297 results about "SQL injection" patented technology

A method for detecting a SQL injection attack comprises a training phase and a detection phase. In the training phase, a plurality of SQL queries is transformed into a respective plurality of SQL token domain queries which are processed using a n-gram analysis to provide a threshold and an averaging vector. In the detection phase, each newly arrived SQL query is transformed into a new SQL token domain query, and the n-gram analysis is applied together with the averaging vector and the threshold to each new SQL token domain query to determine if the new SQL query is normal or abnormal. The detection may be online or offline.

An SQL injection attack detecting method and system are provided, comprising building phase of SQL injection attack detecting knowledge base and detecting phase for real-time SQL injection attack. The build of SQL injection attack detecting knowledge base comprises collection of SQL injection attack sample for sorts of scenes, classification of SQL injection ways, and build of SQL injection attack detecting grammar rules aiming at sorts of SQL injection ways; the detecting phase for real-time SQL injection attack comprises extraction and decoding of user inputting data in HTTP request message and matching of the SQL injection attack detecting grammar rules and so on. This invention defines the SQL injection attack detecting grammar rules by using SQL grammar instead of defining the SQL injection attack detecting grammar rules based on the traditional attack characteristic. The invention overcomes shortcomings of uneasy extraction and inclined fraud of the attach characteristic sign of the SQL injection attack incident, which significantly reduces rate of wrong report and rate of missing report while invading the detecting system for detecting SQL injection attack.

Method to prevent the effect of web application injection attacks, such as SQL injection and cross-site scripting (XSS), which are major threats to the security of the Internet. Method using complementary character coding, a new approach to character level dynamic tainting, which allows efficient and precise taint propagation across the boundaries of server components, and also between servers and clients over HTTP. In this approach, each character has two encodings, which can be used to distinguish trusted and untrusted data. Small modifications to the lexical analyzers in components such as the application code interpreter, the database management system, and (optionally) the web browser allow them to become complement aware components, capable of using this alternative character coding scheme to enforce security policies aimed at preventing injection attacks, while continuing to function normally in other respects. This approach overcomes some weaknesses of previous dynamic tainting approaches by offering a precise protection against persistent cross-site scripting attacks, as taint information is maintained when data is passed to a database and later retrieved by the application program. The technique is effective on a group of vulnerable benchmarks and has low overhead.

The invention discloses a database SQL infusion protecting method based on self-learning, comprising a learning phase and a filtering phase. The learning phase works in safe environment. At the moment, all SQL sentences are legitimate SQL sentences generated by an application system. A knowledge model (knowledge base) of the legitimate SQL sentences can be constituted by analyzing the sentences as well as analyzing and summarizing the characteristics of the sentences on the basis of sentence analysis results. The filtering phase works in real environment. At the moment, all SQL sentences are assumed to be possibly illegitimate SQL sentences. The sentences undergo pattern matching with the knowledge base established in the safe environment. If the matching is successful, the sentences are legitimate SQL sentences, otherwise, the sentences are illegitimate SQL sentences. The database SQL infusion protecting method has the advantage that an SQL infusion protecting system based on learning the legitimate SQL sentences can greatly reduce the false report rate and missing report rate which are caused by traditional SQL infusion protection, and the defending capability of the whole system can be improved.

The invention relates to a database security auditing method which comprises the following steps: acquiring database network communication data; parsing a database network communication protocol; carrying out self-learning digging on audit rules; detecting database risk event invasion; evaluating database user permissions; tracking the three-layer correlation of a primary user. The database security auditing method can be used for auditing and monitoring a database in real time, so that the automatic assessment, audit, protection and invasion detection operation can be realized; the method can be used for preventing, recording and tracking the complete database operation behavior so as to help an administrator to find out the internal safety problems of unauthorized use, privilege abuse, permission theft and the like of the database in time; furthermore, after the method is used, the outside attacks such as SQL (structured query language) injection and the like can be avoided.

The invention discloses a key technique-SQL injection vulnerability detection technique of a host vulnerability scanning system as one important product for network security. The SQL injection vulnerability detection technique is characterized by submitting normal access request data and different types of SQL injection data to a server, receiving results returned by the server, then cross-comparing the returned results of different requests, and further determining exists of SQL injection vulnerabilities from the processing of submitted data by the server according to the compared results. To-be-certified website addresses are defined by means of website crawler, browser plug-in and manual input. One or a plurality of attacking templates of four different types of attacking templates can be selected to detect exists of SQL injection vulnerabilities on the to-be-certified websites. And the exists of SQL injection vulnerabilities during processing the user-submitted data by the server can be judged through cross-comparing the returned results of the normal access requests and SQL injection statements, under the condition that the server shields error information.

