CN110427754B - Network application attack detection method, device, equipment and storage medium - Google Patents

Network application attack detection method, device, equipment and storage medium

Info

Publication number
CN110427754B
Authority
CN
China
Prior art keywords
sentence
statement
detected
sql
determining whether
Prior art date
Legal status
Active
Application number
CN201910740568.XA
Other languages
Chinese (zh)
Other versions
CN110427754A (en)
Inventor
洪旭升
胡珀
马松松
陈剑
李相垚
易楠
周雨阳
牛保龙
胡享梅
唐文辉
Current Assignee
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd
Priority date
Filing date
Publication date
Application filed by Tencent Technology Shenzhen Co Ltd
Priority to CN201910740568.XA
Publication of CN110427754A
Application granted
Publication of CN110427754B
Status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Machine Translation (AREA)
  • Computer And Data Communications (AREA)

Abstract

The application discloses a network application attack detection method, and a corresponding device, equipment and storage medium. The method comprises the following steps: preprocessing a received user request to obtain a payload to be detected; constructing the payload into a statement to be detected and performing Structured Query Language (SQL) syntax analysis on the statement to be detected, so as to determine whether the statement to be detected is an SQL statement; and determining, based on a pre-established scoring model, whether the statement to be detected is an injection attack statement, wherein the scoring model outputs a scoring result for the keywords contained in the statement to be detected according to a mapping between preset keywords and the weight score corresponding to each keyword. According to the technical scheme of the embodiments of the application, an SQL injection attack is identified by judging whether the payload can be constructed into an SQL statement, so that the accuracy of detecting SQL injection is effectively improved.

Description

Network application attack detection method, device, equipment and storage medium
Technical Field
The present disclosure relates generally to the field of information security technologies, and in particular, to a method, an apparatus, a device, and a storage medium for detecting a network application attack.
Background
Structured Query Language (SQL) is a database query and programming language used to access data and to query, update and manage relational databases.
When a program does not strictly validate user input, a user can submit a piece of SQL query code and learn certain data from the result the program returns; this is SQL injection. In an SQL injection attack, an attacker injects and executes arbitrary SQL statements on a business system through request parameters, dumps the database contents and causes data leakage.
At present, SQL injection detection generally relies on regular-expression detection, in which malicious content is matched against characteristic regular expressions; this approach is hard to maintain and error-prone.
Disclosure of Invention
In view of the foregoing drawbacks or shortcomings in the prior art, it is desirable to provide a method, apparatus, device and storage medium for detecting a web application attack that avoid the problems of regular-expression detection and thereby improve the accuracy of detecting SQL injection attacks.
In a first aspect, an embodiment of the present application provides a method for detecting a network application attack, where the method includes:
preprocessing a received user request to obtain a payload to be detected;
constructing the payload into a statement to be detected, and performing Structured Query Language (SQL) syntax analysis on the statement to be detected to determine whether the statement to be detected is an SQL statement;
determining, based on a pre-established scoring model, whether the statement to be detected is an injection attack statement, wherein the scoring model outputs a scoring result for the keywords contained in the statement to be detected according to a mapping between preset keywords and the weight score corresponding to each keyword.
In a second aspect, an embodiment of the present application provides a network application attack detection device, where the device includes:
a preprocessing unit for preprocessing a received user request to obtain a payload to be detected;
a statement construction unit for constructing the payload into a statement to be detected, and performing Structured Query Language (SQL) syntax analysis on the statement to be detected so as to determine whether the statement to be detected is an SQL statement;
and an injection determining unit for determining, based on a pre-established scoring model, whether the statement to be detected is an injection attack statement, wherein the scoring model outputs a scoring result for the keywords contained in the statement to be detected according to a mapping between preset keywords and the weight score corresponding to each keyword.
In a third aspect, embodiments of the present application provide a computer device comprising a memory, a processor, and a computer program stored on the memory and executable on the processor, the processor implementing a method as described in embodiments of the present application when the program is executed.
In a fourth aspect, embodiments of the present application provide a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements a method as described in embodiments of the present application.
According to the network application attack detection method, device, equipment and storage medium of the application, the payload to be detected is constructed into a statement to be detected, whether the statement to be detected is an SQL statement is determined by SQL syntax analysis, and whether the statement to be detected is an injection attack statement is then determined, so that the accuracy of detecting SQL injection attacks is effectively improved.
Drawings
Other features, objects and advantages of the present application will become more apparent upon reading of the detailed description of non-limiting embodiments, made with reference to the following drawings, in which:
FIG. 1 illustrates an application scenario for judging SQL attacks in the prior art;
FIG. 2 is a schematic diagram of an implementation environment of a network application attack detection method according to an embodiment of the present application;
FIG. 3 is a schematic flow chart of a network application attack detection method according to an embodiment of the present application;
FIG. 4 shows a schematic flow chart of implementation step 202 provided in a further embodiment of the present application;
FIG. 5 shows a schematic flow chart of implementation step 202 provided in a further embodiment of the present application;
FIG. 6 shows a schematic flow chart of implementation step 202 provided in a further embodiment of the present application;
FIG. 7 shows a schematic flow chart of implementation step 202 provided in a further embodiment of the present application;
FIG. 8 shows a schematic flow chart of step 204 provided in a further embodiment of the present application;
FIG. 9 is a schematic flow chart of a network application attack detection method according to an embodiment of the present application;
FIG. 10 is a block diagram illustrating an exemplary architecture of a network application attack detection device 800 according to an embodiment of the present application;
FIG. 11 shows a schematic diagram of a computer system suitable for use in implementing the server of the embodiments of the present application.
Detailed Description
The present application is described in further detail below with reference to the drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the related disclosure and not limiting thereof. It should be further noted that, for convenience of description, only the portions related to the disclosure are shown in the drawings.
It should be noted that, in the case of no conflict, the embodiments and features in the embodiments may be combined with each other. The present application will be described in detail below with reference to the accompanying drawings in conjunction with embodiments.
A Web application protection system, also called a Web application level intrusion prevention system or a Web Application Firewall (WAF), protects Web applications by applying a series of security policies to HTTP/HTTPS traffic.
WAF detection cluster 101 may be one or more Web application firewalls, may also include detection clouds, and the like.
The user requests a and e may be in the HTTP/HTTPs request format.
The service back-end machine 102 may be a Real Server (RS), the host that actually processes the user's request.
Rule management system 103 is configured to maintain and manage regular-expression rule policies and to issue them to WAF detection cluster 101 in real time.
As shown in fig. 1, WAF detection cluster 101 receives a user request a sent by a user. The user request may be a normal user request a or a user request e including an SQL injection attack sent by an attacker.
After the user request arrives at the WAF detection cluster 101, the WAF detection cluster 101 determines whether the user request is malicious based on the blacklist-feature regular-expression engine. If the request is malicious (i.e. an SQL injection attack request), the user request is blocked (f); if it is a normal request, it is forwarded to the service back-end machine 102 for a normal response, and the response b is forwarded to the user via the WAF detection cluster 101. The WAF detection cluster 101 forwards the request c to the service back-end machine 102, and after the service back-end machine 102 has processed the request c, it sends a response d to the WAF detection cluster 101.
The blacklist-feature regular-expression engine requires a rule management system 104 to assist in its management. When new attacks appear, the regular rule policies must be continually supplemented. Obviously, the more rule policies there are, the slower detection becomes and the more error-prone their maintenance.
To address these problems, the application provides a method for detecting SQL injection attack requests that needs no rule policy.
Referring to fig. 2, fig. 2 is a schematic diagram illustrating an implementation environment of a network application attack detection method according to an embodiment of the present application.
As shown in fig. 2, the implementation environment may include a WAF detection cluster 101 and a traffic backend machine 103.
The WAF detection cluster 101 receives the user request 102. After the WAF detection cluster 101 performs SQL syntax analysis on the SQL statement, a scoring model scores whether the user request 102 belongs to an attack; if so, the response is blocked. If it is a normal request, it is forwarded to the service back-end machine 103 and a normal response is made. That is, once the detection of the WAF detection cluster 101 identifies a normal user request, the request is forwarded to the service back-end machine 103 to execute a response, the response d is sent to the WAF detection cluster, and the WAF detection cluster 101 sends the response b to the user. If the WAF detection cluster receives a request e injected with an SQL attack statement, request e is blocked directly after detection and judgment, and no regular rule needs to be obtained from the rule management system 103.
By introducing an SQL injection syntax analysis detection engine on the WAF detection cluster side, the method solves the problems of the prior art and effectively improves the accuracy of detecting SQL injection attacks.
Referring to fig. 3, fig. 3 is a flowchart illustrating a method for detecting a network application attack according to an embodiment of the present application. The method may be performed by the WAF detection cluster side.
As shown in fig. 3, the method includes:
in step 201, the received user request is preprocessed to obtain the payload to be detected.
After the WAF receives a user request sent by a user, it preprocesses the request. The user request may be, for example, an HTTP/HTTPS request. Preprocessing the user request yields the Request Payload, in which the request parameters are typically carried, for example in JSON format: { "key": "value", "key": "value"...
In this step, the preprocessing may be, for example, parsing and decoding the user request. Parsing the user request yields its fields, the form parameter key-value pairs and the corresponding encoding mode. The user request is then decoded by the inverse of that encoding, which gives the original Request Payload. Decoding removes the risk that the original Request Payload escapes detection because of an encoding such as URL encoding, multiple URL encoding, base64 encoding or Unicode encoding.
Step 202, constructing the payload into a sentence to be detected, and performing structural query language SQL syntax analysis on the sentence to be detected to determine whether the sentence to be detected is a structural query language SQL sentence.
In this step, the payload is spliced into a statement to be detected according to the SQL injection scenario. Depending on the attack detection condition, the payload is constructed into a different statement to be detected. Attack detection can be generalized, for example, to the following cases:
Case one: single-quote detection chain for parameter values
select a from test where test='%s';
Case two: double-quote detection chain for parameter values
select a from test where test="%s";
Case three: numerical detection chain for parameter values
select a from test where test=%s;
Case four: parameter name detection chain for injection after a field
select a from test where test=1 order by %s;
select a from test where test=1 group by %s;
The payload is judged against the above four cases in turn to construct the statement to be detected.
Whether the spliced statement to be detected is an SQL statement is then determined by SQL parsing. After the payload has been constructed into a statement to be detected, SQL parsing determines whether the statement conforms to the SQL grammar rules. If it does, the statement to be detected is an SQL statement and is input into the pre-established scoring model. If not, none of the detection statements constructed from the payload conforms to SQL syntax, and the payload is considered normal rather than an attack.
SQL parsing may comprise two steps, lexical analysis and syntax analysis. Lexical analysis decomposes the statement to be detected into a token stream according to lexical rules; the token stream contains keywords, identifiers, operators and so on. Lexical analysis does not concern itself with the grammatical meaning or context of the individual tokens it generates.
Syntax analysis checks the token stream produced from the statement to be detected against the SQL grammar rules: if the stream conforms to them, a syntax tree is generated; if not, an error is reported. Lexical analysis may tokenize the input statement, store the tokens in a variable, and pass that variable to syntax analysis. The result of the SQL syntax analysis determines whether the payload is in a normal state: if a syntax tree is generated, the payload to be detected may carry an SQL injection risk; if an error is reported, the payload to be detected is in a normal state and there is no SQL injection risk.
Step 203, determining whether the sentence to be detected is an injection attack sentence based on a pre-established scoring model. The scoring model outputs the scoring result of the keywords contained in the sentences to be detected according to the mapping relation between the preset keywords and the weight scores corresponding to the keywords.
In this step, following the SQL syntax analysis, it is further determined whether the SQL statement is an injection attack statement. For example, the SQL statement can be scored by a scoring model built with a comprehensive algorithm.
In the embodiment of the application, it is first determined whether the user request contains an SQL statement, and then whether that SQL statement conforms to the grammar of an injection attack. The method of detecting SQL injection attacks therefore needs no regular-expression judgment, and the accuracy of SQL injection attack detection can be effectively improved.
Referring to fig. 4, fig. 4 is a schematic flow chart of implementation step 202 according to another embodiment of the present application.
As shown in fig. 4, step 202 may include:
step 301, when the payload includes both single quotation marks and double quotation marks, constructing a first sentence according to a parameter value single quotation mark detection chain;
step 302, determining whether the first sentence accords with the SQL grammar of the structured query language, and if so, determining whether the first sentence is an injection attack sentence based on a pre-established scoring model;
step 303, if not, constructing a second sentence according to the parameter value double-quotation mark detection chain;
step 304, determining whether the second sentence accords with the SQL grammar of the structured query language, if so, determining whether the second sentence is an injection attack sentence based on a pre-established scoring model;
step 305, if not, constructing a third sentence according to the parameter value numerical detection chain;
step 306, determining whether the third sentence conforms to the SQL grammar of the structured query language, and if so, determining whether the third sentence is an injection attack sentence based on a pre-established scoring model;
step 307, if not, constructing a fourth sentence according to the parameter name detection chain;
step 308, determining whether the fourth sentence conforms to the SQL grammar of the structured query language, and if so, determining whether the fourth sentence is an injection attack sentence based on a pre-established scoring model;
step 309, if not, the process ends.
In the embodiment of the application, it is detected whether the payload contains single quotation marks and double quotation marks. When the payload contains both at the same time, complete statements to be detected are constructed in sequence according to the single-quote detection chain, the double-quote detection chain, the numerical detection chain and the parameter name detection chain, so that abnormal statements injected at the injection points of different scenarios are judged. The method effectively improves the accuracy of detecting SQL injection attacks.
Referring to fig. 5, fig. 5 is a schematic flow chart of implementation step 202 according to another embodiment of the present application.
Step 401, when the payload only comprises a single quotation mark, constructing a first sentence according to a parameter value single quotation mark detection chain;
step 402, determining whether the first sentence accords with the SQL grammar of the structured query language, if so, determining whether the first sentence is an injection attack sentence based on a pre-established scoring model;
step 403, if not, constructing a third sentence according to the parameter value numerical detection chain;
step 404, determining whether the third sentence conforms to the structured query language SQL grammar, if so, determining whether the third sentence is an injection attack sentence based on a pre-established scoring model;
step 405, if not, constructing a fourth sentence according to the parameter name detection chain;
step 406, determining whether the fourth sentence conforms to the structured query language SQL grammar, if so, determining whether the fourth sentence is an injection attack sentence based on a pre-established scoring model;
step 407, if not, the process ends.
In the embodiment of the application, whether the payload contains a single quotation mark and a double quotation mark is detected. When only single quotation marks are included, a complete sentence to be detected is constructed in sequence according to the modes of the single quotation mark detection chain, the numerical value detection chain and the parameter name detection chain, so that abnormal sentences injected by injection points of different scenes are judged.
Referring to fig. 6, fig. 6 is a schematic flow chart of implementation step 202 according to another embodiment of the present application.
Step 501, when the payload only comprises double quotation marks, constructing a second sentence according to the parameter value double quotation mark detection chain;
step 502, determining whether the second sentence conforms to the SQL grammar of the structured query language, and if so, determining whether the second sentence is an injection attack sentence based on a pre-established scoring model;
step 503, if not, constructing a third sentence according to the parameter value numerical detection chain;
step 504, determining whether the third sentence conforms to the structured query language SQL grammar, if so, determining whether the third sentence is an injection attack sentence based on a pre-established scoring model;
step 505, if not, constructing a fourth sentence according to the parameter name detection chain;
step 506, determining whether the fourth sentence conforms to the structured query language SQL grammar, if so, determining whether the fourth sentence is an injection attack sentence based on a pre-established scoring model;
step 507, if not, the process ends.
In the embodiment of the application, whether the payload contains a single quotation mark and a double quotation mark is detected. When the payload only comprises double quotation marks, a complete sentence to be detected is constructed in sequence according to the double quotation mark detection chain, the numerical value detection chain and the parameter name detection chain, so that abnormal sentences injected from injection points of different scenes are judged.
Referring to fig. 7, fig. 7 is a schematic flow chart of implementation step 202 according to another embodiment of the present application.
Step 601, when the payload does not comprise a single quotation mark and a double quotation mark, constructing a third statement according to the parameter value numerical detection chain;
step 602, determining whether the third sentence conforms to the SQL grammar of the structured query language, and if so, determining whether the third sentence is an injection attack sentence based on a pre-established scoring model;
step 603, if not, constructing a fourth sentence according to the parameter name detection chain;
step 604, determining whether the fourth sentence conforms to the structured query language SQL grammar, if so, determining whether the fourth sentence is an injection attack sentence based on a pre-established scoring model;
step 605, if not, the process ends.
In the embodiment of the application, whether the payload contains a single quotation mark and a double quotation mark is detected. When the payload comprises neither single quotes nor double quotes, complete statements to be detected are constructed in sequence according to the numerical detection chain and the parameter name detection chain, so that abnormal statements injected at the injection points of different scenarios are judged.
Referring to fig. 8, fig. 8 is a schematic flow chart of step 204 provided in another embodiment of the present application.
Step 701, inputting a sentence to be detected into a pre-established scoring model, and outputting a scoring result of the sentence to be detected;
step 702, comparing the scoring result with a threshold range, and determining the grade of the scoring result of the sentence to be detected;
in step 703, the payload to be detected is processed according to the level.
The keywords may, for example, be divided into the following classes:
NOTE_KEYWORD = ['#', '--', '/*', '*/', '0x', '@@']
OP_KEYWORD = ['\'', '"', '=', '>', '<', '(', ')']
LINK_KEYWORD = ['and', 'or', '&&', '||', 'xor']
HIGH_KEYWORD = ['database', 'schema', 'table', 'column', 'user', 'information_schema',
                'column_name', 'table_name', 'schema_name', 'schemata', 'user_privileges',
                'schema_privileges', 'table_privileges', 'column_privileges', 'load_file',
                'updatexml', 'extractvalue', 'current_user', 'system_user', 'session_user',
                'concat', 'CONCAT_WS', 'group_concat', 'benchmark', 'sysdate']
LOW_KEYWORD = ['union', 'order by', 'group by', 'select', 'from', 'sleep', 'ascii',
               'hex', 'unhex', 'REVERSE', 'mid', 'bin', 'substring', 'substr', 'PROCEDURE',
               'ANALYSE', 'rand', 'floor', 'version', 'columns', 'tables', 'create',
               'update', 'delete', 'insert', 'drop', 'case when']
In the embodiment of the application, the constructed statements to be detected are rated by a scoring model built in advance with a comprehensive algorithm. The scoring model classifies the malicious keywords used in SQL injection according to certain algorithmic rules, assigns each class a corresponding weight, then rates and scores the payload content and outputs a smoothed confidence value.
Whether the payload is an attack is then decided by a set threshold, and the score is classified into a high, medium or low level. An interception policy is applied to high-risk payloads.
In the embodiment of the application, compared with traditional rule detection, which can only give a black-or-not verdict, the level of injection risk of the statement to be detected can be accurately identified, which effectively improves detection accuracy.
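The scoring stage of steps 701 to 703, as an added example that is not the patent's own code: the five keyword classes are the lists above (lower-cased), while the weight per class and the high/medium/low thresholds are values assumed here for illustration, since the patent does not state them.

```python
import re

# Added example, not the patent's code. The five keyword classes are the
# patent's (lower-cased); the per-class weights and the score thresholds are
# assumptions made here, since the patent does not state its values.
TIERS = [
    ("NOTE", 3, ["#", "--", "/*", "*/", "0x", "@@"]),
    ("OP", 1, ["'", '"', "=", ">", "<", "(", ")"]),
    ("LINK", 2, ["and", "or", "&&", "||", "xor"]),
    ("HIGH", 5, ["database", "schema", "table", "column", "user",
                 "information_schema", "column_name", "table_name",
                 "schema_name", "schemata", "user_privileges",
                 "schema_privileges", "table_privileges", "column_privileges",
                 "load_file", "updatexml", "extractvalue", "current_user",
                 "system_user", "session_user", "concat", "concat_ws",
                 "group_concat", "benchmark", "sysdate"]),
    ("LOW", 3, ["union", "order by", "group by", "select", "from", "sleep",
                "ascii", "hex", "unhex", "reverse", "mid", "bin", "substring",
                "substr", "procedure", "analyse", "rand", "floor", "version",
                "columns", "tables", "create", "update", "delete", "insert",
                "drop", "case when"]),
]
THRESHOLDS = [(10, "high"), (5, "medium"), (1, "low")]   # assumed bands

def keyword_pattern(kw):
    """Word keywords match whole words only (so 'table' does not fire inside
    'table_name'); multi-word ones allow any whitespace between the words.
    Symbol keywords such as '--' or '0x' are counted as plain substrings."""
    if kw[0].isalpha():
        return re.compile(r"\b" + r"\s+".join(map(re.escape, kw.split())) + r"\b")
    return re.compile(re.escape(kw))

PATTERNS = [(weight, kw, keyword_pattern(kw))
            for _tier, weight, words in TIERS for kw in words]

def score(payload):
    """Step 701: weighted sum of keyword hits over the lower-cased payload.
    Returns the total plus the per-keyword counts that explain it."""
    text = payload.lower()
    total, hits = 0, {}
    for weight, kw, pat in PATTERNS:
        n = len(pat.findall(text))
        if n:
            hits[kw] = n
            total += n * weight
    return total, hits

def level(total):
    """Step 702: map the score onto the high / medium / low / none bands."""
    for floor, name in THRESHOLDS:
        if total >= floor:
            return name
    return "none"

def verdict(payload):
    """Step 703: the patent intercepts high-risk payloads; everything else is
    forwarded here, with the score kept so an analyst can review the hits."""
    total, hits = score(payload)
    band = level(total)
    action = "block" if band == "high" else "forward"
    return {"score": total, "level": band, "action": action, "hits": hits}
```

With the assumed weights the patent's own payload test' and '1'='1 scores 7 (four quotes, one equals sign, one "and") and lands in the medium band, while a plain numeric value scores 0.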
In order to describe the method for detecting a network application attack provided in the embodiment of the present application in detail, please refer to fig. 9, fig. 9 shows a flow chart of the method for detecting a network application attack provided in the embodiment of the present application.
After the WAF receives a user request sent by a user, it preprocesses the request to obtain the request Payload; assume the Payload is: test' and '1'='1. It is first judged whether the Payload contains both single and double quotation marks. If not, it is judged whether the Payload contains only single quotation marks. If so, a statement to be detected is obtained by splicing according to the parameter value single-quote detection chain; for example, with the chain select a from test where test='%s', the spliced statement to be detected is: select a from test where test='test' and '1'='1'. It is then judged whether the statement to be detected conforms to SQL syntax; if so, the statement is input into the scoring model to score whether it contains malicious keywords. If not, statements to be detected continue to be spliced according to the parameter value numerical detection chain and the parameter name detection chain, to rule out the risks of numerical injection and parameter name injection, until every constructed statement to be detected has been judged, after which corresponding processing is performed according to the judgment result. Each constructed statement to be detected needs to be input into the scoring model only if it conforms to SQL syntax, which reduces the false alarm rate and improves detection accuracy.
The other branches are handled like the case of only single quotation marks: the parameter value single-quote detection chain, parameter value double-quote detection chain, parameter value numerical detection chain and parameter name detection chain are constructed in turn in a step-by-step screening manner. After every SQL injection scenario that could occur has been traversed and detected, if the result is negative the process ends, meaning that the Payload carries no injection risk and is a normal Payload. If a statement conforms to the syntax, it is input into the scoring model for scoring and judgment. Through this step-by-step screening, the embodiment of the application needs no additional regular rules, solves the difficulty of rule maintenance for the policy manager, and at the same time effectively improves detection accuracy.
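The walk-through above, as an added example that is not code from the patent or from Tencent: a small Python implementation of the step 201 decoding, the chain selection of figs. 4 to 7, and the lexical and syntax analysis of step 202. The four templates are the patent's (with spaces added around "order by"/"group by"); the recursive-descent grammar is a deliberately small one of my own that covers the WHERE expression, UNION, GROUP BY and ORDER BY, has no subqueries, and treats any leftover token as "not SQL".

```python
import re
from urllib.parse import unquote

# The four chains are the patent's; the spaces around "order by"/"group by" are mine.
CHAINS = {
    "single": ["select a from test where test='%s'"],
    "double": ['select a from test where test="%s"'],
    "numeric": ["select a from test where test=%s"],
    "param": ["select a from test where test=1 order by %s",
              "select a from test where test=1 group by %s"],
}

def preprocess(raw):  # step 201: strip (possibly repeated) URL encoding
    while unquote(raw) != raw:
        raw = unquote(raw)
    return raw

def chain_order(payload):  # figs. 4-7: chains to try, given the quotes present
    quoted = [c for c, q in (("single", "'"), ("double", '"')) if q in payload]
    return quoted + ["numeric", "param"]

# Lexical analysis: one alternative per token class; blanks and comments are
# dropped, and input that no alternative matches is a lexing error.
TOKEN = re.compile(r"""\s+|(?P<com>--.*|\#.*|/\*.*?\*/)
    |(?P<str>'(?:[^']|'')*'|"(?:[^"]|"")*")|(?P<num>\d+(?:\.\d+)?)
    |(?P<id>[a-z_][\w.]*)|(?P<op><=|>=|<>|!=|&&|\|\||[=<>,()])""", re.X)

def lex(sql):
    pos, toks = 0, []
    while pos < len(sql):
        m = TOKEN.match(sql, pos)
        if not m:                         # e.g. an unterminated quote
            raise SyntaxError("cannot tokenise at offset %d" % pos)
        pos = m.end()
        if m.lastgroup not in (None, "com"):
            toks.append((m.lastgroup, m.group()))
    return toks

LINK = {"and", "or", "xor", "&&", "||"}; CMP = {"=", "<", ">", "<=", ">=", "<>", "!="}

class Parser:
    """Syntax analysis: recursive descent over the small grammar the chains produce."""
    def __init__(self, toks):
        self.t, self.i = toks, 0
    def peek(self):
        return self.t[self.i] if self.i < len(self.t) else (None, None)
    def take(self, want=None):
        kind, text = self.peek()
        if kind is None or want not in (None, text):
            raise SyntaxError("expected %r, got %r" % (want, text))
        self.i += 1
        return kind, text
    def statement(self):
        self.select()
        while self.peek()[1] == "union":
            self.take("union"); self.select()
        for kw in ("group", "order"):
            if self.peek()[1] == kw:
                self.take(kw); self.take("by"); self.list_()
        if self.peek()[0] is not None:    # leftover tokens: not a statement
            raise SyntaxError("trailing token %r" % self.peek()[1])
    def select(self):
        self.take("select"); self.list_()
        if self.peek()[1] == "from":
            self.take("from"); self.take()   # table name, loosely
            if self.peek()[1] == "where":
                self.take("where"); self.expr()
    def list_(self):
        self.expr()
        while self.peek()[1] == ",":
            self.take(","); self.expr()
    def expr(self):
        self.operand()
        if self.peek()[1] in CMP:
            self.take(); self.operand()
        while self.peek()[1] in LINK:
            self.take(); self.expr()
    def operand(self):
        kind, text = self.take()
        if text == "(":                   # parenthesised list or call arguments
            if self.peek()[1] != ")":
                self.list_()
            self.take(")")
        elif kind not in ("str", "num", "id"):
            raise SyntaxError("unexpected %r" % text)
        if kind == "id" and self.peek()[1] == "(":   # function call, e.g. sleep(5)
            self.operand()

def construct(raw):
    """Step 202: (chain, statement) of the first chain that parses as SQL, else None."""
    payload = preprocess(raw)
    for chain in chain_order(payload):
        for template in CHAINS[chain]:
            stmt = template % payload
            try:
                Parser(lex(stmt.lower())).statement()
                return chain, stmt
            except SyntaxError:
                continue
    return None
```

A syntactically valid statement is not yet a verdict: construct("5") succeeds on the numeric chain just as the patent's test' and '1'='1 does on the single-quote chain, and it is the scoring model that separates them, while an ordinary text value such as "hello world" fails every chain and is treated as normal.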
It should be noted that although the operations of the disclosed methods are depicted in the drawings in a particular order, this does not require or imply that the operations must be performed in that particular order or that all illustrated operations be performed in order to achieve desirable results. Rather, the steps depicted in the flowcharts may change the order of execution. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step to perform, and/or one step decomposed into multiple steps to perform.
With further reference to fig. 10, fig. 10 illustrates an exemplary block diagram of a network application attack detection device 800 according to one embodiment of the present application.
A preprocessing unit 801, configured to preprocess a received user request to obtain a payload to be detected.
A statement construction unit 802, configured to construct the payload into a statement to be detected, and perform a structured query language SQL syntax analysis on the statement to determine whether the statement to be detected is a structured query language SQL statement.
An injection determining unit 803, configured to determine whether the statement to be detected is an injection attack statement based on a pre-established scoring model. The scoring model outputs a scoring result for the keywords contained in the statement to be detected according to a mapping relation between preset keywords and the weight scores corresponding to those keywords.
The preprocessing unit 801 is also configured to: analyze the fields contained in the user request and the encoding mode of the payload;
and decode the user request according to the encoding mode to obtain the payload to be detected.
The statement construction unit 802 is also configured to: when the payload contains both a single quotation mark and a double quotation mark, construct a first statement according to the parameter value single quotation mark detection chain, determine whether the first statement conforms to the structured query language SQL grammar, and if so, determine whether the first statement is an injection attack statement based on the pre-established scoring model;
if not, construct a second statement according to the parameter value double quotation mark detection chain, determine whether the second statement conforms to the structured query language SQL grammar, and if so, determine whether the second statement is an injection attack statement based on the pre-established scoring model;
if not, construct a third statement according to the parameter value numerical detection chain, determine whether the third statement conforms to the structured query language SQL grammar, and if so, determine whether the third statement is an injection attack statement based on the pre-established scoring model;
if not, construct a fourth statement according to the parameter name detection chain, determine whether the fourth statement conforms to the structured query language SQL grammar, and if so, determine whether the fourth statement is an injection attack statement based on the pre-established scoring model;
if not, end.
The statement construction unit 802 is further configured to: when the payload contains only a single quotation mark, construct a first statement according to the parameter value single quotation mark detection chain, determine whether the first statement conforms to the structured query language SQL grammar, and if so, determine whether the first statement is an injection attack statement based on the pre-established scoring model;
if not, construct a third statement according to the parameter value numerical detection chain, determine whether the third statement conforms to the structured query language SQL grammar, and if so, determine whether the third statement is an injection attack statement based on the pre-established scoring model;
if not, construct a fourth statement according to the parameter name detection chain, determine whether the fourth statement conforms to the structured query language SQL grammar, and if so, determine whether the fourth statement is an injection attack statement based on the pre-established scoring model;
if not, end.
The statement construction unit 802 is further configured to: when the payload contains only double quotation marks, construct a second statement according to the parameter value double quotation mark detection chain, determine whether the second statement conforms to the structured query language SQL grammar, and if so, determine whether the second statement is an injection attack statement based on the pre-established scoring model;
if not, construct a third statement according to the parameter value numerical detection chain, determine whether the third statement conforms to the structured query language SQL grammar, and if so, determine whether the third statement is an injection attack statement based on the pre-established scoring model;
if not, construct a fourth statement according to the parameter name detection chain, determine whether the fourth statement conforms to the structured query language SQL grammar, and if so, determine whether the fourth statement is an injection attack statement based on the pre-established scoring model;
if not, end.
The statement construction unit 802 is further configured to: when the payload contains neither a single quotation mark nor a double quotation mark, construct a third statement according to the parameter value numerical detection chain, determine whether the third statement conforms to the structured query language SQL grammar, and if so, determine whether the third statement is an injection attack statement based on the pre-established scoring model;
if not, construct a fourth statement according to the parameter name detection chain, determine whether the fourth statement conforms to the structured query language SQL grammar, and if so, determine whether the fourth statement is an injection attack statement based on the pre-established scoring model;
if not, end.
Performing the structured query language SQL grammar analysis on the statement to determine whether the statement to be detected is a structured query language SQL statement comprises the following steps:
decomposing the statement into a stream of word block tokens according to lexical rules;
performing grammar detection analysis on the token stream, and generating a grammar tree if the token stream conforms to the grammar rules of the structured query language SQL; otherwise, reporting an error.
The injection determining unit 803 is further configured to: input the statement to be detected into the pre-established scoring model and output the scoring result of the statement to be detected;
compare the scoring result with a threshold range and determine the grade of the scoring result of the statement to be detected;
and process the payload to be detected according to the grade.
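As an added example, not the patent's code nor any code of the assignee, the following Python implements the step-by-step screening described in the embodiment above together with the lexical analysis, grammar analysis and scoring steps of units 802 and 803. The single quotation mark detection chain is the one given on the page; the other three chain templates, the keyword weight table, the extra weight for a literal-versus-literal comparison, the grade thresholds and the minimal grammar (a single SELECT shape with comparisons joined by AND/OR) are constructed assumptions.

```python
import re

# Chain templates: the single-quote one is the page's example; the other three
# are constructed to match the patent's description of the chains.
CHAINS = {
    "single_quote": "select a from test where test = '%s'",
    "double_quote": 'select a from test where test = "%s"',
    "numeric": "select a from test where test = %s",
    "param_name": "select a from test where %s = 1",
}
KEYWORDS = {"select", "from", "where", "and", "or"}
TOKEN_RE = re.compile(r"""(?P<ws>\s+)
    |(?P<comment>--[^\n]*|\#[^\n]*|/\*.*?\*/)
    |(?P<string>'(?:[^']|'')*'|"(?:[^"]|"")*")
    |(?P<number>\d+(?:\.\d+)?)
    |(?P<ident>[A-Za-z_]\w*)
    |(?P<op><=|>=|<>|!=|[=<>])""", re.VERBOSE | re.DOTALL)
WEIGHTS = {"and": 2, "or": 3, "comment": 3}  # constructed keyword weight table
TAUTOLOGY_WEIGHT = 3  # constructed extra weight for a literal-vs-literal comparison


def tokenize(sql):
    """Lexical step: (kind, text) tokens, or None on a lexical error (e.g. an
    unterminated quote), which already means the text is not SQL."""
    tokens, pos = [], 0
    while pos < len(sql):
        m = TOKEN_RE.match(sql, pos)
        if m is None:
            return None
        kind, text = m.lastgroup, m.group()
        if kind == "ident" and text.lower() in KEYWORDS:
            kind = text.lower()  # keywords become their own token kind
        if kind != "ws":
            tokens.append((kind, text))
        pos = m.end()
    return tokens + [("eof", "")]


class Parser:
    """Grammar step: recursive descent over the one statement shape the chains
    produce, SELECT ident FROM ident WHERE cmp ((AND|OR) cmp)*. A production WAF
    would plug in a full SQL grammar; only the parse/no-parse verdict and the
    count of literal-vs-literal comparisons (tautology candidates) are used."""

    def __init__(self, tokens):
        self.toks = [t for t in tokens if t[0] != "comment"]  # comments are not grammar
        self.i, self.tautologies = 0, 0

    def expect(self, *kinds):
        kind = self.toks[self.i][0]
        if kind not in kinds:
            raise SyntaxError(f"expected {kinds}, got {self.toks[self.i]}")
        self.i += 1
        return kind

    def statement(self):
        for kind in ("select", "ident", "from", "ident", "where"):
            self.expect(kind)
        self.comparison()
        while self.expect("and", "or", "eof") != "eof":
            self.comparison()
        return self.tautologies

    def comparison(self):
        left = self.expect("string", "number", "ident")
        self.expect("op")
        right = self.expect("string", "number", "ident")
        if left != "ident" and right != "ident":
            self.tautologies += 1  # e.g. '1' = '1'


def chain_order(payload):
    """Screening branch chosen by which quotation marks the payload contains."""
    quote_chains = [n for q, n in (("'", "single_quote"), ('"', "double_quote")) if q in payload]
    return quote_chains + ["numeric", "param_name"]


def grade(total):
    """Constructed threshold ranges for the scoring result."""
    return "normal" if total == 0 else "suspicious" if total < 4 else "attack"


def detect(payload):
    """Splice the payload into each chain in turn and score the first spliced
    statement that parses as SQL; if none parses, the payload is not injection."""
    for name in chain_order(payload):
        statement = CHAINS[name] % payload
        tokens = tokenize(statement)
        if tokens is None:
            continue
        try:
            tautologies = Parser(tokens).statement()
        except SyntaxError:
            continue
        total = sum(WEIGHTS.get(k, 0) for k, _ in tokens) + TAUTOLOGY_WEIGHT * tautologies
        return {"chain": name, "statement": statement, "score": total, "grade": grade(total)}
    return {"chain": None, "statement": None, "score": 0, "grade": "normal"}
```

Because scoring runs over the token stream rather than the raw text, a keyword such as "and" inside a string literal (a payload like rock and roll) is never counted, which is what keeps the false alarm rate down in this approach.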
It should be understood that the elements or modules depicted in apparatus 800 correspond to the various steps in the method described with reference to fig. 3. Thus, the operations and features described above with respect to the method are equally applicable to the apparatus 800 and the units contained therein, and are not described in detail herein. The apparatus 800 may be implemented in advance in a browser or other security application of the electronic device, or may be loaded into the browser or security application of the electronic device by means of downloading or the like. The corresponding units in the apparatus 800 may cooperate with units in an electronic device to implement the solutions of the embodiments of the present application.
The division of the modules or units mentioned in the above detailed description is not mandatory. Indeed, the features and functionality of two or more modules or units described above may be embodied in one module or unit in accordance with embodiments of the present disclosure. Conversely, the features and functions of one module or unit described above may be further divided into a plurality of modules or units to be embodied.
Referring now to FIG. 11, there is illustrated a schematic diagram of a computer system 900 suitable for use in implementing the terminal device or server of embodiments of the present application.
As shown in fig. 11, the computer system 900 includes a Central Processing Unit (CPU) 901, which can execute various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 902 or a program loaded from a storage section 908 into a Random Access Memory (RAM) 903. In the RAM 903, various programs and data necessary for the operation of the system 900 are also stored. The CPU 901, ROM 902, and RAM 903 are connected to each other through a bus 904. An input/output (I/O) interface 905 is also connected to the bus 904.
The following components are connected to the I/O interface 905: an input section 506 including a keyboard, a mouse, and the like; an output portion 907 including a display such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and a speaker; a storage portion 908 including a hard disk or the like; and a communication section 909 including a network interface card such as a LAN card, a modem, or the like. The communication section 909 performs communication processing via a network such as the internet. The drive 910 is also connected to the I/O interface 905 as needed. A removable medium 911 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is installed as needed on the drive 910 so that a computer program read out therefrom is installed into the storage section 908 as needed.
In particular, the process described above with reference to flowchart fig. 3 may be implemented as a computer software program according to embodiments of the present disclosure. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a machine-readable medium, the computer program comprising program code for performing the method shown in the flow diagrams. In such an embodiment, the computer program may be downloaded and installed from the network via the communication portion 909 and/or installed from the removable medium 911. When the computer program is executed by a Central Processing Unit (CPU) 901, the above-described functions defined in the system of the present application are performed.
It should be noted that the computer readable medium shown in the present disclosure may be a computer readable signal medium or a computer readable storage medium, or any combination of the two. The computer readable storage medium can be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples of the computer-readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this disclosure, a computer-readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In the present disclosure, however, the computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, with the computer-readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. 
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The units or modules described in the embodiments of the present application may be implemented by software, or may be implemented by hardware. The described units or modules may also be provided in a processor, for example, as: a processor includes a preprocessing unit, a sentence construction analysis unit, and an injection determination unit. Where the names of these units or modules do not constitute a limitation of the unit or module itself in some cases, for example, a preprocessing unit may also be described as "a unit for preprocessing a received user request to obtain a payload to be detected".
As another aspect, the present application also provides a computer-readable storage medium that may be included in the electronic device described in the above embodiments; or may be present alone without being incorporated into the electronic device. The computer-readable storage medium stores one or more programs that when executed by one or more processors perform the web application attack detection method described herein.
The foregoing description is only of the preferred embodiments of the present application and is presented as a description of the principles of the technology being utilized. It will be appreciated by persons skilled in the art that the scope of the disclosure referred to in this application is not limited to the specific combinations of features described above, but is intended to cover other embodiments in which any combination of the features described above or their equivalents is possible without departing from the spirit of the disclosure; for example, embodiments in which the above-described features are replaced by technical features disclosed in the present application that have similar functions (but not limited to these).

Claims (18)

1. A method for detecting a network application attack, the method comprising:
Preprocessing a received user request to obtain a payload to be detected; the payload characterizes data contained in the user request;
constructing the payload into a statement to be detected, and performing Structured Query Language (SQL) grammar analysis on the statement to be detected to determine whether the statement to be detected is a Structured Query Language (SQL) statement; wherein said constructing the payload into a statement to be detected comprises: constructing the payload into statements to be detected based on SQL injection scenes; the statements to be detected comprise a target construction statement corresponding to each detection chain in a plurality of preset injection detection chains corresponding to SQL injection scenes; the plurality of preset injection detection chains comprise a parameter value single quotation mark detection chain, a parameter value double quotation mark detection chain, a parameter value detection chain and a parameter name detection chain; the step of performing the structured query language SQL grammar analysis on the statement to be detected to determine whether the statement to be detected is a structured query language SQL statement includes: decomposing the target construction statement corresponding to each detection chain according to lexical rules to obtain a word block token stream corresponding to each detection chain; performing grammar detection analysis on the word block token stream corresponding to each detection chain to obtain a grammar detection analysis result corresponding to each detection chain; under the condition that the grammar detection analysis result corresponding to any one detection chain in the plurality of preset injection detection chains is a grammar tree, determining that the target construction statement corresponding to that detection chain is a Structured Query Language (SQL) statement; under the condition that the grammar detection analysis result corresponding to any detection chain indicates an error report, determining that the target construction statement corresponding to that detection chain is not a Structured Query Language (SQL) statement;
Determining that the statement to be detected does not belong to an injection attack statement under the condition that the statement to be detected is not a Structured Query Language (SQL) statement; and determining that the sentence to be detected does not belong to the injection attack sentence under the condition that the sentence to be detected is not the structured query language SQL sentence, including: under the condition that the target construction statement corresponding to each detection chain is not a Structured Query Language (SQL) statement, determining that the statement to be detected does not belong to an injection attack statement;
and under the condition that any target construction statement corresponding to a detection chain exists in the statement to be detected and is a Structured Query Language (SQL) statement, determining whether the statement to be detected is the injection attack statement or not based on a pre-established scoring model, wherein the scoring model outputs a scoring result of a keyword contained in the statement to be detected according to a mapping relation between a preset keyword and a weight score corresponding to the keyword.
2. The method for detecting a network application attack according to claim 1, wherein the preprocessing the received user request includes:
analyzing the fields contained in the user request and the encoding mode of the payload;
and decoding the user request according to the encoding mode to obtain the payload to be detected.
3. The web application attack detection method according to claim 1, wherein constructing the payload into a sentence to be detected and performing a structured query language SQL syntax analysis on the sentence to be detected, comprises the steps of:
when the payload includes both single quotation marks and double quotation marks, constructing a first sentence according to the parameter value single quotation mark detection chain,
determining whether the first sentence accords with a Structured Query Language (SQL) grammar, if so, determining whether the first sentence is an injection attack sentence based on a pre-established scoring model;
if not, constructing a second sentence according to the parameter value double-quotation mark detection chain,
determining whether the second sentence accords with a structured query language SQL grammar, if so, determining whether the second sentence is an injection attack sentence based on a pre-established scoring model;
if not, constructing a third statement according to the parameter value numerical value detection chain, determining whether the third statement accords with the SQL grammar of the structured query language, and if so, determining whether the third statement is an injection attack statement based on a pre-established scoring model;
If not, constructing a fourth sentence according to the parameter name detection chain, determining whether the fourth sentence accords with the SQL grammar of the structured query language, and if so, determining whether the fourth sentence is an injection attack sentence based on a pre-established scoring model;
if not, ending.
4. The web application attack detection method according to claim 1, wherein constructing the payload into a sentence to be detected and performing a structured query language SQL syntax analysis on the sentence to be detected, comprises the steps of:
when the payload only comprises a single quotation mark, constructing a first sentence according to a parameter value single quotation mark detection chain, determining whether the first sentence accords with a Structured Query Language (SQL) grammar, and if so, determining whether the first sentence is an injection attack sentence based on a pre-established scoring model;
if not, constructing a third statement according to the parameter value numerical value detection chain, determining whether the third statement accords with the SQL grammar of the structured query language, and if so, determining whether the third statement is an injection attack statement based on a pre-established scoring model;
if not, constructing a fourth sentence according to the parameter name detection chain, determining whether the fourth sentence accords with the SQL grammar of the structured query language, and if so, determining whether the fourth sentence is an injection attack sentence based on a pre-established scoring model;
If not, ending.
5. The web application attack detection method according to claim 1, wherein constructing the payload into a sentence to be detected and performing a structured query language SQL syntax analysis on the sentence to be detected, comprises the steps of:
when the payload only comprises double quotation marks, constructing a second sentence according to a parameter value double quotation mark detection chain, determining whether the second sentence accords with a Structured Query Language (SQL) grammar, and if so, determining whether the second sentence is an injection attack sentence based on a pre-established scoring model;
if not, constructing a third statement according to the parameter value numerical value detection chain, determining whether the third statement accords with the SQL grammar of the structured query language, and if so, determining whether the third statement is an injection attack statement based on a pre-established scoring model;
if not, constructing a fourth sentence according to the parameter name detection chain, determining whether the fourth sentence accords with the SQL grammar of the structured query language, and if so, determining whether the fourth sentence is an injection attack sentence based on a pre-established scoring model;
if not, ending.
6. The web application attack detection method according to claim 1, wherein constructing the payload into a sentence to be detected and performing a structured query language SQL syntax analysis on the sentence to be detected, comprises:
When the payload does not comprise a single quotation mark and a double quotation mark, constructing a third statement according to a parameter value numerical detection chain, determining whether the third statement accords with a Structured Query Language (SQL) grammar, and if so, determining whether the third statement is an injection attack statement based on a pre-established scoring model;
if not, constructing a fourth sentence according to the parameter name detection chain, determining whether the fourth sentence accords with the SQL grammar of the structured query language, and if so, determining whether the fourth sentence is an injection attack sentence based on a pre-established scoring model;
if not, ending.
7. The web application attack detection method according to claim 1, wherein the performing a structured query language SQL syntax analysis on the sentence to be detected to determine whether the sentence to be detected is a structured query language SQL sentence comprises:
decomposing the sentences to be detected into word block token streams according to lexical rules;
carrying out grammar detection analysis on the word block token stream, and generating a grammar tree if the word block token stream accords with the grammar rule of the structured query language SQL; otherwise, reporting the error.
8. The method for detecting a web application attack according to claim 1, wherein the determining whether the sentence to be detected is an injected attack sentence based on a pre-established scoring model comprises:
Inputting the sentence to be detected into a pre-established scoring model, and outputting the scoring result of the sentence to be detected;
comparing the scoring result with a threshold range, and determining the grade of the scoring result of the sentence to be detected;
and processing the payload to be detected according to the grade.
9. A network application attack detection device, the device comprising:
a preprocessing unit for preprocessing a received user request to obtain a payload to be detected; the payload characterizes data contained in the user request;
the sentence construction analysis unit is used for constructing the payload into a statement to be detected, and performing Structured Query Language (SQL) grammar analysis on the statement to be detected so as to determine whether the statement to be detected is a Structured Query Language (SQL) statement or not; wherein said constructing the payload into a statement to be detected comprises: constructing the payload into statements to be detected based on SQL injection scenes; the statements to be detected comprise a target construction statement corresponding to each detection chain in a plurality of preset injection detection chains corresponding to SQL injection scenes; the plurality of preset injection detection chains comprise a parameter value single quotation mark detection chain, a parameter value double quotation mark detection chain, a parameter value detection chain and a parameter name detection chain; the step of performing the structured query language SQL grammar analysis on the statement to be detected to determine whether the statement to be detected is a structured query language SQL statement includes: decomposing the target construction statement corresponding to each detection chain according to lexical rules to obtain a word block token stream corresponding to each detection chain; performing grammar detection analysis on the word block token stream corresponding to each detection chain to obtain a grammar detection analysis result corresponding to each detection chain; under the condition that the grammar detection analysis result corresponding to any one detection chain in the plurality of preset injection detection chains is a grammar tree, determining that the target construction statement corresponding to that detection chain is a Structured Query Language (SQL) statement; under the condition that the grammar detection analysis result corresponding to any detection chain indicates an error report, determining that the target construction statement corresponding to that detection chain is not a Structured Query Language (SQL) statement;
A non-injection determining unit, configured to determine that the sentence to be detected does not belong to an injection attack sentence, in the case that the sentence to be detected is not a structured query language SQL sentence; and determining that the sentence to be detected does not belong to the injection attack sentence under the condition that the sentence to be detected is not the structured query language SQL sentence, including: under the condition that the target construction statement corresponding to each detection chain is not a Structured Query Language (SQL) statement, determining that the statement to be detected does not belong to an injection attack statement;
the injection determining unit is used for determining whether the statement to be detected is the injection attack statement or not based on a pre-established scoring model under the condition that a target construction statement corresponding to any detection chain exists in the statement to be detected and is a Structured Query Language (SQL) statement, and the scoring model is used for outputting scoring results of keywords contained in the statement to be detected according to a mapping relation between preset keywords and weight scores corresponding to the keywords.
10. The apparatus of claim 9, wherein the preprocessing unit is further configured to: analyze the fields contained in the user request and the encoding mode of the payload;
and decode the user request according to the encoding mode to obtain the payload to be detected.
11. The apparatus of claim 9, wherein the sentence construction analysis unit is further configured to: when the payload includes both single quotation marks and double quotation marks, construct a first sentence according to the parameter value single quotation mark detection chain,
determining whether the first sentence accords with a Structured Query Language (SQL) grammar, if so, determining whether the first sentence is an injection attack sentence based on a pre-established scoring model;
if not, constructing a second sentence according to the parameter value double-quotation mark detection chain,
determining whether the second sentence accords with a structured query language SQL grammar, if so, determining whether the second sentence is an injection attack sentence based on a pre-established scoring model;
if not, constructing a third statement according to the parameter-value numeric detection chain, determining whether the third statement conforms to SQL grammar, and if so, determining whether the third statement is an injection attack statement based on a pre-established scoring model;
if not, constructing a fourth statement according to the parameter-name detection chain, determining whether the fourth statement conforms to SQL grammar, and if so, determining whether the fourth statement is an injection attack statement based on a pre-established scoring model;
if not, ending.
12. The apparatus of claim 9, wherein the statement construction analysis unit is further configured to: when the payload comprises only single quotation marks, constructing a first statement according to a parameter-value single-quote detection chain, determining whether the first statement conforms to Structured Query Language (SQL) grammar, and if so, determining whether the first statement is an injection attack statement based on a pre-established scoring model;
if not, constructing a third statement according to the parameter-value numeric detection chain, determining whether the third statement conforms to SQL grammar, and if so, determining whether the third statement is an injection attack statement based on a pre-established scoring model;
if not, constructing a fourth statement according to the parameter-name detection chain, determining whether the fourth statement conforms to SQL grammar, and if so, determining whether the fourth statement is an injection attack statement based on a pre-established scoring model;
if not, ending.
13. The apparatus of claim 9, wherein the statement construction analysis unit is further configured to: when the payload comprises only double quotation marks, constructing a second statement according to a parameter-value double-quote detection chain, determining whether the second statement conforms to Structured Query Language (SQL) grammar, and if so, determining whether the second statement is an injection attack statement based on a pre-established scoring model;
if not, constructing a third statement according to the parameter-value numeric detection chain, determining whether the third statement conforms to SQL grammar, and if so, determining whether the third statement is an injection attack statement based on a pre-established scoring model;
if not, constructing a fourth statement according to the parameter-name detection chain, determining whether the fourth statement conforms to SQL grammar, and if so, determining whether the fourth statement is an injection attack statement based on a pre-established scoring model;
if not, ending.
14. The apparatus of claim 9, wherein the statement construction analysis unit is further configured to: when the payload comprises neither a single quotation mark nor a double quotation mark, constructing a third statement according to a parameter-value numeric detection chain, determining whether the third statement conforms to Structured Query Language (SQL) grammar, and if so, determining whether the third statement is an injection attack statement based on a pre-established scoring model;
if not, constructing a fourth statement according to the parameter-name detection chain, determining whether the fourth statement conforms to SQL grammar, and if so, determining whether the fourth statement is an injection attack statement based on a pre-established scoring model;
if not, ending.
15. The apparatus according to claim 9, wherein the statement construction analysis unit comprises:
a decomposition module, configured to decompose the statement to be detected into a token stream according to lexical rules;
a syntax analysis module, configured to perform syntax analysis on the token stream and, if the token stream conforms to the grammar rules of the Structured Query Language (SQL), generate a syntax tree; otherwise, report an error.
16. The apparatus of claim 9, wherein the injection determination unit is further configured to: inputting the statement to be detected into a pre-established scoring model, and outputting a scoring result for the statement to be detected;
comparing the scoring result with threshold ranges, and determining the grade of the scoring result of the statement to be detected;
and processing the payload to be detected according to the grade.
17. A computer device comprising a memory, a processor, and a computer program stored on the memory and executable on the processor, wherein the processor, when executing the program, implements the method of any one of claims 1-8.
18. A computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the method of any one of claims 1-8.
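The procedure the claims describe can be read end to end: claims 11-14 pick an ordered list of "detection chains" from the quote characters in the payload, build one candidate statement per chain and stop at the first one that parses; claim 15 splits that statement into a token stream and checks it against SQL grammar; claim 16 scores it and maps the score onto a grade. The Python below is an added, constructed example of that flow, not the patent's implementation (the page discloses none). Everything not stated in the claims is an assumption and is marked as such in the code: the statement template behind each chain, the scoring model's features and weights, the grade thresholds, and the use of SQLite's own parser (via EXPLAIN against a throwaway in-memory schema) as the grammar check. The sample payloads are constructed.

```python
import re
import sqlite3

# ASSUMED templates for the four detection chains the claims name. The patent
# gives no concrete templates; these are illustrative only.
CHAIN_TEMPLATES = {
    "value_single_quote": "SELECT c FROM t WHERE c = '{}'",
    "value_double_quote": 'SELECT c FROM t WHERE c = "{}"',
    "value_numeric":      "SELECT c FROM t WHERE n = {}",
    "param_name":         "SELECT c FROM t ORDER BY {}",
}

KEYWORDS = {"SELECT", "FROM", "WHERE", "AND", "OR", "NOT", "UNION", "ALL",
            "ORDER", "BY", "LIKE", "IN", "NULL", "AS", "LIMIT", "INSERT",
            "UPDATE", "DELETE", "DROP", "TABLE", "INTO", "VALUES", "SET",
            "SLEEP", "BENCHMARK"}

# Lexical rules for claim 15: one alternative per token class. Text the rules
# do not cover becomes an "error" token rather than being silently dropped.
TOKEN_RE = re.compile(r"""
    (?P<ws>\s+)
  | (?P<comment>--[^\n]*|\#[^\n]*|/\*.*?\*/)
  | (?P<string>'(?:[^']|'')*'|"(?:[^"]|"")*")
  | (?P<number>\d+(?:\.\d+)?)
  | (?P<word>[A-Za-z_][A-Za-z0-9_]*)
  | (?P<op><>|!=|<=|>=|\|\||[=<>+\-*/%])
  | (?P<punct>[(),;.])
  | (?P<error>.)
""", re.VERBOSE | re.DOTALL)

# ASSUMED threshold ranges for the grades of claim 16.
GRADE_RANGES = ((0.0, 3.0, "pass"), (3.0, 6.0, "log"), (6.0, float("inf"), "block"))

# SQLite error texts that mean the statement did not parse at all.
GRAMMAR_FAILURES = ("syntax error", "unrecognized token", "incomplete input")


def select_chains(payload):
    """Claims 11-14: order the chains by which quote characters the payload holds."""
    chains = []
    if "'" in payload:
        chains.append("value_single_quote")
    if '"' in payload:
        chains.append("value_double_quote")
    return chains + ["value_numeric", "param_name"]


def tokenize(sql):
    """Claim 15, decomposition: turn a statement into a (kind, text) token stream."""
    tokens = []
    for m in TOKEN_RE.finditer(sql):
        kind, text = m.lastgroup, m.group()
        if kind == "ws":
            continue
        if kind == "word" and text.upper() in KEYWORDS:
            kind = "keyword"
        tokens.append((kind, text))
    return tokens


def new_checker():
    """In-memory SQLite holding just the schema the templates reference."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t (c TEXT, n INTEGER)")
    return conn


def conforms_to_grammar(sql, conn):
    """Claim 15, syntax analysis, delegated to SQLite's parser via EXPLAIN.
    Only lexical/syntactic failures count as non-conforming: a name-resolution
    error ("no such column") or the stacked-statement refusal means the text
    parsed, so such a statement is passed on to scoring."""
    try:
        conn.execute("EXPLAIN " + sql)
        return True
    except (sqlite3.Error, sqlite3.Warning) as exc:
        return not any(f in str(exc) for f in GRAMMAR_FAILURES)


def score_statement(tokens):
    """ASSUMED scoring model for claim 16: weighted token features. The
    patent's model is only described as "pre-established"."""
    upper = [t.upper() for _, t in tokens]
    score = 2.0 * upper.count("OR") + 4.0 * upper.count("UNION")
    score += 3.0 * sum(1 for k, _ in tokens if k == "comment")
    score += 4.0 * sum(1 for w in upper
                       if w in ("DROP", "DELETE", "UPDATE", "INSERT", "SLEEP", "BENCHMARK"))
    if ("punct", ";") in tokens:                    # stacked statement
        score += 4.0
    for i in range(1, len(tokens) - 1):             # tautology: literal = same literal
        if (tokens[i] == ("op", "=")
                and tokens[i - 1][0] in ("string", "number")
                and tokens[i - 1] == tokens[i + 1]):
            score += 6.0
    return score


def grade(score):
    """Claim 16: map the scoring result onto its threshold range."""
    for lo, hi, label in GRADE_RANGES:
        if lo <= score < hi:
            return label
    return "block"


def detect(payload, conn):
    """Claims 11-14 end to end: the first chain whose statement parses is scored
    and graded; if no chain parses, the procedure ends with no verdict."""
    for chain in select_chains(payload):
        stmt = CHAIN_TEMPLATES[chain].format(payload)
        if conforms_to_grammar(stmt, conn):
            s = score_statement(tokenize(stmt))
            return {"chain": chain, "statement": stmt, "score": s, "grade": grade(s)}
    return {"chain": None, "statement": None, "score": 0.0, "grade": "end"}


if __name__ == "__main__":
    conn = new_checker()
    # Constructed sample payloads, not taken from the patent.
    for p in ["42", "' OR '1'='1", "1 UNION SELECT n FROM t --",
              "1; DROP TABLE t --", "O'Brien", "'"]:
        r = detect(p, conn)
        print(f"{p!r:30} -> {r['chain']} {r['grade']} ({r['score']:.0f})")
```

Two behaviours of the flow are worth noticing when running it. A lone apostrophe, or a benign value such as `O'Brien`, fails grammar in every chain and so reaches "ending" with no verdict, which is how the claims treat a quote that does not complete a statement. And the grammar check is only as good as its dialect: SQLite rejects a MySQL `#` comment as an unrecognized token, so a payload relying on it would also fall through to "ending"; a deployment would need a parser for the target database's dialect rather than the stand-in used here.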
CN201910740568.XA 2019-08-12 2019-08-12 Network application attack detection method, device, equipment and storage medium Active CN110427754B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910740568.XA CN110427754B (en) 2019-08-12 2019-08-12 Network application attack detection method, device, equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910740568.XA CN110427754B (en) 2019-08-12 2019-08-12 Network application attack detection method, device, equipment and storage medium

Publications (2)

Publication Number Publication Date
CN110427754A CN110427754A (en) 2019-11-08
CN110427754B true CN110427754B (en) 2024-02-13

Family

ID=68414178

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910740568.XA Active CN110427754B (en) 2019-08-12 2019-08-12 Network application attack detection method, device, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN110427754B (en)

Families Citing this family (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113111345B (en) * 2020-01-13 2024-05-24 深信服科技股份有限公司 XXE attack detection method, system, equipment and computer storage medium
CN113141331A (en) * 2020-01-17 2021-07-20 深信服科技股份有限公司 XSS attack detection method, device, equipment and medium
CN113821791B (en) * 2020-06-18 2024-07-12 中国电信股份有限公司 Method, system, storage medium and device for detecting SQL injection
CN112084499A (en) * 2020-09-11 2020-12-15 杭州安恒信息技术股份有限公司 0day attack detection method, device, equipment and medium based on syntactic analysis
CN114666078B (en) * 2020-12-08 2022-12-20 北京中科网威信息技术有限公司 Method and system for detecting SQL injection attack, electronic equipment and storage medium
CN112822187B (en) * 2020-12-31 2022-12-09 山石网科通信技术股份有限公司 Network attack detection method and device
CN112783916A (en) * 2021-01-04 2021-05-11 广州海量数据库技术有限公司 SQL statement auditing method and device, storage medium and electronic equipment
CN114244558B (en) * 2021-11-09 2023-10-27 上海浦东发展银行股份有限公司 Injection attack detection method, injection attack detection device, computer equipment and readable storage medium
US20230185899A1 (en) * 2021-12-15 2023-06-15 Microsoft Technology Licensing, Llc Code injection detection using syntactic deviation
US20230205882A1 (en) * 2021-12-29 2023-06-29 Microsoft Technology Licensing, Llc Detecting malicious queries using syntax metrics
CN114598526B (en) * 2022-03-07 2023-08-18 四川大学 Structured query language injection detection method

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103744802A (en) * 2013-12-20 2014-04-23 北京奇虎科技有限公司 Method and device for identifying SQL injection attacks
CN106991322A (en) * 2016-01-21 2017-07-28 北京启明星辰信息安全技术有限公司 Method and device for detecting Structured Query Language (SQL) injection attacks
CN107038161A (en) * 2015-07-13 2017-08-11 阿里巴巴集团控股有限公司 Data filtering device and method
CN107273465A (en) * 2017-06-05 2017-10-20 环球智达科技(北京)有限公司 SQL injection detection method
CN107292167A (en) * 2017-06-27 2017-10-24 北京计算机技术及应用研究所 SQL statement security detection method based on a simplified syntax tree
CN108763887A (en) * 2018-05-23 2018-11-06 腾讯科技(深圳)有限公司 Database operation request verification method, apparatus, server and storage medium

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050273859A1 (en) * 2004-06-04 2005-12-08 Brian Chess Apparatus and method for testing secure software

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103744802A (en) * 2013-12-20 2014-04-23 北京奇虎科技有限公司 Method and device for identifying SQL injection attacks
CN107038161A (en) * 2015-07-13 2017-08-11 阿里巴巴集团控股有限公司 Data filtering device and method
CN106991322A (en) * 2016-01-21 2017-07-28 北京启明星辰信息安全技术有限公司 Method and device for detecting Structured Query Language (SQL) injection attacks
CN107273465A (en) * 2017-06-05 2017-10-20 环球智达科技(北京)有限公司 SQL injection detection method
CN107292167A (en) * 2017-06-27 2017-10-24 北京计算机技术及应用研究所 SQL statement security detection method based on a simplified syntax tree
CN108763887A (en) * 2018-05-23 2018-11-06 腾讯科技(深圳)有限公司 Database operation request verification method, apparatus, server and storage medium

Also Published As

Publication number Publication date
CN110427754A (en) 2019-11-08

Similar Documents

Publication Publication Date Title
CN110427754B (en) Network application attack detection method, device, equipment and storage medium
US11961021B2 (en) Complex application attack quantification, testing, detection and prevention
US11108817B2 (en) SQL injection interception detection method and device, apparatus and computer readable medium
US10885185B2 (en) Graph model for alert interpretation in enterprise security system
US11212305B2 (en) Web application security methods and systems
US10503908B1 (en) Vulnerability assessment based on machine inference
US9787722B2 (en) Integrated development environment (IDE) for network security configuration files
US10528731B1 (en) Detecting malicious program code using similarity of hashed parsed trees
US9436730B2 (en) Methods and systems for validating input data
US11818144B2 (en) Security appliance to monitor networked computing environment
US12032682B2 (en) Systems and methods for improving accuracy in recognizing and neutralizing injection attacks in computer services
US11651079B2 (en) Systems and methods for automated system requirement analysis
CN113194058A (en) WEB attack detection method, equipment, website application layer firewall and medium
US20190311131A1 (en) Staged dynamic taint flow inference
US9600644B2 (en) Method, a computer program and apparatus for analyzing symbols in a computer
Nguyen et al. Improving web application firewalls with automatic language detection
CN117056347A (en) SQL statement true-injection detection method, device, computer equipment and storage medium
US11588844B1 (en) Distributing search loads to optimize security event processing
CN117331920A (en) Data quality detection processing method and device
CN112989403B (en) Database damage detection method, device, equipment and storage medium
TWI696080B (en) System and implementing method for managing security of information based on inspection of database log file
US12093374B1 (en) Cybersecurity incident response techniques utilizing artificial intelligence
CN115022060B (en) Real-time filtering method and device for network attack
US20220279013A1 (en) Flexible deterministic finite automata (dfa) tokenizer for ai-based malicious traffic detection
US20240195841A1 (en) System and method for manipulation of secure data

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant