WO2021174870A1 - Network security risk inspection method and system, computer device, and storage medium - Google Patents


Info

Publication number
WO2021174870A1
Authority
WO
WIPO (PCT)
Prior art keywords
data
risk
vulnerability
target sql
target
Application number
PCT/CN2020/122848
Other languages
French (fr)
Chinese (zh)
Inventor
贾凯
李智宇
吴其敏
江杰
黄雨喆
Original Assignee
平安科技(深圳)有限公司
Application filed by 平安科技(深圳)有限公司
Publication of WO2021174870A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/10 File systems; File servers
    • G06F16/17 Details of further file system functions
    • G06F16/1734 Details of monitoring file system events, e.g. by the use of hooks, filter drivers, logs
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/24 Querying
    • G06F16/242 Query formulation
    • G06F16/2433 Query languages
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis

Definitions

  • the embodiments of the present application relate to the field of network security, and in particular to a method, system, computer equipment, and computer-readable storage medium for detecting network security risks.
  • IAST scanning (RASP): large-scale deployment is difficult, maintenance costs are high, application support is required, and coupling is high. Among them, IAST scanning and RASP protection technology are the most popular security detection technologies of the past two years. Based on bytecode technology, they inspect the application execution stack inside the application, which can achieve almost zero false positives for vulnerabilities. However, in actual enterprise use, a security agent must be deployed on every application server; in an enterprise environment with tens of thousands of application servers, the rollout cost and the operation and maintenance cost are extremely high. Therefore, how to improve the accuracy of vulnerability detection and identification in current network security risk detection, and further improve the efficiency of network security risk detection, has become one of the technical problems that urgently need to be solved.
  • an embodiment of the present application provides a network security risk detection method, and the method steps include:
  • if the vulnerability data exists in the risk data, generate vulnerability information according to the vulnerability data, and report the vulnerability information to the corresponding security operation platform.
  • an embodiment of the present application also provides a network security risk detection system, including:
  • the monitoring module is used to monitor the operation of the target SQL statement on the target database, and record the operation of the target SQL statement to obtain the target SQL log data;
  • the analysis module is used to analyze the target SQL log data to determine whether there is risk data in the target SQL log data;
  • the risk module is configured to perform vulnerability detection on the risk data if the risk data exists in the target SQL log data to determine whether there is any vulnerability data in the risk data;
  • the vulnerability module is used to generate vulnerability information according to the vulnerability data if the vulnerability data exists in the risk data, and report the vulnerability information to the corresponding security operation platform.
  • an embodiment of the present application also provides a computer device, the computer device including a memory, a processor, and computer-readable instructions stored in the memory and runnable on the processor; when the computer-readable instructions are executed by the processor, the following steps are implemented:
  • if the vulnerability data exists in the risk data, generate vulnerability information according to the vulnerability data, and report the vulnerability information to the corresponding security operation platform.
  • embodiments of the present application also provide a computer-readable storage medium having computer-readable instructions stored therein, and the computer-readable instructions may be executed by at least one processor, so that the at least one processor executes the following steps:
  • if the vulnerability data exists in the risk data, generate vulnerability information according to the vulnerability data, and report the vulnerability information to the corresponding security operation platform.
  • the network security risk detection method, system, computer device, and computer-readable storage medium provided by the embodiments of the present application.
  • risk analysis is performed on the target SQL log data
  • vulnerability detection is performed on the target SQL log data that is at risk.
  • FIG. 1 is a schematic flowchart of a method for detecting a network security risk according to an embodiment of this application.
  • FIG. 2 is a schematic diagram of the program modules of Embodiment 2 of the network security risk detection system of this application.
  • FIG. 3 is a schematic diagram of the hardware structure of the third embodiment of the computer equipment of this application.
  • the computer device 2 will be used as the execution subject for exemplary description.
  • FIG. 1 shows a flowchart of steps of a method for detecting a network security risk according to an embodiment of the present application. It can be understood that the flowchart in this method embodiment is not used to limit the order of execution of the steps.
  • the following exemplarily describes the computer device 2 as the execution subject. The details are as follows.
  • Step S100: the operation of the target SQL statement on the target database is monitored, and the operation of the target SQL statement is recorded to obtain target SQL log data.
  • the computer device 2 can inject an agent (an autonomously running software component) into the application corresponding to the target database, so as to monitor the target database through the agent and record the operation function (target SQL statement) of the target database.
  • the operation information recorded to obtain the target SQL log data includes: application ID, IP address, request interface address, request input parameters, SQL statement, and SQL param (tag).
  • the computer device 2 may, through the agent, hook (pull data from) the operation function of the target database corresponding to the target application that needs security monitoring; the hooked operation function may be jdbc.StatementImpl or jdbc.PreparedStatement for a Java application, or pdo::query, pdo::exec and so on for a PHP application.
  • by hooking the operation function of the target database, the monitoring agent can capture all SQL statements that finally enter the target database for execution, and form a SQL log record (target SQL log data).
  • the sqlparam is the SQL tag: the <sql:param> tag is used to set the parameter value in the SQL statement.
  • the <sql:param> tag can be used as a nested tag of <sql:update> and <sql:query> to provide values for SQL query parameters.
  • Step S102: analyze the target SQL log data to determine whether there is risk data in the target SQL log data.
  • the target SQL statement includes a compiled SQL statement and a spliced SQL statement; step S102 may include steps 200 to 204, wherein: in step 200, it is determined whether the target SQL statement is a compiled SQL statement or a spliced SQL statement; in step 202, if the target SQL statement is the compiled SQL statement, there is no risk data in the target SQL log data; and in step 204, if the target SQL statement is the spliced SQL statement, the target SQL log data contains risk data.
  • the target SQL statement corresponding to the target SQL log data includes a compiled SQL statement and a spliced SQL statement.
  • the computer device 2 can determine whether the target SQL log data is at risk by analyzing whether the SQL statement is a compiled SQL statement or a spliced SQL statement.
  • the computer device 2 may also preliminarily screen applications and interfaces that may have a risk of SQL injection based on other information (such as appid, source, etc.) in the target SQL log data.
  • Step S104: if the risk data exists in the target SQL log data, perform vulnerability detection on the risk data to determine whether there is any vulnerability data in the risk data.
  • the existence of a spliced SQL statement does not mean that its param has a user entry point. There may also be SQL executed inside the application, or scheduled SQL running batch tasks; this type of SQL has no user entry point and no risk of injection. Therefore, some detection logic needs to be designed to determine whether the interface that splices SQL has a vulnerability, in order to locate the vulnerability data.
  • step S104 may include steps 300 to 302, wherein: in step 300, mark identifier detection is performed on the risk data; and in step 302, if a mark identifier exists in the risk data, vulnerability data exists in the target SQL log data.
  • the computer device 2 may inspect the target SQL log data to determine whether it contains a pre-inserted mark identifier; if a mark identifier exists in the target SQL log data, it can be confirmed that the target SQL log data has a vulnerability; if the mark identifier does not exist in the target SQL log data, the target SQL log data is secure data.
  • the security analysis stage of the target SQL log data (SQL log) only needs to detect whether the string markedbyscanner is present in the sqlparam or the SQL statement. If it is present, injection can be judged to exist: the SQL statement of the interface uses the splicing method, there is a user entry point (because the sender's traffic comes from the user), and the parameters brought in by the user request enter the SQL execution function of jdbc unchanged, so it can be confirmed that the vulnerability must exist.
  • step S104 may include steps 400 to 402, wherein: in step 400, input parameter comparison detection is performed on the risk data; and in step 402, if the input parameter comparison fails, vulnerability data exists in the target SQL log data.
  • the computer device 2 may obtain the interface input parameter value of the request interface of the target database, and compare the interface input parameter value with the param value of the sqlparam in the target SQL log data; if the interface input parameter value is inconsistent with the param value, it can be confirmed that the target SQL log data has a vulnerability; if the interface input parameter value is consistent with the param value, the target SQL log data is secure data.
  • input parameter comparison detection is used in the vulnerability detection scenario, where the input parameter value of the request interface needs to be compared with the value of the sqlparam; if the comparison results are completely consistent, the interface is determined to meet the conditions for SQL injection, and the mark detection logic does not need to be verified. It can also be used in the security attack monitoring scenario: the requested input parameters (excluding text-type data) are obtained and parsed into input elements (a string, a space, or a special character each counts as one element); if the number of input parameter elements is greater than 1, and the input parameter enters the jdbc execution function as the sqlparam, it can be judged that a vulnerability exists and a real attack is in progress.
  • this attack detection mechanism can achieve zero false reports, and its detection efficiency is extremely high.
  • step S104 may include steps 500 to 502, wherein: in step 500, blacklist detection is performed on the risk data; and in step 502, if blacklist data exists in the risk data, vulnerability data exists in the target SQL log data.
  • the computer device 2 may check the request input parameters in the target SQL log data to determine whether an attack payload is present in them; if an attack payload is present in the request input parameters, it can be confirmed that the target SQL log data has a vulnerability; if no attack payload is present in the request input parameters, the target SQL log data is secure data.
  • the principle of the blacklist check logic is the same as that of a WAF: whether attack behaviour exists is determined by checking whether an attack payload is present in the input parameters. The difference from a WAF is that a WAF judges whether the attacker's payload was successfully executed by checking the HTTP request/response in the communication link; because real scenarios differ, in practice this detection method often produces many false alarms that require manual verification.
  • the blacklist detection position in this solution is already at the end of the application stack, so an attack payload that enters the SQL statement and matches the blacklist will definitely be executed by the database, which confirms the existence of a real attack and a security vulnerability.
  • the detection logic of SQL blacklist is mainly divided into two categories.
  • the first is attack keyword detection, which monitors common attack keywords: information_schema, load_file, sleep, and so on. Of course, this category will have some false positives.
  • the second is analysis of the special characters in the SQL statement, for example whether the total number of single quotes in a complete SQL statement is odd. Such probing is usually performed by the attacker during the attack, so it can accurately determine the presence of an attack.
  • Step S106: if the vulnerability data exists in the risk data, generate vulnerability information according to the vulnerability data, and report the vulnerability information to the corresponding security operation platform.
  • when the computer device 2 finds a vulnerability in the target SQL log data, the system corresponding to the target database has a vulnerability. At this time, the computer device 2 can generate corresponding vulnerability information according to the vulnerability data and report the vulnerability information to the corresponding security operation platform, so that after receiving the vulnerability information, the external party can repair the vulnerability of the system corresponding to the target database according to it.
  • the computer device 2 monitors the operation of the target SQL statement on the target database and performs security monitoring on the target SQL log data to determine the vulnerability data, which can achieve the highest vulnerability detection accuracy rate and network attack identification accuracy rate in the industry.
  • the accuracy rate can achieve almost no false positives; its detection idea differs from the strong dependence of IAST and RASP on agent deployment, bypassing the difficulties of deploying security agents, weak compatibility, and huge maintenance costs, while achieving the same detection effect:
  • based on the bytecode-technology agent of the monitoring platform, rapid large-scale deployment can be realized, and it can be quickly rolled out in the enterprise without operation, maintenance, and promotion pressure.
  • this embodiment can also realize integrated scanning and detection, at the same time achieve broad coverage of IAST and RASP capabilities in the enterprise, and, combined with the existing security operation mechanism, achieve in-depth and multi-dimensional management of security risks.
  • the network security risk detection method further includes: if the vulnerability data does not exist in the risk data, the target SQL log data is secure data.
  • the network security risk detection method further includes: uploading the vulnerability data and the vulnerability information to a blockchain.
  • uploading the vulnerability data and the vulnerability information to the blockchain can ensure its security, fairness and transparency.
  • the blockchain referred to in this example is a new application mode of computer technologies such as distributed data storage, point-to-point transmission, consensus mechanisms, and encryption algorithms.
  • a blockchain is essentially a decentralized database: a series of data blocks linked by cryptographic methods. Each data block contains a batch of network transaction information, used to verify the validity of the information (anti-counterfeiting) and to generate the next block.
  • the blockchain can include the underlying platform of the blockchain, the platform product service layer, and the application service layer.
  • the network security risk detection system 20 may include or be divided into one or more program modules, and the one or more program modules are stored in a storage medium and executed by one or more processors to implement the above-mentioned network security risk detection method of this application.
  • the program module referred to in the embodiments of the present application refers to a series of computer program instruction segments that can complete specific functions, and is more suitable for describing the execution process of the network security risk detection system 20 in the storage medium than the program itself. The following description will specifically introduce the functions of each program module in this embodiment:
  • the monitoring module 200 is configured to monitor the operation of the target SQL statement on the target database, and record the operation of the target SQL statement to obtain target SQL log data.
  • the analysis module 202 is configured to analyze the target SQL log data to determine whether there is risk data in the target SQL log data.
  • the target SQL statement includes a compiled SQL statement and a spliced SQL statement; the analysis module 202 is further used to determine whether the target SQL statement is the compiled SQL statement or the spliced SQL statement; if the target SQL statement is the compiled SQL statement, there is no risk data in the target SQL log data; and if the target SQL statement is the spliced SQL statement, the target SQL log data contains risk data.
  • the risk module 204 is configured to perform vulnerability detection on the risk data if the risk data exists in the target SQL log data to determine whether there is any vulnerability data in the risk data.
  • the risk module 204 is further configured to: perform mark identification detection on the risk data; and if there is a mark identification in the risk data, then there is vulnerability data in the target SQL log data.
  • the risk module 204 is further configured to: perform input parameter comparison detection on the risk data; and if the input parameter comparison fails, then there is vulnerability data in the target SQL log data.
  • the risk module 204 is further configured to: perform blacklist detection on the risk data; and if there is blacklist data in the risk data, then there is vulnerability data in the target SQL log data.
  • the vulnerability module 206 is configured to generate vulnerability information according to the vulnerability data if the vulnerability data exists in the risk data, and report the vulnerability information to the corresponding security operation platform.
  • the network security risk detection system 20 further includes a security module, which is configured to determine that the target SQL log data is secure data if the vulnerability data does not exist in the risk data.
  • the network security risk detection system 20 further includes an upload module, and the upload module is configured to upload the vulnerability data and the vulnerability information to the blockchain.
  • the computer device 2 is a device that can automatically perform numerical calculation and/or information processing in accordance with pre-set or stored instructions.
  • the computer device 2 may be a rack server, a blade server, a tower server, or a cabinet server (including an independent server or a server cluster composed of multiple servers).
  • the computer device 2 at least includes, but is not limited to, a memory 21, a processor 22, a network interface 23, and a network security risk detection system 20 that can communicate with each other through a system bus.
  • the memory 21 includes at least one type of computer-readable storage medium.
  • the readable storage medium includes flash memory, hard disk, multimedia card, card-type memory (for example, SD or DX memory, etc.), random access memory (RAM), static random access memory (SRAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), programmable read-only memory (PROM), magnetic memory, magnetic disks, optical disks, etc.
  • the memory 21 may be an internal storage unit of the computer device 2, for example, the hard disk or memory of the computer device 2.
  • the memory 21 may also be an external storage device of the computer device 2, for example, a plug-in hard disk, a smart memory card (Smart Media Card, SMC), and a secure digital (Secure Digital, SD) card, flash card (Flash Card), etc.
  • the memory 21 may also include both the internal storage unit of the computer device 2 and its external storage device.
  • the memory 21 is generally used to store the operating system and various application software installed in the computer device 2, for example, the program code of the network security risk detection system 20 in the second embodiment.
  • the memory 21 can also be used to temporarily store various types of data that have been output or will be output.
  • the processor 22 may be a central processing unit (Central Processing Unit, CPU), a controller, a microcontroller, a microprocessor, or other data processing chips in some embodiments.
  • the processor 22 is generally used to control the overall operation of the computer device 2.
  • the processor 22 is used to run the program code or process data stored in the memory 21, for example, to run the network security risk detection system 20, so as to implement the network security risk detection method of the first embodiment.
  • the network interface 23 may include a wireless network interface or a wired network interface, and the network interface 23 is generally used to establish a communication connection between the computer device 2 and other electronic devices.
  • the network interface 23 is used to connect the computer device 2 with an external terminal through a network, and establish a data transmission channel and a communication connection between the computer device 2 and the external terminal.
  • the network may be an intranet (Intranet), the Internet (Internet), a Global System of Mobile communication (GSM) network, a Wideband Code Division Multiple Access (WCDMA) network, a 4G network, a 5G network, Bluetooth (Bluetooth), Wi-Fi, and other wireless or wired networks.
  • FIG. 3 only shows the computer device 2 with components 20-23, but it should be understood that it is not required to implement all the components shown, and more or fewer components may be implemented instead.
  • the network security risk detection system 20 stored in the memory 21 can also be divided into one or more program modules.
  • the one or more program modules are stored in the memory 21 and executed by one or more processors (in this embodiment, the processor 22) to complete the present application.
  • FIG. 2 shows a schematic diagram of program modules for implementing the network security risk detection system 20 according to the second embodiment of the present application.
  • the network security risk detection system 20 can be divided into a monitoring module 200 and an analysis module 202.
  • the program module referred to in the present application refers to a series of computer program instruction segments that can complete specific functions, and is more suitable than a program to describe the execution process of the network security risk detection system 20 in the computer device 2.
  • the specific functions of the program modules 200-206 have been described in detail in the second embodiment, and will not be repeated here.
  • the computer-readable storage medium may be non-volatile or volatile, such as flash memory, a hard disk, a multimedia card, card-type memory (for example, SD or DX memory, etc.), random access memory (RAM), static random access memory (SRAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), programmable read-only memory (PROM), magnetic memory, magnetic disks, optical disks, servers, app stores, etc., on which computer-readable instructions are stored, and the computer-readable instructions realize the corresponding functions when executed by the processor.
  • the computer-readable storage medium of this embodiment is used in the network security risk detection system 20, and the processor executes the following steps:
  • if the vulnerability data exists in the risk data, generate vulnerability information according to the vulnerability data, and report the vulnerability information to the corresponding security operation platform.
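The detection pipeline of steps S100 to S106 above (classify each logged statement as compiled or spliced, then apply the mark identifier, input parameter comparison and blacklist checks, and report what triggers), as an added Python example that is not the patent's own code. The record layout and field names, the sample log records and the set of text-type fields are assumptions; the markedbyscanner string, the attack keywords and the odd-single-quote rule are taken from the page.

```python
"""Added example (not the patent's own code): a minimal analyser for SQL log
records modelled on steps S100-S106 of the page. Record field names, the
sample records and the free-text field list are constructed assumptions;
the marker string, keywords and odd-quote rule are taken from the page."""
import re
from dataclasses import dataclass

SCANNER_MARK = "markedbyscanner"                                 # marker named on the page
ATTACK_KEYWORDS = ("information_schema", "load_file", "sleep")   # keywords named on the page
TEXT_TYPE_PARAMS = frozenset({"comment", "body"})                # assumed free-text field names


@dataclass
class SqlLogRecord:
    """One target-SQL-log record as the S100 agent would emit it (assumed layout)."""
    app_id: str
    ip: str
    interface: str
    request_params: dict   # request input parameters, name -> value
    sql: str               # statement as it reached the driver's execute function
    sql_params: list       # parameter values the agent recorded for the statement
    compiled: bool         # True = prepared/compiled statement, False = spliced


def has_risk(rec):
    """S102 (steps 200-204): only a spliced statement counts as risk data."""
    return not rec.compiled


def mark_check(rec):
    """S104 steps 300-302: a scanner-inserted marker reached the SQL or its params."""
    haystack = rec.sql + " " + " ".join(map(str, rec.sql_params))
    return SCANNER_MARK in haystack


def param_comparison_check(rec):
    """S104 steps 400-402, attack-monitoring variant described on the page:
    split each non-text request parameter into elements (a word, a run of
    spaces or a special character each count as one) and flag it when it has
    more than one element and entered the execute function as a sqlparam."""
    for name, value in rec.request_params.items():
        if name in TEXT_TYPE_PARAMS or not isinstance(value, str):
            continue
        elements = re.findall(r"\w+|\s+|[^\w\s]", value)
        if len(elements) > 1 and value in rec.sql_params:
            return True
    return False


def blacklist_check(rec):
    """S104 steps 500-502: attack keyword present, or an odd number of single quotes."""
    lowered = rec.sql.lower()
    if any(keyword in lowered for keyword in ATTACK_KEYWORDS):
        return True
    return rec.sql.count("'") % 2 == 1


CHECKS = (("mark", mark_check),
          ("param_comparison", param_comparison_check),
          ("blacklist", blacklist_check))


def inspect_record(rec):
    """Run S102-S106 on one record; return the report for the security
    operation platform, or None when the record is secure data."""
    if not has_risk(rec):
        return None
    triggered = [name for name, check in CHECKS if check(rec)]
    if not triggered:
        return None                      # spliced SQL without a user entry point
    return {"app_id": rec.app_id, "interface": rec.interface, "ip": rec.ip,
            "checks": triggered, "sql": rec.sql}


# Constructed sample log records: a prepared statement carrying a payload as a
# bound value, a scanner probe, a spliced statement carrying the same payload,
# and an internal batch job with no user entry point.
SAMPLE_RECORDS = [
    SqlLogRecord("app-1", "10.0.0.5", "/user", {"id": "1 OR sleep(5)"},
                 "SELECT * FROM users WHERE id = ?", ["1 OR sleep(5)"], True),
    SqlLogRecord("app-1", "10.0.0.9", "/user", {"id": "markedbyscanner"},
                 "SELECT * FROM users WHERE id = 'markedbyscanner'",
                 ["markedbyscanner"], False),
    SqlLogRecord("app-2", "10.0.0.7", "/order", {"id": "1 OR sleep(5)"},
                 "SELECT * FROM orders WHERE id = 1 OR sleep(5)",
                 ["1 OR sleep(5)"], False),
    SqlLogRecord("app-2", "127.0.0.1", "", {},
                 "DELETE FROM sessions WHERE expires < NOW()", [], False),
]


def run_sample():
    """Inspect the constructed records; returns only the reportable findings."""
    return [report for report in map(inspect_record, SAMPLE_RECORDS) if report]
```

The prepared statement and the batch job produce no finding, the scanner probe is reported by the mark check alone, and the spliced statement with the payload is reported by both the parameter comparison and the blacklist checks.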

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Data Mining & Analysis (AREA)
  • Databases & Information Systems (AREA)
  • Computational Linguistics (AREA)
  • Mathematical Physics (AREA)
  • Computer And Data Communications (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The present application relates to the field of network security and provides a network security risk inspection method. Said method comprises: monitoring the operation of a target SQL statement on a target database, and recording the operation of the target SQL statement so as to obtain target SQL log data; analyzing the target SQL log data so as to determine whether risk data is present in the target SQL log data; if risk data is present in the target SQL log data, performing loophole inspection on the risk data so as to determine whether loophole data is present in the risk data; if loophole data is present in the risk data, generating loophole information according to the loophole data, reporting the loophole information to a corresponding secure operation platform, and uploading the loophole data and the loophole information to a blockchain. The present application reduces the operation and maintenance cost of network security risk inspection, and enhances the accuracy of loophole inspection identification, the accuracy of network attack identification, and the efficiency of network security risk inspection.

Description

网络安全风险检测方法、系统、计算机设备和存储介质Network security risk detection method, system, computer equipment and storage medium
本申请申明2020年09月02日递交的申请号为202010907584.6、名称为“网络安全风险检测方法、系统、计算机设备和存储介质”的中国专利申请的优先权,该中国专利申请的整体内容以参考的方式结合在本申请中。This application affirms the priority of the Chinese patent application with the application number 202010907584.6 and titled "Network security risk detection method, system, computer equipment and storage medium" filed on September 02, 2020. The entire content of the Chinese patent application is referred to The way is incorporated in this application.
技术领域Technical field
本申请实施例涉及网络安全领域,尤其涉及一种网络安全风险检测方法、系统、计算机设备及计算机可读存储介质。The embodiments of the present application relate to the field of network security, and in particular to a method, system, computer equipment, and computer-readable storage medium for detecting network security risks.
背景技术Background technique
With the development of network technology, the Internet is used in more and more aspects of daily life; at the same time, more Internet security problems are exposed in the course of network information transmission. Against the background of the great importance China attaches to network security, enterprises place ever higher requirements on network security risk detection technology. However, the inventors realized that the traditional vulnerability detection techniques currently used in the industry each have their advantages and disadvantages; the pain points of each technical solution are as follows. Static code scanning: many false positives, labor-intensive, low degree of automation. Active crawler scanning: large business impact, low detection depth, manual task deployment, low degree of automation. Passive scanner: some vulnerability checks have a large business impact, and some scenarios produce false positives. IAST scanning (RASP): large-scale deployment and rollout is difficult, maintenance cost is high, application support is required, and coupling is high. Among these, IAST scanning and RASP protection are the most popular security detection techniques of the past two years; based on bytecode technology, they inspect the application's execution stack from inside the application and can achieve almost zero false positives for vulnerabilities. In actual enterprise use, however, a security agent must be deployed on every application server, and in an enterprise environment with tens of thousands of application servers the rollout and operation-and-maintenance costs are both extremely high. Therefore, how to improve the accuracy of vulnerability detection and identification in current network security risk detection, and further improve the efficiency of network security risk detection, has become one of the technical problems that urgently need to be solved.
Summary of the invention
In view of this, it is necessary to provide a network security risk detection method, system, computer device and computer-readable storage medium, so as to solve the technical problems of low accuracy of vulnerability detection and identification, low accuracy of network attack identification and low efficiency of network security risk detection in current network security risk detection.
To achieve the above objective, an embodiment of the present application provides a network security risk detection method, the steps of which include:
monitoring operations of a target SQL statement on a target database, and recording the operations of the target SQL statement to obtain target SQL log data;
analyzing the target SQL log data to determine whether risk data exists in the target SQL log data;
if the risk data exists in the target SQL log data, performing vulnerability detection on the risk data to determine whether vulnerability data exists in the risk data; and
if the vulnerability data exists in the risk data, generating vulnerability information according to the vulnerability data, and reporting the vulnerability information to the corresponding security operations platform.
To achieve the above objective, an embodiment of the present application further provides a network security risk detection system, including:
a monitoring module, configured to monitor operations of a target SQL statement on a target database and record the operations of the target SQL statement to obtain target SQL log data;
an analysis module, configured to analyze the target SQL log data to determine whether risk data exists in the target SQL log data;
a risk module, configured to, if the risk data exists in the target SQL log data, perform vulnerability detection on the risk data to determine whether vulnerability data exists in the risk data; and
a vulnerability module, configured to, if the vulnerability data exists in the risk data, generate vulnerability information according to the vulnerability data and report the vulnerability information to the corresponding security operations platform.
To achieve the above objective, an embodiment of the present application further provides a computer device, including a memory, a processor, and computer-readable instructions stored in the memory and executable on the processor, where the computer-readable instructions, when executed by the processor, implement the following steps:
monitoring operations of a target SQL statement on a target database, and recording the operations of the target SQL statement to obtain target SQL log data;
analyzing the target SQL log data to determine whether risk data exists in the target SQL log data;
if the risk data exists in the target SQL log data, performing vulnerability detection on the risk data to determine whether vulnerability data exists in the risk data; and
if the vulnerability data exists in the risk data, generating vulnerability information according to the vulnerability data, and reporting the vulnerability information to the corresponding security operations platform.
To achieve the above objective, an embodiment of the present application further provides a computer-readable storage medium storing computer-readable instructions, the computer-readable instructions being executable by at least one processor so as to cause the at least one processor to perform the following steps:
monitoring operations of a target SQL statement on a target database, and recording the operations of the target SQL statement to obtain target SQL log data;
analyzing the target SQL log data to determine whether risk data exists in the target SQL log data;
if the risk data exists in the target SQL log data, performing vulnerability detection on the risk data to determine whether vulnerability data exists in the risk data; and
if the vulnerability data exists in the risk data, generating vulnerability information according to the vulnerability data, and reporting the vulnerability information to the corresponding security operations platform.
With the network security risk detection method, system, computer device and computer-readable storage medium provided by the embodiments of the present application, risk analysis is performed on the target SQL log data and vulnerability detection is performed on the target SQL log data found to be at risk, so that vulnerability data can be located quickly; this reduces the high operation-and-maintenance cost of network security risk detection and improves the accuracy of vulnerability detection and identification, the accuracy of network attack identification and the efficiency of network security risk detection.
Description of the drawings
FIG. 1 is a schematic flowchart of a network security risk detection method according to an embodiment of the present application.
FIG. 2 is a schematic diagram of the program modules of Embodiment 2 of the network security risk detection system of the present application.
FIG. 3 is a schematic diagram of the hardware structure of Embodiment 3 of the computer device of the present application.
Detailed description
In order to make the objectives, technical solutions and advantages of the present application clearer, the present application is further described in detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described here are only used to explain the present application and are not intended to limit it. Based on the embodiments of the present application, all other embodiments obtained by a person of ordinary skill in the art without creative effort fall within the scope of protection of the present application.
It should be noted that descriptions involving "first", "second" and the like in the present application are for descriptive purposes only and cannot be understood as indicating or implying relative importance or implicitly indicating the number of the technical features referred to. Thus, a feature qualified by "first" or "second" may explicitly or implicitly include at least one such feature. In addition, the technical solutions of the various embodiments may be combined with one another, but only on the basis that a person of ordinary skill in the art can implement them; when a combination of technical solutions is contradictory or cannot be implemented, that combination should be considered not to exist and not to fall within the scope of protection claimed by the present application.
In the following embodiments, the computer device 2 is used as the executing entity for the exemplary description.
Embodiment 1
Referring to FIG. 1, a flowchart of the steps of the network security risk detection method according to an embodiment of the present application is shown. It can be understood that the flowchart in this method embodiment is not used to limit the order in which the steps are executed. The exemplary description below takes the computer device 2 as the executing entity. The details are as follows.
Step S100: monitor operations of a target SQL statement on a target database, and record the operations of the target SQL statement to obtain target SQL log data.
The computer device 2 may inject an agent (autonomously acting software) into the application corresponding to the target database, so as to monitor the target database through the agent and record the operation information of the operation functions (target SQL statements) on the target database, thereby obtaining the target SQL log data (the SQL log). The target SQL log data includes: application ID, IP address, request interface address, request input parameters, SQL statement and SQL param (tag).
In some embodiments, the computer device 2 may use the agent to hook (pull data from) the database operation functions of the target application that requires security monitoring; for a Java application these may be jdbc.StatementImpl and jdbc.PreparedStatement, and for a PHP application pdo::query, pdo::exec and so on. By instrumenting the operation functions of the target database, the monitoring agent can obtain every SQL statement that finally enters the target database for execution and form an SQL log record (the target SQL log data). The target SQL log data may include the application ID, IP address, request interface address, request input parameters, SQL statement, sqlparam and other information, for example: {"appid":"xxxx","ip":"192.168.1.100","source":"URL:/xxx/abc/custInfo.do","sql":"select*from t_user where username = ?","sqlparam":"username=zhangsan"}; the data is synchronized to the security analysis platform. Here sqlparam is the SQL tag: the <sql:param> tag is used to set parameter values in an SQL statement. For example, <sql:param> may be used as a nested tag of <sql:update> and <sql:query> to supply values for the parameters of an SQL query.
Step S102: analyze the target SQL log data to determine whether risk data exists in the target SQL log data.
Exemplarily, the target SQL statement includes precompiled SQL statements and spliced SQL statements, and step S102 may include steps 200 to 204, where: step 200, determine whether the target SQL statement is a precompiled SQL statement or a spliced SQL statement; step 202, if the target SQL statement is a precompiled SQL statement, the target SQL log data contains no risk data; and step 204, if the target SQL statement is a spliced SQL statement, the target SQL log data contains risk data.
The target SQL statements corresponding to the target SQL log data include precompiled SQL statements and spliced SQL statements.
In an exemplary embodiment, the computer device 2 may determine whether the target SQL log data is at risk by analyzing whether the SQL statement is a precompiled SQL statement or a spliced SQL statement, where:
a precompiled SQL statement is an SQL statement in which the sqlparam has been replaced by "?"; for example, the precompiled SQL select username from t_user where userid = ? is a normally precompiled SQL statement. When such SQL enters JDBC, its sqlparam is the "?" placeholder, and there is no risk of SQL injection;
a spliced SQL statement is the complete SQL statement executed by the application; for example, in the spliced SQL select username from t_user where userid = '002', the param of the spliced SQL statement shows the input parameter value directly, and this kind carries a risk of SQL injection.
In some embodiments, the computer device 2 may also first perform a preliminary screening, based on other information in the target SQL log data (such as appid and source), of the applications and interfaces that may be at risk of SQL injection.
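As an added illustration of steps S100 and S102 (example code written for this page, not code from the applicant's system or from any application), the following Python script parses SQL log records in the shape shown above and classifies each statement as precompiled or spliced by looking for an inlined literal value where a precompiled statement would carry a "?" placeholder; the sample records, the "JOB:" source prefix used for internal tasks and the appid/source pre-screen rule are constructed assumptions.

```python
import json
import re

# Constructed sample SQL log lines in the record shape given above (appid, ip, source,
# sql, sqlparam); the values and the "JOB:" source prefix for internal tasks are made up.
SAMPLE_LOG = [
    '{"appid":"app-001","ip":"192.168.1.100","source":"URL:/xxx/abc/custInfo.do",'
    '"sql":"select * from t_user where username = ?","sqlparam":"username=zhangsan"}',
    '{"appid":"app-001","ip":"192.168.1.100","source":"URL:/xxx/abc/order.do",'
    '"sql":"select username from t_user where userid = \'002\'","sqlparam":"userid=002"}',
    '{"appid":"app-002","ip":"10.0.0.7","source":"JOB:nightly_cleanup",'
    '"sql":"delete from t_session where expires < 1700000000","sqlparam":""}',
]

# A literal value (quoted string or number) in the position where a precompiled statement
# would carry a "?" placeholder marks the statement as spliced.
LITERAL_AFTER_OP = re.compile(
    r"(?:<=|>=|<>|!=|=|<|>|\blike\b)\s*(?:'[^']*'|\d+(?:\.\d+)?)", re.IGNORECASE)
STRING_LITERAL = re.compile(r"'[^']*'")


def classify_sql(sql):
    """Step 200: 'precompiled' when values are bound through '?', 'spliced' when literals are inlined."""
    if LITERAL_AFTER_OP.search(sql) or STRING_LITERAL.search(sql):
        return "spliced"
    return "precompiled"


def analyze_log(lines):
    """Steps 202/204: a spliced statement is risk data, a precompiled one is not."""
    findings = []
    for line in lines:
        rec = json.loads(line)
        kind = classify_sql(rec["sql"])
        findings.append({"appid": rec["appid"], "source": rec["source"],
                         "kind": kind, "risk": kind == "spliced"})
    return findings


def screen_candidates(findings):
    """Preliminary screen on appid/source: keep risk records reached through a request
    interface ("URL:" source); internal job sources are set aside for the later checks."""
    return [f for f in findings if f["risk"] and f["source"].startswith("URL:")]


if __name__ == "__main__":
    findings = analyze_log(SAMPLE_LOG)
    for f in findings:
        print(f)
    print("candidates:", [f["source"] for f in screen_candidates(findings)])
```

The classifier deliberately works on the SQL text rather than on the sqlparam field, because a precompiled statement is recognisable by its "?" placeholders regardless of how the bound values are logged; the pre-screen only narrows the set handed to step S104, it does not by itself declare anything vulnerable.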
Step S104: if the risk data exists in the target SQL log data, perform vulnerability detection on the risk data to determine whether vulnerability data exists in the risk data.
In some embodiments, the presence of a spliced SQL statement does not mean that its param has a user entry point; there is also SQL executed inside the application or by scheduled batch SQL tasks, and this kind of SQL, which carries no user input, has no injection risk. It is therefore necessary to design detection logic that determines whether an interface using spliced SQL really has a vulnerability, so as to locate the vulnerability data.
Exemplarily, step S104 may include steps 300 to 302, where: step 300, perform mark identifier detection on the risk data; and step 302, if a mark identifier exists in the risk data, vulnerability data exists in the target SQL log data.
The computer device 2 may inspect the target SQL log data to determine whether a previously inserted mark identifier is present in it; if the mark identifier is present in the target SQL log data, it can be confirmed that a vulnerability exists in the target SQL log data, and if the mark identifier is not present, the target SQL log data is safe data.
In an exemplary embodiment, the computer device 2 may send probe requests to all external interfaces of the applications (the mechanism of a passive scanner may be used) and insert a mark flag into the probed interface parameters; for a parameter such as name=tom, a special string is inserted as the injection-position identifier, giving name=tommarkedbyscanner. The security analysis stage for the target SQL log data (the SQL log) then only needs to check whether the string markedbyscanner is present in the sqlparam or the SQL statement. If it is present, injection can be judged to exist, because the SQL statement of that interface is built by splicing and there is a user entry point (the probe traffic comes from the user side), and the parameters carried in the user request entered the JDBC SQL execution function as they were; it can thus be confirmed that the vulnerability definitely exists.
Exemplarily, step S104 may include steps 400 to 402, where: step 400, perform input-parameter comparison detection on the risk data; and step 402, if the input-parameter comparison is unsuccessful, vulnerability data exists in the target SQL log data.
The computer device 2 may obtain the interface input parameter values of the request interface of the target database and compare them with the param values of the sqlparam in the target SQL log data; if the interface input parameter value and the param value are inconsistent, it can be confirmed that a vulnerability exists in the target SQL log data, and if they are consistent, the target SQL log data is safe data.
In an exemplary embodiment, when the input-parameter comparison detection is used in the vulnerability detection scenario, the input parameter values of the request interface need to be compared with the sqlparam values; if the comparison results are completely consistent, the interface is judged to satisfy the conditions for SQL injection and no further verification by the mark detection logic is needed. It can also be used in the security attack monitoring scenario: the request input parameters are obtained (excluding text-type data) and the input elements of each parameter are parsed (a string, a space and a special character each count as one element); if the number of elements of an input parameter is found to be greater than 1 and that parameter entered the JDBC execution function as a sqlparam, it can be judged that a vulnerability exists and that a real attack is taking place. This attack detection mechanism can achieve zero false positives, and its detection efficiency is extremely high.
Exemplarily, step S104 may include steps 500 to 502, where: step 500, perform blacklist detection on the risk data; and step 502, if blacklist data exists in the risk data, vulnerability data exists in the target SQL log data.
The computer device 2 may check the request input parameters in the target SQL log data to determine whether an attack payload is present in them; if an attack payload is present in the request input parameters, it can be confirmed that a vulnerability exists in the target SQL log data, and if no attack payload is present, the target SQL log data is safe data.
In an exemplary embodiment, the principle of the blacklist check logic is the same as that of a WAF: whether attack behavior exists is determined by checking whether the input parameters contain an attack payload. The difference from a WAF is that a WAF judges whether the attacker's payload was successfully executed by inspecting the HTTP request/response on the communication link, and because of differences in real-world scenarios this detection method often produces many false positives in practice that require manual verification. In this solution, by contrast, the blacklist detection point is already at the end of the application stack, so an attack payload from the blacklist that has entered the SQL statement will definitely be executed by the database, which confirms that a real attack and a security vulnerability exist. Current SQL blacklist detection logic falls mainly into two categories. The first is attack keyword detection, which monitors common attack keywords such as information_schema, load_file and sleep; this category will of course produce some false positives. The second is analysis of special characters in the SQL statement, for example a complete SQL statement whose total number of single quotes is odd; this usually corresponds to an attacker's error-based injection testing during an attack and can accurately determine that attack behavior exists.
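An added example for the three vulnerability checks of step S104 (steps 300 to 302, 400 to 402 and 500 to 502), written for this page and not taken from the applicant's system: it runs the mark check, the input-parameter comparison, the element-count rule and the blacklist check over constructed risk records that all carry spliced statements. The request_params field name, the "&" separator for several parameters, the set of text-type fields excluded from the element count and the sample records are assumptions. Because the description states the outcome of the input-parameter comparison in both directions (step 402 versus the passage on the vulnerability detection scenario), this example follows the reading in which a request value that arrives unchanged as a sqlparam value demonstrates a user entry into the spliced statement.

```python
import re

# Marker string the description says the probe scanner appends to request parameters,
# and the attack keywords it lists for the blacklist check.
MARK = "markedbyscanner"
BLACKLIST_KEYWORDS = ("information_schema", "load_file", "sleep")
KEYWORD_RE = re.compile(r"\b(?:" + "|".join(BLACKLIST_KEYWORDS) + r")\b", re.IGNORECASE)
# One input element per word, run of whitespace or special character.
ELEMENT_RE = re.compile(r"\w+|\s+|[^\w\s]")
# Assumed: text-type fields that are excluded from the element-count rule.
TEXT_FIELDS = {"comment", "remark"}

# Constructed risk records (all spliced statements); "request_params" is an assumed
# field name for the request input parameters carried in the SQL log.
SAMPLE_RISK_RECORDS = [
    # A: scanner probe traffic; the marker survived into the executed statement.
    {"appid": "app-001", "source": "URL:/xxx/abc/custInfo.do",
     "request_params": "name=tom" + MARK,
     "sql": "select * from t_user where name = 'tom" + MARK + "'",
     "sqlparam": "name=tom" + MARK},
    # B: spliced statement issued by an internal batch job, no user entry.
    {"appid": "app-002", "source": "JOB:nightly_cleanup", "request_params": "",
     "sql": "delete from t_session where status = 'expired'",
     "sqlparam": "status=expired"},
    # C: a real request whose multi-element value reached the statement unchanged.
    {"appid": "app-001", "source": "URL:/xxx/abc/order.do",
     "request_params": "userid=1' or sleep(3)--",
     "sql": "select username from t_user where userid = '1' or sleep(3)--'",
     "sqlparam": "userid=1' or sleep(3)--"},
]


def split_kv(s):
    """Split 'a=1&b=2' into a dict (the '&' separator is an assumption of this example)."""
    out = {}
    for part in s.split("&"):
        if part:
            key, _, value = part.partition("=")
            out[key] = value
    return out


def mark_check(rec):
    """Steps 300-302: the marker in sqlparam or sql proves the probed parameter reached the database."""
    return MARK in rec["sql"] or MARK in rec["sqlparam"]


def param_check(rec):
    """Steps 400-402, vulnerability scenario: request values that arrive unchanged as sqlparam
    values show the interface has a user entry into the spliced statement."""
    sqlp = split_kv(rec["sqlparam"])
    return [k for k, v in split_kv(rec["request_params"]).items() if sqlp.get(k) == v]


def element_check(rec):
    """Steps 400-402, attack-monitoring scenario: a request value of more than one element
    that entered the execution function as a sqlparam is treated as a real attack."""
    sqlp = split_kv(rec["sqlparam"])
    return [k for k, v in split_kv(rec["request_params"]).items()
            if k not in TEXT_FIELDS and sqlp.get(k) == v and len(ELEMENT_RE.findall(v)) > 1]


def blacklist_check(rec):
    """Steps 500-502: attack keywords in the request or statement (may false-positive), or an
    odd number of single quotes in the complete statement."""
    hits = []
    if KEYWORD_RE.search(rec["sql"]) or KEYWORD_RE.search(rec["request_params"]):
        hits.append("keyword")
    if rec["sql"].count("'") % 2 == 1:
        hits.append("odd_quotes")
    return hits


def detect(rec):
    """Step S104 over one risk record: the list of reasons is empty for safe data."""
    reasons = []
    if mark_check(rec):
        reasons.append("mark")
    if param_check(rec):
        reasons.append("param_match")
    if element_check(rec):
        reasons.append("multi_element_input")
    reasons.extend(blacklist_check(rec))
    return reasons


def find_vulnerable(records):
    """Input for step S106: (source, reasons) for every record that holds vulnerability data."""
    return [(r["source"], detect(r)) for r in records if detect(r)]


if __name__ == "__main__":
    for source, reasons in find_vulnerable(SAMPLE_RISK_RECORDS):
        print(source, reasons)
```

Record B is the case the description singles out: a spliced statement with no user entry, which none of the checks flag. The reasons list is kept per record so that the reported vulnerability information can say which check fired, and the keyword hit is kept separate from the others because the description itself notes that category can false-positive.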
Step S106: if the vulnerability data exists in the risk data, generate vulnerability information according to the vulnerability data, and report the vulnerability information to the corresponding security operations platform.
When the computer device 2 finds that a vulnerability exists in the target SQL log data, the system corresponding to the target database has a vulnerability; the computer device 2 can then generate a corresponding item of vulnerability information according to the vulnerability data and report it to the corresponding security operations platform, so that after receiving the vulnerability information the external party can fix the vulnerability in the system corresponding to the target database according to that information.
In this embodiment, by monitoring the operations of target SQL statements on the target database and performing security monitoring on the target SQL log data to determine the vulnerability data, the computer device 2 can reach the highest vulnerability detection accuracy and network attack identification accuracy currently in the industry, with almost no false positives. Its detection approach differs from the strong dependence of IAST and RASP on deploying agents: it bypasses the problems of difficult agent deployment, weak compatibility and huge maintenance costs, yet achieves the same detection results. Through the bytecode-based agent of the application monitoring platform, rapid large-scale deployment can be achieved and the solution can be rolled out quickly across the enterprise without operation-and-maintenance or rollout pressure. In addition, this embodiment can realize integrated scanning and detection, achieve broad coverage of IAST and RASP capabilities within the enterprise, and, combined with existing security operations mechanisms, achieve in-depth, multi-layered management of security risks.
Exemplarily, the network security risk detection method further includes: if the vulnerability data does not exist in the risk data, the target SQL log data is safe data.
If the computer device 2 detects that the vulnerability data does not exist in the risk data, the target SQL log data is safe data.
Exemplarily, the network security risk detection method further includes: uploading the vulnerability data and the vulnerability information to a blockchain.
Exemplarily, uploading the vulnerability data and the vulnerability information to a blockchain can ensure their security, fairness and transparency. The blockchain referred to in this example is a new application mode of computer technologies such as distributed data storage, peer-to-peer transmission, consensus mechanisms and cryptographic algorithms. A blockchain is essentially a decentralized database: a chain of data blocks generated in association with one another by cryptographic methods, each data block containing the information of a batch of network transactions and used to verify the validity of that information (tamper-proofing) and to generate the next block. A blockchain may include an underlying blockchain platform, a platform product service layer, an application service layer and so on.
Embodiment 2
FIG. 2 is a schematic diagram of the program modules of Embodiment 2 of the network security risk detection system of the present application. The network security risk detection system 20 may include, or be divided into, one or more program modules, which are stored in a storage medium and executed by one or more processors to complete the present application and implement the network security risk detection method described above. The program modules referred to in the embodiments of the present application are series of computer program instruction segments that can complete specific functions, and are better suited than the program itself to describing the execution of the network security risk detection system 20 in the storage medium. The following description specifically introduces the functions of each program module of this embodiment:
The monitoring module 200 is configured to monitor operations of a target SQL statement on a target database and record the operations of the target SQL statement to obtain target SQL log data.
The analysis module 202 is configured to analyze the target SQL log data to determine whether risk data exists in the target SQL log data.
Exemplarily, the target SQL statement includes precompiled SQL statements and spliced SQL statements, and the analysis module 202 is further configured to: determine whether the target SQL statement is a precompiled SQL statement or a spliced SQL statement; if the target SQL statement is a precompiled SQL statement, the target SQL log data contains no risk data; and if the target SQL statement is a spliced SQL statement, the target SQL log data contains risk data.
The risk module 204 is configured to, if the risk data exists in the target SQL log data, perform vulnerability detection on the risk data to determine whether vulnerability data exists in the risk data.
Exemplarily, the risk module 204 is further configured to: perform mark identifier detection on the risk data; and if a mark identifier exists in the risk data, vulnerability data exists in the target SQL log data.
Exemplarily, the risk module 204 is further configured to: perform input-parameter comparison detection on the risk data; and if the input-parameter comparison is unsuccessful, vulnerability data exists in the target SQL log data.
Exemplarily, the risk module 204 is further configured to: perform blacklist detection on the risk data; and if blacklist data exists in the risk data, vulnerability data exists in the target SQL log data.
The vulnerability module 206 is configured to, if the vulnerability data exists in the risk data, generate vulnerability information according to the vulnerability data and report the vulnerability information to the corresponding security operations platform.
Exemplarily, the network security risk detection system 20 further includes a safety module, configured so that if the vulnerability data does not exist in the risk data, the target SQL log data is safe data.
Exemplarily, the network security risk detection system 20 further includes an upload module, configured to upload the vulnerability data and the vulnerability information to a blockchain.
Embodiment 3
Referring to FIG. 3, a schematic diagram of the hardware architecture of the computer device according to Embodiment 3 of the present application is shown. In this embodiment, the computer device 2 is a device capable of automatically performing numerical calculation and/or information processing according to preset or stored instructions. The computer device 2 may be a rack server, a blade server, a tower server or a cabinet server (a standalone server, or a server cluster composed of multiple servers), and so on. As shown in the figure, the computer device 2 includes at least, but is not limited to, a memory 21, a processor 22, a network interface 23 and the network security risk detection system 20, which can be communicatively connected to one another through a system bus.
In this embodiment, the memory 21 includes at least one type of computer-readable storage medium, including flash memory, hard disk, multimedia card, card-type memory (for example SD or DX memory), random access memory (RAM), static random access memory (SRAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), programmable read-only memory (PROM), magnetic memory, magnetic disk, optical disk and so on. In some embodiments, the memory 21 may be an internal storage unit of the computer device 2, for example the hard disk or memory of the computer device 2. In other embodiments, the memory 21 may also be an external storage device of the computer device 2, for example a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card or a flash card provided on the computer device 2. Of course, the memory 21 may also include both the internal storage unit of the computer device 2 and its external storage device. In this embodiment, the memory 21 is generally used to store the operating system and the various kinds of application software installed on the computer device 2, for example the program code of the network security risk detection system 20 of Embodiment 2. In addition, the memory 21 may also be used to temporarily store various kinds of data that have been output or are to be output.
In some embodiments, the processor 22 may be a central processing unit (CPU), a controller, a microcontroller, a microprocessor or another data processing chip. The processor 22 is generally used to control the overall operation of the computer device 2. In this embodiment, the processor 22 is used to run the program code stored in the memory 21 or to process data, for example to run the network security risk detection system 20 so as to implement the network security risk detection method of Embodiment 1.
The network interface 23 may include a wireless network interface or a wired network interface, and is generally used to establish a communication connection between the computer device 2 and other electronic devices. For example, the network interface 23 is used to connect the computer device 2 to an external terminal through a network and to establish a data transmission channel and a communication connection between the computer device 2 and the external terminal. The network may be a wireless or wired network such as an intranet, the Internet, the Global System for Mobile Communications (GSM), Wideband Code Division Multiple Access (WCDMA), a 4G network, a 5G network, Bluetooth or Wi-Fi.
It should be pointed out that FIG. 3 only shows the computer device 2 with the components 20 to 23, but it should be understood that not all of the components shown are required to be implemented; more or fewer components may be implemented instead.
在本实施例中,存储于存储器21中的网络安全风险检测系统20还可以被分割为一个或者多个程序模块,所述一个或者多个程序模块被存储于存储器21中,并由一个或多个处理器(本实施例为处理器22)所执行,以完成本申请。In this embodiment, the network security risk detection system 20 stored in the memory 21 can also be divided into one or more program modules. The one or more program modules are stored in the memory 21 and are composed of one or more program modules. Are executed by two processors (in this embodiment, the processor 22) to complete the application.
例如,图2示出了本申请实施例二之所述实现网络安全风险检测系统20的程序模块示意图,该实施例中,所述网络安全风险检测系统20可以被划分为监听模块200、分析模块202、风险模块204和漏洞模块206。其中,本申请所称的程序模块是指能够完成特定功能的一系列计算机程序指令段,比程序更适合于描述所述网络安全风险检测系统20在所述计算机设备2中的执行过程。所述程序模块200-206的具体功能在实施例二中已有详细描述,在此不再赘述。For example, FIG. 2 shows a schematic diagram of program modules for implementing the network security risk detection system 20 according to the second embodiment of the present application. In this embodiment, the network security risk detection system 20 can be divided into a monitoring module 200 and an analysis module. 202. The risk module 204 and the vulnerability module 206. Among them, the program module referred to in the present application refers to a series of computer program instruction segments that can complete specific functions, and is more suitable than a program to describe the execution process of the network security risk detection system 20 in the computer device 2. The specific functions of the program modules 200-206 have been described in detail in the second embodiment, and will not be repeated here.
Embodiment Four
This embodiment further provides a computer-readable storage medium. The computer-readable storage medium may be non-volatile or volatile, such as a flash memory, hard disk, multimedia card, card-type memory (for example, SD or DX memory, etc.), random access memory (RAM), static random access memory (SRAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), programmable read-only memory (PROM), magnetic memory, magnetic disk, optical disk, server, app store, etc., on which computer-readable instructions are stored; the computer-readable instructions implement the corresponding functions when executed by a processor. The computer-readable storage medium of this embodiment is used for the network security risk detection system 20, and when executed by a processor performs the following steps:
monitoring the operations of a target SQL statement on a target database, and recording the operations of the target SQL statement to obtain target SQL log data;
analysing the target SQL log data to determine whether risk data exists in the target SQL log data;
if the risk data exists in the target SQL log data, performing vulnerability detection on the risk data to determine whether vulnerability data exists in the risk data; and
if the vulnerability data exists in the risk data, generating vulnerability information according to the vulnerability data, and reporting the vulnerability information to a corresponding security operations platform.
The serial numbers of the foregoing embodiments of the present application are for description only and do not represent the superiority or inferiority of the embodiments.
From the description of the above implementations, those skilled in the art can clearly understand that the methods of the above embodiments can be implemented by means of software plus a necessary general-purpose hardware platform, and of course also by hardware, but in many cases the former is the better implementation.
The above are only preferred embodiments of the present application and do not limit the patent scope of the present application. Any equivalent structural or equivalent process transformation made using the contents of the description and drawings of the present application, or direct or indirect application in other related technical fields, is likewise included in the scope of patent protection of the present application.

Claims (20)

  1. A network security risk detection method, wherein the method comprises:
    monitoring the operations of a target SQL statement on a target database, and recording the operations of the target SQL statement to obtain target SQL log data;
    analysing the target SQL log data to determine whether risk data exists in the target SQL log data;
    if the risk data exists in the target SQL log data, performing vulnerability detection on the risk data to determine whether vulnerability data exists in the risk data; and
    if the vulnerability data exists in the risk data, generating vulnerability information according to the vulnerability data, and reporting the vulnerability information to a corresponding security operations platform.
  2. The network security risk detection method according to claim 1, wherein the target SQL statement comprises a precompiled SQL statement and a concatenated SQL statement;
    the analysing the target SQL log data to determine whether risk data exists in the target SQL log data comprises:
    determining whether the target SQL statement is the precompiled SQL statement or the concatenated SQL statement;
    if the target SQL statement is the precompiled SQL statement, no risk data exists in the target SQL log data; and
    if the target SQL statement is the concatenated SQL statement, risk data exists in the target SQL log data.
  3. The network security risk detection method according to claim 1, wherein the performing vulnerability detection on the risk data to determine whether vulnerability data exists in the risk data comprises:
    performing mark identifier detection on the risk data; and
    if a mark identifier exists in the risk data, vulnerability data exists in the target SQL log data.
  4. The network security risk detection method according to claim 1, wherein the performing vulnerability detection on the risk data to determine whether vulnerability data exists in the risk data comprises:
    performing input parameter comparison detection on the risk data; and
    if the input parameter comparison fails, vulnerability data exists in the target SQL log data.
  5. The network security risk detection method according to claim 1, wherein the performing vulnerability detection on the risk data to determine whether vulnerability data exists in the risk data comprises:
    performing blacklist detection on the risk data; and
    if blacklist data exists in the risk data, vulnerability data exists in the target SQL log data.
  6. The network security risk detection method according to claim 1, further comprising:
    if the vulnerability data does not exist in the risk data, the target SQL log data is safe data.
  7. The network security risk detection method according to claim 1, further comprising: uploading the vulnerability data and the vulnerability information to a blockchain.
  8. A network security risk detection system, comprising:
    a monitoring module, configured to monitor the operations of a target SQL statement on a target database, and to record the operations of the target SQL statement to obtain target SQL log data;
    an analysis module, configured to analyse the target SQL log data to determine whether risk data exists in the target SQL log data;
    a risk module, configured to perform, if the risk data exists in the target SQL log data, vulnerability detection on the risk data to determine whether vulnerability data exists in the risk data; and
    a vulnerability module, configured to generate, if the vulnerability data exists in the risk data, vulnerability information according to the vulnerability data, and to report the vulnerability information to a corresponding security operations platform.
  9. A computer device, comprising a memory, a processor and computer-readable instructions stored on the memory and runnable on the processor, wherein the computer-readable instructions, when executed by the processor, implement the following steps:
    monitoring the operations of a target SQL statement on a target database, and recording the operations of the target SQL statement to obtain target SQL log data;
    analysing the target SQL log data to determine whether risk data exists in the target SQL log data;
    if the risk data exists in the target SQL log data, performing vulnerability detection on the risk data to determine whether vulnerability data exists in the risk data; and
    if the vulnerability data exists in the risk data, generating vulnerability information according to the vulnerability data, and reporting the vulnerability information to a corresponding security operations platform.
  10. The computer device according to claim 9, wherein the computer-readable instructions, when executed by the processor, further implement the following steps:
    the analysing the target SQL log data to determine whether risk data exists in the target SQL log data comprises:
    determining whether the target SQL statement is a precompiled SQL statement or the concatenated SQL statement;
    if the target SQL statement is the precompiled SQL statement, no risk data exists in the target SQL log data; and
    if the target SQL statement is the concatenated SQL statement, risk data exists in the target SQL log data.
  11. The computer device according to claim 9, wherein the computer-readable instructions, when executed by the processor, further implement the following steps:
    performing mark identifier detection on the risk data; and
    if a mark identifier exists in the risk data, vulnerability data exists in the target SQL log data.
  12. The computer device according to claim 9, wherein the computer-readable instructions, when executed by the processor, further implement the following steps:
    performing input parameter comparison detection on the risk data; and
    if the input parameter comparison fails, vulnerability data exists in the target SQL log data.
  13. The computer device according to claim 9, wherein the computer-readable instructions, when executed by the processor, further implement the following steps:
    performing blacklist detection on the risk data; and
    if blacklist data exists in the risk data, vulnerability data exists in the target SQL log data.
  14. The computer device according to claim 9, wherein the computer-readable instructions, when executed by the processor, further implement the following step:
    if the vulnerability data does not exist in the risk data, the target SQL log data is safe data.
  15. The computer device according to claim 9, wherein the computer-readable instructions, when executed by the processor, further implement the following step: uploading the vulnerability data and the vulnerability information to a blockchain.
  16. A computer-readable storage medium, wherein computer-readable instructions are stored in the computer-readable storage medium, and the computer-readable instructions can be executed by at least one processor so that the at least one processor performs the following steps:
    monitoring the operations of a target SQL statement on a target database, and recording the operations of the target SQL statement to obtain target SQL log data;
    analysing the target SQL log data to determine whether risk data exists in the target SQL log data;
    if the risk data exists in the target SQL log data, performing vulnerability detection on the risk data to determine whether vulnerability data exists in the risk data; and
    if the vulnerability data exists in the risk data, generating vulnerability information according to the vulnerability data, and reporting the vulnerability information to a corresponding security operations platform.
  17. The computer-readable storage medium according to claim 16, wherein the computer-readable instructions can further be executed by the at least one processor so that the at least one processor performs the following steps:
    the analysing the target SQL log data to determine whether risk data exists in the target SQL log data comprises:
    determining whether the target SQL statement is a precompiled SQL statement or the concatenated SQL statement;
    if the target SQL statement is the precompiled SQL statement, no risk data exists in the target SQL log data; and
    if the target SQL statement is the concatenated SQL statement, risk data exists in the target SQL log data.
  18. The computer-readable storage medium according to claim 16, wherein the computer-readable instructions can further be executed by the at least one processor so that the at least one processor performs the following steps: performing mark identifier detection on the risk data; and
    if a mark identifier exists in the risk data, vulnerability data exists in the target SQL log data.
  19. The computer-readable storage medium according to claim 16, wherein the computer-readable instructions can further be executed by the at least one processor so that the at least one processor performs the following steps: performing input parameter comparison detection on the risk data; and
    if the input parameter comparison fails, vulnerability data exists in the target SQL log data.
  20. The computer device according to claim 16, wherein the computer-readable instructions, when executed by the processor, further implement the following steps:
    performing blacklist detection on the risk data; and
    if blacklist data exists in the risk data, vulnerability data exists in the target SQL log data.
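The claimed pipeline of claims 1 to 6 carried through in code, as an added example that is not code from the application or the applicant: it runs the precompiled-versus-concatenated classification, the mark identifier check, the input parameter comparison and the blacklist check over constructed SQL log records and collects the vulnerability information that would be reported. The log record format, the marker token `__RISKMARK__`, the blacklist patterns and the shape of the report are assumptions made here.

```python
"""Toy implementation of the claimed inspection pipeline (claims 1 to 6).

Added example, not the application's code. The log record format, the marker
token, the blacklist and the report shape are assumptions made here."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class SqlLogRecord:
    """One entry of the target SQL log data produced by the monitoring step
    (assumed fields): the statement as sent to the database, whether it ran as
    a precompiled (parameterised) statement, and the request input values that
    were bound into or concatenated into it."""
    statement: str
    precompiled: bool
    inputs: Dict[str, str]


# Assumption: probe inputs are tagged with this marker during testing, so its
# presence in a concatenated statement shows untrusted input reached the SQL.
MARK = "__RISKMARK__"

# Assumed blacklist of fragments that must not occur inside a user-supplied value.
BLACKLIST = [
    re.compile(r"\bunion\b.*\bselect\b", re.I),
    re.compile(r"\bor\b.*=", re.I),
    re.compile(r"--|/\*|;"),
]


def is_risk_data(rec: SqlLogRecord) -> bool:
    """Claim 2: precompiled statements carry no risk data, concatenated ones do."""
    return not rec.precompiled


def mark_detected(rec: SqlLogRecord) -> bool:
    """Claim 3: vulnerability data if the marker survived into the statement."""
    return MARK in rec.statement


def input_comparison_failed(rec: SqlLogRecord) -> bool:
    """Claim 4: every request input must appear in the statement as exactly one
    literal (quoted with quotes doubled, or a bare integer); anything else is a
    failed comparison, meaning the input changed the SQL structure."""
    for value in rec.inputs.values():
        quoted = "'" + value.replace("'", "''") + "'"
        bare_int = value.isdigit() and re.search(
            r"\b" + re.escape(value) + r"\b", rec.statement)
        if quoted not in rec.statement and not bare_int:
            return True
    return False


def blacklist_hit(rec: SqlLogRecord) -> bool:
    """Claim 5: vulnerability data if any input value matches a blacklist pattern."""
    return any(p.search(v) for v in rec.inputs.values() for p in BLACKLIST)


def inspect(rec: SqlLogRecord) -> Optional[dict]:
    """Run the pipeline on one record: None when it is safe (claim 6), otherwise
    the vulnerability information to be reported (claim 1, assumed shape)."""
    if not is_risk_data(rec):
        return None
    findings = [name for name, check in (("mark", mark_detected),
                                         ("input_comparison", input_comparison_failed),
                                         ("blacklist", blacklist_hit)) if check(rec)]
    if not findings:
        return None
    return {"statement": rec.statement, "inputs": rec.inputs, "findings": findings}


def report(records: List[SqlLogRecord]) -> List[dict]:
    """Stand-in for reporting to the security operations platform: collect the
    vulnerability information of every record that is not safe."""
    return [info for info in map(inspect, records) if info is not None]


# Constructed sample log records (not real traffic).
SAMPLE_LOG = [
    SqlLogRecord("SELECT * FROM users WHERE name = ?", True, {"name": "alice"}),
    SqlLogRecord("SELECT * FROM users WHERE name = 'alice'", False, {"name": "alice"}),
    SqlLogRecord("SELECT * FROM users WHERE id = 42", False, {"id": "42"}),
    SqlLogRecord("SELECT * FROM users WHERE name = '__RISKMARK__'", False, {"name": MARK}),
    SqlLogRecord("SELECT * FROM users WHERE name = 'bob' OR 'a'='a'", False,
                 {"name": "bob' OR 'a'='a"}),
]
```

Only the two concatenated records whose inputs were not preserved as a single literal (the marker probe and the tampered name) end up in the report; the precompiled record and the benign concatenated records are treated as safe data.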
PCT/CN2020/122848 2020-09-02 2020-10-22 Network security risk inspection method and system, computer device, and storage medium WO2021174870A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202010907584.6A CN112039900B (en) 2020-09-02 2020-09-02 Network security risk detection method, system, computer device and storage medium
CN202010907584.6 2020-09-02

Publications (1)

Publication Number Publication Date
WO2021174870A1 true WO2021174870A1 (en) 2021-09-10

Also Published As

Publication number Publication date
CN112039900B (en) 2022-08-26
CN112039900A (en) 2020-12-04

Legal Events

Code / Title / Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 20923334; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 20923334; Country of ref document: EP; Kind code of ref document: A1)