KR20040052569A - Method and system for monitoring and securing a database - Google Patents

Abstract

PURPOSE: A method and a device for monitoring/securing a database are provided to manage the database by monitoring the database even if an internal user accesses the database with a normal authority. CONSTITUTION: A login server(430) prevents a terminal combined with a database monitoring/securing device from directly connecting to the database, and generates/analyzes/stores the login information corresponding to a search standard including at least one from a user ID, an access IP, a time zone, a terminal name, network, a query, an instruction, an application, and the data to be accessed by analyzing a signal received from the terminal. An engine server(440) includes a search part and a security managing part. The search part provides the login information, the database access particulars, and the operation particulars according to the database access particulars depending on the search standard. The security managing part judges that the login information is corresponding to a security condition, and performs at least one from the data backup/recovery, the access interruption, or the forced termination depending on a kind of the security condition.

Description

Method and system for monitoring and securing a database

The present invention relates to a method and apparatus for monitoring and securing a database. More particularly, the present invention relates to a database monitoring and security apparatus that can manage a case where an insider accesses a database with normal authority through database monitoring.

Referring to the monitoring and security method according to the prior art as follows. Early security has been developed with a focus on preventing intrusion from the outside, but interest in security from insiders as well as security from the outside is increasing. However, according to the related art, there is a problem in that proper monitoring and security cannot be performed for a user having a right in security by an insider.

In practice, most information leaks are caused by legitimate users who can access the data, and such leaks can cause more serious and fatal damage than hacking incidents from outside. Since only the insider can access the high-level information on the key confidentiality of the information managed in the database, such information may cause a problem of information leakage by a user with proper authority.

In particular, according to the prior art, there is no way to manage security by using the type of application to connect to the database. According to the prior art, by using an ODBC configuration or simply by acquiring an Oracle account, and reconnecting using an application such as Toad or SQL Plus, all user restrictions and security settings of the 4GL Client program There is a problem bypassing it.

That is, according to the prior art, there is a problem that there is no efficient method and apparatus capable of performing monitoring, security and auditing of normal activities for legitimate users.

The present invention has been made to solve the above-described problems, and to provide a database monitoring and security device that can manage even when the insider accesses the database with normal authority through the database monitoring. That is, the present invention provides database monitoring and audit for the part where the insider accesses the database with normal authority through database monitoring, and database protection for managing deleted or changed contents in case of deletion or change of data stored in the database. It can play the role of database security that provides access control according to IP, user error, Query command, etc. that could not be provided in database. In addition, the present invention may be configured such that all these tasks operate on a separate device from the database server and do not place a load on the database.

In addition, another object of the present invention is to provide a method and apparatus for monitoring and security of the database, as well as monitoring whether or not to query the database, in order to prevent misuse of information, to perform the audit and control of legitimate users In providing.

In addition, another object of the present invention is to provide a device and method that can not only conveniently set the security conditions in accordance with the security policy to the administrator, but also to secure the database in real time according to the security conditions.

In addition, another object of the present invention is to provide a method and apparatus for managing security by using a type of application that cannot be achieved by the existing security program.

1A and 1B are views showing the configuration of a database monitoring and security system according to a preferred embodiment of the present invention.

2 is a diagram showing the configuration of a database security server according to a preferred embodiment of the present invention.

3 is a view showing the configuration of the engine server unit according to a preferred embodiment of the present invention.

4 illustrates a data structure according to a preferred embodiment of the present invention.

5 is a view showing the configuration of a monitoring unit according to an embodiment of the present invention.

6 is a diagram illustrating a configuration of a backup and recovery unit according to an embodiment of the present invention.

7 is a flow chart showing the operation of the security management unit according to an embodiment of the present invention.

8 is a diagram illustrating a configuration of a backup and recovery unit according to an embodiment of the present invention.

9A to 9C are views illustrating a user interface screen according to a preferred embodiment of the present invention.

<Explanation of symbols for the main parts of the drawings>

100: external terminal 200: internal terminal

300: application unit 400: database security server

500: database 450: search unit

460: security management 470: support

610: monitoring unit 620: inquiry unit

630: reporting unit 640: backup and recovery unit

650: security block 660: forced termination

670: load balancing unit 680: multi-server support unit

690: condition setting unit

In order to achieve the above object, according to an aspect of the present invention to provide a database monitoring and security device that can be managed even when the insider accesses the database with normal authority through the database monitoring.

