A Weight-Based Symptom Correlation Approach to SQL Injection Attacks

Web applications are vulnerable to a variety of new security threats. SQL Injection Attacks (SQLIAs) are one of the most significant of such threats. Researchers have proposed a wide variety of anomaly detection techniques to address SQLIAs, but all existing solutions have limitations in terms of effectiveness and practicality. We claim that the main cause of such limitations is reliance on a single detection model and/or on information generated by a single source. Correlation of information from diverse sources has been proven to be an effective approach for improving detection performance, i.e. reducing both the rate of false positives and the percentage of undetected intrusions. In order to do so, we collect symptoms of attacks against web-based applications at different architectural layers, and correlate them via a systematic approach that applies a number of different anomaly detection models to combine data from multiple feeds, which are located in different locations within the system, and convey information which is diverse in nature. Preliminary experimental results show that, by rearranging alerts based on knowledge about the ability of individual security probes of spotting a specific malicious action, the proposed approach does indeed reduce false positives rates and increase the detection coverage.