SQL Injection Attack classification through the feature extraction of SQL query strings using a Gap-Weighted String Subsequence Kernel

Abstract SQL Injection Attacks are one of the most common methods behind data security breaches. Previous research has attempted to produce viable detection solutions in order to filter SQL Injection Attacks from regular queries. Unfortunately, it has proven to be a challenging problem, with many solutions suffering from disadvantages such as being unable to run in real time as a preventative measure, a lack of adaptability to differing types of attack, and the requirement for access to difficult-to-obtain information about the source application. This paper presents a novel solution that classifies SQL queries purely on the features of the initial query string. A Gap-Weighted String Subsequence Kernel algorithm is implemented to identify subsequences of shared characters between query strings and output a similarity metric. Finally, a Support Vector Machine is trained on the similarity metrics between known query strings, which is then used to classify unknown test queries. Because all feature data is gathered from the query strings, additional information from the source application is not required. The probabilistic nature of the learned models allows the solution to adapt to new threats whilst in operation. The proposed solution is evaluated using a number of test datasets derived from the Amnesia testbed datasets. The demonstration software achieved 97.07% accuracy for Select type queries and 92.48% accuracy for Insert type queries. This limited success rate is due to unsanitized quotation marks within legitimate inputs confusing the feature extraction. Using a test dataset that denies legitimate queries the use of unsanitized quotation marks, the Select and Insert query accuracy rose.
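The pipeline the abstract describes, as an added example (this is not the paper's demonstration software and the paper's hyper-parameters are not reproduced here): a gap-weighted string subsequence kernel computed with the standard dynamic programme for this kernel (Lodhi et al.), cosine-normalised so that query length does not dominate, and a kernel nearest-centroid classifier standing in for the paper's SVM so that the example runs on the standard library alone. The subsequence length `SUBSEQ_LEN = 3`, the decay `DECAY = 0.5`, and the training queries are all assumptions made for this example; the queries are constructed, not taken from the AMNESIA testbed. The last query printed carries a doubled quotation mark in a legitimate input, the situation the abstract identifies as confusing the feature extraction, so its distances to both centroids are shown rather than only a label.

```python
"""Gap-weighted string subsequence kernel plus a kernel nearest-centroid classifier."""
import math

# Hyper-parameters chosen for this example (assumed; the abstract states no values)
SUBSEQ_LEN = 3   # p: length of the character subsequences that are compared
DECAY = 0.5      # lambda: weight per character of span, in (0, 1]; smaller penalises gaps more


def gap_weighted_kernel(s, t, p=SUBSEQ_LEN, lam=DECAY):
    """K_p(s, t): sum, over every common subsequence u of length p and every pair of
    occurrences (i in s, j in t) of u, of lam ** (span(i) + span(j)).
    O(p * |s| * |t|) dynamic programme (Lodhi et al.)."""
    m, n = len(s), len(t)
    if min(m, n) < p:
        return 0.0
    # kp[i][j] holds K'_k(s[:i], t[:j]) for the current k; K'_0 is 1 for every prefix pair
    kp = [[1.0] * (n + 1) for _ in range(m + 1)]
    for _ in range(1, p):
        kpp = [[0.0] * (n + 1) for _ in range(m + 1)]   # auxiliary K''_k
        nxt = [[0.0] * (n + 1) for _ in range(m + 1)]   # K'_k being built
        for i in range(1, m + 1):
            for j in range(1, n + 1):
                kpp[i][j] = lam * kpp[i][j - 1]          # extend the gap in t
                if s[i - 1] == t[j - 1]:
                    kpp[i][j] += lam * lam * kp[i - 1][j - 1]
                nxt[i][j] = lam * nxt[i - 1][j] + kpp[i][j]
        kp = nxt
    # final step: close each matching character pair with weight lam^2
    total = 0.0
    for i in range(1, m + 1):
        for j in range(1, n + 1):
            if s[i - 1] == t[j - 1]:
                total += lam * lam * kp[i - 1][j - 1]
    return total


def normalized_kernel(s, t, p=SUBSEQ_LEN, lam=DECAY):
    """Cosine-style normalisation: K(s, s) == 1, so long queries do not dominate."""
    denom = math.sqrt(gap_weighted_kernel(s, s, p, lam) * gap_weighted_kernel(t, t, p, lam))
    return gap_weighted_kernel(s, t, p, lam) / denom if denom else 0.0


class KernelCentroidClassifier:
    """Nearest centroid in the kernel's feature space, written purely in terms of
    kernel values. A simple stand-in for the paper's SVM (assumption of this example)."""

    def __init__(self, kernel=normalized_kernel):
        self.kernel = kernel
        self.classes = {}      # label -> list of training strings
        self.self_terms = {}   # label -> mean of K(y, y') over all pairs in the class

    def fit(self, samples):
        for text, label in samples:
            self.classes.setdefault(label, []).append(text)
        for label, members in self.classes.items():
            n = len(members)
            self.self_terms[label] = sum(self.kernel(a, b) for a in members for b in members) / (n * n)
        return self

    def distances(self, text):
        """Squared distance from text to each class centroid: K(x,x) - 2 mean K(x,y) + mean K(y,y')."""
        kxx = self.kernel(text, text)
        out = {}
        for label, members in self.classes.items():
            cross = sum(self.kernel(text, y) for y in members) / len(members)
            out[label] = kxx - 2 * cross + self.self_terms[label]
        return out

    def predict(self, text):
        d = self.distances(text)
        return min(d, key=d.get)


# Constructed training queries (not from the AMNESIA testbed); the attack rows use the
# textbook tautology pattern that the SQL-injection literature uses as its standard example.
TRAINING = [
    ("SELECT * FROM users WHERE name = 'alice'", "legit"),
    ("SELECT * FROM users WHERE name = 'bob'", "legit"),
    ("SELECT * FROM users WHERE name = 'carol'", "legit"),
    ("SELECT * FROM users WHERE name = '' OR '1'='1'", "attack"),
    ("SELECT * FROM users WHERE name = 'x' OR '1'='1'", "attack"),
    ("SELECT * FROM users WHERE name = 'admin' OR '1'='1'", "attack"),
]

if __name__ == "__main__":
    clf = KernelCentroidClassifier().fit(TRAINING)
    for query in (
        "SELECT * FROM users WHERE name = 'dave'",          # unseen legitimate query
        "SELECT * FROM users WHERE name = 'eve' OR '1'='1'",  # unseen tautology attack
        "SELECT * FROM users WHERE name = 'O''Brien'",       # legitimate, escaped quotation mark
    ):
        print(f"{clf.predict(query):7s} {clf.distances(query)}  {query}")
```

The quotation-mark case illustrates the abstract's caveat: a doubled apostrophe inside a legitimate value adds quote characters at positions the kernel otherwise only sees in injected tails, so the query's distances to the two centroids move closer together than those of a plain legitimate query, even when the label still comes out right.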
