
Design and Implementation of a SQL Injection Attack Detection System for the Windows Environment

张令通, 罗森林, 冯帆

  • Funding:
    National 242 Plan project [2005C48]; Yunnan Provincial Department of Education Research Fund project (2012Y154)

The Design and Implementation for the Detection System of the SQL Injection Attack based on the Windows Environment

ZHANG Ling-tong, LUO Sen-lin, FENG Fan

  • Author affiliations: School of Engineering, Dali University, Dali, Yunnan 671003; Information System and Security Countermeasures Experimental Center, Beijing Institute of Technology, Beijing 100081

Abstract: As Internet-based Web applications and services become ever more widespread in information systems and commerce, attacks launched against Web application vulnerabilities account for a steadily growing share of all attacks, and SQL injection has become the primary hidden threat to Web security. To guard network information against the harm of SQL injection attacks, this work uses a tree structure to split and classify the injectable SQL syntax according to the SQL grammar, extracts features for each subclass, and thereby obtains a keyword library for SQL injection attack detection. Based on keyword matching technology, a SQL injection attack detection system for the Windows environment was designed and implemented in C/C++. The system has an online mode and an offline mode, both built on the keyword library and a dangerous-IP library. The online mode inspects network packets captured dynamically, while the offline mode parses and inspects packet capture files produced by several sniffer programs. Experimental results show that the system detects dangerous packets with an accuracy of 92% and a false-alarm rate of 0.6%, and that it supports the capture-file formats generated by Wireshark and TCPDUMP, so it is of practical value for defending against SQL injection attacks.

Abstract: With the wide use of Internet-based Web applications and services, the proportion of attacks that exploit Web application vulnerabilities is rising relative to all other attack types, and the SQL injection attack has become the most serious hidden threat to Web security. To prevent the harm that SQL injection attacks do to network information, a SQL injection attack detection system has been designed and implemented for the Windows environment. Following the SQL grammar structure and using a tree structure, the system splits and classifies the injectable SQL grammar, extracts the features of each type, and so obtains a keyword library for SQL injection attack detection, on which keyword matching is applied. The resulting detection system is implemented in C/C++. It includes both an online mode and an offline mode, both built on the keyword library and a dangerous-IP library. The online mode inspects network packets captured dynamically; the offline mode parses and inspects the packet capture files of several kinds of packet-sniffing tools. Experimental results show that the system reaches a detection accuracy of 92% for dangerous packets with a false-alarm rate of only 0.6%, and that it supports the capture-file formats generated by Wireshark and TCPDUMP, so it has real practical value for preventing SQL injection attacks.
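The keyword-matching approach the abstract describes, shown as an added Python example that is not code from the paper's system: a small keyword library grouped by SQL syntax category, a dangerous-IP list, request normalization (URL decoding, repeated to unwrap double encoding, then lowercasing), and a scan over constructed query strings of the kind that would be pulled from captured packets. The category names, regular expressions, IP addresses and sample requests are all assumptions for illustration; the paper's own keyword library, derived from its tree-structured split of the SQL grammar, is not reproduced.

```python
import re
from urllib.parse import unquote_plus

# Keyword library grouped by SQL syntax category. The categories and
# patterns are assumptions for this example; the paper's actual keyword
# library is not reproduced here. Patterns are kept specific (e.g. UNION
# must be followed by SELECT) to hold the false-alarm rate down.
KEYWORD_LIBRARY = {
    "union":     [r"\bunion\b(\s+all)?\s+select\b"],
    "tautology": [r"\bor\b\s+\d+\s*=\s*\d+",
                  r"'\s*or\s*'[^']*'\s*=\s*'"],
    "stacked":   [r";\s*(select|insert|update|delete|drop|exec|shutdown|waitfor)\b"],
    "probe":     [r"\bwaitfor\s+delay\b", r"\bsleep\s*\(", r"\bbenchmark\s*\("],
    "comment":   [r"(--|#)\s*$", r"/\*[\s\S]*?\*/"],
}
COMPILED = {cat: [re.compile(p, re.IGNORECASE) for p in pats]
            for cat, pats in KEYWORD_LIBRARY.items()}

# Dangerous-IP library (constructed; 203.0.113.0/24 is a documentation range).
DANGEROUS_IPS = {"203.0.113.7"}


def normalize(raw, max_rounds=3):
    """URL-decode repeatedly (to unwrap double encoding), then lowercase."""
    text = raw
    for _ in range(max_rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text.lower()


def scan_request(src_ip, raw_query):
    """Match one request's query string against every keyword category."""
    decoded = normalize(raw_query)
    hits = sorted(cat for cat, pats in COMPILED.items()
                  if any(p.search(decoded) for p in pats))
    return {
        "src_ip": src_ip,
        "decoded": decoded,
        "categories": hits,
        "known_bad_source": src_ip in DANGEROUS_IPS,
        "verdict": "dangerous" if hits else "benign",
    }


def detect_batch(records):
    """Offline-style pass over (src_ip, query) pairs already extracted from captures."""
    return [scan_request(ip, q) for ip, q in records]


# Constructed sample requests: (source IP, raw query string as seen on the wire).
SAMPLE_REQUESTS = [
    ("198.51.100.10", "id=42&sort=asc"),                      # benign
    ("198.51.100.11", "q=union+station+opening+hours"),       # benign, contains "union"
    ("198.51.100.12", "id=1'+OR+'1'%3D'1"),                   # quoted tautology
    ("203.0.113.7",   "id=1+UNION+SELECT+1%2C2%2C3--"),       # union + trailing comment
    ("198.51.100.13", "id=%2527%2520or%25201%253D1--"),       # double-encoded tautology
    ("198.51.100.14", "name=bob'%3B+WAITFOR+DELAY+'0:0:5'--"), # stacked time-based probe
]

if __name__ == "__main__":
    for r in detect_batch(SAMPLE_REQUESTS):
        flag = " [known bad source]" if r["known_bad_source"] else ""
        print(f'{r["src_ip"]:15} {r["verdict"]:9} {r["categories"]}{flag}  {r["decoded"]}')
```

The second sample shows why the patterns are anchored on syntax rather than on single words: "union station" never triggers because the `union` category requires a following `select`, which is the kind of specificity that keeps a keyword-based detector's false-alarm rate low. The third sample is recognized only because `normalize` decodes twice; a single decoding pass would leave `%27` in place and miss it. In an offline mode the same `detect_batch` would be fed the decoded HTTP payloads pulled from a Wireshark or TCPDUMP capture, and in an online mode it would be called per captured packet.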