Please use this identifier to cite or link to this item:
Title: A combined approach of fine Role-Based Access Control and dynamic/static parse tree comparison to mediate SQL Injection Attacks within a selected West African case system and context
Authors: Dogbe, Evans 
Issue Date: 28-Apr-2020
Business legacy systems, when migrated to the Web, often face increased chances of Structured
Query Language (SQL) injection attacks; these attacks are compounded when this system lacks
proper security mechanisms and security training for its staff. This study seeks to determine
how the researcher’s new theory of amalgamating two established techniques for defence
namely; fine-grained Role-Based Access Control (RBAC) and static/dynamic parse tree
comparison; can be combined to form a single centralized defence in order to effectively
mitigate SQL injection attacks in a web-based environment, using a selected recently migrated
legacy system as an exemplar. This proposed defence first involves redefining existing RBAC
security to a fine-grained RBAC to act as the first tier of defence. Those queries, legitimate or
not, which successfully pass through the first tier are analysed by the second tier of defence
that is designed to both do a static and dynamic parse tree analysis and comparison of the
queries in order to identify legitimate queries from illegitimate queues. During the study, it was
discovered that the basic RBAC in control system and the fine grained RBAC could only
mitigate a fraction of the selected test cases and thereby generated a number of false positives
but no false negatives. However, those false positives were successfully identified and
mitigated by the second tier of static/dynamic parse tree comparison. As such the measurement
of performance using precision, recall and f-measure were determined in three cases namely
basic RBAC defence in control with 31% precision,100% recall and f-measure of 32%; Fine grained RBAC without dynamic parse tree comparism with 54% precision ,100% recall and fmeaure of 54% and hybrid defence of fine grained RBAC and dynamic parse tree comparism
with 100 % precision with a 100 % recall and f-measure of 100% with the test cases used in a
repeated experimentation. However extensive real-world testing might expose weaknesses not
observed during experimentation and such is the recommendation of the study. This entire approach is centralized in a security aspect in order to easily incorporate it into vulnerable
newly migrated legacy systems to the web which requires minimal training of security staff for
deployment. The hybrid was then tested using a case sample system that represents the West
African context of inadequate security mechanisms and poor staff training. Standard test cases
were used to test each defence tier in the hybrid as well as the individual tiers. This testing
detected and halted illegitimate SQL queues and demonstrated this aspect’s effectiveness and
suitability for the West African context.
Thesis submitted in partial fulfilment of the requirements for the award of Master of Information and Communications Technology, Durban University of Technology, Durban, South Africa, 2020.
Appears in Collections:Theses and dissertations (Accounting and Informatics)

Files in This Item:
File Description SizeFormat
DogbeE_2020.pdf3.75 MBAdobe PDFView/Open
Show full item record

Page view(s)

checked on Dec 2, 2021


checked on Dec 2, 2021

Google ScholarTM




Items in DSpace are protected by copyright, with all rights reserved, unless otherwise indicated.