臺灣博碩士論文加值系統

電腦網路的快速發展，其無遠弗屆、隨時隨時地可取用的特性，產生了許多新的應用，但也同時形成了網路安全上的威脅。許多組織除了架構防火牆作為第一道安全防線外，具不同技術、特性的入侵偵測系統(Intrusion Detection Systems，IDS)也被發展成為網路系統的第二層防護，以及早發現、處理可疑攻擊事件，降低網路攻擊事件造成組織重大的損失。
典型電子商務網站的會員認證與資料查詢作業，是藉由使用者端透過瀏覽器將輸入資料或查詢條件，經由網頁程式存取後端資料庫並將結果呈現在網頁上。在N-tier的架構下，雖然後端的資料庫系統大多架設在企業內部，可透過防火牆的存取控制清單（Access Control List）設定做有效的保護，但是具有惡意的使用者仍可能透過網頁伺服器此合法管道，以SQL Injection攻擊方式對資料庫做進一步的存取及破壞。
本研究提出以資料探勘技術為基礎的應用型入侵防禦系統，結合攻擊特徵比對、存取權限控管及自動警訊通報機制，可有效偵測及阻擋SQL Injection攻擊事件。
關鍵字：SQL Injection、Access Control List、資料探勘、防火牆、入侵偵測系統。

Internet cross over the restriction of the timespace and region,bring people the work and living tremendous convenience,but also forminged an information security up the larger threat.The fast development of the computer network, it is far-reaching, at any time commendable use at any time of characteristic, generate many new applications, but also forminged in the meantime the threat of the networ security。Many organizations constructed the structure of firewall as the first safe defense line,and IDS(Intrusion Detection Systems) also is developed to become the networ system of secondary protection。To find and handle suspicious hit event early, reduces the networ hit that cause to organize heavy great damage.
Member's certification and data of the typical model E-Commerce website search homework, via the user port and will feed the data or the search condition through the browser。After accessing through the web page program carry database and will present as a result on the web page。Under the structure of the N-tier, although the back carries of the database system installs mostly in the enterprise inner part, can through the access control the detailed list(the Access Control List) setting of the fire wall do a valid protection, have malevolent user still probably through the web page server this legal piping, attack mode by the SQL Injection to does further access and the puncture to the database.
This research puts forward taking sort as a basal applied type to invade to guard against system, combining to attack a characteristic compare to and access the legal power controls a mechanism, can detect and impede the SQL Injection hit event effectively, and provide the automatic caution notification mechanism.
KeyWord：SQL Injection、Access Control List、DataMining、Firewall、Intrusion Detection system。

目錄

中文摘要……………………………………………………………… 1
英文摘要 ……………………………………………………………… 3
誌謝 …………………………………………………………………… 4
目錄…………………………………………………………………… 5
圖索引………………………………………………………………… 7
表索引………………………………………………………………… 8
第一章 緒論 ………………………………………………………… 10
1.1 研究機動 ……………………………………………………… 10
1.2 研究目標 …………………………………………………………13
1.3 論文架構 …………………………………………………………15
第二章 相關研究 …………………………………………………… 15
2.1 網站攻擊事件 ………………………………………………… 15
2.2 入侵偵測系統 ……………………………………………………20
2.3 SQL Injection（資料隱碼）攻擊………………………………25
2.4 ISAPI 篩選常式………………………………………………… 29
2.5 資料探勘方法 ……………………………………………………30
第三章 系統架構與方法 …………………………………………… 34
3.1 系統架構與流程 ……………………………………………… 34
3.2 入侵防禦方法 ……………………………………………………37
第四章 系統實驗與結果 …………………………………………… 43
4.1 實驗環境………………………………………………………… 43
4.2 測試資料 …………………………………………………………45
4.3 分類結果 …………………………………………………………45
4.4 實驗結果 …………………………………………………………48
第五章 結論與未來展望 …………………………………………… 53
5.1 結論……………………………………………………………… 53
5.2 未來展望 …………………………………………………………54
參考文獻 ………………………………………………………………56
附錄
1 SQL Injection語法範例……………………………………………59
2 封包擷取格式……………………………………………………… 60

圖索引

圖2-1 Web 應用系統較常使用之攻擊手法統計圖………………… 18
圖3-1圖3-1網站入侵防護系統架構………………………………… 36
圖3-2 IIS網站伺服器架構圖…………………………………………38
圖3-3 資料庫系統回應之錯誤訊息…………………………………39
圖4-1 ISAPI Filter設定………………………………………………44
圖4-2 ODBC資料來源設定 ……………………………………………44
圖4-3 SQL Injection及正常樣本訓練資料…………………………45
圖4-4 C4.5 True CostCurve…………………………………………47
圖4-5 C4.5 False CostCurve……………………………………… 47
圖4-6 使用者帳號登入畫面………………………………………… 48
圖4-7 偵測入侵攻擊畫面…………………………………………… 48
圖4-8 ISS Server Sensor偵測結果…………………………………51
圖4-10 CA eTrust IDS偵測結果…………………………………… 52

表索引

表 2-1 WEB應用的十大漏洞………………………………………… 17
表 2-2 Web 應用系統較常使用之10種攻擊手法……………………18
表 2-3 ISAPI Filter篩選告知的類型………………………………29
表 3-1 使用者輸入資料特徵值………………………………………39
表 4-1 本系統分類訓練結果…………………………………………46
表 4-2入侵偵測系統測試結果……………………………………… 50
表 4-3入侵偵測系統對於部分特徵值的偵測比較………………… 50

