
Hackers and malware are one step ahead of cybersecurity experts, and every time technology is released to the market, vulnerabilities will be quickly discovered and exploited.

How effective can machine learning technology be, particularly in the defense against SQL injection attacks (SQLi)? Is it the correct approach to the problem?


1 Answer


Machine learning technology is certainly better in scope compared to signature-based systems. To your example about SQLi attacks, signatures could look for specific commands/strings within the HTTP payload as the means of detection. An ML-based approach can, instead, define the behavior as a process spawned on the DB server or unwanted read-only operations, etc. If there is another novel SQLi attack which escapes the signature (the string did not match) but the consequential behavior remains the same (process spawned or unwanted read-only operations), then the ML approach will come out flying.

Having said that, the ML-based approach can only detect a behavior it is trained for. In the above example, if the SQLi attack results in a new reverse tunnel opened to another host, but we did not train the model for this behavior, then the ML approach will not succeed either.


(Answer to the previous question on how signature systems differ from ML-based systems)

Yes. A signature checks only for a specific vulnerability, or multiple vulnerabilities at best. Machine learning, however, focuses on the behavior of the attack, which does not necessarily mean how the exploit was handled, but rather post-infection activity, etc.

Aside: developing ML-based security systems is my daytime job.

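To make the contrast the answer draws concrete, here is a small Python example written for this page (it is not the answerer's system or any product's code). It pairs a string-signature check on the HTTP payload with a behavior check on events observed at the database server. The signature list, the "trained" behavior classes, the process/table names and the sample payloads and events are all constructed for the example; the behavior detector is a hand-written stand-in for a trained model. It also shows the false-positive cost raised in the comments: a benign search string that happens to contain a SQL keyword.

```python
"""
Signature-based vs behavior-based SQLi detection, as a toy comparison.
Everything below (signatures, baseline, sample requests and events)
is constructed for this example.
"""
import re
from dataclasses import dataclass

# --- Signature-based detection: known SQLi strings in the HTTP payload ---
SQLI_SIGNATURES = [
    re.compile(r"'\s*or\s+'?1'?\s*=\s*'?1", re.IGNORECASE),  # ' OR '1'='1
    re.compile(r"\bunion\s+select\b", re.IGNORECASE),        # UNION SELECT
    re.compile(r"xp_cmdshell", re.IGNORECASE),              # OS command via MSSQL
]


def signature_match(payload: str) -> bool:
    """True if any known SQLi string appears in the request payload."""
    return any(sig.search(payload) for sig in SQLI_SIGNATURES)


# --- Behavior-based detection: what the DB server actually did ---
@dataclass(frozen=True)
class DbEvent:
    process: str  # process that produced the event (hypothetical name)
    action: str   # "query", "spawn" or "connect"
    target: str   # table read, executable spawned or remote host contacted


# Tables the application is expected to read (constructed baseline).
ALLOWED_TABLES = {"products", "orders"}

# Behavior classes the "model" was trained to recognise as malicious.
# "connect" is deliberately absent: the model was never trained on it,
# which is the caveat the answer makes about an untrained reverse tunnel.
TRAINED_MALICIOUS = {
    "spawn": lambda e: e.process == "dbserver",        # DB server spawns a child
    "query": lambda e: e.target not in ALLOWED_TABLES,  # read outside app tables
}


def behaviour_detect(event: DbEvent) -> bool:
    """True only for behavior classes the detector was trained on."""
    rule = TRAINED_MALICIOUS.get(event.action)
    return bool(rule and rule(event))


# Constructed scenarios: (label, HTTP payload, resulting DB-server event).
SCENARIOS = [
    ("known SQLi", "' OR '1'='1", DbEvent("dbserver", "query", "users")),
    ("novel SQLi", "' OR 2>1 -- ", DbEvent("dbserver", "query", "users")),
    ("SQLi to OS command", "'; EXEC xp_cmdshell 'whoami' --",
     DbEvent("dbserver", "spawn", "cmd.exe")),
    ("SQLi to reverse tunnel", "' OR 2>1 -- ",
     DbEvent("dbserver", "connect", "203.0.113.5:4444")),
    ("benign search", "Union Select Committee report",
     DbEvent("dbserver", "query", "products")),
]


def evaluate() -> dict:
    """Map each scenario label to (signature_alert, behaviour_alert)."""
    return {label: (signature_match(payload), behaviour_detect(event))
            for label, payload, event in SCENARIOS}


if __name__ == "__main__":
    for label, (sig, beh) in evaluate().items():
        print(f"{label:24} signature={sig!s:5} behaviour={beh!s:5}")
```

Running it shows the three outcomes the answer describes: the novel payload slips past the signatures but is caught by the behavior rule because it still reads a table the application never touches; the reverse tunnel is missed by both, since "connect" was never a trained class; and the benign search trips the signature (a false positive that would block a real user) while the behavior check stays quiet.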
  • How about false positives? Is it possible to create a bigger problem by denying real users access to the website?
    – R1W
    Commented Aug 26, 2018 at 20:36
  • @R1W false positives can be expensive given the context. If the system is looking for threats and blocks user access as a consequence, then false positives will hurt.
    – sandyp
    Commented Aug 27, 2018 at 19:56
  • Interesting examples of using reinforcement learning to implement adaptive and autonomous cyber defense are available here: github.com/Limmen/awesome-rl-for-cybersecurity
    – Limmen
    Commented Dec 23, 2022 at 12:56
