CN111488590A - SQ L injection detection method based on user behavior credibility analysis - Google Patents
SQ L injection detection method based on user behavior credibility analysis Download PDFInfo
- Publication number
- CN111488590A CN111488590A CN202010475089.2A CN202010475089A CN111488590A CN 111488590 A CN111488590 A CN 111488590A CN 202010475089 A CN202010475089 A CN 202010475089A CN 111488590 A CN111488590 A CN 111488590A
- Authority
- CN
- China
- Prior art keywords
- user
- behavior
- data
- injection
- user behavior
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000002347 injection Methods 0.000 title claims abstract description 51
- 239000007924 injection Substances 0.000 title claims abstract description 51
- 238000001514 detection method Methods 0.000 title claims abstract description 46
- 238000004458 analytical method Methods 0.000 title claims abstract description 21
- 230000006399 behavior Effects 0.000 claims description 97
- 238000000034 method Methods 0.000 claims description 16
- 239000013598 vector Substances 0.000 claims description 16
- 238000012549 training Methods 0.000 claims description 14
- 230000008569 process Effects 0.000 claims description 7
- 238000012545 processing Methods 0.000 claims description 6
- 230000004044 response Effects 0.000 claims description 5
- 238000001914 filtration Methods 0.000 claims description 3
- 239000011159 matrix material Substances 0.000 claims description 3
- 230000005856 abnormality Effects 0.000 claims description 2
- 238000012512 characterization method Methods 0.000 claims description 2
- 238000012216 screening Methods 0.000 claims description 2
- 238000011897 real-time detection Methods 0.000 abstract description 3
- 239000000523 sample Substances 0.000 description 18
- 238000012360 testing method Methods 0.000 description 9
- 230000008859 change Effects 0.000 description 5
- 238000005457 optimization Methods 0.000 description 5
- 239000012634 fragment Substances 0.000 description 4
- 230000003068 static effect Effects 0.000 description 4
- 238000005516 engineering process Methods 0.000 description 3
- 230000006870 function Effects 0.000 description 3
- 238000005070 sampling Methods 0.000 description 3
- 239000003795 chemical substances by application Substances 0.000 description 2
- 238000011156 evaluation Methods 0.000 description 2
- 238000011160 research Methods 0.000 description 2
- 238000000638 solvent extraction Methods 0.000 description 2
- 235000012571 Ficus glomerata Nutrition 0.000 description 1
- 244000153665 Ficus glomerata Species 0.000 description 1
- 230000002159 abnormal effect Effects 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 230000008901 benefit Effects 0.000 description 1
- 238000010276 construction Methods 0.000 description 1
- 230000006378 damage Effects 0.000 description 1
- 230000007547 defect Effects 0.000 description 1
- 230000003111 delayed effect Effects 0.000 description 1
- 230000002708 enhancing effect Effects 0.000 description 1
- 239000000284 extract Substances 0.000 description 1
- 238000002864 sequence alignment Methods 0.000 description 1
- 238000012163 sequencing technique Methods 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/577—Assessing vulnerabilities and evaluating computer system security
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/36—Preventing errors by testing or debugging software
- G06F11/3668—Software testing
- G06F11/3672—Test management
- G06F11/3688—Test management for test execution, e.g. scheduling of test suites
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/20—Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
- G06F16/24—Querying
- G06F16/242—Query formulation
- G06F16/2433—Query languages
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F18/00—Pattern recognition
- G06F18/20—Analysing
- G06F18/23—Clustering techniques
- G06F18/232—Non-hierarchical techniques
- G06F18/2321—Non-hierarchical techniques using statistics or function optimisation, e.g. modelling of probability density functions
- G06F18/23213—Non-hierarchical techniques using statistics or function optimisation, e.g. modelling of probability density functions with fixed number of clusters, e.g. K-means clustering
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/562—Static detection
- G06F21/563—Static detection by source code analysis
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- General Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Physics & Mathematics (AREA)
- Computer Hardware Design (AREA)
- Software Systems (AREA)
- General Physics & Mathematics (AREA)
- Data Mining & Analysis (AREA)
- Virology (AREA)
- Health & Medical Sciences (AREA)
- General Health & Medical Sciences (AREA)
- Life Sciences & Earth Sciences (AREA)
- Probability & Statistics with Applications (AREA)
- Computer Vision & Pattern Recognition (AREA)
- Bioinformatics & Cheminformatics (AREA)
- Artificial Intelligence (AREA)
- Evolutionary Biology (AREA)
- Evolutionary Computation (AREA)
- Bioinformatics & Computational Biology (AREA)
- Quality & Reliability (AREA)
- Mathematical Physics (AREA)
- Computational Linguistics (AREA)
- Databases & Information Systems (AREA)
- Computing Systems (AREA)
- Computer And Data Communications (AREA)
Abstract
The invention relates to web security detection, and discloses a SQ L injection detection method based on user behavior credibility analysis, which realizes the real-time detection of SQ L injection attack, enhances the security, and reduces the false alarm and false negative rate.
Description
Technical Field
The invention relates to web security detection, in particular to an SQ L injection detection method based on user behavior credibility analysis.
Background
At present, among a plurality of Web application vulnerabilities, SQ L injection vulnerabilities become places where attacks can be frequently utilized, and are one of the oldest, most popular and most dangerous Web application program vulnerabilities.
The SQ L injection is an attack of adding or inserting illegal SQ L statement fragments into request parameters of the Web application, the inserted SQ L statement fragments can dynamically construct SQ L statements in the Web application, the illegal SQ L code fragments can cause the change of the grammar and the semantics of the original SQ L statements, and finally the Web background application can transmit the modified illegal SQ L statements to a database for analysis and execution.
SQ L injection attacks can be broadly divided into two categories:
(1) direct attack-the attack code is inserted directly into the request parameters, which are then placed into the SQ L command for execution when the SQ L command is dynamically constructed.
(2) When the Web application needs to use the character strings stored in the database before to complete certain functions, the stored character strings are taken out of the database and are placed into an SQ L statement spliced dynamically, and therefore malicious SQ L code can be executed.
Due to the fact that the SQ L language has the characteristic of diversity, the language structure is changeable, the SQ L language also supports different coding modes, if Web applications do not verify the untrusted data used for constructing the SQ L code, the data are likely to cause structural and semantic changes of the original SQ L statement, if an attacker finds such a vulnerability, user information and sensitive data are likely to be leaked, the attacker can acquire an account password of a database system, improve the authority of a common user, authorize the normal user, and change or delete information in the database.
The main detection methods for SQ L injection in the conventional technology include the following:
1. program analysis:
the SQ L Probe is an SQ L injection detection system realized based on program analysis, the detection system statically detects Web application codes through a data flow tracking technology, analyzes and determines a path of user data input to obtain a suspicious injection point in a Web application program, then carries out syntax and lexical analysis on the suspicious injection point to establish an abstract SQ L statement representation form, uses a finite state machine to establish and store a legal query statement state model in the Web application, converts the generated SQ L statement into an abstract syntax tree in the program dynamic running process, matches the abstract syntax tree with a prestored legal model, and proves that an attack occurs if the match is wrong, but the detection accuracy mainly depends on the accuracy of the static analysis process and the correctness of the SQ L statement abstract model.
2. Black box test and white box test:
the method comprises the steps of testing whether an SQ L injection vulnerability exists in an application system or not by simulating SQ L injection attack behavior characteristics and according to a server response result in the actual operation of the system under the condition of not knowing source codes, and testing and analyzing which places have the SQ L injection vulnerability and searching specific positions of the vulnerability from the source codes under the condition of obtaining Web application source codes by a white box test, wherein the white box test needs to obtain the source codes of the system by detecting the SQ L injection attack, and the black box test needs to detect the SQ L injection attack without installing any program on the server, does not need to obtain the source codes of the system and know an internal implementation form, but the detection accuracy depends on a complete test case.
