SQL injection attack defense system and defense method based on dynamic mapping
Technical field
The present invention relates to the field of network security, and more particularly to an SQL injection attack defense system and defense method based on dynamic mapping.
Background art
With the rapid development of Internet technology, Web technology and database technology have become key technologies of modern information systems, and the information security of Web servers and databases is one of the core problems of Internet security today. The databases on Web servers and their back ends often store important information belonging to government organs, enterprises, institutions and individual users; the importance and value of this information make it highly attractive to attackers, so it is very frequently the target of attack.
SQL injection attacks are one common class of attack that Web servers face today. The attacker modifies the input fields of the application's Web forms or the query string of a page request, inserting a series of SQL commands that change the database query statement, so that the database server is tricked into executing malicious SQL commands; the attacker thereby gains unauthorised access to the back-end database and steals valuable data from it. SQL injection is one of the most frequently used ways of attacking a Web server and poses a serious threat to Internet security.
Patent application No. 201310714559.6 discloses a method and apparatus for recognising SQL injection attacks. The grammar and morphology of SQL are analysed first, and a rule feature library of SQL injection attacks based on SQL syntax elements and SQL syntax fields is built; when a request to query the database is received, the SQL syntax elements and SQL fields in it are extracted and matched against the feature library of SQL injection attacks, and the request is considered an SQL injection attack if the match succeeds. Because an analysis of SQL grammar and morphology alone cannot accurately distinguish normal SQL statements from SQL injection attacks, a complete feature library of SQL injection attacks cannot be built, so the method has a high false-positive rate and a high false-negative rate; and because every request has to be matched against the whole feature library, its operating efficiency is low when the database access volume is large.
Patent application No. 201510057370.3 discloses an intelligent anti-SQL-injection method based on semantic analysis. All requests from Web pages are intercepted or their data extracted, and the extracted data is sent to a security centre for processing and return of a result, while the data is checked item by item, in order, against preset judgment rules to decide whether it is harmful. This method filters before the user's request reaches the Web server, but because the preset judgment rules are based on semantic analysis, it has a large false-positive rate and false-negative rate, and the preset judgment rules have to be updated continually, so the practicality of the method is poor.
Patent application No. 201210210140.2 discloses a database-based SQL injection attack protection method. A low-level driver data security shell is set up at the operating system layer and a virtual space is formed using the hard-disk cache; the database is loaded into this virtual space, and external data passes through the data security shell, which is responsible for the data exchange between the outside and the database inside the shell when the database is accessed. The management end of the data security shell records the source address of external data, the port of the data security shell is turned into a driver that forms a filtering channel to the database, and the filtering driver of the data security shell filters all external data that accesses the database, letting safe code through to the database and filtering out and removing malicious code. The emphasis of this method is on protecting against SQL injection attacks close to the database side, but it is still rule-based and cannot defend against SQL injection attacks at the root.
In general, existing SQL injection attack defense methods are mostly rule-based: judgment rules for distinguishing normal SQL statements from SQL injection attacks are established in advance. Because attack techniques continually develop and evolve, and because the volume and diversity of data on the Internet are too great, it is difficult to build a complete rule base that accurately distinguishes normal SQL statements from SQL injection attacks, so such methods often have high false-positive and false-negative rates, and even with constant updating of the rule base they still do not provide very effective protection.
Summary of the invention
The object of the present invention is to remedy the deficiencies of existing SQL injection attack defense techniques by proposing an SQL injection attack defense system and defense method based on dynamic mapping. It does not rely on rules and does not require judgment rules for distinguishing normal SQL statements from SQL injection attacks to be established in advance; instead, SQL statements are subjected to a novel substitution transformation, so that an SQL statement maliciously injected by an attacker becomes a statement that does not conform to the database's syntax specification and cannot be executed, thereby effectively defending against SQL injection attack behaviour. The SQL injection attack defense system and defense method based on dynamic mapping of the present invention apply to many types of Web server and database system, can markedly improve the security protection of Web servers and their back-end databases, and have broad prospects for widespread application.
To achieve the above object, the technical solution provided by the present invention is as follows:
An SQL injection attack defense method based on dynamic mapping comprises the following steps:
Step 1: construct a database field substitution rule set and a site program SQL keyword substitution rule set, the database field substitution rule set containing the SQL keywords and a substitute string corresponding to each SQL keyword, and the site program SQL keyword substitution rule set likewise containing the SQL keywords and a substitute string corresponding to each SQL keyword;
Step 2: perform an initialisation substitution: replace strings occurring in the database that have the same form as SQL keywords with the corresponding substitute strings according to the database field substitution rule set, and replace the SQL keywords in the SQL statements of the site program on the Web server with the corresponding substitute strings according to the site program SQL keyword substitution rule set;
Step 3: intercept and parse each SQL statement sent by the Web server to the database; first replace strings in the SQL statement that have the same form as SQL keywords with the corresponding substitute strings according to the database field substitution rule set, then restore the substitute strings that appear in the SQL statement as a result of substitution under the site program SQL keyword substitution rule set to the corresponding SQL keywords according to that set, and then send the SQL statement to the database;
Step 4: intercept and parse each result returned by the database to the Web server, restore strings in the result that are identical to substitute strings in the database field substitution rule set according to that set, and then send the result to the Web server;
Step 5: dynamically change the site program SQL keyword substitution rule set, and according to the changed set perform an updated substitution of the SQL keywords in the SQL statements of the site program on the Web server.
Further, according to the SQL injection attack defense method based on dynamic mapping of the present invention, step 1 specifically comprises the following steps:
(1-1) generate an SQL keyword set according to user configuration information;
(1-2) generate a corresponding first substitute string for each SQL keyword in the SQL keyword set; the SQL keywords, the first substitute strings, and the correspondence between SQL keywords and first substitute strings make up the database field substitution rule set;
(1-3) generate a corresponding second substitute string for each SQL keyword in the SQL keyword set; the SQL keywords, the second substitute strings, and the correspondence between SQL keywords and second substitute strings make up the site program SQL keyword substitution rule set.
Further, according to the SQL injection attack defense method based on dynamic mapping of the present invention, the SQL keywords and the first substitute strings in the database field substitution rule set are in one-to-one correspondence; the first substitute string corresponding to each SQL keyword is an uncommon string with no concrete meaning, and no first substitute string contains a string of the same form as an SQL keyword. The SQL keywords and the second substitute strings in the site program SQL keyword substitution rule set are in one-to-one correspondence; the second substitute string corresponding to each SQL keyword is an uncommon string with no concrete meaning, and no second substitute string contains a string of the same form as an SQL keyword. The database field substitution rule set and the site program SQL keyword substitution rule set do not contain any identical substitute string.
Further, according to the SQL injection attack defense method based on dynamic mapping of the present invention, step 3 specifically comprises the following steps:
(3-1) intercept and parse the SQL statement sent by the Web server to the database, compare the SQL statement with the database field substitution rule set, and judge whether the SQL statement contains a string of the same form as an SQL keyword in the database field substitution rule set; if so, replace that string with the corresponding substitute string according to the database field substitution rule set; if not, perform no substitution;
(3-2) restore the substitute strings that appear in the SQL statement as a result of substitution under the site program SQL keyword substitution rule set to the corresponding SQL keywords according to that set, and then send the SQL statement to the database.
Further, according to the SQL injection attack defense method based on dynamic mapping of the present invention, step 4 specifically comprises: intercept and parse the result returned by the database to the Web server, compare the result with the database field substitution rule set, and judge whether the result contains a string identical to a substitute string in the database field substitution rule set; if so, restore that string according to the database field substitution rule set; if not, perform no restoration; finally send the result to the Web server.
Further, according to the SQL injection attack defense method based on dynamic mapping of the present invention, step 5 specifically comprises the following steps:
(5-1) generate a new site program SQL keyword substitution rule set at set intervals;
(5-2) perform an updated substitution of the SQL statements of the site program on the Web server according to the new site program SQL keyword substitution rule set, replacing the SQL keywords in the SQL statements with the corresponding substitute strings according to the new set;
(5-3) delete the old site program SQL keyword substitution rule set.
An SQL injection attack defense system based on dynamic mapping comprises:
a substitution rule construction unit for constructing a database field substitution rule set and a site program SQL keyword substitution rule set, the database field substitution rule set containing the SQL keywords and a substitute string corresponding to each SQL keyword, and the site program SQL keyword substitution rule set containing the SQL keywords and a substitute string corresponding to each SQL keyword;
an initialisation substitution unit for performing the initialisation substitution: replacing strings occurring in the database that have the same form as SQL keywords with the corresponding substitute strings according to the database field substitution rule set, and replacing the SQL keywords in the SQL statements of the site program on the Web server with the corresponding substitute strings according to the site program SQL keyword substitution rule set;
an access data processing unit for intercepting and parsing each SQL statement sent by the Web server to the database, first replacing strings in the SQL statement that have the same form as SQL keywords with the corresponding substitute strings according to the database field substitution rule set, then restoring the substitute strings that appear in the SQL statement as a result of substitution under the site program SQL keyword substitution rule set to the corresponding SQL keywords according to that set, and then sending the SQL statement to the database;
a returned result processing unit for intercepting and parsing each result returned by the database to the Web server, restoring strings in the result that are identical to substitute strings in the database field substitution rule set according to that set, and then sending the result to the Web server;
a dynamic mapping unit for dynamically changing the site program SQL keyword substitution rule set and, according to the changed set, performing an updated substitution of the SQL keywords in the SQL statements of the site program on the Web server.
An SQL injection attack defense system based on dynamic mapping comprises a substitution rule initialisation unit, a database field substitution unit, a site program SQL keyword substitution unit, a communication data processing unit, a substitution rule dynamic mapping unit and a substitution rule storage unit;
the substitution rule initialisation unit constructs the database field substitution rule set and the site program SQL keyword substitution rule set on the basis of user configuration information, stores the database field substitution rule set and its generation time in the substitution rule storage unit, stores the site program SQL keyword substitution rule set and its generation time in the substitution rule storage unit, and at the same time notifies the database field substitution unit to complete the initialisation substitution of strings in the database that have the same form as SQL keywords according to the database field substitution rule set, and notifies the site program SQL keyword substitution unit to complete the initialisation substitution of the SQL statements of the site program on the Web server according to the site program SQL keyword substitution rule set, where the database field substitution rule set and the site program SQL keyword substitution rule set each contain the SQL keywords and a substitute string corresponding to each SQL keyword;
the database field substitution unit, on the substitution notification from the substitution rule initialisation unit, replaces strings occurring in the database that have the same form as SQL keywords with the corresponding substitute strings according to the database field substitution rule set stored in the substitution rule storage unit;
the site program SQL keyword substitution unit, on the substitution notification from the substitution rule initialisation unit or the substitution rule dynamic mapping unit, replaces the SQL keywords in the SQL statements of the site program on the Web server with the corresponding substitute strings according to the site program SQL keyword substitution rule set stored in the substitution rule storage unit;
the communication data processing unit comprises an access data processing module and a returned result processing module; the access data processing module intercepts and parses each SQL statement sent by the Web server to the database, first replaces strings in the SQL statement that have the same form as SQL keywords with the corresponding substitute strings according to the database field substitution rule set, then restores the substitute strings that appear in the SQL statement as a result of substitution under the site program SQL keyword substitution rule set to the corresponding SQL keywords according to that set, and then sends the SQL statement to the database; the returned result processing module intercepts and parses each result returned by the database to the Web server, restores strings in the result that are identical to substitute strings in the database field substitution rule set according to that set, and then sends the result to the Web server;
the substitution rule dynamic mapping unit dynamically changes the site program SQL keyword substitution rule set stored in the substitution rule storage unit, notifies the site program SQL keyword substitution unit to substitute the SQL keywords in the SQL statements of the site program on the Web server according to the new site program SQL keyword substitution rule set after the change, and, once that substitution is complete, deletes the old site program SQL keyword substitution rule set stored in the substitution rule storage unit.
Further, according to the SQL injection attack defense system based on dynamic mapping of the present invention, the substitution rule storage unit comprises a first storage module and a second storage module; the database field substitution rule set and its generation time are stored in the first storage module, and the site program SQL keyword substitution rule set and its generation time are stored in the second storage module. After intercepting an SQL statement sent by the Web server to the database, the access data processing module queries the database field substitution rule set in the first storage module to judge whether the SQL statement contains a string of the same form as an SQL keyword in the database field substitution rule set; if so, it replaces that string with the corresponding substitute string according to the database field substitution rule set, and if not, it leaves the statement unchanged. The access data processing module then queries the site program SQL keyword substitution rule set in the second storage module, restores the strings in the SQL statement that are identical to substitute strings in the site program SQL keyword substitution rule set to the corresponding SQL keywords according to that set, and then sends the SQL statement to the database. After intercepting a result returned by the database to the Web server, the returned result processing module queries the database field substitution rule set in the first storage module, restores the strings in the result that are identical to substitute strings in the database field substitution rule set according to that set, and then sends the result to the Web server.
Use of the SQL injection attack defense system based on dynamic mapping of the present invention: the SQL injection attack defense system based on dynamic mapping is deployed on the Web server or between the Web server and the database.
Beneficial effects of the present invention:
1) The present invention introduces a new approach to SQL injection attack defense that is not rule-based and requires no maintenance of a huge rule base, which greatly reduces the development and maintenance cost of SQL injection attack defense; the system can defend not only against known SQL injection attacks but also against unknown ones, with very low false-positive and false-negative rates;
2) The present invention is transparent to the requests of normal users accessing the Web server and the back-end database, whereas for SQL injection attacks, the SQL statement maliciously injected by the attacker becomes, after the field substitution of the present invention, a statement that does not conform to the database's syntax specification and cannot be executed, so that SQL injection attack behaviour of any kind is effectively defended against;
3) The present invention introduces the idea of dynamic mapping, breaking with the static nature of traditional SQL injection attack defense methods: by dynamically changing the substitution rules for the SQL keywords of the SQL statements in the site program on the Web server, an attacker cannot break through the SQL injection attack defense system by repeated attack attempts;
4) Verification with a prototype has shown that the present invention effectively prevents SQL injection attack behaviour; the solution of the present invention is easy to implement and deploy, simple to operate, safe and reliable, and has significant economic and social benefits and broad prospects for commercial application.
Description of the drawings
Fig. 1 is the overall structural block diagram of the SQL injection attack defense system based on dynamic mapping of the present invention;
Fig. 2 is the flow chart of the SQL injection attack defense method based on dynamic mapping of the present invention;
In the figures, the reference numerals have the following meanings:
11 - substitution rule initialisation unit; 12 - substitution rule storage unit; 13 - database field substitution unit; 14 - site program SQL keyword substitution unit; 15 - communication data processing unit; 16 - substitution rule dynamic mapping unit.
Detailed description of embodiments
The technical solution of the present invention is described in detail below with reference to the accompanying drawings, so that those skilled in the art can understand it more clearly; this does not limit the scope of the invention.
For ease of narration, an example of an SQL injection attack is given first. Assume that the SQL query statement used for login verification in the site program on a Web server is select*from users where name='<user-entered user name>' and pw='<user-entered password>'. An attacker maliciously enters the user name 1'or'1'='1 and the password 1'or'1'='1; the original SQL query statement then becomes select*from users where name='1'or'1'='1'and pw='1'or'1'='1', which is equivalent to select*from users, and through this injection the attacker can log in to the website without an account and password, achieving the purpose of the attack. The essence of an SQL injection attack is that the attacker inserts a series of SQL statements into the input fields of the application's Web forms or the query string of a page request, changing the command that operates on the database; in other words, the SQL statements injected by an attacker are generated dynamically.
The innovative principle of the present invention is explained first.
First, the technical staff determine all, or the commonly used, SQL keywords that the SQL statements operating on the database contain (including select, where, union, and, or, etc.), forming an SQL keyword set, denoted set A; each element of set A corresponds to one SQL keyword. A set B is then constructed from set A: each element of set A is assigned a corresponding uncommon string with no concrete meaning (the strings are generated at random, guaranteed not to repeat and not to contain any string of the same form as an SQL keyword), preferably of the same length as the keyword it replaces; for example, the select in set A is replaced with df#g$u. The correspondence for each element of set A is recorded, forming the database field substitution rule set, denoted set B. That is, set B contains each element of set A together with its corresponding string: if set A is {..., select, where, and, or, ...}, then set B is {..., select → df#g$u, where → r$#de, and → @#*, or → %&, ...}. At the same time a set C is constructed from set A in the same way: each element of set A is assigned a corresponding uncommon string with no concrete meaning (generated at random, guaranteed not to repeat and not to contain any string of the same form as an SQL keyword), preferably of the same length as the keyword; for example, the select in set A is replaced with sdf&e$. The correspondence for each element of set A is recorded, forming the site program SQL keyword substitution rule set, denoted set C. That is, set C contains each element of set A together with its corresponding string: if set A is {..., select, where, and, or, ...}, then set C is {..., select → sdf&e$, where → ergf&, and → fr#, or → g$, ...}. It is ensured at the same time that set B and set C contain no identical string, and that none of the strings corresponding to the elements of set A in set B or set C contains a string of the same form as an SQL keyword.
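As an added example (not code from the patent), the construction of sets A, B and C described above in Python: a generator that produces random substitutes of the same length as each keyword under the stated constraints, and a checker that reports violations. The checker adds one constraint the description does not state: no substitute of either set may occur inside another substitute, because restoring substitutes by string replacement would otherwise corrupt strings produced by the other set. The description's own sample values trip that check, since set C's g$ for or occurs inside set B's df#g$u for select. The keyword list, the alphabet and the function names are choices made for this example.

```python
import secrets
import string

# Set A: the SQL keywords used by the site program (constructed subset).
SQL_KEYWORDS = ["select", "from", "where", "union", "and", "or"]

# Alphabet from which random substitutes are drawn (constructed choice).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*~"


def generate_rules(keywords, reserved=()):
    """Build one substitution rule set (set B or set C) from set A.

    Each keyword gets a random string of the same length that contains no
    keyword (case-insensitively), is not already in use (`reserved` carries the
    other set's strings), and neither contains nor is contained in any string
    already chosen, so that restoration by string replacement is unambiguous."""
    chosen = set(reserved)
    rules = {}
    for kw in keywords:
        while True:
            cand = "".join(secrets.choice(ALPHABET) for _ in range(len(kw)))
            if any(k in cand.lower() for k in keywords):
                continue
            if any(cand in s or s in cand for s in chosen):
                continue
            break
        chosen.add(cand)
        rules[kw] = cand
    return rules


def build_rule_sets(keywords):
    """Step 1 of the method: set B first, then set C disjoint from set B."""
    db_rules = generate_rules(keywords)
    prog_rules = generate_rules(keywords, reserved=db_rules.values())
    return db_rules, prog_rules


def validate_rules(keywords, db_rules, prog_rules):
    """Return the constraint violations of a (set B, set C) pair as a list of
    messages: the description's constraints (one substitute per keyword, no
    repeats, no keyword inside a substitute, B and C disjoint) plus the added
    overlap check."""
    problems = []
    for label, rules in (("B", db_rules), ("C", prog_rules)):
        if set(rules) != set(keywords):
            problems.append(f"set {label} does not cover set A exactly")
        if len(set(rules.values())) != len(rules):
            problems.append(f"set {label} reuses a substitute string")
        for kw, sub in rules.items():
            if any(k in sub.lower() for k in keywords):
                problems.append(f"set {label}: substitute for {kw!r} contains a keyword")
    if set(db_rules.values()) & set(prog_rules.values()):
        problems.append("sets B and C share a substitute string")
    subs = list(db_rules.values()) + list(prog_rules.values())
    for i, a in enumerate(subs):
        for b in subs[i + 1:]:
            if a != b and (a in b or b in a):
                problems.append(f"substitutes {a!r} and {b!r} overlap")
    return problems


if __name__ == "__main__":
    b, c = build_rule_sets(SQL_KEYWORDS)
    print("set B:", b)
    print("set C:", c)
    print("problems:", validate_rules(SQL_KEYWORDS, b, c))
```

Running the file prints a freshly generated pair of sets and an empty problem list; passing the description's sample values for select, where, and and or to validate_rules returns the single overlap message for df#g$u and g$.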
Then, in the initialisation phase, the elements occurring in the database to be defended that are identical to elements of set A (including select, where, union, and, or, etc.) are each replaced with the corresponding string according to the rules of set B (preferably a replacement of equal length); and the SQL keywords (including select, where, union, and, or, etc.) of the SQL statements written in advance in the site program on the Web server, which is the database access end, are each replaced with the corresponding string according to the rules of set C (preferably a replacement of equal length).
It should be explained here that the substitution of the database content and the substitution of the site program content on the Web server are two independent processes with no required order, just as set B and set C are independent of each other with no dependency; set B and set C share no element, and neither contains any SQL keyword. The substitution of the database content described above is a substitution, under the rules of set B, of the fields in the database to be queried that are identical to elements of set A. This substitution is applied to the database and does not distinguish whether the object being replaced is a keyword; in the statements concerned, the elements of set B that occur in the database (such as select) are therefore uniformly regarded as strings of the same form as SQL keywords, because a database contains no SQL keywords as such but may contain strings whose characters are identical to those of an SQL keyword, such as the string select. The substitution of the site program content on the Web server, on the other hand, is a substitution under the rules of set C of the SQL keywords identical to elements of set A that occur in the static SQL statements written in advance, for operating on the database, in the site program that is the database access port. This substitution applies to the static SQL statement parts written in advance in the Web server's site program, and its direct object is the SQL keywords in those SQL statements; field information in the dynamic user-input part is not replaced. If, for example, a select in the site program is not part of an SQL statement but is an ordinary string belonging to user input, it is not an SQL keyword of the SQL statement part of the site program, and that select string is not replaced. The SQL statements used in a site program to operate on a given class of database are generally all fixed.
The substitution described above is the initialisation-phase substitution carried out after the SQL injection attack defense system is deployed. Thereafter, whenever a site program on the Web server needs to operate on the database, the deployed SQL injection attack defense system intercepts the communication data sent by the site program to the database, parses out the SQL statement for operating on the database from the communication data, and performs the defense operations in the following steps:
First step: the elements of set A that occur in the SQL statement are replaced according to the corresponding rules of set B (for example, a select entered by the user in the SQL statement is replaced with df#g$u); if no element of set A occurs in the SQL statement, no substitution is needed. (Explanation: since all SQL keywords used in the site program to operate on the database have been replaced according to rule set C, an element of set A cannot occur in the SQL keyword part of the SQL statement; an element of set A can only occur in the user-input part of the SQL statement. Hence if no element of set A occurs in the SQL statement, the user has not entered a string of the kind select, where, union, and, and so on.)
Second step: the strings in the SQL statement that were substituted according to the rules of set C are restored to the corresponding SQL keywords according to the rules of set C (for example, sdf&e$ is restored to select; this restoration is performed because the SQL statement was generated by the Web server's site program, whose SQL keywords for operating on the database were replaced according to rule set C in the initialisation phase described above), and then the restored communication data is sent to the database. After restoration, the SQL keywords in the SQL statement are completely restored to the normal keywords of an SQL query; only the user-input fields, which are not SQL keywords, are not restored. But if the user-input part contained SQL keywords that could cause an injection attack, they were replaced according to rule set B in the first step above, so that after the restored communication data is sent to the database, if the user made an injection attack input, the whole SQL statement has become a statement with grammatical and semantic errors that cannot be executed by the database, and the SQL injection attack fails.
In the third step, when the database returns its result, the defense system intercepts the communication data sent from the database to the Web server, parses the content returned after the database executed the statement, consults set B, and restores any strings that were substituted according to rule set B (for example df#g$u is restored to select). This guarantees normal access for non-attack input: in the first step, fields in the user-input part of the statement that are identical to elements of set A were replaced, and during initialization the same replacement was applied to identical fields stored in the database, so for a non-injecting access whose user input matches a stored field the database can still return the result, and the replaced fields in that result must be restored before the data are forwarded to the Web server. If the returned content contains no string that was substituted according to rule set B, no restoration is needed.
Further, to prevent an attacker from guessing the substitution rule set C used for the SQL keywords of the site program on the Web server (select, where, union, and, or and so on), set C is changed dynamically: at set intervals a new rule set C1 is generated, the SQL keywords of the site program's statements are rewritten according to C1, and the old set C is deleted once the rewrite is complete. In a real Web site there is a great deal of content to rewrite, and every rewrite takes a certain amount of time. So that the Web server can keep serving requests during the rewrite, the old and the new rule sets are preferably both in use at the same time; the old set C is deleted only after all operations that depend on it have finished, and thereafter substitution follows the new set C1. When C1 is generated, only the substitute string of each keyword element in C needs to be regenerated.
The SQL injection defense system and defense method based on dynamic mapping of the present invention are described in detail below on the basis of the above principle.
As shown in Figure 1, the SQL injection defense system based on dynamic mapping comprises a substitution rule initialization unit 11, a substitution rule storage unit 12, a database field replacement unit 13, a site program SQL keyword replacement unit 14, a communication data processing unit 15 and a substitution rule dynamic transformation unit 16. The substitution rule initialization unit 11 is connected to the substitution rule storage unit 12, the database field replacement unit 13 and the site program SQL keyword replacement unit 14; the substitution rule storage unit 12 is connected to the database field replacement unit 13, the site program SQL keyword replacement unit 14 and the communication data processing unit 15; the database field replacement unit 13 is connected to the substitution rule storage unit 12; the site program SQL keyword replacement unit 14 is connected to the substitution rule storage unit 12 and the substitution rule dynamic transformation unit 16; the communication data processing unit 15 is connected to the substitution rule storage unit 12; and the substitution rule dynamic transformation unit 16 is connected to the substitution rule storage unit 12 and the site program SQL keyword replacement unit 14.
The substitution rule initialization unit 11 generates the database field substitution rule set (set B) and the site program SQL keyword substitution rule set (set C). First, the technical staff determine all, or the commonly used, SQL keywords of the statements that operate the database (select, where, union, and, or and so on) and enter them through a user configuration module, forming the SQL keyword set, denoted set A. From the configured set A, the initialization unit 11 generates for each element a corresponding string (generated at random, meaningless, uncommon and guaranteed not to repeat; preferably all strings are of equal length) and records the correspondence between each element of set A and its string (a correspondence in set B is written in the form select → df#g$u, but the form is not limited to this). This forms the database field substitution rule set, denoted set B, which contains every SQL keyword and the substitute string of each. The initialization unit 11 then stores set B and its generation time in the substitution rule storage unit 12 and, in the initialization stage, notifies the database field replacement unit 13 to replace the database fields. At the same time the initialization unit 11 generates, from the configured set A, the site program SQL keyword substitution rule set, set C, which likewise records each element of set A and its corresponding string (a correspondence in set C is written in the form select → sdf&e$, but the form is not limited to this), i.e. set C contains every SQL keyword and the substitute string of each; the initialization unit 11 stores set C and its generation time in the substitution rule storage unit 12 and, in the initialization stage, notifies the site program SQL keyword replacement unit 14 to perform the first replacement of the SQL keywords in the statements of the site program on the Web server. The initialization unit 11 generates set C in the same way as set B, but ensures that set B and set C share no string and that neither contains a string identical to an SQL keyword.
The substitution rule storage unit 12 comprises a database field substitution rule set storage module and a site program SQL keyword substitution rule set storage module. The former stores the database field substitution rule set B and its generation time; the latter stores the site program SQL keyword substitution rule set C and its generation time.
The database field replacement unit 13 receives the replacement notification from the substitution rule initialization unit 11 and replaces fields in the database. Specifically, it queries the database field substitution rule set storage module of the substitution rule storage unit 12 and, according to the database field substitution rule set B stored there, replaces each element appearing in the database that is identical to an element of set A (select, where, union, and, or and so on) with its corresponding string (for example a select occurring in the database is replaced with df#g$u).
The site program SQL keyword replacement unit 14 receives notifications from the substitution rule initialization unit 11 or the substitution rule dynamic transformation unit 16 and performs the replacement of SQL keywords in the site program on the Web server. Specifically, on receiving the replacement notification from the initialization unit 11, it queries the site program SQL keyword substitution rule set C stored in the substitution rule storage unit 12 and replaces the SQL keywords (select, where, union, and, or and so on) of the statements in the site program on the Web server with the corresponding strings of set C (for example select is replaced with sdf&e$); this is the replacement of the initialization stage. On receiving the replacement notification from the dynamic transformation unit 16, at which point the storage unit 12 holds the newly generated site program SQL keyword substitution rule set C1, it replaces the SQL keywords of the statements in the site program with the corresponding substitute strings of C1; this is the update replacement of the dynamic transformation stage. Preferably the replacement unit 14 records the position of each replaced SQL keyword in the site program, so that during a subsequent dynamic transformation it can update the strings at the recorded positions directly according to the new set C1, completing the dynamic transformation of the site program's statements more quickly. When the replacement is complete, the replacement unit 14 notifies the dynamic transformation unit 16 to delete the old set C (identified by its generation time) from the site program SQL keyword substitution rule set storage module of the storage unit 12. If the storage unit 12 holds only one set C, or operations based on the old set C have not yet completed, no deletion is performed.
The communication data processing unit 15 comprises an access data processing module and a returned result processing module. The access data processing module intercepts the communication data sent from the site program to the database, parses out the SQL statement the site program uses to operate the database, and queries set B in the database field substitution rule set storage module and set C in the site program SQL keyword substitution rule set storage module of the storage unit 12. It first replaces, according to the rules of set B, every string in the statement that is identical to an element of set A (for example select is replaced with df#g$u); if the statement contains no such string, nothing is replaced. It then restores, according to the rules of set C, the strings that were substituted according to set C in the initialization stage to the corresponding SQL keywords (for example sdf&e$ is restored to select). Finally it sends the modified communication data to the database. The returned result processing module processes the communication data sent from the database to the Web server: it parses the content returned after the database executed the statement, queries set B in the database field substitution rule set storage module of the storage unit 12, restores the strings that were substituted according to rule set B (for example df#g$u is restored to select), or leaves the data unchanged if no such string occurs, and finally sends the modified communication data to the Web server. In other words, the communication data processing unit 15 performs the substitution and restoration of the communication data between the Web server and the database on the basis of the content stored in the substitution rule storage unit 12.
The substitution rule dynamic transformation unit 16 comprises a site program SQL keyword substitution rule set generation module and a site program SQL keyword substitution rule set deletion module. At set intervals the generation module generates a new rule set C for replacing the site program's SQL keywords (i.e. a new site program SQL keyword substitution rule set); preferably it does so by copying the current set and then changing the string corresponding to each keyword element in the copy into a new random string. The generation module stores the newly generated set C and its generation time in the site program SQL keyword substitution rule set storage module of the storage unit 12 and at the same time notifies the site program SQL keyword replacement unit 14 to replace the SQL keywords of the site program on the Web server using the newest set C (identified by its generation time). The deletion module, on receiving the notification from the replacement unit 14, deletes the old set C stored in the site program SQL keyword substitution rule set storage module of the storage unit 12.
The present invention further provides an SQL injection defense method carried out with the above defense system. As shown in Figure 2, the defense system may be deployed on the Web server itself or at any point between the Web server and the database; its position is not limited. The defense method comprises the following steps:
Step (1): construct the database field substitution rule set and the site program SQL keyword substitution rule set. The substitution rule initialization unit 11 builds the SQL keyword set (set A) from the user configuration, builds from set A the database field substitution rule set (denoted set B) and the site program SQL keyword substitution rule set (denoted set C), stores set B and its generation time in the database field substitution rule set storage module of the storage unit 12, and stores set C and its generation time in the site program SQL keyword substitution rule set storage module of the storage unit 12. As stated above, set A contains the SQL keywords of the statements that operate the database and is configured by user input; its form is {..., select, where, and, or, ...}. Set B assigns to each element of set A one meaningless, uncommon string and records the correspondence; its form is {..., select → df#g$u, where → r$#de, and → @#*, or → %&, ...}. Set C is generated in a similar way to set B, again assigning one meaningless, uncommon string to each element of set A and recording the correspondence, but set C contains none of the strings that appear in set B; its form is {..., select → sdf&e$, where → ergf&, and → fr#, or → g$, ...}. Preferably the strings that set B and set C assign to the elements of set A are all of equal length, and no string contains an SQL keyword element of set A. Since set B and set C both contain every element of set A together with its corresponding string, each subsequent replacement operation can be completed using set B and set C.
Step (2): perform the initialization replacement, which comprises:
(2-1) The substitution rule initialization unit 11 notifies the database field replacement unit 13 to replace the database fields. The database field replacement unit 13 queries the substitution rule storage unit 12 to obtain the database field substitution rule set B, then queries the database and replaces each element in the database that is identical to an element of set A with its corresponding string according to the rules of set B.
(2-2) The substitution rule initialization unit 11 notifies the site program SQL keyword replacement unit 14 to replace the SQL keywords in the site program on the Web server. The site program SQL keyword replacement unit 14 queries the substitution rule storage unit 12 to obtain the site program SQL keyword substitution rule set C, then scans the site program on the Web server and replaces the SQL keywords of its SQL statements with the corresponding strings according to the rules of set C, completing the initialization replacement of the SQL keywords in the Web server's site program.
Step (3): after the initialization replacement, whenever a site program on the Web server operates the database, the communication data processing unit 15 intercepts the communication data sent from the site program to the database, parses out the SQL statement that operates the database, and performs the following operations:
(3-1) The communication data processing unit 15 queries the database field substitution rule set storage module of the storage unit 12 and replaces each element in the intercepted statement that is identical to an element of set A with its corresponding string according to the rules of set B. If no element identical to an element of set A occurs in the statement (meaning the user has not entered SQL keywords such as select, where, union or and, since all SQL keywords outside the user-input part were already replaced in the initialization stage), nothing is replaced.
(3-2) The communication data processing unit 15 queries the site program SQL keyword substitution rule set storage module of the storage unit 12 and restores the strings in the intercepted statement that were substituted according to set C to the corresponding SQL keywords according to the rules of set C, then sends the communication data containing the restored statement to the database. In this step the statement's own SQL keywords are fully restored to normal query keywords; only the user-input fields, which are not SQL keywords, are left unrestored. If the user-input part contained SQL keywords capable of causing an injection, they were turned into irregular strings according to rule set B in step (3-1); a statement containing such irregular strings is syntactically and semantically invalid when it reaches the database, is not executed by the database, and the injection fails (see Embodiment 3).
Step (4): when the database returns the access result to the Web server, the communication data processing unit 15 intercepts the communication data sent from the database to the Web server, parses the content returned after the database executed the statement, and performs the following operation: it queries the database field substitution rule set storage module of the storage unit 12 and restores the strings in the returned result that were substituted according to set B to the corresponding elements according to the rules of set B (for example df#g$u is restored to select); if the returned content contains no string that was substituted according to set B, no restoration is performed. Finally the communication data processing unit 15 sends the modified communication data to the Web server. This step ensures normal access for non-attack input: in step (3-1) the fields in the user-input part of the statement that are identical to elements of set A were replaced, and during initialization the same replacement was applied to identical fields in the database, so for a non-injecting access whose user input matches a stored field the database can still return the result, and the replaced fields in that result must be restored before the data are sent to the Web server (see Embodiment 2).
Step (5): at set intervals the site program SQL keyword substitution rule set generation module of the substitution rule dynamic transformation unit 16 generates a new site program SQL keyword substitution rule set C, stores the new set C and its generation time in the site program SQL keyword substitution rule set storage module of the storage unit 12, and notifies the site program SQL keyword replacement unit 14 to replace the SQL keywords of the site program's statements on the Web server using the newest set C (identified by its generation time), i.e. to perform step (2-2) again. When the replacement is complete, the site program SQL keyword replacement unit 14 notifies the site program SQL keyword substitution rule set deletion module of the dynamic transformation unit 16 to delete the old set C (identified by its generation time) stored in the site program SQL keyword substitution rule set storage module of the storage unit 12.
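The three interception steps and the dynamic transformation described at the start of this section, and method steps (1) to (5) above, in working form. This is an added example written for this page, not the patent's own implementation: the function names (build_rule_sets, substitute, restore, proxy_request, rotate_set_c), the keyword set and the login query are constructed for the example, the substitute strings are random alphanumeric tokens of equal length, and keywords are matched as whole words and case-insensitively. The patent does not state how a match is found; whole-word matching is what keeps a stored value such as the password "password" of the embodiments, which contains "or", intact.

```python
"""Rule sets A/B/C, site-program rewriting, proxy transforms and rotation of
set C.  Added example; not the patent's own code."""
import re
import secrets
import string

ALPHABET = string.ascii_lowercase + string.digits
SET_A = ["select", "where", "union", "and", "or"]   # constructed keyword set A


def random_token(length, taken):
    """Random, meaningless token of fixed length that is not a keyword, not
    already issued, and contains no keyword as a substring (step (1))."""
    while True:
        tok = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if tok not in taken and not any(k in tok for k in SET_A):
            taken.add(tok)
            return tok


def build_rule_sets(length=8):
    """Set B (database fields / user input) and set C (site program); no
    token is shared between the two sets."""
    taken = set(SET_A)
    set_b = {k: random_token(length, taken) for k in SET_A}
    set_c = {k: random_token(length, taken) for k in SET_A}
    return set_b, set_c


def substitute(text, mapping):
    """Whole-word, case-insensitive replacement (an assumption of this
    example: 'password' must keep its embedded 'or')."""
    pat = re.compile(r"\b(" + "|".join(map(re.escape, mapping)) + r")\b", re.I)
    return pat.sub(lambda m: mapping[m.group(1).lower()], text)


def restore(text, mapping):
    """Inverse of substitute()."""
    return substitute(text, {v: k for k, v in mapping.items()})


def proxy_request(sql, set_b, active_c_sets):
    """Steps (3-1) and (3-2).  During a rotation the old and the new set C
    are both active, so the statement is restored against each of them."""
    sql = substitute(sql, set_b)          # user-supplied keywords -> B tokens
    for set_c in active_c_sets:
        sql = restore(sql, set_c)         # program's C tokens -> real keywords
    return sql


def rotate_set_c(site_sql, old_c, set_b, length=8):
    """Step (5): regenerate each keyword's token to form C1 and rewrite the
    recorded positions in the site program directly from old token to new.
    The caller retires old_c only after requests still carrying old tokens
    have been served."""
    taken = set(SET_A) | set(set_b.values()) | set(old_c.values())
    new_c = {k: random_token(length, taken) for k in SET_A}
    new_site_sql = substitute(site_sql, {old_c[k]: new_c[k] for k in SET_A})
    return new_c, new_site_sql


def demo():
    """Initialization, a normal login, an injection attempt and one rotation;
    returns the statements the database would receive plus the rule sets."""
    set_b, set_c = build_rule_sets()
    # Constructed site-program query, rewritten at initialization (step (2-2)).
    site_sql = substitute("select * from users where name='%s' and pw='%s'", set_c)
    normal = proxy_request(site_sql % ("admin", "password"), set_b, [set_c])
    attack = proxy_request(site_sql % ("1'or'1'='1", "x"), set_b, [set_c])
    new_c, new_site_sql = rotate_set_c(site_sql, set_c, set_b)
    # Old and new C coexist until the rewrite has finished everywhere.
    after = proxy_request(new_site_sql % ("admin", "password"), set_b, [set_c, new_c])
    return normal, attack, after, set_b, set_c, new_c


if __name__ == "__main__":
    normal, attack, after, *_ = demo()
    print(normal)
    print(attack)
    print(after)
```

Run as a script it prints the statement the database receives for the normal login (the original query, unchanged), for the injection attempt (the attacker's "or" replaced by its set B token, which no SQL parser accepts in that position) and for the normal login after the rotation (again the original query, because the proxy restores against both the old and the new set C).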
The SQL injection defense method of the present invention applies a substitution transformation to SQL statements, so that a statement maliciously injected by an attacker becomes a statement that violates the database's syntax and cannot be executed, thereby defending effectively against SQL injection. To further explain the solution, the following embodiments show a normal user operating the database and an SQL injection attack after the defense system has been deployed.
Embodiment 1
Embodiment 1 is an example of a normal user operating the database. Assume the login authentication query of a site program is select * from users where name='<user name entered by the user>' and pw='<password entered by the user>'; the correct user name is admin, the correct password is password, and the user name admin and the password password are stored in the database. The user-configured SQL keyword set A is {..., select, where, and, ...}. The database field substitution rule set B built from set A is {..., select → string a, where → string b, and → string c, ...} (the irregular substitute strings are abbreviated here for ease of description); the site program SQL keyword substitution rule set C built from set A is {..., select → string h, where → string i, and → string j, ...} (again abbreviated; strings h, i, j differ from strings a, b, c). The database content is first replaced according to set B, i.e. every select occurring in the database becomes string a, every where becomes string b, every and becomes string c, and so on; at the same time the SQL keywords of the statements the site program uses to operate the database are replaced according to set C, i.e. select in the site program becomes string h, where becomes string i and and becomes string j. Assume the user enters the correct user name and password and queries the database. The statement sent from the site program to the database is then h*from users i name='admin' j pw='password'. When the defense system intercepts this statement it finds no element of set A in it, so no replacement according to rule set B is needed; it then consults set C and restores the strings substituted according to set C (string h is restored to select, string i to where and string j to and), so the statement becomes select*from users where name='admin' and pw='password'. This statement conforms to the database's syntax and executes normally when it reaches the database; in this case the defense system is transparent to the normal user operating the database.
Embodiment 2
A second example of a normal user operating the database follows. Assume the login authentication query of a site program is select * from users where name='<user name entered by the user>' and pw='<password entered by the user>'; the correct user name is select, the correct password is password, and the user name select and the password password are stored in the database. The user-configured SQL keyword set A is {..., select, where, and, ...}. The database field substitution rule set B built from set A is {..., select → string a, where → string b, and → string c, ...} (abbreviated as before); the site program SQL keyword substitution rule set C built from set A is {..., select → string h, where → string i, and → string j, ...} (abbreviated as before; strings h, i, j differ from strings a, b, c). The database content is first replaced according to set B, i.e. every select in the database becomes string a, every where becomes string b, every and becomes string c, and so on; at the same time the SQL keywords of the site program's statements are replaced according to set C, i.e. select in the site program becomes string h, where becomes string i and and becomes string j. Assume the user enters the correct user name and password and queries the database. The statement sent from the site program to the database is then h*from users i name='select' j pw='password'. When the defense system intercepts this statement it finds the element select of set A in it, so it applies the rule of set B (select → string a) and the statement becomes h*from users i name='a' j pw='password'. It then consults set C and restores the strings substituted according to set C (string h to select, string i to where, string j to and), so the statement becomes select*from users where name='a' and pw='password'. Because the select stored in the database was also replaced with string a, this statement conforms to the database's syntax and executes normally when it reaches the database; in this case too the defense system is transparent to the normal user. Since the select stored in the database was replaced with string a, the database finds string a when executing the statement; if the database's returned result contains string a, it must be restored to select according to set B, which guarantees that the data are accessed normally in this case.
Embodiment 3
An example of an SQL injection attack follows. Assume the login authentication query of a site program is select * from users where name='<user name entered by the user>' and pw='<password entered by the user>'; the correct user name is admin, the correct password is password, and the user name admin and the password password are stored in the database. If the attacker enters 1'or'1'='1 as the user name and 1'or'1'='1 as the password, then without the defense system of the present invention the statement sent to the database becomes select*from users where name='1'or'1'='1' and pw='1'or'1'='1', which is equivalent to select*from users; through such an injection the attacker can log in to the site without an account or password and so achieve the attack. After the defense system is deployed, according to the solution of the present invention the SQL keyword set A is first built as {..., select, where, and, or, ...}. The database field substitution rule set B built from set A is {..., select → string a, where → string b, and → string c, or → string d, ...} (abbreviated as before); the site program SQL keyword substitution rule set C built from set A is {..., select → string h, where → string i, and → string j, or → string k, ...} (abbreviated as before; strings h, i, j, k differ from strings a, b, c, d). The database content is first replaced according to set B, i.e. every select in the database becomes string a, every where becomes string b, every and becomes string c, every or becomes string d, and so on; at the same time the SQL keywords of the site program's statements are replaced according to set C, i.e. select in the site program becomes string h, where becomes string i and and becomes string j. Since the site program's database statements contain no or, no replacement of or is performed there. Assume the attacker enters 1'or'1'='1 as the user name and 1'or'1'='1 as the password. The statement sent from the site program to the database is then h*from users i name='1'or'1'='1' j pw='1'or'1'='1'. When the defense system intercepts this statement it finds the element or of set A in it, so it applies the rule of set B (or → string d) and the statement becomes h*from users i name='1'd'1'='1' j pw='1'd'1'='1'. It then consults set C and restores the strings substituted according to set C (string h to select, string i to where, string j to and), so the statement becomes select*from users where name='1'd'1'='1' and pw='1'd'1'='1'. This statement does not conform to the database's syntax and cannot be executed when it reaches the database, so the SQL injection attack fails directly.
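Embodiments 1 to 3 run end to end against an in-memory SQLite database, as an added example that is not part of the patent. The fixed tokens stand in for strings a to d (set B) and h to k (set C), the users table and its rows are constructed, and matching is whole-word and case-insensitive as in the previous example, so the stored password "password" keeps its embedded "or". The unprotected branch runs the same input without the system so the two outcomes can be compared.

```python
"""Embodiments 1 to 3 run end to end against SQLite.  Added example; not the
patent's own code."""
import re
import sqlite3

# Constructed rule sets standing in for the page's strings a/b/c/d (set B)
# and h/i/j/k (set C): disjoint, equal length, no keyword inside any token.
SET_B = {"select": "kx9v2m", "where": "p7ht3q", "and": "z2wn8c", "or": "m4jr5d"}
SET_C = {"select": "vq8ly1", "where": "bt3ks6", "and": "ch9xe4", "or": "gn2pf7"}


def substitute(text, mapping):
    """Whole-word, case-insensitive replacement (assumed: the stored password
    'password' contains 'or' and must survive unchanged)."""
    pat = re.compile(r"\b(" + "|".join(map(re.escape, mapping)) + r")\b", re.I)
    return pat.sub(lambda m: mapping[m.group(1).lower()], text)


def restore(text, mapping):
    return substitute(text, {v: k for k, v in mapping.items()})


# The site program's login query, built by string concatenation as on the
# page, and its form after the initialization replacement of step (2-2).
RAW_SQL = "select * from users where name='%s' and pw='%s'"
SITE_SQL = substitute(RAW_SQL, SET_C)


def build_database():
    """Constructed users table: admin/password (embodiments 1 and 3) and a
    user literally named 'select' (embodiment 2); step (2-1) rewrites the
    stored fields that equal a keyword of set A."""
    db = sqlite3.connect(":memory:")
    db.execute("create table users (name text, pw text)")
    for name, pw in (("admin", "password"), ("select", "password")):
        db.execute("insert into users values (?, ?)",
                   (substitute(name, SET_B), substitute(pw, SET_B)))
    return db


def proxy_request(sql):
    """Step (3-1) then (3-2): user-supplied keywords go through B, the
    program's own keywords come back through C."""
    return restore(substitute(sql, SET_B), SET_C)


def proxy_response(rows):
    """Step (4): B-mapped field values in the result set are restored."""
    return [tuple(restore(col, SET_B) for col in row) for row in rows]


def login(db, name, pw, protected=True):
    """Return (rows, sql_sent); rows is None when the database rejects the
    statement.  protected=False runs the same input without the system."""
    if protected:
        sql = proxy_request(SITE_SQL % (name, pw))
    else:
        sql = RAW_SQL % (name, pw)
    try:
        rows = db.execute(sql).fetchall()
    except sqlite3.OperationalError:          # syntax error: injection failed
        return None, sql
    return (proxy_response(rows) if protected else rows), sql


if __name__ == "__main__":
    db = build_database()
    for args in (("admin", "password"), ("select", "password"),
                 ("1'or'1'='1", "1'or'1'='1")):
        print(login(db, *args))
    print(login(db, "1'or'1'='1", "1'or'1'='1", protected=False))
```

Run as a script it prints the four login results: the two normal logins return their row, the one whose user name is the keyword select with the stored field restored on the way back; the injected input is rejected by SQLite with a syntax error at the substituted or; and the same injected input without the system returns every row of the table.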
After the SQL injection defense system based on dynamic mapping of the present invention is deployed, it is transparent to requests that normally access the Web server and its back-end database, while for an SQL injection attack the statement maliciously injected by the attacker becomes, after the system's field substitution, a statement that violates the database's syntax and cannot be executed. This prevents an attacker from altering the database query by inserting a series of SQL commands into the input fields of an application's Web forms or into the query string of a page request in order to trick the database server into executing malicious SQL commands; it defends effectively against SQL injection and improves the security protection of the Web server and its back-end database.
The above describes only preferred embodiments of the present invention; the technical solution of the present invention is not limited to them, and any known variation made by those skilled in the art on the basis of the main technical concept of the present invention falls within the scope of protection claimed by the present invention. The specific scope of protection is defined by the claims.