Free Essay

Sql Injection Attacks: Techniques and Protection Mechanisms

In: Computers and Technology

Submitted By interactiv3
Words 1951
Pages 8
Nikita Patel et al. / International Journal on Computer Science and Engineering (IJCSE)

SQL Injection Attacks: Techniques and Protection Mechanisms
Nikita Patel
Department of Info. Tech. Patel College of Science & Technology Bhopal, India

Fahim Mohammed
Department of Computer Science Research Scholar NIT Bhopal, India

Santosh Soni
Department of Computer Science Patel College of Science & Technology Bhopal, India

Abstract-- When an internet user interacts in web environment by surfing the Net, sending electronic mail messages and participating in online forums lot of data is generated which may have user’s private information. If this information is captured by third party tools and techniques; it may cause a breach in end user privacy. In the Web environment, end user privacy is one of the most controversial legal issues. In this paper issues related to information leakage through SQL injection attacks are presented and protection mechanisms are also discussed. Keywords: - Privacy, Security, Code Injection, SQL Injection, web application security, Malicious Code, Vulnerability. I. INTRODUCTION

As the Internet is growing day by day, most of the people are not aware of security and privacy. Internet is a widespread information infrastructure; it is basically an insecure channel for exchanging information. Web security is the set of rules and measures taken against web security threats. Web privacy is the ability of hiding end user’s information. Nowadays most of the applications have the vulnerability (weakness) that makes a threat possible. An attack may be possible due to poor design, configuration mistakes, or poor written code of the web application. A threat can be harmful for database, control of web application, and other components of web application, that are needed to be protected from all types of threat. All types of code injection or SQL injection are very dangerous for these components of the web application. To build secure applications, security and privacy must be considered, and developer must be aware about it. The main goals of information security are Confidentiality, Integrity and availability. Confidentiality means the information available on a system should be safe from unauthorized people; Integrity means the information available in an organization should be complete and whole. It shouldn't be altered by any unauthorized person. Availability is as important as Confidentiality and Integrity. It means the information requested or required by the authorized users should always be available. II. CODE INJECTION ATTACKS

Code Injection is a term used when malicious code/script is injected into a program/web application from an outside source, for example input field which is provided by the web application to take input from the end-user. This attack makes use of lack of accurate input/output data validation. The injected malicious code executes as a part of the application. The consequences of a successful code injection attack may result in either damage to an asset, or an undesirable operation. Attack can be performed within software, web application etc in which the weakness is present. Weakness contribute to the introduction of vulnerabilities within that software or web applications, vulnerability can be used by the attacker to exploit the web applications to gain unintended access to data, denial of services, or perform incorrect operations. HTML Injection Attack, Cross Site Scripting Attack, SQL Injection Attack, Shell Attack, Content Spoofing, HTTP Response Splitting, HTTP Request Splitting and XML Poisoning Attack are some examples of the code injection attack. SQL Injection: - SQL injection is an attack technique which can be used by the attacker to exploit the web application; as a result the attacker may gain unauthorized access to a database or to retrieve information directly from the database. Attacker can exploit SQL injection vulnerabilities remotely without any database or application authentication. SQL injection attacks are straightforward in nature – an attacker just passes malicious string as an input to an application for stealing confidential information.

ISSN : 0975-3397

Vol. 3 No. 1 Jan 2011

199

Nikita Patel et al. / International Journal on Computer Science and Engineering (IJCSE)

I.

SQL Injection using Dynamic Strings

Most of the web based application takes input from the end user for constructing dynamic SQL statement [2]. Query = “SELECT * FROM student WHERE sname = ‘studentname’ ”;

II. Example 1 - Dynamically built SQL command string

Consider a web application that takes input from the students and displays the result of the student, with the logic of the above SQL query, the result of the above query is as follows Suppose an attacker submits a student name that looks like the following: Student Name: nikita’ OR '1’=’1 The SQL command string built from this input would be as follows: SELECT * FROM student WHERE sname = ‘nikita’ OR ‘1’=’1 This query will return all rows from the student's database, regardless of whether "nikita" is a real user name. This is due to the OR statement appended to the WHERE clause. The comparison '1'='1' will always return a "true" result, making the overall WHERE clause evaluate to true for all rows in the table. If this is used for authentication purposes, the attacker will often be logged in as the first or last user in the table. III. CATEGORIES OF SQL INJECTION ATTACKS

