The Study On Parse Tree Based NOSQL Injection Attacks Detection Mechanisms

With rapid development of non-relational database No SQL(Not only SQL)(such as Mongo DB,Redis,and Cassandra)and fast growing of the mobile Internet traffic,many IT giants need to deal with huge data.In the past,traditional relational databases do not concern the cross-border and the scale of data.Hence,No SQL with a low cost and scalability quickly becomes a new issue in IT industry.Nowadays,many IT giants such as Facebook,Google,and Amazon adopt NoSQL technologies to manage their database systems.Although these kind of database technologies have made outstanding contributions to the development of the IT industry,it also exposed some security risks.Among these threats,SQL injection attack(SQLIA),which allows attackers to bypass authentication,access privacy information,modify data,or even destroy databases.Up to now,there are many solutions to counter SQLIAs.However,there exist few approaches to counter injection attacks in No SQL databases.So,how to design an effective No SQL injection attacks detecting mechanism becomes a subject worthy of in-depth study.In this dissertation,our goal is to design an effective injection attack detecting mechanism for non-relational database.In our design,based on semantic structure analysis of execution statements we propose a detection approach using parse tree.While receiving an HTTP request from user,a parse tree is generated according to the user's request.Meanwhile,the old record of parse tree for the request is retrieved and used to compare with the generated parse tree.If the two trees are equal,it means that no No SQL injection attacks involved in this request.Based on this approach,we focus on Mongo DB,a popular non-relational database,to propose a detection mechanism in the web environment called DND(Dynamic No SQL Injection Attack Detection).It does not require access to or modifying source codes,rewriting source codes with extra libraries,or complex assisted devices.On the other aspect,we develop No SQL injection attack system called NoSQLAttack which has been an open source on Github.We promote No SQLAttack in open source community and hope this injection attack system not only greatly facilitate to the researchers performing the experiments of NoSQL injection attacksbut also improve people's awareness of network security.NoSQLMap is an open source tool which is to audit for automate injection attacks and exploit default configuration weaknesses in NoSQL databases.This tool is currently the only one foreign open source for No SQL injection attacks and we fortunately join the development of NoSQLMap.Finally,we adopt No SQLAttack and No SQLMap to attack our designed mechanism DND on Mongo DB.The experimental results show that DND has high accuracy rates,low false positive rates,and low response time.It is sufficiently to demonstrate that our detection mechanism DND is efficient to counter NoSQL injection attacks for the WEB environment on MongoDB.