Computer Science ›› 2012, Vol. 39 ›› Issue (Z6): 60-64.

Research and Implementation of a New SQL Injection Defence Method

石聪聪, 张涛, 余勇, 林为民

1. (China Electric Power Research Institute, Nanjing 211106)
Online: 2018-11-16 Published: 2018-11-16

New Approach for SQL-injection Detection


Abstract: Web application security problems are growing ever more serious, and SQL injection is one of the most common attacks against Web applications. This paper proposes a new SQL injection defence method. By using static pattern matching together with dynamic feature filtering, the method avoids the shortcomings of either technique used alone and achieves good results. In a safe environment it automatically learns all legal SQL statements and builds a knowledge base; then, in the live working environment, it matches each SQL statement against the knowledge base with a pattern-matching algorithm, and a successful match marks the statement as legal. A statement that fails to match is not immediately judged illegal; instead, a risk-value-based dynamic feature filtering algorithm performs a deep feature check to identify the truly illegal SQL statements. A prototype system was designed and implemented on the basis of this method. Test results show that the prototype has good performance and resolves well the conflict between accuracy and false-positive rate that general anti-injection methods bring.

Key words: self-learning, SQL syntax tree, pattern matching, feature filtering

Abstract: Web application security is a serious issue of information security, and SQL injection is one of the most common attacks. This paper proposed an approach to counter SQL injection which combines static pattern matching and dynamic feature filtering. It learned automatically the structure feature of all legal SQL statements to construct a knowledge library in safe environments, and then matched every SQL statement with the knowledge library in real environments. If the match succeeded, the SQL statement was considered to be legitimate. If it failed, the statement was not determined to be illegal immediately. We would take a depth-feature check based on Value at Risk, and identify the true illegal SQL statements. Experimental results prove that this proposed approach has good performance and perfect protection for SQL injection.

Key words: Self-learning, SQL Syntax-tree, Pattern-matching, Feature-filtering
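As an added illustration of the two-stage scheme the abstract describes (this is example code written for this page, not the paper's prototype or its code), the following Python sketch learns structural skeletons of legal statements as the knowledge base, matches incoming statements against it, and sends only the non-matching statements to a weighted risk-feature check. The skeleton function, the feature list, the weights and the threshold are all assumptions chosen here; the paper's own syntax-tree features and risk values are not given on this page, and the training and test statements are constructed samples.

```python
import re
from typing import Dict, List, Tuple

# Constructed training set: legal statements an application would issue
# during the learning phase in a safe environment (hypothetical, not from the paper).
TRAINING_STATEMENTS = [
    "SELECT id, name FROM users WHERE id = 42",
    "SELECT id, name FROM users WHERE name = 'alice'",
    "UPDATE users SET email = 'a@example.com' WHERE id = 7",
    "INSERT INTO logins (user_id, ts) VALUES (42, '2012-01-01')",
]

_STRING = re.compile(r"'(?:[^']|'')*'")     # single-quoted literal, '' as escape
_NUMBER = re.compile(r"\b\d+(?:\.\d+)?\b")   # integer or decimal literal
_WS = re.compile(r"\s+")


def skeleton(sql: str) -> str:
    """Structural pattern of a statement: literals become '?', case and
    whitespace are normalised. This is an assumed stand-in for the
    syntax-tree feature the paper learns: it keeps structure, drops data."""
    s = _STRING.sub("?", sql)
    s = _NUMBER.sub("?", s)
    return _WS.sub(" ", s).strip().lower()


def learn(statements: List[str]) -> set:
    """Static phase: build the knowledge base of legal skeletons."""
    return {skeleton(s) for s in statements}


# Dynamic phase: risk features evaluated on the skeleton (so text inside a
# literal cannot trigger them), with weights chosen here as an assumption.
RISK_FEATURES: Dict[str, Tuple[re.Pattern, int]] = {
    "literal_comparison": (re.compile(r"\?\s*=\s*\?"), 3),  # literal compared with literal
    "comment_sequence": (re.compile(r"--|/\*"), 2),          # comment token outside a literal
    "stacked_statement": (re.compile(r";\s*\w"), 3),         # a second statement after ';'
    "union_select": (re.compile(r"\bunion\b.*\bselect\b"), 3),
}


def risk_score(sk: str) -> Tuple[int, List[str]]:
    """Sum the weights of the risk features present in a skeleton."""
    hits = [name for name, (rx, _) in RISK_FEATURES.items() if rx.search(sk)]
    return sum(RISK_FEATURES[h][1] for h in hits), hits


def classify(sql: str, kb: set, threshold: int = 3) -> Tuple[str, int, List[str]]:
    """Two-stage decision: knowledge-base match first; the risk check runs
    only on statements that fail to match, as the abstract describes."""
    sk = skeleton(sql)
    if sk in kb:
        return "legal", 0, []
    score, hits = risk_score(sk)
    if score >= threshold:
        return "illegal", score, hits
    # Unmatched but without risky features: not judged illegal (for example a
    # query the learning phase never saw); flag it for review instead of blocking.
    return "unmatched_low_risk", score, hits


if __name__ == "__main__":
    kb = learn(TRAINING_STATEMENTS)
    for q in [
        "SELECT id, name FROM users WHERE id = 1337",
        "SELECT COUNT(*) FROM users WHERE id = 5",
        "SELECT id, name FROM users WHERE name = 'x' OR '1'='1'",  # constructed tautology test input
    ]:
        print(classify(q, kb), "<-", q)
```

The third verdict, "unmatched_low_risk", is where the paper's design point lives: a whitelist alone would reject every query the learning phase missed, while the feature check alone would let structurally novel but feature-free statements through unexamined; routing unmatched statements to the risk check and reviewing the low-risk remainder is what lets the scheme trade off accuracy against false positives.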
