Skip to main content
SpringerLink
Log in

Malware Detection and Prevention in RFID Systems

  • Chapter
Book cover Internet of Things and Inter-cooperative Computational Technologies for Collective Intelligence

Part of the book series: Studies in Computational Intelligence ((SCI,volume 460))

  • 2157 Accesses

Abstract

The threat that malware poses to RFID systems was identified only recently. Fortunately, all currently known RFID malware is based on SQLIA. Therefore, in this chapter we propose a dual pronged, tag based SQLIA detection and prevention method optimized for RFID systems. The first technique is a SQL query matching approach that uses simple string comparisons and provides strong security against a majority of the SQLIA types possible on RFID systems. To provide security against second order SQLIA, which is a major gap in the current literature, we also propose a tag data validation and sanitization technique. The preliminary evaluation of our query matching technique is very promising, showing 100% detection rates and 0% false positives for all attacks other than second order injection.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 129.00
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 169.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info
Hardcover Book
USD 169.99
Price excludes VAT (USA)
  • Durable hardcover edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Rieback, M., Simpson, P., Crispo, B., Tanenbaum, A.: RFID malware: Design principles and examples. Pervasive and Mobile Computing 2(4), 405–426 (2006)

    Article  Google Scholar 

  2. Fernando, H., Abawajy, J.: Securing RFID Systems from SQLIA. In: Xiang, Y., Cuzzocrea, A., Hobbs, M., Zhou, W. (eds.) ICA3PP 2011, Part II. LNCS, vol. 7017, pp. 245–254. Springer, Heidelberg (2011)

    Chapter  Google Scholar 

  3. Amirtahmasebi, K., Jalalinia, S.R., Khadem, S.: A survey of SQL injection defense mechanisms. In: 6th International Conference for Internet Technology and Secured Transactions, London, UK, November 9-12, pp. 1–8. IEEE (2009)

    Google Scholar 

  4. Schuster, E.W., Allen, S.J., Brock, D.L.: Global RFID. Springer, Berlin (2007)

    Google Scholar 

  5. Kindy, D.A., Pathan, A.K.: A survey on SQL injection: Vulnerabilities, attacks, and prevention techniques. In: IEEE 15th International Symposium on Consumer Electronics (ISCE), Singapore, June 14-17, pp. 468–471 (2011)

    Google Scholar 

  6. Halfond, W., Viegas, J., Orso, A.: A classification of SQL-injection attacks and countermeasures. In: International Symposium on Secure Software Engineering. Citeseer (2006)

    Google Scholar 

  7. Rieback, M., Tanenbaum, A., Crispo, B.: RFID Malware: Truth vs. Myth. IEEE Security and Privacy 4(4), 70–72 (2006)

    Article  Google Scholar 

  8. Suliman, A., Shankarapani, M., Mukkamala, S., Sung, A.: RFID malware fragmentation attacks. In: International Symposium on Collaborative Technologies and Systems, Irvine, CA, pp. 533–539. IEEE (2008)

    Google Scholar 

  9. Fernando, H., Abawajy, J.: A RFID Architecture Framework for Global Supply Chain Applications. In: 11th International Conference on Information Integration and Web-based Application and Services, Kular Lampur, Malaysia. ACM (2009)

    Google Scholar 

  10. Brabrand, C., Møller, A., Ricky, M., Schwartzbach, M.I.: Powerforms: Declarative client-side form field validation. World Wide Web 3(4), 205–214 (2000)

    Article  MATH  Google Scholar 

  11. McClure, R.A., Krüger, I.H.: SQL DOM: compile time checking of dynamic SQL statements. In: 27th International Conference on Software Engineering, Missouri, USA, pp. 88–96. ACM (2005)

    Google Scholar 

  12. Valeur, F., Mutz, D., Vigna, G.: A Learning-Based Approach to the Detection of SQL Attacks. In: Julisch, K., Kruegel, C. (eds.) DIMVA 2005. LNCS, vol. 3548, pp. 123–140. Springer, Heidelberg (2005)

    Chapter  Google Scholar 

  13. Boyd, S.W., Keromytis, A.D.: SQLrand: Preventing SQL Injection Attacks. In: Jakobsson, M., Yung, M., Zhou, J. (eds.) ACNS 2004. LNCS, vol. 3089, pp. 292–302. Springer, Heidelberg (2004)

