(IJACSA) International Journal of Advanced Computer Science and Applications,

Vol. 7, No. 6, 2016

Detection of SQL Injection Using a Genetic Fuzzy

Classifier System
Christine Basta, Ahmed elfatatry, Saad Darwish
Information Technology department
Institute of Graduate Studies and Research
Alexandria, Egypt

Abstract—SQL Injection (SQLI) is one of the most popular developed techniques to bypass web application firewall (WAF
vulnerabilities of web applications. The consequences of SQL bypassing). The security agents started to use buffer overflow
injection attack include the possibility of stealing sensitive methods and applied new bypassing methods like special
information or bypassing authentication procedures. SQL characters bypassing. The various types of injections at
injection attacks have different forms and variations. One different levels require a solution that can cope with such
difficulty in detecting malicious attacks is that such attacks do changes.
not have a specific pattern. A new fuzzy rule-based classification
system (FBRCS) can tackle the requirements of the current stage A number of approaches address detection of SQLI attacks.
of security measures. This paper proposes a genetic fuzzy system Such approaches include static analysis, dynamic analysis, and
for detection of SQLI where not only the accuracy is a priority, combined approach. Researchers developed other approaches
but also the learning and the flexibility of the obtained rules. To like mutation based approach, query tokenization and applying
create the rules having high generalization capabilities, our regular expressions. These approaches suffer from a number of
algorithm builds on initial rules, data-dependent parameters, and problems preventing them from being the optimal solutions [6].
an enhancing function that modifies the rule evaluation Those techniques lack flexibility and scalability; they cannot
measures. The enhancing function helps to assess the candidate deal with unknown types or larger ranges of injections [7].
rules more effectively based on decision subspace. The proposed Lack of learning capabilities is a vital problem. Most solutions
system has been evaluated using a number of well-known data parse user input and confirm match limited to fixed and very
sets. Results show a significant enhancement in the detection
small patterns, which are modeled by reference to existing
procedure.
malicious web code. However, there are new malicious web
Keywords—SQL injection; web security; genetic fuzzy system; codes which can deliberately be developed to avoid being
fuzzy rule learning matched with the registered patterns [8]. The available parsing
techniques can also cause high computational overhead
I. INTRODUCTION affecting real-time detection [9].
Web applications are vulnerable to numerous attacks. SQL Recently, machine learning techniques are adapted to
injection is a widely common threat, which remains on top of overcome previously mentioned problems as they can give
the list of web application attacks as ranked by OWASP (the leverage for the broader range of malicious web code and can
Open Web Application Security Project) [1]. Various be adapted to variations and changes [8]. Machine learning
techniques of SQL injection are used by hackers to achieve techniques explore the study and construction of
different purposes: bypassing a login system, modifying a table algorithms that can learn from and make predictions
in a database, shutting down SQL server, getting database on data. Such algorithms operate by building a model from
information from the returned error message, or executing example inputs in order to make data-driven predictions or
stored procedures [2]. decisions, rather than following strictly static program
SQL injection attacks are a type of vulnerability that is instructions [10]. Some existing machine learning techniques
ultimately caused by insufficient input validation. Such attacks suffer from high computational overhead; the training of
occur when data provided by the user is not properly validated classifiers in those techniques is time-consuming and causes
and included directly in an SQL query. By leveraging these computational overhead. Furthermore, a number of existing
vulnerabilities, an attacker can submit SQL commands directly solutions lack adaptation capability to detect new attacks [9].
to the database. Web applications are threatened by this kind of Uncertainty and fuzziness are popular phenomena in
vulnerability that uses user input to form SQL queries to access applications of machine learning. Different types of uncertainty
an underlying database [3]. Generally, SQL injection attacks can be observed: (i) Noise, outliers, and errors affect the input
are classified into seven types: tautologies, illegal/logically data. A machine learning method has to deal with this type of
incorrect queries, piggy-backed queries, stored queries, fuzzy information, showing robustness with respect to such
inference and alternate encodings [2] [4] [5]. disturbances. (ii) Distribution and fuzziness influence
Attackers continuously develop new ways to bypass representation of information within a machine learning
controls added by developers. In the recent years, hackers system. According to these different locations and goals of
started to use different styles to perform SQLI. Hackers fuzzy information, a variety of different models exist which
allow machine learning to deal with uncertain information as

129 | P a g e
www.ijacsa.thesai.org
 (IJACSA) International Journal of Advanced Computer Science and Applications,
Vol. 7, No. 6, 2016

input, output, or internal representation [11]. Fuzzy rule-based II. LITERATURE REVIEW AND RELATED WORK
systems (FRBSs) are well-known methods within soft In general, SQL injection attacks can be divided into the
computing, based on fuzzy concepts that address complex real- three main categories: in-band, out-of-band and inferential
world problems. They are powerful methods to address [14]. In the in-band attacks, the information is extracted from
uncertainty, imprecision, and non-linearity [12]. the same channel that is used for the attack. For example, the
Fuzzy rule-based classification systems (FRBCSs) are list of users will appear in the current page. In out-of-band
specialized in handling classification tasks. A main attack, the extracted information is sent back to the attacker
characteristic of classification is that the outputs are categorical using another channel such as email. For inferential, which is
data. Therefore, in this model type, we preserve the antecedent also known as a blind injection, no data is sent back directly to
part of linguistic variables and change the consequent part to be the attacker. However, the attacker can reconstruct the data by
a class Cj from a pre-specified class set C = {C1,.......,CM}. trying the different attacks and observing the behavior of the
FRBCS aim at representing the knowledge of human experts in web application.
a set of fuzzy IF-THEN rules. Instead of using crisp sets as in In the literature, SQLI detection techniques can be
classical rules, fuzzy rules use fuzzy sets. Rules were initially classified into the dynamic analysis, static analysis, combined
derived from human experts through knowledge engineering approach, machine learning, and other approaches (e.g. Hash
processes. However, this approach may not be feasible when technique, Black Box Testing) [3][15-19]. Static analysis
facing complex tasks or when human experts are not available. checks whether every flow from a source to a sink is subject to
An effective alternative is to generate the FRBCS model an input validation and/or input sanitizing routine [20];
automatically from data by using learning methods. FRBCSs whereas dynamic analysis is based on dynamically mining the
have demonstrated their ability to handle control problems, programmer’s intended query structure on any input and
modeling, classification or data mining in a huge number of detects attacks by comparing it against the structure of the
applications [13]. actual query issued [21].
The automatic definition of FRBCS rules can be seen as an AMNESIA, as a combined approach, is a model-based
optimization problem. Genetic Algorithms (GAs) are global technique that combines the static and dynamic analysis for
search techniques with the ability to explore a large search detection and prevention of SQLI attacks [3]. In the static
space for suitable solutions only requiring a performance phase, to build the models of the SQL queries that are
measure. In addition to their ability to find near optimal generated at points of access to the database, AMNESIA uses a
solutions in complex search spaces, the generic code structure static analysis. In the dynamic phase, AMNESIA intercepts all
and independent performance features of GAs qualifies them to the SQL queries before they are sent to the database and checks
incorporate a priori knowledge. In the case of FRBCSs, this a each query against the statically built models. Queries that
priori knowledge may be in the form of linguistic variables, violate the model are identified as SQLI attacks. The accuracy
fuzzy membership function parameters, fuzzy rules, number of of AMNESIA depends on the static analysis stage.
rules (Genetic rule learning), etc. These capabilities extended Unfortunately, certain types of complicated codes and/or query
the use of GAs in the development of a wide range of generation techniques make this step less precise and generate
approaches for designing FRBSs over the last few years. both false positives and negatives [22].
Therefore, GAs remain today as one of the fewest knowledge
schemes available to design and optimize FRBCSs with respect As mentioned above, several approaches for detection of
to the design decisions. According to the performance SQL injection were developed. The literature survey
measures, decision makers decide which components are fixed emphasizes on the machine learning techniques which are
and which need to change [13]. relevant to our proposed system. Valeur et al. [23] proposed an
intrusion detection system capable of detecting a variety of
In this work, we investigate the FRBCS technique for SQL injection attacks. Profiles of normal access to the database
detection of SQLI; we suggest a new technique to address the are built using statistical methods. At runtime, queries that do
uncertainty, fuzziness and adaptation problems associated with not match any built model are identified as a possible attack.
existing machine learning techniques. The rule selection As with most learning-based anomaly detection techniques, the
mechanism in FRBCS induces competition among rules by system requires a training phase prior to detection. The main
only considering the quality of matching performed by each problem of this technique besides the false positives and
rule. To increase the generalization power of the classifier, we negatives is its execution and storage overhead, due to
have proposed a genetic fuzzy approach that creates more difficulty in training on all the possible normal benign queries
cooperative rules in the final population. The proposed system with normal behavior [24].
uses genetic algorithm (GA) for optimizing the FRBCS
technique to enhance its learning and adaptation capabilities. In [9], the authors proposed an SQLI detection technique
in adversarial environments by K-centers. They introduced a
The rest of the paper is organized as follows: Section 2 new online learning technique in which samples are learned
discusses related work reported in the literature. An overview one by one, and as a result, number and centers of the clusters
of the proposed fuzzy genetic system is explained in Section 3. are adjusted accordingly. Therefore, the K-centred technique
The experimental result and evaluation of the proposed system can adapt to different kinds of attacks. The experimental results
are discussed in Section 4. Finally, in Section 5 the conclusion show that their method has a satisfying result on the SQLI
and future research directions are presented. attacks detection in the adversarial environment. The main

130 | P a g e
www.ijacsa.thesai.org
 (IJACSA) International Journal of Advanced Computer Science and Applications,
Vol. 7, No. 6, 2016

