Computer Science (计算机科学), 2019, Vol. 46, Issue 7: 108-113. doi: 10.11896/j.issn.1002-137X.2019.07.017

• Information Security •

Study on SQL Injection Detection Based on N-Gram

WAN Zhuo-hao, XU Dong-dong, LIANG Sheng, HUANG Bao-hua

  1. School of Computer and Electronic Information, Guangxi University, Nanning 530004, China
  • Received: 2018-06-04; Online: 2019-07-15; Published: 2019-07-15
  • About the authors: WAN Zhuo-hao (born 1993), male, master's student; main research interest: database security. XU Dong-dong (born 1993), male, master's student; main research interest: database security. LIANG Sheng (born 1992), male, master's student; main research interest: database security. HUANG Bao-hua (born 1973), male, Ph.D., associate professor, CCF senior member; main research interests include database security; e-mail: bhhuang66@gxu.edu.cn (corresponding author).
  • Funding: Supported by the National Natural Science Foundation of China (61262072).

Abstract: SQL injection is a major security threat to web applications. Because injected statements are hard to distinguish from legitimate ones, this paper proposes an N-Gram-based SQL injection detection method. The method converts each SQL statement into a feature vector of fixed dimension built from its N-Grams, and improves the distance measure by assigning different weights to different feature subsequences. The improved distance and the chi-square distance are combined by a BP neural network into a fuzzy distance, which serves as the distance criterion between vectors. First, the average feature vector of the known-safe SQL statements is computed. Next, the distance between each of these statements and the average vector is computed to set a distance threshold. Finally, the distance between a statement under test and the average vector is compared with the threshold to decide whether the statement is safe. Experimental results show that, compared with feature vectors composed directly of words, the proposed method raises the detection (true positive) rate and lowers the false positive rate.

Key words: N-Gram, SQL injection, Neural network, Feature vector
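The abstract names every stage of the pipeline but gives none of the details needed to reproduce it. The following is an added worked example, written for this page and not taken from the paper, that runs that pipeline end to end on constructed sample statements: normalised token bigrams are feature-hashed into a fixed-dimension sparse vector, the average vector of the safe statements is computed, a weighted distance and the chi-square distance to that average are fused into one score, and the threshold is taken from the safe statements' own scores. Everything the abstract leaves open is an assumption of this example and is marked as such in the code: the tokeniser and literal normalisation (STR/NUM), the hashing dimension `DIM`, the IDF-style feature weights `(N + 1) / (df + 1)` standing in for the paper's "changed subsequence weights", a max-scaled mean of the two distances standing in for the paper's BP-network fusion, and the max-of-training-scores threshold. The class, function and table names (`NGramDetector`, `users`, `pw_hash`, and so on) are invented for the example.

```python
"""N-gram distance-based SQL injection detector (added example, not the paper's code).

Assumptions standing in for details the abstract does not give:
  * tokens are normalised (string literals -> STR, numbers -> NUM, words lower-cased)
    and bigrams are feature-hashed into DIM sparse buckets (fixed dimension);
  * the "improved" distance weights feature j by (N + 1) / (df_j + 1), where df_j is
    the number of safe training statements containing j, so n-grams never seen in
    safe traffic weigh most;
  * the BP-network fusion is replaced by the mean of the two distances, each scaled
    by its maximum over the training set; the threshold is the largest fused score
    observed on the safe training statements.
All SQL below is constructed sample data.
"""
import hashlib
import math
import re
from collections import Counter

DIM = 2 ** 32  # nominal feature dimension; vectors are stored sparsely (assumption)

TOKEN_RE = re.compile(
    r"(?P<str>'(?:[^']|'')*')"                               # 'string' ('' escapes a quote)
    r"|(?P<num>\d+(?:\.\d+)?)"                                # numeric literal
    r"|(?P<word>[A-Za-z_][A-Za-z_0-9]*)"                      # keyword or identifier
    r"|(?P<op><=|>=|<>|!=|--|/\*|\*/|\|\||[^\sA-Za-z_0-9])"   # operator or punctuation
)


def tokenize(sql):
    """Normalised token stream: literal values collapse to STR/NUM, so only the
    statement's structure, not the parameter content, produces features."""
    tokens = []
    for m in TOKEN_RE.finditer(sql):
        if m.lastgroup == "str":
            tokens.append("STR")
        elif m.lastgroup == "num":
            tokens.append("NUM")
        elif m.lastgroup == "word":
            tokens.append(m.group().lower())
        else:
            tokens.append(m.group())
    return tokens


def bucket(gram):
    """Stable feature hash (Python's built-in hash() is salted per process)."""
    digest = hashlib.sha1(gram.encode("utf-8")).digest()
    return int.from_bytes(digest[:8], "big") % DIM


def feature_vector(sql, n=2):
    """Sparse, L1-normalised histogram of hashed token n-grams."""
    tokens = tokenize(sql)
    grams = [" ".join(tokens[i:i + n]) for i in range(len(tokens) - n + 1)]
    if not grams:
        return {}
    counts = Counter(bucket(g) for g in grams)
    return {j: c / len(grams) for j, c in counts.items()}


class NGramDetector:
    def __init__(self, n=2):
        self.n = n

    def fit(self, safe_sql):
        vectors = [feature_vector(s, self.n) for s in safe_sql]
        self.size = len(vectors)
        self.df = Counter(j for v in vectors for j in v)      # document frequency per feature
        self.mu = {}                                          # average safe feature vector
        for v in vectors:
            for j, val in v.items():
                self.mu[j] = self.mu.get(j, 0.0) + val / self.size
        self.scale_w = max(self.weighted_distance(v) for v in vectors) or 1.0
        self.scale_c = max(self.chi_square_distance(v) for v in vectors) or 1.0
        self.threshold = max(self.score(v) for v in vectors)  # set from safe data only
        return self

    def weight(self, j):
        return (self.size + 1) / (self.df.get(j, 0) + 1)

    def _features(self, x):
        return sorted(set(x) | set(self.mu))                  # fixed order -> reproducible sums

    def weighted_distance(self, x):
        total = 0.0
        for j in self._features(x):
            d = x.get(j, 0.0) - self.mu.get(j, 0.0)
            total += self.weight(j) * d * d
        return math.sqrt(total)

    def chi_square_distance(self, x):
        total = 0.0
        for j in self._features(x):
            a, b = x.get(j, 0.0), self.mu.get(j, 0.0)
            if a + b > 0.0:
                total += (a - b) ** 2 / (a + b)
        return total

    def score(self, x):
        """Fused distance; a fixed stand-in for the paper's BP-network fusion."""
        return 0.5 * (self.weighted_distance(x) / self.scale_w
                      + self.chi_square_distance(x) / self.scale_c)

    def is_injection(self, sql):
        return self.score(feature_vector(sql, self.n)) > self.threshold


# Constructed safe query log of one login endpoint: literal values vary, structure does not.
SAFE_TRAINING = [
    "SELECT id, pw_hash FROM users WHERE name = 'alice'",
    "SELECT id, pw_hash FROM users WHERE name = 'bob'",
    "SELECT id, pw_hash FROM users WHERE name = 'carol'",
    "SELECT id, pw_hash FROM users WHERE name = 'dave'",
    "SELECT id, pw_hash FROM users WHERE name = 'alice' AND active = 1",
    "SELECT id, pw_hash FROM users WHERE name = 'bob' AND active = 1",
    "SELECT id, pw_hash FROM users WHERE email = 'alice@example.org'",
    "SELECT id, pw_hash FROM users WHERE email = 'bob@example.org'",
]

# Constructed test statements paired with the verdict the detector returns.
TEST_CASES = [
    ("SELECT id, pw_hash FROM users WHERE name = 'erin'", False),
    ("SELECT id, pw_hash FROM users WHERE name = 'frank' AND active = 0", False),
    ("SELECT id, pw_hash FROM users WHERE name = 'admin' OR '1'='1'", True),
    ("SELECT id, pw_hash FROM users WHERE name = '' UNION SELECT name, email FROM users -- '", True),
    ("SELECT id, pw_hash FROM users WHERE name = 'x'; DROP TABLE users; -- '", True),
    # Legitimate, but a structure this endpoint never issued: flagged (false positive).
    ("SELECT id, pw_hash FROM users WHERE name = 'erin' OR email = 'erin@example.org'", True),
]


def run_demo():
    """Fit on SAFE_TRAINING and classify TEST_CASES; returns (sql, expected, verdict)."""
    det = NGramDetector(n=2).fit(SAFE_TRAINING)
    return [(sql, expected, det.is_injection(sql)) for sql, expected in TEST_CASES]


if __name__ == "__main__":
    det = NGramDetector(n=2).fit(SAFE_TRAINING)
    print(f"threshold = {det.threshold:.3f}")
    for sql, _, verdict in run_demo():
        print(f"{det.score(feature_vector(sql)):.3f}  {'INJECTION' if verdict else 'safe'}  {sql}")
```

Running the file prints the learned threshold and each test statement's fused score. Two things become visible that the abstract only asserts. First, the weights carry most of the margin: the tautology payload adds just three bigrams (`STR or`, `or STR`, `STR =`) that never occur in safe traffic, and it is their high weight that pushes the statement past the threshold, while the UNION and stacked-query payloads add many more unseen bigrams and are separated comfortably. Second, the last test case shows the method's cost: a legitimate query whose structure was absent from the safe set scores above the threshold, so the safe training statements must cover every statement template the endpoint actually issues, and the model is best fitted per endpoint rather than per application.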

CLC number: TP309