信息网络安全 ›› 2019, Vol. 19 ›› Issue (11): 36-42.doi: 10.3969/j.issn.1671-1122.2019.11.005

• 技术研究 • 上一篇    下一篇

基于机器学习的SQL注入漏洞挖掘技术的分析与实现

胡建伟, 赵伟(), 闫峥, 章芮   

  1. 西安电子科技大学,陕西西安 710071
  • 收稿日期:2019-06-10 出版日期:2019-11-10 发布日期:2020-05-11
  • 作者简介:

    作者简介:胡建伟(1973—),男,浙江,副教授,博士,主要研究方向为网络安全与网络对抗、通信侦察和通信对抗;赵伟(1995—),男,河北,硕士研究生,主要研究方向为渗透测试、Web安全;闫峥(1972—),女,陕西,教授,博士,主要研究方向为信息安全与隐私保护、信任管理与可信计算;章芮(1994—),女,安徽,博士研究生,主要研究方向为声纹认证与隐私保护。

  • 基金资助:
    国家自然科学基金[61672410]

Analysis and Implementation of SQL Injection Vulnerability Mining Technology Based on Machine Learning

Jianwei HU, Wei ZHAO(), Zheng YAN, Rui ZHANG   

  1. Xidian University, Xi’an Shaanxi 710071, China
  • Received:2019-06-10 Online:2019-11-10 Published:2020-05-11

摘要:

随着Web2.0时代的到来,Web应用的表现能力有了突破性的提高,支持的功能显著增加,Web应用也渗透到了人们生活的方方面面。Web2.0时代的最大特点是普通的用户也参与到互联网内容的创造过程中,其身份由原来单纯的信息获得者变成了信息的贡献者与获得者,因此Web应用程序所保存的数据在数量上更加庞大,在结构上更加复杂,这就导致了各种Web应用程序都需要维护自己的数据库来存储这些数据。数据库中存储的数据是一个Web应用程序中最有价值的部分,然而攻击者可以通过SQL注入漏洞获取数据甚至修改数据库数据,这种攻击严重影响了数据库中数据的完整性及保密性,是Web应用程序需要应对的安全问题之一。通过漏洞挖掘技术可以在产品上线之前确定SQL注入漏洞的存在并对其进行修复。文章不仅介绍了传统的SQL注入漏洞挖掘技术及其不足,还介绍了在当今机器学习与大数据环境下SQL注入漏洞挖掘技术的发展方向及存在的困难。

关键词: SQL注入, 漏洞挖掘, 机器学习, 支持向量机, 静态分析

Abstract:

With the advent of the Web2.0 era, the presentation ability of Web applications has been improved dramatically, and the supporting functions have increased significantly. Therefore, Web applications have penetrated into all aspects of people’s lives. The biggest characteristic of the Web2.0 is that ordinary users participate in the process of creating Internet content, their identities changed from the pure recipients of information to the contributors and the winner of information.Thus the data saved by Web application is larger on and more complex in the structure, which leads the large and small web applications today maintain their own databases to store those data.The data stored in the database is the most valuable part of a Web application. However, an attacker can obtain the data or even modify the data through SQL injection vulnerability. This attack seriously affects the integrity and confidentiality of the data in the database, and it is one of the most serious security problems of the Web application. Vulnerability mining technology can identify SQL injection vulnerabilities and fix it before the product goes live.This paper briefly introduces the traditional SQL injection vulnerability mining technology and its shortcomings, and then discusses the development direction and difficulties of SQL injection vulnerability mining technology in today’s machine learning and big data environment.

Key words: SQL injection, vulnerability mining, machine learning, SVM, static analysis

中图分类号: