CN105138675A - Database auditing method and device - Google Patents


Info

Publication number: CN105138675A
Authority: CN (China)
Application number: CN201510566227.7A
Other languages: Chinese (zh)
Inventors: 梁俊明, 樊建峰, 同王颜
Current Assignee: Upper Marine Infotech Share Co Ltd Of Interrogating
Original Assignee: Upper Marine Infotech Share Co Ltd Of Interrogating
Legal status: Pending
Prior art keywords: data; data flow; flow data; traffic data; operation information

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/28 Databases characterised by their database models, e.g. relational or object models
    • G06F16/284 Relational databases
    • G06F16/25 Integrating or interfacing systems involving database management systems
    • G06F16/252 Integrating or interfacing systems involving database management systems between a Database Management System and a front-end application
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46 Multiprogramming arrangements
    • G06F9/54 Interprogram communication
    • G06F9/547 Remote procedure calls [RPC]; Web services

Abstract

The invention aims to provide a database auditing method and device. The method includes: obtaining service flow data between a browser side and middleware and data flow data between the middleware and a server, wherein the service flow data include user information and the data flow data include operation information; matching the data flow data against the service flow data; and, if the matching succeeds, determining the mapping relation between the operation information included in the data flow data and the user information included in the service flow data. Compared with the prior art, this technical scheme obtains the service flow data between the browser side and the middleware and the data flow data between the middleware and the server at the same time, and matches them to determine the mapping relation between the operation information and the user information. In this way it can be learned which user executed a given operation on the database, and a database that includes middleware can be audited accurately.

Description

Database audit method and equipment
Technical field
The present application relates to the computer field, and in particular to a database audit method and equipment.
Background technology
As database technology is applied more and more widely, the environments in which databases are used are becoming increasingly complex. This places higher demands on database audit technology. Existing database systems based on the B/S architecture generally use a browser end/server end interaction mode. The audit environment assumed by existing database audit technology is therefore generally one in which the browser end connects directly to the database server, and the database audit is carried out by directly analyzing the data exchanged between the browser end and the server.
At present, to meet particular requirements of database applications, a middleware layer is commonly added to the database system, forming a browser end/middleware/server mode. The middleware manages each client's access to the server, so that access is controlled, unified and easy to manage. The interaction data between the browser end and the middleware (called traffic data) contain user information, such as the browser end IP and the login username; the interaction data between the middleware and the server (called data flow data) contain database operation information, such as SQL statements. Because the user information and the operation information are separated, existing database audit technology can only learn what operation was performed but cannot determine who performed it, and therefore cannot audit a database that includes middleware.
Summary of the invention
The object of the present application is to provide a database audit method and equipment.
To achieve this object, the present application provides a database audit method, comprising:
Obtaining traffic data between a browser end and middleware and data flow data between the middleware and a server, wherein the traffic data comprise user information and the data flow data comprise operation information;
Matching the data flow data with the traffic data;
If the matching succeeds, determining the mapping relation between the operation information comprised in the data flow data and the user information comprised in the traffic data.
Further, obtaining the traffic data between the browser end and the middleware and the data flow data between the middleware and the server comprises:
Obtaining the traffic data between the browser end and the middleware and the data flow data between the middleware and the server, and pre-processing the data flow data and the traffic data so as to retain the information relevant to matching.
Further, before the data flow data are matched with the traffic data, the method also comprises:
Searching a rule base for the operation information comprised in the data flow data, wherein the rule base comprises established mapping relations between operation information and user information;
When the operation information is found in the rule base, determining the user information corresponding to the operation information comprised in the data flow data according to the mapping relations.
Further, when the operation information is not found in the rule base, the data flow data are matched with the traffic data.
Further, after the mapping relation between the operation information comprised in the data flow data and the user information comprised in the traffic data is determined, the method also comprises:
Adding the mapping relation to the rule base.
Further, matching the traffic data with the data flow data comprises:
Matching the traffic data with the data flow data according to the generation times of the traffic data and the data flow data and the parameters they comprise.
Further, matching the traffic data with the data flow data according to the generation times of the traffic data and the data flow data and the parameters they comprise comprises:
Determining a time weight value for the match according to the generation time of the traffic data and the generation time of the data flow data, and determining a parameter weighting value according to the parameters comprised in the traffic data and the parameters comprised in the data flow data;
Matching the traffic data with the data flow data according to the time weight value and the parameter weighting value.
Further, when the traffic data are matched with the data flow data according to the time weight value and the parameter weighting value, the weight of the time weight value is higher than that of the parameter weighting value.
According to another aspect of the present application, a database audit equipment is also provided, comprising:
A data acquisition device, configured to obtain traffic data between a browser end and middleware and data flow data between the middleware and a server, wherein the traffic data comprise user information and the data flow data comprise operation information;
A matching device, configured to match the data flow data with the traffic data;
A mapping device, configured to determine, when the matching succeeds, the mapping relation between the operation information comprised in the data flow data and the user information comprised in the traffic data.
Further, the data acquisition device is configured to:
Obtain the traffic data between the browser end and the middleware and the data flow data between the middleware and the server, and pre-process the data flow data and the traffic data so as to retain the information relevant to matching.
Further, the equipment also comprises:
A query device, configured to search a rule base for the operation information comprised in the data flow data before the data flow data are matched with the traffic data, wherein the rule base comprises established mapping relations between operation information and user information; and, when the operation information is found in the rule base, to determine the user information corresponding to the operation information comprised in the data flow data according to the mapping relations.
Further, the matching device is configured to match the data flow data with the traffic data when the operation information is not found in the rule base.
Further, the equipment also comprises:
A learning device, configured to add the mapping relation to the rule base after the mapping relation between the operation information comprised in the data flow data and the user information comprised in the traffic data has been determined.
Further, the matching device is configured to match the traffic data with the data flow data according to the generation times of the traffic data and the data flow data and the parameters they comprise.
Further, the matching device is configured to determine a time weight value for the match according to the generation time of the traffic data and the generation time of the data flow data, and to determine a parameter weighting value according to the parameters comprised in the traffic data and the parameters comprised in the data flow data; and to match the traffic data with the data flow data according to the time weight value and the parameter weighting value.
Further, when the matching device matches the traffic data with the data flow data according to the time weight value and the parameter weighting value, the weight of the time weight value is higher than that of the parameter weighting value.
Compared with the prior art, the technical scheme provided by the present application obtains the traffic data between the browser end and the middleware and the data flow data between the middleware and the server at the same time, and determines the mapping relation between operation information and user information by matching the data flow data with the traffic data. It can thus be learned which user performed a given operation on the database, so that a database that includes middleware can be audited accurately.
In addition, mapping relations for which matching has been completed are added to the rule base. When data flow data are obtained later, the corresponding user information can be found directly from the operation information using the mapping relations already in the rule base, which speeds up matching and improves the efficiency of database auditing.
Brief description of the drawings
Other features, objects and advantages of the present application will become more apparent from the following detailed description of non-limiting embodiments, made with reference to the drawings:
Fig. 1 is a flow chart of a database audit method provided by an embodiment of the present application;
Fig. 2 is a structural diagram of a database system to which the database audit method provided by the embodiment of the present application is applicable;
Fig. 3 is a detailed flow chart of the matching process in a database audit method provided by an embodiment of the present application;
Fig. 4 is a flow chart of a preferred database audit method provided by an embodiment of the present application;
Fig. 5 is a structural diagram of a database audit equipment provided by an embodiment of the present application;
Fig. 6 is a structural diagram of a preferred database audit equipment provided by an embodiment of the present application;
In the drawings, the same or similar reference numerals denote the same or similar parts.
Detailed description
The present application is described in further detail below with reference to the drawings.
In a typical configuration of the present application, the terminal, the equipment of the service network and the trusted party each include one or more processors (CPUs), input/output interfaces, network interfaces and memory.
The memory may include volatile memory in computer-readable media, in the form of random access memory (RAM) and/or non-volatile memory such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media include permanent and non-permanent, removable and non-removable media, which can store information by any method or technology. The information may be computer-readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technologies, compact disc read-only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape and disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media do not include transitory computer-readable media (transitory media), such as modulated data signals and carrier waves.
Fig. 1 shows a database audit method provided by an embodiment of the present application. The method comprises the following steps:
Step S101, obtaining traffic data between a browser end and middleware and data flow data between the middleware and a server, wherein the traffic data comprise user information and the data flow data comprise operation information;
Step S102, matching the data flow data with the traffic data;
Step S103, if the matching succeeds, determining the mapping relation between the operation information comprised in the data flow data and the user information comprised in the traffic data.
The structure of the database including middleware to which this scheme applies is shown in Fig. 2. Traffic data 2A represent the interaction data between the browser end 210 and the middleware 220 and comprise user information, such as the browser end IP and the login username. Data flow data 2B represent the interaction data between the middleware 220 and the server 230 and comprise database operation information, such as SQL statements. For simplicity, Fig. 2 shows one browser end, one middleware and one server, which may be fewer than in an actual database system; this omission is made on the premise that it does not affect a clear and sufficient disclosure of the present invention.
There is a certain association between the traffic data and the data flow data: data flow data are generally produced along with traffic data. For example, the traffic data are an operation request for certain data in the database sent by a user, and the data flow data are the specific operation instruction generated according to that request. The traffic data and the data flow data can therefore be matched in a specific way to determine the association between them, for example by comparing the generation times of the traffic data and the data flow data, the specific parameters they comprise, and so on.
Those skilled in the art will understand that the method may be executed by, among others, a network host, a single network server, a set of multiple network servers, or a set of computers based on cloud computing. Here, a cloud consists of a large number of hosts or network servers based on cloud computing, where cloud computing is a kind of distributed computing: a virtual machine composed of a group of loosely coupled computers. Preferably, the equipment may also be software running on a network host, server or computer.
In practice, taking an interaction scenario that uses HTTP (HyperText Transfer Protocol) as an example, the traffic data may be the HTTP packets that the browser end sends to the middleware. When an HTTP packet is captured, its source IP is the browser end IP, and the login username can be obtained by parsing the URL (Uniform Resource Locator) in the packet. For example, if the source IP of a captured HTTP packet is 116.226.187.17, then the browser end IP is 116.226.187.17. Suppose the URL in the packet is http://192.168.0.1:80/login.aspx?username=superadmin&cs=utf-8&br=ie; parsing this URL shows that the login username is superadmin. Hence, in the user information corresponding to this traffic data, the browser end IP is 116.226.187.17 and the login username is superadmin. In general, once the login username and the browser end IP have been obtained, the two can be bound together and kept in a cache for use in subsequent matching. Correspondingly, the data flow data may be SQL statements. For example, the captured SQL statement is: update t_session set username='superadmin', status='active' where userid=1234. This SQL statement contains the operation information for the database: it modifies the t_session table so that, in the row with userid=1234, username is changed to superadmin and status is changed to active.
This scheme obtains the traffic data between the browser end and the middleware and the data flow data between the middleware and the server at the same time, and determines the mapping relation between operation information and user information by matching the data flow data with the traffic data. It can thus be learned which user performed a given operation on the database, so that a database that includes middleware can be audited accurately.
Preferably, step S101 specifically comprises: obtaining the traffic data between the browser end and the middleware and the data flow data between the middleware and the server, and pre-processing the data flow data and the traffic data so as to retain the information relevant to matching. When traffic data and data flow data are obtained, pre-processing keeps only the information relevant to the subsequent matching, which reduces the amount of computation in later processing, lowers the computational load and improves processing efficiency. Continuing with the scenario above, the parameters of the URL in the traffic data can be separated out and the URL reduced to a form that contains only the document path; the URL mentioned above is thus reduced to: /login.aspx. The pre-processing applied to SQL statements in the data flow data converts statements in named-binding parameter format or unbound parameter format into unordered-binding parameter format. In a SQL statement in unbound parameter format, parameters are given as concrete values; the SQL statement mentioned above, update t_session set username='superadmin', status='active' where userid=1234, is in unbound parameter format. In a SQL statement in named-binding parameter format, parameters are given as variable names, for example update t_session set username='superadmin', status='active' where userid=id, where id is a variable name. When a SQL statement in named-binding or unbound parameter format is converted to unordered-binding parameter format, its parameters are separated out and each parameter is replaced by a question mark. The SQL statement in unordered-binding parameter format finally obtained is: update t_session set username=?, status=? where userid=?
Further, matching the traffic data with the data flow data in step S102 specifically comprises: matching the traffic data with the data flow data according to the generation times of the traffic data and the data flow data and the parameters they comprise. In practice, data flow data and traffic data are not isolated from each other; there is a certain association between them. Because the middleware generally generates data flow data immediately after receiving traffic data, the generation times of the two are generally relatively close.
Specifically, the matching may combine time weighting with parameter weighting, and comprises the steps shown in Fig. 3:
Step S301, determining a time weight value for the match according to the generation time of the traffic data and the generation time of the data flow data, and determining a parameter weighting value according to the parameters comprised in the traffic data and the parameters comprised in the data flow data.
Step S302, matching the traffic data with the data flow data according to the time weight value and the parameter weighting value.
In practice, a URL can represent the traffic data and a SQL statement can represent the data flow data. For example, the generation time of a SQL statement sqla is 09:00:01:000, and there are two URLs, urla and urlb, where the generation time of urla is 09:00:00:955 and the generation time of urlb is 09:00:00:020. The generation time of urla is therefore closer to that of sqla. urla and urlb can each be scored according to how close their generation times are, yielding time weight values that serve as a basis for deciding whether the subsequent match succeeds. The concrete scoring of the time weight value can be set according to the application scenario. For example, based on the time difference, the time weight value is 10 when the difference is within 50 microseconds, and the larger the time difference beyond that, the lower the time weight value. For urla and urlb above, the time weight value of urla is clearly larger than that of urlb.
For parameter weighting, the parameter weighting value is determined by comparing whether the URL and the SQL statement contain the same parameter. Continuing with the URLs and SQL statement above, suppose sqla is: select * from table where name='aaa', urla is: http://192.168.0.1:80/find.aspx?param=aaa, and urlb is: http://192.168.0.1:80/login.aspx?username=superadmin&cs=utf-8&br=ie. urla contains the parameter "aaa", and sqla contains the same parameter "aaa", whereas urlb contains no parameter identical to a parameter in sqla. The parameter weighting value of urla is therefore larger than that of urlb. If the traffic data and data flow data were pre-processed in step S101 above, the parameter weighting value can be determined quickly from the separated parameters.
When all URLs are matched against the SQL statement according to the time weight value and the parameter weighting value, the candidates can be filtered by their time weight values and parameter weighting values, finally retaining either 1 URL (match successful) or 0 URLs (match failed). In the scenario above, because both the time weight value and the parameter weighting value of urla are greater than those of urlb, urla is more likely than urlb to be the URL that matches this SQL statement. During filtering, a minimum threshold can be set for the time weight value and/or the parameter weighting value. For example, if the time weight value and/or the parameter weighting value of urla do not reach the threshold, the match is judged to have failed; otherwise the match is judged successful, completing the match between sqla and urla.
In addition, if the time weight value of urla is greater than that of urlb while the parameter weighting value of urla is less than that of urlb, the decision must further take into account the relative weights of the time weight value and the parameter weighting value. In this embodiment the time weight value takes priority and the parameter weighting value comes second; that is, when the matching relation is determined, the weight of the time weight value is greater than that of the parameter weighting value. Continuing with the URLs and SQL statement above, suppose the time weight value of urla is 10 and its parameter weighting value is 5, while the time weight value of urlb is 6 and its parameter weighting value is 10. The concrete matching and filtering rule may be either of the following. For example, the weight of the time weight value is set to 3 and the weight of the parameter weighting value is set to 2, and the total score of the two weighted values is considered. The total score of urla is then 10 × 3 + 5 × 2 = 40 and the total score of urlb is 6 × 3 + 10 × 2 = 38; whether the match succeeds is then finally determined according to whether the time weight value and/or the parameter weighting value of urla reach the threshold. As another example, the time weight value is considered first, and the parameter weighting value is considered only when time weight values are equal. Take three URLs urlc, urld and urle, where the time weight value of urlc is 10 and its parameter weighting value is 5, the time weight value of urld is 10 and its parameter weighting value is 8, and the time weight value of urle is 6 and its parameter weighting value is 10. Because the time weight values of urlc and urld are both 10 and greater than that of urle, only the parameter weighting values of urlc and urld need to be compared. Since the parameter weighting value of urld is larger, whether the match succeeds is finally determined according to whether the time weight value and/or the parameter weighting value of urld reach the threshold.
Those skilled in the art will understand that the above matching and filtering rules are only examples; other matching and filtering rules, existing now or appearing in the future, that are applicable to the present invention should also fall within its scope of protection and are incorporated herein by reference.
Further, an embodiment of the present application also provides a preferred database audit method, shown in Fig. 4, which comprises the following steps:
Step S401, obtaining traffic data between a browser end and middleware and data flow data between the middleware and a server, wherein the traffic data comprise user information and the data flow data comprise operation information;
Step S402, searching a rule base for the operation information comprised in the data flow data, wherein the rule base comprises established mapping relations between operation information and user information;
Step S403, when the operation information is found in the rule base, determining the user information corresponding to the operation information comprised in the data flow data according to the mapping relations;
Step S404, when the operation information is not found in the rule base, matching the data flow data with the traffic data;
Step S405, if the matching succeeds, determining the mapping relation between the operation information comprised in the data flow data and the user information comprised in the traffic data.
The established mapping relations between operation information and user information in the rule base may be mapping relations obtained by matching and learning at a specific time or in a specific environment, or mapping relations between operation information and user information determined by matching data flow data with traffic data during actual auditing. Mapping relations for which matching has been completed are added to the rule base. When data flow data are obtained later, the corresponding user information can be found directly from the operation information using the mapping relations already in the rule base, which speeds up matching and improves the efficiency of database auditing.
In general, because a large amount of traffic data and data flow data is produced at the same time during actual auditing, the accuracy of matching there is lower than that of mapping relations obtained by matching and learning at a specific time or in a specific environment. Therefore, as a preferred embodiment, when this method is used for database auditing, a suitable time or environment is first selected for learning, in which only one specific user is using the database, so that the mapping relations between that user's user information and the corresponding operation information can be determined exactly.
Similarly, in step S401, also can carry out pre-service to the described data flow data got and traffic data, retain the information relevant to coupling, thus improve the efficiency of subsequent treatment.In described rule base, every bar mapping relations can adopt following form to preserve: browser end IP, login username and SQL statement that URL and this URL is corresponding.Wherein, URL and SQL statement all can adopt pretreated form.Such as, in step s 302, do you adopt pretreated SQL statement updatet_sessionsetusername=? status=? whereuserid=? search in rule base, if there is this SQL statement in rule base, then corresponding URL and the user profile of correspondence can be found.Determine the mapping relations between operation information represented by SQL statement and user profile thus.In addition, matching way adopted in step s 404, can adopt mode as shown in Figure 3 equally.
As a preferred embodiment, any one of the aforementioned database audit methods further comprises, after determining the mapping relations of the operation information that the data flow data comprises and the user profile that the traffic data comprises: adding the mapping relations to the rule base. In the aforementioned application scenario, when mapping relations are added to the rule base, a given URL, the browser-end IP and login username corresponding to that URL, and the SQL statement may be written into the rule base together and stored in a mapping-relation data structure. After the mapping relations between operation information and user profile have been determined by matching data flow data with traffic data, adding these mapping relations to the rule base continues the learning and improves the efficiency of subsequent auditing.
According to another aspect of the application, Fig. 5 shows a database audit equipment provided by an embodiment of the application. The equipment comprises data acquisition facility 510, coalignment 520 and mapping device 530. Specifically, the data acquisition facility 510 is for obtaining the traffic data between browser end and middleware and the data flow data between the middleware and server, wherein the traffic data comprises user profile and the data flow data comprises operation information; the coalignment 520 is for matching the data flow data with the traffic data; and the mapping device 530 is for determining, when the match is successful, the mapping relations of the operation information that the data flow data comprises and the user profile that the traffic data comprises.
Here, the structure of the database system comprising middleware to which this scheme is applied is shown in Fig. 2. Traffic data 2A represents the interaction data between browser end 210 and middleware 220 and comprises user profile, such as the browser-end IP and login username. Data flow data 2B represents the interaction data between middleware 220 and server 230 and comprises database operation information, such as SQL statements. For simplicity, Fig. 2 shows one browser end, one middleware and one server, which may be fewer than in an actual database system, but this omission is made on the premise that it does not affect a clear and sufficient disclosure of the present invention.
There is a certain association between the traffic data and the data flow data: data flow data is generally produced along with traffic data. For example, the traffic data is an operation request for certain data in the database sent by a user, and the data flow data is the specific operation instruction generated according to this operation request. Therefore, traffic data and data flow data can be matched in a specific manner to determine the association between the two, for example by comparing the generation times of certain information in the traffic data and the data flow data, the specific parameters they comprise, and so on.
Here, those skilled in the art will understand that the equipment may include, but is not limited to, a network host, a single network server, a set of multiple network servers, or a set of computers based on cloud computing. Here, the cloud consists of a large number of hosts or network servers based on cloud computing, where cloud computing is a form of distributed computing: a virtual machine composed of a group of loosely coupled computers. Preferably, the equipment may also be software running on a network host, server or computer.
In practical applications, taking an HTTP interaction scenario as an example, the traffic data may be an HTTP packet sent by the browser end to the middleware. When an HTTP packet is captured, its source IP is the browser-end IP, and the login username can be obtained by parsing the URL in the HTTP packet. For example, when an HTTP packet is captured whose source IP is 116.226.187.17, the browser-end IP is 116.226.187.17. The URL in it is: http://192.168.0.1:80/login.aspx?username=superadmin&cs=utf-8&br=ie. By parsing this URL, it can be learned that the login username is superadmin. It follows that in the user profile corresponding to this traffic data, the browser-end IP is 116.226.187.17 and the login username is superadmin. Generally, after the login username and the browser-end IP are obtained, the two can be bound and stored in a cache for use in subsequent matching. Correspondingly, the data flow data may be a SQL statement. For example, the captured SQL statement is: update t_session set username='superadmin', status='active' where userid=1234. This SQL statement contains the operation information for the database: it modifies the t_session table so that, in the row with userid=1234, username is changed to superadmin and status is changed to active.
This scheme obtains the traffic data between browser end and middleware and the data flow data between the middleware and server at the same time, and determines the mapping relations between operation information and user profile by matching the data flow data with the traffic data, so that it is known which user performed a given operation on the database. Accurate database auditing is thereby achieved for a database system comprising middleware.
Preferably, the data acquisition facility 510 is specifically for: obtaining the traffic data between browser end and middleware and the data flow data between the middleware and server, and pre-processing the data flow data and traffic data so that the information relevant to matching is retained. When traffic data and data flow data are obtained, retaining only the information relevant to the subsequent matching by means of pre-processing reduces the amount of calculation in subsequent processing, lowers the computational load and improves processing efficiency. Still taking the aforementioned scenario as an example, for the URL in the traffic data, the relevant parameters can be separated out and the URL processed into a form that comprises only the document path; the aforementioned URL can thus be processed into: /login.aspx. The pre-processing applied to the SQL statement in the data flow data converts a SQL statement in named binding parameter format or unbound parameter format into unordered binding parameter format. In a SQL statement in unbound parameter format, parameters are represented by concrete values; for example, the aforementioned SQL statement update t_session set username='superadmin', status='active' where userid=1234 is in unbound parameter format. In a SQL statement in named binding parameter format, parameters are represented by variable names, for example update t_session set username='superadmin', status='active' where userid=id, where id is a variable name. When a SQL statement in named binding parameter format or unbound parameter format is converted into unordered binding parameter format, its parameters are separated out and each parameter is replaced by a question mark. The SQL statement in unordered binding parameter format finally obtained is: update t_session set username=?, status=? where userid=?
Further, the coalignment 520 is specifically for: matching the traffic data with the data flow data according to the generation times of the traffic data and data flow data and the parameters they comprise. In practical applications, data flow data and traffic data are not isolated from each other; there is a certain association between the two. Because middleware generally generates data flow data immediately after receiving traffic data, the generation times of the two are generally close.
Specifically, the coalignment 520 performs matching as follows: a time weight value for the match is determined according to the generation time of the traffic data and the generation time of the data flow data, and a parameter weighting value is determined according to the parameters that the traffic data comprises and the parameters that the data flow data comprises; the traffic data is then matched with the data flow data according to the time weight value and the parameter weighting value.
In practical applications, a URL can represent the traffic data and a SQL statement can represent the data flow data. For example, the generation time of a certain SQL statement sqla is 09:00:01:000, and there are two URLs at this point, urla and urlb, where the generation time of urla is 09:00:00:955 and the generation time of urlb is 09:00:00:020. It follows that the generation time of urla is closer to the generation time of sqla. According to how close the generation times are, urla and urlb can each be scored to obtain a time weight value, which serves as a basis for deciding whether the subsequent match succeeds. The concrete scoring of the time weight value can be set according to the specific application scenario, for example according to the time difference: within a certain set time difference the time weight value is at its maximum, and beyond that, the larger the time difference, the smaller the time weight value. For urla and urlb above, the time weight value of urla is clearly larger than that of urlb.
When parameter weighting is performed, the parameter weighting value is determined by comparing whether the URL and the SQL statement contain the same parameter. Still taking the aforementioned URLs and SQL statement as an example, sqla is: select * from table where name='aaa', urla is: http://192.168.0.1:80/find.aspx?param=aaa, and urlb is: http://192.168.0.1:80/login.aspx?username=superadmin&cs=utf-8&br=ie. urla contains the parameter "aaa", and sqla contains the same parameter "aaa", whereas urlb has no parameter identical to a parameter in sqla. Therefore, the parameter weighting value of urla is larger than that of urlb. If pre-processing of the traffic data and data flow data has already been completed in data acquisition facility 510, the parameter weighting value can be determined quickly from the separated parameters.
When all URLs are matched with the SQL statement according to the time weight value and the parameter weighting value, match filtering can be performed according to the time weight value and the parameter weighting value, finally retaining 1 URL (match successful) or 0 URLs (match failed). In the above scenario, because both the time weight value and the parameter weighting value of urla are greater than those of urlb, urla is more likely than urlb to be the URL that matches this SQL statement. During match filtering, a minimum threshold can be set for the time weight value and/or the parameter weighting value. For example, if the time weight value and/or parameter weighting value of urla does not reach the threshold, the match is judged to have failed; otherwise the match is judged to be successful, and the matching of sqla and urla is complete.
In addition, where the time weight value of urla is greater than that of urlb but the parameter weighting value of urla is less than that of urlb, the decision must further take into account the weights of the time weight value and the parameter weighting value. In the present embodiment, the time weight value is considered first and the parameter weighting value second; that is, when the matching relation is determined, the weight of the time weight value is greater than that of the parameter weighting value. Still taking the aforementioned URLs and SQL statement as an example, suppose the time weight value of urla is 10 and its parameter weighting value is 5, and the time weight value of urlb is 6 and its parameter weighting value is 10. The concrete match filtering rule may be any of the following. For example, the weight of the time weight value is set to 3 and the weight of the parameter weighting value to 2, and the total score of the two weighted values is considered. The total score of urla is then 10 × 3 + 5 × 2 = 40 and the total score of urlb is 6 × 3 + 10 × 2 = 38; then, according to whether the time weight value and/or parameter weighting value of urla reaches the threshold, it is finally determined whether the match is successful. As another example, the time weight value is considered first and the parameter weighting value is considered only when time weight values are equal. Take three URLs urlc, urld and urle, where the time weight value of urlc is 10 and its parameter weighting value is 5, the time weight value of urld is 10 and its parameter weighting value is 8, and the time weight value of urle is 6 and its parameter weighting value is 10. Because the time weight values of urlc and urld are both 10 and greater than that of urle, only the parameter weighting values of urlc and urld need to be compared. Because the parameter weighting value of urld is larger, it is then finally determined, according to whether the time weight value and/or parameter weighting value of urld reaches the threshold, whether the match is successful. Here, those skilled in the art will understand that the above match filtering rules are only examples; other match filtering rules, existing now or arising in the future, that are applicable to the present invention are also to be included within its scope of protection and are incorporated herein by reference.
Further, an embodiment of the application also provides a preferred database audit equipment which, as shown in Fig. 6, comprises data acquisition facility 510, coalignment 520', mapping device 530 and inquiry unit 540. Specifically, the data acquisition facility 510 is for obtaining the traffic data between browser end and middleware and the data flow data between the middleware and server, wherein the traffic data comprises user profile and the data flow data comprises operation information. The inquiry unit 540 is for looking up in a rule base, before the data flow data is matched with the traffic data, the operation information that the data flow data comprises, wherein the rule base comprises established mapping relations between operation information and user profile; and, when the operation information is found in the rule base, for determining according to the mapping relations the user profile corresponding to the operation information that the data flow data comprises. The coalignment 520' is for matching the data flow data with the traffic data when the operation information is not found in the rule base. The mapping device 530 is for determining, when the match is successful, the mapping relations of the operation information that the data flow data comprises and the user profile that the traffic data comprises.
Here, the mapping relations between operation information and user profile already established in the rule base may be mapping relations obtained by matching and learning at a specific time or in a specific environment, or may be the mapping relations between operation information and user profile determined by matching the data flow data with the traffic data during actual auditing. Because mapping relations whose matching has been completed are added to the rule base, when data flow data is subsequently obtained the corresponding user profile can be matched directly from the operation information according to the mapping relations already in the rule base, which speeds up matching and improves the efficiency of database auditing.
In general, because a large amount of traffic data and data flow data is produced at the same time during actual auditing, the accuracy of matching them is lower than that of mapping relations obtained by matching and learning at a specific time or in a specific environment. Therefore, as a preferred embodiment, when this equipment is used for database auditing, a suitable time or environment is first selected for learning, in which only one specific user uses the database, so that the mapping relations between that user's user profile and the corresponding specific operation information can be determined accurately.
Similarly, data acquisition facility 510 may also pre-process the obtained data flow data and traffic data so that only the information relevant to matching is retained, which improves the efficiency of subsequent processing. In the rule base, each mapping relation may be stored in the following form: a URL, the browser-end IP and login username corresponding to that URL, and the SQL statement. Both the URL and the SQL statement may be stored in pre-processed form. For example, inquiry unit 540 looks up the pre-processed SQL statement update t_session set username=?, status=? where userid=? in the rule base; if this SQL statement exists in the rule base, the corresponding URL and the corresponding user profile can be found. The mapping relations between the operation information represented by the SQL statement and the user profile are thereby determined. In addition, coalignment 520' may likewise match the traffic data with the data flow data in the aforementioned manner, according to the generation times of the traffic data and data flow data and the parameters they comprise.
As a preferred embodiment, any one of the aforementioned database audit equipments further comprises a learning device (not shown). The learning device is for adding the mapping relations to the rule base after the mapping relations of the operation information that the data flow data comprises and the user profile that the traffic data comprises have been determined. In the aforementioned application scenario, when mapping relations are added to the rule base, a given URL, the browser-end IP and login username corresponding to that URL, and the SQL statement may be written into the rule base together and stored in a mapping-relation data structure. After the mapping relations between operation information and user profile have been determined by matching data flow data with traffic data, adding these mapping relations to the rule base continues the learning and improves the efficiency of subsequent auditing.
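The pre-processing, weighted matching and rule-base lookup described above, as an added Python example (not code from the patent). The weights 3 and 2 and the sample URLs and SQL statements come from the description; the 0 to 10 score scale, WINDOW_MS, MIN_TIME_SCORE, the :name bind-variable syntax, the 198.51.100.7 / auditor1 pair and all class and function names are assumptions.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit, parse_qsl

TIME_W, PARAM_W = 3, 2   # weights from the description's worked example
WINDOW_MS = 100          # assumed: gaps up to this long get the top time score
MIN_TIME_SCORE = 5       # assumed threshold; weaker candidates are filtered out

@dataclass
class HttpEvent:         # traffic data (browser end -> middleware)
    ts_ms: int
    src_ip: str
    username: str        # login name already bound to src_ip in the cache
    url: str

@dataclass
class SqlEvent:          # data flow data (middleware -> database server)
    ts_ms: int
    sql: str

# quoted string | named bind variable (assumed :name syntax) | bare number
_VALUE = re.compile(r"'((?:[^']|'')*)'|(:\w+)|\b(\d+(?:\.\d+)?)\b")

def ms(stamp):
    h, m, s, milli = (int(x) for x in stamp.split(":"))   # hh:mm:ss:mmm
    return ((h * 60 + m) * 60 + s) * 1000 + milli

def normalize_sql(sql):
    """Return (template with every parameter replaced by '?', literal values)."""
    values = []
    def to_placeholder(m):
        if m.group(2) is None:   # a literal value, not a bind variable
            values.append(m.group(1) if m.group(1) is not None else m.group(3))
        return "?"
    template = _VALUE.sub(to_placeholder, sql)
    return " ".join(template.split()).lower(), values

def split_url(url):
    """Return (document path, query parameter values)."""
    parts = urlsplit(url)
    return parts.path, [v for _, v in parse_qsl(parts.query)]

def time_score(http_ts, sql_ts):
    """0..10: top score inside WINDOW_MS, one point less per further 100 ms."""
    gap = sql_ts - http_ts
    if gap < 0:          # assumed: a request cannot follow the SQL it caused
        return 0
    return 10 if gap <= WINDOW_MS else max(0, 10 - (gap - WINDOW_MS) // 100)

def param_score(url_values, sql_values):
    """0..10: share of the statement's literal values that occur in the URL."""
    wanted = set(sql_values)
    return round(10 * len(wanted & set(url_values)) / len(wanted)) if wanted else 0

def total_score(t, p):
    return TIME_W * t + PARAM_W * p

def best_match(sql_ev, candidates):
    """Keep at most one HTTP request for a statement (None if all are filtered)."""
    _, sql_values = normalize_sql(sql_ev.sql)
    best, best_total = None, -1
    for ev in candidates:
        t = time_score(ev.ts_ms, sql_ev.ts_ms)
        if t < MIN_TIME_SCORE:
            continue
        total = total_score(t, param_score(split_url(ev.url)[1], sql_values))
        if total > best_total:
            best, best_total = ev, total
    return best

class Auditor:
    def __init__(self):
        self.rules = {}  # SQL template -> (URL path, browser-end IP, username)

    def attribute(self, sql_ev, recent_http):
        template, _ = normalize_sql(sql_ev.sql)
        if template in self.rules:               # rule-base hit: no matching
            return self.rules[template], "rule_base"
        ev = best_match(sql_ev, recent_http)
        if ev is None:
            return None, "unmatched"
        rule = (split_url(ev.url)[0], ev.src_ip, ev.username)
        self.rules[template] = rule              # learn the new mapping
        return rule, "matched"

def demo():
    # Constructed events; the 198.51.100.7 / "auditor1" pair is made up.
    urla = HttpEvent(ms("09:00:00:955"), "198.51.100.7", "auditor1",
                     "http://192.168.0.1:80/find.aspx?param=aaa")
    urlb = HttpEvent(ms("09:00:00:020"), "116.226.187.17", "superadmin",
                     "http://192.168.0.1:80/login.aspx?username=superadmin&cs=utf-8&br=ie")
    auditor = Auditor()
    sqla = SqlEvent(ms("09:00:01:000"), "select * from table where name='aaa'")
    sqlb = SqlEvent(ms("09:05:00:000"), "select * from table where name='bbb'")
    return auditor.attribute(sqla, [urla, urlb]), auditor.attribute(sqlb, [])

if __name__ == "__main__":
    print(demo())
```

A rule-base hit returns the user profile stored when the mapping was learned, so the second statement in demo() is attributed with no HTTP candidates at all; an auditor reading such a record should treat the user as learned, not observed.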
In summary, the technical scheme provided by the application obtains the traffic data between browser end and middleware and the data flow data between the middleware and server at the same time, and determines the mapping relations between operation information and user profile by matching the data flow data with the traffic data, so that it is known which user performed a given operation on the database. Accurate database auditing is thereby achieved for a database system comprising middleware. In addition, because mapping relations whose matching has been completed are added to the rule base, when data flow data is subsequently obtained the corresponding user profile can be matched directly from the operation information according to the mapping relations already in the rule base, which speeds up matching and improves the efficiency of database auditing.
It should be noted that the application can be implemented in software and/or in a combination of software and hardware; for example, it can be realized with an application-specific integrated circuit (ASIC), a general-purpose computer or any other similar hardware device. In one embodiment, the software program of the application can be executed by a processor to realize the steps or functions described above. Similarly, the software program of the application (including relevant data structures) can be stored in a computer-readable recording medium, for example RAM memory, a magnetic or optical drive, a floppy disk or similar devices. In addition, some steps or functions of the application can be realized in hardware, for example as a circuit that cooperates with a processor to perform each step or function.
In addition, part of the application can be applied as a computer program product, for example computer program instructions which, when executed by a computer, can through the operation of that computer invoke or provide the method and/or technical scheme according to the application. The program instructions that invoke the method of the application may be stored in a fixed or removable recording medium, and/or be transmitted as a data stream in a broadcast or other signal-bearing medium, and/or be stored in the working memory of a computer device that runs according to the program instructions. Here, one embodiment according to the application comprises a device that comprises a memory for storing computer program instructions and a processor for executing program instructions, wherein, when the computer program instructions are executed by the processor, the device is triggered to run the method and/or technical scheme based on the aforementioned embodiments of the application.
To those skilled in the art, it is obvious that the application is not limited to the details of the above exemplary embodiments, and that the application can be realized in other specific forms without departing from its spirit or essential characteristics. Therefore, from whichever point of view, the embodiments should be regarded as exemplary and non-restrictive. The scope of the application is defined by the appended claims rather than by the above description, and all changes that fall within the meaning and scope of equivalents of the claims are therefore intended to be included in the application. Any reference sign in a claim should not be regarded as limiting the claim concerned. In addition, the word "comprising" obviously does not exclude other units or steps, and the singular does not exclude the plural. Multiple units or devices stated in a device claim may also be realized by one unit or device through software or hardware.

Claims (16)

1. A database audit method, wherein the method comprises:
obtaining the traffic data between browser end and middleware and the data flow data between the middleware and server, wherein the traffic data comprises user profile and the data flow data comprises operation information;
matching the data flow data with the traffic data;
if the match is successful, determining the mapping relations of the operation information that the data flow data comprises and the user profile that the traffic data comprises.
2. The method according to claim 1, wherein obtaining the traffic data between browser end and middleware and the data flow data between the middleware and server comprises:
obtaining the traffic data between browser end and middleware and the data flow data between the middleware and server, and pre-processing the data flow data and traffic data so that the information relevant to matching is retained.
3. The method according to claim 1 or 2, wherein, before the data flow data is matched with the traffic data, the method further comprises:
looking up in a rule base the operation information that the data flow data comprises, wherein the rule base comprises established mapping relations between operation information and user profile;
when the operation information is found in the rule base, determining according to the mapping relations the user profile corresponding to the operation information that the data flow data comprises.
4. The method according to claim 4, wherein the data flow data is matched with the traffic data when the operation information is not found in the rule base.
5. The method according to any one of claims 1 to 4, wherein, after determining the mapping relations of the operation information that the data flow data comprises and the user profile that the traffic data comprises, the method further comprises:
adding the mapping relations to the rule base.
6. The method according to any one of claims 1 to 5, wherein matching the traffic data with the data flow data comprises:
matching the traffic data with the data flow data according to the generation times of the traffic data and data flow data and the parameters they comprise.
7. The method according to claim 6, wherein matching the traffic data with the data flow data according to the generation times of the traffic data and data flow data and the parameters they comprise comprises:
determining a time weight value for the match according to the generation time of the traffic data and the generation time of the data flow data, and determining a parameter weighting value according to the parameters that the traffic data comprises and the parameters that the data flow data comprises;
matching the traffic data with the data flow data according to the time weight value and the parameter weighting value.
8. The method according to claim 7, wherein, when the traffic data is matched with the data flow data according to the time weight value and the parameter weighting value, the weight of the time weight value is higher than that of the parameter weighting value.
9. A database audit equipment, wherein the equipment comprises:
a data acquisition facility, for obtaining the traffic data between browser end and middleware and the data flow data between the middleware and server, wherein the traffic data comprises user profile and the data flow data comprises operation information;
a coalignment, for matching the data flow data with the traffic data;
a mapping device, for determining, when the match is successful, the mapping relations of the operation information that the data flow data comprises and the user profile that the traffic data comprises.
10. The equipment according to claim 9, wherein the data acquisition facility is for:
obtaining the traffic data between browser end and middleware and the data flow data between the middleware and server, and pre-processing the data flow data and traffic data so that the information relevant to matching is retained.
11. The equipment according to claim 9 or 10, wherein the equipment further comprises:
an inquiry unit, for looking up in a rule base, before the data flow data is matched with the traffic data, the operation information that the data flow data comprises, wherein the rule base comprises established mapping relations between operation information and user profile; and, when the operation information is found in the rule base, for determining according to the mapping relations the user profile corresponding to the operation information that the data flow data comprises.
12. The equipment according to claim 11, wherein the coalignment is for matching the data flow data with the traffic data when the operation information is not found in the rule base.
13. The equipment according to any one of claims 9 to 12, wherein the equipment further comprises:
a learning device, for adding the mapping relations to the rule base after the mapping relations of the operation information that the data flow data comprises and the user profile that the traffic data comprises have been determined.
14. The equipment according to any one of claims 9 to 13, wherein the coalignment is for matching the traffic data with the data flow data according to the generation times of the traffic data and data flow data and the parameters they comprise.
15. The equipment according to claim 14, wherein the coalignment is for determining a time weight value for the match according to the generation time of the traffic data and the generation time of the data flow data, and determining a parameter weighting value according to the parameters that the traffic data comprises and the parameters that the data flow data comprises; and for matching the traffic data with the data flow data according to the time weight value and the parameter weighting value.
16. The equipment according to claim 15, wherein, when the coalignment matches the traffic data with the data flow data according to the time weight value and the parameter weighting value, the weight of the time weight value is higher than that of the parameter weighting value.
CN201510566227.7A 2015-09-08 2015-09-08 Database auditing method and device Pending CN105138675A (en)

Publications (1)

Publication Number Publication Date
CN105138675A true CN105138675A (en) 2015-12-09

Similar Documents

Publication Publication Date Title
CN105138675A (en) Database auditing method and device
US9576075B2 (en) Context aware query selection
US20160301732A1 (en) Systems and Methods for Recording and Replaying of Web Transactions
CN106897347B (en) Webpage display method, operation event recording method and device
CN106897251B (en) Rich text display method and device
US10025872B2 (en) Managing browser tabs based on uniform resource locators
US20130185429A1 (en) Processing Store Visiting Data
CN104268082A (en) Pressure test method and pressure test device for browser
US8639560B2 (en) Brand analysis using interactions with search result items
CN103152391A (en) Journal output method and device
CN106126693A (en) The sending method of the related data of a kind of webpage and device
CN104135507A (en) A method and a device for hotlink protection
CN105183851A (en) Interaction method and device overcoming browser same-origin policy limit
CN103729380A (en) Data processing method, system and device
CN103605745A (en) Method, device and system for processing conversion paths
CN111368227A (en) URL processing method and device
US11250080B2 (en) Method, apparatus, storage medium and electronic device for establishing question and answer system
CN103905434A (en) Method and device for processing network data
CN107948234B (en) Data processing method and device
CN106354587A (en) Mirror image server and method for exporting mirror image files of virtual machine
CN110889065B (en) Page stay time determination method, device and equipment
CN113055420A (en) HTTPS service identification method and device and computing equipment
CN102918527B (en) Investigation method and system for web application hosting
Bhuvaneswari et al. A comparative study of different log analyzer tools to analyze user behaviors
CN110134377B (en) Data request processing method, device and equipment of power industry management information system

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20151209