Kurdistan Regional Government Ministry of Higher Education and Scientific Research University of Sulaimani College of Commerce
Design and Implement Online SQL Injection Detection System Based on Query Signature
A Thesis Submitted to the Council of the College of Commerce, University of Sulaimani, in Partial Fulfillment of the Requirements for the Degree of Master in Information Technology
By Awezan Aso Omer BSc in Statistic and Computer (2010)
Supervised By Lecturer Dr. Alaa Khalil Jumaa
March 2017
Nawroz 2717
"We raise by degrees whom We will, and above every possessor of knowledge is one more knowing."
Surah Yusuf, verse 76
Supervisor Certification
I certify that the preparation of this thesis entitled "Design and Implement Online SQL Injection Detection System Based on Query Signature", accomplished by Awezan Aso Omar, was prepared under my supervision in the Statistics and Computer Department, College of Commerce at the University of Sulaimani, as partial fulfillment of the requirements for the degree of Master in Information Technology.
Signature: Name: Dr. Alaa Khalil Jumaa Address: Head of Department of Database, College of Informatics / Sulaimani Polytechnic University Title: Lecturer Date: / / 2017
In view of the available recommendation, I forward this thesis for debate by the examining committee.
Signature: Name: Mahdi Mohammed Younis, College of Commerce / University of Sulaimani Title: Assistant Lecturer Date: / / 2017
Examining Committee Certification
We certify that we have read this thesis entitled "Design and Implement Online SQL Injection Detection System Based on Query Signature", prepared by "Awezan Aso Omar", and, as Examining Committee, examined the student in its content and in what is connected with it, and in our opinion it meets the basic requirements toward the degree of Master of Science in Information Technology.
Signature: Name: Dr. Nizar A.Ali Title: Assistant Professor Date: / / 2017 (Chairman)
Signature: Name: Dr. Soran A. Mohammed Title: Assistant Professor Date: / / 2017 (Member)
Signature: Name: Dr. Hars R. Hassan Title: Lecturer Date: / / 2017 (Member)
Signature: Name: Dr. Alaa K.Jumaa Title: Lecturer Date: / / 2017 (Supervisor)
Approved by the Dean of College of Commerce. Signature: Name: Dr. Narmeen M. Ghafoor Title: Assistant Professor Date: / / 2017
Language Evaluation Certification
I hereby certify that this thesis entitled "Design and Implementation of Online Database Intrusion Detection System Based on Query Signatures", prepared by Awezan Aso Omar, has been read and checked, and after indicating all of the grammatical and spelling mistakes, the thesis was given again to the candidate to make the adequate corrections. After the second reading, I found that the candidate had corrected the indicated mistakes. Therefore, I certify that this thesis is free from mistakes.
Signature: Proofreader: Ranji Shorsh Rauf Date: / / 2017
Position: Department of English, School of Languages, Faculty of Humanities, University of Sulaimani
Dedication
I dedicate this work to:
My father's spirit, who always inspired me to push my limits to the extreme.
My mother, who keeps encouraging me to do my best and not to give up.
My dear husband.
My lovely daughter, Gasha.
My loving brothers and sister.
Awezan
ACKNOWLEDGEMENT
First, praise be to God for all His graces in granting me the patience and faith to complete this thesis. I would like to express my special thanks and appreciation to my supervisor, Dr. Alaa Khalil Jumaa, for his guidance, encouragement, and the advice he gave me throughout the progress of this study. Special thanks to Dr. Rezan Hama Rashid for her support and encouragement and for being my model of a strong and successful woman. I want to thank the Dean of the College of Commerce, Dr. Narmeen Maroof Ghafoor, for her help and support. My thanks to the IT Department, College of Commerce, especially my best friend Snwr, who was my companion on this road. Finally, I would like to express my deepest gratitude to my dear mother, Gashaw, for her constant encouragement, continuous care and support during the course of my study. Also, thanks go to my dear husband, Botan, for his patience and care. This accomplishment would not have been possible without them. Thank you.
Awezan
Abstract
SQL injection (SQLI) is a major class of attack that threatens the integrity, confidentiality, authenticity and functionality of any database-driven web application. It allows an attacker to gain unauthorized access to the back-end database by exploiting vulnerabilities within the system. Preventive and detective measures must be taken, starting with the design of the database-driven web application and the definition of the organization's security policy, so that clients' privacy is properly protected. Intrusion detection is a defense against SQLI that is used as a detection and prevention technique to protect any database-driven web application. The proposed system uses a signature-based method to detect intrusions, and detection proceeds in two stages. In the offline stage, signatures of the safe queries used within the system are created: following a whitelist approach, the legitimate transactions are whitelisted and then hashed with SHA-256, producing signatures of safe transactions that are stored in a knowledge base (a text file) for later use. In the online stage, where detection takes place, the input from the user (a possible attacker) is taken, special keywords are extracted from it, and an SHA-256 signature of the transaction is produced. The resulting signature is compared with the signatures in the text file. If a match is found, the program lets the query pass and classifies it as a valid transaction; if not, it classifies the transaction as an intrusion, stops the query from reaching the DBMS, raises an alert to the DBA, and blocks the user's IP address so that the user cannot enter the web site again. Experimental results showed that the proposed solution is feasible in terms of efficiency and completeness. Furthermore, the website access time is not affected when the proposed system is used.
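The two-stage scheme described in the abstract, as an added illustration that is not the thesis's own code (the thesis implements its detector as Java programs, Create_Signature_SHA.java and Query_Signature_Com.JAR, invoked from PHP; this stand-alone Python sketch only mirrors the idea). The keyword set, the replacement of literals by a placeholder, the one-signature-per-line file format of the knowledge base and all sample queries are assumptions of this example and are not taken from the thesis:

```python
import hashlib
import re

# Keyword set used for normalisation. The thesis speaks of "special SQL
# keywords" without listing them in this chapter, so this set is an
# assumption of the example, not the thesis's own list.
SQL_KEYWORDS = {
    "select", "from", "where", "and", "or", "not", "insert", "into",
    "values", "update", "set", "delete", "union", "order", "by", "limit",
    "like", "in", "null", "is",
}

# String and numeric literals are what a user normally supplies; they are
# replaced by a single placeholder so that one query template gives one
# signature no matter which values are filled in (example design choice).
LITERAL_RE = re.compile(r"'(?:[^']|'')*'|\"[^\"]*\"|\b\d+(?:\.\d+)?\b")

# After literal removal, keep keywords, the placeholder and punctuation that
# changes the meaning of a statement (comment markers, quotes, operators).
TOKEN_RE = re.compile(r"--|/\*|\*/|\?|[A-Za-z_]+|[=<>;'\"(),*#]")


def extract_keywords(query: str) -> list:
    """Reduce a SQL statement to the sequence of keywords and structural
    punctuation that define its shape; identifiers and literals drop out."""
    skeleton = LITERAL_RE.sub("?", query)
    tokens = []
    for tok in TOKEN_RE.findall(skeleton):
        low = tok.lower()
        if low in SQL_KEYWORDS:
            tokens.append(low)
        elif not re.fullmatch(r"[A-Za-z_]+", tok):  # placeholder or punctuation
            tokens.append(tok)
    return tokens


def signature(query: str) -> str:
    """SHA-256 over the keyword skeleton, hex-encoded: the query signature."""
    return hashlib.sha256(" ".join(extract_keywords(query)).encode()).hexdigest()


class QueryProfile:
    """Whitelist of signatures for the application's legitimate queries."""

    def __init__(self):
        self.signatures = set()

    def learn(self, query: str) -> str:
        """Offline phase: record the signature of a known-safe query."""
        sig = signature(query)
        self.signatures.add(sig)
        return sig

    def is_allowed(self, query: str) -> bool:
        """Online phase: a query passes only if its signature was learned."""
        return signature(query) in self.signatures

    def save(self, path: str) -> None:
        """Persist the knowledge base as one hex signature per line."""
        with open(path, "w") as fh:
            fh.write("\n".join(sorted(self.signatures)) + "\n")

    def load(self, path: str) -> None:
        with open(path) as fh:
            self.signatures.update(line.strip() for line in fh if line.strip())


# Constructed sample queries (not taken from the thesis's test application).
SAFE_LOGIN = "SELECT * FROM users WHERE username='alice' AND password='s3cret'"
SAFE_ITEM = "SELECT name, price FROM items WHERE id=42"

# Same templates with other values: must be accepted.
OTHER_LOGIN = "SELECT * FROM users WHERE username='bob' AND password='hunter2'"
OTHER_ITEM = "SELECT name, price FROM items WHERE id=7"

# Tautology, comment and UNION shapes (the classic forms the thesis discusses)
# change the keyword skeleton, so their signatures are unknown to the profile.
TAUTOLOGY = "SELECT * FROM users WHERE username='' OR '1'='1' AND password=''"
COMMENTED = "SELECT * FROM users WHERE username='admin'--' AND password=''"
UNION = "SELECT name, price FROM items WHERE id=42 UNION SELECT username, password FROM users"


def demo() -> dict:
    """Learn the two safe templates, then classify the probes."""
    profile = QueryProfile()
    profile.learn(SAFE_LOGIN)
    profile.learn(SAFE_ITEM)
    checks = [OTHER_LOGIN, OTHER_ITEM, TAUTOLOGY, COMMENTED, UNION]
    return {q: profile.is_allowed(q) for q in checks}


if __name__ == "__main__":
    for q, ok in demo().items():
        print("ALLOW" if ok else "BLOCK", q)
```

Replacing string and numeric literals before extracting keywords is what makes one query template yield one signature whatever values the user supplies, while a tautology, a comment marker or an appended UNION changes the token sequence and therefore the SHA-256 value. The flip side of a whitelist built this way is that any legitimate query shape that was not learned in the offline phase is rejected as an intrusion, so the profile has to be rebuilt whenever the application's queries change.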
Table of Contents

Abstract ............ i
Table of Contents ............ ii
List of Figures ............ vi
List of Tables ............ viii
Abbreviations ............ ix

Chapter One: General Introduction
1.1. Introduction ............ 1
1.2. Web Applications ............ 2
1.2.1. Web Application Tiers ............ 3
1.2.2. Web Application Vulnerability ............ 4
1.3. Database Systems ............ 5
1.3.1. Database Security ............ 6
1.3.2. Database Intrusion Detection System ............ 6
1.4. Problem Statement ............ 7
1.5. Literature Survey ............ 8
1.6. Aim of the Thesis ............ 12
1.7. Thesis Layout ............ 12

Chapter Two: Theoretical Background
2.1. Introduction ............ 14
2.2. Computer Security ............ 15
2.2.1. Risk ............ 16
2.2.2. Risk Management ............ 17
2.2.2.1. Risk Assessment ............ 18
2.2.2.2. Risk Mitigation ............ 21
2.2.2.3. Risk Evaluation and Assessment ............ 22
2.2.3. Vulnerabilities ............ 22
2.2.4. Threat and Threat Agents ............ 23
2.2.4.1. Common Threat Sources ............ 23
2.2.4.2. Common Threat Types ............ 24
2.2.5. Hackers ............ 25
2.2.6. Hacktivists ............ 27
2.2.7. Security Policies ............ 27
2.2.8. The Security Trinity ............ 27
2.3. Database Security ............ 29
2.4. Database Security Issues ............ 29
2.5. Threats to Databases ............ 30
2.6. Intrusion Detection System ............ 31
2.6.1. Types of Intrusion Detection Systems (IDS) ............ 32
2.7.1.1. IDS Type Based on Detection Methods ............ 33
2.7.1.2. IDS Based on Location and Input Information ............ 34
2.7.1.3. IDS Type Based on Behavior at Detection ............ 35
2.6.2. Efficiency of Intrusion-Detection Systems ............ 36
2.7. Database Intrusion Detection System ............ 36
2.8. Structured Query Language (SQL) ............ 37
2.9. Structured Query Language Injection Attack (SQLIA) ............ 38
2.9.1. Forms of Vulnerability ............ 39
2.9.2. SQL Injection Threat Modeling ............ 39
2.9.3. Motivation of SQL Injection Attack ............ 40
2.9.4. Classification of SQL Injection Attack ............ 41
2.9.4.1. Types of SQL Injection Based on Input Source ............ 41
2.9.4.2. Types of SQL Injection Based on Technical Aspect ............ 41
2.9.5. Steps of Performing SQLIA ............ 44
2.9.6. Avoidance Strategies Against SQL Injection Attacks ............ 44
2.10. Secure Hash Algorithm (SHA) ............ 45
2.11. Introduction for IP tables in Shell Script Programming ............ 47

Chapter Three: The Proposed DB Intrusion Detection System
3.1. Introduction ............ 49
3.2. The Proposed Database Intrusion Detection System ............ 50
3.2.1. Offline Phase (Building Query Profiler) ............ 52
3.2.1.1. Query Keyword Extraction Process ............ 53
3.2.1.2. Signature Creation Process ............ 55
3.2.2. Online Phase (Detection and Prevention) ............ 58
3.2.2.1. Detection Process ............ 60
3.2.2.2. Prevention Process ............ 63

Chapter Four: Performance Analysis of the Proposed DIDS
4.1. Introduction ............ 64
4.2. Test Proposed DIDS Using Traditional Way ............ 64
4.3. Test Proposed DIDS Performance Using SQLMAP ............ 67
4.3.1. Test the Non-Protected System Using SQLMAP ............ 67
4.3.2. Test the Proposed DIDS Using SQLMAP ............ 70
4.4. Calculating Average Access Time ............ 72
4.4.1. Web Application Performance Tool ............ 72
4.4.1.1. Performance Before Protection ............ 73
4.4.1.2. Performance After Protection ............ 74
4.4.2. Comparison of Test Results ............ 74
4.5. Experimental Results Analysis ............ 76

Chapter Five: Conclusions and Future Work
5.1. Conclusion ............ 77
5.2. Future Work ............ 78
Bibliography ............ 79
List of Figures

Figure (1.1): Web Application Architecture ............ 4
Figure (2.1): The Security Requirements Triad ............ 16
Figure (2.2): A Diagram Shows the Information Security Risk Management Lifecycle [30] ............ 18
Figure (2.3): Risk Assessment Methodology Flowchart [29] ............ 20
Figure (2.4): Percent of breaches per threat actor ............ 25
Figure (2.5): Relationship Among Vulnerabilities, Exploits, Attacks [28] ............ 26
Figure (2.6): The Security Trinity [31] ............ 28
Figure (2.7): IDS taxonomy ............ 32
Figure (2.8): A Typical SQL Injection Attack [54] ............ 38
Figure (3.1): General Architecture of the Proposed System ............ 51
Figure (3.2): The extraction process of special SQL keywords ............ 54
Figure (3.3): Executing Create_Signature_SHA.java program from terminal ............ 55
Figure (3.4): Providing the query to give it a unique signature ............ 56
Figure (3.5): Output of the (Create_Signature_SHA) program from offline stage ............ 56
Figure (3.6): Content of QUERYPROFILE.TXT that includes signatures of safe queries ............ 56
Figure (3.7): Flowchart for creating query signatures ............ 57
Figure (3.8): A flow chart for online detection and prevention processes ............ 59
Figure (3.9): The Query_Signature_Com.JAR File injected to the PHP code ............ 62
Figure (4.1): Malicious try to access non-protected website ............ 65
Figure (4.2): Malicious access to the non-protected website ............ 65
Figure (4.3): Malicious access tries to access the protected website ............ 66
Figure (4.4): Attacker failed to breach the system ............ 66
Figure (4.5): SQLMAP project attempt to hack the non-protected website ............ 67
Figure (4.6): SQLMAP project hacked non-protected website ............ 68
Figure (4.7): SQLMAP project tries to extract the Database name ............ 68
Figure (4.8): SQLMAP project gained the Database name ............ 69
Figure (4.9): SQLMAP project tries to gain table names of the back-end DB ............ 69
Figure (4.10): SQLMAP was successful in gaining the name of the table USER and its contents ............ 70
Figure (4.11): SQLMAP attempt to breach the protected system ............ 71
Figure (4.12): SQLMAP failing attempts to hack the protected system ............ 71
Figure (4.13): SQLMAP project fails to inject the protected website ............ 71
Figure (4.14): SQLMAP requests used to attack non-protected and protected website ............ 72
Figure (4.15): WAPT Tool window shows the specified testing scenario ............ 73
Figure (4.16): Average Response Time for all 500 sessions of the 20 users for protected and non-protected system ............ 75
Figure (4.17): Average response time for protected and non-protected system ............ 75
List of Tables

Table (2.1): Classification of SQL Injection Attacking Vector of 2010 ............ 43
Table (4.1): Response time per second for the Non-Protected website ............ 74
Table (4.2): Average Response time per second in protected website ............ 74
Abbreviations

ANSI: American National Standards Institute
AVG: Average
CERN: Conseil Européen pour la Recherche Nucléaire (European Organization for Nuclear Research)
DBMS: Database Management System
DCL: Data Control Language
DDL: Data Definition Language
DIDAFIT: Detecting Intrusions in DAtabases through FIngerprinting Transactions
DIDAR: Database Intrusion Detection with Automated Recovery
DIDS: Database Intrusion Detection System
DML: Data Manipulation Language
HIDS: Host-based Intrusion Detection System
HTTP: Hypertext Transfer Protocol
IDS: Intrusion Detection System
IP: Internet Protocol
IPS: Intrusion Prevention System
NIDS: Network-based Intrusion Detection System
OWASP: Open Web Application Security Project
PDS: Prevention Detection System
PHP: Hypertext Preprocessor
SHA: Secure Hash Algorithm
SQL: Structured Query Language
SQLIA: Structured Query Language Injection Attack
SQLiDDS: SQL Injection Detection using query transformation and Document Similarity
SQL-IDS: SQL-Injection Detection System
SQLIPA: SQL Injection Protector for Authentication
VPN: Virtual Private Network
WAPT: Web Application Performance Tool
XSS: Cross-Site Scripting
Chapter One: General Introduction

1.1. Introduction

The Internet is an environment that offers the world the ability to communicate easily; for all its glory, the Internet is a blessing and a curse at the same time, two faces of the same coin. Web applications are used as a revolutionary means of communication by any organization or company, giving users and clients all over the world smooth access via the Internet. Web applications respond to user input by interacting with the database behind them and return the pertinent data to the user. Secret and critical information, such as financial records or medical information, is usually kept in the back-end database; such sensitive data is exactly what attackers desire [1]. A structured query language injection attack (SQLIA) consists of inserting, or "injecting", SQL into a query through the data that the client supplies to the web application with its back-end database. It takes advantage of vulnerabilities that exist within the system's security policy to mount an effective SQL injection attack. The attacker gains unauthorized access by obtaining administrative privileges and altering the logic of the SQL query so that it executes commands that deviate from the programmer's original intent and serve the attacker's objective: to access and read sensitive data from the database. The attacker may also modify database data by inserting, updating or deleting table records, or exercise administrative functionality on the database, such as locking down the DBMS, reading the content of a given file on the DBMS file system or, in extreme cases, commanding
the operating system. In other words, SQL injection is the pursuit of altering the result of the execution of predefined SQL commands [2]. Many ways exist for a user to input data into a web application, so poor input validation creates the vulnerability that offers a chance to commit an SQLI attack and opens a passage to the back-end database without proper authorization, which certainly leads to the loss of secrecy (confidentiality) and integrity of the system and, finally, negatively affects the market value of the organization [1]. The Open Web Application Security Project (OWASP) ranked SQLI first in its top ten list in the years 2010 and 2013, regarding the ease of exploitability and the severity of impact, which proves the danger of this kind of attack over the years [2]. Since the first public discussion of SQL injection appeared around 1998, when Rain Forest Puppy wrote an article titled "NT Web Technology Vulnerabilities", many researchers have developed a variety of methods to detect and prevent SQL injection attacks, and the intrusion detection system is considered one of the most important defensive techniques against them [3].

1.2. Web Applications

Most people's lives revolve around web applications, and they may not notice it; they use them on a daily basis, whether to access their e-mail, book a flight or hotel, check the weather, purchase an item from an online store, and so on. Web applications come in various shapes and sizes [4]. Web applications developed gradually from web sites or web systems. The first web site, created by Tim Berners-Lee while at CERN (the European Laboratory for Particle Physics), formed a document control system for sharing information resources among researchers, offering them the ability to access documents and information published by fellow researchers directly from their computers. A web application builds on and extends a web system to add business functionality. In other words, a web application is a web system that gives its users the ability to perform business logic with a web browser [5]. In a web-enabled society web applications are very popular; regardless of the programming language in which they are written, they share two main characteristics: interactivity and, in most cases, being database-driven. A typical web application contains a back-end database and web pages with server-side scripts, written in a programming language, that extract certain information from the database depending on how the page interacts dynamically with the front-end user [4].

1.2.1. Web Application Tiers

A database-driven web application consists of three main tiers:
1) Presentation tier (a web browser or rendering engine)
2) Logic or business tier (a programming language, such as C#, ASP, .NET, PHP, JSP, etc.)
3) Storage tier (a database such as Microsoft SQL Server, MySQL, Oracle, etc.)
The web browser (the presentation tier, such as Internet Explorer, Safari, Firefox, etc.) sends requests to the middle tier (the logic tier), which services the requests by making queries and updates against the database (the storage tier) [4]. These three tiers are shown in Figure (1.1).
Figure (1.1): Web Application Architecture [6] (figure labels: Calling User, services, Presentation tier, Logic Tier, Storage Tier)
1.2.2. Web Application Vulnerability

With the rapid growth of the Internet, more and more web applications are being deployed to offer services to users all over the world. By their nature, web applications are often widely accessible from the Internet and hence exposed to a very large number of potential attackers. These factors have made web applications a very attractive target for attackers and led to the appearance of novel attacks. The following are five common web application vulnerabilities [7]:
1) SQL injection attacks: happen when attackers take advantage of sites that pass user input directly to the code that generates SQL queries, without checking the validity of the input. This allows an attacker to submit malicious SQL and send commands directly to the back-end database. This thesis focuses on protection against this kind of attack.
2) Cross-site scripting (XSS) attacks: target an application's users by injecting code, commonly a client-side script such as JavaScript, into the output of a web application. Whenever the compromised output or page is viewed, the injected code is executed by the web browser, allowing an attacker to hijack user sessions, redirect the user to a malicious site or simply deface the page.
3) Insecure direct object references: another flaw that comes from weak application design based on the false assumption that users will always follow the application's rules. For instance, if a user's account ID is shown in the page URL or in a hidden field, another user's ID may be guessed and the request resubmitted to access their data, especially if the ID is a predictable value.
4) Broken authentication and session management: HTTP does not provide the capability of establishing sessions or managing user authentication, so it is the responsibility of the web application to do this in order to keep track of each user's requests; all authentication credentials and session identifiers must be protected with encryption at all times.
5) Security misconfiguration: the infrastructure that supports a web application comprises a complex variety of devices and software, including servers, firewalls, databases, operating systems and application software; these must not be neglected and must be configured correctly to assure good security control.

1.3. Database Systems

As stated earlier, web applications are commonly database-driven; in other words, behind most web applications there is a core database at the back end that represents the beating heart of the system, since it contains the important and "sensitive" information that is the basis of the web application. A database is a collection of data, typically describing the activities of one or more related organizations [8].

1.3.1. Database Security

Database security is a branch of knowledge that researches methods to protect data stored in DBMSs from intrusions, invalid modifications, theft, and illicit disclosure of private information. This is achieved through a set of security services that meet the security requirements of both the system and the data sources. Database security is a general term that includes many processes, tools and methodologies that guarantee security within a database environment. Various techniques and strategies have been developed by researchers over time to assure data confidentiality, integrity, and availability in DBMSs. However, despite such progress, the database security area faces several new challenges, as attackers always find ways to invent new intrusions and craft new attacks [9].

1.3.2. Database Intrusion Detection System

Many defensive techniques exist to protect databases from SQL injection, and the database intrusion detection system is one of the mechanisms to safeguard a database-driven web application from illegal intrusions and suspicious transactions or behavior, especially SQL injection attacks. A database intrusion detection system is software that automatically detects and prevents intrusions or transactions that attempt to access or modify data without permission [10].
1.4. Problem Statement

From the time when computers and web technology came to dominate every aspect of human life, database security has been a contentious issue. Behind any web application there is a core database that stores valuable and sensitive information, which is presumed to be a potential target for hackers trying to intrude their way in to get their hands on this information for financial profit or other reasons. The most famous attack practiced by attackers, and considered the most dangerous and popular attack technique, is SQL injection. This kind of attack is widely used by attackers due to its simplicity of implementation and ease of exploitability, with destructive results. An attacker exploits vulnerabilities that exist within the target system to attack the web application in an attempt to gain unauthorized access to the back-end database, motivated by malicious intent to either access or tamper with the sensitive data it holds. Depending on the intellectual capacity of the attacker, the effect of his or her database intrusion varies. At first glance, it may seem that protecting a database from SQL injection attacks (SQLIA) is an easy task: by simply using a firewall and applying some input sanitization and restriction techniques, together with the use of static queries, SQLIA is avoidable. However, this strategy fails to provide adequate security, as hackers are always inventing new attack methods and coming up with clever ways to outsmart the system's security policy. Here comes the role of the database intrusion detection system (DIDS) in protecting database systems from unauthorized access by attackers, especially in preventing SQL injection attacks. Though many types and methods of DIDS have been presented by researchers over time, a perfect database intrusion detection system does not exist yet. This thesis offers a new, proven technique for database intrusion detection that uses signature-based detection together with the secure hash algorithm SHA-256 to protect database systems from SQL injection attacks.
1.5.
Literature Survey Many researchers focused on SQL Injection Attack and its techniques,
and studied methods to detect and prevent SQLIA in order to secure database systems and web applications from such attack by using Database Intrusion Detection and Prevention System as a defense technique. Below are some of these researchers along with their proposed DIDS: In [2000] V.Lee et al. explained a way for detecting intrusions in realtime database systems. The study took advantages of real time data to serve intrusion detection. Data objects were flagged with time-stamps that draw assumptions about update rates that are unknown to intruders, their concepts of time signatures can be used to detect security policy violations. A secret cyclic update rate that can detect unauthorized update requests as they will not supposed to be done at that time; this method contributes in minimizing the high false rate [11]. In [2002] S. Lee .et al presented a technique called (DIDAFIT) that can sufficiently detect anomalous accesses to the database. This approach distinguishes legitimate access by finger printing their constituent SQL statement. Then these finger prints are tested to identify illegitimate accesses to the database. It has been proved by the researchers that this approach can be used in typical client-server database setup. Positive rate is noticed because users cannot construct their own SQL statements also an increasing in performance of database is spotted. The problem with this approach is that it can‘t detect intrusions before the execution of the SQL statement hence the detection is not in real time[12]. In [2007] A.Sharma et al. proposed a more ingenious solution (DIDAR); DIDAR aims to detect the intrusions in real time along with damage control and 8
auto-recovery features. DIDAR provides intrusion tolerance by working in two stages: a learning stage and a detection stage. During the learning stage they build a model of authorized queries for every user, derived from the currently executing query transactions, and later use that model to detect illegal transactions. Their prototype gave affirmative results in initial tests on a synthetic database. The framework is inclusive and provides support for fast damage recovery, full auto-recovery and signature-based detection of intrusions; by consuming minimum resources a high detection rate is achieved [13].

In [2008] K. Kemalis et al. presented a prototype called SQL-IDS. This approach employs specifications that define the intended syntactic structure of the SQL queries produced and executed by the web application, and at the same time monitors the application for the execution of any query that deviates from the specifications. The system detects SQL injection attacks in real time by monitoring Java-based applications. The main traits of this method are that it detects all kinds of SQL injection attacks, it is self-sufficient and autonomous, and it is ready to use for any specific target system, application environment or DBMS, since it does not need source code modification to be applicable. The researchers state that after elementary tests this approach recorded no false alarms [14].

In [2009] S. Ali et al. built the prototype SQLIPA, a simple yet strong approach to block SQL injection attacks. They believed that protecting the authentication of web-driven databases is the key to a successful defense against attacks, especially tautology attacks that seek to bypass login authentication. They calculated a hash value of all usernames and passwords of the system to improve the authentication process.
SQLIPA was tested on sample data with different numbers of records in the user-account table; it adds a very small time overhead of 1.3 ms to the authentication process, and its performance was proven [15].

In [2012] S. Hidhaya et al. proposed a method to detect SQL injection. They used a reverse proxy and the MD5 algorithm to search for SQL
injection in URLs and user input, using grammar expression rules. The system showed significant improvement in eliminating SQLIA on standard test applications [16].

In [2014] K. Randhe et al. deployed a reverse proxy between the client and the server in such a way that the presence of the proxy is unknown to the user. The sanitization process uses a data cleaning algorithm and a message digest algorithm to sanitize applications; this method enables the detection of both SQL injection and cross-site scripting attacks. Its disadvantage is that it reduces the performance of the system by slowing it down [17].

In [2015] P. Mehta et al. created a scheme, SQLshield, that prevents SQL injection attacks in web applications with a back-end database. SQLshield modifies the user input data before the SQL query is executed by the database server, using a randomization technique that makes it impossible for the execution of the resulting SQL query to deviate from the execution intended by the programmer [18].

In [2015] R. Latha et al. presented an efficient method that can be used with confidential web applications, based on replacing the SQL query parameter values. The detection of SQL injection is done by tampering with the input features of query strings, and the analysis of the query examines its suitability for both static and dynamic manipulation of user queries. The main advance of the proposed algorithm is that it executes the detection mechanism without the need for any proxy server [19].

In [2015] D. Parchand et al. provided a database detection system and gave preventive measures to avoid or reduce future attacks. A data mining algorithm is used to detect abnormal transactions by building a data dependency miner for a banking database system.
Their approach extracts read-write dependency rules to be used later for identifying suspicious transactions, and also decides whether a read-write transaction is a violation or was done without permission. It can extract interesting rules that have a lower frequency than the minimum support threshold; it also has the capability of managing these rules and avoiding the extraction of uninteresting rules [20].

In [2015] S. Souissi et al. introduced a categorization-based detection system that supplies a structured zone to evaluate, identify, classify and present a defense mechanism against advanced attacks. Their approach helps simplify complicated rule expressions and alert management through a modular design and intuitive rule definition with a strong expression language. The proposed system is adaptable and takes many attack properties into consideration in order to clarify attack handling and generalize defense mechanisms, and it has the ability to learn from previously detected attacks. The main significance of this method is that the detection is not focused on the attack itself but on the attack category; this property helps to generalize defense mechanisms and automate the response [21].

In [2015] D. Kar et al. presented an approach for real-time detection of SQL injection attacks using transformation and a resemblance measure. Performing as a database firewall, their proposed system, SQLiDDS, is able to protect multiple web applications using a database server, and with input from a human expert SQLiDDS can become more robust over time. The MD5 hash value of each query structure is calculated and stored separately in a reference hash table, which avoids repeating the computation for similar incoming queries at runtime. The adopted plan examines the WHERE clause only and ignores INSERT queries, which was based on two compelling observations made at the time of the research. This approach confirmed its effectiveness in detecting and preventing SQL injection attacks accurately with a trivial effect on the performance of the system. The presented method was tested on web applications built using PHP and MySQL, but it can be easily deployed on other platforms with minimal changes [22].
1.6. Aim of the Thesis
The main aim of this thesis is to work within the security requirements of the database system by developing a Database Intrusion Detection System (DIDS) to protect any database-driven web application from malicious transactions, especially SQL injection attacks, since this kind of attack is considered one of the most viral attacks in the world, with a catastrophic impact on the targeted system depending on the fluency of the attacker. Researchers have developed many techniques and methods against SQLIA using DIDS, but it has to be said that there is no complete and perfect detection system that eliminates this threat for good. The key objectives can be summed up in the following points:
1) Create a novel technique to protect the database from SQL Injection Attacks.
2) Create a new algorithm to distinguish special SQL keywords from queries in a tokenizing process.
3) Create a dataset of hash signatures by using the Secure Hash Algorithm.
4) Create a prevention technique to prevent future SQL Injection Attacks by blocking the detected IP address of the attacker.
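The query-structure fingerprinting used by DIDAFIT and SQLiDDS in the survey above, and the tokenize, hash and block sequence that objectives 2 to 4 describe, can be illustrated in one place. The following Python script is an added example written for this page, not the thesis's own implementation: the token grammar, the `QuerySignatureDetector` class, the keyword list and the sample queries and IP addresses are all constructed assumptions; SHA-256 is used for the signature as objective 3 states.

```python
"""Query-signature SQL injection detector (added example, not the thesis's code).

Learning stage: legitimate application queries are reduced to a syntactic
skeleton (keywords and operators kept, literals replaced by placeholders) and
the SHA-256 of each skeleton is stored as a known signature.  Detection stage:
a query whose skeleton hashes to an unknown signature is treated as injected
and its source IP address is blocked.  All names and data are constructed.
"""
import hashlib
import re

# One alternative per token class; order matters (literals before identifiers).
TOKEN_RE = re.compile(
    r"""
    '(?:[^']|'')*'          |   # single-quoted string literal ('' escapes a quote)
    \d+(?:\.\d+)?           |   # numeric literal
    --[^\n]*                |   # line comment (runs to end of line)
    /\*.*?\*/               |   # block comment
    [A-Za-z_][A-Za-z0-9_]*  |   # keyword or identifier
    <>|<=|>=|!=|\|\|        |   # two-character operators
    \S                          # any other single non-space character
    """,
    re.VERBOSE | re.DOTALL,
)

# Keywords that define query structure (assumed list; extend for the target DBMS).
SQL_KEYWORDS = {
    "select", "from", "where", "and", "or", "not", "insert", "into", "values",
    "update", "set", "delete", "union", "all", "order", "by", "like", "in",
    "is", "null", "limit", "join", "on", "group", "having", "as",
}


def tokenize(sql: str) -> list:
    """Split SQL text into tokens; whitespace is dropped, comments are kept."""
    return TOKEN_RE.findall(sql)


def skeleton(sql: str) -> str:
    """Reduce a query to its structure: literals become STR/NUM, comments become
    COMMENT, keywords are upper-cased, identifiers and punctuation stay as they
    are.  Queries that differ only in user-supplied values share a skeleton."""
    parts = []
    for tok in tokenize(sql):
        if tok.startswith("'"):
            parts.append("STR")
        elif tok[0].isdigit():
            parts.append("NUM")
        elif tok.startswith("--") or tok.startswith("/*"):
            parts.append("COMMENT")
        elif tok.lower() in SQL_KEYWORDS:
            parts.append(tok.upper())
        else:
            parts.append(tok)
    return " ".join(parts)


def signature(sql: str) -> str:
    """SHA-256 hex digest of the skeleton: the value kept in the signature dataset."""
    return hashlib.sha256(skeleton(sql).encode("utf-8")).hexdigest()


class QuerySignatureDetector:
    """Two-stage detector: learn() builds the signature set, check() enforces it."""

    def __init__(self):
        self.known = set()        # signatures of legitimate query structures
        self.blocked_ips = set()  # sources whose queries deviated from the set

    def learn(self, sql: str) -> str:
        sig = signature(sql)
        self.known.add(sig)
        return sig

    def check(self, sql: str, client_ip: str) -> str:
        """Return 'allow' for a known structure; otherwise block the source
        address (objective 4 above) and return 'block'."""
        if client_ip in self.blocked_ips:
            return "block"
        if signature(sql) in self.known:
            return "allow"
        self.blocked_ips.add(client_ip)
        return "block"


if __name__ == "__main__":
    det = QuerySignatureDetector()
    # Learning stage: the application's login query with constructed sample values.
    det.learn("SELECT id FROM users WHERE username = 'alice' AND password = 'pw1'")
    # Same structure, different values: allowed.
    print(det.check("SELECT id FROM users WHERE username = 'bob' AND password = 'x'", "10.0.0.5"))
    # A tautology typed into the username field adds an OR and a comment to the
    # structure, so the signature is unknown and the source address is blocked.
    tautology = "SELECT id FROM users WHERE username = '' OR '1'='1' -- ' AND password = 'x'"
    print(det.check(tautology, "10.0.0.9"))
    print(sorted(det.blocked_ips))
```

Because only the skeleton is hashed, the signature set stays small regardless of how many distinct values users submit, which is the property the reference-hash-table designs above rely on.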
1.7. Thesis Layout
In addition to the current chapter, this thesis is organized into four remaining chapters as follows:
Chapter two, entitled "Theoretical Background", presents an overview of SQL injection and intrusion detection systems (IDS): their types, classifications and techniques, and a brief explanation of the algorithms and methods used, to make it easier for readers to understand the rest of the thesis.
Chapter three, entitled "The Proposed DB Intrusion Detection System", includes a wide explanation of the application system, theoretically and practically; it explains how the system was built and in how many stages, and also covers the encryption process used in the designed system.
Chapter four, entitled "Performance Analysis of the Proposed DIDS", consists of experiments to prove the applicability and efficiency of the proposed DIDS, their results, and the justification and discussion of the results.
Chapter five, entitled "Conclusions and Future Work Suggestions", offers the conclusions of the study and future work.
Chapter Two
Theoretical Background
2.1. Introduction
Since the internet has become part of people's daily lives, and despite its fast-growing popularity globally and the vast defensive technologies used to minimize the risk of information exposure and data breaches, the protection of their privacy has become harder over time. The world of the internet can generally be seen in different ways: "as a free marketplace and source of information, or a battleground. Everything that is internet connected has the potential of being breached" [23]. Most people think that they are familiar with SQL Injection and know enough about it, but in fact they are far from it; all they have been informed about or faced are insignificant examples. SQL injection is one of the most destructive vulnerabilities affecting businesses, as it can cause disclosure of all of the critical information stored in an application's database, including usernames, passwords, names, addresses, contact numbers and credit card details [4] [24]. SQL Injection is the flaw or vulnerability that results when an attacker is given leverage to control the Structured Query Language (SQL) queries that an application sends to its back-end database. By being able to decide what is passed to the database, the attacker can exploit the syntax and capabilities of SQL itself; the attacker's intent is criminal, with espionage or financial motivation, and his or her alteration of the genuine purpose of the SQL query causes harmful results. This viral attack has most likely existed ever since SQL databases were first connected to web applications, and these malicious commands are not fully detected by firewalls and endpoint defenses [4].
This chapter takes a short look at computer security in general and some of its important definitions, then gives a brief overview of SQL injection, its causes and its impact. In addition, some protection techniques against this kind of attack are presented. The chapter then continues with an overview of intrusion detection techniques, especially database intrusion detection, and finally a brief introduction to encryption techniques is presented.
2.2. Computer Security
Reliance on computers and technology nowadays has made the term "computer security" vivid to all users of computers and their broad services. Many companies and organizations use web applications to communicate and deliver their services to their audience and consumers; in order to make this process safe, flawless and private, computer security is valued [25]. The term computer security, also known as cyber security or IT security, refers to the protection of computing systems by applying special techniques that ensure the safety of the data stored within their information systems; it provides protection against theft of and damage to hardware, software and the information on them, as well as against corruption and misdirection of the services the system provides [26]. The NIST Computer Security Handbook defines computer security as: "the protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications)" [27]. Computer security is based on three fundamentals; together they are called the Security Triangle or the CIA of security, as Figure (2.1) shows. An intrusion tries to compromise one or all of these fundamentals [26] [27]:
1) Confidentiality: the requirement of information system secrecy, i.e. that sensitive information and data are concealed from the public and third parties are denied access to such private information.
2) Integrity: an information system has integrity when it delivers information in a timely, accurate, complete, consistent and credible manner.
3) Availability: making sure that the system is functioning correctly for authorized users whenever needed, providing them legitimate access to services and resources.
Figure (2.1): The Security Requirements Triad [26].
2.2.1. Risk
Risk is a measure of the criticality of a situation, the probability of something being attacked. Risk is based on several metrics or factors such as threats, vulnerabilities and impact. It can be said that risk is a combination of the system's vulnerability to attack, the possibility of attack (threat), and the consequences of the attack (impact) [28].
2.2.2. Risk Management
Risk management is composed of three processes: risk assessment, risk mitigation, and evaluation and assessment. Risk management is the process that enables IT managers to balance the operational and financial costs of protective measures and achieve gains in mission capability by protecting the IT systems and data that support their organizations' missions. The head of an organizational unit must guarantee that the organization has the abilities needed to perform its mission. The owners of these tasks must define the security capacity that their IT systems must have to provide the desired level of mission support against the various threats that exist in the real world. Most organizations have tight budgets for IT security; therefore, IT security expenses must be studied as carefully as other management decisions. Using a well-structured risk management methodology efficiently can help management pinpoint appropriate controls for supplying the mission-essential security capabilities [29]. Management is involved with many kinds of risk. Computer security risk management identifies risks from an organization's use of information technology. In discussing risk management, it is essential to recognize its most fundamental assumption: computers can never be fully secured; there is always risk surrounding them [27]. A basic risk management process flow is shown in Figure (2.2); each stage in the process includes a short description along with the party responsible for that step. Responsibilities for many of these steps are shared between the information security team and the business owner, because the security team cannot be the only side managing risk for the organization. The security team is able to guide the process, provide oversight and make recommendations, but ultimately it is the business that owns the risk [30].
Figure (2.2): A Diagram Showing the Information Security Risk Management Lifecycle [30].
2.2.2.1. Risk Assessment
Risk assessment is the first process in the risk management methodology. It is the procedure in which a system or data is evaluated with regard to its significance, and decisions are made with respect to the amount of resources that should be devoted to its protection. The main point is that different types of data should be protected at different security levels, not at the same level of protection. The result of the risk assessment helps to identify suitable controls for minimizing or eliminating risk during the risk mitigation process. One important point to keep in mind is that the sensitivity of a resource may change over time if the intended use of that resource changes, new types of sensitive data are added, or the priorities of the organization change. Any major change to the design, intended use, customer base or implementation should trigger a new assessment, since the classification changes if the information is no longer at the same level of sensitivity, which means that the required controls will also change. The same applies to resources: if the sensitivity of the data being processed changes, then the controls around that resource need to be re-evaluated [28]. Risk is a moving target; the environments being protected are continuously changing, and this means that shifts in threats and exposures need to be considered in the risk assessment workflow. There are many times when a re-assessment is needed (basically starting the assessment cycle over), including the following [30]:
1) A change in the sensitivity of the target resource
2) A significant shift in the threat landscape
3) A change in legal/regulatory requirements
4) A change in security policy
5) On a schedule, based on the resource's sensitivity to risk
There are steps that need to be taken into consideration when performing a risk assessment; a risk assessment methodology goes through nine primary steps [29]:
1) System Characterization.
2) Threat Identification.
3) Vulnerability Identification.
4) Control Analysis.
5) Likelihood Determination.
6) Impact Analysis.
7) Risk Determination.
8) Control Recommendations.
9) Results Documentation.
Steps 2, 3, 4 and 6 can be performed in parallel after Step 1 has been completed. Figure (2.3) depicts these steps and the inputs to and outputs from each step.
Figure (2.3): Risk Assessment Methodology Flowchart [29]. The flowchart lists, for each step, its inputs and its output:
Step 1. System Characterization. Input: hardware, software, system interfaces, data and information, people, system mission. Output: system boundary, system functions, system and data criticality, system and data sensitivity.
Step 2. Threat Identification. Input: history of system attacks, data from intelligence agencies. Output: threat statement.
Step 3. Vulnerability Identification. Input: reports from prior risk assessments, any audit comments, security requirements, security test results. Output: list of potential vulnerabilities.
Step 4. Control Analysis. Input: current controls, planned controls. Output: list of current and planned controls.
Step 5. Likelihood Determination. Input: threat-source motivation, threat capacity, nature of vulnerability, current controls. Output: likelihood rating.
Step 6. Impact Analysis (loss of integrity, loss of availability, loss of confidentiality). Input: mission impact analysis, asset criticality assessment, data criticality, data sensitivity. Output: impact rating.
Step 7. Risk Determination. Input: likelihood of threat exploitation, magnitude of impact, adequacy of planned or current controls. Output: risks and associated risk levels.
Step 8. Control Recommendations. Output: recommended controls.
Step 9. Results Documentation. Output: risk assessment report.
2.2.2.2. Risk Mitigation
Risk mitigation, the second process of risk management, consists of prioritizing, evaluating and implementing the appropriate risk-reducing controls recommended by the risk assessment process. It is the responsibility of senior management and of functional and business managers to use the minimum-cost method and apply the most appropriate controls to reduce mission risk to an acceptable level, with minimal adverse impact on the organization's resources and mission, since the elimination of all risk is usually unrealistic or close to impossible [29]. Risk mitigation is a systematic methodology used by senior management to reduce mission risk. It can be achieved through any of the following options [29] [27]:
1) Risk Assumption: to accept the potential risk and continue operating the IT system, or to implement controls to lower the risk to an acceptable level.
2) Risk Avoidance: to avoid the risk by eliminating its cause and/or its consequence.
3) Risk Limitation: to limit the risk by implementing controls that minimize the adverse impact of a threat exercising a vulnerability (e.g., use of supporting, preventive and detective controls).
4) Risk Planning: to manage risk by developing a risk mitigation plan that prioritizes, implements and maintains controls.
5) Research and Acknowledgment: to lower the risk of loss by acknowledging the vulnerability or flaw and researching controls to correct it.
6) Risk Transference: to transfer the risk by using other options to compensate for the loss, such as purchasing insurance.
2.2.2.3. Risk Evaluation and Assessment
In most organizations the network structure is constantly changing, through expansion or updating of its components and of its software applications to newer versions. In addition, personnel changes occur and security policies probably change over time. These modifications mean that new risks will arise and risks previously mitigated may again become a concern. Thus, the risk management process is ongoing and evolving [29].
2.2.3. Vulnerabilities
A vulnerability is an inherent weakness in the design, configuration or implementation of a network or system that makes it prone to a threat. Most vulnerabilities can usually be traced back to one of three sources [31]:
1) Poor design: hardware and software systems that contain design flaws that can be exploited by attackers. In essence, the systems are created with security holes.
2) Poor implementation: systems that are wrongly configured, which makes them vulnerable to attack. This type of vulnerability is created by the inexperience of the designer, insufficient training, or sloppy work. An example of this type of vulnerability would be a system that does not have restricted-access privileges on critical executable files, thereby allowing these files to be altered by unauthorized users.
3) Poor management: insufficient procedures, inadequate checks and balances. Security measures need to be documented and monitored. Every little detail, such as a simple daily backup of a system, needs to be confirmed. Responsibilities should be described for some functions and dual custody for others. In this manner an organization can guarantee that procedures are being followed and that no one person has total control of a system.
While there are only three sources of vulnerabilities, they can manifest themselves in many ways.
2.2.4. Threats and Threat Agents
A threat is a measure of the possibility that a computer system will be attacked or the confidentiality of information lost. It is a determinant for deciding whether information is at risk or not [28]. Threat agents are entities that cause or contribute to an incident. There can be more than one agent involved in any incident, and their involvement can be malicious or non-malicious, intentional or accidental, direct or indirect. Critical to any forensic investigation is identifying the source of the breach, not only for purposes of response and containment but also for implementing current and future defensive strategies. Verizon recognizes three primary categories of threat agents: external, internal and partner [32]. The term threat agent is used to indicate an individual or group that can manifest a threat; they can be human (intentional or unintentional) or a natural cause (flood, fire, etc.). It is fundamental to identify who would want to exploit the assets of a company, and how they might use them against the company [2].
2.2.4.1. Common Threat Sources
There are many sources of threats in the world, but they are mainly categorized into three kinds [27]:
1) Natural Threats: floods, earthquakes, tornadoes, landslides, avalanches, electrical storms and other such events.
2) Human Threats: events that are either enabled by or caused by human beings, such as unintentional acts (inadvertent data entry) or deliberate actions (network-based attacks, malicious software upload, unauthorized access to confidential information).
3) Environmental Threats: long-term power failure, pollution, chemicals, liquid leakage.
2.2.4.2. Common Threat Types
Any threat can be assessed as being one of four kinds: interception, interruption, modification and fabrication. Each threat exploits vulnerabilities of the assets in the target computing systems [33].
1) Interception: access by some party to an asset without proper authorization. The outside party can be a person, a program or a computing system. Examples of this type of failure are illegal copying of program or data files, or obtaining data from a network by wiretapping it.
2) Interruption: an asset of the system becomes lost, unavailable or unusable. A hardware device being maliciously damaged, the removal of a program or data file, or an operating system file manager malfunctioning so that it cannot find a particular disk file, are examples of this kind of attack.
3) Modification: if an unauthorized party not only gains access but also alters an asset, the threat is a modification. For example, the attacker may change the values within a database, modify a program so that it performs an additional computation, or modify data being transmitted electronically. It is even possible to modify hardware. Some cases of modification can be detected with simple measures, but other, more subtle changes may be almost impossible to detect.
4) Fabrication: an unauthorized party might create counterfeit objects on a computing system. The intruder may insert spurious transactions into a network communication system or add records to an existing database. Sometimes these additions can be detected as forgeries, but if skillfully done they are virtually indistinguishable from the real thing.
These four classes of threats, interception, interruption, modification and fabrication, describe the kinds of problems we might encounter. In the next
section, we look more closely at a system's vulnerabilities and how we can use them to set security goals.
2.2.5. Hackers
The threat from hackers is complex, and it may affect the internal workings of a system, computers and computer networks in particular. Generally a hacker is someone who illegally gains unauthorized access to a computer system or server with malicious intent [34]. According to the 2016 Data Breach Investigations Report, no local industry or organization is bulletproof when it comes to the compromise of data. There are many sources of attacks on a computer system (external, internal, partner and collusion); the report says that most attacks come from outside the company or organization, and since logically there are more people outside than inside, most intrusions are external ones, as Figure (2.4) shows. However, what drives them to commit such acts varies. It is said to be mostly financial motivation, with espionage as the secondary motive; to be precise, 89% of breaches had a financial or espionage motive, which is what their investigation concluded [35].
Figure (2.4): Percent of breaches per threat actor [35].
Even though the main reason that pushes hackers to break into systems is financial gain, the greater damage is not caused by that intent; it is the secondary motive, espionage, or in other words spying, that is more vicious, because its purpose is to lead or assist another attack [35]. So, in order for web applications and database systems to be safe from these threats, having a good security policy and a good risk analysis, together with well-educated users, will make the system more resistant to intrusions [36]. An attack is the actual use of crafted code by a hacker to carry out the attack, and there is a chronological relationship between vulnerabilities, exploits, attack code and the attack itself. Vulnerabilities may stay hidden in systems and programs for years without being discovered by hackers. Even when they are found, it is not necessarily easy to exploit them. The time interval between when a vulnerability is spotted and when an exploit is designed can be anything from days to weeks or even longer. The time between the creation of the attack code and the spreading of the attack may vary too. Figure (2.5) shows this time-dependent relationship [28].
Figure (2.5): Relationship Among Vulnerabilities, Exploits and Attacks (plotted against time) [28].
A malicious attacker must possess three elements; denying any of the three means the attack will not happen. However, it is not simple to eliminate them. These elements are the following [33]:
1) Method: the skills, knowledge, tools and other things needed to be able to carry out the attack.
2) Opportunity: the time and access needed to accomplish the attack.
3) Motive: the intention and cause that drive the attacker to commit this attack against the target system.
2.2.6. Hacktivists
A thin line distinguishes a hacker from a hacktivist or activist, and that line is the motive behind the attack. While hackers attack for self-interest, hacktivists have a more significant motive, which might include a social or political objective [37]. Attackers may hack into computer systems to serve a specific cause, their attacks may take the form of organized crime (cybercrime), and they may justify their actions under the banner of awareness. Governments hack into other governments' systems to commit espionage and steal valuable secrets [38].
2.2.7. Security Policies
The term security policy is used to refer to the specific security rules for particular systems, or it may be defined as the "documentation of computer security decisions". A security policy is a definition of what it means to be secure for a system, organization or other entity [27].
2.2.8. The Security Trinity
The three legs of the "security trinity", prevention, detection and response, comprise the basis of information security, as demonstrated in Figure (2.6). The security trinity should be the foundation for all security policies and measures that an organization develops and deploys [31].
Figure (2.6): The Security Trinity [31].
1) Prevention: The foundation of the security trinity is prevention. To provide some level of security, it is crucial to apply measures that avoid the exploitation of vulnerabilities by attackers. Organizations should give higher priority to preventative measures than to detection and response; it is much easier, more efficient and far more cost-effective to prevent a security breach than to detect or respond to one. It is impossible to develop a security scheme that prevents all vulnerabilities from being exploited, but companies should make sure that their preventative measures are strong enough to block likely criminal acts.
2) Detection: After implementing preventive measures, actions need to be taken to detect potential problems or security breaches in the event that the preventative measures fail. It is important that intrusions be detected immediately: the sooner a problem is detected, the easier it is to correct and recover from.
3) Response: An appropriate response to a security breach needs to be planned carefully by organizations. The plan should be documented and must identify the responsibilities of individuals and their actions during the response to the security breach. In addition, the documentation should include the various response techniques and levels of escalation.
2.3. Database Security
Database management systems are growing in popularity and are used to an increasing extent to store information about all aspects of an enterprise. Most often, the data stored in a DBMS is considered vital to the business and is viewed as a corporate asset. In addition to protecting the intrinsic value of the data, corporations must take privacy and access control into consideration to ensure that sensitive data is not exposed to certain groups of users, for various reasons [39].
2.4. Database Security Issues Database security is a very broad area that covers many issues, including the following [40]: 1) Legal and ethical issues: These issues concern the right to access certain information. Some information may be considered private and cannot legally be accessed by unauthorized persons. 2) Policy issues: Every government, institution, or corporation has its own policy on what sort of information should be kept secret and not exposed to the public, for example credit ratings and personal medical records. 3) System-related issues: These address the system levels at which different security functions should be applied, such as whether a security function should be handled at the physical hardware level, the operating system level, or the DBMS level. Organizations need to identify several security levels and to categorize data and users according to these classifications. The categorization can vary from one system to another, depending on the business owner and its function; a corporation may classify its data as top secret, secret, confidential, and unclassified. The organization's security policy governing access to the various classifications of data must be enforced [28] [40].
2.5. Threats to Databases Threats to databases result in the loss or degradation of some or all of the following security goals: integrity, availability, and confidentiality [41]. 1) Loss of integrity: Database integrity refers to the requirement that information be protected from improper modification. Modification of data includes creation, insertion, alteration, changing the status of data, and deletion. Integrity is lost if illicit changes are made to the data by either intentional or accidental acts. If a loss of system or data integrity is not corrected, continued use of the contaminated system or corrupted data could result in inaccuracy, fraud, or erroneous decisions. 2) Loss of availability: Database availability refers to making objects available to a human user or a program that has a valid access right to them. 3) Loss of confidentiality: Database confidentiality refers to the protection of data from unauthorized disclosure, meaning that sensitive data must remain secret and must not be exposed to the public. The impact of unauthorized disclosure of confidential information can range from a violation of the Data Privacy Act to the jeopardizing of national security. In addition, loss of public trust, embarrassment, or legal action against the organization can arise from illegal, unexpected, or accidental disclosure of data within the database system on which the organization depends. To protect databases against these types of threats, countermeasures such as access control, encryption techniques and automated defensive software can be applied. In this thesis, a database intrusion detection and prevention system based on query signatures is used as a database firewall to protect databases from external SQL injection attacks and to eliminate the threats to database systems addressed above.
2.6. Intrusion Detection System Intrusion detection is the procedure in which the events occurring in a computer system or network are monitored and analyzed for signs of possible incidents, which are violations or imminent threats of violation of computer security policies, acceptable use policies, or standard security practices, or any other threat that compromises the security of the system. Examples include attackers gaining unauthorized access to systems from the Internet, and authorized users of systems who misuse their privileges or attempt to gain additional privileges for which they are not authorized [41]. Experienced system administrators have always observed their systems for intrusions. The process usually involved reviewing logs on a daily basis. Intrusions were rare enough that such reviews were usually adequate to address any possible problems. Unfortunately, times have changed drastically. After-the-fact reviews are no longer adequate; real-time or near real-time responses to intrusions are necessary. Moreover, it is not humanly possible to analyze the amount of information in today's log files without some automated process. Without automation of the review and monitoring process, it could be weeks before a system administrator knows about an intrusion into his or her system. In general terms, an "intrusion" can be defined as an unauthorized attempt or success in accessing, altering, rendering unavailable, or destroying information on a system, or the system itself [31]. Basically, an intrusion is an attacker's effort to breach or misuse a system. Some researchers separate misuse from intrusion; the separation is based on the source of the attack. The term intrusion is usually used if the attack originated from outside the organization (external attack), while the term misuse usually refers to an attack that arises from inside the organization or system (internal attack). However, not everyone makes this distinction [31]. Intrusion detection is the process of detecting unauthorized, inappropriate, or anomalous activity. The art of intrusion detection has been practiced by system and network administrators for years. However, intrusion detection has recently been given more importance because it is efficient in generating real-time alerts, and can even launch countermeasures or reconfigure routers or firewalls to counter an attack [42]. An intrusion detection system (IDS) is software that automates the intrusion detection process. An intrusion prevention system (IPS) has the same capabilities as an intrusion detection system but, in addition to detection, it can stop an ongoing attack and prevent it from attempting to breach the protected system again [41].
2.6.1. Types of Intrusion Detection Systems (IDS) IDS can be categorized from several aspects: the location where the system is deployed and its inputs, the way an IDS reacts to an intrusion and how it handles the attack, and, last but not least, the methodology used to analyze and implement detection. Figure (2.7) explains this taxonomy.
Figure (2.7): IDS taxonomy [43]. The figure groups IDS types along three axes: detection method (misuse or signature detection, anomaly detection, hybrid detection); location of audit information (host-based, HIDS; network-based, NIDS); and reaction on detection of the intrusion (passive IDS, active IDS).
2.6.1.1. IDS Type Based on Detection Methods There are two main methods used by intrusion detection systems to detect intrusions, distinguished by the input information used for their analysis: 1) Signature Based Detection or Misuse Detection: The first type of IDS created and implemented took the form of misuse detection for mainframe systems. This type of IDS analyzes user input and compares it to what are called signature patterns. The signatures of known intrusions are stored in a knowledge base database; whenever a user tries to input data, the input is converted to signatures which are then used for comparison [44]. These misuse patterns are very often of the same nature as patterns in strings or regular expressions, and in the area of IDSs they are referred to as signatures. Consequently, misuse-based intrusion detection systems are also known as signature-based intrusion detection systems (and sometimes knowledge- or rule-based IDSs). Rules are pre-defined on the system before it starts processing. The only downside of this method is its inability to detect novel or unknown attacks; for this reason constant updates with new misuse signatures are required, and this is a difficult task that requires superior expertise and security insight and awareness [45] [46]. 2) Behavior Based Detection or Anomaly Detection: Unlike the previous method, an anomaly or behavior based intrusion detection system depends on the behavior of a subject or user. The IDS analyzes behavior features using statistics or data-mining approaches and machine-learning techniques such as expert systems; any behavior that deviates from normal behavior is determined to be abnormal or suspicious. Whereas misuse detection defines the abnormal signature as an input, in anomaly detection normal behavior is defined by the programmer or system administrator, and new rules are also defined by the IDS itself using self-learning techniques, which empowers this kind of IDS to detect unknown attacks. Even though this is a strength over misuse detection, the disadvantage of this method is that it generates a higher false alarm rate. After training, anomalies are detected and flagged as attacks. But anomalous behavior does not always signal that an attack is taking place, so anomaly detection systems need to be carefully tuned to avoid high false alarm rates [47]. Anomaly detectors construct profiles representing the normal behavior of users, hosts or network connections. These profiles are constructed from historical data collected during normal operation. The detectors collect data from the events and use a variety of measures to determine when the monitored activity deviates from normal activity [36]. 3) Hybrid Detection Method: In some intrusion detection systems both of the detection methods addressed above (signature and anomaly) are used, so that each compensates for the weaknesses of the other and a more powerful detection results. This kind of detection has the capabilities of both the signature and the anomaly method, hence it is more powerful and preferred [41].
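The following is an added example, not the thesis's own Java code, of signature-based detection in the specific form this thesis adopts (Chapter 3 describes it): the keyword skeleton of a query is hashed with SHA-256 and looked up among signatures produced offline from the application's own legitimate queries. The keyword list, the decision to keep comparison operators and comment markers in the skeleton, the sample queries and addresses, and the in-memory block list are all assumptions of this example.

```python
"""Signature-based detection of SQL injection from a query's keyword skeleton.

Added example, not the thesis's Java code. Offline stage: sign the application's
legitimate queries with SHA-256. Online stage: sign the incoming query the same
way and look the signature up. Keyword list, operator handling and the in-memory
block list are assumptions of this example.
"""
import hashlib
import re

# Hypothetical keyword set; a real deployment would use the full dialect of its DBMS.
SQL_KEYWORDS = {
    "SELECT", "FROM", "WHERE", "AND", "OR", "NOT", "IN", "IS", "NULL", "LIKE",
    "INSERT", "INTO", "VALUES", "UPDATE", "SET", "DELETE", "UNION", "ALL",
    "ORDER", "BY", "LIMIT", "JOIN", "ON", "DROP", "TABLE", "EXEC", "SLEEP",
}
# identifiers/words, then comment markers, terminator and comparison operators
_TOKEN = re.compile(r"[A-Za-z_][A-Za-z0-9_]*|--|/\*|\*/|;|<>|!=|<=|>=|=|<|>")


def extract_keywords(query):
    """Keep, in order, the structural tokens of a query: SQL keywords, comparison
    operators, terminators and comment markers. Identifiers, numbers and the words
    inside string literals are dropped, so the result describes the shape of the
    statement rather than the data in it."""
    skeleton = []
    for tok in _TOKEN.findall(query):
        up = tok.upper()
        if up in SQL_KEYWORDS or not tok.isidentifier():
            skeleton.append(up)
    return skeleton


def signature(query):
    """The signing step shared by both stages: SHA-256 over the keyword skeleton."""
    return hashlib.sha256(" ".join(extract_keywords(query)).encode()).hexdigest()


class QuerySignatureDetector:
    def __init__(self, safe_queries):
        # Offline stage: signatures of the application's own queries. The thesis keeps
        # these in a text file; a set stands in for it here.
        self.known = {signature(q) for q in safe_queries}
        # Addresses handed to the prevention step (the thesis writes them to a text
        # file read by a shell script that adds an iptables DROP rule).
        self.blocked_ips = set()

    def check(self, query, client_ip):
        """Online stage: True if the query's signature is known (let it pass);
        otherwise classify it as malicious and record the client address."""
        if signature(query) in self.known:
            return True
        self.blocked_ips.add(client_ip)
        return False


# Constructed application query template and sample inputs
LOGIN = "SELECT id FROM users WHERE username = '{u}' AND password = '{p}'"
SAFE_QUERIES = [
    LOGIN.format(u="alice", p="secret"),
    "SELECT name, price FROM products WHERE category = 'books' ORDER BY price",
]


def demo():
    det = QuerySignatureDetector(SAFE_QUERIES)
    verdicts = {
        # a legitimate name containing a quote leaves the skeleton unchanged, so it passes
        "benign_quote": det.check(LOGIN.format(u="O'Brien", p="pw"), "10.0.0.5"),
        # the tautology from Figure (2.8) adds OR, = and -- to the skeleton
        "tautology": det.check(LOGIN.format(u="' OR 1=1--", p=""), "10.0.0.9"),
        # a UNION (Section 2.9.4.2) adds a second SELECT ... FROM to the skeleton
        "union": det.check(LOGIN.format(u="x' UNION SELECT password FROM users--", p=""), "10.0.0.9"),
    }
    return verdicts, sorted(det.blocked_ips)


if __name__ == "__main__":
    print(demo())
```

Because only the skeleton is compared, a value such as O'Brien is accepted even though the quote inside it reaches the database unescaped; the signature check therefore complements the bind-argument countermeasure listed in Section 2.9.6 rather than replacing it.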
2.6.1.2. IDS Based on Location and Input Information There are two types of intrusion detection system based on the placement of the IDS and its input parameters: network based and host based. 1) Host Based IDS: Host-based intrusion detection was the first area explored in intrusion detection. Host based intrusion detection (HIDS) refers to intrusion detection that takes place on a single host system. Currently, HIDS involves installing an agent on the local host that monitors and reports on the system configuration and application activity. Host based intrusion detection attempts to distinguish unauthorized, illegal, and anomalous behavior on a particular device. In general, HIDS involves an agent installed on each system which is responsible for monitoring and alerting on local OS and application activity. The installed agents use a combination of signatures, rules, and heuristics to identify unauthorized activity. It can be said that gathering, identifying, logging, and alerting are the role of HIDS, which is why it is considered to be a passive IDS [48] [49]. 2) Network Based IDS: A network-based IDS (NIDS) monitors network traffic for a particular network segment or set of devices and analyzes the network activity to identify suspicious activity. Network intrusion detection is the process that identifies abnormal behaviors aimed at a network and its resources. It can recognize many different types of events of interest. It is most commonly deployed at network boundaries, such as in proximity to border firewalls or routers, virtual private network (VPN) servers, remote access servers, and wireless networks [41] [50].
2.6.1.3. IDS Type Based on Behavior at Detection When an intrusion detection system detects an intrusion or an attack (regardless of the detection method or input information used) it enters reaction mode; how the IDS behaves at the time of detection determines its type. There are two types of reaction [43]: 1) Passive IDS: If the reaction consists only of alerting the security administrator or the users of the protected system, for example by sending an alert email, without any action to stop the actual attack, the IDS is said to be passive. 2) Active IDS: Reacts in the same way as a passive IDS when it detects a security breach, in terms of alerting security, but along with that it fixes the security vulnerability or security hole, and it stops the attack to avoid damage by shutting down the services or directing the attacker to another service, not allowing him/her to continue the attack. Hence, it reacts actively and directly to the detected attack.
2.6.2. Efficiency of Intrusion Detection Systems The efficiency of an IDS is judged by several characteristics; the following have been proposed [49] [51]: 1) Accuracy: The ability of the IDS to detect intrusions accurately. It is measured by two parameters, the detection rate and the false alarm rate; the higher the detection rate and the lower the false alarm rate, the higher the accuracy achieved. 2) Performance: IDS performance is the rate at which audit events are processed. Poor performance will make it impossible for the IDS to perform real-time detection properly. 3) Completeness: This condition requires the IDS to detect all attacks performed on the system. This is the most difficult criterion for an intrusion detection system, since it is out of the question for an IDS to have knowledge of all attack signatures or all abuses of privilege. 4) Response time: The amount of time it takes for an IDS to detect and react to the attack; this condition is more important in real-time IDS.
2.7. Database Intrusion Detection System The main concern in database security is the protection of the database from unauthorized access. The attack may take the form of the execution of anomalous transactions that compromise the security of the database and threaten the integrity of the database system. Database designers and web developers must protect their systems from these kinds of database intrusions. To eliminate these kinds of attacks many researchers use a database intrusion detection system (DIDS); it is deployed and implemented as a defense mechanism to protect databases, especially from SQL injection attacks, which are considered the most virulent attack among security threats. Database security attacks are usually categorized as external attacks and insider attacks. In an external attack the attacker is an outsider who tries to breach the system and gain unauthorized access to the database system, while an insider attack comes from authorized users of the database system who try to exceed their privileges and gain more rights over the database system in order to control the system and eventually perform malicious actions [52].
2.8. Structured Query Language (SQL) SQL (pronounced "ess-que-el") stands for Structured Query Language. SQL is used to communicate with a database. According to ANSI (American National Standards Institute), it is the standard language for relational database management systems. SQL statements are used to carry out actions such as updating data in a database or retrieving data from a database, so overall SQL is used for managing relational databases and executing different operations on the data in them. Initially created in the 1970s, SQL is used constantly by database administrators as well as developers to write data integration scripts. SQL is also used by data analysts to set up and run analytical queries. The standard SQL commands such as "Select", "Insert", "Update", "Delete", "Create", and "Drop" can be used to accomplish almost everything that one needs to do with a database [53]. Data Manipulation Language (DML) commands are used to retrieve and manipulate data, while Data Definition Language (DDL) statements are used to define and modify database structures. Transaction controls help manage transaction processing, ensuring that transactions are either completed or rolled back if errors or problems occur. Data Control Language (DCL) statements are security statements used to control database access as well as to create user roles and permissions [54].
2.9. Structured Query Language Injection Attack (SQLIA) Web servers must allow communication; it is in their nature. Websites often allow interaction between users and the database. Any part of a website that allows user interaction is also a potential access point for attempting a web-based attack [25]. SQLIA stands for Structured Query Language Injection Attack; this kind of attack targets interactive web applications that utilize database services. Such applications accept input from the user and then include this input in database requests, mainly SQL statements. In SQL injection, the attacker supplies user input that produces a database request different from what the application programmer intended. That is, the interpretation of the user input as part of a larger SQL statement results in a SQL statement of a different form than originally intended [55]. SQL injection occurs when an attacker exploits a vulnerability in the system that enables him/her to insert a series of SQL statements into a 'query' by manipulating the data input into an application. A typical SQLIA is shown in Figure (2.8) [56].
Figure (2.8): A Typical SQL Injection Attack [54]. The figure shows the attacker connecting through the Internet to the target web server and sending a malicious script, username = ' OR 1=1--, which the server passes on to the MySQL database.
2.9.1. Forms of Vulnerability Many vulnerabilities exist within a database driven web application that create an opportunity for an attacker to inject malicious code into the target system; however, two main types of vulnerability exist within a system, as follows [57] [58]: 1) Incorrectly filtered escape characters: This form of SQL injection occurs when user input is not filtered for escape characters and is then passed into a SQL statement, which allows an attacker to manipulate the statements performed. 2) Incorrect type handling: SQL injections based on incorrect type handling occur when an input is not checked for type constraints. In simple terms this can take place when a numeric field is to be used in a SQL statement, but the programmer makes no check to validate that the user-supplied input is numeric. 2.9.2. SQL Injection Threat Modeling SQLIA is considered one of the most destructive types of attack on any web application with a back-end database. So in order for database designers, database administrators, or any web developer to be safe from such an attack, he/she should be aware of the threat from SQLIA and fully understand its serious impact. The following is a general model of the SQL injection attack threat [59]: 1) SQL injection attacks allow attackers to become administrators of the database server. This lets the attacker steal identities, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, cause a complete exposure of all data on the system, or destroy the data or otherwise make it unavailable. 2) SQL Injection is very widespread in PHP and ASP applications due to the predominance of older functional interfaces. Moreover, because of the quality of the programmatic interfaces available, J2EE and ASP.NET applications are probably harder to exploit with SQL injection. 3) The severity of SQL Injection attacks is limited by the attacker's skill and imagination and, to a lesser extent, by defense in depth countermeasures, such as low privilege connections to the database server and so on. In general, consider SQL Injection a high impact severity. 2.9.3. Motivation of SQL Injection Attack Many reasons and intentions motivate an attacker to commit an attack using SQL injection; the following are some of them [60]: 1) Data Extraction: The attacker may commit SQLI in order to retrieve sensitive information from the back end database for further data processing and analysis. 2) Data Modification: After an attacker has read the data, the next logical step is to alter it, having gained administrative permission to add, remove, insert, modify or delete any value within the database. 3) Database Fingerprinting: In order for an attacker to successfully exploit a SQL injection vulnerability, identifying the backend database of a web application is one major step. For example, detecting the version of the database is vital for an attacker to commit his attack [61]. 4) Denial of Service: A "denial of service" (sometimes called a "distributed denial of service" or DDoS) aims to make a server unavailable by flooding it with a large number of requests, causing its resources to overload until eventually the system simply locks up and shuts down.
2.9.4. Classification of SQL Injection Attack SQLIA types are categorized depending on the method and intent of the attacker. Each type differs in terms of difficulty and the amount of time the attacker must spend for a successful SQL injection attack to breach the targeted system and obtain secret and sensitive information, to be used later for his/her personal profit or motive. Table (2.1) shows the types, intent, and method of SQL injection attacks. 2.9.4.1. Types of SQL Injection Based on Input Source There is a variety of SQL injection types based on the method of attack, or the way an attacker injects a database driven web application. Here are some methods through which SQL statements are injected into vulnerable systems by attackers [62]: 1) Injection through user input. 2) Injection through cookie fields containing attack strings. 3) Injection through server variables. 4) Second-order injection, where hidden statements are executed at another time by another function. 2.9.4.2. Types of SQL Injection Based on Technical Aspect The effect of SQL injection attacks may range from collecting critical data to manipulating information stored within the database, and from executing system-level commands to denial of service of the application. The effect also depends on the database on the target machine and the roles and privileges the SQL statement runs with. Researchers have divided injection attacks into three categories [63]: 1) First Order Attack: The attacker can easily enter a malicious string and cause the manipulated code to be executed immediately. Examples of this kind of attack include: i. Adding UNIONs to an existing statement to execute a second statement. ii. A sub query added to an existing statement. iii. Existing SQL short-circuited to bring back all the data (for example, adding a query condition such as OR 1=1). 2) Second Order Attack: The attacker injects into persistent storage (such as a table row), which is considered a trusted source. The attack is subsequently executed by another activity. 3) Lateral Injection: The attacker can manipulate the implicit function To_Char() by changing the values of the environment variables NLS_Date_Format or NLS_Numeric_Characters.
Table (2.1): Classification of SQL Injection Attacking Vector of 2010 [64].
2.9.5. Steps of Performing SQLIA An attacker or hacker goes through a series of steps in order to accomplish SQLI successfully on a database driven web based application system [63]: 1) Identifying the vulnerabilities of the targeted system. 2) Fingerprinting the backend database of the system. 3) Identifying and pulling out the data that is most appealing to the hacker. 4) When the information obtained makes it feasible, exploitation of the system is carried out (invading the OS, modification, manipulation, destruction, etc.). 2.9.6. Avoidance Strategies Against SQL Injection Attacks There are several strategies to avoid SQLIA; here is a brief explanation of them [41] [65]: 1) Reduce the attack surface: Ensure that all excess database privileges are revoked and that only those routines that are intended for end-user access are exposed. Though this does not entirely eliminate SQL injection vulnerabilities, it mitigates the impact of the attacks. 2) Avoid dynamic SQL with concatenated input: Dynamic SQL built with concatenated input values presents the easiest entry point for SQL injection. Avoid constructing dynamic SQL this way. 3) Use bind arguments: Parameterize queries by using bind arguments. Bind arguments eliminate the possibility of SQL injection and enhance performance. 4) Filter and sanitize input: Sanitizing user input can help guard against SQL injection in applications that use dynamic SQL built with concatenated input values. 5) Use a database detection and prevention system: Intrusion detection is the process of observing the events happening in a computer system or network and analyzing them for any indication of probable incidents, which compromise computer security policies, acceptable use policies, or standard security practices. An intrusion detection system (IDS) is software that automatically detects intrusions. An intrusion prevention system (IPS) is software that has the same functionality as an intrusion detection system along with the ability to stop possible incidents.
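The following added example (not code from the thesis) puts the two vulnerability forms of Section 2.9.1 next to the bind-argument countermeasure of Section 2.9.6, running both against an in-memory SQLite database with constructed sample rows. The table, the user names and the helper names are all assumptions of the example.

```python
"""Vulnerable string concatenation beside its parameterized counterpart.

Added example, not code from the thesis. Runs against an in-memory SQLite
database with constructed sample rows; all names here are hypothetical.
"""
import sqlite3


def make_db():
    """Constructed sample data: three users, one of them an admin."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "user"), ("bob", "user"), ("carol", "admin")],
    )
    return conn


def lookup_concatenated(conn, username):
    """Form 1, incorrectly filtered escape characters: the quote in the input is
    never escaped, so the input can change the structure of the statement."""
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_by_id_concatenated(conn, user_id):
    """Form 2, incorrect type handling: a numeric column compared with raw input
    that is never checked to be a number."""
    sql = f"SELECT username FROM users WHERE id = {user_id}"
    return [row[0] for row in conn.execute(sql)]


def lookup_bound(conn, username):
    """Countermeasure 3, bind arguments: the value travels separately from the
    statement text, so quotes or keywords inside it are only compared as data."""
    rows = conn.execute("SELECT username FROM users WHERE username = ?", (username,))
    return [row[0] for row in rows]


def lookup_by_id_bound(conn, user_id):
    """Countermeasure for form 2: enforce the numeric type before the value
    reaches SQL (int() raises ValueError otherwise), then bind it."""
    uid = int(user_id)
    rows = conn.execute("SELECT username FROM users WHERE id = ?", (uid,))
    return [row[0] for row in rows]


def demo():
    """Run the same inputs through the vulnerable and the hardened versions."""
    conn = make_db()
    tautology = "' OR '1'='1"  # the OR 1=1 short-circuit of Section 2.9.4.2, in quoted form
    results = {
        "concat_normal": lookup_concatenated(conn, "alice"),
        "concat_injected": lookup_concatenated(conn, tautology),   # every row comes back
        "bound_injected": lookup_bound(conn, tautology),           # no such user: empty
        "id_concat_injected": lookup_by_id_concatenated(conn, "1 OR 1=1"),
    }
    try:
        lookup_by_id_bound(conn, "1 OR 1=1")
        results["id_bound_injected"] = "executed"
    except ValueError:
        results["id_bound_injected"] = "rejected"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:20s} {value}")
```

The concatenated versions return the whole table for the injected inputs, while the bound version treats the same input as a literal user name and the type-checked version refuses it before any SQL is built.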
2.10. Secure Hash Algorithm (SHA) A cryptographic hash function is a special class of hash function that has particular properties which make it suitable for use in cryptography. It is a mathematical algorithm that maps data of arbitrary size to a bit string of a fixed size (a hash function) and is designed to also be a one-way function, that is, a function which is infeasible to invert. The only approach to reconstructing the input data from an ideal cryptographic hash function's output is to try a brute-force search of possible inputs to see if they yield a match, or to use a rainbow table of matched hashes. The input data is often called the message, and the output (the hash value or hash) is often referred to as the message digest or simply the digest. The ideal cryptographic hash function has five main properties [66]: 1) It is deterministic, so the same message always results in the same hash. 2) It is fast to compute the hash value for any given message. 3) It is impossible to generate a message from its hash value except by trying all possible messages. 4) A trivial alteration to a message should alter the hash value so extensively that the new hash value appears uncorrelated with the old hash value. 5) It is infeasible to find two different messages with the same hash value. Many information-security applications implement and use cryptographic hash functions, such as digital signatures, message authentication codes (MACs), and other forms of authentication. They can also be used as ordinary hash functions, to index data in hash tables, for fingerprinting, to detect duplicate data or uniquely identify files, and as checksums to detect accidental data corruption. In information-security contexts, cryptographic hash values are sometimes called (digital) fingerprints, checksums, or just hash values, even though all these terms stand for more general functions with rather different properties and purposes [67]. SHA was developed by the National Institute of Standards and Technology (NIST) and published as a federal information processing standard (FIPS 180) in 1993. SHA has been the most widely used hash function in recent years. Since almost every other popular hash function had been found to have significant cryptanalytic weaknesses, SHA was more or less the last remaining standardized hash algorithm until 2005. When weaknesses were discovered in SHA, now known as SHA-0, a revised version was issued as FIPS 180-1 in 1995 and is referred to as SHA-1 [26]. SHA-1 produces a hash value of 160 bits. In 2002, NIST produced a revised version of the standard, FIPS 180-2, that defined three new versions of SHA, with hash value lengths of 256, 384, and 512 bits, known as SHA-256, SHA-384, and SHA-512, respectively. Collectively, these hash algorithms are known as SHA-2. These new versions have the same underlying structure and use the same types of modular arithmetic and logical binary operations as SHA-1. In 2005, NIST announced the intention to phase out approval of SHA-1 and move to a reliance on SHA-2 by 2010 [26].
2.10.1. General Description of SHA-256 SHA-256 (secure hash algorithm, FIPS 180-2) is a cryptographic hash function with a digest length of 256 bits. It is a keyless hash function; that is, an MDC (Manipulation Detection Code). A message is processed in blocks of 512 = 16 × 32 bits, each block requiring 64 rounds.
2.10.2. Basic Operations SHA-256 uses a few basic mathematical operations, listed below [66]: 1) Boolean operations AND, XOR and OR. 2) Bitwise complement, denoted by ¯. 3) Integer addition modulo $2^{32}$, denoted by A + B. SHA-256 operates in the manner of MD4, MD5, and SHA-1. The message to be hashed is first [66]: 1) padded with its length in such a way that the result is a multiple of 512 bits long, and then 2) parsed into 512-bit message blocks $M^{(1)}, M^{(2)}, \ldots, M^{(N)}$. The message blocks are processed one at a time: beginning with a fixed initial hash value $H^{(0)}$, sequentially compute $H^{(i)} = H^{(i-1)} + C_{M^{(i)}}(H^{(i-1)})$, where C is the SHA-256 compression function and + means word-wise addition mod $2^{32}$. $H^{(N)}$ is the hash of M.
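The following added example (not code from the thesis or from the FIPS text) carries the description above through to a working SHA-256: padding, parsing into 512-bit blocks, the 64-round compression function C, and the chaining $H^{(i)} = H^{(i-1)} + C_{M^{(i)}}(H^{(i-1)})$, checked against the standard library. The round constants and initial hash value are derived with exact integer arithmetic from the fractional parts of the cube and square roots of the first primes, which is how FIPS 180-2 defines them; function names are this example's own.

```python
"""SHA-256 built from the description in Section 2.10.2 and checked against hashlib.

Added example, not code from the thesis. Round constants K and the initial hash
value H(0) are derived exactly (big-integer roots) instead of being typed in.
"""
import hashlib
import math
import struct

MASK32 = 0xFFFFFFFF


def _first_primes(count):
    primes, n = [], 2
    while len(primes) < count:
        if all(n % p for p in primes if p * p <= n):
            primes.append(n)
        n += 1
    return primes


def _icbrt(n):
    """Largest x with x**3 <= n, by integer Newton iteration from above."""
    x = 1 << ((n.bit_length() + 2) // 3)
    while True:
        y = (2 * x + n // (x * x)) // 3
        if y >= x:
            return x
        x = y


_PRIMES = _first_primes(64)
# H(0): first 32 fractional bits of sqrt(p) for the first 8 primes
H0 = [math.isqrt(p << 64) & MASK32 for p in _PRIMES[:8]]
# K: first 32 fractional bits of cbrt(p) for the first 64 primes
K = [_icbrt(p << 96) & MASK32 for p in _PRIMES]


def _rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK32


def pad(message):
    """Step 1: append 0x80, zero bytes, then the 64-bit big-endian bit length,
    so that the result is a multiple of 512 bits (64 bytes)."""
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    return padded + struct.pack(">Q", len(message) * 8)


def compress(h, block):
    """One application of C to a 512-bit block (64 rounds); returns
    H(i) = H(i-1) + C_M(i)(H(i-1)) with word-wise addition mod 2**32."""
    w = list(struct.unpack(">16L", block))
    for t in range(16, 64):  # message schedule
        s0 = _rotr(w[t - 15], 7) ^ _rotr(w[t - 15], 18) ^ (w[t - 15] >> 3)
        s1 = _rotr(w[t - 2], 17) ^ _rotr(w[t - 2], 19) ^ (w[t - 2] >> 10)
        w.append((w[t - 16] + s0 + w[t - 7] + s1) & MASK32)
    a, b, c, d, e, f, g, hh = h
    for t in range(64):
        big_s1 = _rotr(e, 6) ^ _rotr(e, 11) ^ _rotr(e, 25)
        ch = (e & f) ^ (~e & g)            # choose: f where e is 1, g where e is 0
        t1 = (hh + big_s1 + ch + K[t] + w[t]) & MASK32
        big_s0 = _rotr(a, 2) ^ _rotr(a, 13) ^ _rotr(a, 22)
        maj = (a & b) ^ (a & c) ^ (b & c)  # majority of a, b, c
        t2 = (big_s0 + maj) & MASK32
        hh, g, f, e = g, f, e, (d + t1) & MASK32
        d, c, b, a = c, b, a, (t1 + t2) & MASK32
    return [(x + y) & MASK32 for x, y in zip(h, (a, b, c, d, e, f, g, hh))]


def sha256(message):
    """Step 2 and the chaining: parse the padded message into 64-byte blocks
    M(1)..M(N) and fold them through compress(), starting from H(0)."""
    h = list(H0)
    padded = pad(message)
    for i in range(0, len(padded), 64):
        h = compress(h, padded[i:i + 64])
    return "".join(f"{word:08x}" for word in h)


def matches_hashlib(message):
    """Cross-check this implementation against the standard library."""
    return sha256(message) == hashlib.sha256(message).hexdigest()


if __name__ == "__main__":
    print(sha256(b"abc"), matches_hashlib(b"abc"))
```

The padding step is what makes a message of exactly 56 bytes occupy two blocks: after the mandatory 0x80 byte there is no room left for the 8-byte length, so a whole extra block of zeros is appended.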
2.11. Introduction to iptables in Shell Script Programming A shell is a program that interprets commands and allows a user to execute commands by typing them manually at a terminal, or automatically in programs called shell scripts. A shell is not an operating system; it is a way to interface with the operating system and run commands [68]. iptables is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a number of built-in chains and may contain user-defined chains. Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches. This is called a 'target', which may be a jump to a user-defined chain in the same table [69]. In this thesis, iptables was used to prevent the intruder from accessing the system again by blocking his/her IP address. The following example shows how iptables is used to block the IP address passed to the script as its first argument:
#!/bin/bash
# Block the IP address given as the first argument by appending a DROP rule to the INPUT chain.
[ -n "$1" ] || { echo "Usage: $0 <ip-address>" >&2; exit 1; }
iptables -A INPUT -s "$1" -j DROP
echo "Your IP Address $1 is Blocked"
Chapter Three The Proposed DB Intrusion Detection System
3.1. Introduction The era of the internet and web applications has placed its users in a critical situation with respect to security compromises and threats. SQL Injection is considered one of the most dangerous and effective attacks among the various types of security attack, with respect to the ease of exploitation and the severity of its impact depending on the proficiency of the attacker. The popularity of web applications makes this threat even more serious, since behind every web application is a core database that stores sensitive information, and the exposure of such information leads to the loss of confidentiality and affects the integrity of the whole system. A Database Intrusion Detection System (DIDS) is offered to defend database systems against security attacks, especially SQLIA. There are many approaches to database intrusion detection systems. In this chapter, the proposed detection system is explained in broad theoretical terms. The proposed Database Intrusion Detection System uses a new technique for detection and prevention, employing a signature-based method to detect external intrusion attempts during the SQLIA detection process. After the detection process, the system prevents the attacker from accessing the website again, hence it works as a database intrusion prevention system too. The general architecture of the proposed system is presented with a broad explanation of the steps performed in creating the proposed DIDS, along with related flowcharts.
3.2. The Proposed Database Intrusion Detection System
As stated in the previous chapter, many approaches and techniques can be used to build a database intrusion detection system, each with its own advantages and disadvantages in terms of adequacy and performance. In the proposed database intrusion detection and prevention system, detection is done in two stages: an offline stage and an online stage. The Java programming language is used in both stages. Figure (3.1) shows the general architecture of the proposed database intrusion detection and prevention system. In the offline stage, the safe keywords of all the queries used by the website are extracted and signed using the SHA-256 algorithm. The signed keywords are then stored in a text file for later comparison with the output of the online stage. The online stage includes two programs. The first is the detection program, written in Java. Using the same process as the first stage, the keywords of the query submitted by the external user are extracted and signed with SHA-256 to create a signature, which is then compared with the signatures stored in the text file from the previous stage. If a match is found, the system lets the query pass, classifies the input as a safe transaction and recognizes the user as an authorized user. If no match is found, the system classifies the input query as malicious and the user as an attacker. At this point, after the SQLIA has been detected, the system uses the second program, an intrusion prevention program written as a shell script, to prohibit the attacker from any future attempt at SQL injection. Prevention is done by storing the attacker's IP address in a text file; another shell script program then blocks this IP address and prevents any request coming from it from sending transactions to the database system.

Figure (3.1): General Architecture of the Proposed System. (The figure shows the DIDS with two lanes. OFF LINE: extract the SQL query from the web page, extract the SQL keywords from the query, sign the extracted keywords with SHA-256, and store the valid signatures in a text file for later comparison. ON LINE: take the SQL query from the input of a legal user (possible attacker), extract the SQL keywords, sign them with SHA-256 and compare the calculated hash with the safe signatures from the text file. Match found, YES (true): the transaction is safe and the query is allowed to access the database. NO (false): a SQL injection attack is detected, the query is rejected, the IP is obtained and the IP is blocked in the prevention process.)
3.2.1. Offline phase (building query profiler)
The proposed approach to database intrusion detection is based on misuse detection, i.e. signature-based detection. This technique is used to detect an external SQL injection attack that attempts to compromise the security of the target system by finding a hole in the security policy of the web application; by taking advantage of a vulnerability that exists within the system, the attacker is able to breach the system and commit his/her attack. Typically a signature-based database intrusion detection system only detects known intrusions, i.e. the technique is specific to known signatures and cannot distinguish unknown attacks. The proposed approach, however, applies signature-based detection in a way that not only detects known intrusions but is also capable of detecting novel attacks. This is made possible by applying a white list technique instead of a black list technique; this aspect is explained in detail later. The main aim of this phase is to create a query profile of safe signatures for the website. The extraction process extracts the SQL keywords from all the queries the website uses to communicate with the backend database. The extracted keywords of each single query in the website are then given a unique signature, produced by signing the extracted keywords with the Secure Hash Algorithm (SHA-256). A text file named (QuerySignature.txt) is created to store all the produced signatures of safe queries; by storing the signatures in this file, a white list of safe signatures is created, which is later compared with the input from the front-end user of the web application. The difference between the white list and black list techniques is that the white list method builds a list of safe signatures, whereas the black list technique uses a profile of known malicious signatures in the intrusion detection process. The black list technique is difficult to apply because it is impossible to keep track of every new attack crafted in the world, and the administrator would have to update the profile periodically to add new attack signatures, which is not feasible. Hence the white list method is better in terms of efficiency and accuracy, with the ability to catch novel attacks.
3.2.1.1. Query Keyword Extraction Process
The query keyword extraction process extracts the SQL keywords from each SQL query integrated within the website and eliminates all the other words in the query. By extracting special characters from the queries, what is meant is extracting special keywords such as (SELECT, WHERE, OR, etc.). A program written in Java and packaged as a JAR file extracts all the special keywords from the queries used within the site. This program eliminates all unneeded words (table names, column names, etc.) and keeps only the special ones, the SQL keywords. The extracted keywords are used for signature creation in the next step. The following example is the SQL query used for login validation on the first page of the website:

$Query= " select * from user where username = '$ID' and password = '$Password' "

The Java program named (Query_Signature_SHA.java) analyzes the query and extracts the special SQL keywords as follows:
First Step: If the input query contains upper-case letters, the program converts it to lower case, so that any upper-case letters fed into the program as part of the query are ignored.
Second Step: The query is sent to a method that tokenizes the query string. Tokenizing means splitting the input query into separate words around a given string delimiter; here the words of the query are separated using the white space (" ") delimiter, i.e. the query is split into its words at each white space. The method returns an array of strings computed by splitting the query string around matches of the given delimiter. Figure (3.2) shows the SQL keyword extraction process.
Third Step: In this step the keyword extraction itself is launched. The array of separated words from the previous step is compared with the array of special SQL keywords held in an array named (keywords[ ]). Whenever a match is found, the program extracts that SQL keyword for use in the signing step that follows. The extraction process is illustrated in Figure (3.2):

Figure (3.2): The extraction process of special SQL keywords. (The figure shows the tokens of the login query; the non-keyword tokens user, username, '$ID', password and '$password' are discarded and the remaining SQL keywords form the output.)
As the diagram shows, the SQL keywords extracted from the input query are ( select*fromwhere=and= ).
3.2.1.2. Signature Creation Process
The output of the previous step is sent to the signing process. The extracted SQL keywords are signed using the Secure Hash Algorithm (SHA-256) to give them a unique signature; this signature is the signature of the input query provided to the Java program (Query_Signature_SHA.java). For the previous example, a signature for the input validation SQL query is calculated and then stored in the text file (QuerySignature.txt). This file contains the signatures of all the SQL queries extracted from the web application. The SHA-256 signature of the keywords extracted from the example above ( select*fromwhere=and= ) is: 94484996be2c29fe781c3caff9b81f600eff13a671b983cf8cd038af5e52df63
Figure (3.3) to Figure (3.5) show the execution of the offline phase program in a Linux terminal. The program first asks the administrator for the number of queries he/she wants to sign; here the administrator replied (one). It then asks him/her to input the query to be signed, and in this example the administrator entered the input validation query from the login page of the website, as shown in Figure (3.3), in order to sign it using the SHA-256 algorithm.
Figure (3.3): Executing Create_Signature_SHA.java program from terminal.
Figure (3.4): Providing the query to give it a unique signature.
After entering the desired query for signing, the program outputs the results shown in the figure below:
Figure (3.5): Output of the (Create_Signature_SHA) program from offline stage
Figure (3.6) reveals the content of the query profile (QuerySignature.txt) of safe signatures created from the SQL keywords extracted from each query within the proposed system.
Figure (3.6): Content of QUERYPROFILE.TXT that includes signatures of safe queries.
The flowchart for producing the above signatures by hashing the keywords extracted from a specified query with the Secure Hash Algorithm (SHA-256) is given in Figure (3.7).

Figure (3.7): Flowchart for creating query signatures, where n = maximum number of queries and i = 1, 2, 3 ... n. (START; set i = 0; input query; extract SQL keywords; sign SQL keywords with SHA-256; save the signature in QuerySignature.txt; i = i + 1; if i = n then END, otherwise repeat from input query.)
The main objective of the offline phase is to create a white list of safe signatures, which is essential for the next phase of the program (the online phase). As stated earlier, the detection program compares the contents of the (QuerySignature.txt) file with the signature produced from the input query fed to the website by a user (possible attacker) in the online phase. The comparison procedure is launched in order to classify the input: either it is malicious and the request is stopped, or it is authorized as a benign transaction and allowed to access the backend database.
3.2.2. Online phase (Detection and Prevention)
This phase consists of two processes (programs), each with a different role. The first is used to detect intrusions in the user's input query, i.e. to classify input queries as valid or invalid. The online database intrusion detection and prevention system is designed to detect external SQL injection attacks whenever they occur by adopting the white list technique to detect intrusion attempts against the protected database. After the detection program detects a SQLI attack attempt, the second process (program) is invoked; it acts as a Database Intrusion Prevention System (DIPS). The system reacts to the attack immediately: it stops the ongoing attack by cancelling the malicious transaction performed by the attacker with the SQLI technique before it reaches the database, and the DIPS then prevents the attacker from attempting to breach the website again. Figure (3.8) shows the flowchart of the online phase of the proposed system, and the following sub-sections give the details of this phase.
Figure (3.8): A flowchart for the online detection and prevention processes. (START; input query; extract SQL keywords; sign the SQL keywords with SHA-256 and compare with the signatures in QuerySignature.txt; match found, YES: allow the query to access the backend DB; NO: the query is rejected, the attacker's IP address is obtained and the IP address is blocked; END.)
3.2.2.1. Detection process
The detection process is performed by a program written in Java and converted to an executable JAR file that is integrated in the PHP website. This JAR file (QuerySignature_Comp.JAR) performs the following steps:
1) Keyword Extraction: It takes the input query from the front-end user, who may be motivated (financially or personally) to commit a SQL injection attack on the web application, and analyzes it with the same keyword extraction process used in the offline phase. All the keywords in the supplied input query are extracted for processing by the next step.
2) Signature creation: The keywords extracted in the previous step are signed (hashed) with the Secure Hash Algorithm (SHA-256) to obtain a unique signature.
3) Comparison: The produced signature then goes through a comparison procedure: it is compared with the white list of website query signatures stored in the profile of safe signatures (QuerySignature.txt) that was built earlier in the offline phase.
4) Classification and Decision: The input query is classified as a SQL injection attack or as a safe transaction based on the result of comparing the signature crafted from the input query with the signatures stored in (QuerySignature.txt) from the offline phase. There are two cases, a match (True) or no match (False):
i. TRUE: If the detection program finds a match within the signatures of the safe query profile (QuerySignature.txt), the system classifies the input as a valid request and authorizes the user to access the database.
ii. FALSE: If the comparison evaluates to false, no match was found between the input signature and the safe profile signatures, so the DIDS classifies the input as a SQL injection attack and the user as an attacker with anomalous goals trying to gain unauthorized access to the website and the resources it relies on. At this point the DIDS applies the preventive measures explained later.
Figure (3.9) shows how the Query_Signature_Com.JAR program was inserted into the PHP code. This program must be invoked before any SQL query that tries to access the backend database system is executed by the PHP code.
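The offline profile building of section 3.2.1 and the online comparison of section 3.2.2.1 share the same extraction and signing steps. The following is an added Python example of that procedure, not the thesis's Java programs (Query_Signature_SHA.java, QuerySignature_Comp.JAR); the keyword list, the function names and the sample credentials are assumptions made here.

```python
import hashlib
from typing import Iterable, Set

# Constructed stand-in for the keywords[] array of Query_Signature_SHA.java.
# The thesis names only examples (SELECT, WHERE, OR, ...) and Figure (3.2)
# shows '*' and '=' being kept, so this exact list is an assumption.
SQL_KEYWORDS = {
    "select", "insert", "update", "delete", "drop", "from", "where", "and",
    "or", "not", "union", "order", "by", "group", "having", "limit", "into",
    "values", "set", "like", "in", "*", "=", "<", ">", "<>", "!=", ";",
    "--", "#", "/*", "*/",
}


def extract_keywords(query: str) -> str:
    """Steps 1-3 of section 3.2.1.1: lower-case the query, tokenize on white
    space and keep, in order, only the tokens found in the keyword list."""
    tokens = query.lower().split()
    return "".join(tok for tok in tokens if tok in SQL_KEYWORDS)


def sign(keywords: str) -> str:
    """Section 3.2.1.2: the SHA-256 hex digest of the keyword string."""
    return hashlib.sha256(keywords.encode("utf-8")).hexdigest()


def build_profile(queries: Iterable[str]) -> Set[str]:
    """Offline phase (Figure 3.7): one signature per query template."""
    return {sign(extract_keywords(q)) for q in queries}


def save_profile(profile: Set[str], path: str) -> None:
    """Write the white list one signature per line (QuerySignature.txt)."""
    with open(path, "w", encoding="utf-8") as fh:
        for signature in sorted(profile):
            fh.write(signature + "\n")


def load_profile(path: str) -> Set[str]:
    """Read QuerySignature.txt back for the online phase."""
    with open(path, encoding="utf-8") as fh:
        return {line.strip() for line in fh if line.strip()}


def is_safe(query: str, profile: Set[str]) -> bool:
    """Online phase (section 3.2.2.1): the submitted query is safe only when
    its signature matches a white-listed one; anything else is SQLIA.
    Note: a literal containing white space plus a keyword (password 'a or b')
    also changes the token sequence and is therefore rejected as well."""
    return sign(extract_keywords(query)) in profile


# Constructed sample: the login query template from section 3.2.1.1 and the
# way the website fills it in at run time (the string interpolation is the
# very construction the DIDS is meant to guard).
LOGIN_TEMPLATE = "select * from user where username = '$ID' and password = '$Password'"


def login_query(username: str, password: str) -> str:
    return LOGIN_TEMPLATE.replace("$ID", username).replace("$Password", password)


if __name__ == "__main__":
    profile = build_profile([LOGIN_TEMPLATE])
    print("keywords :", extract_keywords(LOGIN_TEMPLATE))
    print("signature:", sign(extract_keywords(LOGIN_TEMPLATE)))
    for user, pw in [("alice", "s3cret"), ("admin' OR '1'='1", "x")]:
        q = login_query(user, pw)
        print("ALLOW" if is_safe(q, profile) else "REJECT", "->", q)
```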
The proposed DIDS is integrated within the PHP code and positioned before the authentication process, to prevent any malicious code from entering the system.
Figure (3.9): The Query_Signature_Com.JAR file inserted into the PHP code. (The annotations in the figure read: input query from the login page; calling the JAR file for signature comparison; if a match is not found then reject the query; getting the IP address of the attacker; adding the IP of the attacker to BlockIP.txt to block his IP; authentication process to check user credentials.)
3.2.2.2. Prevention Process
The database intrusion detection system detects intrusions in real time, so the prevention process is activated as soon as the DIDS classifies the input as a SQL injection attack. This prevention process gives the DIDS the strong capability of initiating an active response after detection. It reacts to the SQL injection attack actively: the DIDS acts instantly against the current attack, stopping it by denying its unauthorized request to access the database. After stopping the attack, the program practices an avoidance strategy by blocking the attacker, preventing him/her from accessing the website again and eliminating the threat to the confidentiality and integrity of the database. The prevention process consists of two programs written in shell script on Linux. The prevention procedure goes through the following stages:
1) The first program is invoked after the system has classified the user input as an intrusion; as explained in the preceding pages, the prevention program is activated right after the DIDS detects a SQL injection attack. This program takes the IP address of the attacker and stores it in a text file called block.txt.
2) The second prevention program runs every 30 seconds and reads the contents of the block.txt file. It then blocks all the IPs saved in this file and prevents them from accessing the system again. This is done by packet filtering, performed with the iptables command in Linux, so the prevention program works like a firewall and prevents the intruder from accessing the website again based on his IP address.
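An added example of the two-stage prevention process just described, written in Python rather than the thesis's shell scripts, with one check that is not in the thesis: the value written to block.txt must parse as an IP address before it is ever handed to iptables. The function names, the injectable run parameter and the sample addresses are assumptions made here.

```python
import ipaddress
import subprocess
import time
from pathlib import Path
from typing import Iterable, List, Optional, Set

# File name used by the thesis's first prevention program.
BLOCK_FILE = Path("block.txt")


def normalise_ip(value: str) -> Optional[str]:
    """Added check (not in the thesis): accept only a literal IPv4/IPv6
    address, so nothing but an address can reach the iptables argv."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return None


def add_to_block_list(entries: List[str], ip: str) -> List[str]:
    """Pure form of program 1: append the attacker's address unless it is
    invalid or already listed."""
    addr = normalise_ip(ip)
    if addr is None or addr in entries:
        return list(entries)
    return list(entries) + [addr]


def read_block_list(block_file: Path = BLOCK_FILE) -> List[str]:
    """Contents of block.txt, one address per line, blank lines ignored."""
    if not block_file.exists():
        return []
    lines = block_file.read_text(encoding="utf-8").splitlines()
    return [ln.strip() for ln in lines if ln.strip()]


def record_attacker(ip: str, block_file: Path = BLOCK_FILE) -> None:
    """Program 1: called right after the DIDS detects a SQLIA."""
    entries = add_to_block_list(read_block_list(block_file), ip)
    block_file.write_text("".join(e + "\n" for e in entries), encoding="utf-8")


def iptables_rules(entries: Iterable[str],
                   already_blocked: Iterable[str] = ()) -> List[List[str]]:
    """Program 2: one DROP rule per new address, mirroring the Chapter 2
    script 'iptables -A INPUT -s <ip> -j DROP'. Built as argv lists (no
    shell), skipping invalid entries and addresses handled in an earlier
    pass so the INPUT chain is not filled with duplicate rules."""
    rules: List[List[str]] = []
    seen: Set[str] = set(already_blocked)
    for entry in entries:
        addr = normalise_ip(entry)
        if addr is None or addr in seen:
            continue
        seen.add(addr)
        tool = "iptables" if ipaddress.ip_address(addr).version == 4 else "ip6tables"
        rules.append([tool, "-A", "INPUT", "-s", addr, "-j", "DROP"])
    return rules


def blocker_loop(block_file: Path = BLOCK_FILE, interval: float = 30.0,
                 passes: Optional[int] = None, run=subprocess.run) -> Set[str]:
    """Program 2's polling loop (every 30 s in the thesis). `run` is
    injectable so the loop can be exercised without root; the default
    really executes iptables. Returns the addresses blocked so far."""
    blocked: Set[str] = set()
    done = 0
    while passes is None or done < passes:
        for argv in iptables_rules(read_block_list(block_file), blocked):
            run(argv, check=True)
            blocked.add(argv[4])
        done += 1
        if passes is None or done < passes:
            time.sleep(interval)
    return blocked


if __name__ == "__main__":
    # Dry run over a constructed block list: print the rules instead of
    # executing them.
    demo = Path("block_demo.txt")
    demo.write_text("")
    for ip in ["192.168.1.50", "not-an-ip", "192.168.1.50"]:
        record_attacker(ip, demo)
    print(blocker_loop(demo, interval=0, passes=1,
                       run=lambda argv, **kw: print(" ".join(argv))))
    demo.unlink()
```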
Chapter Four Performance Analysis of the proposed DIDS
4.1. Introduction
The experiments for the proposed system were performed on a notebook with a Core i7 2.4-GHz CPU and 8 GB of memory, with the Apache_2.4.10 HTTP web server and MySQL-5.0.12 server installed under the Linux-Debian-8.3 operating system. To prove the accuracy of the presented DIDS, the system was tested using two techniques. The traditional technique consists of malicious input supplied by the user in various attempts to bypass the login authentication using SQLI attack techniques. The second technique for testing the detection system used the SQLMAP project. Both tests showed that the proposed system is functional, achieved high performance with respect to accuracy, integrity and completeness, and scored a minimum response time. The Employee Attendance System website was used in the experiments: (AttSytem) is the name of the website without the proposed protection system, while (AttSytem1) is the name of the website that includes the proposed Database Intrusion Detection System deployed to protect the backend database against SQLI attacks.
4.2. Test Proposed DIDS using Traditional Way
The first test of the proposed system is a traditional test, done by supplying malicious input for SQL injection such as OR '1' = '1'. Figure (4.1) and Figure (4.2) show that the SQL injection was successful and the malicious user can access the non-protected website (AttSytem) using a fake username and password. In contrast, Figure (4.3) and Figure (4.4) show that the malicious user cannot access the protected website (AttSytem1): the system detected the SQL injection attack attempt and gave an alert to the administrator about this malicious act.
Figure (4.1): Malicious attempt to access the non-protected website.
Figure (4.2): Malicious access to the non-protected website.
Figure (4.3): Malicious user tries to access the protected website.
Figure (4.4): Attacker failed to breach the system.
4.3. Test Proposed DIDS Performance using SQLMAP
SQLMAP is an open source, Python-based penetration testing tool that automates the detection and exploitation of SQL injection flaws and the taking over of database servers. It has a strong detection engine that can easily detect and exploit the vulnerabilities existing within any database-driven web application. The software is downloaded from (http://sqlmap.org/) or can be found at the following link (https://github.com/sqlmapproject/sqlmap) [70]. Therefore, the second test of the proposed system was implemented with the sqlmapproject package.
4.3.1. Test the Non-Protected System Using SQLMAP
At the beginning, the SQLMAP tool was used to attack the website before protection (the AttSytem website). The URL parameters of the non-protected website, including the website domain (192.168.1.108) and the website name (AttSytem/connectivity1.php), are given to the SQLMAP tool, and SQLMAP tries to access the non-protected website. Figure (4.5) shows how the SQLMAP tool tries to attack the non-protected website.
Figure (4.5): SQLMAP project attempt to hack the non-protected website.
From Figure (4.6) it can be seen that the SQLMAP project tool hacked the non-protected website system with a total of 15366 HTTP requests, and the time it needed to accomplish this successful attack was about 361.0 seconds.
In addition, it can be seen that the operating system type, the web server version and the MySQL server version were extracted.
Figure (4.6): SQLMAP project hacked the non-protected website.
The above figure shows how the SQLMAP tool was able to obtain critical information about the target system. After only (15366) requests it was able to obtain the operating system version, the web server version and the MySQL version. Figure (4.7) and Figure (4.8) show how the SQLMAP tool extracts the database name (attendance_system).
Figure (4.7): SQLMAP project tries to extract the database name.
Figure (4.8): SQLMAP project gained the database name.
After extracting the database name, it can be passed as a parameter to SQLMAP in order to extract more information about the database. Figure (4.9) and Figure (4.10) show how the USER table of the attendance_system database was hacked and all its contents extracted.
Figure (4.9): SQLMAP project tries to gain the table names of the backend DB.
Figure (4.10): SQLMAP was successful in gaining the name of the table USER and its contents.
4.3.2. Test the Proposed DIDS Using SQLMAP
In this section, the proposed DIDS was tested using the SQLMAP tool. Figure (4.11) shows how the SQLMAP tool tries to access the website (AttSytem1) protected by the proposed DIDS, with the same level and risk settings used for the non-protected system. Figure (4.12) and Figure (4.13) show that the SQLMAP tool failed in its attempts to hack the protected system, demonstrating that the attacking tools of SQLMAP were unable to access the protected website; it was confirmed that the target system is not injectable. The proposed system checks all the request queries used by the attacking tool and prevents them from accessing the database system. In this test the SQLMAP tool used about 240000 HTTP requests with a total time of 6137.0 seconds.
Figure (4.11): SQLMAP attempt to breach the protected system.
Figure (4.12): SQLMAP failing in its attempts to hack the protected system.
Figure (4.13): SQLMAP project fails to inject the protected website.
Figure (4.14) shows the number of HTTP requests used by the SQLMAP tool against the non-protected and the protected website.
Figure (4.14): SQLMAP requests used to attack the non-protected and protected website.
4.4. Calculating Average Access Time
To measure the effect of the proposed DIDS on the efficiency of the protected website, the Web Application Performance Tool (WAPT) was used. This application was used to evaluate the difference in the average response time of the website before and after deploying the proposed DIDS.
4.4.1. Web application performance tool
A web application performance tool (WAPT) is used to test web applications and web-related interfaces. WAPT simulates virtual users that repeat either recorded URLs or a specified URL, and lets the tester specify the number of times (iterations) the virtual users repeat the recorded URLs [71].
The WAPT tool was used to measure the average access time of the website before deploying the proposed database intrusion detection system, and again after deploying the DIDS. The difference in access time between the two systems, before and after protection, gives the overhead introduced by the proposed DIDS once it is integrated within the database-driven web application. The scenarios created for each test are the same: twenty (20) virtual users were created in the WAPT tool, and about five hundred (500) sessions were repeated by these virtual users in order to produce a reliable test result, as shown in Figure (4.15).
Figure (4.15): WAPT tool window showing the specified testing scenario.
4.4.1.1. Performance before protection
Using the WAPT tool, the response time of the website was measured before protection, and from Table (4.1) it can be seen that the average response time is (0.03) second.
Table (4.1): Response time per second for the non-protected website (profile: AttSytem).
Time intervals: 0:00:00-0:00:24, 0:00:24-0:00:54, 0:00:54-0:01:18, 0:01:18-0:01:42, 0:01:42-0:02:06, 0:02:06-0:02:30, 0:02:30-0:02:54, 0:02:54-0:03:18, 0:03:18-0:03:42, 0:03:42-0:04:00.
Number of sessions per interval: 58, 73, 52, 54, 54, 57, 48, 45, 53, 6 (total 500).
Avg. response time per interval (seconds): 0.05, 0.02, 0.01, 0.01, 0.01, 0.01, 0.06, 0.09, 0.04, 0.03 (overall average 0.03).
4.4.1.2. Performance after Protection
As before, the WAPT tool computed the average response time for the protected system; from Table (4.2) it can be seen that the average response time is (1.64) second.
Table (4.2): Average response time per second for the protected website (profile: AttSytem1).
Time intervals: 0:00:00-0:00:24, 0:00:24-0:00:54, 0:00:54-0:01:18, 0:01:18-0:01:42, 0:01:42-0:02:06, 0:02:06-0:02:30, 0:02:30-0:02:54, 0:02:54-0:03:18, 0:03:18-0:03:42, 0:03:42-0:04:00.
Number of sessions per interval: 47, 42, 61, 48, 56, 45, 51, 63, 43, 44 (total 500).
Avg. response time per interval (seconds): 2.1, 1.70, 1.54, 1.89, 1.69, 1.73, 1.47, 1.17, 1.58, 1.51 (overall average 1.64).
4.4.2. Comparison of test results
After putting both the non-protected and the protected system (AttSytem, AttSytem1) under performance tests with the WAPT tool, their results are compared. Average response time is the most important characteristic affecting the performance of a web application, so a comparison was made between the test results of both systems to see how this property changed after integrating the proposed DIDS within the system. As shown in Figure (4.17), the average access time was affected slightly, by only (1.61) second, which is insignificant.
Figure (4.16): Average response time for all 500 sessions of the 20 users for the protected and non-protected system. (Bar chart; y-axis: time in seconds from 0 to 2.1; bars for the Non-Protected System and the Protected System.)
Figure (4.17): Average response time for the protected and non-protected system. (Bar chart; y-axis: time in seconds from 0 to 1.8; bars for the non-protected system and the protected system.)
4.5. Experimental Results Analysis
The experimental results can be analyzed according to two factors: the detection process and the website response time. Regarding the detection process, the implementations of both the traditional and the SQLMAP tool attacks on the non-protected and the protected system show that the proposed Database Intrusion Detection System (DIDS) was able to detect all the intrusions that used SQL injection attacks to access the system, and that it can protect the website and the database system with good performance and high efficiency, without raising any false alarms. Regarding the website response time, the tests of the average response time in the protected and the non-protected system show that the protected website responds a little more slowly than the non-protected website; this difference does not affect the system's performance because it is a short period of time (a few seconds). This is because all the designed programs (JAR files, shell script files and text files) used in the proposed DIDS are hosted and saved in the same location (the website folder) on the web server, so when the system needs to access these programs it does not need additional processing time.
Chapter Five Conclusions and Future Work
5.1. Conclusion
In this thesis, a new technique was proposed for a database intrusion detection system. Details of the design and implementation have been presented, and the implementation and analysis performed on the proposed DIDS offered an opportunity to draw some conclusions from the performance tests carried out for both the non-protected and the protected scenario. The following important points are concluded:
1) The proposed system works in real time as an online detection system to detect and prevent SQL injection attacks.
2) It can detect SQL injection attacks effectively and prevent the attackers from accessing the website again.
3) Experimental results show that the proposed system solution is feasible in terms of efficiency and completeness.
4) The effect on the website response time is trivial when the proposed system is used.
5) The proposed system achieved a high detection rate, since it is capable of detecting all kinds of SQL injection attacks. Hence, no false alarm was raised by the system, and this proves the accuracy of the presented DIDS.
6) Even though the proposed DIDS uses the misuse detection method to detect intrusions, it is capable of detecting unknown intrusions too.
5.2. Future Work
The following suggestions can be taken into consideration for future research work:
1) This system can be developed to protect websites from internal attacks; this can be done by extracting database-user behaviour from the user log file and building the intrusion detection system using data mining or neural network techniques and expert system methods.
2) The detection system can be extended to detect other web application attacks such as Cross-Site Scripting (XSS), brute force attacks and other attack types.
Bibliography
[1] Puspendra Kumar and RK Pateriya (2012), "A survey on SQL injection attacks, detection and prevention techniques", in Computing Communication & Networking Technologies (ICCCNT), 2012 Third International Conference on, IEEE.
[2] OWASP, "Threat agent", last modified: 06/20/2008; last access date: 14/3/2017. Available from: https://www.owasp.org/index.php/Threat_agent_template
[3] Rain Forest Puppy (1998), "NT Web Technology Vulnerabilities", Phrack Magazine, vol. 8, issue 56, 8 of 12, last access date: 14/3/2017, ISSN: 1068-1035. Available from: http://phrack.org/issues/54/8.html
[4] Justin Clarke-Salt (2009), "SQL injection attacks and defense", Elsevier, H. Scherer Series, pp. 761, ISBN: 1597499730.
[5] Jim Conallen (1999), "Modeling Web application architectures with UML", Communications of the ACM, vol. 42, issue 10, pp. 63-70, ISSN: 0001-0782.
[6] Alex Homer, J.D. Meier and David Hill (2009), "Layers and Tiers", Microsoft Application Architecture Guide, 2nd Edition, chapter 9, Microsoft Corporation Series, ISBN: 9780735627109.
[7] Dafydd Stuttard and Marcus Pinto (2011), "The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws", John Wiley & Sons, ISBN: 1118175247.
[8] Raghu Ramakrishnan and Johannes Gehrke (2000), "Database management systems", McGraw-Hill, ISBN: 0072322063.
[9] Hua Wang (2012), "Security and privacy for database systems", in Proceedings of the Twenty-Third Australasian Database Conference, Volume 124, Melbourne, Australia: Australian Computer Society, Inc., pp. 5-6.
[10] Mohammad M Javidi, Mina Sohrabi and Marjan Kuchaki Rafsanjani (2010), "Intrusion detection in database systems", Communication and Networking, Springer Series, pp. 93-101, ISBN: 3642176038.
[11] Victor CS Lee, John A Stankovic and Sang Hyuk Son (2000), "Intrusion detection in real-time database systems via time signatures", in Real-Time Technology and Applications Symposium, Proceedings, Sixth IEEE, ISBN: 0769507131.
[12] Sin Yeung Lee, Wai Lup Low and Pei Yuen Wong (2002), "Learning fingerprints for a database intrusion detection system", in European Symposium on Research in Computer Security, Proceedings, Zurich, Switzerland: Springer, ISBN: 3-540-44345-2.
[13] Asankhaya Sharma (2007), "DIDAR–Database Intrusion Detection with Automated Recovery", Department of Computer Science and Engineering, National Institute of Technology, Warangal (A.P.), India, advisor: P.D. Somayajulu, pp. 51.
[14] Konstantinos Kemalis and Theodores Tzouramanis (2008), "SQL-IDS: a specification-based approach for SQL-injection detection", in Proceedings of the 2008 ACM symposium on Applied computing, ACM, ISBN: 978-1-595937536, DOI: 10.1145/1363686.1364201.
[15] Shaukat Ali, SK Shahzad and Huma Javed (2009), "Sqlipa: An authentication mechanism against sql injection", European Journal of Scientific Research, vol. 38, issue 4, pp. 604-611, ISSN: 1450-216X.
[16] S Fouzul Hidhaya and Angelina Geetha (2012), "Intrusion Protection against SQL Injection Attacks Using a Reverse Proxy", SIPM, FCST, ITCA, WSE, ACSIT, CS & IT, vol. 6, pp. 129-144, ISSN: 2278-0661.
[17] Kirti Randhe and Vishal Mogal (2014), "Defense against SQL Injection and Cross Site Scripting Vulnerabilities", International Journal of Science and Research (IJSR), vol. 3, issue 11, ISSN: 2319-7064.
[18] Punit Mehta, Jigar Sharda and Manik Lal Das (2015), "SQLshield: Preventing SQL Injection Attacks by Modifying User Input Data", in International Conference on Information Systems Security, Springer, Cham, ISBN: 978-3-319-26960-3.
[19] R Latha and E Ramaraj (2015), "SQL Injection Detection Based On Replacing The SQL Query Parameter Values", International Journal Of Engineering And Computer Science, vol. 4, issue 8, pp. 13786-13790, ISSN: 2319-7242.
[20] Dhanashree Parchand and HK Khanuja (2015), "Framework to Detect Malicious Transactions in Database System", International Journal of Computer Applications, vol. 110, issue 2, ISSN: 0975-8887.
[19] R Latha and E Ramaraj, (2015) "SQL Injection Detection Based On Replacing The SQL Query Parameter Values", International Journal Of Engineering And Computer Science,vol.4, issue.8, pp.13786-13790, ISSN:2319-7242. [20] Dhanashree Parchand and HK Khanuja, (2015) "Framework to Detect Malicious Transactions in Database System", International Journal of Computer Applications,vol.110, issue.2, ISSN: 0975-8887
[21] Samih Souissi, (2015) "Toward a novel classification-based attack detection and response architecture". in 6th International Conference on the Network of the Future (NOF). IEEE, ISBN: 978-1-4673-8387-5 [22] Debabrata Kar, Suvasini Panigrahi, and Srikanth Sundararajan, (2015) "SQLiDDS: SQL injection detection using query transformation and document similarity". in International Conference on Distributed Computing and Internet Technology. Springer,cham. pp.377-390 ,ISBN: 978-3-319-14976-9 [23] Jeffrey Carr, (2011) "Inside cyber warfare: Mapping the cyber underworld", " O'Reilly Media, Inc.", ISBN: 1449310044 [24] Nikita Gupta and Lalit Sen Sharma, (2016) "A study on SQL Injection Attack and its Prevention Measures at Database Management Level", International Journal of Modern Computer Science (IJMCS),vol.4, issue.3, ISNN: 2320-7868 [25] William Chuck Easttom II,(2016) "Computer security fundamentals, Pearson IT Certification", ISBN: 0134470583 [26] William Stallings, (2011) "Cryptography and network security: principles and practices", Pearson Education India, pp.680. ISBN: 8177587749 [27] Barbara Guttman and Edward A Roback, (1995) "An introduction to computer security: the NIST handbook", DIANE Publishing, Series, ISBN: 0788128302. [28] Douglas Jacobson and Joseph Idziorek, (2016) "Computer Security Literacy: Staying Safe in a Digital World" , CRC Press, ISBN: 1439856192. [29] Gary Stoneburner, Alice Y Goguen, and Alexis Feringa, (2002) "Sp 800-30. Risk management guide for information technology systems" [30] Evan Wheeler,(2011) "Security risk management: Building an information security risk management program from the Ground Up", Elsevier, ISBN: 1597496162
[31] John E Canavan,(2001) "Fundamentals of network security", Artech House,ISBN: 1580531768 [32] WH Baker and A Hylender, (2011) " 2011 data breach investigations report", Verizon RISK Team, Last access date : 22-11-2016 ,pp.1-72. AvailableFrom: www.verizonbusiness.com/resources/reports/rp_databreach investigationsreport-2011_en_xg. pdf . [33] Charles P Pfleeger,(2006) "Security in Computing", Prentice Hall, Series, p.880, ISBN: 0-13-239077-9
[34] Yogita Negi, (2011) "Pragmatic Overview of Hacking & Its Counter Measures". Proceedings of the 5th National Conference, INDIACom, Bharati Vidyapeeth‘s Institute of Computer Applications and Management, New Delhi. ISSN: 0973-7529 [35] verizon ,(2016) "2016 Data Breach Investigations Report", verizon enterprise,p.85. [36] Ignacio Porres Ruiz, and, and María del Mar, (2008) "An Evaluation of current IDS",p.112, MSc thesis Supervisor Viiveke Fak. [37] Steve Ragan, (2012) " Hacktivism: An Inside Look at the Motives and Methods of Cyber Activists" , Elsevier Science & Technology, pp. 352. ISBN: 1597499609. [38] Joshua B Hill and Nancy E Marion, (2016) "Introduction to Cybercrime: Computer Crimes, Laws, and Policing in the 21st Century" ,ABCCLIO, ISBN: 1440832749 [39] Raghu Ramakrishnan, (2000) "Database Management Systems", ISBN: 0072322063 [40] Ramez Elmasri and Sham Navathe, (2004) "Fundamentals of Database Systems, Pearson/Addison Wesley", ISBN: 0321122267 [41] Karen Scarfone and Peter Mell, (2012) "Guide to intrusion detection and prevention systems (idps)", NIST special publication NIST Special publication800-94,vol.800,pp.94,ISBN:14170151693 DOI>10.6028/NIST.SP88-94
[42] Paul E Proctor,(2000) "Practical intrusion detection handbook" , Prentice Hall PTR, ISBN: 0130259608 [43] Paul E Proctor,(2000) "Practical intrusion detection handbook" , Prentice Hall PTR, ISBN: 0130259608 [44] Roberto Di Pietro and Luigi V. Mancini, (2008) " Intrusion Detection Systems", Advances in Information Security , Volume 38, Springer Science & Business Media, pp. 250 , ISBN: 0387772669. [45] James Kelly , (2006) "An Examination of Pattern Matching Algorithms for Intrusion Detection Systems", Carleton University Ottawa advisor: Dr. Paul Van Oorschot
[46] Beata Akselsen , (2016) " Intrusion Detection Systems", Scitus Academics LLC, pp.338, ISBN: 1681172666 [47] Jacob W Ulvila and John E.Gaffney, "Evaluation of Intrusion Detection Systems" , journal of Research of National Institute of Standards and Technology, Vol.100 , number 6 , ISBN: 1422318028 [48] Rebecca Gurley Bace, (2000) "Intrusion Detection", Macmillan technology series, Sams Publishing, pp. 339, ISBN: 1578701856 [49] Herve Debar (2000),"An introduction to intrusion-detection systems", Survey on Intrusion Detection Systems ,Proceedings of Connect,vol.2000, ISSN: 2321-7782 [50] Poonam Sinai Kenkre, Anusha Pai, and Louella Colaco, (2015) "Real time intrusion detection and prevention system", in Proceedings of the 3rd International Conference on Frontiers of Intelligent Computing: Theory and Applications (FICTA) 2014. Springer. [51] Phillip A Porras and Alfonso Valdes. ((1998)) "Live Traffic Analysis of TCP/IP Gateways", Proceedings of the Sixth SIAM International Conference on Data Mining ,Volume 124 of Proceedings in Applied Mathematics Series,Volume 124 of SIAM proceedings series, In Proceedings of the ISOC Symposium on Network and Distributed Systems Security. [52] Udai Pratap Rao and Dhiren R Patel, (2011),"Design and Implementation of Database Intrusion Detection System for Security in Database",
International Journal of Computer Applications,vol.35, issue.9,p.32-40, DOI : 10.5120/4431-6170 [53] James R Groff and Paul N Weinberg, (2002) "SQL: the complete reference", McGraw-Hill/Osborne, Series 2 , vol.2, ISBN : 0-07222559-9 [54] Alan Beaulieu,(2009) "Learning SQL: Master SQL Fundamentals" O'Reilly Media Inc., ISBN: 978-0596520830 [55] Gregory Buehrer, Bruce W Weide, and Paolo AG Sivilotti, (2005) "Using parse tree validation to prevent SQL injection attacks", in Proceedings of the 5th international workshop on Software engineering and middleware. ACM , ISBN: 1595932054 [56] Mariano Ceccato, Cu D. Nguyen, Dennis Appelt and Lionel C. Briand , (2016) "SOFIA: an automated security oracle for black-box testing of SQL-injection vulnerabilities", in Proceedings of the 31st IEEE/ACM International Conference on Automated Software Engineering. ACM, ISBN :1450338453 [57] Ibéria Medeiros, et al. (2016) Hacking the DBMS to Prevent Injection Attacks. in Proceedings of the Sixth ACM Conference on Data and Application Security and Privacy. ACM. 1450339352 [58] William GJ Halfond and Alessandro Orso, (2006) "Preventing SQL injection attacks using AMNESIA", in 'ICSE 06' Proceedings of the 28th international conference on Software engineering,Pages 795-798 Shanghai,China,ISBN:978-1-4503-3845-5 DOI>10.1145/2970276.2970343 [59] OWASP."SQL Injection" last modified date; last access date access: Available from: https://www.owasp.org/index.php/SQL_Injection [60] Archana Gupta and Surendra Kumar Yadav, (2016) "SQL Injection Attack on Web Application: A Review" Imperial Journal of Interdisciplinary Research,vol.2, issue.6, ISSN: 2454-1362 [61] Ashish Kamra, Elisa Bertino and Guy Lebanon ,(2008) " Mechanisms for database intrusion detection and response", IDAR '08 Proceedings of the 2nd SIGMOD PhD workshop on Innovative database research, pp. 31-36, Vancouver, Canada, ISBN: 978-1-60558-211-5
[62] Gaurav Parmar and Kirti Mathur, (2016)"Proposed Preventive measures and Strategies Against SQL injection Attacks", Indian Journal of Applied Research,vol.5, issue.5, ISSN: 2249-555X
[63] Kabir Umar, Abu Bakar Md Sultan, Hazura Zulzalil, Novia Admodisastro, and Mohd Taufik, (2016), "SQL Injection Attack Roadmap and Fusion", Indian Journal of Science and Technology,vol.9, issue.28, ISSN: 0974-5645 [64] Regan Rajendran, Nithya Venkatachalam, (2016) " A Method to Detect and Prevent SQL Injection Attack", LAP Lambert Academic Publishing, p.p.84 , ISBN: 3659827533 [65] Ankur Tiwari and Isha Sharma, (2015) "Analysis and Implementation of Multilayered Secured algorithm for Assorted Appliactions", International Journal of Computing and Corporate Research vol.5, issue.3, ISSN: 2249-054X [66] Behrouz A. Forouzan,(2008) "Cryptography and Network Security", McGraw-Hill, ISBN: 9780071263610 [67] A. Kumar and S. Bose,(2016) "Cryptography and Network Security", ISBN: 9789332543645 [68] Mark G Sobell,(2005) "A practical guide to Linux commands, editors, and shell programming", Prentice Hall Professional Technical Reference, ISBN: 0131478230
[69] Michael Rash,(2007) "Linux Firewalls: Attack Detection and Response with iptables, psad, and fwsnort", No Starch Press, ISBN: 9781593271411 [70] SQLMAPPROJECT."SQLMAP" last modified date; last access date access: 16/3/2017 Available from: http://sqlmap.org/ [71] SoftLogica."Web testing" last modified date; last access date access: 16/3/2017 Available from: https://www.loadtestingtool.com/
Conferences
Alaa Khalil Jumaa and Awezan Aso Omar, (2016) “CST First National Conference on Computer Science and Information Technology” (CST-2016), on December 11th, at the College of Science and Technology, University of Human Development, Sulaymaniyah, Iraq.
Publications
Alaa Khalil Jumaa and Awezan Aso Omar, (2017) “Online Database Intrusion Detection System Based on Query Signatures”, Vol. 3, No. 1, March 2017, pp. 282-287, e-ISSN: 2411-7757, p-ISSN: 2411-7765.
Abstract
SQL injection is a major class of attack that threatens the integrity, confidentiality, authenticity or functionality of any database relied on by web applications. This attack lets the attacker gain unauthorized access to the back-end database of web applications by exploiting weaknesses inside the system; therefore preventive and innovative measures must be taken when designing any database, and its security policy must be defined, in order to provide excellent protection for client privacy. The Intrusion Detection System is the defence against SQL injection (SQLI); it uses detection and prevention techniques to protect any database exposed to SQL injection, acting as a firewall for the database connected to these applications. In this thesis a signature-based intrusion detection system was implemented, using the digital signature of the SQL keywords present in each query. This is done with the SHA-256 hash algorithm as the technique for distinguishing safe signatures from anomalous ones and for stopping hacking attempts by denying the attacker any further access to the system. The proposed system uses signature-based intrusion detection as its method of detecting penetration.
The method works in two phases. The first phase is the offline phase, in which signatures are created for all the safe queries used in the system: the SQL keywords are extracted from each query and a white list is formed from them, each of these queries is hashed with the SHA-256 algorithm to produce the signatures, and the signatures are stored in a text file that is used later in the comparison phase. The second phase is the online phase, in which intruders are detected by taking the user's input (the suspected attacker), extracting the SQL keywords, producing a SHA-256 signature for them and comparing the produced signature with the signatures held in the white list. If a match is found, the program allows the query to pass and classifies it as safe; if there is no match, the query is marked as unsafe, it is stopped and prevented from reaching the database, the system administrator is alerted to the breach, and the user's IP address is blocked so that the user cannot reach the website again. The experimental results showed that the proposed solution is suitable in terms of efficiency and performance. Moreover, it recorded only a slight effect on the time needed to access the website (access response time).
Ministry of Higher Education and Scientific Research, University of Sulaimani - College of Commerce, Department of Statistics and Computer, Postgraduate Studies
Intrusion Detection System for Databases. A thesis submitted to the College of Commerce, University of Sulaimani, as part of the requirements for the degree of Master of Science in Information Technology
By Awezan Aso Omar, BSc in Statistics and Computer (2010). Supervised by Lecturer Dr. Alaa Khalil Jumaa
Rabi' al-Awwal 1438 AH
March 2017
Abstract
SQL Injection (SQLI) is a major type of attack that threatens the integrity, confidentiality and trustworthiness of the databases that are the foundation and driving force of every website and web program. This kind of attack allows the attacker to break through the entry boundaries of any database running behind the web program or website and reach the rights, data and information that belong to companies and organizations and are not the attacker's to have. It is carried out by taking advantage of weaknesses in the design of the database system and the website to reach the data and resources. For this reason the designer and builder of every web program and database must follow standard protective and preventive practice in the design of every database and define a security policy for that organization, in order to protect the privacy of its members and safeguard their system from any unauthorized access. A Database Intrusion Detection System is the defensive system used against SQLI; it acts as a wall for the database. In this research the signature method is applied to all the words of the SQL query that enter the system, using the SHA-256 hashing technique to distinguish normal signatures from foreign ones and to defeat attempts to hack the system by completely blocking the attacker. The design of this defensive system has two phases. The offline phase builds the normal signatures for the queries used in the website: the SQL keywords that are legitimate for each query are extracted, hashed with SHA-256 and stored in a text file. The second, online phase is the phase of catching the attacker: the query arriving from the user (the suspect) is taken, a signature is produced for it in the same way as in the previous phase (SHA-256), and this signature is compared with the legitimate signatures produced earlier. If there is a match the signature is legitimate and entry is allowed; otherwise, when there is no match, entry is refused and the attacker is repelled by the
database intrusion detection system (DIDS), which records the attacker's IP address so that no further entry attempt can be made. The accuracy and correctness of the tests of this defensive system point to its success and effectiveness; moreover, the proposed system has a very small effect on the website's response time, which confirms how lightweight the system is.
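The two-phase keyword-signature mechanism described in the Arabic and Kurdish abstracts above, as an added example that is not the thesis's own code: the keyword list, the tokenizer, the query templates and the IP addresses are constructed assumptions, since the page gives none of them.

```python
import hashlib
import re

# Constructed keyword list; the thesis's exact keyword set is not given on this page.
SQL_KEYWORDS = {
    "SELECT", "FROM", "WHERE", "AND", "OR", "NOT", "INSERT", "INTO", "VALUES",
    "UPDATE", "SET", "DELETE", "UNION", "ALL", "ORDER", "BY", "GROUP", "HAVING",
    "LIMIT", "JOIN", "ON", "LIKE", "IN", "NULL", "DROP", "TABLE", "EXEC",
}
WORD_RE = re.compile(r"[A-Za-z_]+")


def keyword_signature(query: str) -> str:
    """Extract the SQL keywords of a query, in order, and hash them with SHA-256.

    Literal values are ignored on purpose: the same query template with
    different bound values must always produce the same signature.
    """
    words = [w.upper() for w in WORD_RE.findall(query)]
    keywords = [w for w in words if w in SQL_KEYWORDS]
    return hashlib.sha256(" ".join(keywords).encode("utf-8")).hexdigest()


def build_whitelist(safe_queries):
    """Offline phase: one signature per legitimate query template."""
    return {keyword_signature(q) for q in safe_queries}


class DatabaseIDS:
    """Online phase: pass whitelisted signatures, block and ban everything else."""

    def __init__(self, whitelist):
        self.whitelist = whitelist
        self.banned_ips = set()
        self.alerts = []  # (client_ip, query) pairs raised to the administrator

    def check(self, query: str, client_ip: str) -> bool:
        """Return True if the query may reach the database, False if it is dropped."""
        if client_ip in self.banned_ips:
            return False  # a banned client never gets a second attempt
        if keyword_signature(query) in self.whitelist:
            return True
        self.banned_ips.add(client_ip)
        self.alerts.append((client_ip, query))
        return False


# Constructed query templates standing in for a web application's legitimate queries.
SAFE_QUERIES = [
    "SELECT name, email FROM users WHERE id = 42",
    "INSERT INTO visits (user_id, page) VALUES (42, '/home')",
]

if __name__ == "__main__":
    ids = DatabaseIDS(build_whitelist(SAFE_QUERIES))
    # Same template, different value: same keyword sequence, so it passes.
    print(ids.check("SELECT name, email FROM users WHERE id = 7", "198.51.100.10"))
    # A tautology adds OR to the keyword sequence: unknown signature, blocked and banned.
    print(ids.check("SELECT name, email FROM users WHERE id = 7 OR 1=1", "198.51.100.20"))
    print(ids.banned_ips)
```

A keyword-only signature cannot see input that adds no keyword to the sequence (an appended comment marker, for instance), so an evaluation of this approach should measure the whitelist check against such inputs as well as against the tautology case shown.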
Kurdistan Regional Government, Ministry of Higher Education and Scientific Research, University of Sulaimani - College of Commerce, Department of Statistics and Computer
Database Protection System against Unauthorized Access
A thesis submitted to the College of Commerce - Statistics and Computer, as part of the requirements for obtaining the degree of Master in Information Technology Science
By Awezan Aso Omar, BSc in Statistics and Computer (2010)
Supervised by Lecturer Dr. Alaa Khalil Jumaa
March (2017)
Nawroz (2717)