DocumentCode
2559191
Title
Augmented attack tree modeling of SQL injection attacks
Author
Wang, Jie ; Phan, Raphael C -W ; Whitley, John N. ; Parish, David J.
Author_Institution
Dept. of Electron. & Electr. Eng., Loughborough Univ., Loughborough, UK
fYear
2010
fDate
16-18 April 2010
Firstpage
182
Lastpage
186
Abstract
The SQL injection attacks (SQLIAs) vulnerability is extremely widespread and poses a serious security threat to web applications with built-in access to databases. The SQLIA adversary intelligently exploits the SQL statement parsing operation by web servers via specially constructed SQL statements that subtly lead to non-explicit executions or modifications of corresponding database tables. In this paper, we present a formal and methodical way of modeling SQLIAs by way of augmented attack trees. This modeling explicitly captures the particular subtle incidents triggered by SQLIA adversaries and corresponding state transitions. To the best of our knowledge, this is the first known attack tree modelling of SQL injection attacks.
Keywords
Internet; SQL; file servers; query processing; security of data; SQL injection attacks; SQL query; Web security; Web servers; augmented attack tree modeling; database tables; Authentication; Communication channels; Computer crime; Computer hacking; Data mining; Data security; Deductive databases; High-speed networks; Information analysis; Web server; Augmented Attack Tree; Modelling; SQL Injection Attack;
fLanguage
English
Publisher
IEEE
Conference_Titel
Information Management and Engineering (ICIME), 2010 The 2nd IEEE International Conference on
Conference_Location
Chengdu
Print_ISBN
978-1-4244-5263-7
Electronic_ISBN
978-1-4244-5265-1
Type
conf
DOI
10.1109/ICIME.2010.5478321
Filename
5478321