Detecção de Ameaças de Injeção de SQL em Serviços de Computação Urbana
Resumo
Devido ao expressivo volume de dados heterogêneos gerados pelos espaços urbanos, bem como aos avanços da tecnologia da informação, diversos Serviços de Computação Urbana têm ganhado visibilidade. Estes serviços utilizam bancos de dados relacionais para armazenamento dos dados coletados e são suscetíveis a possíveis ameaças, dentre elas os ataques de SQL Injection (SQLi). Desta forma, se fazem necessárias soluções de segurança que possam, além de trazer eficiência na detecção, atender aos aspectos de tempo de processamento e tempo de resposta. Dentro deste contexto, este artigo apresenta uma solução para Detecção Escalável de Ameaças SQLi (DEA-SQLi) baseada em Expressões Regulares, atuando assim como um serviço de filtragem inicial para proteção contra ameaças de SQLi, a fim de atender a demandas de tempo de resposta e escalabilidade. Os resultados dos experimentos utilizando um conjunto de dados real sugerem que o DEA-SQLi possui uma eficiência adequada para a detecção de ameaças, enquanto atende aos requisitos de escalabilidade dos serviços de computação urbana.
Referências
Devalla, V., Srinivasa Raghavan, S., Maste, S., Kotian, J. D., and Annapurna, D. D. (2022). murli: A tool for detection of malicious urls and injection attacks. Procedia Computer Science, 215:662-676. 4th International Conference on Innovative Data Communication Technology and Application.
Fadolalkarim, D., Bertino, E., and Sallam, A. (2020). An anomaly detection system for the protection of relational database systems against data leakage by application programs. In 2020 IEEE 36th International Conference on Data Engineering (ICDE), pages 265-276.
Geldenhuys, M. K., Will, J., Pfister, B. J. J., Haug, M., Scharmann, A., and Thamsen, L. (2021). Dependable iot data stream processing for monitoring and control of urban infrastructures. In 2021 IEEE International Conference on Cloud Engineering (IC2E), pages 244-250.
Hosam, E., Hosny, H., Ashraf, W., and Kaseb, A. S. (2021). Sql injection detection using machine learning techniques. In 2021 8th International Conference on Soft Computing Machine Intelligence (ISCMI), pages 15-20.
Kumar, P. and Pateriya, R. (2012). A survey on sql injection attacks, detection and prevention techniques. In 2012 Third International Conference on Computing, Communication and Networking Technologies (ICCCNT'12), pages 1-5.
Kuroki, K., Kanemoto, Y., Aoki, K., Noguchi, Y., and Nishigaki, M. (2020). Attack intention estimation based on syntax analysis and dynamic analysis for sql injection. In 2020 IEEE 44th Annual Computers, Software, and Applications Conference (COMPSAC), pages 1510-1515.
Lages, G. and Pereira, R. (2022). Estudo comparativo entre tecnicas de deteccao e prevencao de ataques de injecao sql. In Anais do XVII Escola Regional de Banco de Dados, pages 135-138, Porto Alegre, RS, Brasil. SBC.
Li, Q., Li, W., Wang, J., and Cheng, M. (2019). A sql injection detection method based on adaptive deep forest. IEEE Access, 7:145385-145394.
Lv, Z., Hu, B., and Lv, H. (2020). Infrastructure monitoring and operation for smart cities based on iot system. IEEE Transactions on Industrial Informatics, 16(3):1957-1962.
M, G. and H B, P. (2022). Semantic query-featured ensemble learning model for sql-injection attack detection in iot-ecosystems. IEEE Transactions on Reliability, 71(2):1057-1074.
Mookhey, K. and Burghate, N. (2004). Detection of sql injection and cross-site scripting attacks. Symantec SecurityFocus.
Moreira, D. A. B., Marques, H. P., Costa, W. L., Celestino, J., Gomes, R. L., and Nogueira, M. (2021). Anomaly detection in smart environments using ai over fog and cloud computing. In 2021 IEEE 18th Annual Consumer Communications Networking Conference (CCNC), pages 1-2.
Musznicki, B., Piechowiak, M., and Zwierzykowski, P. (2022). Modeling real-life urban sensor networks based on open data. Sensors, 22(23).
