
A Learning-Based Approach to the Detection of SQL Attacks

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 3548)

Abstract

Web-based systems are often a composition of infrastructure components, such as web servers and databases, and of application-specific code, such as HTML-embedded scripts and server-side applications. While the infrastructure components are usually developed by experienced programmers with solid security skills, the application-specific code is often developed under strict time constraints by programmers with little security training. As a result, vulnerable web applications are deployed and made available to the Internet at large, creating easily exploitable entry points for the compromise of entire networks.

Web-based applications often rely on back-end database servers to manage application-specific persistent state. The data is usually extracted by performing queries that are assembled using input provided by the users of the applications. If user input is not sanitized correctly, it is possible to mount a variety of attacks that leverage web-based applications to compromise the security of back-end databases. Unfortunately, it is not always possible to identify these attacks using signature-based intrusion detection systems, because of the ad hoc nature of many web-based applications. Signatures are rarely written for this class of applications due to the substantial investment of time and expertise this would require.

We have developed an anomaly-based system that learns the profiles of the normal database access performed by web-based applications using a number of different models. These models allow for the detection of unknown attacks with reduced false positives and limited overhead. In addition, our solution represents an improvement with respect to previous approaches because it reduces the possibility of executing SQL-based mimicry attacks.
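To make the anomaly-based idea concrete, here is a small added example (written for this page, not the authors' libAnomaly implementation): it learns the structure of the queries an application normally issues by replacing literals with placeholders, then flags any query whose structure was never observed during training. The tokenizer, the training queries and the tested queries are all constructed for the example.

```python
import re

# Tokenizer for a simplified SQL dialect (constructed for this example; not the paper's parser).
_TOKEN = re.compile(
    r"(?P<str>'(?:[^']|'')*')"              # single-quoted string literal ('' escapes a quote)
    r"|(?P<num>\b\d+(?:\.\d+)?\b)"           # numeric literal
    r"|(?P<ident>[A-Za-z_][A-Za-z0-9_.]*)"   # keyword, identifier or dotted column name
    r"|(?P<op><>|<=|>=|!=|--|[^\s\w])"       # operator or punctuation (including a stray quote)
)

def skeleton(query: str) -> str:
    """Reduce a query to its structure: every literal becomes '?', words are uppercased."""
    parts = []
    for m in _TOKEN.finditer(query):
        if m.lastgroup in ("str", "num"):
            parts.append("?")
        elif m.lastgroup == "ident":
            parts.append(m.group().upper())
        else:
            parts.append(m.group())
    return " ".join(parts)

class QueryProfile:
    """Learned profile of the query structures an application normally issues."""
    def __init__(self):
        self.skeletons = set()
    def train(self, queries):
        """Training phase: record the structure of every benign query observed."""
        for q in queries:
            self.skeletons.add(skeleton(q))
    def is_anomalous(self, query: str) -> bool:
        """Detection phase: a structure never seen during training is flagged."""
        return skeleton(query) not in self.skeletons

# Constructed training set: what the application sent while serving only benign requests.
TRAINING = [
    "SELECT id, pwd FROM users WHERE name = 'alice'",
    "SELECT id, pwd FROM users WHERE name = 'bob'",
    "SELECT title FROM posts WHERE author_id = 17 ORDER BY created DESC",
    "SELECT title FROM posts WHERE author_id = 3 ORDER BY created DESC",
]
PROFILE = QueryProfile()
PROFILE.train(TRAINING)

if __name__ == "__main__":  # a new value, an injected tautology, and an appended UNION
    for q in ("SELECT id, pwd FROM users WHERE name = 'carol'",
              "SELECT id, pwd FROM users WHERE name = '' OR '1'='1'",
              "SELECT title FROM posts WHERE author_id = 17 UNION SELECT pwd FROM users"):
        print("ANOMALY" if PROFILE.is_anomalous(q) else "normal ", q)
```

Only the first test query keeps the learned skeleton; a query with a different literal value is still normal, while unsanitized input that changes the query's structure is flagged without any attack signature.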




Copyright information

© 2005 Springer-Verlag Berlin Heidelberg


Cite this paper

Valeur, F., Mutz, D., Vigna, G. (2005). A Learning-Based Approach to the Detection of SQL Attacks. In: Julisch, K., Kruegel, C. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2005. Lecture Notes in Computer Science, vol 3548. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11506881_8


  • DOI: https://doi.org/10.1007/11506881_8

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-26613-6

  • Online ISBN: 978-3-540-31645-9

  • eBook Packages: Computer Science (R0)
