Development of a compressive framework using machine learning approaches for SQL Injection attacks

Title variants
PL
Opracowanie spójnego systemu z wykorzystaniem metod uczenia maszynowego w atakach typu SQL Injection (English rendering: Development of a coherent system using machine learning methods for SQL Injection attacks)
Publication languages
EN
Abstracts
EN
Web applications play an important role in our daily lives. Various web applications are used to carry out billions of online transactions. Because of their widespread use, these applications are vulnerable to attacks. SQL injection is the most common attack: it accepts user input, runs queries in the backend and returns the results the attacker wants. Various approaches have been proposed to counter SQL injection attacks; however, most of them fail to cover the entire scope of the problem. This research paper investigates the frequent forms of SQL injection attack, their mechanisms, and a way of identifying them based on the presence of an SQL query in the input. In addition, we propose a comprehensive framework to determine the effectiveness of the proposed techniques in addressing a number of issues depending on the type of attack, by using a hybrid (static and dynamic) approach together with machine learning. An extensive examination of the model on a test set indicates that the hybrid approach and ANN outperform Naive Bayes, SVM and Decision Tree in the accuracy of classifying injected queries. However, with respect to web page loading time during testing, Naive Bayes outperforms the other approaches. According to the test findings, the proposed method improved the accuracy of SQL injection attack prevention.
Year
Pages
181–187
Physical description
Bibliography: 58 items, figures, tables.
Authors (affiliations)
  • Department of Computer Science, Wachemo University Hossana, Ethiopia
  • Department of Electrical/Electronics and Computer Engineering, Afe Babalola University Ado-Ekiti, Nigeria
  • Department of Information Technology, Wachemo University Hossana, Ethiopia
  • Department of Information Technology, Wachemo University Hossana, Ethiopia
References
  • [1] M. A. Yunus et al., “Review of SQL Injection: Problems and Prevention,” International Journal on Informatics Visualization, vol. 2, pp. 215–219, 2018. DOI: 10.30630/JOIV.2.3-2.144.
  • [2] A. Kumar and S. Binu, “Proposed Method for SQL Injection Detection and its Prevention,” vol. 7, pp. 213–216, 2018.
  • [3] G. Hendita and A. Kusuma, “Analysis of SQL Injection Attacks on Website Service,” IEEE, vol. 1, no. 1, 2018.
  • [4] O. C. Abikoye, A. Abubakar, A. H. Dokoro, and O. N. Akande, “A novel technique to prevent SQL injection and cross-site scripting attacks using Knuth-Morris-Pratt string match algorithm,” EURASIP J. on Info. Security, 14, 2020. DOI: 10.1186/s13635-020-00113-y.
  • [5] T. Qais, T. Mohammad, and I. Jamil, “A novel method for preventing SQL injection using SHA-1 algorithm and syntax-awareness,” International Conference on Information and Communication Technologies for Education and Training and International Conference on Computing in Arabic (ICCA-TICET), IEEE, Khartoum, pp. 1–4, 2017.
  • [6] A. Alazab, “New Strategy for Mitigating of SQL Injection Attack,” International Journal of Computer Applications, vol. 154, no. 11, pp. 1–10, 2016.
  • [7] A. Gurina and V. Eliseev, “Anomaly-Based Method for Detecting Multiple Classes of Network Attacks,” Information, vol. 10, no. 3, 84, pp. 1–24, 2019. DOI: 10.3390/info10030084.
  • [8] R. Jahanshahi, A. Doupé, and M. Egele, “You shall not pass: Mitigating SQL Injection Attacks on Legacy Web Applications,” Proceedings of the 15th ACM Asia Conference on Computer and Communications Security, ASIA CCS 2020, pp. 445–457, 2020.
  • [9] I. Medeiros, M. Beatriz, N. Neves, and M. Correia, “SEPTIC: Detecting Injection Attacks and Vulnerabilities Inside the DBMS,” IEEE Trans. Reliab., vol. 68, no. 3, pp. 1168–1188, 2019. DOI: 10.1109/tr.2019.2900007.
