Visible to the public Biblio

Found 1012 results

Filters: First Letter Of Title is C  [Clear All Filters]
A B [C] D E F G H I J K L M N O P Q R S T U V W X Y Z   [Show ALL]
Zhu, Suwen, Lu, Long, Singh, Kapil.  2016.  CASE: Comprehensive Application Security Enforcement on COTS Mobile Devices. Proceedings of the 14th Annual International Conference on Mobile Systems, Applications, and Services. :375–386.

Without violating existing app security enforcement, malicious modules inside apps, such as a library or an external class, can steal private data and abuse sensitive capabilities meant for other modules inside the same apps. These so-called "module-level attacks" are quickly emerging, fueled by the pervasive use of third-party code in apps and the lack of module-level security enforcement on mobile platforms. To systematically thwart the threats, we build CASE, an automatic app patching tool used by app developers to enable module-level security in their apps built for COTS Android devices. During runtime, patched apps enforce developer-supplied security policies that regulate interactions among modules at the granularity of a Java class. Requiring no changes or special support from the Android OS, the enforcement is complete in covering inter-module crossings in apps and is robust against malicious Java and native app modules. We evaluate CASE with 420 popular apps and a set of Android's unit tests. The results show that CASE is fully compatible with the tested apps and incurs an average performance overhead of 4.9%.

Manson, Daniel, Pike, Ronald.  2014.  The Case for Depth in Cybersecurity Education. ACM Inroads. 5:47–52.

In his book Outliers, Malcom Gladwell describes the 10,000-Hour Rule, a key to success in any field, as simply a matter of practicing a specific task that can be accomplished with 20 hours of work a week for 10 years [10]. Ongoing changes in technology and national security needs require aspiring excellent cybersecurity professionals to set a goal of 10,000 hours of relevant, hands-on skill development. The education system today is ill prepared to meet the challenge of producing an adequate number of cybersecurity professionals, but programs that use competitions and learning environments that teach depth are filling this void.


Noor, Joseph, Ali-Eldin, Ahmed, Garcia, Luis, Rao, Chirag, Dasari, Venkat R., Ganesan, Deepak, Jalaian, Brian, Shenoy, Prashant, Srivastava, Mani.  2019.  The Case for Robust Adaptation: Autonomic Resource Management is a Vulnerability. MILCOM 2019 - 2019 IEEE Military Communications Conference (MILCOM). :821–826.
Autonomic resource management for distributed edge computing systems provides an effective means of enabling dynamic placement and adaptation in the face of network changes, load dynamics, and failures. However, adaptation in-and-of-itself offers a side channel by which malicious entities can extract valuable information. An attacker can take advantage of autonomic resource management techniques to fool a system into misallocating resources and crippling applications. Using a few scenarios, we outline how attacks can be launched using partial knowledge of the resource management substrate - with as little as a single compromised node. We argue that any system that provides adaptation must consider resource management as an attack surface. As such, we propose ADAPT2, a framework that incorporates concepts taken from Moving-Target Defense and state estimation techniques to ensure correctness and obfuscate resource management, thereby protecting valuable system and application information from leaking.
Levy, Amit, Campbell, Bradford, Ghena, Branden, Pannuto, Pat, Dutta, Prabal, Levis, Philip.  2017.  The Case for Writing a Kernel in Rust. Proceedings of the 8th Asia-Pacific Workshop on Systems. :1:1–1:7.

An operating system kernel written in the Rust language would have extremely fine-grained isolation boundaries, have no memory leaks, and be safe from a wide range of security threats and memory bugs. Previous efforts towards this end concluded that writing a kernel requires changing Rust. This paper reaches a different conclusion, that no changes to Rust are needed and a kernel can be implemented with a very small amount of unsafe code. It describes how three sample kernel mechanisms–-DMA, USB, and buffer caches–-can be built using these abstractions.

Schroeder, Bianca.  2016.  Case Studies from the Real World: The Importance of Measurement and Analysis in Building Better Systems. Proceedings of the 7th ACM/SPEC on International Conference on Performance Engineering. :1–1.

