
Research On SQLIA Detection And Stage Identification Method Based On Outbound Traffic

Posted on: 2024-05-07
Degree: Master
Type: Thesis
Country: China
Candidate: H L Fu
GTID: 2568307130473974
Subject: Software engineering

Abstract/Summary:
SQL Injection Attack (SQLIA) is one of the most threatening web application attack methods and poses a significant security risk to current web applications. Different stages of SQLIA can cause varying degrees of damage to information systems. To address the security threats posed by SQLIA, researchers from both domestic and international domains have proposed numerous solutions, primarily focusing on detection and defense from inbound traffic. However, due to the ever-evolving nature of SQLIA with diverse variations and increasingly complex techniques, existing inbound traffic-based detection methods exhibit high false-negative rates when faced with unknown or transformed SQLIA, and cannot accurately determine the true extent of the threat. This is one of the pressing challenges in the field of cybersecurity. Given the aforementioned problems, this thesis aims to explore the perspective of outbound traffic from the web server itself. The main research work includes:

(1) In response to attackers' meticulously crafted unknown or transformed SQLIA statements to bypass detection, some studies have analyzed the characteristics of different stages of SQLIA from the attacker's perspective. However, these studies primarily focus on the analysis stage rather than the identification stage. Therefore, this thesis proposes a method called An SQLIA Detection and Stage Identification Method Based on Outbound Traffic (SDSIOT). This method adopts a two-stage structure, where SDSIOT detects SQLIA in the first stage (Phase Ⅰ) and identifies its stage in the second stage (Phase Ⅱ). Two tasks are accomplished by constructing models using 13 features extracted from outbound traffic. The proposed method is validated using a self-collected dataset and publicly available data. Experimental results demonstrate that the proposed method can accurately detect SQLIA and identify its stage, without the need to analyze meticulously crafted SQLIA statements by attackers, thus exhibiting advantages compared to other methods.

(2) Regarding the diversity of sensitive information leaked through SQLIA, traditional regular expression matching methods struggle to accurately identify all leaked data. This thesis addresses this issue by analyzing the difference in outbound traffic HTTP response lengths generated during the successful and failed processes of SQLIA. Based on this analysis, a method called An SQLIA Leakage Data Identification Method Based on Outbound Traffic (SLDIOT) is proposed. SLDIOT extracts behavioral features from outbound traffic HTTP response lengths and employs classification algorithms to establish a model for accurate identification of SQLIA data leakage. The proposed method is experimentally validated using three types of SQLIA. Experimental results demonstrate that the method can identify a greater number of successful and failed SQLIA types without the need to extract the leaked sensitive content.
Keywords/Search Tags:SQL injection attack, outbound traffic, attack detection, stage identification, leakage data identification