  • [10] M. K. Gupta, M. C. Govil, and G. Singh, “Static analysis approaches to detect SQL injection and cross-site scripting vulnerabilities in web applications: A survey,” Int. Conf. Recent Adv. Innov. Eng. ICRAIE 2014, pp. 9–13, 2014. DOI: 10.1109/ICRAIE.2014.6909173.
  • [11] X. Fu, X. Lu, B. Peltsverger, S. Chen, K. Qian, and L. Tao, “A static analysis framework for detecting SQL injection vulnerabilities,” Proc. Int. Comput. Softw. Appl. Conf. (COMPSAC), vol. 1, pp. 87–94, 2007. DOI: 10.1109/COMPSAC.2007.43.
  • [12] M. Alenezi and Y. Javed, “Open source web application security: A static analysis approach,” Proc. 2016 Int. Conf. Eng. MIS, ICEMIS 2016, 2016. DOI: 10.1109/ICEMIS.2016.7745369.
  • [13] F. Spoto et al., “Static Identification of Injection Attacks in Java,” vol. 41, no. 3, 2019.
  • [14] Bhayakumara S. Basutakara and D. J. P. N., “A Review of Static Code Analysis Methods for Detecting Security Flaws,” J. Univ. Shanghai Sci. Technol., vol. 23, no. 06, pp. 647–653, 2021. DOI: 10.51201/jusst/21/05320.
  • [15] D. Das, U. Sharma, and D. Bhattacharyya, “An Approach to Detection of SQL Injection Attack Based on Dynamic Query Matching,” Int. J. Comput. …, vol. 1, no. 25, pp. 28–34, 2010.
  • [16] S. Nanda, L. C. Lam, and T. C. Chiueh, “Dynamic multiprocess information flow tracking for web application security,” Proc. 8th ACM/IFIP/USENIX Int. Conf. Middleware 2007, Middleware ’07, pp. 1–20, 2008. DOI: 10.1145/1377943.1377956.
  • [17] A. Makiou, Y. Begriche, and A. Serhrouchni, “Hybrid approach to detect SQLi attacks and evasion techniques,” CollaborateCom 2014, Proc. 10th IEEE Int. Conf. Collab. Comput.: Networking, Appl. Work., pp. 452–456, 2015. DOI: 10.4108/icst.collaboratecom.2014.257568.
  • [18] F. Y. Hernawan, I. Hidayatulloh, and I. F. Adam, “Hybrid method integrating SQL-IF and Naïve Bayes for SQL injection attack avoidance,” vol. 1, no. 2, pp. 85–96, 2020.
  • [19] S. P. K. and A. Murugan, “Analysis of Vulnerability Detection Tool for Web Services,” vol. 7, pp. 773–778, 2018.
  • [20] P. Techniques et al., “Design and Implementation of SQL Injection Vulnerability Scanning Tool,” 2020. DOI: 10.1088/1742-6596/1575/1/012094.
  • [21] B. J. S. Kumar and P. P. Anaswara, “Vulnerability detection and prevention of SQL injection,” International Journal of Engineering and Technology, vol. 7, pp. 16–18, 2018.
  • [22] A. Tajpour, M. Massrum, and M. Z. Heydari, “Comparison of SQL injection detection and prevention techniques,” ICETC 2010, 2nd Int. Conf. Educ. Technol. Comput., vol. 5, pp. 174–179, 2010. DOI: 10.1109/ICETC.2010.5529788.
  • [23] A. Sadeghian, M. Zamani, and A. A. Manaf, “A taxonomy of SQL injection detection and prevention techniques,” Proc. 2013 Int. Conf. Informatics Creat. Multimedia, ICICM 2013, pp. 53–56, 2013. DOI: 10.1109/ICICM.2013.18.
  • [24] S. Djanali, F. X. Arunanto, B. A. Pratomo, A. Baihaqi, H. Studiawan, and A. Mazharuddin, “Aggressive Web Application Honeypot for Exposing Attacker’s Identity,” November 2014. DOI: 10.1109/ICITACEE.2014.7065744.
  • [25] W. G. J. Halfond and A. Orso, “Detection and Prevention of SQL Injection Attacks,” Adv. Inf. Secur., vol. 27, no. 7, pp. 85–109, 2007. DOI: 10.1007/978-0-387-44599-1_5.