There are four main kinds of SQL Injection attacks 1. SQL Manipulation 2. Code Injection 3. Function Call Injection 4. Buffer Overflows SQL manipulation usually involves modifying the SQL query through altering the WHERE clause. In this class of attack, amend the WHERE clause of the statement so the WHERE clause constantly results in TRUE [2]www.integrigy.com/.../Integrigy_Oracle_SQL_Injection_Attacks]. In the case of Code injection an attacker introduces new SQL statements into the input field instead of valid input. The classic code or statement appends a SQL Server command to make SQL statement vulnerable. Code injection only works when multiple SQL statements per database request are supported or keywords like AND, OR are supported by the database. Function call injection is the addition of database functions or user defined functions into a vulnerable SQL queries. These function calls can be used to make internal calls or modify data in the database that can be harmful to the users [2]. SQL injection of buffer overflows is a subset of function call injection. In several commercial and open-source databases, vulnerabilities exist in a few database functions that may result in a buffer overflow. IV. SQL INJECTION METHODS

There are four types of SQL Injection attacks A. SQL Manipulation

The most common type of SQL Injection attack is SQL manipulation. The attacker attempts to modify the present SQL statement by adding elements to the WHERE clause. An example of SQL manipulation can be given by a simple search application. This application takes student roll number as input and displays its result. The web application may run the following query [4]. SELECT * FROM student WHERE rollnum = ''

ISSN : 0975-3397

Vol. 3 No. 1 Jan 2011

200

Nikita Patel et al. / International Journal on Computer Science and Engineering (IJCSE)

This query will return the result of the student, but if the attacker attempts to manipulate the SQL statement to execute as –

Figure 1 Taking Input from User

SELECT * FROM student WHERE rollnum = '' or '1' = '1'

Figure 2 Result of the Malicious Code

The WHERE clause becomes true for every row and as a result it fetches all entries of the database, in this way the attacker gains access to the application. V. METHODS FOR PROTECTION AGAINST SQL INJECTION ATTACKS

SQL Injection attacks can be protected with simple changes in server site programming as well as client side programming. Developers must be aware of all types of attacks and take care for all possible attacks. Each and Every dynamic SQL statement must be sanitized. A single unprotected query can be harmful for the application, data, or database server. B. Taking User Input From Predefined Choices

In this way the web application can be secured from malicious attacks. The attacker cannot insert custom queries or any type of harmful script which can disturb the integrity of the database. This is a simple yet effective way to curb web application attacks. This can be established by making simple changes into the server site code.

Figure 3 Taking Input From Predefined Choices

ISSN : 0975-3397

Vol. 3 No. 1 Jan 2011

201

Nikita Patel et al. / International Journal on Computer Science and Engineering (IJCSE)

C.

Bind Variables Mechanism

Bind variable is another technique to control SQL injection attacks. Using bind variables helps in improving web application performance. The web application developer should use bind variables in all SQL statements. In java language there is a mechanism called prepared statement, this implements the concept of bind variables mechanism. PreparedStatement pstate; pstate=con.prepareStatement("select * from student where rollnum = ?"); pstate.setString(1, "sroll"); D. Parameterized Statements

To defend SQL injection attacks, user input must not be directly passed in SQL queries. Instead, parameterized statements must be preferred, or else user input should be sanitized or filtered carefully [17]. To sanitize the given user input it must be assigned (bound) to a parameter and passed through a filtering or sanitizing function like one present in PHP (mysql_real_escape_string($user_input)). The use of this function adds a back slash (\) against all of the escape characters such that the malicious script present is not executed. The result of that function can be viewed in figure 4.

Figure 4 Result of Using Predefined Function

E.

Input Validation

This is the simplest method for defence against SQL injection attacks. Every passed string parameter ought to be validated. Many web applications use hidden fields and other techniques, which also must be validated. If a bind variable is not being used, special database characters must be removed or escaped.

