CN112887274B - Method and device for detecting command injection attack, computer equipment and storage medium - Google Patents


Info

Publication number: CN112887274B
Authority: CN (China)
Legal status: Active
Application number: CN202110035588.4A
Other languages: Chinese (zh)
Other versions: CN112887274A
Prior art keywords: data, injection attack, command injection, rule, packet
Inventors: 侯天齐, 梁彧, 田野, 傅强, 王杰, 杨满智, 蔡琳, 金红, 陈晓光
Current assignee: Eversec Beijing Technology Co Ltd
Original assignee: Eversec Beijing Technology Co Ltd
Events: application filed by Eversec Beijing Technology Co Ltd; priority to CN202110035588.4A; publication of CN112887274A; application granted; publication of CN112887274B; active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks

Abstract

The invention discloses a method and a device for detecting command injection attacks, a computer device and a storage medium. The method is applied to a command injection attack detection device and comprises the following steps: traffic data is obtained in real time through a deep packet inspection device deployed on a server bypass, and the traffic data is analyzed to obtain data packets of various protocol types; each data packet is processed through a data integration tool, and complete data matching each data packet is obtained and stored; each item of stored complete data is matched against the command injection attack rules through a rule matching module, and when target complete data is determined to match a command injection attack rule, the traffic data of the data packet sender corresponding to the target complete data is blocked and a command injection attack alarm is raised. With the technical scheme of the invention, SQL injection attacks can be detected and blocked in real time, and the accuracy of SQL injection attack identification is improved.

Description

Method and device for detecting command injection attack, computer equipment and storage medium
Technical Field
Embodiments of the invention relate to information security and attack detection technology, and in particular to a method and a device for detecting command injection attacks, a computer device, and a storage medium.
Background
A command injection attack, that is, an SQL (Structured Query Language) injection attack, is one of the means of attacking database security: an attacker inserts SQL commands into the input fields of a Web form or the query string of a page request so as to trick the server into executing malicious SQL commands, thereby intruding into the database and even the operating system.
In the prior art, a database security protection system is deployed in series between the Web application server and the external network link, and SQL injection attacks are detected by that system. However, once a single point of failure occurs in the database security protection system, the normal service operation of the Web application server is affected. In another prior-art approach, the database security protection system is deployed on a router in front of the Web application server, the router forwards traffic data to the database security protection system, and the system detects SQL injection attacks. However, the router may produce invalid or incomplete data in the forwarded traffic, so the database security protection system cannot effectively identify the real data, and the accuracy of SQL injection attack identification is reduced. Moreover, the database security protection system only identifies data based on HTTP (HyperText Transfer Protocol) with high confidence, and it is difficult for it to detect SQL injection attack data carried in other protocols.
Disclosure of Invention
Embodiments of the present invention provide a method and an apparatus for detecting a command injection attack, a computer device, and a storage medium, in order to detect and block SQL injection attacks in real time while ensuring the normal service of the Web application server, thereby improving the accuracy of SQL injection attack identification.
In a first aspect, an embodiment of the present invention provides a method for detecting a command injection attack. The method is applied to a command injection attack detection device and includes:
obtaining traffic data in real time through a deep packet inspection device of the command injection attack detection device, which is deployed on a server bypass, and analyzing the traffic data to obtain data packets of various protocol types;
processing each data packet through a data integration tool of the command injection attack detection device, and obtaining and storing complete data matching each data packet; and
matching each item of stored complete data against the command injection attack rules through a rule matching module of the command injection attack detection device, and, when target complete data is determined to match a command injection attack rule, blocking the traffic data of the data packet sender corresponding to the target complete data and raising a command injection attack alarm.
In a second aspect, an embodiment of the present invention further provides an apparatus for detecting a command injection attack. The apparatus is deployed in a command injection attack detection device and includes:
a traffic data analysis module, configured to obtain traffic data in real time through a deep packet inspection device of the command injection attack detection device, which is deployed on a server bypass, and to analyze the traffic data to obtain data packets of various protocol types;
a data packet processing module, configured to process each data packet through a data integration tool of the command injection attack detection device, and to obtain and store complete data matching each data packet; and
a traffic data blocking module, configured to match each item of stored complete data against the command injection attack rules through the rule matching module of the command injection attack detection device, and, when target complete data is determined to match a command injection attack rule, to block the traffic data of the data packet sender corresponding to the target complete data and raise a command injection attack alarm.
In a third aspect, an embodiment of the present invention further provides a computer device including a memory, a processor, and a computer program stored in the memory and executable on the processor. The computer device includes a deep packet inspection device, a data integration tool, and a rule matching module, and when the processor executes the program, the method for detecting a command injection attack according to any embodiment of the present invention is implemented.
In a fourth aspect, embodiments of the present invention further provide a storage medium containing computer-executable instructions which, when executed by a computer processor, perform the method for detecting a command injection attack according to any embodiment of the present invention.
Embodiments of the present invention deploy the deep packet inspection device on the server bypass, obtain traffic data in real time through it, analyze the traffic data into data packets of various protocol types, complete each data packet through the data integration tool to obtain complete data, match the complete data against the command injection attack rules through the rule matching module, and, when a match succeeds, block the traffic data of the data packet sender and raise a command injection attack alarm. This solves three problems of the prior art, in which a database security protection system deployed on the front-end router of the Web application server detects command injection attacks: that a failure of the database security protection system affects the normal service operation of the server, that the database security protection system has difficulty detecting data of protocol types other than HTTP, and that SQL injection attack detection accuracy is poor because the data forwarded by the router is incomplete. SQL injection attacks are thus detected and blocked in real time while the normal service of the Web application server is guaranteed, and the accuracy of SQL injection attack identification is improved.
Drawings
Fig. 1 is a flowchart of a method for detecting a command injection attack according to a first embodiment of the present invention;
Fig. 2a is a flowchart of a method for detecting a command injection attack according to a second embodiment of the present invention;
Fig. 2b is a schematic diagram of the network deployment for command injection attack detection in specific application scenario 1 of the present invention;
Fig. 3 is a schematic structural diagram of an apparatus for detecting a command injection attack according to a third embodiment of the present invention;
Fig. 4 is a schematic structural diagram of a computer device according to a fourth embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not limiting of the invention. It should be further noted that, for the convenience of description, only some structures related to the present invention are shown in the drawings, not all of them.
Example one
Fig. 1 is a flowchart of a method for detecting a command injection attack according to a first embodiment of the present invention. This embodiment is applicable to real-time detection of SQL injection attacks. The method may be executed by an apparatus for detecting a command injection attack, which may be implemented in software and/or hardware and is generally integrated in a command injection attack detection device in which a deep packet inspection device, a data integration tool, and a rule matching module are disposed.
As shown in Fig. 1, the technical solution of this embodiment specifically includes the following steps:
S110: obtain traffic data in real time through a deep packet inspection device of the command injection attack detection device, which is deployed on a server bypass, and analyze the traffic data to obtain data packets of various protocol types.
A Deep Packet Inspection (DPI) device inspects and analyzes traffic and packet content at key points of a network, and can filter and control the inspected traffic according to a predefined policy. The DPI device can obtain the traffic data of the server in real time. Traffic data is the data the server exchanges with the external link. The protocol type represents the communication rules between the packet sender and the server; there may be many protocol types, for example HTTPS, SNMP (Simple Network Management Protocol), FTP (File Transfer Protocol), ICMP (Internet Control Message Protocol) and so on. Typically, the protocol types may include the HTTP protocol and/or the SQL protocol. A data packet is a unit of data in communication transmission; it includes the address information of the sender and the receiver and is transmitted according to the corresponding protocol type.
In the prior art, the database protection system is deployed in series between the server and the network link; when a single point of failure occurs in the database protection system, normal communication between the server and the network link is affected and normal service operation is hindered.
In the embodiment of the present invention, the DPI device is deployed on the server bypass and collects and analyzes the traffic data of the server. The advantage of bypass deployment is that even if the DPI device suffers a single-point failure, normal communication between the server and the network link is not affected, so the normal operation of the server's services is guaranteed.
S120: process each data packet through a data integration tool of the command injection attack detection device, and obtain and store complete data matching each data packet.
An ETL (Extract-Transform-Load) tool extracts data from a data source, cleans, processes and converts it, and then loads it into a data warehouse, so that scattered, disordered data with inconsistent standards is integrated for subsequent analysis. In the embodiment of the present invention, the ETL tool is used to complete the invalid data and the incomplete data in each data packet to form complete data.
In the embodiment of the present invention, the complete data formed after ETL processing may be stored in a data warehouse or directly in a relational database. A data warehouse provides current and historical data for decision support; here, complete data may be loaded into the data warehouse for subsequent command injection attack detection. A relational database is created according to the relational model and stores data in a structured way; here, complete data may be stored directly in the relational database, which facilitates data queries during subsequent command injection attack detection.
S130: match each item of stored complete data against the command injection attack rules through a rule matching module of the command injection attack detection device, and, when target complete data is determined to match a command injection attack rule, block the traffic data of the data packet sender corresponding to the target complete data and raise a command injection attack alarm.
A command injection attack rule may be a characteristic character or characteristic field of SQL injection attacks. The essence of an SQL injection attack is to modify the SQL statement by manipulating the input so that the server executes a malicious SQL command; SQL injection attack statements therefore usually contain certain special characters or fields, so by matching the command injection attack rules an SQL injection attack statement can be identified and SQL injection attack behaviour determined to exist. The command injection attack rules may also include a blacklist of data packet senders: a sender is added to the blacklist once SQL injection attack behaviour has been detected from it, and when the sender of the target complete data is found on the blacklist, SQL injection attack behaviour can be determined to exist.
In the prior art, the database protection system has limited protocol identification capability when performing SQL injection attack detection on traffic data: it identifies HTTP-based data with high accuracy but data of other protocol types with low accuracy.
In the embodiment of the present invention, the DPI device analyzes the obtained traffic data and can identify data packets of various protocol types, and the rule matching module matches the complete data formed by ETL processing of those data packets against the command injection attack rules, so that SQL injection attacks can be detected. Accurate protocol analysis of the traffic data improves the accuracy with which data packet information is identified, and thereby the accuracy of SQL injection attack detection.
In the embodiment of the present invention, in a single SQL injection attack action the data packet sender, that is, the attacker, sends multiple data packets to the server; the server combines the data packets after receiving them and executes the corresponding malicious SQL command, which forms a complete SQL injection attack action.
When the target complete data matches a command injection attack rule, an SQL injection attack statement exists in the target complete data and SQL injection attack behaviour can be determined to exist. Therefore, when the rule matching module detects SQL injection attack behaviour it can send a data blocking instruction to the DPI device; after receiving the instruction, the DPI device identifies the data packet sender from it and blocks the communication link between that sender and the server. This blocks the source of the SQL injection attack traffic: the sender cannot send subsequent data packets, a complete SQL injection attack action cannot be formed, and the SQL injection attack is prevented.
At the same time, when the rule matching module detects SQL injection attack behaviour, it can raise an SQL injection attack alarm to notify the network administrator to handle the attack in time.
In the technical scheme of this embodiment, the deep packet inspection device is deployed on the server bypass, traffic data is obtained in real time through it and analyzed into data packets of multiple protocol types, each data packet is completed through the data integration tool to obtain complete data, the complete data is matched against the command injection attack rules through the rule matching module, and when a match succeeds, the traffic data of the data packet sender is blocked and a command injection attack alarm is raised. This solves three problems of the prior art, in which a database security protection system deployed on the front-end router of the Web application server detects command injection attacks: that a failure of the database security protection system affects the normal service operation of the server, that the database security protection system has difficulty detecting data of protocol types other than HTTP, and that SQL injection attack detection accuracy is poor because the data forwarded by the router is incomplete. SQL injection attacks are detected and blocked in real time while the normal service of the Web application server is guaranteed, and the accuracy of SQL injection attack identification is improved.
Example two
Fig. 2a is a flowchart of a method for detecting a command injection attack according to a second embodiment of the present invention. The second embodiment further specifies the process by which the deep packet inspection device analyzes the traffic data, the process by which the data integration tool completes each data packet, the process of matching complete data against the command injection attack rules, and the process of blocking the attacker's traffic data when an SQL injection attack is detected.
Correspondingly, as shown in Fig. 2a, the technical solution of this embodiment specifically includes the following steps:
S210: obtain, in real time through the deep packet inspection device, the traffic data that the traffic diversion device collects, copies and sends.
In the embodiment of the present invention, a traffic diversion device (drainage device) is arranged between the server and the external network link. Optionally, the traffic diversion device may be a network splitter, a firewall, or a layer-3 switch.
Preferably, a network splitter is used as the traffic diversion device; it copies the data the sender transmits to the server and forwards the copy to the DPI device. Compared with a firewall or a layer-3 switch, a network splitter is more specialized and forwards traffic data faster.
In the embodiment of the present invention, the traffic diversion device collects traffic data in real time and forwards a copy to the DPI device, which analyzes it.
S220: perform protocol type analysis on the obtained traffic data through the deep packet inspection device, obtain data packets of various protocol types, and convert each data packet into structured format data.
In the embodiment of the present invention, the DPI device performs protocol identification on the traffic data and thereby obtains data packets of multiple protocol types. After dividing the traffic data by protocol type, the DPI device converts the data of each protocol type into structured format data for output.
The structured format may be JSON (JavaScript Object Notation) or XML (eXtensible Markup Language). XML describes data with a series of simple tags, while JSON stores data as key-value pairs, which is simpler and more intuitive than XML data.
Accordingly, structured format data is data that can be represented in a unified structure. Converting the data into a structured format makes it convenient to check it for gaps and complete it afterwards; this embodiment does not limit which structured format is used.
S230: extract data from each item of structured format data through the data integration tool, verify the data, clean the data according to the data verification result, and obtain complete data matching each item of structured format data.
Preferably, the data of each protocol type is converted into JSON file format, and the ETL tool performs data extraction on the JSON file output by the DPI device. Data extraction in general means extracting the data required by the destination data source system from the source data source system; in the embodiment of the present invention it refers to the ETL tool acquiring the JSON file output by the DPI device.
After acquiring the JSON file, the ETL tool performs data verification, the purpose of which is to judge the validity and integrity of the data. For example, the same session may correspond to multiple packets, and the source IP (Internet Protocol) address and destination IP address of each of these packets should be the same. If the other packets of a session have source IP A and destination IP B but a certain packet has source IP C and destination IP B, that packet can be judged to be invalid data and its source IP needs to be modified. If a certain packet has source IP A and a null destination IP, it can be judged to be incomplete data and its destination IP needs to be completed.
The data verification result is the invalid data and/or incomplete data identified by the verification, and data cleaning is the process of completing the invalid data and the incomplete data. In the embodiment of the present invention, the data content can be completed by comparative analysis, correlation analysis and the like of the adjacent packets and/or similar packets of the invalid and/or incomplete data. For example, if an invalid packet lacks a source IP and the other packets of the same session have source IP A, it can be inferred that the source IP of the invalid packet is also A. In this embodiment the data content may be compared and analyzed against adjacent packets or correlated and analyzed against similar packets, and the data verification result, that is, the invalid and/or incomplete data, may also be presented to the user for manual completion.
In the embodiment of the present invention, after the ETL tool performs data extraction, data verification and data cleaning on the structured format data output by the DPI device, complete data matching each item of structured format data is obtained. The purpose of obtaining complete data through the ETL tool is to improve the accuracy of SQL injection attack detection.
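The verification and cleaning logic of S230, as an added Python example that is not from the patent or from Eversec's implementation: it treats a small constructed batch of the DPI device's JSON output as the data source, flags per session the packets whose source or destination IP is null (incomplete) or disagrees with the other packets of the session (invalid), completes them from the sibling packets, and reports the fields no sibling can supply for manual completion. The session key, field names and addresses are assumptions.

```python
import json
from collections import Counter
from copy import deepcopy

# Constructed sample of the DPI device's structured (JSON) output: one session of
# three packets plus one packet of a second session. Packet (s1, 2) carries a source
# IP that disagrees with its session (invalid data), packet (s1, 3) lacks a
# destination IP (incomplete data), and (s2, 1) lacks a destination IP that no
# sibling packet can supply. All addresses and payloads are made up.
DPI_OUTPUT = json.dumps([
    {"session": "s1", "seq": 1, "src_ip": "10.0.0.5", "dst_ip": "10.0.1.20",
     "proto": "HTTP", "payload": "GET /item?id=1"},
    {"session": "s1", "seq": 2, "src_ip": "10.0.0.9", "dst_ip": "10.0.1.20",
     "proto": "HTTP", "payload": "GET /item?id=2"},
    {"session": "s1", "seq": 3, "src_ip": "10.0.0.5", "dst_ip": None,
     "proto": "HTTP", "payload": "GET /item?id=3"},
    {"session": "s2", "seq": 1, "src_ip": "10.0.0.7", "dst_ip": None,
     "proto": "MYSQL", "payload": "SELECT 1"},
])

# Fields the verification step checks for consistency across a session (assumed).
CHECKED_FIELDS = ("src_ip", "dst_ip")


def extract(raw_json):
    """Data extraction: load the JSON file the DPI device produced."""
    return json.loads(raw_json)


def session_reference(packets):
    """For each session, the value of each checked field that the other packets of
    the session agree on (majority of the non-null values), or None when no packet
    in the session carries the field at all."""
    by_session = {}
    for p in packets:
        by_session.setdefault(p["session"], []).append(p)
    reference = {}
    for sess, pkts in by_session.items():
        reference[sess] = {}
        for f in CHECKED_FIELDS:
            vals = [p[f] for p in pkts if p.get(f)]
            reference[sess][f] = Counter(vals).most_common(1)[0][0] if vals else None
    return reference


def verify(packets):
    """Data verification: a null checked field is 'incomplete', a field that
    disagrees with the session reference is 'invalid'. Returns
    {(session, seq): {field: status}} for every packet with at least one problem."""
    reference = session_reference(packets)
    findings = {}
    for p in packets:
        ref = reference[p["session"]]
        problems = {}
        for f in CHECKED_FIELDS:
            if not p.get(f):
                problems[f] = "incomplete"
            elif ref[f] is not None and p[f] != ref[f]:
                problems[f] = "invalid"
        if problems:
            findings[(p["session"], p["seq"])] = problems
    return findings


def clean(packets, findings):
    """Data cleaning: complete each flagged field from the session's sibling packets.
    Fields no sibling can supply are left unchanged and listed so that a user can
    fill them in manually, as the description allows."""
    reference = session_reference(packets)
    cleaned = deepcopy(packets)
    manual = []
    for p in cleaned:
        key = (p["session"], p["seq"])
        for f in findings.get(key, {}):
            fix = reference[p["session"]][f]
            if fix is None:
                manual.append((key, f))
            else:
                p[f] = fix
    return cleaned, manual


def etl(raw_json):
    """Whole S230 pass: extract -> verify -> clean. Returns the complete data and
    the ((session, seq), field) entries that still need manual completion."""
    packets = extract(raw_json)
    return clean(packets, verify(packets))


if __name__ == "__main__":
    complete, manual = etl(DPI_OUTPUT)
    for p in complete:
        print(p["session"], p["seq"], p["src_ip"], p["dst_ip"])
    print("needs manual completion:", manual)
```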
S240: convert each item of complete data into a standard format and store it.
In the embodiment of the present invention, different batches of traffic data may be converted into different types of structured format data by the DPI device. Therefore, after the ETL tool has completed the data output by the DPI device and obtained the complete data, it converts each item of complete data into a uniform standard format so that the content information of the data can be better identified and analyzed.
The complete data converted to the uniform standard format may be loaded into a data warehouse or stored directly in a relational database.
S250: obtain all stored complete data through the rule matching module, input all the complete data into the rule matching model, and match all the complete data against the command injection attack rules through the rule matching model.
In the embodiment of the present invention, each item of complete data output by the ETL tool can be matched against the SQL injection attack rules through a rule matching model obtained by pre-training within the rule matching module.
The rule matching model may be obtained by training a preset machine learning model on a number of data packets containing SQL injection attack statements; the training process and the specific training method of the rule matching model are not limited in this embodiment.
The command injection attack rules include all command injection attack rules prestored in a command injection attack rule base, together with command injection attack rules formed by associating and/or combining the prestored rules.
In the embodiment of the present invention, a command injection attack rule base containing a number of SQL injection attack rules may be preset. When the rule matching model matches a data packet against the SQL injection attack rules, it can not only match the features of the data packet against the prestored SQL injection attack rules, but also against new SQL injection attack rules obtained by associating, combining or varying the existing rules.
S260: if the rule matching module determines that the target complete data matches a command injection attack rule, execute S270; otherwise, return to S210.
In the embodiment of the present invention, if the target complete data matches a command injection attack rule, SQL injection attack behaviour exists.
S270: send a data blocking instruction to the deep packet inspection device, so that the deep packet inspection device, according to the data blocking instruction, sends a reset connection data packet to the data packet sender corresponding to the target complete data and blocks that sender's traffic data.
The reset connection packet, that is, the RST (Reset) packet, forces the link between the packet sender and the server to be closed.
When it determines that the target complete data matches a command injection attack rule, the rule matching module identifies the data packet sender corresponding to the target complete data from the sender address information in that data, that is, the source IP address, constructs a data blocking instruction for that sender, and sends it to the DPI device. After receiving the data blocking instruction, the DPI device sends an RST packet to that sender so as to break the link between the sender and the server and block the source of the SQL injection attack traffic.
S280: raise a command injection attack alarm, then return to S210.
While sending the data blocking instruction to the deep packet inspection device, the rule matching module also raises the SQL injection attack alarm.
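The rule matching, sender blacklist, blocking instruction and alarm of S130 and S250 to S280, as an added Python example that is not from the patent: in place of the pre-trained rule matching model it uses a constructed rule base of regular expressions, forms one combined rule from base rules as S250 describes, adds the sender to the blacklist on the first match so that its later records also match, and returns the data blocking instruction that would be handed to the DPI device together with the alarm text. Rule names, patterns, record fields and the instruction format are assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed rule base: each command injection attack rule is a characteristic
# character sequence or field of SQL injection statements, written as a
# case-insensitive regular expression. Names and patterns are illustrative.
RULE_BASE = {
    "tautology": r"'\s*or\s+'?\d+'?\s*=\s*'?\d+",
    "union_select": r"\bunion\b.{0,40}\bselect\b",
    "comment_tail": r"(--|#|/\*)\s*$",
    "stacked_query": r";\s*(drop|delete|update|insert)\b",
}

# Rules formed by combining prestored rules (S250): the named rule matches when
# every listed base rule matches the same complete-data record.
COMBINED_RULES = {
    "tautology+comment": ("tautology", "comment_tail"),
}

# Constructed complete data as stored by the ETL stage: one benign HTTP request,
# one injected HTTP request, a later benign request from the same sender, and a
# record from a non-HTTP (MySQL) protocol. Addresses and payloads are made up.
COMPLETE_DATA = [
    {"src_ip": "10.0.0.5", "dst_ip": "10.0.1.20", "proto": "HTTP",
     "payload": "GET /item?id=1"},
    {"src_ip": "10.0.0.9", "dst_ip": "10.0.1.20", "proto": "HTTP",
     "payload": "GET /item?id=1' OR '1'='1' --"},
    {"src_ip": "10.0.0.9", "dst_ip": "10.0.1.20", "proto": "HTTP",
     "payload": "GET /item?id=2"},
    {"src_ip": "10.0.0.7", "dst_ip": "10.0.1.20", "proto": "MYSQL",
     "payload": "SELECT name FROM items WHERE id=3 UNION SELECT 1,2"},
]


@dataclass
class RuleMatcher:
    """Stand-in for the rule matching module: base rules, combined rules and the
    sender blacklist that grows as attacks are detected."""
    rules: dict
    combined: dict
    blacklist: set = field(default_factory=set)

    def match(self, record):
        """Return the names of all rules the record matches (possibly none)."""
        text = record["payload"]
        hits = [name for name, pattern in self.rules.items()
                if re.search(pattern, text, re.IGNORECASE)]
        hits += [name for name, parts in self.combined.items()
                 if all(part in hits for part in parts)]
        # Blacklist rule (S130): a record whose sender was caught before counts
        # as SQL injection attack behaviour even when its payload is clean.
        if record["src_ip"] in self.blacklist:
            hits.append("blacklisted_sender")
        return hits

    def process(self, record):
        """S260 to S280 for one record: None when nothing matches; otherwise the
        blocking instruction for the DPI device plus the alarm text, after adding
        the sender (source IP of the complete data) to the blacklist."""
        hits = self.match(record)
        if not hits:
            return None
        self.blacklist.add(record["src_ip"])
        block = {"action": "reset_connection",
                 "src_ip": record["src_ip"], "dst_ip": record["dst_ip"]}
        alert = (f"SQL injection attack: {record['src_ip']} -> {record['dst_ip']} "
                 f"({record['proto']}), rules={','.join(hits)}")
        return {"rule_hits": hits, "block": block, "alert": alert}


def run(records, matcher=None):
    """Process a stored batch in order; returns one result per record."""
    matcher = matcher or RuleMatcher(RULE_BASE, COMBINED_RULES)
    return [matcher.process(r) for r in records]


if __name__ == "__main__":
    for result in run(COMPLETE_DATA):
        print(result["alert"] if result else "no match, record logged")
```

Regular-expression rules are only a stand-in for the trained model: a production matcher has to decode the payload (URL and hex encoding) before matching and tune the rules against false positives such as a legitimate trailing `#` in a request.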
In the technical scheme of this embodiment, the deep packet inspection device is deployed on the server bypass; it obtains in real time the traffic data copied and sent by the traffic diversion device, analyzes it, and converts the resulting data packets of multiple protocol types into structured format data; the ETL tool turns the structured format data into complete data through data extraction, data verification and data cleaning; the rule matching module matches the complete data against the command injection attack rules and, when a match succeeds, sends a data blocking instruction to the deep packet inspection device, which sends a reset connection packet to the data packet sender according to the instruction so that the sender's traffic data is blocked, and a command injection attack alarm is raised. This solves three problems of the prior art, in which a database security protection system deployed on the front-end router of the Web application server detects command injection attacks: that a failure of the database security protection system affects the normal service operation of the server, that the database security protection system has difficulty detecting data of protocol types other than HTTP, and that SQL injection attack detection accuracy is poor because the data forwarded by the router is incomplete. SQL injection attacks are detected and blocked in real time while the normal service of the Web application server is guaranteed, and the accuracy of SQL injection attack identification is improved.
Specific application scenario 1
Fig. 2b is a schematic diagram of the network deployment for command injection attack detection in a first specific application scenario of the invention. As shown in Fig. 2b, an aggregation and distribution device, that is, the drainage device of the foregoing embodiment, sits between the external network link and the Web application server. The command injection attack detection device is deployed on a server bypass and comprises a DPI device, an ETL tool, a rule matching module and a relational database. The aggregation and distribution device copies the traffic data arriving from the external network link and forwards the copy to the DPI device. The DPI device identifies the protocol of the collected traffic, obtains data packets of the various protocol types and converts each data packet into structured format data. The ETL tool performs data extraction, data verification and data cleaning on each piece of structured format data to obtain the matching complete data, which it stores in the relational database. The rule matching module matches the SQL injection attack rules against each piece of complete data in the relational database; if a rule matches a piece of complete data, SQL injection attack behaviour exists in the original traffic data corresponding to that complete data. The rule matching module identifies the sender of the complete data, that is, the attacker, constructs a data blocking instruction and sends it to the DPI device; the DPI device, on receiving the instruction, sends an RST packet to the attacker to block the corresponding SQL injection attack traffic. The rule matching module also raises an alarm by e-mail or SMS to inform the network administrator of the SQL injection attack behaviour.
If no rule matches, the rule matching module continues to monitor the traffic data and records the related information in real time.
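The pipeline described above (S210 to S280 and the scenario 1 deployment), as an added worked example that is not part of the patent and not Eversec's code. Constructed HTTP and MySQL COM_QUERY packets stand in for what the DPI device hands over after protocol identification; `to_structured` plays the structured-format conversion, `etl` the extraction, verification and cleaning stage, and `match_rules` the rule base, including one combined rule formed from two prestored rules as the embodiments describe. The rule ids, regular expressions, IP addresses and the choice to set aside (rather than complete) truncated records are all assumptions of this example.

```python
import re
import struct
from urllib.parse import unquote_plus, urlsplit

# ---- Stage 1: packets as the DPI device hands them over after protocol identification.
# All samples are constructed for this example; they are not captures from the patent.

def mysql_com_query(statement: bytes) -> bytes:
    """Build a MySQL client COM_QUERY packet: 3-byte little-endian length, sequence id, 0x03, SQL."""
    body = b"\x03" + statement
    return struct.pack("<I", len(body))[:3] + b"\x00" + body

RAW_PACKETS = [
    {"proto": "http", "src_ip": "203.0.113.7",
     "payload": b"GET /item?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1\r\nHost: shop.example\r\n\r\n"},
    {"proto": "http", "src_ip": "198.51.100.4",
     "payload": b"GET /item?id=42 HTTP/1.1\r\nHost: shop.example\r\n\r\n"},
    {"proto": "mysql", "src_ip": "203.0.113.9",
     "payload": mysql_com_query(b"SELECT name FROM items WHERE id=1 UNION SELECT password FROM users")},
    # A truncated copy: the length header promises more bytes than the bypass delivered.
    {"proto": "mysql", "src_ip": "198.51.100.9",
     "payload": mysql_com_query(b"SELECT 1")[:6]},
]

# ---- Stage 2: structured format data (one flat record per packet) -------------------------

def to_structured(pkt):
    """Convert one identified packet into a flat record, or None if it does not parse."""
    if pkt["proto"] == "http":
        head = pkt["payload"].split(b"\r\n\r\n", 1)[0].decode("latin-1")
        parts = head.split("\r\n")[0].split(" ")
        if len(parts) != 3:
            return None
        method, target, _version = parts
        url = urlsplit(target)
        return {"proto": "http", "src_ip": pkt["src_ip"], "method": method,
                "path": url.path, "query": url.query, "complete": True}
    if pkt["proto"] == "mysql":
        p = pkt["payload"]
        if len(p) < 5 or p[4] != 0x03:            # only COM_QUERY carries SQL text
            return None
        declared = int.from_bytes(p[:3], "little")
        return {"proto": "mysql", "src_ip": pkt["src_ip"],
                "statement": p[5:].decode("utf-8", "replace"),
                "complete": len(p) - 4 == declared}   # header length vs bytes actually seen
    return None

# ---- Stage 3: ETL (extract, verify, clean) -> "complete data" ----------------------------

def etl(records):
    """Extract the text to inspect, verify completeness, clean it.
    Records failing verification are set aside rather than patched up: a bypass copy cannot
    recover bytes it never saw (an assumption of this example, not the patent's wording)."""
    complete, dropped = [], []
    for r in records:
        if r is None or not r["complete"]:
            dropped.append(r)
            continue
        text = r["query"] if r["proto"] == "http" else r["statement"]
        text = unquote_plus(text)                   # undo percent-encoding used to hide quotes
        text = re.sub(r"\s+", " ", text).strip().lower()
        complete.append({**r, "text": text})
    return complete, dropped

# ---- Stage 4: rule matching (hypothetical rule base) --------------------------------------

BASE_RULES = {
    "R1_quote":     re.compile(r"'"),
    "R2_tautology": re.compile(r"\bor\b\s*'?\w+'?\s*=\s*'?\w+'?"),
    "R3_union":     re.compile(r"\bunion\b\s+(all\s+)?select\b"),
}
# A combined rule fires only when all of its base rules hit the same record.
COMBINED_RULES = {"C1_quoted_tautology": ("R1_quote", "R2_tautology")}

def match_rules(record):
    """Return the ids of every base and combined rule that matches the record's text."""
    hits = [rid for rid, rx in BASE_RULES.items() if rx.search(record["text"])]
    hits += [cid for cid, parts in COMBINED_RULES.items() if all(p in hits for p in parts)]
    return hits

def detect(raw_packets):
    """Run the pipeline end to end; return the senders to block and how many records were dropped."""
    complete, dropped = etl(to_structured(p) for p in raw_packets)
    alerts = []
    for rec in complete:
        hits = match_rules(rec)
        if hits:
            alerts.append({"block_src_ip": rec["src_ip"], "proto": rec["proto"], "rules": hits})
    return alerts, len(dropped)

if __name__ == "__main__":
    alerts, dropped = detect(RAW_PACKETS)
    for a in alerts:
        print(f"block {a['block_src_ip']} ({a['proto']}): {', '.join(a['rules'])}")
    print(f"{dropped} incomplete record(s) set aside")
```

The truncated COM_QUERY shows why the embodiments insist on complete data: its length prefix promises nine bytes and the copy carries two, so nothing reliable can be matched against it. The first HTTP request only matches after percent-decoding, which is the cleaning step doing real work; a rule base run on the raw query string would miss it.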
EXAMPLE III
Fig. 3 is a schematic structural diagram of a command injection attack detection apparatus in a third embodiment of the invention. The apparatus may be implemented in software and/or hardware and is generally integrated in a command injection attack detection device, which is configured with a deep packet inspection device, a data integration tool and a rule matching module. The apparatus comprises a traffic data parsing module 310, a packet processing module 320 and a traffic data blocking module 330, where:
the traffic data parsing module 310 is configured to acquire traffic data in real time through the deep packet inspection device of the command injection attack detection device, parse the traffic data and obtain data packets of multiple protocol types, the deep packet inspection device being deployed on a server bypass;
the packet processing module 320 is configured to process each data packet through the data integration tool of the command injection attack detection device, and to obtain and store the complete data matching each data packet;
the traffic data blocking module 330 is configured to match each piece of stored complete data against the command injection attack rules through the rule matching module of the command injection attack detection device and, when target complete data is determined to match a command injection attack rule, to block the traffic data of the data packet sender matching that target complete data and raise a command injection attack alarm.
In this technical scheme the server bypass carries a deep packet inspection device that collects traffic data in real time and parses it into data packets of multiple protocol types; each data packet is completed through the data integration tool to obtain complete data; the complete data is matched against the command injection attack rules through the rule matching module; and on a successful match the traffic data of the data packet sender is blocked and a command injection attack alarm is raised. This addresses the problems of the prior art, in which a database security protection system deployed on the front-end router of the Web application server detects command injection attacks: normal service of the server is affected when that system fails, the system has difficulty inspecting protocol types other than HTTP, and SQL injection detection accuracy is poor because the data forwarded by the router is incomplete. SQL injection attacks are detected and blocked in real time while normal service of the Web application server is preserved, and SQL injection identification accuracy is improved.
On the basis of the foregoing embodiment, the traffic data parsing module 310 comprises:
a traffic data acquisition unit, configured to acquire in real time, through the deep packet inspection device, the traffic data collected, copied and forwarded by the drainage device;
a traffic data parsing unit, configured to perform protocol type analysis on the acquired traffic data through the deep packet inspection device, obtain data packets of multiple protocol types and convert each data packet into structured format data;
the protocol types comprising the Hypertext Transfer Protocol and/or the Structured Query Language protocol.
On the basis of the foregoing embodiment, the drainage device is a network splitter (tap), a firewall or a Layer-3 switch.
On the basis of the foregoing embodiment, the packet processing module 320 comprises:
a complete data acquisition unit, configured to perform data extraction on each piece of structured format data through the data integration tool, verify the data, clean the data according to the verification result and obtain the complete data matching each piece of structured format data;
a format conversion unit, configured to convert each piece of complete data into a standard format for storage.
On the basis of the foregoing embodiment, the traffic data blocking module 330 comprises:
a data matching unit, configured to obtain each piece of stored complete data through the rule matching module, input each piece of complete data into the rule matching model and match it against the command injection attack rules through the rule matching model.
On the basis of the foregoing embodiment, the command injection attack rules comprise the command injection attack rules prestored in a command injection attack rule base, and command injection attack rules formed by associating and/or combining those prestored rules.
On the basis of the foregoing embodiment, the traffic data blocking module 330 further comprises:
a reset connection packet sending unit, configured to send a data blocking instruction to the deep packet inspection device when the rule matching module determines that target complete data matches a command injection attack rule, so that the deep packet inspection device, according to the data blocking instruction, sends a reset connection packet to the data packet sender matching the target complete data and blocks the traffic data of that sender.
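The reset connection packet the unit above asks the deep packet inspection device to send, as an added example that is not part of the patent and not Eversec's code. It builds the TCP RST byte by byte with a valid checksum, wraps it in an IPv4 header for a raw socket, and takes the sequence number from the last segment observed on the connection. That last point is the check a practitioner wants: a bypass device sees only copies of the traffic, so its RST is honoured only if the sequence number lands in the receiver's window (RFC 793; RFC 5961 tightens this to the exact next expected sequence number, otherwise the host answers with a challenge ACK and the connection survives). The patent sends the RST to the sender; the example also builds the matching RST towards the server, a deliberate extension so both ends drop the connection. The observed flow, addresses, ports and sequence numbers are constructed.

```python
import socket
import struct

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum over 16-bit big-endian words (shared by IPv4 and TCP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def tcp_pseudo_header(src_ip, dst_ip, tcp_len):
    """Pseudo header the TCP checksum covers: addresses, zero, protocol, TCP length."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, socket.IPPROTO_TCP, tcp_len))

def build_rst(src_ip, src_port, dst_ip, dst_port, seq):
    """A bare 20-byte TCP header with only RST set (data offset 5, ack and window zero)."""
    hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, 0, 5 << 4, 0x04, 0, 0, 0)
    csum = ones_complement_sum(tcp_pseudo_header(src_ip, dst_ip, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]

def tcp_checksum_ok(src_ip, dst_ip, segment):
    """Receiver-side check: pseudo header + segment (checksum included) must sum to zero."""
    return ones_complement_sum(tcp_pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0

def build_ipv4(src_ip, dst_ip, payload):
    """IPv4 header (no options, DF set, TTL 64) in front of a TCP segment."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64,
                      socket.IPPROTO_TCP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    csum = ones_complement_sum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload

def reset_pair(obs):
    """From the last segment observed from the attacker (client -> server) build:
    - an RST to the attacker, spoofed from the server, seq = the attacker's ACK number;
    - an RST to the server, spoofed from the attacker, seq = attacker's SEQ + payload length.
    Both land exactly on the receiver's RCV.NXT, so they pass the in-window check. These
    observed numbers are all a bypass device has; an out-of-window RST is silently ignored."""
    to_attacker = build_rst(obs["dst_ip"], obs["dst_port"], obs["src_ip"], obs["src_port"], obs["ack"])
    next_seq = (obs["seq"] + obs["payload_len"]) & 0xFFFFFFFF
    to_server = build_rst(obs["src_ip"], obs["src_port"], obs["dst_ip"], obs["dst_port"], next_seq)
    return to_attacker, to_server

def send_raw(src_ip, dst_ip, segment):
    """Emit a spoofed packet from the blocking device (needs CAP_NET_RAW; not run by default)."""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW) as s:
        s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
        s.sendto(build_ipv4(src_ip, dst_ip, segment), (dst_ip, 0))

# Constructed observation: attacker 203.0.113.7:51234 -> web server 192.0.2.10:80 carrying a
# 187-byte request. Addresses and sequence numbers are made up for this example.
OBSERVED = {"src_ip": "203.0.113.7", "src_port": 51234, "dst_ip": "192.0.2.10", "dst_port": 80,
            "seq": 0xDEADBEEF, "ack": 0x01020304, "payload_len": 187}

if __name__ == "__main__":
    to_attacker, to_server = reset_pair(OBSERVED)
    print("RST to attacker:", build_ipv4(OBSERVED["dst_ip"], OBSERVED["src_ip"], to_attacker).hex())
    print("RST to server:  ", build_ipv4(OBSERVED["src_ip"], OBSERVED["dst_ip"], to_server).hex())
```

Because the DPI device only sees the sender's half of the copied traffic reliably, the sender-facing RST is the one whose sequence number (the attacker's own ACK) is known for certain; if the bypass also sees the server's replies, the server-facing RST can be built from them instead of from the attacker's SEQ plus payload length. A reset only stops the current connection; the rule base must keep matching, since the attacker can simply reconnect.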
The command injection attack detection apparatus provided by this embodiment of the invention can execute the command injection attack detection method provided by any embodiment of the invention, and has the functional modules and beneficial effects corresponding to that method.
EXAMPLE IV
Fig. 4 is a schematic structural diagram of a computer device according to a fourth embodiment of the invention. As shown in Fig. 4, the computer device comprises a processor 70, a memory 71, an input device 72 and an output device 73; there may be one or more processors 70, one being shown in Fig. 4 as an example; the processor 70, memory 71, input device 72 and output device 73 may be connected by a bus or by other means, a bus connection being shown in Fig. 4. The computer device is also provided with a DPI device, an ETL tool, a rule matching module and a relational database.
The memory 71 is a computer-readable storage medium that can store software programs, computer-executable programs and modules, such as the modules corresponding to the command injection attack detection method of the embodiments of the invention (for example the traffic data parsing module 310, the packet processing module 320 and the traffic data blocking module 330 of the command injection attack detection apparatus). The processor 70 executes the various functional applications and data processing of the computer device by running the software programs, instructions and modules stored in the memory 71, that is, it implements the command injection attack detection method described above. The method comprises:
acquiring traffic data in real time through a deep packet inspection device of a command injection attack detection device, parsing the traffic data and obtaining data packets of multiple protocol types, wherein the deep packet inspection device is deployed on a server bypass;
processing each data packet through a data integration tool of the command injection attack detection device, and obtaining and storing complete data matching each data packet; and
matching each piece of stored complete data against the command injection attack rules through a rule matching module of the command injection attack detection device and, when target complete data is determined to match a command injection attack rule, blocking the traffic data of the data packet sender matching the target complete data and raising a command injection attack alarm.
The memory 71 may mainly comprise a program storage area and a data storage area: the program storage area may store an operating system and the application program required for at least one function, and the data storage area may store data created during use of the computer device. Further, the memory 71 may comprise high-speed random access memory and may also comprise non-volatile memory, such as at least one magnetic disk storage device, flash memory device or other non-volatile solid-state storage device. In some examples the memory 71 may further comprise memory located remotely from the processor 70 and connected to the computer device over a network; examples of such networks include, but are not limited to, the Internet, intranets, local area networks, mobile communication networks and combinations thereof.
The input device 72 may receive numeric or character input and generate key signal inputs relating to user settings and function control of the computer device. The output device 73 may comprise a display device such as a display screen.
EXAMPLE V
An embodiment of the invention further provides a storage medium containing computer-executable instructions which, when executed by a computer processor, perform a method for detecting a command injection attack, the method comprising:
acquiring traffic data in real time through a deep packet inspection device of a command injection attack detection device, parsing the traffic data and obtaining data packets of multiple protocol types, wherein the deep packet inspection device is deployed on a server bypass;
processing each data packet through a data integration tool of the command injection attack detection device, and obtaining and storing complete data matching each data packet; and
matching each piece of stored complete data against the command injection attack rules through a rule matching module of the command injection attack detection device and, when target complete data is determined to match a command injection attack rule, blocking the traffic data of the data packet sender matching the target complete data and raising a command injection attack alarm.
Of course, the storage medium containing computer-executable instructions provided by the embodiments of the invention is not limited to the method operations described above, and may also perform the related operations of the command injection attack detection method provided by any embodiment of the invention.
From the above description of the embodiments it will be clear to those skilled in the art that the invention can be implemented by software together with the necessary general-purpose hardware, and of course also by hardware alone, though the former is the better embodiment in many cases. On that understanding, the technical solution of the invention may be embodied as a software product stored in a computer-readable storage medium, such as a floppy disk, read-only memory (ROM), random access memory (RAM), flash memory, hard disk or optical disk, comprising several instructions that cause a computer device (which may be a personal computer, a server or a network device) to execute the methods of the embodiments of the invention.
It should be noted that, in the embodiment of the command injection attack detection apparatus, the units and modules comprised in the apparatus are divided only according to functional logic and are not limited to the division above, as long as the corresponding functions can be implemented; in addition, the specific names of the functional units serve only to distinguish them from one another and do not limit the scope of protection of the invention.
It is to be noted that the foregoing describes only preferred embodiments of the invention and the technical principles employed. Those skilled in the art will appreciate that the invention is not limited to the particular embodiments described here, and that various obvious changes, rearrangements and substitutions can be made without departing from the scope of the invention. Therefore, although the invention has been described in some detail through the above embodiments, it is not limited to them and may include other equivalent embodiments without departing from its spirit; the scope of the invention is determined by the appended claims.

Claims (10)

1. A method for detecting a command injection attack, applied to a command injection attack detection device, comprising:
acquiring in real time, through a deep packet inspection device of the command injection attack detection device, traffic data collected, copied and forwarded by a drainage device, parsing the traffic data and obtaining data packets of multiple protocol types, wherein the deep packet inspection device is deployed on a server bypass;
processing each data packet through a data integration tool of the command injection attack detection device, and obtaining and storing complete data matching each data packet, wherein the data integration tool completes the information of invalid data and incomplete data in each data packet to form the complete data; and
matching each piece of stored complete data against command injection attack rules through a rule matching module of the command injection attack detection device and, when target complete data is determined to match a command injection attack rule, blocking the traffic data of the data packet sender matching the target complete data and raising a command injection attack alarm.
2. The method according to claim 1, wherein acquiring in real time, through the deep packet inspection device of the command injection attack detection device, the traffic data collected, copied and forwarded by the drainage device, parsing the traffic data and obtaining data packets of multiple protocol types comprises:
performing protocol type analysis on the acquired traffic data through the deep packet inspection device to obtain data packets of multiple protocol types, and converting each data packet into structured format data;
the protocol types comprising the Hypertext Transfer Protocol and/or the Structured Query Language protocol.
3. The method according to claim 2, wherein the drainage device is a network splitter, a firewall or a Layer-3 switch.
4. The method according to claim 2, wherein processing each data packet through the data integration tool of the command injection attack detection device, and obtaining and storing complete data matching each data packet, comprises:
performing data extraction on each piece of structured format data through the data integration tool, verifying the data, cleaning the data according to the verification result and obtaining the complete data matching each piece of structured format data; and
converting each piece of complete data into a standard format for storage.
5. The method according to claim 1, wherein matching each piece of stored complete data against the command injection attack rules through the rule matching module of the command injection attack detection device comprises:
obtaining each piece of stored complete data through the rule matching module, inputting each piece of complete data into a rule matching model, and matching each piece of complete data against the command injection attack rules through the rule matching model.
6. The method according to claim 5, wherein the command injection attack rules comprise the command injection attack rules prestored in a command injection attack rule base, and command injection attack rules formed by associating and/or combining the prestored command injection attack rules.
7. The method according to claim 1, wherein blocking the traffic data of the data packet sender matching the target complete data when the target complete data is determined to match the command injection attack rule comprises:
if the rule matching module determines that the target complete data matches the command injection attack rule, sending a data blocking instruction to the deep packet inspection device, so that the deep packet inspection device, according to the data blocking instruction, sends a reset connection packet to the data packet sender matching the target complete data to block the traffic data of that sender.
8. A command injection attack detection apparatus, deployed in a command injection attack detection device, comprising:
a traffic data parsing module, configured to acquire in real time, through a deep packet inspection device of the command injection attack detection device, traffic data collected, copied and forwarded by a drainage device, parse the traffic data and obtain data packets of multiple protocol types, wherein the deep packet inspection device is deployed on a server bypass;
a packet processing module, configured to process each data packet through a data integration tool of the command injection attack detection device, and to obtain and store complete data matching each data packet, wherein the data integration tool completes the information of invalid data and incomplete data in each data packet to form the complete data; and
a traffic data blocking module, configured to match each piece of stored complete data against command injection attack rules through a rule matching module of the command injection attack detection device and, when target complete data is determined to match a command injection attack rule, to block the traffic data of the data packet sender matching the target complete data and raise a command injection attack alarm.
9. A computer device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, wherein the computer device comprises a deep packet inspection device, a data integration tool and a rule matching module, and the processor, when executing the program, implements the method for detecting a command injection attack according to any one of claims 1 to 7.
10. A storage medium containing computer-executable instructions which, when executed by a computer processor, perform the method for detecting a command injection attack according to any one of claims 1 to 7.
CN202110035588.4A 2021-01-12 2021-01-12 Method and device for detecting command injection attack, computer equipment and storage medium Active CN112887274B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110035588.4A CN112887274B (en) 2021-01-12 2021-01-12 Method and device for detecting command injection attack, computer equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110035588.4A CN112887274B (en) 2021-01-12 2021-01-12 Method and device for detecting command injection attack, computer equipment and storage medium

Publications (2)

Publication Number Publication Date
CN112887274A CN112887274A (en) 2021-06-01
CN112887274B true CN112887274B (en) 2023-04-14

Family

ID=76044103

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110035588.4A Active CN112887274B (en) 2021-01-12 2021-01-12 Method and device for detecting command injection attack, computer equipment and storage medium

Country Status (1)

Country Link
CN (1) CN112887274B (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113297577A (en) * 2021-06-16 2021-08-24 深信服科技股份有限公司 Request processing method and device, electronic equipment and readable storage medium
CN113660260B (en) * 2021-08-13 2022-12-20 杭州安恒信息技术股份有限公司 Message detection method, system, computer equipment and readable storage medium
CN113992447B (en) * 2021-12-28 2022-03-15 北京未来智安科技有限公司 SQL injection alarm processing method and device
CN115118493B (en) * 2022-06-27 2023-11-10 北京天融信网络安全技术有限公司 Message query method and device, electronic equipment and storage medium
CN114866355B (en) * 2022-07-06 2023-04-28 浙江国利网安科技有限公司 Message flow forwarding method, device and computer equipment
CN115913655A (en) * 2022-10-28 2023-04-04 华中科技大学 Shell command injection detection method based on flow analysis and semantic analysis

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101388763A (en) * 2007-09-12 2009-03-18 北京启明星辰信息技术有限公司 SQL injection attack detection system supporting multiple database types
CN101425937A (en) * 2007-11-02 2009-05-06 北京启明星辰信息技术有限公司 SQL injection attack detection system suitable for high speed LAN environment
CN104135490A (en) * 2014-08-14 2014-11-05 浪潮(北京)电子信息产业有限公司 Intrusion detection system (IDS) analysis method and intrusion detection system
WO2018018699A1 (en) * 2016-07-29 2018-02-01 广州市乐商软件科技有限公司 Website scripting attack prevention method and device
CN107657174A (en) * 2016-07-26 2018-02-02 北京计算机技术及应用研究所 A kind of Database Intrusion Detection method based on agreement fingerprint
CN111371783A (en) * 2020-03-02 2020-07-03 中国建设银行股份有限公司 SQL injection attack detection method, device, equipment and storage medium

Also Published As

Publication number Publication date
CN112887274A (en) 2021-06-01


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB03 Change of inventor or designer information
Inventor after: Hou Tianqi; Liang Yu; Tian Ye; Fu Qiang; Wang Jie; Yang Manzhi; Cai Lin; Jin Hong; Chen Xiaoguang
Inventor before: "Waiting for tianqi" (the earlier name as machine-rendered on the source page); Liang Yu; Tian Ye; Fu Qiang; Wang Jie; Yang Manzhi; Cai Lin; Jin Hong; Chen Xiaoguang
GR01 Patent grant