Summary of the invention
The object of the present invention is to provide a database operation permission detection method and system for SQL statements that automatically generates, by learning, a detection policy against unauthorized database operations and automatically adjusts the detection (audit) policy for database operation permissions.
On the one hand, the invention discloses a database operation permission detection method for SQL statements, comprising the following steps. An extraction step: analyze the current database operation, determine the database operation template corresponding to the current database operation, and extract from that template the database operation summary corresponding to the current database operation; each database operation summary corresponds to a unique detection unit. A permission determination step: judge whether the detection unit is already stored in the detection module of the system; if not, the current database operation is illegal and a warning message is sent; if so, determine the state of the detection unit, the state being one of learning, active and short-circuit, and detect the operation permission according to the state of the detection unit.
In the above database operation permission detection method, preferably, in the permission determination step, if the detection unit is in the short-circuit state, the current database operation is a legal operation.
In the above method, preferably, in the permission determination step, if the detection unit is in the active state, judge whether the detection unit stored in advance contains the database operation template corresponding to the current database operation; if so, the current database operation is legal; if not, it is illegal and a warning message is sent.
In the above method, preferably, in the permission determination step, if the detection unit is in the learning state: determine all database operation templates in the detection unit and judge whether the number of templates in the detection unit exceeds a predetermined threshold. If so, switch the state of the detection unit to short-circuit and determine the current database operation to be legal. If not, judge whether the learning state has lasted longer than a predetermined time, or whether the learned set of operation templates has not been updated for a long time:
If so, switch the state of the detection unit to active and detect the operation permission according to the rule for a detection unit in the active state; if not, add the database operation template corresponding to the current database operation to the detection unit and, at the same time, determine the current database operation to be legal.
In the above method, preferably, in the extraction step, the database operation summary is an ordered set of (operation type, database object) pairs, where the database operation type expresses the manner of the database operation and the database object denotes an entity in the database.
In the above method, preferably, in the extraction step, the database operation summary is obtained as follows: using the database log as the basis for parsing, the SQL statement is parsed, according to its context, into a database operation template, and the database operation summary is obtained from that template.
On the other hand, the invention discloses a database operation permission detection system for SQL statements, comprising an extraction module and a permission judgment module. The extraction module analyzes the current database operation, determines the database operation template corresponding to the current database operation, and extracts from that template the database operation summary corresponding to the current database operation; each database operation summary corresponds to a unique detection unit. The permission judgment module judges whether the detection unit is already stored in the detection module of the system; if not, the current database operation is illegal and a warning message is sent; if so, it determines the state of the detection unit, the state being one of learning, active and short-circuit, and detects the operation permission according to the state of the detection unit.
In the above database operation permission detection system, preferably, in the permission judgment module, if the detection unit is in the short-circuit state, the current database operation is a legal operation.
In the above system, preferably, in the permission judgment module, if the detection unit is in the active state, judge whether the detection unit stored in advance contains the database operation template corresponding to the current database operation; if so, the current database operation is legal; if not, it is illegal and a warning message is sent.
In the above system, preferably, in the permission judgment module, if the detection unit is in the learning state:
Determine all database operation templates in the detection unit and judge whether the number of templates in the detection unit exceeds a predetermined threshold. If so, switch the state of the detection unit to short-circuit and determine the current database operation to be legal. If not, judge whether the learning state has lasted longer than a predetermined time, or whether the learned set of operation templates has not been updated for a long time:
If so, switch the state of the detection unit to active and detect the operation permission according to the rule for a detection unit in the active state; if not, add the database operation template corresponding to the current database operation to the detection unit and, at the same time, determine the current database operation to be legal.
In the above system, preferably, in the extraction module, the database operation summary is an ordered set of (operation type, database object) pairs, where the database operation type expresses the manner of the database operation and the database object denotes an entity in the database.
In the above system, preferably, in the extraction module, the database operation summary is obtained as follows: using the database log as the basis for parsing, the SQL statement is parsed, according to its context, into a database operation template, and the database operation summary is obtained from that template.
Compared with the prior art, the present invention performs syntactic analysis of SQL statements to produce database operation summary information. Each database operation summary corresponds to a state machine, which can be understood as one unit of a detection module; by setting the state of that state machine to "learning", "active" or "short-circuit", dynamic monitoring of unauthorized access is achieved.
Therefore, the present invention can generate a detection policy against unauthorized database operations automatically by learning, and automatically adjust the detection (audit) policy for database operation permissions.
Embodiment
To make the above objects, features and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the drawings and specific embodiments.
In a large-scale application system, the overwhelming majority of database operations are produced by the application system itself, and operations produced by the application system should be understood as authorized. How to automatically identify operations that do not come from the application system (non-routine operations) is a major problem.
Embodiment of the database operation permission detection method for SQL statements
With reference to Fig. 1, which is a flow chart of the steps of the embodiment of the database operation permission detection method for SQL statements of the present invention, the method comprises the following steps:
Extraction step S110: analyze the current database operation, determine the database operation template corresponding to the current database operation and, from that template, extract the corresponding database operation summary; each database operation summary corresponds to a unique detection unit.
Permission determination step S120: judge whether the detection unit is already stored in the system; if not, execute step S130A; if so, execute step S130B.
Step S130A: determine that the current database operation is illegal and send a warning message;
Step S130B: determine the state of the detection unit, the state being one of learning, active and short-circuit, and detect the operation permission according to the state of the detection unit.
The above embodiment summarizes each generated database operation, maps the summary to a detection unit (state machine), and sets the state of that state machine to "learning", "active" or "short-circuit", thereby dynamically monitoring unauthorized access.
In addition, it should be noted that the use of database operation templates in the above embodiment is an optimization of the system whose purpose is to reduce the number of database operations (SQL statements) that must be stored in memory; applying the database operation summary directly to database operations to reach a similar purpose is also within the scope of protection of the present invention.
Preferred embodiment
The preferred embodiments of the present invention are described below with reference to Fig. 2, Fig. 3 and Fig. 4.
With reference to Fig. 2, which is a flow chart of the steps of the preferred embodiment of the database operation permission detection method for SQL statements of the present invention, the method comprises the following steps:
1) Using the database log as the basis for parsing, parse the SQL statement, according to its context, into a database operation template and obtain the database operation summary from that template; each database operation summary corresponds to a unique detection unit. The database operation summary is an ordered set of (operation type, database object) pairs, where the database operation type expresses the manner of the database operation and the database object denotes an entity in the database.
2) Judge whether the above detection unit is already stored in the detection module of the system:
If not, the current database operation is illegal and a warning message is sent;
If so, determine the state of the detection unit, the state being one of learning, active and short-circuit, and detect the operation permission according to the state of the detection unit.
Step 2) is elaborated below:
A) In 2), if the detection unit is in the short-circuit state, the current database operation is a legal operation.
B) In 2), if the detection unit is in the active state, judge:
whether the detection unit stored in advance contains the database operation template corresponding to the current database operation; if so, the current database operation is legal; if not, it is illegal and a warning message is sent.
C) In 2), if the detection unit is in the learning state:
Determine the database operation templates contained in the detection unit and judge whether the short-circuit condition is met, that is, whether the number of these templates exceeds a predetermined threshold:
i) If so, switch the state of the detection unit to short-circuit and determine the current database operation to be legal;
ii) If not, judge whether the activation condition is currently met, the activation condition being that the learning state has lasted longer than a predetermined time or that the learned set of operation templates has not been updated for a long time:
If so, switch the state of the detection unit to active and detect the operation permission according to the rule for a detection unit in the active state given in B) above;
If not, add the database operation template corresponding to the current database operation to the detection unit and, at the same time, determine the current database operation to be legal.
Below, the database operation template and the database operation summary are described.
Database operation template: (Oracle calls this Parsed SQL; no consistent or close definition has been found elsewhere.) Relative to the database operation summary, the template is another normalized representation of a database operation (SQL statement). It is characterized in that the data portions of every SQL statement are replaced by a special symbol (for example a question mark "?"), the SQL keywords and database objects are written in a uniform upper or lower case, and runs of whitespace characters in the statement ("\r", "\n", "\t") are replaced by a single space or another special symbol, so that SQL statements that differ only in layout or in the values of their parameters have one unique statement form.
For example, the SQL statement "SELECT TABLE1.COL1 from TABLE1 where TABLE1.ID='Zhang San'" and the SQL statement "SELECT TABLE1.COL1 FROM TABLE1 WHERE TABLE1.ID='Li Si'" both have the database operation template "select table1.col1 from table1 where table1.id=?". The SQL statement of a database operation corresponds to exactly one database operation template, but one database operation template can match many SQL statements.
Database operation summary
● Database operation type: expresses the manner of the database operation, for example SELECT, UPDATE, DELETE, INSERT and so on.
● Database object: denotes an entity in the database; it can be a table, a view, a trigger and so on.
● Database operation pair (predicate-object pair): composed of one database operation type and the database object on which it operates.
● Database operation summary: composed of one or more database operation pairs.
For example:
The database operation summary "(SELECT, TABLE1)" contains one database operation pair: a query operation acting on the database object TABLE1. The database operation summary "(SELECT, TABLE1)(UPDATE, TABLE2)" contains two database operation pairs: a query operation acting on the database object TABLE1 and an update operation acting on the database object TABLE2.
Each database operation (SQL statement) matches exactly one database operation summary, but one database operation summary can match many database operations (SQL statements): for example "SELECT * from TABLE1 where ID=1;" and "SELECT name from TABLE1 where ID=2;" both match (SELECT, TABLE1).
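The following Python is added here as an illustration of the two representations just defined (template and summary); it is not code from the patent. to_template normalizes a statement into its database operation template (string and numeric literals become "?", keywords and objects are lower-cased, whitespace runs collapse to one space) and to_summary extracts the ordered set of (operation type, object) pairs, descending into subqueries, comma-separated FROM lists and aliases. The tokenizer, the keyword lists and the object-detection rules are simplifying assumptions of this example; double-quoted identifiers, CTEs and vendor-specific syntax are not handled. The statements it runs on are constructed from the examples in the text.

```python
import re
from typing import List, Tuple

# Tokenizer for the simplified SQL this example handles (an assumption, not the patent's parser).
TOKEN_RE = re.compile(
    r"""'(?:[^']|'')*'            # single-quoted string literal ('' escapes a quote)
      | \d+(?:\.\d+)?             # numeric literal
      | [A-Za-z_][A-Za-z0-9_.]*   # keyword or (possibly qualified) identifier
      | \s+                       # run of whitespace (spaces, \r, \n, \t)
      | \S                        # any other single character (punctuation)
    """, re.VERBOSE)

OP_KEYWORDS = {"select", "insert", "update", "delete"}     # database operation types
OBJECT_INTRODUCERS = {"from", "join", "into", "update"}     # the next identifier names an object
KEYWORDS = OP_KEYWORDS | OBJECT_INTRODUCERS | {
    "where", "set", "values", "and", "or", "on", "as", "in", "not", "null", "is",
    "order", "group", "by", "having", "limit", "inner", "left", "right", "outer", "for"}
IDENT_RE = re.compile(r"[a-z_][a-z0-9_.]*")

Pair = Tuple[str, str]   # (operation type, database object)


def to_template(sql: str) -> str:
    """Database operation template (Parsed SQL): literals -> '?', lower case, single spaces."""
    out: List[str] = []
    for m in TOKEN_RE.finditer(sql):
        tok = m.group(0)
        if tok[0] == "'" or tok[0].isdigit():
            out.append("?")            # data portion replaced by the special symbol
        elif tok.isspace():
            out.append(" ")            # any whitespace run becomes one space
        else:
            out.append(tok.lower())    # keywords and objects in uniform lower case
    return "".join(out).strip(" ;")


def to_summary(sql: str) -> Tuple[Pair, ...]:
    """Database operation summary: ordered set of (operation type, object) pairs."""
    toks = [m.group(0).lower() for m in TOKEN_RE.finditer(sql) if not m.group(0).isspace()]
    pairs: List[Pair] = []
    op = None              # operation type in effect (changes when a subquery starts)
    expect_obj = False     # the next identifier names a database object
    after_obj = False      # just named an object; a comma introduces another (FROM t1, t2)
    for i, tok in enumerate(toks):
        is_ident = bool(IDENT_RE.fullmatch(tok)) and tok not in KEYWORDS
        for_update = tok == "update" and i > 0 and toks[i - 1] == "for"   # SELECT ... FOR UPDATE
        if tok in OP_KEYWORDS and not for_update:
            op = tok.upper()
        if tok in OBJECT_INTRODUCERS and not for_update:
            expect_obj, after_obj = True, False
            continue
        if expect_obj:
            expect_obj = False
            if is_ident and op is not None:
                pair = (op, tok.upper())
                if pair not in pairs:          # ordered set: keep the first occurrence only
                    pairs.append(pair)
                after_obj = True
            continue
        if after_obj:
            if tok == ",":
                expect_obj = True
            elif not (is_ident or tok == "as"):   # aliases keep the list open; anything else closes it
                after_obj = False
    return tuple(pairs)


def format_summary(pairs: Tuple[Pair, ...]) -> str:
    """Render a summary the way the text writes it: (SELECT, TABLE1)(UPDATE, TABLE2)."""
    return "".join(f"({op}, {obj})" for op, obj in pairs)


if __name__ == "__main__":
    # Constructed statements based on the examples in the text.
    for sql in ("SELECT TABLE1.COL1 from TABLE1 where TABLE1.ID='Zhang San'",
                "SELECT  TABLE1.COL1\tFROM TABLE1 WHERE TABLE1.ID='Li Si'",
                "UPDATE TABLE2 SET total = (SELECT SUM(amount) FROM TABLE1 WHERE id = 7)"):
        print(to_template(sql), "->", format_summary(to_summary(sql)))
```

The two normalizations have different sensitivity: the template still distinguishes "select * from table1 where id=?" from "select name from table1 where id=?", while the summary maps both to (SELECT, TABLE1). A statement that keeps the same objects but changes the shape of the query (an added OR clause, a UNION) therefore yields a new template but the same summary, which is exactly the difference the active and short-circuit states trade on.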
Suppose that a SQL statement detection model comprises one detection module. Fig. 3 shows the relationships among the detection module, detection units, database operation summaries, database operation templates and SQL statements. Specifically:
1) a detection module can have many detection units;
2) a detection unit corresponds to a unique database operation summary;
3) a detection unit corresponds to a unique state;
4) a detection unit can correspond to many database operation templates;
5) a database operation template corresponds to many SQL statements, and a SQL statement corresponds to only one database operation template.
The learning state, active state and short-circuit state are described below with reference to Fig. 4.
1) Learning state
Indicates that the detection unit corresponding to a database operation summary is in the process of continuously collecting database operation templates: if, by syntactic analysis of a database operation, the system finds a new database operation template, it places the new template into the unit's collection and does not produce a warning.
It should be noted that, by default, the detection unit corresponding to a new database operation summary is in the learning state. Afterwards, by automatic action of the system or by manual participation, the detection unit can be moved to the active or the short-circuit state.
2) Active state:
Indicates that the detection unit corresponding to a database operation summary is monitoring for unauthorized access: if the system finds a database operation that matches the summary and whose database operation template is in the unit's template list, no alert is produced; if the template is not in the list, the system produces an unauthorized-access anomaly alert for that operation. After a detection unit has been in the learning state for a period of time (the system considers that the templates matching that summary have all been collected), the system changes the unit's state to active.
3) Short-circuit state
Under this state, if the system finds a database operation that matches a database operation summary whose corresponding detection unit is in the short-circuit state, the system "lets through" the operation and does not trigger a warning, regardless of whether the operation is in the template list of that summary. When the template list of a detection unit in the learning state becomes large enough (exceeds a certain threshold), the system switches the unit corresponding to that summary to the short-circuit state. The short-circuit state is very significant for matching authorized database access where the SQL statements are generated dynamically (they all match the same summary, but every actual database operation template differs).
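To show how the three states interact over time, here is an added Python implementation of the detection module and its detection units as a state machine (example code, not the patent's own implementation); it covers the procedure in steps 1) and 2) above and the state descriptions just given. It takes already extracted (summary, template) pairs as input, so it needs no SQL parser. The threshold and the two time limits are constructor parameters, detection units are created explicitly with add_unit (the text says new units start in the learning state but not when they are created, so that is an assumption here), and the event stream in run_demo is constructed, not captured traffic.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple

Pair = Tuple[str, str]        # (operation type, database object), e.g. ("SELECT", "TABLE1")
Summary = Tuple[Pair, ...]    # ordered set of pairs: the database operation summary


class State(Enum):
    LEARNING = "learning"
    ACTIVE = "active"
    SHORT_CIRCUIT = "short-circuit"


@dataclass
class DetectionUnit:
    """One state machine per summary; collects operation templates while learning."""
    summary: Summary
    created_at: float                      # when learning started
    state: State = State.LEARNING          # new units start in the learning state
    templates: Set[str] = field(default_factory=set)
    last_new_template_at: float = 0.0      # last time the template set grew

    def __post_init__(self) -> None:
        self.last_new_template_at = self.created_at


@dataclass
class Verdict:
    legal: bool
    reason: str                            # which rule decided
    state: Optional[State] = None          # unit state after the check (None: no unit exists)
    alert: Optional[str] = None            # warning message, only for illegal operations


class DetectionModule:
    def __init__(self, threshold: int, max_learning: float, max_idle: float) -> None:
        self.threshold = threshold         # template count above which a unit short-circuits
        self.max_learning = max_learning   # seconds a unit may stay in learning
        self.max_idle = max_idle           # seconds without a new template before activation
        self.units: Dict[Summary, DetectionUnit] = {}

    def add_unit(self, summary: Summary, now: float) -> DetectionUnit:
        unit = DetectionUnit(summary, created_at=now)
        self.units[summary] = unit
        return unit

    def check(self, summary: Summary, template: str, now: float) -> Verdict:
        unit = self.units.get(summary)
        if unit is None:                   # no detection unit stored for this summary
            return Verdict(False, "unknown-summary", None,
                           f"unauthorized operation: no detection unit for {summary}")
        if unit.state is State.SHORT_CIRCUIT:
            return Verdict(True, "short-circuit", unit.state)
        if unit.state is State.ACTIVE:
            return self._check_active(unit, template)
        # learning: short-circuit condition first, then activation condition, else learn
        if len(unit.templates) > self.threshold:
            unit.state = State.SHORT_CIRCUIT
            return Verdict(True, "threshold-exceeded", unit.state)
        if (now - unit.created_at > self.max_learning
                or now - unit.last_new_template_at > self.max_idle):
            unit.state = State.ACTIVE
            return self._check_active(unit, template)
        if template not in unit.templates:
            unit.templates.add(template)
            unit.last_new_template_at = now
        return Verdict(True, "learning", unit.state)

    @staticmethod
    def _check_active(unit: DetectionUnit, template: str) -> Verdict:
        if template in unit.templates:
            return Verdict(True, "template-known", unit.state)
        return Verdict(False, "template-unknown", unit.state,
                       f"unauthorized operation: {template!r} not learned for {unit.summary}")


def run_demo() -> List[Tuple[bool, str, Optional[str]]]:
    """Replay a constructed event stream (not captured traffic); returns (legal, reason, state)."""
    mod = DetectionModule(threshold=3, max_learning=100.0, max_idle=50.0)
    sel_t1: Summary = (("SELECT", "TABLE1"),)
    sel_t2: Summary = (("SELECT", "TABLE2"),)
    del_t1: Summary = (("DELETE", "TABLE1"),)
    mod.add_unit(sel_t1, now=0.0)
    mod.add_unit(sel_t2, now=79.0)
    events = [
        (1.0, sel_t1, "select * from table1 where id=?"),
        (2.0, sel_t1, "select name from table1 where id=?"),
        (10.0, sel_t1, "select * from table1 where id=?"),     # repeat: learned already
        (70.0, sel_t1, "select count(*) from table1"),          # idle > 50 s: unit activates, new template flagged
        (71.0, sel_t1, "select name from table1 where id=?"),   # learned template passes
        (72.0, del_t1, "delete from table1 where id=?"),        # no unit for this summary
    ]
    events += [(80.0 + i, sel_t2, f"select c{i} from table2 where k=?") for i in range(5)]
    events.append((85.0, sel_t2, "select * from table2 where x=?"))   # short-circuited: never examined
    results = []
    for now, summary, template in events:
        v = mod.check(summary, template, now)
        results.append((v.legal, v.reason, v.state.value if v.state else None))
        if v.alert:
            print(f"[t={now:>5}] ALERT {v.alert}")
    return results


if __name__ == "__main__":
    for row in run_demo():
        print(row)
```

Two behaviours in the demo are worth noticing. The template that arrives after the idle period is the one that flips the unit to active, and it is flagged immediately rather than learned. And once a unit is short-circuited, every statement with that summary passes without its template being examined, so a statement that preserves the (operation, object) pairs but changes the query shape is never inspected for that summary; that is the trade-off the text accepts for dynamically generated SQL. A practitioner would also note that anything executed while a unit is still learning becomes a learned template, so learning should only run during a window believed to be clean.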
This embodiment has the following advantages:
(1) The detection policy is established dynamically.
(2) In theory, zero manual intervention can be achieved.
(3) Because the database operation summary can express business meaning such as permissions, using it as the subject identifier of a policy gives better readability.
(4) Because of the structured nature of the database operation summary, the functions of the system can be extended in a targeted manner (for example by manually defining a database operation summary or a fragment of one).
Embodiment of the database operation permission detection system for SQL statements
With reference to Fig. 5, the illustrated topology monitors the network traffic of database clients in bypass mode, parses and reconstructs the SQL statements, and records the database operations and other associated attributes. The figure comprises an audit server 51, a probe 52, a network device 53 and a database 54. The database operation permission detection system for SQL statements is located in the probe 52.
With reference to Fig. 6, which is a structural block diagram of the embodiment of the database operation permission detection system for SQL statements, the system comprises an extraction module 60 and a permission judgment module 62. Wherein:
The extraction module 60 analyzes the current database operation, determines the database operation template corresponding to the current database operation and, from that template, extracts the corresponding database operation summary; each database operation summary corresponds to a unique detection unit. The permission judgment module 62 judges whether the detection unit is already stored in the detection module of the system: if not, the current database operation is illegal and a warning message is sent; if so, it determines the state of the detection unit, the state being one of learning, active and short-circuit, and detects the operation permission according to the state of the detection unit.
The above embodiment summarizes each generated database operation, maps the summary to a detection unit (state machine), and sets the state of that state machine to "learning", "active" or "short-circuit", thereby dynamically monitoring unauthorized access.
In addition, it should be noted that the use of database operation templates in the above embodiment is an optimization of the system whose purpose is to reduce the number of database operations (SQL statements) that must be stored in memory; applying the database operation summary directly to database operations to reach a similar purpose is also within the scope of protection of the present invention.
The above embodiment is described further below.
In the above embodiment, in the permission judgment module 62, if the detection unit is in the short-circuit state, the current database operation is a legal operation.
In the above embodiment, in the permission judgment module 62, if the detection unit is in the active state, judge whether the detection unit stored in advance contains the database operation template corresponding to the current database operation; if so, the current database operation is legal; if not, it is illegal and a warning message is sent.
In the above embodiment, in the permission judgment module 62, if the detection unit is in the learning state, determine the number of all database operation templates in the detection unit and judge whether it exceeds a predetermined threshold:
i) If so, switch the state of the detection unit to short-circuit and determine the current database operation to be legal;
ii) If not, judge whether the learning state has lasted longer than a predetermined time, or whether the learned set of operation templates has not been updated for a long time:
If so, switch the state of the detection unit to active and detect the operation permission according to the rule for a detection unit in the active state;
If not, add the database operation template corresponding to the current database operation to the detection unit and, at the same time, determine the current database operation to be legal.
In addition, the database operation summary is an ordered set of (operation type, database object) pairs, where the database operation type expresses the manner of the database operation and the database object denotes an entity in the database. The database operation summary can be obtained as follows: using the database log as the basis for parsing, the SQL statement is parsed, according to its context, into a database operation template, and the database operation summary is obtained from that template.
It should further be noted that the principle of the embodiment of the database operation permission detection system for SQL statements is the same as that of the database operation permission detection method for SQL statements; the relevant parts may be understood by reference to each other and are not repeated here.
The database operation permission detection method and system for SQL statements provided by the present invention have been described in detail above. Specific embodiments have been used herein to explain the principle and implementation of the present invention, and the description of the above embodiments is only intended to help understand the method of the present invention and its core idea. At the same time, for a person of ordinary skill in the art, changes may be made to the specific embodiments and the scope of application in accordance with the idea of the present invention. In summary, the content of this description should not be construed as limiting the present invention.