According to a preferred embodiment, the monitoring and security device for the database prevents at least one terminal coupled to the database monitoring and security device from directly accessing the database, corresponding to the terminal attempting to access the database. Search criteria including at least one of a user ID, an access IP, a time zone, a terminal name, a network, a query, a command, an application type, and data to be connected by analyzing a signal received from at least one terminal that can access a database. Logging server unit for generating, analyzing and storing the logging information corresponding to the; A search unit for providing logging information, a database access history, an operation history according to the access history, and a security condition including at least one of a preset backup condition, a blocking condition, and an end condition according to the search criteria; Determining whether the data is stored in the database; and if the security condition corresponds to the security condition, at least one of backup and recovery of data stored in the database, disconnection of the data, and forced termination of the connection according to the security condition. An engine server unit including a security manager for performing the operation; And a controller for organically controlling the logging server unit and the engine server unit to perform an operation according to the security condition.

Here, the database monitoring and security device may further include a client module unit including a NAT module for connecting the terminal to the database.

The search unit analyzes and searches the sentences and commands included in the signal according to the search criteria to generate the logging information for the terminal currently connected to the database security server, and provides the logging information in real time. Monitoring unit for; And an inquiry unit for providing logging information about a terminal that is previously connected to a database security server.

The search unit may further include a reporting unit for providing the analyzed information of the logging information using a preset user interface, and the security manager may include a command for requesting the database corresponding to a preset command. After storing the data corresponding to the object of the command in the storage unit of the database security server, and may further include a backup and recovery unit for performing the command corresponding to the command.

And if the size of the result data corresponding to the command is greater than or equal to a preset size; When the application type included in the logging information does not use a preset application; And at least one of a security blocking unit and a forced termination unit for blocking access to the data when attempting to access a preset data table.

The engine search unit may further include: a load balancer configured to perform load balancing of the plurality of database servers when there are a plurality of database servers for managing the database; And a multi-server support unit for performing monitoring and security for database servers using different network protocols.

In order to achieve the above object, according to another aspect of the present invention to provide a database monitoring and security method that can be managed even when the insider accesses the database with normal authority through the database monitoring.

According to a preferred embodiment, a method of monitoring and securing a database connected to said database security server at a database security server comprises: (a) from at least one terminal capable of accessing said database via said database security server; Analyze the received signal to generate logging information corresponding to a search criterion including at least one of a user ID, an access IP, a time zone, a terminal name, a network, a query, a command, an application type, and data to be accessed, and the logging. Displaying information on a display device coupled to the database security server in accordance with the search criteria; (b) determining whether the logging information corresponds to a security condition including at least one of a preset backup condition, a blocking condition, and an end condition; and if the security condition corresponds to the security condition, determining a type of the security condition. ; (c) If the security condition is the backup condition, the data to be accessed is stored in a storage unit coupled to the database security server and registered in the recovery menu to be restored through a preset recovery menu. Generating the result information according to the operation after performing the operation according to the operation; (d) if the security condition is the blocking condition, disconnecting access to the data and generating result information including information according to the access and disconnection; (e) if the security condition is the termination condition, terminating the connection of the database security server of the terminal and generating result information including information according to the connection attempt and termination; (f) providing the result information through a preset user interface.

Here, the backup condition may be a command including a command including a type of the command including deletion of data included in the database, and the blocking condition is when a size of the result data corresponding to the command is equal to or larger than a preset size; When the application type included in the logging information does not use a preset application; And a case of attempting to access a preset data table. The termination condition may be configured to correspond to a blocking condition more than a preset number of times. Here, the logging information and the result information may be displayed using a tree structure corresponding to the search criteria.

Hereinafter, a configuration of a method and apparatus for monitoring and securing a database according to the present invention will be described in detail with reference to the accompanying drawings. Hereinafter, the same or corresponding components regardless of reference numerals will be described with reference to the accompanying drawings. Reference numerals will be given and duplicate description thereof will be omitted.

Overall system and configuration

The method and apparatus for monitoring and securing a database according to the present invention can provide a security service even for access to a legitimate user. Hereinafter, a database monitoring and security system according to the present invention will be described in detail with reference to the accompanying drawings. In FIG. 1A, an entire system will be described, and FIG. 1B will be described in a group designation method according to a preferred embodiment of the present invention.

