
Learning SQL for Database Intrusion Detection Using Context-Sensitive Modelling (Extended Abstract)

  • Conference paper

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 5587))

Abstract

Modern multi-tier application systems are generally built on high-performance database systems in order to process and store business information. Because they hold valuable business information, these systems are highly attractive to attackers, and special care needs to be taken to prevent any malicious access to the database layer. In this work we propose a novel approach for modelling SQL statements so that machine learning techniques, such as clustering or outlier detection, can be applied to detect malicious behaviour at the database transaction level. The approach uses the parse tree structure of SQL queries as a characteristic, e.g. for correlating SQL queries with the applications that issue them and for distinguishing benign from malicious queries. We demonstrate the usefulness of our approach on real-world data.
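As an added illustration of the idea in the abstract (not the authors' code and not their tree-kernel method), the following reduces each statement to a syntactic skeleton, learns the skeletons each application issues during a training phase, and reports a statement whose structure was never observed for that application. The tokenizer, the tiny SQL subset, the `ContextProfile` class and all sample queries are assumptions constructed for this example.

```python
import re
from collections import defaultdict

# Tokenizer for a small SQL subset; constructed for this example, not the paper's parser.
_TOKEN_RE = re.compile(r"""
    (?P<str>'(?:[^']|'')*')              # string literal, '' escapes a quote
  | (?P<num>\b\d+(?:\.\d+)?\b)           # numeric literal
  | (?P<cmt>--[^\n]*)                    # line comment (kept as a structural marker)
  | (?P<word>[A-Za-z_][A-Za-z0-9_.]*)    # keyword or identifier
  | (?P<op><=|>=|<>|!=|[=<>*,();])       # operators and punctuation
  | (?P<ws>\s+)
""", re.VERBOSE)

KEYWORDS = {"SELECT", "FROM", "WHERE", "AND", "OR", "NOT", "LIKE", "INSERT",
            "INTO", "VALUES", "UPDATE", "SET", "DELETE", "ORDER", "BY", "LIMIT", "UNION"}

def skeleton(sql):
    """Reduce a statement to its syntactic structure: keywords, identifiers and
    operators are kept, literals collapse to placeholders. A changed parameter
    value leaves the skeleton unchanged; an added clause or condition does not."""
    out, pos = [], 0
    while pos < len(sql):
        m = _TOKEN_RE.match(sql, pos)
        if m is None:
            raise ValueError(f"unexpected input at offset {pos}: {sql[pos:pos + 10]!r}")
        pos, kind = m.end(), m.lastgroup
        if kind == "ws":
            continue
        if kind == "str":
            out.append("<STR>")
        elif kind == "num":
            out.append("<NUM>")
        elif kind == "cmt":
            out.append("<COMMENT>")
        elif kind == "word":
            upper = m.group().upper()
            out.append(upper if upper in KEYWORDS else "id:" + m.group().lower())
        else:
            out.append(m.group())
    return tuple(out)

class ContextProfile:
    """Per-application set of skeletons seen during a training phase (the
    'context' here is simply the application that issued the statement)."""
    def __init__(self):
        self._seen = defaultdict(set)
    def train(self, app, sql):
        self._seen[app].add(skeleton(sql))
    def is_anomalous(self, app, sql):
        # A structure never seen for this application is reported for review.
        return skeleton(sql) not in self._seen.get(app, set())
```

Only the structure is compared, so a legitimate query with different literal values passes while an extra condition, comment or clause in an otherwise familiar statement is flagged; a real deployment would also need to handle prepared statements and the statements a new release introduces.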




Copyright information

© 2009 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Bockermann, C., Apel, M., Meier, M. (2009). Learning SQL for Database Intrusion Detection Using Context-Sensitive Modelling (Extended Abstract). In: Flegel, U., Bruschi, D. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2009. Lecture Notes in Computer Science, vol 5587. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-02918-9_12


  • DOI: https://doi.org/10.1007/978-3-642-02918-9_12

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-02917-2

  • Online ISBN: 978-3-642-02918-9

  • eBook Packages: Computer Science (R0)
