Author: 李玠樺
Author (English): Jieh-Hua Lee
Title: 以階段式分析為基礎之資料隱碼防禦系統
Title (English): A Layer-based SQL Injection Prevention System
Advisor: 江清泉
Advisor (English): not provided by the author
Degree: Master
Institution: 銘傳大學 (Ming Chuan University)
Department: 資訊傳播工程學系碩士班 (Master's Program, Department of Information and Communication Engineering)
Discipline: Communication
Field: General Mass Communication
Thesis type: Academic thesis
Year of publication: 2012
Academic year of graduation: 100 (ROC calendar)
Language: Chinese
Pages: 55
Keywords (Chinese): intrusion prevention system, SQL injection attack, network security
Keywords (English): Intrusion Prevention System, SQL Injection Attack, Information Security, Network Attack
Record statistics:
  • Cited: 0
  • Views: 140
  • Rating: none
  • Downloads: 0
  • Bookmarked: 0
With the widespread use of web applications and databases, many services can now be delivered through web pages. However, if a web application has a security vulnerability at run time, such that user input reaches the database without any checking, a malicious attacker can exploit that vulnerability to carry out a SQL injection attack, leading to data leakage, the implantation of malicious code, and similar problems.
This thesis places a verification and defense mechanism between the web server and the database. Through a three-stage command collection process, all SQL commands used by the web pages are first recorded and their content is written into Snort inline rules; the Snort inline intrusion prevention system then verifies user input against those rules. If the user's input is legitimate, the user is allowed to access the database. If the input adds extra content to the legitimate commands, or contains none of the legitimate content at all, the user is judged to be performing a SQL injection attack: the attacker's connection to the database is terminated and the input is logged, thereby defending against the attack.
With this defense mechanism, web developers need not modify any web application source code, and web users, without being aware of the mechanism, can still access the database normally while malicious attackers are prevented from performing SQL injection attacks, thus protecting users' personal data.
Web applications are the most popular services on the Internet. Many services combine databases with web applications to provide the necessary information. Security problems with web applications are increasing with the growth of Internet applications. Malicious users can exploit vulnerabilities in web applications with SQL injection attacks to obtain information from the database or compromise the system.
A layer-based SQL injection prevention system (LBSIPS) is proposed in this paper to protect the database. In the first step, SQL commands are collected and classified using an inline monitoring mechanism. In the second step, privileges and access control are verified by examining the database and the predefined profile, and Snort rules are established to filter out suspicious activities. An inline LBSIPS infrastructure is implemented, and the experimental results show that SQL attacks are blocked, thus improving the security of web applications.
Abstract (Chinese)
Abstract (English)
Acknowledgements
Table of Contents
List of Tables
List of Figures
Chapter 1 Introduction
1.1 Research Background and Motivation
1.2 Research Objectives
1.3 Thesis Organization
Chapter 2 Related Techniques and Research
2.1 SQL Injection Attack
2.1.1 Illegal/Logically Incorrect Query
2.1.2 Tautology
2.1.3 End of Line Comment
2.1.4 Union Query
2.1.5 Piggy-backed Query
2.2 Research on Defenses Against SQL Injection Attacks
2.2.1 Source Code Inspection
2.2.2 Client-side Defense Mechanisms
2.2.3 Web Application-side Defense Mechanisms
2.2.4 Defense Mechanisms at SQL Query Submission
2.2.5 Database-side Defense Mechanisms
2.3 Snort inline Intrusion Prevention System
Chapter 3 System Architecture and Defense Method
3.1 System Architecture
3.2 Command Collection Stage
3.3 Rule Writing Stage
3.3.1 Select Query and Delete Commands
3.3.2 Insert and Update Commands
3.4 Real-time Defense Stage
3.4.1 Drop Handling
3.4.2 Pass and Reject Handling
Chapter 4 Research Results and Experimental Analysis
4.1 System Operation Interface
4.1.1 Command Collection Stage
4.1.2 Rule Writing Stage
4.1.3 Real-time Monitoring Stage
4.4 Analysis of Query Time Delay
4.5 Defense Success Rate Test
Chapter 5 Conclusion
References
Appendix
Electronic full text: available only within the campus network and IP range of the author's institution.