Parashar, D., Sanagavarapu, L. M., and Reddy, Y. R. (2021). Sql injection vulnerability identification from text. In 14th Innovations in Software Engineering Conference (Formerly Known as India Software Engineering Conference), ISEC 2021, New York, NY, USA. Association for Computing Machinery.
Rahul, S., Vajrala, C., and Thangaraju, B. (2021). A novel method of honeypot inclusive waf to protect from sql injection and xss. In 2021 International Conference on Disruptive Technologies for Multi-Disciplinary Research and Applications (CENTCON), volume 1, pages 135-140.
Rizvi, S., Kurtz, A., Pfeffer, J., and Rizvi, M. (2018). Securing the internet of things (iot): A security taxonomy for iot. In 2018 17th IEEE International Conference On Trust, Security And Privacy In Computing And Communications/12th IEEE International Conference On Big Data Science And Engineering (TrustCom/BigDataSE), pages 163-168.
Rodrigues, D. O., Santos, F. A., Filho, G. P. R., Akabane, A. T., Cabral, R., Immich, R., Junior, W. L., Cunha, F. D., Guidoni, D. L., Silva, T. H., Rosário, D., Cerqueira, E., Loureiro, A. A. F., and Villas, L. A. (2019). Computação urbana da teoria à prática: Fundamentos, aplicações e desafios.
Roy, P., Kumar, R., and Rani, P. (2022). Sql injection attack detection by machine learning classifier. In 2022 International Conference on Applied Artificial Intelligence and Computing (ICAAIC), pages 394-400.
Soewito, B., Gunawan, F. E., Hirzi, and Frumentius (2018). Prevention structured query language injection using regular expression and escape string. Procedia Computer Science, 135:678-687. The 3rd International Conference on Computer Science and Computational Intelligence (ICCSCI 2018) : Empowering Smart Technology in Digital Era for a Better Life.
Tang, P., Qiu, W., Huang, Z., Lian, H., and Liu, G. (2020). Detection of sql injection based on artificial neural network. Knowledge-Based Systems, 190:105528.
Xie, X., Ren, C., Fu, Y., Xu, J., and Guo, J. (2019). Sql injection detection for web applications based on elastic-pooling cnn. IEEE Access, 7:151475-151481.
Yunus, M. A. M., Brohan, M. Z., Nawi, N. M., Surin, E. S. M., Najib, N. A. M., and Liang, C. W. (2018). Review of sql injection: Problems and prevention. JOIV: International Journal on Informatics Visualization, 2(3-2):215-219.
Fadolalkarim, D., Bertino, E., and Sallam, A. (2020). An anomaly detection system for the protection of relational database systems against data leakage by application programs. In 2020 IEEE 36th International Conference on Data Engineering (ICDE), pages 265-276.
Geldenhuys, M. K., Will, J., Pfister, B. J. J., Haug, M., Scharmann, A., and Thamsen, L. (2021). Dependable iot data stream processing for monitoring and control of urban infrastructures. In 2021 IEEE International Conference on Cloud Engineering (IC2E), pages 244-250.
Hosam, E., Hosny, H., Ashraf, W., and Kaseb, A. S. (2021). Sql injection detection using machine learning techniques. In 2021 8th International Conference on Soft Computing Machine Intelligence (ISCMI), pages 15-20.
Kumar, P. and Pateriya, R. (2012). A survey on sql injection attacks, detection and prevention techniques. In 2012 Third International Conference on Computing, Communication and Networking Technologies (ICCCNT'12), pages 1-5.
Kuroki, K., Kanemoto, Y., Aoki, K., Noguchi, Y., and Nishigaki, M. (2020). Attack intention estimation based on syntax analysis and dynamic analysis for sql injection. In 2020 IEEE 44th Annual Computers, Software, and Applications Conference (COMPSAC), pages 1510-1515.
Lages, G. and Pereira, R. (2022). Estudo comparativo entre tecnicas de deteccao e prevencao de ataques de injecao sql. In Anais do XVII Escola Regional de Banco de Dados, pages 135-138, Porto Alegre, RS, Brasil. SBC.