    Chapter  Google Scholar 

  14. Wassermann, G., Su, Z.: An analysis framework for security in Web applications. In: First FSE Workshop on Specification and Verification of Component-Based Systems, p. 70 (2004)

    Google Scholar 

  15. Gould, C., Su, Z., Devanbu, P.: JDBC checker: A static analysis tool for SQL/JDBC applications. In: 26th International Conference on Software Engineering, pp. 697–698. IEEE (2004)

    Google Scholar 

  16. Halfond, W.G.J., Orso, A.: AMNESIA: analysis and monitoring for NEutralizing SQL-injection attacks. In: 3rd International ICSE Workshop on Dynamic Analysis, MO, USA, pp. 174–183. ACM (2005)

    Google Scholar 

  17. Buehrer, G., Weide, B.W., Sivilotti, P.A.G.: Using parse tree validation to prevent SQL injection attacks. In: International Conference on Software Engineering and Middleware, pp. 106–113. ACM (2005)

    Google Scholar 

  18. Su, Z., Wassermann, G.: The essence of command injection attacks in web applications. In: 33rd Annual Symposium on Principles of Programming Languages, pp. 372–382. ACM (January 2006)

    Google Scholar 

  19. Sulaiman, A., Mukkamala, S., Sung, A.: SQL infections through RFID. Journal in Computer Virology 4(4), 347–356 (2008)

    Article  Google Scholar 

  20. Zhang, Q., Wang, X.: SQL Injections through Back-End of RFID System. In: International Symposium on Computer Network and Multimedia Technology, pp. 1–4. IEEE (2009)

    Google Scholar 

  21. Kyaw, A.K.: Digital Forensics in small devices: RFID tag investigation. AUT University, Auckland (2011)

    Google Scholar 

  22. Das, D., Sharma, U., Bhattacharyya, D.: An Approach to Detection of SQL Injection Vulnerabilities Based on Dynamic Query Matching. International Journal of Computer Applications IJCA 1(25), 39–45 (2010)

    Article  Google Scholar 

  23. Gould, C., Su, Z., Devanbu, P.: Static checking of dynamically generated queries in database applications. In: 26th International Conference on Software Engineering (2004)

    Google Scholar 

  24. Bisht, P., Madhusudan, P., Venkatakrishnan, V.N.: CANDID: Dynamic candidate evaluations for automatic prevention of SQL injection attacks. ACM Transactions on Information Systems Security 13(2), 1–39 (2010), doi:10.1145/1698750.1698754

    Article  Google Scholar 

  25. McClure, R.A., Kruger, I.H.: SQL DOM: compile time checking of dynamic SQL statements. In: 27th International Conference on Software Engineering, May 15-21, pp. 88–96 (2005)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Deakin University, Geelong, Australia

    Harinda Fernando & Jemal Abawajy

Authors
  1. Harinda Fernando
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Jemal Abawajy
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Harinda Fernando .

Editor information

Editors and Affiliations

  1. , School Of Computer Science, University of Derby, Derby, DE22 1GB, United Kingdom

    Nik Bessis

  2. , Departament De Llenguatges I, Universitat Politècnica De Catalunya, C/Jordi Girona, Campus Nord, ed. Omega 1-3, Barcelona, 08034, Spain

    Fatos Xhafa

  3. School Of Electrical & Computer Engineer, Division Of Communication,, National Technical University Of Athens, Iroon Polytechniou 9, Athens, 15780, Greece

    Dora Varvarigou

  4. School Of Computer Science, and Mathematics, University of Derby, Kedleston Road, Derby, DE22 1GB, United Kingdom

    Richard Hill

  5. School Of Engineering And Design, Department Of Electronic And, Brunel University, Middlesex, Uxbridge, UB8 3PH, United Kingdom

    Maozhen Li

Rights and permissions

Reprints and permissions

Copyright information

© 2013 Springer-Verlag Berlin Heidelberg

About this chapter

Cite this chapter

Fernando, H., Abawajy, J. (2013). Malware Detection and Prevention in RFID Systems. In: Bessis, N., Xhafa, F., Varvarigou, D., Hill, R., Li, M. (eds) Internet of Things and Inter-cooperative Computational Technologies for Collective Intelligence. Studies in Computational Intelligence, vol 460. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-34952-2_6

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-34952-2_6

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-34951-5

  • Online ISBN: 978-3-642-34952-2

  • eBook Packages: EngineeringEngineering (R0)

Publish with us

Policies and ethics

Search

Navigation