CN101540704A - Unreliable DBMS malicious intrusion detection system and method - Google Patents


Info

Publication number
CN101540704A
Authority
CN
China
Prior art keywords
dbms
database
insincere
sql
module
Legal status
Granted
Application number
CN200910083157A
Other languages
Chinese (zh)
Other versions
CN101540704B (en)
Inventor
赵明智
何清法
顾云苏
Current Assignee
Beijing Shenzhou Aerospace Software Technology Co ltd
Original Assignee
Beijing Shenzhou Aerospace Software Technology Co ltd

Landscapes

  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention relates to a system and a method for detecting malicious intrusion by an untrusted DBMS (database management system). A database intrusion detection system is introduced between the DBMS and the database application to intercept the message communication between them, so as to detect malicious behaviour and protect key data. The database intrusion detection system is divided into a client and a server: the client is responsible for intercepting and forwarding database messages; the server manages an untrusted DBMS and a trusted DBMS simultaneously, the trusted DBMS storing the system's important metadata and serving as a mirror database of the untrusted DBMS; and the server is responsible for client identity authentication, communication protocol analysis, transparent data encryption and decryption, and malicious database intrusion detection. The advantages of the invention are: data insertion, modification and deletion operations initiated by malicious code in the database management system are discovered automatically; a database damaged by malicious code can be recovered; and key data is encrypted to prevent it from being stolen by malicious code.

Description

Untrusted DBMS malicious intrusion detection system and method
Technical field
The present invention relates to a malicious intrusion detection system and method for an untrusted DBMS, and belongs to the field of database security intrusion detection technology.
Background art
In modern computing systems the database holds the system's core information resources, so databases are frequently the prime target of hackers and corporate espionage. Because China's database technology started late, database products (DBMS, database management systems) are at present essentially monopolized by foreign vendors, producing the serious situation of "hollowing out of core technology" and "key technology and products controlled by others". Foreign products may well contain back doors, or even have "malicious code" injected into them, used to steal or destroy precious data resources. The ideal way to solve this problem is of course to adopt domestically produced database products in all key application systems, and this is indeed the direction of China's efforts; but current domestic databases still lag foreign products on every index such as stability, functionality, performance and scalability, and because existing systems already use foreign database products on a large scale, the sunk cost is very high, so they cannot all be replaced with domestic products in a short time. The large-scale use of foreign database software has brought the following security problems:
1. DBMSs such as Oracle sold to China usually meet only C-class security standards, roughly equivalent to below level 3 of GB17859-1999, and functions such as authentication, access control and security audit are all comparatively weak;
2. Because we do not hold the source code, foreign DBMSs such as Oracle may well contain back doors, that is, they may bypass normal authentication and access control and automatically transmit the data stored in certain key tables to the outside.
3. More dangerous still, in certain special cases an adversary may even deliberately modify the original standard DBMS according to the purpose of the purchase and inject various malicious code, such as malicious insertion, deletion and modification, malicious mass deletion, and so on. This threat is especially great for China's defence industry.
In order to protect the core information resources that bear on trade secrets and national security, the security threats that an untrusted DBMS product may cause must be analysed, and malicious-DBMS intrusion detection technology must be studied in depth, so as to automatically discover data insertion, modification and deletion operations initiated by malicious code in the database management system.
After years of development, many results have been achieved in the traditional database security fields of identity authentication, access control, information-flow control, encryption control, inference control and auditing. Existing technology, however, focuses on improving the DBMS's ability to resist external attacks; how to improve an application system's ability to resist a malicious DBMS has not yet been studied in depth. Clearly, countermeasures against a malicious DBMS are far more complicated, because the DBMS is in charge of the target data resource: it understands the structure and semantics of the target data, can perform any operation on the target data, and can return arbitrary results to a user's request.
Summary of the invention
Based on the above, the present invention provides an untrusted DBMS malicious intrusion detection system and method that can: automatically discover data insertion, modification and deletion operations initiated by malicious code in the database management system; recover a database destroyed by malicious code; and encrypt key data to prevent it from being stolen by malicious code.
The present invention adopts the following technical solution:
An untrusted DBMS malicious intrusion detection system comprises a DBMS and a database application system, and is characterized in that:
A database intrusion detection system is introduced between the DBMS and the database application. The database intrusion detection system is divided into two parts, a client and a server, wherein: the client is responsible for intercepting and forwarding database messages, in order to detect malicious behaviour and protect critical data; the server manages an untrusted DBMS and a trusted DBMS simultaneously, the trusted DBMS storing the system's important metadata and serving as a mirror database of the untrusted DBMS; and the server is responsible for client identity authentication, communication protocol analysis, data encryption and decryption, and malicious database intrusion detection.
The important metadata comprises encryption keys, database object mapping relations and database table schemas.
An untrusted DBMS malicious intrusion detection method used in the above system comprises the following steps:
1) When the database client configures its server address, it uses the address and port of the client of the database intrusion detection system;
2) All operation requests that the application sends to the untrusted database server are thereby forwarded to the client of the database intrusion detection system;
3) The client of the database intrusion detection system forwards these operation requests to the server of the database intrusion detection system;
4) The server of the database intrusion detection system analyses and processes the received operation requests as follows:
If the operation request cannot cause a malicious change to the data in the untrusted DBMS, the operation request is forwarded to the untrusted DBMS, the reply obtained is returned to the application, and at the same time the data in the trusted DBMS is updated to correspond with the untrusted DBMS; otherwise, the application's operation request is refused.
Further:
The database in the trusted DBMS stores the database schema information, the database object mapping rules, and the per-field and per-table keys and encryption algorithms of the database;
The server of the database intrusion detection system is equipped with the following modules:
"SQL syntax analysis module" - converts the received SQL statement into an SQL query tree;
"Object mapping module" - rewrites the database object names in the SQL query tree;
"Encryption module" - encrypts data;
"Record checksum generation module" - generates a cryptographic checksum from the user data of every record by means of a cryptographic algorithm; this checksum is stored as a transparent field of the user table in the untrusted DBMS;
"Packet forwarding module" - converts the query tree back into an SQL statement; and
"SQL log buffer module", "log replay module", "error reporting module".
Step 4) is further divided into the following steps:
4.1) The "SQL syntax analysis module" performs lexical and syntactic analysis of the received SQL statement according to the database schema information stored in the trusted DBMS and the lexical and syntax rules of SQL, obtaining the SQL query tree;
4.2) The "object mapping module" rewrites the database object names in the SQL query tree according to the database object mapping rules in the trusted DBMS;
4.3) If the current SQL is a read statement, the SQL query tree is passed to the "packet forwarding module", which converts the SQL query tree into an SQL statement and forwards it to the untrusted DBMS, completing the processing of this request; then proceed to the reply processing step 4.7). Otherwise continue with step 4.4);
4.4) If the current SQL is a write statement, the query tree is passed to the "encryption module", which first determines the fields or tables that need encryption and obtains the corresponding encryption keys and algorithms from the trusted DBMS; after the data has been encrypted, the query tree is passed to the "record checksum generation module";
4.5) Each time an SQL statement is executed, the system first determines which records the statement will access, and then checks whether the checksums of these records are correct. If they are correct, the data has not been altered by a malicious DBMS, and the SQL query tree is passed to the "packet forwarding module", which converts the SQL query tree into an SQL statement and forwards it to the untrusted DBMS;
4.6) The write SQL is saved in the "SQL log buffer module"; afterwards the "log replay module" takes SQL statements out of the "SQL log buffer module" one transaction at a time, reads the response message from the untrusted DBMS, and updates the data in the trusted DBMS to correspond with the untrusted DBMS, completing the processing of this request; then proceed to the reply processing step 4.7);
4.7) The response message is read from the untrusted DBMS, object mapping is performed, the data is decrypted and the record checksums are verified, and finally the packet is forwarded to the client; errors arising anywhere in the process are passed to the error reporting module and sent to the client.
Further, before the data in the trusted DBMS is updated to correspond with the untrusted DBMS, it is detected whether there is malicious behaviour in the untrusted DBMS; if there is, the application's operation request is refused and the data in the untrusted DBMS is recovered.
Further, whether there is malicious behaviour in the untrusted DBMS is detected by the following method: every SQL command is executed separately on the untrusted DBMS and on the trusted DBMS, and their return results are compared in subsequent Select operations; if the results differ, the untrusted DBMS is considered to have behaved maliciously.
Further, the concrete steps for detecting whether there is malicious behaviour in the untrusted DBMS are:
7.1) When operations are executed on the untrusted DBMS, the Take-a-Ticket algorithm for serializable scheduling is adopted: a Select statement that reads the Ticket is transparently added to each transaction, followed by an Update statement that increments the Ticket value by one; in this way the Ticket value read by each transaction represents its position in the serialization history;
7.2) These transactions are submitted to the trusted DBMS in the same execution order as on the untrusted DBMS;
7.3) After the synchronous operations on both databases, the untrusted DBMS and the trusted DBMS, are complete, the content of each table is extracted at the application layer and compared; if they differ, the untrusted DBMS has behaved maliciously.
The advantages of the invention are:
1. Data insertion, modification and deletion operations initiated by malicious code in the database management system are discovered automatically;
2. A database damaged by malicious code can be recovered;
3. Key data is encrypted to prevent it from being stolen by malicious code.
Description of drawings
Fig. 1 is a schematic diagram of the untrusted DBMS malicious intrusion detection system of the present invention;
Fig. 2 is a schematic diagram of request interception and processing;
Fig. 3 is a schematic diagram of record checksum generation and verification;
Fig. 4 is a schematic diagram of result analysis and verification;
Fig. 5 is a deployment example of the system of the present invention.
Embodiment
The present invention is described in detail below with reference to the accompanying drawings.
The present invention is an untrusted DBMS malicious intrusion detection system and method.
As shown in Fig. 1, the present invention introduces a database intrusion detection system (DBIDS) between the DBMS and the database application to intercept the message communication between the DBMS and the application, in order to detect malicious behaviour and protect critical data. DBIDS is divided into two parts, a client and a server: the client is mainly responsible for intercepting and forwarding database messages, and the server is responsible for client identity authentication, communication protocol analysis, transparent data encryption and decryption, and the malicious database intrusion detection features.
DBIDS intercepts database communication by forwarding data. When the database client configures its server address, it uses the address and port of the DBIDS client. In this way all requests that the application sends to the untrusted database server are delivered to the DBIDS client; the DBIDS client then forwards these requests over an SSL-based network connection to the DBIDS server; finally the DBIDS server forwards the information to the real database server and returns the reply from the database server to the application. For the application and the database server this process is fully transparent. Moreover, from a security standpoint, even if the DBIDS client is compromised, the logical connection between the client and the server is destroyed at that moment, so no information leakage occurs.
The DBIDS server manages an untrusted DBMS and a trusted DBMS simultaneously. The first function of the trusted DBMS is to store some important metadata of the system, such as encryption keys, database object mapping relations, database table schemas and so on. Its second function is to act as a mirror database holding a copy of the data in the untrusted DBMS; in this way the malicious behaviour of the untrusted DBMS can be detected and the recoverability of the data is ensured. The functional and performance requirements on the trusted DBMS are not high; a single-machine, single-transaction DBMS is sufficient. Therefore many domestic DBMSs or open-source databases can be used, such as a security-hardened MySQL (with the network functionality removed from its source code and some security controls strengthened).
The database in the trusted DBMS stores the database schema information, the database object mapping rules, and the per-field and per-table keys and encryption algorithms of the database.
The server of the database intrusion detection system contains the following software modules:
"SQL syntax analysis module" - converts the received SQL statement into an SQL query tree;
"Object mapping module" - rewrites the database object names in the SQL query tree;
"Encryption module" - encrypts data;
"Record checksum generation module" - generates a cryptographic checksum from the user data of every record by means of a cryptographic algorithm; this checksum is stored as a transparent field of the user table in the untrusted DBMS;
"Packet forwarding module" - converts the query tree back into an SQL statement; and
"SQL log buffer module", "log replay module", "error reporting module", etc.
The untrusted DBMS malicious intrusion detection method of the present invention comprises the following steps:
1) When the database client configures its server address, it uses the address and port of the client of the database intrusion detection system;
2) All operation requests that the application sends to the untrusted database server are thereby forwarded to the client of the database intrusion detection system;
3) The client of the database intrusion detection system forwards these operation requests to the server of the database intrusion detection system;
4) The server of the database intrusion detection system analyses and processes the received operation requests as follows:
If the operation request cannot cause a malicious change to the data in the untrusted DBMS, the operation request is forwarded to the untrusted DBMS, the reply obtained is returned to the application, and at the same time the data in the trusted DBMS is updated to correspond with the untrusted DBMS; otherwise, the application's operation request is refused.
Step 4) is further divided into the following steps:
4.1) The "SQL syntax analysis module" performs lexical and syntactic analysis of the received SQL statement according to the database schema information stored in the trusted DBMS and the lexical and syntax rules of SQL, obtaining the SQL query tree;
4.2) The "object mapping module" rewrites the database object names in the SQL query tree according to the database object mapping rules in the trusted DBMS;
4.3) If the current SQL is a read statement, the SQL query tree is passed to the "packet forwarding module", which converts the SQL query tree into an SQL statement and forwards it to the untrusted DBMS, completing the processing of this request; then proceed to the reply processing step 4.7). Otherwise continue with step 4.4);
4.4) If the current SQL is a write statement, the query tree is passed to the "encryption module", which first determines the fields or tables that need encryption and obtains the corresponding encryption keys and algorithms from the trusted DBMS; after the data has been encrypted, the query tree is passed to the "record checksum generation module";
4.5) Each time an SQL statement is executed, the system first determines which records the statement will access, and then checks whether the checksums of these records are correct. If they are correct, the data has not been altered by a malicious DBMS, and the SQL query tree is passed to the "packet forwarding module", which converts the SQL query tree into an SQL statement and forwards it to the untrusted DBMS;
4.6) The write SQL is saved in the "SQL log buffer module"; afterwards the "log replay module" takes SQL statements out of the "SQL log buffer module" one transaction at a time, reads the response message from the untrusted DBMS, and updates the data in the trusted DBMS to correspond with the untrusted DBMS, completing the processing of this request; then proceed to the reply processing step 4.7);
4.7) The response message is read from the untrusted DBMS, object mapping is performed, the data is decrypted and the record checksums are verified, and finally the packet is forwarded to the client; errors arising anywhere in the process are passed to the error reporting module and sent to the client.
Further, before the data in the trusted DBMS is updated to correspond with the untrusted DBMS, it is detected whether there is malicious behaviour in the untrusted DBMS; if there is, the application's operation request is refused and the data in the untrusted DBMS is recovered.
Further, whether there is malicious behaviour in the untrusted DBMS is detected by the following method: every SQL command is executed separately on the untrusted DBMS and on the trusted DBMS, and their return results are compared in subsequent Select operations; if the results differ, the untrusted DBMS is considered to have behaved maliciously.
Further, the concrete steps for detecting whether there is malicious behaviour in the untrusted DBMS are:
7.1) When operations are executed on the untrusted DBMS, the Take-a-Ticket algorithm for serializable scheduling is adopted: a Select statement that reads the Ticket is transparently added to each transaction, followed by an Update statement that increments the Ticket value by one; in this way the Ticket value read by each transaction represents its position in the serialization history;
7.2) These transactions are submitted to the trusted DBMS in the same execution order as on the untrusted DBMS;
7.3) After the synchronous operations on both databases, the untrusted DBMS and the trusted DBMS, are complete, the content of each table is extracted at the application layer and compared; if they differ, the untrusted DBMS has behaved maliciously.
The operating principle of the untrusted database intrusion detection method of the present invention is illustrated from the following aspects:
1. Data request
Fig. 2 shows the processing of a data request. The client forwards the application's data request to the server; the server's "SQL syntax analysis module" first performs lexical and syntactic analysis of the received SQL statement according to the table and view definitions stored in the trusted DBMS and the lexical and syntax rules of SQL, obtaining the SQL query tree.
Then the "object mapping module" rewrites the database object names in the SQL query tree using the database object mapping rules in the trusted DBMS. This module replaces database object names such as table, field and tablespace names with meaningless random names, so that the semantically rich database object names known to the application are semantically diluted before they enter the untrusted DBMS. The database object mapping rules are the mapping relations between the table, view and column names visible to the user and the database object names actually stored in the untrusted database. Suppose the trusted database contains the rules "USERNAME->A", "PASSWORD->B", "ACCOUNT->C"; then the statement SELECT USERNAME, PASSWORD FROM ACCOUNT WHERE USERNAME='user1' is rewritten to the corresponding SQL SELECT A, B FROM C WHERE A='user1'.
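The rewrite above, as an added example that is not part of the patent: a token-level rewriter that applies the page's three rules on the request path and the inverse mapping to result-set column names on the reply path, plus a generator for the "meaningless random names" the mapping rules need. The mapping dictionary, the tokenizer and the `o`-prefixed random names are assumptions of this example; the patent does not specify how the rules are stored or how names are drawn.

```python
import re
import secrets
from typing import Dict, List

# Constructed mapping rules, standing in for the object mapping rules the
# patent keeps in the trusted DBMS: user-visible name -> stored random name.
OBJECT_MAP: Dict[str, str] = {"USERNAME": "A", "PASSWORD": "B", "ACCOUNT": "C"}


def generate_mapping(visible_names: List[str]) -> Dict[str, str]:
    """Build mapping rules for a schema: every table/view/column name gets a
    meaningless random identifier (the letter prefix keeps it a legal SQL
    name). Candidates are redrawn until unique, so two objects never share
    a stored name and the inverse mapping stays well defined."""
    mapping: Dict[str, str] = {}
    used = set()
    for name in visible_names:
        while True:
            candidate = "o" + secrets.token_hex(4)
            if candidate not in used:
                break
        used.add(candidate)
        mapping[name.upper()] = candidate
    return mapping


# Tokenizer: single-quoted string literal ('' escapes a quote), double-quoted
# identifier ("" escapes a quote), bare identifier or keyword, or any other
# single character (whitespace, punctuation) passed through verbatim.
_TOKEN = re.compile(
    r"(?P<str>'(?:[^']|'')*')"
    r'|(?P<qid>"(?:[^"]|"")*")'
    r"|(?P<ident>[A-Za-z_][A-Za-z0-9_]*)"
    r"|(?P<other>.)",
    re.DOTALL,
)


def rewrite_sql(sql: str, mapping: Dict[str, str]) -> str:
    """Request path: rewrite user-visible object names to their stored names.
    String literals are never touched, so a value that happens to spell an
    object name (e.g. 'ACCOUNT') reaches the DBMS unchanged. Unquoted
    identifiers match case-insensitively, quoted identifiers exactly."""
    out = []
    for m in _TOKEN.finditer(sql):
        text = m.group()
        kind = m.lastgroup
        if kind == "ident":
            out.append(mapping.get(text.upper(), text))
        elif kind == "qid":
            inner = text[1:-1].replace('""', '"')
            stored = mapping.get(inner, inner)
            out.append('"' + stored.replace('"', '""') + '"')
        else:
            out.append(text)
    return "".join(out)


def restore_columns(columns: List[str], mapping: Dict[str, str]) -> List[str]:
    """Reply path: map result-set column names returned by the untrusted DBMS
    back to the names the application expects (Fig. 4, object mapping step)."""
    reverse = {stored: visible for visible, stored in mapping.items()}
    return [reverse.get(c, c) for c in columns]


if __name__ == "__main__":
    request = "SELECT USERNAME, PASSWORD FROM ACCOUNT WHERE USERNAME='user1'"
    print(rewrite_sql(request, OBJECT_MAP))      # SELECT A, B FROM C WHERE A='user1'
    print(restore_columns(["A", "B"], OBJECT_MAP))  # ['USERNAME', 'PASSWORD']
```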
If the current SQL is not an update statement such as INSERT/UPDATE/DELETE, the query tree is passed to the "packet forwarding module", which converts the query tree into an SQL statement, constructs the network message packet and forwards it to the untrusted DBMS, completing the processing of this request.
If the current SQL is INSERT/UPDATE, the query tree is passed to the "encryption module", which reads the user-configured fields or tables that need encryption, obtains the corresponding encryption keys and algorithms from the trusted DBMS, and, after encrypting the data, passes the query tree to the "record checksum generation module".
Because the current SQL contains a write operation, this SQL is saved in the "SQL log buffer module"; afterwards the "log replay module" takes SQL statements out of the buffer one transaction at a time and applies the update to the trusted DBMS.
The "record checksum generation module" generates a cryptographic checksum from the user data of every record by means of a cryptographic algorithm; this checksum is stored as a transparent field of the table in the untrusted DBMS. Each time an SQL statement is executed, the system first determines which records the statement will access: for a read operation, the records accessed are exactly the statement's result set; for an update operation, the update condition is converted into a read query, and the result set of that query is the set of records the statement accesses. Then the checksums of these records are checked. If they are correct, the data has not been altered by a malicious DBMS; if they are incorrect, the database has been maliciously tampered with, an alarm is raised, and the data is restored from the trusted database. Finally the packet forwarding module converts the query tree into an SQL statement and constructs the network message to forward to the untrusted DBMS, completing the processing of this request. Fig. 3 describes the process of generating and verifying the record checksum. Fields A, B and D are normal fields and field C is the check field. When a record is inserted or updated, the content of field C is generated automatically from A, B and D. When a record is accessed, the checksum is recomputed from the contents of fields A, B and D and compared with field C; if they are identical the verification passes, otherwise it fails.
All errors arising during the processing of a data request are handled by the "error reporting module" and reported to the client in a uniform way.
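The Fig. 3 check field, as an added example that is not the patent's own code: field C is computed over A, B and D and verified on access, and the step-4.5 check is run over the records a statement touches. The patent only says "a cryptographic algorithm" with keys held in the trusted DBMS; this example assumes a keyed HMAC (a plain unkeyed hash could be recomputed by the DBMS that altered the row), a hypothetical table name T1, a constructed key, and a length-prefixed canonical encoding so that shifted field boundaries or NULL versus empty string cannot collide.

```python
import hmac
from typing import Dict, List, Optional, Sequence

Record = Dict[str, Optional[str]]

# Constructed metadata standing in for what the patent keeps in the trusted
# DBMS: the per-table key and algorithm used to compute the check field.
# The key never reaches the untrusted DBMS, so a DBMS that alters A, B or D
# cannot produce a matching C.
TRUSTED_METADATA = {
    "T1": {                                      # hypothetical table name
        "algorithm": "sha256",
        "key": bytes.fromhex("9f86d081884c7d659a2feaa0c55ad015"
                             "a3bf4f1b2b0b822cd15d6c15b0f00a08"),  # constructed
        "protected_fields": ["A", "B", "D"],
        "check_field": "C",
    }
}


def canonical_bytes(record: Record, fields: Sequence[str]) -> bytes:
    """Encode the protected fields unambiguously: each field name and value is
    length-prefixed and NULL carries its own tag, so ('ab','c') vs ('a','bc')
    or NULL vs '' can never feed the same bytes into the checksum."""
    parts = []
    for name in fields:
        nb = name.encode("utf-8")
        parts.append(len(nb).to_bytes(2, "big") + nb)
        value = record.get(name)
        if value is None:
            parts.append(b"\x00")
        else:
            vb = str(value).encode("utf-8")
            parts.append(b"\x01" + len(vb).to_bytes(4, "big") + vb)
    return b"".join(parts)


def make_checksum(record: Record, meta: dict) -> str:
    """Checksum of the record's user data (A, B, D) under the table's key."""
    return hmac.new(meta["key"], canonical_bytes(record, meta["protected_fields"]),
                    meta["algorithm"]).hexdigest()


def stamp_record(record: Record, meta: dict) -> Record:
    """INSERT/UPDATE path: fill the transparent check field C from A, B, D."""
    stamped = dict(record)
    stamped[meta["check_field"]] = make_checksum(record, meta)
    return stamped


def verify_record(record: Record, meta: dict) -> bool:
    """Access path: recompute from A, B, D and compare with the stored C."""
    stored = record.get(meta["check_field"]) or ""
    return hmac.compare_digest(make_checksum(record, meta), stored)


def failed_records(accessed: List[Record], meta: dict) -> List[int]:
    """Step 4.5 check over the records a statement will touch (its result set,
    or the rows matched by an update's condition turned into a read query);
    returns the indexes whose checksum does not verify, i.e. tampered rows."""
    return [i for i, rec in enumerate(accessed) if not verify_record(rec, meta)]


def sample_rows() -> List[Record]:
    """Constructed rows as the proxy would have written them to table T1."""
    meta = TRUSTED_METADATA["T1"]
    return [stamp_record({"A": "alice", "B": "ops", "D": "2009-04-01"}, meta),
            stamp_record({"A": "bob", "B": "user", "D": None}, meta)]


if __name__ == "__main__":
    meta = TRUSTED_METADATA["T1"]
    rows = sample_rows()
    print("clean rows failing:", failed_records(rows, meta))   # []
    rows[1]["B"] = "admin"                                       # tampered outside the proxy
    print("after tampering:", failed_records(rows, meta))       # [1]
```

The block follows the page's A, B, D example; including the row's primary key among the protected fields would additionally bind each checksum to its own row.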
2. Data reply
As shown in Fig. 4, the processing of a data reply is essentially the inverse of the data request flow: the "result set analysis module" reads the response message from the untrusted DBMS, then performs object mapping, then decrypts the data and verifies the record checksums, and finally forwards the packet to the client; errors arising anywhere in the process are passed to the error reporting module and sent to the client.
3. Malicious behaviour detection and data recovery
Although the record checksum can detect malicious tampering with records by the database, it cannot detect a malicious database distorting the semantics of a query. For example, when executing a Select statement the database should return N records, but a malicious DBMS deliberately returns more or fewer; or when executing a Delete statement it deliberately deletes more or fewer. Because these two kinds of malicious action touch the core functions of the DBMS, a parallel structure of multiple DBMSs must be adopted: each SQL command is executed separately on several DBMSs, and their return results are compared in subsequent Select operations; if the results differ, the DBMS is considered to have acted maliciously.
DBIDS performs asynchronous replication between the trusted DBMS and the untrusted DBMS, that is, data updates in the untrusted DBMS propagate asynchronously to the trusted DBMS. For the data in the two DBMSs to be consistent, a key task is to determine the real commit order of the concurrent transactions submitted to the untrusted DBMS (that is, their order under an equivalent serialized schedule), so that the same order can be used to submit these transactions to the standby trusted DBMS and thereby produce logically comparable results in the two databases. We adopt the Take-a-Ticket algorithm, originally used for serializable scheduling across multiple databases, to achieve this. That is, a Select statement that reads the Ticket is transparently added to each transaction, followed by an Update statement that increments the Ticket value by one. In this way every transaction is forced to produce a read/write conflict on the Ticket, which guarantees that transaction execution is serialized, and the Ticket value read by each transaction represents its position in the serialization history.
After synchronization of the two databases is complete, the content of each table can be extracted at the application layer and compared to detect whether the untrusted DBMS has behaved maliciously. Of course, the security administrator can also have the system perform sampling checks automatically at regular intervals. If malicious behaviour of the untrusted DBMS is found to have made the database's result disagree with the semantics of the SQL command, the standby database can be used to recover the data in the untrusted DBMS. Note that recovery at this point cannot rely on backups generated by the malicious DBMS, because they are untrusted.
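The Take-a-Ticket ordering and the table comparison of steps 7.1 to 7.3, as an added example that is not the patent's own code. Two in-memory stand-ins for the untrusted and trusted DBMS, the ACCOUNT workload and the "over-deleting" behaviour modelling the malicious Delete described above are all constructed for this example; the log buffer receives the transactions out of order to show why replay must follow the ticket, not arrival.

```python
from typing import Callable, Dict, List, Tuple

Row = Dict[str, str]
Op = Callable[["SimpleDbms"], None]


class SimpleDbms:
    """Minimal in-memory stand-in for a DBMS, constructed for this example.
    Tables are dicts keyed by primary key. over_delete=True models the
    malicious DBMS of the text that deletes more rows than a DELETE asked for."""

    def __init__(self, over_delete: bool = False) -> None:
        self.tables: Dict[str, Dict[str, Row]] = {}
        self.ticket = 0                 # the Ticket value the algorithm adds
        self.over_delete = over_delete

    def insert(self, table: str, key: str, row: Row) -> None:
        self.tables.setdefault(table, {})[key] = dict(row)

    def delete(self, table: str, pred: Callable[[Row], bool]) -> int:
        t = self.tables.setdefault(table, {})
        victims = [k for k, r in t.items() if pred(r)]
        if self.over_delete and victims:
            victims += [k for k in t if k not in victims][:1]  # one unrelated row too
        for k in victims:
            del t[k]
        return len(victims)


def op_insert(table: str, key: str, row: Row) -> Op:
    return lambda db: db.insert(table, key, row)


def op_delete(table: str, field: str, value: str) -> Op:
    return lambda db: db.delete(table, lambda r: r.get(field) == value)


LogEntry = Tuple[int, List[Op]]


def execute_untrusted(db: SimpleDbms, log: List[LogEntry], ops: List[Op]) -> int:
    """Run one transaction on the untrusted DBMS with the Take-a-Ticket
    statements added transparently: SELECT Ticket, then UPDATE Ticket + 1.
    The value read is the transaction's position in the serialization
    history and is stored with its SQL in the log buffer (step 7.1)."""
    ticket = db.ticket          # transparently added SELECT
    db.ticket = ticket + 1      # transparently added UPDATE
    for op in ops:
        op(db)
    log.append((ticket, ops))
    return ticket


def replay_trusted(trusted: SimpleDbms, log: List[LogEntry]) -> None:
    """Log replay module (step 7.2): apply the transactions to the trusted
    mirror in ticket order, whatever order the entries reached the buffer."""
    for _ticket, ops in sorted(log, key=lambda e: e[0]):
        for op in ops:
            op(trusted)


def compare_tables(untrusted: SimpleDbms, trusted: SimpleDbms) -> Dict[str, Dict[str, List[str]]]:
    """Step 7.3: application-layer comparison of every table. Returns, for each
    table that differs, the keys missing on either side and the keys whose
    rows differ; an empty report means no malicious behaviour was detected."""
    report: Dict[str, Dict[str, List[str]]] = {}
    for name in sorted(set(untrusted.tables) | set(trusted.tables)):
        u = untrusted.tables.get(name, {})
        t = trusted.tables.get(name, {})
        diff = {
            "missing_in_untrusted": sorted(set(t) - set(u)),
            "missing_in_trusted": sorted(set(u) - set(t)),
            "differing_rows": sorted(k for k in set(u) & set(t) if u[k] != t[k]),
        }
        if any(diff.values()):
            report[name] = diff
    return report


def detect(over_delete: bool) -> Dict[str, Dict[str, List[str]]]:
    """Constructed workload: the untrusted DBMS commits T0, T1, T2 in that
    order; the buffer receives them reversed (asynchronous replication);
    replay by ticket restores the order before the tables are compared."""
    untrusted = SimpleDbms(over_delete=over_delete)
    trusted = SimpleDbms()
    log: List[LogEntry] = []
    workload = [
        [op_insert("ACCOUNT", "1", {"USERNAME": "alice", "ROLE": "user"}),
         op_insert("ACCOUNT", "2", {"USERNAME": "bob", "ROLE": "user"})],
        [op_insert("ACCOUNT", "3", {"USERNAME": "carol", "ROLE": "admin"})],
        [op_delete("ACCOUNT", "ROLE", "admin")],   # result depends on running after T1
    ]
    for ops in workload:
        execute_untrusted(untrusted, log, ops)
    log.reverse()                      # entries arrive at the buffer out of order
    replay_trusted(trusted, log)
    return compare_tables(untrusted, trusted)


if __name__ == "__main__":
    print("honest DBMS:", detect(over_delete=False))       # {}
    print("over-deleting DBMS:", detect(over_delete=True))  # ACCOUNT row '1' missing
```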
As shown in Fig. 5, the DBIDS database intrusion detection system sits between the database and the application server, or between the database and the client. To the client and the application server, DBIDS is simply a database management system; to the untrusted DBMS, DBIDS is the only database user. If a client bypasses DBIDS and accesses the database directly, it can only read the semantically reduced database schema information and the encrypted ciphertext.
Deployment of DBIDS is flexible. Although the DBIDS client may run on the same server as the application server or the client, in order to reduce network cost the DBIDS client is usually deployed on the client machine or the application server, while the DBIDS server and the DBMS server are deployed in the same local area network (LAN).

Claims (7)

1. an insincere DBMS malicious intrusions detection system comprises DBMS and database application system, it is characterized in that:
Between DBMS and database application, introduce a database intruding detection system;
The Database Intrusion detection system is divided into two parts of client and server end, wherein:
Client is responsible for database message and is intercepted and captured and transmit, with the detection of malicious behavior, and the protection critical data;
Server end is managed an insincere DBMS and a credible DBMS simultaneously, the important metadata information of credible DBMS saved system, and as the mirror database of insincere DBMS;
Server end is responsible for the client identity authentication, is analyzed communications protocol, encryption and decryption data and detection of malicious Database Intrusion.
2. The untrusted DBMS malicious intrusion detection system of claim 1, characterized in that:
Said important metadata comprises encryption keys, database object mapping relations and database table schemas.
3. An untrusted DBMS malicious intrusion detection method used in the system of claim 1, characterized in that it comprises the following steps:
1) when the server address of the database client is configured, the address and port of the client of the database intrusion detection system are used;
2) all operation requests that the application sends to the untrusted database server are thereby forwarded to the client of the database intrusion detection system;
3) the client of the database intrusion detection system forwards these operation requests to the server of the database intrusion detection system;
4) the server of the database intrusion detection system analyzes and processes each received operation request as follows:
if the operation request cannot cause a malicious change to the data in the untrusted DBMS, the operation request is forwarded to the untrusted DBMS, the reply obtained is passed back to the requesting application, and at the same time the data in the trusted DBMS corresponding to the untrusted DBMS is updated; otherwise, the application's operation request is refused.
4. The untrusted DBMS malicious intrusion detection method of claim 3, characterized in that:
The trusted DBMS stores the database schema information, the database object mapping rules, and the keys and encryption algorithms for the fields and sub-tables of the database;
The server of the database intrusion detection system is equipped with the following modules:
an "SQL syntax analysis module", which converts a received SQL statement into an SQL query tree;
an "object mapping module", which rewrites the database object names in the SQL query tree;
an "encryption module", which encrypts data;
a "record verification generation module", which generates a cryptographic checksum from the user data of every record by means of a cryptographic algorithm; this checksum is stored as a transparent field of the user table in the untrusted DBMS;
a "packet forwarding module", which converts a query tree back into an SQL statement; and
an "SQL log buffer module", a "log playback module" and an "error reporting module";
Said step 4) is further divided into the following steps:
4.1) the "SQL syntax analysis module" performs lexical and syntactic analysis of the received SQL statement according to the database schema information stored in the trusted DBMS and the lexical and syntax rules of SQL, obtaining the SQL query tree;
4.2) the "object mapping module" rewrites the database object names in the SQL query tree according to the database object mapping rules in the trusted DBMS;
4.3) if the current SQL is a read statement, the SQL query tree is handed to the "packet forwarding module", which converts it into an SQL statement and forwards it to the untrusted DBMS; handling of the request is then complete and processing continues with reply handling step 4.7); otherwise processing continues with step 4.4);
4.4) if the current SQL is a write statement, the query tree is handed to the "encryption module", which first determines the fields or tables that need encryption, obtains the corresponding encryption keys and encryption algorithms from the trusted DBMS, and after encrypting the data passes the query tree to the "record verification generation module";
4.5) each time an SQL statement is executed, the system first determines which records will be accessed by the statement and then checks whether the checksums of those records are correct; if they are correct, the data has not been altered by a malicious DBMS, and the SQL query tree is handed to the "packet forwarding module", which converts it into an SQL statement and forwards it to the untrusted DBMS;
4.6) the write SQL is saved in the "SQL log buffer module"; the "log playback module" then takes SQL statements out of the "SQL log buffer module" one transaction at a time, reads the response message from the untrusted DBMS, and updates the data in the trusted DBMS corresponding to the untrusted DBMS; handling of the request is then complete and processing continues with reply handling step 4.7);
4.7) the response message is read from the untrusted DBMS, object mapping is applied, decryption and record checksum verification are performed, and finally the packet is forwarded to the client; errors arising anywhere in this process are passed to the error reporting module and sent to the client.
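The per-record checksum of steps 4.4 to 4.7, as an added example that is not the patent's own code: sqlite3 stands in for the untrusted DBMS, the key is assumed to be metadata held in the trusted DBMS, the checksum is assumed to be HMAC-SHA256 over the record's user fields, and the column name `_mac` is illustrative.

```python
"""Added example, not the patent's code: the record checksum of steps 4.4-4.7,
with sqlite3 standing in for the untrusted DBMS. Assumed: the key is metadata
held in the trusted DBMS, the checksum is HMAC-SHA256 over the user fields,
and the column name _mac is illustrative."""
import hashlib
import hmac
import sqlite3

TRUSTED_KEY = b"constructed-key-held-in-trusted-dbms"  # constructed sample key

def record_mac(key: bytes, *fields) -> str:
    """Keyed checksum over one record's user data (algorithm is an assumption)."""
    canon = "\x1f".join(repr(f) for f in fields).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()

def untrusted_dbms() -> sqlite3.Connection:
    """User table plus the transparent checksum field the proxy adds."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE account (id INTEGER PRIMARY KEY, "
                "owner TEXT, balance INTEGER, _mac TEXT)")
    return con

def proxy_insert(con, key, id_, owner, balance):
    """Write path (4.4/4.5): the proxy stores the checksum with the record."""
    con.execute("INSERT INTO account VALUES (?, ?, ?, ?)",
                (id_, owner, balance, record_mac(key, id_, owner, balance)))
    con.commit()

def proxy_select(con, key, id_):
    """Read path (4.7): verify the checksum before passing the reply on.
    Returns (row, ok); ok is False when the stored record was altered."""
    row = con.execute("SELECT id, owner, balance, _mac FROM account "
                      "WHERE id = ?", (id_,)).fetchone()
    if row is None:
        return None, True
    ok = hmac.compare_digest(row[3], record_mac(key, *row[:3]))
    return row[:3], ok

def demo():
    """Insert a record, then simulate the untrusted DBMS changing it."""
    con = untrusted_dbms()
    proxy_insert(con, TRUSTED_KEY, 1, "alice", 100)
    _, before = proxy_select(con, TRUSTED_KEY, 1)
    con.execute("UPDATE account SET balance = 1000000 WHERE id = 1")
    con.commit()
    _, after = proxy_select(con, TRUSTED_KEY, 1)
    return before, after  # (True, False)
```

A per-record checksum detects alteration of a record's fields, which is what step 4.5 checks; deletion of whole records or substitution of an older, still validly checksummed record is outside what this check alone can see.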
5. The untrusted DBMS malicious intrusion detection method of claim 3 or 4, characterized in that:
Before the data in the trusted DBMS is updated to correspond to the untrusted DBMS, it is detected whether there is malicious behaviour in the untrusted DBMS; if there is, the application's operation request is refused and the data in the untrusted DBMS is recovered.
6. The untrusted DBMS malicious intrusion detection method of claim 5, characterized in that:
Whether there is malicious behaviour in the untrusted DBMS is detected by the following method: every SQL command is executed on both the untrusted DBMS and the trusted DBMS, and their returned results are compared in subsequent Select operations; if the results differ, the untrusted DBMS is deemed to have behaved maliciously.
7. The untrusted DBMS malicious intrusion detection method of claim 6, characterized in that:
The concrete steps for detecting whether there is malicious behaviour in the untrusted DBMS are:
7.1) when operations are executed on the untrusted DBMS, the Take-a-Ticket serializability scheduling algorithm is adopted: a Select statement that reads the Ticket is transparently added to each transaction, followed by an Update statement that increments the Ticket value by one, so that the Ticket value read by each transaction represents its position in the serialization history;
7.2) these transactions are submitted to the trusted DBMS in the same execution order as on the untrusted DBMS;
7.3) after the synchronization of the two databases, the untrusted DBMS and the trusted DBMS, has finished, the contents of each table are extracted at the application layer and compared; if they differ, malicious behaviour by the untrusted DBMS is indicated.
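The Take-a-Ticket check of claims 6 and 7 (and the table comparison described in the description above), as an added example that is not the patent's own code: two in-memory sqlite3 databases play the untrusted and the trusted DBMS; the single-row `ticket` table, its name, and replaying on the trusted side only after the untrusted transactions have committed are assumptions.

```python
"""Added example, not the patent's code: Take-a-Ticket of claims 6-7, with two
in-memory sqlite3 databases as the untrusted and trusted DBMS. Assumed: a
single-row ticket table (name illustrative) and replay after untrusted commit."""
import sqlite3

SCHEMA = ["CREATE TABLE account (id INTEGER PRIMARY KEY, balance INTEGER)",
          "CREATE TABLE ticket (v INTEGER)", "INSERT INTO ticket VALUES (0)"]

def new_db():
    con = sqlite3.connect(":memory:", isolation_level=None)  # explicit BEGIN/COMMIT
    for s in SCHEMA:
        con.execute(s)
    return con

def run_on_untrusted(con, stmts):
    """Step 7.1: read the Ticket and increment it inside the transaction, so the
    value read fixes the transaction's place in the serialization history."""
    con.execute("BEGIN IMMEDIATE")
    ticket = con.execute("SELECT v FROM ticket").fetchone()[0]
    con.execute("UPDATE ticket SET v = v + 1")
    for s in stmts:
        con.execute(s)
    con.execute("COMMIT")
    return ticket

def replay_on_trusted(con, log):
    """Step 7.2: submit the same transactions to the trusted DBMS in Ticket order."""
    for _, stmts in sorted(log, key=lambda e: e[0]):
        con.execute("BEGIN")
        for s in stmts:
            con.execute(s)
        con.execute("COMMIT")

def tables_match(untrusted, trusted):
    """Step 7.3: compare table contents extracted at the application layer."""
    q = "SELECT id, balance FROM account ORDER BY id"
    return untrusted.execute(q).fetchall() == trusted.execute(q).fetchall()

def demo(tamper=False):
    """True when both copies agree; tamper=True simulates a DBMS that alters
    committed data behind the proxy's back, which the comparison must flag."""
    untrusted, trusted, log = new_db(), new_db(), []
    txs = [["INSERT INTO account VALUES (1, 100)"],
           ["UPDATE account SET balance = balance - 30 WHERE id = 1"],
           ["INSERT INTO account VALUES (2, 50)"]]
    for stmts in txs:
        log.append((run_on_untrusted(untrusted, stmts), stmts))
    if tamper:
        untrusted.execute("UPDATE account SET balance = 100 WHERE id = 1")
    replay_on_trusted(trusted, log)
    return tables_match(untrusted, trusted)
```

The Ticket read is what lets the replay reproduce the untrusted side's serialization order; without it, a legitimate reordering of two non-commuting transactions would show up as a spurious mismatch.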
CN2009100831574A 2009-05-05 2009-05-05 Unreliable DBMS malicious intrusion detection system and method Active CN101540704B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2009100831574A CN101540704B (en) 2009-05-05 2009-05-05 Unreliable DBMS malicious intrusion detection system and method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2009100831574A CN101540704B (en) 2009-05-05 2009-05-05 Unreliable DBMS malicious intrusion detection system and method

Publications (2)

Publication Number Publication Date
CN101540704A true CN101540704A (en) 2009-09-23
CN101540704B CN101540704B (en) 2011-06-15

Family

ID=41123705

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2009100831574A Active CN101540704B (en) 2009-05-05 2009-05-05 Unreliable DBMS malicious intrusion detection system and method

Country Status (1)

Country Link
CN (1) CN101540704B (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104102879A (en) * 2013-04-15 2014-10-15 腾讯科技(深圳)有限公司 Method and device for extracting message format
CN105451223A (en) * 2014-08-07 2016-03-30 阿里巴巴集团控股有限公司 Information monitoring method and device, and mobile terminal
CN109889486A (en) * 2018-12-28 2019-06-14 武汉职业技术学院 Mobile office secure accessing platform
CN110121712A (en) * 2017-12-05 2019-08-13 华为技术有限公司 A kind of blog management method, server and Database Systems
CN110765152A (en) * 2019-09-18 2020-02-07 平安科技(深圳)有限公司 SQL extraction method and device, computer equipment and storage medium
CN112613302A (en) * 2020-12-31 2021-04-06 天津南大通用数据技术股份有限公司 Dynamic credibility judgment method for clauses executing select statement based on database
CN115643118A (en) * 2022-12-23 2023-01-24 北京市大数据中心 Method, electronic device and medium for defending TDA against threat attack

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1564530A (en) * 2004-04-15 2005-01-12 沈春和 Network safety guarded distributing invading detection and internal net monitoring system and method thereof

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104102879A (en) * 2013-04-15 2014-10-15 腾讯科技(深圳)有限公司 Method and device for extracting message format
CN104102879B (en) * 2013-04-15 2016-08-17 腾讯科技(深圳)有限公司 The extracting method of a kind of message format and device
US9589136B2 (en) 2013-04-15 2017-03-07 Tencent Technology (Shenzhen) Company Limited Method and device for extracting message format
CN105451223A (en) * 2014-08-07 2016-03-30 阿里巴巴集团控股有限公司 Information monitoring method and device, and mobile terminal
CN110121712B (en) * 2017-12-05 2022-04-05 华为技术有限公司 Log management method, server and database system
CN110121712A (en) * 2017-12-05 2019-08-13 华为技术有限公司 A kind of blog management method, server and Database Systems
CN109889486A (en) * 2018-12-28 2019-06-14 武汉职业技术学院 Mobile office secure accessing platform
CN110765152A (en) * 2019-09-18 2020-02-07 平安科技(深圳)有限公司 SQL extraction method and device, computer equipment and storage medium
WO2021051501A1 (en) * 2019-09-18 2021-03-25 平安科技(深圳)有限公司 Sql extraction method and apparatus, computer device, and storage medium
CN110765152B (en) * 2019-09-18 2023-05-30 平安科技(深圳)有限公司 SQL extraction method, SQL extraction device, computer equipment and storage medium
CN112613302A (en) * 2020-12-31 2021-04-06 天津南大通用数据技术股份有限公司 Dynamic credibility judgment method for clauses executing select statement based on database
CN112613302B (en) * 2020-12-31 2023-08-18 天津南大通用数据技术股份有限公司 Dynamic credibility judging method for clauses of select statement based on database
CN115643118A (en) * 2022-12-23 2023-01-24 北京市大数据中心 Method, electronic device and medium for defending TDA against threat attack

Also Published As

Publication number Publication date
CN101540704B (en) 2011-06-15


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP01 Change in the name or title of a patent holder
CP01 Change in the name or title of a patent holder

Address after: 100094 No. 28, Yongfeng Road, Beijing, Haidian District

Patentee after: Beijing Shenzhou Aerospace Software Technology Co.,Ltd.

Address before: 100094 No. 28, Yongfeng Road, Beijing, Haidian District

Patentee before: BEIJING SHENZHOU AEROSPACE SOFTWARE TECHNOLOGY Co.,Ltd.