A deep learning approach based on multi-view consensus for SQL injection detection

SQL injections can consist of different attributes such as SQL related keywords, characters, parameters, usernames, passwords or table names. In order to accelerate the training of a learning model and increase the detection rate, it is very important to accurately reveal more meaningful attributes among the attributes of the input through the pre-processing process. Therefore, the proposed method performs the following three stages in the pre-processing module:

In this section, the proposed deep learning architecture for SQL injection detection is presented. The proposed system is shown in Fig. 2. It firstly combines obtained multiple views from SQL inputs and obtains a corpus \(Q\) containing all generated representations of \(T\), \(C\), \(E\). Thereafter, it uses an embedding layer as the first hidden layer of a network in order to generate input vectors. The embedding layer enables us to convert each SQL token into a fixed-length vector of predetermined size \(d\). In natural language processing, embedding approaches are used for capturing the morphological, syntactic and semantic information of words. Similarly, in the proposed model, the embedding layer transforms each unique SQL term \(q_i \in Q\) to a real-valued low-dimensional vector \(\phi _i\) by discovering relationships in SQL strings considering sequential distributions of those strings.

Since SQL strings are a type of sequential data, BiLSTM (bidirectional LSTM) layer is used to properly capture both long-term dependencies. BiLSTM is a variant of recurrent neural network (RNN) model that is commonly used for processing time-series data and other sequential data to capture high-order data correlations and patterns. While traditional deep neural networks assume that the inputs and outputs are independent of each other, RNNs have an architecture that can model short-term dependencies using memory units (hidden states) that allow them to persist data. It uses previous outputs as inputs to influence the current input and output. Among many variants of RNNs, long short-term memory (LSTM) is the most popular architecture, which is capable of learning long-term dependencies. LSTM is composed of a set of recurrently connected memory cells and three gates as an input gate, an output gate and a forget gate. The gates are used for providing write, read and reset operations for the cells, which means selectively remembering part of information and passing it on to the next state to control the information flow. The LSTM network can only preserve information from the past. To take the advantage of the future context, another variant of LSTM, called as BiLSTM (bidirectional LSTM), was designed. BiLSTM consists of two LSTMs: one receiving the input in a forward direction, and the other in a backward direction. Thus, it has a capability of capturing bidirectional long-term dependencies between time steps of sequence data.

Let \(\phi _i^s \in R^d\) be the \(d\)-dimensional embedding vectors for the \(i\)-th term in a given SQL string \(s\). Let \(\phi ^s \in R^{nxd}\) refer to the string \(s\) where \(n\) denotes the length of \(s\). BiLSTM layer is fed by the embedding matrix \(\phi \). LSTM treats each token of the SQL string as a separate input occurring at time \(t\). At time-step \(t\), the memory \(c_t\) and the hidden state \(h_t\) are updated with the following equations:where \(W\) represents the recurrent connection between the preceding hidden layer to the current hidden layer, \(U\) denotes the weight matrix that establishes connections from the inputs to the hidden layer, \(C\) is a candidate hidden state derived from the current input and the previous hidden state, and \(c\) represents the internal memory of the unit, which is a combination of the previous memory, multiplied by the forget gate, and the newly computed hidden state, multiplied by the input gate [26]. \(b_i\), \(b_f\) and \(b_o\) are biases, and \(\sigma \) and \(tanh\) represent to the sigmoid function and the hyperbolic tangent function, respectively. The initial stage involves determining which information should be preserved and which should be discarded from the cell. To accomplish this task, within the forgetting gate layer, both the current input \(\phi _t\) and the previous hidden state \(h_{t-1}\) are processed through the sigmoid function. The function produces an output that falls within the range of 0 to 1. When this output approaches 1, it signifies the complete retention of information. Conversely, if the value approaches 0, it indicates the complete elimination or forgetting of the information. Input gate processes \(h_{t-1}\) and \(\phi _t\) through a sigmoid function to determine which information should be updated. Subsequently, a new candidate cell \(C_t\) is computed using a \(tanh\) function. The input from the previous cell state \(c_{t-1}\) is multiplied by the forget gate output \(f_t\). This output is then combined with the output of the input gate \(i_t\) to update the new candidate cell state \(C_t\). Following this, the output gate passes \(h_{t-1}\) and current input \(\phi _t\) to the sigmoid function. To generate the current hidden state, the result of this multiplication is combined with the output of the \(tanh\) function of \(C_t\). The ultimate outputs of the LSTM network consist of the current state \(c_t\) and the current hidden state \(h_{t}\). The weight matrices of the forget, input, and output of the LSTM are represented by \(U_f\), \(U_i\), and \(U_o\), respectively. Since BiLSTM contains two opposite networks for the forward and backward sequence context, an annotation is obtained by concatenating forward and backward contexts as follows:where \(\overrightarrow{h_t}=\{\overrightarrow{h_1},\overrightarrow{h_2},...,\overrightarrow{h_n}\}\) and \(\overleftarrow{h_t}=\{\overleftarrow{h_1},\overleftarrow{h_2},...,\overleftarrow{h_n}\}\) correspond to two hidden state sequences from the forward and the backward directions, respectively. With this way, the each SQL sequence can be represented as \(h =\{h_1, h_2,...,h_n\}\).

