Machine learning used to block SQL injection hacks

UK company Secerno has devised an innovative way to detect when a database is being attacked using the SQL (Structured Query Language) injection hacking technique.

The databases behind internet applications are exposed to this relatively straightforward attack, which is hard to detect and block because the attacker's input is turned into carefully crafted but syntactically valid, standard SQL commands.

The technique used by Secerno to determine whether database queries are valid was discovered by company founder and chief technology officer Steve Moyle while he was researching his PhD in computer learning at Oxford University.

By combining research in computational linguistics with work in symbolic machine learning, Moyle's company has developed an appliance that performs application-level protocol intrusion detection.

The product uses computational linguistics to "understand" SQL queries and symbolic machine learning to learn, by example, what is valid and what is abnormal behaviour.

There are two parts to the product. A configuration tool learns the normal usage of the database by assessing database logs, and presents the results to IT administrators through a graphical tool.

Database queries are then categorised into a hierarchical list, which the administrator can scan to allow, flag a warning on, or block each category of database query.

When the database application is run, the second part of the product, an appliance, blocks unauthorised database queries as abnormal behaviour.

The company worked with an online DVD retailer to help develop the product, using the retailer's database application to monitor normal database activity.

To test whether the appliance could stop real attacks, Secerno hired security consultancy NGS Software to run a series of mock attacks on the database application.

Along with tracking unusual activity, Moyle said, "We can check if older database functions are still being used by the application," which he said would allow the database server to be locked down so that only the functions the application requires are enabled.
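
The two-part mechanism described above (learn the shapes of normal queries from logs, present them as a categorised list on which the administrator sets allow, flag or block, then enforce that policy at run time) and Moyle's point about seeing which database functions the application actually calls, as an added example that is not Secerno's code and does not claim to reproduce its method: a structural allow-list in Python. The lexer, the template signature, the category rule, the sample traffic log and the attack queries are all constructed for the illustration.

```python
"""Structural allow-listing of SQL queries: learn templates from normal traffic, let an
administrator set a policy per category, block the rest. Added illustration, not Secerno's
code; lexer, template signature and category rule are simplifying assumptions."""
import re
from collections import Counter

_TOKEN = re.compile(r"""
    (?P<ws>\s+)
  | (?P<comment>--[^\n]*|/\*.*?\*/)
  | (?P<string>'(?:[^']|'')*')
  | (?P<number>\d+(?:\.\d+)?)
  | (?P<word>[A-Za-z_][A-Za-z0-9_.]*)
  | (?P<op><=|>=|<>|!=|\|\||[(),;=<>*+\-/%])
""", re.VERBOSE | re.DOTALL)
KEYWORDS = {"SELECT", "FROM", "WHERE", "AND", "OR", "NOT", "IN", "LIKE", "IS", "NULL", "INSERT", "INTO",
            "VALUES", "UPDATE", "SET", "DELETE", "UNION", "ALL", "ORDER", "BY", "LIMIT", "JOIN", "ON", "AS"}

def tokenize(sql):
    """(kind, text) pairs, whitespace dropped; an unlexable tail (e.g. an unterminated quote) is 'bad'."""
    out, pos = [], 0
    while pos < len(sql):
        m = _TOKEN.match(sql, pos)
        if m is None:
            out.append(("bad", sql[pos:]))
            break
        if m.lastgroup != "ws":
            out.append((m.lastgroup, m.group()))
        pos = m.end()
    return out

def template(sql):
    """Structural signature: literals -> '?', keywords upper-cased, identifiers lower-cased,
    calls tagged FUNC:name, comments and lexer failures kept as markers."""
    toks, parts = tokenize(sql), []
    for i, (kind, text) in enumerate(toks):
        if kind in ("string", "number"):
            parts.append("?")
        elif kind in ("comment", "bad"):
            parts.append(kind.upper())
        elif kind == "word":
            prev = toks[i - 1][1].upper() if i else ""
            nxt = toks[i + 1][1] if i + 1 < len(toks) else ""
            if text.upper() in KEYWORDS:
                parts.append(text.upper())
            elif nxt == "(" and prev not in ("INTO", "TABLE"):  # a call, but not INSERT INTO t (...)
                parts.append("FUNC:" + text.lower())
            else:
                parts.append(text.lower())
        else:
            parts.append(text)
    return " ".join(parts)

def category(sql):
    """Coarse bucket for the administrator's list: statement type plus first target table."""
    words = [t for k, t in tokenize(sql) if k == "word"]
    stmt = words[0].upper() if words else "UNKNOWN"
    for i in range(len(words) - 1):
        if words[i].upper() in ("FROM", "INTO", "UPDATE"):
            return f"{stmt} {words[i + 1].lower()}"
    return stmt

class QueryMonitor:
    def __init__(self):
        self.templates = {}         # template -> category: the learned baseline
        self.actions = {}           # category -> "allow" | "flag" | "block", set by the administrator
        self.functions = Counter()  # function name -> times seen in the baseline

    def learn(self, sql):           # configuration phase: one query of normal traffic
        tpl, cat = template(sql), category(sql)
        self.templates[tpl] = cat
        self.actions.setdefault(cat, "allow")
        self.functions.update(p[5:] for p in tpl.split() if p.startswith("FUNC:"))

    def hierarchy(self):            # category -> templates: the list the administrator reviews
        cats = sorted(set(self.templates.values()))
        return {c: sorted(t for t, k in self.templates.items() if k == c) for c in cats}

    def decide(self, sql):          # enforcement phase: anything outside the baseline is blocked
        cat = self.templates.get(template(sql))
        if cat is None:
            return "block", f"abnormal: no learned template in category '{category(sql)}'"
        return self.actions[cat], f"learned category '{cat}'"

    def unused_functions(self, enabled):  # server functions the application never calls
        return set(enabled) - set(self.functions)

BASELINE_LOG = [  # constructed sample of an online shop's normal traffic, not real data
    "SELECT id, title, price FROM dvds WHERE title LIKE 'Alien%'",
    "SELECT id, email FROM customers WHERE LOWER(email) = 'ann@example.com' AND password_hash = 'e3b0c442'",
    "INSERT INTO orders (customer_id, dvd_id, qty) VALUES (17, 42, 1)",
    "UPDATE customers SET last_login = NOW() WHERE id = 17",
    "DELETE FROM baskets WHERE updated < '2006-08-01'",
]

def build_monitor(log=BASELINE_LOG):
    mon = QueryMonitor()
    for q in log:
        mon.learn(q)
    return mon
```

With the baseline learned, `build_monitor().decide(q)` allows a search for `'Blade%'` because its template is identical to the learned one, and blocks a tautology (`LIKE '%' OR '1'='1'`), a comment-terminated login bypass, a UNION that pulls `password_hash` from another table, and an unterminated quote, not because anything recognises them as attacks but because their structure never appeared in normal traffic. The same property is the cost of the approach: a legitimate query that the configuration phase never saw is blocked too, which is why the categorised list is reviewed before enforcement and why a flag action sits between allow and block.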

ICI chief security officer Paul Simmonds, who first looked at the product nine months ago, said the information it produced was "very useful". Simmonds said he believed the approach taken by Secerno would also reduce the chance of valid queries being stopped (false positives).

The Secerno appliance is due to be released in late September.
