Machine Learning Blunts the Needle of Advanced SQL Injections
Abstract
SQL injection is one of the most popular and serious information security threats. By exploiting database vulnerabilities, attackers may get access to sensitive data or enable compromised computers to conduct further network attacks. Our research is focused on applying machine learning approaches to the identification of injection characteristics in the HTTP query string. We compare results from a rule-based Intrusion Detection System, Support Vector Machines, a Multilayer Perceptron, a Neural Network with Dropout layers, and Deep Sequential Models (Long Short-Term Memory and Gated Recurrent Units), using multiple string analysis, bag-of-words techniques, and word embedding for query string vectorization. Results proved the benefits of applying a machine learning approach for detecting malicious patterns in the HTTP query string.
MENDEL open access articles are normally published under a Creative Commons Attribution-NonCommercial-ShareAlike (CC BY-NC-SA 4.0) license, https://creativecommons.org/licenses/by-nc-sa/4.0/. Under the CC BY-NC-SA 4.0 license, permitted third-party reuse is only applicable for non-commercial purposes. Articles posted under the CC BY-NC-SA 4.0 license allow users to share, copy, and redistribute the material in any medium or format, and adapt, remix, transform, and build upon the material for any purpose. Reusing under the CC BY-NC-SA 4.0 license requires that appropriate attribution to the source of the material be included along with a link to the license, with any changes made to the original material indicated.