面向网络环境的SQL注入行为检测方法

doi:10.11959/j.issn.1000-436x.2016034

Abstract

Abstract:

SQL injection attack is one of the main threats that many Web applications faced with. The traditional detection method depended on the clients or servers. Firstly the process of SQL injection attack was analyzed, and then the differences between attack traffic and normal traffic HTTP request length, HTTP connections and feature string were discovered. Based on the request length, request frequency and feature string, a new method, LFF (length-frequency-feature), was proposed to detect SQL injection behaviors from network traffic. The results of experiments indicated that in simulation environments the recall of LFF approach reach up to 95%, and in real network traffic the LFF approach also get a good detection result.

Key words: Web security, SQL injection, network traffic, outlier detection

Yu-fei ZHAO,Gang XIONG,Long-tao HE,Zhou-jun LI. Approach to detecting SQL injection behaviors in network environment[J]. Journal on Communications, 2016, 37(2): 89-98.

Figures/Tables 17

References 21

[1]	OWASP 2013 top 10 risks[EB/OL]. , 2015-3-12.
[2]	MCDONALD, S . SQL Injection: modes of attack, defense, and why it matters[EB/OL]. , 2015-3-11.
[3]	ORSO A , HALFOND W G J , VIEGAS J . A classification of SQL injection attacks and countermeasures[C]// The International Symposium on Secure Software Engineering. c2006.
[4]	APPELT D , NGUYEN D C , BRIAND L . Behind an application irewall, are we safe from SQL injection attacks[C]// IEEE International Conference on Software Testing, Verification and Validation (ICST). c2015: 1-10.
[5]	马小婷, 胡国平, 李舟军 . SQL注入漏洞检测与防御技术研究[J]. 计算机安全, 2010(11): 18-24. MA X T , HU G P , LI Z J . Research on detection and prevention technologies for SQL injection vulnerability[J]. Computer Security, 2010(11): 18-24.
[6]	HALFOND W G J , ORSO A . AMNESIA: analysis and monitorin for NEutralizing SQL-injection attacks[C]// 20th IEEE/ACM International Conference on Automated Software Engineering. ACM, c2005: 174-183.
[7]	HALFOND W G J , ORSO A . Detection and prevention of SQL injection attacks[J]. Malware Detection, 2006, (27): 85-109.
[8]	SHAR L K , TAN H B K , BRIAND L C . Mining SQL injection cross site scripting vulnerabilities using hybrid program analysis[C]// 2013 International Conference on Software Engineering. IEEE Press, c2013: 642-651.
[9]	SHAHRIAR H , NORTH S , CHEN W C . Early detection of SQL injection attacks[J]. International Journal of Network Security ＆ Its Applications, 2013, 5(4): 53-65.
[10]	VALEUR F , MUTZ D , VIGNA G . A learning-based approach to the detection of SQL attacks[M]. Detection of Intrusions and Malware, and Vulnerability Assessment, Springer Berlin Heidelberg, 2005: 123-140.
[11]	KEMALIS K , TZOURAMANIS T . SQL-IDS: a specification-based approach for SQL-injection detections[C]// 2008 ACM Symposium on Applied Computing. ACM, c2008: 2153-2158.
[12]	陆开奎 . 基于动态污点分析的漏洞攻击检测技术研究与实现[D]. 成都: 电子科技大学, 2013. LU K K . The Research and realization of dynamic taint analysis based security attack detection technology[D]. Chengdu: University of Electronic Science and Technology of China, 2013.
[13]	HUANG Y W , HUANG S K , TSAI C H . Web application security assessment by fault injection and behavior monitoring[C]// WWW’03 International Conference on World Wide Web. c2003: 148-159.
[14]	KALS S , KIRDA E , KRUEGEL C , et al. SecuBat: a Web vulnerability scanner[C]// International Conference on World Wide Web. c2006: 247-256.
[15]	APPELT D , NGUYEN C D , BRIAND L C , et al. Automated testing for SQL injection vulnerabilities: an input mutation approach[C]// In ternational Symposium on Software Testing ＆ Analysis. c2014: 259-269.
[16]	王苏南 . 高速复杂网络环境下异常流量检测技术研究[D]. 郑州:解放军信息工程大学, 2012. WANG S N . Research on anomaly detection technology in high-speed complex network environment[D]. Zhengzhou: PLA Information Engineering University, 2012.
[17]	ZHANG J , XIANG Y , WANG Y , et al. Network traffic classification using correlation information[J]. IEEE Transactions on Parallel ＆ Distributed Systems, 2013, 24(1): 104-117.
[18]	周爱平, 程光, 郭晓军 . 高速网络流量测量方法[J]. 软件学报, 2014, 25(1): 135-153. ZHOU A P , CHENG G , GUO X J . High-speed network traffic measurement method[J]. Journal of Software, 2014, 25(1): 135-153.
[19]	王鹏, 兰巨龙, 陈庶樵 . 粒度自适应的多径流量分割算法[J]. 通信学报, 2015, 36(1): 211-217. WANG P , LAN J L , CHEN S Q . Multipath traffic splitting algorithm based on adaptive granularity[J]. Journal on Communicatio, 2015, 36(1): 211-217.
[20]	Pangolin-SQLinjection tools[EB/OL]. , 2014-12-22.
[21]	Sqlmap-Automatic SQL injection and databasetakeover tool[EB/OL]. , 2015-3-5.