參考文獻

[1] Abdulkader A. Alfantookh,”An Automated Universal Server Level Solution For SQL Injection Security Flaw”,IEEE Conference,2004.
[2] Gregory T. Buehrer, Bruce W. Weide, Paolo A. G. Sivilotti,“Using Parse Tree Validation to Prevent SQL Injection Attacks”, ACM 1­59593­204­4/05/09,Sep 2005.
[3] Yao-Wen Huang, Fang Yu, Christian Hang, Chung-Hung Tsai, D. T. Lee, Sy-Yen Kuo,“Securing Web Application Code By Static Analysis and Runtime Protection”,ACM 1-58113-844-X/04/0005, May 2004.
[4] Shu Wenhui, Tan T H, Daniel, “A Novel Intrusion Detection System Model for Securing Web-based Database Systems”,IEEE Conference,2001.
[5] William G.J. Halfond,Alessandro Orso, “Combining Static Analysis and Runtime Monitoring to Counter SQLInjection Attacks”, Workshop on Dynamic Analysis (WODA 2005),17 May 2005.
[6] Yi Hu , Brajendra Panda , “A Data Mining Approach for Database Intrusion Detection” , ACM Symposium on Applied Computing,March 2004.
[7] Yi Hu, Brajendra Panda,” Identification of Malicious Transactions in Database Systems”, Proceedings of the Seventh International Database Engineering and Applications Symposium,IEEE Conference,2004.
[8] Tatyana Ryutov, Clifford Neuman, Dongho Kim, Li Zhou,”Integrated Access Control and Intrusion Detection for Web Servers”, IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS,September 2003.
[9] Chris Anley ,”Advanced SQL Injection In SQL Server Applications”, An NGSSoftware Insight Security Research (NISR) Publication conference, http://www.ngssoftware.com/papers/advanced_sql_ injection.pdf, 2002.
[10] Chris Anley ,” (more) Advanced SQL Injection”, An NGSSoftware Insight Security Research (NISR) Publication conference, http://www.nextgenss.com/papers/more_advanced_sql_injection.pdf,June 2002.
[11] Kevin Spett,”Blind SQL Injection”,secure protect inspect, www.spidynamics.com/whitepapers/Blind_SQLInjection.pdf
[12] Ofer Maor,Amichai Shulman,” SQL Injection Signatures Evasion＂, Application Defense Center, www.imperva.com/download.asp?id=2, April 2004.
[13] Sam Shober, “Testing Web Applications for SQL Injection”, http://www.stickyminds.com/getfile.asp?ot=XML&id=6007&fn=XDD6007filelistfilename1%2Epdf.
[14] Kevin Spett ,”SQL Injection”, www.spidynamics.com/whitepapers/WhitepaperSQLInjection.pdf.
[15] “The Importance of Web Application Scanning”,Acunetix whitepaper,nov 2005.
[16] The Open Web Application Security Project (OWASP), “A Guide to Building Secure Web Applications and Web Services” 2.0 Black Hat Edition,http://landau.dsic.upv.es/pbs/OWASPGuide2.0.1.pdf ,July 2005.
[17] The Open Web Application Security Project (OWASP), “The Ten Most Critical Web Application Security Vulnerabilitise” 2.0 Black Hat Edition,http://www.pisa.org.hk/event/OWASP_WebScarab_and_WebGoat.pdf , Jan 2004.
[18]John Viega,Matt Messier,Secure Software,”Security is Harder than you Think”, QUEUE,July 2004.
[19] TW-CERT,SQL Injection 簡介與相關防護http://www.cert.org.tw/document/column/show.php?key=96.
[20] 賴溪松教授，”入侵偵測技術”， http://crypto.ee.ncku.edu.tw/class/network_security/93/Ch8.pdf.
[21] 朱瑞狄、賴冠州, “從入侵偵測到入侵防禦”, http://www.broadweb.com/upfiles/tech1087291453.pdf.
[22] 曾仲強,賴谷鑫,陳嘉玫,鄭炳強,”以支援向量機為基礎之後門程式入侵偵測” ,國立中山大學資管系, http://neumann.mis.stu.edu.tw/tungsh/Courses/Spring2006/BI/Chi/taai2005-paper-SS2-3.pdf.
[23] Yue-Shi Lee, Show-Jane Yen,Chi-Hsuan Lin,“Performance Evaluation on a Classification System”, Department of Computer Science and Information Engineering,Ming Chuan University,” http://jie.soit.mcu.edu.tw/notes/authorguidelines-ch.doc”.
[24] 胡百敬,”SQL Injection (資料隱碼)– 駭客的 SQL填空遊戲”,http://www.microsoft.com/taiwan/sql/SQL_Injection_G1.htm.
[25] MSDN Library,“ISAPI 篩選常式”, http://msdn.microsoft.com/library/cht/default.asp?url=/library/CHT/vccore/html/_core_isapi_extensions.3a_.filters.asp.
[26] 陳勇君,”面對WEB化教務行政，如何蒙其利，避其害”, http://www.jwit.edu.tw/~ccds94/slide/20051117track1-03.pdf