SOFIA: an automated security oracle for black-box testing of SQL-injection vulnerabilities
Security testing is a pivotal activity in engineering secure software. It consists of two phases: generating attack inputs to test the system, and assessing whether test executions expose any vulnerabilities. The latter phase is known as the security oracle problem.
In this work, we present SOFIA, a Security Oracle for SQL-Injection Vulnerabilities. SOFIA is programming-language and source-code independent, and can be used with various attack generation tools. Moreover, because it does not rely on known attacks for learning, SOFIA is meant to also detect types of SQLi attacks that might be unknown at learning time. The oracle challenge is recast as a one-class classification problem where we learn to characterise legitimate SQL statements to accurately distinguish them from SQLi attack statements.
We have carried out an experimental validation on six applications, among which two are large and widely used. SOFIA was used to detect real SQLi vulnerabilities with inputs generated by three attack generation tools. The obtained results show that SOFIA is computationally fast and achieves a recall rate of 100% (i.e., missing no attacks) with a low false positive rate (0.6%).
Classification agent-based techniques for detecting intrusions in databases
This paper presents an agent specially designed for the prevention and detection of SQL injection at the database layer of an application. The agent incorporates a case-based reasoning mechanism whose main characteristic is a mixture of neural networks that carry out the task of filtering attacks. The agent has been tested and the results obtained are presented in this study.
No funding. No data (2008). EU.
Summary of the clinical practice guideline for the treatment of posttraumatic stress disorder (PTSD) in adults
The American Psychological Association (APA) developed a clinical practice guideline (CPG) to provide recommendations on psychological and pharmacological treatments for posttraumatic stress disorder (PTSD) in adults. This paper is a summary of the CPG, including the development process. Members of the guideline development panel (GDP) used a comprehensive systematic review conducted by the Research Triangle Institute-University of North Carolina Evidence-based Practice Center (RTI-UNC EPC) as its primary evidence base (Jonas et al., 2013). The GDP consisted of health professionals from psychology, psychiatry, social work, and family medicine as well as community members who self-identified as having had PTSD. PTSD symptom reduction and serious harms were selected by the GDP as critical outcomes for making recommendations. The GDP strongly recommends use of the following psychotherapies/interventions (in alphabetical order) for adults with PTSD: cognitive–behavioral therapy, cognitive processing therapy, cognitive therapy, and prolonged exposure therapy. The GDP conditionally recommends the use of brief eclectic psychotherapy, eye movement desensitization and reprocessing (EMDR), and narrative exposure therapy (NET). For medications, the GDP conditionally recommends the following (in alphabetical order): fluoxetine, paroxetine, sertraline, and venlafaxine. There is insufficient evidence to recommend for or against offering Seeking Safety, relaxation, risperidone, and topiramate. A subgroup of the GDP reviewed studies published after the systematic review for those treatments that received substantive recommendations; the GDP concluded that future systematic reviews that incorporated those new studies could change the recommendations for EMDR and NET from conditional to strong. For all other treatments, results of the update indicated that recommendations were unlikely to change or that there were no new trials for comparison.
The target audience for this CPG includes clinicians, researchers, patients, and policymakers.