一种基于神经网络的SQL注入漏洞的检测模型

doi:doi: 10.3969/j.issn.1006-2475.2016.10.014

计算机与现代化 ›› 2016, Vol. 0 ›› Issue (10): 67-71.doi: doi: 10.3969/j.issn.1006-2475.2016.10.014

一种基于神经网络的SQL注入漏洞的检测模型

北京工业大学计算机学院，北京100124

收稿日期:2016-03-31 出版日期:2016-10-15 发布日期:2016-10-14
作者简介:张志超（1988-），男，山东潍坊人，北京工业大学计算机学院硕士研究生，研究方向：SQL注入；王丹（1969-），女，教授，博士生导师，博士，研究方向：可信软件及可信评测。

SQL Injection Detection Based on Neural Network

College of Computer Science, Beijing University of Technology, Beijing 100124, China

Received:2016-03-31 Online:2016-10-15 Published:2016-10-14

摘要/Abstract

摘要： 针对SQL注入漏洞检测问题，本文提出一种基于人工神经元网络的SQL注入漏洞的分析模型。该模型在识别SQL关键字注入攻击特点的基础上，利用人工神经元网络算法对SQL注入语句进行检测，能够直接分析SQL语句，判断用户输入的SQL语句是否为SQL注入的语句。实现上，通过在Web应用程序和数据库中间加一个代理来实现分析和检测过程，从而无需修改已有应用的代码。通过对实验结果的分析证明该模型可提高SQL注入漏洞检测的准确率和执行效率。

关键词: SQL漏洞, 注入, Web应用程序, 神经元网络

Abstract: A novel approach to detect injection attacks was presented by identifying characteristics of injection attacks and using a neural network model to determine the likelihood that a given query is malicious. Based on the recognition of SQL character injection attack, the analysis model comes into being used to determine whether to inject SQL statements of model by using a large number of known data and the neural network algorithm. After that, based on the neural network model presented, the user input SQL statement can be directly analyzed and processed. This approach is implemented in a proxy that locates between a Web application and a database and prevents suspected malicious queries from being executed. This requires no modification of existing application code and is capable of identifying unknown attacks. Experimental results show that the model can effectively improve the accuracy and efficiency of the detection.

Key words: SQL injection, malicious query, Web application, neural network

中图分类号:

TP393.08

张志超，王丹，赵文兵，付利华. 一种基于神经网络的SQL注入漏洞的检测模型[J]. 计算机与现代化, 2016, 0(10): 67-71.

ZHANG Zhichao， WANG Dan， ZHAO Wenbing， FU Lihua. SQL Injection Detection Based on Neural Network[J]. Computer and Modernization, 2016, 0(10): 67-71.

