基于ECA规则和动态污点分析的SQL注入攻击在线检测  被引量：3

作　　者：刘吉会 何成万[1] LIU Jihui;HE Chengwan(School of Computer Science and Engineering,Wuhan Institute of Technology,Wuhan Hubei 430205,China)

机构地区：[1]武汉工程大学计算机科学与工程学院,武汉430205

出　　处：《计算机应用》2023年第5期1534-1542,共9页journal of Computer Applications

基　　金：武汉工程大学第十二届研究生教育创新基金资助项目(CX2020216)。

摘　　要：SQL注入攻击是一种常见的针对Web应用程序漏洞的攻击形式。任何形式的SQL注入攻击最终都会改变原有SQL语句的逻辑结构,违背设计者的初衷。现有的SQL注入攻击检测方法存在检测代码不易被重用、不能被在线注入Web应用程序等不足。因此,提出一种基于ECA(Event Condition Action)规则和动态污点分析的在线检测SQL注入攻击的模型。首先,定义污点标记规则监视污点源函数以标记系统外部引入数据;然后,定义污点传播规则实时跟踪污点数据在应用内部的流向;接着,定义污点检查规则以拦截污点汇聚点函数的参数,并解析它可能携带的污点状态;最后,在原始的Web应用运行时加载ECA规则脚本达到在线检测SQL注入攻击的目的,Web应用无须重新编译、打包和部署。使用Byteman实现了所提模型。在两个不同的Web应用测试实验中,该模型可以识别绝大多数的SQL注入攻击样本,对于正常请求样本没有误报,检测准确率可达99.42%,优于基于支持向量机(SVM)和基于词频逆向文件频率(TF-IDF)的方法;与基于面向方面编程(AOP)的方法相比,该模型易于在Web应用启动后在线加载检测模块。实验结果表明所提模型能够在不修改应用程序执行引擎及源码的情况下,检测6种常见的SQL注入攻击类型,且具有在线检测的优点。SQL injection attack is a common type of attack against Web application vulnerabilities.Any form of SQL injection attacks will eventually change the logical structure of the original SQL statement,going against the original intention of the designer.The existing SQL injection attack detection methods have the shortcomings that the detection code is not easily reusable and cannot be injected into Web application online.Therefore,a model for online detection of SQL injection attacks based on Event Condition Action(ECA)rules and dynamic taint analysis was proposed.Firstly,taint marking rules were defined to monitor taint source functions,thereby marking data imported from outside of the system.Then,taint propagation rules were defined to track the flow of taint data inside the application in real time.Next,taint checking rules were defined to intercept the parameters of the taint sink functions and parse taint states they may carry.Finally,the ECA rule scripts were loaded at the runtime of the original Web application for the purpose of online detection of SQL injection attacks,and the Web application did not need to be recompiled,packaged and deployed.The proposed model was implemented by using Byteman.In two different Web application test experiments,the proposed model can identify most of the SQL injection attack samples,and there are no false positives for normal request samples,the detection accuracy of the proposed model reaches 99.42%,which is better than those of Support Vector Machine(SVM)based method and Term Frequency-Inverse Document Frequency(TF-IDF)based method.Compared with the method based on Aspect-Oriented Programming(AOP),the proposed model is easy to load the detection module online after Web applications are started.Experimental results show that the proposed model can detect 6 common forms of SQL injection attacks without modifying execution engine and source code of the application,and has the advantage of online detection.

关 键 词：SQL注入攻击 动态污点分析 ECA规则 WEB应用 在线检测 

分 类 号：TP183[自动化与计算机技术—控制理论与控制工程]