Metrics

Recommended 0

No Suggested Reading articles found!

源IP	目的IP	目的端口	HTTP连接数	持续时间/s	每秒平均连接次数
197.237..	202.113..	80	28 456	12 372	2.3
118.228..	23.5..	80	18 093	25 848	0.7
115.132..	202.113..	80	11 312	6 285	1.8
199.244..	143.90..	80	9 487	11 029	0.86
111.118..	119.9..	80	8 475	1 022	8.3

软件	SQL注入次数	持续时间/s	每秒平均注入次数	峰值
啊D2.32	381	46	8.3	20
明小子4.3	166	81	2	3
pangolin4.0	361	171	2.1	10
sqlmap1.0	500	79	6.3	13

软件	URI长度平均值/byte	加权平均值/byte	最小值/byte	最大值/byte	众数/byte	标准差	URI总个数
211 GB原始流量	78.3	103.1	1	1 442	37	106.4	712 516
啊D2.32	86.6	93.7	1	106	101	18.67	383
明小子4.3	62.5	68.0	1	95	86	28.39	230
pangolin4.0	102.8	99.0	29	617	96	43.44	357
sqlmap1.0	79.8	80.0	19	413	67	42.78	443

软件	平均值	加权平均值	最小值	最大值	众数	标准差	总个数
原始流量	505.6	532.9	1	1 484	1 460	531.4	190 938
sqlmap1.0	109.6	119.0	18	470	18	95.28	59

最长公共子串	重复次数
%20and%20(select%20count(*)%20from%20admin)%20and%201	48 426
%20and%20(select%20Count(1)%20from%20[admin]%20where%201=1)%20between%2010%20and%2010	16 290
%20and%20(select%20%20from%20admin)	10 425
%20AND%20SELECT%20	10 122
%20AND%20EXISTS%28SELECT%20%20FROM%20%29	9 030

Approach to detecting SQL injection behaviors in network environment

RichHTML

PDF

Knowledge

Cited

Abstract

Cite this article

share this article

Figures/Tables 17

References 21

Related Articles 15

Metrics

Recommended 0

注入语句	正则表示	说明
’or 1=1	(’\s+)(or\|and)\s+[[:alnum:]]+\s=\s[[:alnum:]]+\s*(--)?	构造重言式注入语句
;and (select count(*)from admin)＞0	;?select(\(\|%28)\scount(\(\|%28)\\(\)\|%29)\s+from\s+[^)]+\s(\)\|%29)\s(＞\|%3E)?(=\|%3D)?\s*\d+	猜测数据库名

