Enhancing SQL Injection Attack Prevention: A Framework for Detection, Secure Development, and Intelligent Techniques

Authors

  • Nanang Cahyadi Telkom University
  • Syifa Nurgaida Yutia Telkom University
  • Pietra Dorand

DOI:

https://doi.org/10.52661/j_ict.v5i2.233

Keywords:

SQL Injection, Artificial Intelligence, Detection, Prevention

Abstract

SQL injection attacks (SQLIAs) are a growing threat as more organizations deploy web applications and databases that remain vulnerable to them. By manipulating the queries an application sends to its database, an SQLIA can read, alter or destroy confidential data. This paper makes three contributions to SQLIA detection research: first, a literature review assessing current detection and prevention systems, from which an SQL injection detection framework is derived; second, specialized deep learning models that optimize session pattern analysis and feature engineering to improve detection performance; third, a comparison of the proposed models against previous defenses to surface promising research directions. The results highlight opportunities such as real-time systems that generalize across attack variants through emerging techniques. As attack complexity rises, a systematized investigation of SQLIAs is warranted: despite extensive study, current perspectives lack cohesive guidance for mitigation strategies. The paper therefore proposes a framework that holistically maps knowledge gaps around contemporary SQLIAs, the principal threats to web applications, and available security solutions. A further multi-faceted framework organizes research trends into three areas: hardening existing applications, detecting attacks on production systems, and integrating secure development practices. The literature suggests that comprehensive resilience requires concurrent strength across all three. Future work remains in integrated frameworks, adoption of deep reinforcement learning, automated AI auditing, and differential privacy to advance real-world SQL injection detection and prevention.
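As an added illustration (example code, not code from the paper or its authors), the following Python script shows the query manipulation the abstract describes against an in-memory SQLite database, the parameterized query that neutralises it, and a toy lexical feature extractor of the kind the surveyed machine-learning detectors are trained on. The schema, the function names, the keyword list, the scoring weights and every sample input are constructed for this example and are not taken from the paper.

```python
"""Added example, not code from the paper: the query manipulation the
abstract describes, run against an in-memory SQLite database, beside the
parameterized query that neutralises it, and a toy syntax-feature extractor
of the kind the surveyed detectors are trained on.  The schema, the
function names and every sample input are constructed for illustration."""
import re
import sqlite3

# Constructed sample data; nothing here comes from the paper.
SAMPLE_USERS = [(1, "alice", "s3cret"), (2, "bob", "hunter2")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    # Deliberately vulnerable: concatenating input lets it rewrite the query.
    # A username of  ' OR '1'='1' --  turns the WHERE clause into a tautology
    # and comments out the password check, so every user is returned.
    sql = (
        "SELECT name FROM users WHERE name = '" + username
        + "' AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> list:
    # Hardened: the driver binds the values as data, so quote characters,
    # comment markers and keywords in the input never become SQL tokens.
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


# Keywords that rarely appear in a legitimate username or password field
# (constructed list, not the paper's feature set).
SQL_KEYWORDS = {"select", "union", "or", "and", "insert", "update", "delete",
                "drop", "sleep", "benchmark", "waitfor"}
# Matches x=x / '1'='1' style tautologies; the lookahead stops a=ab matching.
TAUTOLOGY = re.compile(r"(\w+|'[^']*')\s*=\s*\1(?!\w)")


def extract_features(value: str) -> dict:
    # Toy lexical features of the kind that feed the machine-learning
    # detectors the abstract refers to; they are not the paper's features.
    lowered = value.lower()
    return {
        "quotes": value.count("'") + value.count('"'),
        "comment_markers": len(re.findall(r"--|#|/\*", value)),
        "sql_keywords": sum(t in SQL_KEYWORDS for t in re.findall(r"[a-z_]+", lowered)),
        "tautology": int(TAUTOLOGY.search(lowered) is not None),
    }


def is_suspicious(value: str, threshold: int = 2) -> bool:
    # Hand-weighted score standing in for a trained model: a lone apostrophe
    # (O'Brien) scores 1 and is not flagged, the classic payload scores 5.
    f = extract_features(value)
    score = (2 * f["tautology"] + f["comment_markers"]
             + f["sql_keywords"] + (1 if f["quotes"] else 0))
    return score >= threshold


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1' --"
    print("vulnerable   :", login_vulnerable(db, payload, "x"))     # ['alice', 'bob']
    print("parameterized:", login_parameterized(db, payload, "x"))  # []
    for v in ("alice", "O'Brien", payload):
        print(f"{v!r:22} suspicious={is_suspicious(v)} {extract_features(v)}")
```

The two login functions map onto the paper's first and third pillars (hardening existing applications and secure development): binding parameters is the control that actually removes the vulnerability, and it should be applied regardless of any detector. The feature extractor and score stand in for the second pillar (detecting attacks on production systems); a real deployment would replace the hand-weighted threshold with a model trained on labelled request logs, but the features it consumes are of exactly this shape. Note that a legitimate name containing an apostrophe, such as O'Brien, makes the concatenated query fail with a syntax error while passing cleanly through the parameterized one, which is itself a useful signal when auditing an application for injectable query sites.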

Published

2023-12-26

How to Cite

Cahyadi, N., Nurgaida Yutia, S., & Dorand, P. (2023). Enhancing SQL Injection Attack Prevention: A Framework for Detection, Secure Development, and Intelligent Techniques. Journal of Informatics and Communication Technology (JICT), 5(2), 138–148. https://doi.org/10.52661/j_ict.v5i2.233

Section

Informatika