An Agent Based Intelligent Dynamic Vulnerability Analysis Framework for Critical SQLIA Attacks: Intelligent SQLIA Vulnerability Analyzer Agent

An Agent Based Intelligent Dynamic Vulnerability Analysis Framework for Critical SQLIA Attacks: Intelligent SQLIA Vulnerability Analyzer Agent

Jeya Mala Dharmalingam (Thiagarajar College of Engineering, Madurai, India) and M Eswaran (Zoho Corporation, Chennai, India)
Copyright: © 2018 |Pages: 27
DOI: 10.4018/IJIIT.2018070104

Abstract

This article describes how software vulnerability analysis and testing for web applications should detect not only the common attacks but also dynamic vulnerability attacks. These are the attacks such as structured query language injection attacks (SQLIAs) which will extract the most crucial user information from the targeted database. In this proposed approach, an intelligent agent namely intelligent vulnerability analyzer agent (IVA) is proposed in which the external attacks due to dynamic user inputs are identified using a heuristic-guided intelligent graph searching and then a pre and post condition based analysis is performed to identify the dynamic vulnerabilities. Further, the proposed approach is compared with some of the existing works based on the number of false positives and false negatives of attacks detection and confirmed that the proposed work is a novel and effective one in finding out SQLIAs.
Article Preview

Introduction

In general, web applications are real-time applications that include online sales, online auctions, online banking, online stock forecasting and so on. These applications have to be deployed with higher degree of reliability, confidentiality and efficiency. As these applications are vulnerable to various kinds of attack, protecting such applications from them is essential (Balasundaram and Ramaraj, 2012). The OWASP’s Top 10 most critical web application security risks are: Injection, Broken Authentication and Session Management, Cross-Site Scripting (XSS), Insecure Direct Object References, Security misconfiguration, Sensitive Data Exposure, Missing Function Level Access Control, etc. (OWASP Report, 2017)

Many of the web based applications are two-tier or three-tier architecture ones, in which the business information or customer related crucial information will be stored in back-end databases. The Structured Query Language (SQL) is used to communicate with such back-end databases to store, process and update the information.

The attackers or intruders generally use these SQL statements present in the server-side code of the web application and inject them with malicious input along with the dynamic user input. This helps them to access and retrieve the crucial information stored in these databases without the knowledge of the users of the websites and even the administrators of the website. This type of attack which is called as SQL Injection Attack (SQLIA) allows the intruders to retrieve information from the backend databases directly. Depending on the security measures of the application, the risk of SQL Injection attack can vary from remote code execution and total system compromise to basic information disclosure (Tajpour et al., 2011).

According to Teska Labs report (2016), today’s malicious hackers have an average of 312 days to exploit “zero-day” computer software flaws before human cyber security experts can find and fix these flaws. Due to the severity level of such attacks, several researchers’ have proposed different approaches to reduce their impact for secured online transactions. Based on the literature reviews, it has been identified that, most of the existing works are using static code analysis techniques with some persistent storage to store different attack types to evaluate the vulnerabilities of user inputs. But, as these will cause second order attacks by the intruders on these backend tables again by means of SQL injection attacks, the existing works are proven to be error-prone. Some of the dynamic execution based analysis techniques depend on mutation based analysis which requires huge amount of storage space to store different versions of the queries for each kind of attack and also higher execution time is required to execute both mutated queries and actual queries to compare their results.

The vulnerability and severity level of SQLIAs and the insights gained over the problems in the existing works have been the motivation behind this research work to find an alternative mechanism that will prevent SQLIAs and also does not have any second order attacks with less time consumption.

Hence, the objective of this research work is twofold: (1) to identify the potential SQL queries that are vulnerable to attack and (2) to provide an alternate mechanism to rewrite them in order to prevent SQLIA type of attacks using an intelligent agent with heuristic guided graph searching technique.

Complete Article List

Search this Journal:
Reset
Open Access Articles: Forthcoming
Volume 15: 4 Issues (2019): Forthcoming, Available for Pre-Order
Volume 14: 4 Issues (2018): 3 Released, 1 Forthcoming
Volume 13: 4 Issues (2017)
Volume 12: 4 Issues (2016)
Volume 11: 4 Issues (2015)
Volume 10: 4 Issues (2014)
Volume 9: 4 Issues (2013)
Volume 8: 4 Issues (2012)
Volume 7: 4 Issues (2011)
Volume 6: 4 Issues (2010)
Volume 5: 4 Issues (2009)
Volume 4: 4 Issues (2008)
Volume 3: 4 Issues (2007)
Volume 2: 4 Issues (2006)
Volume 1: 4 Issues (2005)
View Complete Journal Contents Listing