Biblio

In this paper, we present a combinatorial testing methodology for testing web applications in regards to SQL injection vulnerabilities. We describe three attack grammars that were developed and used to generate concrete attack vectors. Furthermore, we present and evaluate two different oracles used to observe the application's behavior when subjected to such attack vectors. We also present a prototype tool called SQLInjector capable of automated SQL injection vulnerability testing for web applications. The developed methodology can be applied to any web application that uses server side scripting and HTML for handling user input and has a SQL database backend. Our approach relies on the use of a database proxy, making this a gray-box testing method. We establish the effectiveness of the proposed tool with the WAVSEP verification framework and conduct a case study on real-world web applications, where we are able to discover both known vulnerabilities and additional previously undiscovered flaws.

Stealing confidential information from a database has become a severe vulnerability issue for web applications. The attacks can be prevented by defining a whitelist of SQL queries issued by web applications and detecting queries not in list. For large-scale web applications, automated generation of the whitelist is conducted because manually defining numerous query patterns is impractical for developers. Conventional methods for automated generation are unable to detect attacks immediately because of the long time required for collecting legitimate queries. Moreover, they require application-specific implementations that reduce the versatility of the methods. As described herein, we propose a method to generate a whitelist automatically using queries issued during web application tests. Our proposed method uses the queries generated during application tests. It is independent of specific applications, which yields improved timeliness against attacks and versatility for multiple applications.

This SQL injection attack is one of the common means for hackers to attack database. With the development of B/S mode application development, more and more programmers use this mode to write applications. However, due to the uneven level and experience of programmers, a considerable number of programmers do not judge the legitimacy of user input data when writing code, which makes the application security risks. Users can submit a database query code and get some data they want to know according to the results of the program. SQL injection attack belongs to one of the means of database security attack. It can be effectively protected by database security protection technology. This paper introduces the principle of SQL injection, the main form of SQL injection attack, the types of injection attack, and how to prevent SQL injection. Discussed and illustrated with examples.

SQL injection has always been a major threat in the field of web application security. Traditional methods such as the rule-matching-based SQL injection detection solutions, which are inefficient to cope with the ever-changing SQL injection techniques and there is always a risk of bypassing variants. In this paper, we extract SQL injection attack related payloads from network flow and propose a SQL injection detection model based on Convolutional Neural Network (CNN), which can take the advantages of high-dimensional features of SQL injection behavior to deal with this issue. The proposed approach was tested in a real-traffic case study along with ModSecurity, which is the representative rule-matching-based method. The experimental results show that the CNN based model has higher accuracy, precision and recall rate, which validate its detection effectiveness and robustness against obfuscation of attacks.

In the last few years, the usage and dependency on web applications and websites has significantly increased across a number of different areas such as online banking, shopping, financial transactions etc. amongst the several other areas. This has even directly multiplied the threat of SQL injection issue. A number of past studies have suggested that SQL injection should be handled as effectively as possible in order to avoid long term threats and dangers. This paper in specific attempts to discuss and evaluate some of the main SQL injection prevention methods.

With the rapid growth in online services, hacking (alternatively attacking) on online database applications has become a grave concern now. Attacks on online database application are being frequently reported. Among these attacks, the SQL injection attack is at the top of the list. The hackers alter the SQL query sent by the user and inject malicious code therein. Hence, they access the database and manipulate the data. It is reported in the literature that the traditional SQL injection detection algorithms fail to prevent this type of attack. In this paper, we propose a machine learning based heuristic algorithm to prevent the SQL injection attack. We use a dataset of 616 SQL statements to train and test 23 different machine learning classifiers. Among these classifiers, we select the best five classifiers based on their detection accuracy and develop a Graphical User Interface (GUI) application based on these five classifiers. We test our proposed algorithm and the results show that our algorithm is able to detect the SQL injection attack with a high accuracy (93.8%).

SQL injection attacks are a kind of the greatest security risks on Web applications. Much research has been done to detect SQL injection attacks by rule matching and syntax tree. However, due to the complexity and variety of SQL injection vulnerabilities, these approaches fail to detect unknown and variable SQL injection attacks. In this paper, we propose a model, ATTAR, to detect SQL injection attacks using grammar pattern recognition and access behavior mining. The most important idea of our model is to extract and analyze features of SQL injection attacks in Web access logs. To achieve this goal, we first extract and customize Web access log fields from Web applications. Then we design a grammar pattern recognizer and an access behavior miner to obtain the grammatical and behavioral features of SQL injection attacks, respectively. Finally, based on two feature sets, machine learning algorithms, e.g., Naive Bayesian, SVM, ID3, Random Forest, and K-means, are used to train and detect our model. We evaluated our model on these two feature sets, and the results show that the proposed model can effectively detect SQL injection attacks with lower false negative rate and false positive rate. In addition, comparing the accuracy of our model based on different algorithms, ID3 and Random Forest have a better ability to detect various kinds of SQL injection attacks.

