Application of Hidden Markov Model in SQL Injection Detection

As the structure of web and client applications grows more complex, security problems have become increasingly critical. Among the threats reported, SQL injection attacks (SQLIAs) have consistently been top-ranked in recent years, and network logs, which are very important for detecting SQLIAs, are often used to analyze users' attack behavior. However, the collection of network logs is often compromised by the growing complexity of network structure, which poses a great challenge to log-based SQLIA detection. In view of this, this paper proposes a novel approach to SQLIA detection based on log analysis with a Hidden Markov Model (HMM), combined with statistical characteristics and feature matching. First, we build browsing behavior models of attackers and legitimate users. Next, we use the HMM to restore each user's browsing procedure from the customised user logs. Finally, the method detects SQLIAs by analyzing the actual behavior of users, without requiring the sensitive information submitted by users. Our experiments show that the proposed method can detect possible SQLIAs and identify malicious users effectively, and that it achieves higher accuracy than the K-means method.