The invention provides an Android application vulnerability detection method which comprises the following steps: 1, judging whether a privacy leakage vulnerability possibly exists or not by virtue of analyzing Content Provider interface characteristics of a to-be-detected Android application; 2, if the privacy leakage vulnerability possibly exists, performing an SQL (Structured Query Lanaguge) injection vulnerability test and a path traversal vulnerability test on a public accessible URI (Uniform Resource Identifier) of the to-be-detected Android application which possibly has the privacy leakage vulnerability by virtue of monitoring a related API (Application Program Interface) function in an Android system, and then detecting passive data leakage safety risks. The invention also provides an Android application vulnerability detection system. The method and the system can be used for rapidly discovering privacy leakage and data pollution vulnerabilities possibly existing in the Android application, avoiding misdeclaration, and providing a powerful support for discovering the privacy leakage and data pollution vulnerabilities in the Android application on a large scale.

The invention provides a modified misuse-type structured query language (hereinafter referred as to SQL) attack defense system which is based on application system services and an SQL-injected characteristic extraction malicious attack behavior characteristic library and combined with the SQL request of the characteristic library to a user to carry out strict test and block the SQL request with the attack characteristics according to test results, so as to provide the security protection for the database and the corresponding audit record. The invention can be flexibly allocated to boundary defense devices, application servers, database servers and various security audit software, and the SQL attack behavior characteristic library can be updated at any time when the application environment is changed and a new attack type or normal behavior pattern appears.

The invention discloses a method and a device for identifying SQL (Structured Query Language) injection attacks, wherein the method comprises the steps of establishing an SQL injection feature library based on SQL syntax elements and SQL syntax fields through SQL lexical and syntactic analysis, obtaining target data, performing the SQL lexical and syntactic analysis on the target data and obtaining all SQL syntax elements and SQL syntax fields included in the target data, next, matching all of the obtained SQL syntax elements and SQL syntax fields included in the target data with the SQL injection feature library, and if matching is successful, determining the existence of the SQL injection attacks. The method and the device are capable of improving the efficiency of identifying SQL injection and reducing misinformation and failures in report.

A website data tampering preventing method based on a network isolation structure belongs to the technical field of network safety. The website data tampering preventing method includes: disposing a database server storing website data to the high-safety-level network, publishing the content in a database to a database server of the low-safety-level network connected with the internet unidirectionally and protecting the website data in the low-safety-level network. Therefore, a website data tampering preventing system consisting of an intranet mainframe and an outer net mainframe which are connected to each other is built, in the outer net mainframe, a data updating module submits incremental data to a data sheet to be updated, and a data publishing module publishes the incremental data to an outer net website data sheet. A data tampering preventing module inquires system configuration and data variation in an incremental data sheet to be checked at regular time, starts corresponding operation when detecting data variation and ensures operations of the outer net website data sheet to be authorized. By the aid of the website data tampering preventing method based on the network isolation structure, attacks to the database, such as SQL (structured query language) injection and the like, can be effectively avoided and data safety of the website database is guaranteed.

The invention discloses an injection point extracting method in SQL (Structured Query Language) injection vulnerability detection, which is used for solving the technical problem of poor accuracy of the traditional method in the SQL injection vulnerability detection under a Web environment. According to the technical scheme, the injection point extracting method comprises the steps of: firstly, preprocessing a downloaded webpage, dividing the webpage into a simple webpage and a complex webpage, extracting a data injection point of the simple webpage, extracting a data injection point of the complex webpage, extracting a test case through constructing the test case, analyzing service response, and establishing a decision rule of an SQL injection vulnerability. According to the invention, starting from obtaining the data injection points of a Web application system, through constructing the targeted test case, the used test case is used for carrying out character string, numerical value, annotation and delay testing according to the types and the parameter compositions of the data injection points, thus the test of the injection vulnerability caused by simple filtration of URL (Uniform Resource Locator) parameters and table submitted data is effectively dealt; and through analysis response, the established decision rule of the SQL injection vulnerability is improved in testing accuracy.

