KADD
KADD is an AI-based anomaly data detection library of Kunpeng BoostKit for IDA. It provides SQL injection (SQLi) detection capabilities.
SQLi Detection Library
In WAF applications, common attacks such as SQLi are detected by using regular expressions or fingerprints to describe attack features and perform text matching. This requires expert capabilities to build and maintain rule libraries. In actual deployment, rule-based detection methods are likely to be bypassed by attackers using rule vulnerabilities, and the method of parsing text to generate fingerprints for matching suffers from low detection throughput. To lower the threshold for building rule sets and improve detection accuracy and throughput, the AI-based SQLi attack detection technology has emerged, which enables fast SQL syntax parsing, SQLi feature extraction, and SQLi detection and inference based on text.

As shown in the preceding figure, the first step of detection is to use the lexical analyzer to perform SQL syntax parsing on the text to be detected and output a token sequence. The core of the lexical analyzer in the runtime is the deterministic finite automaton (DFA) engine. It performs table lookup and state transition based on the content of the text to be detected and the state transition table, and outputs the corresponding token when the accepting state is activated. The state transition table contains a large number of state IDs, which are inconvenient for direct writing, reading, and debugging. To address this, KADD provides syntax for describing DFAs, namely DFALang. Accordingly, the SQL syntax parsing logic is described in the format defined by DFALang. In addition, KADD provides a DFA compiler to compile DFALang into a state transition table.

As shown in the preceding figure, the second step of detection is to perform SQLi feature extraction and calculation based on the token sequence output by the lexical analyzer. Feature extraction consists of two parts. First, a sliding window representing the distance weight is used as a convolution kernel to perform convolution calculation on the token sequence. Then, histogram statistics are collected on the convolution result by the token type dimension, and the token sequence is converted into a feature vector with a fixed dimension.

As shown in the preceding figure, the third step of detection is to perform inference and detection using the inference engine based on the feature vector and model output by the feature extractor. Random forest is used in detection to perform binary classification on the feature vector to determine whether the attack is an SQLi attack. The inference engine is built based on ONNX Runtime.
Key technologies:
Lexical analyzer, feature extraction engine, and inference engine.
Applicable scenarios:
SQLi detection, etc.