COMBINATORIAL APPROACH FOR PREVENTING SQL INJECTION ATTACKS
#1


A combinatorial approach for protecting Web applications against SQL injection is discussed in this paper; it is a novel idea of incorporating the uniqueness of the signature-based method and the auditing method. The major issue of web application security is SQL injection, which can give attackers unrestricted access to the databases that underlie Web applications and has become increasingly frequent and serious. From the signature-based method's standpoint, it presents a detection mode for SQL injection using pairwise sequence alignment of an amino acid code formulated from the web application form parameters sent via the web server. From the auditing-based method's standpoint, it analyzes the transactions to find out the malicious access. The signature-based method uses an approach called the Hirschberg algorithm, a divide-and-conquer approach that reduces the time and space complexity. This system was able to stop all of the successful attacks and did not generate any false positives.

Technology to use: JAVA
Reply
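The following is an added example, written for this thread and not the paper's own code, of the signature-based half of the approach described in post #1: each form parameter is encoded into a short symbolic alphabet and globally aligned against a set of attack signatures with the Hirschberg algorithm (linear-space Needleman-Wunsch), and the parameter is flagged when the normalized alignment score crosses a threshold. The token alphabet (the thread does not reproduce the paper's amino-acid code), the signature list, the scoring weights and the 0.75 threshold are all assumptions.

```python
"""Signature-based SQL injection detection by pairwise sequence alignment.

Added example (not the paper's code). The encoding alphabet, signatures,
scoring weights and threshold are assumptions chosen for illustration.
"""
import re
from typing import Dict, List, Tuple

MATCH, MISMATCH, GAP = 2, -1, -1

# Hypothetical token classes standing in for the paper's "amino acid" code:
# Q quote, W whitespace, K SQL keyword, I other word, D number,
# E comparison, C comment marker, S semicolon, P parenthesis, O anything else.
KEYWORDS = {"or", "and", "union", "select", "insert", "update", "delete",
            "drop", "from", "where", "exec", "sleep", "waitfor"}
FIXED = {"'": "Q", '"': "Q", "--": "C", "#": "C", "/*": "C", "*/": "C",
         ";": "S", "(": "P", ")": "P"}
TOKEN_RE = re.compile(r"\s+|'|\"|--|#|/\*|\*/|;|\(|\)|[=<>!]+|\d+|[A-Za-z_]+|.")


def encode(param: str) -> str:
    """Map a form parameter to one class letter per token."""
    out = []
    for tok in TOKEN_RE.findall(param):
        if tok in FIXED:
            code = FIXED[tok]
        elif tok.isspace():
            code = "W"
        elif tok.isdigit():
            code = "D"
        elif tok.lower() in KEYWORDS:
            code = "K"
        elif tok[0].isalpha() or tok[0] == "_":
            code = "I"
        elif tok[0] in "=<>!":
            code = "E"
        else:
            code = "O"
        out.append(code)
    return "".join(out)


def nw_last_row(a: str, b: str) -> List[int]:
    """Last row of the Needleman-Wunsch score matrix in O(len(b)) space."""
    prev = [j * GAP for j in range(len(b) + 1)]
    for i in range(1, len(a) + 1):
        cur = [i * GAP] + [0] * len(b)
        for j in range(1, len(b) + 1):
            diag = prev[j - 1] + (MATCH if a[i - 1] == b[j - 1] else MISMATCH)
            cur[j] = max(diag, prev[j] + GAP, cur[j - 1] + GAP)
        prev = cur
    return prev


def nw_align(a: str, b: str) -> Tuple[str, str]:
    """Full-matrix alignment with traceback; used only for Hirschberg base cases."""
    n, m = len(a), len(b)
    s = [[(i + j) * GAP if i == 0 or j == 0 else 0 for j in range(m + 1)] for i in range(n + 1)]
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            diag = s[i - 1][j - 1] + (MATCH if a[i - 1] == b[j - 1] else MISMATCH)
            s[i][j] = max(diag, s[i - 1][j] + GAP, s[i][j - 1] + GAP)
    ra, rb, i, j = [], [], n, m
    while i > 0 or j > 0:  # walk back from the bottom-right corner
        if i > 0 and j > 0 and s[i][j] == s[i - 1][j - 1] + (MATCH if a[i - 1] == b[j - 1] else MISMATCH):
            ra.append(a[i - 1]); rb.append(b[j - 1]); i -= 1; j -= 1
        elif i > 0 and s[i][j] == s[i - 1][j] + GAP:
            ra.append(a[i - 1]); rb.append("-"); i -= 1
        else:
            ra.append("-"); rb.append(b[j - 1]); j -= 1
    return "".join(reversed(ra)), "".join(reversed(rb))


def hirschberg(a: str, b: str) -> Tuple[str, str]:
    """Optimal global alignment of a and b in linear space (divide and conquer)."""
    if len(a) <= 1 or len(b) <= 1:
        return nw_align(a, b)
    mid = len(a) // 2
    left = nw_last_row(a[:mid], b)                    # prefix scores
    right = nw_last_row(a[mid:][::-1], b[::-1])       # suffix scores (reversed)
    split = max(range(len(b) + 1), key=lambda j: left[j] + right[len(b) - j])
    la, lb = hirschberg(a[:mid], b[:split])
    ra, rb = hirschberg(a[mid:], b[split:])
    return la + ra, lb + rb


def alignment_score(aligned_a: str, aligned_b: str) -> int:
    score = 0
    for x, y in zip(aligned_a, aligned_b):
        score += GAP if "-" in (x, y) else (MATCH if x == y else MISMATCH)
    return score


# Constructed signature set, encoded once; a deployment would load a larger list.
SIGNATURES: Dict[str, str] = {
    "tautology": encode("' or 1=1 --"),
    "string tautology": encode("' or 'a'='a"),
    "union": encode("' union select"),
    "piggyback": encode("'; drop table users --"),
    "comment": encode("admin'--"),
}


def classify(param: str, threshold: float = 0.75) -> Tuple[bool, str, float]:
    """Return (flagged, best signature, score); score is relative to a perfect match."""
    code = encode(param)
    best_name, best = "", float("-inf")
    for name, sig in SIGNATURES.items():
        score = alignment_score(*hirschberg(code, sig)) / (MATCH * len(sig))
        if score > best:
            best_name, best = name, score
    return best >= threshold, best_name, round(best, 2)
```

Two caveats a practitioner would want: global alignment penalizes every legitimate character around a payload, so a short injection buried in a long free-text field scores low and a local alignment (Smith-Waterman) or a sliding window is the usual remedy; and a signature set only catches variants of known patterns, which is exactly why post #1 pairs it with an auditing component.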
#2
I want a brief explanation of COMBINATORIAL-APPROACH-FOR-PREVENTING-SQL-INJECTION-ATTACKS
Reply
#3

Presented By:
R. Ezumalai, G. Aghila
Department of Computer Science, Pondicherry University


I. INTRODUCTION
Today's modern web era expects organizations to concentrate more on web application security. This is the major challenge faced by all organizations: protecting their precious data against malicious access or corruption. Generally, program developers show keen interest in developing the application with usability in mind rather than incorporating security policy rules. Input validation becomes a security issue if an attacker finds that an application makes unfounded assumptions about the type, length, format, or range of input data. The attacker can then supply malicious input that compromises the application. When network- and host-level entry points are fully secured, the public interfaces exposed by an application become the only source of attack. Cross-site scripting attacks, SQL injection attacks and buffer overflows are the major threats to web application security arising from these input validation issues. SQL injection attacks in particular breach database mechanisms such as Integration, Authentication, Availability and Authorization. Since 2002, nearly 50% of total cyber vulnerabilities were input validation vulnerabilities.
Since 2002, 20% of the input validation issues are SQL Injection vulnerabilities (SQLIVs) and, therefore, 10% of total cyber vulnerabilities since 2002. A SQL injection attack involves placing SQL statements in the user input for corrupting or accessing the database. SQL injection attacks can even bypass security mechanisms such as firewalls, cryptography and traditional intrusion detection systems. If the trend of providing web-based services continues, the prevalence of SQLIVs is likely to increase.
The most worrying aspect of SQL injection attacks is that they are very easy to perform, even if the developers of the application are well aware of this type of attack. The basic idea behind this attack is that the malicious user counterfeits the data that a web application sends to the database, aiming at modification of the SQL query that will be executed by the DBMS software. Input validation issues can allow attackers to gain complete access to such databases. Technologies vulnerable to SQL injection attacks are dynamic scripting languages like ASP, ASP.NET, PHP, JSP, CGI, etc. In addition, all types of databases have been severely vulnerable to such SQL injection attacks.
Researchers have proposed different techniques to provide a solution for SQLIAs (SQL injection attacks), but many of these solutions have limitations that affect their effectiveness and practicality. Researchers have indicated that the solution to these types of attacks may be based on defensive coding practices. But this is not efficient, for three reasons. First, it is very hard to bring about a rigorous defensive coding discipline. Second, many solutions based on defensive coding address only a subset of the possible attacks. Third, legacy software poses a particularly difficult problem because of the cost and complexity of retrofitting existing code so that it is compliant with defensive coding practices. In this work, an attempt has been made to increase the efficiency of the above techniques by a combinatorial approach for protecting web applications against SQL injection attacks.
The remainder of the paper is organized as follows: Section 2 contains background and related work; Section 3 describes our proposed approach; Section 4 describes the conclusion and future work.


Read the full report:
http://ieeexplore.ieeexpl/freeabs_all.js...er=4809188

and please read the related documents:
http://ethesis.nitrkl.ac1504/1/thesis_to_upload.pdf
http://eurojournalsejsr_38_4_11.pdf
Reply
#4
Please give the ppt presentation and full report for the project:
AN INTRUSION PREVENTION SYSTEM USING ADVANCED SQL INJECTION BLOCKER - A COMBINATORIAL APPROACH
Reply
#5
Hi,
visit this thread for more details on this topic:
http://studentbank.in/report-combinatori...8#pid22688

The link to the ppt is also posted there.
Reply
#6
Combinatorial Approach for Preventing SQL Injection Attacks
Abstract:

A combinatorial approach for protecting Web applications against SQL injection is discussed in this paper; it is a novel idea of incorporating the uniqueness of the signature-based method and the auditing method. The major issue of web application security is SQL injection, which can give attackers unrestricted access to the databases that underlie Web applications. Many software systems have evolved to include a Web-based component that makes them available to the public via the Internet and can expose them to a variety of Web-based attacks. One of these attacks is SQL injection, which can give attackers unrestricted access to the databases that underlie Web applications and has become increasingly frequent and serious. This paper presents a new, highly automated approach for protecting Web applications against SQL injection that has both conceptual and practical advantages over most existing techniques. From a conceptual standpoint, the approach is based on the novel idea of positive tainting and on the concept of syntax-aware evaluation. From a practical standpoint, our technique is precise and efficient, has minimal deployment requirements, and incurs a negligible performance overhead in most cases. We have implemented our techniques in the Web Application SQL-injection Preventer (WASP) tool, which we used to perform an empirical evaluation on a wide range of Web applications that we subjected to a large and varied set of attacks and legitimate accesses. WASP was able to stop all of the otherwise successful attacks and did not generate any false positives.
Existing System:
In the existing system only untrusted data is checked: dynamic tainting approaches mark certain untrusted data (typically user input) as tainted, track the flow of tainted data at runtime, and prevent this data from being used in potentially harmful ways.
Researchers have proposed a wide range of alternative techniques to address SQLIAs, but many of these solutions have limitations that affect their effectiveness and practicality. For example, one common class of solutions is based on defensive coding practices, which have been less than successful for three main reasons. First, it is difficult to implement and enforce a rigorous defensive coding discipline. Second, many solutions based on defensive coding address only a subset of the possible attacks. Third, legacy software poses a particularly difficult problem because of the cost and complexity of retrofitting existing code so that it is compliant with defensive coding practices. In this paper, we propose a new, highly automated approach for dynamic detection and prevention of SQLIAs. Intuitively, our approach works by identifying "trusted" strings in an application and allowing only these trusted strings to be used to create the semantically relevant parts of a SQL query, such as keywords or operators. The general mechanism that we use to implement this approach is based on dynamic tainting, which marks and tracks certain data in a program at run time. The kind of dynamic tainting that we use gives our approach several important advantages over techniques based on other mechanisms. Many techniques rely on complex static analyses in order to find potential vulnerabilities in the code. These kinds of conservative static analyses can generate high rates of false positives and can have scalability issues. Compared to other existing techniques based on dynamic tainting, our approach makes several conceptual and practical improvements that take advantage of the specific characteristics of SQLIAs. The first conceptual advantage of our approach is the use of positive tainting. Positive tainting identifies and tracks trusted data, whereas traditional ("negative") tainting focuses on untrusted data.
In the context of SQLIAs, there are several reasons why positive tainting is more effective than negative tainting. First, in Web applications, sources of trusted data can more easily and accurately be identified than untrusted data sources. Therefore, the use of positive tainting leads to increased automation. Second, the two approaches significantly differ in how they are affected by incompleteness. With negative tainting, failure to identify the complete set of untrusted data sources can result in false negatives, that is, successful and undetected attacks. With positive tainting, missing trusted data sources can result in false positives (that is, legitimate accesses can be prevented from completing). False positives that occur in the field would be problematic. Using our approach, however, false positives are likely to be detected during prerelease testing. Our approach provides specific mechanisms for helping developers detect false positives early, identify their sources, and easily eliminate them in future runs by tagging the identified sources as trusted. The second conceptual advantage of our approach is the use of flexible syntax-aware evaluation. Syntax-aware evaluation lets us address security problems that are derived from mixing data and code while still allowing for this mixing to occur. More precisely, it gives developers a mechanism for regulating the usage of string data based not only on its source but also on its syntactical role in a query string. This way, developers can use a wide range of external input sources to build queries while protecting the application from possible attacks introduced via these sources. The practical advantages of our approach are that it imposes a low overhead on the application and it has minimal deployment requirements. Efficiency is achieved by using a specialized library, called MetaStrings, that accurately and efficiently assigns and tracks trust markings at runtime. The only deployment requirements for our approach are that the Web application must be instrumented and it must be deployed with our MetaStrings library, which is done automatically. The approach does not require any customized runtime system or additional infrastructure.
Disadvantages:
First, it is difficult to implement and enforce a rigorous defensive coding discipline.
Second, many solutions based on defensive coding address only a subset of the possible attacks.
Third, legacy software poses a particularly difficult problem because of the cost and complexity of retrofitting existing code so that it is compliant with defensive coding practices.
Proposed System:
First, unlike existing dynamic tainting techniques, our approach is based on the novel concept of positive tainting, that is, the identification and marking of trusted, instead of untrusted, data.
Second, our approach performs accurate and efficient taint propagation by precisely tracking trust markings at the character level.
Third, it performs syntax-aware evaluation of query strings before they are sent to the database and blocks all queries whose non-literal parts contain untrusted characters.
Advantage:
This contains three techniques; by using them we can find the injected data and send only correct queries to the SQL Server.
1. Positive tainting
2. Character-level tainting
3. Syntax-aware evaluation
Modules:
1. Admin
2. Customer
3. Credit Card
4. Loans
HARDWARE SPECIFICATION
Processor : Any processor above 500 MHz
RAM : 128 MB
Hard Disk : 10 GB
Input device : Standard keyboard and mouse
Output device : VGA and high-resolution monitor
SOFTWARE SPECIFICATION
Operating System : Windows family
Pages developed using : Java Server Pages and HTML
Techniques : Apache Tomcat Web Server 5.0, JDK 1.5 or higher
Web Browser : Microsoft Internet Explorer
Database : SQL Server 2000
Client Side Scripting : JavaScript
Reply
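The three techniques listed in post #6 (positive tainting, character-level trust marks, syntax-aware evaluation) as an added example written for this thread; it is not WASP's code, and the MetaString class below is a stand-in for the MetaStrings library rather than its API. The simplified SQL tokenizer, the sample queries and the Admin/Loans-style table names are assumptions.

```python
"""Positive tainting with character-level trust marks and syntax-aware query
evaluation. Added example, not WASP's code; MetaString is a hypothetical
stand-in for the MetaStrings library described in the post."""
import re
from typing import Sequence, Tuple, Union


class MetaString:
    """A string carrying one trust mark per character (True = trusted)."""

    def __init__(self, text: str, marks: Sequence[bool]):
        if len(text) != len(marks):
            raise ValueError("one mark per character required")
        self.text, self.marks = text, tuple(marks)

    @classmethod
    def trusted(cls, text: str) -> "MetaString":
        # Positive tainting: only strings the developer explicitly marks
        # (hard-coded SQL fragments) are trusted; everything else starts untrusted.
        return cls(text, [True] * len(text))

    @classmethod
    def untrusted(cls, text: str) -> "MetaString":
        return cls(text, [False] * len(text))

    def __add__(self, other: Union["MetaString", str]) -> "MetaString":
        # Character-level propagation: concatenation keeps each side's marks.
        if isinstance(other, str):
            other = MetaString.untrusted(other)  # a bare str (request data) is never trusted
        return MetaString(self.text + other.text, self.marks + other.marks)

    def __radd__(self, other: str) -> "MetaString":
        return MetaString.untrusted(other) + self


def quote_literal(value: str) -> MetaString:
    """Embed untrusted data as a SQL string literal; only the delimiters are trusted."""
    return (MetaString.trusted("'") + MetaString.untrusted(value.replace("'", "''"))
            + MetaString.trusted("'"))


# Tokenizer for syntax-aware evaluation (a simplification of real SQL lexing).
SQL_TOKEN = re.compile(r"""
    (?P<string>'(?:[^']|'')*')        |
    (?P<number>\d+(?:\.\d+)?)         |
    (?P<word>[A-Za-z_][A-Za-z0-9_]*)  |
    (?P<comment>--[^\n]*|/\*.*?\*/)   |
    (?P<ws>\s+)                       |
    (?P<op>[=<>!]+|[(),;*.+\-/])      |
    (?P<other>.)
""", re.VERBOSE | re.DOTALL)

LITERAL_KINDS = {"string", "number", "ws"}


def check_query(query: MetaString) -> Tuple[bool, str]:
    """Allow the query only if every non-literal token is built from trusted chars."""
    for m in SQL_TOKEN.finditer(query.text):
        if m.lastgroup in LITERAL_KINDS:
            continue  # user data may legitimately appear inside literals
        if not all(query.marks[m.start():m.end()]):
            return False, f"untrusted {m.lastgroup} token {m.group()!r} at offset {m.start()}"
    return True, "ok"


def legacy_login_query(username: str, password: str) -> MetaString:
    # Typical legacy code: raw request parameters spliced between trusted fragments.
    return (MetaString.trusted("SELECT id FROM users WHERE name = '") + username
            + MetaString.trusted("' AND pw = '") + password + MetaString.trusted("'"))


def escaped_login_query(username: str, password: str) -> MetaString:
    # Same query with the parameters correctly embedded as literals.
    return (MetaString.trusted("SELECT id FROM users WHERE name = ") + quote_literal(username)
            + MetaString.trusted(" AND pw = ") + quote_literal(password))


def sort_query(column: Union[MetaString, str]) -> MetaString:
    # An identifier cannot be quoted as data, so the column name itself must be trusted
    # (e.g. taken from a hard-coded whitelist); a plain str here is a false positive
    # to be fixed by marking the source trusted, exactly as the post describes.
    return MetaString.trusted("SELECT * FROM loans ORDER BY ") + column
```

The legacy query is blocked for both `alice' OR 'a'='a` and `O'Brien`, and that is correct: in both cases the unescaped quote turns user data into a keyword or identifier. The escaped query lets both through, because the whole value stays inside one string literal whatever it contains, which is the point of judging a character by its syntactic role rather than only by its source.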
#7
Please I need the full report on this topic. Thanks.
Reply
#8

To get information about the topic "Preventing SQL injection full report ppt" and related topics, refer to the page links below:

http://studentbank.in/report-combinatori...on-attacks

http://studentbank.in/report-prevention-...r-approach
Reply
