Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Multi-Agent Honeypot-Based Request-Response Context Dataset for Improved SQL Injection Detection Performance

Hao Yu, Hui Li, FengYuan Shi, Wenjie Yu, PinHan Ho, Zehua Wang, Bin Wang

TL;DR

Experiments show that models trained on this context dataset outperform payload-only counterparts: CNN and BiLSTM achieve over 40\% accuracy improvement in different tasks, validating that the request-response context enhances the detection of evolving and obfuscated attacks.

Abstract

SQL injection remains a major threat to web applications, as existing defenses often fail against obfuscation and evolving attacks because of neglecting the request-response context. This paper presents a context-enriched SQL injection detection framework, focusing on constructing a high-quality request-response dataset via a multi-agent honeypot system: the Request Generator Agent produces diverse malicious/benign requests, the Database Response Agent mediates interactions to ensure authentic responses while protecting production data, and the Traffic Monitor pairs requests with responses, assigns labels, and cleans data, yielding totally 140,973 labeled pairs with contextual cues absent in payload-only data. Experiments show that models trained on this context dataset outperform payload-only counterparts: CNN and BiLSTM achieve over 40\% accuracy improvement in different tasks, validating that the request-response context enhances the detection of evolving and obfuscated attacks.

Multi-Agent Honeypot-Based Request-Response Context Dataset for Improved SQL Injection Detection Performance

TL;DR

Experiments show that models trained on this context dataset outperform payload-only counterparts: CNN and BiLSTM achieve over 40\% accuracy improvement in different tasks, validating that the request-response context enhances the detection of evolving and obfuscated attacks.

Abstract

SQL injection remains a major threat to web applications, as existing defenses often fail against obfuscation and evolving attacks because of neglecting the request-response context. This paper presents a context-enriched SQL injection detection framework, focusing on constructing a high-quality request-response dataset via a multi-agent honeypot system: the Request Generator Agent produces diverse malicious/benign requests, the Database Response Agent mediates interactions to ensure authentic responses while protecting production data, and the Traffic Monitor pairs requests with responses, assigns labels, and cleans data, yielding totally 140,973 labeled pairs with contextual cues absent in payload-only data. Experiments show that models trained on this context dataset outperform payload-only counterparts: CNN and BiLSTM achieve over 40\% accuracy improvement in different tasks, validating that the request-response context enhances the detection of evolving and obfuscated attacks.
Paper Structure (15 sections, 1 equation, 3 figures)

This paper contains 15 sections, 1 equation, 3 figures.

Table of Contents

  1. Introduction
  2. Related work
  3. Traditional Methods
  4. Machine Learning Methods
  5. Dataset Building Framework
  6. Request Generator Agent
  7. Database Response Agent
  8. Traffic Monitor Agent
  9. Request-Response Context Dataset
  10. Evaluation and Analysis
  11. Model Selection
  12. Datasets
  13. Performance of Context Dataset on Lightweight Models
  14. Performance of Context Dataset on Knowledge Distillation
  15. Conclusion

Figures (3)

  • Figure 1: This graph shows the framework of data collecting procedure.
  • Figure 2: Accuracy comparison of traditional models on Payload vs. Context datasets
  • Figure 3: Accuracy comparison of knowledge distilled models on Payload vs. Context datasets