| 面向用户意图的SQL注入检测方法 |
| |
| 引用本文: | 毛辰宇,郭 帆,叶继华. 面向用户意图的SQL注入检测方法[J]. 江西师范大学学报(自然科学版), 2016, 40(4): 386-391 |
| |
| 作者姓名: | 毛辰宇 郭 帆 叶继华 |
| |
| 作者单位: | 江西师范大学计算机信息工程学院,江西 南昌 330022 |
| |
| 摘 要: | Web程序安全的首要威胁是SQL注入攻击,动态分析技术可有效防御此类攻击.提出面向用户意图的检测方法,在程序发布前预先定义Web程序期望的所有数据库操作,在运行时拦截提交至数据库的操作,阻止不符合意图的操作.设计并实现描述数据库操作意图的语言SQLIDL,将开发者提供的允许操作集合解释为以确定有限自动机(DFA)表示的字符串集合,并支持表名、列名、列值及存储过程名的正则表示.在SecuriBench测试集的实验表明,该方法可有效检测现有SQL攻击模式且运行开销较小.
|
| 关 键 词: | SQL注入 动态分析 有限自动机 攻击模式 |
The Intention-Oriented SQL Injection Defense |
| |
| MAO Chenyu,GUO Fan,YE Jihua. The Intention-Oriented SQL Injection Defense[J]. Journal of Jiangxi Normal University (Natural Sciences Edition), 2016, 40(4): 386-391 |
| |
| Authors: | MAO Chenyu GUO Fan YE Jihua |
| |
| Affiliation: | College of Computer Information and Engineering,Jiangxi Normal University,Nanchang Jiangxi 330022,China |
| |
| Abstract: | SQL injection attack(SQLIA)is the most serious threat to Web program security,while dynamic analysis may effectively defend SQLIA.An intention-oriented detection approach is proposed to represent all the database operations expected by Web users,to intecept the operations before the user submission and drop the unintentional operations.A language named SQLIDL is proposed to express the intention of database operations,to transform the SQL operations into string sets formalized by deterministic finite automata(DFA).SQLIDL currently implements the regular expression representation of table names,column names,values and store procedure names.The prototype implementation is evaluated on SecuriBench datasets and the results demonstrate all existing SQL attack patterns can be correctly detected with acceptable run-time overhead. |
| |
| Keywords: | SQL injection dynamic analysis DFA attack pattern |
| 本文献已被 CNKI 等数据库收录! |
| 点击此处可从《江西师范大学学报(自然科学版)》浏览原始摘要信息 |
|
点击此处可从《江西师范大学学报(自然科学版)》下载全文 |
|
