Multi-Agent Honeypot-Based Request-Response Context Dataset for Improved SQL Injection Detection Performance
Hao Yu, Hui Li, FengYuan Shi, Wenjie Yu, PinHan Ho, Zehua Wang, Bin Wang

TL;DR
This paper introduces a multi-agent honeypot system to create a rich request-response dataset that significantly improves SQL injection detection accuracy by incorporating contextual information often missing in traditional payload-only methods.
Contribution
The paper presents a novel multi-agent honeypot framework for constructing a high-quality, context-enriched dataset that enhances SQL injection detection performance over existing payload-only approaches.
Findings
Models trained on the context dataset outperform payload-only models by over 40% in accuracy.
The dataset contains 140,973 labeled request-response pairs with contextual cues.
Context-aware models better detect obfuscated and evolving SQL injection attacks.
Abstract
SQL injection remains a major threat to web applications, as existing defenses often fail against obfuscation and evolving attacks because they neglect the request-response context. This paper presents a context-enriched SQL injection detection framework, focusing on constructing a high-quality request-response dataset via a multi-agent honeypot system: the Request Generator Agent produces diverse malicious/benign requests, the Database Response Agent mediates interactions to ensure authentic responses while protecting production data, and the Traffic Monitor pairs requests with responses, assigns labels, and cleans data, yielding a total of 140,973 labeled pairs with contextual cues absent in payload-only data. Experiments show that models trained on this context dataset outperform payload-only counterparts: CNN and BiLSTM achieve over 40% accuracy improvement in different tasks,…
Taxonomy
Topics: Web Application Security Vulnerabilities · Security and Verification in Computing · Spam and Phishing Detection