Figure 1a is a diagram showing the overall configuration of a database monitoring and security system according to a preferred embodiment of the present invention.

Referring to FIG. 1A, the database monitoring and security system according to the present invention includes an external terminal 100 and an internal terminal 200, a predetermined application unit 300, a database security server 400, and a database 500. The components are coupled through the Internet 110, firewall 120, and hub 130.

The terminal according to the present invention refers to all terminals that can access the database security server 400 according to the present invention through a network, and may include an external terminal 100 and an internal terminal 200. Here, the external terminal 100 can access the database security server 400 through the Internet 110, the firewall 120 and the hub 130, the internal terminal 200 is a database security server through the internal network 400 can be connected. Herein, the internal terminal 200 includes a first internal terminal 230 and a second internal terminal 270.

Here, the first internal terminal 230 refers to a terminal designated to a specific group or a specific terminal, and such a first internal terminal 230 must pass through a predetermined application unit 300 to the database security server 400. It is configured to be accessible. The second internal terminal 270 may be configured to access the database security server 400 without such a restriction.

The database security server 400 may provide a monitoring, security, and audit function for a legitimate user. The database security server 400 according to the present invention is configured to perform a monitoring and inquiry function for all operations of accessing a database on a network. The database security server 400 according to the present invention may store and retrieve data for all query statements, and provide various search functions for database access. In addition, the database security server 400 can query in real time by user ID, access IP, time zone, terminal name, network, query, command for the history of access to the database, and provides session information on the currently connected user. You can also force the termination of a particular user's connection.

In addition, the database security server 400 is configured to provide an additional service such as search, backup, alarm, etc. for a predetermined command (for example, DELETE, DROP, ALTER command, etc.) for the database table that is important for security. do. In addition, the present invention is configured to perform the same monitoring function for Telnet, FTP service as well as HTTP service.

The database 500 is controlled by a database server equipped with a database management program (DBMS), which is not shown in the figure, and the database management program is defined in the accumulated data structure, data accumulation according to the data structure, and database language. Data retrieval and update by multiple users, simultaneous execution control of data processing from multiple users, when an abnormality occurs during the update, return to the state before the update, and security of information. Here, the general type of DBMS is a relational database management system (RDBMS), and the standardized user and program interface of the RDBMS is called Structured Query Language (SQL). Oracle, Sybase, and Infomix are widely used as relational DBMSs. For convenience of explanation, the following description will be based on Oracle, and the interface will be described based on SQL.

1B is a diagram illustrating a specific group designation method according to a preferred embodiment of the present invention.

Referring to FIG. 1B illustrating a group designation method according to an exemplary embodiment of the present invention, a predetermined group of internal terminals may be set and the group may be connected in a preset method. For example, an internal terminal may be set as two groups, a first internal terminal and a second internal terminal, and the first internal terminal may be set to connect using a preset application (for example, middleware or 4GL client). Can be. In this case, when the first internal terminal attempts to access a database by using an application such as SQL Plus or Toad, the access is denied and may be configured to generate logging information on the access attempt and rejection. The second internal terminal may be configured to be accessible even when using SQL Plus or Toad without any limitation. Here, although the description is made based on the case where the group is divided into a first internal terminal and a second internal terminal, it is a matter of course that three or more groups can be designated and divided.

According to the prior art, there is no way to manage security by using the type of application to connect to the database. According to the present invention, security can be dramatically improved by using a type of application that cannot be achieved with a conventional security program. In particular, the present invention can control the SQL client connecting to the database, such as Oracle, there is an advantage that can protect the database from the threat of all 4GL Client program that requires ODBC configuration.

Here, although the case of dividing based on the group is described, it is possible to limit the database access to a specific user, a terminal, an IP, or a specific query using a method similar to the group.

For example, a predetermined SQL query including a DDL, a DML, a DCL, or a table access of a database may be controlled for a predetermined terminal 231 among the first internal terminals. Similarly, the predetermined terminal 271 of the second internal terminal can be set so that the deletion of the table in which the resident registration is stored cannot be changed.

