Intelligent Anomaly Detection in Database Security: A Triple-Loop Learning Framework


Bibliographic Details
Published in: 2025 5th Intelligent Cybersecurity Conference (ICSC), pp. 420-426
Main Author: Kandolo, William
Format: Conference Proceeding
Language: English
Published: IEEE 19.05.2025
Description
Summary: Relational Database Management Systems (RDBMSs) are foundational to operations across the finance, healthcare, and government sectors. However, they remain susceptible to advanced threats such as polymorphic SQL injection, insider misuse, and timing-based data exfiltration. Traditional intrusion detection systems (IDSs), including signature-based and static machine learning models, often struggle to detect evolving and obfuscated attacks, resulting in high false-positive rates and limited adaptability. This paper presents the Triple Loop Learning (TLL) framework, a recursive, multi-tiered architecture that integrates supervised learning, reinforcement learning (RL), and meta-learning for real-time anomaly detection in SQL-based environments. To the best of our knowledge, TLL is the first framework to unify these three learning paradigms into a recursive, explainable, and low-latency anomaly detection system specifically tailored for structured SQL workloads. TLL comprises three interdependent loops: (i) an operational loop using SQL-aware autoencoders for fine-grained anomaly detection; (ii) a tactical loop using Deep Q-Networks (DQN) for adaptive threshold calibration; and (iii) a strategic loop based on Model-Agnostic Meta-Learning (MAML) for rapid cross-domain adaptation. TLL was evaluated on a composite dataset comprising the UNSW-NB15 benchmark, anonymized SQL logs from financial and healthcare institutions, and adversarial samples generated with MAD-GAN. The framework achieved an F1 score of 0.94, an AUC of 0.976, and an average inference latency of 84 ms. The results demonstrate that TLL enables robust, low-latency detection of zero-day and obfuscated SQL threats. Its explainability is enhanced through SHAP-based attributions, and its deployment is version-controlled and reproducible, ensuring traceability, compliance, and production readiness.
DOI: 10.1109/ICSC65596.2025.11140396
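The abstract describes an operational loop that scores SQL statements for anomaly and a tactical loop that moves the alert threshold in response to feedback. The following is an added illustration written for this record, not code from the paper or its authors: it stands in a bigram-novelty score over normalized SQL tokens for the paper's autoencoder reconstruction error, and a bounded feedback controller for its DQN threshold policy; the MAML strategic loop is not modelled. The benign log, the probe queries, and all function and class names are constructed for the example. The point it makes is the one the abstract implies: comment-based obfuscation (`UN/**/ION`) is undone by SQL-aware normalization, and a tautology that scores below a fixed threshold is only caught once analyst feedback lowers that threshold.

```python
import re
from collections import Counter

# Constructed benign application queries standing in for an RDBMS audit log
# (illustrative sample, not the paper's dataset).
BENIGN_LOG = [
    "SELECT name, email FROM users WHERE id = 42",
    "SELECT name, email FROM users WHERE id = 17",
    "SELECT name, email FROM users WHERE name = 'alice'",
    "UPDATE users SET email = 'a@b.com' WHERE id = 42",
    "SELECT id, total FROM orders WHERE user_id = 42 AND status = 'open'",
    "INSERT INTO audit_log (user_id, action) VALUES (42, 'login')",
    "SELECT COUNT(*) FROM orders WHERE status = 'shipped'",
]

_LITERAL = re.compile(r"'[^']*'")
_BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
_LINE_COMMENT = re.compile(r"--[^\n]*")
_NUMBER = re.compile(r"\b\d+(?:\.\d+)?\b")
_TOKEN = re.compile(r"'\?'|[a-z_][a-z0-9_]*|\d+|[^\s\w]")


def normalize_sql(query: str) -> str:
    """Reduce a statement to its structure: literals masked, comments removed.

    Removing block comments is what defeats UN/**/ION-style obfuscation;
    masking literals keeps the feature space small."""
    q = _LITERAL.sub("'?'", query)   # 'alice' -> '?' (first, so a -- inside a literal is not a comment)
    q = _BLOCK_COMMENT.sub("", q)    # UN/**/ION -> UNION
    q = _LINE_COMMENT.sub("", q)     # drop trailing "-- ..." payloads
    q = _NUMBER.sub("0", q.lower())  # 42 -> 0
    return " ".join(q.split())


def sql_tokens(query: str) -> list:
    return _TOKEN.findall(normalize_sql(query))


def bigrams(toks: list) -> list:
    padded = ["<s>"] + toks + ["</s>"]
    return list(zip(padded, padded[1:]))


class StructureBaseline:
    """Operational-loop stand-in: share of token bigrams never seen in benign traffic.

    The paper uses SQL-aware autoencoders; here that novelty share plays the
    role of reconstruction error (higher = more anomalous)."""

    def __init__(self, benign_queries):
        self.seen = Counter()
        for q in benign_queries:
            self.seen.update(bigrams(sql_tokens(q)))

    def score(self, query: str) -> float:
        grams = bigrams(sql_tokens(query))
        unseen = sum(1 for g in grams if g not in self.seen)
        return unseen / len(grams)


class ThresholdCalibrator:
    """Tactical-loop stand-in: a bounded feedback controller on the alert threshold.

    The paper trains a DQN for this; the same interface (analyst verdict in,
    threshold move out) is realised here with fixed steps."""

    def __init__(self, threshold=0.3, step=0.05, lo=0.05, hi=0.95):
        self.threshold, self.step, self.lo, self.hi = threshold, step, lo, hi

    def flag(self, score: float) -> bool:
        return score >= self.threshold

    def feedback(self, flagged: bool, was_attack: bool) -> float:
        """A confirmed false positive raises the bar; a confirmed miss lowers it."""
        if flagged and not was_attack:
            self.threshold = min(self.hi, round(self.threshold + self.step, 4))
        elif not flagged and was_attack:
            self.threshold = max(self.lo, round(self.threshold - self.step, 4))
        return self.threshold


# Constructed probes: in-distribution lookup, comment-obfuscated UNION injection,
# and a tautology that the initial threshold misses.
PROBES = {
    "benign": "SELECT name, email FROM users WHERE name = 'bob'",
    "union_obfuscated": "SELECT name, email FROM users WHERE name = '' UN/**/ION "
                        "SELECT username, password FROM admins -- '",
    "tautology": "SELECT name, email FROM users WHERE id = 42 OR 1=1",
}


def run_demo() -> dict:
    baseline = StructureBaseline(BENIGN_LOG)
    calib = ThresholdCalibrator()
    scores = {k: baseline.score(q) for k, q in PROBES.items()}
    first_pass = {k: calib.flag(s) for k, s in scores.items()}
    # Analyst reports the tautology as a missed attack until the threshold drops far enough.
    while not calib.flag(scores["tautology"]) and calib.threshold > calib.lo:
        calib.feedback(flagged=False, was_attack=True)
    return {"scores": scores, "first_pass": first_pass,
            "threshold": calib.threshold,
            "tautology_caught": calib.flag(scores["tautology"])}


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

The baseline must be built from traffic that is representative of the application, otherwise legitimate but rarely seen query shapes score as novel and drive the threshold upward; that dependence on the benign corpus is the practical reason the paper pairs its detector with a feedback-driven calibration loop.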