2016 3rd International Conference on Advanced Computing and Communication Systems (ICACCS -2016), Jan.
22 & 23, 2016, Coimbatore, INDIA
Hybrid SQL Injection Detection System
B. Deva Priyaa (PG Student)
Department of Computer Science and Engineering
Kamaraj College of Engineering and Technology
Virudhunagar, India
devapriyaa92@gmail.com
Abstract — The use of database driven web applications are
increasing every day. Attacks on those web applications are also
increasing. One of the common web application attacks is SQL
Injection attack. These attacks are a code injection or insertion of
SQL query via input data from the client to the application.
There are many detection techniques implemented, but they have
focused on the SQL structure at the application level. So those
techniques failed to detect some of the attacks at the database
level. The existing approaches use classification techniques and
suitable kernel functions to detect the attack at the database
level. As the SVM classification is the supervised learning
algorithm, the unknown attacks can’t be detected. In this paper,
we propose a hybrid framework using the EDADT (Efficient
Data Adaptive Decision Tree) algorithm which is the semi –
supervised algorithm and SVM classification algorithm. It uses
the internal query tree from the database log for good
performance of framework. To get internal query tree, the query
tree is converted to n – dimensional feature vector by using multi
– dimensional sequence. The semantic features are used as the
component of feature vector. And also the syntactic and semantic
feature is used to generate multi – dimensional sequences. Then
the extracted feature is converted into numeric value, if the
feature contains any string value. Experimental results show
that the proposed approach is more accurate in detecting the
attacks than existing approaches.
Keywords—SQL Injection Attack, Database, Data mining, SVM
I. INTRODUCTION
The World Wide Web grows rapidly with many web
applications for meeting various purposes such as financial
transactions, educational endeavors, and countless other
activities. Computer files started to replace the paper files as
electronic records everywhere replacing carbon based
counterparts. Everyone using the computer technology also
uses the internet and web applications. Web applications
provide the user interface for various tasks in database such as
inserting data, updating data, making queries and so forth.
Those databases contain information such as customer names,
preferences, credit card numbers, and purchase orders.
Therefore, it is very important to prevent attackers from
gaining unauthorized access to the web application from
accessing private information. The web application
communicates with database using Structured Query
Language (SQL).
Many web developers believe that SQL queries are
secured one. But SQL queries can be meddled by the
Authorized licensed use limited to: Don Bosco Institute of Technology-Bengaluru. Downloaded on March 17,2025 at 07:12:06 UTC from IEEE Xplore. Restrictions apply.
M.Indra Devi (Professor)
Department of Computer Science and Engineering
Kamaraj College of Engineering and Technology
Virudhunagar, India
indradevicse@kamarajengg.edu.in
attackers. It means that attackers can bypass authentication,
authorization checks and even sometimes allow access to
operating system level commands. The SQLIA (Structured
Query Language Injection Attack) is a code injection attack
commonly used for attacking websites or web applications.
Open Web Application Security Project (OWASP) ranks
SQLIA is the one of top security in 2013[1]. They are
frequently used by malicious users for various reasons like
financial fraud, theft of confidential data, web site defacement,
sabotage and so forth. Some of the SQL injection attacks are
tautology, Illegal/Incorrect queries, Union query, Piggy
backed query, Alternate encoding, Stored procedures,
Inference, Evasion technology, Stack queries etc.
Many techniques have been proposed to detect SQLI
attacks. These include pattern or string matching, input
sanitation, randomization of SQL keywords, rule based
verification, positive tainting, entropy computations, reverse
proxy, semantic comparisons, statement sequence digest and
so forth. However, these techniques do not cover up all known
attacks and also cannot be implemented in all platforms.
II. LITERATURE SURVEY
Yi Wang and Zhoujun Li[2] proposed a novel approach for
finding the malicious SQL statements. They used machine
learning techniques such as SVM one class classification, to
detect unauthorized between the database and application.
Their approach was developed by incorporating the query tree
structure of SQL queries as well as input parameter and query
value similarity. They used this to distinguish malicious
queries from benign queries. They used tree-vector-kernels in
SVM for SQL statements to prevent SQL injection in web
applications was done by incorporating the syntax information
of query and semantic context from application in analyzing
SQL queries.