The invention relates to a method for detecting SQL (structured query language) injection vulnerability, comprising the following steps: 1, capturing user input data; 2, generating harmless input; 3, carrying out SQL lexical analysis and syntactic analysis to generate SQL syntax trees, wherein the SQL syntax trees comprise a syntax tree based on user input word strings and a syntax tree based on harmless word strings; 4, comparing the two SQL syntax trees, and if the two SQL syntax trees are same, considering a group of testing word strings to pass a test; and 5, responding the result, if a user attempting to carry out SQL injection is found out, blocking an HTTP (hyper text transport protocol) package, and otherwise, releasing the HTTP package. In the method, analyzed objects are input by the user directly or indirectly, thus maximally restoring the real intentions of the user and reducing the rate of false alarm; and meanwhile, based on the analysis of the SQL syntax trees, the SQL injection can be blocked fundamentally, thereby improving the accuracy rate of the detection.

The present invention relates to a real time intrusion detection system for detecting SQL injection Web aggression, including a method for providing learning normal database and Web application standard query statement (SQL) query data for a Website; a method for capturing real time database and Web application SQL query data for a Website; a method for detecting typical SQL injection aggression based on the normal database and Web application standard query statement (SQL) query data, as well as the real time database and Web application SQL query data. The beneficial effects of the present invention are that the invention can not only detect common SQL injection aggression, also has low alarm by mistake and high detection rate and the like.

A malicious script detection method based on an SVM (support vector machine) comprises the following steps: 1), crawling a webpage from the Internet, and acquiring the webpage link; 2), acquiring Java script content corresponding to the link; 3), analyzing web intrusion such as SQL (structured query language) injection and the like based on the script to obtain characteristics relative to the intrusion, performing characteristic extraction on acquired script content according to the intrusion characteristics, and transforming every script into a characteristic-based characteristic vector; and 4), acquiring an optimal classification model of the SVM according to a sort algorithm, classifying the acquired characteristic vectors by the model, and judging whether the script is a malicious script so as to perform related follow-up processing.

The invention relates to an SQL injection attack detecting system which supports multiple types of databases, which comprises a data acquisition module, a data preprocessing module, SQL injection attack detecting modules, an SQL injection alarming module and a classification transferring module. The system may comprise a plurality of the SQL injection attack detecting modules, and each of the SQL injection attack detecting modules respectively creates SQL injection attack detecting grammar rules based on the expanded SQL grammar of the data base types which are related with the SQL injection attack detecting modules, each of the SQL injection attack detecting modules is bound with the destination address of a certain Web application server, thereby the SQL injection attack detection of all to-be detected objects which have the same determination address is realized. The system fully considers the differences of the SQL grammar of various types of the databases, classifies the to-be detected objects according to the destination address of the Web application server, and detects the objects by the SQL injection attack detecting module which supports the SQL grammar expansion of the specific types of the databases, and greatly reduces the under-reporting problems in the SQL injection attack detecting modules.

The invention discloses a mixed structured query language (SQL) injection protection method, which combines a static mode matching technology and a dynamic characteristic filtering technology. The method comprises the following steps of: automatically learning all legal SQL sentences of a service system in security environment, and constructing a knowledge base; and matching the SQL sentences with the knowledge base by using a mode matching algorithm in real-time working environment, and if matching succeeds, determining that the SQL sentences are legal. The SQL sentences which are unsuccessfully matched are not immediately determined to be illegal, deep characteristic check is performed by using a characteristic filtering algorithm based on a value-at-risk, and the truly illegal SQL sentences are identified. A mode matching method and a characteristic filtering method are matched and combined with each other, so a good effect is achieved, and a conflict between accuracy rate and mis-alarm rate caused by the conventional injection protection method can be well solved.

The invention relates to a method for driving web application penetration testing by applying an SGM-SQL (sage grant management-structured query language) injection model, in the method, a web application penetration test framework driven by an SGM-SQL injection attack model is defined; by defining the SGM-SQL injection attack model in the framework and guiding the definition of a formalized definition set of SQL injection safety loopholes and a formalized description system of penetration test cases thereof, the accurate criterion for judging existence of the safety loopholes and the orderedcomplete test cases are further provided for the penetrating testing, and an SQL injection safety loophole penetration test algorithm driven by the SGM-SQL injection attack model is accordingly provided, thereby improving the accuracy of the web application SQL injection safety loophole penetration testing. Practices prove that the method is credible, systematic and complete, and can be applied in the field of the web application safety loophole penetration testing.