Such a restriction may be set in more detail according to each command. For example, if a user using the same account selects more than 10 customer information at the same time, security may be limited to restrict the execution of the command or disable other commands such as the "DROP" command. You can set the policy. Such a security policy setting may be set by conveniently inputting a security condition through a preset user interface screen.

Through the above configuration, it is possible to protect important tables from certain SQL queries (e.g., DELETE, DROP, preset number of SELECTs), and restrict execution of a specific command when the IP is different even when logging on with an administrator account. It can be configured to.

Configuration and data structure of the database security management server

Security management server 400 according to the present invention, in providing a database monitoring and security services, can provide a security service for access to legitimate users. Hereinafter, the configuration of the database monitoring and security device will be described with reference to the accompanying drawings. In FIG. 3, the configuration of the control unit of the database monitoring and security device will be described. In FIG. 4, the data structure will be described.

2 is a diagram showing the configuration of a database security server according to a preferred embodiment of the present invention.

First, referring to FIG. 2 illustrating a hardware configuration of a database monitoring and security device, the database security server 400 according to the present invention includes a control unit 410, a server unit 420, and a client module unit 490. It is configured to include, the server unit 420 may include a logging server unit 430 and the engine server unit 440.

The controller 410 performs an audit policy setting, an audit and inquiry function, and performs a function of integrally managing the server unit 420 and the client module unit 430 according to a preset or input security condition.

The server unit 420 performs a function of substantially securing the database under the control of the controller 410. The logging server unit 420 performs authentication, stores logging information, and analyzes, stores, and manages logging information of a user or a terminal that accesses a database.

In addition, the engine server unit 430 performs a specific security operation according to a preset security policy, is configured to grasp the requested query and command, and to control the access and reference of the database such as a result value and execution stop.

The client module 490 is used to monitor and secure the database according to the present invention by combining the terminal with the database security server without changing the configuration of the database and the terminal to be connected to the NAT (Network Address Transaction) module. The client module unit 430 includes a network address translation (NAT) module. The client module unit 430 converts individual internal addresses and official IP addresses in the company, and assigns temporary temporary addresses to access the Internet even from nodes that are not assigned individual addresses. It is configured to be. Here, the NAT module performs a function of enabling a specific TCP / IP application by converting a communication protocol of a transport layer or an application layer of TCP / IP.

3 is a diagram illustrating a configuration of an engine server unit according to an exemplary embodiment of the present invention.

Referring to FIG. 3, the engine server 440 according to the present invention includes a searcher 450, a security manager 460, and a supporter 470.

Here, the search unit 450 may include a monitoring unit 610, an inquiry unit 620, and a reporting unit 630.

The monitoring unit 610 analyzes and searches a sentence according to each command, and performs a function of analyzing and providing information about a query or a command of the terminal according to each command in real time. In general, commands can be divided into: Query is a language used to look up data and refers to the syntax for getting the value of a record. DML (Data Manipulation Language) is a part that processes data and is used to insert, update, and delete new rows in a record. In addition, DDL (Data Definition Language) is a language used to define data. It is a syntax for creating or dropping a table or user. DCL (Data Control Language) is a language used to control data. This includes creating a user in DDL and then granting it. According to a preferred embodiment, the monitoring unit 310 performs a sentence-by-statement search according to DML for a preset command (for example, SELECT, DROP, DELETE, INSERT, ALTER, etc.), and performs a preset security operation. Can be done. For example, it collects and stores SQL statements on the network and controls the behavior of SQL commands when necessary. In addition, it is possible to control the result value of the SQL query, and according to the preferred embodiment, when selecting a specific table, it can be configured not to return a result when the result is more than five lines.

The inquiry unit 620 is configured to query the database access history by query, command, user, time zone, and IP. While the monitoring unit 610 provides access information in real time, the inquiry unit 620 is configured to extract and provide past access information.

The reporting unit 630 may be configured to statistically provide the information generated by the monitoring unit 610 or the inquiry unit 340 using a chart or the like through a preset user interface screen. In addition, the reporting unit 630 may extract the user's usage history set in advance according to the reporting condition, analyze and statistically process the user's usage history, and provide the same to the user. For example, the user-specific statistics module included in the reporting unit 630 may output the usage history based on the user, and the statistics module for the DML may be configured to output the history output based on the DML.

The security manager 460 includes a backup and recovery unit 640, a security blocker 650, and a forced termination unit 660.

