A New Approach for SQL-Injection Detection


Abstract

With the deepening of information construction, Web architecture is widely used in various business systems. While bringing convenience, these new technologies also introduce great security risks. Web security has been a serious issue in information security, and SQL injection is one of the most common means of attack against Web services. SQL injection often changes the structure of SQL statements. This paper proposes a self-learning approach to counter SQL injection. In safe environments, it automatically learns the structural features of all legal SQL statements and constructs a knowledge library based on the SQL syntax tree; in real environments, it matches every SQL statement against the knowledge library to find whether the structural features have been changed. If the match succeeds, the SQL statement is legal. SQL statements that fail pattern matching are not immediately determined to be illegal. Instead, a depth-feature check based on Value-at-Risk is applied to identify the truly illegal SQL statements. This method, which combines mode-matching and character-filtering, can reach good results. Experimental results prove that the proposed approach holds good performance and perfect protection against SQL injection.
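The first stage described in the abstract (learn the structure of legal statements in a safe environment, then match live statements against that library) can be sketched as follows. This is an added example, not code from the paper: it simplifies the SQL syntax tree to a flat token skeleton with literals replaced by `?`, all function names and sample queries are constructed, and the Value-at-Risk second stage is left out because the abstract gives no detail of it.

```python
import re

# Simplified lexer (assumption: stands in for the paper's SQL syntax tree).
TOKEN_RE = re.compile(r"""
    (?P<lit>'(?:[^']|'')*'|\b\d+(?:\.\d+)?\b)   # string or numeric literal
  | (?P<comment>--[^\n]*|/\*.*?\*/|\#[^\n]*)    # SQL comments
  | (?P<word>[A-Za-z_][A-Za-z0-9_.]*)           # keyword or identifier
  | (?P<op><>|!=|<=|>=|[=<>(),;*+\-/%])         # operators and punctuation
  | (?P<other>\S)                               # anything unlexed, e.g. a stray quote
""", re.VERBOSE | re.DOTALL)


def skeleton(sql):
    """Reduce a statement to its structure: literals become '?',
    keywords and identifiers are case-folded, comments are kept as a marker."""
    out = []
    for m in TOKEN_RE.finditer(sql):
        kind = m.lastgroup
        if kind == "lit":
            out.append("?")
        elif kind == "comment":
            out.append("<comment>")
        elif kind == "word":
            out.append(m.group().upper())
        elif kind == "op":
            out.append(m.group())
        else:
            out.append("<other>")
    return tuple(out)


def learn(statements):
    """Learning phase: collect skeletons of statements seen in the safe environment."""
    return {skeleton(s) for s in statements}


def check(sql, library):
    """Matching phase: a known skeleton is legal; an unknown one is only
    'suspect' and would go on to the second-stage check."""
    return "legal" if skeleton(sql) in library else "suspect"


# Constructed training statements, as an application might issue them.
TRAINING = [
    "SELECT id, name FROM users WHERE name = 'alice' AND active = 1",
    "SELECT title FROM posts WHERE author_id = 7 ORDER BY created LIMIT 10",
]
LIBRARY = learn(TRAINING)
```

A value that contains a properly escaped quote (`'O''Brien'`) still collapses to a single `?`, so it matches the learned skeleton, while input that adds an `OR` clause or a trailing comment changes the token sequence and is routed to the second stage.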
