Title: Server-side code injection attack detection based on Kullback-Leibler distance

Authors: Hossain Shahriar; Sarah M. North; YoonJi Lee; Roger Hu

Addresses: Department of Computer Science, Kennesaw State University, Kennesaw, Georgia 30144, USA ' Department of Computer Science, Kennesaw State University, Kennesaw, Georgia 30144, USA ' Department of Computer Science, Kennesaw State University, Kennesaw, Georgia 30144, USA ' Department of Computer Science, Kennesaw State University, Kennesaw, Georgia 30144, USA

Abstract: In this paper, we apply a well-known measure from information theory domain called Kullback-Leibler distance (or divergence) (KLD) to detect the symptoms of code injection attacks early during programme runtime. We take advantage of the observation that during code injection attack, the intended structure deviates from the expected structure. The KLD can be a suitable measure to capture the deviation. Our contribution includes the development of a server-side framework to compute KLD. In particular, we apply a smoothing algorithm to avoid the infinite KLD distance during attack detection stage. We evaluate our approach with three PHP applications having SQLI and XSS vulnerabilities. The initial results show that KLD can be an effective measurement technique to detect the occurrence of code injection attacks. The approach suffers from lower false positive and negative rates, and imposes negligible runtime overhead.

Keywords: Kullback-Leibler distance; KLD; code injection attack; web application security; information theory; cross-site scripting; XSS; SQL injection; server-side attack detection; network security.

DOI: 10.1504/IJITST.2014.065184

International Journal of Internet Technology and Secured Transactions, 2014 Vol.5 No.3, pp.240 - 261

Received: 04 Mar 2014
Accepted: 26 Jun 2014

Published online: 28 Oct 2014 *

Full-text access for editors Full-text access for subscribers Purchase this article Comment on this article