A Learning-Based Approach to the Detection of SQL Attacks

  • Fredrik Valeur
  • Darren Mutz
  • Giovanni Vigna
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3548)


Web-based systems are often a composition of infrastructure components, such as web servers and databases, and of application-specific code, such as HTML-embedded scripts and server-side applications. While the infrastructure components are usually developed by experienced programmers with solid security skills, the application-specific code is often developed under strict time constraints by programmers with little security training. As a result, vulnerable web applications are deployed and made available to the Internet at large, creating easily exploitable entry points for the compromise of entire networks.

Web-based applications often rely on back-end database servers to manage application-specific persistent state. The data is usually extracted by performing queries that are assembled using input provided by the users of the applications. If user input is not sanitized correctly, it is possible to mount a variety of attacks that leverage web-based applications to compromise the security of back-end databases. Unfortunately, it is not always possible to identify these attacks using signature-based intrusion detection systems, because of the ad hoc nature of many web-based applications. Signatures are rarely written for this class of applications due to the substantial investment of time and expertise this would require.

We have developed an anomaly-based system that learns the profiles of the normal database access performed by web-based applications using a number of different models. These models allow for the detection of unknown attacks with reduced false positives and limited overhead. In addition, our solution represents an improvement with respect to previous approaches because it reduces the possibility of executing SQL-based mimicry attacks.


Keywords: Intrusion Detection, Machine Learning, Web Attacks, Databases





Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Fredrik Valeur (1)
  • Darren Mutz (1)
  • Giovanni Vigna (1)
  1. Reliable Software Group, Department of Computer Science, University of California, Santa Barbara