  • [26] T. Pattewar, H. Patil, H. Patil, N. Patil, M. Taneja, and T. Wadile, “Detection of SQL Injection using Machine Learning: A Survey,” pp. 239–246, 2019.
  • [27] M. Zolanvari, M. A. Teixeira, L. Gupta, et al., “Machine Learning Based Network Vulnerability Analysis of Industrial Internet of Things,” pp. 1–14.
  • [28] M. A. Azman, M. F. Marhusin, and R. Sulaiman, “Machine Learning-Based Technique to Detect SQL Injection Attack,” pp. 1–8, 2021. DOI: 10.3844/jcssp.2021.296.303.
  • [29] S. S. A. Krishnan, A. N. Sabu, P. P. Sajan, and A. L. Sreedeep, “SQL Injection Detection Using Machine Learning,” vol. 11, no. 3, pp. 300–310.
  • [30] B. J. S. Kumar and K. Pujitha, “Web Application Vulnerability Detection Using Hybrid String Matching Algorithm,” vol. 7, pp. 106–109, 2018.
  • [31] S. Son, K. S. McKinley, and V. Shmatikov, “Diglossia: Detecting code injection attacks with precision and efficiency,” Proc. ACM Conf. Comput. Commun. Secur., no. 2, pp. 1181–1191, 2013. DOI: 10.1145/2508859.2516696.
  • [32] R. Dharam and S. G. Shiva, “Runtime monitors for tautology-based SQL injection attacks,” Proc. 2012 Int. Conf. Cyber Secur. Cyber Warf. Digit. Forensic, CyberSec 2012, pp. 253–258, 2012. DOI: 10.1109/CyberSec.2012.6246104.
  • [33] D. Y. Kao, C. J. Lai, and C. W. Su, “A Framework for SQL Injection Investigations: Detection, Investigation, and Forensics,” Proc. 2018 IEEE Int. Conf. Syst. Man, Cybern. SMC 2018, no. 1, pp. 2838–2843, 2019. DOI: 10.1109/SMC.2018.00483.
  • [34] H. Gu et al., “DIAVA: A Traffic-Based Framework for Detection of SQL Injection Attacks and Vulnerability Analysis of Leaked Data,” IEEE Trans. Reliab., vol. 69, no. 1, pp. 188–202, 2020. DOI: 10.1109/TR.2019.2925415.
  • [35] Q. Li, W. Li, and J. Wang, “A SQL Injection Detection Method Based on Adaptive Deep Forest,” IEEE Access, pp. 145385–145394, 2019. DOI: 10.1109/ACCESS.2019.2944951.
  • [36] S. Ezzat, M. I., L. M., and Y. K., “Web Anomaly Misuse Intrusion Detection Framework for SQL Injection Detection,” Int. J. Adv. Comput. Sci. Appl., vol. 3, no. 3, pp. 123–129, 2012. DOI: 10.14569/ijacsa.2012.030321.
  • [37] Y. V. N. Manikanta, “Protecting Web Applications from SQL Injection Attacks,” pp. 609–613, 2012.
  • [38] R. Dharam and S. G. Shiva, “Runtime Monitoring Framework for SQL Injection Attacks,” vol. 6, no. 5, 2014. DOI: 10.7763/IJET.2014.V6.731.
  • [39] V. Chang, Y. H. Kuo, and M. Ramachandran, “Cloud computing adoption framework: A security framework for business clouds,” Futur. Gener. Comput. Syst., vol. 57, pp. 24–41, 2016. DOI: 10.1016/j.future.2015.09.031.
  • [40] M. Yassin, H. Ould-Slimane, C. Talhi, and H. Boucheneb, “SQLIIDaaS: A SQL Injection Intrusion Detection Framework as a Service for SaaS Providers,” Proc. 4th IEEE Int. Conf. Cyber Secur. Cloud Comput. CSCloud 2017 / 3rd IEEE Int. Conf. Scalable Smart Cloud, SSC 2017, pp. 163–170, 2017. DOI: 10.1109/CSCloud.2017.27.
  • [41] G. Yiğit and M. Arnavutoğlu, “SQL Injection Attacks Detection & Prevention Techniques,” vol. 9, no. 5, 2017. DOI: 10.7763/IJCTE.2017.V9.1165.