Figure 5 Input Validation Using Client Site Script

In most databases the single quote character and other special characters are a big issue, the simplest method to avoid them is to escape all single quotes. This can be established by using client side scripting language VI. CONCLUSION

Code injection attacks, especially SQL injection attack is one of the infamous issues. Controlling the malicious SQL code/script on the web application and maintaining the end privacy is still a key challenge for the web developer. These issues must be considered seriously by the web developers involved in developing websites using databases. This paper describes how an attacker can exploit the web application by using SQL injection attack to get confidential information from a database. Different protection mechanisms against SQL injection attack are also proposed.

ISSN : 0975-3397

Vol. 3 No. 1 Jan 2011

202

Nikita Patel et al. / International Journal on Computer Science and Engineering (IJCSE)

ACKNOWLEDGMENT The research presented in this paper would not have been possible without our college, PCST, Bhopal. We wish to express our appreciation to all the people who helped turn the World-Wide Web into the useful and popular distributed hypertext and providing information as it is anywhere. We also wish to thank the anonymous reviewers for their valuable suggestions, who helped in improving our paper content. REFERENCES
[1] “An Introduction to SQL Injection Attacks for Oracle Developers,” [Online]. Available: www.integrigy.com/Integrigy_Oracle_SQL_Injection_Attacks [Accessed: Oct.02, 2010]. [2] “SQL Injection” [Online] Available: http://projects.webappsec.org/w/page/13246963/SQL-Injection [Accessed: Oct 12,2010] [3] “Wikipedia,” [Online]. Available: http://en.wikipedia.org/wiki [Accessed: Oct.5,2010]. [4] “SQL Injection Prevention,” [Online] Available: http://www.owasp.org/index.php/SQL_Injection_Prevention [Accessed: Nov.10, 2010]. [5] “Prepared Statements” [Online] Available: http://www.owasp.org/index.php/SQL_Injection_Prevention [Accessed: Nov 12, 2010]. [6] “Blind SQL Injection ” Kavin Spet White Paper. [Online] Available: [7] “Second Order Code Injection Attack” Gunter Ollmann [Online] Available: [8] “Web Application Attack Prevention for Tiered Internet Service ” Susanta Nanda, Lap Chung Lam, Fourth Intenational Conference IEEE 2008.

ISSN : 0975-3397

Vol. 3 No. 1 Jan 2011

203

Similar Documents

Premium Essay

A Survey of Sql Injection Defense Mechanisms

...A Survey of SQL Injection Defense Mechanisms Kasra Amirtahmasebi, Seyed Reza Jalalinia and Saghar Khadem Chalmers University of Technology, Sweden akasra, seyedj, saghar{@student.chalmers.se} Abstract SQL Injection Attack (SQLIA) is a prevalent method which makes it possible for the attackers to gain direct access to the database and culminates in extracting sensitive information from the firm’s database. In this survey, we have presented and analyzed six different SQL Injection prevention techniques which can be used for securing the data storage over the Internet. The survey starts by presenting Variable Normalization and will continue with AMNESIA, Prepared statements, SQL DOM, SQLrand and SQLIA prevention in stored procedures respectively. that determining whether a SQL statement is allowable or not is done by checking the existence of normalized statement in the ready-sorted allowable list. 2.1. Background Many web pages ask users to input some data and make a SQL queries to the database based on the information received from the user i.e. username and passwords. By sending crafted input a malicious user can change the SQL statement structure and execute arbitrary SQL commands on the vulnerable system. Consider the following username and password example, in order to login to the web site, the user inputs his username and password, by clicking on the submit button the following SQL query is generated: SELECT * FROM user_table WHERE user_id = ‘john’ and......

