CN102693298B - Deep recovery method for database content - Google Patents

Deep recovery method for database content

Info

Publication number: CN102693298B
Application number: CN201210152807.8A
Authority: CN (China)
Prior art keywords: file, database, data, stream, line
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN102693298A
Inventors: 陈晓兵, 周静, 何建锋
Current assignee: Jiepu Network Science & Technology Co Ltd Xi'an Jiaoda
Original assignee: Jiepu Network Science & Technology Co Ltd Xi'an Jiaoda
Classification: Information Retrieval, Db Structures And Fs Structures Therefor

Abstract

The invention relates to a deep recovery method for database content, realized by the following steps: (1) a pre-processing stage; and (2) a matching stage: after pre-processing is finished, the protocol-analysis module is notified, a process reads the generated database-operation stream file line by line, invokes the kmt algorithm and resolves the real database operation in each line. With this deep recovery method the database operation process can be truly restored, database access behavior can be effectively monitored, the security state of the database system is accurately grasped, events that violate the database security policy are found in time and are alarmed and recorded in real time, and security-incident localization analysis and after-the-fact tracing and evidence collection are convenient to carry out, so as to guarantee the security of the database; and once the database content is completely restored, it is analyzed on that basis for the presence of keywords that violate the rules.

Description

Deep recovery method for database content
Technical field:
The present invention relates to the field of information auditing, and specifically to a deep recovery method for database content.
Background technology:
Databases are among the most strategic assets of any business and of public safety. They commonly hold important business-partner and customer information that must be protected so that competitors and other unauthorized persons cannot obtain it. The rapid development of the Internet has increased both the value and the accessibility of enterprise database information, but it has also exposed these information assets to serious challenges and security problems: computer hardware and software faults, hacker attacks and virus infection can cause database systems to stop working normally and lose data. The higher risk, however, comes from inside the enterprise: unauthorized access by internal staff and malicious tampering at the operation level pose an especially catastrophic threat to database systems. As enterprises keep growing, auditing the database has become a top priority of enterprise internal control.
As the value and accessibility of database information grow, databases face sharply increased security risks from both inside and outside, such as unauthorized operations in violation of policy and malicious intrusions that steal and leak confidential information, and these cannot be effectively reviewed and audited after the fact.
In recent years, database security incidents have emerged one after another: leaks of internal bank data leading to disclosure of account funds, theft of credit-card information leading to forged cards, and leaks of enterprise confidential data leading to a decline in competitiveness. Every one of these situations illustrates the necessity of implementing database security auditing.
In summary, the problems are mainly manifested in the following three aspects:
Management level: personnel responsibilities and processes are deficient, the routine operations of internal employees need to be standardized, and supervision of third-party maintenance personnel has failed, so that when a security incident occurs the real operator cannot be traced and located.
Technical level: the built-in functions of existing databases are not transparent, and no external security tool (such as a firewall, IDS or IPS) can stop internal users from performing malicious operations, abusing resources or leaking enterprise confidential information.
Audit level: the existing auditing methods rely on database log files, which has many drawbacks; for example, enabling the database's audit function affects the performance of the database itself, and the log files themselves are at risk of being tampered with, so it is difficult to guarantee the authenticity of the audit information.
Summary of the invention
The technical problem solved by the present invention is to provide a deep recovery method for database content, to overcome the problem that important database information can be changed arbitrarily without leaving evidence.
To solve the above technical problem, the present invention adopts the following technical scheme:
A deep recovery method for database content, characterized in that the recovery method is realized by the following steps:
(1) Pre-processing stage:
The network card is set to promiscuous mode and packets are captured in a loop with Libpcap; Libpcap uses zero-copy technology to map user memory into the kernel. Captured packets are decoded at the link layer, processed at the protocol layer and reassembled into streams. A connection is uniquely identified by its four-tuple (source address, destination address, source port, destination port), and the data of that connection is written to the restored stream file. If a four-tuple connection receives no new data within 30 seconds, writing of the stream file ends, the stream file is closed and the protocol-parsing module is notified that a restored stream file has been generated; the module can then read the stream file, analyze every line of data and determine whether it contains a database operation statement. If new data arrives within 30 seconds, it is first determined whether a file has already been created for this four-tuple: if so, the data is appended to the existing file; if not, a new file is created.
(2) Matching stage:
After pre-processing finishes, the protocol-parsing module is notified, reads the created database-operation stream file line by line, and calls the kmt algorithm to resolve the real database operation in each line by searching the line for key SQL commands. If one of these key SQL commands is present, the line is considered to contain a SQL statement. The keywords not only support the commands mentioned above but also support user input.
In the pre-processing stage of step (1), packet capture is performed with the Libpcap provided by PF_RING.
Compared with the prior art, the beneficial effects of the present invention are:
The present invention truly restores the operating process of the database, effectively monitors database access behavior, accurately grasps the security state of the database system, discovers events that violate the database security policy in time and raises alarms and records them in real time, and facilitates security-incident localization analysis and after-the-fact tracing and evidence collection, thereby guaranteeing database security. After the database content is completely restored, it can further be analyzed on that basis for the presence of keywords that violate the rules.
Description of the drawings:
Fig. 1 is the flow chart of the present invention.
Embodiment
The present invention is described in detail below with reference to the drawings and specific embodiments.
Referring to Fig. 1, the invention is realized by the following steps:
(1) Pre-processing stage:
The network card is set to promiscuous mode and packets are captured in a loop with Libpcap; Libpcap uses zero-copy technology to map user memory into the kernel. Captured packets are decoded at the link layer, processed at the protocol layer and reassembled into streams. A connection is uniquely identified by its four-tuple (the four-tuple is source address, destination address, source port, destination port), and the data of that connection is written to the restored stream file. If a four-tuple connection receives no new data within 30 seconds, writing of the stream file ends, the stream file is closed and the protocol-parsing module is notified that a restored stream file has been generated; the module can then read the stream file, analyze every line of data and determine whether it contains a database operation statement. If new data arrives within 30 seconds, it is first determined whether a file has already been created for this four-tuple: if so, the data is appended to the existing file; if not, a new file is created.
The present invention can also use PF_RING for packet capture.
(2) Matching stage:
After pre-processing finishes, the protocol-analysis process is notified, reads the created database-operation stream file line by line and calls the kmt algorithm to resolve the real database operation in each line. The kmt algorithm searches the line for key SQL commands such as "select drop delete create commit alter truncate insert update rollback"; if one of these key SQL commands is present, the line is considered to contain a SQL statement. The keywords not only support the commands mentioned above but also support user input.
The MySQL database is taken as an example below for illustration.
After MySQL database access traffic is captured by Libpcap and grouped into streams, a stream file with the following contents is produced:
[Table: example stream file contents (image not available in this copy)]
The last two lines of the stream file therefore contain the SELECT keyword, from which it can be judged that these lines contain concrete database access operations. Users can also define their own keywords, for example the keywords SHOW and SET that appear in the stream file of the example above.
Commonly used databases such as ORACLE, SQLSERVER, DB2, SYBASE, POSTGRESQL, INFORMIX, KINGBASE and DM can all use this method for deep recovery of their content.
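Both stages of the method above (the four-tuple stream reassembly with the 30-second idle timeout, then line-by-line keyword matching over the closed stream file) as an added Python example; this is not the patent's own implementation. It assumes a constructed packet list and in-memory line lists in place of real Libpcap capture and on-disk stream files, and uses plain word-boundary regex matching where the page invokes its kmt search.

```python
import re

IDLE_TIMEOUT = 30.0  # from the page: no new data for 30 s closes the stream file
# Key SQL commands listed on the page; user-defined keywords (e.g. SHOW, SET) can be added.
DEFAULT_KEYWORDS = ("select", "drop", "delete", "create", "commit",
                    "alter", "truncate", "insert", "update", "rollback")


class StreamReassembler:
    """Pre-processing stage: packet payloads are grouped by four-tuple (src addr, dst
    addr, src port, dst port) into per-connection stream files, kept here as in-memory
    line lists. Closing a file calls on_close, standing in for notifying the parser."""

    def __init__(self, on_close, idle_timeout=IDLE_TIMEOUT):
        self.on_close = on_close
        self.idle_timeout = idle_timeout
        self.open = {}  # four-tuple -> {"last": time of last packet, "lines": [...]}

    def packet(self, ts, src, dst, sport, dport, payload):
        self.expire(ts)  # first close any stream idle for more than 30 s
        key = (src, dst, sport, dport)
        if key not in self.open:  # no file for this four-tuple yet: create one
            self.open[key] = {"last": ts, "lines": []}
        entry = self.open[key]  # otherwise append to the existing file
        entry["last"] = ts
        entry["lines"].extend(payload.splitlines())

    def expire(self, now):
        idle = [k for k, e in self.open.items() if now - e["last"] > self.idle_timeout]
        for key in idle:
            self.on_close(key, self.open.pop(key)["lines"])

    def flush(self):  # end of capture: close everything still open
        for key in list(self.open):
            self.on_close(key, self.open.pop(key)["lines"])


def find_sql_lines(lines, keywords=DEFAULT_KEYWORDS):
    """Matching stage: a line containing a key SQL command is treated as a SQL
    statement. Word-boundary regex matching stands in for the page's 'kmt' search."""
    pattern = re.compile(r"\b(" + "|".join(map(re.escape, keywords)) + r")\b", re.I)
    return [(i, m.group(1).upper(), ln) for i, ln in enumerate(lines)
            if (m := pattern.search(ln))]


# Constructed sample packets (seconds, four-tuple, payload) from MySQL clients to port 3306.
PACKETS = [
    (0.0, "10.0.0.5", "10.0.0.9", 51000, 3306, "handshake: mysql_native_password\n"),
    (1.2, "10.0.0.5", "10.0.0.9", 51000, 3306, "SELECT name FROM customers WHERE id = 7\n"),
    (2.0, "10.0.0.7", "10.0.0.9", 51234, 3306, "SHOW TABLES\n"),
    (40.0, "10.0.0.5", "10.0.0.9", 51000, 3306, "UPDATE customers SET tier = 'gold'\n"),
]


def demo(extra_keywords=()):
    """Run both stages over PACKETS; returns [(four-tuple, [(lineno, keyword, line)]), ...]."""
    closed = []
    reassembler = StreamReassembler(lambda key, lines: closed.append((key, lines)))
    for pkt in PACKETS:
        reassembler.packet(*pkt)
    reassembler.flush()
    keywords = DEFAULT_KEYWORDS + tuple(extra_keywords)
    return [(key, find_sql_lines(lines, keywords)) for key, lines in closed]
```

The packet at 40 s arrives more than 30 s after the earlier traffic, so both existing streams are closed first and the same four-tuple gets a fresh stream file; `demo(("show", "set"))` shows how a user-defined keyword makes the SHOW TABLES line count as a database operation.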

Claims (2)

1. A deep recovery method for database content, characterized in that the recovery method is realized by the following steps:
(1) Pre-processing stage:
The network card is set to promiscuous mode and packets are captured in a loop with Libpcap; Libpcap uses zero-copy technology to map user memory into the kernel. Captured packets are decoded at the link layer, processed at the protocol layer and reassembled into streams. A connection is uniquely identified by its four-tuple (source address, destination address, source port, destination port), and the data of that connection is written to the restored stream file. If a four-tuple connection receives no new data within 30 seconds, writing of the stream file ends, the stream file is closed and the protocol-parsing module is notified that a restored stream file has been generated; the module can then read the stream file, analyze every line of data and determine whether it contains a database operation statement. If new data arrives within 30 seconds, it is first determined whether a file has already been created for this four-tuple: if so, the data is appended to the existing file; if not, a new file is created.
(2) Matching stage:
After pre-processing finishes, the protocol-parsing module is notified, reads the created database-operation stream file line by line, and calls the kmt algorithm to resolve the real database operation in each line by searching the line for key SQL commands. If one of these key SQL commands is present, the line is considered to contain a SQL statement. The keywords not only support the commands mentioned above but also support user input.
2. The deep recovery method for database content according to claim 1, characterized in that in the pre-processing stage of step (1), packet capture is performed with the Libpcap provided by PF_RING.
Application CN201210152807.8A, filed 2012-05-17 (priority date 2012-05-17): Deep recovery method for database content. Status: Active.

Publications (2)

Publication Number Publication Date
CN102693298A (en) 2012-09-26
CN102693298B (en) 2014-02-26

Family ID: 46858732; country: CN (1 application)


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
PE01 Entry into force of the registration of the contract for pledge of patent right
  Denomination of invention: Deep recovery method for database content; effective date of registration: 20160224; granted publication date: 20140226; pledgee: Xi'an innovation financing Company limited by guarantee; pledgor: Jiepu Network Science & Technology Co., Ltd., Xi'an Jiaoda; registration number: 2016990000139
PLDC Enforcement, change and cancellation of contracts on pledge of patent right or utility model
PC01 Cancellation of the registration of the contract for pledge of patent right
  Date of cancellation: 20170705; granted publication date: 20140226; pledgee: Xi'an innovation financing Company limited by guarantee; pledgor: Jiepu Network Science & Technology Co., Ltd., Xi'an Jiaoda; registration number: 2016990000139
PE01 Entry into force of the registration of the contract for pledge of patent right
  Denomination of invention: Deep recovery method for database content; effective date of registration: 20170705; granted publication date: 20140226; pledgee: Xi'an innovation financing Company limited by guarantee; pledgor: Jiepu Network Science & Technology Co., Ltd., Xi'an Jiaoda; registration number: 2017990000581
PC01 Cancellation of the registration of the contract for pledge of patent right
  Date of cancellation: 20180428; granted publication date: 20140226; pledgee: Xi'an innovation financing Company limited by guarantee; pledgor: Jiepu Network Science & Technology Co., Ltd., Xi'an Jiaoda; registration number: 2017990000581