In the next step, the outputs of the embedding layer and bidirectional layer are concatenated to preserve both long-term dependencies and correlations between SQL tokens. In addition, the input data for the next layer are enriched using this feature aggregation phase. These two outputs are concatenated to form a new global feature vector matrix as follows:where \(\oplus \) is a matrix concatenating operation.

The vector matrix \(H\) is passed to a CNN network to capture discriminative local SQL patterns. CNNs consist of one or more convolution layers and are used in the Natural Language Processing applications for local feature extraction. Similarly, to extract the most influential n-grams of different semantic aspects from the SQL queries, it is aimed to utilize convolution and the max-pooling operations. Within the convolutional layer, a collection of \(k\) filters is employed to process sub-matrices of the vector matrix \(H\). Each filter \(F\in R\) with dimensions \(l\times w\), where \(l\) and \(w\) correspond to the height and width of convolution filter, is employed to process a window comprising \(l\) words to create a new feature \(v_i\) from a window of vectors \(H_{i:i+l-1}\) as follows:where \(b\in R\),\(f\) and \(H_{i:i+l-1}\) are the bias, the nonlinear activation function rectified linear unit \(ReLU\) and the concatenation of \(H_i,...,H_{i+l-1}\), respectively. The filter scans each possible window of the matrix \(H\) and conducts convolution operations, resulting in the generation of a feature map \(m\) where \(m\) refers to \( [v_0, v_1,..., v_{n-l+1}]\). Using \(k\) convolution filters, \(k\) different feature maps are generated. In the final component of the convolutional layers, the rectified linear unit (ReLU) function is employed as an activation function to enhance nonlinearity in the outputs. The ReLU function sets all negative values in the vectors to zero while retaining all positive values. Additionally, zero padding is applied to maintain the original size of all sequences when convolutional filters are applied.

Following the application of a convolutional layer, it is customary to incorporate a pooling layer with the objective of reducing the dimension of the feature maps. In the proposed system, a pooling layer is employed, which utilizes the max-pooling operation over the feature map \(m\) and extracts the maximum value, denoted as \(\hat{m}=max(m)\), as the ultimate feature. This pooling process facilitates the identification of the most prominent feature for each filter. After revealing \(k\) features from the feature map, the pooling results are merged \(\hat{m} = {\hat{m_1}, \hat{m_2},...,\hat{m_k} }\) to generate the output of the CNN layer.

To capture the correlations of the given SQL input in different n-gram ranges, the proposed architecture applies multiple parallel convolutional neural networks that process the vector matrix using different kernel sizes. It consists of three filter region sizes: 2, 3 and 4. Since three different convolutional processes were carried out in the convolutional layer, in the pooling layer, pooling operation is performed separately for all three different feature map sets. In the next step, the feature maps obtained from three different sets are concatenated to form a single feature matrix \(M\) as follows:This feature vector is then passed to a fully connected layer consisting 250 hidden units with ReLU activation function. Since SQL injection detection is a supervised binary classification problem that assigns the samples into one of two classes: malicious or legitimate SQL payloads, this hidden layer is followed by a sigmoid classifier that returns the probability score of each class. The sigmoid binary cross-entropy is used to optimize a class one-versus-all loss based on max-entropy. Adam stochastic optimizer algorithm is used for training the network using the back-propagation algorithm.

In the detection phase, tokenized, converted and enriched views are generated for a new coming SQL input. For each view, the detection stage is applied using BiCNN. Three different sigmoid results from BiCNNs are used as input values for a function \(f\). The function \(f\) sums the three sigmoid values and produces a detection result by applying a threshold value \(th\). A value less than the threshold indicates that this SQL query is legitimate, and a value greater than the threshold indicates that the query is an attack.

