检索规则说明:AND代表“并且”;OR代表“或者”;NOT代表“不包含”;(注意必须大写,运算符两边需空一格)
检 索 范 例 :范例一: (K=图书馆学 OR K=情报学) AND A=范并思 范例二:J=计算机应用与软件 AND (U=C++ OR U=Basic) NOT M=Visual
名 称:
注 释:
作 者:殷博[1] 刘磊 朱静雯 许静 YIN Bo;LIU Lei;ZHU Jing-wen;XU Jing(State Grid Tianjin Electric Power Company,Tianjin 300010,China;College of Artificial Intelligence,Nankai University,Tianjin 300350,China;College of Software,Nankai University,Tianjin 300350,China)
机构地区:[1]国网天津市电力公司,天津300010 [2]南开大学人工智能学院,天津300350 [3]南开大学软件学院,天津300350
出 处:《计算机工程与设计》2021年第3期614-621,共8页Computer Engineering and Design
基 金:国家电网公司总部科技基金项目(SGTJDK00DWJS1900105)。
摘 要:SQL注入漏洞是危害最为严重的电力Web信息系统漏洞之一,且其隐蔽性、逻辑性和时序性等特点不断增强,传统漏洞分析方法已难以满足当前的检测要求,造成准确度不足的问题。对此,提出一种状态驱动的电力Web信息系统SQL注入漏洞安全特征分析和检测模型,将攻击语句特征进行状态映射,建立检测过程的扩展有限状态机(extended finite state machine,EFSM),利用相应的状态转换关系来分析识别漏洞特征。实验对比与分析结果表明,该方法可有效提高电力信息系统中SQL注入漏洞渗透测试的准确度,降低其误报和漏报。SQL injection vulnerability is one of the most serious vulnerabilities in power Web information system,and its hidden,logical and temporal characteristics are increasingly strengthened,the traditional vulnerability analysis method is difficult to meet the current detection requirements,resulting in insufficient accuracy.A state-driven detection model was presented for the secu-rity feature analysis of power Web information system.The attack statement features were mapped to states,and the extended finite state machine(EFSM)of the test process based on the attack statement characteristics was established,and the vulnerabi-lity characteristics were analyzed using the corresponding state transition relation.The results show that the proposed method can improve the accuracy of the penetration test of SQL injection in power Web system,and reduce the testing false positives and false negatives.
关 键 词:电力信息系统 安全漏洞 扩展有限状态机 安全测试 SQL注入漏洞
分 类 号:TP311.5[自动化与计算机技术—计算机软件与理论]
正在载入数据...
正在载入数据...
正在载入数据...
正在载入数据...
正在载入数据...
正在载入数据...
正在载入数据...
正在链接到云南高校图书馆文献保障联盟下载...
云南高校图书馆联盟文献共享服务平台 版权所有©
您的IP:216.73.216.116