Hash learning based malicious SQL detection

doi:10.11772/j.issn.1001-9081.2020060967

Journal of Computer Applications ›› 2021, Vol. 41 ›› Issue (1): 121-126.DOI: 10.11772/j.issn.1001-9081.2020060967

Special Issue: 第八届中国数据挖掘会议(CCDM 2020)

• China Conference on Data Mining 2020 (CCDM 2020) • Previous Articles Next Articles

Hash learning based malicious SQL detection

LI Mingwei¹, JIANG Qingyuan¹, XIE Yinpeng¹, HE Jindong², WU Dan²

1. National Key Laboratory for Novel Software Technology(Nanjing university), Nanjing Jiangsu 210023, China;
2. Electric Power Science Research Institute, State Grid Fujian Electric Power Company Limited, Fuzhou Fujian 350007, China

Received:2020-05-31 Revised:2020-08-03 Online:2021-01-10 Published:2021-01-16
Supported by:
This work is partially supported by the Science and Technology Project of State Grid Corporation of China (SGGR0000XTJS1900448).

基于哈希学习的异常SQL检测

李明威¹, 蒋庆远¹, 解银朋¹, 何金栋², 吴丹²

1. 计算机软件新技术国家重点实验室(南京大学), 南京 210023;
2. 国家电网福建省电力有限公司电力科学研究院, 福州 350007

通讯作者: 蒋庆远
作者简介:李明威(1995-),男,江苏南通人,硕士研究生,主要研究方向:机器学习、哈希学习;蒋庆远(1991-),男,云南腾冲人,博士研究生,主要研究方向:机器学习、哈希学习;解银朋(1997-),男,河南项城人,硕士研究生,主要研究方向:分布式机器学习;何金栋(1982-),男,福建福州人,高级工程师,硕士,主要研究方向:网络安全;吴丹(1987-),女,吉林长春人,工程师,硕士,主要研究方向:网络安全。
基金资助:
国家电网总部科技项目（SGGR0000XTJS1900448）。

Abstract

Abstract: To solve the high storage cost and low retrieval speed problems in malicious Structure Query Language (SQL) detection faced by Nearest Neighbor (NN) method, a Hash learning based Malicious SQL Detection (HMSD) method was proposed. In this algorithm, Hash learning was used to learn the binary coding representation for SQL statements. Firstly, the SQL statements were presented as real-valued features by washing and deleting the duplicated SQL statements. Secondly, the isotropic hashing was used to learn the binary coding representation for SQL statements. Lastly, the retrieval procedure was performed and the detection speed was improved by using binary coding representation. Experimental results show that on the malicious SQL detection dataset Wafamole, the dataset is randomly divided so that the training set contains 10 000 SQL statements and the test set contains 30 000 SQL statements, at the length of 128 bits, compared with nearest neighbor method, the proposed algorithm has the detection accuracy increased by 1.3%, the False Positive Rate (FPR) reduced by 0.19%,the False Negative Rate (FNR) decreased by 2.41%, the retrieval time reduced by 94%, the storage cost dropped by 97.5%; compared with support vector machine method, the proposed algorithm has the detection accuracy increased by 0.17%, which demonstrate that the proposed algorithm can solve the problems of nearest neighbor method in malicious SQL detection.

Key words: malicious SQL detection, Nearest Neighbor (NN), binary coding representation, Hash learning, large-scale retrieval

摘要： 针对最近邻（NN）方法在异常结构化查询语句（SQL）检测应用中面临的存储开销大、检索速度慢的问题，提出了一种基于哈希学习的异常SQL检测（HMSD）方法。该算法利用哈希学习来学习查询SQL语句的二值编码表示。首先，对查询SQL语句进行清洗去重，从而将查询SQL语句表示为实值特征形式；然后利用等方差哈希方法来学习查询SQL语句的二值编码表示；最后，通过二值编码表示进行检索并提高异常SQL检测的速度。实验结果表明，在异常SQL检测数据集Wafamole上，将数据集进行随机划分，使训练集包含10 000条SQL语句，测试集包含30 000条SQL语句，在128比特长度下，与最近邻方法相比，所提算法的检测精度提高了1.3%，假正例率（FPR）降低了0.19%，假负例率（FNR）降低了2.41%，检索时间减少了94%，存储开销降低了97.5%；与支持向量机方法相比，所提算法的检测精度提高了0.17%，验证了所提算法能解决最近邻方法在异常SQL检测中存在的问题。

关键词: 异常SQL检测, 最近邻, 二值编码表示, 哈希学习, 大规模检索

CLC Number:

TP391

LI Mingwei, JIANG Qingyuan, XIE Yinpeng, HE Jindong, WU Dan. Hash learning based malicious SQL detection[J]. Journal of Computer Applications, 2021, 41(1): 121-126.

李明威, 蒋庆远, 解银朋, 何金栋, 吴丹. 基于哈希学习的异常SQL检测[J]. 计算机应用, 2021, 41(1): 121-126.