The backup and recovery unit 640, regardless of whether the user is a legitimate user, if the command for requesting the database corresponds to a preset command (for example, a DELETE command for a specific table), the data is transferred to the database security server 400. After storing in the storage unit of), it is configured to perform the specific command. Thereafter, the data copied to the database security server 400 may be conveniently recovered through a preset recovery menu.

The security blocker 650 is configured to block access to specific data rather than backing up data with respect to a predetermined specific command. The security blocker 650 according to the present invention may control access to a critical table in a specific IP band or may be set to be accessible only to a specific application (for example, MiddleWare, SQLplus, Toad, etc.). It is configured to control access to a specific table by setting conditions for each query, command, user, time zone, and IP.

The forced termination unit 660 performs a function of forcibly terminating the connection of the user with respect to a predetermined specific command. The security block 680 is configured to simply block access, but the forced termination unit 660 may perform a function of forcibly terminating the real-time access session. Here, the function is forcibly disconnected from the Oracle session being connected in real time, and in this case, the zombie process is configured not to occur.

The support unit 470 may include a load balancing unit 670, a multi-server support unit 680, and a condition setting unit 690. The load balancer 473 may load balance two or more servers when two or more management servers of the database are configured.

In addition, the multi-server support unit 680 is configured to support database servers existing on physically different networks, and is configured to support monitoring, data recovery, log inquiry search, and the like regardless of the types of servers and protocols. Hereinafter, although described based on the HTTP protocol, it is a matter of course that security management of all commands and result values for the Telnet user and the FTP user is possible.

The condition setting unit 690 stores the received security condition according to the security policy in a preset table, and determines whether the access information analyzed by the monitoring unit corresponds to the security condition, and if so, It is configured to perform security management according to.

An alarm generating unit (not shown) may be included, and when a preset security condition is generated among the security conditions, an alarm may be generated to the administrator while performing security management according to the security condition. Here, the alarm information may be displayed on the display screen of the terminal, or may be provided by means of a message or the like using a network.

4 is a diagram illustrating a data structure according to a preferred embodiment of the present invention.

The present invention is configured to extract preset information corresponding to each protocol from data transmitted and received to access a database. 4, the data structure according to the present invention is configured to include the following basic information. That is, the extracted information may include IP information 710, user ID information 720, terminal information 730, application information 740, query information 750, and the like.

Although the data structure is different according to each network environment or protocol, the database security server according to the present invention can extract the above-mentioned information from the protocol and perform security management according to the present invention. Referring to Table 1 below, information extracted according to the present invention is summarized.

Kinds Contents Connection IP QUERY search and detailed information by access IP User ID QUERY search and detailed information by user ID Computer name QUERY search and detailed information by computer name Usage application Search QUERY by Application Used Time information IP status by time zone, user by time zone Advanced search function Provides information such as status and detailed search function Response time Other response time such as average response time Search Query by entering a search term

Search

Hereinafter, with reference to the accompanying drawings, a detailed configuration according to the configuration of the present invention will be described in detail. The monitoring unit and the inquiry unit according to the present invention may extract detailed information according to the above-described protocol, classify the detailed information according to a preset format, and provide the same to a user. According to the present invention, it is configured to monitor and provide in real time using the protocol analysis information, and to provide to the user using the stored information. Hereinafter, the monitoring unit will be described in FIG. 5, and the inquiry unit will be described in FIG. 6.

5 is a view illustrating a monitoring unit according to a preferred embodiment of the present invention.

Referring to FIG. 5, the monitoring unit 610 is classified as follows according to a search type, the command monitoring unit 611, the IP monitoring unit 612, the user monitoring unit 613, the terminal monitoring unit 614, The application monitoring unit 615 and the time band monitoring unit 616 is included.

The command monitoring unit 611 performs a sentence-by-statement search based on main DML such as SELECT, DROP, DELETE, INSERT, ALTER, and the like. The IP monitoring unit 612 provides QUERY search and detailed information for each access IP, and the user monitoring unit 613 provides QUERY search and detailed information for each user ID. The terminal monitoring unit 614 provides QUERY search and detailed information for each computer name, and the application monitoring unit 615 searches for QUERY for each application used. In addition, the time band monitoring unit 616 provides information such as IP status by time zone and user status by time zone and provides a detailed search function.

Although not shown in the figure, it may include other information providing and searching unit such as average response time and response time. Referring to Table 2 below, the functions of the monitoring unit according to the present invention are summarized.

Kinds Contents Monitor all DML sentences Monitoring support for all DML statements SQL Query Response Time Monitoring Response time monitoring function for all SQL queries Real time current user session audit Inquiry of current user status Command monitoring Monitor the command currently running Middleware monitoring All command monitoring function delivered from middleware to Oralce DB Monitoring by Oracle ID Monitoring with all Oracle IDs (by server, by ID) Monitoring by IP Address Monitor using user IP Monitor by computer name Monitor using your computer name Monitoring to your application Monitoring based on the application used by the user for DB access Telnet command monitoring Monitoring function when administrator and user access by Telnet

6 is a diagram illustrating an inquiry unit according to a preferred embodiment of the present invention.

The inquiry unit 620 according to the present invention is configured to provide a past user's database access and use contents according to various inquiry criteria.

Referring to FIG. 6, the inquiry unit 620 is classified according to a search type as follows: an instruction inquiry unit 611, an IP inquiry unit 612, a user inquiry unit 616, a terminal inquiry unit 614, The application inquiry unit 615 and the time inquiry unit 616 are included. The monitoring unit 610 analyzes and provides logging information about a user currently connected in real time, while the inquiry unit 620 is configured to analyze and provide logging information of a user stored in a database in the past.

The command inquiry unit 611 performs a sentence-by-statement search based on main DML such as SELECT, DROP, DELETE, INSERT, ALTER, and the like. The IP inquiry unit 612 provides QUERY search and detailed information for each access IP, and the user inquiry unit 616 provides QUERY search and detailed information for each user ID. The terminal inquiry unit 614 provides QUERY search and detailed information for each computer name, and the application inquiry unit 615 searches for QUERY for each application used. The time inquiry unit 616 provides information and detailed search functions such as IP status by time zone and user status by time zone. The other description is similar to the configuration of the monitoring unit 610, so description thereof will be omitted. Referring to Table 2 below, the functions of the inquiry unit according to the present invention are summarized.

Kinds Contents Usage inquiry function by IP Provide inquiry and search function using user IP Inquiry function using terminal name Provide inquiry and search function using user's computer name Inquiry function using ID Provides search and search function using user Oracle ID Inquiry by Application Provides search and search function based on the application used by the user for DB access Query function using TABLE access Provides the function to query and search QUERY or user based on the access target table Inquiry function based on DML Provides the function to search and search for users based on DML commands SQL Query response time inquiry function SQL Query time query from actual query to response Telnet user inquiry function Inquiry and search function using Telnet user ID and IP Telnet command inquiry function Inquiry and search function using command executed after telnet connection

Security management department

The security manager 460 according to the present invention includes a backup and recovery unit 640, a security blocker 650, and a forced termination unit 660. Hereinafter, the overall operation of the security management unit will be described in FIG. 7, and the configuration of the backup and recovery unit will be described in FIG. 8.

7 is a diagram illustrating an operation procedure of security management according to a preferred embodiment of the present invention.

First, in step S710, the security condition is extracted and monitored in real time for all users attempting to access the database. As a result of the monitoring in step S720, if the security condition corresponds, the type of security condition is determined. The security condition according to the present invention may include a backup condition, a blocking condition and a termination condition. Here, as described above, the user may conveniently set a security condition using a preset user interface screen, and may be configured to control access and use of a database in real time according to the security condition.

If it is determined that the backup condition is met, the backup and recovery unit 640 backs up the data corresponding to the object of the command in step S730, and restores the backed up data when a recovery request is made in step S732. .

If the determination result corresponds to a blocking condition, in step S730, the security blocking unit 650 may block access to the command or data to be accessed according to a preset blocking condition. Here, the blocking conditions of the security blocking unit 380 for blocking access according to preset blocking information may set detailed conditions such as IP band, time, application, user, terminal, specific pattern attack, and the like. When a user corresponding to the condition attempts to connect, it is configured to detect and block the connection. For example, when the blocking condition is set to the IP band and the table, when the terminal connected in the IP band attempts to access the table, it is configured to perform the function of blocking the access.

According to an embodiment of the present invention, when the user corresponding to the blocking condition set by the security blocker in step S742 attempts to connect more than a plurality of times, it may be configured to forcibly terminate the connection of the user in step S750. .

If it is determined that the termination condition is met, the connection with the database is forcibly terminated in step S750.

8 is a diagram illustrating a configuration of a backup and recovery unit according to a preferred embodiment of the present invention.

The backup and recovery unit 640 performs a function of backing up data corresponding to an object of the command when performing a preset command with respect to a predetermined table. Here, the command refers to a command including deletion of data, and the backup operation is not performed in the database, but is configured to bring the data of the database to the storage of the database security server.

Referring to FIG. 8, the backup and recovery unit 640 according to the present invention includes a table identification unit 641, an extraction and storage unit 643, an administrator menu registration unit 645, and a recovery operation unit 647. According to the exemplary embodiment of the present invention, when the table identification unit 641 requests a command accompanying deletion of data such as deletion, change, or modification of specific data, when the table identification unit 641 detects this, the extraction and storage unit 343 The data corresponding to the delete command is extracted from the table or tables and stored in the storage unit of the database security server. When the administrator menu registerer 645 stores the backup information, the administrator can conveniently request a repair command using the manager menu, and when a request for a repair command is requested, the repair work unit 647 returns to the storage unit. You can restore the stored data.

Referring to Table 4 below, commands corresponding to backup conditions and operations on the commands are summarized.

Kinds Contents DELETE Separately stores data deleted by policy when executing "DELETE" Query Database security server provides the function to search or recover deleted data. Supports recovery function even if COMMIT is executed after DELETE Query UPDATE When UPDATE query is executed, the data updated by the policy is stored separately. The database security server provides the function to query or recover the updated data. DROP Saves data dropped by policy when executing "DROP" query. Provides the function to query and recover the dropped data to "database security server" administrator. Supports recovery function even after executing COMMIT after UPDATE Query

User interface

According to the present invention, the result of the security condition setting and the security management may be provided to the user through a preset user interface. Hereinafter, a user interface screen according to a preferred embodiment of the present invention will be described with reference to the accompanying drawings.

9A to 9C are views illustrating a user interface screen according to a preferred embodiment of the present invention.

In operation S910, the monitoring result providing screen according to an exemplary embodiment of the present invention includes a window 911 for setting a monitoring condition, a window 912 for providing a monitoring result, and a window 913 for providing query information for a user. And, it may further include a shortcut menu bar 914 for conveniently controlling the menu.

Here, when the inquiry menu is clicked by operating the shortcut menu bar 914 or the menu, in step S920, an inquiry result providing screen according to an embodiment of the present invention is shown. The left window 921 of the screen configures a directory structure divided according to preset search criteria, and the right window 922 is configured to provide brief information according to the selected search criteria.

In this case, when the short information is clicked on, in S930, detailed information on the short information may be provided. Here, a preferred embodiment of detailed information provided on the basis of the user's IP is shown, and configured to separately provide a window 931 for providing the requested query information corresponding to the IP together with the basic information about the IP. Can be.

The screen of step S940 is a user interface for explaining the operation by the security blocker. The database security server refers to the security condition in real time and can control the operation of the connection and the command. In addition, when using DELETE or UPDATE command for a specific user (IP, computer, application), it is possible to provide the record keeping function of the deleted record and the state before the UPDATE. In this case, when a specific IP is selected using the left window 941, brief information on the selection is displayed on the right window 942, and detailed information on information including a preset command among the short information is provided. It is configured to provide a window 943.

Although the above has been described based on the general HTTP protocol, the same security management can be performed for all users accessing the database regardless of the protocol type. For example, when accessing the database by telnet, as shown in step S950, it is configured to provide in real time the monitoring information for the user who accesses and uses the telnet. In other words, it can monitor the usage log and other OS command execution connected to telnet and search all files sent and received by FTP, so that security management for not only Oracle but also other databases can be performed.

With the above-described configuration, the present invention can completely recover data corruption and tampering caused by misuse of a user or an administrator.

As described above, the present invention has the effect of providing a database monitoring and security method and apparatus that can be managed even when the insider accesses the database with normal authority through database monitoring.

In addition, in order to prevent the misuse of information, the present invention has the effect of monitoring and controlling the database as well as monitoring whether the database is inquired, and performing audit and control on a legitimate user.

In addition, the present invention can not only conveniently set the security conditions according to the security policy to the administrator, but also has the effect of performing the security of the database in real time according to these security conditions.

In addition, the present invention also has the effect that it is possible to manage the security by using a kind of application that cannot be done by the existing security program.

Although described above with reference to a preferred embodiment of the present invention, those skilled in the art that various modifications of the present invention without departing from the spirit and scope of the invention described in the claims below And can be changed.

Claims (12)

In the monitoring and security of the database, Prevents at least one terminal coupled to the database monitoring and security device from directly accessing the database, and analyzes a signal received from at least one terminal that can access the database corresponding to the terminal attempting to access the database. Logging server unit for generating, analyzing and storing logging information corresponding to a search criterion including at least one of a user ID, an access IP, a time zone, a terminal name, a network, a query, a command, an application type, and data to be accessed. ; A search unit for providing logging information, a database access history, an operation history according to the access history, and a security condition including at least one of a preset backup condition, a blocking condition, and an end condition according to the search criteria; Determining whether the data is stored in the database; and if the security condition corresponds to the security condition, at least one of backup and recovery of data stored in the database, disconnection of the data, and forced termination of the connection according to the security condition. An engine server unit including a security manager for performing the operation; And A control unit for organically controlling the logging server unit and the engine server unit to perform an operation according to the security condition Database monitoring and security device comprising a. The method of claim 1, The database monitoring and security device And a client module unit including a NAT module for connecting the terminal to the database. The method of claim 1, The search unit A monitoring unit configured to generate logging information by analyzing and searching for a sentence and a command included in the signal according to the search criteria with respect to a terminal currently connected to the database security server, and providing the logging information in real time; And An inquiry unit for providing logging information about a terminal that accesses a database security server; Database monitoring and security device comprising a. The method of claim 1, The search unit And a reporting unit for providing the analyzed information of the logging information using a preset user interface. The method of claim 1, The security management unit, If the command for requesting the database corresponds to a preset command, the backup and recovery unit for storing the data corresponding to the object of the command in a storage unit of the database security server, and then performs a command corresponding to the command Database monitoring and security device further comprising. The method of claim 1, The security management unit, When the size of the result data corresponding to the command is greater than or equal to a preset size; When the application type included in the logging information does not use a preset application; And at least one of a security blocker and a forced termination unit for blocking access to the data when attempting to access a preset data table. The method of claim 1, The engine search unit, When there are a plurality of database servers for managing the database, A load balancer for performing load balancing of the plurality of database servers; And A multi-server support unit for performing monitoring and security for database servers using different network protocols; And at least one of the database monitoring and security device. A method for monitoring and securing a database connected to the database security server in a database security server, the method comprising: (a) Analyzing a signal received from at least one terminal that can access the database via the database security server, user ID, access IP, time zone, terminal name, network, query, command, application type, access Generating logging information corresponding to a search criterion including at least one of data to be displayed, and displaying the logging information on a display device coupled to the database security server according to the search criterion; (b) determining whether the logging information corresponds to a security condition including at least one of a preset backup condition, a blocking condition, and an end condition; and if the security condition corresponds to the security condition, determining a type of the security condition. ; (c) If the security condition is the backup condition, the data to be accessed is stored in a storage unit coupled to the database security server, and registered in the recovery menu to be restored through a preset recovery menu. Generating the result information according to the operation after performing the operation according to the operation; (d) if the security condition is the blocking condition, disconnecting access to the data and generating result information including information according to the access and disconnection; (e) if the security condition is the termination condition, terminating the connection of the database security server of the terminal and generating result information including information according to the connection attempt and termination; (f) providing the result information through a preset user interface; Database monitoring and security method comprising a. The method of claim 8, The backup condition is, And the command includes a command including a deletion of data included in the database. The method of claim 8, The blocking condition is, When the size of the result data corresponding to the command is greater than or equal to a preset size; When the application type included in the logging information does not use a preset application; And Attempting to connect to a preset data table; And at least one of the database monitoring and security method. The method of claim 8, The termination condition is, A method for monitoring and securing a database, characterized in that the case corresponds to a blocking condition more than a predetermined number of times. The method of claim 8, The logging information and the result information is displayed using a tree structure corresponding to the search criteria.