Modelling SQL Injection Using Reinforcement Learning
The following code requires numpy, scipy, matplotlib and OpenAI gym; stable-baselines3 (together with pytorch) is used to train reinforcement learning agents.
Warning: Simulation1 and Simulation2 rely at the moment on synthetic SQL server simulators. Simulation1 uses the module mockSQLenv.py. Simulation2 uses the OpenAI gym environment gym-CTF-SQL (check the gym repository for installing and running the environment)
The project CTF-SQL contains the simulations running reinforcement agent on a CTF challenge containing a simple SQL injection vulnerability. Every SimulationX file contains a simulation, including training and analysis.
- Simulation1 runs a tabular Q-learning agent;
- Simulation2 runs a deep Q-learning agent (with different batch settings). Details about the setup and the interpretation may be found in [1].
[1] Erdodi, L., Sommervoll, A.A. and Zennaro, F.M., 2020. Simulating SQL Injection Vulnerability Exploitation Using Q-Learning Reinforcement Learning Agents. arXiv preprint.