Cristian I. Pinzon, Javier Bajo, Alvaro Herrero, Juan F. De
Paz, Emilio Corchado, and Juan M. Corchado[3] proposed a
technique, incorporating a new classification model. They
combined a neural network and a Support Vector Machine to
classify SQL queries in a reliable way. The latter was
combining clustering and neural projection techniques to
support the visual analysis and identification of target attacks.
Their idea was a multi – agent architecture. The analysis,
classification and decision making capabilities, among others,
were distributed throughout several layers in their proposed
idMAS-SQL architecture.
 2016 3rd International Conference on Advanced Computing and Communication Systems (ICACCS -2016), Jan. 22 & 23, 2016, Coimbatore, INDIA
Shailendra Kumar Shrivastav and Romil Rawat[4]
determined the framework for detecting SQL-injection attack
using Support Vector Machine algorithm. The classification of
suspicious query was done by analyzing the datasets of
Original query and suspicious query. Their classifier learned
the dataset and according to learning procedure, it classified the
queries. They compared SQL query strings and blocks with
suspicious SQL-query strings and blocks for detection.
Jashan Koshal and Monark Bag[5] used two hybrid
algorithms for developing the intrusion detection system. C4.5
decision tree and Support Vector Machine (SVM).
G.V.Nadiammai and M.Hemalatha[6] proposed the
EDADT algorithm which is the semi – supervised learning
algorithm. They applied PSO technique and extracted the
efficient features from the training datasets. The result was
applied to the ACO and identified the local and global values.
Based that the unique value found and classified the specified
class and no value left behind unspecified. To achieve this they
used the probability to split the unique values.
III. SQL INJECTION METHOD
A. Based on the extraction channel
1) Inband or inline : SQL injections that use the same
communication channel as input to dump the information
back are called inband or inline SQL injections. EX: A
query parameter.
2) Out – of – band : Injections that use a secondary or
different communication channel to dump the output of
queries performed via input channel are referred to as out – of
– band SQL injections. EX: Injection made through the web
application and a via DNS query.
B. Based on the response from the server
1) Error – based SQL Injection : Error – based SQL
injections are primarily those in which the SQL server dumps
some errors back to the user via the web application and this
error aids in successful exploitation.
a) Union query type
b) Double query injection
2) Blind SQL Injection : Blind SQL injections are those
injections in which the backend database reacts to the input,
but somehow the errors are concealed by the web application
and not displayed to the end users. Or the output is not
dumped directly into the screen. Therefore the name ‘blind’
comes from that the injector is blindly injected using some
calculated assumptions and tries.
a) Boolean – based blind injection
b) Time based blind injection
C. Based on how input treated
1) String – based
2) Numeric – or integer based
Based on how the input parameter would be treated in
the back end SQL query, an injection can be classified as
string – or integer – based.
Authorized licensed use limited to: Don Bosco Institute of Technology-Bengaluru. Downloaded on March 17,2025 at 07:12:06 UTC from IEEE Xplore. Restrictions apply.
D. Based on degree or Order of injection
1) First – order injections
2) Second – order injections
The degree or the order of injection identifies the way in
which the injection yields the output. If the injection directly
delivers the result, it is considered to be a first – order
injection. But if the injection input yields no successful result
in extraction, but instead impacts some other place/page, it is
called a second – order injection. In the second – order
injections, where the input stored in the application and later
rendered on some other page, thereby impacting that page
indirectly because of initial malicious input.
E. Based on the injection point of location
1) Injection through user input form fields : Here,
attackers inject SQL commands by using suitably crafted user
input. Based on the application’s environment, the web
application reads the user input in several ways. Most of the
attacker’s input come from form submission which send to the
web application via HTTP GET or POST requests.
2) Injection through cookies : Cookies are files that
contain state information generated by Web applications and
stored on the client machine. When a client returns to a Web
application, cookies can be used to restore the client’s state
information. Since the client has control over the storage of
the cookie, a malicious client could tamper with the cookie’s
contents. If a Web application uses the cookie’s contents to
build SQL queries, an attacker could easily submit an attack
by embedding it in the cookie.
3) Injection through server variables(header – based
injection): Server variables are a collection of variables that
contain HTTP, network headers, and environmental variables.