3. Static analysis and dynamic analysis:
one advantage of static code analysis is that the Web application under test does not need to be run in advance, but rather, the data flow and the control flow of the program are scanned, and the program is analyzed to find whether codes with known vulnerability type patterns exist, so as to determine whether SQ L vulnerability injection exists.
4. Pattern matching:
researchers at home and abroad combine static pattern detection with dynamic feature filtering to provide a method for defending SQ L injection attacks, the method extracts all normal and legal SQ L sentences to construct a knowledge base through automatically learning a sample set, then, under the condition of running a system, the dynamically constructed SQ L sentences are matched with established patterns by utilizing a pre-constructed pattern base, if the matching is successful, the sentences are represented as legal SQ L sentences, and if the matching is failed, the sentences are judged as illegal SQ L sentences.
5. And (3) sequence comparison:
sequence alignment is to analyze the structure of the SQ L statement to determine whether there is an attack behavior, but the method has limited kinds of SQ L injection attacks.
6. Proxy firewall:
the firewall agent detection is a database firewall technology which is positioned between a Web server and a background database server and is used for preventing the attack of a background Mysql database aiming at Web application, the agent firewall monitors an SQ L query request from a client and analyzes the legality of the query request, the method carries out detection from two aspects, firstly analyzes and filters a user input data part, and secondly carries out detailed analysis on an SQ L syntactic structure.
7. Context sensitive string evaluation:
a detection method based on context-sensitive character string evaluation is based on the principle reason that SQ L injection causes attacks, an attack source is defined as user data input, the user data input is divided into a character string type and a numerical value type, if the character string type is adopted, whether unsafe characters or character strings are contained in the character string or not is detected, and the SQ L injection attacks are proved to be possible once abnormity is detected.
In summary, most of the existing SQ L injection detection methods have some defects, such as too high false alarm rate and missing alarm rate, inability to dynamically detect attacks in real time, and difficulty in complete detection and low detection efficiency for some complicated attack forms.
Disclosure of Invention
The invention aims to solve the technical problem of providing a SQ L injection detection method based on user behavior credible analysis, realizing the real-time detection of SQ L injection attack, enhancing the safety and reducing the false alarm rate and the false alarm rate.
The technical scheme adopted by the invention for solving the technical problems is as follows:
a SQ L injection detection method based on user behavior credibility analysis comprises the following steps:
a. collecting user behavior sample data when a user normally accesses and SQ L injects attacks;
b. counting the user behavior sample data to generate a feature set for identifying user behavior, and screening the feature data in the feature set to obtain a screened feature set;
c. training based on the screened feature set to obtain a behavior detection model;
d. and acquiring and processing real-time data of the user to be used as input of a behavior detection model, and judging whether the current behavior of the user is credible by using the behavior detection model.
As a further optimization, in step a, data such as a call log, a user access log and a weblog of the Web application are collected to collect a user behavior sample data set when the user normally accesses and when the SQ L injects an attack.
As a further optimization, step b specifically includes:
b1. counting the sample data of each user behavior by using a client ip as a unique identifier to generate a characteristic data set S for identifying the user behavior;
b2. and extracting the features in the feature data set S by using a Relief algorithm, filtering out irrelevant, redundant and non-difference characterization capability features, and obtaining an optimal feature set T as a screened feature set.
As a further optimization, in step b1, the statistics specifically include information contents such as a request type, UR L length, UR L access frequency, a parameter type, a parameter length, a parameter number, whether a parameter includes an SQ L keyword, time consumed by response time, whether a server processing is abnormal, and the like.
And c, as a further optimization, training based on the screened feature set to obtain a behavior detection model, specifically comprising the steps of training a classifier by using a K-means model, taking a feature vector matrix in the feature set T as input, dividing training data by using a K-means algorithm, and finally obtaining K divided clusters and cluster centers to obtain the detection model capable of distinguishing normal behaviors of the user from SQ L injection attack behaviors.
