基于机器学习的SQL注入漏洞挖掘技术的分析与实现

doi:10.3969/j.issn.1671-1122.2019.11.005

摘要/Abstract

摘要：

随着Web2.0时代的到来,Web应用的表现能力有了突破性的提高,支持的功能显著增加,Web应用也渗透到了人们生活的方方面面。Web2.0时代的最大特点是普通的用户也参与到互联网内容的创造过程中,其身份由原来单纯的信息获得者变成了信息的贡献者与获得者,因此Web应用程序所保存的数据在数量上更加庞大,在结构上更加复杂,这就导致了各种Web应用程序都需要维护自己的数据库来存储这些数据。数据库中存储的数据是一个Web应用程序中最有价值的部分,然而攻击者可以通过SQL注入漏洞获取数据甚至修改数据库数据,这种攻击严重影响了数据库中数据的完整性及保密性,是Web应用程序需要应对的安全问题之一。通过漏洞挖掘技术可以在产品上线之前确定SQL注入漏洞的存在并对其进行修复。文章不仅介绍了传统的SQL注入漏洞挖掘技术及其不足,还介绍了在当今机器学习与大数据环境下SQL注入漏洞挖掘技术的发展方向及存在的困难。

关键词: SQL注入, 漏洞挖掘, 机器学习, 支持向量机, 静态分析

Abstract:

With the advent of the Web2.0 era, the presentation ability of Web applications has been improved dramatically, and the supporting functions have increased significantly. Therefore, Web applications have penetrated into all aspects of people’s lives. The biggest characteristic of the Web2.0 is that ordinary users participate in the process of creating Internet content, their identities changed from the pure recipients of information to the contributors and the winner of information.Thus the data saved by Web application is larger on and more complex in the structure, which leads the large and small web applications today maintain their own databases to store those data.The data stored in the database is the most valuable part of a Web application. However, an attacker can obtain the data or even modify the data through SQL injection vulnerability. This attack seriously affects the integrity and confidentiality of the data in the database, and it is one of the most serious security problems of the Web application. Vulnerability mining technology can identify SQL injection vulnerabilities and fix it before the product goes live.This paper briefly introduces the traditional SQL injection vulnerability mining technology and its shortcomings, and then discusses the development direction and difficulties of SQL injection vulnerability mining technology in today’s machine learning and big data environment.

Key words: SQL injection, vulnerability mining, machine learning, SVM, static analysis

中图分类号:

TP309

胡建伟, 赵伟, 闫峥, 章芮. 基于机器学习的SQL注入漏洞挖掘技术的分析与实现[J]. 信息网络安全, 2019, 19(11): 36-42.

Jianwei HU, Wei ZHAO, Zheng YAN, Rui ZHANG. Analysis and Implementation of SQL Injection Vulnerability Mining Technology Based on Machine Learning[J]. Netinfo Security, 2019, 19(11): 36-42.

