A Pattern Recognition Neural Network Model for Detection and Classification of SQL Injection Attacks
Thousands of organisations store important and
confidential information related to them, their customers, and their
business partners in databases all across the world. The stored data
ranges from less sensitive (e.g. first name, last name, date of birth) to
more sensitive data (e.g. password, pin code, and credit card
information). Losing data, disclosing confidential information or
even changing the value of data are the severe damages that
Structured Query Language injection (SQLi) attack can cause on a
given database. It is a code injection technique where malicious SQL
statements are inserted into a given SQL database by simply using a
web browser. In this paper, we propose an effective pattern
recognition neural network model for detection and classification of
SQLi attacks. The proposed model is built from three main elements
of: a Uniform Resource Locator (URL) generator in order to generate
thousands of malicious and benign URLs, a URL classifier in order
to: 1) classify each generated URL to either a benign URL or a
malicious URL and 2) classify the malicious URLs into different
SQLi attack categories, and a NN model in order to: 1) detect either a
given URL is a malicious URL or a benign URL and 2) identify the
type of SQLi attack for each malicious URL. The model is first
trained and then evaluated by employing thousands of benign and
malicious URLs. The results of the experiments are presented in
order to demonstrate the effectiveness of the proposed approach.
 W. G. Halfond, J. Viegas, and A. Orso, “A Classification of SQLInjection
Attacks and countermeasures”, in Proc. of the Internet
Symposium on Secure Software Engineering (ISSSE 2006), Mar. 2006.
 R. Romil, R. Shailendra, "SQL injection attack Detection using SVM",
in International Journal of Computer Applications, V.42, N.13, March
 C. Gould, Z. Su, and P. Devanbu, "JDBC checker: A static analysis tool
for SQL/JDBC applications," 2004, pp. 697- 698.
 N. A. Lambert and K. Song Lin, “Use of Query Tokenization to detect
and prevent SQL Injection Attacks”, IEEE, 2010.
 A. Srinivas, G. Narayan, S. Ram, “Random4: An Application Specific
Randomized Encryption Algorithm to prevent SQL injection, in Trust,
Security and Privacy in Computing and Communications (TrustCom)”,
2012 IEEE 11th International Conference, pp.no. 1327 – 133, 25-27
 V. Shanmughaneethi, C. Emilin Shyni and S. Swamynathan,
“SBSQLID: Securing Web Applications with Service Based SQL
Injection Detection” 2009 International Conference on Advances in
Computing, Control, and Telecommunication Technologies, 978-0-
7695-3915-7/09, 2009 IEEE.
 K. Zhang, Ch. Lin, Sh. Chen, Y. Hwang, H. Huang, and F. Hsu,
“TransSQL: A Translation and Validation-based Solution for SQLInjection
Attacks”, First International Conference on Robot, Vision and
Signal Processing, IEEE, 2011.
 W. G. Halfond and A. Orso, “AMNESIA: Analysis and Monitoring for
NEutralizing SQL-Injection Attacks”, In Proceedings of the IEEE and
ACM International Conference on Automated Software Engineering
(ASE 2005), Long Beach, CA, USA, Nov 2005.
 R. McClure and I. Kruger, “SQL DOM: Compile Time Checking of
Dynamic SQL Statements”, In Proceedings of the 27th International
Conference on Software Engineering (ICSE 05), pages 88–96, 2005.
 Stephen W. Boyd, Angelos D. Keromytis, “SQLrand: Preventing SQL
 Y. Huang, S. Huang, T. Lin, and C. Tsai, “Web Application Security
Assessment by Fault Injection and Behavior Monitoring”, In
Proceedings of the 11th International World Wide Web Conference
(WWW 03), May 2003.
 Z. Su and G. Wassermann, “The Essence of Command Injection Attacks
in Web Applications”, In the 33rd Annual Symposium on Principles of
Programming Languages (POPL 2006), Jan. 2006.
 Open Web Application Security Project (OWASP), available at:
https://www.owasp.org/index.php/About_OWASP (retrieved: Dec,
 Open Web Application Security Project (OWASP) top 10, available at:
 MATLAB R2014a, available at: http://www.mathworks.co.uk
(retrieved: Dec, 2014).
 N. Moradpoor, “Employing Neural Networks for the Detection of SQL
Injection Attack”, In The 7th conference on Security of Information and
Networks (SIN2014), Sep 2014.
 Alexa, Bringing Information into Focus, available at:
http://www.alexa.com/topsites/countries/GB (retrieved: Dec, 2014).
 Introduction to SQL, available at:
http://www.w3schools.com/sql/sql_intro.asp (retrieved: June, 2015).