Artificial Neural Network based Web Application Firewall for SQL Injection

In recent years, with the rapid development of the Internet and the Web, more and more web applications have been deployed in many fields and organizations, such as finance, the military, and government. Alongside this, attackers have found ever more subtle ways to attack web applications. According to international statistics, SQL Injection is one of the most common vulnerabilities in web applications. The consequences of this type of attack are serious: sensitive information can be stolen, or authentication systems can be bypassed. To mitigate the situation, several techniques have been adopted. In this research, a security solution based on an Artificial Neural Network is proposed to protect web applications against this type of attack. The solution has been tested on sample datasets and has given promising results. It has also been implemented in a prototype web application firewall called ANNbWAF.