Words: 5643 - Pages: 23

Free Essay

Web Server Application Attacks

...Web Server Application Attacks Christopher Jones Theories of Security Management Dr. Alaba Oluyomi Most web attacks are executed by several different methods to interrupt the functions of web servers. Web applications incorporate several applications to make it work properly. The web administrator must monitor the databases, extended markup languages, and script interpreters to stay ahead of hackers. All website that are running on a web server are prone to compromise, even though they are coded. Attackers take advantage of vulnerabilities of the web server. Attacker takes advantage of vulnerabilities within the implementation of TCP/IP protocol suites. With the slow reactions to correct these deficiencies, attackers are shifting to the application layers and mainly the web. This is in part caused by most companies open their firewall systems to web traffic. Most of the attacks are broad, and comes in many versions that fall into similar categories. Companies are making their web servers more secure, so attacks are moving to the vulnerability of web application flaws. Below are types of attacks on a web server 1 Web application vulnerabilities can be categorized as follows; Web server vulnerabilities, Manipulation of URLs, Exploitation of weaknesses in session identifiers and authentication systems, HTML code Injection and Cross-Site Scripting, and SQL Injection. SQL injection is a technique often used to attack data driven applications. This is......

Words: 1565 - Pages: 7

Premium Essay

Computer Network

...TRADEMARK LAW AND CYBERSPACE Paras Nath Singh M.Tech. Cyber Security Centre for Computer Science & Technology Central University of Punjab, Bathinda (Punjab). Abstract—Trademark law aids consumers who use trademarks in the marketplace to identify swiftly and without problems a product they liked or disliked in the past, distinguishing among the different competing manufacturers of a product. No one is entitled to sell or deliver commodities under the appearance that the commodities derive from someone else. The importance of consumer protection cannot be overemphasized and the average consumer standard should remain the central point of the inquiry, even under domain name litigation. Replacing the initial interest confusion doctrine is one decisive step, along with the introduction of a doctrine representing the fact that there should be no confusion at the point the sale, and this doctrine would intervene to allow for the capacity of the consumer to choose freely the products they want. Keywords: - trademarks; cyberspace; generic; domain names I. INTRODUCTION Trademarks have been used to designate the source or origin of products for years and a trademark is “any word, name, symbol, or device, or any combination thereof”1 used by a company to identify itself as the source of particular goods and distinguish its goods from those manufactured or sold by competitors. Section 2 of the Canadian Trademark Act2 considers “trademarks” as: * a mark that......

Words: 2830 - Pages: 12

Free Essay

Obesity

...the form of fake notifications from banks, providers, e-pay systems and other organizations to encourage a recipient to urgently update or enter their personal data. This is a major concern for eLite Bankers Limited as banks and other e-pay systems are major targets for phishers. This indicates that the fraudsters are more interested in personal data which provides access to money which can bankrupt a victim of phishing. Session Hijacking Session Hijacking is the exploitation of a valid computer session to gain unauthorized access to information on a computer system. A Session Hijacking attack compromises the session token by stealing or predicting a valid session token. A session token could be compromised in different way such as; Predictable Session Token, Session Sniffing, Client-Side Attacks (malicious codes, Trojans, etc.), Man-In-The-Middle Attacks and Man-In-The-Browser Attacks. This is a major threat to the eLite Bankers Company if steps are not taken to prevent these hijackings as hijackers may get unauthorized access to important files and documents. It is advisable to encrypt data traffic being passed...

Words: 986 - Pages: 4

Free Essay

Web Application Security

...Web Server Application Attacks Brooks Gunn Professor Nyeanchi CIS 502 July 10, 2013 Web Server Application Attacks Many organizations have begun to use web applications instead of client/server or distributed applications. These applications has provided organizations with better network performance, lower cost of ownership, thinner clients, and a way for any user to access the application. We applications significantly reduce the number of software programs that must be installed and maintained in end user workstations (Gregory 2010). Web applications are becoming a primary target for cyber criminals and hackers. They have become major targets because of the enormous amounts of data being shared through these applications and they are so often used to manage valuable information. Some criminals simply just want vandalize and cause harm to operations. There are several different types of web application attacks. Directory traversal, buffer overflows, and SQL injections are three of the more common attacks. One of the most common attacks on web based applications is directory traversal. This attack’s main purpose is the have an application access a computer file that is not intended to be accessible. It is a form of HTTP exploit in which the hacker will use the software on a Web server to access data in a directory other than the server’s root directory. The hacker could possibly execute......