As a further optimization, step d specifically includes:
d1. collecting user real-time data;
d2. extracting the characteristics of the collected real-time user data, and processing the real-time user data into characteristic vectors capable of representing real-time user behaviors;
d3. inputting the feature vector of the real-time behavior of the user into the trained detection model;
d4. calculating to obtain a cluster distance from a feature vector of the real-time behavior of the user to a user behavior model through a detection model, and dividing the behavior into clusters with the closest distance, thereby judging whether the current behavior is a common user behavior or an SQ L injection attack;
d5. if the user behavior is normal, judging that the user behavior is credible; otherwise, the user behavior is judged to be not credible.
The invention has the beneficial effects that:
the method comprises the steps of carrying out sample collection on common user behaviors and SQ L injection attack behaviors, carrying out statistics on user behavior feature data according to differences of the common user behaviors and the SQ L injection attack behaviors, selecting features capable of identifying the user behaviors by using a Relief algorithm, then training a classifier by using a k-means model, effectively distinguishing the use behaviors of legal users and the use behaviors of attackers to obtain a behavior detection model, inputting the feature vectors of the real-time user behaviors into the trained model, calculating the cluster distance between the feature vectors of the real-time user behaviors and the user behavior model, and dividing the behaviors to the closest cluster to judge whether the current behaviors are credible.
Drawings
Fig. 1 is a flowchart of an SQ L injection detection method based on user behavior credibility analysis according to the present invention.
Detailed Description
Generally, the behavior habit of the user is kept relatively stable when the user uses the Web application, just like the daily habit of a person. When a user uses a Web application, the user often uses a fixed IP at a fixed location, uses a fixed tool, operates at a fixed frequency and with a relatively stable operation, and the information content of the operation is relatively fixed, which are the behavior habits of the user when using the Web application, and once the behavior of the user changes or frequently changes. We can suspect whether this user is a legitimate user.
We find through research that an attacker needs to go through three stages of searching for an injection point, confirming the injection point and acquiring database data to perform destruction operations when SQ L injects an attack, the attacker needs to continuously send a request to a Web application program, tamper the request data and try to improve user rights in the three stages, the behavior actions of the attackers are also traceable when the attackers attack, and the behavior of the attackers is roughly summarized into four categories:
(1) when an attacker carries out SQ L injection attack, the attacker can tamper with the parameter content in the request UR L or the Form, usually a code fragment with SQ L syntax and semantics or some special character strings are inserted into the request parameter and the Form, such as SQ L keywords and functions of select, union, from, exists and the like, and due to the generation of the character strings, the finally dynamically spliced SQ L statement can have the following execution conditions that the execution can still be normally carried out, the construction of the Web application program SQ L is wrong, the execution of the SQ L command by the database is wrong, and the execution response result of the SQ L command is delayed and returned.
(2) When an attacker makes an SQ L injection attack, the attacker usually sends a large number of probe requests to the Web application in a very short time to search for SQ L injection vulnerabilities, meanwhile, the number of network requests sent to the Web application server in a period of time is higher than that sent by normal users, and through research, the UR L frequency of requests sent by the Web application to the same IP, port and certain browsing content of the same user is changed when the attack is received.
(3) When an attacker carries out SQ L injection attack, the UR L content of a GET request of a normal browsing function also changes remarkably, for example, the length, the number and the content of parameters of the request UR L all change correspondingly, and meanwhile, after the Web application dynamically splices an SQ L statement, the syntax and semantic structure of an SQ L command transmitted to a database for execution also change.
(4) During the process, the data content in the database accessed by the attacker, the accessed data position and normal users also have obvious differences, meanwhile, the attacker tries to carry out illegal operation in order to improve the user authority and change the user authority, and the behavior track of the attacker carrying out SQ L injection has some obvious characteristics.
By analyzing the behavior of the attacker using the Web application program, the method helps to find out whether the Web application program is attacked or not in advance, can prevent the attacker from accessing the Web application program as soon as possible, and reduces the loss caused by users and enterprises.
Based on the above, the present invention provides a SQ L injection detection method based on user behavior credibility analysis, which realizes real-time detection of SQ L injection attack, enhances security, and reduces false alarm and false negative rate, as shown in fig. 1, the method specifically includes:
1. collect SQ L samples at time of injection attack and samples normally visited:
in this step, data such as a call log of the Web application, a user access log, and a weblog are collected as an original data set.