drawback of their method is that it must receive a true label of SQLI is proposed in [30]. In this technique, levels of SQLI are
each statement after classification [25]. The concept of pattern detected using template matching. The ultimate goal of the
classifiers to detect injection attacks and protect web genetic algorithm is to optimize the matching rules of SQLI
applications is introduced in [24]. HTTP requests are captured queue in the template library. These rules are in the form of IF
and converted into numeric attributes. Numeric attributes (condition) THEN (execution); where conditions refer to attack
include the length and the number of keywords of parameters. sequence matches. However, the algorithm relies on template
Using these attributes, the system classifies the parameters by sequence to define SQLIA. Therefore, the system fails to detect
Bayesian classifier to judge whether the parameters are the attacks of different sequences that are not included in the
injection patterns or not. The main drawback is that the system template library.
depends on limited types of features.
The main objective of this paper is to propose a combined
The major contributions of the work in [26] are the approach where FRBS and the genetic algorithm can be used
proposal of a novel method based on the genetic algorithm together to improve the accuracy of the system for detection of
applied to SQLI attack detection task and correlation of a SQLI, consequently, new SQLI attacks can be processed and
number of detection tools altogether with the novel method. In detected. To the best of our knowledge, there is no previous
this work, the authors prove that correlating several sources of work that uses FRBS for detecting SQLI attacks. To enhance
information and then performing reasoning on the correlated the accuracy of learning capability, we extend FRBS with the
information can improve the results of attacks detection. The genetic algorithm to find the most suitable rules for FRBCS.
main disadvantage of this algorithm is the overhead in
performance and storage caused by the correlation approach. III. PROPOSED SQL INJECTION DETECTION SYSTEM USING
FUZZY GENETIC
The implementation of Artificial Neural Networks (ANN)
as a biologically inspired computing is investigated in [2] to This paper introduces a GA based method to generate a
detect SQLI attacks. Multilayer Feed forward Networks fuzzy rule base for SQLI detection. With the specific structure
(MLN) was used in the implemented system. It has the ability of the chromosome, the GA operations and the adequate fitness
to learn and store the empirical knowledge, the nonlinearity function, the proposed method produces a fuzzy rule base
nature of the neural networks, the ability to generalize the (FRB) with proper rules. Designers usually cannot guarantee
solutions and to adapt when the context changes, and suitable that the fuzzy control system designed with trial-and-error for
computational performance. The limitations include depending building fuzzy rules has a reliable performance. Fig. 1
on the appearance of certain SQL keywords along with illustrates the flow diagram of the proposed system.
suspicious characters without considering the relative order In this work, the fuzzy rule base is tuned automatically by
between them. For this reason, despite the different order of the GA, known as Genetic Fuzzy System (GFS). The fuzzy logic
keywords, if a normal signature contains many keywords and produces controllers that are suitable for dealing with
suspicious characters that often appear together in an SQLI, it uncertainty and imprecision. Second, fuzzy behaviors can be
is highly likely to be misclassified. Another work, related to conveniently synthesized by a set of IF-THEN rules using
ANN-based SQLI detection, is introduced in [27, 28]. It easy-to-understand linguistic terms to encode expert
depends on limited SQL patterns for training so it is knowledge. Finally, the interpolative nature of fuzzy systems
susceptible to generate false positives. helps express partial and simultaneous simulations of SQLI
TF-IDF has been used in [8] for weight calculation of features, and the smooth transitions between these features
tokens to evaluate the performance of three machine learning [30].
approaches: SVM, Naive-Bayes, and K-NN. This method has GA starts with a population of randomly generated
low computation time complexity but susceptible to chromosomes, and advance towards better chromosomes by
generating false positives [9]. Furthermore, Gene Expression applying genetic operators inspired by the genetic process
Programming (GEP) for detection of SQLI is discussed in [29]. occurring in nature. The population undergoes evolution in a
At the beginning, chromosomes are generated randomly. Then, form of natural selection. During successive iterations, called
in each iteration of GEP, a linear chromosome is expressed in generation, chromosomes in the population are evaluated for
the form of expression tree and executed. The fitness value is their adaptation as solutions, and on the basis of this
calculated and termination condition is checked. The best evaluation, a new population of chromosomes is formed using
individual is preserved through the next iteration. Afterward, a selection mechanism, crossover, and mutation operators. A
the populations are subjected to genetic operators with defined fitness function must be devised for each problem to be solved.
probability. New individuals in temporary population Each chromosome is evaluated using the fitness function,
constitute the current population. Classification accuracy returning a single numerical value. The probability of selection
received from GEP depicts great efficiency for SQL queries of a certain chromosome is directly proportional to its fitness
constituted from 10 to 15 tokens. For longer statements, the function [31]. A GA-tuned fuzzy system with seven inputs and
averaged FP and FN is approximately 23%. one output will be illustrated to explain the SQLI detection
Among the approaches, genetic algorithm for detection of process.

131 | P a g e
www.ijacsa.thesai.org
 (IJACSA) International Journal of Advanced Computer Science and Applications,
Vol. 7, No. 6, 2016

information_schema, load_file, select, shutdown,

cmdshell, hex, ascii).
 f 3 : Frequency of punctuations like (<, >, *, ; , _, -, (,
), =, {, }, @, ., , &, [, ], +, -, ?, %, !, :, \, /).
 f 4 : Frequency of SQL tokens like (where, table, like,
select, update, and, or, set, like, in, having, values, into,
alter, as, create, revoke, deny, convert, exec, concat,
char, tuncat, ASCII, any, asc, desc, check, group by,
order by, delete from, insert into, drop table, union,
join).
 f 5 : Length of SQL statement.

 f 6 : Frequency of spaces within the parameter of the

query, which leads to the possibility of attacks.
 f 7 : Existence of statements that always result in true
value, for example "1=1" or "@=@" or "124=124".
The appropriate selection of these features plays a crucial
role in several aspects of the design of robust and feasible
SQLI detection systems. The rationale for choosing these types
of features is its ability to identify most of SQIA types like
tautologies, union, piggybacked, illegal/logically incorrect,
alternate encodings and stored procedures which are treated the
same as SQL queries. Other features can be included to
increase the scalability of the system to detect new malicious
code. In addition, by reducing the number of features (by
eliminating redundant or irrelevant features), the performance
of rule induction system can be improved as well as the
classification performance of the rules produced.
B. K-means clustering
To transfer the extracted numerical features (all mentioned
above features except the 7th feature into linguistic terms
low (L), medium (M) and high (H); the system utilizes K-
means clustering algorithm. k-means is one of the simplest
unsupervised learning algorithms that solve the well-known
clustering problem. The procedure follows a simple
Fig. 1. Proposed SQL Injection Detection System
and easy way to classify a given data set through a certain
A. Extracting SQLI features from dataset number of clusters (assume k clusters) fixed Apriori. Let
The SQLI attack keywords are the popular keywords
X  {x1 , x2 ,..., xn } be the set of data points, that represents
in SQL language which are generally used in order to the f i i  1,...,6 values across the queries and
perform operations on the tables inside a given SQL V  {v1 , v2 ,..., vn } be the set of initial centers. Algorithmic
database. This approach extracts tokens (keywords) which
steps [32, 33] for k-means clustering are:
consist of specific terms of malicious web code as features.
Tokenization is a process of breaking a sentence into a list of 1) Randomly select k cluster centers, k =3 in our case.
words. In other words, a tokenizer parses a sentence into a list 2) Calculate the distance between each data point and
of tokens. Based on these tokens, the system extract the cluster centers.
features, and represent each query as a sequence of numbers, 3) Assign the data point to the cluster center whose
each number represents one of the features mentioned below
distance from the cluster center is the minimum of all the
[2] [8] [9] [27] [26].
cluster centers.
 f1 : Frequency of special characters (dangerous 4) Recalculate the new cluster center:
characters) like (--, #, /*, ', '', ||, \\, =, /**/,@@). 1 c
vi    ji1 xi , where ci represents the number of data
 f 2 : Frequency of special tokens (dangerous tokens)  ci 
like (rename, drop, delete, insert, create, exec, update, points in cluster.
union, set, Alter, database, and, or,

132 | P a g e
www.ijacsa.thesai.org
 (IJACSA) International Journal of Advanced Computer Science and Applications,
Vol. 7, No. 6, 2016

5) Recalculate the distance between each data point and  If more than half input variables are ‘H’, the output
the new obtained cluster centers. If no data point is reassigned variable is set to ‘H’.
then stop, otherwise repeat from step 3. This algorithm aims at
 If both f 7 and f 2 are ‘H’, the output variable is set to
minimizing an objective function, in this case, a squared error
function. ‘H’.
 If both
k
J (V )   ji1 ( xi  v j ) ,
c 2
(1) f 7 and f1 are ‘H’, the output variable is set to
i 1 ‘H’.
ci is the number of data points in ith cluster, and k is the
number of cluster centers.  If both f1 and f 2 are ‘H’, the output variable is set to
‘H’.
C. Fuzzy Logic System
Owing to low computational requirement and capability of  If f 7 , f 2 and f1 are ‘H’, the output variable is set to
modeling human perception, fuzzy Logic (FL) is an efficient ‘H’.
and flexible method for managing degrees of uncertainty in
attack detection. Problems can be described in natural  If any of f 7 , f 2 and f1 is ‘H’, the output variable is set
descriptions, linguistic terms, rather than the numerical values. to ‘M’.
The FL system consists of (i) fuzzifier that takes input values
and determines the degree to which they belong to each of the  If both f1 and f 2 are ‘M’, the output variable is set to
fuzzy sets via membership functions (MFs); (ii) fuzzy ‘M’.
inference system that defines a non-linear mapping of the input
data vector into a scalar output, using fuzzy rules and (3) Other rules are obtained using the Cartesian product
defuzzifier that maps output fuzzy sets into a crisp number method of the seven features; which is to consider all the
[34]. A fuzzy set [35] is defined as [2]: combinations of antecedent linguistic values and generate a
fuzzy rule for each combination. The output variable of each
D  x,  D x  | x  X ,  D x   0,1 , (2) case depends on the nature of dataset. The rules altogether deal
where X represents the universal set, x is an element of X, D with the weight assignments impliedly in the same way that
is a fuzzy subset in X and μD(x) is the membership function of humans think. The fuzzy inference processes all of the cases in
fuzzy set D. A membership function is a curve that defines a parallel manner, which makes the decision more reasonable.
how each point in the input space is mapped to a membership
value (or degree of membership) between 0 and 1 [35]. The output of the fuzzy system is the probability of SQLI
(PSQLI) and it is also described by three fuzzy variables,
Next we will fuzzify the input (features of SQLI) and the including ‘high’, ‘medium’ and ‘low’ with triangular MFs. The
output (probability of injection), i.e. input and output are outputs of fuzzy values are then defuzzified to generate a crisp
mapped into a set of fuzzy partitions. Here, a seven-input value for the variable. The most popular defuzzification
single-output fuzzy system is used, which is given by method is the centroid, which calculates and returns the center
f : U  R m  Z  R n , where U  U1  ....  U 7 is the input of gravity of the aggregated fuzzy set [36] and is given by
space and Z is the output space. Three fuzzy variables s

including ‘low’, ‘medium’ and ‘high’ (L, M, H) are used to 

r 1

(r) (r)

, (4)
describe the features. Their respective MFs (µA) [36] are  s
triangular function calculated as:
 (r)

xa cx r 1
f ( x; a, c)  max(min( , ),0) where  (r ) is the center of the suggested output at rule r, n
ba c b , (3)
is the number of rules and  is the MF at rule r. The
(r )
where a, b and c are the outputs of the k-mean clustering
that represent lower, center and upper limits of a cluster obtained crisp value is then mapped to its range (low, medium,
respectively. To achieve overlap between the membership high) to indicate the potential of SQLI attack.
functions (overlapped fuzzy-sets) of each feature, the system
D. Rule Induction using Genetic Algorithm
makes an intersection with 15% -20% between the consecutive
MFs. In general, a rule base can be constructed by human experts
or by machine learning techniques from datasets. The machine
Once the system acquires the fuzzy descriptions of the learning approach is useful where it is desired to extract rules
features distance, the Mamdani rule base (fuzzy reasoning) can from the analysis that can be related to conceivable human
be built to make an inference of detection of SQLI. Fuzzy behavior. The essential feature of a GA is that a population of
reasoning, which is formulated by the group of fuzzy IF– proposed solutions (coded using a “chromosome”) is modified
THEN rules, presents a degree of presence or absence of using biologically inspired operators (especially crossover and
association or interaction between the elements of two or more mutation), and incorporating a random component, to explore a
sets. In the proposed system, reasoning is carried out through solution space [37]. Formally, let P(g) and S(g) be parents and
the following rules: offspring in generation g; the GA is working as follows:

133 | P a g e
www.ijacsa.thesai.org
 (IJACSA) International Journal of Advanced Computer Science and Applications,
Vol. 7, No. 6, 2016

TABLE I. GENETIC PARAMETERS

Parameter Value Description

Population type Bit string Input data type to the fitness function
The initial population Randomly Cartesian product of all features
Population size 200 -1458 Number of chromosomes in each generation
Number of generation Satisfying criteria The highest ranking solution's fitness is reaching
2 bits for all features
Gene length Length of unsigned bit string for each variable
+ 1 bit for feature7 + 2 bits for the output
Chromosome length 15 bits (2×6)+1+2
Probability of cross-over 0.5 Default, combine two parents to form children in the next generation
Probability of mutation 0.015 Default, apply random changes to individual parents to form children
A number Tour of individuals is chosen randomly from the population and the best
Selection function Tournament
individual from this group is selected as parent.
Fitness function Maximize attack detection The objective is to maximize detection ratio between parents and children.
medium and "11" for high linguistic term; whereas the bit at
Procedure (GA)
BEGIN position 13 identifies a feature f 7 with values "0" to non-
g ←0 existing and "1" for existing and finally the last two bits
Initialize P(g) represents PSQLI with "00" for low, "01" for medium and "11"
Evaluate P(g) for high linguistic term.
While (not matching the ending conditions) f1 f2 f3 f4 f5 f6 f7 PSQLI
Recombine P(g) to yield S(g) 11 00 10 11 01 01 1 11
Evaluate S(g)
Select P(g+1) from P(g) and S(g)
g ← g +1 Rule antecedent part Consequent part
END
In general, the methods that combine the genetic and fuzzy
approaches for generation of knowledge bases (KBs) can be Fig. 2. Example of codification of rules
divided into two main groups: genetic tuning and genetic
learning [13]. If there exists a KB, we apply a genetic tuning 2) Fitness Function
process for improving the FRBS performance while preserving In order to use genetic algorithms as the search procedure,
the existing RB. That is, to adjust FRBS parameters for it is necessary to define a fitness function which properly
improving its performance, maintaining the same RB. The assesses the rules. The fitness function must be able to
second possibility is to learn KB components (an adaptive discriminate between the legal and illegal classification of
inference engine can be included). That is, to involve the queries. Finding an appropriate function is not a trivial task,
learning of KB components among other FRBS components. due to the variations associated with the SQLI types. In
Our system employs the genetic learning to learn the flexible general, the quality of rules in an FRBS is one of the
inference engine. parameters that favor accuracy, while the number of rules is the
The first step in applying GAs to the problem of rule parameter that favors transparency, an FRBS with a small
learning is to map the initial rules (initial RB) into a suitable number of rules can make the model easily understood by the
representation for genetic operations. The system that has been user. Several approaches in the field of FRBS reduce the FRB
used is Michigan GA [13]. In Michigan GA, the population size at the expense of accuracy [38]. In this work, the primary
consists of multiple individuals, each individual codifies objective is to enhance the accuracy; therefore, the numbers of
single rule, and the whole rule set is provided by combining rules are left as they are.
several individuals in a population. For this problem, the In this work, the method suggested by the authors in [39] is
variables (genes) are the linguistic values of each feature (low, refined to improve the evaluation step performed by the GA in
medium, high). Many trials of different values of GA order to optimize the rules in the final FRB during the search
parameters were performed. Finally, the best-evaluated values process. The fitness value is calculated using the Correct
of parameters were chosen as mentioned in Table I. The Classification Rate (CCR) represented by each chromosome.
codification scheme and the fitness calculation are described
below. Fitness = CCR =    , (5)
A B
1) Chromosome Codification where A is the total number of attack records, B is the total
The pre-selection of candidate rules (initial RB) used here number of normal records,  is a total number of attack
allows each rule to be uniquely identified. The identification
records correctly identified as attack and  is the total number
induces a simple binary codification of each rule in each
chromosome and, consequently, the use of simple processes to of normal records incorrectly classified as attack (False
create and handle the chromosomes. Fig. 2 illustrates a positive).
chromosome with 15 bits, represented in binary system, where
IV. EXPERIMENTAL RESULTS
each consecutive two bits from the position 1 to position 12
indicate a feature f i (i=1 to 6) with "00" for low, "01" for To evaluate the performance of the proposed system, a
desktop application that integrates Java and MATLAB has