⁴ The experiments have been conducted on publicly available four different datasets, which are commonly used in the literature [6, 10]. Table 2 summarizes the statistics of the datasets. These datasets were downloaded from Github and Kaggle websites. In addition, we combined these datasets by removing repetitive samples observed across multiple datasets and adding new legitimate samples and then constructed new dataset that consists of 20002 malicious SQLi samples and 29379 benign samples. The final dataset contains different types of SQLi payloads such as time-based, union-based, Boolean-based or error-based. Moreover, the dataset consists of injections from different SQL databases such as MSSQL, MYSQL, Oracle, or NoSQL. After filtering noisy tokens, the number of unique tokens is 476 for the tokenized version of SQL data, 21 for the converted version, and 488 for the enriched version. The truncating and padding strategy has been used for making all sequences the same length. The length of sequences is set to \(50\). To ensure a balanced distribution of SQL injection (SQLi) and legitimate samples, 80% of the samples in each class were determined as train and 20% as test. The fivefold cross-validation is applied to create training and test samples.⁵

⁶ For the LSTM model, the number of hidden units was tested in the range of [16, 32, 64]. For the CNN model, the number of filters was tested in the range of [16, 32, 64]. In the context of experimental tests focusing on accuracy performance, the number of memory units for the LSTM layer is specified as 32, the number of filters for the CNN layer is set to 32, and the embedding dimension is set to 32. The size of hidden units of dense fully connected layer is set to 250 using a search strategy. For output layer, the sigmoid activation function is selected as the binary classifier. The training batch size is set to 100. To train the network using the back-propagation algorithm, Adam stochastic optimizer is selected. Binary cross-entropy is used as the loss function. To mitigate overfitting, early stopping is applied, with validation loss monitoring in the “max” mode, and the patience is set to 3.

⁷ All experiments were carried out in PC with an Intel(R) Xeon(R) CPU (2.20GHz) with 13GB RAM. We use Python 3.7.13, sklearn 1.0.2 library for machine learning algorithms, keras 2.8.0 to build neural and Tensorflow 1.4.1 as a backend computation.

Five different learning models are selected as baseline methods to be used for comparison:

TF-IDF+RF: This model uses the term and inverse term frequency (TF-IDF) transform to represent features. It indicates how frequently an SQL token occurs in the SQL input. IDF reduces the weight of terms that occur very frequently in the set of SQL inputs and increases the weight of terms that occur rarely. After obtaining TF-IDF feature space, RandomForest model was used for the learning and testing phases.

FastText: FastText [27] is a simple and efficient model for learning word representations and sentence classification. It allows us to quickly represent attributes at word level or character-n-gram level. It allows representations of n-gram words to be represented as sums of n-gram vectors. It provides a fast and memory-efficient mapping of the n-grams using the hashing trick. The model uses a simple neural network with only one layer. The text representations are first fed into a lookup layer, where the embeddings are fetched for every single word. Then, an average pooling is applied to obtain a single averaged embedding for the whole text. Finally, the output of the pooling phase is fed to a linear classifier.

CNN: This model applies a one-dimensional convolutional layer to the input embedding vectors. Then, a max-pooling is performed to reduce the dimensionality of the local features. The details are described in Section 3.

LSTM: This model performs a BiLSTM layer to the input embedding vectors. The details are described in Section 3.

TextCNN: The model [28] is a variant of the CNN model that uses multiple convolutional networks in parallel. This model mainly uses a one-dimensional convolutional layer that performs multiple sizes of filters with various window sizes to discover different granularities of features. In this study, the filter sizes are selected as 2, 3, and 4, respectively.

To evaluate the effectiveness of the proposed method, false-positive (FP), false-negative (FN), accuracy and detection rate metrics are used. FN refers to the number of SQLi samples incorrectly predicted as benign, and FP refers to the number of benign samples incorrectly predicted as SQLi attacks. Accuracy corresponds to the ratio of number of correct predictions to the total number of input samples. This metric is calculated as follows:where P and N represent the total number of SQLi and legitimate samples, respectively. TP is the number of SQLi attacks that are classified as injection attack. True negative (TN) is the number of legitimate queries that are classified as benign. The TP rate (TPR), alternatively referred to as detection rate (DR), represents the percentage of the total SQLi samples that are correctly recognized as SQLi. This metric is quantified as follows:

The detection results of different methods are shown in Table 3 and Table 4. The best performance results are given in bold text. First, the detection performances of the baseline methods and the proposed BiCNN architecture have been evaluated using the views obtained by the proposed method. Each view obtained in the multi-view generation process was used as input data separately, and learning–testing processes were applied for each method.