2. Selecting characteristics:
a) the data statistics is carried out on each sample of the sample set by using the client ip as a unique identifier, the request type, the UR L length, the UR L access frequency, the parameter type, the parameter length, the parameter number, whether the parameter contains an SQ L keyword or not, the response time is time-consuming, the server processes information contents such as whether an abnormality occurs or not, and feature set data S for identifying user behaviors is generated { S1, S2, S3 … sn }.
b) And selecting the features by using a Relief algorithm, and removing the features which are irrelevant, redundant and have no difference depicting ability to obtain an optimal feature set D.
The basic contents of the Relief algorithm are as follows: randomly selecting a sample R from the training set D, then searching a nearest neighbor sample H from samples in the same class as R, and searching a nearest neighbor sample M from samples in different classes from R. Repeating the above processes m times to obtain the weight of each feature. Features whose weight is less than a certain threshold will be removed and those that are greater than it will remain, eventually constituting a new subset of features.
Implementation of the Relief algorithm:
inputting: a sample set S, sampling times m and a characteristic weight threshold value R;
and (3) outputting: t is the output characteristic set;
p is a characteristic number, m is an iteration number, and n is a sample number;
dividing S into S1+Positive example and S1-1 ═ negative example }
Weight W ═ (0,0, …,0)
When the sampling times are less than the preset sampling times, the following operations are carried out:
(1) randomly selecting a sample X ∈ S;
(2) random selectionA positive case Z of a nearest neighbor to X+∈S+;
(3) Randomly selecting a negative Z of the nearest neighbors of distance X-∈S-;
(4) Near-hit ═ Z if X is a positive case+;Near-miss=Z-Otherwise, Near-hit ═
Z-;Near-miss=Z+;
(5) Calculating the value of the characteristic weight value Wi:
Wi=Wi-diff(xi,near-hiti)2+diff(xi,near-missi)2
(6) and sequencing the finally obtained Wi according to the size, and removing the features with the lowest weight to obtain a feature set T.
3. Feature training, generating a behavior detection model:
in the step, a K-means model is used for training a classifier, a feature vector matrix in a feature set T is used as input, a K-means algorithm is used for processing a training set, training data are divided, and finally K divided clusters and clustering centers are obtained to obtain a behavior detection model.
The K-means algorithm implementation process comprises the following steps:
the input is a sample set D ═ x1,x2,…xmH, clustering cluster tree k and maximum iteration number N;
the output is the cluster division C ═ C1,C2,…Ck};
Step 1: randomly select k samples from the data set D as the initial k centroid vectors: { u1,u2,…uk};
Step 2: n for N1, 2, · N;
a) initializing cluster partitioning C to
b) For i 1,2.. m, sample x is calculatediAnd each centroid vector uj(j — distance of 1,2, … k:
x is to beiMinimum mark is dijCorresponding class λi. At this time, update Cλi=Cλi∪{xi};
c) For j 1,2, k, pair CjRecalculate new centroid for all sample points in the image
d) If all k centroid vectors have not changed, go to step 3;
and step 3: output cluster partitioning C ═ C1,C2,…Ck}。
4. And (3) behavior detection:
inputting the characteristic vector of the real-time user behavior into a trained model, calculating to obtain a cluster distance from the characteristic vector of the real-time user behavior to a user behavior model, and dividing the behavior into clusters with the closest distance, thereby judging whether the current behavior is a common user behavior or SQ L injection attack, wherein the user behavior is credible if the current behavior is the common user behavior, and the user behavior is not credible if the current behavior is the common user behavior.
Claims (6)
1. A SQ L injection detection method based on user behavior credibility analysis is characterized by comprising the following steps:
a. collecting user behavior sample data when a user normally accesses and SQ L injects attacks;
b. counting the user behavior sample data to generate a feature set for identifying user behavior, and screening the feature data in the feature set to obtain a screened feature set;
c. training based on the screened feature set to obtain a behavior detection model;
d. and acquiring and processing real-time data of the user to be used as input of a behavior detection model, and judging whether the current behavior of the user is credible by using the behavior detection model.
2. The SQ L injection detection method based on the credible analysis of user behaviors as claimed in claim 1,
in the step a, a user behavior sample data set during normal access of a user and during injection of SQ L attacks is collected by collecting data such as a call log, a user access log, a network log and the like of a Web application.
3. The SQ L injection detection method based on the credible analysis of user behaviors as claimed in claim 1,
the step b specifically comprises the following steps:
b1. counting the sample data of each user behavior by using a client ip as a unique identifier to generate a characteristic data set S for identifying the user behavior;
b2. and extracting the features in the feature data set S by using a Relief algorithm, filtering out irrelevant, redundant and non-difference characterization capability features, and obtaining an optimal feature set T as a screened feature set.
4. The SQ L injection detection method based on user behavior credibility analysis as recited in claim 3,
in step b1, the statistics specifically includes information contents such as request type, UR L length, UR L access frequency, parameter type, parameter length, parameter number, whether the parameter includes an SQ L keyword, time consumed by response time, whether the server processes an abnormality, and the like.
5. The SQ L injection detection method based on the credible analysis of user behaviors as claimed in claim 1,
and c, training based on the screened feature set to obtain a behavior detection model, specifically comprising the steps of training a classifier by using a K-means model, taking a feature vector matrix in the feature set T as input, dividing training data by using a K-means algorithm, and finally obtaining K divided clusters and cluster centers to obtain the detection model capable of distinguishing normal behaviors of the user from SQ L injection attack behaviors.
6. The SQ L injection detection method based on the credible analysis of user behaviors as claimed in any one of claims 1-5,
the method is characterized in that the step d specifically comprises the following steps:
d1. collecting user real-time data;
d2. extracting the characteristics of the collected real-time user data, and processing the real-time user data into characteristic vectors capable of representing real-time user behaviors;
d3. inputting the feature vector of the real-time behavior of the user into the trained detection model;
d4. calculating to obtain a cluster distance from a feature vector of the real-time behavior of the user to a user behavior model through a detection model, and dividing the behavior into clusters with the closest distance, thereby judging whether the current behavior is a common user behavior or an SQ L injection attack;
d5. if the user behavior is normal, judging that the user behavior is credible; otherwise, the user behavior is judged to be not credible.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010475089.2A CN111488590A (en) | 2020-05-29 | 2020-05-29 | SQ L injection detection method based on user behavior credibility analysis |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010475089.2A CN111488590A (en) | 2020-05-29 | 2020-05-29 | SQ L injection detection method based on user behavior credibility analysis |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN111488590A true CN111488590A (en) | 2020-08-04 |
Family
ID=71813452
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202010475089.2A Pending CN111488590A (en) | 2020-05-29 | 2020-05-29 | SQ L injection detection method based on user behavior credibility analysis |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN111488590A (en) |
Cited By (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN112052453A (en) * | 2020-09-04 | 2020-12-08 | 四川长虹电器股份有限公司 | Webshell detection method and device based on Relief algorithm |
| CN112100617A (en) * | 2020-09-15 | 2020-12-18 | 全球能源互联网研究院有限公司 | Abnormal SQL detection method and device |
| CN112507336A (en) * | 2020-12-15 | 2021-03-16 | 四川长虹电器股份有限公司 | Server-side malicious program detection method based on code characteristics and flow behaviors |
| CN114124449A (en) * | 2021-10-14 | 2022-03-01 | 北京墨云科技有限公司 | SQL injection attack identification method based on machine learning |
| CN114244558A (en) * | 2021-11-09 | 2022-03-25 | 上海浦东发展银行股份有限公司 | Injection attack detection method and device, computer equipment and readable storage medium |
| CN114462589A (en) * | 2021-09-28 | 2022-05-10 | 北京卫达信息技术有限公司 | Normal behavior neural network model training method, system, device and storage medium |
| CN114640499A (en) * | 2022-02-11 | 2022-06-17 | 深圳昂楷科技有限公司 | Method and device for carrying out abnormity identification on user behavior |
| CN118018325A (en) * | 2024-04-08 | 2024-05-10 | 山东捷瑞信息技术产业研究院有限公司 | DDoS attack prevention method and system based on artificial intelligence |
Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20160337400A1 (en) * | 2015-05-15 | 2016-11-17 | Virsec Systems, Inc. | Detection of sql injection attacks |
| CN108549814A (en) * | 2018-03-24 | 2018-09-18 | 西安电子科技大学 | A kind of SQL injection detection method based on machine learning, database security system |
| CN108875366A (en) * | 2018-05-23 | 2018-11-23 | 四川大学 | A kind of SQL injection behavioral value system towards PHP program |
| CN109598124A (en) * | 2018-12-11 | 2019-04-09 | 厦门服云信息科技有限公司 | A kind of webshell detection method and device |
| CN110581850A (en) * | 2019-09-09 | 2019-12-17 | 河南戎磐网络科技有限公司 | Gene detection method based on network flow |
| CN111049819A (en) * | 2019-12-07 | 2020-04-21 | 上海镕天信息科技有限公司 | Threat information discovery method based on threat modeling and computer equipment |
| CN111107096A (en) * | 2019-12-27 | 2020-05-05 | 杭州迪普科技股份有限公司 | Web site safety protection method and device |
-
2020
- 2020-05-29 CN CN202010475089.2A patent/CN111488590A/en active Pending
Patent Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20160337400A1 (en) * | 2015-05-15 | 2016-11-17 | Virsec Systems, Inc. | Detection of sql injection attacks |
| CN108549814A (en) * | 2018-03-24 | 2018-09-18 | 西安电子科技大学 | A kind of SQL injection detection method based on machine learning, database security system |
| CN108875366A (en) * | 2018-05-23 | 2018-11-23 | 四川大学 | A kind of SQL injection behavioral value system towards PHP program |
| CN109598124A (en) * | 2018-12-11 | 2019-04-09 | 厦门服云信息科技有限公司 | A kind of webshell detection method and device |
| CN110581850A (en) * | 2019-09-09 | 2019-12-17 | 河南戎磐网络科技有限公司 | Gene detection method based on network flow |
| CN111049819A (en) * | 2019-12-07 | 2020-04-21 | 上海镕天信息科技有限公司 | Threat information discovery method based on threat modeling and computer equipment |
| CN111107096A (en) * | 2019-12-27 | 2020-05-05 | 杭州迪普科技股份有限公司 | Web site safety protection method and device |
Non-Patent Citations (2)
| Title |
|---|
| 张博: "SQL注入攻击与检测技术研究", 《信息安全与通信保密》 * |
| 黄春虎等: "基于Re-FCBF的入侵特征选择算法研究", 《激光杂志》 * |
Cited By (12)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN112052453A (en) * | 2020-09-04 | 2020-12-08 | 四川长虹电器股份有限公司 | Webshell detection method and device based on Relief algorithm |
| CN112100617A (en) * | 2020-09-15 | 2020-12-18 | 全球能源互联网研究院有限公司 | Abnormal SQL detection method and device |
| CN112100617B (en) * | 2020-09-15 | 2023-11-24 | 全球能源互联网研究院有限公司 | Abnormal SQL detection method and device |
| CN112507336A (en) * | 2020-12-15 | 2021-03-16 | 四川长虹电器股份有限公司 | Server-side malicious program detection method based on code characteristics and flow behaviors |
| CN114462589A (en) * | 2021-09-28 | 2022-05-10 | 北京卫达信息技术有限公司 | Normal behavior neural network model training method, system, device and storage medium |
| CN114462589B (en) * | 2021-09-28 | 2022-11-04 | 北京卫达信息技术有限公司 | Normal behavior neural network model training method, system, device and storage medium |
| CN114124449A (en) * | 2021-10-14 | 2022-03-01 | 北京墨云科技有限公司 | SQL injection attack identification method based on machine learning |
| CN114244558A (en) * | 2021-11-09 | 2022-03-25 | 上海浦东发展银行股份有限公司 | Injection attack detection method and device, computer equipment and readable storage medium |
| CN114244558B (en) * | 2021-11-09 | 2023-10-27 | 上海浦东发展银行股份有限公司 | Injection attack detection method, injection attack detection device, computer equipment and readable storage medium |
| CN114640499A (en) * | 2022-02-11 | 2022-06-17 | 深圳昂楷科技有限公司 | Method and device for carrying out abnormity identification on user behavior |
| CN118018325A (en) * | 2024-04-08 | 2024-05-10 | 山东捷瑞信息技术产业研究院有限公司 | DDoS attack prevention method and system based on artificial intelligence |
| CN118018325B (en) * | 2024-04-08 | 2024-07-09 | 山东捷瑞信息技术产业研究院有限公司 | DDoS attack prevention method and system based on artificial intelligence |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN111488590A (en) | SQ L injection detection method based on user behavior credibility analysis | |
| CN110233849B (en) | Method and system for analyzing network security situation | |
| CN107241352B (en) | Network security event classification and prediction method and system | |
| CN106961419B (en) | WebShell detection method, device and system | |
| CN114077741B (en) | Software supply chain safety detection method and device, electronic equipment and storage medium | |
| CN105184159A (en) | Web page falsification identification method and apparatus | |
| CN103281177A (en) | Method and system for detecting hostile attack on Internet information system | |
| CN112199677A (en) | Data processing method and device | |
| KR102362516B1 (en) | Apparatus for processing cyber threat information, method for processing cyber threat information, and medium for storing a program processing cyber threat information | |
| CN111611590B (en) | Method and device for data security related to application program | |
| CN113704328B (en) | User behavior big data mining method and system based on artificial intelligence | |
| CN113190839A (en) | Web attack protection method and system based on SQL injection | |
| Zhang et al. | A php and jsp web shell detection system with text processing based on machine learning | |
| US20240054210A1 (en) | Cyber threat information processing apparatus, cyber threat information processing method, and storage medium storing cyber threat information processing program | |
| CN113297580A (en) | Code semantic analysis-based electric power information system safety protection method and device | |
| CN112817877B (en) | Abnormal script detection method and device, computer equipment and storage medium | |
| CN113946823A (en) | SQL injection detection method and device based on URL baseline deviation analysis | |
| CN118138361A (en) | Security policy making method and system based on autonomously evolutionary agent | |
| US20230252146A1 (en) | Cyber threat information processing apparatus, cyber threat information processing method, and storage medium storing cyber threat information processing program | |
| US20230252144A1 (en) | Cyber threat information processing apparatus, cyber threat information processing method, and storage medium storing cyber threat information processing program | |
| WO2010149986A2 (en) | A method, a computer program and apparatus for analysing symbols in a computer | |
| US20230048076A1 (en) | Cyber threat information processing apparatus, cyber threat information processing method, and storage medium storing cyber threat information processing program | |
| KR102411383B1 (en) | Apparatus for processing cyber threat information, method for processing cyber threat information, and medium for storing a program processing cyber threat information | |
| CN111475812B (en) | Webpage backdoor detection method and system based on data executable characteristics | |
| CN115051833B (en) | Intercommunication network anomaly detection method based on terminal process |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| TA01 | Transfer of patent application right |
Effective date of registration: 20221104 Address after: Floor 29, Building 1, No. 199, Tianfu 4th Street, Chengdu Hi tech Zone, China (Sichuan) Pilot Free Trade Zone, Chengdu 610000, Sichuan Applicant after: Homwee Technology Co.,Ltd. Address before: 518057 unit 01, 23rd floor, Changhong science and technology building, Keji South 12 road, high tech Zone, Yuehai street, Nanshan District, Shenzhen, Guangdong Applicant before: SHENZHEN YIJIAEN TECHNOLOGY Co.,Ltd. |
|
| TA01 | Transfer of patent application right | ||
| RJ01 | Rejection of invention patent application after publication |
Application publication date: 20200804 |
|
| RJ01 | Rejection of invention patent application after publication |