
Research On The SQL Injection Attack Filtering Technology

Posted on: 2019-12-15
Degree: Master
Type: Thesis
Country: China
Candidate: C W Han
GTID: 2428330575473641
Subject: Computer application technology

Abstract/Summary:
Web applications are gradually becoming an important part of our daily lives, and many everyday activities rely on the functions they provide. At the same time, Web security problems have become more and more serious, so research on Web security has become a key and hot topic in the field of information security. SQL injection is one of the most common and most dangerous vulnerabilities in Web security. It has appeared in the OWASP (Open Web Application Security Project) Top Ten for many years in a row and has ranked number one many times. To effectively improve the security of Web applications, this thesis addresses SQL injection attacks by combining user input filtering, comparison of SQL syntax tree structures, Web crawlers, and artificial neural networks. The main achievements of this thesis include the following:

1. To address the low recognition rate and high false positive rate of traditional SQL injection filtering methods, this thesis proposes a SQL injection filtering method based on the SQL syntax tree, introducing the security strategy of SQL syntax tree comparison into the design of user input filtering. The method first extracts the user input and assumes that the input parameter is a character type. The user input X is substituted into the specified SQL statement "select a from b where c=?" (? is a placeholder) and the statement is parsed. If parsing fails, the input is intercepted. If parsing succeeds, the characteristics of the generated SQL syntax tree (the total number of nodes in the tree) are compared with the expected characteristics to decide whether to intercept. Finally, the method judges whether the parameter input by the user may be a numeric type. If so, the user input is substituted into the specified SQL statement as a numeric type and the steps above are repeated. This determines whether the user input is a SQL injection attack.

2. Method 1 has a shortcoming: when the parameter normally input by the user is actually a character type, but the input would be a SQL injection attack if the parameter type were assumed to be numeric, method 1 may generate a false positive for normal user input. Building on the filtering method described above, this thesis exploits a characteristic of Web applications: there is a certain mapping relationship between the URL and parameters in a received HTTP request packet and the SQL statement executed by the application's back-end database. Combining this with a Web crawler, URL length detection and access frequency control, a new SQL injection filtering method named LFS (length-frequency-SQL syntax tree) is proposed. The method has two stages, learning and filtering. The learning phase runs in a secure environment: a crawler and a database proxy crawl the application starting from user-supplied start data and generate a mapping table of URLs and SQL statements. The filtering phase runs in the real-world environment and detects SQL injection attacks using URL length detection, connection frequency detection and SQL syntax tree features.

3. With the continuous development of artificial intelligence, the precision of machine learning models has greatly improved, and how to use machine learning models to better defend against SQL injection has become a research hot spot. Against this background, this thesis combines a deep neural network with Bag of Words (BoW) and proposes a SQL injection filtering scheme based on deep neural networks. The method first performs lexical analysis on the user input, generating tokens one by one, and then converts them into corresponding numerical feature vectors according to the bag-of-words model. Then, using the deep learning framework TensorFlow, two neural network structures, a multi-layer perceptron and a recurrent neural network, are trained on these feature vectors to generate models for SQL injection filtering, thereby implementing SQL injection attack detection.

This thesis uses SQL injection attack data generated with SQLMAP to evaluate the three methods above on measures such as recognition rate and false positive rate. The experimental results show that the proposed SQL injection filtering methods are significantly better than traditional SQL injection filtering methods and can effectively increase the recognition rate of SQL injection and reduce the false positive rate, providing new ideas and methods for subsequent research.
Keywords/Search Tags: SQL injection, Web security, Input validation, SQL syntax tree, Artificial neural network
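
The filter described in item 1 of the abstract, sketched as an added example (not code from the thesis). Assumptions: a small regex tokenizer stands in for a full SQL parser, the token count stands in for the syntax tree's total node count, and "may be a numeric type" is taken to mean the input starts with a digit.

```python
import re

# Statement from the abstract; "?" is written as {} so the input can be substituted.
TEMPLATE = "select a from b where c={}"

# Assumption: this tokenizer is a stand-in for the thesis's SQL parser.
TOKEN = re.compile(r"""
    \s+                                          # whitespace, skipped
  | (?P<comment>--[^\n]*|\#[^\n]*|/\*.*?\*/)     # SQL comments count as nodes
  | (?P<string>'(?:[^']|'')*')                   # quoted literal, '' is an escaped quote
  | (?P<number>\d+(?:\.\d+)?)
  | (?P<word>[A-Za-z_][A-Za-z0-9_]*)             # keyword or identifier
  | (?P<op>[=<>!]+|[(),;*+\-/.])
""", re.X | re.S)

def tokenize(sql):
    """Return the list of token kinds; raise ValueError when parsing fails."""
    kinds, pos = [], 0
    while pos < len(sql):
        m = TOKEN.match(sql, pos)
        if m is None:
            raise ValueError(f"cannot parse at offset {pos}")
        if m.lastgroup:                  # None means whitespace
            kinds.append(m.lastgroup)
        pos = m.end()
    return kinds

# Expected feature: node count of the statement with one benign literal.
EXPECTED_NODES = len(tokenize(TEMPLATE.format("'x'")))

def is_injection(user_input):
    """Apply the character-type check, then the numeric-type check if applicable."""
    candidates = ["'{}'".format(user_input)]         # step 1: assume character type
    if user_input.lstrip()[:1].isdigit():            # assumption: "may be numeric"
        candidates.append(user_input)                # step 2: repeat as numeric type
    for value in candidates:
        try:
            kinds = tokenize(TEMPLATE.format(value))
        except ValueError:
            return True                              # parsing failed: intercept
        if len(kinds) != EXPECTED_NODES:
            return True                              # tree feature differs: intercept
    return False

if __name__ == "__main__":
    # Constructed sample inputs, not data from the thesis.
    for sample in ["alice", "42", "x' or '1'='1", "1 or 1=1", "O'Brien"]:
        print(repr(sample), "->", "intercept" if is_injection(sample) else "pass")
```

The input `1 or 1=1` passes the character-type check and is intercepted only by the numeric-type check, which is the case item 2 identifies as a false positive when the real parameter is a character type.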