A novel three-tier SQLi detection and mitigation scheme for cloud environments

Cloud computing is undoubtedly one of the most discussed topics of recent years, in both the research and business sectors, and various schools of thought have attempted to define it from many aspects. This computing paradigm can be defined as a web-based computing model designed to allow both off-site storage and easy sharing of data and digital files. This paper addresses SQL injection (SQLi), which is certainly one of the top-ranking vulnerabilities in cloud systems, and proposes a novel three-tier system for the detection and mitigation of SQLi attacks. The methodology combines dynamic, static and runtime prevention and detection mechanisms. Moreover, it removes malicious queries and keeps the system prepared for a secure environment even though it is focused on the database server only. In the three-tier architecture, the first approach to detection and prevention follows the client, logic and data server (three-tier) organization used to access, process and exchange queries. Furthermore, it ensures that no vulnerable code is executed that might affect the hosted operating system either partially or entirely. Experimental evaluation demonstrates the efficiency and superiority of the scheme compared with existing approaches.
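The abstract describes static, dynamic and runtime tiers without showing what each tier checks. The following Python block is an added illustration, not code from the paper, of one way such a layered defence can be arranged on the data-server side: a static allow-list of parameterised query templates, a dynamic check that strips literals from any SQL text and compares its shape with those templates, and a runtime authorizer on the database connection that refuses anything but reads. All template names, tables, sample rows and the `legacy_build` concatenation pattern are constructed assumptions for the example; the paper's own mechanisms may differ.

```python
import re
import sqlite3

# Constructed example: a three-stage defensive pipeline in the spirit of the
# abstract's static / dynamic / runtime tiers. Names and templates are
# hypothetical; none come from the paper.

# Stage 1 (static, in the logic tier): the only SQL the application may issue
# comes from this fixed set of parameterised templates.
TEMPLATES = {
    "user_by_name": "SELECT id, name FROM users WHERE name = ?",
    "user_by_id": "SELECT id, name FROM users WHERE id = ?",
}

_STRING = re.compile(r"'(?:[^']|'')*'")      # SQL string literal; '' escapes a quote
_NUMBER = re.compile(r"\b\d+(?:\.\d+)?\b")   # integer or decimal literal
_SPACE = re.compile(r"\s+")


def normalise(sql: str) -> str:
    """Replace every literal with '?' and collapse whitespace so only the
    query's shape (keywords, identifiers, operators) remains."""
    shape = _STRING.sub("?", sql)
    shape = _NUMBER.sub("?", shape)
    return _SPACE.sub(" ", shape).strip()


# Stage 2 (dynamic, at the data-tier boundary): the shape of any SQL text
# reaching the database must equal the shape of an approved template.
ALLOWED_SHAPES = {normalise(t) for t in TEMPLATES.values()}


def dynamic_check(sql: str) -> bool:
    return normalise(sql) in ALLOWED_SHAPES


def legacy_build(name: str) -> str:
    """The string-concatenation pattern the pipeline exists to catch.
    Kept only as the negative example; never use this in real code."""
    return f"SELECT id, name FROM users WHERE name = '{name}'"


# Stage 3 (runtime, on the database connection): an sqlite3 authorizer refuses
# everything except reads of the tables this tier may see, so SQL that slipped
# past stages 1 and 2 still cannot modify or destroy data.
READABLE_TABLES = {"users"}


def _authorizer(action, arg1, arg2, dbname, source):
    if action == sqlite3.SQLITE_SELECT:
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_READ and arg1 in READABLE_TABLES:
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY


def open_guarded_db() -> sqlite3.Connection:
    """In-memory database with constructed sample rows; authorizer installed
    only after seeding, so from here on the connection is effectively read-only."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    conn.commit()
    conn.set_authorizer(_authorizer)
    return conn


def run_template(conn, key: str, params: tuple) -> list:
    """Safe path: stage-1 template, shape re-checked by stage 2, run under stage 3."""
    sql = TEMPLATES[key]
    if not dynamic_check(sql):
        raise ValueError("template shape not on allow-list")
    return conn.execute(sql, params).fetchall()


def runtime_check(conn, sql: str) -> bool:
    """True when the stage-3 authorizer refused the statement."""
    try:
        conn.execute(sql).fetchall()
    except sqlite3.DatabaseError:   # SQLITE_AUTH surfaces as DatabaseError
        return True
    return False


if __name__ == "__main__":
    db = open_guarded_db()
    print(run_template(db, "user_by_name", ("alice",)))
    print(dynamic_check(legacy_build("alice")))         # shape unchanged: accepted
    print(dynamic_check(legacy_build("x' OR '1'='1")))  # shape changed: rejected
    print(runtime_check(db, "DELETE FROM users"))       # write refused by authorizer
```

The dynamic tier deliberately compares shapes rather than searching for keywords, so a legitimate value that merely contains a quote (escaped as `''`) still passes, while any input that alters the query's structure does not. The runtime tier is independent of the other two and is what limits the damage if a concatenated query from old code reaches the database unchecked.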
