CN117118752A - Method, system, device and medium for resisting information attack - Google Patents

Publication number
CN117118752A
Authority
CN
China
Prior art keywords
sql
module
request
sql request
attack
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202311372158.7A
Other languages
Chinese (zh)
Other versions
CN117118752B (en)
Inventor
马立新
丁晓辉
董文慧
刘�东
王长栋
靖鹏
孙雪亭
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shandong Love Bookren Family Education Technology Co ltd
Original Assignee
Shandong Love Bookren Family Education Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shandong Love Bookren Family Education Technology Co ltd filed Critical Shandong Love Bookren Family Education Technology Co ltd
Priority to CN202311372158.7A priority Critical patent/CN117118752B/en
Publication of CN117118752A publication Critical patent/CN117118752A/en
Application granted granted Critical
Publication of CN117118752B publication Critical patent/CN117118752B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441: Countermeasures against malicious traffic
    • H04L63/1466: Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00: Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06: Management of faults, events, alarms or notifications
    • H04L41/0631: Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention relates to the technical field of system security and provides an information anti-attack method, system, device and medium. The information anti-attack method comprises the steps of executing SQL requests, alert comparison, alarm, SQL request analysis, SQL request content analysis, suspicion analysis, terminating the SQL request, data observation, and so on; the information anti-attack system comprises an input module, a database, an SQL receiving module, an SQL execution module, a data statistics module I, a comparison module, an alarm module, a data statistics module II, an SQL analysis module, an SQL termination module, a delay module and other modules. The method and system can automatically eliminate SQL injection attacks before the server's threads are exhausted, reducing the probability of a server crash and improving the user experience.

Description

Method, system, device and medium for resisting information attack
Technical Field
The present invention relates to the field of system security technologies, and in particular, to a method, a system, an apparatus, and a medium for information attack resistance.
Background
An SQL injection attack submits a carefully constructed request to a web program that performs SQL queries, breaking through the limits of the original SQL query to gain unauthorized access, and may ultimately obtain, tamper with and control the content of the database on the website's server side. SQL injection is therefore one of the most common intrusion methods.
With the adoption of precompiled and parameterized queries, SQL injection attacks are no longer as simple as before; however, some query statements (such as ORDER BY statements) are not compatible with precompilation, so SQL injection attacks still have room to operate. With query permissions and data encryption in use, it is difficult for an attacker to obtain information from the database, and even if the information is obtained it is difficult to decrypt; operation permissions make it difficult for an attacker to tamper with or delete the database.
These measures leave less and less room for SQL injection attacks, but some attacks still slip through the net, such as lock table attacks. Because a lock table attack can neither obtain nor tamper with information, it does little harm to information security itself. However, a lock table attack prevents other users from querying the affected information, so their requests occupy threads for a long time; as more and more users need to query information over time, the database connection threads may be exhausted, the server then crashes, and users end up with a poor experience.
Disclosure of Invention
To solve the problem that a server crashes and the user experience is degraded when it suffers an SQL injection attack, the invention provides an information anti-attack method, system, device and medium.
In a first aspect, the present invention provides an information anti-attack method, which adopts the following technical scheme:
An information anti-attack method, comprising the following steps:
Executing the SQL request: acquiring SQL request data packets, counting the number N of SQL requests being executed, and executing all SQL requests;
Alert comparison: comparing the number N of SQL requests being executed with the warning thread number $CT_w$ that the server allows to execute simultaneously; if N is greater than $CT_w$, executing the alarm step and the SQL request analysis step; wherein the warning thread number $CT_w$ is less than the maximum thread number CT that the server allows to execute simultaneously;
Alarm: sending out an alarm to prompt the database administrator to intervene;
SQL request analysis: analyzing the SQL requests to judge whether an injection attack exists among the executing SQL requests; the SQL request analysis step comprises an SQL request content analysis step and a suspicion analysis step;
SQL request content analysis: analyzing the N SQL requests being executed to obtain the execution duration $n_t$ of the nth SQL request, the number of strings $n_l$ of the nth SQL request and the number of sensitive words $n_x$ of the nth SQL request, $n \in [1, N]$;
Suspicion analysis: determining the suspicion index $d_n$ of the nth SQL request according to the execution duration $n_t$, the number of strings $n_l$ and the number of sensitive words $n_x$ of the nth SQL request; the calculation model of the suspicion index $d_n$ is as follows:
in the formula, $[n_l]$ is the set of the numbers of strings $n_l$ of all executing SQL requests;
Terminating the SQL request: ending the nth SQL request;
Data retention: setting a retention time T, and executing the alert comparison step again after the retention time T has passed.
With this technical scheme, the server continuously receives SQL requests, executes them, and continuously counts the SQL requests being executed. When the number N of executing SQL requests exceeds the warning thread number $CT_w$, the database may be under SQL injection attack, with the attack hidden among the executing SQL requests; the executing SQL requests are therefore analyzed, and at the same time an alarm is raised to prompt the database administrator to pay close attention to the state of the server.
When analyzing the SQL requests, the execution duration, number of strings and number of sensitive words of every executing SQL request are counted to obtain the basic information of all executing SQL requests, and the degree of risk (i.e. the suspicion index) of each executing SQL request is then analyzed. The higher the suspicion index of an executing SQL request, the more likely it is an SQL injection attack; that SQL request is then ended and the system is observed for a period of time.
If, after that period, the number N of executing SQL requests still exceeds the warning thread number $CT_w$, the SQL injection attack has not been cleared; SQL request analysis is executed again, the SQL request with the second highest suspicion index is ended, and so on. If, after that period, N no longer exceeds $CT_w$, the SQL injection attack has been cleared. In this way SQL injection attacks can be eliminated automatically, the probability of the database being locked for a long time is reduced, and the user experience is improved.
Optionally, in the suspicion analysis step, the number $n_x^p$ of precompiled sensitive words in the nth SQL request is also determined, and the suspicion index is optimized according to $n_x^p$; the calculation model of the optimized suspicion index $d_n$ is as follows:
With this technical scheme, the larger the share of sensitive words among the strings, the higher the suspicion index of the SQL request, but not every sensitive word affects the database. When some of the sensitive words are precompiled, they can be classed as trusted sensitive words, which reduces the probability that a normal SQL request is misjudged as SQL injection.
Optionally, in the alert comparison step, the average execution duration $T_1$ of all executed SQL requests and the average number j of SQL requests received per unit time are counted; the relationship between the warning thread number $CT_w$ and $T_1$ and j is as follows:
$CT_w > 2jT_1$
The relationship between the maximum thread number CT and the warning thread number $CT_w$ is as follows:
$CT > CT_w + jT_1$
In the data retention step, the retention time T is equal to the average execution duration $T_1$ of all executed SQL requests.
With this technical scheme, the probability of a server crash during the retention time is reduced when an SQL injection attack is encountered; at the same time the retention time is kept to a minimum, so it can be determined quickly whether the SQL injection attack has been cleared, and hence whether the SQL requests need to be analyzed again.
Optionally, in the suspicion analysis step, the text of the SQL request is translated, and the number of strings $n_l$ and the number of sensitive words $n_x$ are then counted on the translated SQL request text.
With this technical scheme: some SQL injection attacks are elaborately constructed, and the number of strings and the number of sensitive words are hard to determine by scanning the SQL request directly. Translating the text of the SQL injection attack into data in another format before analyzing it improves the accuracy of the string and sensitive-word counts, and hence the accuracy of the suspicion analysis.
Optionally, in the alert comparison step, if the number N of executing SQL requests is less than or equal to the warning thread number $CT_w$, the SQL injection attack statistics step is executed;
SQL injection attack statistics: entering the nth SQL request ended in the terminating-the-SQL-request step into the SQL injection attack database.
With this technical scheme, once the SQL injection attack has been identified, the corresponding SQL request is entered into the database, which makes it convenient for the database administrator to maintain and update the code.
In a second aspect, the present invention provides an information anti-attack system, which adopts the following technical scheme:
An information anti-attack system, comprising the following modules:
Input module: used for inputting the warning thread number $CT_w$, the maximum thread number CT and the retention time T, and for entering sensitive word information;
Database: its input end is connected with the output end of the input module; used for storing sensitive word information;
SQL receiving module: used for receiving SQL request data packets;
SQL execution module: its input end is connected with the output end of the SQL receiving module; used for executing the SQL requests;
Data statistics module I: its input end is connected with the output end of the SQL execution module; used for counting the number N of executing SQL requests;
Comparison module: its input end is connected with the output ends of data statistics module I and the input module; used for comparing the number of requests N with the warning thread number $CT_w$;
Alarm module: its input end is connected with the output end of the comparison module; used for giving an alarm;
Data statistics module II: its input end is connected with the output ends of the SQL execution module and the database; used for obtaining the execution duration $n_t$ and the number of strings $n_l$ of the nth SQL request, and for determining the number $n_x^p$ of precompiled sensitive words in the nth SQL request and the number $n_x$ of sensitive words of the nth SQL request;
SQL analysis module: its input end is connected with the output ends of the SQL execution module and data statistics module II; used for calculating the suspicion index $d_n$ and taking the maximum value of $d_n$;
SQL termination module: its input end is connected with the output end of the SQL analysis module; used for terminating the SQL request whose suspicion index $d_n$ is the maximum;
Delay module: its input end is connected with the output ends of the SQL termination module and the input module, and its output end is connected with the output end of the comparison module; used for activating the comparison module after the retention time T.
With this technical scheme, the SQL receiving module continuously receives SQL request data packets and the SQL execution module continuously executes the SQL requests. When the database is under SQL injection attack, the SQL receiving module can still receive SQL request data packets, but the SQL execution module cannot execute SQL requests normally, so the number of executing SQL requests grows. When the number of executing SQL requests exceeds the warning thread number $CT_w$, the alarm module raises an alarm to prompt the database administrator to monitor the running state of the server, and the system starts collecting the basic data of the executing SQL requests, calculates suspicion indexes from that data, judges the SQL request with the highest suspicion index to be the SQL injection attack and terminates it. This triggers the delay module, and after a delay it is judged again whether the number of executing SQL requests exceeds the warning thread number $CT_w$. If it still does, the terminated SQL request was not the SQL injection attack, and the executing SQL requests are judged again; if it no longer does, the SQL injection attack has been eliminated and the database can be queried normally.
Optionally, the system further comprises a data translation module,
Data translation module: its input end is connected with the output end of the SQL execution module and its output end with the input end of data statistics module II; used for translating SQL request text into text in another format.
With this technical scheme, the text of the SQL injection attack is translated into data in another format and then analyzed and counted by the data statistics module, which improves the accuracy of the string and sensitive-word counts, and hence the accuracy of the suspicion analysis.
Optionally, the system further comprises a recording module,
Recording module: its input end is connected with the output ends of the SQL termination module and the comparison module, and its output end is connected with the database; used for outputting the text information of the SQL injection attack to the database.
With this technical scheme, after the SQL injection attack is determined to have been eliminated, the text of the SQL injection attack is entered into the database for storage, so that the database administrator can maintain and update the code later.
In a third aspect, the present invention provides a device, which adopts the following technical scheme:
an apparatus comprising a processor and a memory, the memory for storing a computer program, the processor for executing the computer program stored by the memory to cause the apparatus to perform the method of the first aspect.
In a fourth aspect, the present invention provides a medium, which adopts the following technical scheme:
a medium having a computer program stored thereon; the computer program, when executed by a processor, implements the method as described in the first aspect.
In summary, the present invention includes at least one of the following beneficial technical effects:
1. Through the SQL request content analysis step and the suspicion analysis step, the SQL request corresponding to the SQL injection attack can be found accurately, and the SQL injection attack is then removed by the terminating-the-SQL-request step, so that the information is protected.
2. By setting $CT_w$ greater than $2jT_1$ and CT greater than $CT_w + jT_1$ in the alert comparison step, and setting the observation time T to the average execution duration $T_1$ of all executed SQL requests in the data observation step, the probability that the SQL injection attack is removed before the server crashes is improved, and the user experience is improved.
3. Through the SQL injection attack statistics step, after an SQL injection attack is removed it is entered into the SQL injection attack database, providing a reference for database administrators when they later upgrade the code.
Drawings
FIG. 1 is a schematic flow chart of example 1;
FIG. 2 is a system diagram of example 2;
FIG. 3 is a schematic diagram of a bus communication structure of embodiment 3.
Detailed Description
The invention is described in further detail below in connection with fig. 1-3.
Example 1: this embodiment discloses an information anti-attack method. Referring to FIG. 1, the information anti-attack method includes the following steps:
S1: Executing the SQL request: acquiring SQL request data packets, counting the number N of SQL requests being executed, and executing all SQL requests. This step runs continuously: SQL request data packets are continuously acquired and the acquired SQL requests are put into execution. An executing SQL request occupies a server thread, and a completed SQL request is reclaimed and no longer occupies a server thread, so the number of executing SQL requests equals the number of occupied server threads.
S2: Alert comparison: comparing the number N of SQL requests being executed with the warning thread number $CT_w$ that the server allows to execute simultaneously. When setting the warning thread number $CT_w$, first count the average execution duration $T_1$ of all executed SQL requests and the average number j of SQL requests received per unit time; the relationship between the warning thread number $CT_w$ and $T_1$ and j is as follows:
$CT_w > 2jT_1$
The warning thread number $CT_w$ that the server allows to execute simultaneously is less than the maximum thread number CT that the server allows to execute simultaneously; the relationship between the maximum thread number CT and the warning thread number $CT_w$ is as follows:
$CT > CT_w + jT_1$
If the number N of SQL requests being executed is greater than the warning thread number $CT_w$, executing the alarm step S3 and the SQL request analysis step S4;
If the number N of SQL requests being executed is less than or equal to the warning thread number $CT_w$, executing the SQL injection attack statistics step S7;
S3: Alarm: sending out an alarm to prompt the database administrator to intervene.
S4: SQL request analysis: analyzing the SQL requests to judge whether an injection attack exists among the executing SQL requests. The SQL request analysis step comprises an SQL request content analysis step S4-1 and a suspicion analysis step S4-2;
S4-1: SQL request content analysis: analyzing the N SQL requests being executed to obtain the execution duration $n_t$ and the number of strings $n_l$ of the nth SQL request; the text of the SQL request is translated, the number of strings $n_l$ and the number of sensitive words $n_x$ are counted on the translated SQL request text, and the number $n_x^p$ of precompiled sensitive words is counted, where $n \in [1, N]$.
Because a comment marker such as "--" may appear in an SQL request, and the server then cannot recognize the strings after the comment marker, the text of the SQL request may be translated into binary numbers when it is translated, so that every string in the text of the SQL request can be recognized and the number of strings in the SQL request obtained.
When counting sensitive words, a sensitive-word library can be set up first; the sensitive words in the library are translated into binary numbers and compared with the translated SQL request text, giving the number of sensitive words in the SQL request.
In an SQL request, not every sensitive word brings risk, and for some sensitive words the risk is eliminated once they are precompiled. Moreover, with a spliced SQL statement, part of the statement may be precompilable and part not. In that case a precompiled library can be set up; the precompiled text in the library is translated into binary numbers and compared with the translated SQL request text, giving the number of precompiled sensitive words in the SQL request.
S4-2: Suspicion analysis: determining the suspicion index $d_n$ of the nth SQL request according to the execution duration $n_t$ of the nth SQL request, the number of strings $n_l$ of the nth SQL request, the number of sensitive words $n_x$ of the nth SQL request and the number $n_x^p$ of precompiled sensitive words in the nth SQL request; the calculation model of the suspicion index $d_n$ is as follows:
in the formula, $[n_l]$ is the set of the numbers of strings $n_l$ of all executing SQL requests.
In an SQL request, the more non-precompiled sensitive words there are per unit string length, the greater the probability that the SQL request is an SQL injection attack, and the longer the SQL request has been executing, the probability that it is an SQL injection attack grows exponentially; a relatively accurate suspicion index $d_n$ can therefore be obtained.
S5: Terminating the SQL request: ending the nth SQL request.
S6: Data retention: setting a retention time T, and executing the alert comparison step again after the retention time T has passed; the retention time T is equal to the average execution duration $T_1$ of all executed SQL requests.
S7: SQL injection attack statistics: entering the nth SQL request ended in the terminating-the-SQL-request step into the SQL injection attack database, and deleting the command for ending the nth SQL request.
The implementation principle of the information anti-attack method of this embodiment is as follows:
The server continuously acquires SQL requests, executes each request once acquired, and counts the SQL requests being executed; an executing SQL request occupies a server thread, and a completed SQL request is reclaimed and no longer occupies one. When the number N of SQL requests being executed is greater than the warning thread number $CT_w$ that the server allows to execute simultaneously, the executing SQL requests are analyzed to judge which SQL request is the SQL injection attack.
When analyzing the executing SQL requests, the execution duration $n_t$ and the number of strings $n_l$ of the nth SQL request are obtained first; the text of the SQL request is translated, the number of strings $n_l$ and the number of sensitive words $n_x$ are counted on the translated SQL request text, and the number $n_x^p$ of precompiled sensitive words is counted, which improves the accuracy of the counts. The suspicion index $d_n$ of the nth SQL request is then determined from the execution duration $n_t$, the number of strings $n_l$, the number of sensitive words $n_x$ and the number $n_x^p$ of precompiled sensitive words of the nth SQL request; the SQL request corresponding to the maximum suspicion index $d_n$ is judged to be the SQL injection attack and is then terminated.
After the corresponding SQL request is terminated, the system waits for the retention time. Because the retention time T, the warning thread number $CT_w$, the average execution duration $T_1$ of all executed SQL requests, the average number j of SQL requests received per unit time and the maximum thread number CT that the server allows to execute simultaneously are strongly correlated, the server can judge in the shortest time and most accurately whether the ended SQL request was the SQL injection attack.
If the ended SQL request was the SQL injection attack, it is entered into the SQL injection attack database, so that the database administrator can later review it and update the code. If the ended SQL request was not the SQL injection attack, the SQL requests are screened again, which improves the probability of eliminating the SQL injection attack before the server crashes and improves the user experience.
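The sizing rules for $CT_w$ and CT from the alert comparison step and the S2-S7 loop described above, as an added example (not code from the patent). The lexicon, the precompiled-statement library, the sample requests, the `blocked_by` field, the zero-score guard and above all the scoring function are assumptions: the suspicion-index formula is not reproduced on this page, so `suspicion` is a stand-in that only follows the stated tendencies.

```python
import math
import re
from dataclasses import dataclass
from typing import Optional

# Constructed lexicon and precompiled-statement library (assumptions; the
# patent leaves both to the operator).
SENSITIVE = {"sleep", "benchmark", "union", "lock", "update", "drop"}
PRECOMPILED = ["update orders set status = ? where id = ?"]


@dataclass
class Request:
    rid: int
    text: str
    started: float                    # start time in seconds
    blocked_by: Optional[int] = None  # rid of the lock holder it waits on


def thresholds_ok(j, t1, ct_w, ct):
    """Sizing rules from the text: CT_w > 2*j*T_1 and CT > CT_w + j*T_1."""
    return ct_w > 2 * j * t1 and ct > ct_w + j * t1


def features(text):
    """Return (n_l, n_x, n_x^p). Tokenising the whole text, including what
    follows a '--' comment marker, stands in for the 'translation' step."""
    low = text.lower()
    tokens = re.findall(r"[a-z_]+", low)
    n_x = sum(t in SENSITIVE for t in tokens)
    # Sensitive words inside a known precompiled statement count as trusted.
    n_xp = sum(sum(t in SENSITIVE for t in re.findall(r"[a-z_]+", p))
               for p in PRECOMPILED if p in low)
    return len(tokens), n_x, min(n_x, n_xp)


def suspicion(req, now, t1):
    """STAND-IN score, not the patent's model: density of non-precompiled
    sensitive words, growing exponentially with execution time n_t."""
    n_l, n_x, n_xp = features(req.text)
    if n_l == 0:
        return 0.0
    return (n_x - n_xp) / n_l * math.exp((now - req.started) / t1)


def watchdog(running, ct_w, t1, now):
    """Steps S2-S7 on a snapshot of executing requests.
    Returns (ids terminated in order, id recorded as the attack or None)."""
    running = list(running)
    killed = []
    while len(running) > ct_w:                                     # S2
        worst = max(running, key=lambda r: suspicion(r, now, t1))  # S4
        if suspicion(worst, now, t1) <= 0:
            break  # added guard: plain load spike, leave it to the S3 alarm
        running.remove(worst)                                      # S5
        killed.append(worst.rid)
        now += t1                                                  # S6: T = T_1
        alive = {r.rid for r in running}
        # Simplification: after T, every request not waiting on a live lock
        # holder has completed; new arrivals are ignored.
        running = [r for r in running if r.blocked_by in alive]
    # S7: once N <= CT_w, the last terminated request is logged as the attack.
    recorded = killed[-1] if killed and len(running) <= ct_w else None
    return killed, recorded


# Constructed snapshot: request 1 holds a table lock, 2-6 wait on it.
NOW = 10.0
SAMPLE = [
    Request(1, "SELECT id FROM orders ORDER BY 1; LOCK TABLES orders WRITE --", 1.0),
    Request(2, "UPDATE orders SET status = ? WHERE id = ?", 2.0, blocked_by=1),
    Request(3, "SELECT name FROM orders WHERE id = ?", 4.0, blocked_by=1),
    Request(4, "SELECT name FROM orders WHERE id = ?", 5.0, blocked_by=1),
    Request(5, "SELECT name FROM orders WHERE id = ?", 6.0, blocked_by=1),
    Request(6, "SELECT name FROM orders WHERE id = ?", 8.0, blocked_by=1),
    Request(7, "SELECT 1", 9.5),
]

if __name__ == "__main__":
    print(thresholds_ok(j=1, t1=2.0, ct_w=5, ct=8))
    print(watchdog(SAMPLE, ct_w=5, t1=2.0, now=NOW))
```

Request 2 has been blocked for eight seconds and contains a sensitive word, but scores zero because that word belongs to a precompiled statement; this is the false-positive reduction the optional $n_x^p$ term is meant to provide.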
Example 2: this embodiment discloses an information anti-attack system. Referring to FIG. 2, the information anti-attack system includes the following modules:
Input module: used for inputting the warning thread number $CT_w$, the maximum thread number CT and the retention time T, and for entering sensitive word information.
Database: its input end is connected with the output end of the input module; used for storing sensitive word information.
SQL receiving module: used for receiving SQL request data packets.
SQL execution module: its input end is connected with the output end of the SQL receiving module; used for executing the received SQL requests.
Data statistics module I: its input end is connected with the output end of the SQL execution module; used for counting the number N of SQL requests being executed.
Comparison module: its input end is connected with the output ends of data statistics module I and the input module; used for comparing the number of requests N with the warning thread number $CT_w$.
Alarm module: its input end is connected with the output end of the comparison module; it sends out an alarm when the number of requests N is greater than the warning thread number $CT_w$.
Data translation module: its input end is connected with the output end of the SQL execution module; used for translating SQL request text into text in another format. If the sensitive word information entered in the input module is text information, the input end of the data translation module can also be connected with the output end of the database, to translate the sensitive word information in the database into text in another format.
Data statistics module II: its input end is connected with the output ends of the data translation module and the database; used for obtaining the execution duration $n_t$ and the number of strings $n_l$ of the nth SQL request, and for determining the number $n_x^p$ of precompiled sensitive words in the nth SQL request and the total number $n_x$ of sensitive words of the nth SQL request.
SQL analysis module: its input end is connected with the output ends of the SQL execution module and data statistics module II; used for calculating the suspicion index $d_n$ and taking the maximum value of $d_n$.
SQL termination module: its input end is connected with the output end of the SQL analysis module; used for terminating the SQL request whose suspicion index $d_n$ is the maximum.
Delay module: its input end is connected with the output ends of the SQL termination module and the input module, and its output end is connected with the output end of the comparison module; used for activating the comparison module after the retention time T.
Recording module: its input end is connected with the output ends of the SQL termination module and the comparison module, and its output end is connected with the database; when the number of requests N is less than or equal to the warning thread number $CT_w$, it outputs the text information of the SQL injection attack to the database.
The implementation principle of the information anti-attack system of the embodiment is as follows:
The SQL receiving module continuously acquires SQL requests and passes each acquired request to the SQL execution module for execution, and the data statistics module I counts the SQL requests being executed. The comparison module then compares the number N of SQL requests being executed with the warning thread number CT_w that the server allows to execute simultaneously. When the number N of SQL requests being executed is greater than the warning thread number CT_w, the data translation module starts translating the executing SQL requests; the data statistics module II then analyzes the translated SQL requests to obtain the execution duration n_t of the nth SQL request and the number of strings n_l of the nth SQL request, and determines the number n_x^p of precompiled sensitive words in the nth SQL request and the total number n_x of sensitive words of the nth SQL request.
The SQL analysis module then determines the suspicion index d_n of the nth SQL request according to the execution duration n_t of the nth SQL request, the number of strings n_l of the nth SQL request, the number of sensitive words n_x of the nth SQL request, and the number n_x^p of sensitive words that have been precompiled in the nth SQL request. The SQL termination module then terminates the SQL request corresponding to the maximum value of the suspicion index d_n. The delay module is then started, holds for a period of time, and triggers the comparison module again. When the number N of SQL requests being executed is less than or equal to the warning thread number CT_w that the server allows to execute simultaneously, the recording module inputs the SQL request corresponding to the maximum suspicion index d_n into the database.
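The compare / score / terminate / wait loop described above, as an added example that is not the patent's own code. The sensitive-word list, the sample requests, the all-or-nothing treatment of precompiled statements and the `suspicion` scoring function are assumptions; the scoring is a stand-in, not the patent's calculation model.

```python
import re
from dataclasses import dataclass

# Constructed sensitive-word list (assumption); the system stores its own in the database.
SENSITIVE = {"select", "union", "or", "and", "sleep", "--"}

@dataclass
class Request:
    rid: int
    sql: str
    n_t: float                 # execution duration so far, in seconds
    precompiled: bool = False  # True if the statement text was precompiled

def features(req):
    """Return (n_t, n_l, n_x, n_x_p) for one executing request."""
    n_l = len(req.sql)
    n_x = sum(tok in SENSITIVE for tok in re.findall(r"--|\w+", req.sql.lower()))
    n_x_p = n_x if req.precompiled else 0   # assumption: all-or-nothing per request
    return req.n_t, n_l, n_x, n_x_p

def suspicion(feat, lengths):
    """Stand-in score, NOT the patent's calculation model: grows with duration,
    relative length and sensitive words that were not precompiled."""
    n_t, n_l, n_x, n_x_p = feat
    return n_t * (n_l / max(lengths)) * (1 + n_x - n_x_p)

def guard(running, ct_w, wait_retention=lambda running: None):
    """While N > CT_w, terminate the request with the largest d_n, wait T, compare
    again. Returns the terminated requests, which are recorded once N <= CT_w."""
    terminated = []
    while len(running) > ct_w:                      # comparison module
        feats = {r.rid: features(r) for r in running}
        lengths = [f[1] for f in feats.values()]
        worst = max(running, key=lambda r: suspicion(feats[r.rid], lengths))
        running.remove(worst)                       # SQL termination module
        terminated.append(worst)
        wait_retention(running)                     # delay module (retention time T)
    return terminated                               # input to the recording module

def sample_requests():
    """Constructed sample of five concurrently executing requests."""
    return [
        Request(1, "SELECT name FROM users WHERE id = ?", 0.02, precompiled=True),
        Request(2, "SELECT * FROM orders WHERE user_id = ?", 0.05, precompiled=True),
        Request(3, "SELECT * FROM users WHERE id = 1 OR SLEEP(10) --", 9.5),
        Request(4, "SELECT title FROM books WHERE id = 7", 0.03),
        Request(5, "SELECT * FROM items WHERE id = 1 UNION SELECT name, email FROM members", 4.0),
    ]

if __name__ == "__main__":
    running = sample_requests()
    for req in guard(running, ct_w=3):
        print("terminated and recorded:", req.rid, req.sql)
    print("still executing:", [r.rid for r in running])
```

Only one request is terminated per comparison, so a legitimate long-running query can still be the one with the largest score; the recorded requests are candidates for review, not confirmed attacks.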
Example 3: the embodiment discloses an information anti-attack device, referring to fig. 3, the information anti-attack device includes:
a memory for storing a computer program;
a processor for executing the computer program stored in the memory, and further implementing the method described in embodiment 1.
The storage may include mass storage for storing data or instructions. By way of example, and not limitation, the storage may comprise a hard disk, floppy disk, flash memory, optical disk, magneto-optical disk, magnetic tape, or a combination of two or more of the foregoing. Where appropriate, the storage may comprise removable or non-removable (or fixed) media. The storage may be internal or external to the data processing apparatus, where appropriate. In a particular embodiment, the storage is a non-volatile solid state storage. In particular embodiments, the storage includes Read Only Memory (ROM). The ROM may be mask-programmed ROM, programmable ROM (PROM), erasable PROM (EPROM), electrically erasable PROM (EEPROM), electrically rewritable ROM (EAROM), or a combination of two or more of the foregoing, where appropriate.
Example 4: the present embodiment discloses a computer storage medium with information attack resistance, wherein the computer storage medium stores a program, and the program can implement part or all of the steps of the method described in embodiment 1 when executed.
The above embodiments are not intended to limit the scope of the present invention, so: all equivalent changes in structure, shape and principle of the invention should be covered in the scope of protection of the invention.

Claims (10)

1. An information anti-attack method is characterized in that: the method comprises the following steps:
executing the SQL request: acquiring SQL request data packets, counting the number N of SQL requests being executed, and executing all SQL requests;
alert comparison: comparing the number N of SQL requests being executed with the warning thread number CT_w that the server allows to execute simultaneously; if the number N of executing SQL requests is greater than the warning thread number CT_w, executing an alarm step and an SQL request analysis step; wherein the warning thread number CT_w that the server allows to execute simultaneously is less than the maximum thread number CT that the server allows to execute simultaneously;
alarm: sending out an alarm to prompt a database manager to intervene in management;
SQL request analysis: analyzing the SQL request, and further judging whether the executed SQL request has injection attack or not; the SQL request analysis step comprises an SQL request content analysis step and a suspicion analysis step;
SQL request content analysis: analyzing the N SQL requests being executed to obtain the execution duration n_t of the nth SQL request, the number of strings n_l of the nth SQL request, and the number of sensitive words n_x of the nth SQL request, n∈[1,N];
suspicion analysis: determining the suspicion index d_n of the nth SQL request according to the execution duration n_t of the nth SQL request, the number of strings n_l of the nth SQL request, and the number of sensitive words n_x of the nth SQL request; the calculation model of the suspicion index d_n is as follows:
in the formula, [N_l] is the set of the numbers of strings n_l of all executing SQL requests;
terminating the SQL request: ending the nth SQL request;
data retention: setting a retention time T, and executing the alert comparison step again after the retention time T.
2. The method for information attack resistance according to claim 1, wherein: in the suspicion analysis step, the number n_x^p of precompiled sensitive words in the nth SQL request is also determined, and the suspicion index is optimized according to n_x^p; the calculation model of the optimized suspicion index d_n is as follows:
3. The method for information attack resistance according to claim 1, wherein: in the alert comparison step, the average execution duration T_1 of all executed SQL requests and the average number j of SQL requests received in unit time are counted; the relationship between the warning thread number CT_w and T_1 and j is as follows:
CT_w > 2jT_1
the relationship between the maximum thread number CT and the warning thread number CT_w is as follows:
CT > CT_w + jT_1
in the data retention step, the retention time T is equal to the average execution duration T_1 of all executed SQL requests.
4. The method for information attack resistance according to claim 1, wherein: in the suspicion analysis step, the text of the SQL request is also translated, and the number of strings n_l and the number of sensitive words n_x are then counted on the translated SQL request text.
5. The method for information attack resistance according to claim 1, wherein: in the alert comparison step, if the number N of executing SQL requests is less than or equal to the warning thread number CT_w, executing SQL injection attack statistics;
SQL injection attack statistics: inputting the nth SQL request ended in the step of terminating the SQL request into the SQL injection attack database.
6. An information anti-attack system for applying the method of information anti-attack of any of claims 1-5, characterized in that: the system comprises the following modules:
an input module: used for inputting the warning thread number CT_w, the maximum thread number CT and the retention time T, and for entering sensitive word information;
database: the input end is connected with the output end of the input module and is used for storing sensitive word information;
SQL receiving module: used for receiving SQL request data packets;
the SQL execution module: the input end is connected with the output end of the SQL receiving module and is used for executing the SQL request;
data statistics module I: the input end is connected with the output end of the SQL execution module and is used for counting the number N of executing SQL requests;
a comparison module: the input end is connected with the output ends of the data statistics module I and the input module, and is used for comparing the number of requests N with the warning thread number CT_w;
and an alarm module: the input end is connected with the output end of the comparison module and used for giving an alarm;
data statistics module II: the input end is connected with the output ends of the SQL execution module and the database, and is used for obtaining the execution duration n_t of the nth SQL request and the number of strings n_l of the nth SQL request, and for determining the number n_x^p of precompiled sensitive words in the nth SQL request and the number of sensitive words n_x of the nth SQL request;
SQL analysis module: the input end is connected with the output ends of the SQL execution module and the data statistics module II, and is used for calculating the suspicion index d_n and taking the maximum value of d_n;
SQL termination module: the input end is connected with the output end of the SQL analysis module, and is used for terminating the SQL request corresponding to the largest suspicion index d_n;
a time delay module: the input end is connected with the output ends of the SQL termination module and the input module, and the output end is connected with the output end of the comparison module and is used for activating the comparison module after the retention time T.
7. An information anti-attack system according to claim 6, wherein: the system also includes a data translation module,
a data translation module: the input end is connected with the output end of the SQL execution module, and the output end is connected with the input end of the data statistics module II and is used for translating SQL request texts into texts in other formats.
8. An information anti-attack system according to claim 7, wherein: the system also includes a recording module,
a recording module: the input end is connected with the output ends of the SQL termination module and the comparison module, and the output end is connected with the database and is used for outputting text information of the SQL injection attack to the database.
9. An information anti-attack device comprising a processor and a memory, the memory for storing a computer program, characterized in that: the processor is configured to execute the computer program stored in the memory, to cause the apparatus to perform the method according to any one of claims 1-5.
10. An information anti-attack medium having stored thereon a computer program, characterized in that: the computer program, when executed by a processor, implements the method according to any of claims 1-5.
CN202311372158.7A 2023-10-23 2023-10-23 Method, system, device and medium for resisting information attack Active CN117118752B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311372158.7A CN117118752B (en) 2023-10-23 2023-10-23 Method, system, device and medium for resisting information attack


Publications (2)

Publication Number Publication Date
CN117118752A true CN117118752A (en) 2023-11-24
CN117118752B CN117118752B (en) 2024-01-09

Family

ID=88809504


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant