Profiling Database Application to Detect SQL Injection Attacks
Abstract
Countering threats to an organization's internal databases from database applications is an important area of research. In this paper, we propose a novel framework based on anomaly detection techniques, to detect malicious behaviour of database application programs. Specifically, we create a fingerprint of an application program based on SQL queries submitted by it to a database. We then use association rule mining techniques on this fingerprint to extract useful rules. These rules succinctly represent the normal behaviour of the database application. We then apply an anomaly detection algorithm to detect queries that do not conform to these rules. We further demonstrate how this model can be used to detect SQL Injection attacks on databases. We show the validity and usefulness of our approach on synthetically generated datasets and SQL Injected queries. Experimental results show that our techniques are effective in addressing various types of SQL Injection threat scenarios
Keywords
databases, applications, SQL, anomaly detection, malicious behaviour, query, validity
Date of this Version
4-2007
Comments
Performance, Computing, and Communications Conference, 2007. IPCCC 2007.
April 2007, page(s): 449 - 458, New Orleans, LA, USA