sesa 18(16): e5

Research Article

Opportunistic Diversity-Based Detection of Injection Attacks in Web Applications

@ARTICLE{10.4108/eai.11-12-2018.156032,
    author={Wenyu Qu and Wei Huo and Lingyu Wang},
    title={Opportunistic Diversity-Based Detection of Injection Attacks in Web Applications},
    journal={EAI Endorsed Transactions on Security and Safety},
    volume={5},
    number={16},
    publisher={EAI},
    journal_a={SESA},
    year={2018},
    month={12},
    keywords={Diversity, SQL Injection, Web Application Security, Intrusion Detection},
    doi={10.4108/eai.11-12-2018.156032}
}
Wenyu Qu¹, Wei Huo², Lingyu Wang²,*
  • 1: School of Computer Software, Tianjin University, Tianjin, China
  • 2: Concordia Institute For Information Systems Engineering, Concordia University, Montreal, Canada
*Contact email: wang@ciise.concordia.ca

Abstract

Web-based applications delivered using clouds are becoming increasingly popular because they place lower demands on client-side resources and are easier to maintain than their desktop counterparts. At the same time, larger attack surfaces and developers’ lack of security proficiency or awareness leave Web applications particularly vulnerable to security attacks. On the other hand, diversity has long been considered a viable approach to detecting security attacks, since functionally similar but internally different variants of an application will likely respond to the same attack in different ways. However, most diversity-by-design approaches have met difficulties in practice due to their prohibitive cost in terms of both development and maintenance. In this work, we propose to employ the opportunistic diversity inherent to Web applications and their database backends to detect injection attacks. We first conduct a case study of common vulnerabilities to confirm the potential of opportunistic diversity for detecting attacks. We then devise a multi-stage approach to examine features extracted from the database queries, their effect on the database, the query results, and the user-end results. Next, we combine the partial results obtained from the different stages using a learning-based approach to further improve the detection accuracy. Finally, we evaluate our approach using a real-world Web application.

Keywords: Diversity, SQL Injection, Web Application Security, Intrusion Detection
Received: 2018-11-21
Accepted: 2018-12-04
Published: 2018-12-11
Publisher: EAI
DOI: http://dx.doi.org/10.4108/eai.11-12-2018.156032

Copyright © 2018 Wenyu Qu et al., licensed to EAI. This is an open access article distributed under the terms of the Creative Commons Attribution license (http://creativecommons.org/licenses/by/3.0/), which permits unlimited use, distribution and reproduction in any medium so long as the original work is properly cited.