The invention discloses a machine learning-based SQL injection detection method, and a database security system, and belongs to the technical field of network security. The machine learning-based SQLinjection detection method comprises the steps of extracting parameters from HTTP requests, generating a grammar tree of a sample through lexical analysis and grammatical analysis, extracting featuresof the grammar tree and a URL, and performing training by adopting a machine learning algorithm of a support vector machine; and deploying a trained classification model between a Web service and a client, classifying the HTTP requests in a production environment, when it is judged that the HTTP requests comprise SQL injection attacks, giving a warning and blocking the requests, and finally storing the requests in an SQL injection attack sample library. According to the method, the dependency on background information is low, so that the HTTP requests received by the Web service only need tobe obtained; the deployment difficulty is low, so that the classification model can be deployed between a Web server and the client to serve as a flow filter; the method has high accuracy; the methodhas a continuous learning capability; and the method has high expansibility.

SQL injection attack detection system adapting to high speed LAN environment comprises data acquisition module, data pretreatment module, filter module for object to be detected, SQL injection attack detection module and SQL injection alarming module. The data acquisition module acquires network data pack related with HTTP service from protected network; data pretreatment module resolves operation and establishes object to be detected and transmits to the filter module for object to be detected based on TCP stream reassembly and HTTp protocol; the filter module for object to be detected matches URL of every object to be detected according to filtering rule sequence established, and performs designated processing action of matched filtering rule. The Web object type of HTTP request is divided into static Web type and dynamic Web type; static Web type HTTP requests during real time SQL injection attack detection is filtered out, which largely relieves processing pressure for SQL injection attack detection module, reduces rate of false alarm.

The invention discloses a method and a device for detecting a structured query language SQL injection attack. The method comprises the following steps: firstly detecting a received message based on SQL injection attack characteristics, and then detecting the received message based on SQL injection attack behaviors; counting the attack frequency of a source IP address of each hit message; alarming the IP address of which the attack frequency exceeds a preset value. The technical proposal of the invention greatly reduces the conditions of attack omission.

The invention discloses a detection method and a detection system for SQL (Structured Query Language) injection attack. The detection method and the detection system are used for increasing the accuracy of vulnerability detection for SQL injection attack and assisting the website in finding the true SQL injection vulnerability. The detection method for SQL injection attack comprises the following steps of: detecting a dangerous attack HTTP (Hyper Text Transfer Protocol) request and/or safe attack HTTP request contained in an HTTP request, for the HTTP request sent to a server by a request terminal; sending the detected safe attack HTTP request to the server and intercepting the detected dangerous attack HTTP request; for an HTTP response corresponding to the HTTP request containing the safe attack HTTP request returned to the request terminal by the server, confirming the existence of the SQL injection vulnerability if detecting the preset first feature information contained in the HTTP response.

The invention discloses a SQL injection detection method based on a convolution neural network algorithm. The method comprises the following steps: step one, performing text word-segmentation processing; step two, extracting a text vector: performing vocabulary model training on a training sample after the word segmentation processing by using a CBOW algorithm in a Word2Vec tool, converting the text data into the text vector; step three, training a detection model: designing a convolution neural network structure; selecting a convolution layer, a pooling layer and an activation function as parameters; inputting the text vector extracted from the step 2 into the convolution neural network to perform model training to obtain a detection model; step four, performing SQL injection detection: inputting the to-be-detected SQL injection instance into the detection model of the step three, or abandoning the data packet. Through the SQL injection detection method disclosed by the invention, the feature vector of an attack sample is extracted through the own characteristics of the CNN algorithm, the false alarm rate of the loophole detection is reduced, and a recognition rate for the variation attack is improved.

The invention discloses a method for detecting an SQL (Structured Query Language) injection attack. The method comprises the following steps of: detecting whether a user sends universal resource locator (URL) request messages of a prescribed number of times, which carry SQL injection keywords and are used for requesting to access a related website with the same access attribute information in prescribed time duration or not; if so, affirming that the user is carrying out an SQL injection attack on the website at the moment; and if not, affirming that the user does not carry out the SQL injection attack on the website. The embodiment of the invention also discloses an SQL injection attack detection device. The method and the device for detecting the SQL injection attack provided by the embodiment of the invention effectively overcome the defects of the traditional SQL detection mechanisms on the basis of the behavioral characteristics of the SQL injection attack of malicious personnel and solve the problem of high false alarm rate in the traditional SQL injection attack detection method.

System, method and program product for detecting a malicious SQL query in a parameter value field of a request. The parameter value field is searched for query operands, characters and/or symbols and combinations of query operands, characters and/or symbols indicative of malicious SQL injection. A respective score assigned to each of the query operands, characters and/or symbols or combinations of query operands, characters and/or symbols found in the parameter value field is added to yield a total score for at least two of the query operands, characters and/or symbols or combinations of query operands, characters and/or symbols found in the parameter value field. Responsive to the total score exceeding a threshold, the request is blocked.