
28 SQL Proposal of attack detection method based on appearance frequency of symbols included in SQL injection attack and its relevance 1170311 2017 2 28

SQL Web Web SQL SQL SQL SQL SQL SQL SQL SQL SQL SQL SQL i

SQL SQL ii

Abstract

Proposal of attack detection method based on appearance frequency of symbols included in SQL injection attack and its relevance

Cyber attacks targeting Web applications are a great threat not only to those who operate and manage Web applications but also to their users. Among them, many attacks aim at the SQL injection vulnerability, and it has been pointed out that countermeasures have not kept up even though the vulnerability has long been known. SQL injection attacks tend to include many symbols. Therefore, an existing method proposes attack detection that focuses on the symbols included in SQL injection attacks. However, while the existing method shows a high detection rate for normal data, its detection rate for attack data is not higher than that of other detection methods. To prevent damage caused by SQL injection attacks, the attack detection rate must be improved without lowering performance on normal data. SQL injection attacks have the following features. The SQL statements inserted in SQL injection attacks differ according to the attacker's purpose. In addition, to carry out an SQL injection attack and obtain the target information, information about the database is required, and a technique called blind SQL injection is used to obtain it. In this paper, we propose an attack detection method that exploits the relationship between the attacker's purpose and the occurrence frequency of symbols included in blind SQL injection attacks. The proposed method improves the attack detection rate without lowering the detection rate for normal data by using the relationship between the attacker's purpose and the information carried by the symbols included in the attack data. Moreover, by using blind SQL injection attack data as the attack data, it becomes possible to block requests that collect database-related information, which is considered useful attack detection even against real SQL injection attacks.

Keywords: attack detection, SQL injection, machine learning

1 1 1.1................................... 1 1.2................................. 3 2 SQL 4 2.1 SQL..................................... 4 2.2 SQL......................... 5 2.2.1 SQL................... 5 2.2.2 SQL.................. 6 2.3 SQL...................... 6 2.3.1 Web ( )....... 7 2.3.2 Web ( )... 7 2.3.3 (WAF)................... 7 2.4 SQL..................... 8 3 10 3.1................................... 10 3.2 SVM (Support Vector Machine)...................... 11 3.3................................ 11 3.4............................ 12 3.5............................ 13 3.6 SQL............. 14 3.7................................... 15 3.8............................ 15 v

4 17 4.1................................ 17 4.2................................... 18 4.3 SQL............... 18 4.4...................................... 21 4.4.1....................... 22 4.4.2................................ 23 5 25 5.1................................... 25 5.2................................... 26 5.3...................................... 26 6 28 30 31 vi

2.1 SQL. 5 4.1.................................... 20 4.2 SQL........ 21 4.3....................... 21 4.4...................... 23 5.1 WAF................................ 27 vii

2.1 SQL............................... 4 3.1 (x ) 5...................... 14 3.2 ( ).......................... 15 3.3 (ModSecurity)........................... 15 3.4 (SVM)................................ 16 4.1................................ 19 4.2................................. 19 4.3 (x ) 5...................... 20 4.4................................ 22 4.5 (x ) 5................... 22 4.6................................ 22 4.7.................................... 24 viii

1 1.1 ICT Web Web Web [1] Web OWASP (Open Web Application Security Project) Web SQL [2] SQL Web SQL Web SQL SQL [3] Web Web (WAF) WAF L7 L4 HTTP 1

1.1 [4] WAF SVM (Support Vector Machine) WAF SQL SQL [1] SQL ( ) ModSecurity SVM ModSecurity SVM [1] SQL SQL [11] SQL SQL SQL SQL SQL 2

1.2 SQL 1.2 6 t 2 SQL 3 SQL 4 3 SQL 5 6 3

2 SQL SQL 2.1 SQL SQL (RDBMS) RDBMS Oracle Database Microsoft SQL Server MySQL PostgreSQL SQL SQL 2.1 [3] SQL SQL users user admin id password SELECT id, password FROM users WHERE user = 'admin'; 2.1 SQL ( ) SELECT FROM WHERE AND = >=, a b c table name age YAMADA 20 4

2.2 SQL 2.2 SQL SQL (CWE-89: Improper Neutralization of Special Elements used in an SQL Command SQL Injection ) Web SQL [5] SQL Web SQL SQL [3] 2.1 SQL 2.2.1 SQL [3] SQL SQL $username $password 5

2.3 SQL SELECT * FROM users WHERE user='$username' AND password='$password' SQL $username $password 1' or '1' = '1 SQL '1' = '1' OR SELECT * FROM users WHERE user='1' OR '1' = '1' AND password='1' OR '1' = '1' SQL SQL 2.2.2 SQL SQL SQL SQL SQL 1 SQL 2.3 SQL SQL [6] 6

2.3 SQL 2.3.1 Web ( ) SQL [3] ? SQL SQL 2.3.2 Web ( ) SQL SQL ( ; % + ) SQL [3] 2.3.3 (WAF) WAF (Web Application Firewall) Web Web WAF 7 4 HTTP [4] WAF SVM (Support Vector Machine) WAF [1] 7
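Section 2.2.1 builds the login query by pasting $username and $password into the SQL text, and section 2.3.1 recommends placeholders (?) instead. The following Python block is an added example, not code from the thesis: it reproduces both forms against an in-memory SQLite table constructed here (the table contents, the function names and the use of the sqlite3 driver are this example's assumptions, not the thesis's environment), so the effect of the `' OR '1'='1` input from section 2.2.1 can be checked offline.

```python
import sqlite3


def make_db():
    """Constructed users table for this example: an admin and one ordinary user."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, user TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (user, password) VALUES (?, ?)",
        [("admin", "s3cret"), ("yamada", "hunter2")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Section 2.2.1 style: the request values become part of the SQL text,
    so quotes in the input change the structure of the WHERE clause."""
    sql = (
        f"SELECT id FROM users WHERE user='{username}' "
        f"AND password='{password}' ORDER BY id"
    )
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, username, password):
    """Section 2.3.1 style: placeholders keep the values out of the SQL text;
    the driver passes them to the engine as data, never as SQL."""
    sql = "SELECT id FROM users WHERE user=? AND password=? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (username, password))]


# The input from section 2.2.1 with its quote characters restored.
INJECTED = "1' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, valid login:   ", login_vulnerable(db, "admin", "s3cret"))
    print("vulnerable, injected input:", login_vulnerable(db, INJECTED, INJECTED))
    print("parameterized, injected:   ", login_parameterized(db, INJECTED, INJECTED))
```

With the injected input the vulnerable query becomes `... WHERE user='1' OR '1'='1' AND password='1' OR '1'='1'`; since AND binds tighter than OR, the trailing `'1'='1'` makes the condition true for every row and both users' ids come back. The parameterized version receives the same string as a plain value, matches no user, and returns nothing. The same distinction applies to the escaping approach of section 2.3.2: escaping is only as good as the escaping function for the specific DBMS, whereas placeholders never let the input reach the SQL parser.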

2.4 SQL 2.4 SQL SQL SQL SQL SQL SQL sqlmap sqlmap SQL sqlmap SQL [13] Boolean-based blind WHERE HAVING SQL AND 4908=2320 AND 'TFah'='TFah' Time-based blind SQL AND SLEEP(5) AND 'ybnw'='ybnw' Error-based SQL SELECT CAST(x'FFFFFFFFFFFFFFFF' AS UNSIGNED)+1; UNION query-based SQL UNION 8

2.4 SQL ) UNION ALL SELECT NULL,NULL,NULL# Stacked queries 1 SQL ; SELECT SLEEP(5) 9

3 SQL SQL SVM 3.1 SQL Apache ModSecurity SVM SQL 10

3.2 SVM (Support Vector Machine) [1] SQL [1] 3.2 SVM (Support Vector Machine) SVM 2 SVM (margin) ( ) (support vector) [12] SVM [9] 3.3 1 ( ) 11

3.4 [8] 3.4 SQL 1 $I_A$ $I_N$ 2 ( $J_A$ $J_N$ ) $s_1, s_2, \ldots, s_j$ 3 3 $\mathbb{R}^3$ $(x, y, t)$ 1 $X$ $x$ $s_1, s_2, \ldots, s_x$ $x$ 1 $X$ $1 = s_1$, $2 = s_2$, $\ldots$, $x = s_x$ $s_j$ $(j = 1, 2, \ldots, x)$ $\mathbb{R}^3$ $X$ $(j, 0, 0)$ 2 $y$ 1 $j$ $s_j$ $y_j(l_i) = z_i(s_j)$ $l_i$ $l_i$ $l_i$ $l_i$ 12

3.5 $z_i(s_x)$ $l_i$ $s_x$ $l$ $s_{j_1}$ $s_{j_2}$ $(j_1, y_{j_1}(l))$ $(j_2, y_{j_2}(l))$ 3 $t$ $t = 1$ $t = 0$ 4 3
$y = a_0 + a_1 x + a_2 x^2 + \varepsilon_1$
$a_0 = b_{00} + b_{10} t + \varepsilon_2$
$a_1 = b_{01} + b_{11} t + \varepsilon_3$
$a_2 = b_{02} + b_{12} t + \varepsilon_4$
$\varepsilon_i$ $(i = 1, 2, 3, 4)$ 0 2 2 SQL $y = a_0 + a_1 x + a_2 x^2$ 5 $y = a_0 + a_1 x + a_2 x^2$ $y$ SQL 3.5 1 $s_{j_k}$ $(k = 1, 2, \ldots, K)$ $T_N = \{(j_k, y_{j_k}, 0)\}_{k=1}^{K}$ $T_A = \{(j_k, y_{j_k}, 0)\}_{k=1}^{K}$ $s_j$ $y_j$ 13

3.6 SQL 2 $T_A = \{(j_k, y_{j_k}, 0)\}_{k=1}^{K}$ $e(T_A)$ $T_N = \{(j_k, y_{j_k}, 0)\}_{k=1}^{K}$ $e(T_N)$ 3.6 SQL SQL [10] 2,779 ($J_A = 2779$) Wiki 444 ($J_A = 444$) 3.1 2,779 5 3.1 5 SQL
3.1 (x ) 5
x: 1 2 3 4 5
symbol: Space ; ) (
14
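The abstract's idea (attack data contain many symbols, and the frequencies of those symbols reflect the attacker's purpose), the ranking of the five most frequent symbols in Table 3.1, and the rank-frequency curve y = a_0 + a_1 x + a_2 x^2 of section 3.5 can be made concrete with a small Python illustration. This is an added example, not code from the thesis: the sample parameter values, the definition of a "symbol" as any non-alphanumeric character (space included, as in the thesis's tables), the least-squares fit, and the nearest-curve decision rule in classify() are this example's assumptions. The thesis itself evaluates its features with an SVM and a regression on the class indicator t, which this example does not reproduce. The attack samples follow the sqlmap technique families quoted in section 2.4; the normal samples are made up.

```python
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample values of one request parameter (e.g. "id").
NORMAL = ["1", "42", "yamada", "hello%20world", "user@example.com", "2017-02-28"]
ATTACK = [
    "1 AND 4908=2320 AND 'TFah'='TFah'",    # Boolean-based blind
    "1 AND SLEEP(5) AND 'ybnw'='ybnw'",     # Time-based blind
    "1' AND 1=1 AND 'a'='a",                 # Boolean-based blind, string context
    "1) UNION ALL SELECT NULL,NULL,NULL#",   # UNION query-based
    "1; SELECT SLEEP(5)",                    # Stacked queries
]
TOP = 5  # the thesis ranks the five most frequent symbols (x = 1..5)


def symbol_frequencies(value):
    """Share of each symbol (any non-alphanumeric character, space included)
    among all characters of the URL-decoded value."""
    decoded = unquote_plus(value)
    if not decoded:
        return {}
    counts = Counter(ch for ch in decoded if not ch.isalnum())
    return {ch: n / len(decoded) for ch, n in counts.items()}


def symbol_ratio(value):
    """Fraction of characters that are symbols: the coarse 'many symbols' signal."""
    return sum(symbol_frequencies(value).values())


def ranked_symbols(values, top=TOP):
    """Mean frequency of every symbol over a set of values, sorted descending and
    padded with (None, 0.0) so that exactly `top` (symbol, frequency) pairs return."""
    totals = Counter()
    for v in values:
        totals.update(symbol_frequencies(v))
    mean = {ch: f / len(values) for ch, f in totals.items()}
    ranked = sorted(mean.items(), key=lambda kv: (-kv[1], kv[0]))[:top]
    ranked += [(None, 0.0)] * (top - len(ranked))
    return ranked


def rank_points(values, top=TOP):
    """(x, y) points: x = rank 1..top, y = mean frequency of the symbol at that rank."""
    return [(rank, freq) for rank, (_, freq) in enumerate(ranked_symbols(values, top), 1)]


def fit_quadratic(points):
    """Least-squares coefficients (a0, a1, a2) of y = a0 + a1*x + a2*x^2, the curve
    form of section 3.5, solved from the 3x3 normal equations by Gauss-Jordan."""
    sx = [sum(x ** k for x, _ in points) for k in range(5)]       # sums of x^0..x^4
    sy = [sum(y * x ** k for x, y in points) for k in range(3)]   # sums of y*x^0..y*x^2
    m = [[sx[i + j] for j in range(3)] + [sy[i]] for i in range(3)]  # augmented matrix
    for col in range(3):
        pivot = max(range(col, 3), key=lambda r: abs(m[r][col]))
        m[col], m[pivot] = m[pivot], m[col]
        for r in range(3):
            if r != col:
                f = m[r][col] / m[col][col]
                m[r] = [rv - f * cv for rv, cv in zip(m[r], m[col])]
    return [m[i][3] / m[i][i] for i in range(3)]


def residual(coeffs, points):
    """Sum of squared vertical distances between the points and the fitted curve."""
    a0, a1, a2 = coeffs
    return sum((a0 + a1 * x + a2 * x * x - y) ** 2 for x, y in points)


def classify(value, normal_fit, attack_fit):
    """Assumed decision rule (not the thesis's classifier): label the request by
    the class curve its own rank-frequency points lie closest to."""
    pts = rank_points([value])
    return "attack" if residual(attack_fit, pts) < residual(normal_fit, pts) else "normal"


if __name__ == "__main__":
    normal_fit = fit_quadratic(rank_points(NORMAL))
    attack_fit = fit_quadratic(rank_points(ATTACK))
    print("attack-class top symbols:", [s for s, _ in ranked_symbols(ATTACK)])
    for v in ["yamada", "1 OR 1 = 1", ATTACK[0], "2017-02-28"]:
        label = classify(v, normal_fit, attack_fit)
        print(f"{v!r:40} symbol ratio {symbol_ratio(v):.2f} -> {label}")
```

Running the block fits one curve per class, ranks the attack-class symbols (the space character comes out first, as it does in the thesis's Table 3.1), and labels a few probes. Because only the shape of the top-five curve is compared, a short normal value whose single symbol is very frequent, such as the date written with two dashes, lands closer to the attack curve than to the normal one even though it is in the normal training set. The abstract's requirement of not lowering the normal-data detection rate is about exactly this kind of false positive, which is why the thesis combines the curve with per-symbol identity, the class indicator t and a larger data set rather than using curve shape alone.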

3.7 3.7 3.2 3.3 3.4 [1] 3.3 Apache ModSecurity 3.4 SVM 3.3 3.4 ModSecurity SVM ModSecurity 3.2 ( ) 2,799 444 200 50 96% 100% 3.3 (ModSecurity) 200 50 100% 38% 3.8 ModSecurity SVM 15

3.8 3.4 (SVM) 2,799 444 200 50 100% 0% 2 SQL SQL Web 16

4 ModSecurity SVM SQL SQL 4.1 SQL SQL SQL SQL SQL SQL 17

4.2 SQL SQL SQL SQL SQL 4.2 SQL 4.2 SQL Web 4.1 4.2 PHP/MySQL Web DVWA (Damn Vulnerable Web Application) VirtualBox Linux DVWA sqlmap $ ./sqlmap.py -o -u "http://192.168.33.10/dvwa/vulnerabilities/sqli/?id=1&submit=submit" --cookie="<Cookie>; security=impossible" --dump-all 4.3 SQL 3 SQL 18

4.3 SQL
4.1: VirtualBox 5.0.24; OS: CentOS 6.7 (64bit); Web: DVWA (Damn Vulnerable Web Application); DBMS: mysql Ver 14.14 Distrib 5.5.51, for Linux (x86_64)
4.2: OS: OS X El Capitan 10.11.5; sqlmap 1.0.11.5
1 SQL sqlmap Web 1,924 ($I_A = 1924$) Web 268 ($I_N = 268$) 2 1,924 4.3 5 ($x = 5$) 4.3 3 1924 268 4.3 4 3 19

4.3 SQL 4.1 4.3 y = a 0 + a 1 x + a 2 x 2 4.3 (2 ) (x ) 4.3 5 4.4 y = a 0 + a 1 x + a 2 x 2 4.3 (x ) 5 Space ( ), x 1 2 3 4 5 20

4.4 [Chart: y axis 0 to 0.5 in steps of 0.1; x axis symbols SP ( ) , _ = . * > - ` ! " # $ & + / : ; < ? @ [ ] ^ { } ~ DEL] 4.2 SQL 4.3 4.4 SQL 21

4.4 4.4 Space ( ), 0.26465932 0.25184209 0.21951243 0.16767034 0.09631582 0.87445428 0.25591129-0.08131584-0.13722714 0.08817741 100 4.4.1 4.5 x 4.4.1 4.6 4.5 (x ) 5 x 1 2 3 4 5 Space ( ), Space ; ) ( 4.6 Space ; ) ( 0.24825736 0.11328418 0.07426349 0.13119529 0.28407959 0.87467431 0.25590768-0.08154009-0.13766901 0.08752092 22

4.4 4.4 4.4.2 $y = (b_{00} + b_{10} t) + (b_{01} + b_{11} t) x + (b_{02} + b_{12} t) x^2$, $b_{00} = 1.77431317$, $b_{10} = 1.51634905$, $b_{01} = 1.04051684$, $b_{11} = 1.05696826$, $b_{02} = 0.14065795$, $b_{12} = 0.5041417$ 23

4.4 $y = (b_{00} + b_{10} t) + (b_{01} + b_{11} t) x + (b_{02} + b_{12} t) x^2$, $b_{00} = 1.7747598$, $b_{10} = 1.1667298$, $b_{01} = 1.04074492$, $b_{11} = 0.56857254$, $b_{02} = 0.14065943$, $b_{12} = 0.02825969$ $t = 1$ $t = 0$ 4.7 4.7 sqlmap SQL 4.7 100% 100% 94% 100% 24

5 5.1 94 6 100 SQL SQL SQL 2 Boolean-based blind Time-based blind Error-based UNION query-based Stacked queries SQL SQL SQL SQL sqlmap SQL 25

5.2 5.2 100 4.3 4.4.1 4.4 4.6 Web Space Space Space 5.3 SQL Web Web WAF [4] 5.3 SQL WAF WAF 26

5.3 Issues: multiple WAFs, Internet, WAF selection device, Figure 5.1: optimal WAF selection 27 server

6 SQL SQL ModSecurity SVM SQL SQL [11] SQL SQL SQL SQL SQL SQL Web Web 28


[1] : WAF, Vol.56, No.9, pp.1826-1833 (2015)
[2] Web SQL : http://www.atmarkit.co.jp/ait/articles/1409/29/news104.html (accessed 2017.2.1)
[3] IPA SQL : https://www.ipa.go.jp/files/000017320.pdf (accessed 2017.2.1)
[4] : WAF, Vol.77, Issue 3, pp.3435-3436 (2015)
[5] MITRE, Common Weakness Enumeration: https://cwe.mitre.org/data/definitions/89.html (accessed 2017.2.6)
[6] : pp.50-54 (2016.8.1)
[7] Web SQL : http://www.excite.co.jp/News/column_g/20160316/Cobs_413091.html (accessed 2017.2.8)
[8] : http://www.sigmath.es.osaka-u.ac.jp/~kano/old/research/application/gasshuku02/lca.pdf (accessed 2017.2.9)
[9] : SVM WAF, 74, pp.561-562 (2012)
[10] Testing for SQL Injection (OTG-INPVAL-005): https://www.owasp.org/index.php/testing_for_sql_injection_(otg-inpval-006) (accessed 2017.2.10)
[11] : SQL, 76, pp.295-296 (2014)
[12] Sebastian Raschka: Python, pp.66-67 (2016.7.1)
[13] SlideShare Web : https://www.slideshare.net/abend_cve_9999_0001/websqlm (accessed 2017.2.10)