This paper defines a class of SQL-injection attacks that are based on injecting identifiers, such as table and column names, into SQL statements. An automated analysis of GitHub shows that 15.7% of 120,412 posted Java source files contain code vulnerable to SQL-Identifier Injection Attacks (SQL-IDIAs). We have manually verified that some of the 18,939 Java files identified during the automated analysis are indeed vulnerable to SQL-ID IAs, including deployed Electronic Medical Record software for which SQL-IDIAs enable discovery of confidential patient information. Although prepared statements are the standard defense against SQL injection attacks, existing prepared-statement APIs do not protect against SQL-IDIAs. This paper therefore proposes and evaluates an extended prepared-statement API to protect against SQL-IDIAs.

SQL injection is among the most dangerous vulnerabilities in web applications that allow attackers to bypass the authentication and access the application database. Security testing is one of the techniques required to detect the existence of SQL injection vulnerability in a web application. However, inadequate test data during testing can affect the effectiveness of security testing. Therefore, in this paper, the new algorithm is designed and developed by applying the Cartesian Product technique in order to generate a set of invalid test data automatically. A total of 624 invalid test data were generated in order to increase the detection rate of SQL injection vulnerability. Finally, the ideas obtained from our method is able to detect the vulnerability of SQL injection in web application.

This research conducted a security evaluation website with Penetration Testing terms. This Penetration testing is performed using the Man-In-The-Middle Attack method. This method is still widely used by hackers who are not responsible for performing Sniffing, which used for tapping from a targeted computer that aims to search for sensitive data. This research uses some penetration testing techniques, namely SQL Injection, XSS (Cross-site Scripting), and Brute Force Attack. Penetration testing in this study was conducted to determine the security hole (vulnerability), so the company will know about their weakness in their system. The result is 85% success for the penetration testing that finds the vulnerability on the website.

Typically, in an assessment project for a web application or database with a large scale and scope, tasks required to be performed by a security analyst are such as SQL injection and penetration testing. To carry out these large-scale tasks, the analyst will have to perform 100 or more SQLi penetration tests on one or more target. This makes the process much more complex and much harder to implement. This paper attempts to compare large-scale SQL injections performed with Manual Methods, which is the benchmark, and the proposed SQLiAutoScript Method. The SQLiAutoScript method uses sqlmap as a tool, in combination with sqlmap scripting and logging features, to facilitate a more effective and manageable approach within a large scale of hundreds or thousands of SQL injection penetration tests. Comparison of the test results for both Manual and SQLiAutoScript approaches and their benefits is included in the comparative analysis. The tests were performed over a scope of 24 SQL injection (SQLi) tests that comprises over 100,000 HTTP requests and injections, and within a total testing run-time period of about 50 hours. The scope of testing also covers both SQLiAutoScript and Manual methods. In the SQLiAutoScript method, each SQL injection test has its own sub-folder and files for data such as results (output), progress (traffic logs) and logging. In this way across all SQLi tests, the results, data and details related to SQLi tests are logged, available, traceable, accurate and not missed out. Available and traceable data also facilitates traceability of failed SQLi tests, and higher recovery and reruns of failed SQLi tests to maximize increased attack surface upon the target.

Machine learning has been adopted widely to perform prediction and classification. Implementing machine learning increases security risks when computation process involves sensitive data on training and testing computations. We present a proposed system to protect machine learning engines in IoT environment without modifying internal machine learning architecture. Our proposed system is designed for passwordless and eliminated the third-party in executing machine learning transactions. To evaluate our a proposed system, we conduct experimental with machine learning transactions on IoT board and measure computation time each transaction. The experimental results show that our proposed system can address security issues on machine learning computation with low time consumption.

The Internet of Things (IoT) is transforming the way we live and work by increasing the connectedness of people and things on a scale that was once unimaginable. However, the vulnerabilities in the IoT supply chain have raised serious concerns about the security and trustworthiness of IoT devices and components within them. Testing for device provenance, detection of counterfeit integrated circuits (ICs) and systems, and traceability of IoT devices are challenging issues to address. In this article, we develop a novel radio-frequency identification (RFID)-based system suitable for counterfeit detection, traceability, and authentication in the IoT supply chain called CDTA. CDTA is composed of different types of on-chip sensors and in-system structures that collect necessary information to detect multiple counterfeit IC types (recycled, cloned, etc.), track and trace IoT devices, and verify the overall system authenticity. Central to CDTA is an RFID tag employed as storage and a channel to read the information from different types of chips on the printed circuit board (PCB) in both power-on and power-off scenarios. CDTA sensor data can also be sent to the remote server for authentication via an encrypted Ethernet channel when the IoT device is deployed in the field. A novel board ID generator is implemented by combining outputs of physical unclonable functions (PUFs) embedded in the RFID tag and different chips on the PCB. A light-weight RFID protocol is proposed to enable mutual authentication between RFID readers and tags. We also implement a secure interchip communication on the PCB. Simulations and experimental results using Spartan 3E FPGAs demonstrate the effectiveness of this system. The efficiency of the radio-frequency (RF) communication has also been verified via a PCB prototype with a printed slot antenna.

