An Intention-Oriented SQL Injection Detection Method
Cite this article: MAO Chenyu, GUO Fan, YE Jihua. An intention-oriented SQL injection detection method[J]. Journal of Jiangxi Normal University (Natural Sciences Edition), 2016, 40(4): 386-391
Authors: MAO Chenyu  GUO Fan  YE Jihua
Affiliation: College of Computer Information and Engineering, Jiangxi Normal University, Nanchang 330022, Jiangxi, China
Abstract: SQL injection attacks are the primary threat to Web application security, and dynamic analysis techniques can defend against them effectively. This paper proposes an intention-oriented detection method: before the application is released, all database operations the Web application is expected to perform are defined in advance; at run time, the operations submitted to the database are intercepted and any operation that does not match the declared intention is blocked. A language, SQLIDL, is designed and implemented for describing the intention of database operations; it interprets the set of permitted operations supplied by the developer as a set of strings represented by a deterministic finite automaton (DFA), and supports regular-expression representation of table names, column names, column values and stored-procedure names. Experiments on the SecuriBench test suite show that the method detects existing SQL attack patterns effectively with low run-time overhead.

Keywords: SQL injection  dynamic analysis  finite automaton  attack pattern

The Intention-Oriented SQL Injection Defense
MAO Chenyu, GUO Fan, YE Jihua. The Intention-Oriented SQL Injection Defense[J]. Journal of Jiangxi Normal University (Natural Sciences Edition), 2016, 40(4): 386-391
Authors: MAO Chenyu  GUO Fan  YE Jihua
Affiliation: College of Computer Information and Engineering, Jiangxi Normal University, Nanchang, Jiangxi 330022, China
Abstract: SQL injection attack (SQLIA) is the most serious threat to Web program security, while dynamic analysis may effectively defend against SQLIA. An intention-oriented detection approach is proposed to represent all the database operations expected by Web users, to intercept the operations before the user submission and drop the unintentional operations. A language named SQLIDL is proposed to express the intention of database operations, transforming the SQL operations into string sets formalized by deterministic finite automata (DFA). SQLIDL currently implements the regular-expression representation of table names, column names, values and stored-procedure names. The prototype implementation is evaluated on the SecuriBench datasets, and the results demonstrate that all existing SQL attack patterns can be correctly detected with acceptable run-time overhead.
Keywords:SQL injection  dynamic analysis  DFA  attack pattern
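As an added illustration of the allow-list idea in the abstract (example code written for this page, not the authors' SQLIDL implementation or its syntax): a hypothetical intent-declaration format is compiled into anchored, case-insensitive patterns, and every statement the application is about to send is checked against them before it reaches the database. Python's `re` module is a backtracking matcher standing in for the paper's DFA construction; the placeholder names, the three intents and the statements in the comments are all constructed for this example.

```python
import re

# Hypothetical intent declarations (constructed for this example; not the
# paper's SQLIDL syntax). Each entry is one operation the Web application is
# expected to issue. Placeholders:
#   <table:NAME>, <col:NAME>, <proc:NAME>  an exact table/column/procedure name
#   <cols>   a column list, or *
#   <str>    one single-quoted string literal
#   <int>    one integer literal
#   <vals>   a comma-separated list of string/integer literals
INTENTS = [
    "SELECT <cols> FROM <table:users> WHERE <col:name> = <str>",
    "INSERT INTO <table:orders> (<cols>) VALUES (<vals>)",
    "CALL <proc:get_report>(<int>)",
]

IDENT = r"[A-Za-z_][A-Za-z0-9_]*"
STR = r"'(?:[^']|'')*'"        # quoted literal; a doubled quote is the only escape
INT = r"-?[0-9]+"
LITERAL = rf"(?:{STR}|{INT})"

SUBPATTERNS = {
    "cols": rf"(?:\*|{IDENT}(?:\s*,\s*{IDENT})*)",
    "str": STR,
    "int": INT,
    "vals": rf"{LITERAL}(?:\s*,\s*{LITERAL})*",
}


def _placeholder(token: str) -> str:
    """Translate one <...> placeholder into a regular-expression fragment."""
    body = token[1:-1]
    if ":" in body:
        kind, name = body.split(":", 1)
        if kind in ("table", "col", "proc") and re.fullmatch(IDENT, name):
            return re.escape(name)          # exact name, matched verbatim
        raise ValueError(f"bad placeholder {token}")
    if body in SUBPATTERNS:
        return SUBPATTERNS[body]
    raise ValueError(f"unknown placeholder {token}")


def compile_intent(template: str) -> re.Pattern:
    """Compile one intent template into a pattern for the whole statement.

    Literal text is matched verbatim (each whitespace run becomes \\s+) and
    placeholders become the sub-patterns above. Because the pattern is used
    with fullmatch, anything appended to a declared statement (an extra
    clause, a second statement, a trailing comment) makes the match fail.
    """
    parts = []
    for piece in re.split(r"(<[^>]+>)", template):
        if not piece:
            continue
        if piece.startswith("<"):
            parts.append(_placeholder(piece))
            continue
        for run in re.split(r"(\s+)", piece):
            if run:
                parts.append(r"\s+" if run.isspace() else re.escape(run))
    # Allow surrounding whitespace and one optional trailing semicolon.
    return re.compile(r"\s*" + "".join(parts) + r"\s*;?\s*", re.IGNORECASE)


ALLOWED = [compile_intent(t) for t in INTENTS]


def is_intended(sql: str) -> bool:
    """True if the statement matches at least one declared intent."""
    return any(p.fullmatch(sql) for p in ALLOWED)


def execute_guarded(sql: str, run):
    """Interception point: hand the statement to `run` only if it is intended."""
    if not is_intended(sql):
        raise PermissionError(f"statement does not match any declared intent: {sql!r}")
    return run(sql)


if __name__ == "__main__":
    # Constructed statements: the first two are what the application itself
    # issues; the rest are undeclared operations and are refused.
    for stmt in ["SELECT name FROM users WHERE name = 'O''Brien';",
                 "CALL get_report(2016)",
                 "SELECT name FROM users WHERE name = 'x' OR '1'='1'",
                 "DELETE FROM users"]:
        print(is_intended(stmt), stmt)
```

The check is a positive security model: only statements the developer declared are allowed, so an undeclared but harmless query (the `DELETE FROM users` above) is refused just like an altered one, and the intent list has to be kept complete as the application changes. Sub-patterns such as `<str>` deliberately accept any literal value, so the decision rests on the statement's structure rather than on recognising particular payloads.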
This article is indexed in CNKI and other databases.