面向网络环境的SQL注入行为检测方法

doi:10.11959/j.issn.1000-436x.2016034

摘要/Abstract

摘要：

SQL 注入攻击是 Web 应用面临的主要威胁之一，传统的检测方法针对客户端或服务器端进行。通过对SQL注入的一般过程及其流量特征分析，发现其在请求长度、连接数以及特征串等方面，与正常流量相比有较大区别,并据此提出了基于长度、连接频率和特征串的LFF（length-frequency-feature）检测方法，首次从网络流量分析的角度检测SQL注入行为。实验结果表明，在模拟环境下，LFF检测方法召回率在95%以上，在真实环境下，该方法也取得较好的检测效果。

关键词: Web安全, SQL注入, 网络流量, 异常检测

Abstract:

SQL injection attack is one of the main threats that many Web applications faced with. The traditional detection method depended on the clients or servers. Firstly the process of SQL injection attack was analyzed, and then the differences between attack traffic and normal traffic HTTP request length, HTTP connections and feature string were discovered. Based on the request length, request frequency and feature string, a new method, LFF (length-frequency-feature), was proposed to detect SQL injection behaviors from network traffic. The results of experiments indicated that in simulation environments the recall of LFF approach reach up to 95%, and in real network traffic the LFF approach also get a good detection result.

Key words: Web security, SQL injection, network traffic, outlier detection

赵宇飞,熊刚,贺龙涛,李舟军. 面向网络环境的SQL注入行为检测方法[J]. 通信学报, 2016, 37(2): 89-98.

Yu-fei ZHAO,Gang XIONG,Long-tao HE,Zhou-jun LI. Approach to detecting SQL injection behaviors in network environment[J]. Journal on Communications, 2016, 37(2): 89-98.

图/表 17

表1

表2

图1

图2

图3

表3

图4

图5

表4

表5

表6

图6

表7

表8

表9

表10

表11

参考文献 21

[1]	OWASP 2013 top 10 risks[EB/OL]. , 2015-3-12.
[2]	MCDONALD, S . SQL Injection: modes of attack, defense, and why it matters[EB/OL]. , 2015-3-11.
[3]	ORSO A , HALFOND W G J , VIEGAS J . A classification of SQL injection attacks and countermeasures[C]// The International Symposium on Secure Software Engineering. c2006.
[4]	APPELT D , NGUYEN D C , BRIAND L . Behind an application irewall, are we safe from SQL injection attacks[C]// IEEE International Conference on Software Testing, Verification and Validation (ICST). c2015: 1-10.
[5]	马小婷, 胡国平, 李舟军 . SQL注入漏洞检测与防御技术研究[J]. 计算机安全, 2010(11): 18-24. MA X T , HU G P , LI Z J . Research on detection and prevention technologies for SQL injection vulnerability[J]. Computer Security, 2010(11): 18-24.
[6]	HALFOND W G J , ORSO A . AMNESIA: analysis and monitorin for NEutralizing SQL-injection attacks[C]// 20th IEEE/ACM International Conference on Automated Software Engineering. ACM, c2005: 174-183.
[7]	HALFOND W G J , ORSO A . Detection and prevention of SQL injection attacks[J]. Malware Detection, 2006, (27): 85-109.
[8]	SHAR L K , TAN H B K , BRIAND L C . Mining SQL injection cross site scripting vulnerabilities using hybrid program analysis[C]// 2013 International Conference on Software Engineering. IEEE Press, c2013: 642-651.
[9]	SHAHRIAR H , NORTH S , CHEN W C . Early detection of SQL injection attacks[J]. International Journal of Network Security ＆ Its Applications, 2013, 5(4): 53-65.
[10]	VALEUR F , MUTZ D , VIGNA G . A learning-based approach to the detection of SQL attacks[M]. Detection of Intrusions and Malware, and Vulnerability Assessment, Springer Berlin Heidelberg, 2005: 123-140.
[11]	KEMALIS K , TZOURAMANIS T . SQL-IDS: a specification-based approach for SQL-injection detections[C]// 2008 ACM Symposium on Applied Computing. ACM, c2008: 2153-2158.
[12]	陆开奎 . 基于动态污点分析的漏洞攻击检测技术研究与实现[D]. 成都: 电子科技大学, 2013. LU K K . The Research and realization of dynamic taint analysis based security attack detection technology[D]. Chengdu: University of Electronic Science and Technology of China, 2013.
[13]	HUANG Y W , HUANG S K , TSAI C H . Web application security assessment by fault injection and behavior monitoring[C]// WWW’03 International Conference on World Wide Web. c2003: 148-159.
[14]	KALS S , KIRDA E , KRUEGEL C , et al. SecuBat: a Web vulnerability scanner[C]// International Conference on World Wide Web. c2006: 247-256.
[15]	APPELT D , NGUYEN C D , BRIAND L C , et al. Automated testing for SQL injection vulnerabilities: an input mutation approach[C]// In ternational Symposium on Software Testing ＆ Analysis. c2014: 259-269.
[16]	王苏南 . 高速复杂网络环境下异常流量检测技术研究[D]. 郑州:解放军信息工程大学, 2012. WANG S N . Research on anomaly detection technology in high-speed complex network environment[D]. Zhengzhou: PLA Information Engineering University, 2012.
[17]	ZHANG J , XIANG Y , WANG Y , et al. Network traffic classification using correlation information[J]. IEEE Transactions on Parallel ＆ Distributed Systems, 2013, 24(1): 104-117.
[18]	周爱平, 程光, 郭晓军 . 高速网络流量测量方法[J]. 软件学报, 2014, 25(1): 135-153. ZHOU A P , CHENG G , GUO X J . High-speed network traffic measurement method[J]. Journal of Software, 2014, 25(1): 135-153.
[19]	王鹏, 兰巨龙, 陈庶樵 . 粒度自适应的多径流量分割算法[J]. 通信学报, 2015, 36(1): 211-217. WANG P , LAN J L , CHEN S Q . Multipath traffic splitting algorithm based on adaptive granularity[J]. Journal on Communicatio, 2015, 36(1): 211-217.
[20]	Pangolin-SQLinjection tools[EB/OL]. , 2014-12-22.
[21]	Sqlmap-Automatic SQL injection and databasetakeover tool[EB/OL]. , 2015-3-5.

源IP	目的IP	目的端口	HTTP连接数	持续时间/s	每秒平均连接次数
197.237..	202.113..	80	28 456	12 372	2.3
118.228..	23.5..	80	18 093	25 848	0.7
115.132..	202.113..	80	11 312	6 285	1.8
199.244..	143.90..	80	9 487	11 029	0.86
111.118..	119.9..	80	8 475	1 022	8.3

软件	SQL注入次数	持续时间/s	每秒平均注入次数	峰值
啊D2.32	381	46	8.3	20
明小子4.3	166	81	2	3
pangolin4.0	361	171	2.1	10
sqlmap1.0	500	79	6.3	13

软件	URI长度平均值/byte	加权平均值/byte	最小值/byte	最大值/byte	众数/byte	标准差	URI总个数
211 GB原始流量	78.3	103.1	1	1 442	37	106.4	712 516
啊D2.32	86.6	93.7	1	106	101	18.67	383
明小子4.3	62.5	68.0	1	95	86	28.39	230
pangolin4.0	102.8	99.0	29	617	96	43.44	357
sqlmap1.0	79.8	80.0	19	413	67	42.78	443

软件	平均值	加权平均值	最小值	最大值	众数	标准差	总个数
原始流量	505.6	532.9	1	1 484	1 460	531.4	190 938
sqlmap1.0	109.6	119.0	18	470	18	95.28	59

最长公共子串	重复次数
%20and%20(select%20count(*)%20from%20admin)%20and%201	48 426
%20and%20(select%20Count(1)%20from%20[admin]%20where%201=1)%20between%2010%20and%2010	16 290
%20and%20(select%20%20from%20admin)	10 425
%20AND%20SELECT%20	10 122
%20AND%20EXISTS%28SELECT%20%20FROM%20%29	9 030