The Journey of a Malicious HTTP Request

SQL injection against web applications is a very common kind of attack.
Mechanisms such as intrusion detection systems exist to detect it, but
these strategies usually rely on techniques implemented at the high
layers of the application and do not consider the low level of system
calls. The problem with considering only the high-level perspective is
that an attacker can circumvent the detection tools with techniques
such as URL encoding. One technique currently used for detecting
low-level attacks on privileged processes is the tracing of system
calls. System calls act as the single gate to the Operating System (OS)
kernel, so they allow the critical data to be captured at an
appropriate level of detail. Our basic assumption is that any type of
application, be it a system service, a utility program or a Web
application, "speaks" the language of system calls when it converses
with the OS kernel, and at this level we can see the actual attack
while it is happening. We conduct an experiment to demonstrate the
suitability of system call analysis for detecting SQL injection, and we
are able to detect the attack. We therefore conclude that system calls
are not only powerful for detecting low-level attacks but also enable
us to detect high-level attacks such as SQL injection.
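To make the contrast drawn in the abstract concrete, the following added example (not code from the paper or from its experiment) applies one small set of SQL-injection signatures at two observation points: to the HTTP request line as received, with and without percent-decoding, and to the string buffers of I/O system calls in an strace-style trace of the database server process. The request line, the trace lines and the signature list are constructed for this illustration; the strace output format and the socket file descriptor numbers are assumptions, not data from the paper.

```python
import re
from urllib.parse import unquote

# --- Constructed sample input (not taken from the paper) -------------------
# One HTTP request line carrying a URL-encoded tautology injection in `user`.
HTTP_REQUEST_LINE = "GET /login?user=admin%27%20OR%20%271%27%3D%271&pass=x HTTP/1.1"

# strace-style lines imitating what the database server process might show
# after the web tier has decoded the parameter and sent the query over a
# socket. Constructed for this example; real traces carry far more detail.
SYSCALL_TRACE = [
    "accept(3, {sa_family=AF_INET, sin_port=htons(41234), sin_addr=inet_addr(\"10.0.0.5\")}, [16]) = 5",
    "read(5, \"SELECT * FROM users WHERE user='admin' OR '1'='1' AND pass='x'\", 4096) = 62",
    "write(5, \"\\x01\\x00\\x00\\x01\\x03\", 5) = 5",
]

# Signatures for classic injection shapes; deliberately tiny. The lesson is
# *where* they are applied, not how complete the list is.
SQLI_SIGNATURES = [
    re.compile(r"'\s*or\s+'?\w*'?\s*=", re.IGNORECASE),       # ' OR '1'='1
    re.compile(r"(--|#)\s*$"),                                 # trailing SQL comment
    re.compile(r";\s*(drop|union|insert|update)\b", re.IGNORECASE),
]


def has_injection_signature(text: str) -> bool:
    """True if any signature matches the given (already decoded) text."""
    return any(sig.search(text) for sig in SQLI_SIGNATURES)


def naive_http_check(request_line: str) -> bool:
    """High-layer check that inspects the request line exactly as received.

    Percent-encoded quotes (%27) never match a signature that looks for a
    literal quote, which is the evasion the abstract refers to.
    """
    return has_injection_signature(request_line)


def percent_decode_fully(value: str, max_rounds: int = 3) -> str:
    """Undo one or more layers of percent-encoding (double encoding is common)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def normalized_http_check(request_line: str) -> bool:
    """High-layer check that normalizes the request target before matching."""
    target = request_line.split(" ")[1]
    return has_injection_signature(percent_decode_fully(target))


# Matches the I/O system calls whose first string argument is a data buffer.
_IO_CALL = re.compile(r'^(read|write|recvfrom|sendto|recv|send)\(\d+,\s*"((?:[^"\\]|\\.)*)"')


def unescape_strace(literal: str) -> str:
    """strace prints non-printable bytes as C-style escapes (\\n, \\x01, \\")."""
    return literal.encode("latin-1").decode("unicode_escape")


def syscall_check(trace_lines):
    """Return (line_no, decoded_buffer) for each I/O syscall whose buffer matches.

    By the time the query reaches the database process it has already been
    decoded by the web tier, so the same signatures fire on the kernel-level
    view without any knowledge of URL encoding.
    """
    hits = []
    for line_no, line in enumerate(trace_lines, start=1):
        match = _IO_CALL.match(line)
        if not match:
            continue
        buffer = unescape_strace(match.group(2))
        if has_injection_signature(buffer):
            hits.append((line_no, buffer))
    return hits


if __name__ == "__main__":
    print("naive HTTP check flagged:     ", naive_http_check(HTTP_REQUEST_LINE))
    print("normalized HTTP check flagged:", normalized_http_check(HTTP_REQUEST_LINE))
    for line_no, buffer in syscall_check(SYSCALL_TRACE):
        print(f"syscall trace line {line_no} flagged: {buffer!r}")
```

Run as a script, the naive request-line check reports nothing, the percent-decoding variant flags the request, and the syscall check flags the `read()` on the database socket. Two caveats apply to the kernel-level view in practice: a long query may be split across several `read()` calls, so buffers from the same descriptor should be reassembled before matching, and a trace of a privileged process exposes every client's data, so it must be handled with the same care as the database contents themselves.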