A combined approach of fine Role-Based Access Control and dynamic/static parse tree comparison to mediate SQL Injection Attacks within a selected West African case system and context
Date
2020-04-28
Authors
Dogbe, Evans
Abstract
Business legacy systems, when migrated to the Web, often face increased chances of Structured Query Language (SQL) injection attacks; these attacks are compounded when the system lacks proper security mechanisms and security training for its staff. This study seeks to determine how the researcher's new theory of amalgamating two established defence techniques, namely fine-grained Role-Based Access Control (RBAC) and static/dynamic parse tree comparison, can be combined into a single centralized defence that effectively mitigates SQL injection attacks in a web-based environment, using a selected recently migrated legacy system as an exemplar. The proposed defence first involves redefining the existing RBAC security as a fine-grained RBAC to act as the first tier of defence. Those queries, legitimate or not, which successfully pass through the first tier are analysed by the second tier of defence, which performs a static and dynamic parse tree analysis and comparison of the queries in order to distinguish legitimate queries from illegitimate ones. During the study, it was discovered that the basic RBAC of the control system and the fine-grained RBAC could only mitigate a fraction of the selected test cases and thereby generated a number of false positives but no false negatives. However, those false positives were successfully identified and mitigated by the second tier of static/dynamic parse tree comparison. As such, the performance measures of precision, recall and F-measure were determined in three cases, namely: basic RBAC defence in the control, with 31% precision, 100% recall and an F-measure of 32%; fine-grained RBAC without dynamic parse tree comparison, with 54% precision, 100% recall and an F-measure of 54%; and the hybrid defence of fine-grained RBAC and dynamic parse tree comparison, with 100% precision, 100% recall and an F-measure of 100% on the test cases used in repeated experimentation. However, extensive real-world testing might expose weaknesses not observed during experimentation, and such testing is the recommendation of the study. The entire approach is centralized in a security aspect in order to easily incorporate it into vulnerable legacy systems newly migrated to the Web, which requires minimal training of security staff for deployment. The hybrid was then tested using a case sample system that represents the West African context of inadequate security mechanisms and poor staff training. Standard test cases were used to test each defence tier in the hybrid as well as the individual tiers. This testing detected and halted illegitimate SQL queries and demonstrated the aspect's effectiveness and suitability for the West African context.
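The two-tier mediation described in the abstract, as an added worked example that is not code from the thesis or its case system: a constructed RBAC policy (role to statement kind to tables) forms the first tier, and the second tier reduces both the developer's static query template and the runtime query to a parse-tree skeleton in which literals become leaves, rejecting any runtime query whose skeleton differs from the template. The tokenizer, the policy, the table names and the query template are all assumptions made for this illustration.

```python
import re

# Tier 1 policy, constructed for this example: role -> statement kind -> tables it may touch.
RBAC_POLICY = {
    "clerk": {"SELECT": {"customers", "orders"}},
    "admin": {"SELECT": {"customers", "orders", "users"}, "UPDATE": {"customers"}},
}
TABLE_INTRO = {"FROM", "JOIN", "UPDATE", "INTO"}

# Minimal SQL tokenizer: literals, words, comments, multi-char operators, and \S as a
# catch-all so that no character is silently dropped from the structure.
TOKEN_RE = re.compile(r"'(?:[^']|'')*'|\d+(?:\.\d+)?|[A-Za-z_]\w*|--[^\n]*|/\*.*?\*/|<>|<=|>=|!=|\S", re.S)

def structure(sql):
    """Reduce a query to its parse-tree skeleton: literals and '?' placeholders collapse to one
    leaf marker, keywords and identifiers are upper-cased, all other tokens are kept verbatim."""
    return ["?" if tok[0] in "'0123456789?" else tok.upper() for tok in TOKEN_RE.findall(sql)]

def tables_referenced(skeleton):
    """Table names are the identifiers that follow FROM/JOIN/UPDATE/INTO (simplified grammar)."""
    return {skeleton[i + 1].lower() for i, tok in enumerate(skeleton[:-1]) if tok in TABLE_INTRO}

def mediate(role, template, dynamic_sql):
    """Two-tier mediation of a runtime query. Returns (allowed, reason)."""
    dynamic_tree = structure(dynamic_sql)
    # Tier 1: fine-grained RBAC on the statement kind and the tables the query touches.
    allowed = RBAC_POLICY.get(role, {})
    kind = dynamic_tree[0] if dynamic_tree else ""
    if kind not in allowed:
        return False, f"tier1: role {role!r} may not run {kind}"
    extra = tables_referenced(dynamic_tree) - allowed[kind]
    if extra:
        return False, f"tier1: role {role!r} may not touch {sorted(extra)}"
    # Tier 2: the dynamic query must keep exactly the static structure of the developer's
    # template; injected input adds nodes (OR, comparison, comment) and is rejected.
    if structure(template) != dynamic_tree:
        return False, "tier2: parse-tree mismatch"
    return True, "allowed"

TEMPLATE = "SELECT id, balance FROM customers WHERE name = ? AND pin = ?"

def build_query(name, pin):
    """How the legacy application builds the query: string concatenation of untrusted input."""
    return f"SELECT id, balance FROM customers WHERE name = '{name}' AND pin = {pin}"

if __name__ == "__main__":
    for name, pin in [("Ama", "1234"), ("' OR '1'='1", "1234"), ("Ama", "1234 OR 1=1 --")]:
        print(mediate("clerk", TEMPLATE, build_query(name, pin)))
    print(mediate("clerk", "SELECT * FROM users", "SELECT * FROM users"))
```

The first query passes both tiers, the two tautology inputs pass the RBAC tier but fail the parse-tree comparison, and the query on `users` is stopped by the RBAC tier before the structural check runs.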
Description
Thesis submitted in partial fulfilment of the requirements for the award of Master of Information and Communications Technology, Durban University of Technology, Durban, South Africa, 2020.
DOI
https://doi.org/10.51415/10321/3668