CN107294969A - A kind of SQL injection attack detection and system based on SDN - Google Patents
- Title: A kind of SQL injection attack detection and system based on SDN
- Publication number: CN107294969A (application CN201710479766.6A)
- Authority: CN (China)
- Prior art keywords: data flow, sql, sdn, module, database
- Legal status: Pending (status as listed by Google Patents, not a legal conclusion)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1466—Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
Abstract
The invention discloses an SDN-based SQL injection attack detection method and system. The method sends the data flow that accesses the database to a simulated database and detects it there. A user accesses the client; the SDN controller modifies the user's target IP and source IP and uses the modified IPs to query the simulated database. If no record is found, the data flow is detected directly to check whether it carries a SQL injection attack. The detected data flow is copied: one copy is sent to the simulated database and executed there, which ensures the access is not destructive, and a monitor is configured for the execution process; the other copy is sent directly to the monitor. When the execution shows no anomaly, the data flow is returned to the cache on the detection tool, where a record is added, and is finally output to the SDN controller, which forwards it to the database. With this method, the security of the user's database access can be ensured.
Description
Technical field
The present invention relates to the field of SDN, and specifically to an SDN-based SQL injection attack detection method and system.
Background technology
SDN originated in a Stanford University campus project called Clean Slate. It is an innovative network architecture whose core idea is to separate the forwarding plane from the control plane. A centralized controller configures and manages a variety of network devices through standard interfaces, so that network management becomes more centralized and fine-grained. OpenFlow, as the prototype implementation of SDN, fully embodies this idea of separating management and control, so OpenFlow is generally taken as the SDN communication standard, just as the TCP/IP protocol is the communication standard of the Internet.
SQL is the structured query language for relational databases. Its typical executed statement is the query. It can change the database structure and operate on database content. If an attacker inserts a series of SQL statements into a query in order to manipulate data, and these are written into the application, we define this as SQL injection. SQL injection is an attack mode in which malicious code is inserted into a string that is then passed to SQL Server to be parsed and executed.
SQL injection is currently a relatively common attack mode against databases. The attacker accesses the web page through a normal page port; when the page needs to query the database, the attacker binds statements with special meaning into the SQL statement, changing the user's original intent and thereby achieving illegal goals such as tampering with data.
Software Defined Network (SDN) is a new and innovative network architecture and an implementation of network virtualization. Its core technology, OpenFlow, separates the control plane of network devices from the data plane, thereby achieving flexible control of network traffic and making the network, as a pipeline, more intelligent.
In SDN, if SDN users are not subjected to access authentication, anyone who can reach an SDN switch can access the devices or resources in the SDN network. This naturally poses a serious security risk. However, the prior art offers no scheme for detecting SQL injection attacks within SDN.
Summary of the invention
The technical problem to be solved by the invention is to provide an SDN-based SQL injection attack detection method and system; with this detection method, the security of the user's database access can be ensured.
The technical scheme by which the invention solves the above technical problem is as follows:
An SDN-based SQL injection attack detection method comprises the following steps:
(1) The SDN controller receives the data flow sent by the client, identifies the client's source IP and port, and modifies the client source IP and target IP;
(2) The SQL detection tool caches the SQL statement of the received data flow and queries whether a record of this detection already exists. If it does, the data flow is returned to the SDN controller. If not, the SQL detection tool checks the syntax for abnormal statements; if an anomaly is found, the abnormal statement is filtered out and the method proceeds to the next step; if there is no anomaly, the method also proceeds to the next step;
(3) The data flow is copied and sent to the simulated database and to a monitor that runs during the simulation;
(4) The simulated database screens the received data flow by setting a screening data identifier (ID), and the data flow that passes screening is handed to the monitor configured in the network, which checks for destructive statements. If an anomaly is detected, the data flow is discarded; if not, the data flow sent to the monitor is output to the SQL detection tool;
(5) The SQL detection tool adds a record in its cache and outputs the data flow to the SDN controller;
(6) The SDN controller sends the data flow to the database.
The beneficial effects of the invention are as follows:
1. An SDN controller is configured in the network. The invention configures an SDN controller comprising a receiving module, connected to the client, for receiving the data flow sent by the client; a modification module, connected to the receiving module, for modifying the client source IP and target IP; and a sending module, connected to the database, for sending the data flow to the database.
2. A SQL database detector is introduced. The simulated database set up by the invention detects SQL statements in a simulated environment, for example: checking the content of the input SQL statement and filtering sensitive characters; strengthening the validation of user input; distinguishing the privileges of different accounts; using encryption mechanisms; using professional vulnerability scanners; regularly checking IIS logs and data tables. Abnormal statements are thereby filtered out and SQL injection attacks are prevented. The SQL detection tool is provided with a cache for storing the SQL statements of received data flows and for querying whether this detection already has a record.
3. A simulated database is set up for the database to be protected. By detecting the execution state of the simulated database, traffic mutations or database corruption can be determined, and it can further be judged whether the user's access is destructive.
4. A monitor is configured. The invention configures a monitor in the execution process of the simulated database; by monitoring whether the execution state is abnormal, it decides whether to output the data flow to the SDN and thus allow access to the real database.
Further, before step (1), a simulated database is configured and synchronized with the database.
The invention further provides an SDN-based SQL injection attack detection system, characterized in that it comprises an SDN controller, and a database and a SQL database detection tool both connected to the SDN controller; the SQL database detection tool is connected to a monitor and a simulated database;
the SDN controller comprises a receiving module, connected to the client, for receiving the data flow sent by the client; and a modification module, connected to the receiving module, for modifying the client source IP and target IP;
the SQL database detection tool comprises an acquisition module, connected to the modification module, for obtaining the SQL statement of the data flow;
a cache, connected to the acquisition module, for caching the SQL statement of the received data flow and querying whether this detection already has a record;
a syntax comparison module, connected to the cache, for comparing the syntax of the data flow to determine whether it is abnormal or contains SQL injection attack statements;
a filtering module, connected to the syntax comparison module, for filtering out abnormal statements or statements containing SQL injection attacks;
a data duplication module, connected to the filtering module and the syntax comparison module, for copying the normal data flow that passed detection and sending it to the simulated database and to the monitor running during the simulation;
the simulated database, connected to the data duplication module, for screening the received data flow and handing the data flow that passes screening to the monitor configured in the network, which checks for destructive statements; if an anomaly is detected the data flow is discarded, otherwise the data flow sent to the monitor is output to the acquisition module of the SQL detection tool;
the cache of the SQL detection tool is further used to add a record and output the data flow to the SDN controller;
the SDN controller further comprises a sending module, connected to the database, for sending the data flow to the database.
The beneficial effect of this scheme is that the SDN controller is configured to receive the data flow sent by the client, modify the client source IP and target IP, and send the data flow that passed detection to the real database; the introduced SQL database detector can detect and cache SQL statements in a simulated environment; setting up a simulated database for the database to be protected allows the execution state of the simulated database to be observed, further judging whether the user's access is destructive; and the configured monitor, by checking whether the execution state is abnormal, decides whether to output the data flow to the SDN and thus allow access to the real database.
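The controller side of the scheme above (receiving module, modification module, sending module), as an added illustration that is not code from the patent: a toy switch holds OpenFlow-style rules (a match on packet fields, SET_FIELD-like rewrites, an output port), a table miss hands the packet to the controller, the controller rewrites the client source IP and target IP so the flow goes to the detection tool, and once the tool returns a verdict the controller installs a rule that either forwards identical future flows to the real database with their real addresses (step 8) or drops them. All addresses, port names and the `detector` callable are invented assumptions; the callable stands in for the SQL detection tool's verdict.

```python
"""Toy SDN controller for the source/target IP rewrite described on the page.
Example code, not the patent's own implementation; addresses are invented."""
from dataclasses import dataclass, replace
from typing import Callable

DB_IP, DB_PORT = "10.0.0.20", 3306   # invented: the protected database
DETECTOR_IP = "10.0.0.30"            # invented: the SQL detection tool
CONTROLLER_IP = "10.0.0.1"           # invented: source address used for the probe


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    sql: str             # simplification: one SQL statement per flow


@dataclass
class FlowRule:
    match: dict          # packet fields that must equal these values
    set_fields: dict     # fields rewritten on a match (OpenFlow SET_FIELD analogue)
    out_port: str        # "db", "drop" or "uplink"
    priority: int = 0


class Switch:
    def __init__(self, controller):
        self.controller = controller
        self.rules = []

    def install(self, rule: FlowRule):
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.priority, reverse=True)

    def process(self, pkt: Packet):
        """Return (out_port, packet as forwarded); a table miss asks the controller."""
        for rule in self.rules:
            if all(getattr(pkt, k) == v for k, v in rule.match.items()):
                return rule.out_port, replace(pkt, **rule.set_fields)
        return self.controller.packet_in(self, pkt)


class Controller:
    def __init__(self, detector: Callable[[str], bool]):
        self.detector = detector   # placeholder for the SQL detection tool's verdict
        self.redirected = []       # probes sent towards the detection tool

    def packet_in(self, switch: Switch, pkt: Packet):
        # receiving module: only flows towards the database port are inspected
        if pkt.dst_ip != DB_IP or pkt.dst_port != DB_PORT:
            return "uplink", pkt
        # modification module: rewrite source IP and target IP so the flow
        # reaches the detection tool and its reply returns to the controller
        probe = replace(pkt, src_ip=CONTROLLER_IP, dst_ip=DETECTOR_IP)
        self.redirected.append(probe)
        flow = {"src_ip": pkt.src_ip, "dst_ip": DB_IP, "dst_port": DB_PORT, "sql": pkt.sql}
        if self.detector(probe.sql):
            # sending module: the vetted flow, and identical repeats, go to the
            # real database with the real source and target IP restored
            switch.install(FlowRule(flow, {}, "db", priority=10))
            return "db", pkt
        switch.install(FlowRule(flow, {}, "drop", priority=10))
        return "drop", pkt


def simple_detector(sql: str) -> bool:
    """Placeholder verdict: reject stacked statements and comment tails."""
    body = sql.strip().rstrip(";")
    return ";" not in body and "--" not in body


def demo():
    ctl = Controller(simple_detector)
    sw = Switch(ctl)
    client = "10.0.0.5"   # invented client address
    good = Packet(client, DB_IP, DB_PORT, "SELECT name FROM users WHERE id = 7")
    bad = Packet(client, DB_IP, DB_PORT, "SELECT name FROM users WHERE id = 7; DROP TABLE users")
    return [sw.process(good)[0], sw.process(good)[0], sw.process(bad)[0], len(ctl.redirected)]


if __name__ == "__main__":
    print(demo())   # second packet matches the installed rule, so only two probes
```

The rule installed after a verdict matches on the full statement text, so a cached decision applies only to a byte-identical repeat; a real deployment would key on a normalized statement or on the session rather than the literal payload.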
Brief description of the drawings
Fig. 1 is a flow diagram of the SDN-based SQL injection attack detection method of the invention;
Fig. 2 is an architecture diagram of the SDN-based SQL injection attack detection system of the invention;
Fig. 3 is a flow diagram of the invention's detection of SQL injection attacks.
Embodiment
The principles and features of the invention are described below with reference to the drawings; the examples given serve only to explain the invention and are not intended to limit its scope.
As shown in Fig. 1, the invention provides an SDN-based SQL injection attack detection method comprising the following steps:
Step 1: a user accesses some attribute in the database through a client request. The user's IP and port information can be identified by the controller. To ensure there is no SQL injection attack or destructive access, the data flow of the user's access is subjected to a simulation test.
Step 2: a simulated database is configured and synchronized with the real database. The SDN modifies the target IP and local source IP of the accessing user.
Step 3: the modified target IP and source IP, together with the data flow requested by the user, are subjected to the simulation test.
Step 4: while the data flow is being delivered it passes through the SQL database detection tool. The tool first queries the records in its cache; if an identical record exists, the data flow is returned directly to the SDN. If there is no identical record, this query is detected, for example: checking the content of the input SQL statement and filtering sensitive characters such as ', >, <, =, !, -, +, *, /, |, and space; strengthening the validation of user input; distinguishing the privileges of different accounts; using encryption mechanisms; using professional vulnerability scanners; regularly checking IIS logs and data tables. Abnormal statements are then filtered out.
Step 5: the filtered data flow is copied.
Step 6: one copy of the data flow is sent to the simulated database, which executes the data it receives. A monitor is configured in the execution process and watches the execution state, for example for anomalies such as traffic mutations, and thereby determines whether the access is destructive. If the monitor detects an anomaly, the data flow is discarded and this query ends. If no anomaly is detected, the data flow that was sent directly to the monitor is led back to the SQL database detection tool.
Step 7: the cache in the SQL database detection tool adds a record for this query, so that the next time an identical query occurs it is sent directly to the SDN.
Step 8: the SDN accesses the real database with the real target IP and source IP and the data flow that was detected as safe.
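The detection tool of steps 4 to 8, as an added example that is not the patent's own implementation: a cache of already-vetted queries, a syntax check for abnormal statements, a simulated database (an in-memory SQLite copy re-synchronized from seed rows before every test, as step 2 requires) and a monitor that compares the database state before and after execution and checks the size of the result set for a traffic mutation. The page's blanket filter on characters such as `=` and space would also reject ordinary `WHERE` clauses, so this example checks statement shape instead and lets the simulation decide. The `users` table, its rows, the row threshold and all names are invented.

```python
"""Detection tool with cache, syntax check, simulated database and monitor.
Example code, not the patent's; table, rows and thresholds are invented."""
import sqlite3
from dataclasses import dataclass


@dataclass
class Verdict:
    allowed: bool
    reason: str
    from_cache: bool = False


def has_abnormal_syntax(sql: str) -> bool:
    """Syntax comparison module: a second statement stacked after the first,
    or a comment tail, are shapes an ordinary application query never has."""
    body = sql.strip().rstrip(";")
    return ";" in body or "--" in body or "/*" in body


class SimulatedDatabase:
    """Step 2: a copy of the protected schema, synchronized from seed rows."""

    def __init__(self, seed_names):
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
        self.conn.executemany("INSERT INTO users (name) VALUES (?)",
                              [(n,) for n in seed_names])
        self.conn.commit()

    def snapshot(self) -> dict:
        """Schema and full contents, so drops, deletes and updates all show up."""
        tables = [r[0] for r in self.conn.execute(
            "SELECT name FROM sqlite_master WHERE type = 'table'")]
        return {t: tuple(self.conn.execute(f'SELECT * FROM "{t}" ORDER BY 1').fetchall())
                for t in tables}

    def execute(self, sql: str):
        """Run one statement; return (error message or None, rows returned)."""
        try:
            rows = len(self.conn.execute(sql).fetchall())
            self.conn.commit()
            return None, rows
        except sqlite3.Error as exc:
            return str(exc), 0


class DetectionTool:
    def __init__(self, seed_names, max_rows=2):
        self.seed_names = seed_names
        self.max_rows = max_rows    # monitor threshold for a "traffic mutation"
        self.cache = {}             # step 7: normalized SQL -> Verdict

    def inspect(self, sql: str) -> Verdict:
        key = " ".join(sql.split())     # collapse whitespace so repeats hit the cache
        if key in self.cache:           # step 4: identical record goes straight back
            hit = self.cache[key]
            return Verdict(hit.allowed, hit.reason, from_cache=True)
        if has_abnormal_syntax(sql):    # step 4: abnormal statements are filtered out
            return Verdict(False, "abnormal syntax: stacked statement or comment tail")
        verdict = self.simulate(sql)    # steps 5 and 6
        if verdict.allowed:
            self.cache[key] = verdict   # step 7: only vetted queries are recorded
        return verdict

    def simulate(self, sql: str) -> Verdict:
        sim = SimulatedDatabase(self.seed_names)   # fresh, synchronized copy
        before = sim.snapshot()
        error, rows = sim.execute(sql)
        if error:
            return Verdict(False, f"simulated execution failed: {error}")
        if sim.snapshot() != before:    # monitor: destructive statement
            return Verdict(False, "destructive: simulated database state changed")
        if rows > self.max_rows:        # monitor: result set far larger than expected
            return Verdict(False, f"traffic mutation: {rows} rows returned")
        return Verdict(True, "no anomaly during simulated execution")


if __name__ == "__main__":
    tool = DetectionTool(["alice", "bob", "carol"])
    for q in ["SELECT name FROM users WHERE name = 'alice'",
              "SELECT name FROM users WHERE name = 'alice'",
              "SELECT name FROM users WHERE name = 'x' OR '1'='1'",
              "DELETE FROM users WHERE name = 'x' OR '1'='1'",
              "SELECT name FROM users WHERE name = 'x'; DROP TABLE users"]:
        print(q, "->", tool.inspect(q))
```

Only verdicts that passed simulation are cached, matching step 7, so a rejected query is re-examined every time it appears; the simulation is rebuilt from the seed rows for each query so that one destructive test cannot poison the next.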
As shown in Fig. 2 and Fig. 3, the invention also provides an SDN-based SQL injection attack detection system comprising an SDN controller, and a database and a SQL database detection tool both connected to the SDN controller; the SQL database detection tool is connected to a monitor and a simulated database;
the SDN controller comprises a receiving module, connected to the client, for receiving the data flow sent by the client; and a modification module, connected to the receiving module, for modifying the client source IP and target IP;
the SQL database detection tool comprises an acquisition module, connected to the modification module, for obtaining the SQL statement of the data flow;
a cache, connected to the acquisition module, for caching the SQL statement of the received data flow and querying whether this detection already has a record;
a syntax comparison module, connected to the cache, for comparing the syntax of the data flow to determine whether it is abnormal or contains SQL injection attack statements;
a filtering module, connected to the syntax comparison module, for filtering out abnormal statements or statements containing SQL injection attacks;
a data duplication module, connected to the filtering module and the syntax comparison module, for copying the normal data flow that passed detection and sending it to the simulated database and to the monitor running during the simulation;
the simulated database, connected to the data duplication module, for screening the received data flow and handing the data flow that passes screening to the monitor configured in the network, which checks for destructive statements; if an anomaly is detected the data flow is discarded, otherwise the data flow sent to the monitor is output to the acquisition module of the SQL detection tool;
the cache of the SQL detection tool is further used to add a record and output the data flow to the SDN controller;
the SDN controller further comprises a sending module, connected to the database, for sending the data flow to the database.
The foregoing is merely the preferred embodiment of the invention and is not intended to limit it; any modification, equivalent substitution, improvement and the like made within the spirit and principles of the invention shall be included within its scope of protection.
Claims (3)
1. An SDN-based SQL injection attack detection method, characterized in that it comprises the following steps:
(1) an SDN controller receives the data flow sent by a client, identifies the client's source IP and port, and modifies the client source IP and target IP;
(2) a SQL detection tool caches the SQL statement of the received data flow and queries whether a record of this detection already exists; if so, the data flow is returned to the SDN controller; if not, the SQL detection tool checks the syntax for abnormal statements, and if an abnormal statement exists it is filtered out before proceeding to the next step, while if there is no anomaly the method proceeds directly to the next step;
(3) the data flow is copied and delivered to a simulated database and to a monitor running during the simulation;
(4) the simulated database screens the received data flow by setting a screening data identifier (ID) and hands the data flow that passes screening to the monitor configured in the network, which checks for destructive statements; if an anomaly is detected the data flow is discarded, and if not the data flow sent to the monitor is output to the SQL detection tool;
(5) the SQL detection tool adds a record in its cache and outputs the data flow to the SDN controller;
(6) the SDN controller sends the data flow to the database.
2. The SDN-based SQL injection attack detection method according to claim 1, characterized in that, before step (1), a simulated database is configured and synchronized with the database.
3. An SDN-based SQL injection attack detection system, characterized in that it comprises an SDN controller, and a database and a SQL database detection tool both connected to the SDN controller, the SQL database detection tool being connected to a monitor and a simulated database;
the SDN controller comprises a receiving module, connected to the client, for receiving the data flow sent by the client; and a modification module, connected to the receiving module, for modifying the client source IP and target IP;
the SQL database detection tool comprises an acquisition module, connected to the modification module, for obtaining the SQL statement of the data flow;
a cache, connected to the acquisition module, for caching the SQL statement of the received data flow and querying whether this detection already has a record;
a syntax comparison module, connected to the cache, for comparing the syntax of the data flow to determine whether it is abnormal or contains SQL injection attack statements;
a filtering module, connected to the syntax comparison module, for filtering out abnormal statements or statements containing SQL injection attacks;
a data duplication module, connected to the filtering module and the syntax comparison module, for copying the normal data flow that passed detection and sending it to the simulated database and to the monitor running during the simulation;
the simulated database, connected to the data duplication module, for screening the received data flow and handing the data flow that passes screening to the monitor configured in the network, which checks for destructive statements; if an anomaly is detected the data flow is discarded, otherwise the data flow sent to the monitor is output to the acquisition module of the SQL detection tool;
the cache of the SQL detection tool is further used to add a record and output the data flow to the SDN controller;
the SDN controller further comprises a sending module, connected to the database, for sending the data flow to the database.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710479766.6A CN107294969A (en) | 2017-06-22 | 2017-06-22 | A kind of SQL injection attack detection and system based on SDN |
Publications (1)
Publication Number | Publication Date |
---|---|
CN107294969A true CN107294969A (en) | 2017-10-24 |
Family
ID=60097458
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710479766.6A Pending CN107294969A (en) | 2017-06-22 | 2017-06-22 | A kind of SQL injection attack detection and system based on SDN |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107294969A (en) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102750483A (en) * | 2012-06-21 | 2012-10-24 | 无锡华御信息技术有限公司 | SQL (structured query language) injection attack protection method based on database |
CN103780614A (en) * | 2014-01-21 | 2014-05-07 | 金华比奇网络技术有限公司 | Method for SQL injection vulnerability discovery based on simulated attack extension |
CN104615934A (en) * | 2015-02-03 | 2015-05-13 | 腾讯科技(深圳)有限公司 | SQL injection attack safety protection method and system |
CN105897728A (en) * | 2016-04-27 | 2016-08-24 | 江苏警官学院 | Anti-virus system based on SDN (Software Defined Network) |
US20160337400A1 (en) * | 2015-05-15 | 2016-11-17 | Virsec Systems, Inc. | Detection of sql injection attacks |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109324985A (en) * | 2018-09-03 | 2019-02-12 | 中新网络信息安全股份有限公司 | A kind of SQL injection recognition methods of the automatic adaptation scene based on machine learning |
CN110798442A (en) * | 2019-09-10 | 2020-02-14 | 广州西麦科技股份有限公司 | Data injection attack detection method and related device |
CN110798442B (en) * | 2019-09-10 | 2023-01-20 | 广州西麦科技股份有限公司 | Data injection attack detection method and related device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |