CN112069498B - SQL injection detection model construction method and detection method - Google Patents


Publication number
CN112069498B
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202010997062.XA
Inventor
李武军
周庆博
解银朋
周嵩
何金栋
谢新志
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nanjing University
State Grid Corp of China SGCC
Global Energy Interconnection Research Institute
Electric Power Research Institute of State Grid Fujian Electric Power Co Ltd
Original Assignee
Nanjing University
State Grid Corp of China SGCC
Global Energy Interconnection Research Institute
Electric Power Research Institute of State Grid Fujian Electric Power Co Ltd

Abstract

The application provides a method for constructing an SQL injection detection model and a detection method. The method for constructing the SQL injection detection model comprises the following steps: acquiring a plurality of labeled SQL training samples; obtaining a labeled feature vector for each labeled SQL training sample; training an SQL injection detection model; acquiring a plurality of unlabeled SQL training samples; inputting the unlabeled feature vector set into the trained SQL injection detection model; and, when the confidence corresponding to at least one unlabeled feature vector is determined to belong to a confidence interval, extracting a preset number of unlabeled feature vectors as new labeled feature vectors and training the SQL injection detection model. An SQL injection detection model capable of accurately detecting SQL injection statements in a network environment is thereby obtained while labeled SQL training sample resources are saved.

Description

SQL injection detection model construction method and detection method
Technical Field
The application relates to the technical field of network security, in particular to a method for constructing an SQL injection detection model and a detection method.
Background
Structured Query Language (SQL) injection is currently one of the most common means of attacking Web applications. It usually replaces part of a normal SQL statement with malicious SQL to construct a malicious SQL statement, so that the attacker acquires database privileges by executing malicious code and carries out a network attack.
In the prior art, a detection method based on regular expression matching is generally used: the set of SQL statements that normally access the system database is modeled to construct a regular expression pattern library. Each SQL statement that is about to access the database is matched against the patterns in the library; if the match succeeds, the statement is considered a normal statement, and if the match fails, it is considered an injection statement.
However, a regular expression pattern library must be established before SQL injection detection based on regular expression matching can be performed, and the established library has certain limitations, so its detection precision is relatively low. An SQL injection detection model with higher detection precision is therefore urgently needed, and such a model is of great significance for improving network security.
Disclosure of Invention
The application provides a method for constructing an SQL injection detection model and a detection method, which are used to remedy defects of prior-art SQL injection detection methods such as low detection precision.
The first aspect of the application provides a method for constructing an SQL injection detection model, which comprises the following steps:
acquiring a plurality of labeled SQL training samples, the labels comprising an injection statement label and a normal statement label;
constructing an SQL injection detection model based on a neural network according to a preset detection requirement;
extracting features of the plurality of labeled SQL training samples to obtain a labeled feature vector corresponding to each labeled SQL training sample;
training the SQL injection detection model according to the labeled feature vectors and the labels corresponding to the labeled feature vectors to obtain a trained SQL injection detection model;
acquiring a plurality of unlabeled SQL training samples;
extracting features of the plurality of unlabeled SQL training samples to obtain a corresponding unlabeled feature vector set;
inputting the unlabeled feature vector set into the trained SQL injection detection model to obtain a label and a confidence corresponding to each unlabeled SQL training sample;
judging, according to a preset confidence interval, whether the confidence corresponding to each unlabeled feature vector belongs to the confidence interval;
when the confidence corresponding to at least one unlabeled feature vector is determined to belong to the confidence interval, extracting a preset number of unlabeled feature vectors according to the ascending-confidence ordering of the at least one unlabeled feature vector, and setting the labels for the extracted unlabeled feature vectors; adding the unlabeled feature vectors that now carry labels to the original labeled feature vectors to serve as new labeled feature vectors, and returning to the step of training the SQL injection detection model according to the labeled feature vectors and the labels corresponding to the labeled feature vectors to obtain a trained SQL injection detection model;
and when it is determined that the confidence corresponding to each unlabeled feature vector does not belong to the confidence interval, determining the trained SQL injection detection model as the target SQL injection detection model.
Optionally, before feature extraction is performed on the plurality of labeled SQL training samples and/or on the plurality of unlabeled SQL training samples, the method further includes:
performing grammar analysis on the plurality of labeled SQL training samples and/or the plurality of unlabeled SQL training samples with a preset SQL grammar analysis algorithm to obtain a labeled training grammar tree corresponding to each labeled SQL training sample and/or an unlabeled training grammar tree corresponding to each unlabeled SQL training sample;
determining the redundant data in each grammar tree according to the tree structure of each labeled training grammar tree and/or each unlabeled training grammar tree and the data information in each of its leaf nodes, and eliminating the redundant data to obtain a plurality of preprocessed labeled training grammar trees and/or a plurality of preprocessed unlabeled training grammar trees.
Optionally, the feature extraction of the plurality of labeled SQL training samples and/or of the plurality of unlabeled SQL training samples includes:
converting each preprocessed labeled training grammar tree and/or each preprocessed unlabeled training grammar tree into a corresponding SQL mode to obtain a labeled training SQL mode and/or an unlabeled training SQL mode;
and performing feature extraction on the labeled training SQL mode and/or the unlabeled training SQL mode based on a preset bag-of-words model.
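The construction loop of the first aspect together with the optional preprocessing, as an added example that is not code from the patent. Assumptions: a regex lexer stands in for the grammar-tree parse, a single sigmoid unit stands in for the neural network, the confidence interval (0.6 to 1.0) and the preset number (2) are chosen for illustration, and all function names and sample statements are constructed here.

```python
import math
import re

# Assumption: this regex lexer stands in for the grammar-tree parse; literal
# values (the redundant leaf data) are replaced by placeholders.
TOKEN_RE = re.compile(r"'[^']*'|\d+|--|[A-Za-z_]\w*|[^\sA-Za-z0-9_]")

def sql_mode(statement):
    """Normalize a statement to its token pattern (the page's "SQL mode")."""
    mode = []
    for tok in TOKEN_RE.findall(statement):
        if tok.startswith("'"):
            mode.append("STR")
        elif tok.isdigit():
            mode.append("NUM")
        else:
            mode.append(tok.lower())
    return mode

def vectorize(mode, vocab):
    """Bag-of-words count vector; tokens outside the vocabulary are ignored."""
    vec = [0.0] * len(vocab)
    for tok in mode:
        if tok in vocab:
            vec[vocab[tok]] += 1.0
    return vec

def _prob(model, x):
    w, b = model
    z = b + sum(wi * xi for wi, xi in zip(w, x))
    return 1.0 / (1.0 + math.exp(-max(-60.0, min(60.0, z))))

def train(X, y, epochs=600, lr=0.1):
    """Fit a single sigmoid unit by SGD (minimal stand-in for the network)."""
    model = ([0.0] * len(X[0]), 0.0)
    for _ in range(epochs):
        for x, target in zip(X, y):
            err = target - _prob(model, x)
            w, b = model
            model = ([wi + lr * err * xi for wi, xi in zip(w, x)], b + lr * err)
    return model

def predict(model, x):
    """Return (label, confidence); label 1 = injection, 0 = normal."""
    p = _prob(model, x)
    return (1, p) if p >= 0.5 else (0, 1.0 - p)

def build_model(labeled, unlabeled, interval=(0.6, 1.0), batch=2):
    """Self-training loop of the first aspect; interval and batch are assumed."""
    vocab = {}
    for stmt in [s for s, _ in labeled] + list(unlabeled):
        for tok in sql_mode(stmt):
            vocab.setdefault(tok, len(vocab))
    X = [vectorize(sql_mode(s), vocab) for s, _ in labeled]
    y = [label for _, label in labeled]
    pool = [vectorize(sql_mode(s), vocab) for s in unlabeled]
    lo, hi = interval
    rounds = 0
    while True:
        model = train(X, y)
        scored = [(predict(model, x), i) for i, x in enumerate(pool)]
        # Keep vectors whose confidence is inside the interval, lowest first.
        hits = sorted((conf, i, label) for (label, conf), i in scored
                      if lo <= conf <= hi)
        if not hits:
            # No confidence falls in the interval: this is the target model.
            return model, vocab, rounds, len(X), pool
        taken = set()
        for conf, i, label in hits[:batch]:
            X.append(pool[i])      # pseudo-labeled vector joins the labeled set
            y.append(label)        # label comes from the model's own prediction
            taken.add(i)
        pool = [x for i, x in enumerate(pool) if i not in taken]
        rounds += 1

def detect(statement, model, vocab):
    """Second aspect: classify one statement with the target model."""
    label, conf = predict(model, vectorize(sql_mode(statement), vocab))
    return ("injection" if label else "normal"), conf

# Constructed sample data (1 = injection statement, 0 = normal statement).
LABELED = [
    ("SELECT name FROM users WHERE id = 7", 0),
    ("SELECT * FROM orders WHERE status = 'paid' AND user_id = 12", 0),
    ("SELECT name FROM users WHERE id = 7 OR 1 = 1", 1),
    ("SELECT * FROM orders WHERE user_id = 12 UNION SELECT login, pass FROM admins", 1),
]
UNLABELED = [
    "SELECT email FROM users WHERE id = 42",
    "SELECT * FROM orders WHERE status = 'open' AND user_id = 5",
    "SELECT email FROM users WHERE id = 42 OR 2 = 2",
    "SELECT name FROM users WHERE id = 3 UNION SELECT login, pass FROM admins",
]

if __name__ == "__main__":
    model, vocab, rounds, n_labeled, pool = build_model(LABELED, UNLABELED)
    print(f"rounds={rounds} labeled={n_labeled} left_unlabeled={len(pool)}")
    for stmt in ("SELECT name FROM users WHERE id = 99",
                 "SELECT name FROM users WHERE id = 99 OR 1 = 1"):
        print(detect(stmt, model, vocab), stmt)
```

Because each round takes its labels from the model's own predictions, a wrong prediction is retrained into the model; spot-checking the extracted vectors before they join the labeled set limits that drift.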
The second aspect of the present application provides an SQL injection detection method, comprising:
acquiring an SQL statement to be detected;
extracting features of the SQL statement to be detected to obtain a feature vector corresponding to the SQL statement to be detected;
inputting the feature vector into a target SQL injection detection model constructed by the SQL injection detection model construction method according to the first aspect and any optional implementation manner of the first aspect, so as to generate a corresponding detection result.
Optionally, the method further comprises:
judging, according to the detection result, whether the SQL statement to be detected is an injection statement;
and when the SQL statement to be detected is determined to be an injection statement, generating injection alarm information.
Optionally, the method further comprises: when the SQL statement to be detected is determined to be a normal statement, returning to the step of acquiring the SQL statement to be detected.
The third aspect of the present application provides an apparatus for constructing an SQL injection detection model, comprising:
the first acquisition module, used for acquiring a plurality of labeled SQL training samples, the labels comprising an injection statement label and a normal statement label;
the construction module, used for constructing an SQL injection detection model based on a neural network according to a preset detection requirement;
the first feature extraction module, used for extracting features of the plurality of labeled SQL training samples to obtain a labeled feature vector corresponding to each labeled SQL training sample;
the training module, used for training the SQL injection detection model according to the labeled feature vectors and the labels corresponding to the labeled feature vectors to obtain a trained SQL injection detection model;
the second acquisition module, used for acquiring a plurality of unlabeled SQL training samples;
the second feature extraction module, used for extracting features of the plurality of unlabeled SQL training samples to obtain a corresponding unlabeled feature vector set;
the learning module, used for inputting the unlabeled feature vector set into the trained SQL injection detection model to obtain a label and a confidence corresponding to each unlabeled SQL training sample;
the judging module, used for judging, according to a preset confidence interval, whether the confidence corresponding to each unlabeled feature vector belongs to the confidence interval;
the first determining module, used for, when the confidence corresponding to at least one unlabeled feature vector is determined to belong to the confidence interval, extracting a preset number of unlabeled feature vectors according to the ascending-confidence ordering of the at least one unlabeled feature vector, and setting the labels for the extracted unlabeled feature vectors; adding the unlabeled feature vectors that now carry labels to the original labeled feature vectors to serve as new labeled feature vectors, and returning to the step of training the SQL injection detection model according to the labeled feature vectors and the labels corresponding to the labeled feature vectors to obtain a trained SQL injection detection model;
and the second determining module, used for determining the trained SQL injection detection model as the target SQL injection detection model when it is determined that the confidence corresponding to each unlabeled feature vector does not belong to the confidence interval.
Optionally, the apparatus further includes:
the preprocessing module, used for performing grammar analysis on the plurality of labeled SQL training samples and/or the plurality of unlabeled SQL training samples with a preset SQL grammar analysis algorithm to obtain a labeled training grammar tree corresponding to each labeled SQL training sample and/or an unlabeled training grammar tree corresponding to each unlabeled SQL training sample;
and for determining the redundant data in each grammar tree according to the tree structure of each labeled training grammar tree and/or each unlabeled training grammar tree and the data information in each of its leaf nodes, and eliminating the redundant data to obtain a plurality of preprocessed labeled training grammar trees and/or a plurality of preprocessed unlabeled training grammar trees.
Optionally, the first feature extraction module and/or the second feature extraction module are specifically configured to:
convert each preprocessed labeled training grammar tree and/or each preprocessed unlabeled training grammar tree into a corresponding SQL mode to obtain a labeled training SQL mode and/or an unlabeled training SQL mode;
and perform feature extraction on the labeled training SQL mode and/or the unlabeled training SQL mode based on a preset bag-of-words model.
A fourth aspect of the present application provides an SQL injection detection apparatus, comprising:
the acquisition module, used for acquiring an SQL statement to be detected;
the third feature extraction module, used for extracting features of the SQL statement to be detected to obtain a feature vector corresponding to the SQL statement to be detected;
and the detection module, used for inputting the feature vector into the target SQL injection detection model constructed by the SQL injection detection model construction apparatus according to the third aspect and any optional implementation manner of the third aspect, so as to generate a corresponding detection result.
Optionally, the detection module is further configured to: judge, according to the detection result, whether the SQL statement to be detected is an injection statement;
and when the SQL statement to be detected is determined to be an injection statement, generate injection alarm information.
Optionally, the detection module is further configured to: when the SQL statement to be detected is determined to be a normal statement, return to the step of acquiring the SQL statement to be detected.
A fifth aspect of the present application provides an electronic device, comprising: at least one processor and memory;
the memory stores computer-executable instructions;
the at least one processor executes computer-executable instructions stored in the memory to cause the at least one processor to perform the method of the first aspect and any optional implementation of the first aspect, or to perform the method of the second aspect and any optional implementation of the second aspect.
A sixth aspect of the application provides a computer-readable storage medium having stored therein computer-executable instructions which, when executed by a processor, perform the method of the first aspect and any optional implementation of the first aspect, or perform the method of the second aspect and any optional implementation of the second aspect.
The technical scheme of the application has the following advantages:
The method and the device for constructing the SQL injection detection model provided by the application acquire a plurality of labeled SQL training samples, the labels comprising an injection statement label and a normal statement label; construct an SQL injection detection model based on a neural network according to a preset detection requirement; extract features of the plurality of labeled SQL training samples to obtain a labeled feature vector corresponding to each labeled SQL training sample; train the SQL injection detection model according to the labeled feature vectors and the labels corresponding to the labeled feature vectors to obtain a trained SQL injection detection model; acquire a plurality of unlabeled SQL training samples; extract features of the plurality of unlabeled SQL training samples to obtain a corresponding unlabeled feature vector set; input the unlabeled feature vector set into the trained SQL injection detection model to obtain a label and a confidence corresponding to each unlabeled SQL training sample; judge, according to a preset confidence interval, whether the confidence corresponding to each unlabeled feature vector belongs to the confidence interval; when the confidence corresponding to at least one unlabeled feature vector is determined to belong to the confidence interval, extract a preset number of unlabeled feature vectors according to the ascending-confidence ordering of the at least one unlabeled feature vector, and set labels for the extracted unlabeled feature vectors; add the unlabeled feature vectors that now carry labels to the original labeled feature vectors to serve as new labeled feature vectors, and return to the step of training the SQL injection detection model according to the labeled feature vectors and the labels corresponding to the labeled feature vectors to obtain a trained SQL injection detection model; and, when it is determined that the confidence corresponding to each unlabeled feature vector does not belong to the confidence interval, determine the trained SQL injection detection model as the target SQL injection detection model. In the SQL injection detection model construction method provided by this scheme, the constructed SQL injection detection model is trained with a small number of labeled SQL training samples and a large number of unlabeled SQL training samples, so that an SQL injection detection model capable of accurately detecting SQL injection statements in a network environment is obtained while labeled SQL training sample resources are saved, which lays a foundation for improving the accuracy of SQL injection detection results.
The SQL injection detection method and device provided by the application acquire an SQL statement to be detected; extract features of the SQL statement to be detected to obtain a feature vector corresponding to the SQL statement to be detected; and input the feature vector into a pre-constructed SQL injection detection model to generate a corresponding detection result. In the SQL injection detection method provided by this scheme, SQL injection detection is performed with the pre-constructed SQL injection detection model, so that the model can accurately detect the SQL statements to be detected, the accuracy of the detection results is improved, and a foundation is laid for improving the security of the network environment.
Drawings
In order to illustrate the embodiments of the present application or the technical solutions in the prior art more clearly, the drawings required for describing the embodiments or the prior art are briefly introduced below. The drawings in the following description are some embodiments of the present application, and a person having ordinary skill in the art may obtain other drawings from them.
FIG. 1 is a schematic structural diagram of an SQL injection detection model construction system according to an embodiment of the application;
FIG. 2 is a schematic structural diagram of an SQL injection detection system according to an embodiment of the application;
FIG. 3 is a schematic flow chart of a method for constructing an SQL injection detection model according to an embodiment of the application;
FIG. 4 is a flow chart of an exemplary SQL injection detection model construction method according to an embodiment of the application;
FIG. 5 is a flow chart of an SQL injection detection method according to an embodiment of the application;
FIG. 6 is a flow chart of an exemplary SQL injection detection method according to an embodiment of the application;
FIG. 7 is a schematic structural diagram of an SQL injection detection model construction device according to an embodiment of the application;
FIG. 8 is a schematic structural diagram of an SQL injection detection device according to an embodiment of the application;
FIG. 9 is a schematic structural diagram of an electronic device according to an embodiment of the application.
Specific embodiments of the present application have been shown by way of the above drawings and will be described in more detail below. These drawings and the written description are not intended to limit the scope of the disclosed concept in any way, but to illustrate the inventive concept to those skilled in the art by reference to specific embodiments.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present application more apparent, the technical solutions of the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present application, and it is apparent that the described embodiments are some embodiments of the present application, but not all embodiments of the present application. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
Furthermore, the terms "first," "second," and the like, are used for descriptive purposes only and are not to be construed as indicating or implying a relative importance or implicitly indicating the number of technical features indicated. In the following description of the embodiments, the meaning of "a plurality" is two or more, unless explicitly defined otherwise.
In the prior art, a detection method based on regular expression matching is generally used: the set of SQL statements that normally access the system database is modeled to construct a regular expression pattern library. Each SQL statement that is about to access the database is matched against the patterns in the library; if the match succeeds, the statement is considered a normal statement, and if the match fails, it is considered an injection statement. However, a regular expression pattern library must be established before SQL injection detection based on regular expression matching can be performed, and the established library has certain limitations, so its detection precision is relatively low.
To address these problems, the embodiment of the application provides a method for constructing an SQL injection detection model, which comprises: acquiring a plurality of labeled SQL training samples, the labels comprising an injection statement label and a normal statement label; constructing an SQL injection detection model based on a neural network according to a preset detection requirement; extracting features of the plurality of labeled SQL training samples to obtain a labeled feature vector corresponding to each labeled SQL training sample; training the SQL injection detection model according to the labeled feature vectors and the labels corresponding to the labeled feature vectors to obtain a trained SQL injection detection model; acquiring a plurality of unlabeled SQL training samples; extracting features of each unlabeled SQL training sample to obtain a corresponding unlabeled feature vector set; inputting the unlabeled feature vector set into the trained SQL injection detection model to obtain a label and a confidence corresponding to each unlabeled feature vector; judging, according to a preset confidence interval, whether the confidence corresponding to each unlabeled feature vector belongs to the confidence interval; when the confidence corresponding to at least one unlabeled feature vector is determined to belong to the confidence interval, extracting a preset number of unlabeled feature vectors according to the ascending-confidence ordering of the at least one unlabeled feature vector, and setting labels for the extracted unlabeled feature vectors according to the model prediction result; taking the unlabeled feature vectors that now carry labels as new labeled feature vectors, adding them to the original labeled feature vector set, and training the SQL injection detection model according to the new labeled feature vector set to obtain a trained SQL injection detection model; and, when it is determined that the confidence corresponding to each unlabeled feature vector does not belong to the confidence interval, determining the trained SQL injection detection model as the target SQL injection detection model. In the SQL injection detection model construction method provided by this scheme, the constructed SQL injection detection model is trained with a small number of labeled SQL training samples and a large number of unlabeled SQL training samples, so that an SQL injection detection model capable of accurately detecting SQL injection statements in a network environment is obtained while labeled SQL training sample resources are saved, which lays a foundation for improving the accuracy of SQL injection detection results.
Furthermore, the embodiment of the application also provides an SQL injection detection method, which comprises: acquiring an SQL statement to be detected; extracting features of the SQL statement to be detected to obtain a feature vector corresponding to the SQL statement to be detected; and inputting the feature vector into a pre-constructed SQL injection detection model to generate a corresponding detection result. In the SQL injection detection method provided by this scheme, SQL injection detection is performed with the pre-constructed SQL injection detection model, so that the model can accurately detect the SQL statements to be detected, the accuracy of the detection results is improved, and a foundation is laid for improving the security of the network environment.
The following embodiments may be combined with each other, and the same or similar concepts or processes may not be described in detail in some embodiments. Embodiments of the present application will be described below with reference to the accompanying drawings.
First, the structure of the SQL injection detection model construction system and the structure of the SQL injection detection system on which the application is based are described:
The method and the device for constructing the SQL injection detection model provided by the embodiment of the application are suitable for constructing an SQL injection detection model for SQL injection detection. FIG. 1 is a schematic structural diagram of the SQL injection detection model construction system on which the embodiment of the application is based; the system mainly comprises a sample database and an SQL injection detection model construction device for constructing the SQL injection detection model, where the sample database contains labeled SQL training samples and unlabeled SQL training samples. Specifically, the SQL injection detection model construction device trains the model with labeled SQL training samples obtained from the sample database, uses the SQL injection detection model trained on the labeled SQL training samples to detect unlabeled SQL training samples obtained from the sample database, trains the model again for optimization according to the detection result, and finally obtains a target SQL injection detection model with higher accuracy.
The SQL injection detection method and device provided by the embodiment of the application are suitable for constructing an SQL injection detection system that performs injection detection on SQL statements to be detected. FIG. 2 is a schematic structural diagram of the SQL injection detection system on which the embodiment of the application is based. Specifically, while the client sends an SQL statement to the server, the SQL injection detection device can perform injection detection on the SQL statement to judge whether the SQL statement sent by the current client is an injection statement, which prevents the server from being maliciously attacked by an attacker and thereby guarantees network security.
The embodiment of the application provides a method for constructing an SQL injection detection model, which is used for constructing the SQL injection detection model for SQL injection detection. The execution main body of the embodiment of the application is electronic equipment such as a server, a desktop computer, a notebook computer, a tablet computer and other electronic equipment which can be used for constructing an SQL injection detection model.
As shown in fig. 3, a flow chart of a method for constructing an SQL injection detection model according to an embodiment of the present application is shown, where the method includes:
Step 301, a plurality of labeled SQL training samples are obtained.
The labels comprise injection statement labels and normal statement labels.
Step 302, constructing an SQL injection detection model based on a neural network according to a preset detection requirement.
It should be explained that the detection requirements may be determined according to the application environment and the actual SQL injection detection requirements, so that the constructed SQL injection detection model may meet the actual requirements.
Step 303, extracting features of the plurality of labeled SQL training samples to obtain labeled feature vectors corresponding to the labeled SQL training samples.
Specifically, before model training, feature extraction is performed on a plurality of labeled SQL training samples to obtain SQL modes corresponding to the labeled SQL training samples, and further, vectorization processing is performed on the SQL modes corresponding to the labeled SQL training samples to obtain labeled feature vectors corresponding to the labeled SQL training samples.
Step 304, training the SQL injection detection model according to the labeled feature vectors and the labels corresponding to the labeled feature vectors to obtain a trained SQL injection detection model.
Specifically, the labeled feature vectors corresponding to the labeled SQL training samples and the labels corresponding to the labeled SQL training samples are sequentially and correspondingly input into a pre-constructed SQL injection detection model to perform model training on the SQL injection detection model, so that the accuracy of the constructed SQL injection detection model is improved.
Step 305, a plurality of unlabeled SQL training samples are obtained.
It should be explained that, in order to improve the reliability of the constructed SQL injection detection model and save sample resources of the labeled SQL training samples, the number of the obtained unlabeled SQL training samples may be far greater than that of the labeled SQL training samples.
Step 306, extracting features of a preset number of unlabeled SQL training samples to obtain a corresponding unlabeled feature vector set.
Similarly, feature extraction is performed on a preset number of unlabeled SQL training samples respectively to obtain sentence features corresponding to each unlabeled SQL training sample, further, vectorization processing is performed on the sentence features corresponding to each unlabeled SQL training sample to obtain unlabeled feature vectors corresponding to each unlabeled SQL training sample, and a corresponding unlabeled feature vector set is constructed by utilizing each unlabeled feature vector.
Step 307, inputting the unlabeled feature vector set into the trained SQL injection detection model to obtain labels and confidence corresponding to each unlabeled SQL training sample.
It should be explained that the confidence corresponding to each unlabeled SQL training sample may be determined based on a preset estimation function in the SQL injection detection model, and specifically used for estimating the confidence of the detection result (label) output by the current SQL injection detection model.
Step 308, according to the preset confidence interval, it is determined whether the confidence corresponding to each unlabeled SQL training sample belongs to the confidence interval.
It should be explained that the confidence interval is preset according to the actual requirement before the model training. The confidence level output by the current SQL injection detection model specifically reflects the confidence level of the detection result of the current unlabeled SQL training sample.
Step 309, when it is determined that the confidence corresponding to at least one unlabeled feature vector belongs to the confidence interval, extracting a preset number of unlabeled feature vectors according to the ascending order of confidence of the at least one unlabeled feature vector, and setting labels for the extracted unlabeled feature vectors; adding the newly labeled feature vectors to the original labeled feature vectors as new labeled feature vectors, and returning to the step of training the SQL injection detection model according to the labeled feature vectors and the labels corresponding to the labeled feature vectors to obtain a trained SQL injection detection model.
It should be explained that if the confidences corresponding to some unlabeled SQL training samples belong to the preset confidence interval, these unlabeled SQL training samples are shown to be suitable for continued training of the model, and the label output by the model can be taken as the label of the corresponding unlabeled SQL training sample, so that the sample can be used as a new labeled SQL training sample to further train the model.
In the model building method provided by the embodiment of the application, only a small amount of labeled SQL training samples are needed to be obtained before training the model. In the process of further improving the detection precision of the model, the obtained large number of unlabeled SQL training samples can be subjected to SQL injection detection by using the model, so that more labeled SQL training samples are obtained, and the model training cost is saved.
Step 310, when it is determined that the confidence corresponding to each unlabeled SQL training sample does not belong to the confidence interval, determining that the trained SQL injection detection model is the target SQL injection detection model.
Specifically, when the confidence corresponding to each unlabeled SQL training sample does not belong to the confidence interval, it may be determined that the unlabeled SQL training samples are unsuitable as new labeled SQL training samples.
For example, when the preset confidence interval is [ρ_min, ρ_max] and the preset number is k, the unlabeled SQL training samples are sorted in ascending order of confidence, the k samples with the lowest confidence within the interval [ρ_min, ρ_max] are extracted, and a corresponding unlabeled SQL training sample set is constructed. When the number of unlabeled SQL training samples in the constructed set is greater than or equal to 1, the labels of the samples in the current set are determined according to the labels output by the SQL injection detection model, and the samples are added to the original labeled feature vectors so as to train the current SQL injection detection model, thereby further improving the accuracy and reliability of the SQL injection detection model.
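The loop of steps 304 to 310, with the interval [ρ_min, ρ_max] and the preset number k from the example above, can be sketched as follows. This is an added example, not code from the patent: a single logistic unit stands in for the neural network, the confidence is assumed to be the predicted-class probability, the whole unlabeled pool is scored each round, and the feature vectors are constructed token counts.

```python
import math

def sigmoid(z):
    # Numerically stable logistic function.
    return 1 / (1 + math.exp(-z)) if z >= 0 else math.exp(z) / (1 + math.exp(z))

def train(X, y, epochs=400, lr=0.3):
    """Stand-in for the neural network: one logistic unit, batch gradient descent."""
    w, b = [0.0] * len(X[0]), 0.0
    for _ in range(epochs):
        gw, gb = [0.0] * len(w), 0.0
        for xi, yi in zip(X, y):
            err = sigmoid(sum(wj * xj for wj, xj in zip(w, xi)) + b) - yi
            gw = [g + err * xj for g, xj in zip(gw, xi)]
            gb += err
        w = [wj - lr * g / len(X) for wj, g in zip(w, gw)]
        b -= lr * gb / len(X)
    return w, b

def predict(model, x):
    """Return (label, confidence); label 1 = injection, 0 = normal.
    Confidence = probability of the predicted class (assumed estimation function)."""
    w, b = model
    p = sigmoid(sum(wj * xj for wj, xj in zip(w, x)) + b)
    return (1, p) if p >= 0.5 else (0, 1 - p)

def select_candidates(scored, rho_min, rho_max, k):
    """Steps 308-309: keep (index, label, confidence) triples whose confidence lies
    in [rho_min, rho_max], sort by ascending confidence, take the first k."""
    inside = [s for s in scored if rho_min <= s[2] <= rho_max]
    return sorted(inside, key=lambda s: s[2])[:k]

def self_train(X_lab, y_lab, X_unl, rho_min, rho_max, k, fit=train, score=predict):
    """Steps 304-310. Returns (model, X, y, remaining_pool, rounds)."""
    X, y, pool, rounds = list(X_lab), list(y_lab), list(X_unl), 0
    while True:
        model = fit(X, y)                                             # step 304
        scored = [(i, *score(model, x)) for i, x in enumerate(pool)]  # step 307
        picked = select_candidates(scored, rho_min, rho_max, k)       # steps 308-309
        if not picked:                                                # step 310
            return model, X, y, pool, rounds
        for i, label, _ in picked:   # the model's own output becomes the label
            X.append(pool[i])
            y.append(label)
        taken = {i for i, _, _ in picked}
        pool = [x for i, x in enumerate(pool) if i not in taken]
        rounds += 1                  # the pool shrinks every round, so the loop ends

# Constructed counts over an assumed vocabulary ["select", "or", "union", "."].
LABELED_X = [[1, 0, 0, 0], [1, 1, 0, 0], [1, 1, 0, 1], [2, 0, 1, 0]]
LABELED_Y = [0, 0, 1, 1]             # 0 = normal statement, 1 = injection statement
UNLABELED_X = [[1, 0, 0, 0], [2, 0, 1, 1], [1, 2, 0, 1], [1, 1, 0, 0],
               [2, 1, 1, 0], [1, 0, 0, 1], [1, 2, 0, 0]]

if __name__ == "__main__":
    model, X, y, rest, rounds = self_train(LABELED_X, LABELED_Y, UNLABELED_X,
                                           0.5, 0.9, k=2)
    print(f"rounds={rounds} labeled={len(X)} still_unlabeled={len(rest)}")
    for x in rest:
        print(x, predict(model, x))
```

Because the pseudo-labels come from the model itself, any sample it mislabels inside the interval is fed back as training data; reviewing the rows appended in each round is a cheap check on label drift.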
Since each SQL statement includes a large amount of redundant data, in order to improve the detection efficiency of the constructed SQL injection detection model, on the basis of the above embodiment, as an implementation manner, before feature extraction is performed on the plurality of labeled SQL training samples and/or on the preset number of unlabeled SQL training samples, the method further includes:
carrying out grammar analysis on a plurality of labeled SQL training samples and/or a plurality of unlabeled SQL training samples by adopting a preset SQL grammar analysis algorithm to obtain labeled training grammar trees corresponding to the labeled SQL training samples and/or unlabeled training grammar trees corresponding to the unlabeled SQL training samples; determining redundant data in each grammar tree according to the tree structure of each labeled training grammar tree and/or the data information in each leaf node of each unlabeled training grammar tree, and performing elimination processing on the redundant data to obtain a plurality of preprocessed labeled training grammar trees and/or a plurality of preprocessed unlabeled training grammar trees.
Specifically, the redundant data may be removed, or may be uniformly processed according to its data type so as to be converted into preset specified content.
Illustratively, a number in a leaf node of each labeled training syntax tree may be converted to 0 and/or converted to '?', a character string containing an SQL keyword may be converted to ',', and SQL comment information may be converted to '.'; converting the redundant data in each syntax tree into specified symbols in this way yields a plurality of preprocessed labeled training syntax trees and/or a preset number of preprocessed unlabeled training syntax trees.
Specifically, in an embodiment, each preprocessed labeled training syntax tree and/or each preprocessed unlabeled training syntax tree may be converted into a corresponding SQL mode to obtain a labeled training SQL mode and/or an unlabeled training SQL mode; feature extraction is then performed on the labeled training SQL mode and/or the unlabeled training SQL mode based on a preset bag-of-words model.
It should be explained that, the SQL mode specifically refers to a representation form of a data set, where, because each preprocessed tagged training syntax tree provided by the embodiment of the present application and/or each preprocessed untagged training syntax tree is a syntax tree that is subjected to redundant data rejection or conversion, each syntax tree corresponds to each SQL mode one-to-one.
After the labeled training SQL mode and/or the unlabeled training SQL mode is input into the preset bag-of-words model, the sentence features of each labeled SQL training sample and/or unlabeled SQL training sample corresponding to those SQL modes can be determined based on the bag-of-words model, and the labeled feature vectors and/or unlabeled feature vectors corresponding to the sentence features can be generated.
Fig. 4 is a flow chart of an exemplary method for constructing an SQL injection detection model according to an embodiment of the present application. The method shown in fig. 4 is an exemplary implementation of the method for constructing an SQL injection detection model shown in fig. 3; the principles of the two are the same and are not repeated here.
The SQL injection detection model constructed by the embodiment of the application is particularly suitable for scenarios in which professional labeling manpower is scarce and the system has just been launched; it improves the accuracy of detection results by combining a small number of labeled SQL training samples with a large number of unlabeled SQL training samples. Because labeling does not consume a great amount of manpower, human resources are further saved.
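The preprocessing and bag-of-words steps described above, as an added example that is not code from the patent. A regular-expression tokenizer stands in for the syntax-tree analysis; numbers become 0, string literals containing SQL keywords become ',', comments become '.', and mapping other string literals to '?' is this example's assumption, as are the function names and the keyword list.

```python
import re
from collections import Counter

# Illustrative keyword subset used to flag string literals (assumed, not from the page).
SQL_KEYWORDS = {"select", "union", "insert", "update", "delete", "drop",
                "from", "where", "or", "and", "sleep"}

# One named alternative per lexical class; comments and strings are tried first.
TOKEN_RE = re.compile(r"""
    (?P<comment>--[^\n]*|\#[^\n]*|/\*.*?\*/)
  | (?P<string>'(?:[^'\\]|\\.)*')
  | (?P<number>\b\d+(?:\.\d+)?\b)
  | (?P<word>[A-Za-z_][A-Za-z0-9_]*)
  | (?P<op>[<>!]=|<>|\S)
""", re.VERBOSE | re.DOTALL)

def to_pattern(sql):
    """Replace redundant data with fixed symbols and return the token list
    that plays the role of the statement's SQL mode."""
    out = []
    for m in TOKEN_RE.finditer(sql):
        kind, text = m.lastgroup, m.group()
        if kind == "comment":
            out.append(".")                      # SQL comment information
        elif kind == "number":
            out.append("0")                      # any numeric literal
        elif kind == "string":
            words = set(re.findall(r"[a-z_]+", text.lower()))
            # ',' for literals that carry SQL keywords, '?' otherwise (assumption)
            out.append("," if words & SQL_KEYWORDS else "?")
        else:
            out.append(text.lower())             # keywords, identifiers, operators
    return out

def build_vocab(patterns):
    """Bag-of-words vocabulary: every distinct token gets a fixed column index."""
    return {tok: i for i, tok in enumerate(sorted({t for p in patterns for t in p}))}

def vectorize(pattern, vocab):
    """Count vector over the vocabulary; tokens outside the vocabulary are ignored."""
    counts = Counter(pattern)
    return [counts[tok] for tok in vocab]        # dict order equals column order

# Constructed sample statements.
SAMPLES = [
    "SELECT * FROM users WHERE id = 42",
    "select * from users where id = 7",
    "SELECT name FROM t WHERE a = 'x' OR 1=1 -- bye",
    "SELECT 'x union select 1'",
]

if __name__ == "__main__":
    patterns = [to_pattern(s) for s in SAMPLES]
    vocab = build_vocab(patterns)
    for s, p in zip(SAMPLES, patterns):
        print(f"{s!r}\n  mode:   {' '.join(p)}\n  vector: {vectorize(p, vocab)}")
```

The first two statements differ only in their literals and therefore collapse to the same SQL mode and the same feature vector, which is the redundancy the preprocessing step removes.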
According to the SQL injection detection model construction method provided by the embodiment of the application, a plurality of labeled SQL training samples are obtained, the labels comprising injection statement labels and normal statement labels; an SQL injection detection model based on a neural network is constructed according to a preset detection requirement; features are extracted from the plurality of labeled SQL training samples to obtain labeled feature vectors corresponding to the labeled SQL training samples; the SQL injection detection model is trained according to the labeled feature vectors and the labels corresponding to the labeled feature vectors to obtain a trained SQL injection detection model; a plurality of unlabeled SQL training samples are obtained; features are extracted from the plurality of unlabeled SQL training samples to obtain a corresponding unlabeled feature vector set; the unlabeled feature vector set is input into the trained SQL injection detection model to obtain the label and confidence corresponding to each unlabeled SQL training sample; whether the confidence corresponding to each unlabeled feature vector belongs to a preset confidence interval is judged; when the confidence corresponding to at least one unlabeled feature vector is determined to belong to the confidence interval, a preset number of unlabeled feature vectors are extracted according to the ascending order of confidence of the at least one unlabeled feature vector and labels are set for them, the newly labeled feature vectors are added to the original labeled feature vectors as new labeled feature vectors, and the method returns to the step of training the SQL injection detection model according to the labeled feature vectors and the labels corresponding to the labeled feature vectors to obtain a trained SQL injection detection model; and when the confidence corresponding to each unlabeled feature vector is determined not to belong to the confidence interval, the trained SQL injection detection model is determined to be the target SQL injection detection model. With the SQL injection detection model construction method provided by this scheme, the constructed SQL injection detection model is trained with a small number of labeled SQL training samples and a large number of unlabeled SQL training samples, so that an SQL injection detection model capable of accurately detecting SQL injection statements in a network environment is obtained while labeled SQL training sample resources are saved, which lays a foundation for improving the accuracy of SQL injection detection results.
The embodiment of the application provides an SQL injection detection method which is used for performing injection detection on SQL statements in a network environment. The executing entity of the embodiment of the application is an electronic device, such as a server, a desktop computer, a notebook computer, a tablet computer, or another electronic device that can be used for SQL injection detection.
Fig. 5 is a flow chart of an SQL injection detection method according to an embodiment of the present application. The method includes:
Step 501, acquiring an SQL statement to be detected;
Step 502, extracting features of the SQL statement to be detected to obtain a feature vector corresponding to the SQL statement to be detected;
Step 503, inputting the feature vector into the target SQL injection detection model constructed by the SQL injection detection model construction method provided in the above embodiment, so as to generate a corresponding detection result.
Specifically, in an embodiment, the method further comprises: judging whether the SQL sentence to be detected is an injection sentence or not according to the detection result; and when the SQL sentence to be detected is determined to be the injection sentence, generating injection alarm information.
Specifically, the access of the current client is also terminated while the alarm information is generated, so as to prevent the network attacker from carrying out malicious attack.
Furthermore, the generated injection alarm information is reported so as to remind the relevant operators to take corresponding security measures in time. The injection alarm information may be reported by short message, alarm lamp, alarm sound, or the like, which is not limited by the embodiment of the application.
Correspondingly, when the SQL statement to be detected is determined to be a normal statement, the method returns to the step of acquiring the SQL statement to be detected.
Illustratively, fig. 6 is a flow chart of an exemplary SQL injection detection method provided by the embodiment of the present application. The method shown in fig. 6 is an exemplary implementation of the SQL injection detection method shown in fig. 5; the principles of the two are the same and are not repeated here.
According to the SQL injection detection method provided by the embodiment of the application, the SQL statement to be detected is obtained; extracting features of the SQL sentence to be detected to obtain a feature vector corresponding to the SQL sentence to be detected; and inputting the feature vector into a pre-constructed SQL injection detection model to generate a corresponding detection result. According to the SQL injection detection method provided by the scheme, the SQL injection detection is performed by utilizing the pre-constructed SQL injection detection model, so that the model can accurately detect SQL sentences to be detected, the accuracy of detection results is improved, and a foundation is laid for improving the safety of a network environment.
The embodiment of the application provides a SQL injection detection model construction device which is used for executing the SQL injection detection model construction method provided by the embodiment.
Fig. 7 is a schematic structural diagram of an SQL injection detection model construction device according to an embodiment of the present application. The apparatus 70 includes: a first acquisition module 701, a construction module 702, a first feature extraction module 703, a training module 704, a second acquisition module 705, a second feature extraction module 706, a learning module 707, a judgment module 708, a first determination module 709, and a second determination module 710.
The first acquisition module is used for acquiring a plurality of labeled SQL training samples, the labels comprising injection statement labels and normal statement labels; the construction module is used for constructing an SQL injection detection model based on a neural network according to preset detection requirements; the first feature extraction module is used for extracting features of the plurality of labeled SQL training samples to obtain labeled feature vectors corresponding to the labeled SQL training samples; the training module is used for training the SQL injection detection model according to the labeled feature vectors and the labels corresponding to the labeled feature vectors so as to obtain a trained SQL injection detection model; the second acquisition module is used for acquiring a plurality of unlabeled SQL training samples; the second feature extraction module is used for extracting features of the plurality of unlabeled SQL training samples so as to obtain a corresponding unlabeled feature vector set; the learning module is used for inputting the unlabeled feature vector set into the trained SQL injection detection model so as to obtain the label and confidence corresponding to each unlabeled SQL training sample; the judging module is used for judging whether the confidence corresponding to each unlabeled feature vector belongs to a preset confidence interval; the first determining module is used for, when the confidence corresponding to at least one unlabeled feature vector is determined to belong to the confidence interval, extracting a preset number of unlabeled feature vectors according to the ascending order of confidence of the at least one unlabeled feature vector, setting labels for the extracted unlabeled feature vectors, adding the newly labeled feature vectors to the original labeled feature vectors as new labeled feature vectors, and returning to the step of training the SQL injection detection model according to the labeled feature vectors and the labels corresponding to the labeled feature vectors to obtain a trained SQL injection detection model; and the second determining module is used for determining the trained SQL injection detection model as the target SQL injection detection model when it is determined that the confidence corresponding to each unlabeled feature vector does not belong to the confidence interval.
Specifically, in an embodiment, the apparatus further comprises:
the preprocessing module is used for carrying out grammar analysis on a plurality of labeled SQL training samples and/or a plurality of unlabeled SQL training samples by adopting a preset SQL grammar analysis algorithm to obtain labeled training grammar trees corresponding to the labeled SQL training samples and/or unlabeled training grammar trees corresponding to the unlabeled SQL training samples;
determining redundant data in each grammar tree according to the tree structure of each labeled training grammar tree and/or the data information in each leaf node of each unlabeled training grammar tree, and performing elimination processing on the redundant data to obtain a plurality of preprocessed labeled training grammar trees and/or a plurality of preprocessed unlabeled training grammar trees.
Specifically, in an embodiment, the first feature extraction module, and/or the second feature extraction module is specifically configured to:
converting each preprocessed labeled training grammar tree and/or each preprocessed unlabeled training grammar tree into a corresponding SQL mode to obtain a labeled training SQL mode and/or an unlabeled training SQL mode;
and carrying out feature extraction on the labeled training SQL mode and/or the unlabeled training SQL mode based on a preset bag-of-words model.
The specific manner in which the respective modules perform the operations in the SQL injection detection model construction apparatus of the present embodiment has been described in detail in the embodiments related to the method, and will not be described in detail herein.
The device for constructing the SQL injection detection model provided by the embodiment of the application is used for executing the method for constructing the SQL injection detection model provided by the embodiment, and the implementation mode and the principle are the same and are not repeated.
The embodiment of the application provides a SQL injection detection model construction device which is used for executing the SQL injection detection model construction method provided by the embodiment.
Fig. 8 is a schematic structural diagram of an SQL injection detection device according to an embodiment of the present application. The apparatus 80 includes: an acquisition module 801, a third feature extraction module 802, and a detection module 803.
The acquisition module is used for acquiring SQL sentences to be detected; the third feature extraction module is used for extracting features of the SQL sentence to be detected so as to obtain a feature vector corresponding to the SQL sentence to be detected; and the detection module is used for inputting the feature vector into the target SQL injection detection model constructed in the embodiment so as to generate a corresponding detection result.
Specifically, in an embodiment, the detection module is further configured to: judging whether the SQL sentence to be detected is an injection sentence or not according to the detection result;
and when the SQL sentence to be detected is determined to be the injection sentence, generating injection alarm information.
Specifically, in an embodiment, the detection module is further configured to: and when the SQL sentence to be detected is determined to be a normal sentence, returning to the step of acquiring the SQL sentence to be detected.
The specific manner in which the modules of the SQL injection detection device of this embodiment perform their operations has been described in detail in the embodiments of the method, and will not be described in detail herein.
The SQL injection detection device provided by the embodiment of the application is used for executing the SQL injection detection method provided by the embodiment, and the implementation mode and principle are the same and are not repeated.
The embodiment of the application provides electronic equipment for executing the SQL injection detection model construction method or the SQL injection detection method provided by the embodiment.
Fig. 9 is a schematic structural diagram of an electronic device according to an embodiment of the present application. The electronic device 90 includes: at least one processor 91 and a memory 92;
the memory stores computer-executable instructions; at least one processor executes computer-executable instructions stored in a memory, causing the at least one processor to perform the SQL injection detection model building method, or the SQL injection detection method, as provided in any of the embodiments above.
The electronic device provided by the embodiment of the application is used for executing the SQL injection detection model construction method provided by the embodiment, or the SQL injection detection method, and the implementation mode and principle are the same and are not repeated.
The embodiment of the application provides a computer readable storage medium, wherein computer execution instructions are stored in the computer readable storage medium, and when a processor executes the computer execution instructions, the SQL injection detection model construction method or the SQL injection detection method provided by any embodiment is realized.
The storage medium containing the computer executable instructions in the embodiment of the present application may be used to store the method for constructing the SQL injection detection model provided in the foregoing embodiment, or the computer executable instructions of the SQL injection detection method, where the implementation manner and principle are the same and will not be described again.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present application, and not for limiting the same; although the application has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some or all of the technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit of the application.

Claims (10)

1. The SQL injection detection model construction method is characterized by comprising the following steps of:
acquiring a plurality of labeled SQL training samples; the tags comprise an injection statement tag and a normal statement tag;
constructing an SQL injection detection model based on a neural network according to a preset detection requirement;
extracting features of the plurality of labeled SQL training samples to obtain labeled feature vectors corresponding to the labeled SQL training samples;
training the SQL injection detection model according to the tagged feature vectors and the tags corresponding to the tagged feature vectors to obtain a trained SQL injection detection model;
acquiring a plurality of unlabeled SQL training samples;
extracting features of the plurality of unlabeled SQL training samples to obtain a corresponding unlabeled feature vector set;
inputting the unlabeled feature vector set into the trained SQL injection detection model to obtain labels and confidence corresponding to each unlabeled SQL training sample;
judging whether the confidence coefficient corresponding to each unlabeled feature vector belongs to the confidence coefficient interval or not according to a preset confidence coefficient interval;
when the confidence corresponding to at least one unlabeled feature vector is determined to belong to the confidence interval, extracting a preset number of unlabeled feature vectors according to a confidence ascending sequencing result of the at least one unlabeled feature vector, and setting the labels for the unlabeled feature vectors; adding the unlabeled feature vector with the label into the original labeled feature vector to serve as a new labeled feature vector, and returning to the step of training the SQL injection detection model according to the labeled feature vector and the labels corresponding to the labeled feature vectors to obtain a trained SQL injection detection model;
and when it is determined that the confidence corresponding to each unlabeled feature vector does not belong to the confidence interval, determining the trained SQL injection detection model as a target SQL injection detection model.
2. The method of claim 1, wherein prior to feature extraction of the plurality of tagged SQL training samples and/or feature extraction of the plurality of untagged SQL training samples, the method further comprises:
carrying out grammar analysis on the plurality of labeled SQL training samples and/or the plurality of unlabeled SQL training samples by adopting a preset SQL grammar analysis algorithm to obtain labeled training grammar trees corresponding to the labeled SQL training samples and/or unlabeled training grammar trees corresponding to the unlabeled SQL training samples;
determining redundant data in each grammar tree according to the tree structure of each labeled training grammar tree and/or the data information in each leaf node of each unlabeled training grammar tree, and performing elimination processing on the redundant data to obtain a plurality of preprocessed labeled training grammar trees and/or a plurality of preprocessed unlabeled training grammar trees.
3. The method for constructing an SQL injection detection model according to claim 2, wherein the feature extraction of the plurality of labeled SQL training samples and/or the feature extraction of the plurality of unlabeled SQL training samples comprises:
converting each preprocessed labeled training grammar tree and/or each preprocessed unlabeled training grammar tree into a corresponding SQL mode to obtain a labeled training SQL mode and/or an unlabeled training SQL mode;
and carrying out feature extraction on the labeled training SQL mode and/or the unlabeled training SQL mode based on a preset bag-of-words model.
4. An SQL injection detection method, comprising:
acquiring an SQL sentence to be detected;
extracting features of the SQL sentence to be detected to obtain a feature vector corresponding to the SQL sentence to be detected;
inputting the feature vector into a target SQL injection detection model constructed by the SQL injection detection model construction method according to any one of claims 1-3 to generate a corresponding detection result.
5. The SQL injection detection method according to claim 4, further comprising:
judging whether the SQL sentence to be detected is an injection sentence or not according to the detection result;
and when the SQL sentence to be detected is determined to be the injection sentence, generating injection alarm information.
6. The SQL injection detection method according to claim 4, further comprising: and when the SQL sentence to be detected is determined to be a normal sentence, returning to the step of acquiring the SQL sentence to be detected.
7. An SQL injection detection model construction device is characterized by comprising:
the first acquisition module is used for acquiring a plurality of labeled SQL training samples; the tags comprise an injection statement tag and a normal statement tag;
the construction module is used for constructing an SQL injection detection model based on a neural network according to preset detection requirements;
the first feature extraction module is used for extracting features of the plurality of labeled SQL training samples to obtain labeled feature vectors corresponding to the labeled SQL training samples;
the training module is used for training the SQL injection detection model according to the labeled feature vectors and the labels corresponding to the labeled feature vectors to obtain a trained SQL injection detection model;
the second acquisition module is used for acquiring a plurality of unlabeled SQL training samples;
the second feature extraction module is used for carrying out feature extraction on the plurality of unlabeled SQL training samples so as to obtain a corresponding unlabeled feature vector set;
the learning module is used for inputting the unlabeled feature vector set into the trained SQL injection detection model so as to obtain the label and confidence corresponding to each unlabeled SQL training sample;
the judging module is used for judging, according to a preset confidence interval, whether the confidence corresponding to each unlabeled feature vector belongs to the confidence interval;
the first determining module is used for, when the confidence corresponding to at least one unlabeled feature vector is determined to belong to the confidence interval, extracting a preset number of unlabeled feature vectors according to the result of sorting the at least one unlabeled feature vector in ascending order of confidence, and setting the labels for the extracted unlabeled feature vectors; adding the unlabeled feature vectors with the labels set to the original labeled feature vectors as new labeled feature vectors; and returning to the step of training the SQL injection detection model according to the labeled feature vectors and the labels corresponding to the labeled feature vectors to obtain a trained SQL injection detection model;
and the second determining module is used for determining the trained SQL injection detection model as the target SQL injection detection model when it is determined that the confidence corresponding to each unlabeled feature vector does not belong to the confidence interval.
8. An SQL injection detection apparatus, comprising:
the acquisition module is used for acquiring SQL sentences to be detected;
the third feature extraction module is used for extracting features of the SQL sentence to be detected so as to obtain a feature vector corresponding to the SQL sentence to be detected;
the detection module is used for inputting the feature vector into the target SQL injection detection model constructed by the SQL injection detection model construction method according to any one of claims 1-3 so as to generate a corresponding detection result.
9. An electronic device, comprising: at least one processor and memory;
the memory stores computer-executable instructions;
the at least one processor executing computer-executable instructions stored in the memory causes the at least one processor to perform the SQL injection detection model construction method of any one of claims 1-3 or the SQL injection detection method of any one of claims 4-6.
10. A computer readable storage medium, wherein computer executable instructions are stored in the computer readable storage medium, and when the processor executes the computer executable instructions, the method for constructing the SQL injection detection model according to any one of claims 1-3 is implemented, or the method for detecting the SQL injection according to any one of claims 4-6 is implemented.
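The loop recited in claims 3 and 7, as an added Python sketch that is not code from the patent: bag-of-words features over a literal-free pattern, training, confidence scoring of the unlabeled pool, and retraining until no confidence falls in the interval. Assumptions, all hypothetical: a regex normaliser stands in for the syntax-tree-to-SQL-mode step, a single neuron trained with the perceptron rule stands in for the neural network, and the interval bounds, batch size, removal of newly labeled vectors from the pool and the `label_fn` hook are illustrative; the claims do not say who supplies the label, so the model's own prediction is the default.

```python
import math
import re

# Constructed sample statements (not from the patent): label 1 = injection, 0 = normal.
LABELED = [("SELECT name FROM users WHERE id = 7", 0),
           ("UPDATE users SET email = 'a@b.c' WHERE id = 3", 0),
           ("SELECT name FROM users WHERE id = 7 OR 1 = 1", 1),
           ("SELECT name FROM users WHERE id = 7 UNION SELECT pw FROM users", 1)]
UNLABELED = ["SELECT * FROM orders WHERE id = 99",
             "SELECT * FROM orders WHERE id = 5 OR 2 = 2",
             "DELETE FROM sessions WHERE token = 'abc'"]

def sql_pattern(sql):
    # Regex stand-in for the claimed tree-to-"SQL mode" step: literals become placeholders.
    s = re.sub(r"'[^']*'", " strlit ", sql.lower())
    return re.findall(r"[a-z_]+|[^\sa-z_]", re.sub(r"\b\d+\b", " numlit ", s))

VOCAB = sorted({t for q in [s for s, _ in LABELED] + UNLABELED for t in sql_pattern(q)})

def bow(sql):
    # Bag-of-words counts over the preset vocabulary; the trailing 1 is a bias input.
    return [sql_pattern(sql).count(t) for t in VOCAB] + [1]

def predict(w, x):
    # Returns (label, confidence); confidence = sigmoid(|score|), so it lies in [0.5, 1).
    z = sum(wi * xi for wi, xi in zip(w, x))
    return (1 if z > 0 else 0), 1 / (1 + math.exp(-abs(z)))

def train(data, max_updates=1000):
    # Single neuron trained with the perceptron rule (stand-in for the claimed network).
    w = [0] * len(data[0][0])
    for _ in range(max_updates):
        miss = next(((x, t) for x, t in data if predict(w, x)[0] != t), None)
        if miss is None:
            break
        w = [wi + (1 if miss[1] else -1) * xi for wi, xi in zip(w, miss[0])]
    return w

def build_model(data, pool, interval=(0.5, 0.9), batch=2, label_fn=None):
    # Retrain while any unlabeled confidence falls inside `interval`.
    data, pool = list(data), list(pool)
    while True:
        w = train(data)
        scored = sorted(((predict(w, x), x) for x in pool), key=lambda s: s[0][1])
        picked = [s for s in scored if interval[0] <= s[0][1] <= interval[1]][:batch]
        if not picked:
            return w, data, pool          # target model: nothing left in the interval
        for (label, _), x in picked:      # lowest-confidence vectors first
            data.append((x, label_fn(x) if label_fn else label))  # assumed label source
            pool.remove(x)
```

Passing an analyst-backed `label_fn` turns the same loop into active learning; with the default, a wrong low-confidence prediction is written into the training set, which is the main failure mode to monitor.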
CN202010997062.XA 2020-09-21 2020-09-21 SQL injection detection model construction method and detection method Active CN112069498B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010997062.XA CN112069498B (en) 2020-09-21 2020-09-21 SQL injection detection model construction method and detection method

Publications (2)

Publication Number Publication Date
CN112069498A CN112069498A (en) 2020-12-11
CN112069498B CN112069498B (en) 2023-11-21

Family

ID=73681156

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010997062.XA Active CN112069498B (en) 2020-09-21 2020-09-21 SQL injection detection model construction method and detection method

Country Status (1)

Country Link
CN (1) CN112069498B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112966268B (en) * 2021-03-02 2024-07-26 全球能源互联网研究院有限公司 SQL detection method and system based on neural network model and hash matching
CN112966507B (en) * 2021-03-29 2024-09-13 北京金山云网络技术有限公司 Method, device, equipment and storage medium for constructing recognition model and attack recognition
CN113343051B (en) * 2021-06-04 2024-04-16 全球能源互联网研究院有限公司 Abnormal SQL detection model construction method and detection method
CN113726787B (en) * 2021-08-31 2023-02-07 中国平安人寿保险股份有限公司 SQL injection generation method, device, equipment and storage medium

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107491534B (en) * 2017-08-22 2020-11-20 北京百度网讯科技有限公司 Information processing method and device

Patent Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108549814A (en) * 2018-03-24 2018-09-18 西安电子科技大学 A kind of SQL injection detection method based on machine learning, database security system
CN108632263A (en) * 2018-04-25 2018-10-09 杭州闪捷信息科技股份有限公司 A kind of detection method of SQL injection point
CN109413028A (en) * 2018-08-29 2019-03-01 集美大学 SQL injection detection method based on convolutional neural networks algorithm
CN109194677A (en) * 2018-09-21 2019-01-11 郑州云海信息技术有限公司 A kind of SQL injection attack detection, device and equipment
KR101949338B1 (en) * 2018-11-13 2019-02-18 (주)시큐레이어 Method for detecting sql injection from payload based on machine learning model and apparatus using the same
CN110362597A (en) * 2019-06-28 2019-10-22 华为技术有限公司 A kind of structured query language SQL injection detection method and device
CN110414219A (en) * 2019-07-24 2019-11-05 长沙市智为信息技术有限公司 Detection method for injection attack based on gating cycle unit Yu attention mechanism
CN111126038A (en) * 2019-12-24 2020-05-08 北京明略软件系统有限公司 Information acquisition model generation method and device and information acquisition method and device
CN111291070A (en) * 2020-01-20 2020-06-16 南京星环智能科技有限公司 Abnormal SQL detection method, equipment and medium
CN111314388A (en) * 2020-03-26 2020-06-19 北京百度网讯科技有限公司 Method and apparatus for detecting SQL injection

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
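Research on real-time online intelligent detection technology for SQL injection behavior; Li Ming; Xing Guangsheng; Wang Zhihui; Wang Xiaodong; Journal of Hunan University (Natural Sciences) (No. 08); full text *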

Also Published As

Publication number Publication date
CN112069498A (en) 2020-12-11

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant