Moving Target Defense Against Injection Attacks

Authors: Huan Zhang, Kangfeng Zheng, Xiaodan Yan, Shoushan Luo, Bin Wu

DOI: 10.1007/978-3-030-38991-8_34

Keywords:

Abstract: With the development of network technology, web services have become more convenient and popular. However, they also face serious security threats, especially SQL injection attacks (SQLIA). Because attack techniques are diverse and defense configurations are static, it is difficult for existing passive defense methods to defend effectively against all SQLIAs. To reduce the risk of successful SQLIAs and increase the attacker's difficulty, an effective technique based on moving target defense (MTD), called dynamic SQLIA defense (DTSA), is presented in this article. DTSA dynamically diversifies the types of databases and the implementation languages, which turns the web server into an untraceable and unpredictable target and slows the attacker down. Moreover, the mutation period is determined using a programming concept so as to reduce the hazards caused by attacks and minimize the impact on normal users as much as possible. Finally, experimental results showed that the proposed method can defend against attacks on relational databases.
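The core idea in the abstract is that an injection payload is usually written for one database dialect, so rotating the dialect underneath the attacker invalidates the reconnaissance the payload was built on. The following Python model is an added illustration of that principle, not the paper's DTSA implementation or its experimental setup: the dialect feature sets, the payload catalogue, the round-robin rotation schedule and the attacker's recon-to-exploit delay are all constructed assumptions for the model.

```python
"""Toy model of database-dialect rotation as a moving target defense against SQLi.

Added illustration, not the paper's DTSA code. It models an attacker who must
fingerprint the backend before crafting a dialect-specific payload, and measures
how a rotation period shorter than the attacker's recon-to-exploit delay
invalidates that reconnaissance. Feature sets, payloads and the rotation
schedule are constructed for the model.
"""
from typing import Dict, FrozenSet, Sequence

# Syntax an injection payload may rely on, per dialect. Constructed from
# documented differences: '#' line comments and SLEEP() exist in MySQL,
# pg_sleep() in PostgreSQL, sqlite_version() in SQLite; '-- ' works in all three.
DIALECT_FEATURES: Dict[str, FrozenSet[str]] = {
    "mysql": frozenset({"dash_comment", "hash_comment", "sleep"}),
    "postgresql": frozenset({"dash_comment", "pg_sleep"}),
    "sqlite": frozenset({"dash_comment", "sqlite_version"}),
}

# Constructed payload catalogue: the syntax features each payload depends on.
PAYLOADS: Dict[str, FrozenSet[str]] = {
    "' OR SLEEP(5)#": frozenset({"sleep", "hash_comment"}),
    "' OR pg_sleep(5)-- ": frozenset({"pg_sleep", "dash_comment"}),
    "' UNION SELECT sqlite_version()-- ": frozenset({"sqlite_version", "dash_comment"}),
    "' OR '1'='1'-- ": frozenset({"dash_comment"}),  # tautology: dialect-agnostic
}

# The payload an attacker crafts once fingerprinting reveals the dialect.
BEST_PAYLOAD_FOR: Dict[str, str] = {
    "mysql": "' OR SLEEP(5)#",
    "postgresql": "' OR pg_sleep(5)-- ",
    "sqlite": "' UNION SELECT sqlite_version()-- ",
}


def payload_works(payload: str, dialect: str) -> bool:
    """A payload executes only if every feature it uses exists in the dialect."""
    return PAYLOADS[payload] <= DIALECT_FEATURES[dialect]


class RotatingBackend:
    """Round-robin dialect rotation every `period` ticks; period 0 = static backend."""

    def __init__(self, dialects: Sequence[str], period: int) -> None:
        self.dialects = list(dialects)
        self.period = period

    def dialect_at(self, t: int) -> str:
        if self.period <= 0:
            return self.dialects[0]
        return self.dialects[(t // self.period) % len(self.dialects)]


def attack_success_rate(backend: RotatingBackend, delay: int, horizon: int) -> float:
    """Fraction of attempts that land when the attacker fingerprints at tick t,
    spends `delay` ticks crafting a dialect-specific payload, then fires."""
    hits = 0
    for t in range(horizon):
        fingerprinted = backend.dialect_at(t)
        payload = BEST_PAYLOAD_FOR[fingerprinted]
        if payload_works(payload, backend.dialect_at(t + delay)):
            hits += 1
    return hits / horizon


def tautology_always_lands(backend: RotatingBackend, horizon: int) -> bool:
    """Caveat: a dialect-agnostic tautology is unaffected by rotation."""
    return all(payload_works("' OR '1'='1'-- ", backend.dialect_at(t))
               for t in range(horizon))


if __name__ == "__main__":
    dialects = ["mysql", "postgresql", "sqlite"]
    static = RotatingBackend(dialects, period=0)
    rotating = RotatingBackend(dialects, period=10)
    print("static backend, delay 5:   ", attack_success_rate(static, 5, 30))     # 1.0
    print("rotate every 10, delay 5:  ", attack_success_rate(rotating, 5, 30))   # 0.5
    print("rotate every 10, delay 10: ", attack_success_rate(rotating, 10, 30))  # 0.0
    print("tautology survives rotation:", tautology_always_lands(rotating, 30))  # True
```

Two things the model makes visible that the abstract only states. First, the benefit depends entirely on the mutation period relative to the attacker's recon-to-exploit window: with a period of 10 ticks and a 5-tick crafting delay, half of the fingerprinted payloads are already stale when fired, and with a delay at or above the period none of them land. Second, rotation only defeats payloads that depend on dialect-specific syntax; a plain tautology succeeds against every backend in the pool, so diversification complements, and does not replace, parameterized queries and input validation.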