The potential risk of agricultural product supply chain is huge because of the complex attributes specific to it. Actually the safety incidents of edible agricultural product emerge frequently in recent years, which expose the fragility of the agricultural product supply chain. In this paper the possible risk factors in agricultural product supply chain is analyzed in detail, the agricultural product supply chain risk evaluation index system and evaluation model are established, and an empirical analysis is made using BP neural network method. The results show that the risk ranking of the simulated evaluation is consistent with the target value ranking, and the risk assessment model has a good generalization and extension ability, and the model has a good reference value for preventing agricultural product supply chain risk.

Aiming at the composite uncertainty characteristics and high-dimensional data stream characteristics of the evaluation index with both ambiguity and randomness, this paper proposes a emergency severity assessment method for cluster supply chain based on cloud fuzzy clustering algorithm. The summary cloud model generation algorithm is created. And the multi-data fusion method is applied to the cloud model processing of the evaluation indexes for high-dimensional data stream with ambiguity and randomness. The synopsis data of the emergency severity assessment indexes are extracted. Based on time attenuation model and sliding window model, the data stream fuzzy clustering algorithm for emergency severity assessment is established. The evaluation results are rationally optimized according to the generalized Euclidean distances of the cluster centers and cluster microcluster weights, and the severity grade of cluster supply chain emergency is dynamically evaluated. The experimental results show that the proposed algorithm improves the clustering accuracy and reduces the operation time, as well as can provide more accurate theoretical support for the early warning decision of cluster supply chain emergency.

Blockchain may have a potential to prove its value for the new US FDA regulatory requirements defined in the Drug Supply Chain Security Act (DSCSA) as innovative solutions are needed to support the highly complex pharmaceutical industry supply chain as it seeks to comply. In this paper, we examine how blockchain can be applied to meet with the security compliance requirement for the pharmaceutical supply chain. We explore the online playground of Hyperledger Composer, a set of tools for building blockchain business networks, to model the data and access control rules for the drug supply chain. Our experiment shows that this solution can provide a prototyping opportunity for compliance checking with certain limitations.

The globalization of the semiconductor supply chain introduces ever-increasing security and privacy risks. Two major concerns are IP theft through reverse engineering and malicious modification of the design. The latter concern in part relies on successful reverse engineering of the design as well. IC camouflaging and logic locking are two of the techniques under research that can thwart reverse engineering by end-users or foundries. However, developing low overhead locking/camouflaging schemes that can resist the ever-evolving state-of-the-art attacks has been a challenge for several years. This article provides a comprehensive review of the state of the art with respect to locking/camouflaging techniques. We start by defining a systematic threat model for these techniques and discuss how various real-world scenarios relate to each threat model. We then discuss the evolution of generic algorithmic attacks under each threat model eventually leading to the strongest existing attacks. The article then systematizes defences and along the way discusses attacks that are more specific to certain kinds of locking/camouflaging. The article then concludes by discussing open problems and future directions.

Motivated by the September 11 attacks, we are addressing the problem of policy analysis of supply-chain security. Considering the potential economic and operational impacts of inspection together with the inherent difficulty of assigning a reasonable cost to an inspection failure call for a policy analysis methodology in which stakeholders can understand the trade-offs between the diverse and potentially conflicting objectives. To obtain this information, we used a simulation-based methodology to characterize the set of Pareto optimal solutions with respect to the multiple objectives represented in the decision problem. Our methodology relies on simulation and the response surface method (RSM) to model the relationships between inspection policies and relevant stakeholder objectives in order to construct a set of Pareto optimal solutions. The approach is illustrated with an application to a real-world supply chain.

Currently, organisations find it difficult to design a Decision Support System (DSS) that can predict various operational risks, such as financial and quality issues, with operational risks responsible for significant economic losses and damage to an organisation's reputation in the market. This paper proposes a new DSS for risk assessment, called the Fuzzy Inference DSS (FIDSS) mechanism, which uses fuzzy inference methods based on an organisation's big data collection. It includes the Emerging Association Patterns (EAP) technique that identifies the important features of each risk event. Then, the Mamdani fuzzy inference technique and several membership functions are evaluated using the firm's data sources. The FIDSS mechanism can enhance an organisation's decision-making processes by quantifying the severity of a risk as low, medium or high. When it automatically predicts a medium or high level, it assists organisations in taking further actions that reduce this severity level.

