Collaborative SQL-injections detection system with machine learning
M Lodeiro-Santiago, C Caballero-Gil, P Caballero-Gil

TL;DR
This paper presents a machine learning-based system for detecting SQL injection attacks by analyzing web server logs, classifying attack vectors, and deploying a distributed network to prevent malicious queries.
Contribution
It introduces a novel approach combining behavior analysis, pattern extraction, and distributed machine learning for accurate SQL injection detection.
Findings
Detection accuracy between 97% and 99%
Effective classification of attack risk levels
Distributed network for real-time attack blocking
Abstract
Data mining and information extraction from data is a field that has gained relevance in recent years thanks to techniques based on artificial intelligence and use of machine and deep learning. The main aim of the present work is the development of a tool based on a previous behaviour study of security audit tools (oriented to SQL pentesting) with the purpose of creating testing sets capable of performing an accurate detection of a SQL attack. The study is based on the information collected through the generated web server logs in a pentesting laboratory environment. Then, making use of the common extracted patterns from the logs, each attack vector has been classified in risk levels (dangerous attack, normal attack, non-attack, etc.). Finally, a training with the generated data was performed in order to obtain a classifier system that has a variable performance between 97 and 99…
Taxonomy
Topics: Network Security and Intrusion Detection · Web Application Security Vulnerabilities · Advanced Malware Detection Techniques
