Looking for breakthrough ideas for innovation challenges? Try Patsnap Eureka!

Detection method and detection system for SQL injection attack

A technology of injection attack and detection method, applied in the field of information security, it can solve the problems of website security threats, inability to know website SQL injection attack vulnerabilities, weak sense of product value, etc., and achieve the effect of improving accuracy

Active Publication Date: 2017-01-25
NSFOCUS INFORMATION TECHNOLOGY CO LTD +1
View PDF2 Cites 25 Cited by
  • Summary
  • Abstract
  • Description
  • Claims
  • Application Information

AI Technical Summary

Problems solved by technology

[0004] The above two methods are based on the detection of HTTP requests. The obvious defect brought about by this is that the judgment of SQL injection attacks is based on theory and has not been tested in practice, which will cause more false positives.
There are at least two adverse effects: one is that the website itself has no loopholes, but the protection product generates a bunch of attack logs, which customers cannot read, and the value of the product is not strong; the other is that the website itself has loopholes, but because Attacks are blocked by protection products, and website administrators cannot know the SQL injection attack vulnerabilities that exist on the website. Once the protection products fail or there are new 0-day (cracked) vulnerabilities that bypass the protection products, the website security will be seriously threatened

Method used

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
View more

Image

Smart Image Click on the blue labels to locate them in the text.
Viewing Examples
Smart Image
  • Detection method and detection system for SQL injection attack
  • Detection method and detection system for SQL injection attack
  • Detection method and detection system for SQL injection attack

Examples

Experimental program
Comparison scheme
Effect test

Embodiment Construction

[0022] In order to reduce the false alarm rate and false negative rate of SQL injection attack detection, the present invention provides a SQL injection attack detection method and system.

[0023] The implementation principle of the SQL injection attack detection method provided by the embodiment of the present invention is: the firewall detects the HTTP request sent by the client to the server, sends the detected security attack HTTP request to the server, and intercepts the detected dangerous attack HTTP Request, for the HTTP response corresponding to the security attack HTTP request returned by the server to the requesting end, if it is detected that the HTTP response contains the preset first characteristic information, then it is confirmed that there is a SQL injection vulnerability. The above-mentioned SQL injection attack detection method Allow some HTTP requests containing security attack HTTP requests to be sent to the server, and then detect whether there is a SQL in...

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More

PUM

No PUM Login to View More

Abstract

The invention discloses a detection method and a detection system for SQL (Structured Query Language) injection attack. The detection method and the detection system are used for increasing the accuracy of vulnerability detection for SQL injection attack and assisting the website in finding the true SQL injection vulnerability. The detection method for SQL injection attack comprises the following steps of: detecting a dangerous attack HTTP (Hyper Text Transfer Protocol) request and / or safe attack HTTP request contained in an HTTP request, for the HTTP request sent to a server by a request terminal; sending the detected safe attack HTTP request to the server and intercepting the detected dangerous attack HTTP request; for an HTTP response corresponding to the HTTP request containing the safe attack HTTP request returned to the request terminal by the server, confirming the existence of the SQL injection vulnerability if detecting the preset first feature information contained in the HTTP response.

Description

technical field [0001] The invention relates to the technical field of information security, in particular to a SQL injection attack detection method and system. Background technique [0002] SQL (Structured Query Language, Structured Query Language) injection attack refers to the construction of special input as parameters into the Web application, and these inputs are mostly some combinations in the SQL syntax, by executing the SQL statement to execute the attacker's desired The main reason is that the program does not carefully filter the data entered by the user, resulting in illegal data intrusion into the system. [0003] The current defense algorithms against SQL injection are mainly based on rules and semantic analysis. The rules mainly use regular matching to filter the input parameters for each SQL injection rule. Semantic analysis is mainly based on the compiling principle. It performs semantic analysis on HTTP (HyperText Transfer Protocol, Hypertext Transfer Pr...

Claims

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More

Application Information

Patent Timeline
no application Login to View More
Patent Type & Authority Applications(China)
IPC IPC(8): H04L29/06H04L29/08
CPCH04L63/0209H04L63/1433H04L63/1466H04L67/02
Inventor 彭元
Owner NSFOCUS INFORMATION TECHNOLOGY CO LTD
Who we serve
  • R&D Engineer
  • R&D Manager
  • IP Professional
Why Patsnap Eureka
  • Industry Leading Data Capabilities
  • Powerful AI technology
  • Patent DNA Extraction
Social media
Patsnap Eureka Blog
Learn More
PatSnap group products

Browse by: Latest US Patents, China's latest patents, Technical Efficacy Thesaurus, Application Domain, Technology Topic, Popular Technical Reports.

© 2024 PatSnap. All rights reserved.Legal|Privacy policy|Modern Slavery Act Transparency Statement|Sitemap|About US| Contact US: help@patsnap.com