Hybrid method integrating SQL-IF and Naïve Bayes for SQL injection attack avoidance
Indra Hidayatulloh, Universitas Negeri Yogyakarta, Indonesia
Ipam Fuaddina Adam, Telkom Purwokerto Institute of Technology, Indonesia
Abstract
Web applications are the objects most targeted by attackers. The technique most often used to attack web applications is SQL injection. This attack is categorized as dangerous because it can be used to illegally retrieve, modify, delete data, and even take over databases and web applications. To prevent SQL injection attacks from being executed by the database, a system that can identify attack patterns and can learn to detect new patterns from various attack patterns that have occurred is required. This study aims to build a system that acts as a proxy to prevent SQL injection attacks using the Hybrid Method which is a combination of SQL Injection Free Secure (SQL-IF) and Naïve Bayes methods. Tests were carried out to determine the level of accuracy, the effect of constants (K) on SQL-IF, and the number of datasets on Naïve Bayes on the accuracy and efficiency (average load time) of web pages. The test results showed that the Hybrid Method can improve the accuracy of SQL injection attack prevention. Smaller K values and larger dataset will produce better accuracy. The Hybrid Method produces a longer average web page load time than using only the SQL-IF or Naïve Bayes methods.
Full Text:
PDFReferences
V. Prokhorenko, K.-K. R. Choo, and H. Ashman, “Web application protection techniques: A taxonomy,” Journal of Network and Computer Applications, vol. 60, pp. 95-112. 2016.
Verizon, “2017 Data Breach Investigations Report 10th Edition,” Verizon, 2017. [Online]. Available: https://www.verizonenterprise.com/resources/reports/2017_dbir_en_xg.pdf
OWASP, “OWASP Top 10 – 2017 rc 1,” OWASP, 2017. [Online]. Available: https://www.owasp.org/images/3/3c/OWASP_Top_10__2017_Release_Candidate1_English.pdf
J. Clarke, SQL Injection Attacks and Defense. Waltham, MA, USA: Elsevier, 2012.
K. P. Rao, D. A. B.Sasankar dan D. V. Chavan, “Analysis of Detection and Prevention Techniques Against SQL Injection Vulnerabilities,” IJCST, vol. 4, no.1, pp. 50-55. 2013.
C. Basta, A. Elfatatry, and S. Darwish, “Detection of SQL Injection Using a Genetic Fuzzy Classifier System,” IJACSA, vol.7, no.6, pp.129-137. 2016.
Veracode, “State of Software Security Focus on Application Development Supplement to Volume 6,” Veracode, 2015. [Online]. Available:
https://www.veracode.com/sites/default/files/Resources/Reports/state-of-software-security-focusonapplicationdevelopment.pdf?mkt_tok=3RkMMJWWfF9wsRovua3NZKXonjHpfsX%2F6u8uUaag38431UFwdcjKPmjr1YIARcJiI%2BSLDwEYGJlv6SgFTbnFMbprzbgPUhA%3D
M.A. Prabakar, M. KarthiKeyan, and K.Marimuthu, “Wavelength-switched passively coupled single-mode optical network,” in Proc. ICECCN, Tirunelveli, India, 2013, pp. 585–590.
A.Z.N. Saleh, N.A. Rozali, and A.G. Buja, “A Method for Web Application Vulnerabilities Detection by Using Boyer-Moore String Matching Algorithm,” Procedia Computer Science, vol.72, pp.112-121. 2015.
R. Ellysa, M. Husni, and B.A. Pratomo, “Pendeteksi Serangan SQL Injection Menggunakan Algoritma SQL Injection Free Secure pada Aplikasi Web,” Jurnal Teknik Pomits, vol.2, No.1, pp.1-6. 2013.
M.-Y. Kim and D. H. Lee, “Data mining-based SQL injection attack detection using internal query trees,” Expert Systems with Applications, vol.41, No.11, pp.5416-5430. 2014.
A. Joshi and V. Geetha, “SQL Injection Detection using Machine Learning,” in Proc. ICCICCT, Kanyakumari, India, 2014, pp. 1111–1115.
K. Natarajan and S. Sabramani, “Generation of SQL-injection free secure algorithm to detect and prevent SQL-injection attacks,” Procedia Technology, vol.4, pp.790-796. 2012.
A. Saleh, “Implementasi Metode Klasifikasi Naïve Bayes Dalam Memprediksi Besarnya Penggunaan Listrik Rumah Tangga,” Citec Journal, vol.2, No.3, pp.207-217. 2015.
S.A. Pattekari and A. Parveen, “Prediction System for Heart Disease using Naïve Bayes,” International Journal of Advanced Computer and Mathematical Sciences, vol.3, No.3, pp.290-294. 2012.
E.A. Permanasari, I. Hidayah, and I.A. Bustoni, “Forecasting Model for Hotspot Bandwidth Management at Department of Electrical Engineering and Information Technology UGM,” Int. J. Appl. Math. Stat, vol.53, No.4, pp.227-234. 2015.
I. Hidayatulloh and I.A. Bustoni, “Sarima-Egarch Model to Reduce Heterscedasticity Effects in Network Traffic Forecasting,” JATIT, vol.95, No.3, pp.554-560. 2017.
I.A. Bustoni et al., “Fuzzy Logic Tsukamoto for SARIMA On Automation of Bandwidth Allocation,” IJACSA, vol.8, No.1, pp.392-397. 2017.
DOI: https://doi.org/10.21831/jeatech.v1i2.35497
Refbacks
- There are currently no refbacks.
Copyright (c) 2021 Indra Hidayatulloh
Our journal has been indexed by:
Journal of Engineering and Applied Technology (JEATech) by Faculty of Engineering UNY is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.