At the core of the "Big Data" revolution lie frameworks and systems that allow for the massively parallel processing of large amounts of data. Ironically, while they have been designed for processing large amounts of data, these systems are at the same time major producers of data: to support the administration and management of these huge-scale systems, they are configured to generate detailed log and monitoring data, periodically capturing the system state across all nodes, components and jobs in the system. While such logging information is used routinely by sysadmins for ad-hoc trouble-shooting and problem diagnosis, we point out that there is a tremendous value in analyzing such data from a research point of view. In this talk, we will go over several case studies that demonstrate how measuring and analyzing measurement data from production systems can provide new insights into how systems work and fail, and how these new insights can help in designing better systems.

Zhao, Jianfeng.  2018.  Case Study: Discovering Hardware Trojans Based on Model Checking. Proceedings of the 8th International Conference on Communication and Network Security. :64–68.

Hardware Trojan may cause changes in system functions, system information leakage, and system damage or system paralysis. According to the hardware Trojan classification method, this paper discusses the hardware Trojan that belongs to the design stage, the behavior level description, the internal trigger, and it changes the function of processor, it is a hardware Trojan of combinational logic. The domestic and foreign research institutions put forward a variety of methods for the detection of hardware Trojans. In this paper, based on the open source processor OR1200 RTL source code, Aiming at a kind of hardware Trojan, which is composed of combinational logic trigger, one of the formal methods, the model checking technique, is used to detect the hardware Trojan. The experiment uses the open source EBMC model detection tool, uses the RTL source code as the model input, and uses SVA to describe the property input. The experimental results show that the model checking technique can be used as an effective hardware Trojan detection method.

Erdem, Ö, Turan, M..  2017.  A Case Study for Automatic Detection of Steganographic Images in Network Traffic. 2017 10th International Conference on Electrical and Electronics Engineering (ELECO). :885–889.

Detection and prevention of data breaches in corporate networks is one of the most important security problems of today's world. The techniques and applications proposed for solution are not successful when attackers attempt to steal data using steganography. Steganography is the art of storing data in a file called cover, such as picture, sound and video. The concealed data cannot be directly recognized in the cover. Steganalysis is the process of revealing the presence of embedded messages in these files. There are many statistical and signature based steganalysis algorithms. In this work, the detection of steganographic images with steganalysis techniques is reviewed and a system has been developed which automatically detects steganographic images in network traffic by using open source tools.

Wilson, Rodney, Chi, Hongmei.  2017.  A Case Study for Mobile Device Forensics Tools. Proceedings of the SouthEast Conference. :154–157.
Smartphones have become a prominent part of our technology driven world. When it comes to uncovering, analyzing and submitting evidence in today's criminal investigations, mobile phones play a more critical role. Thus, there is a strong need for software tools that can help investigators in the digital forensics field effectively analyze smart phone data to solve crimes. This paper will accentuate how digital forensic tools assist investigators in getting data acquisition, particularly messages, from applications on iOS smartphones. In addition, we will lay out the framework how to build a tool for verifying data integrity for any digital forensics tool.
Formby, David, Walid, Anwar, Beyah, Raheem.  2017.  A Case Study in Power Substation Network Dynamics. Proceedings of the 2017 ACM SIGMETRICS / International Conference on Measurement and Modeling of Computer Systems. :66–66.

The modern world is becoming increasingly dependent on computing and communication technology to function, but unfortunately its application and impact on areas such as critical infrastructure and industrial control system (ICS) networks remains to be thoroughly studied. Significant research has been conducted to address the myriad security concerns in these areas, but they are virtually all based on artificial testbeds or simulations designed on assumptions about their behavior either from knowledge of traditional IT networking or from basic principles of ICS operation. In this work, we provide the most detailed characterization of an example ICS to date in order to determine if these common assumptions hold true. A live power distribution substation is observed over the course of two and a half years to measure its behavior and evolution over time. Then, a horizontal study is conducted that compared this behavior with three other substations from the same company. Although most predictions were found to be correct, some unexpected behavior was observed that highlights the fundamental differences between ICS and IT networks including round trip times dominated by processing speed as opposed to network delay, several well known TCP features being largely irrelevant, and surprisingly large jitter from devices running real-time operating systems. The impact of these observations is discussed in terms of generality to other embedded networks, network security applications, and the suitability of the TCP protocol for this environment.

