Detecting Intrusions in MongoDB NoSQL Databases Using Machine Learning

How to Cite

Belhaj, Abdelilah, Soumia Ziti, Khalil Ladrham, Souad Najoua Lagmiri, and Karim El Bouchti. 2026. “Detecting Intrusions in MongoDB NoSQL Databases Using Machine Learning”. Journal of Trends in Computer Science and Smart Technology 8 (3): 473-93. https://doi.org/10.36548/jtcsst.2026.3.003.

Keywords

Machine Learning
Intrusion Detection System
Random Forest
XGBoost
MongoDB
Multi-Class Cloud Environment

Abstract

Due to their flexibility and scalability, NoSQL databases, most notably MongoDB, are widely adopted in modern cloud environments. However, this popularity introduces new security vulnerabilities, such as NoSQL injections, brute-force attacks, and denial-of-service attacks, which traditional Intrusion Detection Systems (IDS) struggle to detect. In this paper, machine learning is adapted to detect five types of attacks targeting MongoDB: NoSQL injections, XSS through the $where operator, brute-force attacks, denial-of-service attacks through expensive queries, and preparatory scanning. For this purpose, the ToN_IoT dataset is adapted to the MongoDB context by selecting 150,000 representative samples and 9 native features, and implementing four composite features. Three models are evaluated: Random Forest, XGBoost, and MLP Classifier. XGBoost achieves the best performance, with an inference time of 0.019 ms, an accuracy of 98.9%, and a macro F1-score of 0.9889. Per-class performance indicates that scanning attacks and brute-force attacks are the easiest to detect (F1 > 0.98), whereas injection attacks and XSS attacks are more difficult to detect (F1 < 0.98) because their signatures are associated with the application level. The present method outperforms previous methods, which report 96-98% accuracy, while offering MongoDB specificity and interpretability. These experiments show that real-time detection of attacks on MongoDB is achievable with high efficiency, allowing it to be deployed in cloud environments.
