Authors: 田玉杰 [1], 赵泽茂 [1], 王丽君 [1], 连科 [1]
Affiliation: [1] School of Communication Engineering, Hangzhou Dianzi University, Hangzhou, Zhejiang 310018, China
Source: 《信息网络安全》 (Netinfo Security), 2015, No. 6, pp. 1-6 (6 pages)
Funding: Zhejiang Provincial Natural Science Foundation [R109000138]; Zhejiang Qianjiang Talent Program [2013R10071]
Abstract: In recent years, research on defending against SQL injection attacks has made some progress, but existing defense measures still have limitations. This paper studies several problems in SQL injection attack defense. First, to address the false positives that user-input filtering produces on normal data, a user-input filtering measure based on HTTP request classification is proposed; to address the false negatives that user-input filtering produces on malicious data, it suffices to add a syntactic-structure comparison measure. Second, to address the low detection efficiency of syntactic-structure comparison, a dynamic query matching measure based on parameterized classification is proposed. Finally, building on these two measures, a classification-based two-layer defense model against SQL injection attacks is proposed. Experimental results show that the model defends well against SQL injection attacks, effectively lowers the false positive and false negative rates of user-input filtering, and improves the detection efficiency of the syntactic-structure comparison measure.
Keywords: SQL injection attack; user input filtering; syntactic structure comparison; defense model
Classification number: TP393.08 [Automation and Computer Technology: Computer Application Technology]