Web applications use these server variables in a variety of
ways, such as logging usage statistics and identifying
browsing trends. If these variables are logged to a database
without sanitization, this could create SQL injection
vulnerability. Because attackers can forge the values that are
placed in HTTP and network headers, they can exploit this
vulnerability by placing an SQLIA directly into the headers.
When the query to log the server variable is issued to the
database, the attack in the forged header is then triggered.
IV. SQLIA DETECTION FRAMEWORK
To determine whether the SQL statement is malicious or
not, we want to build a SQLI detection framework shown in
“fig.1” using EDADT algorithm[6] and SVM algorithm[7]
with suitable kernel functions.
 2016 3rd International Conference on Advanced Computing and Communication Systems (ICACCS -2016), Jan. 22 & 23, 2016, Coimbatore, INDIA
Fig. 1. SQLIA Detection Framework
A. Collection Phase
In this phase, the data are collected from an attacker or
normal user who submits the input parameters into the web
applications through the HTTP URL, based on POST method.
The submitted queries will be stored in the database logs as
query trees. Query Tree Log Collector will be used to collect
the query trees that are stored in log files of database system.
B. Pre – processing phase
Here the query trees is converted into n-dimensional feature
vectors. For converting the n-dimensional feature vector, the
following steps are used.
1) Feature Extraction : It fetches the query tree from the
database logs[8] and loads it into memory by linear scan. The
query tree in the memory is implemented using the java
objects. The name top level class is represented as the label of
root node. The name of attribute is represented as the labels of
internal nodes. The value of attributes is represented as the
labels of leaf nodes. When loading the query tree, the feature
extractor extracts the internal node and leaf node. The result of
the feature extraction of the query is multi-dimensional
sequences. The leaf nodes are used as the features in the multi-
dimensional sequences. The structure of the query will vary
for each query tree. In order to maintain same sequential
dimension for all query trees, we need to determine the basis
to generate each sequences. So we are using the internal paths
of the query tree based on the full SQL grammar, instead of
considering individual internal paths of various query trees.
To search the internal path of the full query tree, it is traversed
by Depth – First – Search (DFS) and the label of internal
nodes on the path are listed by a pre – processing in the order
in which they first visited by DFS. This searched internal path
generates the criteria sequence. The length of sequence
dimension of multi-dimensional sequence will be set to the
criteria sequence. Then the leaf nodes are extracted to generate
multi – dimensional sequences. In our method, the sequence
will possess both syntactic and semantic features[9]. The order
and length of the sequences imply the syntactic features of the
Authorized licensed use limited to: Don Bosco Institute of Technology-Bengaluru. Downloaded on March 17,2025 at 07:12:06 UTC from IEEE Xplore. Restrictions apply.
query tree. Then the object of sequence explicitly expresses
the semantic feature of the query tree.
2) Feature Transformation : In the multi – dimensional
sequences, if the feature value is string type, the feature
extraction will request the feature transformer in order to
transform the string value. It replaces the string value with
numeric value based on the nature of the string value by
combining statistical models. The string value extracted from
the query tree is categorized into three cases: a constant that is
used as a column value of a table, a constant that is used as a
parameter of a function and the type of the node.
∑ In the case of column value, the transformation
method will combine the string length model and the
histogram model. The histogram stored in the
database system catalog represents the distribution
for specific column value. The histogram model will
determine whether the string value is placed within
the bound of histogram and the will calculate the
indicator which will be expressed in Boolean value
{true=1, false=-1}. Then the string value replace with
numeric value will have the result of multiplying
string length and indicator.
∑ In case function parameter, the transformation
method will combine string length model and the
character distribution model. The character
distribution model will be used to determine whether
the each character of the string value is an element of
the set of the previously observed character and
indicator will be calculated and will be expressed in
Boolean value. Then the numeric value will be found
by multiplying the string length with the value of
indicator.
∑ In the case of type of node, string value is treated as
the nominal value and will be replaced with the
numeric value of enumeration.
3) N – dimensional feature vector generation : We build
the vector generator, which concatenates the sequences of
multi – dimensional sequences with the padding value and
will add a length of the SQL statement to the end of
concatenated sequences. The vector generator generates a set
of instances using the WEKA – library[11]. Each instance will
express an n – dimensional feature vector. The generated
instances will be then used as the input of the SVM
classification.
C. Training Phase
The training module is built by cascading the EDADT and
SVM for the accurate classification.
1) EDADT (Efficient Data Adapted Decision Tree) :
The EDADT algorithm is a semi – supervised learning
algorithm. We split the data set into the attack or normal
without leaving any data as unclassified using this
algorithm. It splits the data set into three different class
label known as same class label, different class label and
relevant class label. Initially PSO technique[11] was
applied to extract the efficient features from the given
 2016 3rd International Conference on Advanced Computing and Communication Systems (ICACCS -2016), Jan. 22 & 23, 2016, Coimbatore, INDIA

training datasets. The best features applied to the ACO[12]
as input then pheromone will be initialized to obtain the
optimal solution. Classification will be made based on the
class label. Probability of each class values was found to
find the class label for each value accurately. Then the
normalized information gain found for each attribute. And
the decision node that split the best attribute with highest
normalized information gain is created.
2) SVM (Support Vector Machine) : This module
contains two phases known as model generator and model
evaluator. We generate several SVM binary classification
models using the model generator. The EDADT result is
used to train SVM classifier. The model evaluator chooses
the optimal binary classifier from the generated models. To
increase the accuracy of the classification suitable kernel
function and kernel parameter for the kernel function are
used. To optimize the SVM, SVM learning algorithm
Sequential Minimal Optimization model is utilized which
handles the large training datasets. The model evaluator
evaluates the performance of the binary classification
models using the k – fold cross validation. The model
evaluator performs the k – fold cross validation for each
SMO model. The evaluator reports the performance of the
classifier using several measurements, such as true positive
rate, false positive rate, accuracy, AUC and reports.
Depending on the results, the best SVM model will be
chosen.
D. Detection Phase
In this module, the class label for the testing data is
predicted. The n – dimensional feature vector for the testing
data is converted from query tree of testing data in the manner
similar to the training data. The SQLIA classifier determines
the new testing feature vector is normal or malicious with the
optimized SVM classification model.
V. QUERY TREE CONVERSION
A. Multi – Dimensional sequence generation
C. N – Dimensional vector generation
We convert the multi – dimensional sequences into
the n – dimensional vector using the converted sequences
Px . This Px is transformed to Vx = { o11 , o12, ….. o1l1, o21 ,
o22, ….. o2l2, ….., ok1 , ok2, ….. oklk} where the length of the
k
vector |Vx | = ∑ i=1 li .
VI. FRAMEWORK EVALUATION
To perform the experimentation, we develop a system for
movie recommendation which consisting of user login, rating
and movie details. We create the web application using the
PHP and PostgreSQL v9.4 database. We accessed the
PostgreSQL database through the XAMPP web server v3.2.1.
The database for our system is created by using the Movielens
dataset.
The dataset for our framework is created by the movie
recommendation system: A normal query dataset, and a
malicious query dataset.
We used the normal and malicious query generator to
submit the queries into the web applications. We categorize
these queries into three different groups depending on the type
of the command. SELECT statements are belongs to the
Group 1. INSERT statements are belongs to the GROUP 2.
Stored Procedures are belongs to the GROUP 3.
Whenever these queries are submitted into the web
application, the system stores the log file for the submitted
queries in the form of query tree. We collect these queries to
get the multi – dimensional sequences. The average time taken
to generate the multi – dimensional sequences for all the three
groups is 14.811 seconds for normal queries and 19.775
seconds for malicious queries.
The n – dimensional feature vector is obtained from the
multi – dimensional sequences by utilizing the average time
1.25 seconds.
We use those vectors as the instances for our hybrid
detection framework for the better performances. “Table I”
shows the result of our proposed framework for each groups.

