Application of Artificial Intelligence in Detecting SQL Injection Attacks
DOI: http://dx.doi.org/10.62527/joiv.8.4.3631