  • [42] L. Erdődi, Å. Å. Sommervoll, and F. M. Zennaro, “Simulating SQL injection vulnerability exploitation using Q-learning reinforcement learning agents,” J. Inf. Secur. Appl., vol. 61, p. 102903, 2021. DOI: 10.1016/j.jisa.2021.102903.
  • [43] “An Improved SQL Injection Attack Detection Model Using Machine Learning Techniques,” vol. 11, no. 1, pp. 53–57, 2021.
  • [44] M. Fan, J. Liu, W. Wang, H. Li, Z. Tian, and T. Liu, “DAPASA: Detecting Android Piggybacked Apps Through Sensitive Subgraph Analysis,” IEEE Trans. Inf. Forensics Secur., vol. 12, no. 8, pp. 1772–1785, 2017. DOI: 10.1109/TIFS.2017.2687880.
  • [45] B. Shunmugapriya and B. Paramasivan, “Protection Against SQL Injection Attack in Cloud Computing,” vol. 9, no. 02, pp. 502–510, 2020.
  • [46] K. Varshney and R. L. Ujjwal, “LsSQLIDP: Literature survey on SQL injection detection and prevention techniques,” J. Stat. Manag. Syst., vol. 22, no. 2, pp. 257–269, 2019. DOI: 10.1080/09720510.2019.1580904.
  • [47] K. Ahmad and M. Karim, “A Method to Prevent SQL Injection Attack using an Improved Parameterized Stored Procedure,” vol. 12, no. 6, pp. 324–332, 2021.
  • [48] M. Kareem, “Prevention of SQL Injection Attacks using AWS WAF,” p. 47, 2018. [Online]. Available: http://repository.stcloudstate.edu/cgi/viewcontent.cgi?article=1094&context=msia_etds.
  • [49] S. Mohammed, H. Chaki, and M. M. Din, “A Survey on SQL Injection Prevention Methods,” vol. 9, no. 1, pp. 47–54, 2019.
  • [50] R. Rawat, “SQL injection attack Detection using SVM,” no. March 2012, 2020. DOI: 10.5120/5749-7043.
  • [51] Z. Chen and M. Guo, “Research on SQL injection detection technology based on SVM,” vol. 01004, pp. 1–5, 2018.
  • [52] A. Banchhor and T. Vaidya, “SQL Injection Detection Using Bayes’ Classification,” pp. 313–317.
  • [53] M. Olalere et al., “A Naïve Bayes Based Pattern Recognition Model for Detection and Categorization of Structured Query Language Injection Attack,” vol. 7, no. 2, pp. 189–199, 2018.
  • [54] M. Liu and T. Chen, “DeepSQLi: Deep Semantic Learning for Testing SQL Injection,” pp. 286–297.
  • [55] T. Liu, Y. Qi, L. Shi, and J. Yan, “Locate-Then-Detect: Realtime Web Attack Detection via Attention-based Deep Neural Networks,” pp. 4725–4731, 2016.
  • [56] M. Volkova, P. Chmelar, and L. Sobotka, “Machine Learning Blunts the Needle of Advanced SQL Injections,” vol. 25, no. 1, pp. 23–30, 2019.
  • [57] X. Xie, C. Ren, Y. Fu, J. Xu, and J. Guo, “SQL Injection Detection for Web Applications Based on Elastic-Pooling CNN,” IEEE Access, vol. 7, pp. 151475–151481, 2019. DOI: 10.1109/ACCESS.2019.2947527.
  • [58] A. O. Salau and S. Jain, “Feature Extraction: A Survey of the Types, Techniques, and Applications,” 5th IEEE International Conference on Signal Processing and Communication (ICSC), Noida, India, pp. 158–164, 2019. DOI: 10.1109/ICSC45622.2019.8938371.
Notes
Record prepared with funds from the Ministry of Education and Science (MEiN), agreement no. SONP/SP/546092/2022, under the programme "Social Responsibility of Science", module: Popularisation of science and promotion of sport (2022-2023).
Document type
Bibliography
YADDA identifier
bwmeta1.element.baztech-a5511eea-6892-42b3-9eb6-722985fe69bf