange IaaS,

PaaS and SaaS using external virtualization infrastructures”,

Antonio celesti, Francesco tusa, Massimo villari, Antonio

puliafito, “2011 IEEE World congress on services, pp. 607-611

[5] “SLA-based resource allocation for software as a service

provider (SaaS) in cloud computing environments”,Lillin wu,

Saurabh kumar garg, Rajkumar buyya, 2011 11th

IEEE/ACM International symposium on cluster, cloud and grid

computing, pp.195-204.

[6] “Open learning optimization based on cloud technology: case

study implementation in personalization E-learning”, Nungki

selviandro, Mira suryani, Zainal A. Hasibuan, February

16~19, 2014, pp. 541-546.

[7] “Implement of cloud computing for e-Learning system”,

Manop phankokruad,2012 International Conference on

Computer & Information Science (ICCIS), pp. 7-11

[8] 2. Extended results on privacy against coalitions of users in

user-private information retrieval protocols. Colleen M.

Swanson, Douglas R. Stinson. 4, s.l. : Springer, February 12 ,

2015, Cryptography and Communications, Vol. 7, pp. 415-437.

[9] 3. Global sensitivity measures from given data. Elmar

Plischkea, Emanuele Borgonovob, Curtis L. Smithc. 3, s.l. :

elsevier, may 1, 2013, European Journal of Operational

Research, Vol. 226, pp. 536-550. 10.1016/j.ejor.2012.11.047.

[10] 4. Cache Serializability: Reducing Inconsistency in Edge

Transactions. Eyal, I., Birman, K. and van Renesse, R.

columbus, OH : IEEE, june-july 29-2, 2015, 2015 IEEE 35th

International Conference on Distributed Computing Systems

(ICDCS), pp. 686-695. 10.1109/ICDCS.2015.75.

[11] 5. Combining Static Analysis and Runtime Monitoring to

Counter SQL-Injection Attacks. W. Halfond, A. Orso. s.l. :

IEEE, Proceeding of the Third International ICSE Workshop on

Dynamic Analysis .

[12] 6. Detection and Prevention of SQL Injection Attacks. Halfond,

William G.J. and Orso, Alessandro. s.l. : Springer, 2007, pp.

85-109.

[13] 7. CANDID: Preventing SQL Injection Attacks using Dynamic

Candidate Evaluations. Bandhakavi, Sruthi, et al., et al.

Alexandria, Virginia, USA : ACM, October-November 29-2,

2007.

[14] 8. Privacy-enhanced architecture for smart metering. Félix

Gómez Mármol, Christoph Sorge, Ronald Petrlic, Osman

Ugus, Dirk Westhoff, Gregorio Martínez Pérez. 2, s.l. :

Springer, november 28, 2012, International Journal of

Information Security, Vol. 12, pp. 67-82. 10.1007/s10207-012-

0181-6.



SQL Injection Attack Detection & Prevention over Cloud ... · SQL Injection Attack Detection &...

Documents

Transcript of SQL Injection Attack Detection & Prevention over Cloud ... · SQL Injection Attack Detection &...