References

[1] BOBERSKI M. The ten most critical Web application security risks[R]. Bel Air,MD:OWASP,2010.
[2] CECCATO M,NGUYEN C D,APPELT D,et al. SOFIA:an automated security oracle for black-box testing of SQL-injection vulnerabilities[C]//Proceedings of the 31st IEEE/ACM International Conference on Automated Software Engineering. Piscataway:IEEE,2016:167-177.
[3] ZHANG L,ZHANG D,WANG C,et al. ART4SQLi:the ART of SQL injection vulnerability discovery[J]. IEEE Transactions on Reliability,2019,68(4):1470-1489.
[4] LI Q,LI W,WANG J,et al. A SQL injection detection method based on adaptive deep forest[J]. IEEE Access,2019,7:145385-145394.
[5] SANTHOSH KUMAR B J, ANASWARA P P. Vulnerability detection and prevention of SQL injection[J]. International Journal of Engineering and Technology,2018,7(2):16-18.
[6] 王溢, 李舟军, 郭涛. 防御代码注入式攻击的字面值污染方法[J]. 计算机研究与发展,2012,49(11):2414-2423.(WANG Y, LI Z J, GUO T. Literal tainting method for preventing code injection attack in web application[J]. Journal of Computer Research and Development,2012,49(11):2414-2423.)
[7] LI L,QI J,LIU N,et al. Static-based test case dynamic generation for SQLIVs detection[C]//Proceedings of the 10th International Conference on Broadband and Wireless Computing,Communication and Applications. Piscataway:IEEE,2015:173-177.
[8] SHAR L K,TAN H B K. Defeating SQL injection[J]. Computer, 2013,46(3):69-77.
[9] CHOI J,KIM H,CHOI C,et al. Efficient malicious code detection using N-gram analysis and SVM[C]//Proceedings of the 14th International Conference on Network-Based Information Systems. Piscataway:IEEE,2011:618-621.
[10] LEI X,QU J,YAO G,et al. Design and implementation of an automatic scanning tool of SQL injection vulnerability based on web crawler[C]//Proceedings of the 2018 International Conference on Security with Intelligent Computing and Big-data Services, AISC 895. Cham:Springer,2018:481-488.
[11] FANG Y,PENG J,LIU L,et al. WOVSQLI:detection of SQL injection behaviors using word vector and LSTM[C]//Proceedings of the 2nd International Conference on Cryptography,Security and Privacy. New York:ACM,2018:170-174.
[12] KOMIYA R,PAIK I,HISADA M. Classification of malicious web code by machine learning[C]//Proceedings of the 3rd International Conference on Awareness Science and Technology. Piscataway:IEEE,2011:406-411.
[13] 何金栋. 基于PHP的Web应用SQL注入漏洞检测系统的设计和实现[J]. 电子测试,2017(24):72-73.(HE J D. Design and implementation of SQL injection vulnerability detection system based on PHP for Web applications[J]. Electronic Test,2017(24):72-73.)
[14] KAR D, PANIGRAHI S, SUNDARARAJAN S. SQLiGoT:detecting SQL injection attacks using graph of tokens and SVM[J]. Computers and Security,2016,60:206-225.
[15] MITROPOULOS D,LOURIDAS P,POLYCHRONAKIS M,et al. Defending against web application attacks:approaches, challenges and implications[J]. IEEE Transactions on Dependable and Secure Computing,2019,16(2):188-203.
[16] KAUR N,KAUR P. Mitigation of SQL injection attacks using threat modeling[J]. ACM SIGSOFT Software Engineering Notes, 2014,39(6):1-6.
[17] 李武军, 周志华. 大数据哈希学习:现状与趋势[J]. 科学通报, 2015,60(5/6):485-490.(LI W J,ZHOU Z H. Learning to hash for big data:current status and future trends[J]. Chinese Science Bulletin,2015,60(5/6):485-490.)
[18] 李武军, 蒋庆远. 哈希学习[J]. 中国人工智能学会通讯, 2016,6(9):9-15.(LI W J,JIANG Q Y. Hash learning[J]. Chinese Association for Artificial Intelligence,2016,6(9):9-15.)
[19] ANDONI A, INDYK P. Near-optimal hashing algorithms for approximate nearest neighbor in high dimensions[C]//Proceedings of the 47th Annual IEEE Symposium on Foundations of Computer Science. Piscataway:IEEE,2006:459-468.
[20] KONG W,LI W. Isotropic hashing[C]//Proceedings of the 25th International Conference on Neural Information Processing Systems. Red Hook,NY:Curran Associates Inc.,2012:1646-1654.
[21] DEMETRIO L,VALENZA A,COSTA G,et al. WAF-A-MoLE:evading web application firewalls through adversarial machine learning[C]//Proceedings of the 35th Annual ACM Symposium on Applied Computing. New York:ACM,2020:1745-1752.

Hash learning based malicious SQL detection

基于哈希学习的异常SQL检测

PDF

Knowledge

Abstract

Cite this article

share this article

References

Related Articles 2

Recommended Articles

Metrics

[1]	LI Song, LI Lin, WANG Miao, CUI Huanyu, ZHANG Liping. Construction of rectangle trapezoid circle tree and indeterminate near neighbor relations query [J]. Journal of Computer Applications, 2015, 35(1): 115-120.
[2]	刘星毅 LIU Xing-Yi. Improved kNN algorithm based on Mahalanobis distance and gray analysis [J]. Journal of Computer Applications, 2009, 29(09): 2502-2504.