SSQLi: A Black-Box Adversarial Attack Method for SQL Injection Based on Reinforcement Learning-Reference-Cited by-同舟云学术

SSQLi: A Black-Box Adversarial Attack Method for SQL Injection Based on Reinforcement Learning

Published:2023-03-30 Issue:4 Volume:15 Page:133
ISSN:1999-5903
Container-title:Future Internet
language:en
Short-container-title:Future Internet

Author:

Guan Yuting¹,He Junjiang¹,Li Tao¹,Zhao Hui¹,Ma Baoqiang¹

Affiliation:

1. School of cyber Science and Engineering, Sichuan University, Chengdu 610065, China

Abstract

SQL injection is a highly detrimental web attack technique that can result in significant data leakage and compromise system integrity. To counteract the harm caused by such attacks, researchers have devoted much attention to the examination of SQL injection detection techniques, which have progressed from traditional signature-based detection methods to machine- and deep-learning-based detection models. These detection techniques have demonstrated promising results on existing datasets; however, most studies have overlooked the impact of adversarial attacks, particularly black-box adversarial attacks, on detection methods. This study addressed the shortcomings of current SQL injection detection techniques and proposed a reinforcement-learning-based black-box adversarial attack method. The proposal included an innovative vector transformation approach for the original SQL injection payload, a comprehensive attack-rule matrix, and a reinforcement-learning-based method for the adaptive generation of adversarial examples. Our approach was evaluated on existing web application firewalls (WAF) and detection models based on machine- and deep-learning methods, and the generated adversarial examples successfully bypassed the detection method at a rate of up to 97.39%. Furthermore, there was a substantial decrease in the detection accuracy of the model after multiple attacks had been carried out on the detection model via the adversarial examples.

Funder

National Key Research and Development Program of China

National Natural Science Foundation of China

China Postdoctoral Science Foundation

Fundamental Research Funds for the Central Universities

Publisher

MDPI AG

Subject

Computer Networks and Communications

Link

https://www.mdpi.com/1999-5903/15/4/133/pdf

Reference34 articles.

1. OWASP (2022, June 04). OWASP Top Ten. Available online: https://owasp.org/.

2. Clay Keller (2021, March 20). Vulnerability Dstribution of CVE Security Vulnerabilities by Types. Available online: https://www.cvedetails.com/vulnerabilities-by-types.php.

3. An ensemble classification-based approach to detect attack level of SQL injections;Kasim;J. Inf. Secur. Appl.,2021

4. SQLiGoT: Detecting SQL injection attacks using graph of tokens and SVM;Kar;Comput. Secur.,2016

5. LSTM-based SQL injection detection method for intelligent transportation system;Li;IEEE Trans. Veh. Technol.,2019

Cited by 6 articles. 订阅此论文施引文献订阅此论文施引文献，注册后可以免费订阅5篇论文的施引文献，订阅后可以查看论文全部施引文献

1. SqliGPT: Evaluating and Utilizing Large Language Models for Automated SQL Injection Black-Box Detection;Applied Sciences;2024-08-07

2. Comparative analysis of adversarial AI injection attacks: A preliminary study;2024 International Conference on Artificial Intelligence, Computer, Data Sciences and Applications (ACDSA);2024-02-01

3. Analysis of SQL injection attacks in the cloud and in WEB applications;SECURITY AND PRIVACY;2024-01-18

4. Increase The SQLi Attack Success Rate using SqlMap with the use of Tamper Selection Scripts;2023 International Conference on Technology, Engineering, and Computing Applications (ICTECA);2023-12-20

5. Comparing Machine Learning for SQL Injection Detection in Web Systems;2023 10th International Conference on Soft Computing & Machine Intelligence (ISCMI);2023-11-25