Research on Double Layer Defense Model for SQL Injection Attack Based on Classification

doi:10.3969/j.issn.1671-1122.2015.06.001

Abstract

Abstract:

In recent years, some progresses have been made on the research on SQL injection attack defense. However, the present measures of SQL injection attack defense still have limitations. This paper studies the problems existing in the SQL injection attack defense. At first, for the misinformation problem of normal data existing in the user inputs, a measure to filter user inputs is proposed which is based on Http request classification, and the measure of grammatical structure comparison is proposed to solve the underreporting problem of malicious data. Secondly, for the low detection efficiency problem existing in the measure of grammatical structure comparison, a dynamic query matching measure based on the parameterized classification is proposed. Finally, based on the above two measures, a double layer defense model based on classification for SQL injection attack is proposed. The experimental results show that the defense model has good defense capability against SQL injection attacks, which can effectively reduce the misinformation rate and the underreporting rate existing in user input filtering, and improve the detection efficiency of the measure of the grammatical structure comparison.

Key words: SQL injection attack, user input filtering, grammatical structure comparison, defense model

CLC Number:

TP309

TIAN Yu-jie, ZHAO Ze-mao, WANG Li-jun, LIAN Ke. Research on Double Layer Defense Model for SQL Injection Attack Based on Classification[J]. Netinfo Security, 2015, 15(6): 1-6.

Figures/Tables 11

References 17

[1]	郑成兴. 网络入侵防范的理论与实践[M].第1版.北京:机械工业出版社, 2006.
[2]	高鹏, 严望佳.构建安全的Web站点[M].北京:清华大学出版社, 1999.
[3]	ANLEY,Chris.Advanced SQL injection in SQL server applications[R].An NGSSoftware Insight Security Research (NISR) Publication, 2002.
[4]	Becher M.Web Application Firewalls[D]. Akademikerverlag:Universiti Teknologi MARA, 2012.
[5]	Roesch M.Snort: Lightweight intrusion detection for networks[C]// Proceedings of the 13th Conference on Systems Administration(LISA-99),USENIX Association ,Nov 1999:229-238.
[6]	Debasish Das, Utpal Sharma, Bhattacharyya D K.An approach to detection of SQL injection attack based on dynamic query matching[J].2010 International Journal of Computer Applications. 2010,1(25):28-34.
[7]	BOYD, Stephen W KEROMYTIS, Angelos D. SQLrand: Preventing SQL injection attacks[C]//Applied Cryptography and Network Security. Springer Berlin Heidelberg, 2004: 292-302.
[8]	李原, 蒋华伟. 基于指令集随机化的SQL注入防御技术研究[J]. 计算机与数字工程, 2009,37(1):96-99.
[9]	褚龙现. ASP.NET应用中SQL注入攻击的分析与防范[J]. 计算机与现代化, 2014,(3):151-153,160.
[10]	成晓利. Web应用程序SQL注入攻击漏洞测试系统的研究与实现[D]. 成都:西南交通大学,2013.
[11]	王小鉴. SQL参数化查询详解[J]. 电脑编程技巧与维护, 2011,(1):42-50.
[12]	黄龙军. 存储过程技术在网络考试系统SQL注入攻击防御上的应用[J]. 计算机系统应用, 2013,1(22):103-106.
[13]	史硕江. 存储过程在ASP_NET中的应用[J]. 计算技术与信息发展, 2009, (12):56-57.
[14]	黄伟力. 基于存储过程的网络数据库应用系统安全体系[J]. 科技广场, 2009,(3):90-91.
[15]	钱林红,文洪建. 部分加密防御SQL注入攻击[J]. 信息科技,2008,11(24):82-82.
[16]	王巍. 数据库中敏感数据加密方法的研究[J]. 科技广场,2007,(9):111-114.
[17]	William G J Halfond, Alessandro Orso. AMNESIA: analysis and Monitoring for NEutralizing SQL-Injection Attacks[C]// Proceedings of the International Conference on Automated Software Engineering, November 2005:174-183.