134 | P a g e
www.ijacsa.thesai.org
 (IJACSA) International Journal of Advanced Computer Science and Applications,
Vol. 7, No. 6, 2016

been implemented. The dataset is downloaded from testbed

[40] which is used to evaluate Amnesia approach in [3]. The TABLE IV. RESULTS OF SQLI DETECTION OF TESTING SET (TOTAL OF
test bed has two sets of inputs: "legit" set, which consists of 13079 ATTACKS, 3016 LEGIT URLS OF THE FOUR TESTING FOLDERS)
legitimate inputs for the application, and "attack" set, which Membership Membership
consists of attempted SQLIAs. All types of attacks were Population
function of function of
represented in this set except for multi-phase attacks. The Type of population 20% 15%
size
intersection intersection
multi-phase attacks include inference attacks and
TP% FP% TP% FP%
illegal/logically incorrect queries, such attacks require human Random 200 79.7 0 76.5 0
intervention and interpretation. The testbed includes seven Random 600 81.8 0 77.6 0
folders, three of them are used for training and the rest for Random 1000 82.6 0 80.3 0
testing. The result is analyzed using: (1) True negative (TN), Original Cartesian 1458 84.5 0 82.8 0
which means the label of the SQL statement is normal and Enhanced Cartesian 1465 98.38 1.6 98 1.7
the classifier has classified it as normal. (2) True positive
(TP) means that the classified label is the same as the true Table II indicates that the system can achieve high accuracy
label which is abnormal. (3) False negative (FN) means that using the enhanced Cartesian rule with 96.8% TP for the attack
the classifier has made a classification mistake concerning the set and 1.2% FP for the legit set of the Checkers dataset. The
abnormal SQL statements. (4) False positive (FP), which enhanced Cartesian rules improve the detection accuracy of
means that a normal statement is misclassified to be an attacks with a slightly increased false positive rate for the legit
abnormal statement [9]. The tests are conducted according to set. One reason for this increase is the fact that using the
Table I, and the fuzzy parameters are set as membership enhanced version activates some rules concerned with f1 which
function type is triangular with 20% overlap. exists with high frequency in normal URLs. For example, the
frequency of a character like ‘=’ can be high in normal URLs.
The first experiment was conducted on the three different
training sets to investigate the performance of the proposed When compared to the results in Table III, the enhanced
system under both original Cartesian rules and enhanced Cartesian rules achieve higher accuracy in detection of SQLI in
version. The original Cartesian rules were the initial rules of the three folders of the testing set with average increase of 3%
the GA formed by all combinations of the seven features that TP and average decrease of 1% TN. One explanation of such
have been previously mentioned in Section 3. Whereas the result is that there are some attack URLs like
enhanced version contains the Cartesian version plus seven “Password='&ret_page='''''&querystring='” resulted after
rules that contain only three features (f1, f2, and f7), which have preprocessing stage in the training set. Such URLs do not
the higher impact on SQLI detection. Each other individual consider most of SQLI features; thus they are not matched with
rule in the original Cartesian set contains all the seven features any rule resulting in false negative (wrong classification).
together. Regarding the Office Talk testing set, it has been noticed that
the obtained results have the same range as the results of the
TABLE II. RESULTS OF SQLI DETECTION OF TRAINING SET training set due to the similarity of the URLs structure.
Original From the obtained results in table IV, it is confirmed that
Enhanced the proposed system provides good accuracy on the subject of
Training No. of No. of Cartesian
Cartesian rules
Folder's attacks legit Rules
(1465 rules) increasing population size (number of initial rules). In general,
subject URLS URLS (1458 rules) increasing the population size leads to increasing the diversity
TP% FP% TP% FP% of chromosomes. This diversity results in new offspring's in
Bookstore 3033 608 76.5 0 95.8 0.5
Checkers 3442 1359 67.3 0 96.8 1.2
each generation that gives rise to increasing accuracy.
Classifieds 3346 576 69.8 0 95.0 0 However, increasing the number of rules increases the
overhead. Furthermore, the experiments reveal that the
TABLE III. RESULTS OF SQLI DETECTION OF TESTING SET system’s accuracy can be improved as the level of fuzzification
increases inside the membership function (intersection area). In
Original the case of increasing the intersection by 5%, the accuracy
Enhanced
Testing No. of No. of Cartesian
Folder's attacks legit Rules
Cartesian rules changed by 2-4%. One explanation for this result is that the
subject URLS URLS (1458 rules)
(1465 rules) system’s ability to deal with uncertainty is directly proportional
TP% FP% TP% FP% with increasing the fuzzification level. Increasing the
Events 3002 900 89.7 0 100 1.5 intersection level between membership functions for each
Employee 3497 660 89.9 0 100 0.6 feature will increase the ability of the fuzzy logic system to
Office Talk 3612 424 72.6 0 94.2 1.1 infer the result from the activated rules through fuzzy logic
Portal 2968 1080 90.8 0 100 2.6
operation (min, and max).

