CN110851461A - Method and device for auditing non-relational database and storage medium


Info

Publication number
CN110851461A
Authority
CN
China
Prior art keywords
relational database
auditing
result
action
request data
Prior art date
Legal status
Pending
Application number
CN201911057975.7A
Other languages
Chinese (zh)
Inventor
张志良
俞国新
肖珂
Current Assignee
Sangfor Technologies Co Ltd
Original Assignee
Sangfor Technologies Co Ltd
Application filed by Sangfor Technologies Co Ltd
Priority to CN201911057975.7A
Publication of CN110851461A

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F 16/00: Information retrieval; Database structures therefor; File system structures therefor
    • G06F 16/20: Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F 16/24: Querying
    • G06F 16/242: Query formulation
    • G06F 16/2433: Query languages


Abstract

The invention discloses an auditing method of a non-relational database, which comprises the following steps: collecting request data of a non-relational database to be audited; if the request data is data generated by an access request to a target object, taking the target object as an SQL table, and converting the request data into an SQL statement; detecting the access request according to the SQL statement to obtain a detection result; and executing corresponding result action according to the detection result so as to realize auditing of the non-relational database. The invention also discloses an auditing device and a storage medium of the non-relational database. The invention effectively realizes the safety audit of the non-relational database.

Description

Method and device for auditing non-relational database and storage medium
Technical Field
The invention relates to the field of databases, in particular to an auditing method, device and storage medium for a non-relational database.
Background
With the rapid development of computer technology, databases are used ever more widely; as the core of an information system, the security of the database is particularly important, and techniques for the security auditing of databases have therefore developed.
Currently, database auditing is aimed mainly at relational databases. A relational database organizes data with the relational model, storing it in rows and columns; a set of rows and columns is called a table, and a collection of tables constitutes the relational database. In a non-relational database, by contrast, data is stored in the form of objects, and the relationship between objects is determined by the attributes of each object itself. Because of these characteristics, auditing a non-relational database is very difficult, and existing database auditing has no technique that audits a non-relational database effectively.
The above is only for the purpose of assisting understanding of the technical aspects of the present invention, and does not represent an admission that the above is prior art.
Disclosure of Invention
The invention mainly aims to provide an auditing method, device and storage medium for a non-relational database, aiming at solving the technical problem that the auditing of the non-relational database cannot be carried out.
In order to achieve the above object, the present invention provides an auditing method for a non-relational database, comprising: collecting request data of a non-relational database to be audited; if the request data is data generated by an access request to a target object, taking the target object as an SQL table, and converting the request data into an SQL statement; detecting the access request according to the SQL statement to obtain a detection result; and executing corresponding result action according to the detection result so as to realize auditing of the non-relational database.
Optionally, the step of detecting the access request according to the SQL statement specifically includes: analyzing the SQL statement to extract a characteristic information set in the SQL statement; carrying out rule matching on the feature information set according to a plurality of safety rules to obtain a matching result; and taking the matching result as a detection result.
Optionally, the step of performing rule matching on the feature information set according to a plurality of security rules to obtain a matching result specifically includes: traversing at least one configuration file, and taking the traversed configuration file as a current configuration file; wherein, each configuration file is written with a safety rule; extracting at least one target feature information associated with the current profile from the set of feature information; carrying out rule matching on at least one target characteristic information by using the current configuration file to obtain a matching result; and after traversing is finished, obtaining matching results corresponding to the plurality of safety rules respectively.
Optionally, the step of performing a corresponding result action according to the detection result to audit the non-relational database includes: performing action matching on each matching result according to an action execution strategy to obtain a hit result action; the resulting action is performed.
Optionally, there are a plurality of said resulting actions that hit; the step of executing the result action specifically includes: acquiring the priority of each result action; acquiring a result action with the highest priority from the result actions; the highest priority resulting action is performed.
Optionally, after the step of collecting the request data sent by the client to the non-relational database to be audited, the auditing method for the non-relational database further includes: if the request data is not data generated by a request to a collection or a class, generating an audit log according to the request data.
In addition, in order to achieve the above object, the present invention further provides an auditing apparatus for a non-relational database, including: the acquisition module is used for acquiring request data of the non-relational database to be audited; the conversion module is used for taking the target object as an SQL (structured query language) table and converting the request data into an SQL statement if the request data is data generated by an access request of the target object; the detection module is used for detecting the access request according to the SQL statement; and the action execution module is used for executing corresponding result actions according to the detection result so as to realize the auditing of the non-relational database.
In addition, in order to achieve the above object, the present invention further provides an auditing apparatus for a non-relational database, including: the auditing system comprises a memory, a processor and an auditing program of the non-relational database, wherein the auditing program of the non-relational database is stored on the memory and can run on the processor, and when being executed by the processor, the auditing program of the non-relational database realizes the steps of the auditing method of the non-relational database.
In addition, to achieve the above object, the present invention further provides a storage medium, on which an auditing program of a non-relational database is stored, which when executed by a processor implements the steps of the auditing method of the non-relational database as described above.
According to the auditing method, auditing device and storage medium for a non-relational database provided by the embodiment of the invention, the request data of the non-relational database to be audited is collected; if the request data is data generated by an access request to a target object, the target object is used as an SQL table and the request data is converted into an SQL statement; the access request is detected according to the SQL statement to obtain a detection result; and the corresponding result action is executed according to the detection result to realize the auditing of the non-relational database. Using the data characteristics of the target object in the non-relational database, the request data accessing the target object is converted into an SQL statement, the request data is security-audited with SQL statement analysis technology, and the security auditing of the non-relational database is thereby realized.
Drawings
Fig. 1 is a schematic terminal structure diagram of a hardware operating environment according to an embodiment of the present invention;
FIG. 2 is a schematic flow chart of a first embodiment of an auditing method for a non-relational database according to the present invention;
FIG. 3 is a flowchart illustrating a detailed process of step S206 in a first embodiment of the auditing method for the non-relational database in FIG. 2;
FIG. 4 is a detailed flowchart of step S304 of a first embodiment of the auditing method for the non-relational database in FIG. 3;
FIG. 5 is a flowchart illustrating a detailed process of step S208 of a first embodiment of the auditing method for the non-relational database in FIG. 2;
FIG. 6 is a flowchart illustrating a detailed process of step S504 of a first embodiment of the auditing method for the non-relational database in FIG. 5;
FIG. 7 is a flowchart illustrating a second embodiment of an auditing method for a non-relational database according to the present invention;
FIG. 8 is a block diagram of an audit device of the non-relational database according to the present invention.
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
Fig. 1 is a schematic terminal structure diagram of a hardware operating environment according to an embodiment of the present invention.
The terminal of the embodiment of the present invention may be a PC (Personal Computer), a smart phone, a tablet PC, an e-book reader, an MP3 (Moving Picture Experts Group Audio Layer III) player, an MP4 (Moving Picture Experts Group Audio Layer IV) player, a portable computer, or another mobile terminal device with a display function.
As shown in fig. 1, the terminal may include: a processor 1001, such as a CPU, a network interface 1004, a user interface 1003, a memory 1005 and a communication bus 1002, where the communication bus 1002 is used to enable connection and communication between these components. The user interface 1003 may include a display screen (Display) and an input unit such as a keyboard (Keyboard), and the optional user interface 1003 may also include a standard wired interface and a wireless interface. The network interface 1004 may optionally include a standard wired interface and a wireless interface (e.g., a WI-FI interface). The memory 1005 may be a high-speed RAM memory or a non-volatile memory (e.g., a magnetic disk memory). The memory 1005 may alternatively be a storage device separate from the processor 1001.
Optionally, the terminal may further include a camera, a Radio Frequency (RF) circuit, a sensor, an audio circuit, a WiFi module, and the like. Such as light sensors, motion sensors, and other sensors. Specifically, the light sensor may include an ambient light sensor that may adjust the brightness of the display screen according to the brightness of ambient light, and a proximity sensor that may turn off the display screen and/or the backlight when the mobile terminal is moved to the ear. As one of the motion sensors, the gravity acceleration sensor can detect the magnitude of acceleration in each direction (generally, three axes), detect the magnitude and direction of gravity when the mobile terminal is stationary, and can be used for applications (such as horizontal and vertical screen switching, related games, magnetometer attitude calibration), vibration recognition related functions (such as pedometer and tapping) and the like for recognizing the attitude of the mobile terminal; of course, the mobile terminal may also be configured with other sensors such as a gyroscope, a barometer, a hygrometer, a thermometer, and an infrared sensor, which are not described herein again.
Those skilled in the art will appreciate that the terminal structure shown in fig. 1 is not intended to be limiting and may include more or fewer components than those shown, or some components may be combined, or a different arrangement of components.
As shown in fig. 1, a memory 1005, which is a kind of computer storage medium, may include therein an operating system, a network communication module, a user interface module, and an auditing program of a non-relational database.
In the terminal shown in fig. 1, the network interface 1004 is mainly used for connecting to a backend server and performing data communication with the backend server; the user interface 1003 is mainly used for connecting a client (user side) and performing data communication with the client; and processor 1001 may be configured to invoke an audit program of a non-relational database stored in memory 1005 and perform the following operations: collecting request data of a non-relational database to be audited; if the request data is data generated by an access request to a target object, taking the target object as an SQL table, and converting the request data into an SQL statement; detecting the access request according to the SQL statement to obtain a detection result; and executing corresponding result action according to the detection result so as to realize auditing of the non-relational database.
Further, processor 1001 may invoke an audit program of a non-relational database stored in memory 1005, and also perform the following operations: analyzing the SQL statement to extract a characteristic information set in the SQL statement; carrying out rule matching on the feature information set according to a plurality of safety rules to obtain a matching result; and taking the matching result as a detection result.
Further, processor 1001 may invoke an audit program of a non-relational database stored in memory 1005, and also perform the following operations: traversing a plurality of configuration files, and taking the traversed configuration files as current configuration files; wherein, each configuration file is written with a safety rule; extracting at least one target feature information associated with the current profile from the set of feature information; carrying out rule matching on at least one target characteristic information by using the current configuration file to obtain a matching result; and after traversing is finished, obtaining matching results corresponding to the plurality of safety rules respectively.
Further, processor 1001 may invoke an audit program of a non-relational database stored in memory 1005, and also perform the following operations: performing action matching on each matching result according to an action execution strategy to obtain a hit result action; the resulting action is performed.
Further, there are a plurality of the resulting actions that hit; processor 1001 may invoke an audit program of a non-relational database stored in memory 1005, and also perform the following operations: acquiring the priority of each result action; acquiring a result action with the highest priority from the result actions; the highest priority resulting action is performed.
Further, processor 1001 may invoke an audit program of a non-relational database stored in memory 1005, and also perform the following operation: if the request data is not data generated by a request to a collection or a class, generating an audit log according to the request data.
Referring to fig. 2, a first embodiment of a method for auditing a non-relational database, where the method for auditing a non-relational database includes:
step S202, collecting request data of a non-relational database to be audited;
Database auditing (DBAudit for short) is a technology that records database activity on the network in real time, performs fine-grained auditing and compliance management of database operations, raises alarms on risky behaviour the database is subjected to, and blocks attack behaviour. By recording, analysing and reporting the behaviour of users accessing the database, it helps the user produce compliance reports and trace incidents afterwards, while strengthening the record of network behaviour on internal and external databases and improving the security of data assets. The embodiment of the invention provides, in particular, an auditing method for a non-relational database.
A non-relational database, also known as NoSQL (Not Only SQL), means not just SQL (Structured Query Language). NoSQL was first introduced in 1998 as a lightweight, open-source relational database developed by Carlo Strozzi that did not provide SQL functionality. In 2009 the concept of NoSQL was raised again at a conference on distributed open-source databases, where NoSQL mainly referred to a database design model that is non-relational, distributed and does not provide ACID, the four basic elements of database transactions: Atomicity, Consistency, Isolation and Durability. In the same year, at the "NoSQL (east)" conference held in Atlanta, the most common definition of NoSQL became "non-relational", emphasizing the advantages of key-value stores and document databases rather than simply opposing the RDBMS (Relational Database Management System), and NoSQL thereby began to appear formally before the world.
The non-relational database includes the MongoDB database, the Caché database, the HBase database, the Hive database and the like. The specific non-relational database is not limited here; the examples merely illustrate one of the embodiments of the present application. In a non-relational database, data is stored in key-value form, document form, graph form and the like, and the stored objects are collections, classes, functions, indexes and the like. The storage form of a collection is consistent with a table in a relational database, and a class can serve as a column of a table in a relational database. Therefore, in the embodiment of the application, when a user accesses a collection or a class in a non-relational database, the collection or class is treated as a table of a relational database and the request data is converted to the corresponding SQL, so that SQL analysis can be performed on the converted SQL statement and the request data audited according to that analysis. When a user accesses other data in the non-relational database, such as a web page address, no SQL conversion is performed for that access and the accessed data is audited directly.
In this embodiment, the non-relational database to be audited is referred to simply as the database to be audited. When the terminal detects that the database to be audited has received an access request, it collects the request data of that access request so as to perform a security audit on it. Specifically, the terminal captures the access request at the port that receives it and parses out the request data carried in the access request. The request data is the access command with which the requesting client accesses the object it requests, and it includes at least the following information: client information of the request, information on the object to be accessed, the operation type of the access and the like. The operation types include adding, deleting, modifying and looking up data, and accessing web page addresses.
Step S204, if the request data is data generated by an access request to a target object, the target object is used as an SQL table, and the request data is converted into an SQL statement;
Since a non-relational database does not support SQL, it cannot be accessed through SQL statements. Because a non-relational database lacks a uniform access language, different database objects may need different types of access command, and those different command types are difficult to parse with a uniform parsing rule. SQL statements, on the other hand, can be parsed with uniform parsing rules; existing SQL statement parsing technology is mature, and the SQL statements of different access requests can conveniently be parsed to obtain the required information. In this embodiment, the target object includes a collection (Collection) or a class of the database to be audited; for example, a collection may contain a correspondence between name information and age information, and a class may contain a plurality of name information, where the collection may be a table of a relational database and the class may be a column of that table. Given that the storage form of a collection in a non-relational database is consistent with a table in a relational database, and that a class can serve as one column of such a table, in this embodiment the terminal treats the target object, such as a collection or class, as an SQL table and converts the request data for the target object into an SQL statement, so that the SQL statement can be further parsed to obtain the required information. Specifically, when the request data is data generated by an access request to a collection or class of the database to be audited, the terminal treats the collection or class as an SQL table and converts the request data into an SQL statement.
For example, when the request data is "set apreon = class(company.person).OpenId(10)", where "company.person" is the name of the class being accessed, the terminal uses the "company.person" class as an SQL table and converts the request data into the corresponding SQL statement, specifically "select * from company.person id = 10".
Step S206, detecting the access request according to the SQL statement to obtain a detection result;
The terminal detects the access request using the SQL statement obtained by the conversion. Specifically, the terminal extracts a feature information set from the SQL statement and performs detection on that set. In this embodiment, the terminal parses the SQL statement according to the lexical rules of SQL, extracts at least one piece of feature information from the SQL statement and obtains a feature information set. The feature information may be the type of the accessed database, the SQL table name, the operation type, keywords, fields, field values and the like. Operation types are classified by the object accessed, such as an access type for accessing an SQL table, an access type for accessing an index, an access type for accessing a function and the like; the keywords of the SQL statement express access operations, such as add, delete, modify and find operations on the SQL table, access operations on the indexed web page and the like; a field is a constant or variable in the SQL statement, and a field value is the value of that field in the SQL statement. For example, in the SQL statement "select * from company.person id = 10" above, the access type is an access to the SQL table "company.person", the keyword "select" indicates a query operation, and the field value of the field "id" is "10".
In this embodiment, the terminal detects the feature information set with a preset security rule to obtain the corresponding detection result. The security rule may be implemented by a local program or as an external plug-in. Specifically, the security rule may be a preset feature set: when the feature information set hits any preset feature in that set, the detection result may be danger, and conversely, when it hits none of the features in the set, the detection result is safe. In this embodiment, the detection result may be set to a plurality of security levels, such as level 1, level 2, ..., level n, where n is a positive integer greater than or equal to 2. The detection result at each security level can be determined by the number of features in the security rule hit by the feature information set: for example, when the feature information set hits one preset feature the corresponding detection result is level 1, and when it hits n preset features the corresponding detection result is level n. The detection result at each security level can also be determined by the user's access behaviour, which may be a combination of the accessed object and the access operation; for example, operation 1 on access object A can be set as a level 1 detection result and operation 2 on access object A as a level 2 detection result, where, specifically, access object A is table A, operation 1 is reading the data of table A and operation 2 is deleting the data of table A.
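The conversion of step S204 and the lexical feature extraction of step S206, as an added Python example that is not part of the patent. It assumes the request grammar shown on the page (set <var> = class(<Class>).OpenId(<id>)), adds a hypothetical DeleteId counterpart so a deletion request can be shown beside the query, and emits the SQL with an explicit WHERE clause.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Assumed grammar for an object-access request, modelled on the page's
# "set apreon = class(company.person).OpenId(10)". DeleteId is hypothetical,
# added so a deletion request can be audited alongside the query.
OBJECT_REQUEST = re.compile(
    r"^\s*(?:set\s+\w+\s*=\s*|do\s+)?class\((?P<cls>[A-Za-z_][\w.]*)\)"
    r"\.(?P<method>OpenId|DeleteId)\((?P<id>\d+)\)\s*$",
    re.IGNORECASE,
)

# The accessed class is treated as the SQL table and the object id becomes the
# row selector. The WHERE keyword is this example's own addition.
METHOD_TO_SQL = {
    "openid": "select * from {cls} where id = {id}",
    "deleteid": "delete from {cls} where id = {id}",
}


def to_sql(request: str) -> Optional[str]:
    """Step S204: rewrite a request against a collection/class as SQL.

    Returns None when the request does not target a collection or class
    (e.g. a web page address); the caller audits such requests directly.
    """
    m = OBJECT_REQUEST.match(request)
    if not m:
        return None
    return METHOD_TO_SQL[m["method"].lower()].format(cls=m["cls"], id=m["id"])


# Lexical tokens of an SQL statement: string literal, number, identifier
# (dots allowed for schema.table names) or a single-character operator.
TOKEN = re.compile(r"'(?:[^']|'')*'|\d+(?:\.\d+)?|[A-Za-z_][\w.]*|[*=<>,()]")


@dataclass
class FeatureSet:
    """Feature information extracted from one SQL statement."""
    db_type: str                        # type of the accessed database
    keyword: str                        # leading keyword, expresses the operation
    operation: str                      # operation type classified by access object
    table: Optional[str] = None         # SQL table name (the collection or class)
    fields: dict = field(default_factory=dict)   # field -> field value


def extract_features(sql: str, db_type: str = "cache") -> FeatureSet:
    """Step S206: lexically analyse the SQL and collect its feature set."""
    tokens = TOKEN.findall(sql)
    lowered = [t.lower() for t in tokens]
    keyword = lowered[0]

    table = None
    if "from" in lowered:                       # select / delete ... from T
        table = tokens[lowered.index("from") + 1]
    elif keyword == "update":                   # update T set ...
        table = tokens[1]
    elif keyword == "insert" and "into" in lowered:
        table = tokens[lowered.index("into") + 1]

    if lowered[:2] in (["create", "index"], ["drop", "index"]):
        operation = "index access"
    else:
        operation = "table access" if table else "other"

    fields = {}
    if "where" in lowered:                      # where f = v [and f = v ...]
        rest = tokens[lowered.index("where") + 1:]
        for i in range(0, len(rest) - 2, 4):
            if rest[i + 1] == "=":
                fields[rest[i]] = rest[i + 2].strip("'")

    return FeatureSet(db_type, keyword, operation, table, fields)


if __name__ == "__main__":
    # Constructed request data in the style of the page's example.
    for request in ("set apreon = class(company.person).OpenId(10)",
                    "do class(company.person).DeleteId(10)",
                    "get http://example.invalid/index"):
        sql = to_sql(request)
        print(request, "->", sql, "->",
              extract_features(sql) if sql else "audit directly")
```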
And S208, executing corresponding result action according to the detection result so as to audit the non-relational database.
In this embodiment, different detection results correspond to different result actions. The result action may be set to deny access, allow access and the like. In one embodiment, the result action is to generate an audit log according to the feature information, to send an alarm for the user request corresponding to the request data, or to reject the user request corresponding to the request data. The alarm comprises risk prompt information and a query on whether to continue the access, and on receiving the alarm the user can choose whether to continue requesting access. Specifically, when the result action corresponding to the detection result is to generate an audit log, the corresponding audit log is generated from the feature information of the SQL statement so as to record the user's access behaviour to the database to be audited. The terminal may store the generated audit log and may print it to the display screen of the terminal for the user to browse; when the terminal stores the audit log, it may print it to the display screen after receiving an instruction to view the audit log. When the result action corresponding to the detection result is to send an alarm for the user request corresponding to the request data, the terminal generates alarm information and outputs it to the display screen of the terminal to remind the user that the access may carry a risk. When the result action corresponding to the detection result is to reject the user request corresponding to the request data, the terminal directly rejects the user's access to the database to be audited; for example, when the user requests to delete the data of an important collection or class, the terminal executes the result action of rejecting the access according to the detection result.
In this embodiment, the security audit of the non-relational database is realized as follows: the request data of the non-relational database to be audited is collected; if the request data is data generated by an access request to a target object, the target object is used as an SQL table and the request data is converted into an SQL statement; the access request is detected according to the SQL statement to obtain a detection result; and the corresponding result action is executed according to the detection result. By using the data characteristics of the target object in the non-relational database, the request data accessing the target object is converted into an SQL statement, and the request data is security-audited with SQL statement analysis technology.
Referring to fig. 3, in an embodiment, based on the first embodiment of the auditing method of the non-relational database shown in fig. 2, the step S206 specifically includes:
step S302, analyzing the SQL statement to extract a characteristic information set in the SQL statement;
In this embodiment, the terminal parses the SQL statement according to the lexical rules of SQL, extracts at least one piece of feature information from the SQL statement and obtains a feature information set. The feature information may be the type of the accessed database, the SQL table name, the operation type, keywords, fields, field values and the like. Operation types are classified by the object accessed, such as an access type for accessing an SQL table, an access type for accessing an index, an access type for accessing a function and the like; the keywords of the SQL statement express access operations, such as add, delete, modify and find operations on the SQL table, access operations on the indexed web page and the like; a field is a constant or variable in the SQL statement, and a field value is the value of that field in the SQL statement.
Step S304, carrying out rule matching on the characteristic information set according to a plurality of safety rules to obtain a matching result;
and step S306, taking the matching result as a detection result.
In this embodiment, the detection result is a matching result obtained by performing rule matching on the feature information set using a plurality of security rules. The terminal performs step S208 with the matching result as the detection result.
The plurality of security rules are implemented by a plurality of security rule plug-ins, respectively. The terminal uses the security rule plug-ins in turn to perform rule matching on the feature information set, obtaining a matching result between the feature information set and each security rule. Each security rule plug-in is written with a security rule program, and each security rule plug-in has a unique rule ID. Each security rule program includes a match-hit determination for the feature information: for example, when the security rule program determines whether the feature information set includes at least one designated piece of target feature information, it determines that the feature information set matches when all designated target feature information is hit in the feature information set. For example, when the target feature information is an object A and an operation B, the security rule program may determine whether object A and operation B are hit at the same time, where object A may be a specified SQL table and operation B a specified operation type such as a data delete operation; when the feature information set hits both object A and operation B, it is determined that they match. Specifically, the terminal calls the security rule plug-ins in sequence to perform rule matching on the feature information set, and when the feature information set contains feature information that completely matches the called security rule plug-in, the rule ID of that plug-in is obtained. When the terminal has matched against all security rule plug-ins, it obtains the set of all rule IDs matched by the feature information set. In this embodiment, the terminal uses the obtained rule ID set as the matching result of the rule matching on the feature information set.
In this embodiment, the SQL statement is parsed to extract the feature information set in it, the feature information set is rule-matched against the plurality of security rules to obtain the matching result, and the matching result is used as the detection result, so that the feature information obtained by parsing the SQL statement is detected.
Referring to fig. 4, in an embodiment, the step S304 specifically includes:
Step S402, traversing at least one configuration file and taking the traversed configuration file as the current configuration file, wherein a security rule is written in each configuration file;
In this embodiment, the security rule program is stored in the form of a configuration file. The configuration file may be stored in local memory or on an external storage device. Each configuration file contains a unique rule ID. Specifically, the terminal traverses the plurality of configuration files and takes the file reached by the traversal as the current configuration file. The traversal order may be the storage order of the configuration files, the order of their sizes, the sorting order of the rule IDs, or another traversal order.
Step S404, extracting at least one piece of target feature information associated with the current configuration file from the feature information set;
The terminal extracts from the feature information set at least one piece of feature information associated with the security rule of the current configuration file, according to the characteristics of that rule. For example, if the security rule in the current configuration file identifies the security level of an operation type on an access object, such as deleting a certain SQL table, the terminal extracts two pieces of feature information from the feature information set: the SQL table name of the access object and the operation type performed on it.
Step S406, performing rule matching on the at least one piece of target feature information using the current configuration file to obtain a matching result;
The current configuration file records the association between the pieces of target feature information it relates to and their corresponding security levels. For example, in the current configuration file the security level of a delete operation on SQL table 1 is level one, that of a modify operation on SQL table 1 is level two, that of a query operation on SQL table 1 is level three, the security levels of the add, delete, modify and query operations on SQL table 2 are all level three, and so on. The terminal performs rule matching on the extracted target feature information using the security rule written in the current configuration file to obtain a matching result, where the matching result is the security level.
Step S408, after the traversal is completed, obtaining the matching results corresponding to the plurality of security rules respectively.
After the traversal is completed, the terminal has obtained a plurality of matching results, one per security rule, and executes step S306 and step S208 with these matching results as the detection result.
In this embodiment, a plurality of configuration files, each containing a security rule, are traversed and the traversed file is taken as the current configuration file; at least one piece of target feature information associated with the current configuration file is extracted from the feature information set, and rule matching is performed on it using the current configuration file to obtain a matching result. Because the configuration files holding the security rules are traversed and used one after another for rule matching on the target feature information, the matching of the security rules against the feature information is completed in an orderly and efficient way.
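The rule matching of steps S402 to S408, together with the sequential rule-ID matching described for the security rule plug-ins above, as an added Python example (this is illustrative code, not code from the patent or from Sangfor). Configuration files are modelled as inline JSON strings traversed in rule-ID order, the feature information set is a dict of table name and operation type extracted from a simple SQL statement by a small regex parser, and the JSON layout, file names, table names and rule IDs are all constructed for illustration.

```python
import json
import re
from dataclasses import dataclass

# Constructed sample "configuration files": each holds one security rule with a
# unique rule ID and the security levels it assigns to (table, operation) pairs.
# The JSON layout and file names are assumptions for this example.
CONFIG_FILES = {
    "rule_02.json": json.dumps({
        "rule_id": 2,
        "targets": ["table", "operation"],
        "levels": {"table1": {"select": 3}},
    }),
    "rule_01.json": json.dumps({
        "rule_id": 1,
        "targets": ["table", "operation"],
        "levels": {"table1": {"delete": 1, "update": 2}, "table2": {"*": 3}},
    }),
}

# Minimal SQL shapes the feature extractor understands (constructed subset).
_SQL_PATTERNS = [
    (re.compile(r"^\s*delete\s+from\s+(\w+)", re.I), "delete"),
    (re.compile(r"^\s*update\s+(\w+)", re.I), "update"),
    (re.compile(r"^\s*insert\s+into\s+(\w+)", re.I), "insert"),
    (re.compile(r"^\s*select\b.*?\bfrom\s+(\w+)", re.I | re.S), "select"),
]


def extract_features(sql):
    """Parse a simple SQL statement into a feature information set (table + operation)."""
    for pattern, op in _SQL_PATTERNS:
        m = pattern.search(sql)
        if m:
            return {"table": m.group(1).lower(), "operation": op}
    return {}  # unknown statement shape: no feature information


@dataclass(frozen=True)
class Match:
    rule_id: int   # unique ID of the rule that was hit
    level: int     # security level the rule assigns (the matching result)


def load_rules(files):
    """S402: traverse the configuration files, here in sorting order of rule ID."""
    rules = [json.loads(text) for text in files.values()]
    return sorted(rules, key=lambda r: r["rule_id"])


def match_rules(features, files=CONFIG_FILES):
    """S404-S408: match every rule against the feature set; returns one Match per hit rule."""
    results = []
    for rule in load_rules(files):
        # S404: pull out only the target feature information this rule cares about.
        target = {key: features.get(key) for key in rule["targets"]}
        if any(value is None for value in target.values()):
            continue  # rule needs feature information the statement did not provide
        table_levels = rule["levels"].get(target["table"])
        if not table_levels:
            continue  # the rule says nothing about this table
        # S406: an explicit operation entry wins; "*" is the catch-all for the table.
        level = table_levels.get(target["operation"], table_levels.get("*"))
        if level is not None:
            results.append(Match(rule["rule_id"], level))
    return results  # S408: matching results for all rules, in traversal order


def hit_rule_ids(results):
    """The rule ID set described for the plug-in variant of the matching."""
    return {m.rule_id for m in results}


def audit_sql(sql):
    """End-to-end: SQL statement -> feature information set -> matching results."""
    return match_rules(extract_features(sql))
```

A rule that finds no entry for the table, or no entry for the operation and no catch-all, simply produces no matching result, so an absent rule ID in `hit_rule_ids` is the "no hit" signal rather than a default level.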
Referring to fig. 5, in an embodiment, the step S208 specifically includes:
Step S502, performing action matching on each matching result according to an action execution strategy to obtain the hit result action;
The action execution strategy is the association between matching results and result actions. The matching results are classified into different security levels; specifically, the terminal classifies the security level of a matching result according to the rule IDs it matched. For example, a matching result that matched rule ID 1 is classified as level one, and a matching result that did not match rule ID 1 but matched rule ID 2 is classified as level two. The feature information covered by rule ID 1 may be, for example, "table 1" and "delete operation", and the feature information covered by rule ID 2 may be "table 1" and "query operation". In this embodiment the rule for dividing matching results into security levels is not specifically limited, and those skilled in the art may set other division rules according to actual needs, for example assigning a matching result with more hit rule IDs a higher or lower security level. In this embodiment, the matching results of each security level correspond to result actions of different levels: a matching result with security level one corresponds to a level-one result action, a matching result with security level two corresponds to a level-two result action, …, and a matching result with security level n corresponds to a level-n result action. The specific operation of each level of result action may be generating an audit log according to the feature information, sending an alarm for the user request corresponding to the request data, rejecting the user request corresponding to the request data, or the like.
In this embodiment, the first-level result action is to reject the user request corresponding to the request data, the second-level result action is to issue an alarm for the user request corresponding to the request data, and the third-level result action is to generate an audit log according to the feature information. Those skilled in the art can set the number of result action levels and the specific operations of other kinds of result actions according to actual requirements; these are not specifically limited here.
Step S504, executing the result action.
In this embodiment, the terminal may execute all hit result actions, or may execute at least one result action according to a preset rule, so as to complete the security audit of the non-relational database.
In this embodiment, the action execution strategy is used to perform action matching on the matching result to obtain the result action it hits. Because the result action follows directly from the correspondence between matching result and result action in the action execution strategy, it is quick and convenient to set up and execute.
In one embodiment, the preset rule is to execute the result action with the highest priority according to the priorities of the result actions of each level. Specifically, referring to fig. 6, when a plurality of result actions are hit, step S504 specifically includes:
Step S602, acquiring the priority of each result action;
In this embodiment, a priority is preset for each level of result action. For example, result action levels in ascending order of level number may be assigned priorities from high to low, and a result action with a higher priority is executed in preference to one with a lower priority.
Step S604, obtaining the result action with the highest priority from the result actions;
The terminal compares the priorities of the result actions to obtain the result action with the highest priority.
Step S606, executing the result action with the highest priority.
The terminal executes the result action with the highest priority. For example, the terminal hits three levels of result actions: a first-level result action, a second-level result action and a third-level result action, whose priorities from high to low place the first-level result action above the second-level result action and the second-level result action above the third-level result action, so the terminal selects the first-level result action and executes it. If, for example, the first-level result action is rejecting the user request corresponding to the request data, the second-level result action is sending an alarm for that user request, and the third-level result action is generating an audit log according to the feature information, then the terminal executes the result action of rejecting the user request corresponding to the request data.
In this embodiment, by using the priorities of the result actions, the result action with the highest priority is obtained from the result actions and executed, so that the plurality of result actions corresponding to each matching result can be managed effectively.
Referring to fig. 7, in a second embodiment of the auditing method for a non-relational database, after step S202 the auditing method further includes:
Step S702, if the request data is not data generated by a request for a set or a class, generating an audit log according to the request data.
When the request data is not data generated by a request for a set or a class, the terminal does not convert the request data into an SQL statement and directly generates the audit log from the request data. For example, for request data that accesses a web site, the terminal directly generates and outputs an audit log according to the request data.
In this embodiment, when the request data is not data generated by a request for a set or a class, the audit log is generated directly from the request data, and a user can learn how the database was accessed by checking the audit log, which completes the audit of request data whose access object in the non-relational database is not a set or a class.
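The action execution strategy of steps S502 and S504 and the priority selection of steps S602 to S606, as an added Python example (illustrative code, not the patent's or Sangfor's own). It assumes the three-level policy the text uses as its example (level one rejects, level two alarms, level three writes an audit log), assumes that a lower level number means a higher priority, and takes the security levels of the matching results, the request record and the feature information set as constructed inputs; the field names are assumptions.

```python
from dataclasses import dataclass, field

# Action execution strategy from the page's example: security level -> result action.
ACTION_POLICY = {1: "reject", 2: "alarm", 3: "audit_log"}

# Priority of each result action (assumption following the page's example):
# level one outranks level two, which outranks level three. Lower number = higher priority.
PRIORITY = {"reject": 0, "alarm": 1, "audit_log": 2}


@dataclass
class Outcome:
    executed: list                                  # result actions actually run, in order
    hit_actions: list                               # every result action hit (S502)
    audit_log: list = field(default_factory=list)   # constructed log lines written by actions


def match_actions(match_levels, policy=ACTION_POLICY):
    """S502: action-match each matching result (its security level) to a result action.

    Levels without a policy entry hit nothing; duplicates collapse to one action.
    """
    hits = []
    for level in sorted(set(match_levels)):
        action = policy.get(level)
        if action is not None and action not in hits:
            hits.append(action)
    return hits


def _run(action, request, features, log):
    """Perform one result action; here each action just records what it would do."""
    if action == "reject":
        log.append(f"REJECT request {request['id']}: "
                   f"{features['operation']} on {features['table']}")
    elif action == "alarm":
        log.append(f"ALARM request {request['id']} from {request['client']}")
    elif action == "audit_log":
        log.append(f"AUDIT {request['client']} {features['operation']} {features['table']}")


def execute_actions(hits, request, features, mode="highest"):
    """S504: run the hit result actions.

    mode="highest" implements S602-S606 (only the highest-priority action runs);
    mode="all" runs every hit action, highest priority first.
    """
    out = Outcome(executed=[], hit_actions=list(hits))
    if not hits:
        return out  # nothing matched: no result action to execute
    ordered = sorted(hits, key=lambda a: PRIORITY[a])   # S602/S604: rank by priority
    to_run = ordered[:1] if mode == "highest" else ordered
    for action in to_run:                               # S606: execute
        _run(action, request, features, out.audit_log)
        out.executed.append(action)
    return out


def audit_request(match_levels, request, features, mode="highest"):
    """Step S208 end to end: matching results -> hit actions -> executed actions."""
    return execute_actions(match_actions(match_levels), request, features, mode)
```

Keeping `hit_actions` alongside `executed` preserves, for the audit trail, which lower-priority actions were suppressed by the highest-priority one, which is the information an operator needs when tuning the policy.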
Referring to fig. 8, an embodiment of the present invention further provides an auditing apparatus for a non-relational database, where the auditing apparatus for a non-relational database includes:
the acquisition module 810, configured to acquire request data of the non-relational database to be audited;
the conversion module 820, configured to, if the request data is data generated by an access request for a target object, take the target object as an SQL table and convert the request data into an SQL statement;
the detection module 830, configured to detect the access request according to the SQL statement to obtain a detection result;
the action execution module 840, configured to execute a corresponding result action according to the detection result so as to audit the non-relational database.
In this embodiment, request data of the non-relational database to be audited is collected; if the request data is data generated by an access request for a target object, the target object is taken as an SQL table and the request data is converted into an SQL statement; the access request is detected according to the SQL statement to obtain a detection result; and a corresponding result action is executed according to the detection result to audit the non-relational database. By using the data characteristics of the target object in the non-relational database, the request data accessing the target object is converted into an SQL statement and the security audit of the request data is carried out with SQL statement analysis technology, which realizes the security audit of the non-relational database.
Optionally, the detection module 830 is further configured to parse the SQL statement to extract the feature information set in the SQL statement, perform rule matching on the feature information set according to a plurality of security rules to obtain a matching result, and take the matching result as the detection result.
Optionally, the detection module 830 is further configured to traverse a plurality of configuration files and take the traversed file as the current configuration file, wherein a security rule is written in each configuration file; extract at least one piece of target feature information associated with the current configuration file from the feature information set; perform rule matching on the target feature information using the current configuration file to obtain a matching result; and, after the traversal is finished, obtain the matching results corresponding to the plurality of security rules respectively.
Optionally, the action execution module 840 is further configured to perform action matching on each matching result according to an action execution strategy to obtain the hit result action, and to execute the result action.
Optionally, a plurality of result actions are hit, and the action execution module 840 is further configured to obtain the priority of each result action, obtain the result action with the highest priority from the result actions, and execute the result action with the highest priority.
Optionally, the auditing apparatus for the non-relational database further includes an audit log generation module configured to generate an audit log according to the request data if the request data is not data generated by a request for a set or a class.
In addition, an embodiment of the present invention further provides an auditing apparatus for a non-relational database, which includes a memory, a processor, and an auditing program for the non-relational database that is stored in the memory and executable on the processor; when executed by the processor, the auditing program implements the steps of the embodiments of the auditing method for a non-relational database described above.
In addition, an embodiment of the present invention further provides a storage medium on which an auditing program for a non-relational database is stored; when executed by a processor, the auditing program implements the steps of the embodiments of the auditing method for a non-relational database described above.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in a process, method, article, or system that comprises the element.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium (e.g., ROM/RAM, magnetic disk, optical disk) as described above and includes instructions for enabling a terminal device (e.g., a mobile phone, a computer, a server, an air conditioner, or a network device) to execute the method according to the embodiments of the present invention.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by using the contents of the present specification and the accompanying drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.

Claims (10)

1. A non-relational database auditing method is characterized by comprising the following steps:
collecting request data of a non-relational database to be audited;
if the request data is data generated by an access request to a target object, taking the target object as an SQL table, and converting the request data into an SQL statement;
detecting the access request according to the SQL statement to obtain a detection result;
and executing corresponding result action according to the detection result so as to realize auditing of the non-relational database.
2. The auditing method for a non-relational database according to claim 1, wherein the step of detecting the access request according to the SQL statement specifically comprises:
parsing the SQL statement to extract a feature information set in the SQL statement;
performing rule matching on the feature information set according to a plurality of security rules to obtain a matching result;
and taking the matching result as the detection result.
3. The auditing method for a non-relational database according to claim 2, wherein the step of performing rule matching on the feature information set according to a plurality of security rules to obtain a matching result specifically comprises:
traversing at least one configuration file and taking the traversed configuration file as the current configuration file, wherein a security rule is written in each configuration file;
extracting at least one piece of target feature information associated with the current configuration file from the feature information set;
performing rule matching on the at least one piece of target feature information based on the current configuration file to obtain a matching result;
and after the traversal is finished, obtaining matching results corresponding to the plurality of security rules respectively.
4. The auditing method for a non-relational database according to claim 3, where said step of performing a corresponding result action based on the detection result to audit the non-relational database specifically comprises:
performing action matching on each matching result according to an action execution strategy to obtain a hit result action;
the resulting action is performed.
5. A method for auditing a non-relational database according to claim 4, wherein there are a plurality of said resulting actions that hit;
the step of executing the result action specifically includes:
acquiring the priority of each result action;
acquiring a result action with the highest priority from the result actions;
the highest priority resulting action is performed.
6. The auditing method for a non-relational database according to claim 1, wherein after the step of collecting request data of the non-relational database to be audited, the auditing method for a non-relational database further comprises:
and if the request data is not data generated by a request for a set or a class, generating an audit log according to the request data.
7. An auditing apparatus for a non-relational database, the auditing apparatus comprising:
the acquisition module is used for acquiring request data of the non-relational database to be audited;
the conversion module is used for taking the target object as an SQL (structured query language) table and converting the request data into an SQL statement if the request data is data generated by an access request of the target object;
the detection module is used for detecting the access request according to the SQL statement to obtain a detection result;
and the action execution module is used for executing corresponding result actions according to the detection result so as to realize the auditing of the non-relational database.
8. An auditing apparatus for a non-relational database, the auditing apparatus for a non-relational database further comprising: and the audit log generation module is used for generating the audit log according to the request data if the request data is not the data generated by the request of the set or the class.
9. An auditing apparatus for a non-relational database, the auditing apparatus comprising: memory, processor and auditing program for non-relational databases stored on said memory and executable on said processor, said auditing program for non-relational databases, when executed by said processor, implementing the steps of the auditing method for non-relational databases according to any of claims 1 to 6.
10. A storage medium having stored thereon an auditing program for a non-relational database, the auditing program for a non-relational database when executed by a processor implementing the steps of a method for auditing a non-relational database according to any one of claims 1 to 6.
CN201911057975.7A 2019-10-31 2019-10-31 Method and device for auditing non-relational database and storage medium Pending CN110851461A (en)

Publications (1)

Publication Number Publication Date
CN110851461A true CN110851461A (en) 2020-02-28

Family

ID=69598331

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (application publication date: 20200228)