CN113821791A - Method, system, storage medium and apparatus for detecting SQL injection - Google Patents

Info

Publication number: CN113821791A
Authority: CN (China)
Prior art keywords: request; neural network; SQL injection; network model; sample
Legal status: Granted; Active
Application number: CN202010556544.1A
Other languages: Chinese (zh)
Other versions: CN113821791B (en)
Inventor: 朱建兵
Current Assignee: China Telecom Corp Ltd
Original Assignee: China Telecom Corp Ltd
Application filed by: China Telecom Corp Ltd
Priority to: CN202010556544.1A
Publication of CN113821791A
Application granted; publication of CN113821791B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/04 Architecture, e.g. interconnection topology

Abstract

The present disclosure relates to methods, systems, storage media, and apparatus for detecting SQL injection. A method for detecting SQL injection is provided, comprising: for a first request, determining, based on a first neural network model, whether the first request corresponds to SQL injection, wherein the first request is intercepted if it corresponds to SQL injection and is otherwise passed; preprocessing the first request according to evaluation indexes so as to mark the first request, wherein the marking result reflects whether the first request corresponds to SQL injection; generating a first sample based on the first request and the marking result; updating the current samples with the first sample, and training a neural network with the updated samples to obtain a second neural network model; and for a second request, determining, based on the second neural network model, whether the second request corresponds to SQL injection, wherein the second request is intercepted if it corresponds to SQL injection and is otherwise passed.

Description

Method, system, storage medium and apparatus for detecting SQL injection
Technical Field
The present disclosure relates to computer network security, and more particularly to methods, systems, storage media, and apparatus for detecting SQL injection.
Background
SQL injection refers to the following situation: a web application does not check the validity of user-supplied data, or filters it inadequately, so an attacker can append extra SQL statements to the end of a query statement predefined in the web application and carry out illegal operations without the administrator's knowledge, thereby deceiving the database server into executing arbitrary unauthorized queries and obtaining the corresponding data.
Traditional detection of SQL injection and existing artificial intelligence (AI) detection rely on regular-expression matching or on offline training, and have several disadvantages: 1) High learning cost for users: traditional detection involves a large number of regular expressions with complex syntax, and complex attacks require many regular expressions to be written. 2) High false-positive and false-negative rates: once an attacker is familiar with SQL injection detection based on regular-expression matching, the attacker can encode SQL attack statements using SQL bypass methods, or evade the regular expressions in the rule base by escaping special symbols and the like, so that many attack statements go unreported; conversely, if the detection rules are tightened too far, many false positives occur, which greatly reduces the working efficiency of enterprise staff. 3) Poor adaptability: existing offline AI detection trains the detection model offline on historical samples and cannot match well a new SQL injection attack method (for example, one that does not appear in the historical sample library), which results in a large number of false and missed reports.
Disclosure of Invention
The following presents a simplified summary of the disclosure in order to provide a basic understanding of some aspects of the disclosure. However, it should be understood that this summary is not an exhaustive overview of the disclosure. It is not intended to identify key or critical elements of the disclosure or to delineate the scope of the disclosure. Its sole purpose is to present some concepts of the disclosure in a simplified form as a prelude to the more detailed description that is presented later.
According to an aspect of the present disclosure, there is provided a method for detecting SQL injection, comprising: for a first request, determining, based on a first neural network model, whether the first request corresponds to SQL injection, wherein the first request is intercepted if it corresponds to SQL injection and is otherwise passed; preprocessing the first request according to evaluation indexes so as to mark the first request, wherein the marking result reflects whether the first request corresponds to SQL injection; generating a first sample based on the first request and the marking result; updating the current samples with the first sample, and training a neural network with the updated samples to obtain a second neural network model; and for a second request, determining, based on the second neural network model, whether the second request corresponds to SQL injection, wherein the second request is intercepted if it corresponds to SQL injection and is otherwise passed.
According to one embodiment, the method further comprises performing word segmentation on the first request and extracting a text vector from the segmented request using the Word2Vec tool.
According to an embodiment, in the above method, the evaluation indexes include at least one of: the number of occurrences of the same special character, the number of kinds of different special characters that occur, the number of occurrences of the same sensitive field, the number of kinds of different sensitive fields that occur, the number of accesses to a sensitive data table, or the number of occurrences of the Internet Protocol (IP) address of the user's request.
According to one embodiment, in the above method, the preprocessing comprises: obtaining a score for the first request according to the evaluation indexes; weighting and quantizing the scores according to preset weights, and normalizing the result to a value in the interval [0,1]; and mapping the obtained interval value to 0 or 1 according to a preset rule, as the marking result of the first request, wherein a mark of 0 indicates that the first request is not SQL injection and a mark of 1 indicates that the first request is SQL injection.
According to one embodiment, in the above method, training the neural network with the updated samples to obtain the second neural network model comprises: obtaining the parameters of the first neural network model; inputting a request contained in the updated samples to the input layer of the current neural network, and supplying the marking result of that request to the ideal output unit of the current neural network; calculating the output of the output layer of the current neural network; calculating the deviation between the marking result and the actual output of the current neural network; updating the weights of the current neural network according to the deviation; and determining whether the updated current neural network model meets the requirements, and if so, taking the updated current neural network model as the second neural network model, and if not, returning to continue iterating until the requirements are met.
According to one embodiment, in the above method, for the first request, if the output result output by the first neural network model is different from the labeling result obtained after preprocessing according to the evaluation index, the first sample is given a weight larger than the other samples when the neural network is trained to obtain the second neural network model.
According to one embodiment, in the above method, updating the current sample with the first sample includes deleting a portion of the historical samples and adding the first sample when the number of current samples reaches a predetermined threshold.
According to another aspect of the present disclosure, a system for detecting SQL injection is provided, which may include at least one processor and a memory having stored therein executable instructions that, when executed by the at least one processor, implement the method of the present disclosure.
According to another aspect of the present disclosure, there is provided a non-transitory computer-readable storage medium having stored thereon executable instructions that, when executed by a processor, cause the processor to perform the method of the present disclosure.
According to another aspect of the present disclosure, an apparatus for detecting SQL injection is provided, which may include means for performing operations according to a method of the present disclosure.
According to one or more embodiments of the present disclosure, by preprocessing requests in real time according to the evaluation indexes, the simulation system can obtain new samples in real time to dynamically update the current sample library, and the neural network model used for subsequent SQL injection detection can be retrained and updated in near real time, so that detection is based on the latest neural network model. In this case, complicated rules need not be written by hand and samples need not be selected or marked by hand, which greatly reduces labor cost. In addition, the method can automatically acquire samples of unknown attacks and automatically optimize and update the neural network model to make it more efficient and accurate, so that the accuracy and efficiency of detecting unknown attacks can be greatly improved.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments of the disclosure and together with the description, serve to explain the principles of the disclosure. The present disclosure may be more clearly understood from the following detailed description with reference to the accompanying drawings, in which:
FIG. 1 is a schematic diagram illustrating a method for detecting SQL injection according to an embodiment of the disclosure;
FIG. 2 is a schematic diagram illustrating a method for generating a sample by preprocessing a request according to an embodiment of the present disclosure;
FIG. 3 is a schematic diagram illustrating a method for training a neural network, in accordance with an embodiment of the present disclosure; and
FIG. 4 is a schematic diagram illustrating a system for detecting SQL injection according to an embodiment of the disclosure.
Detailed Description
Various exemplary embodiments of the present disclosure will now be described in detail with reference to the accompanying drawings. It should be noted that: the relative arrangement of the components and steps, the numerical expressions, and numerical values set forth in these embodiments do not limit the scope of the present disclosure unless specifically stated otherwise. The following description of at least one exemplary embodiment is merely illustrative in nature and is in no way intended to limit the disclosure, its application, or uses. In all examples shown and discussed herein, any particular value should be construed as merely illustrative, and not limiting. Thus, other examples of the exemplary embodiments may have different values. Techniques, methods, and apparatus known to those of ordinary skill in the relevant art may not be discussed in detail but are intended to be part of the specification where appropriate.
It should be noted that like reference numerals and letters refer to like items in the following figures, and thus, once an item is defined in one figure, further discussion thereof is not required in subsequent figures.
Fig. 1 is a schematic diagram illustrating a method 100 for detecting SQL injection according to an embodiment of the disclosure.
In some embodiments, the method 100 may include obtaining a first request in operation 101. In some embodiments, the first request may be a user-entered request. In some embodiments, the first request may be a request obtained by information filtering based on data of a current web system in a simulation system modeled according to a real environment.
In some embodiments, the method 100 may further include tokenizing the first request and extracting a text vector from the tokenized request using the Word2Vec tool. Word2Vec is a tool open-sourced by Google for converting natural-language text into feature vectors that a computer can process.
In some embodiments, the method 100 may further include determining whether the first request corresponds to SQL injection based on a first neural network model in operation 102. For example, the feature vector corresponding to the first request is input to the input layer of the first neural network model, and the corresponding output, for example, 0 or 1, is obtained. In some embodiments, where the first request corresponds to SQL injection (e.g., when the respective output is 1), in operation 103, the first request is intercepted; otherwise (e.g., when the corresponding output is 0), proceed to operation 104, at which point the first request is passed.
In some embodiments, the method 100 may further include, in operation 105, preprocessing the first request according to the evaluation indexes to mark the first request, the marking result reflecting whether the first request corresponds to SQL injection. In some embodiments, the evaluation indexes may include, but are not limited to, at least one of: the number of times the same special character occurs, the number of kinds of different special characters that occur, the number of times the same sensitive field occurs, the number of kinds of different sensitive fields that occur, the number of times a sensitive data table is accessed, or the number of times the IP address of the user's request occurs.
In some embodiments, the method 100 may further include generating a first sample based on the first request and the tagging result in operation 106. The detailed process of generating the sample by preprocessing the request is described further below in conjunction with fig. 2.
In some embodiments, the method 100 may further include, in operation 107, updating the current samples with the first sample and training the neural network with the updated samples to obtain a second neural network model. In some embodiments, updating the current samples with the first sample may further include, when the number of current samples reaches a predetermined threshold (e.g., 100,000), deleting a portion of the historical samples (e.g., the oldest portion) and adding the first sample.
In some embodiments, the method 100 may further include, for the first request, if the output result (e.g., the output at operation 102) output by the first neural network model is different from the labeling result (e.g., the labeling result obtained at operation 105) obtained after preprocessing according to the evaluation index, weighting the first sample more than other samples when training the neural network to obtain the second neural network model (e.g., at operation 107). For example, the neural network may be trained using only samples whose output results differ from the labeled results, or using relatively more samples whose results differ and relatively fewer samples whose results are the same. In the embodiment of the disclosure, the evaluation index can more accurately reflect whether the request corresponds to SQL injection. Therefore, for a specific request, the output result output by the current neural network model is different from the marking result obtained after preprocessing according to the evaluation index, which means that the neural network model is relatively old, and the judgment of SQL injection is biased. In this case, in training of the neural network model, a larger weight is given to the sample based on the specific request, which helps correct the bias of the neural network model.
The detailed process of training the neural network is described further below in conjunction with fig. 3. In some embodiments, training the neural network with the updated samples may be completed within several milliseconds, so that the neural network model is updated in near real time. Thereafter, the updated neural network model can be used to detect SQL injection in subsequent requests. For example, for the second request that immediately follows, SQL injection may be detected with the updated second neural network model in a manner similar to operations 101-104.
Specifically, in operation 101, a second request is obtained. The second request may be the request immediately following the first request, or a request within a short time interval (e.g., within milliseconds or seconds) of the first request. In operation 102, it is determined whether the second request corresponds to SQL injection based on the second neural network model. For example, the feature vector corresponding to the second request is input to the input layer of the second neural network model, and a corresponding output, such as 0 or 1, is obtained. In the case where the second request corresponds to SQL injection (e.g., when the corresponding output is 1), the second request is intercepted in operation 103; otherwise (e.g., when the corresponding output is 0), the method proceeds to operation 104, at which point the second request is passed.
Because the samples are continuously and dynamically updated from incoming requests and the neural network model is updated in near real time, the model is more efficient and accurate when it is used for the SQL injection detection that immediately follows, unknown attacks can be identified promptly, and detection accuracy and efficiency are improved. For the second request, marking and forming a new sample may be performed as in operations 105 through 107 in order to train the neural network model further.
The detailed process of generating a sample by preprocessing a request described in operations 105 and 106 in fig. 1 is further described below in conjunction with fig. 2. Fig. 2 is a schematic diagram illustrating a method 200 for generating a sample by preprocessing a request according to an embodiment of the present disclosure.
In some embodiments, the method 200 may include, in operation 201, obtaining a score for the first request based on the evaluation indexes. As described above, in some embodiments, the evaluation indexes may include, but are not limited to, at least one of: the number of times the same special character occurs, the number of kinds of different special characters that occur, the number of times the same sensitive field (e.g., union or order by) occurs, the number of kinds of different sensitive fields that occur, the number of times a sensitive data table (e.g., a user table such as user or an administrator table such as admin) is accessed, or the number of times the Internet Protocol (IP) address of the user's request occurs. For example, the more often the same special character occurs, or the more kinds of special characters occur, per unit time, the higher the score of the first request; the more often the same sensitive field occurs, or the more kinds of sensitive fields occur, per unit time, the higher the score of the first request; the more often a sensitive data table is accessed per unit time, the higher the score of the first request; and the more often the requesting IP address occurs per unit time, the higher the score of requests from that IP address. When a user sends a request to access the web system, the corresponding firewall (e.g., ModSecurity) or middleware (e.g., nginx) generates log data, and the IP address of the user's request can be obtained from the user access IP in that log data.
In some embodiments, the method 200 may include, in operation 202, weighting and quantizing the scores according to predetermined weights and normalizing the result to a value in the interval [0,1]. For example, when the IP address of the user's request has a large influence on determining whether a request is SQL injection, that index may be given a higher weight.
In some embodiments, the method 200 may include, in operation 203, mapping the obtained interval value to 0 or 1 according to a predetermined rule, as the marking result of the first request. In some embodiments, a mark of 0 indicates that the first request is not SQL injection and a mark of 1 indicates that the first request is SQL injection. In still other embodiments, a mark of 1 indicates that the first request is not SQL injection and a mark of 0 indicates that the first request is SQL injection. In some embodiments, the predetermined rule may be to determine whether the obtained interval value is greater than or equal to a certain threshold (e.g., 0.6). In an embodiment where a mark of 0 indicates that the request is not SQL injection, for example, if request A has a weighted quantized score of 80 points and a normalized interval value of 0.8, and request B has a weighted quantized score of 10 points and a normalized interval value of 0.1, the marking result for request A may be 1 and the marking result for request B may be 0.
In some embodiments, the first sample may be generated based on the first request and its corresponding tagged result. In some embodiments, the generated first sample may also be modified to some extent with the historical samples.
In the simulation system, when a request is preprocessed, evaluation indexes are set according to the characteristics and problems of SQL injection encountered in the real environment: the number of times the same special character occurs, the number of kinds of different special characters, the number of times the same sensitive field occurs, the number of kinds or total count of different sensitive fields, the number of accesses to sensitive data tables, the number of times the requesting IP address occurs, and so on. With these indexes, requests can be marked dynamically and new samples obtained in real time, so that training and updating of the neural network model are more timely and efficient. In addition, compared with a real environment, the simulation system can simulate a variety of scenarios to obtain rich sample results, and simulation is relatively fast, which increases the diversity of the samples.
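Operations 201 to 203 can be sketched as follows; this is an added example, not code from the patent. The character list, keyword patterns, weights, saturation caps and 60-second window are assumptions chosen for illustration, while the 0.6 threshold and the user/admin table names are the page's own examples. The source IP is read from constructed nginx-style access-log lines.

```python
import re
from collections import deque
from datetime import datetime
from urllib.parse import unquote_plus, urlsplit

# Assumed concrete values: the patent names the index categories, not these lists.
SPECIAL_CHARS = "'\";#()*-"
SENSITIVE_FIELDS = {
    "union": r"\bunion\b",
    "select": r"\bselect\b",
    "order by": r"\border\s+by\b",
    "sleep": r"\bsleep\b",
}
# "user" and "admin" are the sensitive tables the page mentions as examples.
TABLE_ACCESS = re.compile(r"\b(?:from|join|into|update)\s+(?:user|admin)\w*", re.I)
# Assumed weights (summing to 1) and the raw value at which each index saturates.
WEIGHTS = {"same_char": 0.10, "char_kinds": 0.20, "same_field": 0.10,
           "field_kinds": 0.30, "table_hits": 0.20, "ip_hits": 0.10}
CAPS = {"same_char": 3, "char_kinds": 3, "same_field": 2,
        "field_kinds": 2, "table_hits": 1, "ip_hits": 20}
THRESHOLD = 0.6       # example threshold given on the page
WINDOW_SECONDS = 60   # assumed length of the "unit time"

# nginx-style access-log line: client IP, timestamp, request target.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*"')

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '198.51.100.20 - - [17/Jun/2020:10:00:01 +0800] '
    '"GET /items?id=42&sort=name HTTP/1.1" 200 512',
    '198.51.100.20 - - [17/Jun/2020:10:00:05 +0800] '
    '"GET /people?name=O%27Brien&date=2020-06-17 HTTP/1.1" 200 733',
    '203.0.113.7 - - [17/Jun/2020:10:00:09 +0800] '
    '"GET /items?id=1%27+UNION+SELECT+name%2Cpass+FROM+admin--+ HTTP/1.1" 200 98',
]


class AutoLabeller:
    def __init__(self):
        self._recent = deque()  # (timestamp, ip) of requests inside the window

    def indices(self, text, ip, now):
        """Operation 201: raw evaluation-index values for one decoded request."""
        self._recent.append((now, ip))
        while self._recent and self._recent[0][0] <= now - WINDOW_SECONDS:
            self._recent.popleft()
        char_counts = {c: text.count(c) for c in SPECIAL_CHARS if c in text}
        field_counts = {}
        for name, pattern in SENSITIVE_FIELDS.items():
            hits = len(re.findall(pattern, text, re.I))
            if hits:
                field_counts[name] = hits
        return {
            "same_char": max(char_counts.values(), default=0),
            "char_kinds": len(char_counts),
            "same_field": max(field_counts.values(), default=0),
            "field_kinds": len(field_counts),
            "table_hits": len(TABLE_ACCESS.findall(text)),
            "ip_hits": sum(1 for _, seen in self._recent if seen == ip),
        }

    def label(self, raw_query, ip, now):
        """Operations 201-203: returns (points, interval_value, mark)."""
        idx = self.indices(unquote_plus(raw_query), ip, now)
        # Operation 202: cap each index, weight it, express the total as 0..100 points.
        points = 100 * sum(WEIGHTS[k] * min(v, CAPS[k]) / CAPS[k]
                           for k, v in idx.items())
        value = points / 100  # normalised to [0, 1]
        # Operation 203: threshold the interval value into a 0/1 mark.
        return round(points, 1), round(value, 3), int(value >= THRESHOLD)

    def label_log_line(self, line):
        """Pull IP, time and query string out of one access-log line and label it."""
        m = LOG_LINE.match(line)
        if not m:
            return None
        ip, stamp, target = m.groups()
        now = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z").timestamp()
        return self.label(urlsplit(target).query, ip, now)


def label_sample_log():
    labeller = AutoLabeller()
    return [labeller.label_log_line(line) for line in SAMPLE_LOG]


if __name__ == "__main__":
    for line, result in zip(SAMPLE_LOG, label_sample_log()):
        print(result, line.split('"')[1])
```

The second sample line (an apostrophe in a surname plus a hyphenated date) scores well below the threshold, which shows why the special-character indexes need caps and low weights if the automatic marks are to be trusted as training labels.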
The detailed process of training the neural network described in operation 107 in fig. 1 is further described below in conjunction with fig. 3. Fig. 3 is a schematic diagram illustrating a method 300 for training a neural network, in accordance with an embodiment of the present disclosure.
In some embodiments, the method 300 may include obtaining parameters of the first neural network model as initial parameters of the current neural network model in operation 301.
In some embodiments, the method 300 may include inputting the request included in the updated sample (e.g., obtained in operation 107) to an input layer of the current neural network and outputting a marking result of the included request to an ideal output unit of the current neural network in operation 302. For example, when the marking result of the first request is 1, the first request may be input to the input layer and 1 may be output to the ideal output unit.
In some embodiments, the method 300 may include calculating an output of an output layer of the current neural network in operation 303. For example, for the first request, the current neural network actual output may be 0.8.
In some embodiments, the method 300 may include calculating a deviation between the labeling result and an actual output of the current neural network in operation 304. For example, for the first request, the deviation between the tagged result 1 and the actual output 0.8 is 0.2.
In some embodiments, the method 300 may include updating the connections of the current neural network or their weights according to the deviation in operation 305.
In some embodiments, the method 300 may include determining whether the updated current neural network model satisfies the requirements in operation 306. In some embodiments, the requirement may be a predetermined condition that needs to be met, such as the detection accuracy of the neural network model, the robustness of the neural network model, and the like. If so, the method proceeds to operation 307 and the current neural network model is taken as the second neural network model; if not, the method returns to operation 301, takes the parameters of the neural network updated in operation 305 as the parameters of the current neural network model, and continues to iterate operations 302-306 until the requirements are met.
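The sample update of operation 107, the disagreement weighting and the training loop of operations 301 to 307 fit together as in the following added sketch, which is not code from the patent. A single sigmoid unit stands in for the neural network, and the four-element feature vectors, learning rate, disagreement weight, accuracy requirement and six-sample window are assumptions for illustration (the page's example window is 100,000 samples); the marks passed to `observe` are assumed to come from the evaluation-index preprocessing.

```python
import math
from collections import deque

MAX_SAMPLES = 6          # tiny window for the demo; the page's example is 100,000
DISAGREE_WEIGHT = 5.0    # assumed extra weight when model output and mark differ
LEARNING_RATE = 0.5      # assumed
REQUIRED_ACCURACY = 1.0  # assumed form of "the requirement" checked in operation 306
MAX_EPOCHS = 500         # safety bound on the iteration


def output(params, x):
    """Actual output of the (single-unit) network for feature vector x."""
    weights, bias = params
    return 1.0 / (1.0 + math.exp(-(bias + sum(w * v for w, v in zip(weights, x)))))


def verdict(params, x):
    """1 = intercept as SQL injection, 0 = pass."""
    return int(output(params, x) >= 0.5)


def accuracy(params, samples):
    return sum(verdict(params, x) == y for x, y, _ in samples) / len(samples)


def train(params, samples):
    weights, bias = list(params[0]), params[1]                 # operation 301
    for _ in range(MAX_EPOCHS):
        for x, target, sample_weight in samples:               # operation 302
            actual = output((weights, bias), x)                # operation 303
            deviation = target - actual                        # operation 304
            step = LEARNING_RATE * sample_weight * deviation
            weights = [w + step * v for w, v in zip(weights, x)]   # operation 305
            bias += step
        if accuracy((weights, bias), samples) >= REQUIRED_ACCURACY:  # operation 306
            break
    return weights, bias                                       # operation 307


class OnlineDetector:
    def __init__(self, params, samples):
        self.params = params
        self.samples = deque(samples)   # (features, mark, training weight)

    def observe(self, x, mark):
        """Judge x with the current model, then fold (x, mark) into the samples."""
        decision = verdict(self.params, x)                     # operations 102-104
        weight = DISAGREE_WEIGHT if decision != mark else 1.0
        if len(self.samples) >= MAX_SAMPLES:
            self.samples.popleft()                             # drop the oldest sample
        self.samples.append((x, mark, weight))
        self.params = train(self.params, self.samples)         # operation 107
        return decision


# Constructed features: [has_quote, has_union_or_select, has_comment, has_time_function]
FIRST_MODEL = ([-1.0, 4.0, 1.0, 0.0], -2.0)   # hand-set "first neural network model"
HISTORY = [([1, 1, 1, 0], 1, 1.0), ([1, 1, 0, 0], 1, 1.0),
           ([0, 0, 0, 0], 0, 1.0), ([1, 0, 0, 0], 0, 1.0)]
UNSEEN_PATTERN = [0, 0, 0, 1]                 # a pattern absent from the history


def demo():
    detector = OnlineDetector(FIRST_MODEL, HISTORY)
    first = detector.observe(UNSEEN_PATTERN, 1)    # judged by the first model
    second = detector.observe(UNSEEN_PATTERN, 1)   # judged by the second model
    return first, second, detector


if __name__ == "__main__":
    first, second, _ = demo()
    print("first request verdict:", first, "| second request verdict:", second)
```

Because the automatic marks are fed straight back into training, an error in the marking step is learned rather than corrected, so the disagreement weight and the window size are the parameters to review first when tuning a loop like this.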
Figure 4 is a schematic diagram illustrating a system 400 for detecting SQL injection according to an embodiment of the disclosure.
In some embodiments, the system 400 may include at least one processor 401 and memory 402.
The processor 401 provides various functions of the system 400 for detecting SQL injections. In some embodiments, the processor 401 is configured to perform the methods of the present disclosure. The processor 401 may be any processor such as a microprocessor, digital signal processor, microcontroller, multi-core processor, special purpose processor, interface for communication, or the like. Processor 401 may execute various program instructions stored in memory 402 to perform corresponding operations.
In some embodiments, memory 402 has stored therein executable instructions that when executed by processor 401 implement the functionality of the present disclosure. The memory 402 may be any of various types of memory or storage devices. For example, memory 402 may include mounting media (e.g., CD-ROM, floppy disk, or tape devices), random access memory (such as DRAM, DDR RAM, SRAM, EDO RAM, Rambus RAM, etc.), non-volatile memory (such as flash memory, magnetic media, or optical storage), registers, or other similar types of memory elements, and so forth. The memory 402 may also include other types of memory or combinations thereof. In embodiments of the present disclosure, the memory 402 may store program instructions (e.g., instructions for performing corresponding operations) to implement methods in accordance with embodiments of the present disclosure in software, hardware, or a combination of software and hardware.
All of the features disclosed in this specification, or all of the steps in any method or process so disclosed, may be combined in any combination, except combinations of features and/or steps that are mutually exclusive.
Aspects of the present disclosure may take the form of an entirely hardware embodiment, an entirely software embodiment (including firmware, resident software, micro-code, etc.) or an embodiment combining software and hardware aspects, all of which may be referred to herein generally as a "circuit," "module" or "system." Any combination of one or more computer-readable storage media may be used. The computer readable storage medium may be a computer readable signal medium or a computer readable storage medium.
A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
The present disclosure, in various embodiments, configurations, and aspects, includes components, methods, processes, systems and/or apparatus substantially as depicted and described herein, including various embodiments, subcombinations, and subsets thereof. Those of skill in the art will understand how to make and use the systems and methods disclosed herein after understanding the present disclosure. In various embodiments, configurations, and aspects, the disclosure includes providing apparatuses and processes in the absence of items not depicted and/or described herein or in various embodiments, configurations, or aspects hereof, including in the absence of items that may have been used in previous apparatuses or processes, e.g., for improving performance, achieving ease and/or reducing cost of implementation.
Any feature disclosed in this specification (including any accompanying claims, abstract) may be replaced by alternative features serving equivalent or similar purposes, unless expressly stated otherwise. That is, unless expressly stated otherwise, each feature is only an example of a generic series of equivalent or similar features.
Moreover, although the description of the present disclosure has included description of one or more embodiments, configurations, or aspects, certain variations and modifications, other variations, combinations, and modifications are within the scope of the disclosure, e.g., as may be within the skill and knowledge of those in the art, after understanding the present disclosure. The present disclosure is intended to obtain rights which include alternative embodiments, configurations, or aspects to the extent permitted, including alternate, interchangeable and/or equivalent structures, functions, ranges or steps to those claimed, whether or not such alternate, interchangeable and/or equivalent structures, functions, ranges or steps are specifically set forth herein. Nothing herein is intended to publicly dedicate any patentable technical solution.

Claims (10)

1. A method for detecting SQL injection, comprising:
for a first request, judging whether the first request corresponds to SQL injection or not based on a first neural network model, wherein the first request is intercepted under the condition that the first request corresponds to the SQL injection, otherwise, the first request is passed;
preprocessing the first request according to the evaluation index so as to mark the first request, wherein the marking result reflects whether the first request corresponds to SQL injection or not;
generating a first sample based on the first request and the marking result;
updating the current sample by using the first sample, and training a neural network by using the updated sample to obtain a second neural network model; and
for the second request, judging whether the second request corresponds to SQL injection or not based on the second neural network model, wherein the second request is intercepted under the condition that the second request corresponds to the SQL injection, and otherwise, the second request is passed through.
2. The method of claim 1, further comprising tokenizing the first request and extracting a text vector from the tokenized request using a Word2Vec tool.
3. The method of claim 1, wherein the evaluation index comprises at least one of: the number of times the same special character appears, the type of appearance of different special characters, the number of times the same sensitive field appears, the type of appearance of different sensitive fields, the number of times the sensitive data table is accessed, or the number of times the internet protocol IP address requested by the user appears.
4. The method of claim 1, wherein the pre-processing comprises:
obtaining a score of the first request according to the evaluation index;
weighting and quantizing the scores according to preset weight, and normalizing to obtain a [0,1] interval value;
and mapping the obtained interval value to be 0 or 1 according to a preset rule to serve as a marking result of the first request, wherein the marking 0 indicates that the first request is not SQL injection, and the marking 1 indicates that the first request is SQL injection.
5. The method of claim 1, wherein training the neural network with the updated samples to obtain a second neural network model comprises:
obtaining parameters of a first neural network model;
inputting the request contained in the updated sample to an input layer of the current neural network, and outputting a marking result of the contained request to an ideal output unit of the current neural network;
calculating the output of the output layer of the current neural network;
calculating the deviation between the marking result and the actual output of the current neural network;
updating the weight of the current neural network according to the deviation; and
judging whether the updated current neural network model meets the requirements, if so, taking the updated current neural network model as a second neural network model, and if not, returning to continue iteration until the requirements are met.
6. The method of claim 1, wherein, for the first request, if an output result output by the first neural network model is different from a labeling result obtained after preprocessing according to the evaluation index, the first sample is given a weight larger than other samples when training the neural network to obtain the second neural network model.
7. The method of claim 1, wherein updating the current sample with the first sample comprises: when the number of current samples reaches a predetermined threshold, a portion of the historical samples are deleted and the first sample is added.
8. A system for detecting SQL injection, the system comprising:
at least one processor; and
a memory having stored therein executable instructions that, when executed by the at least one processor, implement the method of any one of claims 1-7.
9. A non-transitory computer readable storage medium having stored thereon executable instructions that, when executed by a processor, perform the method of any one of claims 1-7.
10. An apparatus for detecting SQL injection, the apparatus comprising means for performing operations of the method of any of claims 1-7.
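The marking and sample-maintenance steps of claims 3, 4, 6 and 7, as an added illustration that is not part of the patent and not the applicant's implementation. It covers only the four evaluation indices that can be read from a single request string; the character set, field list, weights, caps, threshold, deletion count and boost factor are assumptions, since the claims leave them as "preset" values.

```python
import re
from collections import deque

# Assumed values: the claims name the index types but give no character set,
# field list, weights, caps or mapping rule.
SPECIAL = "'\";#-()*"
SENSITIVE = {"union", "select", "drop", "sleep", "password", "information_schema"}
WEIGHTS = {"char_count": 0.2, "char_kinds": 0.3, "field_count": 0.2, "field_kinds": 0.3}
CAPS = {"char_count": 8, "char_kinds": 4, "field_count": 4, "field_kinds": 3}
THRESHOLD = 0.5

def indices(request):
    """Claim 3: occurrences and distinct kinds of special characters and sensitive fields."""
    text = request.lower()
    chars = [c for c in text if c in SPECIAL]
    fields = [w for w in re.findall(r"[a-z_]+", text) if w in SENSITIVE]
    return {"char_count": len(chars), "char_kinds": len(set(chars)),
            "field_count": len(fields), "field_kinds": len(set(fields))}

def score(request):
    """Claim 4: weight each capped index and normalise the sum into [0, 1]."""
    idx = indices(request)
    total = sum(WEIGHTS[k] * min(idx[k], CAPS[k]) / CAPS[k] for k in WEIGHTS)
    return min(1.0, total)

def label(request):
    """Claim 4: map the interval value to 0 (not SQL injection) or 1 (SQL injection)."""
    return 1 if score(request) >= THRESHOLD else 0

class SampleBuffer:
    """Claims 6 and 7: bounded sample set, heavier weight where model and label disagree."""
    def __init__(self, limit, drop=1, boost=3.0):
        self.limit, self.drop, self.boost = limit, drop, boost
        self.samples = deque()

    def add(self, request, model_output):
        marked = label(request)
        if len(self.samples) >= self.limit:          # claim 7: threshold reached
            for _ in range(min(self.drop, len(self.samples))):
                self.samples.popleft()               # delete the oldest samples
        weight = self.boost if marked != model_output else 1.0   # claim 6
        self.samples.append((request, marked, weight))
        return marked, weight

# Constructed sample requests, not taken from the patent.
BENIGN = "id=42&name=alice"
SUSPECT = "id=1 UNION SELECT password FROM users--"
```

The (request, mark, weight) tuples held in `SampleBuffer.samples` are what the retraining step of claim 5 would consume; a request the first model passed but the indices mark as injection enters with the boosted weight.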
CN202010556544.1A 2020-06-18 2020-06-18 Method, system, storage medium and device for detecting SQL injection Active CN113821791B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010556544.1A CN113821791B (en) 2020-06-18 2020-06-18 Method, system, storage medium and device for detecting SQL injection

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010556544.1A CN113821791B (en) 2020-06-18 2020-06-18 Method, system, storage medium and device for detecting SQL injection

Publications (2)

Publication Number Publication Date
CN113821791A (en) 2021-12-21
CN113821791B (en) 2024-07-12

Family

ID=78924378

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010556544.1A Active CN113821791B (en) 2020-06-18 2020-06-18 Method, system, storage medium and device for detecting SQL injection

Country Status (1)

Country Link
CN (1) CN113821791B (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103744802A (en) * 2013-12-20 2014-04-23 北京奇虎科技有限公司 Method and device for identifying SQL injection attacks
CN106295338A (en) * 2016-07-26 2017-01-04 北京工业大学 A kind of SQL leak detection method based on artificial neural network
CN108667816A (en) * 2018-04-19 2018-10-16 重庆邮电大学 A kind of the detection localization method and system of Network Abnormal
US20190108432A1 (en) * 2017-10-05 2019-04-11 Salesforce.Com, Inc. Convolutional neural network (cnn)-based anomaly detection
CN109670307A (en) * 2018-12-04 2019-04-23 成都知道创宇信息技术有限公司 A kind of SQL injection recognition methods based on CNN and massive logs
CN109960934A (en) * 2019-03-25 2019-07-02 西安电子科技大学 A kind of malicious requests detection method based on CNN
CN110245721A (en) * 2019-06-25 2019-09-17 深圳市腾讯计算机系统有限公司 Training method, device and the electronic equipment of neural network model
CN110427754A (en) * 2019-08-12 2019-11-08 腾讯科技(深圳)有限公司 Network application attack detection method, device, equipment and storage medium

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
谢鑫;任春辉;陈新宇;: "基于CNN的SQL注入检测", 计算机与网络, no. 03, 12 February 2020 (2020-02-12), pages 69 - 71 *

Also Published As

Publication number Publication date
CN113821791B (en) 2024-07-12

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant