Server-Side Code Injection Attack Detection Based on Kullback-Leibler Distance

Authors

Hossain Shahriar, Kennesaw State UniversityFollow
Sarah M. North, Kennesaw State UniversityFollow
Yoonji Lee
Roger Hu

Department

Computer Science

Document Type

Article

Publication Date

2014

Abstract

In this paper, we apply a well-known measure from information theory domain called Kullback-Leibler distance (or divergence) (KLD) to detect the symptoms of code injection attacks early during programme runtime. We take advantage of the observation that during code injection attack, the intended structure deviates from the expected structure. The KLD can be a suitable measure to capture the deviation. Our contribution includes the development of a server-side framework to compute KLD. In particular, we apply a smoothing algorithm to avoid the infinite KLD distance during attack detection stage. We evaluate our approach with three PHP applications having SQLI and XSS vulnerabilities. The initial results show that KLD can be an effective measurement technique to detect the occurrence of code injection attacks. The approach suffers from lower false positive and negative rates, and imposes negligible runtime overhead.

Journal Title

International Journal of Internet Technology and Secured Transactions

Journal ISSN

1748-5703

Volume

5

Issue

3

First Page

240

Last Page

261

Digital Object Identifier (DOI)

10.1504/14.65184