图/表 8

图1

图2

表1

图3

图4

表2

表3

表4

参考文献 21

[1]	SINGH N, DAYAL M, RAW R S, et al. SQL Injection: Types, Methodology, Attack Queries and Prevention[EB/OL]., 2019-4-10.
[2]	ABIRAMI J, DEVAKUNCHARI R, VALLIYAMMAI C. A Top Web Security Vulnerability SQL Injection Attack Survey[EB/OL]. , 2019-4-10.
[3]	QIAN L, ZHU Z, HU J, et al. Research of SQL Injection Attack and Prevention Technology[EB/OL]. , 2019-4-10.
[4]	KUMAR P, PATERIYA R K. A Survey on SQL Injection Attacks, Detection and Prevention Techniques[EB/OL]. , 2019-4-10.
[5]	SHAR L K, TAN H B K. Defeating SQL Injection[J]. Computer, 46(3): 69-77.
[6]	JOHARI R, SHARMA P.A Survey on Web Application Vulnerabilities(SQLIA, XSS) Exploitation and Security Engine for SQL Injection[C]// IEEE. 2012 International Conference on Communication Systems and Network Technologies, May 11-13, 2012, Rajkot, India. New York: IEEE, 2012: 453-458.
[7]	SHAR L K, TAN H B K. Mining Input Sanitization Patterns for Predicting SQL Injection and Cross Site Scripting Vulnerabilities[C]// IEEE. 34th International Conference on Software Engineering(ICSE), June 2-9, 2012, Zurich, Switzerland. New York: IEEE, 2012: 1293-1296.
[8]	SHAR L K, TAN H B K, BRIAND L C. Mining SQL Injection and Cross Site Scripting Vulnerabilities Using Hybrid Program Analysis[C]// IEEE. ICSE'13 Proceedings of the 2013 International Conference on Software Engineering, May 18 - 26, 2013, San Francisco, CA, USA. New York: IEEE, 2013: 642-651.
[9]	BUJA G, JALIL K B A, ALI F B H M, et al. Detection Model for SQL Injection Attack: An Approach for Preventing a Web Application from the SQL Injection Attack[EB/OL]. , 2019-4-10.
[10]	BOYD S W, KEROMYTIS A D. SQLrand: Preventing SQL Injection Attacks[EB/OL]. , 2019-4-10.
[11]	MEI J J.An Approach for SQL Injection Vulnerability Detection[C]// IEEE. 2009 Sixth International Conference on Information Technology: New Generations. IEEE, April 27-29, 2009, Las Vegas, NV, USA. New York: IEEE, 2009: 1411-1414.
[12]	BISHT P, MADHUSUDAN P, VENKATAKRISHNAN V N.CANDID: Dynamic Candidate Evaluations for Automatic Prevention of SQL Injection Attacks[J]. ACM Transactions on Information and System Security(TISSEC), 2010, 13(2): 14.
[13]	ANITHA V, LAKSHMI S, REVATHI M, et al.Detecting Various SQL Injection Vulnerabilities Using String Matching and LCS method[C]// IEEE.2014 Sixth International Conference on Advanced Computing(ICoAC), December 17-19, 2014, Chennai, India. New York: IEEE, 2014: 237-241.
[14]	JOSHI A, GEETHA V.SQL Injection Detection Using Machine Learning[C]//IEEE. 2014 International Conference on Control, Instrumentation, Communication and Computational Technologies(ICCICCT), July 10-11, 2014, Kanyakumari, India. New York: IEEE, 2014: 1111-1115.
[15]	XIAO Z, ZHOU Z, YANG W, et al. An Approach for SQL Injection Detection Based on Behavior and Response Analysis[EB/OL]. , 2019-4-10.
[16]	JOHNSON B, SONG Y, MURPHY H E, et al.Why Don't Software Developers Use Static Analysis Tools to Find Bugs?[C]// IEEE. 2013 International Conference on Software Engineering, May 18-26, 2013, San Francisco, CA, USA. New York: IEEE, 2013: 672-681.
[17]	WALDEN J, STUCKMAN J, SCANDARIATO R.Predicting Vulnerable Components: Software Metrics vs Text Mining[C]// IEEE. 25th International Symposium on Software Reliability Engineering, November 3-6, 2014, Naples, Italy. New York: IEEE, 2014: 23-33.
[18]	STIVALET B, FONG E.Large Scale Generation of Complex and Faulty PHP Test Cases[C]// IEEE. 2016 IEEE International Conference on Software Testing, Verification and Validation(ICST), April 11-15, 2016, Chicago, IL, USA. New York: IEEE, 2016: 409-415.
[19]	YAN X X, WANG Q X, MA H T. Path Sensitive Static Analysis of Taint-style Vulnerabilities in PHP Code[EB/OL]. , 2019-4-10.
[20]	GHAFFARIAN S M, SHAHRIARI H R.Software Vulnerability Analysis and Discovery Using Machine-learning and Data-mining Techniques: A survey[J]. ACM Computing Surveys(CSUR), 2017, 50(4): 56.
[21]	PAN S J, YANG Q.A Survey on Transfer Learning[J]. IEEE Transactions on Knowledge and Data Engineering, 2009, 22(10): 1345-1359.

编辑推荐 0

Metrics

阅读次数

全文

606

HTML			PDF

最新录用	在线预览	正式出版	最新录用	在线预览	正式出版
0	0	279	0	0	327

来源	本网站	其他网站

次数	604	2
比例	100%	0%

摘要

1154

最新录用	在线预览	正式出版

0	0	1154

	来源	本网站

	次数	1154
	比例	100%

编号	类型	报错信息	直接显示	多条记录	提取信息	修改信息
A	重言式		√	√	√
B	基于Union查询	√	√	√	√
C	基于报错	√			√
D	布尔盲注				√
E	时间盲注				√
F	带外攻击				√
G	piggy-backed					√
H	基于存储过程		√	√	√
I	编码攻击

测量内容	精确度（Precision）	召回率（Recall）	F1-Score
良性代码	0.98	0.91	0.94
SQL注入漏洞代码	0.81	0.95	0.87
加权平均	0.93	0.92	0.92

漏洞	Moodle	PHPMyAdmin	Drupal
Code Injection	7	10	2
CSRF	3	1	8
XSS	9	45	32
Path Disclosure	2	12	0
Authorization Issue	28	6	39
Other	2	1	16

Web应用	性能指标	软件度量	文本分析
Moodle	精度（Precision）假阳性（FP）准确度（accuracy）	1.8 31.7 68.3	2.3 28.3 71.8
PHPMyAdmin	精度（Precision）假阳性（FP）准确度（accuracy）	13.2 39.8 60.7	14.3 40.6 60.6
Drupal	精度（Precision）假阳性（FP）准确度（accuracy）	52.0 31.6 71.0	57.1 26.9 75.4