SQL (structured query language) injection attack defensive system and defensive method based on grammar transformation

A SQL injection attack defense system and method, applied in the field of network security. It addresses the difficulty of distinguishing normal SQL statements from SQL injection attacks, the large and diverse volume of data, and the high false positive and false negative rates of existing approaches.

Active Publication Date: 2017-01-25
北京卫达信息技术有限公司

Problems solved by technology

The focus of this method is protection on the side close to the database, but it is still rule-based and cannot prevent SQL injection attacks at the root.
[0007] In general, most existing SQL injection defense methods are rule-based: rules for distinguishing normal SQL statements from SQL injection attacks are established in advance. Because attack techniques keep developing and evolving, and because the volume and diversity of data on the Internet are so large, it is difficult to build a complete rule base that accurately separates normal SQL statements from SQL injection attacks. Such methods therefore tend to have high false positive and false negative rates, and even a continuously updated rule base still fails to provide very effective protection.



Examples

Embodiment approach

[0079] Preferred implementation: a SQL injection attack defense scheme based on SQL keyword replacement and syntax analysis.

[0080] First, building on the syntax-transformation defense concept described above, the basic principle of this scheme based on SQL keyword replacement and syntax analysis is described in detail.

[0081] First, technicians determine all, or the commonly used, SQL keywords for operating the database (including select, where, union, and, or, etc.) and enter them through the user configuration module to form the SQL keyword set, denoted set A; each element of set A corresponds to one SQL keyword. A set B in one-to-one correspondence with set A is then constructed from set A: each element of set A is paired with an uncommon character string that has no specific meaning (the string is randomly generated, guaranteed not to repeat, and does not include keys relate...

Embodiment 1

[0104] Embodiment 1 is an example of a normal user operating the database. Assume the SQL query statement for login verification in a website program is select*from users where name='user name entered by the user' and pw='password entered by the user'; the correct user name is admin and the correct password is password, and the user name admin and the password password are stored in the database. According to the user-configured SQL keyword set A {..., select, where, and, ...}, the SQL keyword replacement rule set B constructed for the website program is {..., select→string h, where→string i, and→string j, ...} (for convenience of description, the replacement strings are abbreviated here). First, the content of the website program is transformed: the SQL keywords written in the program for operating the database are replaced according to the corresponding rules of set B, that is, select is replaced with the string h, where with the string i, and and with the string j. Assuming tha...

Embodiment 2

[0106] Embodiment 2 gives an example in which the user enters a character string identical to a SQL keyword, but it is used only as data and is therefore a normal user operating the database. Assume the SQL query statement for login verification in a website program is select*from users where name='user name entered by the user' and pw='password entered by the user'; the correct user name is select and the correct password is password, and the user name select and the password password are stored in the database. According to the user-configured SQL keyword set A {..., select, where, and, ...}, the SQL keyword replacement rule set B constructed for the website program is {..., select→string h, where→string i, and→string j, ...} (for convenience of description, the irregular replacement strings are abbreviated here). First, the content of the website program is transformed: the SQL keywords used in the program to operate the database are replaced according to the correspondi...
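The keyword replacement of [0081] and the judgment step of Embodiments 1 and 2, worked through as an added Python example (illustrative code written for this page, not the patent's own implementation). Assumptions: set A is the keyword tuple below, the set B strings are twelve random lowercase letters, the login statement is the one from the two embodiments, and, going beyond what the excerpt states, the token shape of the outgoing statement is compared with the shape of the transformed program statement; that shape check and every function and name here are my own, not the patent's.

```python
import random
import re

# Set A from [0081]: the SQL keywords the web program uses to operate the database.
SQL_KEYWORDS = ("select", "from", "where", "and", "or", "union", "insert",
                "update", "delete", "drop")
ALPHABET = "abcdefghijklmnopqrstuvwxyz"

# One token per match: a single-quoted literal (with '' as the escaped quote), a bare word,
# or any other single non-space character. Quoted text is never treated as a keyword,
# which is what lets Embodiment 2's user name 'select' pass as plain data.
_TOKEN_RE = re.compile(r"'(?:[^']|'')*'|\w+|\S")


class SQLInjectionDetected(Exception):
    pass


def build_rule_set(keywords=SQL_KEYWORDS, length=12, rng=None):
    """Rule set A -> B: each keyword maps to a random string that is unique and contains
    no keyword, so a replacement string can never itself be mistaken for SQL."""
    rng = rng or random.SystemRandom()   # pass random.Random(seed) only for repeatable tests
    rules = {}
    for kw in keywords:
        while True:
            tok = "".join(rng.choice(ALPHABET) for _ in range(length))
            if tok not in rules.values() and not any(k in tok for k in keywords):
                break
        rules[kw] = tok
    return rules


def tokenize(sql):
    return _TOKEN_RE.findall(sql)


def transform(sql, rules):
    """Initialization transformation of the program's SQL: rewrite its own keywords,
    leaving string literals, identifiers and spacing untouched."""
    return _TOKEN_RE.sub(lambda m: rules.get(m.group(0).lower(), m.group(0)), sql)


def detransform(sql, rules):
    """Inverse transformation, applied only after the statement has passed the check."""
    inverse = {v: k for k, v in rules.items()}
    return _TOKEN_RE.sub(lambda m: inverse.get(m.group(0), m.group(0)), sql)


def skeleton(sql):
    """Token shape with the data abstracted away: string literals -> STR, numbers -> NUM."""
    return ["STR" if t.startswith("'") else "NUM" if t.isdigit() else t.lower()
            for t in tokenize(sql)]


def check_outgoing(sql, rules, expected_shape):
    """Judge a statement the web server is about to send to the database.
    1) A bare SQL keyword cannot come from the transformed program (all of its keywords
       are now random strings), so it must have arrived in user input: injection.
    2) Assumption beyond the excerpt: the token shape must equal the template's shape.
       This is what catches a comment break-out such as admin'-- that contains no keyword."""
    for tok in tokenize(sql):
        if tok.lower() in rules:
            raise SQLInjectionDetected(f"raw SQL keyword {tok!r} outside a string literal")
    if skeleton(sql) != expected_shape:
        raise SQLInjectionDetected("statement shape differs from the program's template")
    return True


# Login statement from Embodiments 1 and 2; the placeholders are filled by string
# concatenation, exactly as the vulnerable website program in the patent does.
LOGIN_TEMPLATE = "select*from users where name='{user}' and pw='{pw}'"


def build_login_statement(user, pw, rules, template=LOGIN_TEMPLATE):
    """Whole pipeline for one request. Returns the real SQL that may go to the database,
    or raises SQLInjectionDetected."""
    program_sql = transform(template, rules)   # in practice done once, at deployment
    expected = skeleton(program_sql)
    outgoing = program_sql.format(user=user, pw=pw)
    check_outgoing(outgoing, rules, expected)
    return detransform(outgoing, rules)


if __name__ == "__main__":
    rules = build_rule_set()
    # Constructed inputs: Embodiment 1, Embodiment 2, a tautology attack, a comment attack.
    for user, pw in [("admin", "password"), ("select", "password"),
                     ("' or '1'='1", "x"), ("admin'--", "x")]:
        try:
            print("DB receives:", build_login_statement(user, pw, rules))
        except SQLInjectionDetected as e:
            print("blocked:", repr(user), "->", e)
```

Running the block passes the admin and select user names through unchanged, restoring the original keywords before the database sees the statement, and blocks `' or '1'='1` because a bare `or` appears outside any string literal. The input `admin'--` contains no keyword at all, so the keyword check alone would let it through; it is caught only by the added shape comparison, which is why that check is included. The program is still building SQL by string concatenation: the transformation defends that pattern, it does not replace parameterised queries.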


Abstract

The invention provides a SQL (structured query language) injection attack defense system and method based on grammar transformation. A SQL statement transformation rule for the website program is built; the SQL statements of the website program on the Web server are subjected to an initial transformation; whether attack statements have been injected into the SQL access statements the Web server sends to the database is judged; and the SQL statement transformation rule of the website program is changed dynamically, so that effective defense against SQL injection attacks is achieved. The system and method do not depend on rules: malicious SQL injection attacks are recognized precisely on the basis of statement transformation and grammatical analysis, the false positive and false negative rates are extremely low, and the approach applies to various types of Web servers and database systems. SQL injection attack behaviour can be defended against effectively, and the security protection of the Web server and its back-end database is clearly improved.

Description

technical field [0001] The invention relates to the field of network security, in particular to a syntax-transformation-based SQL injection attack defense system and defense method. Background technique [0002] With the rapid development of Internet technology, Web technology and database technology have become key technologies of modern information systems. Information security of Web servers and databases is one of the core Internet security issues. Important information of government agencies, enterprises, institutions and individual users is often stored on Web servers and their back-end databases; its importance and value are very attractive to hackers, so it is extremely vulnerable to attack. [0003] SQL injection is a common type of attack currently faced by Web servers. The attacker inserts a series of SQL commands by modifying the input fields of the application's web form or the query string of the page request to change ...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): G06F21/56, G06F21/57
CPC: G06F21/563, G06F21/577, G06F2221/034
Inventor: 耿童童
Owner: 北京卫达信息技术有限公司