This paper presents an access control modelling that integrates risk assessment elements in the attribute-based model to organize the identification, authentication and authorization rules. Access control is complex in integrated systems, which have different actors accessing different information in multiple levels. In addition, systems are composed by different components, much of them from different developers. This requires a complete supply chain trust to protect the many existent actors, their privacy and the entire ecosystem. The incorporation of the risk assessment element introduces additional variables like the current environment of the subjects and objects, time of the day and other variables to help produce more efficient and effective decisions in terms of granting access to specific objects. The risk-based attributed access control modelling was applied in a health platform, Project CityZen.

Cloud computing is widely believed to be the future of computing. It has grown from being a promising idea to one of the fastest research and development paradigms of the computing industry. However, security and privacy concerns represent a significant hindrance to the widespread adoption of cloud computing services. Likewise, the attributes of the cloud such as multi-tenancy, dynamic supply chain, limited visibility of security controls and system complexity, have exacerbated the challenge of assessing cloud risks. In this paper, we conduct a real-world case study to validate the use of a supply chaininclusive risk assessment model in assessing the risks of a multicloud SaaS application. Using the components of the Cloud Supply Chain Cyber Risk Assessment (CSCCRA) model, we show how the model enables cloud service providers (CSPs) to identify critical suppliers, map their supply chain, identify weak security spots within the chain, and analyse the risk of the SaaS application, while also presenting the value of the risk in monetary terms. A key novelty of the CSCCRA model is that it caters for the complexities involved in the delivery of SaaS applications and adapts to the dynamic nature of the cloud, enabling CSPs to conduct risk assessments at a higher frequency, in response to a change in the supply chain.

More and more industrial devices are expected to connect to the internet seamlessly. IPv6-based industrial wireless network can solve the address resources limitation problem. It is a challenge about how to ensure the wireless node join security after introducing the IPv6. In this paper, we propose a multiple nodes join mechanism, which includes a timeslot allocation method and secure join process for the IPv6 over IEEE 802.15.4e network. The timeslot allocation method is designed in order to configure communication resources in the join process for the new nodes. The test platform is implemented to verify the feasibility of the mechanism. The result shows that the proposed mechanism can reduce the communication cost for multiple nodes join process and improve the efficiency.

Understanding the IP address depletion and the importance of handling security issues in IPv6 deployment can make IT personnel becomes more functional and helpful to the organization. It also applied to the management people who are responsible for approving the budget or organization policy related to network security. Unfortunately, new employees or fresh graduates may not really understand the challenge related to IPv6 deployment. In order to be equipped with appropriate knowledge and skills, these people may require a few weeks of attending workshops or training. Thus, of course involving some implementation cost as well as sacrificing allocated working hours. As an alternative to save cost and to help new IT personnel become quickly educated and familiar with IPv6 deployment issues, this paper presented a learning kit that has been designed to include self-learning features that can help neophytes to learn about IPv6 at their own pace. The kit contains some compact notes, brief security model and framework as well as a guided module with supporting quizzes to maintain a better understanding of the topics. Since IPv6 is still in the early phase of implementation in most of developing countries, this kit can be an additional assisting tool to accelerate the deployment of IPv6 environment in any organization. The kit also can be used by teachers and trainers as a supporting tool in the classroom. The pre-alpha testing has attracted some potential users and the findings proved their acceptance. The kit has prospective to be further enhanced and commercialized.

Cyber-Physical Systems (CPS) attract growing interest from architects and attackers, given their potential effect on privacy and safety of ecosystems and users. Architectural tactics have been proposed as a design-time abstraction useful to guide and evaluate systems design decisions that address specific system qualities, but there is little published evidence of how Security Tactics help to mitigate security threats in the context of Cyber-Physical Systems. This article reports the principled derivation of architectural tactics for an actual SCADA-SAP bridge, where security was the key concern; the key inputs were (1) a well-known taxonomies of architectural tactics, and (2) a detailed record of trade-offs among these tactics. The project architects used client-specified quality attributes to identify relevant tactics in the taxonomy, and information on their trade-offs to guide top-level decisions on system global shape. We venture that all architectural tactics taxonomies should be enriched with explicit trade-offs, allowing architects to compare alternative solutions that seem equally good on principle but are not so in practice.

The increasing diffusion of malware endowed with steganographic techniques requires to carefully identify and evaluate a new set of threats. The creation of a covert channel to hide a communication within network traffic is one of the most relevant, as it can be used to exfiltrate information or orchestrate attacks. Even if network steganography is becoming a well-studied topic, only few works focus on IPv6 and consider real network scenarios. Therefore, this paper investigates IPv6 covert channels deployed in the wild. Also, it presents a performance evaluation of six different data hiding techniques for IPv6 including their ability to bypass some intrusion detection systems. Lastly, ideas to detect IPv6 covert channels are presented.