Data-mining based SQL injection attack detection using internal query trees
Affiliation: 1. Instituto para el Desarrollo Tecnológico y la Innovación en Comunicaciones (IDeTIC), Universidad de Las Palmas de Gran Canaria, Despacho D-102, Pabellón B, Ed. de Eletrónica y Comunicaciones, Campus de Tafira, 35017 Las Palmas, Spain; 2. Escuela de Biología, Universidad de Costa Rica, Costa Rica; 3. Systems Engineering and Automation Department, Universidad del País Vasco/Euskal Herriko Unibertsitatea, Spain; 1. Department of Computer Science and Statistics (DCCE), São Paulo State University (UNESP), São José do Rio Preto, SP, Brazil; 2. Faculty of Computation (FACOM), Federal University of Uberlândia (UFU), Uberlândia, MG, Brazil; 3. Center of Mathematics, Computing and Cognition, Federal University of ABC (UFABC), Santo André, SP, Brazil; 4. Federal Institute of Triângulo Mineiro (IFTM), Ituiutaba, MG, Brazil; 5. Transdisciplinary Center for Study of Chaos and Complexity (NUTECC), São José do Rio Preto Medical School, São José do Rio Preto, SP, Brazil; 6. Kidney Transplant Surgical Service, Base Hospital, Fundação Faculdade Regional de Medicina (FUNFARME), São José do Rio Preto, SP, Brazil; 7. Pathologic Anatomy Service, Base Hospital, Fundação Faculdade Regional de Medicina (FUNFARME), São José do Rio Preto, SP, Brazil; 1. Khalifa University of Science, Technology and Research, P.O. Box 127788, Abu Dhabi, United Arab Emirates; 2. Etisalat BT Innovation Center, P.O. Box 127788, Abu Dhabi, United Arab Emirates; 1. Computer Science Department, Federal University of Maranhão (UFMA), São Luís, MA, Brazil; 2. Department of Informatics, University of Minho, Braga, Portugal; 1. School of Information Systems, Singapore Management University, 80 Stamford Road, Singapore 178902, Singapore; 2. School of Electrical and Electronic Engineering, Nanyang Technological University, Nanyang Avenue, Singapore 639798, Singapore; 3. Manufacturing Execution and Control Group, Singapore Institute of Manufacturing Technology, Nanyang Drive, Singapore 638075, Singapore
Abstract: Detecting SQL injection attacks (SQLIAs) is becoming increasingly important for database-driven web sites. Until now, most studies on SQLIA detection have focused on the structure of the structured query language (SQL) at the application level. Unfortunately, this approach inevitably fails to detect attacks that use stored procedures and data already within the database system. In this paper, we propose a framework to detect SQLIAs at the database level by using SVM classification and various kernel functions. The key issue for the SQLIA detection framework is how to represent the internal query tree collected from the database log in a form suitable for the SVM classification algorithm, in order to achieve good performance in detecting SQLIAs. To solve this issue, we first propose a novel method to convert the query tree into an n-dimensional feature vector by using a multi-dimensional sequence as an intermediate representation. Directly converting the query tree into an n-dimensional feature vector is difficult because of the complexity and variability of the query tree structure. Second, we propose a method to extract the syntactic features, as well as the semantic features, when generating the feature vector. Third, we propose a method to transform string feature values into numeric feature values by combining multiple statistical models. The combined model maps one string value to one numeric value while retaining the multiple characteristics of each string value. In order to demonstrate the feasibility of our proposals in practical environments, we implement the SQLIA detection system based on PostgreSQL, a popular open source database system, and we perform experiments. The experimental results using the internal query trees of PostgreSQL validate that our proposal is effective in detecting SQLIAs, with a probability of at least 99.6% that the probability of a malicious query being correctly predicted as an SQLIA is greater than the probability of a normal query being incorrectly predicted as an SQLIA. Finally, we perform additional experiments to compare our proposal with syntax-focused feature extraction and with feature transformation based on a single statistical model. The experimental results show that our proposal significantly increases the probability of correctly detecting SQLIAs for various SQL statements, when compared to the previous methods.
Keywords: Intrusion detection; SQL injection attack; Database; Data mining; SVM
This article is indexed in ScienceDirect and other databases.