K. P. B. Anushka, Chamantha, A. P. Karunaweera, P. R. Priyashantha, H. D. R. Wickramasinghe, W. A. V. M. G. Wijethunge.  2015.  "Case study on exploitation, detection and prevention of user account DoS through Advanced Persistent Threats". 2015 Fifteenth International Conference on Advances in ICT for Emerging Regions (ICTer). :190-194.

Security analysts implement various security mechanisms to protect systems from attackers. Even though these mechanisms try to secure systems, a talented attacker may use these same techniques to launch a sophisticated attack. This paper discuss about such an attack called as user account Denial of Service (DoS) where an attacker uses user account lockout features of the application to lockout all user accounts causing an enterprise wide DoS. The attack has being simulated usingastealthy attack mechanism called as Advanced Persistent Threats (APT) using a XMPP based botnet. Through the simulation, researchers discuss about the patterns associated with the attack which can be used to detect the attack in real time and how the attack can be prevented from the perspective of developers, system engineers and security analysts.

Konstantinou, Charalambos, Maniatakos, Michail.  2016.  A Case Study on Implementing False Data Injection Attacks Against Nonlinear State Estimation. Proceedings of the 2Nd ACM Workshop on Cyber-Physical Systems Security and Privacy. :81–92.

Smart grid aims to improve control and monitoring routines to ensure reliable and efficient supply of electricity. The rapid advancements in information and communication technologies of Supervisory Control And Data Acquisition (SCADA) networks, however, have resulted in complex cyber physical systems. This added complexity has broadened the attack surface of power-related applications, amplifying their susceptibility to cyber threats. A particular class of system integrity attacks against the smart grid is False Data Injection (FDI). In a successful FDI attack, an adversary compromises the readings of grid sensors in such a way that errors introduced into estimates of state variables remain undetected. This paper presents an end-to-end case study of how to instantiate real FDI attacks to the Alternating Current (AC) –nonlinear– State Estimation (SE) process. The attack is realized through firmware modifications of the microprocessor-based remote terminal systems, falsifying the data transmitted to the SE routine, and proceeds regardless of perfect or imperfect knowledge of the current system state. The case study concludes with an investigation of an attack on the IEEE 14 bus system using load data from the New York Independent System Operator (NYISO).

Trescak, Tomas, Bogdanovych, Anton.  2017.  Case-Based Planning for Large Virtual Agent Societies. Proceedings of the 23rd ACM Symposium on Virtual Reality Software and Technology. :33:1–33:10.
In this paper we discuss building large scale virtual reality reconstructions of historical heritage sites and populating it with crowds of virtual agents. Such agents are capable of performing complex actions, while respecting the cultural and historical accuracy of agent behaviour. In many commercial video games such agents either have very limited range of actions (resulting primitive behaviour) or are manually designed (resulting high development costs). In contrast, we follow the principles of automatic goal generation and automatic planning. Automatic goal generation in our approach is achieved through simulating agent needs and then producing a goal in response to those needs that require satisfaction. Automatic planning refers to techniques that are concerned with producing sequences of actions that can successfully change the state of an agent to the state where its goals are satisfied. Classical planning algorithms are computationally costly and it is difficult to achieve real-time performance for our problem domain with those. We explain how real-time performance can be achieved with Case-Based Planning, where agents build plan libraries and learn how to reuse and combine existing plans to archive their dynamically changing goals. We illustrate the novelty of our approach, its complexity and associated performance gains through a case-study focused on developing a virtual reality reconstruction of an ancient Mesopotamian settlement in 5000 B.C.
Tiwari, Trishita, Trachtenberg, Ari.  2018.  Cashing in on the File-System Cache. Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. :2303-2305.

We consider the disk cache (file-system cache) information channel, and show how it can be exploited on various systems to yield potentially sensitive information. Our approach can be used locally by an unprivileged adversary to detect whether another user is writing to disk, and if so, the rate at which data is being written. Further, we also show how an attacker can detect whether specific files have been recently accessed by the victim. We then extend this attack to remote access through a web server, using timing analysis to identify recent access of chosen pages.

Wu, Rongxin, Xiao, Xiao, Cheung, Shing-Chi, Zhang, Hongyu, Zhang, Charles.  2016.  Casper: An Efficient Approach to Call Trace Collection. Proceedings of the 43rd Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages. :678–690.

