IEEE TRANSACTIONS ON RELIABILITY, VOL. 69, NO. 1, MARCH 2020

DIAVA: A Traffic-Based Framework for Detection of SQL Injection Attacks and Vulnerability Analysis of Leaked Data

Haifeng Gu, Student Member, IEEE, Jianning Zhang, Tian Liu, Ming Hu, Student Member, IEEE, Junlong Zhou, Member, IEEE, Tongquan Wei, Member, IEEE, and Mingsong Chen, Senior Member, IEEE

Abstract—SQL injection attack (SQLIA) is among the most common security threats to web-based services that are deployed on cloud. By exploiting web software vulnerabilities, SQL injection attackers can run arbitrary malicious code on target databases to acquire or compromise sensitive data. Although web application firewalls (WAFs) are offered by most cloud service providers, tenants are reluctant to pay for them, since there are few approaches that can report accurate SQLIA statistics for their deployed services. Traditional WAFs focus on blocking suspicious SQL requests. Few of them can accurately decide whether an attack is really harmful and quickly answer how severe the attack is. To raise the tenants' awareness of the seriousness of SQLIAs, in this paper, we introduce a novel traffic-based SQLIA detection and vulnerability analysis framework named DIAVA, which can proactively send warnings to tenants promptly. By analyzing the bidirectional network traffic of SQL operations and applying our proposed multilevel regular expression model, DIAVA can accurately identify successful SQLIAs among all the suspects. Meanwhile, the severity of such SQLIAs and the vulnerabilities of the corresponding leaked data can be quickly evaluated by DIAVA based on its GPU-based dictionary attack analysis engine. Experimental results show that DIAVA not only outperforms state-of-the-art WAFs in detecting SQLIAs from the perspectives of precision and recall, but also enables real-time vulnerability evaluation of leaked data caused by SQL injection.

Index Terms—GPU, network traffic, regular expression, SQL injection attack, web application firewall.

NOMENCLATURE

CPU     Central processing unit.
CUDA    Compute unified device architecture.
DBMS    Database management system.
GPU     Graphics processing unit.
HTTP    Hypertext transfer protocol.
JSON    JavaScript object notation.
MD5     Message digest 5.
NIC     Network interface card.
RegExp  Regular expression.
SHA     Secure hash algorithm.
SIMD    Single instruction multiple data.
SQL     Structured query language.
SQLIA   SQL injection attack.
WAF     Web application firewall.

Notations

algo      Encryption algorithm.
cptxt     Given ciphertext.
dataList  List of extracted data.
dict      Selected dictionary.
num       Size of dictionary segment.
ptxt      Decrypted plaintext.
re3       The third-level RegExps.
req       String containing the HTTP request.
resp      String containing the HTTP response.
succ      Indicator of attack success.
sup       Set of supplemental prefixes and suffixes.

Manuscript received June 5, 2018; revised October 20, 2018 and April 9, 2019; accepted June 19, 2019. Date of publication July 24, 2019; date of current version March 2, 2020. This work was supported in part by the National Key Research and Development Program of China under Grant 2018YFB2101300, in part by the Natural Science Foundation of China under Grant 61872147 and Grant 61802185, and in part by the Natural Science Foundation of Jiangsu under Grant BK20180470. Associate Editor: W. Eric Wong. (Corresponding author: Mingsong Chen.)

H. Gu, J. Zhang, T. Liu, M. Hu, and T. Wei are with the Shanghai Key Laboratory of Trustworthy Computing, East China Normal University, Shanghai 200062, China (e-mail: [email protected]; 10142510262@ecnu.cn; [email protected]; [email protected]; [email protected]).

J. Zhou is with the Department of Computer Science and Technology, Nanjing University of Science and Technology, Nanjing 210094, China (e-mail: [email protected]).

M. Chen is with the Shanghai Key Laboratory of Trustworthy Computing, East China Normal University, Shanghai 200062, China, and also with the Shanghai Institute of Intelligent Science and Technology, Tongji University, Shanghai 200092, China (e-mail: [email protected]).

Color versions of one or more of the figures in this paper are available online at http://ieeexplore.ieee.org.

Digital Object Identifier 10.1109/TR.2019.2925415

0018-9529 © 2019 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See https://www.ieee.org/publications/rights/index.html for more information.

I. INTRODUCTION

Due to the outstanding merits (e.g., continuous availability, easy accessibility, flexibility) of the world wide web, an increasing number of enterprises and individuals from different business sectors, such as online shopping, e-banking, healthcare, e-government, and social media, have made their services available on the web. This shift will be further accelerated by the maturity of the latest web technologies (e.g., HTML5), which enable richer web applications and more enhanced user experiences.

Along with the prosperity of web applications, they are inevitably becoming the main targets of malicious attackers. It is reported that in the third quarter of 2017, a web application experienced on average 500–700 attacks per day [1]. As one of the most serious threats to web applications, SQL Injection Attacks (SQLIAs) are widely used by attackers to obtain unauthorized access to sensitive information. As an example, a forum of the popular multiplayer online game "Dota 2" was compromised by an SQL injection attack on July 10, 2016. This raised serious concerns about user privacy, since around 2 million player records were exposed, including email addresses, IP addresses, usernames, user IDs, and corresponding passwords. Although the user passwords of this forum were hashed using the MD5 algorithm, the original passwords could easily be recovered [2].

Cloud computing [3] has become the mainstream platform to run web services, since it enables on-demand service provision in a pay-as-you-go manner and facilitates both the deployment and maintenance of web-based software systems. To protect web applications on cloud from external attacks, Web Application Firewalls (WAFs) are an indispensable mechanism that can be tailored for specific types of attacks. To protect valuable business and customer data under SQLIAs, a WAF checks each input entry in the incoming SQL request. If the value matches an attack pattern specified by a predefined set of rules (e.g., regular expressions), the WAF blocks the request [4], [5]. Although WAFs are good at intrusion detection and prevention [6], few of them can answer questions such as "Can this attack cause disastrous damage or a data leak?" or "How severe is the attack?" This is mainly because WAFs usually adopt a unidirectional analysis that only checks the incoming SQL queries without considering the database responses.

Although WAFs are promising in defending against most malicious attacks, few cloud service providers offer such services for free. For example, Alibaba charges for its WAF service according to the bandwidth of the target web applications. Its enterprise-version WAF costs around 1400 dollars per month to protect a website with a limited bandwidth of 30 Mb/s. Consequently, most cloud tenants, especially small enterprises, are reluctant to pay for this security option. This is not simply because of the high price but rather the unawareness of the severity of

…that can accurately capture successful SQL injections leading to the leak of confidential data.

3) Based on GPU, we propose a parallel dictionary collision analysis approach that can quickly figure out the original content of leaked ciphertexts, which enables the quick evaluation of the vulnerability of leaked data.

Unlike traditional WAFs, DIAVA does not block malicious SQLIAs. Note that besides the online monitoring of network traffic for cloud-based web services, DIAVA can also be used to test the robustness of newly deployed web applications on cloud against SQLIAs. Experimental results using network traffic captured from both real and simulated networks show the superiority of our DIAVA framework in identifying malicious SQLIAs and evaluating the vulnerability of leaked data.

The rest of this paper is organized as follows. Section II presents the related work on various detection and analysis techniques for SQLIAs. Section III introduces the preliminary knowledge of different types of SQLIAs. Section IV provides the implementation details of our DIAVA framework. Section V compares our framework with two state-of-the-art WAFs and reports the performance evaluation results. Finally, Section VI concludes this paper.

II. RELATED WORK

As more and more web applications are deployed on cloud, SQL injection attacks have become a major threat to web-based services. According to a report [9], over 80% of web applications on the Internet potentially have at least one serious vulnerability. In order to detect and prevent SQLIAs, various web application program analysis and SQL injection detection techniques have been investigated.

By analyzing the syntax and behavior of web-based software, the vulnerabilities of web-based applications can be exposed to facilitate the detection of SQL injection attacks. For example, Xie et al. [10] utilized static taint analysis techniques
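As an added illustration, not code from the paper or from the DIAVA implementation, the following Python sketch ties the paper's notation together: a request string `req` is screened with request-side patterns of the kind a WAF applies, the response `resp` is screened with response-side patterns (the role of `re3`) to produce the success indicator `succ` and a `dataList` of extracted values, and any leaked MD5 hashes are then checked against a small dictionary `dict` extended with supplemental suffixes `sup`, processed in segments of `num` entries the way a batch would be handed to a GPU kernel (here hashed sequentially on the CPU), yielding `ptxt` and a severity ratio. The regex sets, the sample traffic and the dictionary are all constructed for this example; the paper's actual multilevel RegExps are not on this page and are not reproduced.

```python
from __future__ import annotations

import hashlib
import re
from urllib.parse import unquote_plus

# Request-side patterns: illustrative examples of the rule style a WAF applies to
# incoming input (assumed for this example, not the paper's rule set).
REQ_PATTERNS = [
    re.compile(r"\bunion\b.+\bselect\b", re.IGNORECASE),
    re.compile(r"'\s*or\s+['\d]+\s*=\s*['\d]+", re.IGNORECASE),
]

# Response-side patterns (the role of re3): recognise leaked data in the HTTP
# response body, here e-mail addresses and 32-hex-digit MD5-looking strings.
RESP_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "md5": re.compile(r"\b[0-9a-f]{32}\b"),
}


def md5_hex(s: str) -> str:
    """Hex MD5 of a string; used only to build the constructed sample data."""
    return hashlib.md5(s.encode()).hexdigest()


def is_suspect(req: str) -> bool:
    """Decode percent-encoding first so encoded payloads are matched the same as plain ones."""
    decoded = unquote_plus(req)
    return any(p.search(decoded) for p in REQ_PATTERNS)


def extract_leaked(resp: str) -> dict:
    """dataList: each response pattern mapped to its unique matches, in order of appearance."""
    return {name: list(dict.fromkeys(p.findall(resp))) for name, p in RESP_PATTERNS.items()}


def classify(req: str, resp: str) -> tuple:
    """Bidirectional check: succ is True only when a suspect request is paired with a
    response that actually contains extractable data. Returns (succ, dataList)."""
    if not is_suspect(req):
        return False, {}
    data_list = extract_leaked(resp)
    succ = any(data_list.values())
    return succ, data_list


def dictionary_analysis(cptxt_list, dict_words, sup=(("", ""),), algo="md5", num=2) -> dict:
    """Map leaked ciphertexts (hashes) back to dictionary plaintexts.
    The dictionary is consumed in segments of `num` words, each word expanded with
    every (prefix, suffix) pair in `sup`; the loop stops early once every target is recovered."""
    targets = set(cptxt_list)
    ptxt = {}
    for start in range(0, len(dict_words), num):
        for word in dict_words[start:start + num]:
            for prefix, suffix in sup:
                candidate = prefix + word + suffix
                digest = hashlib.new(algo, candidate.encode()).hexdigest()
                if digest in targets:
                    ptxt[digest] = candidate
        if len(ptxt) == len(targets):
            break
    return ptxt


def leak_severity(cptxt_list, ptxt) -> float:
    """Fraction of leaked ciphertexts the dictionary recovered (0.0 = none, 1.0 = all)."""
    return len(ptxt) / len(cptxt_list) if cptxt_list else 0.0


# Constructed sample traffic and dictionary (not captured from any real system).
BENIGN_REQ = "GET /profile?id=42 HTTP/1.1"
ATTACK_REQ = "GET /profile?id=42%20UNION%20SELECT%20email,password%20FROM%20users-- HTTP/1.1"
LEAKY_RESP = (
    "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n"
    '{"users":[{"email":"alice@example.com","password":"%s"},'
    '{"email":"bob@example.com","password":"%s"},'
    '{"email":"carol@example.com","password":"%s"}]}'
    % (md5_hex("password"), md5_hex("123456"), md5_hex("correct horse battery staple"))
)
BLOCKED_RESP = "HTTP/1.1 500 Internal Server Error\r\n\r\nYou have an error in your SQL syntax"
DICT = ["letmein", "password", "qwerty", "123456", "dragon"]
SUP = (("", ""), ("", "1"), ("", "!"))

if __name__ == "__main__":
    succ, data = classify(ATTACK_REQ, LEAKY_RESP)
    recovered = dictionary_analysis(data["md5"], DICT, sup=SUP)
    print(f"succ={succ} dataList={data}")
    print(f"ptxt={recovered} severity={leak_severity(data['md5'], recovered):.2f}")
```

The second half of `classify` is where the bidirectional analysis pays off: the same injection request paired with `BLOCKED_RESP` (an error page with no extractable data) yields `succ = False`, a distinction a unidirectional WAF that only inspects the request cannot make. The severity ratio then separates leaks of dictionary-recoverable hashes from leaks whose plaintexts the dictionary does not reach.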