
Research on Common WEB Attack Methods and Their Security Defense Strategies

Published: 2017-12-27 15:15

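  Article keywords: Research on Common WEB Attack Methods and Their Security Defense Strategies. Source: Nanchang Hangkong University, 2017 master's thesis. Document type: degree thesis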


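  More related articles: WEB service security; WEB service attacks; XSS attack protection; Connection Flood attack protection; SQL injection attack protection; simulated attack experiments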


[Abstract]: WEB service security is one of the key topics in information security research. In recent years, the number and traffic volume of attacks on WEB services have grown almost geometrically. The range of targets has also widened: from ordinary portal sites at first to financial services and large e-commerce platforms later, all have been attacked to varying degrees. To counter these attacks, enterprises are forced to purchase firewalls or other security products, but such software and equipment is expensive and beyond the means of companies that need it. These products also generally depend on the vendor for maintenance and upgrades; the customer has limited privileges and cannot maintain them directly, so problems are usually dealt with only after they have occurred. Based on these problems, this thesis studies common WEB service attacks and provides some basic integrated solutions. The main work is as follows.

First, the experimental environment is designed. Because WEB service attacks are diverse and each attack has its own characteristics, the research or experimental environment each one requires also differs. During the research, a separate simulated environment was therefore built for each WEB service attack for test experiments. The main subjects of the experiments are XSS attack protection, Connection Flood attack protection and SQL injection attack protection.

Second, different defense strategies are designed for the different attack methods.

1. A new solution is proposed for XSS attacks, mainly to remedy defects in existing or vendor-provided solutions. It improves the maintainability of the protection system so that administrators can maintain and update the local sensitive-character library themselves; it designs an interrupt mechanism that responds to the service request first and then handles dangerous characters; and it designs page tags to prevent extended attacks caused by characters being echoed back to the page.
2. Lightweight solutions are provided for Connection Flood attacks that WEB developers or system maintainers can conveniently integrate into their systems to deal with ordinary DDoS attacks. A targeted protection scheme is designed around the attack characteristics of Connection Flood, and its main protection functions are implemented.
3. SQL injection attacks have been an especially serious threat to WEB services in recent years. The thesis designs a dedicated SQL character-filtering function and gives concrete application examples; the main content of this part is to complete the necessary protective operations before SQL is executed.

Finally, the effectiveness of the strategies is verified by experiment. A simulated WEB service is built, each research subject is integrated into it, and the service is deployed on the relevant servers. Simulated attacks are then run against it, and experimental data from the different stages is recorded for later analysis and used as the basis for analyzing the reliability or stability of the protection system.
[Degree-granting institution]: Nanchang Hangkong University
[Degree level]: Master's
[Year degree granted]: 2017
[Classification number]: TP393.08


Article ID: 1342227



Article link: http://www.sikaile.net/shoufeilunwen/xixikjs/1342227.html

