Application of Hidden Markov Model in SQL Injection Detection

Bibliographic Details
Published in: 2017 IEEE 41st Annual Computer Software and Applications Conference (COMPSAC) Vol. 2; pp. 578 - 583
Main Authors: Peng Li, Lei Liu, Jing Xu, Hongji Yang, Liying Yuan, Chenkai Guo, Xiujuan Ji
Format: Conference Proceeding
Language: English
Published: IEEE 01.07.2017
Summary: Due to the increasing complexity of web and client application structures, security problems have become more and more critical. Among all the threats reported, SQL Injection Attacks (SQLIAs) have always been top-ranked in recent years, and network logs, which are very important for the detection of SQLIAs, are often utilized to analyze users' attacking behaviors. However, the collection of network logs is often compromised due to the growing complexity of network structure, leading to a great challenge for log-based SQLIA detection. In view of this, this paper proposes a novel approach to the detection of SQLIAs based on log analysis with a Hidden Markov Model (HMM), combined with statistical characteristics and feature matching. At first, we build browsing behavior models of attackers and legal users. Furthermore, we use the HMM to restore users' browsing procedures from the customised user logs. Finally, the method detects SQLIAs by analyzing the behavior of users in reality, without requiring sensitive information submitted by users. Our experiments show that the proposed method can detect possible SQLIAs and identify malicious users effectively, and has higher accuracy in comparison with the K-means method.
ISSN: 0730-3157
DOI: 10.1109/COMPSAC.2017.64