Call traces, i.e., sequences of function calls and returns, are fundamental to a wide range of program analyses such as bug reproduction, fault diagnosis, performance analysis, and many others. The conventional approach to collect call traces that instruments each function call and return site incurs large space and time overhead. Our approach aims at reducing the recording overheads by instrumenting only a small amount of call sites while keeping the capability of recovering the full trace. We propose a call trace model and a logged call trace model based on an LL(1) grammar, which enables us to define the criteria of a feasible solution to call trace collection. Based on the two models, we prove that to collect call traces with minimal instrumentation is an NP-hard problem. We then propose an efficient approach to obtaining a suboptimal solution. We implemented our approach as a tool Casper and evaluated it using the DaCapo benchmark suite. The experiment results show that our approach causes significantly lower runtime (and space) overhead than two state-of-the-arts approaches.

Santos, J. C. S., Tarrit, K., Mirakhorli, M..  2017.  A Catalog of Security Architecture Weaknesses. 2017 IEEE International Conference on Software Architecture Workshops (ICSAW). :220–223.

Secure by design is an approach to developing secure software systems from the ground up. In such approach, the alternate security tactics are first thought, among them, the best are selected and enforced by the architecture design, and then used as guiding principles for developers. Thus, design flaws in the architecture of a software system mean that successful attacks could result in enormous consequences. Therefore, secure by design shifts the main focus of software assurance from finding security bugs to identifying architectural flaws in the design. Current research in software security has been neglecting vulnerabilities which are caused by flaws in a software architecture design and/or deteriorations of the implementation of the architectural decisions. In this paper, we present the concept of Common Architectural Weakness Enumeration (CAWE), a catalog which enumerates common types of vulnerabilities rooted in the architecture of a software and provides mitigation techniques to address them. The CAWE catalog organizes the architectural flaws according to known security tactics. We developed an interactive web-based solution which helps designers and developers explore this catalog based on architectural choices made in their project. CAWE catalog contains 224 weaknesses related to security architecture. Through this catalog, we aim to promote the awareness of security architectural flaws and stimulate the security design thinking of developers, software engineers, and architects.

Quan Jia, Huangxin Wang, Fleck, D., Fei Li, Stavrou, A., Powell, W..  2014.  Catch Me If You Can: A Cloud-Enabled DDoS Defense. Dependable Systems and Networks (DSN), 2014 44th Annual IEEE/IFIP International Conference on. :264-275.

We introduce a cloud-enabled defense mechanism for Internet services against network and computational Distributed Denial-of-Service (DDoS) attacks. Our approach performs selective server replication and intelligent client re-assignment, turning victim servers into moving targets for attack isolation. We introduce a novel system architecture that leverages a "shuffling" mechanism to compute the optimal re-assignment strategy for clients on attacked servers, effectively separating benign clients from even sophisticated adversaries that persistently follow the moving targets. We introduce a family of algorithms to optimize the runtime client-to-server re-assignment plans and minimize the number of shuffles to achieve attack mitigation. The proposed shuffling-based moving target mechanism enables effective attack containment using fewer resources than attack dilution strategies using pure server expansion. Our simulations and proof-of-concept prototype using Amazon EC2 [1] demonstrate that we can successfully mitigate large-scale DDoS attacks in a small number of shuffles, each of which incurs a few seconds of user-perceived latency.

Fraunholz, Daniel, Krohmer, Daniel, Duque Anton, Simon, Schotten, Hans Dieter.  2018.  Catch Me If You Can: Dynamic Concealment of Network Entities. Proceedings of the 5th ACM Workshop on Moving Target Defense. :31–39.
In this paper, a framework for Moving Target Defense is introduced. This framework bases on three pillars: network address mutation, communication stack randomization and the dynamic deployment of decoys. The network address mutation is based on the concept of domain generation algorithms, where different features are included to fulfill the system requirements. Those requirements are time dependency, unpredictability and determinism. Communication stack randomization is applied additionally to increase the complexity of reconnaissance activity. By employing communication stack randomization, previously fingerprinted systems do not only differ in the network address but also in their communication pattern behavior. And finally, decoys are integrated into the proposed framework to detect attackers that have breached the perimeter. Furthermore, attacker's resources can be bound by interacting with the decoy systems. Additionally, the framework can be extended with more advanced Moving Target Defense methods such as obscuring port numbers of services.
Rastogi, V., Yan Chen, Xuxian Jiang.  2014.  Catch Me If You Can: Evaluating Android Anti-Malware Against Transformation Attacks. Information Forensics and Security, IEEE Transactions on. 9:99-108.