参考文献

［1］OWASP. OWASP Top102010［EB/OL］. http://wenku.baidu.com/view/353d22c75fbfc77da269b1d1.html, 2016-03-31.
［2］Su Zhendong, Wassermann G. The essence of command injection attacks in Web applications［C］// Proceedings of Conference of the 33rd ACM SIGPLANSIGACT Symposium on Principles of Programing Languages(POPL’06). 2006:372-382.
［3］Wassermann G, Su Zhendong. Sound and precise analysis of Web applications for injection vulnerabilities［C］// 2007 ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI’07). 2007:32-41.
［4］Jiao Antunes, Nuno Neves, Migue Correia, et al. Vulnerability discovery with attack injection［J］. IEEE Transactions on Software Engineering, 2010,36(3):357-370.
［5］Halfond W G J, Viegas H J, Orso A. A classification of SQL injection attacks and countermeasures［C］// Proc. of International Symposium on Secure Software Engineering. IEEE Press, 2006.
［6］Buehrer G T, Weide B W, Sivilotti P A G. Using parse tree validation to prevent SQL injection attacks［C］// Proceedings of the 5th International Workshop on Software Engineering and Middleware(SEM’05). 2005:106-113.
［7］Angelo Ciampa, Corrado Aaron Visaggio, Massimiliano Di Penta. A heuristicbased approach for detecting SQLinjection vulnerabilities in Web applications［C］// Proceedings of the IEEE 2010 ICSE Workshop on Software Engineering for Secure Systems (ICSE’10). 2010:43-49.
［8］Ismail O, Etoh M, Kadobayashi Y, et al. A proposal and implementation of automatic detection/collection system for crosssite scripting vulnerability［C］// Proceedings of the International Conference on Advanced Information Networking and Applications(AINA’04). 2004:145-151.
［9］Daniel Bates, Adams Barths, Collin Jackson. Regular expression considered harmful in clientside XSS filter［C］// Proceedings of the 19th International World Wide Web Conference(WWW’10). 2010:91-100.
［10］Alkhalaf Muath, Choudhary Shauvik Roy, Fazziniy Mattia, et al. ViewPoints: Differential string analysis for discovering client and serverside input validation inconsistencies［C］// Proceedings of the 2012 International Symposium on Software Testing and Analysis (ISSTA’12). 2012:56-66.
［11］Criscione C, Zanero S. Masibty: An anomaly based intrusion prevention system for Web applications［C］// Black Hat Europe. 2009.
［12］Lam M S, Martin M, Livshits B, et al. Securing Web applications with static and dynamic information flow tracking［C］// Proceedings of the 2008 ACM SIGPLAN Symposium on Partial Evaluation and Semantics based Program Manipulation. 2008:3-12.
［13］Ezumalai R, Aghila G. Combinatorial approach for preventing SQL injection attacks［C］// Proceedings of the IEEE International Conference in Advance Computing. 2009:1212-1217.
［14］Simon Haykin. 神经网络与机器学习［M］. 北京:机械工业出版社, 2009.
［15］Brand R Skari. Bayesian Classiflcation for SQL Injection Detection［D］. University of Wyoming, 2011.

[1]	余里辉, 胡少文, 黄浪鑫, 罗澍寰. 一种使用ChatGPT的源代码安全漏洞检测方法[J]. 计算机与现代化, 2024, 0(04): 88-91.
[2]	王东岳, 刘浩. 基于多智能体遗传算法的云平台抗虚假数据注入攻击方法 #br# #br#[J]. 计算机与现代化, 2024, 0(04): 21-26.
[3]	关慧, 盛靖媛, 曹同洲. 一种基于改进TF-IDF的SQL注入攻击检测算法[J]. 计算机与现代化, 2022, 0(06): 122-126.
[4]	郑伟宁, 庄毅, 顾浩为. 一种检测控制流错误的多层分段标签方法[J]. 计算机与现代化, 2020, 0(08): 41-50.
[5]	卫津逸，徐珞，戴文博. 基于脆弱点分析的故障注入技术[J]. 计算机与现代化, 2019, 0(12): 39-.
[6]	唐存东;全上克;王志平. 高校实验室教学管理系统设计与实现[J]. 计算机与现代化, 2013, 1(9): 113-116.
[7]	欧阳和平;阳晖. VS环境下假设检验Web应用程序开发[J]. 计算机与现代化, 2012, 1(10): 187-190,.
[8]	顾坤鹏;宋顺林. 基于C++的关系代数产生的安全SQL查询 [J]. 计算机与现代化, 2011, 194(10): 177-180.
[9]	于海霞;王家骐. 引入Ajax的Struts验证框架的设计与实现 [J]. 计算机与现代化, 2010, 1(7): 27-31.
[10]	焦宁;卢潇;刘香萍;杜鹃. 基于Flex和Java的Web文件管理系统的设计与实现[J]. 计算机与现代化, 2009, 1(12): 157-159.
[11]	阳晖;余腊生欧阳和平. 一款小巧新颖的Web查表程序[J]. 计算机与现代化, 2009, 1(11): 103-107,.

一种基于神经网络的SQL注入漏洞的检测模型

SQL Injection Detection Based on Neural Network

可视化

被引次数

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 11

编辑推荐

Metrics

本文评价