Words: 1620 - Pages: 7

Premium Essay

Computer Tricks

...EC-Council Press | The Experts: EC-Council EC-Council’s mission is to address the need for well educated and certified information security and e-business practitioners. EC-Council is a global, member based organization comprised of hundreds of industry and subject matter experts all working together to set the standards and raise the bar in Information Security certification and education. EC-Council certifications are viewed as the essential certifications needed where standard configuration and security policy courses fall short. Providing a true, hands-on, tactical approach to security, individuals armed with the knowledge disseminated by EC-Council programs are securing networks around the world and beating the hackers at their own game. The Solution: EC-Council Press The EC-Council | Press marks an innovation in academic text books and courses of study in information security, computer forensics, disaster recovery, and end-user security. By repurposing the essential content of EC-Council’s world class professional certification programs to fit academic programs, the EC-Council | Press was formed. With 8 Full Series, comprised of 27 different books, the EC-Council | Press is set to revolutionize global information security programs and ultimately create a new breed of practitioners capable of combating this growing epidemic of cybercrime and the rising threat of cyber war. This Certification: C|EH – Certified Ethical Hacker Certified Ethical Hacker is a certification...

Words: 61838 - Pages: 248

Premium Essay

Database Security

...CSS330-1502A-01 Database Security Individual Project Key Assignment Chris Pangburn 27 April, 2015 Table of Contents Week 1: Database Security Architecture 4 Differentiate between a Database Management System and a database 4 Network Infrastructure for the best security posture 4 Additional Security mechanisms to protect the Database Server 6 Week 2: User Account Security 7 Creating Schemas 7 Creating Users, Creating Roles, Assigning Privileges based on Access Control Lists 7 Creating Views 10 Week 3: Database Vulnerabilities 11 Description of tools used to perform scans 11 Scan Information 11 False Positive Information 12 Discuss SQL injection attack 12 Week 4: Auditing Techniques 14 Security hardened network design 14 Research of auditing features 14 Description of a trigger 14 Implementation of auditing 14 Week 5: Auditing Policies 15 Write SQL 15 Report based on access 15 Report based on system privileged 15 Audit report showing connection details 15 Report showing object access 15 References 16 Week 1: Database Security Architecture Differentiate between a Database Management System and a database Databases at their essence are nothing more than a collection of organized information (Mullins, 2013). A database can contain stored procedures, tables, fields, indexes, functions, views, security, and many other objects. Relationships between the data can be created which brings more meaning to how the data can......

Words: 1807 - Pages: 8

Free Essay

Week 5

...Unit 3 Lab4 Chris Hann Zy Powell 1. Dictionary attacks and rule-based search attacks. 2. Cross-site scripting allows for attackers to bypass client-side security mechanisms normally forced on web content by current browsers. 3. You can do this by disabling scripting when it is not necessary. Do not trust links to other sites on email or message boards, and do not follow links from sites that lead to security-sensitive information directly through its address. 4. The attacker can use redirect vulnerability, where a webpage uses a script to redirect the user somewhere other than the intended site. So then the hacker takes advantage of the script and you are sent to an external page instead of an internal one. 5. It can be denial of access, data loss or corruption, and unnecessary account privileges. 6. Blind SQL injection ask question that can only have a yes or no answer. Yet with normal SQL injection ask questions that will confuse the applications into returning answers in error message and. 7. Because XSS is a hacking technique in which a malicious user enters a short snippet of JavaScript into a textbox so that this script will be saved in the database. Therefore when a user retrieves and displays this later, the browser will execute the script. 8. When a user tries to enter their credentials, the url is explaining that the password is wrong. 9. By removing all unwanted input and accept only expected input,......

Words: 295 - Pages: 2

Free Essay

Security Weaknesses Top 25

...awareness to help programmers to prevent the kinds of vulnerabilities that plague the software industry, by identifying and avoiding all-too-common mistakes that occur before software is even shipped. Software customers can use the same list to help them to ask for more secure software. Researchers in software security can use the Top 25 to focus on a narrow but important subset of all known security weaknesses. Finally, software managers and CIOs can use the Top 25 list as a measuring stick of progress in their efforts to secure their software. The list is the result of collaboration between the SANS Institute, MITRE, and many top software security experts in the US and Europe. It leverages experiences in the development of the SANS Top 20 attack vectors (http://www.sans.org/top20/) and MITRE's Common Weakness Enumeration (CWE) (http://cwe.mitre.org/). MITRE maintains the CWE web site, with the support of the US Department of Homeland Security's National Cyber Security Division, presenting detailed descriptions of the top 25 programming errors along with authoritative guidance for mitigating and avoiding them. The CWE site contains data on...