The input for our framework is gathered from the database TABLE I. Result of Our Framework
logs of the database system in the form of query tree. The Groups Accuracy True Positive False Positive
result of feature extraction from the query tree T is the multi Group 1 99.96% 0.999 0.0
– dimensional sequences S. The criteria sequence P = { P1, Group 2 99.96% 1.0 0.0
P2, … Pk }, where k is the number of internal nodes, is generated Group 3 99.7% 0.996 0.02
from the internal path of each internal node ni i.e., (root(T),
ni). The length of the multi – dimensional sequences of each Table II shows the comparative analysis of our
query is set to criteria sequences. The leaf nodes of each framework with some previous techniques.
internal node are extracted as the features. Hence it generates
the sequence Pi = {oi1 , oi2, ….. oil} where l is the number of TABLE II. Comparative Analysis of Our Framework
children (ni ). Techniques Accuracy
Our Hybrid Approach 99.87%
B. Feature Transformation Composite kernel in SVM[2] 99.6%
If any of the feature in the multi – dimensional sequences idMAS – SQL[3] 99.01%
is a string value, then they will converted into the numeric SVM[4] 96.47%
values based on the category of the string value mentioned C4.5 and SVM[5] 99.87%
above.
EDADT[6] 98.12%

Authorized licensed use limited to: Don Bosco Institute of Technology-Bengaluru. Downloaded on March 17,2025 at 07:12:06 UTC from IEEE Xplore. Restrictions apply.
 2016 3rd International Conference on Advanced Computing and Communication Systems (ICACCS -2016), Jan. 22 & 23, 2016, Coimbatore, INDIA
VII. CONCLUSION
In this paper, we proposed the framework for detecting
SQL Injection Attacks at the database level using the SVM
and the EDADT algorithm. The main contribution of this
paper is combining the EDADT and Binary SVM
classification algorithm to efficiently learn about the unknown
attacks also. From the comparative results, it shows that our
framework detects the malicious queries accurately compared
to the previous works.
REFERENCES
[1] https://www.owasp.org/index.php/Top_10_2013-Top_10
[2] Yi Wang and Zhoujun Li, “ SQL Injection Detection with Composite
Kernel in Support Vector Machine ”, Internal Journal of Security and its
applications, vol. 6, No. 2, April 2012.
[3] Cristian I. Pinzon, Javier Bajo, Alvaro Herrero, Juan F. De Paz, Emilio
Corchado, and Juan M. Corchado, “idMAS-SQL: Intrusion Detection
based on MAS to Detect and Block SQL injection through data mining”,
Elsevier : Information Sciences journal, 2011.
Authorized licensed use limited to: Don Bosco Institute of Technology-Bengaluru. Downloaded on March 17,2025 at 07:12:06 UTC from IEEE Xplore. Restrictions apply.
[4] Shailendra Kumar Shrivastav and Romil Rawat, “SQL Injection Attack
detection using SVM”, International Journal of Science Applications,
vol. 42, No. 13, March 2012.
[5] Jashan Koshal and Monark Bag, “Cascading of C4.5 Decision Tree and
Support Vector Machine for Rule Based Intrusion Detection System”,
I.J. Computer Network and Information Security, pp. 8 – 20, August
2012.
[6] G.V.Nadiammai and M.Hemalatha, “Effective approach toward
Intrusion Detection System using data mining techniques”, Elsevier :
Egyptian Informatics Journal, pp. 37 – 50, December 2013.
[7] Jiawei Han, Micheline Kamber , Jian Pei, “Data Mining : Concepts and
Techniques”, Elsevier, Edi. 3rd, pp. 408 – 415, 2012.
[8] Low.W. L., Lee. J., &Teoh. P., “DIDAFIT : Detecting intrusions in
databases through fingerprinting transactions, Springer : Databases and
Information systems integrations, pp. 121 – 128, 2010.
[9] Lee. S. Y., Low. W. L., & Wong. P. Y., “Leaning fingerprints for the
database intrusion detection system”, Springer : In Computer Security,
pp. 264 – 279, 2002.
[10] Witten. I. H., Frank. E., & Hall. M. A., “Data mining: Practical machine
learning tolls and techniques. Elsevier, 2011.
[11] Fatima Ardjani, Kaddour Sadouni, “Optimization of SVM Multiclass by
Particle Swarm (PSO - SVM)”, I.J. Modern Education and Computer
Science, no.2, pp. 32 - 38, 2010.
[12] Praveen Kumar. K, kamakshi. P, “Ant colony optimization algorithm for
computer intrusion detection”, 2006.