135 | P a g e
www.ijacsa.thesai.org
 (IJACSA) International Journal of Advanced Computer Science and Applications,
Vol. 7, No. 6, 2016

[4] W. Y. Win and H. H. Htun, "Detection of SQL Injection Attacks by

TABLE V. COMPARATIVE STUDY Combining Static Analysis and Runtime Validation," International
Methods Correct Responses Conference on Advances in Engineering and Technology, pp. 95-99,
The proposed system 98.4% Singapore, March 2014.
Neural Network system [28] 96.8% [5] V. Nithya, R. Regan, and J. Vijayaraghavan, "A survey on SQL injection
attacks, their detection and prevention techniques," International Journal
In the last experiment, the accuracy (correct responses) of of Engineering and Computer Science, vol. 2, issue 4, pp. 886-905, 2013.
the proposed system that employs genetic fuzzy algorithm to [6] A. Tajpour, S. Ibrahim, and M. Masrom, "SQL injection detection and
detect SQLI and the comparative algorithm suggested by prevention techniques," International Journal of Advancements in
Computing Technology, vol. 3, no. 7, pp. 82-91, 2011.
N. Sheykhkanloo [28] is given in Table V. The comparative
system utilizes an effective pattern recognition Neural Network [7] S. Rohilla and P. K. Mittal, "Database security by preventing SQL
injection attacks in stored procedures," International Journal of Advanced
(NN) model for detection and classification of the SQLI Research in Computer Science and Software Engineering, vol. 3, no. 11,
attacks. From the illustrated results, our system outperforms the pp. 915-919, 2013.
other one by 1.5%. In general, the correct responses of the [8] R. Komiya, I. Paik, and M. Hisada, "Classification of malicious web code
neural network system depend mainly on the number of hidden by machine learning," 3rd International Conference on Awareness
layers that is commonly determined by the user. On contrast, Science and Technology, pp. 406-411, China, Sept. 2011.
the accuracy of our system depends on the number of utilized [9] X.-R. Wu and P. P. Chan, "SQL injection attacks detection in adversarial
features and consequently the constructed rules, which environments by K-centers," International Conference on Machine
Learning and Cybernetics, pp. 406-410, China, 2012.
characterize the flexibility factor for our system. Furthermore,
[10] J. G. Carbonell, R. S. Michalski, and T. M. Mitchell, "An overview of
the initialization parameters of GA can affect the performance machine learning," in Machine learning, ed: Springer, pp. 3-23, 1983
of our system. These parameters are configured in the learning
[11] B. Hammer and T. Villmann, "How to process uncertainty in machine
phase (offline processing), which consumes more time. In the learning?," European Symposium on Artificial Neural Networks, pp. 79-
testing phase (online processing), the computation time for 90, Belgium, 2007.
detection is reasonable and acceptable. The duration is about [12] L. S. Riza, C. Bergmeir, F. Herrera and J. M. Benítez, "Frbs: fuzzy rule-
217 sec for 13079 attacks, i.e. 16.6 ms for one attack. based systems for classification and regression in R," Journal of
Statistical Software, vol. 65, no. 1, pp. 1-30, 2015.
V. CONCLUSION [13] F. Herrera, "Genetic fuzzy systems: taxonomy, current research trends
and prospects," Evolutionary Intelligence, vol. 1, no. 1, pp. 27-46, 2008.
In this article, we proposed a genetic- fuzzy rule-based
[14] A. Sadeghian, M. Zamani and S. Ibrahim, "SQL injection is still alive: a
classification system for the SQLI attack detection. In the study on SQL injection signature evasion techniques," International
proposed system, the SQL statement is treated as a feature Conference on Informatics and Creative Multimedia, pp. 265-268,
vector that characterizes the SQLI attack keywords. The Malaysia, 2013.
genetic algorithm is adapted for FRBCS to improve the quality [15] G. Wassermann and Z. Su, "An analysis framework for security in Web
of matching implemented by each rule by means of adjusting applications," Proceedings of the FSE Workshop on Specification and
FRBS parameters to increase the generalization power of the Verification of component-Based Systems, pp. 70-78, 2004
classifier. The quality of the proposed system depends mainly [16] G. Buehrer, B. W. Weide and P. A. Sivilotti, "Using parse tree validation
on the selection of the attributes used to build the feature to prevent SQL injection attacks," ACM Proceedings of the 5th
International Workshop on Software Engineering and Middleware, pp.
vector. It has the potential to give a higher accuracy when 106-113, 2005.
comparing to other solutions that use SQL keywords separately [17] S. Bandhakavi, P. Bisht, P. Madhusudan, and V. Venkatakrishnan,
for the problem of SQL injection. For new patterns that the "CANDID: preventing sql injection attacks using dynamic candidate
proposed system cannot recognize, the system can be retrained evaluations," Proceedings of the 14th ACM Conference on Computer
so that it can detect the new patterns without a significant and Communications Security, pp. 12-24, 2007.
increase in processing time. The solution can be used in [18] S. Ali, A. Rauf, and H. Javed, "Sqlipa: An authentication mechanism
combination with positive logic based filtering as in the against sql injection," European Journal of Scientific Research, vol. 38,
no. 4, pp. 604-611, 2009.
prototype implementation. We have presented the evaluation
[19] Y. Huang, S. Huang, T. Lin, and C. Tsai, "Web application security
methodology and reported the results that prove that: (i) The assessment by fault injection and behavior monitoring," Proceedings of
proposed method outperforms other state-of-the art NN the 12th international conference on World Wide Web, pp. 148-159,
method. (ii) Enhanced Cartesian of GA population type Hungary, 2003.
improves detection results. Future work includes investigating [20] L. K. Shar and H. B. K. Tan, "Defeating SQL injection", Computer,
more features to enhance the performance of the detection, and vol. 46, no. 3, pp. 69-77, March 2013.
the ability to automatically reduce the number of rules in the [21] A. Tajpour and M. JorJor Zade Shooshtari, "Evaluation of SQL injection
rule base to improve the detection. detection and prevention techniques," Second IEEE International
Conference on Computational Intelligence, Communication Systems and
REFERENCES Networks, pp. 216-221, UK, 2010.
[1] OWASP. (1 November, 2015). O.W.A.S.P. Top 10 Vulnerabilities. [22] R. Dharam and S. G. Shiva, "Runtime monitors to detect and prevent
Available: https://www.owasp.org/index.php/Top_10_2013-Top_10. union query based SQL injection attacks," Tenth International
[2] A. Moosa, "Artificial neural network based web application firewall for Conference on Information Technology: New Generations, pp. 357-362,
SQL injection," World Academy of Science, Engineering & Technology, USA, 2013.
vol. 64, no. 4, pp. 12-21, April 2010. [23] F. Valeur, D. Mutz and G. Vigna, "A learning-based approach to the
[3] W. G. Halfond and A. Orso, "AMNESIA: analysis and monitoring for detection of SQL attacks," Proceedings of the Conference on Detection
neutralizing SQL-injection attacks, " Proceedings of the 20th IEEE/ACM of Intrusions and Malware, and Vulnerability Assessment, pp. 123-140,
International Conference on Automated Software Engineering, pp. 174- Austria, 2005.
183, 2005.