Mobile malware threats (e.g., on Android) have recently become a real concern. In this paper, we evaluate the state-of-the-art commercial mobile anti-malware products for Android and test how resistant they are against various common obfuscation techniques (even with known malware). Such an evaluation is important for not only measuring the available defense against mobile malware threats, but also proposing effective, next-generation solutions. We developed DroidChameleon, a systematic framework with various transformation techniques, and used it for our study. Our results on 10 popular commercial anti-malware applications for Android are worrisome: none of these tools is resistant against common malware transformation techniques. In addition, a majority of them can be trivially defeated by applying slight transformation over known malware with little effort for malware authors. Finally, in light of our results, we propose possible remedies for improving the current state of malware detection on mobile devices.

Tabiban, Azadeh, Jarraya, Yosr, Zhang, Mengyuan, Pourzandi, Makan, Wang, Lingyu, Debbabi, Mourad.  2020.  Catching Falling Dominoes: Cloud Management-Level Provenance Analysis with Application to OpenStack. 2020 IEEE Conference on Communications and Network Security (CNS). :1—9.

The dynamicity and complexity of clouds highlight the importance of automated root cause analysis solutions for explaining what might have caused a security incident. Most existing works focus on either locating malfunctioning clouds components, e.g., switches, or tracing changes at lower abstraction levels, e.g., system calls. On the other hand, a management-level solution can provide a big picture about the root cause in a more scalable manner. In this paper, we propose DOMINOCATCHER, a novel provenance-based solution for explaining the root cause of security incidents in terms of management operations in clouds. Specifically, we first define our provenance model to capture the interdependencies between cloud management operations, virtual resources and inputs. Based on this model, we design a framework to intercept cloud management operations and to extract and prune provenance metadata. We implement DOMINOCATCHER on OpenStack platform as an attached middleware and validate its effectiveness using security incidents based on real-world attacks. We also evaluate the performance through experiments on our testbed, and the results demonstrate that DOMINOCATCHER incurs insignificant overhead and is scalable for clouds.

Alrwais, Sumayah, Yuan, Kan, Alowaisheq, Eihal, Liao, Xiaojing, Oprea, Alina, Wang, XiaoFeng, Li, Zhou.  2016.  Catching Predators at Watering Holes: Finding and Understanding Strategically Compromised Websites. Proceedings of the 32Nd Annual Conference on Computer Security Applications. :153–166.

Unlike a random, run-of-the-mill website infection, in a strategic web attack, the adversary carefully chooses the target frequently visited by an organization or a group of individuals to compromise, for the purpose of gaining a step closer to the organization or collecting information from the group. This type of attacks, called "watering hole", have been increasingly utilized by APT actors to get into the internal networks of big companies and government agencies or monitor politically oriented groups. With its importance, little has been done so far to understand how the attack works, not to mention any concrete step to counter this threat. In this paper, we report our first step toward better understanding this emerging threat, through systematically discovering and analyzing new watering hole instances and attack campaigns. This was made possible by a carefully designed methodology, which repeatedly monitors a large number potential watering hole targets to detect unusual changes that could be indicative of strategic compromises. Running this system on the HTTP traffic generated from visits to 61K websites for over 5 years, we are able to discover and confirm 17 watering holes and 6 campaigns never reported before. Given so far there are merely 29 watering holes reported by blogs and technical reports, the findings we made contribute to the research on this attack vector, by adding 59% more attack instances and information about how they work to the public knowledge. Analyzing the new watering holes allows us to gain deeper understanding of these attacks, such as repeated compromises of political websites, their long lifetimes, unique evasion strategy (leveraging other compromised sites to serve attack payloads) and new exploit techniques (no malware delivery, web only information gathering). Also, our study brings to light interesting new observations, including the discovery of a recent JSONP attack on an NGO website that has been widely reported and apparently forced the attack to stop.

Sachdeva, A., Kapoor, R., Sharma, A., Mishra, A..  2017.  Categorical Classification and Deletion of Spam Images on Smartphones Using Image Processing and Machine Learning. 2017 International Conference on Machine Learning and Data Science (MLDS). :23–30.