Words: 24162 - Pages: 97

Premium Essay

The Importance Of Computer Security

...business transactions and much more. Networks afford users the opportunity to continuously use computers through wireless connectivity across many different platforms. Any computer connected to a network can be used for many purposes. Just because a computer is located in the workplace does not mean that the computer is used only for work. The pervasive nature of computers and networks means that they are increasingly connected to incidents and crimes, which can be accidental and/or malicious (Mandia et al, 2003). Fig 1. (Schneiderman, 2014) http://www.net-security.org/secworld.php?id=17119 As can be seen from the above pie chart the causes of database security breaches (from 2006 - 2013), are divided quite equally between malicious attacks, human errors and negligence. As the new Senior Database Administrator at YONS Ltd. it is my task with analysing the internal as well as external security breaches that we have experienced over the last 18 months. Some of the specific security threats to the database as well as a recommended prevention strategy will be discussed in this report. The key to successfully preventing and responding to any cyber threat is to identify, collect, preserve and analyse the computer evidence. This typically involves having the necessary knowledge, skills, and tools to effectively respond to an incident, forensically collect computer evidence, and analyse the appropriate logs and files. The reason databases are targeted is they are at the heart of......

Words: 1729 - Pages: 7

Premium Essay

Security in the Cloud

...stack is shared between the user and the operator; the lower the level of abstraction exposed to the user, the more responsibility goes with it. While cloud computing may make external-facing security easier, it does pose the new problem of internal-facing security. Cloud providers must guard against theft or denial-of-service attacks by users. Users need to be protected from one another. The primary security mechanism in today's clouds is virtualization. It is a powerful defense, and protects against most attempts by users to attack one another or the underlying cloud infrastructure. However, not all resources are virtualized and not all virtualization environments are bug-free. Virtualization software has been known to contain bugs that allow virtualized code to "break loose" to some extent. Incorrect network virtualization may allow user code access to sensitive portions of the provider's infrastructure, or to the resources of other users. One last security concern is protecting the cloud user against the provider. The provider will by definition control the "bottom layer" of the software stack, which effectively circumvents most known security techniques. Absent...

Words: 2433 - Pages: 10

Premium Essay

Team Assignment

...Group 1 Team Assignment   CSEC 630- 9026                             Jeff Daniels                                                                  Written by:                            Kevin Alton, Nadia Iqbal, and Alex Polevoy                                                      July 2015 Table of Contents Introduction.…………………………………………………………………..………….3 Section I: iTrust Threats & Vulnerabilities and Countermeasures.……………..…………..3 Section II: Recommended Changes to Security Management Policies………...……………..7 Section III: Adaption of Requirements to Reduce Security Risk……….……………....…......11 Conclusion. …………………………………….…………………………………….…21 References ……………………………………………………………...………………23 Introduction There are multiple benefits of electronic health records (EHR), which include improved care, quicker access to patient files, and increased physician oversight of care.  However, with the benefit of convenience of using EHRs, comes the responsibility of protecting electronic protected health information (ePHI) and safeguarding sensitive patient data.  The Health Insurance Portability and Accountability Act (HIPAA) focuses on protecting ePHI with guidelines to ensure organizations have implemented “reasonable and appropriate” security measures to adhere to HIPAA rules and maintain patient confidentiality. HIPAA requires covered entities to conduct risk assessments to verify compliance and attempt to uncover areas where ePHI is at risk......

