A comprehensive database security protection method
Technical field
The present invention relates to the field of information security technology, and specifically to a comprehensive database protection method built on a new detection model that combines a rule-based misuse detection technique with a machine-learning-based anomaly detection technique, supplemented by an independent and complete database auditing technique and a real-time monitoring technique.
Background technology
Database systems, as the point where information is aggregated, are the core component of a computer information system, and their security is of the utmost importance. Yet because of shortcomings in the security of the database itself and other reasons, an attacker may access the database through improper channels, or even attack it by means of a buffer overflow or SQL injection, leaking sensitive information and compromising the security of both the data and the information system.
To secure databases and information systems, enterprises and organisations have taken many protective measures, including conventional methods and dedicated database protection methods. Conventional methods include physical isolation, firewalls, intrusion detection, encrypted transmission and identity authentication systems; they can only filter at the network layer, on addresses, ports and protocols, and cannot effectively resist application-layer attacks on the database system such as SQL injection. Dedicated database protection methods include signature-based database protection and the like. These methods are in essence misuse detection models: a misuse detection model builds a signature library, combined with a simple white-list function, to protect against known attack patterns, so it can only detect known security problems and cannot discover unknown attack behaviour. Moreover, as the signature library grows ever larger and more complex, the time consumed by detection grows with it; most seriously, because of the flexibility and versatility of the SQL language and the continual evolution of attacks, a signature library alone finds it hard to distinguish normal access from attacks accurately, so accuracy falls and the false-alarm rate rises.
An intrusion is an unauthorised, deliberate attempt to access information, tamper with information, or render a system unreliable or unusable, and an intrusion detection system is a system that detects such attempts. Intrusion detection systems are divided into anomaly intrusion detection systems and misuse intrusion detection systems.
An anomaly detection model builds a model of normal system operation and compares current activity against it; as soon as activity departs from the statistically normal pattern of operation, an intrusion is deemed to have occurred. Its key is the choice of the anomaly threshold and of the features. Its advantage is that it can detect unknown and comparatively complex intrusions, but because the behavioural characteristics of application systems often change flexibly, an anomaly detection model has difficulty locating Structured Query Language (SQL) attacks precisely, and its false-alarm rate is too high.
Existing anomaly intrusion detection methods include anomaly detection based on feature selection, on Bayesian inference, on Bayesian networks, on statistics, on model prediction, on machine learning, on data mining, on application models, and on text classification.
A misuse detection model collects the characteristics of intrusion behaviour and builds a corresponding attack signature library. During detection, the collected data is pattern-matched against the attack signatures in the library to decide whether an intrusion has occurred. The misuse detection model has a low false-alarm rate, but it can only be used to detect known intrusion behaviour and cannot discover unknown intrusions.
Existing misuse intrusion detection methods include misuse intrusion detection based on conditional probability, on state-transition analysis, on keyboard monitoring, and rule-based misuse intrusion detection.
In summary, anomaly intrusion detection is prone to false alarms and misuse intrusion detection is prone to missed alarms. The present invention therefore proposes a new detection model that combines a rule-based misuse detection technique with a machine-learning-based anomaly detection technique, exploiting the respective advantages of the two techniques and their complementarity, so as to reduce both the missed-alarm rate and the false-alarm rate relative to using either technique alone and thereby raise the overall protective capability of the system.
The audit function is an important part of the security of a database management system; in the present invention it also serves as a second line of defence, independent of the detection module. There are four common security audit techniques: log-based auditing, agent-based auditing, network-monitoring-based auditing, and gateway-based auditing.
The present invention adopts gateway-based auditing, in which a gateway device is deployed in front of the database system and auditing is performed by intercepting, inline, the traffic forwarded to the database.
Summary of the invention
To overcome the shortcomings of the prior art, the present invention provides a new detection model combining a rule-based misuse detection technique with a machine-learning-based anomaly detection technique; it exploits the respective advantages of the two techniques and their complementarity, reducing both the missed-alarm rate and the false-alarm rate relative to using either technique alone and thereby raising the overall protective capability of the system. The feature rule library used by the rule-based misuse detection technique comprises: a rule library of malicious attack behaviour features such as SQL injection; a rule library of database defect features extracted by analysing database vulnerabilities; a rule library formed by mass analysis of historical and newly discovered attack patterns and defects; and a dedicated rule library formed from the requirements of the specific application system and the characteristics of the database. The feature rule library is described with Perl-style regular expressions, which are flexible and powerful. The machine-learning-based anomaly detection has two modes of operation, learning and filtering. The learning mode requires a complete run of the specific application system in an isolated, safe environment; in this mode the database security gateway records and analyses all user accesses to form a knowledge base. The filtering mode is switched to after learning is complete; in this mode the knowledge base obtained by learning is applied to filter user accesses strictly. The new detection model brings the two techniques together: all normal accesses are judged legal by the machine-learning-based anomaly detection module; abnormal accesses are judged illegal and blocked by the rule-based misuse detection module; anything outside these two classes is regarded as suspicious and is confirmed by administrator intervention, after which the system's self-learning module assigns it to one of the two classes. Through effective fusion of the above techniques, this method achieves comprehensive, strict and flexible protection of the database, from the network layer (IP address, protocol, port) to the application layer (accessing account, accessed database object, accessed table object, operation type and privilege), and can effectively resist attacks on the database application layer and on the database's own vulnerabilities.
The database security protection method provided by the invention, which combines anomaly and misuse detection, comprises: detecting with a rule-based misuse detection technique and a machine-learning-based anomaly detection technique, and judging whether an access is legal.
In a preferred technical scheme provided by the invention, the rule-based misuse detection technique describes the attack library in the form of Perl regular expressions and applies it in a detection program for Structured Query Language (SQL) attacks.
In a second preferred technical scheme provided by the invention, the contents of the attack library comprise: external attacks such as SQL injection, exploitation of the database's own vulnerabilities, and user operations on sensitive data in the database.
In a third preferred technical scheme provided by the invention, the machine-learning-based anomaly detection technique has two modes of operation, learning and filtering.
In a fourth preferred technical scheme provided by the invention, the learning mode is a complete run of the system in an isolated, safe environment, during which the database security gateway records user accesses, analyses them and forms the knowledge base.
In a fifth preferred technical scheme provided by the invention, the filtering mode is switched to after learning is complete; in this mode the knowledge base obtained by learning is applied to filter user accesses strictly.
In a sixth preferred technical scheme provided by the invention, the method comprises the steps of: (1) building an application system test environment; (2) deploying the database security gateway in the test environment and setting it to learning mode; (3) testing the application system completely to form the knowledge base; (4) deploying the database security gateway in the real application system environment and setting it to filtering mode; (5) testing the application system and resolving any alarms that appear; (6) subsequent upgrading and maintenance.
In a seventh preferred technical scheme provided by the invention, the method comprises a database auditing step.
In an eighth preferred technical scheme provided by the invention, the method comprises a real-time database monitoring step.
Compared with the prior art, the advantages of the present invention are:
(1) The invention proposes a new detection model combining a rule-based misuse detection technique with a machine-learning-based anomaly detection technique; it exploits the respective advantages of the two techniques and their complementarity, reducing both the missed-alarm rate and the false-alarm rate relative to using either technique alone and thereby raising the overall protective capability of the system.
(2) The invention can self-learn the elements of the feature library while collecting elements such as IP address, protocol, port, account, SQL operation, SQL operand and injection feature. Self-learning here means that when the application environment changes and a new pattern of normal behaviour appears, or when a new type of attack appears, the system judges these new access behaviours to be suspicious; the administrator then intervenes and judges them manually. If a behaviour is judged normal, the learning function of the machine-learning-based anomaly detection module is started and the behaviour's features are added to the normal-behaviour knowledge base; if it is judged an attack, the learning function of the rule-based misuse detection module is started and the behaviour is added to the attack signature library.
(3) The invention uses Perl-compatible regular expressions (PCRE) to formally describe both the behaviour feature library based on the application system's business and the SQL attack signature library, and applies them in the SQL attack detection program. Because regular expressions are flexible and have strong descriptive power, the signature library is powerful and highly extensible.
(4) The invention can be flexibly deployed in border defence devices, application servers, database servers and various security auditing systems.
Description of drawings
Fig. 1 is a diagram of the working principle of the database security gateway of the invention;
Fig. 2 is a deployment diagram of the database security gateway as an information security network isolation device within a network;
Fig. 3 is a workflow diagram of the new detection model combining the rule-based misuse detection technique with the machine-learning-based anomaly detection technique;
Fig. 4 is a workflow diagram of the learning mode of the machine-learning-based anomaly detection technique;
Fig. 5 is a workflow diagram of the filtering mode of the machine-learning-based anomaly detection technique;
Fig. 6 is an overall workflow diagram of the machine-learning-based anomaly detection technique;
Fig. 7 is a workflow diagram of the rule-based misuse detection technique.
Embodiment
The following is an exemplary embodiment of the database security gateway as an information network isolation device.
The database security gateway isolates a trusted information intranet from an untrusted information extranet, and must guarantee that all SQL communication between the intranet and the extranet passes through the gateway for SQL inspection. The gateway is a dedicated device that protects the database, meeting the need to partition a network according to security level; its core technology is the comprehensive database protection method combining anomaly and misuse detection. The solution of the invention can filter network traffic accessing Oracle/SQL Server databases, allow only specified application servers to access a specified database server, and control, by means of a dedicated program, the content and behaviour of client programs accessing the database service.
Fig. 1 shows the working principle of the database security gateway. The gateway as a whole is divided into the following functional modules: (1) database packet capture; (2) network-layer filtering; (3) IP fragment reassembly, TCP session reassembly and session state monitoring; (4) database protocol parsing; (5) SQL filtering; (6) packet forwarding. The present invention is mainly applied in the core of the product, the SQL filtering module.
Fig. 2 shows the database security gateway deployed as an information security network isolation device, isolating the trusted information intranet from the untrusted information extranet so that all SQL communication between them is inspected by the gateway.
Fig. 3 shows the workflow of the new detection model combining the rule-based misuse detection technique with the machine-learning-based anomaly detection technique. The model comprises: (1) a knowledge base, built by capturing and analysing legal database accesses, which is used by the machine-learning-based anomaly detection technique; (2) a feature rule library, extracted by mining and summarising database attack techniques, which is used by the rule-based misuse detection technique.
The two detection techniques are used in combination. The machine-learning-based anomaly detection technique compares the SQL access under inspection with the legal accesses in the knowledge base; if a match exists, the access is considered legal and is forwarded directly to the database. If no match exists, the rule-based misuse detection technique compares the access against the feature rule library; if a match exists, the access is considered illegal and is dropped directly, and if no match exists, the access is judged an alarm.
An access of the alarm type requires the administrator to intervene and make a manual judgement. If it is judged legal, the self-learning function of the machine-learning-based anomaly detection technique is called and the database access is automatically added to the knowledge base, so that the anomaly detection technique can judge such an access on its own the next time it is encountered. If it is judged illegal, the self-learning module of the rule-based misuse detection technique is called, the behavioural features of the access are analysed, and the features are added to the feature rule library.
Fig. 4 and Fig. 5 show the workflows of the learning mode and the filtering mode of the machine-learning-based anomaly detection technique. The filtering mode is the mode used in normal operation; the learning mode assumes that the external environment is isolated and safe, and starts the self-learning function directly on every captured access in order to form the knowledge base.
Both modes go through the following flow: (1) accept the SQL statement; (2) parse the SQL statement; (3) analyse its features; (4) compare with the knowledge base. The difference is that the filtering mode returns the comparison result, whereas the learning mode, when the comparison finds no match, starts the self-learning function and adds the access to the knowledge base.
Fig. 6 shows the overall workflow of the machine-learning-based anomaly detection technique. It covers the contents of Fig. 4 and Fig. 5 and gives a clearer picture of the SQL analysis process of the anomaly detection technique, in which an SQL statement goes through: (1) lexical analysis and comparison; (2) syntactic analysis and comparison; (3) semantic analysis and comparison. Correspondingly, the knowledge base of the anomaly detection technique in fact comprises three parts: a lexicon library, a syntax library and a behaviour library.
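As an added example, not taken from the patent or from any product, the following Python code models the three-part knowledge base (lexicon, syntax and behaviour libraries) and the three successive comparisons an SQL statement goes through in filtering mode. The tokenizer, the `KnowledgeBase` class and the two constructed learning statements are assumptions made for this example; the syntactic layer abstracts identifiers as well as literals, so that a statement of a known shape against an unfamiliar table is left for the behaviour layer to decide.

```python
import re

# Lexical layer: classify every character run of the statement. The trailing
# OTHER class catches anything the tokenizer does not recognise, so an
# unexpected character shows up as an unknown token class instead of vanishing.
TOKEN_RE = re.compile(r"""
    (?P<STRING>'(?:[^']|'')*')
  | (?P<NUMBER>\b\d+(?:\.\d+)?\b)
  | (?P<COMMENT>--[^\n]*|/\*.*?\*/)
  | (?P<IDENT>[A-Za-z_][A-Za-z0-9_.]*)
  | (?P<OP>[=<>!]+|\|\||[-+*/%])
  | (?P<PUNCT>[(),;])
  | (?P<WS>\s+)
  | (?P<OTHER>.)
""", re.VERBOSE | re.DOTALL)
KEYWORDS = {"SELECT", "FROM", "WHERE", "INSERT", "INTO", "VALUES", "UPDATE",
            "SET", "DELETE", "AND", "OR", "UNION", "ORDER", "BY", "JOIN", "ON"}
OBJECT_INTRODUCERS = {"FROM", "INTO", "UPDATE", "JOIN"}   # keyword before a table name


def lex(sql):
    """Return (token_class, text) pairs; whitespace is dropped, keywords upper-cased."""
    tokens = []
    for m in TOKEN_RE.finditer(sql):
        kind, text = m.lastgroup, m.group()
        if kind == "WS":
            continue
        if kind == "IDENT" and text.upper() in KEYWORDS:
            kind, text = "KEYWORD", text.upper()
        tokens.append((kind, text))
    return tokens


def lexical_features(tokens):
    """Vocabulary of the statement: the token classes and keywords it uses."""
    return {text if kind == "KEYWORD" else kind for kind, text in tokens}


def syntactic_template(tokens):
    """Shape of the statement with literals and identifiers abstracted away."""
    placeholder = {"STRING": "?s", "NUMBER": "?n", "IDENT": "?i"}
    return " ".join(placeholder.get(kind, text) for kind, text in tokens)


def behaviour(tokens):
    """(operation, objects): what the statement does and which tables it touches."""
    operation = next((text for kind, text in tokens if kind == "KEYWORD"), None)
    objects = set()
    for (kind, text), (next_kind, next_text) in zip(tokens, tokens[1:]):
        if kind == "KEYWORD" and text in OBJECT_INTRODUCERS and next_kind == "IDENT":
            objects.add(next_text.lower())
    return operation, frozenset(objects)


class KnowledgeBase:
    """Lexicon, syntax and behaviour libraries, filled in learning mode and
    consulted, in that order, in filtering mode."""

    def __init__(self):
        self.lexicon, self.syntax, self.behaviours = set(), set(), set()

    def learn(self, sql):
        tokens = lex(sql)
        self.lexicon |= lexical_features(tokens)
        self.syntax.add(syntactic_template(tokens))
        self.behaviours.add(behaviour(tokens))

    def check(self, sql):
        """'match', or the name of the first layer at which the statement
        departs from everything seen during learning."""
        tokens = lex(sql)
        if not lexical_features(tokens) <= self.lexicon:
            return "lexical"
        if syntactic_template(tokens) not in self.syntax:
            return "syntactic"
        if behaviour(tokens) not in self.behaviours:
            return "semantic"
        return "match"


# Constructed statements standing in for traffic captured during the learning run.
LEARNED = [
    "SELECT id, name FROM users WHERE id = 42",
    "UPDATE users SET name = 'alice' WHERE id = 7",
]


def demo():
    kb = KnowledgeBase()
    for sql in LEARNED:
        kb.learn(sql)
    return {
        "same shape, new literal": kb.check("SELECT id, name FROM users WHERE id = 99"),
        "unknown token class": kb.check("SELECT id, name FROM users WHERE id = 99 -- note"),
        "unknown shape": kb.check("SELECT id FROM users WHERE id = 99"),
        "known shape, new table": kb.check("SELECT id, name FROM accounts WHERE id = 99"),
    }


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:25s} -> {verdict}")
```

Running `demo()` shows the layering: a statement that differs only in a literal matches, a comment introduces a token class the lexicon has never seen, a shorter select fails at the syntax library, and a select of a known shape against a table never touched during learning is caught only at the behaviour library.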
Fig. 7 shows the workflow of the rule-based misuse detection technique. Its signature library is built on the basis of analysing and summarising database attack techniques and is expressed with powerful and flexible regular expressions; the process of comparing an access's SQL against the signature library is a search based on regular expressions.
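The combined workflow described above (comparison with the knowledge base first, then a regular-expression search of the feature library, with alarms resolved by the administrator and fed back into one of the two libraries through self-learning) is shown below as an added Python example. It is not code from the patent or from any product; the `Gateway` class, the `normalise` feature extraction and the three constructed rules in `RULE_LIBRARY` are assumptions made for the example.

```python
import re

# Constructed feature rule library written in Perl-compatible regular-expression
# syntax (Python's re accepts these patterns). The patent does not publish its
# own library; these three rules are illustrative stand-ins for it.
RULE_LIBRARY = [
    ("tautology", re.compile(r"\bor\s+(\d+)\s*=\s*\1\b|\bor\s+'([^']*)'\s*=\s*'\2'", re.I)),
    ("stacked-ddl", re.compile(r";\s*(drop|alter|truncate)\b", re.I)),
    ("inline-comment", re.compile(r"--|/\*")),
]


def normalise(sql):
    """Feature extraction for the knowledge base: literals become placeholders so
    an access is recognised by its shape rather than by the values it carries."""
    sql = re.sub(r"'(?:[^']|'')*'", "?", sql)
    sql = re.sub(r"\b\d+\b", "?", sql)
    return " ".join(sql.split()).lower()


class Gateway:
    """SQL filtering module of the hypothetical gateway: learning and filtering
    modes, a knowledge base of legal shapes and the regex feature library."""

    LEARNING, FILTERING = "learning", "filtering"

    def __init__(self, rules=RULE_LIBRARY):
        self.mode = self.LEARNING
        self.knowledge_base = set()
        self.rules = list(rules)

    def inspect(self, sql):
        """Return 'forward', 'drop' or 'alert' for one SQL access."""
        shape = normalise(sql)
        if self.mode == self.LEARNING:
            # Learning mode assumes an isolated, safe environment: every captured
            # access is taken as legal and recorded in the knowledge base.
            self.knowledge_base.add(shape)
            return "forward"
        # Filtering mode, first stage: anomaly detection against the knowledge base.
        if shape in self.knowledge_base:
            return "forward"
        # Second stage: misuse detection as a regex search over the feature
        # library. Each rule is tried against the raw statement and its shape, so
        # rules the administrator derives from a shape (resolve_alert) apply too.
        if any(rx.search(sql) or rx.search(shape) for _, rx in self.rules):
            return "drop"
        # Neither library knows the access: raise an alarm for the administrator.
        return "alert"

    def resolve_alert(self, sql, legal):
        """Administrator verdict on an alarmed access, fed to the self-learning
        function of whichever module the verdict belongs to."""
        shape = normalise(sql)
        if legal:
            self.knowledge_base.add(shape)
        else:
            self.rules.append(("admin:" + shape, re.compile("^" + re.escape(shape) + "$")))


# Constructed statements standing in for the traffic of the learning run.
LEARNING_TRAFFIC = [
    "SELECT name, email FROM users WHERE id = 42",
    "INSERT INTO orders (user_id, total) VALUES (42, 19.99)",
]


def demo():
    gw = Gateway()
    for sql in LEARNING_TRAFFIC:
        gw.inspect(sql)
    gw.mode = Gateway.FILTERING
    results = {}
    results["known shape"] = gw.inspect("SELECT name, email FROM users WHERE id = 7")
    results["rule hit"] = gw.inspect("SELECT name, email FROM users WHERE id = 7 OR 1=1")
    report = "SELECT count(*) FROM orders WHERE user_id = 7"
    results["unknown shape"] = gw.inspect(report)
    gw.resolve_alert(report, legal=True)        # administrator: a legitimate new report
    results["after learning"] = gw.inspect(report)
    purge = "DELETE FROM audit_log"
    results["unknown shape 2"] = gw.inspect(purge)
    gw.resolve_alert(purge, legal=False)        # administrator: the application must never do this
    results["after new rule"] = gw.inspect("delete FROM Audit_Log")
    return results


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:16s} -> {verdict}")
```

The order of the two stages is what gives the model its low alarm volume: a shape learned during the test run is forwarded without ever touching the rule library, the rule library only sees accesses the knowledge base does not recognise, and an administrator verdict settles each remaining shape once, so the same access is never alarmed twice.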
The complete deployment steps of the database security gateway as an information security network isolation device are as follows.
Step 1: Build the application system test environment
The database security gateway is developed with the technique combining anomaly and misuse detection, so a knowledge base of normal access behaviour must be built first. The knowledge base must be built in an isolated, safe environment by completely capturing all access records and then analysing them through the system, so building an application system test environment is essential. At the same time, the database security gateway is deployed within the network as an information security network isolation device.
Step 2: Deploy the database security gateway in the test environment and set it to learning mode
As an information security network isolation device, the database gateway must be deployed at the intranet/extranet border, connected inline so that it shields the back-end database completely and performs security filtering of access information on the data link.
Deployment comprises:
Assign the intranet and extranet network addresses to eth0 and eth1 respectively, and connect the network.
Create the database mapping, including the local mapped IP address and port, the legal database type, and the database server IP address and port; set this mapping to all-pass mode.
Test the database mapping by accessing the intranet database from the extranet; if successful, proceed to the next step, otherwise check the settings.
Configure authority: the legal application server IP addresses or address ranges, the legal database types and user names, the legal database names, and so on.
Set the mapping to learning mode.
Step 3: Test the application system completely to form the knowledge base
Test the application system in the isolated, safe environment, making sure as far as possible that every function of the application system is exercised once; otherwise the knowledge base built will be incomplete and the follow-up workload will increase. During testing, the database access situation can be followed at any time through functions such as the real-time monitoring of the database security gateway.
Step 4: Deploy the database security gateway in the real application system environment and set it to filtering mode
The deployment is the same as in Step 2, except that the mapping is finally set to filtering mode.
Step 5: Test the application system completely and resolve any alarms that appear
While testing the application system again, normal accesses that were not covered by the testing in Step 3 may be falsely reported as alarm messages; the administrator then needs to intervene, judge them, and use the self-learning function of the database security gateway to add the alarmed SQL to the knowledge base of normal accesses.
Step 6: Subsequent upgrading and maintenance
Subsequent upgrading and maintenance mainly comprise upgrading the system and the feature rule library, and the administrator handling alarms.
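The configuration objects of Step 2 (database mapping and authority configuration) and the mode progression of Steps 2 and 4 (all-pass, then learning, then filtering) can be modelled as below. This is an added Python example, not the gateway's own software; the `DatabaseMapping`, `AuthorityConfig` and `admit_connection` names, the CIDR notation for address ranges and the RFC 5737 documentation addresses are assumptions constructed for it. It shows the network-layer decision the gateway takes on a new connection before any SQL is parsed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class DatabaseMapping:
    """One mapping entry of the hypothetical gateway: the address it listens on
    (extranet side) and the real database server (intranet side) it forwards to.
    The mode field follows the deployment order: all-pass, learning, filtering."""
    local_ip: str
    local_port: int
    db_type: str
    server_ip: str
    server_port: int
    mode: str = "all-pass"


@dataclass
class AuthorityConfig:
    """Legal application server addresses, database types, user names and
    database names, as configured in the deployment's authority step."""
    app_servers: list          # CIDR strings, an assumption of this example
    db_types: set
    users: set
    databases: set

    def permits(self, src_ip, db_type, user, database):
        addr = ipaddress.ip_address(src_ip)
        from_legal_server = any(addr in ipaddress.ip_network(n) for n in self.app_servers)
        return (from_legal_server and db_type in self.db_types
                and user in self.users and database in self.databases)


def admit_connection(mapping, authority, src_ip, dst_ip, dst_port, user, database):
    """Network-layer decision on a new client connection, taken before any SQL
    is parsed. Returns (decision, reason)."""
    if (dst_ip, dst_port) != (mapping.local_ip, mapping.local_port):
        return "reject", "no database mapping for this destination"
    if mapping.mode == "all-pass":
        # All-pass exists only to test the mapping itself (Step 2); nothing is checked.
        return "forward", "all-pass mode (mapping test)"
    if not authority.permits(src_ip, mapping.db_type, user, database):
        return "reject", "not permitted by authority configuration"
    return "forward", f"{mapping.mode} mode"


def demo():
    # Constructed configuration using RFC 5737 documentation address ranges.
    mapping = DatabaseMapping("203.0.113.10", 1521, "oracle", "10.0.0.5", 1521, mode="filtering")
    authority = AuthorityConfig(app_servers=["198.51.100.0/24"], db_types={"oracle"},
                                users={"app_user"}, databases={"orders"})

    def attempt(src_ip, dst_port=1521, user="app_user", database="orders"):
        return admit_connection(mapping, authority, src_ip, "203.0.113.10",
                                dst_port, user, database)[0]

    untested = DatabaseMapping("203.0.113.10", 1521, "oracle", "10.0.0.5", 1521)  # still all-pass
    return {
        "legal application server": attempt("198.51.100.7"),
        "unknown source address": attempt("198.51.101.7"),
        "wrong database name": attempt("198.51.100.7", database="hr"),
        "unmapped port": attempt("198.51.100.7", dst_port=1522),
        "all-pass during mapping test": admit_connection(
            untested, authority, "198.51.101.7", "203.0.113.10", 1521, "anyone", "hr")[0],
    }


if __name__ == "__main__":
    for label, decision in demo().items():
        print(f"{label:30s} -> {decision}")
```

The last case is the one to keep in mind when following the deployment steps: a mapping left in all-pass mode after the mapping test forwards every connection regardless of the authority configuration, so the switch to learning mode at the end of Step 2, and to filtering mode in Step 4, is what actually brings the address, user and database checks into force.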
The present invention has been described with reference to preferred embodiments. Obviously, after reading and understanding the above detailed description, various modifications and substitutions can be made. The application is intended to be construed as including all such modifications and substitutions that fall within the scope of the appended claims or their equivalents.