CN115549990A - SQL injection detection method and related equipment - Google Patents

Info

Publication number: CN115549990A
Authority: CN (China)
Prior art keywords: information, target, sql injection, target request, current
Legal status: Granted, Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN202211135641.9A
Other languages: Chinese (zh)
Other versions: CN115549990B (en)
Inventors: 严文涛, 甘安兴
Current Assignee: Wuhan Sipuling Technology Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Wuhan Sipuling Technology Co Ltd
Events: application filed by Wuhan Sipuling Technology Co Ltd; priority to CN202211135641.9A; publication of CN115549990A; application granted; publication of CN115549990B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention provides an SQL injection detection method, which comprises the following steps: acquiring historical message information of a target request; acquiring historical field information of the historical message information based on the historical message information; acquiring current message information of the target request; in the case that the current message information includes the historical field, determining current state information of the target request according to the historical field information and the current target field information associated with the historical field in the current message information; and in the case that the current state of the target request is a normal request, determining that SQL injection has not occurred in the target request. Historical field information is thus obtained by analyzing the historical traffic of the target request, the current message and the historical message are matched on the same fields to determine the current state of the target request, and detection is carried out based on that state information, which reduces the performance loss of the system, lowers the missing report rate and the false report rate, and improves the quality of SQL injection detection.

Description

SQL injection detection method and related equipment
Technical Field
The invention relates to the technical field of network security, in particular to a Structured Query Language (SQL) injection detection method and related equipment.
Background
Through an SQL injection attack, a series of malicious operations can be carried out, such as acquiring sensitive information from a database, exporting important files and adding database users, and even the highest privileges of the database and of system users can be obtained. High-quality detection of SQL injection against database systems is therefore an urgent problem in the technical field of network security.
Current SQL injection detection is implemented in a web application firewall (WAF) by performing keyword matching, regular expression matching and syntax rule matching on fields submitted by a user, such as data, cookies and the referer. However, keyword matching checks only simple content, so it easily produces false alarms and missed reports, and it is easily bypassed by changing the statement; regular expression matching executes inefficiently and has a high missing report rate because complex SQL injection is difficult to recognize; and the false alarm rate and missing report rate of syntax rule matching depend directly on how the rule set is configured, which also adds to the workload of network security managers. The existing SQL injection detection methods therefore suffer from low-quality detection results, a high false alarm rate and a high missing report rate, which increases the security risks of the network.
Disclosure of Invention
The invention provides an SQL injection detection method, which aims to solve the problems of low detection result quality, high false alarm rate and high missing report rate in existing SQL injection detection methods, and the resulting increase in network security risks.
In a first aspect, the present invention provides a SQL injection detection method, including:
acquiring historical message information of a target request;
acquiring historical field information of the historical message information based on the historical message information;
acquiring current message information of the target request;
under the condition that the current message information comprises the historical field, determining current state information of the target request according to current target field information and the historical field information which are associated with the historical field in the current message information;
and under the condition that the current state of the target request is a normal request, determining that SQL injection does not occur in the target request.
Optionally, the method further includes:
acquiring response information of current message information of the target request under the condition that the current state of the target request is an abnormal request;
and determining SQL injection keywords of the target request based on the response information of the current message information.
Optionally, the method further includes:
and determining target SQL injection keyword information of the target request based on the SQL injection keywords of the target request.
Optionally, the method further includes:
acquiring next message information of the target request;
acquiring the quantity of the target SQL injection keywords in the next message information;
and determining that SQL injection has occurred to the target request under the condition that the number of the target SQL injection keywords in the next message information is greater than or equal to a keyword threshold value.
Optionally, the method further includes:
determining that SQL injection does not occur in the target request under the condition that the number of the target SQL injection keywords in the next message information is smaller than the keyword threshold;
under the condition that SQL injection does not occur in the target request, acquiring the number of target SQL injection keywords in subsequent messages of the target request within preset time;
and determining the SQL injection condition of the subsequent message of the target request according to the number of the target SQL injection keywords in the subsequent message and the keyword threshold.
Optionally, the history field information includes: the name of the history field, the content type information of the history field and the value range information.
Optionally, when the current packet information includes the history field, determining current state information of the target request according to current target field information and the history field information, where the current target field information is associated with the history field in the current packet information, where the determining includes:
determining that the current state of the target request is an abnormal request under the condition that at least one of content type information and value range information included in the current target field information is not matched with content information and value range information included in the historical field information;
and under the condition that the content type information and the value range information included by the current target field information are matched with the content information and the value range information included by the historical field information, determining that the current state of the target request is a normal request.
In a second aspect, the present invention further provides an SQL injection detection apparatus, including:
the first acquisition module is used for acquiring historical message information of a target request;
a second obtaining module, configured to obtain history field information of the history message information based on the history message information;
a third obtaining module, configured to obtain current message information of the target request;
a first determining module, configured to determine, when the current packet information includes the history field, current state information of the target request according to current target field information and history field information associated with the history field in the current packet information;
and the second determination module is used for determining that the SQL injection does not occur in the target request under the condition that the current state of the target request is a normal request.
In a third aspect, the present invention further provides an electronic device, which includes a memory and a processor, where the processor is configured to implement the steps of the SQL injection detection method according to any of the first aspects when executing the computer program stored in the memory.
In a fourth aspect, the present invention also provides a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, carries out the steps of the SQL injection detection method according to any one of the first aspect.
According to the technical scheme, the invention provides an SQL injection detection method, which comprises the following steps: acquiring historical message information of a target request; acquiring historical field information of the historical message information based on the historical message information; acquiring current message information of the target request; under the condition that the current message information comprises the history field, determining the current state information of the target request according to the current target field information and the history field information which are associated with the history field in the current message information; and under the condition that the current state of the target request is a normal request, determining that the SQL injection does not occur to the target request. The existing SQL injection detection method has the problems of low detection result quality, high false alarm rate and high missing report rate, so that the potential network safety hazard is increased, and the system maintenance cost is increased. The invention provides an SQL injection detection method, which can obtain historical field information of a target request by analyzing historical flow information of the target request, match current message information and historical message information based on the same field, judge the current state of the target request, do not perform SQL injection detection under the condition that the target request is normal flow, reduce the performance loss of a system, and perform SQL injection detection under the condition that the target request is abnormal flow, thereby reducing the missing report rate and the false report rate, further improving the detection efficiency and the detection quality of SQL injection and improving the safety performance of a network.
Drawings
In order to explain the technical solution of the present application more clearly, the drawings used in the embodiments are briefly described below; those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic flow chart of an SQL injection detection method according to an embodiment of the present application;
Fig. 2 is a schematic structural diagram of an SQL injection detection apparatus according to an embodiment of the present application;
Fig. 3 is a schematic structural diagram of an electronic device according to an embodiment of the present application;
Fig. 4 is a schematic structural diagram of a computer-readable storage medium provided in an embodiment of the present application.
Detailed Description
Reference will now be made in detail to embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following examples do not represent all embodiments consistent with the present application; they are merely examples of systems and methods consistent with certain aspects of the application, as recited in the claims. In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways, and the apparatus embodiments described below are merely exemplary.
As shown in fig. 1, an embodiment of the present application provides an SQL injection detection method, and fig. 1 is a schematic flow chart of the SQL injection detection method provided in the embodiment of the present application, where the method includes:
Step S110, obtaining historical message information of the target request.
Illustratively, the message data collection may be performed on the target request by a traffic collection algorithm.
Step S120, based on the historical message information, obtaining the historical field information of the historical message information.
For example, the type of the history field information that needs to be counted may be set based on the type of the target request, and the history field information may be captured in the history message information. The history field information may be counted by a data processing algorithm, and a history field information table may be generated based on the result of the counting.
Step S130, obtaining the current message information of the target request.
Step S140, determining current status information of the target request according to current target field information and the history field information associated with the history field in the current message information, when the current message information includes the history field.
For example, the current target field information associated with the history field may be captured in the current message information by a data collection algorithm. The matching condition between the current target field information and the historical field information can be determined through a data analysis algorithm. A determination condition of a state of the target request may be set, and the current state information of the target request may be determined based on the determination condition and the matching case.
Step S150, determining that the target request has not been subjected to SQL injection when the current status of the target request is a normal request.
For example, in a case that the current status of the target request is a normal request, the current target request may be released.
The historical field information of the target request is obtained by analyzing the historical traffic of the target request, and the current message information is matched against the historical message information on the same fields to judge the current state of the target request. When the target request is normal traffic, no SQL injection detection is performed, which avoids injection detection over the whole range of traffic and reduces the performance loss of the system. When the target request is abnormal traffic, SQL injection detection is performed, which reduces the missing report rate and the false report rate, improves the efficiency and quality of SQL injection detection, and improves the security of the network.
According to some embodiments, the method further comprises:
under the condition that the current state of the target request is an abnormal request, acquiring response information of current message information of the target request;
and determining the SQL injection key words of the target request based on the response information of the current message information.
For example, when the current state of the target request is an abnormal request, the response information of the current message information of the target request may be recorded and the target request may be intercepted. A request containing SQL injection can query all of the database names in the database; the response message to it is obtained, and keywords are extracted from that database-name response message. Word segmentation preprocessing may be performed on the response information, the words in the segmentation result are converted into word vectors, the word vectors are divided into a preset number of similar clusters by a clustering algorithm, similar cluster vectors are obtained from the similar clusters, and the similar cluster vectors are processed by a keyword extraction model, which outputs the keywords in the response message. These keywords are used as the SQL injection keywords of the target request. For example, the SQL injection keywords of the target request may be webhost, information_schema, vsthyohjztvxbbxaipurp, wordpress, and the like.
By extracting SQL injection keywords from abnormal flow, the SQL injection keywords possibly existing in the target request can be determined more comprehensively and accurately based on the abnormal flow, so that the detection accuracy can be improved, and the false alarm rate and the missing report rate can be reduced.
According to some embodiments, the method further comprises:
and determining the target SQL injection keyword information of the target request based on the SQL injection keyword of the target request.
For example, the target SQL injection keyword list of the target request may be established by writing common SQL injection keywords, such as and, or, select, union, order by and group_concat, into the keyword list on top of the SQL injection keywords of the target request. Encoded target SQL injection keywords may also be added to the target SQL injection keyword list, where the encodings may include formats such as Base64 encoding, URL encoding and hexadecimal encoding. Taking the keyword "and" as an example, an encoded form of the keyword can be obtained by Base64 encoding, and therefore at least two keywords, "and" and "jw", should be included in the target SQL injection keyword list of the target request.
In this way, more comprehensive target SQL injection keyword information can be obtained for the target request. This avoids the problems, caused by changing the keyword information with conventional encodings, that SQL injection of conventional keywords cannot be detected, that the false alarm rate of SQL injection detection is high, and that the quality of detection results is poor.
According to some embodiments, the method further comprises:
acquiring next message information of the target request;
acquiring the quantity of the target SQL injection keywords in the next message information;
and determining that the SQL injection of the target request occurs under the condition that the number of the target SQL injection keywords in the next message information is greater than or equal to a keyword threshold value.
For example, the keyword threshold may be set by a network security manager, or determined based on a relationship between the SQL injection condition in the historical request and the number of keywords. An alarm message may be generated and sent to a security management system when the target request has SQL injection, where the alarm message may include: the name of the request injected by SQL, the time of the abnormal request of the message information and the message information associated with the abnormal request.
When the current state of the target request is an abnormal request, keyword detection is performed on the next message information, which narrows the detection range and reduces the performance loss of the system. Setting a keyword threshold avoids judging that SQL injection has occurred in the target request on the basis of only a small number of keywords, which reduces the false alarm rate and improves the precision and rigor of the SQL injection detection method.
According to some embodiments, the method further comprises:
determining that the target request does not generate SQL injection under the condition that the number of the target SQL injection keywords in the next message information is smaller than the keyword threshold;
under the condition that the target request does not generate SQL injection, acquiring the quantity of target SQL injection keywords in subsequent messages of the target request within preset time;
and determining the SQL injection condition of the subsequent message of the target request according to the number of the target SQL injection keywords in the subsequent message and the keyword threshold.
Illustratively, if within the preset time the number of target SQL injection keywords in a subsequent message is smaller than the keyword threshold, and the target SQL injection keywords in the subsequent message are completely consistent with those in the next message information, it may be determined that SQL injection has not occurred in the target request. If within the preset time the number of target SQL injection keywords in a subsequent message is greater than or equal to the keyword threshold, it may be determined that SQL injection has occurred in the target request. If within the preset time the number of target SQL injection keywords in a subsequent message is smaller than the keyword threshold but the target SQL injection keywords in the subsequent message are inconsistent with those in the next message information, the number of target SQL injection keywords in subsequent messages within the preset time continues to be obtained.
SQL injection is not completed in a single request but proceeds in stages, with the data obtained by the previous request added to the next request. Performing keyword detection on the message information of the same target request within a preset time therefore allows the target request to be observed dynamically, based on the behavioral characteristics of SQL injection. This avoids determining that SQL injection has occurred when subsequent message information continues to contain target SQL injection keywords for reasons other than SQL injection, which reduces the false alarm rate and improves the level of SQL injection detection.
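The keyword list with encoded forms and the threshold rule over the next and subsequent messages can be sketched as follows. This is an added example, not code from the patent; the function names, the "keep watching" return value, the sample messages and the choice to count distinct keywords are assumptions of the example.

```python
import base64
import re
from urllib.parse import quote

# Common keywords listed in the description, plus one keyword of the kind
# extracted from an abnormal request's response (constructed sample list).
TARGET_KEYWORDS = ["and", "or", "select", "union", "order by", "group_concat",
                   "information_schema"]


def build_table(keywords):
    """Map each keyword to regexes for its plain and encoded spellings."""
    table = {}
    for kw in keywords:
        raw = kw.encode()
        # Plain form: whole-word match so "or" does not fire inside "wordpress".
        plain = r"\b" + r"\s+".join(re.escape(p) for p in kw.split()) + r"\b"
        patterns = [re.compile(plain, re.IGNORECASE)]
        # Base64 is case-sensitive; percent- and hex-encodings are not.
        patterns.append(re.compile(re.escape(base64.b64encode(raw).decode())))
        loose = {"".join(f"%{b:02x}" for b in raw), raw.hex()}
        if quote(kw) != kw:                      # e.g. "order%20by"
            loose.add(quote(kw))
        patterns += [re.compile(re.escape(s), re.IGNORECASE) for s in loose]
        table[kw] = patterns
    return table


def keywords_in(message, table):
    """Distinct target keywords present in one message, in any listed form."""
    return frozenset(kw for kw, pats in table.items()
                     if any(p.search(message) for p in pats))


def verdict(messages, table, threshold, window):
    """Apply the threshold rule to the messages that follow an abnormal request.

    messages: [(seconds, text), ...]; the first entry is the "next message".
    """
    t0, first = messages[0]
    baseline = keywords_in(first, table)
    if len(baseline) >= threshold:
        return "injection"
    result = "no injection"          # next message alone is below the threshold
    for t, text in messages[1:]:
        if t - t0 > window:          # outside the preset time
            break
        found = keywords_in(text, table)
        if len(found) >= threshold:
            return "injection"
        if found == baseline:        # same keywords as the next message
            return "no injection"
        result = "keep watching"     # keywords changed: continue observing
    return result


# Constructed message sequences for one target request (not from the patent).
TABLE = build_table(TARGET_KEYWORDS)
BENIGN = [(0, "q=salt and pepper"), (5, "q=salt and vinegar")]
STAGED = [(0, "id=1 and 1=1"), (4, "id=1 order by 3"),
          (9, "id=1 union select group_concat(name)")]

if __name__ == "__main__":
    print(verdict(BENIGN, TABLE, threshold=3, window=60))
    print(verdict(STAGED, TABLE, threshold=3, window=60))
```

Matching encoded forms as substrings has limits: a Base64 keyword embedded in a longer encoded string only appears verbatim at a 3-byte alignment, and the hex form of a short keyword can collide with unrelated hex data, so decoding the field before matching is the more robust variant.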
According to some embodiments, the history field information includes: name of the history field, content type information and value range information of the history field.
For example, the names of the history fields may include: id, cookie, user-agent and connection. The content type information may include: numbers, characters, and combinations of numbers and characters. In the case where the content type of the history field is a number, the value range of the history field may be information such as a numerical value range. In the case where the content of the history field is a character, the value range of the history field may be information such as the number and length of the character. In the case where the content of the history field is a combination of a number and a character, the value range of the history field may be information such as the number of characters, the length of the character, the numerical range of the number, and the ratio of the character in the field.
Because almost all SQL injection operations are realized by changing the type of original data or adding special symbols, the current state of a target request can be effectively determined by extracting the content type and the value range of key fields, the request message information can be preliminarily screened, the detection range is narrowed, the detection efficiency is improved, and the performance loss of a system is reduced.
According to some embodiments, in the case that the current packet information includes the history field, determining the current status information of the target request according to the current target field information and the history field information associated with the history field in the current packet information includes:
determining that the current state of the target request is an abnormal request when at least one of the content type information and the value range information included in the current target field information is not matched with the content information and the value range information included in the history field information;
and under the condition that the content type information and the value range information included in the current target field information are matched with the content information and the value range information included in the historical field information, determining that the current state of the target request is a normal request.
When at least one of the content type information and the value range information in a field of the current message of the target request does not match the historical field information, the request is abnormal and may be an SQL injection, so further detection is required; this can effectively reduce the missing report rate of SQL injection detection.
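The history field table and the normal/abnormal decision described above can be sketched as follows. This is an added example, not code from the patent; the class and function names, the sample traffic and the reading of "value range" as length range, numeric range and the set of symbols already seen are assumptions of the example.

```python
import re
from dataclasses import dataclass, field
from typing import Optional


def content_type(value):
    """Classify a value as one of the three content types in the description."""
    if re.fullmatch(r"[0-9]+", value):
        return "number"
    return "mixed" if re.search(r"[0-9]", value) else "character"


def special_chars(value):
    """Non-alphanumeric characters (quotes, '=', spaces, ...) in a value."""
    return {ch for ch in value if not ch.isalnum()}


@dataclass
class FieldProfile:
    """History field information for one field name."""
    types: set = field(default_factory=set)
    min_len: Optional[int] = None
    max_len: int = 0
    min_num: Optional[int] = None
    max_num: Optional[int] = None
    symbols: set = field(default_factory=set)

    def learn(self, value):
        ctype = content_type(value)
        self.types.add(ctype)
        size = len(value)
        self.min_len = size if self.min_len is None else min(self.min_len, size)
        self.max_len = max(self.max_len, size)
        self.symbols |= special_chars(value)
        if ctype == "number":
            n = int(value)
            self.min_num = n if self.min_num is None else min(self.min_num, n)
            self.max_num = n if self.max_num is None else max(self.max_num, n)

    def mismatches(self, value):
        """Reasons why a current value does not match the history, if any."""
        reasons = []
        ctype = content_type(value)
        if ctype not in self.types:
            reasons.append("content type " + ctype)
        if not self.min_len <= len(value) <= self.max_len:
            reasons.append("length %d out of range" % len(value))
        if (ctype == "number" and self.min_num is not None
                and not self.min_num <= int(value) <= self.max_num):
            reasons.append("numeric value out of range")
        unseen = special_chars(value) - self.symbols
        if unseen:
            reasons.append("unseen symbols " + "".join(sorted(unseen)))
        return reasons


def build_profiles(history):
    """Build the history field table from historical messages (dicts)."""
    profiles = {}
    for message in history:
        for name, value in message.items():
            profiles.setdefault(name, FieldProfile()).learn(value)
    return profiles


def request_state(profiles, current):
    """Return ("normal" | "abnormal", {field name: reasons})."""
    findings = {}
    for name, value in current.items():
        if name in profiles:      # only fields that have history are compared
            reasons = profiles[name].mismatches(value)
            if reasons:
                findings[name] = reasons
    return ("abnormal" if findings else "normal"), findings


# Constructed sample traffic for one target request (not from the patent).
HISTORY = [
    {"id": "17", "connection": "keep-alive"},
    {"id": "203", "connection": "close"},
    {"id": "5", "connection": "keep-alive"},
]

if __name__ == "__main__":
    table = build_profiles(HISTORY)
    print(request_state(table, {"id": "88", "connection": "close"}))
    print(request_state(table, {"id": "88 or 1=1", "connection": "close"}))
```

A strict min/max baseline flags legitimate growth (a new, larger id) as abnormal, and a field with no history is never compared, so this step works as a pre-filter in front of the keyword check rather than a verdict by itself.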
As shown in fig. 2, fig. 2 is a schematic structural diagram of an SQL injection detection apparatus according to an embodiment of the present application.
The embodiment of the present application provides an SQL injection detection apparatus 200, which includes:
a first obtaining module 201, configured to obtain history message information of a target request;
a second obtaining module 202, configured to obtain history field information of the history message information based on the history message information;
a third obtaining module 203, configured to obtain current message information of the target request;
a first determining module 204, configured to determine, when the current packet information includes the history field, current state information of the target request according to current target field information and the history field information, which are associated with the history field, in the current packet information;
the second determining module 205 is configured to determine that SQL injection does not occur in the target request when the current state of the target request is a normal request.
The SQL injection detection apparatus 200 is capable of implementing each process implemented in the method embodiment of fig. 1, and is not described herein again to avoid repetition.
Referring to fig. 3, fig. 3 is a schematic structural diagram of an electronic device according to an embodiment of the present disclosure.
The embodiment of the present application provides an electronic device 300, which includes a memory 310, a processor 320, and a computer program 311 stored in the memory 310 and executable on the processor 320, where the processor 320 executes the computer program 311 to implement the following steps:
acquiring historical message information of a target request;
acquiring historical field information of the historical message information based on the historical message information;
acquiring current message information of the target request;
determining current state information of the target request according to current target field information and the history field information which are associated with the history field in the current message information under the condition that the current message information comprises the history field;
and under the condition that the current state of the target request is a normal request, determining that the SQL injection does not occur in the target request.
In a specific implementation, when the processor 320 executes the computer program 311, any of the embodiments corresponding to fig. 1 may be implemented.
Since the electronic device described in this embodiment is a device used for implementing an apparatus in this embodiment, based on the method described in this embodiment, a person skilled in the art can understand the specific implementation manner of the electronic device of this embodiment and various variations thereof, so that how to implement the method in this embodiment by the electronic device is not described in detail herein, and as long as the person skilled in the art implements the device used for implementing the method in this embodiment, the device is within the scope of the present application.
As shown in fig. 4, fig. 4 is a schematic structural diagram of a computer-readable storage medium according to an embodiment of the present application.
The present embodiment provides a computer-readable storage medium 400 having stored thereon a computer program 411, the computer program 411 realizing the following steps when executed by a processor:
acquiring historical message information of a target request;
acquiring historical field information of the historical message information based on the historical message information;
acquiring current message information of the target request;
determining, under the condition that the current message information comprises the history field, current state information of the target request according to the history field information and the current target field information associated with the history field in the current message information;
and under the condition that the current state of the target request is a normal request, determining that the SQL injection does not occur in the target request.
It should be noted that, in the foregoing embodiments, the descriptions of the respective embodiments have respective emphasis, and reference may be made to relevant descriptions of other embodiments for parts that are not described in detail in a certain embodiment.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Embodiments of the present application further provide a computer program product, where the computer program product includes computer software instructions, and when the computer software instructions are run on a processing device, the processing device is caused to execute a flow in the SQL injection detection method in the embodiment corresponding to fig. 1.
The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the processes or functions described in the embodiments of the present application are produced in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or another programmable device. The computer instructions may be stored on a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by wired means (e.g., coaxial cable, optical fiber, digital subscriber line (DSL)) or wireless means (e.g., infrared, wireless, microwave, etc.). The computer-readable storage medium may be any available medium that a computer can access, or a data storage device, such as a server or a data center, that integrates one or more available media. The available medium may be a magnetic medium (e.g., a floppy disk, a hard disk, a magnetic tape), an optical medium (e.g., a DVD), or a semiconductor medium (e.g., a solid state disk (SSD)), etc.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative: the division into units is only one type of logical functional division, and other divisions may be used in practice; for instance, a plurality of units or components may be combined or integrated into another system, or some features may be omitted or not executed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one position, or may be distributed on multiple network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and sold or used as a separate product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present application, in essence, or the part of it that contributes over the prior art, or all or part of the technical solution, may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method described in the embodiments of the present application. The aforementioned storage medium includes various media capable of storing program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disk.
In summary, the above embodiments are only used for illustrating the technical solutions of the present application, and not for limiting the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present application.

Claims (10)

1. An SQL injection detection method, comprising:
acquiring historical message information of a target request;
acquiring historical field information of the historical message information based on the historical message information;
acquiring current message information of the target request;
under the condition that the current message information comprises the history field, determining the current state information of the target request according to the current target field information and the history field information which are associated with the history field in the current message information;
and under the condition that the current state of the target request is a normal request, determining that SQL injection does not occur in the target request.
2. The method of claim 1, further comprising:
acquiring response information of current message information of the target request under the condition that the current state of the target request is an abnormal request;
and determining the SQL injection keywords of the target request based on the response information of the current message information.
3. The method of claim 2, further comprising:
and determining target SQL injection keyword information of the target request based on the SQL injection keywords of the target request.
4. The method of claim 3, further comprising:
acquiring next message information of the target request;
acquiring the quantity of the target SQL injection keywords in the next message information;
and determining that the SQL injection of the target request occurs under the condition that the number of the target SQL injection keywords in the next message information is greater than or equal to a keyword threshold value.
5. The method of claim 4, further comprising:
determining that SQL injection does not occur in the target request under the condition that the number of the target SQL injection keywords in the next message information is smaller than the keyword threshold;
under the condition that SQL injection does not occur in the target request, acquiring the number of target SQL injection keywords in subsequent messages of the target request within preset time;
and determining the SQL injection condition of the subsequent message of the target request according to the number of the target SQL injection keywords in the subsequent message and the keyword threshold.
6. The method of claim 1, wherein the history field information comprises: name of the history field, content type information and value range information of the history field.
7. The method of claim 6, wherein the determining the current state information of the target request according to the current target field information and the history field information associated with the history field in the current message information, under the condition that the current message information comprises the history field, comprises:
determining that the current state of the target request is an abnormal request under the condition that at least one of content type information and value range information included in the current target field information is not matched with content information and value range information included in the historical field information;
and under the condition that the content type information and the value range information included by the current target field information are matched with the content information and the value range information included by the historical field information, determining that the current state of the target request is a normal request.
8. An SQL injection detection apparatus, comprising:
the first acquisition module is used for acquiring historical message information of the target request;
the second acquisition module is used for acquiring the historical field information of the historical message information based on the historical message information;
a third obtaining module, configured to obtain current message information of the target request;
a first determining module, configured to determine current state information of the target request according to current target field information and history field information that are associated with the history field in the current message information, under the condition that the current message information comprises the history field;
and the second determination module is used for determining that the SQL injection does not occur in the target request under the condition that the current state of the target request is a normal request.
9. An electronic device comprising a memory and a processor, wherein the processor is configured to implement the steps of the SQL injection detection method according to any one of claims 1 to 7 when executing a computer program stored in the memory.
10. A computer-readable storage medium having stored thereon a computer program, characterized in that: the computer program, when executed by a processor, implements the steps of the SQL injection detection method according to any one of claims 1 to 7.
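The baseline comparison of claims 1, 6 and 7 and the keyword threshold of claims 4 and 5, as an added Python sketch that is not code from the patent. The int/str type taxonomy, the use of string length as the value range of text fields, the sample messages and the keyword set passed to `injection_occurred` are assumptions; the claims do not specify them.

```python
import re
from dataclasses import dataclass

INT_RE = re.compile(r"-?\d+")

# Constructed sample: historical messages of one target request.
HISTORY = [
    {"id": "17", "name": "alice"},
    {"id": "203", "name": "bob"},
    {"id": "88", "name": "charlie"},
]

@dataclass
class FieldProfile:
    """History field information (claim 6): name, content type, value range."""
    name: str
    content_type: str  # "int" or "str" (assumed taxonomy)
    low: int           # int: smallest value seen; str: shortest length seen
    high: int          # int: largest value seen; str: longest length seen

def build_profiles(history):
    """Derive one FieldProfile per field from the historical messages."""
    seen = {}
    for msg in history:
        for name, value in msg.items():
            seen.setdefault(name, []).append(value)
    profiles = {}
    for name, values in seen.items():
        if all(INT_RE.fullmatch(v) for v in values):
            sizes, ctype = [int(v) for v in values], "int"
        else:
            sizes, ctype = [len(v) for v in values], "str"
        profiles[name] = FieldProfile(name, ctype, min(sizes), max(sizes))
    return profiles

def request_state(current, profiles):
    """Claim 7: abnormal if a history field mismatches type or value range."""
    for name, value in current.items():
        p = profiles.get(name)
        if p is None:
            continue  # not a history field, so claim 1 does not judge it
        if p.content_type == "int":
            if not INT_RE.fullmatch(value) or not p.low <= int(value) <= p.high:
                return "abnormal"
        elif not p.low <= len(value) <= p.high:
            return "abnormal"
    return "normal"

def count_keywords(message, keywords):
    """Count whole-word occurrences of the target keywords in a message."""
    text = " ".join(message.values()).lower()
    return sum(len(re.findall(rf"\b{re.escape(k)}\b", text)) for k in keywords)

def injection_occurred(next_message, keywords, threshold):
    """Claims 4-5: injection is reported once the count reaches the threshold."""
    return count_keywords(next_message, keywords) >= threshold

if __name__ == "__main__":
    profiles = build_profiles(HISTORY)
    probe = {"id": "42 union select name from users", "name": "dave"}  # constructed
    print(request_state(probe, profiles))
    print(injection_occurred(probe, {"union", "select", "from"}, 2))
```

A request that fails the baseline is only marked abnormal; per claims 4 and 5, injection is reported when a later message reaches the keyword threshold.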
CN202211135641.9A 2022-09-19 2022-09-19 SQL injection detection method and device, electronic equipment and storage medium Active CN115549990B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211135641.9A CN115549990B (en) 2022-09-19 2022-09-19 SQL injection detection method and device, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN115549990A CN115549990A (en) 2022-12-30
CN115549990B CN115549990B (en) 2023-06-13

Family

ID=84728096

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211135641.9A Active CN115549990B (en) 2022-09-19 2022-09-19 SQL injection detection method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN115549990B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107292170A (en) * 2016-04-05 2017-10-24 阿里巴巴集团控股有限公司 Detection method and device, the system of SQL injection attack
US20190306191A1 (en) * 2018-03-30 2019-10-03 Beijing Baidu Netcom Science And Technology Co., Ltd. Sql injection interception detection method and device, apparatus and computer readable medium
CN111193747A (en) * 2019-12-31 2020-05-22 奇安信科技集团股份有限公司 Message threat detection method and device, electronic equipment and storage medium
CN112468520A (en) * 2021-01-28 2021-03-09 腾讯科技(深圳)有限公司 Data detection method, device and equipment and readable storage medium
CN112671727A (en) * 2020-12-11 2021-04-16 深信服科技股份有限公司 Information leakage detection method and device, equipment and storage medium
CN114048227A (en) * 2021-11-23 2022-02-15 北京天融信网络安全技术有限公司 SQL statement anomaly detection method, device, equipment and storage medium

Also Published As

Publication number Publication date
CN115549990B (en) 2023-06-13

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant