Title :
A Learning-Based Approach to Secure Web Services from SQL/XPath Injection Attacks
Author :
Laranjeiro, Nuno ; Vieira, Marco ; Madeira, Henrique
Author_Institution :
Dept. of Inf. Eng., Univ. of Coimbra, Coimbra, Portugal
Abstract :
Business critical applications are increasingly being deployed as web services that access database systems, and must provide secure operations to its clients. Although the open web environment emphasizes the need for security, several studies show that web services are still being deployed with command injection vulnerabilities. This paper proposes a learning-based approach to secure web services against SQL and XPath Injection attacks. Our approach is able to transparently learn valid request patterns (learning phase) and then detect and abort potentially harmful requests (protection phase). When it is not possible to have a complete learning phase, a set of heuristics can be used to accept/discard doubtful cases. Our mechanism was applied to secure TPC-App services and open source services. It showed to be extremely effective in stopping all tested attacks, while introducing a negligible performance impact.
Keywords :
SQL; Web services; business data processing; learning (artificial intelligence); relational databases; security of data; SQL/XPath injection attacks; business critical applications; database systems; learning-based approach; secure Web services; SQL/ XPath Injection; Web services; code instrumentation; security; vulnerabilities;
Conference_Titel :
Dependable Computing (PRDC), 2010 IEEE 16th Pacific Rim International Symposium on
Conference_Location :
Tokyo
Print_ISBN :
978-1-4244-8975-6
Electronic_ISBN :
978-0-7695-4289-8
DOI :
10.1109/PRDC.2010.24
