Research on Common WEB Attack Methods and Their Security Defense Strategies
Published: 2017-12-27 15:15
Keywords: Research on common WEB attack methods and their security defense strategies. Source: Nanchang Hangkong University, 2017 master's thesis. Document type: degree thesis
Related topics: WEB service security; WEB service attacks; XSS attack protection; Connection Flood attack protection; SQL injection attack protection; simulated attack experiments
【Abstract】: WEB service security is one of the focal points of information security research. In recent years the number and traffic volume of attacks on WEB services have grown almost geometrically, and their reach keeps widening: from ordinary portal sites at first to financial services and large e-commerce platforms later, all have been attacked to varying degrees. To cope with these attacks, enterprises are forced to buy firewalls or other security appliances, but such products are expensive and beyond the means of many of the companies that need them. Moreover, this kind of protective software or appliance normally has to be maintained and upgraded by the vendor; the customer's privileges are limited, it cannot maintain the product directly, and usually nobody deals with it until after a problem has occurred. Based on the above problems, this thesis studies common WEB service attacks and provides some basic solutions that can be integrated into a service. The main work is as follows.

First, the experimental environment is designed. Because WEB service attacks are diverse and each attack has different characteristics, the research or experimental environment each one requires also differs; therefore, during the research, a separate simulated environment is built for each kind of WEB service attack for testing. The main research objects of the experiments are XSS attack protection, Connection Flood attack protection and SQL injection attack protection.

Second, different defense strategies are designed for the different attack methods.
1. A new solution to XSS attacks is proposed. It mainly remedies defects of the original or vendor-supplied solutions and improves the maintainability of the protection system, so that administrators can maintain and upgrade the local sensitive-character library themselves; an interrupt mechanism is designed that responds to the request first and then processes the dangerous characters, and page tags are designed to prevent the extended attacks that echoing those characters back would cause.
2. For Connection Flood attacks, some lightweight solutions are provided that WEB developers or system maintainers can conveniently integrate into their systems to cope with ordinary DDoS attacks. Based on the characteristics of Connection Flood attacks, a targeted protection scheme is designed and its main protection functions are implemented.
3. SQL injection attacks have been an especially serious threat to WEB services in recent years. This research designs a dedicated SQL character-filtering function and gives concrete application examples; its main content is to complete the necessary protective operations before the SQL is executed.

Finally, experiments verify the effectiveness of the strategies. A simulated WEB service is built, each research object is integrated into it, and the service is deployed on the relevant servers. During the simulated attack experiments the corresponding attacks are launched against it and experimental data are recorded at different stages to facilitate later analysis, which serves as the basis for assessing the reliability and stability of the protection system.
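As an added example for item 2 of the abstract (example code written for this page, not the thesis's own scheme), the class below is one lightweight Connection Flood control that an accept loop or front-end can call before handing a socket to the application: it caps concurrently open connections per source, caps newly accepted connections per source in a sliding window, and reaps connections that stay idle, which is the typical shape of a Connection Flood (many sockets opened and then left mostly silent). The thresholds, the address strings and the event timing in the demonstration are assumptions.

```python
import time
from collections import defaultdict, deque


class ConnectionFloodGuard:
    """Per-source connection accounting for a Connection Flood defense.

    Controls applied before a socket reaches the application:
      * cap on concurrently open connections per source address,
      * cap on newly accepted connections per source in a sliding window,
      * reaping of accepted connections that stay idle too long.
    All thresholds are assumptions chosen for this demonstration.
    """

    def __init__(self, max_open_per_source=20, max_new_per_window=50,
                 window_seconds=10.0, idle_seconds=30.0):
        self.max_open = max_open_per_source
        self.max_new = max_new_per_window
        self.window = window_seconds
        self.idle = idle_seconds
        self.open = {}                       # conn_id -> (source, last_activity)
        self.open_count = defaultdict(int)   # source -> currently open connections
        self.recent = defaultdict(deque)     # source -> accept timestamps in window

    def _prune(self, source, now):
        # Drop accept timestamps that have fallen out of the sliding window.
        q = self.recent[source]
        while q and now - q[0] > self.window:
            q.popleft()

    def on_connect(self, conn_id, source, now=None):
        """Return True to accept the new connection, False to drop it."""
        now = time.monotonic() if now is None else now
        self._prune(source, now)
        if self.open_count[source] >= self.max_open:
            return False                      # too many sockets held open
        if len(self.recent[source]) >= self.max_new:
            return False                      # connecting too fast
        self.open[conn_id] = (source, now)
        self.open_count[source] += 1
        self.recent[source].append(now)
        return True

    def on_activity(self, conn_id, now=None):
        """Record that real traffic arrived on an accepted connection."""
        now = time.monotonic() if now is None else now
        source, _ = self.open[conn_id]
        self.open[conn_id] = (source, now)

    def on_close(self, conn_id):
        source, _ = self.open.pop(conn_id)
        self.open_count[source] -= 1

    def reap_idle(self, now=None):
        """Close connections idle longer than idle_seconds; return their ids."""
        now = time.monotonic() if now is None else now
        victims = [cid for cid, (_, last) in self.open.items()
                   if now - last > self.idle]
        for cid in victims:
            self.on_close(cid)
        return victims


if __name__ == "__main__":
    # Constructed flood: one source opens 30 sockets in the same second.
    guard = ConnectionFloodGuard(max_open_per_source=20)
    accepted = [guard.on_connect("c%d" % i, "198.51.100.7", 0.0) for i in range(30)]
    print(accepted.count(True), "accepted,", accepted.count(False), "dropped")
    print(len(guard.reap_idle(60.0)), "idle connections reaped")
```

Thresholds should come from measured baselines of legitimate traffic, and sources behind NAT or a shared proxy present one address for many users, so per-source caps must either be generous or be keyed on something finer (a session or client certificate) once the connection is authenticated.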
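As an added illustration of item 3 (example code written for this page, not the thesis's own filter function or test harness), the block below puts the injectable pattern, a pre-execution character filter, and a parameterized query side by side on a constructed in-memory SQLite table. The deny-list in SQL_METACHARS and the sample rows are assumptions; the thesis's actual character list is not reproduced on this page. It shows the caveat a practitioner would want: a quote/comment filter stops the classic tautology inside a quoted string literal, but passes an injection into a numeric context, whereas parameter binding handles both, so a filter of this kind belongs in front of parameterized queries, not in place of them.

```python
import re
import sqlite3


def build_db():
    # Constructed sample data for the demonstration (not from the thesis).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "s3cret"), (2, "bob", "hunter2")],
    )
    conn.commit()
    return conn


# --- the injectable pattern: untrusted input spliced into the SQL text ---

def login_vulnerable(conn, name, password):
    sql = ("SELECT id FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def find_by_id_vulnerable(conn, user_id):
    # Numeric context: the value is not quoted, so the attacker needs no quote.
    sql = "SELECT name FROM users WHERE id = " + user_id
    return [row[0] for row in conn.execute(sql)]


# --- pre-execution character filter (assumed deny-list) ---

SQL_METACHARS = re.compile(r"""['"\\;]|--|/\*""")


def contains_sql_metachars(value):
    """True if the value carries quote, backslash, statement-separator or
    comment characters that could break out of a quoted SQL literal."""
    return SQL_METACHARS.search(value) is not None


def login_filtered(conn, name, password):
    # Refuse the request before any SQL is built; this is the kind of
    # "protective operation before execution" the abstract describes.
    if contains_sql_metachars(name) or contains_sql_metachars(password):
        raise ValueError("input rejected by pre-execution SQL filter")
    return login_vulnerable(conn, name, password)


# --- parameter binding: the value never becomes part of the SQL text ---

def login_parameterized(conn, name, password):
    sql = "SELECT id FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def find_by_id_parameterized(conn, user_id):
    sql = "SELECT name FROM users WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (user_id,))]


if __name__ == "__main__":
    db = build_db()
    tautology = "' OR '1'='1"
    print(login_vulnerable(db, "alice", tautology))      # [1, 2]: every row matches
    print(contains_sql_metachars(tautology))             # True: the filter catches it
    print(login_parameterized(db, "alice", tautology))   # []: treated as a literal password
    numeric = "1 OR 1=1"
    print(contains_sql_metachars(numeric))               # False: nothing for the filter to see
    print(find_by_id_vulnerable(db, numeric))            # ['alice', 'bob']
    print(find_by_id_parameterized(db, numeric))         # []: bound value never parsed as SQL
```

The numeric case is why keyword-free deny-lists keep failing in practice: the dangerous part of the payload is ordinary SQL syntax, not a special character, and extending the list to keywords only moves the bypass to alternative spellings and comment tricks. Binding the value is what removes the class of bug.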
【Degree-granting institution】: Nanchang Hangkong University
【Degree level】: Master
【Year of degree】: 2017
【Classification number】: TP393.08
Article number: 1342227
Article link: http://sikaile.net/shoufeilunwen/xixikjs/1342227.html