SQL injection attack defensive system and method based on dynamic conversion

A dynamic-transformation SQL injection defense technology, applied in the field of network security, addresses problems such as the difficulty of establishing rules that distinguish normal SQL statements from SQL injection attacks, the large volume and diversity of data, and the inability of existing methods to defend against SQL injection attacks at the root.

Active Publication Date: 2017-03-15
北京卫达信息技术有限公司

Problems solved by technology

The focus of this method is to protect against SQL injection attacks on the side close to the database, but it is still rule-based and cannot prevent SQL injection attacks at the root.

[0007] In general, most existing SQL injection defense methods are rule-based: rules for distinguishing normal SQL statements from SQL injection attacks are established in advance. Because attack techniques keep developing and evolving, and because the volume and diversity of data on the Internet are so large, it is difficult to build a complete rule base that accurately separates normal SQL statements from SQL injection attacks. Such methods therefore tend to have high false-positive and false-negative rates, and even with continual updates to the rule base they still do not provide very effective protection.


Examples


Embodiment 1

[0083] Embodiment 1 is an example of a normal user operating the database. Assume that the SQL query statement for login verification in a website program is select*from users where name='username entered by the user' and pw='password entered by the user'; the correct user name is admin and the correct password is password, and the username admin and the password password are stored in the database. The SQL keyword set A configured by the user is {..., select, where, and, ...}. The database field replacement rule set B constructed from set A is {..., select→string a, where→string b, and→string c, ...} (for convenience of description the replacement strings are abbreviated); the website program SQL keyword replacement rule set C constructed from set A is {..., select→string h, where→string i, and→string j, ...} (here too the replacement strings are abbreviated for convenience of description, and the strings h, i and j differ from the strings a, b and c). Fir...

Embodiment 2

[0085] A second example of a normal user operating the database is given below. Assume that the SQL query statement for login verification in a website program is select*from users where name='user name entered by the user' and pw='password entered by the user'; the correct user name is select and the correct password is password, and the username select and the password password are stored in the database. The SQL keyword set A configured by the user is {..., select, where, and, ...}. The database field replacement rule set B constructed from set A is {..., select→string a, where→string b, and→string c, ...} (for convenience of description the replacement strings are abbreviated); the website program SQL keyword replacement rule set C constructed from set A is {..., select→string h, where→string i, and→string j, ...} (here too the replacement strings are abbreviated for convenience of description, and the strings h, i and j differ from the strings ...

Embodiment 3

[0087] An example of an SQL injection attack is given below.

[0088] Assume that the SQL query statement for login verification in a website program is select*from users where name='username entered by the user' and pw='password entered by the user'; the correct user name is admin and the correct password is password, and the username admin and the password password are stored in the database. If the attacker enters 1'or'1'='1 as the user name and 1'or'1'='1 as the password, then without the defense system of the present invention the SQL statement sent to the database becomes select*from users where name='1'or'1'='1'and pw='1'or'1'='1', which is equivalent to select*from users; through such an injection the attacker can log in to the website without an account or password and so achieve the purpose of the attack. After the defense system of the present invention is deployed, however, according to its scheme, first const...


Abstract

The invention provides an SQL injection attack defense system and method based on dynamic conversion. The method comprises the following steps: a database field replacement rule set and a website program SQL keyword replacement rule set are constructed; character strings stored in the database whose form matches an SQL keyword are replaced according to the database field replacement rule set; the SQL statements in the website program on the Web server are replaced according to the website program SQL keyword replacement rule set; and, for each SQL statement the Web server sends to the database, the SQL keywords in the statement are first replaced according to the database field replacement rule set and then restored according to the website program SQL keyword replacement rule set. The method does not depend on rules, so no judgment rules for distinguishing normal SQL statements from SQL injection attacks need to be built in advance. Because the SQL statements are replaced and converted, SQL text injected maliciously by an attacker becomes a statement that does not conform to the database's grammar and cannot be executed, and SQL injection attacks are thereby defended against.
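The three-step scheme described in the abstract, traced through Embodiments 1 to 3, as an added Python example that is not part of the patent or the applicant's code. It assumes concrete contents for sets A, B and C: the page shows only {..., select, where, and, ...} and the abbreviated strings a, b, c and h, i, j, so the keywords from and or and the placeholder strings dbx_* and app_* are assumptions. SQLite in memory stands in for the database, and the web server, the defense system and the database are simulated in one process:

```python
import re
import sqlite3

# Set A: the SQL keywords to protect. The page lists {..., select, where, and, ...};
# "from" and "or" are added here as an assumption so that the login statement and
# the Embodiment 3 payload are fully covered.
KEYWORDS_A = ["select", "from", "where", "and", "or"]

# Set B (database field replacement rules) and set C (website program keyword
# replacement rules), both derived from A. The page calls the strings a, b, c and
# h, i, j; the concrete strings below are constructed placeholders, chosen so that
# no keyword appears as a whole word inside any of them and B and C never collide.
RULES_B = {kw: f"dbx_{kw}_9f3" for kw in KEYWORDS_A}
RULES_C = {kw: f"app_{kw}_c71" for kw in KEYWORDS_A}


def replace_keywords(text: str, rules: dict) -> str:
    """Replace every whole-word occurrence of a rule key (case-insensitive)."""
    pattern = re.compile(r"\b(" + "|".join(map(re.escape, rules)) + r")\b", re.IGNORECASE)
    return pattern.sub(lambda m: rules[m.group(1).lower()], text)


def restore_keywords(text: str, rules: dict) -> str:
    """Inverse mapping: turn a rule's replacement strings back into the keyword."""
    inverse = {v: k for k, v in rules.items()}
    pattern = re.compile(r"\b(" + "|".join(map(re.escape, inverse)) + r")\b")
    return pattern.sub(lambda m: inverse[m.group(1)], text)


# Step 2 of the method, done once at deployment: the website program's SQL text is
# rewritten with set C. Placeholders are filled in by plain string formatting, which
# is exactly the vulnerable pattern the scheme is meant to protect.
VULNERABLE_TEMPLATE = "select * from users where name='{name}' and pw='{pw}'"
APP_TEMPLATE = replace_keywords(VULNERABLE_TEMPLATE, RULES_C)


def setup_database(defended: bool) -> sqlite3.Connection:
    """Constructed sample data: the admin user from Embodiments 1 and 3, and the
    user literally named 'select' from Embodiment 2. With the defense deployed
    (step 1), stored values that match a keyword are replaced per set B."""
    con = sqlite3.connect(":memory:")
    con.execute("create table users(name text, pw text)")
    for name, pw in [("admin", "password"), ("select", "password")]:
        if defended:
            name, pw = replace_keywords(name, RULES_B), replace_keywords(pw, RULES_B)
        con.execute("insert into users values (?, ?)", (name, pw))
    return con


def convert(statement: str) -> str:
    """Step 3, applied by the defense system to each statement the web server sends:
    replace all keywords per set B, then restore the program's own keywords per C."""
    return restore_keywords(replace_keywords(statement, RULES_B), RULES_C)


def run_login(con: sqlite3.Connection, name: str, pw: str, defended: bool):
    """Build the login statement the way the web program does and execute it.
    Returns (rows, error): the rows matched, or the database's syntax error text."""
    template = APP_TEMPLATE if defended else VULNERABLE_TEMPLATE
    statement = template.format(name=name, pw=pw)
    if defended:
        statement = convert(statement)
    try:
        return con.execute(statement).fetchall(), None
    except sqlite3.OperationalError as exc:
        return [], str(exc)


if __name__ == "__main__":
    payload = "1'or'1'='1"  # the Embodiment 3 input, entered as both name and password
    plain, guarded = setup_database(False), setup_database(True)
    print("undefended, injection:", run_login(plain, payload, payload, False))
    print("defended,   injection:", run_login(guarded, payload, payload, True))
    print("defended,   admin:    ", run_login(guarded, "admin", "password", True))
    print("defended,   'select': ", run_login(guarded, "select", "password", True))
```

Run as a script, the undefended statement matches every row, while the converted statement turns the injected or into an opaque token that the database rejects as a syntax error, so no row is returned. The admin login is unaffected because the program's own keywords are restored from their C strings, and the user named select still logs in because the value entered at login is converted with set B into the same form in which step 1 stored it. The protection rests on the C strings not being guessable from outside, since a guessed C string would be restored to a keyword; that is why the title stresses that the conversion is dynamic.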

Description

Technical field

[0001] The invention relates to the field of network security, in particular to a dynamic transformation-based SQL injection attack defense system and defense method.

Background technique

[0002] With the rapid development of Internet technology, Web technology and database technology have become key technologies of modern information systems. Information security based on Web servers and databases is one of the core Internet security issues. The important information of government agencies, enterprises and institutions, individual users and others is often stored on Web servers and their back-end databases; its importance and value are very attractive to hackers, so it is extremely vulnerable to attack.

[0003] The SQL injection attack is a common type of attack faced by Web servers at present. The attacker inserts a series of SQL commands by modifying the input fields of the application's Web form or the query string in a page request, so as to change...


Application Information

Patent Type & Authority Applications(China)
IPC IPC(8): G06F21/56
Inventor 耿童童
Owner 北京卫达信息技术有限公司