Countermeasure to Structured Query Language Injection Attack for Web Applications using Hybrid Logistic Regression Technique

https://doi.org/10.46481/jnsps.2022.832

Authors

  • Shehu Magawata Shagari Department of Computer Science, Kebbi State University of Science and Technology, Aliero, Nigeria
  • Danlami Gabi Department of Computer Science, Kebbi State University of Science and Technology, Aliero, Nigeria
  • Nasiru Muhammad Dankolo Department of Computer Science, Kebbi State University of Science and Technology, Aliero, Nigeria
  • Noah Ndakotsu Gana Department of Cyber Security Science, Federal University of Technology, Minna, Nigeria

Keywords:

Database Management System, Logistic Regression, SQL Injection Attack

Abstract

The new generation of security threats has been promoted by real-time applications, where several users develop new ways to communicate on the internet via web applications. Structured Query Language injection Attacks (SQLiAs) is one of the major threats to web application security. Here, unauthorised users usually gain access to the database via web applications. Despite the giant strides made in the detection and prevention of SQLiAs by several researchers, an ideal approach is still far from over as most existing techniques still require improvement, especially in the area of addressing the weak characterisation of input vectors which often leads to low prediction accuracy. To deal with this concern, this paper put forward a hybrid optimised Logistic Regression (LR) model with Improved Term Frequency Inverse Document-Frequency (ITFIDF-LR). To show the effectiveness of the proposed approach, attack datasets is used and evaluated using selected performance metrics, i.e., accuracy, recall, specificity and False Positive Rate. The experimental results via simulation when compared with the benchmarked techniques, achieved performance record of 0.99781 for accuracy, recall and F1-score as well as 0.99782, 0.99409 and 0.00591 for precision, specificity and False Positive Rate (FPR) respectively. This is an indication that the proposed approach is efficient and when deployed is capable of detecting SQLiA on web applications.

Dimensions

Z. Chen & M. Guo, “Research on SQL injection detection technology based on SVM”, International Conference on Smart Materials, Intelligent Manufacturing and Automation (2018) 1. DOI: https://doi.org/10.1051/matecconf/201817301004

S. O. Uwagbole, W. J. Buchanan & L. Fan, “Applied machine learning predictive analytics to SQL injection attack detection and prevention”, IFIP/IEEE Symposium on Integrated Network and Service Management (IM) (2017) 1087.

R. Chandrashekhar, M. Mardithaya, S. Thilagam & D. Saha, “SQL injection attack mechanisms and prevention techniques”, International Conference on Advanced Computing, Networking and Security (2011) 524. DOI: https://doi.org/10.1007/978-3-642-29280-4_61

A. Dasgupta, V. Narasayya & M. Syamala, “A static analysis framework for database applications”, IEEE 25th International Conference on Data Engineering (2009) 1403. DOI: https://doi.org/10.1109/ICDE.2009.98

C. S. Kumar, J. Seetha, S. R. Vinotha, “Security implications of distributed database management system models”, International Journal of Soft Computing and Software Engineering 2 (2012) 20. DOI: https://doi.org/10.7321/jscse.v2.n11.3

S. O. Uwagbole, W. J. Buchanan & L. Fan, “Applied machine learning predictive analytics to SQL injection attack detection and prevention”, IFIP/IEEE Symposium on Integrated Network and Service Management (IM) (2017) 1087. DOI: https://doi.org/10.23919/INM.2017.7987433

C. Anley. “Advanced SQL injection in SQL server applications,”https://crypto.stanford.edu/cs155old/cs155 spring09/papers/sql injection.pdf. Accessed 14 December, 2021.

J. Abirami, R. Devakunchari & C. Valliyammai, “A top web security vulnerability SQL injection attack—survey”, Seventh International Conference on Advanced Computing. (2015) 1. DOI: https://doi.org/10.1109/ICoAC.2015.7562806

D. Gabi, N. M. Dankolo & D. Muhammed, “Towards the use of new forensic approach as a panacea in investigation of cybercrime”, International Journal of Scientific & Engineering Research 5 (2014) 942.

B. Yusuf, R. M. Dima & S. K. Aina, “Optimized breast cancer classification using feature selection and outliers detection”, J. Nig. Soc. Phys. Sci 3 (2021) 298. DOI: https://doi.org/10.46481/jnsps.2021.331

R. O. Oveh, O. Efevberha-Ogodo & F. A. Egbokhare, “Software process ontology: a case study of software organisations software process sub domains”, J. Nig. Soc. Phys.Sci. 1 (2019) 122. DOI: https://doi.org/10.46481/jnsps.2019.28

O. E. Ojo, M. K. Kareem, O. Samuel & C. O. Ugwunna, “An internet-ofthings based real-time monitoring system for smart classroom”, J. Nig. Soc. Phys. Sci 4 (2022) 297. DOI: https://doi.org/10.46481/jnsps.2022.573

D. GABI, “Surveillance on security issues in cloud computing: a view on forensic perspective”, International Journal of Scientific & Engineering Research 5 (2014) 1246.

K. C. Rajeswari, “ SQL injection attack prevention using 448 blowfish encryption standard”, International Journal of Computer Science Trends and Technology (IJCST) 4 (2016) 325.

M. Qbea’h, M. Alshraideh & K.E Sabri. “ Detecting and preventing SQL injection attacks: a formal approach”, Cybersecurity and Cyberforensics Conference (CCC) (2016) 123. DOI: https://doi.org/10.1109/CCC.2016.26

L. Xiao, S. Matsumoto, T. Ishikawa & K. Sakurai, “SQL injection attack detection method using expectation criterion”, 2016 Fourth International Symposium on Computing and Networking (CANDAR) (2016) 649. DOI: https://doi.org/10.1109/CANDAR.2016.0116

B. Aziz, M. Bader & C. Hippolyte, “Search-based sql injection attacks testing using genetic programming”, European Conference on Genetic Programming (2016) 183. DOI: https://doi.org/10.1007/978-3-319-30668-1_12

Q. Temeiza, M. Temeiza & J. Itmazi, “A novel method for preventing SQL injection using SHA-1 algorithm and syntax-awareness”, Joint International Conference on Information and Communication Technologies for Education and Training and International Conference on Computing in Arabic (2017) 1. DOI: https://doi.org/10.1109/ICCA-TICET.2017.8095285

M. Sood, & S. Singh, “SQL injection prevention technique using encryption”, International Journal of Advanced Computational Engineering and Networking 5 (2017) 4.

L. Bossi, E. Bertino & S. R. Hussain, “A system for profiling and monitoring database access patterns by application programs for anomaly detection”, IEEE Transactions on software engineering (2017) 415. DOI: https://doi.org/10.1109/TSE.2016.2598336

S. N. Raj & E. Sherly, “SQL injection attack prevention by direct reverse resemblance technique”, International Journal of Pure and Applied Mathematics 118 (2018) 599.

Y. Li & B. Zhang, “Detection of SQL injection attacks based on improved TFIDF algorithm”, Journal of Physics: Conference Series 1395 (2019) 012013. DOI: https://doi.org/10.1088/1742-6596/1395/1/012013

M. M. Hassan, R. B. Ahmad & T. Ghosh. “SQL injection vulnerability detection using deep learning: a feature-based approach”, Indonesian Journal of Electrical Engineering and Informatics (IJEEI) 9 (2021) 702. DOI: https://doi.org/10.52549/.v9i3.3131

L. Yu, S. Luo & L. Pan, “Detecting SQL injection attacks based on text analysis”, 3rd International Conference on Computer Engineering, Information Science and Application Technology (ICCIA 2019) (2019) 95. DOI: https://doi.org/10.2991/iccia-19.2019.14

Y. Pan, F. Sun, Z. Teng, J. White, D. C. Schmidt, J Staples & L. Krause, “Detecting web attacks with end-to-end deep learning”, Journal of Internet Services and Applications 10 (2019) 1. DOI: https://doi.org/10.1186/s13174-019-0115-x

S. A. Krishnan, A. N. Sabu, P. P. Sajan & A.L Sreedeep, “SQL injection detection using machine learning”, Revista Geintec-Gestao Inovacao E Tecnologias 11 (2021) 300. DOI: https://doi.org/10.47059/revistageintec.v11i3.1939

U. Farooq, “Ensemble machine learning approaches for detection of SQL injection attack”, Tehni?cki glasnik 15 (2021) 112. DOI: https://doi.org/10.31803/tg-20210205101347

M. Gowtham & H. B. Pramod, “Semantic query-featured ensemble learning model for SQL-injection attack detection in IoT-ecosystems”, IEEE Transactions on Reliability (2021) 1. DOI: https://doi.org/10.1109/TR.2021.3124331

P. Aggarwal, A. Kumar, K. Michael, J. Nemade & S. Sharma, “Random decision forest approach for mitigating SQL injection attacks”, IEEE International Conference on Electronics, Computing and Communication Technologies (CONECCT) (2021) 1. DOI: https://doi.org/10.1109/CONECCT52877.2021.9622689

H. C. Wu, R. W. P. Luk, K. F. Wong & K. L. Kwok, “Interpreting tfidf term weights as making relevance decisions”, ACM Transactions on Information Systems (TOIS) 26 (2008) 1. DOI: https://doi.org/10.1145/1361684.1361686

V. N. Gudivada, Computational analysis and understanding of natural languages: principles, methods and applications (1st edition), Elsevier (2018).

A. C. Finkelstein, G. Kappel & W. Retschitzegger, “Ubiquitous web application development-a framework for understanding”, 6th World Multiconference on Systemics, Cybernetics and Informatics (2002) 1.

J. Y.-C. Peng, L.K. Lee & M. G. Ingersoll. “An introduction to logistic regression analysis and reporting”, Journal of Educational Research 91 (2002) 3. DOI: https://doi.org/10.1080/00220670209598786

G. A. Seber & A. J. Lee, Linear regression analysis (Vol. 329), John Wiley & Sons (2012).

D. W. Hosmer Jr, S. Lemeshow & R.X, Sturdivant, Applied logistic regression, John Wiley & Sons (2013). DOI: https://doi.org/10.1002/9781118548387

W. Wang & Y. Tang, “Improvement and application of TF-IDF algorithm in text orientation analysis”, Proceedings of the International Conference on Advanced Material Science and Environmental Engineering (2016) 230. DOI: https://doi.org/10.2991/amsee-16.2016.61

S. Syed & H. Hussain, “SQL injection dataset,” https://www.kaggle.com/syedsaqlainhussain/sql-injection-dataset. Accessed 10 December 2021.

S. Abaimov & G. Bianchi,llilk “CODDLE: Code-injection detection with deep learning”, IEEE Access7 (2019) 128617. DOI: https://doi.org/10.1109/ACCESS.2019.2939870

L.Wahab &H. Jiang. “A comparative study on machine learning based algorithms for prediction of motorcycle crash severity,” PLoS one 14 (2019) 1. DOI: https://doi.org/10.1371/journal.pone.0214966

Published

2022-10-01

How to Cite

Shagari, S. M., Gabi, D., Dankolo, N. M. ., & Gana, N. N. . (2022). Countermeasure to Structured Query Language Injection Attack for Web Applications using Hybrid Logistic Regression Technique. Journal of the Nigerian Society of Physical Sciences, 4(4), 832. https://doi.org/10.46481/jnsps.2022.832

Issue

Section

Original Research