Intrusion Detection Systems for Mitigating SQL Injection Attacks: Review and State-of-Practice

Rui Filipe Silva, Raul Barbosa, Jorge Bernardino
Copyright: © 2020 | Pages: 21
DOI: 10.4018/IJISP.2020040102


Databases are widely used by organizations to store business-critical information, which makes them one of the most attractive targets for security attacks. SQL Injection is the most common attack against web pages with dynamic content. To mitigate it, organizations deploy Intrusion Detection Systems (IDS) as part of their security infrastructure to detect this type of attack. However, the authors observe a gap between the comprehensive state-of-the-art in detecting SQL Injection attacks and the state-of-practice regarding existing tools capable of detecting such attacks. The majority of IDS implementations provide little or no protection against SQL Injection attacks, with exceptions such as the tools Bro and ModSecurity. In this article, the authors compare these tools using the CSIC dataset in order to examine the state-of-practice in protecting databases from SQL Injection attacks, identifying the main characteristics and implementation details needed for IDSs to successfully detect such attacks. The experiments indicate that signature-based IDSs provide the greatest coverage against SQL Injection.
Article Preview


Databases support almost all organizational operations, and often store business secrets (Basit et al., 2019). Consequently, ensuring the security of databases is fundamental to preventing data breaches and should therefore be addressed as part of the overall security strategy of any organization. Nowadays, Intrusion Detection Systems (IDS) are a fundamental component of an organization’s security infrastructure, given that these systems have the ability to detect network attacks. The most common network attacks target web applications and databases with the goal of obtaining confidential data, and thus have the potential to seriously affect an organization.

The majority of attacks on web applications and databases are based on code injection. This type of attack consists of injecting malicious code to change the structure of a SQL query. The code can be injected by inserting malicious data into the forms of a web page or through its URL (Santos et al., 2011).
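The following added example (not code from the article) shows how a form value changes the structure of a query built by string concatenation, next to the parameterized form that keeps the value as data. The table, rows and input value are constructed for illustration.

```python
import sqlite3

# Constructed form input: a quote followed by an always-true condition.
CONSTRUCTED_INPUT = "nobody' OR '1'='1"

def make_db():
    """Build an in-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "a-secret"), ("bob", "b-secret")])
    return db

def lookup_concatenated(db, name):
    """Vulnerable form: the input becomes part of the SQL text itself."""
    query = "SELECT name, secret FROM users WHERE name = '" + name + "'"
    return query, db.execute(query).fetchall()

def lookup_parameterized(db, name):
    """Hardened form: the SQL text is fixed and the input is bound as a value."""
    query = "SELECT name, secret FROM users WHERE name = ?"
    return query, db.execute(query, (name,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    for lookup in (lookup_concatenated, lookup_parameterized):
        query, rows = lookup(db, CONSTRUCTED_INPUT)
        # The concatenated query gains an OR clause and returns every row;
        # the parameterized query compares against the literal string.
        print(lookup.__name__, "|", query, "|", rows)
```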

Attackers often resort to SQL Injection – a well-known type of attack that allows the attacker to obtain, alter or delete information from an organizational database. Therefore, it is very important to mitigate this type of attack in order to prevent serious losses for enterprises.

There are several international standards that provide some guidelines to mitigate SQL Injection attacks. Some of those standards are ISO-27002 (International Organization for Standardization [ISO], 2013), OWASP (OWASP, 2016), COBIT (Control Objectives for Information and Related Technologies, 2012) and NIST (National Institute of Standards Technology, 2007).

Some of the guidelines presented in these standards are the following:

  • Review of source code;

  • Validating all data from input fields;

  • Reject binary, escape and comment characters;

  • Verification of user privileges when connecting to database;

  • Strong password for system administrator;

  • Use secure hash algorithms;

  • Use least privilege rule.

Another way to mitigate SQL Injection attacks is to deploy an IDS that is effective in detecting such attacks. In this paper, the authors review the literature in order to identify the state-of-the-art in detecting and mitigating SQL Injection attacks and benchmark existing practical implementations in order to study the current state-of-practice.

One important observation is that the vast majority of existing IDSs provide little or no protection against SQL Injection attacks. Among open-source IDSs, Bro and ModSecurity are able to detect SQL Injection attacks. Both of them can operate as a Network Intrusion Detection System (NIDS). Bro is only configurable for UNIX platforms and is an IDS that inspects network traffic looking for anomalous activity (Arabo et al., 2019). ModSecurity is an open-source Web Application Firewall (WAF), that is, an IDS that inspects only HTTP traffic. ModSecurity is the most widely deployed WAF because it is mature in terms of features, stability and reliability (Hall et al., 2019). Only these two IDSs met the inclusion criteria to be further analyzed and compared, given that all other IDSs provided no protection against SQL Injection.
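As an added illustration (not from the article, and not ModSecurity or Bro rules), the sketch below applies signature matching to decoded HTTP parameters from the URL and the form body, then scores it on labelled requests in the way an IDS comparison would. The signatures, paths and requests are constructed assumptions; one benign request is chosen to trigger a false positive.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Illustrative signatures, constructed for this example.
SIGNATURES = {
    "tautology": re.compile(r"'\s*or\s+'?\w+'?\s*=\s*'?\w+", re.I),
    "union_select": re.compile(r"\bunion\b.+\bselect\b", re.I),
    "quote_comment": re.compile(r"'\s*(--|#|/\*)"),
}

def inspect(url, body=""):
    """Return sorted names of signatures matched by any decoded parameter value."""
    # parse_qsl percent-decodes values and turns '+' into spaces.
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    pairs += parse_qsl(body, keep_blank_values=True)
    hits = set()
    for _name, value in pairs:
        for sig, pattern in SIGNATURES.items():
            if pattern.search(value):
                hits.add(sig)
    return sorted(hits)

# Constructed, labelled requests: (url, form body, is_attack)
SAMPLES = [
    ("/shop/search?q=laptop+bag", "", False),
    ("/shop/login", "user=alice&pass=x%27+OR+%271%27%3D%271", True),
    ("/shop/item?id=5+UNION+SELECT+name,secret+FROM+users", "", True),
    ("/shop/login", "user=admin%27--&pass=x", True),
    ("/shop/search?q=trade+union+members+select+a+leader", "", False),
    ("/shop/search?q=O%27Brien", "", False),
]

def evaluate(samples):
    """Count outcomes and derive detection and false-positive rates."""
    c = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for url, body, is_attack in samples:
        flagged = bool(inspect(url, body))
        key = ("tp" if flagged else "fn") if is_attack else ("fp" if flagged else "tn")
        c[key] += 1
    c["detection_rate"] = c["tp"] / (c["tp"] + c["fn"])
    c["false_positive_rate"] = c["fp"] / (c["fp"] + c["tn"])
    return c

if __name__ == "__main__":
    for url, body, _ in SAMPLES:
        print(url, body, inspect(url, body))
    print(evaluate(SAMPLES))
```

The benign search for "trade union members select a leader" is flagged by the `union_select` signature, which is the kind of false positive that detection-rate figures alone do not show.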

This paper experimentally evaluates Bro and ModSecurity using different metrics in order to identify the most efficient IDS for protecting information stored in organizational databases from unauthorized access through SQL Injection attacks. The results of this analysis, which are in favor of ModSecurity, shed light on the main characteristics required for an IDS to be successful in detecting SQL Injection attacks, thereby indicating the developments that will be necessary for other IDSs to mature and reach the state-of-the-art in detecting SQL Injection attacks.
