Introduction
Databases support almost all organizational operations, and often store business secrets (Basit et al., 2019). Consequently, ensuring the security of databases is fundamental to preventing data breaches and should therefore be addressed as part of the overall security strategy of any organization. Nowadays, Intrusion Detection Systems (IDS) are a fundamental component of an organization’s security infrastructure, given that these systems have the ability to detect network attacks. The most common network attacks target web applications and databases with the goal of obtaining confidential data, and thereby have the potential to seriously affect an organization.
The majority of attacks on web applications and databases are based on code injection. This type of attack consists of injecting malicious code to change the structure of a SQL query. The code can be injected by inserting malicious data into the forms of a web page or through its URL (Santos et al., 2011).
Attackers often resort to SQL Injection – a well-known type of attack that allows the attacker to obtain, alter or delete information from an organizational database. Therefore, it is very important to mitigate this type of attack in order to prevent serious losses for enterprises.
There are several international standards that provide guidelines to mitigate SQL Injection attacks. Some of those standards are ISO-27002 (International Organization for Standardization [ISO], 2013), OWASP (OWASP, 2016), COBIT (Control Objectives for Information and Related Technologies, 2012) and NIST (National Institute of Standards and Technology, 2007).
Some of the guidelines presented in the previous standards are the following:
- Review of source code;
- Validating all data from input fields;
- Reject binary, escape and comment characters;
- Verification of user privileges when connecting to the database;
- Strong password for the system administrator;
- Use secure hash algorithms;
- Use the least privilege rule.
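As an added illustration (not code from the paper or from any of the IDSs it evaluates), the query-structure change described above is shown beside its parameterised form, together with an input check for the "reject binary, escape and comment characters" guideline, on a constructed in-memory sqlite3 table:

```python
import re
import sqlite3


def make_db():
    # Constructed sample table; the names and secrets are not from the paper.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s1"), ("bob", "s2")])
    return conn


def lookup_vulnerable(conn, name):
    # Untrusted input concatenated into the statement text: the input can
    # alter the structure of the query, which is the injection described above.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_safe(conn, name):
    # Parameterised query: the driver binds the value, so it is only ever
    # compared as data and never parsed as SQL, whatever it contains.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return sorted(row[0] for row in rows)


# Escape characters and the comment sequences of common SQL dialects.
_ESCAPE_OR_COMMENT = re.compile(r"""['"\\;]|--|/\*|\*/|#""")


def is_acceptable(value):
    # Input-field validation following the guideline: reject binary/control
    # bytes, escape characters and comment markers before they reach the query.
    if any(ord(ch) < 0x20 or ord(ch) > 0x7E for ch in value):
        return False
    return _ESCAPE_OR_COMMENT.search(value) is None


if __name__ == "__main__":
    db = make_db()
    for candidate in ("alice", "alice' OR '1'='1"):
        print(repr(candidate), "accepted:", is_acceptable(candidate),
              "concatenated:", lookup_vulnerable(db, candidate),
              "parameterised:", lookup_safe(db, candidate))
```

The concatenated query returns every row for the second input because the quote closes the literal and the rest becomes part of the WHERE clause; the parameterised query returns nothing, and the validator would have rejected the input before the query was built.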
Another way to mitigate SQL Injection attacks is to deploy an IDS that is effective in detecting such attacks. In this paper, the authors review the literature in order to identify the state-of-the-art in detecting and mitigating SQL Injection attacks and benchmark existing practical implementations in order to study the current state-of-practice.
One important observation is that the vast majority of existing IDSs provide little or no protection against SQL Injection attacks. Among open-source IDSs, Bro and ModSecurity are able to detect SQL Injection attacks. Both of them can operate as a Network Intrusion Detection System (NIDS). Bro is only configurable for UNIX platforms and is an IDS that inspects network traffic looking for anomalous activity (Arabo et al., 2019). ModSecurity is an open-source Web Application Firewall (WAF), that is, an IDS that inspects only HTTP traffic. ModSecurity is the most widely deployed WAF because it is mature in terms of features, stability and reliability (Hall et al., 2019). Only these two IDSs met the inclusion criteria to be further analyzed and compared, given that all other IDSs provided no protection against SQL Injection.
This paper experimentally evaluates Bro and ModSecurity using different metrics in order to identify the IDS that is most effective at protecting information stored in organizational databases from unauthorized access through SQL Injection attacks. The results of this analysis, which favor ModSecurity, shed light on the main characteristics an IDS requires to be successful in detecting SQL Injection attacks, thereby indicating the developments that other IDSs will need in order to mature and reach the state-of-the-art in detecting SQL Injection attacks.