SQL Injection Detection and Correction Using Machine Learning Techniques

Garima Singh (1), Dev Kant (2), Unique Gangwar (3), and Akhilesh Pratap Singh (4)

(1) Department of CSE, Jaypee University of Information Technology, Waknaghat, Solan, H.P, India
garimasingh2841@gmail.com
(2) Department of CSE, Indian Institute of Information Technology Allahabad, Deoghat, Jhalwa, Allahabad, U.P, India
devkantg@gmail.com
(3) Department of CSE, Jaypee Institute of Information Technology, Noida, U.P, India
unique.gangwar@gmail.com
(4) Department of CSE, Kamla Nehru Institute of Technology, Sultanpur, U.P, India
akhilesh.chauhan88@gmail.com

Abstract. SQL is a database language used to interact with the database. With SQL, a database can be created, modified and deleted. Nowadays every organization has its own databases, which may hold important information that should not be shared publicly. The SQL injection technique is now one of the most common attacks on the Internet. This paper is about SQL injection, SQL injection attacks and, more importantly, how to detect and correct SQL injection. This paper proposes an algorithm that detects not only SQL injection attacks but also unauthorized users by maintaining an audit record using a machine learning technique (clustering).

Keywords: SQL Injection Technique, SQL Injection Attack, Detect & Correct
SQL Injection, Clustering, Audit Record.

1 Introduction
SQL injection is one of the most effective methods for stealing data from the backend; with the help of these attacks, hackers can get access to the database and steal sensitive information. According to the “Open Web Application Security Project”, an injection attack is a technique used in hacking or cracking to access information or perform unauthorized activity [1]. Nowadays most web applications are hacked using the SQL injection method [2]. Until now many approaches have been proposed for detecting the injected query, but practical implementation is not possible. There are three main techniques: prevention, detection and correction. Prevention is somewhat complicated because none of the proposed methods provides an exact solution for preventing injected queries [2, 3, 4]; there are many additional methods through which injection is possible. This paper presents a technique for the detection and correction of different types of SQL attacks. In the proposed method an audit record should be maintained for each transaction. With the help of that record, it can be checked which kind of data is being accessed by the transaction, which type of resources are being used, and whether they have the privilege to query such data. With the help of a clustering technique, clusters are made for attacks; if the attributes of a record fall under the attack clusters, then that transaction must be blocked and verified, and if a negative result comes, then that query must not be executed. In order to solve these problems, researchers have developed various detection [8-10] and prevention techniques [11-14]. This paper is organized as follows: Section 2 describes the basic idea of SQL injection attacks (SQLIAs). The proposed algorithm is defined in Section 3. In Section 4, the experimental outcomes are introduced and discussed. Finally, Section 5 concludes the paper.

© Springer International Publishing Switzerland 2015
S.C. Satapathy et al. (eds.), Emerging ICT for Bridging the Future – Volume 1,
Advances in Intelligent Systems and Computing 337, DOI: 10.1007/978-3-319-13728-5_49

2 Types of Attacks

There are various methods of SQL Injection attacks which may be performed either
together or sequentially [5, 6].

Tautologies: A tautology attack injects SQL tokens into the conditional query statement so that it is always evaluated as true [18][22][23]. Example:
"SELECT * FROM employee_record WHERE emp_id = '102' and Password ='aa' OR '1'='1'"

Invalid/Logically Incorrect Queries: When a query is rejected, an error message is returned from the database [10]. In the given example an attacker causes a type mismatch error by injecting the following text into the pin input field:
1) Original URL:
http://www.archeive.polimi.it/eventi/?id_nav=8864
2) SQL Injection:
http://www.archeive.polimi.it/eventi/?id_nav=8864'
3) Error message shown:
SELECT emp_name FROM Employee WHERE id =8864\'

Union Query: With the help of a union query, an attacker can append an injected query to the original query using the word UNION and can then extract information about other tables from the database [10][18][23].

Piggy-Backed Queries: In this type of attack, an unauthorized user exploits the database with the help of a query delimiter, such as ";", by appending an extra query to the original SQL query [10][19][20][22].

Stored Procedure: A stored procedure is a part of the database with which the programmer can set an extra abstraction layer on the database [7].

Inference: With the help of an inference attack, intruders can change the behavior of a database or web application [12].
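
The tautology query from the example above, run against a constructed in-memory table beside a parameterized version of the same lookup. This is an added example, not code from the paper; the table contents, function names and the small audit dictionary (modelled on the fields listed in Section 3.1) are assumptions.

```python
import sqlite3

# Password-field value taken from the paper's tautology example.
TAUTOLOGY_INPUT = "aa' OR '1'='1"

def make_db():
    # Constructed sample rows; only the table and column names follow the paper.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE employee_record (emp_id TEXT, Password TEXT, emp_name TEXT)")
    db.executemany("INSERT INTO employee_record VALUES (?, ?, ?)",
                   [("101", "s3cret", "Asha"), ("102", "pa55", "Ravi"),
                    ("103", "hunter", "Meena")])
    return db

def login_concatenated(db, emp_id, password):
    # Vulnerable: input is pasted into the SQL text, so a quote in the input
    # ends the string literal and the rest is parsed as SQL tokens.
    sql = ("SELECT * FROM employee_record WHERE emp_id = '" + emp_id +
           "' and Password ='" + password + "'")
    return db.execute(sql).fetchall()

def login_parameterized(db, emp_id, password):
    # Hardened: placeholders bind the input as data; it is never parsed as SQL.
    sql = "SELECT * FROM employee_record WHERE emp_id = ? AND Password = ?"
    return db.execute(sql, (emp_id, password)).fetchall()

def audit_record(subject, login, db, emp_id, password):
    # Minimal audit record: subject, action, object and one resource-usage figure.
    rows = login(db, emp_id, password)
    return {"subject": subject, "action": login.__name__,
            "object": "employee_record", "records_read": len(rows)}
```

With the tautology input the concatenated query returns every row of the table, while the parameterized query returns none; the `records_read` figure is the kind of measure the audit record in Section 3 is meant to capture.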

3 Proposed Work
The proposed approach provides a model for understanding the behavior of the object. By observing the behavior of the object, it can be verified whether the user is authorized or not. An audit record is a fundamental tool for detecting the behavior of an object. A record of the ongoing activity of users must be maintained and can be used to determine whether a transaction is valid or not.

3.1 Audit Record Must Contain the Following Fields


Subject: A subject is an end user but might also be a process acting on behalf of users or groups of users. All activity arises through SQL commands issued by subjects.
Action: An action is an operation performed by the subject (SQL command) on or with an object (database); for example, login, read, write, perform I/O, execute.
Object: Receptors of actions. An example is a database.
Exception Condition: Defines which, if any, exception condition is raised on return.
Resource Usage: A list of quantitative elements in which each element gives the amount used of some resource.
Time-Stamp: A unique time and date stamp identifying when the action took place.

3.2 Measures Must Be Used for Unauthorized Detection


Login and Session Activity: Login frequency by day and time, Time since last login,
Elapsed time per session, session resource utilization, password failures at login.
Command or Program Execution Activity: Execution frequency, Program resource
utilization, Execution denials.
File Access Activity: It involves Read, write, create, delete frequency, records read
and written, failure count for read, write, create and delete.

3.3 These Are the Various Measures Which Can Be Verified in the Audit Record with the Help of Following Clustering Technique
The steps of the algorithm are as follows:
Step 1 - To check the behavior of an object or transaction, an audit record must be maintained by the host agent to record the ongoing activity of an object or transaction.
Step 2 - The attributes of the audit record are clustered by the central manager with the help of the k-means clustering technique for detecting attacks.
Step 3 - With the help of one-rule classification, attacks are classified into classes to reduce computational time.
Step 4 - Repeat Step 2 and Step 3 until a sufficient number of samples are available.
Step 5 - Tabulate the various values of the decision criterion and choose the best policy.
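
Steps 2 and 3 carried through on constructed data, as an added example that is not the paper's implementation: k-means with k = 2 splits per-session audit measures into a normal and an attack cluster, then a one-rule (OneR) classifier reduces the clusters to a single threshold test. The sample records, the choice of measures, and the rule that the heavier cluster is the attack cluster are assumptions.

```python
# Constructed per-session audit measures (Section 3.2), not data from the paper:
# (records_read, password_failures, execution_denials)
FIELDS = ("records_read", "password_failures", "execution_denials")
RECORDS = [(1, 0, 0), (2, 1, 0), (3, 0, 0), (1, 0, 1), (1, 1, 0), (2, 0, 0),
           (250, 4, 3), (300, 6, 2), (280, 5, 4), (310, 7, 5)]

def dist2(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b))

def kmeans(points, rounds=20):
    # Step 2 with k = 2; deterministic start from the lightest and heaviest record.
    ordered = sorted(points, key=sum)
    cents = [ordered[0], ordered[-1]]
    assign = []
    for _ in range(rounds):
        assign = [min((0, 1), key=lambda c: dist2(p, cents[c])) for p in points]
        new = []
        for c in (0, 1):
            members = [p for p, a in zip(points, assign) if a == c]
            new.append(tuple(sum(col) / len(members) for col in zip(*members))
                       if members else cents[c])
        if new == cents:
            break
        cents = new
    return assign, cents

def one_rule(points, labels):
    # Step 3 (OneR): keep the single "attribute >= threshold" test that
    # disagrees least with the cluster labels.
    best = None
    for f in range(len(FIELDS)):
        for t in sorted({p[f] for p in points}):
            errors = sum((p[f] >= t) != lab for p, lab in zip(points, labels))
            if best is None or errors < best[0]:
                best = (errors, f, t)
    return {"field": FIELDS[best[1]], "threshold": best[2], "errors": best[0]}

def train(points):
    assign, cents = kmeans(points)
    # Assumption: the cluster with the heavier centroid is the attack cluster.
    attack = max((0, 1), key=lambda c: sum(cents[c]))
    return one_rule(points, [a == attack for a in assign])

def is_attack(record, rule):
    # Cheap per-transaction check applied instead of re-clustering.
    return record[FIELDS.index(rule["field"])] >= rule["threshold"]

RULE = train(RECORDS)
```

The features are clustered unscaled, so `records_read` dominates the distance; with measures on very different ranges, normalizing each column before clustering avoids that.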

The proposed model is based on an Intrusion Detection System (IDS) to detect SQL injection attacks (SQLIAs), which involves a machine learning technique. The query parser generates the original query, clustering must be done on the injected query, and various attributes have been defined on the basis of which the behavior of the query must be judged. Figure 1 shows the proposed architecture.

3.4 The Algorithm Works on the Basis of the Following Three Main Components
Host Agent Module: Its purpose is to collect data on the above defined measures of
host and transmit these to the central manager.

Monitor Agent Module: Its work is to check execution frequency and program resource utilization and to report the results to the central manager.

Central Manager Module: It receives reports from the above two modules and
processes and correlates these reports to detect unauthorized access.
The agent collects each audit record produced by the native audit collection module. A filter is implemented that retains only those commands that are of security interest. Records are then formatted in a standardized format as the host audit record (HAR). After this, a template-driven logic module analyzes the SQL commands or unauthorized commands for suspicious activity. At the lowest stage, the agent scans for suspected events that are of interest independent of any past events. Examples include failed record accesses, accessing system files, and changing a file’s access control.

Fig. 1. Flow chart of Rule creation through clustering and Intrusion detection

Fig. 2. Architecture

At the next higher level, the agent looks for anomalous behavior of an individual
user based on a historical profile of that user, such as the number of programs
accessed or executed, number of records accessed, authorized for accessing the
records etc. When suspicious activity is detected, an alert is sent to the central
manager. The central manager module includes an expert system that can draw
inferences from received data. The manager can also query individual systems for
copies of HARs to correlate with those of other agents.

4 Result and Analysis

4.1 Result

The experiment was done to evaluate the detection rate for SQL injection; we used 3 different types of web applications, which is the same method as SQLCheck [15] and AMNESIA [16].

Table 1. Experiment Results

Audit Record   Proposed Algorithm               SQL Check [11]                   AMNESIA [12]
               Attack/Detection  Rate (%)       Attack/Detection  Rate (%)       Attack/Detection  Rate (%)
Employee       257/257           100            3937/3937         100            280/280           100
Record         298/298           100            3473/3473         100            182/182           100
Library        374/374           100            3685/3685         100            140/140           100
Portal

4.2 Analysis

This paper proposes a new SQL injection attack detection method that utilizes both static and dynamic analysis. An audit record is used to compare the attack frequency and the detection frequency to calculate the detection rate. As shown in Table 1, there is no difference in the detection rate compared to other researchers. This is because the SQL injection detection methods compare the static SQL queries with the dynamic SQL queries for detection rather than using machine learning or statistical methods. This results in a high detection rate. As a result, the detection rate cannot be used to judge the efficiency of the detection.

Columns: Detection/Prevention Method; Tautologies; Illegal/Incorrect Queries; Union Queries; Piggy-Backed Queries; Stored Procedures; Inference; Alternate Encodings

SQLCheck[11] ✓ ✓ ✗ ✓ ✓ ×
IDS o o o o o o o
SQLGuard ✓ ✓ ✗ ✓ ✓ ×
AMNESIA[12] ✓ ✓ ✗ ✓ ✓ ×
Security Gateway ✗ ✓ ✓ ✓ ✓ ✓ ✗
Proposed Method ✓ ✓ ✓ ✓ ✓ ✓ ✓

Symbols:
✓ Defines that detection and prevention is possible.
× Defines that detection and prevention is impossible.
o Defines that detection and prevention are partially possible.
✗ Defines that there is no relation.

5 Conclusions

In this paper, the various types of SQL injection attacks have been organized. Then we investigated SQL injection detection and prevention techniques. After that we proposed an algorithm to detect the SQL injection attack. As prevention is a little bit complicated, the focus is on detection and correction of unauthorized access or transactions. In future work we will separate the techniques which have been implemented as tools and then compare the effectiveness, efficiency, stability, flexibility and performance of the tools to show the strengths and weaknesses of each tool.

References
[1] Open Web Application Security Project, Top Web application vulnerabilities for (2010),
http://www.owasp.org/index.php/
[2] William, G.J., Fond, H., Orso, A.: Projecting applications using positive tainting and
syntax Member. IEEE Computer Society 34(1) (January - February 2008)
[3] Halfond, W.G., Viegas, T., Orso, A.: A Classification of SQL injection Attacks and
Counter measures. In: Proc. of the Intl. Symposium on Secure Software Engineering
(March 2006)
[4] Tajpour, A., Masrom, S.M.: SQL Injection Detection and Prevention Techniques. Proc.
International Journal of Advancements in Computing Technology 3(7) (August 2011)
[5] Kindy, D.A., Pathan, A.-S.K.: A Survey On SQL Injection: Vulnerabilities, Attacks And
Prevention Techniques. In: IEEE 15th International Symposium on Consumer Electronics
(2011)
[6] Kavi, S.B., Bisht, P., Madhusudan, P.: CANDID: Preventing SQL injection attacks using
Dynamic candidate Evaluations. ACM, Alexandria (2007)
[7] Cova, M., Balzarotti, D.: Swaddler: An approach for the Anomaly-based Detection of
state violations in web applications. In: Proceedings of the 10th International Symposium
on Recent Advances in Intrusion Detection, Queensland, Australia, pp. 63–86 (September
7, 2007)
[8] Wei, K., Muthuprasanna, M., Kothari, S.: Preventing SQL Injection Attacks in Stored
Procedures. In: Proceedings of the 2006 Australian Software Engineering Conference
(ASWEC). IEEE (2006)
[9] Kruegel, C., Vigna, G.: Anomaly Detection of Web based Attacks, CCS (2003)
[10] McDonald, S.: SQL Injection: Modes of attack, defense, and why it matters. White paper,
Government Security.org (April 2002)
[11] Bertino, E., Kamara, A., Early, J.P.: Profiling Database Application to Detect SQL
Injection Attacks (2007)
[12] Spett, K.: Blind sql injection. White paper, SPI Dynamics, Inc. (2003),
http://www.spidynamics.com/whitepapers/BlindSQLInjection.pdf
[13] Ezumalai, R., Aghila, G.: Combinatorial Approach for Preventing SQL Injection Attacks.
In: International Advance Computing Conference (IACC 2009). IEEE (2009)
[14] Muthuprasanna, M., Wei, K., Kothari, S.: Eliminating SQL Injection Attacks- A
Transparent Defense Mechanism. In: Eight IEEE International Symposium on Web Site
Evolution(WSE 2006) (2006)
[15] Halfond, W.G., Orso, A.: AMNESIA: Analysis and Monitoring for Neutralizing
SQL-Injection Attacks. In: Proceedings of the 20th IEEE/ACM International Conference
on Automated Software Engineering, pp. 174–183 (2005)
[16] Buehrer, G., Weide, B.W., Sivilotti, P.A.: Using Parse Tree Validation to Prevent SQL
Injection Attacks. In: Proceedings of the 5th International Workshop on Software
Engineering and Middleware, pp. 105–113 (2005)
[17] Kim, J.-G.: Injection Attack Detection using the Removal of SQL Query Attribute
Values, pp. 26–29. IEEE (2011)
[18] Anley, C.: Advanced SQL Injection In SQL Server Applications. White paper. Next
Generation Security Software Ltd (2002)
[19] Bouma, F.: Stored Procedures are Bad, O’kay? Technical report, Asp.Net Weblogs
(November 2003), http://weblogs.asp.net/fbouma/archive/2003/11/18/38178.aspx
[20] Fayo, E.M.: Advanced SQL Injection in Oracle Databases. Technical report, Argeniss
Information Security, Black Hat Briefings, Black Hat USA (2005)
[21] Finnigan, P.: SQL Injection and Oracle - Parts 1 & 2. Technical Report, Security Focus
(November 2002), http://securityfocus.com/infocus/1644,
http://securityfocus.com/infocus/1646
[22] Howard, M., LeBlanc, D.: Writing Secure Code, 2nd edn. Microsoft Press, Redmond
(2003)
[23] Labs, S.: SQL Injection. White paper. SPI Dynamics, Inc. (2002),
http://www.spidynamics.com/assets/documents/WhitepaperSQLInjection.pdf
