Mixed structured query language (SQL) injection protection method
A security protection and syntax tree technology, which is applied in special data processing applications, instruments, electrical digital data processing, etc., to achieve performance improvement, increase accuracy, and avoid accuracy and false alarm rates
Inactive Publication Date: 2012-09-19
STATE GRID ELECTRIC POWER RES INST
View PDF4 Cites 29 Cited by
- Summary
- Abstract
- Description
- Claims
- Application Information
AI Technical Summary
Problems solved by technology
By using the two methods together, on the one hand, it can well alleviate the problems of insufficient coverage and matching accuracy that pattern matching may bring; on the other hand, it can solve the high recognition rate and high misjudgment rate that feature filtering methods may bring The contradiction between; secondly, because the efficiency of pattern matching is higher than that of feature filtering, compared with using feature filtering method alone, this method has a greater performance improvement
Method used
the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
View moreImage
Smart Image Click on the blue labels to locate them in the text.
Smart ImageViewing Examples
Examples
Experimental program
Comparison scheme
Effect test
specific example
[0067] (1) select * from a where username = ‘chenfeng’ and passwd = 123;
[0068] (2) select * from USER_CATALOG where name = ‘chen’or 1=1;
[0069] (3) select * from person where age = 24 and name = ‘li’ and 1=1;
[0070] 402: parse the SQL statement to generate a syntax tree, if there is an error in the analysis, jump to step 407;
[0071] 403: Analyze the syntax tree to obtain access behavior characteristics, and match the access behavior characteristics with the knowledge base. If the matching is unsuccessful, skip to step 407, otherwise skip to step 404;
[0072] For (1) select * from a where username = ‘chenfeng’ and passwd = 123, its database access behavior:
[0073] Database object name Types of operating 1a table Inquire 2 username Column Inquire 3 passwd Column Inquire
[0074] Match the access behavior with the database behavior pool, refer to the matching process image 3 ;
[0075] As in the above steps, select * from USER_CATALOG where name = ‘chen’or 1=1 access behavi...
the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More PUM
Login to View More Abstract
The invention discloses a mixed structured query language (SQL) injection protection method, which combines a static mode matching technology and a dynamic characteristic filtering technology. The method comprises the following steps of: automatically learning all legal SQL sentences of a service system in security environment, and constructing a knowledge base; and matching the SQL sentences with the knowledge base by using a mode matching algorithm in real-time working environment, and if matching succeeds, determining that the SQL sentences are legal. The SQL sentences which are unsuccessfully matched are not immediately determined to be illegal, deep characteristic check is performed by using a characteristic filtering algorithm based on a value-at-risk, and the truly illegal SQL sentences are identified. A mode matching method and a characteristic filtering method are matched and combined with each other, so a good effect is achieved, and a conflict between accuracy rate and mis-alarm rate caused by the conventional injection protection method can be well solved.
Description
Technical field [0001] The invention relates to a database SQL injection protection method, in particular to a SQL injection protection method using pattern matching and feature filtering. Background technique [0002] With the development of the Internet, the development of business dynamic websites based on the B / S model is more and more favored by major companies. Most of this model adopts the platform architecture of ASP (.NET)+SQL+IIS, so use this model to write There are more and more application programmers. However, the uneven level of programmers and the immaturity of security defense technology have brought many insecure factors to the application system. Most web application systems need to interact with users, receive data from users and process them. If an attacker deliberately enters maliciously constructed data, the malicious code contained in these data will be processed by the system or Other clients execute, thus causing damage to the server or client, this is...
Claims
the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More Application Information
Patent Timeline
Login to View More IPC IPC(8): G06F17/30
Inventor 石聪聪余勇林为民张涛张小建郭骞蒋诚智范杰冯谷费稼轩俞庚申高鹏李尼格鲍兴川曹宛恬
Owner STATE GRID ELECTRIC POWER RES INST