Research on Common Web Attack Methods and Their Security Prevention Strategies
Published: 2017-12-27 15:15
Keywords of this article: Research on Common Web Attack Methods and Their Security Prevention Strategies. Source: 南昌航空大学 (Nanchang Hangkong University), 2017 master's thesis. Paper type: degree thesis
More related articles: web service security; web service attacks; XSS attack protection; Connection Flood attack protection; SQL injection attack protection; simulated attack experiments
【Abstract】: Web service security is one of the focal points of information security research. In recent years the number and volume of attacks on web services have grown almost geometrically, and their scope has widened: from ordinary portal sites at first to financial services and large e-commerce platforms later, all have been attacked to varying degrees. To cope with these attacks, enterprises are forced to purchase firewalls or other security products, but such software and appliances are expensive, beyond the means of many companies that need protection, and they generally have to be maintained and upgraded by the vendor; the customer's own privileges are limited, so it cannot perform maintenance directly, and problems are usually dealt with only after they have occurred. Starting from these problems, this thesis studies common web service attacks and provides some basic integrated solutions. The main work is as follows. First, the experimental environment is designed. Because web service attacks are diverse and each has its own characteristics, the research and experimental environment required also differs, so during the research a separate simulated environment is built for each kind of attack studied. The main subjects of the experiments are XSS attack protection, Connection Flood attack protection and SQL injection attack protection. Second, a different defensive strategy is designed for each attack. (1) A new solution to XSS attacks is proposed, chiefly remedying the defects of existing or vendor-supplied solutions and improving the maintainability of the protection system so that administrators can maintain and upgrade the local sensitive-character library themselves; an interrupt mechanism is designed that responds to the request first and then handles the dangerous characters, and a page label is designed to prevent the extended attacks that echoing those characters would otherwise allow. (2) For Connection Flood attacks, some lightweight solutions are provided that web developers or system maintainers can conveniently integrate into their systems to cope with ordinary DDoS attacks; a targeted protection scheme is designed according to the characteristics of Connection Flood attacks, and its main protective functions are implemented. (3) SQL injection attacks have become a particularly serious threat to web services in recent years; the thesis designs a dedicated SQL character-filtering function and gives concrete application examples, the main content being to complete the necessary protective operations before SQL is executed. Finally, experiments verify the effectiveness of the strategies. A simulated web service is built, each research object is integrated into it, and the service is deployed to the relevant servers. Simulated attacks are then carried out against it and experimental data are recorded at each stage to facilitate later analysis, on which basis the reliability and stability of the protection system are assessed.
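The XSS design the abstract describes (an administrator-maintained local sensitive-character library, respond to the request first and then deal with the dangerous characters, and a page label that keeps echoed characters from being interpreted as markup) can be sketched as follows. This is an added illustration, not code from the thesis; the JSON library format, the function names and the sample inputs are assumptions.

```python
import html
import json
import re

# Constructed stand-in for the administrator-maintained "sensitive character library".
# In the thesis design this is a local file the administrator edits without vendor
# involvement; it is embedded here as JSON so the example runs offline.
SENSITIVE_LIBRARY_JSON = r"""
{
  "characters": ["<", ">", "\"", "'", "&"],
  "patterns": ["(?i)javascript:", "(?i)on\\w+\\s*="]
}
"""


def load_library(raw_json):
    """Parse the library once; re-calling this is how an admin update takes effect."""
    data = json.loads(raw_json)
    return {"characters": set(data["characters"]),
            "patterns": [re.compile(p) for p in data["patterns"]]}


def inspect(value, library):
    """Return the library entries found in value, without modifying value."""
    hits = [c for c in library["characters"] if c in value]
    hits += [p.pattern for p in library["patterns"] if p.search(value)]
    return hits


def render_label(value):
    """The "page label": output-encode so an echoed value cannot introduce markup."""
    return html.escape(value, quote=True)


def handle_request(value, library, audit_log):
    """Respond first, then handle dangerous characters (the interrupt mechanism).

    The response is built from the encoded value immediately; the library check
    runs afterwards and only records what it found for the administrator.
    """
    response = '<span class="user-label">' + render_label(value) + '</span>'
    hits = inspect(value, library)
    if hits:
        audit_log.append({"input": value, "hits": hits})
    return response
```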
【Degree-granting institution】: 南昌航空大学 (Nanchang Hangkong University)
【Degree level】: Master
【Year degree granted】: 2017
【Classification number】: TP393.08
Article number: 1342227
Article link: https://www.wllwen.com/shoufeilunwen/xixikjs/1342227.html