Words: 5631 - Pages: 23

Premium Essay

Database Security Plan

...IP: Auditing Policies Database Security Project Plan Reginald “Reggie” Lee Colorado Technical University Online Professor Anita Arceneaux  December 22, 2014 Figure 1: (Microsoft.com, 2014) Table of Contents Database Security Architecture 3 Differences between a database and a DBMS 3 Types of database designs 4 Network Infrastructure for Database Security 5 Common Security Threats for Database Servers: 6 Additional Security Mechanisms for Protecting Database Server 9 User Account Security 11 1. New Schema for HR Database 11 2. Corporate Directory & Manager Information Views: 12 3. Created Users: 14 4. Created Roles: 15 5. Implemented the Following Access Control List using SQL: 15 6. Implementation and Utilization of Roles: 16 7. HR Database SQL 16 Database Vulnerabilities 29 Auditing Techniques 47 Example database Trigger 50 Creating and Implementing a Database Audit 50 Access Reports 61 Logon Activity History 63 Complete Audit Trail 65 DML History 67 Auditing Policies 69 SQL Server 2014 Audit Report Generation 78 Database Security Architecture Differences between a database and a DBMS When discussing the database management systems (DBMS) and databases, the lines can become blurred between the two. Many people consider a DBMS and a database to be one in the same. However, nothing could be further from the truth as they are two separate distinct entities that server specific purposes. To further expound on......

Words: 8566 - Pages: 35

Premium Essay

Perfume

...Computer system security relies on different aspects of a computer system such as security policies, security mechanisms, threat analysis, and countermeasures. This paper provides an ontological approach to capturing and utilizing the fundamental attributes of those key components to determine the effects of vulnerabilities on a system’s security. Our ontology for vulnerability management (OVM) has been populated with all vulnerabilities in NVD (see http://nvd.nist.gov/scap.cfm) with additional inference rules and knowledge discovery mechanisms so that it may provide a promising pathway to make security automation program (NIST Version 1.0, 2007) more effective and reliable. KEYWORDS analysis system security, common vulnerability exposures, ontology, vulnerability Ju An Wang, Michael M. Guo, and Jairo Camargo School of Computing and Software Engineering, Southern Polytechnic State University, Marietta, Georgia, USA J. A. Wang, M. Approach to Computer An Ontological M. Guo, and J. Camargo System Security 1. INTRODUCTION Secure computer systems ensure that confidentiality, integrity, and availability are guaranteed for users, data, and other computing assets. Moreover, security policies should be in place to specify what is secure and nonsecure, and security mechanisms must be implemented to prevent attacks, detect them, and recover a system from those attacks. During a computer system’s design process, developers need to pay special attention to the design to reduce......

Words: 6084 - Pages: 25

Free Essay

Df Sdfsdf Sdfsdf Sdfsdfsdf

...THREAT MODELING AND ITS USAGE IN MITIGATING SECURITY THREATS IN AN APPLICATION Thesis Submitted in partial fulfillment of the requirements for the degree of MASTER OF TECHNOLOGY in COMPUTER SCIENCE & ENGINEERING - INFORMATION SECURITY by EBENEZER JANGAM (07IS02F) DEPARTMENT OF COMPUTER ENGINEERING NATIONAL INSTITUTE OF TECHNOLOGY KARNATAKA SURATHKAL, MANGALORE-575025 JULY, 2009 Dedicated To My Family, Brothers & Suraksha Group Members DECLARATION I hereby declare that the Report of the P.G Project Work entitled "THREAT MODELING AND ITS USAGE IN MITIGATING SECURITY THREATS IN AN APPLICATION" which is being submitted to the National Institute of Technology Karnataka, Surathkal, in partial fulfillment of the requirements for the award of the Degree of Master of Technology in Computer Science & Engineering - Information Security in the Department of Computer Engineering, is a bonafide report of the work carried out by me. The material contained in this report has not been submitted to any University or Institution for the award of any degree. ……………………………………………………………………………….. (Register Number, Name & Signature of the Student) Department of Computer Engineering Place: NITK, SURATHKAL Date: ............................ CERTIFICATE This is to certify that the P.G Project Work Report entitled " THREAT MODELING AND ITS USAGE IN MITIGATING SECURITY THREATS IN AN APPLICATION" submitted by Ebenezer Jangam (Register......

Words: 18945 - Pages: 76