CN102480385B - database security protection method and device - Google Patents


Publication number
CN102480385B
Authority
CN
China
Prior art keywords
operations
database
observation cycle
message
model
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN201010570372.XA
Other languages
Chinese (zh)
Other versions
CN102480385A (en
Inventor
孙海波
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Venus Information Security Technology Co Ltd
Beijing Venus Information Technology Co Ltd
Original Assignee
Beijing Venus Information Security Technology Co Ltd
Beijing Venus Information Technology Co Ltd

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a database security protection method and device, relates to the technical field of networks, and solves the problem of low security of a database. The method comprises the following steps of: receiving and resolving a message, and extracting database operation information in the message; carrying out statistics on the database operation information; and generating a normal behavioral model according to a statistical result, and detecting whether the database operation is abnormal or not according to the normal behavioral model. The technical scheme provided by the invention is suitable for database security protection.

Description

Database security protection method and device
Technical Field
The present invention relates to the field of network technology, and in particular to a database security protection method and device.
Background Art
With the development of informatization, databases such as DB2, Oracle and MySQL are used ever more deeply across all industries. In industries such as finance and information especially, databases store large amounts of important data, and auditing and protecting that data has become a problem that network security products must address.
Current network security products such as firewalls and intrusion detection systems can only detect and protect against external attacks or security risks; they cannot effectively detect or protect against violating operations by database insiders. An ordinary database service audit system, for its part, can only extract information about the operations that users of the current business system perform on the various databases. User operations on a database basically comprise operation types such as insert, delete, modify and query, and many database service audit systems can accurately extract all kinds of database operation information, including the operation type, operation object and operation time. But the current trend in database services means that merely extracting the operation information of the various databases is not enough: from the standpoint of database protection, abnormal database operation behaviour needs to be detected within a large volume of database operation information. For example, in one actual case, a pharmaceutical sales representative, in order to take kickbacks on drug purchases, repeatedly queried the database for the usage and prices of various drugs. Relying on a traditional database service audit system alone, each query event can be audited accurately, but because each individual query is a legitimate database operation, the anomaly cannot be detected. What this case reflects is abnormal database operation behaviour in which a user's query count, frequency and operation ratio over a period of time are strongly anomalous. In another case, a user seeking private gain kept modifying data in a back-end database; the audit system audited each data modification, but could not detect the anomalous behaviour of frequent data modification, which reduced the security of the database.
Summary of the Invention
The invention provides a database security protection method and device that solve the problem of low database security.
A database security protection method comprises:
receiving and parsing a message, and extracting the database operation information in the message;
collecting statistics on the database operation information;
generating a normal behaviour model according to the statistical result;
detecting, according to the normal behaviour model, whether a database operation is abnormal.
Preferably, receiving and parsing a message and extracting the database operation information in the message is specifically:
receiving the message, extracting from it the SQL statement that identifies the database operation, and extracting the database operation information from the SQL statement.
Preferably, the database operation information comprises the operation type, the operation source IP address, the operation time and the database type, and before the step of receiving and parsing a message and extracting the database operation information in the message, the method further comprises:
formulating a model generation policy, where the model generation policy comprises policy parameters, a model self-learning cycle, a model self-learning algorithm, an observation cycle and a sampling period, the policy parameters comprise the valid operation types and the database type, and the model self-learning cycle contains at least one observation cycle.
Preferably, collecting statistics on the database operation information is specifically:
classifying and counting the database operation information that matches the policy parameters to obtain a statistical result, where the classified counting is specifically counting, by operation type, the number of operations of each class within one observation cycle.
Preferably, generating a normal behaviour model according to the statistical result comprises:
in each model generation cycle, calculating from the statistical result the number of operations of all operations in each observation cycle of the last sampling period;
calculating, for each observation cycle, the ratio of the number of operations of each class to the number of operations of all operations;
generating the normal behaviour model, in accordance with the model generation policy, from the number of operations of all operations and the ratio of the number of operations of each class to the number of operations of all operations.
Preferably, generating the normal behaviour model in accordance with the model generation policy comprises:
calculating, by the expression, the mean number of operations of one class of operation in one observation cycle, where N is the number of observation cycles contained in the sampling period, x_i denotes the number of operations of this class in each observation cycle, and is the mean number of operations of one class of operation in one observation cycle;
calculating, by the expression, the variance value of the number of operations of one class of operation in the sampling period;
calculating, by the expression, the mean of the ratio of the number of operations of one class of operation in one observation cycle to the number of operations of all operations in that observation cycle, where N is the number of observation cycles contained in the sampling period, and y_j denotes the ratio of the number of operations of this class in each observation cycle to the number of operations of all operations in that observation cycle;
calculating, by the expression, the variance value of the ratio of the number of operations of one class of operation within one sampling period to the number of operations of all operations in the observation cycle;
using the said σ1, y_j and σ2 as the normal behaviour model.
Preferably, detecting, according to the normal behaviour model, whether a database operation is abnormal is specifically:
taking the difference between the number of operations of one class of operation in the current observation cycle and the mean number of operations of that class in the last sampling period, comparing it with the variance value of the number of operations of that class, and judging from the comparison result whether a database operation anomaly exists.
Preferably, detecting, according to the normal behaviour model, whether a database operation is abnormal is specifically:
taking the difference between the ratio of the number of operations of one class of operation to the number of all operations in the current observation cycle and the mean of that ratio in the last model generation cycle, comparing it with the variance value of the ratio of the number of operations of that class to the number of all operations, and judging from the comparison result whether a database operation anomaly exists.
The present invention also provides a database security protection device, comprising:
a message parsing module, configured to receive and parse a message and extract the database operation information in the message;
a statistics module, configured to collect statistics on the database operation information;
a model generation module, configured to generate a normal behaviour model according to the statistical result;
an anomaly detection module, configured to detect, according to the normal behaviour model, whether a database operation is abnormal.
Preferably, the above database security protection device further comprises:
a policy formulation module, configured to formulate a model generation policy, where the model generation policy comprises policy parameters, a model self-learning cycle, a model self-learning algorithm and an observation cycle, the policy parameters comprise the valid operation types and the database type, and the model self-learning cycle contains at least one observation cycle.
The invention provides a database security protection method and device: a message is received and parsed on the database side, the database operation information in the message is extracted and statistics are collected on it, a normal behaviour model is then generated according to the statistical result, and whether a database operation is abnormal is detected according to the normal behaviour model. Abnormal behaviour in database operations can thus be detected, which solves the problem of low database security.
Brief Description of the Drawings
Fig. 1 is a flow chart of a database security protection method provided by embodiment one of the invention;
Fig. 2 is a flow chart of a database security protection method provided by embodiment two of the invention;
Fig. 3 is a structural diagram of a database security protection device provided by an embodiment of the invention;
Fig. 4 is a structural diagram of a database security protection device provided by another embodiment of the invention.
Detailed Description of the Embodiments
To solve the problem of database security, the invention provides a method that detects anomalies in the operation behaviour of various databases, so that abnormal database operation behaviour can be found among a large number of database operation events and the protective capability of the database system is improved.
Embodiments of the invention are described in detail below with reference to the accompanying drawings. It should be noted that, where they do not conflict, the embodiments in this application and the features in the embodiments may be combined with one another in any way.
Embodiments of the invention propose a database security protection method and device for detecting abnormal operation behaviour in database systems. In the database service environment of a practical application, data messages are parsed and the various kinds of database operation information are collected to generate a normal behaviour model for each class of operation in the current database environment, and abnormal database operations are detected using this model as the standard. The database operation behaviour anomaly detection model can also continuously update the normal behaviour model by self-learning during detection, to meet the needs of anomaly detection. The database security protection method and system provided by the embodiments of the invention can build a normal behaviour model of database operations from the database operation behaviour carried in actually captured network messages and adjust the model dynamically by self-learning, and can accurately find abnormal behaviour hidden among the various database operations, thereby to some extent reflecting possible security risks and reporting them to the user or administrator, and providing accurate audit and protection functions for the database system.
First, embodiment one of the invention is described.
Using embodiment one of the invention, the flow for protecting database security and detecting abnormal behaviour is shown in Fig. 1 and comprises:
Step 101: receive and parse a message, and extract the database operation information in the message;
Step 102: collect statistics on the database operation information;
Step 103: generate a normal behaviour model according to the statistical result;
Step 104: detect, according to the normal behaviour model, whether a database operation is abnormal.
In the database security protection method provided by this embodiment of the invention, a message is received and parsed on the database side, the database operation information in the message is extracted and statistics are collected on it, a normal behaviour model is then generated according to the statistical result, and whether a database operation is abnormal is detected according to the normal behaviour model. Abnormal behaviour in database operations can thus be detected, which solves the problem of low database security.
Embodiment two of the invention is described below with reference to the accompanying drawings.
This embodiment of the invention provides a database security protection method. Using the method, the flow for protecting database security and detecting abnormal behaviour is shown in Fig. 2 and comprises:
Step 201: formulate a model generation policy;
In this step, the model generation policy is set according to the actual database system environment. The model generation policy provides the basis for collecting statistics on the various database operation data and for generating the normal behaviour model.
The model generation policy comprises policy parameters, a model self-learning cycle, a model self-learning algorithm and an observation cycle; the policy parameters comprise the valid operation types and the database type, and the model self-learning cycle contains at least one observation cycle.
Under different database environments, factors such as the access frequency and access types of the database may differ. For example, different database environments classify database operations by different criteria: it may be necessary to attend only to the main behaviours such as query, change and delete, or to all types of database operation. Likewise, database environments differ in access frequency: for busy systems such as finance and banking the observation cycle may be set to only a few minutes or even a few seconds, while for database environments with a low access frequency the observation cycle may be set to tens of minutes. This step clearly sets all the policy parameters needed when generating the normal behaviour model, to ensure that the normal behaviour model generated later meets the needs of the practical application.
Step 202: receive and parse a message, and extract the database operation information in the message;
This step is specifically: receive the message, extract from it the SQL statement that identifies the database operation, and extract the database operation information from the SQL statement.
The message may specifically be a data message. Protocol parsing is performed on the actually captured data messages: the content of each field is extracted according to the corresponding database protocol format, the database operation information contained is classified and counted according to the configured model generation policy, and the resulting statistics are provided to the detection model generator to generate the detection model.
The details are as follows:
Suppose the policy parameters set in step 201 are:
Database type: Oracle database;
Valid operation types: query, change and other operations.
Step 202: receive and parse a message, and extract the database operation information in the message;
In this step, the protocol parser processes the captured data messages and extracts the corresponding fields according to the different database protocol formats. For example, for an Informix database, the SQL statement identifying the database operation can be extracted from data messages whose message type is 0002 or 0001, while for an Oracle database, depending on the driver type, the SQL statement identifying the database operation can be extracted from 0351 messages or by a matching technique using configured keywords such as "select, insert". This step then classifies the extracted database operations and generates database operation data in a unified information format, including the database operation type, operation IP, operation time, target database name, etc.
The observation cycle is set to 5 minutes, the sampling period to 5 days, and the model generation cycle to 1 hour. The records of the database operation information contained in the received messages are as follows (the parameters of each record are, in order: operation type, address, time, database type):
Select 201.220.74.104 10-05-23 8:00 Oracle
update 162.195.54.101 10-05-23 8:01 Oracle
insert 130.114.52.162 10-05-23 8:01 Oracle
Select 192.168.172.1 10-05-23 8:01 DB2
update 60.192.173.162 10-05-23 8:02 Oracle
update 211.182.16.13 10-05-23 8:02 Oracle
Select 210.171.62.17 10-05-23 8:03 Oracle
Select 166.193.14.124 10-05-23 8:03 Oracle
Delete 202.168.72.181 10-05-23 8:04 Oracle
Step 203: collect statistics on the database operation information;
In this step, according to the records in step 202, the operations on the Oracle database in observation cycle 8:00-8:05 are classified as 3 queries, 3 updates and 2 others. Record 4 is an invalid record. Similarly, policies such as monitored IPs can also be set in this step.
Step 204: generate a normal behaviour model according to the statistical result;
This step may follow a specified model generation cycle or may be performed aperiodically. This embodiment of the invention is described using periodic generation of the normal behaviour model as the example; when the model is generated aperiodically, the model generation algorithm and the sampling principle are the same as in the periodic case and are not repeated.
In this step, the normal behaviour model of database operations in the current database environment is generated from the classified database operation statistics, and the model is provided to the database as the standard for detecting abnormal operation behaviour.
The normal behaviour model of database operations in the current database environment is generated from the classified database operation statistics, and the model is provided to the database operation behaviour anomaly detection device as the standard for anomaly detection.
From the statistics of each class of data operation in each observation cycle provided by the database operation statistics step, the total number of operations and the proportion of each class of database operation are calculated and used to generate the detection model. This step generates the model by self-learning, and either a periodic or an aperiodic learning mode can be used as required. Without loss of generality, this embodiment assumes the periodic learning mode and, according to the model generation policy established in step 202, takes the database operation statistics for 8:00-9:00 over the past 5 days as the data from which the normal behaviour model is built. The observation cycle within this sampling period is 5 minutes, so there are 12 observation cycles in this time slot each day and 60 observation cycles in total over the past 5 days. From these, the normal behaviour model of database operations in this time slot (8:00-9:00) is generated. The calculation is as follows:
Calculate, by the expression, the mean number of operations of one class of operation in one observation cycle, where N is the number of observation cycles contained in the sampling period, x_i denotes the number of operations of this class in each observation cycle, and is the mean number of operations of one class of operation in one observation cycle;
Calculate, by the expression, the variance value of the number of operations of one class of operation in the sampling period.
According to the statistics in the example above, this step needs to calculate the mean and variance value of query operations, the mean and variance value of change operations, and the mean and variance value of other operations. For query operations, the number of query operations in the first observation cycle of the sampling period is x_1 = 3.
In addition, calculate, by the expression, the mean of the ratio of the number of operations of one class of operation in one observation cycle to the number of operations of all operations in that observation cycle, where N is the number of observation cycles contained in the sampling period, and y_j denotes the ratio of this class of operation in each observation cycle to the number of operations of all operations in that observation cycle;
Calculate, by the expression, the variance value of the ratio of the number of operations of one class of operation within one sampling period to the number of operations of all operations in the observation cycle. According to the statistics in the example above, for observation cycle 1, y_1 = 0.375.
It should be noted that when a periodic self-learning algorithm is used to generate the normal behaviour model, the normal behaviour model is updated periodically according to the model generation cycle. At each update, the current time point is taken as the starting point and the values of the observation cycles going back over the sampling period are used for the update. Anomaly detection uses the latest model thresholds.
Step 205: detect, according to the normal behaviour model, whether a database operation is abnormal;
In this step, anomaly detection is performed using the normal behaviour model generated in step 204 and the database operation information subsequently received, to judge whether the current database operation behaviour is abnormal, and the detection result is output to the user or administrator.
Specifically, in the real-time monitoring stage, the actual value of the database operation behaviour counted in an observation cycle is compared with its baseline, and whether the database operation behaviour is abnormal is judged from the degree of deviation and the configured thresholds. Two kinds of data are compared: the number of database operations of the predefined type, and its percentage of the total number of operations; the final judgement of whether an anomaly exists combines the two comparison results. The judgement method used in this embodiment of the invention is a one-sided comparison: an anomaly alarm can only be produced when the actual value is greater than the threshold; if the actual value is less than the threshold, no alarm is raised however large the deviation.
The judgement method is now illustrated by example. The judgement method is:
normal;
mild anomaly;
moderate anomaly;
severe anomaly;
For example, suppose the current time point is 6:30 and the object of statistical analysis is all database query behaviour; the actual value of the currently counted number of database queries needs to be compared with the normal behaviour model of user login behaviour for 6:00-7:00 established in the self-learning stage. Suppose this model comprises: mean number of queries 100, variance 10, mean operation percentage 30%, percentage variance 0.05. The judgement criterion is the default standard (that is, the standards for mild, moderate and severe anomaly are 2σ, 3σ and 4σ respectively).
Suppose that in the current observation cycle the observed number of database queries is 120, which is 35% of the total number of operations. Judging by number of operations:
120 - 100 = 20 = 2 × 10, therefore a mild anomaly.
Judging by percentage:
0.35 - 0.3 = 0.05 < 2 × 0.05, therefore normal.
Taking both results into account, the current user's behaviour is judged normal. The way the two threshold results are combined can be set according to the actual database environment: the example above could be judged normal or judged a mild anomaly, and this can be set according to the actual environment or the user's needs, or judged automatically by a default weighted average.
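The statistics, model and one-sided 2σ/3σ/4σ judgement of steps 202 to 205, as an added Python example that is not part of the patent text: it counts the nine sample records above per 5-minute observation cycle and replays the 100/10 and 30%/0.05 judgement. The function names and the use of the population standard deviation as the spread value σ are assumptions, since the patent's own expressions are not reproduced on this page.

```python
"""Baseline and one-sided anomaly check for per-class database operation counts."""
from collections import Counter
from datetime import datetime
from statistics import mean, pstdev

POLICY_DB = "oracle"                                 # database type from the policy
OP_CLASS = {"select": "query", "update": "change"}   # any other statement -> "other"
CYCLE_MINUTES = 5                                    # observation cycle

# The nine records listed on the page: operation, source IP, date, time, database.
RECORDS = """\
Select 201.220.74.104 10-05-23 8:00 Oracle
update 162.195.54.101 10-05-23 8:01 Oracle
insert 130.114.52.162 10-05-23 8:01 Oracle
Select 192.168.172.1 10-05-23 8:01 DB2
update 60.192.173.162 10-05-23 8:02 Oracle
update 211.182.16.13 10-05-23 8:02 Oracle
Select 210.171.62.17 10-05-23 8:03 Oracle
Select 166.193.14.124 10-05-23 8:03 Oracle
Delete 202.168.72.181 10-05-23 8:04 Oracle
"""


def count_by_cycle(lines):
    """Classify records that match the policy and count them per observation cycle."""
    cycles = {}
    for line in lines:
        if not line.strip():
            continue
        op, _ip, date, clock, db = line.split()
        if db.lower() != POLICY_DB:
            continue                      # e.g. the DB2 record: outside the policy
        ts = datetime.strptime(f"{date} {clock}", "%y-%m-%d %H:%M")
        start = ts.replace(minute=ts.minute - ts.minute % CYCLE_MINUTES)
        cycles.setdefault(start, Counter())[OP_CLASS.get(op.lower(), "other")] += 1
    return cycles


def build_model(cycle_counts, op_class):
    """Mean and spread of the count x_i and of the ratio y_j over the sampled cycles.

    Assumption: the spread is the population standard deviation; the patent's
    own expressions are not reproduced in the page text.
    """
    if not cycle_counts:
        raise ValueError("at least one observation cycle is required")
    xs = [c[op_class] for c in cycle_counts]
    ys = [c[op_class] / sum(c.values()) for c in cycle_counts if sum(c.values())]
    return {"mean_n": mean(xs), "sigma_n": pstdev(xs),
            "mean_r": mean(ys), "sigma_r": pstdev(ys)}


def severity(actual, baseline, sigma):
    """One-sided comparison: only values above the baseline can raise an alarm."""
    deviation = actual - baseline
    if deviation <= 0:
        return "normal"
    for k, label in ((4, "severe"), (3, "moderate"), (2, "mild")):
        if deviation >= k * sigma:        # boundary counts: 20 = 2 x 10 is mild
            return label
    return "normal"


def judge(model, count, ratio):
    """Return both verdicts; how they are combined is left to the deployment."""
    return (severity(count, model["mean_n"], model["sigma_n"]),
            severity(ratio, model["mean_r"], model["sigma_r"]))


if __name__ == "__main__":
    for start, counts in count_by_cycle(RECORDS.splitlines()).items():
        total = sum(counts.values())
        print(start, dict(counts), "query ratio:", counts["query"] / total)
    # Model values quoted in the worked judgement above.
    page_model = {"mean_n": 100, "sigma_n": 10, "mean_r": 0.30, "sigma_r": 0.05}
    print(judge(page_model, 120, 0.35))
```

Observation cycles with no matching records do not appear in the result of `count_by_cycle`; when building a baseline from real traffic they need to be added as zero counts, otherwise the mean is biased upward.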
Embodiments of the invention also provide a database security protection device, whose structure is shown in Fig. 3 and comprises:
a message parsing module 301, configured to receive and parse a message and extract the database operation information in the message;
a statistics module 302, configured to collect statistics on the database operation information;
a model generation module 303, configured to generate a normal behaviour model according to the statistical result;
an anomaly detection module 304, configured to detect, according to the normal behaviour model, whether a database operation is abnormal.
Further, as shown in Fig. 4, the device also comprises:
a policy formulation module 305, configured to formulate a model generation policy, where the model generation policy comprises policy parameters, a model self-learning cycle, a model self-learning algorithm and an observation cycle, the policy parameters comprise the valid operation types and the database type, and the model self-learning cycle contains at least one observation cycle.
The above database security protection device can be combined with the database security protection method provided by the embodiments of the invention: a message is received and parsed on the database side, the database operation information in the message is extracted and statistics are collected on it, a normal behaviour model is then generated according to the statistical result, and whether a database operation is abnormal is detected according to the normal behaviour model. Abnormal behaviour in database operations can thus be detected, which solves the problem of low database security. It also solves the problem that a database service audit system can only display the various kinds of database operation information but cannot find abnormal operations in it. Anomaly detection and self-learning techniques are used to produce the normal behaviour model of database operations in the current database environment, to perform anomaly detection, and to implement self-learning and updating of the normal behaviour model. This to some extent completes the detection of whether database operations are abnormal and the protection function. It can show users or administrators, promptly and accurately, possible attacks or security risks arising from operations inside the database, helps the management system or administrators gain a full grasp of the current database system and guard against abnormal database operation behaviour, has good performance and accuracy, and can be widely used in network security products.
A person of ordinary skill in the art will understand that all or some of the steps of the above embodiments can be implemented as a computer program flow. The computer program can be stored on a computer-readable storage medium and executed on a corresponding hardware platform (such as a system, equipment, apparatus or device), and when executed it includes one of the steps of the method embodiment or a combination of them.
Alternatively, all or some of the steps of the above embodiments can be implemented with integrated circuits: the steps can each be made into an individual integrated circuit module, or several of the modules or steps can be made into a single integrated circuit module. The invention is therefore not restricted to any specific combination of hardware and software.
Each device, functional module or functional unit in the above embodiments can be implemented with a general-purpose computing device; they can be concentrated on a single computing device or distributed over a network formed by multiple computing devices.
When a device, functional module or functional unit in the above embodiments is implemented in the form of a software functional module and sold or used as an independent product, it can be stored on a computer-readable storage medium. The computer-readable storage medium mentioned above may be a read-only memory, a magnetic disk, an optical disc, etc.
Any variation or replacement that a person skilled in the art could readily conceive within the technical scope disclosed by the invention shall fall within the scope of protection of the invention. The scope of protection of the invention shall therefore be that described in the claims.

Claims (9)

1. A database security protection method, characterized by comprising:
Receiving and parsing a message, and extracting the database operation information in the message;
Counting the database operation information;
Generating a normal behaviour model from the statistics;
Detecting, according to the normal behaviour model, whether a database operation is abnormal;
Wherein generating the normal behaviour model comprises:
Calculating, through the expression, the mean number of operations of one class of operation in one observation cycle, where N is the number of observation cycles contained in the sampling period, x_i denotes the number of operations of this class of operation in each observation cycle, and the result is the mean number of operations of one class of operation in one observation cycle;
Calculating, through the expression, the variance of the number of operations of one class of operation in the sampling period;
Calculating, through the expression, the mean of the ratio of the number of operations of one class of operation in one observation cycle to the number of all operations in that observation cycle, where N is the number of observation cycles contained in the sampling period and y_j denotes the ratio of the number of operations of this class of operation in each observation cycle to the number of all operations in that observation cycle;
Calculating, through the expression, the variance, within one sampling period, of the ratio of the number of operations of one class of operation to the number of all operations in the observation cycle;
Taking the said σ_i, y_j and σ_2 as the normal operation model.
2. The database security protection method according to claim 1, characterized in that receiving and parsing a message and extracting the database operation information in the message is specifically:
Receiving a message, extracting from the message the SQL statement that identifies a database operation, and extracting the database operation information from the SQL statement.
3. The database security protection method according to claim 1, characterized in that the database operation information comprises the operation type, the source IP address of the operation, the operation time and the database type, and that before the step of receiving and parsing a message and extracting the database operation information in the message, the method further comprises:
Formulating a model generation policy, the model generation policy comprising policy parameters, a model self-learning period, a model self-learning algorithm, an observation cycle and a sampling period, the policy parameters comprising the valid operation types and the database type, and the model self-learning period containing at least one observation cycle.
4. The database security protection method according to claim 3, characterized in that counting the database operation information is specifically:
Classifying and counting the database operation information that matches the policy parameters to obtain the statistics, the classified counting being specifically counting, by operation type, the number of operations of each class of operation in one observation cycle.
5. The database security protection method according to claim 4, characterized in that generating the normal behaviour model from the statistics comprises:
In each model generation cycle, calculating from the statistics the number of all operations in each observation cycle of the last sampling period;
Calculating the ratio of the number of operations of each class of operation in each observation cycle to the number of all operations;
Generating the normal behaviour model, in accordance with the model generation policy, from the number of all operations and the ratio of the number of operations of each class of operation to the number of all operations.
6. The database security protection method according to claim 1, characterized in that detecting, according to the normal behaviour model, whether a database operation is abnormal is specifically:
Comparing the difference between the number of operations of one class of operation in the current observation cycle and the mean number of operations of that class of operation in the last sampling period with the variance of the number of operations of that class of operation, and judging from the comparison result whether a database operation anomaly exists.
7. The database security protection method according to claim 1, characterized in that detecting, according to the normal behaviour model, whether a database operation is abnormal is specifically:
Comparing the difference between the ratio of the number of operations of one class of operation to the number of all operations in the current observation cycle and the mean of that ratio in the last model generation cycle with the variance of the ratio of the number of operations of that class of operation to the number of all operations, and judging from the comparison result whether a database operation anomaly exists.
8. A database security protection device, characterized by comprising:
A message parsing module, for receiving and parsing a message and extracting the database operation information in the message;
A statistics module, for counting the database operation information;
A model generation module, for generating a normal behaviour model from the statistics;
An anomaly detection module, for detecting, according to the normal behaviour model, whether a database operation is abnormal;
Wherein generating the normal behaviour model comprises:
Calculating, through the expression, the mean number of operations of one class of operation in one observation cycle, where N is the number of observation cycles contained in the sampling period, x_i denotes the number of operations of this class of operation in each observation cycle, and the result is the mean number of operations of one class of operation in one observation cycle;
Calculating, through the expression, the variance of the number of operations of one class of operation in the sampling period;
Calculating, through the expression, the mean of the ratio of the number of operations of one class of operation in one observation cycle to the number of all operations in that observation cycle, where N is the number of observation cycles contained in the sampling period and y_j denotes the ratio of the number of operations of this class of operation in each observation cycle to the number of all operations in that observation cycle;
Calculating, through the expression, the variance, within one sampling period, of the ratio of the number of operations of one class of operation to the number of all operations in the observation cycle;
Taking the said σ_1, y_j and σ_2 as the normal operation model.
9. The database security protection device according to claim 8, characterized in that the device further comprises:
A policy formulation module, for formulating a model generation policy, the model generation policy comprising policy parameters, a model self-learning period, a model self-learning algorithm and an observation cycle, the policy parameters comprising the valid operation types and the database type, and the model self-learning period containing at least one observation cycle.
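The model of claims 1 and 5 and the checks of claims 6 and 7, as an added Python example that is not code from the patent. The claimed expressions did not survive in this text, so population mean and variance are assumed, and the comparison rule (deviation beyond k standard deviations, with a minimum floor) is also an assumption, because the claims only say the difference is compared with the variance value; all names and sample counts are constructed.

```python
from collections import Counter
from math import sqrt
from statistics import fmean, pvariance

# Constructed sample: per-operation-type counts in each observation cycle
# of one sampling period (N = 4), already filtered to valid operation types.
BASELINE_CYCLES = [
    Counter(SELECT=80, INSERT=16, DELETE=4),
    Counter(SELECT=88, INSERT=18, DELETE=4),
    Counter(SELECT=72, INSERT=14, DELETE=4),
    Counter(SELECT=80, INSERT=16, DELETE=4),
]
NORMAL_CYCLE = Counter(SELECT=82, INSERT=17, DELETE=4)       # constructed
SUSPICIOUS_CYCLE = Counter(SELECT=80, INSERT=16, DELETE=60)  # constructed


def _ratio(cycle, op):
    """Share of one operation type among all operations in a cycle."""
    total = sum(cycle.values())
    return cycle.get(op, 0) / total if total else 0.0


def build_model(cycles):
    """Mean and variance of counts and of ratios, per operation type."""
    model = {}
    for op in sorted({op for c in cycles for op in c}):
        counts = [c.get(op, 0) for c in cycles]
        ratios = [_ratio(c, op) for c in cycles]
        model[op] = {
            "count_mean": fmean(counts), "count_var": pvariance(counts),
            "ratio_mean": fmean(ratios), "ratio_var": pvariance(ratios),
        }
    return model


def _deviates(value, mean, var, k, floor):
    # Assumed rule: deviation beyond k standard deviations. The floor keeps a
    # zero-variance baseline from flagging every small fluctuation.
    return abs(value - mean) > max(k * sqrt(var), floor)


def detect(model, cycle, k=3.0, count_floor=1.0, ratio_floor=0.01):
    """Return (operation type, failed check) pairs for one observation cycle."""
    alerts = []
    for op, m in model.items():
        if _deviates(cycle.get(op, 0), m["count_mean"], m["count_var"], k, count_floor):
            alerts.append((op, "count"))
        if _deviates(_ratio(cycle, op), m["ratio_mean"], m["ratio_var"], k, ratio_floor):
            alerts.append((op, "ratio"))
    return alerts


if __name__ == "__main__":
    baseline = build_model(BASELINE_CYCLES)
    print(detect(baseline, NORMAL_CYCLE))
    print(detect(baseline, SUSPICIOUS_CYCLE))
```

In the suspicious cycle only the DELETE count moves, yet the ratio check also fires for SELECT and INSERT, because a burst in one class shifts every other class's share of the total.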
CN201010570372.XA 2010-11-26 2010-11-26 database security protection method and device Expired - Fee Related CN102480385B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201010570372.XA CN102480385B (en) 2010-11-26 2010-11-26 database security protection method and device

Publications (2)

Publication Number Publication Date
CN102480385A CN102480385A (en) 2012-05-30
CN102480385B true CN102480385B (en) 2014-10-22

Family

ID=46092872

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201010570372.XA Expired - Fee Related CN102480385B (en) 2010-11-26 2010-11-26 database security protection method and device

Country Status (1)

Country Link
CN (1) CN102480385B (en)

Families Citing this family (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102882701B (en) * 2012-08-14 2015-07-29 深圳供电局有限公司 A kind of electrical network core business data intelligent monitoring warning system and method
CN103248630A (en) * 2013-05-20 2013-08-14 上海交通大学 Network safety situation analyzing methods based on data excavating
CN105825137B (en) * 2015-01-05 2018-10-02 中国移动通信集团江苏有限公司 A kind of method and device of determining sensitive data dispersal behavior
CN104767640B (en) * 2015-03-25 2019-03-12 亚信科技(南京)有限公司 Method for early warning and early warning system
CN105678188B (en) * 2016-01-07 2019-01-29 杨龙频 The leakage-preventing protocol recognition method of database and device
CN107465651B (en) * 2016-06-06 2020-10-02 腾讯科技(深圳)有限公司 Network attack detection method and device
CN106484803B (en) * 2016-09-22 2019-07-09 北京润科通用技术有限公司 A kind of data analysing method and system
CN106776704B (en) * 2016-11-14 2020-03-06 平安科技(深圳)有限公司 Statistical information collection method and device
CN110365698A (en) * 2019-07-29 2019-10-22 杭州数梦工场科技有限公司 Methods of risk assessment and device
CN112988765B (en) * 2019-12-02 2023-11-03 青岛海尔电冰箱有限公司 Refrigerator fresh-keeping model data updating method, equipment and storage medium
CN111177779B (en) * 2019-12-24 2023-04-25 深圳昂楷科技有限公司 Database auditing method, device, electronic equipment and computer storage medium
CN111159706A (en) * 2019-12-26 2020-05-15 深信服科技股份有限公司 Database security detection method, device, equipment and storage medium
CN111444534A (en) * 2020-03-12 2020-07-24 中国建设银行股份有限公司 Method, device, equipment and computer readable medium for monitoring user operation

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101145971A (en) * 2007-10-12 2008-03-19 杭州华三通信技术有限公司 A statistical method and device for network topology change

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7240046B2 (en) * 2002-09-04 2007-07-03 International Business Machines Corporation Row-level security in a relational database management system

Also Published As

Publication number Publication date
CN102480385A (en) 2012-05-30

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20141022

Termination date: 20201126