Li, Q., Li, W., Wang, J., and Cheng, M. (2019). A sql injection detection method based on adaptive deep forest. IEEE Access, 7:145385-145394.
Lv, Z., Hu, B., and Lv, H. (2020). Infrastructure monitoring and operation for smart cities based on iot system. IEEE Transactions on Industrial Informatics, 16(3):1957-1962.
M, G. and H B, P. (2022). Semantic query-featured ensemble learning model for sql-injection attack detection in iot-ecosystems. IEEE Transactions on Reliability, 71(2):1057-1074.
Mookhey, K. and Burghate, N. (2004). Detection of sql injection and cross-site scripting attacks. Symantec SecurityFocus.
Moreira, D. A. B., Marques, H. P., Costa, W. L., Celestino, J., Gomes, R. L., and Nogueira, M. (2021). Anomaly detection in smart environments using ai over fog and cloud computing. In 2021 IEEE 18th Annual Consumer Communications Networking Conference (CCNC), pages 1-2.
Musznicki, B., Piechowiak, M., and Zwierzykowski, P. (2022). Modeling real-life urban sensor networks based on open data. Sensors, 22(23).
Parashar, D., Sanagavarapu, L. M., and Reddy, Y. R. (2021). Sql injection vulnerability identification from text. In 14th Innovations in Software Engineering Conference (Formerly Known as India Software Engineering Conference), ISEC 2021, New York, NY, USA. Association for Computing Machinery.
Rahul, S., Vajrala, C., and Thangaraju, B. (2021). A novel method of honeypot inclusive waf to protect from sql injection and xss. In 2021 International Conference on Disruptive Technologies for Multi-Disciplinary Research and Applications (CENTCON), volume 1, pages 135-140.
Rizvi, S., Kurtz, A., Pfeffer, J., and Rizvi, M. (2018). Securing the internet of things (iot): A security taxonomy for iot. In 2018 17th IEEE International Conference On Trust, Security And Privacy In Computing And Communications/12th IEEE International Conference On Big Data Science And Engineering (TrustCom/BigDataSE), pages 163-168.
Rodrigues, D. O., Santos, F. A., Filho, G. P. R., Akabane, A. T., Cabral, R., Immich, R., Junior, W. L., Cunha, F. D., Guidoni, D. L., Silva, T. H., Rosário, D., Cerqueira, E., Loureiro, A. A. F., and Villas, L. A. (2019). Computação urbana da teoria à prática: Fundamentos, aplicações e desafios.
Roy, P., Kumar, R., and Rani, P. (2022). Sql injection attack detection by machine learning classifier. In 2022 International Conference on Applied Artificial Intelligence and Computing (ICAAIC), pages 394-400.
Soewito, B., Gunawan, F. E., Hirzi, and Frumentius (2018). Prevention structured query language injection using regular expression and escape string. Procedia Computer Science, 135:678-687. The 3rd International Conference on Computer Science and Computational Intelligence (ICCSCI 2018) : Empowering Smart Technology in Digital Era for a Better Life.
Tang, P., Qiu, W., Huang, Z., Lian, H., and Liu, G. (2020). Detection of sql injection based on artificial neural network. Knowledge-Based Systems, 190:105528.
Xie, X., Ren, C., Fu, Y., Xu, J., and Guo, J. (2019). Sql injection detection for web applications based on elastic-pooling cnn. IEEE Access, 7:151475-151481.
Yunus, M. A. M., Brohan, M. Z., Nawi, N. M., Surin, E. S. M., Najib, N. A. M., and Liang, C. W. (2018). Review of sql injection: Problems and prevention. JOIV: International Journal on Informatics Visualization, 2(3-2):215-219.
Publicado
22/05/2023
Como Citar
SOUZA, Michael S.; RIBEIRO, Silvio E.; GOMES, Rafael L..
Detecção de Ameaças de Injeção de SQL em Serviços de Computação Urbana. In: WORKSHOP DE COMPUTAÇÃO URBANA (COURB), 7. , 2023, Brasília/DF.
Anais [...].
Porto Alegre: Sociedade Brasileira de Computação,
2023
.
p. 145-158.
ISSN 2595-2706.
DOI: https://doi.org/10.5753/courb.2023.801.
