Research On SQL Injection Defense Technology For Web Applications

Posted on: 2019-11-25 | Degree: Master | Type: Thesis
Country: China | Candidate: Q Zhao | Full Text: PDF
GTID: 2428330548987407 | Subject: Computer technology
Abstract/Summary:
With the rise of the Internet, banking services, online shopping, online education, e-mail, daily social networking and other online businesses have become an integral part of people's daily lives. Web applications have been widely used and have also brought a series of computer security issues. SQL injection is the most common and most harmful attack method against Web applications. If it cannot be prevented in time, it leads to serious consequences, such as theft, falsification, and deletion of data in the database. Research on SQL injection attacks began in 1998. Even now, SQL injection attacks remain frequent and are still at a high level. Therefore, it is of great theoretical and practical value to study the defense against SQL injection attacks in Web applications. The main research work of this paper is as follows:

First, we analyze the research status of Web application defense against SQL injection attacks. At present, most defense technologies only defend against the SQL injection attack itself; they do not consider how to stop an attacker from understanding the acquired information after a successful attack. To solve this problem, a difficult-to-understand second-order SQL injection defense model, DUS, is proposed. This model not only defends against SQL injection attacks but also prevents the attacker from understanding the acquired information after a successful attack. To accomplish this, the model is designed with two defense stages: the input verification stage V and the query matching stage M.

Secondly, the input verification phase V of the DUS defense model is designed; the V phase uses a classification-based data input verification method. This method identifies sensitive data in user input, encrypts user input that contains sensitive data, and filters user input that does not contain sensitive data. This solves the problem that existing defense technology does not consider the attacker's understanding of the acquired information after a successful attack. The query matching phase M of the DUS defense model is then designed; the M phase uses a statement-normalization query matching method. The method extracts the operation type of the SQL statement and the name of the database table used, and parses the SQL statement to convert it into a standard SQL statement. The normalized SQL statements are then matched to prevent SQL injection attacks. This solves the problem that input validation can be bypassed by attackers.

Finally, simulation experiments verify the performance of the DUS defense model. Using three indicators (accuracy, false alarm rate, and false negative rate), the DUS defense model was compared with the GreenSQL tool. Simulation results show that the DUS defense model is effective and feasible, and can effectively reduce the false negative rate and improve defense efficiency.
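The statement-normalization query matching described for phase M can be illustrated with a short sketch. This is an added example, not code from the thesis: the tokenizer, the allowlist built from known application statements, and the sample queries are assumptions constructed here, since the abstract does not give the DUS implementation.

```python
import re

# Tokens: string literals, numbers, words, comment markers, other symbols.
_TOKEN = re.compile(r"""
    '(?:[^']|'')*'            # quoted string literal ('' is an escaped quote)
  | \d+(?:\.\d+)?             # numeric literal
  | [A-Za-z_][A-Za-z_0-9]*    # keyword or identifier
  | --|/\*|\*/                # comment markers stay visible in the skeleton
  | [^\sA-Za-z_0-9]           # any other single symbol
""", re.VERBOSE)

def normalize(sql):
    """Return the statement skeleton: literals become '?', words are upper-cased."""
    out = []
    for tok in _TOKEN.findall(sql):
        if (len(tok) >= 2 and tok[0] == "'") or tok[0].isdigit():
            out.append("?")          # complete string or numeric literal
        else:
            out.append(tok.upper())  # keyword, identifier, symbol, stray quote
    return " ".join(out)

def profile(sql):
    """(operation type, table name, normalized statement) for one query."""
    toks = normalize(sql).split()
    op = toks[0] if toks else ""
    table = next((toks[i + 1] for i, t in enumerate(toks[:-1])
                  if t in ("FROM", "INTO", "UPDATE")), "")
    return op, table, " ".join(toks)

def build_allowlist(known_queries):
    """Profiles of the statements the application is expected to issue."""
    return {profile(q) for q in known_queries}

def is_allowed(sql, allowlist):
    """A query passes only if its whole profile matches a known statement."""
    return profile(sql) in allowlist

# Constructed sample data (hypothetical application statements and inputs).
KNOWN = ["SELECT id, name FROM users WHERE name = 'alice' AND pin = 1234",
         "UPDATE users SET pin = 1 WHERE id = 7"]
SAMPLES = {
    "benign": "select id, name from users where name = 'bob' and pin = 42",
    "tautology": "SELECT id, name FROM users WHERE name = '' OR '1'='1' AND pin = 0",
    "comment": "SELECT id, name FROM users WHERE name = 'admin' -- ' AND pin = 0",
}

def demo():
    allow = build_allowlist(KNOWN)
    return {name: is_allowed(q, allow) for name, q in SAMPLES.items()}

if __name__ == "__main__":
    print(demo())
```

Because matching is done on the normalized statement rather than on the raw input, a value that slips past input filtering still changes the skeleton and fails the match.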
Keywords/Search Tags:Web Security, SQL Injection, DUS Defense Model, Input Verification V, Query Match