Profiling Database Application to Detect SQL Injection Attacks

Countering threats to an organization´s internal databases from database applications is an important area of research. In this paper, we propose a novel framework based on anomaly detection techniques, to detect malicious behaviour of database application programs. Specifically, we create a fingerprint of an application program based on SQL queries submitted by it to a database. We then use association rule mining techniques on this fingerprint to extract useful rules. These rules succinctly represent the normal behaviour of the database application. We then apply an anomaly detection algorithm to detect queries that do not conform to these rules. We further demonstrate how this model can be used to detect SQL Injection attacks on databases. We show the validity and usefulness of our approach on synthetically generated datasets and SQL Injected queries. Experimental results show that our techniques are effective in addressing various types of SQL Injection threat scenarios.