CN107368582B - SQL statement detection method and system - Google Patents

Info

Publication number: CN107368582B
Authority: CN (China)
Prior art keywords: rule, security, safety, security rule, plug
Legal status: Active
Application number: CN201710601680.6A
Other languages: Chinese (zh)
Other versions: CN107368582A
Inventor: 陈诗礼
Current Assignee: Sangfor Technologies Co Ltd
Original Assignee: Sangfor Technologies Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/24 Querying
    • G06F16/242 Query formulation
    • G06F16/2433 Query languages
    • G06F16/2448 Query languages for particular applications; for extensibility, e.g. user defined types
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures

Abstract

The embodiment of the invention provides a method and a system for detecting SQL statements, used to detect and defend against database security vulnerabilities quickly and efficiently. The method comprises the following steps: an analysis module extracts the feature information of each statement from the Structured Query Language (SQL) statements to be detected; a security rule plug-in loads a configuration file, matches the feature information against the corresponding security rule in the configuration file, and determines from the matching result the security rule ID corresponding to the successfully matched security rule, where one security rule corresponds to at least one security rule ID; and a policy matching module counts the successfully matched security rule IDs and executes the preset security policy corresponding to each security rule ID.

Description

SQL statement detection method and system
Technical Field
The invention relates to the field of data security, in particular to a method and a system for detecting SQL (structured query language) statements.
Background
A database is an important storage tool: a large amount of valuable or sensitive information is stored in it, including financial data, intellectual property and enterprise data, and attackers can obtain the information they want in various ways. Securing the database therefore becomes especially important. Attackers have many means of obtaining information, for example SQL injection, which uses a vulnerability in a website to construct special SQL statements that obtain information illegally.
Each dangerous behavior corresponds to an SQL feature, and in the prior art dangerous behaviors are identified by recognizing SQL features. For example, select * from a into outfile "D:/test.txt" exports the data in table a to "D:/test.txt", causing data leakage. The export keyword into outfile and the field value "D:/test.txt" are the SQL feature information of this dangerous behavior.
In the prior art, dangerous features are identified by detecting the feature information in an SQL statement, and the statement is then analyzed to decide whether it is dangerous. For each dangerous statement a detection rule, that is, a security rule, is built to detect and identify SQL statements that are the same as or similar to it, and the different security rules are run one after another to analyze and identify every SQL statement. Once development of the security plug-in is complete, its detection function is fixed: only SQL statements that are the same as or similar to the preset dangerous statements can be detected, and the detection range cannot be expanded. In addition, when many security rule plug-ins need to run, each plug-in has to analyze and identify all SQL statements by itself, and this repeated analysis makes detection inefficient.
How to make security rules detect database vulnerabilities efficiently, and how to expand the detection range rapidly as attack techniques change, has therefore become a key research question.
Disclosure of Invention
The embodiment of the invention provides a method and a system for detecting SQL statements, which make the detection range easy to expand and detect and defend against database security vulnerabilities quickly and efficiently.
A first aspect of an embodiment of the present invention provides a method for detecting an SQL statement, where the method may include:
an analysis module extracts the feature information of each statement from the Structured Query Language (SQL) statements to be detected;
a security rule plug-in loads a configuration file, matches the feature information against the corresponding security rule in the configuration file, and determines from the matching result the security rule ID corresponding to the successfully matched security rule, where one security rule corresponds to at least one security rule ID;
and a policy matching module counts the successfully matched security rule IDs and executes the preset security policy corresponding to each security rule ID.
With reference to the first aspect, in a first possible implementation manner of the first aspect, the method further includes:
when the detection requirement changes, updating the security rules in the configuration file so that the security rule plug-in matches new feature information and adapts to the new detection requirement.
With reference to the first possible implementation manner of the first aspect, in a second possible implementation manner of the first aspect, the feature information includes one or more of a keyword, a table name, a field value, database type information, and operation type information.
With reference to the second possible implementation manner of the first aspect, in a third possible implementation manner of the first aspect, when the configuration file of the security rule plug-in configures the feature information matched by the plug-in to be a database type, the keyword "into outfile" and a field value, determining the security rule ID corresponding to the successfully matched security rule according to the matching result includes: the security rule plug-in extracts the target field value and the database type from an SQL statement containing the keyword "into outfile";
when the target field value is the extension of an executable program, the security rule plug-in determines that the security rule ID corresponding to the successfully matched security rule is a first ID;
and when the target field value is not the extension of an executable program, the security rule plug-in determines that the security rule ID corresponding to the successfully matched security rule is a second ID.
With reference to the first aspect, the first, second, or third possible implementation manner of the first aspect, in a fourth possible implementation manner of the first aspect, before the executing the preset security policy corresponding to the security rule ID, the method further includes:
detecting whether the security rule ID is in a preset forbidden security rule ID list or not;
filtering out the security rule IDs in the preset forbidden security rule ID list.
With reference to the fourth possible implementation manner of the first aspect, in a fifth possible implementation manner of the first aspect, the method further includes:
a plurality of security rule plug-ins match the feature information of each statement simultaneously and in parallel, so as to improve detection efficiency.
A second aspect of the present invention provides an SQL statement detection system, which may include:
an analysis module, configured to extract the feature information of each statement from the Structured Query Language (SQL) statements to be detected;
a security rule plug-in, configured to match the feature information against the corresponding security rule in the configuration file and to determine from the matching result the security rule ID corresponding to the successfully matched security rule, where one security rule corresponds to at least one security rule ID;
and a policy matching module, configured to count the successfully matched security rule IDs and execute the preset security policy corresponding to each security rule ID.
With reference to the second aspect, in a first possible implementation manner of the second aspect, the system further includes:
an updating module, configured to update the security rules in the configuration file when the detection requirement changes, so that the security rule plug-in matches new feature information and adapts to the new detection requirement.
With reference to the first possible implementation manner of the second aspect, in a second possible implementation manner of the second aspect, the feature information includes one or more items of keywords, table names, field values, database type information, and operation type information.
With reference to the second possible implementation manner of the second aspect, in a third possible implementation manner of the second aspect, when the configuration file of the security rule plug-in configures the feature information matched by the plug-in to be a database type, the keyword "into outfile" and a field value, the security rule plug-in includes:
an extraction unit, configured to extract the target field value and the database type from an SQL statement containing the keyword "into outfile";
a judging unit, configured to determine that the security rule ID corresponding to the successfully matched security rule is a first ID when the target field value is the extension of an executable program, and that it is a second ID when the target field value is not the extension of an executable program.
With reference to the second aspect or the first, second or third possible implementation manner of the second aspect, in a fourth possible implementation manner of the second aspect, the system further includes:
the detection module is used for detecting whether the safety rule ID is in a preset forbidden safety rule ID list or not;
and a filtering module, configured to filter out the security rule IDs that are in the preset forbidden security rule ID list.
According to the technical scheme, the embodiment of the invention has the following advantages:
In the embodiment of the invention, the feature information of every statement in the SQL statements to be detected is analyzed once, centrally, rather than each security rule plug-in analyzing the feature information of each statement on its own; the SQL statements are therefore not analyzed repeatedly, and detection efficiency improves. Each security rule plug-in matches the feature information of each statement against the security rules in its loaded configuration file and determines from the matching result the security rule ID of the successfully matched security rule, and the preset security policy corresponding to that ID is executed. When the detection requirement changes along with the attack techniques, the same security rule plug-in gains the ability to detect the latest attack technique merely by modifying the security rule in its configuration file; that is, the detection range of the SQL statement detection method in this embodiment is readily expandable.
Drawings
FIG. 1 is a schematic diagram of an SQL statement detection system according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of an embodiment of a method for detecting an SQL statement according to the embodiment of the present invention;
FIG. 3 is a schematic diagram of another embodiment of a SQL statement detection method according to the embodiment of the present invention;
FIG. 4 is a schematic diagram of an embodiment of an SQL statement detection system according to the embodiment of the present invention;
FIG. 5 is a schematic diagram of another embodiment of an SQL statement detection system according to the embodiment of the present invention;
FIG. 6 is a schematic diagram of another embodiment of an SQL statement detection system according to the embodiment of the present invention;
fig. 7 is a schematic diagram of another embodiment of an SQL statement detection system according to an embodiment of the present invention.
Detailed Description
The embodiment of the invention provides a method and a system for detecting SQL statements, which make the detection range easy to expand and detect and defend against database security vulnerabilities quickly and efficiently.
In the embodiment of the invention, the feature information of each statement in the SQL statements is analyzed centrally by the analysis module, so that no plug-in needs to analyze the SQL statements again and detection efficiency improves. The security rule plug-ins then match the extracted feature information against the security rules in their different configuration files to obtain the security rule ID corresponding to each successfully matched security rule, and finally the corresponding action is taken according to the matched rule ID. Because a security rule plug-in executes the security rule given by the configuration file it has loaded, when the detection requirement changes along with the attack techniques the security rule can be changed simply by modifying the corresponding configuration file, so the plug-in adapts quickly to the requirement of detecting the latest attack technique.
For ease of understanding, the architecture of the SQL statement detection system in the embodiment of the present invention is described first; please refer to fig. 1. An analysis module is provided to analyze the SQL statements to be detected centrally and to store the feature information of each statement separately from that of the other statements; a plurality of security rule plug-ins are provided, each corresponding to one configuration file; and a policy matching module interfaces uniformly with all the security rule plug-ins and executes the corresponding security policy according to their matching results.
Referring to fig. 2, a specific flow in the embodiment of the present invention is described below, and an embodiment of a method for detecting an SQL statement in the embodiment of the present invention may include:
201. extracting characteristic information from an SQL statement to be detected;
The Structured Query Language (SQL) statements to be detected are analyzed according to the lexical rules of SQL, the feature information in each statement is extracted, and the feature information of each statement is stored separately.
In practical applications, the feature information in an SQL statement may include one or more of a keyword, a table name, a field value, database type information and operation type information. The keywords may include SQL keywords that change data in the database or import data into or export data from it, such as "into outfile" and "delete"; the database type may be Oracle, Mysql, DB2, MS-SQL and the like. The specific types of feature information may be configured reasonably according to the features of the security vulnerabilities to be detected, and neither the types nor the values of the feature information are limited here.
202. Loading a configuration file and matching the characteristic information according to the safety rule in the configuration file;
In this embodiment, each security rule plug-in may pick out different feature information according to the preset configuration rules in its configuration file and then determine the security rule ID to which that feature information corresponds. Because all feature information in the SQL statements to be detected has already been analyzed and stored in advance, each security rule plug-in only needs to perform matching according to its preset rules.
In practical application, the configuration file of each security rule plug-in can be updated: when the detection requirement changes, the preset security rules of the plug-in are updated so that it matches new feature information, or determines the corresponding security rule ID from specific values of the feature information, and thereby detects a new security vulnerability.
203. Determining a safety rule ID corresponding to the successfully matched safety rule according to the matching result;
The same security rule always matches the same types of feature information, but different values of those features can map to different security rule IDs during matching; that is, one security rule corresponds to at least one security rule ID depending on the matching result. The correspondence between feature values and security rule IDs can be set reasonably according to the user's requirements and is not limited here.
For example, consider the following statement in a Mysql database: select * from a into outfile "D:/test.txt". Parsing the statement yields the feature information shown in table 1.
TABLE 1
Keyword           into outfile
Operation type    select
Table name        a
Field value       D:/test.txt
Database type     Mysql
Referring to table 2, for the export-class security plug-in, the keyword, field value, table name and database type in table 1 may be matched according to the preset security rules: the export-class security rule plug-in extracts the target field value and the database type from the SQL statement containing the keyword "into outfile"; when the target field value is the extension of an executable program, the plug-in determines that the security rule ID corresponding to the successfully matched security rule is a first ID, and when it is not the extension of an executable program, the plug-in determines that the security rule ID is a second ID.
TABLE 2
Rule ID           1
Database type     Mysql
Keyword           into outfile
Field value       txt, doc, csv, docx, ...
Specifically, the field value extracted from the statement is "D:/test.txt", so the statement is determined to be an export of a general file (txt, doc, csv, docx and other common formats); since the field value is not the extension of an executable program, security rule 1 is determined to correspond to the statement, and the security policy corresponding to security rule 1 is executed.
Referring to table 3, if the field value of the SQL statement is instead the extension of an executable program, such as exe, bat, sh or asp, the statement is determined to be a dangerous file export operation, security rule 2 is determined to correspond to it, and the security policy corresponding to security rule 2 is executed.
TABLE 3
Rule ID           2
Database type     Mysql
Keyword           into outfile
Field value       exe, bat, sh, asp, ...
204. And executing the preset security policy corresponding to the security rule ID.
The preset security policies corresponding to the different security rule IDs may be set reasonably according to the user's needs; for example, an alarm may be raised, a security log entry recorded, or the dangerous operation not executed. The specific security policy and the time at which it is executed are set according to the user's needs and are not limited here.
In this embodiment, the feature information of every statement in the SQL statements to be detected is analyzed once, centrally, rather than each security rule plug-in analyzing each statement on its own; the SQL statements are therefore not analyzed repeatedly, and detection efficiency improves. Each security rule plug-in matches the feature information against the security rules in its loaded configuration file, determines the security rule ID of the successfully matched rule from the matching result, and the preset security policy for that ID is executed. When the detection requirement changes along with the attack techniques, the same plug-in gains the ability to detect the latest attack technique merely by modifying the security rule in its configuration file; that is, the detection range of the method in this embodiment is readily expandable.
Secondly, the security rule plug-in is separated from the security policy: the same plug-in can map different matching results on the feature information to different security rule IDs, and hence to different security policies, which broadens the early-warning range of a single security rule plug-in.
Referring to fig. 3, another embodiment of a method for detecting an SQL statement according to the embodiment of the invention based on the embodiment shown in fig. 1 may include:
301. extracting characteristic information from an SQL statement to be detected;
302. matching the characteristic information by adopting a plurality of different safety rule plug-ins;
In this embodiment, as in step 202, each security rule plug-in picks out different feature information according to the preset configuration rules in its configuration file and determines the security rule ID to which that feature information corresponds; all feature information in the SQL statements to be detected has been analyzed and stored in advance, so each plug-in only needs to perform matching according to its preset rules.
In this embodiment, the configuration file of each security rule plug-in may be updated: when a change in the detection requirement is detected, the preset security rules of the plug-in are updated so that it matches new feature information or determines the corresponding security rule ID from specific values of the feature information.
In practical application, a plurality of security rule plug-ins can match the feature information of each statement simultaneously and in parallel, so as to improve detection efficiency.
303. Determining a safety rule ID corresponding to the successfully matched safety rule according to the matching result;
in this embodiment, the content described in steps 301 and 303 is similar to the content described in steps 201 and 203, and please refer to steps 201 and 203 specifically, which is not described herein again.
304. Detecting whether the security rule ID is in a preset forbidden security rule ID list or not;
In actual application, the user may reasonably choose which security rules to execute according to the actual requirements of their database. Specifically, after the corresponding rule ID has been determined, whether that rule ID is in a preset forbidden security rule ID list is checked: if none of the matched security rule IDs is in the forbidden list, step 306 may be executed; if some of the matched security rule IDs are in the forbidden list, step 305 may be executed.
305. Filtering out the security rule IDs in a preset forbidden security rule ID list;
for the successfully matched security rule ID, the security rule ID in the preset forbidden security rule ID list can be filtered out according to the setting of the user, and the forbidden security rule is not executed.
306. And executing the preset security policy corresponding to the security rule ID.
The preset security policies corresponding to different security rule IDs may be reasonably set according to the needs of the user, for example, an alarm operation, a security log recording or no dangerous operation may be performed, and the specific security policy and the execution time may be reasonably set according to the needs of the user, which is not limited herein.
In this embodiment, the feature information in the SQL statements to be detected is analyzed centrally, and a plurality of different security rule plug-ins match the analyzed feature information simultaneously and in parallel; the SQL statements are not analyzed repeatedly and the plug-ins match in parallel, so detection efficiency improves. In addition, the security rule plug-ins are separated from the security policies: a plug-in can map different matching results on the feature information to different security rule IDs, and hence to different security policies, which broadens the early-warning range of a single plug-in. The configuration file of a security rule plug-in can be updated without changing the overall security policy, which changes the plug-in's detection range and so improves the expandability of the detection range.
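The pipeline of steps 201 to 204 and 301 to 306 (one central parse, configuration-driven rule plug-ins, the forbidden-rule filter and per-rule policies), as an added Python example that is not part of the patent or of any Sangfor product. The tokenizer, the configuration dicts, the policy names and all sample statements other than the table-1 statement are constructed assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample input (not from the patent). The first statement is the
# patent's own table-1 example; the others are made up to exercise the rules.
SAMPLE_STATEMENTS = [
    ("Mysql", 'select * from a into outfile "D:/test.txt"'),
    ("Mysql", 'select * from a into outfile "D:/page.asp"'),
    ("Mysql", "delete from a where id = 1"),
    ("Oracle", "select name from b"),
]

# Executable-program extensions, as listed in table 3 of the patent.
EXECUTABLE_EXT = {"exe", "bat", "sh", "asp"}


@dataclass
class Features:
    """Feature information of one statement (step 201)."""
    keyword: Optional[str]
    operation: str
    table: Optional[str]
    field_value: Optional[str]
    db_type: str


def extract_features(db_type: str, sql: str) -> Features:
    """Analysis module: tokenise once and keep the feature information,
    so no plug-in has to re-parse the statement (assumed tokenizer)."""
    tokens = re.findall(r'"[^"]*"|\'[^\']*\'|\w+|[^\s\w]', sql)
    lower = [t.lower() for t in tokens]
    operation = lower[0] if lower else ""
    keyword = field_value = table = None
    for i, tok in enumerate(lower):
        if tok == "into" and i + 1 < len(lower) and lower[i + 1] == "outfile":
            keyword = "into outfile"
            if i + 2 < len(tokens):
                field_value = tokens[i + 2].strip("\"'")
        elif tok == "from" and i + 1 < len(tokens) and table is None:
            table = tokens[i + 1]
    if keyword is None and operation == "delete":
        keyword = "delete"  # data-changing keyword named in the patent
    return Features(keyword, operation, table, field_value, db_type)


# Configuration "files" for two plug-ins, constructed here as dicts. One rule
# maps to several rule IDs depending on the field value (tables 2 and 3):
# executable extensions -> rule 2, anything else -> rule 1.
# "extensions": None means any value; "db_type": None means any database.
EXPORT_PLUGIN_CONFIG = {
    "db_type": "Mysql",
    "keyword": "into outfile",
    "rules": [{"id": 2, "extensions": EXECUTABLE_EXT},
              {"id": 1, "extensions": None}],
}
DELETE_PLUGIN_CONFIG = {"db_type": None, "keyword": "delete",
                        "rules": [{"id": 3, "extensions": None}]}


def rule_plugin(feats: Features, config: dict) -> Optional[int]:
    """Security rule plug-in (steps 202-203): match the stored features
    against the loaded configuration; return the matched rule ID or None."""
    if config["db_type"] not in (None, feats.db_type):
        return None
    if feats.keyword != config["keyword"]:
        return None
    ext = ""
    if feats.field_value and "." in feats.field_value:
        ext = feats.field_value.rsplit(".", 1)[1].lower()
    for rule in config["rules"]:
        if rule["extensions"] is None or ext in rule["extensions"]:
            return rule["id"]
    return None


# Preset policy per rule ID (constructed names).
POLICIES = {1: "log", 2: "alarm", 3: "log"}


def run_detection(statements, plugin_configs, forbidden=frozenset()):
    """Policy matching module (steps 204 / 304-306): count matched rule IDs,
    drop forbidden ones and return the (statement, rule ID, policy) actions."""
    counts = Counter()
    actions = []
    for db_type, sql in statements:
        feats = extract_features(db_type, sql)  # parsed exactly once
        matched = set()
        for cfg in plugin_configs:  # plug-ins are independent; could run in parallel
            rid = rule_plugin(feats, cfg)
            if rid is not None:
                matched.add(rid)
        counts.update(matched)
        for rid in sorted(matched - set(forbidden)):  # step 305 filter
            actions.append((sql, rid, POLICIES[rid]))  # step 306 policy
    return counts, actions


if __name__ == "__main__":
    counts, actions = run_detection(
        SAMPLE_STATEMENTS, [EXPORT_PLUGIN_CONFIG, DELETE_PLUGIN_CONFIG], forbidden={3})
    for sql, rid, policy in actions:
        print(f"rule {rid} -> {policy}: {sql}")
    print("matched rule counts:", dict(counts))
```

With rule 3 on the forbidden list, the delete statement is counted but produces no action, which is the step 304/305 behaviour.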
An embodiment of the present invention further provides an SQL statement detection system, please refer to fig. 4, where an embodiment of the SQL statement detection system according to the embodiment of the present invention may include:
the analysis module 401 is configured to extract feature information of each statement from a structured query language SQL statement to be detected;
the security rule plug-in 402 is configured to match the feature information according to a corresponding security rule in the configuration file, and determine a security rule ID corresponding to a successfully matched security rule according to a matching result, where the security rule corresponds to at least one security rule ID;
and a policy matching module 403, configured to count the security rule ID successfully matched, and execute a preset security policy corresponding to the security rule ID.
In practical application, for a Structured Query Language (SQL) statement to be detected, the SQL statement can be analyzed according to the lexical method of the SQL statement, feature information in each statement is extracted, the feature information in each statement is stored respectively, and the feature information is matched in parallel by adopting a plurality of safety rule plug-ins 402, so that the detection efficiency is improved.
The specific functions of the SQL statement detection system shown in this embodiment are similar to those described in the embodiment shown in fig. 2, and please refer to the embodiment shown in fig. 2 specifically, which is not described herein again.
Referring to fig. 5, based on the embodiment shown in fig. 4, another embodiment of the SQL statement detection system according to the embodiment of the present invention may include:
the analysis module 401 is configured to extract feature information of each statement from a structured query language SQL statement to be detected;
the security rule plug-in 402 is configured to match the feature information according to a corresponding security rule in the configuration file, and determine a security rule ID corresponding to a successfully matched security rule according to a matching result, where the security rule corresponds to at least one security rule ID;
and a policy matching module 403, configured to count the security rule ID successfully matched, and execute a preset security policy corresponding to the security rule ID.
Optionally, the system in this embodiment may further include:
an updating module 404, configured to update the security rule in the configuration file when the detection requirement changes, so that the security rule plug-in matches new feature information to adapt to a new detection requirement.
Preferably, the feature information in this embodiment includes one or more of a keyword, a table name, a field value, database type information and operation type information. The keywords may include SQL keywords that change data in the database or import data into or export data from it, such as "into outfile" and "delete"; the database type may be Oracle, Mysql, DB2, MS-SQL and the like. The specific types of feature information may be configured reasonably according to the features of the security vulnerabilities to be detected, and neither the types nor the values of the feature information are limited here.
Further, referring to fig. 6, on the basis of the embodiment shown in fig. 5, when the configuration file of the security rule plug-in configures the feature information matched by the plug-in to be a database type, the keyword "into outfile" and a field value, the security rule plug-in 402 includes:
an extracting unit 4021, configured to extract the target field value and the database type from an SQL statement that contains the keyword "into outfile";
a determining unit 4022, configured to determine that the security rule ID corresponding to the successfully matched security rule is a first ID when the target field value is the extension of an executable program, and that it is a second ID when the target field value is not the extension of an executable program.
Further, referring to fig. 7, on the basis of the embodiment shown in fig. 5, the system in this embodiment may further include:
a detection module 405, configured to detect whether the security rule ID is in a preset disabled security rule ID list;
and a filtering module 406, configured to filter out the security rule IDs that are in the preset disabled security rule ID list.
In this embodiment, all feature information in the SQL statement to be detected is analyzed and stored in advance. Each security rule plug-in extracts the feature information it needs according to the preset security rule in its configuration file and determines which security rule ID that feature information conforms to. Because each plug-in only matches against its own preset rule and extracts different information, the plug-ins can be executed concurrently, which improves detection efficiency. Finally, a corresponding action is taken according to the successfully matched security rule ID. When the detection requirement changes as attack means change, only the security rule in the corresponding configuration file needs to be modified, so that the same security rule plug-in gains the capability of detecting the latest attack means; that is, the detection range of the SQL statement detection method in this embodiment is readily extensible.
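The module layout described above (analysis module, configuration-driven security rule plug-ins including the fig. 6 "intoutfile" rule, disabled-ID filtering, and policy matching), as an added Python example that is not the patent's or Sangfor's code. The rule configuration, rule IDs, policy names, executable-extension list and sample statements are constructed for the example; "intoutfile" is read as MySQL's INTO OUTFILE (INTO DUMPFILE is folded into the same keyword as an assumption beyond the page), and the concurrent plug-in execution the text describes is modelled with a thread pool.

```python
"""Config-driven SQL statement detection in the patent's module layout.

Added example, not the patent's or Sangfor's code. The rule configuration,
rule IDs, policy names, executable-extension list and sample statements are
constructed; "intoutfile" is read as MySQL's INTO OUTFILE.
"""
import re
from collections import Counter
from concurrent.futures import ThreadPoolExecutor

# Keywords the page names as able to change or export data. INTO DUMPFILE is
# MySQL's binary-safe sibling of INTO OUTFILE and is folded into the same
# keyword here (an assumption of this example, not something the page states).
KEYWORD_PATTERNS = {
    "intoutfile": re.compile(r"\binto\s+(?:out|dump)file\b", re.I),
    "delete": re.compile(r"\bdelete\b", re.I),
}
OUTFILE_TARGET = re.compile(r"\binto\s+(?:out|dump)file\s+'([^']*)'", re.I)


def analyze(sql: str, db_type: str) -> dict:
    """Analysis module: extract the feature information the page lists
    (keywords, table names, field values, database type, operation type)."""
    stripped = sql.strip()
    return {
        "raw": sql,
        "keywords": [k for k, pat in KEYWORD_PATTERNS.items() if pat.search(sql)],
        "tables": re.findall(r"\b(?:from|update|join|insert\s+into)\s+`?(\w+)`?", sql, re.I),
        "values": re.findall(r"'((?:[^'\\]|\\.)*)'", sql),
        "db_type": db_type.lower(),
        "op_type": stripped.split(None, 1)[0].upper() if stripped else "",
    }


class OutfilePlugin:
    """Security rule plug-in for the fig. 6 rule: a statement of the configured
    database type containing "intoutfile" yields the first ID when the target
    field value (the output path) carries an executable extension, else the
    second ID."""

    def __init__(self, cfg: dict):
        self.cfg = cfg
        self.exts = tuple(e.lower() for e in cfg["exec_extensions"])

    def match(self, f: dict) -> list:
        if f["db_type"] != self.cfg["db_type"] or self.cfg["keyword"] not in f["keywords"]:
            return []
        m = OUTFILE_TARGET.search(f["raw"])  # the plug-in extracts the target field value
        if not m:
            return []
        target = m.group(1).strip().lower()
        return [self.cfg["first_id"] if target.endswith(self.exts) else self.cfg["second_id"]]


class KeywordPlugin:
    """Generic plug-in: the configured keyword present in a statement of the
    configured database type ("*" for any) yields the configured rule ID."""

    def __init__(self, cfg: dict):
        self.cfg = cfg

    def match(self, f: dict) -> list:
        db_ok = self.cfg["db_type"] in ("*", f["db_type"])
        return [self.cfg["rule_id"]] if db_ok and self.cfg["keyword"] in f["keywords"] else []


PLUGIN_TYPES = {"outfile": OutfilePlugin, "keyword": KeywordPlugin}


def load_plugins(config: list) -> list:
    """Build plug-ins from the configuration. Re-running this after editing the
    configuration is the update module: new rules, unchanged plug-in code."""
    return [PLUGIN_TYPES[c["plugin"]](c) for c in config]


def detect(sql: str, db_type: str, plugins: list, disabled=frozenset(), policies=None) -> dict:
    """Run every plug-in over the statement's features concurrently, drop IDs on
    the disabled list (detection + filtering modules), then count the remaining
    IDs and look up their policies (policy matching module)."""
    features = analyze(sql, db_type)
    with ThreadPoolExecutor(max_workers=max(1, len(plugins))) as pool:
        matched = [rid for ids in pool.map(lambda p: p.match(features), plugins) for rid in ids]
    counts = Counter(rid for rid in matched if rid not in disabled)
    actions = {rid: (policies or {}).get(rid, "log") for rid in counts}
    return {"features": features, "rule_ids": dict(counts), "actions": actions}


# Stands in for the plug-ins' configuration file; rule IDs and the executable
# extension list are constructed for this example.
RULE_CONFIG = [
    {"plugin": "outfile", "db_type": "mysql", "keyword": "intoutfile",
     "exec_extensions": [".php", ".jsp", ".aspx", ".exe", ".dll", ".sh"],
     "first_id": "R-1001", "second_id": "R-1002"},
    {"plugin": "keyword", "db_type": "*", "keyword": "delete", "rule_id": "R-2001"},
]
POLICIES = {"R-1001": "block", "R-1002": "alert", "R-2001": "log"}  # constructed
DISABLED = frozenset({"R-2001"})  # preset disabled security rule ID list (constructed)
SAMPLES = [  # constructed statements
    "SELECT id FROM users INTO OUTFILE '/var/www/html/upload.php'",
    "SELECT name FROM users INTO OUTFILE '/tmp/export.csv'",
    "DELETE FROM logs WHERE id = 7",
]

if __name__ == "__main__":
    plugins = load_plugins(RULE_CONFIG)
    for sql in SAMPLES:
        result = detect(sql, "mysql", plugins, DISABLED, POLICIES)
        print(result["rule_ids"], result["actions"], "<-", sql)
```

The first sample statement writes to a path with an executable extension and so maps to the first ID and its "block" policy; the second writes a data file and maps to the second ID; the third matches the "delete" rule, but that ID is on the disabled list and is filtered before any policy is executed. Changing a rule means editing `RULE_CONFIG` and calling `load_plugins` again, which is the update path the text describes.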
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other manners. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
The above-mentioned embodiments are only used for illustrating the technical solutions of the present invention, and not for limiting the same; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (10)

1. An SQL statement detection method, comprising the following steps:
the analysis module extracts feature information of each statement from a Structured Query Language (SQL) statement to be detected, wherein the feature information comprises one or more of keywords, table names, field values, database type information and operation type information;
the security rule plug-in loads a configuration file, matches the feature information according to the corresponding security rule in the configuration file, and determines a security rule ID corresponding to the successfully matched security rule according to the matching result, wherein the security rule corresponds to at least one security rule ID, and different types of feature information correspond to security rule IDs with different values;
and the policy matching module counts the successfully matched security rule IDs and executes a preset security policy corresponding to the security rule ID.
2. The method as recited in claim 1, further comprising:
and when the detection requirement changes, updating the security rules in the configuration file so that the security rule plug-in matches new feature information to adapt to the new detection requirement.
3. The method of claim 2, wherein when the configuration file of the security rule plug-in configures the feature information matched by the security rule plug-in to be the database type, the keyword "intoutfile" and the field value, the determining, according to the matching result, the security rule ID corresponding to the successfully matched security rule comprises:
the security rule plug-in extracts a target field value from an SQL statement containing the keyword "intoutfile" and the type of the database;
when the target field value is the extension of an executable program, the security rule plug-in determines that the security rule ID corresponding to the successfully matched security rule is a first ID;
and when the target field value is not the extension of an executable program, the security rule plug-in determines that the security rule ID corresponding to the successfully matched security rule is a second ID.
4. The method according to any one of claims 1 to 3, wherein before the executing the preset security policy corresponding to the security rule ID, the method further comprises:
detecting whether the security rule ID is in a preset forbidden security rule ID list or not;
filtering out the security rule IDs in the preset forbidden security rule ID list.
5. The method of claim 4, further comprising:
and a plurality of security rule plug-ins match the feature information of each statement simultaneously and in parallel, so as to improve detection efficiency.
6. An SQL statement detection system, comprising:
the analysis module is used for extracting feature information of each statement from the Structured Query Language (SQL) statements to be detected, wherein the feature information comprises one or more of keywords, table names, field values, database type information and operation type information;
the security rule plug-in is used for matching the feature information according to the corresponding security rule in the configuration file and determining the security rule ID corresponding to the successfully matched security rule according to the matching result, wherein the security rule corresponds to at least one security rule ID, and different types of feature information correspond to security rule IDs with different values;
and the policy matching module is used for counting the successfully matched security rule IDs and executing a preset security policy corresponding to the security rule ID.
7. The system of claim 6, further comprising:
and the updating module is used for updating the security rules in the configuration file when the detection requirement changes, so that the security rule plug-in matches new feature information to adapt to the new detection requirement.
8. The system of claim 7, wherein the feature information comprises one or more of a keyword, a table name, a field value, database type information, and operation type information.
9. The system according to claim 8, wherein when the configuration file of the security rule plug-in configures the feature information matched with the security rule plug-in to be a database type, a keyword "intoutfile" and a field value, the security rule plug-in comprises:
the extraction unit is used for extracting, by the security rule plug-in, a target field value from an SQL statement containing the keyword "intoutfile" and the type of the database;
the judging unit is used for determining, by the security rule plug-in, that the security rule ID corresponding to the successfully matched security rule is a first ID when the target field value is the extension of an executable program, and that the security rule ID corresponding to the successfully matched security rule is a second ID when the target field value is not the extension of an executable program.
10. The system of any one of claims 6 to 9, further comprising:
the detection module is used for detecting whether the security rule ID is in a preset forbidden security rule ID list;
and the filtering module is used for filtering out the security rule IDs in the preset forbidden security rule ID list.
CN201710601680.6A 2017-07-21 2017-07-21 SQL statement detection method and system Active CN107368582B (en)


Publications (2)

Publication Number Publication Date
CN107368582A CN107368582A (en) 2017-11-21
CN107368582B true CN107368582B (en) 2020-12-22

Family

ID=60307022




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant