EconPapers    
Economics at your fingertips  
 

SSQLi: A Black-Box Adversarial Attack Method for SQL Injection Based on Reinforcement Learning

Yuting Guan, Junjiang He (), Tao Li, Hui Zhao and Baoqiang Ma
Additional contact information
Yuting Guan: School of cyber Science and Engineering, Sichuan University, Chengdu 610065, China
Junjiang He: School of cyber Science and Engineering, Sichuan University, Chengdu 610065, China
Tao Li: School of cyber Science and Engineering, Sichuan University, Chengdu 610065, China
Hui Zhao: School of cyber Science and Engineering, Sichuan University, Chengdu 610065, China
Baoqiang Ma: School of cyber Science and Engineering, Sichuan University, Chengdu 610065, China

Future Internet, 2023, vol. 15, issue 4, 1-18

Abstract: SQL injection is a highly detrimental web attack technique that can result in significant data leakage and compromise system integrity. To counteract the harm caused by such attacks, researchers have devoted much attention to the examination of SQL injection detection techniques, which have progressed from traditional signature-based detection methods to machine- and deep-learning-based detection models. These detection techniques have demonstrated promising results on existing datasets; however, most studies have overlooked the impact of adversarial attacks, particularly black-box adversarial attacks, on detection methods. This study addressed the shortcomings of current SQL injection detection techniques and proposed a reinforcement-learning-based black-box adversarial attack method. The proposal included an innovative vector transformation approach for the original SQL injection payload, a comprehensive attack-rule matrix, and a reinforcement-learning-based method for the adaptive generation of adversarial examples. Our approach was evaluated on existing web application firewalls (WAF) and detection models based on machine- and deep-learning methods, and the generated adversarial examples successfully bypassed the detection method at a rate of up to 97.39%. Furthermore, there was a substantial decrease in the detection accuracy of the model after multiple attacks had been carried out on the detection model via the adversarial examples.

Keywords: SQL injection; adversarial attack; black-box attack; reinforcement learning; attack-rule matrix; adversarial example (search for similar items in EconPapers)
JEL-codes: O3 (search for similar items in EconPapers)
Date: 2023
References: View references in EconPapers View complete reference list from CitEc
Citations:

Downloads: (external link)
https://www.mdpi.com/1999-5903/15/4/133/pdf (application/pdf)
https://www.mdpi.com/1999-5903/15/4/133/ (text/html)

Related works:
This item may be available elsewhere in EconPapers: Search for items with the same title.

Export reference: BibTeX RIS (EndNote, ProCite, RefMan) HTML/Text

Persistent link: https://EconPapers.repec.org/RePEc:gam:jftint:v:15:y:2023:i:4:p:133-:d:1111793

Access Statistics for this article

Future Internet is currently edited by Ms. Grace You

More articles in Future Internet from MDPI
Bibliographic data for series maintained by MDPI Indexing Manager ().

 
Page updated 2025-03-19
Handle: RePEc:gam:jftint:v:15:y:2023:i:4:p:133-:d:1111793