English Abstract |
In the Web 2.0 era, web attacks have become common and are widely exploited by intruders to gain unauthorized access. According to a survey by OWASP (the Open Web Application Security Project), the SQL injection attack (SQLIA) ranked first in the OWASP 2013 top 10 list of cyber threats facing web services. SQLIA is a technique of inserting SQL meta-characters and commands into web-based input fields to change the original meaning of SQL queries, so that malicious SQL queries are executed and the databases are accessed without authorization. It cannot be detected by a firewall or antivirus because SQLIA merely injects meta-characters and contains nothing malicious in itself. Hence, forensic analysis to find evidence of the attack plays an important role in reaching a conclusion about an incident and in proving or disproving an intruder's guilt. Previously presented methodologies for forensic analysis of web applications offer only simple statistical analysis, parsing capabilities or simple signature matching. We therefore propose a method that analyzes the URL request and decodes it before checking it against the rule set provided by PHPIDS. After that, we cluster these attacks by calculating the distance to every cluster and assigning each attack to the nearest centroid. To find the patterns of SQL injection used to cluster these attacks, we extract the SQL keywords from the URL request as a token set and analyze these requests with the K-means method to find the standard centroids for clustering the attacks. |
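The pipeline described above (decode the request, extract SQL keywords as a token set, cluster with K-means, assign to the nearest centroid), as an added Python example that is not code from the thesis. The PHPIDS rule-matching step is not reproduced; the keyword vocabulary, the sample requests, the farthest-point seeding and all function names are assumptions made for illustration.

```python
import re
from urllib.parse import unquote_plus
# Assumed keyword vocabulary (illustrative; not taken from the thesis or PHPIDS).
KEYWORDS = ["select", "union", "from", "where", "or", "and", "sleep", "benchmark"]
def decode(url, max_rounds=3):
    """URL-decode repeatedly so double-encoded requests are normalized."""
    for _ in range(max_rounds):
        decoded = unquote_plus(url)
        if decoded == url:
            break
        url = decoded
    return url.lower()

def token_vector(url):
    """Count each SQL keyword in the query string of the decoded request."""
    words = re.findall(r"[a-z_]+", decode(url).partition("?")[2])
    return [words.count(k) for k in KEYWORDS]

def dist2(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b))
def nearest(vec, centroids):
    """Index of the centroid closest to vec (squared Euclidean distance)."""
    return min(range(len(centroids)), key=lambda i: dist2(vec, centroids[i]))

def kmeans(vectors, k, rounds=20):
    # Deterministic farthest-point seeding (an assumption; replaces random init).
    centroids = [list(vectors[0])]
    while len(centroids) < k:
        far = max(vectors, key=lambda v: min(dist2(v, c) for c in centroids))
        centroids.append(list(far))
    for _ in range(rounds):
        labels = [nearest(v, centroids) for v in vectors]
        for i in range(k):
            members = [v for v, lab in zip(vectors, labels) if lab == i]
            if members:  # an emptied cluster keeps its previous centroid
                centroids[i] = [sum(col) / len(members) for col in zip(*members)]
    return centroids, [nearest(v, centroids) for v in vectors]

# Constructed sample requests, assumed already flagged by the rule-matching step.
REQUESTS = [
    "/item.php?id=1%27%20OR%20%271%27%3D%271",
    "/item.php?id=2%2527%2520or%25201%253D1",  # double-encoded
    "/news.php?id=-1+UNION+SELECT+name,pass+FROM+users",
    "/news.php?id=5%20union%20select%201,2%20from%20dual",
    "/view.php?id=1%20AND%20SLEEP(5)",
    "/view.php?id=3+and+sleep(10)",
]
def cluster_requests(requests=REQUESTS, k=3):
    return kmeans([token_vector(r) for r in requests], k)
```

Because the vectors are built after decoding, the single- and double-encoded variants of the same request land in the same cluster, and a request seen later is labelled with `nearest()` against the stored centroids.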