136 | P a g e
www.ijacsa.thesai.org
 (IJACSA) International Journal of Advanced Computer Science and Applications,
Vol. 7, No. 6, 2016

[24] E. H. Cheon, Z. Huang, and Y. S. Lee, "Preventing SQL injection attack [32] T. Kanungo, D. M. Mount, N. S. Netanyahu, C. D. Piatko, R. Silverman,
based on machine learning," International Journal of Advancements in and A. Y. Wu, "An efficient k-means clustering algorithm: analysis and
Computing Technology, vol. 5, issue 9, pp. 967-974, 2013. implementation," IEEE Transactions on Pattern Analysis and Machine
[25] M. Kaushik and G. Ojha, "SQL injection attack detection and prevention Intelligence, vol. 24, no. 7, pp. 881-892, 2002.
methods: a critical review," International Journal of Innovative Research [33] E. Forgey, "Cluster analysis of multivariate data: Efficiency vs.
in Science, Engineering and Technology, vol. 3, issue 4, pp. 11370- interpretability of classification", Biometrics, vol. 21, no. 3, pp. 768-769,
11377, April 2014. 1965.
[26] M. Choraś, R. Kozik, D. Puchalski, and W. Hołubowicz, "Correlation [34] S. M. Saad, "Application of fuzzy logic and genetic algorithm in
approach for sql injection attacks detection," Advances in Intelligent biometric text-independent writer identification", IET Information
Systems and Computing, Springer, vol. 189, pp. 177-185, 2013. Security, vol. 5, no.1, pp. 1-9, 2011.
[27] N. M. Sheykhkanloo, "Employing neural networks for the detection of sql [35] I. Elamvazuthi, P. Vasant, and J. F. Webb, "The application of mamdani
injection attack," Proceedings of the 7th International Conference on fuzzy model for auto zoom function of a digital camera", arXiv preprint
Security of Information and Networks, pp. 318-323, UK, 2014. arXiv:1001.2279, 2010.
[28] N. M. Sheykhkanloo, "SQL-IDS: evaluation of SQLi attack detection and [36] M. Abdulghafour, "Image segmentation using fuzzy logic and genetic
classification based on machine learning techniques," Proceedings of the algorithms," Journal of WSCG, vol. 11,no. 1, pp.1-8, 2003.
8th International Conference on Security of Information and Networks, [37] J. Ricketts, "Tuning a modified Mamdani fuzzy rulebase system with a
pp. 258-266, USA, 2015. genetic algorithm for travel decisions," 18th World IMACS / MODSIM
[29] J. Skaruz, J. P. Nowacki, A. Drabik, F. Seredynski and P. Bouvry, "Soft Congress, Australia, pp. 768-774, 2009.
computing techniques for intrusion detection of SQL-based attacks," [38] M. E. Cintra and H. D. A. Camargo, "Fuzzy rules generation using
Lecture Notes in Computer Science,Springer, Vol. 5990, pp. 33-42, genetic algorithms with self-adaptive selection," IEEE International
2010. Conference on Information Reuse and Integration, pp. 261-266, USA,
[30] J. Chen, L. Yang, H. Zhang, and Y. Liu, "A GA-based approach for SQL- 2007.
injection detection", Future Information Engineering, vol. 49, p. [39] R. B. Jadhav and M. B. B. Gite, "Real time intrusion detection with
291, 2014. fuzzy, genetic and apriori algorithm," International Journal of Advance
[31] A. Adriansyah and S. H. M. Amin, "Knowledge base tuning using genetic Foundation and Research in Computer (IJAFRC), Vol. 1, Issue 11, pp.
algorithm for fuzzy behavior-based autonomous mobile robot," 34-40, 2014
Proceeding of 9th International Conference on Mechatronics Technology, [40] Willian Halfond, 'Testbed', [Online]. Available: http://www-
pp. 120-125, Malaysia, 2005. bcf.usc.edu/~halfond/testbed.html. [Accessed: 16- JUNE- 2016]

137 | P a g e
www.ijacsa.thesai.org