The results in Table 3 demonstrate that the proposed BiCNN outperforms the baseline methods in terms of FP and FN scores for Dataset 3, Dataset 4, and Dataset 5, which are considerably larger than other datasets. It is observed that our method has comparable performance to CNN and TextCNN for Dataset 1 and Dataset 2. For all datasets, the lowest FP and FN scores were obtained by BiCNN, which takes enriched SQL representations as input. Similarly, almost all methods achieve better performance for all datasets when they use the enriched representations as input obtained by the proposed method. This result shows that the enriching process is very effective in revealing malicious patterns in SQL queries.

Considering Dataset 5 containing all datasets, the second highest results were obtained by TextCNN. The performance of this method was followed by CNN. This is because the TextCNN method, unlike CNN, performs multiple parallel convolutional operations, which allows it to discover a much larger number of sequential multi-word expressions in different n-gram ranges. LSTM has comparable performance with CNN in terms of FP and FN results. However, FastText, which takes trigrams generated from SQL expressions as inputs, gives relatively lower detection scores than TF-IDF+RF that is performed without considering the order of the expressions in the query. The results show that all methods achieve better performance when they use enriched versions of SQL inputs as input. The likely reason is that SQL semantic tags, which provide a better understanding of the role of a particular SQL command or symbol, help more effectively discover functional similarities and correlations between original SQL tokens.

The detection performance values of the proposed MVC-BiCNN are given in Table 4. According to the results, MVC-BiCNN provides higher detection performance than BiCNN that uses only enriched representations. This result shows that MVC-BiCNN more successfully uncovers meaningful latent patterns in SQL injection queries by learning a joint space consisting of three different view representations.

Figure 3 demonstrates FP and FN results obtained by varying the threshold value parameter used in the function that generates the consensus decision of the method. Different detection results were obtained by varying the total sigmoid value between 0.5 and 2.5. The lowest FP and FN values for all datasets were generally obtained when the total sigmoid value was equal to 1.5. As the value of the total sigmoid value increases, the FN values tend to increase and the FP values tend to decrease. In the opposite case, FN values generally decrease and FP values increase. However, since the value of FN is even more important in detecting SQL injection, it is concluded that the most appropriate values for the proposed method are the values between 0.5 and 1.5.

Figure 4 presents a comparative analysis between MVC-BiCNN and the baseline approaches that directly utilize original SQL queries as their input. MVC-BiCNN improves the detection performance by approximately \(15\%\) for Dataset 1, \(2\%\) for Dataset 2, \(0.44\%\) for Dataset 3, \(3\%\) for Dataset 4, and \(3.23\%\) for Dataset 5 when contrasted with TF-IDF with RF. In comparison with deep learning-based methods, MVC-BiCNN provides the highest detection rates for all datasets. TextCNN gives the second highest detection results for Dataset 1 and Dataset 2, while BiCNN obtains the second highest detection results for Dataset 3, Dataset 4, and Dataset 5, which contains more samples compared to the other datasets. Similar results are observed in the accuracy values of the methods given in Fig. 5.

The proposed detection system is compared to some state-of-the-art methods that provide SQLi detection. However, the accuracy performances of these methods in the literature were obtained using different datasets or the same datasets including different numbers of samples. The results presented in Table 5 show that MVC-BiCNN achieves higher accuracy than other methods. MVC-BiCNN demonstrates an enhancement in detection accuracy of approximately 3% when compared to the CODDLE system [10]. The most likely reason for this might be that the CODDLE method enriches queries using only three different semantic tags. However, our system uses 21 different tags for the enrichment phase, which enables better modeling of functional similarity between queries. The other most important reason is that MVC-BiCNN uses a hybrid architecture consisting of a BiLSTM and CNN that takes into account both previous and subsequent contexts in queries, while CODDLE uses only CNN architecture. The second highest result was achieved in the study referenced as [9]. They created syntax trees of SQL entries to use them as LSTM inputs. However, the number of samples they use in the learning and testing phase is quite low compared to the number of samples used in our proposed method. The extent to which methods validated with a limited dataset may not be reliably extended to new SQLi instances.

