Abstract
As the core component of an information system, the database stores a large amount of important data and is exposed to SQL injection, the most damaging attack against it. Traditional database defenses require prior knowledge, such as the characteristics of the attack behavior, before they can defend effectively, and they suffer from being static, transparent and lacking in diversity. Against this background, and based on the dynamic heterogeneous redundancy principle of mimic defense, this paper uses a reserved-word mimicry module, a fingerprint filtering module and a mimetic middleware module to realize fingerprinting, de-fingerprinting and similarity judgment of SQL injection instructions, and proposes a mimetic database model with endogenous security. The model is tested with the SQL injection module of the penetration-testing practice system DVWA, verifying the availability and security of the mimetic database model.
Authors
ZHAO Lin-Na (赵琳娜); NI Ming (倪明); YU Wei-Dong (喻卫东)
East China Institute of Computing Technology, Shanghai 201808, China
Source
Computer Systems & Applications (《计算机系统应用》)
2019, No. 9, pp. 251-257 (7 pages)
Funding
National Key Research and Development Program of China (2016YFB0800100)
Keywords
Web security
SQL injection
mimic defense
dynamic heterogeneous redundancy
database