指标	啊D2.32	明小子4.3	pangolin4.0	sqlmap1.0	Havij1.7pro	safe3
HTTP连接数	385	230	362	507	527	650
SQL注入次数	381	166	361	500	523	649
报警次数	381	114	308	500	0	624
检测召回率	100%	68.67%	85.31%	100%	0	96.15%

SQL注入次数	LFF检出次数	召回率	错误率	误报率
3 033	2 286	74.77%	0	0

[1]	Debin WEI, Chengsheng PAN, Li YANG, Zuoren YAN. Adaptive random early detection algorithm based on network traffic level grade prediction [J]. Journal on Communications, 2023, 44(6): 154-166.
[2]	Yifeng WANG, Yuanbo GUO, Qingli CHEN, Chen FANG, Renhao LIN, Yongliang ZHOU, Jiali MA. Method based on contrastive incremental learning for fine-grained malicious traffic classification [J]. Journal on Communications, 2023, 44(3): 1-11.
[3]	Xueyuan DUAN, Yu FU, Kun WANG, Taotao LIU, Bin LI. Network traffic anomaly detection method based on multi-scale characteristic [J]. Journal on Communications, 2022, 43(10): 65-76.
[4]	Zhongping ZHANG, Weixiong LIU, Yuting ZHANG, Yu DENG, Mianxin WEI. ERDOF: outlier detection algorithm based on entropy weight distance and relative density outlier factor [J]. Journal on Communications, 2021, 42(9): 133-143.
[5]	Bolin MA, Zheng ZHANG, Hao LIU, Jiangxing WU. SQLMVED: SQL injection runtime prevention system based on multi-variant execution [J]. Journal on Communications, 2021, 42(4): 127-138.
[6]	Yongjin HU,Yuanbo GUO,Jun MA,Han ZHANG,Xiuqing MAO. Method to generate cyber deception traffic based on adversarial sample [J]. Journal on Communications, 2020, 41(9): 59-70.
[7]	Xiaohui YANG,Xiaoming LIU. Local outlier factor algorithm based on correction of bidirectional neighbor [J]. Journal on Communications, 2020, 41(8): 130-140.
[8]	Debin WEI,Ting SHEN,Li YANG,Yaowen QI. Network queue scheduling algorithm based on self-similar traffic level grading prediction [J]. Journal on Communications, 2020, 41(4): 182-189.
[9]	Jie WANG,Lili YANG,Min YANG. Multitier ensemble classifiers for malicious network traffic detection [J]. Journal on Communications, 2018, 39(10): 155-165.
[10]	Yong WANG,Huiyi ZHOU,Hao FENG,Miao YE,Wenlong KE. Network traffic classification method basing on CNN [J]. Journal on Communications, 2018, 39(1): 14-23.
[11]	De-guang LE,Sheng-rong GONG,Shao-gang WU,Feng XU,Wen-sheng LIU. Penetration test method using blind SQL injection based on second-order fragment and reassembly [J]. Journal on Communications, 2017, 38(Z1): 73-82.
[12]	Cai-xia SONG,Guo-zhen TAN,Nan DING,Jun-ling BU,Fu-xin ZHANG,Ming-jian LIU. Application oriented cross-layer multi-channel MAC protocol for VANET [J]. Journal on Communications, 2016, 37(5): 95-105.
[13]	Zhong-da TIAN,Shu-jiang LI,Yan-hong WANG,Xiang-dong WANG. Network traffic multi-step prediction based on chaos theory and improved echo state network [J]. Journal on Communications, 2016, 37(3): 55-70.
[14]	Yan JIA,He WANG,Shao-qing LYU,Yu-qing ZHANG. Research on HTML5 application cache poison attack [J]. Journal on Communications, 2016, 37(10): 149-157.
[15]	. Research on second-order SQL injection techniques [J]. Journal on Communications, 2015, 36(Z1): 85-93.