We regularly use communication apps like Facebook and WhatsApp on our smartphones, and the exchange of media, particularly images, has grown at an exponential rate. There are over 3 billion images shared every day on Whatsapp alone. In such a scenario, the management of images on a mobile device has become highly inefficient, and this leads to problems like low storage, manual deletion of images, disorganization etc. In this paper, we present a solution to tackle these issues by automatically classifying every image on a smartphone into a set of predefined categories, thereby segregating spam images from them, allowing the user to delete them seamlessly.

Al-Dhaqm, A., Razak, S. A., Dampier, D. A., Choo, K. R., Siddique, K., Ikuesan, R. A., Alqarni, A., Kebande, V. R..  2020.  Categorization and Organization of Database Forensic Investigation Processes. IEEE Access. 8:112846—112858.
Database forensic investigation (DBFI) is an important area of research within digital forensics. It's importance is growing as digital data becomes more extensive and commonplace. The challenges associated with DBFI are numerous, and one of the challenges is the lack of a harmonized DBFI process for investigators to follow. In this paper, therefore, we conduct a survey of existing literature with the hope of understanding the body of work already accomplished. Furthermore, we build on the existing literature to present a harmonized DBFI process using design science research methodology. This harmonized DBFI process has been developed based on three key categories (i.e. planning, preparation and pre-response, acquisition and preservation, and analysis and reconstruction). Furthermore, the DBFI has been designed to avoid confusion or ambiguity, as well as providing practitioners with a systematic method of performing DBFI with a higher degree of certainty.
Kushal, T. R. B., Gao, Z., Wang, J., Illindala, M. S..  2020.  Causal Chain of Time Delay Attack on Synchronous Generator Control. 2020 IEEE Power Energy Society General Meeting (PESGM). :1—5.

Wide integration of information and communication technology (ICT) in modern power grids has brought many benefits as well as the risk of cyber attacks. A critical step towards defending grid cyber security is to understand the cyber-physical causal chain, which describes the progression of intrusion in cyber-space leading to the formation of consequences on the physical power grid. In this paper, we develop an attack vector for a time delay attack at load frequency control in the power grid. Distinct from existing works, which are separately focused on cyber intrusion, grid response, or testbed validation, the proposed attack vector for the first time provides a full cyber-physical causal chain. It targets specific vulnerabilities in the protocols, performs a denial-of-service (DoS) attack, induces the delays in control loop, and destabilizes grid frequency. The proposed attack vector is proved in theory, presented as an attack tree, and validated in an experimental environment. The results will provide valuable insights to develop security measures and robust controls against time delay attacks.

Zhang, Hao, Yao, Danfeng(Daphne), Ramakrishnan, Naren.  2016.  Causality-based Sensemaking of Network Traffic for Android Application Security. Proceedings of the 2016 ACM Workshop on Artificial Intelligence and Security. :47–58.

Malicious Android applications pose serious threats to mobile security. They threaten the data confidentiality and system integrity on Android devices. Monitoring runtime activities serves as an important technique for analyzing dynamic app behaviors. We design a triggering relation model for dynamically analyzing network traffic on Android devices. Our model enables one to infer the dependency of outbound network requests from the device. We describe a new machine learning approach for discovering the dependency of network requests. These request-level dependence relations are used to detect stealthy malware activities. Malicious requests are identified due to the lack of dependency with legitimate triggers. Our prototype is evaluated on 14GB network traffic data and system logs collected from an Android tablet. Experimental results show that our solution achieves a high accuracy (99.1%) in detecting malicious requests sent from new malicious apps.

Mavromoustakos, Stephanos, Patel, Aakash, Chaudhary, Kinjal, Chokshi, Parth, Patel, Shaili.  2016.  Causes and Prevention of SQL Injection Attacks in Web Applications. Proceedings of the 4th International Conference on Information and Network Security. :55–59.

SQL injection is one of the major threats to the security of the web applications. Attackers try to gain unauthorized access to the database, which has vital and private information of the users. Many researchers have provided various techniques and practices to protect the web applications from attackers. There is a plethora of techniques available to perform SQL injection and usually not everyone is familiar with every attack. Hence, this kind of attack is still the most prevalent. In this paper, we have presented the types of SQL injections attacks and most dominant ways to prevent them.