
Over 20 Years of SQL Injection Attacks in the Wild - Time to Refine and Optimize Web Attack Detection by Using Data Mining Techniques

2021-09-24

Authors: Or Katz


Summary

Using data mining techniques to refine and optimize web attack detection, specifically for SQL injection attacks, by analyzing CDN logs and breaking payloads into keywords to gain new insights.
  • SQL injection attacks have been around for over 20 years, yet some defensive capabilities, and the process of building and maintaining them, have stayed obsolete and manual
  • CDN logs classified as SQL injection attacks can be used to refine and optimize security rules
  • Data mining techniques, specifically elements taken from Natural Language Processing, can be used to analyze SQL injection payloads, clean and curate them, break them into keywords, and find the best relation between them to gain new insights
  • The process includes five steps: collecting and cleaning the data, choosing keywords, creating a matrix, creating relationships between keywords, and clustering keywords to gain insights
  • An anecdote is shared about encountering a registration website that did not allow certain characters in the first and last name fields, potentially as a protective detection mechanism against web application attacks
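The five-step process in the summary, carried through end to end as an added example (this is not the speaker's code, and the page does not describe the exact tokenizer, similarity measure or clustering algorithm used in the talk). The log lines are constructed, the tokenizer is a simple regex over SQL keywords and punctuation, keyword relationships are Jaccard similarity between keyword columns of a binary payload-by-keyword matrix, and clustering is single linkage over pairs above a threshold; all of those are assumptions chosen for illustration.

```python
import re
from collections import Counter, defaultdict
from itertools import combinations
from urllib.parse import unquote_plus

# Constructed sample of CDN log lines already classified as SQL injection.
# Hypothetical data in a "<client-ip> <path>?<query>" layout, not real CDN output.
SAMPLE_LOGS = [
    "203.0.113.5 /item.php?id=1%27%20UNION%20SELECT%20NULL%2CNULL%2Cversion()--",
    "203.0.113.7 /item.php?id=2%27%20union%20select%20null%2Cnull%2Cuser()%20--%20",
    "198.51.100.9 /search?q=x%27%20OR%20%271%27%3D%271",
    "198.51.100.3 /login?user=admin%27%20or%201%3D1%20--%20",
    "192.0.2.44 /item.php?id=3%27%20AND%20SLEEP(5)--",
    "192.0.2.12 /item.php?id=4%27%3BWAITFOR%20DELAY%20%270%3A0%3A5%27--",
    "192.0.2.77 /item.php?id=5%20and%20sleep(3)%23",
]

# Keyword tokens: SQL words plus the punctuation that matters in injection
# payloads.  Digits and commas are deliberately dropped so that literal values
# (1, 5, '0:0:5') do not become keywords.
TOKEN_RE = re.compile(r"[a-z_]+|--|#|/\*|\*/|'|\"|;|=|\(|\)")


def clean_payload(log_line: str) -> str:
    """Step 1: pull the parameter values out of a log line, URL-decode and normalise."""
    query = log_line.split("?", 1)[1] if "?" in log_line else log_line
    values = [p.split("=", 1)[1] for p in query.split("&") if "=" in p]
    decoded = " ".join(values)
    # Decode twice: attackers frequently double-encode to slip past naive rules.
    decoded = unquote_plus(unquote_plus(decoded))
    return re.sub(r"\s+", " ", decoded.lower()).strip()


def tokenize(payload: str) -> list:
    return TOKEN_RE.findall(payload)


def choose_keywords(token_lists: list, min_df: int = 2) -> list:
    """Step 2: keep tokens that occur in at least min_df distinct payloads."""
    df = Counter()
    for toks in token_lists:
        df.update(set(toks))
    return sorted(t for t, n in df.items() if n >= min_df)


def build_matrix(token_lists: list, keywords: list) -> list:
    """Step 3: binary payload-by-keyword matrix (1 = keyword present in payload)."""
    index = {k: i for i, k in enumerate(keywords)}
    matrix = []
    for toks in token_lists:
        row = [0] * len(keywords)
        for t in toks:
            if t in index:
                row[index[t]] = 1
        matrix.append(row)
    return matrix


def keyword_similarity(matrix: list, keywords: list) -> dict:
    """Step 4: Jaccard similarity between every pair of keyword columns."""
    sims = {}
    for i, j in combinations(range(len(keywords)), 2):
        both = sum(1 for row in matrix if row[i] and row[j])
        either = sum(1 for row in matrix if row[i] or row[j])
        sims[(keywords[i], keywords[j])] = both / either if either else 0.0
    return sims


def cluster_keywords(keywords: list, sims: dict, threshold: float) -> list:
    """Step 5: single-linkage clustering (union-find) over pairs at or above threshold."""
    parent = {k: k for k in keywords}

    def find(k):
        while parent[k] != k:
            parent[k] = parent[parent[k]]
            k = parent[k]
        return k

    for (a, b), s in sims.items():
        if s >= threshold:
            parent[find(a)] = find(b)
    groups = defaultdict(list)
    for k in keywords:
        groups[find(k)].append(k)
    return sorted(sorted(g) for g in groups.values())


def mine_keyword_clusters(log_lines: list, min_df: int = 2, threshold: float = 0.6) -> list:
    """Run all five steps and return keyword clusters as sorted lists."""
    token_lists = [tokenize(clean_payload(line)) for line in log_lines]
    keywords = choose_keywords(token_lists, min_df)
    matrix = build_matrix(token_lists, keywords)
    return cluster_keywords(keywords, keyword_similarity(matrix, keywords), threshold)


if __name__ == "__main__":
    for cluster in mine_keyword_clusters(SAMPLE_LOGS):
        print(cluster)
```

On the constructed sample the clusters fall out along attack families: `null`/`select`/`union` (UNION-based extraction), `=`/`or` (tautology), `and`/`sleep` (time-based), while `'` and `--` cluster together because they appear in almost every payload regardless of family. That last cluster is the practical point of the exercise: tokens shared across all families carry little discriminating power on their own, whereas a rule keyed on a family cluster (for example `waitfor`/`delay` once more samples push them past `min_df`) tracks a specific technique and surfaces new ones as fresh keywords start co-occurring.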

Abstract

SQL injection was first introduced to the wild over 20 years ago, and some of the defensive capabilities, together with the process of building and maintaining them, have stayed obsolete and manual. In this presentation, I will show how Content Delivery Network (CDN) logs classified as SQL injection attacks can be used to refine and optimize security rules, improve detection of future attacks, and detect emerging attacks targeting new vulnerabilities. The process used includes elements taken from Natural Language Processing (NLP) to analyze SQL injection payloads, clean and curate them, break them into keywords and find the best relation between them, in order to obtain new and valuable insights.
