Advanced Detection and Prevention of SQL Injection Attacks Using Machine Learning Techniques for Enhanced Web Security
DOI: https://doi.org/10.32628/IJSRST241161101
Keywords: SQL injection attack, SQLIA prevention, Query Transformation, Normalization of Queries, Document Similarity, Hidden Markov Model, Support Vector Machine, Graph of Tokens, Centrality Measures, Feature Selection
Abstract
SQL injection attacks (SQLIAs) continue to pose a significant threat to web applications, exploiting application code that builds queries from unvalidated user input. Traditional detection and prevention mechanisms, which are typically signature- or rule-based, struggle to keep pace with the evolving techniques employed by attackers. This paper presents a framework for detecting and preventing SQL injection attacks with machine learning to enhance web security. The proposed system combines supervised and unsupervised learning models to analyse query patterns, identify anomalies and classify malicious inputs in real time. Our methodology comprises preprocessing of web application traffic, feature extraction from SQL queries and model training on labelled datasets. Several algorithms, including decision trees, support vector machines and neural networks, were evaluated for their effectiveness in detecting SQLIAs. The results show that machine learning-based approaches can significantly improve the detection and prevention of SQL injection attacks compared with traditional rule-based methods. The study also highlights the importance of continuous learning and adaptation in cybersecurity frameworks. The proposed solution provides a robust and scalable tool for improving web application security and paves the way for further research into integrating artificial intelligence into cybersecurity.
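The pipeline the abstract describes (normalize the query, extract token features, train a supervised classifier on labelled queries) can be made concrete in a few dozen lines. The following is an added example written for this page, not code from the paper or its authors. It uses a from-scratch multinomial Naive Bayes classifier instead of the decision trees, SVMs and neural networks the paper evaluates, so that it runs with the Python standard library alone; the token classes (STR, NUM, CMT, ID), the keyword list, the three structural flags and the twenty labelled queries in DEMO_SAMPLES are all assumptions constructed for the example, not the paper's feature set or dataset.

```python
import math
import re
from collections import Counter

# Tokenizer for SQL text: alternatives are tried in order, so comments and string
# literals are consumed before the operator class, which also catches lone quotes.
TOKEN_RE = re.compile(r"""
    (?P<CMT>--[^\n]*|\#[^\n]*|/\*.*?\*/|/\*.*)          # --, # and /* */ comments, even unterminated
  | (?P<STR>'(?:[^']|'')*'|"(?:[^"]|"")*")               # quoted literals; '' escapes a quote
  | (?P<NUM>\b0x[0-9a-f]+\b|\b\d+(?:\.\d+)?\b)           # integer, decimal or hex literals
  | (?P<word>[a-z_][a-z0-9_]*)                           # keywords and identifiers
  | (?P<op><=|>=|<>|!=|\|\||[=<>+\-*/%(),;.'"`@])       # operators, punctuation, lone quotes
  | (?P<other>\S)                                        # anything else, kept verbatim
""", re.IGNORECASE | re.VERBOSE | re.DOTALL)
SQL_KEYWORDS = set("""select from where and or not union all insert into values update set
    delete drop table like null is order by limit having group in between sleep benchmark
    waitfor delay exec declare cast char concat load_file outfile""".split())
TAUTOLOGY_RE = re.compile(r"(\b\d+\b|'(?:[^']|'')*')\s*=\s*\1")  # 1=1, 'a'='a', ...

def normalize(query):
    """Canonical token stream: literals -> STR/NUM, comments -> CMT, identifiers -> ID,
    keywords lower-cased, so `' OR 1=1--` and `' OR 7=7--` give the same sequence."""
    out = []
    for m in TOKEN_RE.finditer(query):
        kind, text = m.lastgroup, m.group()
        if kind in ("CMT", "STR", "NUM"):
            out.append(kind)
        elif kind == "word":
            out.append(text.lower() if text.lower() in SQL_KEYWORDS else "ID")
        else:
            out.append(text)  # operator, punctuation, or a quote that closed no literal
    return out

def features(query):
    """Unigram and bigram counts over normalized tokens, plus structural flags."""
    toks = normalize(query)
    feats = Counter(toks)
    feats.update(f"{a} {b}" for a, b in zip(toks, toks[1:]))
    if toks and toks[-1] == "CMT":
        feats["F_TRAILING_COMMENT"] += 1  # remainder of the original query commented out
    if "'" in toks or '"' in toks:
        feats["F_STRAY_QUOTE"] += 1       # unbalanced quote broke out of a literal
    if TAUTOLOGY_RE.search(query):
        feats["F_TAUTOLOGY"] += 1
    return feats

class SqliNaiveBayes:
    """Multinomial Naive Bayes with Laplace smoothing; label 1 means injection."""
    def __init__(self, alpha=1.0):
        self.alpha, self.class_n, self.tok_n = alpha, Counter(), Counter()
        self.feat_n, self.vocab = {0: Counter(), 1: Counter()}, set()

    def fit(self, samples):
        for query, label in samples:
            f = features(query)
            self.class_n[label] += 1
            self.feat_n[label].update(f)
            self.tok_n[label] += sum(f.values())
            self.vocab.update(f)
        return self

    def log_odds(self, query):
        """log P(injection | q) - log P(benign | q); positive means injection."""
        f, n, v = features(query), sum(self.class_n.values()), len(self.vocab)
        score = {}
        for c in (0, 1):
            lp = math.log((self.class_n[c] + self.alpha) / (n + 2 * self.alpha))
            denom = self.tok_n[c] + self.alpha * v
            for feat, cnt in f.items():
                lp += cnt * math.log((self.feat_n[c][feat] + self.alpha) / denom)
            score[c] = lp
        return score[1] - score[0]

    def predict(self, query):
        return int(self.log_odds(query) > 0)

# Constructed training corpus (not the paper's dataset): the full query as it
# reaches the database, labelled 0 = benign or 1 = injected.
DEMO_SAMPLES = [
    ("SELECT id, name FROM users WHERE id = 42", 0),
    ("SELECT * FROM orders WHERE customer_id = 7 AND status = 'shipped'", 0),
    ("UPDATE users SET last_login = '2024-05-01' WHERE id = 3", 0),
    ("INSERT INTO logs (level, msg) VALUES ('info', 'started')", 0),
    ("SELECT COUNT(*) FROM sessions WHERE expires > 1700000000", 0),
    ("SELECT name FROM products WHERE name LIKE 'O''Brien%' ORDER BY name LIMIT 10", 0),
    ("DELETE FROM cart WHERE user_id = 12 AND item_id = 99", 0),
    ("SELECT * FROM products WHERE category = 'books' LIMIT 20", 0),
    ("SELECT email FROM users WHERE username = 'alice'", 0),
    ("SELECT id FROM sessions WHERE token = 'abc123' AND expires > 1700000000", 0),
    ("SELECT email FROM users WHERE username = '' OR 1=1 --'", 1),
    ("SELECT * FROM users WHERE id = 1 OR 'a'='a'", 1),
    ("SELECT * FROM products WHERE id = 1 UNION SELECT username, password FROM users", 1),
    ("SELECT * FROM users WHERE id = 1; DROP TABLE users; --", 1),
    ("SELECT * FROM items WHERE id = 5 AND SLEEP(5)", 1),
    ("SELECT * FROM users WHERE name = 'x' UNION ALL SELECT NULL, NULL, NULL /*", 1),
    ("SELECT * FROM users WHERE id = 1 AND 1=1", 1),
    ("SELECT * FROM users WHERE id = '1' OR '1'='1'", 1),
    ("SELECT * FROM users WHERE id = 1 OR 1=1 ORDER BY 3 --", 1),
    ("SELECT * FROM products WHERE id = 1 OR BENCHMARK(5000000, MD5(1))", 1),
]

def train_demo_model():
    return SqliNaiveBayes().fit(DEMO_SAMPLES)
```

Calling train_demo_model().predict(q) on an assembled query returns 1 for an injected query and 0 otherwise; log_odds(q) gives the margin. The normalization step is where most of the generalization comes from: `' OR 1=1 --` and `' OR 7=7 --` map to the same token sequence, so the classifier learns the shape of a tautology rather than its literal values, and the trailing-comment and stray-quote flags capture the shape of comment-truncation and quote-breaking payloads regardless of the surrounding table and column names. Two caveats apply to any deployment of this approach. Twenty hand-written queries illustrate only the mechanics; on such a small corpus the model also learns incidental artifacts of the constructed data (here, `SELECT *` occurs mostly in the injected samples), which is why the paper's emphasis on realistic labelled data and continuous retraining matters. And a classifier placed in front of the database is a detection control: it does not remove the vulnerability, which is the application building SQL from unvalidated input, and it belongs alongside parameterized queries rather than in place of them.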
License
Copyright (c) 2024 International Journal of Scientific Research in Science and Technology
This work is licensed under a Creative Commons Attribution 4.0 International License.