Abstract
Database systems are indispensable in modern web applications in order to process and store business information. Due to the contained valuable information, these systems are highly interesting to hackers and their diverse and enormous amount of attacks severely undermine the effectiveness of classical signature-based detection. In this work we propose a novel hybrid approach for learning SQL statements with program tracing techniques in order to detect malicious behavior between the database and application. The approach incorporates the program trace hashing technique and tree structure of SQL queries as well as query name similarity as characteristic to distinguish malicious from benign queries. An prototype learning system integrated in PHP is demonstrated to show the usefulness of our approach on real-world application.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsPreview
Unable to display preview. Download preview PDF.
References
Roesch, M.: Snort: Lightweight intrusion detection for networks. In: Proc. of LISA, pp. 229–238. USENIX (1999)
Ristic, I.: ModSecurity - A Filter-Module for the Apache web server (1998)
Kruegel, C., Vigna, G.: Anomaly Detection of Web-based Attacks. In: Proc. of ACM CCS, pp. 251–261. ACM Press, New York (2003)
Kruegel, C., Vigna, G., Robertson, W.: A Multi-model Approach to the Detection of Web-based Attacks. Computer Networks 48(5), 717–738 (2005)
Cova, M., Balzarotti, D., Felmetsger, V., Vigna, G.: Swaddler: An Approach for the Anomaly-Based Detection of State Violations in Web Applications. In: Kruegel, C., Lippmann, R., Clark, A. (eds.) RAID 2007. LNCS, vol. 4637, pp. 63–86. Springer, Heidelberg (2007)
Wassermann, G., Su, Z.: Sound and Precise Analysis of Web Applications for Injection Vulnerabilities. In: Conference on Programming Language Design and Implementation, PLDI (2007)
Wassermann, G., Su, Z.: Static detection of cross-site scripting vulnerabilities. In: ICSE (2008)
Martin, M., Lam, M.S.: Automatic generation of XSS and Sql injection attacks with goal-directed model checking. In: 17th USENIX Security Symposium (2008)
Collins, M., Duffy, N.: New ranking algorithms for parsing and tagging: Kernels over discrete structures, and the voted perceptron. In: ACL (2002)
Vishwanathan, S.V.N., Smola, A.J.: Fast kernels on strings and trees. In: Proceedings of Neural Information Processing Systems (2002)
Lodhi, H., Saunders, C., Shawe-Taylor, J., Cristianini, N., Watkins, C.: Text classification using string kernels. In: NIPS 2002, Vancouver, Canada (2000)
Zelenko, D., Aone, C., Richardella, A.: Kernel methods for relation extraction. Journal of Machine Learning Research (2003)
Moschitti, A.: Making tree kernels practical for natural language learning. In: Proceedings of the Eleventh International Conference on European Association for Computational Linguistics, Trento, Italy (2006)
Lee, S.-Y., Low, W.L., Wong, P.Y.: Learning Fingerprints for a Database Intrusion Detection System. In: Gollmann, D., Karjoth, G., Waidner, M. (eds.) ESORICS 2002. LNCS, vol. 2502, pp. 264–280. Springer, Heidelberg (2002)
Buehrer, G., Weide, B.W., Sivilotti, P.A.G.: Using parse tree validation to prevent sql injection attacks. In: Proc. of SEM, pp. 106–113. ACM, New York (2005)
Gerstenberger, R.: Anomaliebasierte Angriffserkennung im FTP-Protokoll. Master’s thesis, University of Potsdam, Germany (2008)
Düssel, P., Gehl, C., Laskov, P., Rieck, K.: Incorporation of Application Layer Protocol Syntax into Anomaly Detection. In: Sekar, R., Pujari, A.K. (eds.) ICISS 2008. LNCS, vol. 5352, pp. 188–202. Springer, Heidelberg (2008)
Bockermann, C., Apel, M., Meier, M.: Learning SQL for Database Intrusion Detection Using Context-Sensitive Modelling (Extended Abstract). In: Flegel, U., Bruschi, D. (eds.) DIMVA 2009. LNCS, vol. 5587, pp. 196–205. Springer, Heidelberg (2009)
Dewhurst, R.: Damn Vulnerable Web Application, DVWA (2012), http://www.dvwa.co.uk/
Bernardo Damele, A.G., Stampar, M.: Sqlmap: automatic SQL injection and database takeover tool (2012), http://sqlmap.sourceforge.net/
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2012 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Wang, Y., Li, Z. (2012). SQL Injection Detection via Program Tracing and Machine Learning. In: Xiang, Y., Pathan, M., Tao, X., Wang, H. (eds) Internet and Distributed Computing Systems. IDCS 2012. Lecture Notes in Computer Science, vol 7646. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-34883-9_21
Download citation
DOI: https://doi.org/10.1007/978-3-642-34883-9_21
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-34882-2
Online ISBN: 978-3-642-34883-9
eBook Packages: Computer ScienceComputer Science (R0)