Figure 6 is presented to show the loss and accuracy performances of the proposed deep model over 50 epoch for one fold dataset. The figure contains the performances of both the training and validation processes. It is observed that the model loss performance increases after the \(10^{th}\) epoch. It is seen that the accuracy performance of the model reaches its maximum in the first few epochs and converges to between 99.6 and 99.4 after the \(10^{th}\) epoch. In this study, the number of epochs was determined as 10 based on the loss performance of the model, and in addition, the early stopping approach was used to stop the training when no improvement was observed in the loss function for 3 iterations to prevent overfitting.

In this section, the LIME model is used to explain the decision-making process of the proposed model over some sample inputs. LIME is an Explainable AI tool that provides explanations of individual predictions of the proposed model by taking into account certain local features [30]. To achieve this objective, LIME employs an approach aimed at minimizing the loss function, which quantifies the proximity between a locally interpretable model and the original model in relation to the specific observation.

Figure 7 shows SQLi test examples that are correctly classified by the proposed model. The proposed model takes tokenized, converted, and enriched representations as separate inputs, giving a probability estimate for each input. In Fig. 7, the probabilities produced by the model for these three views, the attributes that are effective in the model’s decision-making process and the weights of those attributes are demonstrated. The proposed model correctly predicts that the first SQLi example input is SQLi with a 97 % probability. In the realm of our analysis, it becomes evident that a crucial determinant in the model’s decision-making process is the ’by’ attribute, often referred to as a keyword. It is seen that the ’order’ attribute contributes positively to the probability of the sample SQLi entry being in the Legitimate class. In this case, it is observed that this attribute contradicts the decision of the model. However, it is imperative to emphasize that our deep learning model derives its final decision not merely from the discrete evaluation of these two attributes but also from the correlation between them. The LIME results reveal that the converted representation of first SQLi example results in a 2% enhancement in the model’s probability, as compared to the tokenized representation. The most distinctive attribute here is the ’operator’ attribute, which actually represents ’-’. Other effective attributes, respectively, are ’integer’ and ’keyword’, which actually correspond to ’9087’, and the ’order’ attributes. The enriched representation significantly bolsters the model’s decision, yielding a 100-percent probability of identifying the input as SQLi. This outcome surpasses the detection probabilities obtained through the other two representations. It is notable that the attributes governing the model’s decision are largely consistent across both representations.

For the second SQLi sample input, the model correctly predicts with a 95-percent probability that the sample is SQLi. The attributes that support the model’s decision are ’resource’, ’grant’, ’name’, ’to’, and ’connect’ attributes. The pivotal attribute influencing this outcome is the ’identifier’, which refers to the ’name’ attribute. When the enriched version is given as input, the model gives the highest value for the probability of being SQLi. As seen here, the ’identifier’ attribute still conflicts with the model’s decision, but has a lower weight. The attribute ’keyword’ is listed as the most distinctive attribute that supports the model’s decision.

Figure 8 provides LIME explanations of the model’s results when legal samples are used as inputs. The proposed model correctly predicts that the first example input is legitimate with a 93 % probability. The ’health’ attribute aligns with the model’s decision, whereas the ’statistics’ attribute appears to contradict it. This discrepancy primarily arises from the fact that, despite ’statistics’ serving as a clear identifier in this context, the model categorizes it as a ’keyword’. It can be inferred that the primary reason for this keyword conflicting with the model’s judgment is its frequent occurrence in SQL injection (SQLi) examples. When we consider the converted representation, the probability of the input being legitimate is computed at 97 percent. In this context, the ’keyword’ attribute also lends support to the model’s decision. It can be deduced that the utilization of a keyword following an identifier is predominantly observed in legitimate examples. Notably, using the enriched version of the input, the model yields a probability of 100 percent, indicating that all existing features exert a positive contribution on the model’s decision. The model misclassifies the second example input with a high probability. Attributes that support this decision are ’select’ or ’from’ etc. are general SQL tags. For the converted version of this example, on the contrary, the model achieves 100% accuracy. The SQL tags used also have a positive impact on the model’s decision. The enriched representation of the input enables the model to make the correct decision in this example, but to obtain a lower prediction probability value compared to the converted representation.

In summation, our analysis underscores the positive contribution of enriched input representations for both examples in enhancing the model’s decision-making process. LIME results show that the enriched representation can reduce the probability of misclassification that would be obtained when using only the converted version or only the tokenized version, and therefore can be effective in obtaining lower FP and TN values.