CN104008349A - Database security access control method and system - Google Patents

Database security access control method and system

Info

Publication number
CN104008349A
Application number
CN201410175511.7A
Authority
CN (China)
Prior art keywords
sql statement, request, database server, access control, target database
Legal status
Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis of it)
Other languages
Chinese (zh)
Inventors
张�浩
彭磊
栗君
Current assignees (the listed assignees may be inaccurate; Google has not performed a legal analysis of them)
State Grid Corp of China SGCC
State Grid Zhejiang Electric Power Co Ltd
Beijing Guodiantong Network Technology Co Ltd
Beijing Fibrlink Communications Co Ltd
Original assignees
State Grid Corp of China SGCC
Beijing Guodiantong Network Technology Co Ltd
Beijing Fibrlink Communications Co Ltd
Events
Application filed by State Grid Corp of China SGCC, Beijing Guodiantong Network Technology Co Ltd and Beijing Fibrlink Communications Co Ltd; priority claimed from CN201410175511.7A; published as CN104008349A; legal status: pending.

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/60 Protecting data
    • G06F 21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F 21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. a local or distributed file system or database
    • G06F 21/6227 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. a local or distributed file system or database, where protection concerns the structure of data, e.g. records, types, queries
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F 16/20 Information retrieval; Database structures therefor; File system structures therefor, of structured data, e.g. relational data
    • G06F 16/24 Querying
    • G06F 16/242 Query formulation

Abstract

The invention discloses a database security access control method and system. The method comprises the steps of: parsing the to-be-executed SQL (Structured Query Language) statement from a data access request sent by a data request source to a target database server, and parsing the identification information of the data request source and of the target database server to serve as the attribute information of the data access request; finding, on the basis of that attribute information, the access control rule corresponding to it in the access control rule library, and comparing the to-be-executed SQL statement with the SQL statement library in that rule; and, if the comparison result is that the to-be-executed SQL statement is an illegal SQL statement in the SQL statement library, blocking the access of the data request source to the target database server. By applying this method and system, SQL injection attacks can be prevented and the strength of security control over the database system is enhanced.

Description

Database security access control method and system
Technical field
The present invention relates to the field of network security technology, and in particular to a database security access control method and system.
Background technology
With the spread of computers and the development of computer networks, data is shared more and more, and database systems that organise, store and manage data according to a data structure are used ever more widely. For example, a bank's customer information, an IT company's source code, or a manufacturer's marketing information may all be held centrally in a corresponding database.
At the same time, the rapid development of information technology has made the sharing and transfer of information far more convenient for users, but has also brought network security problems such as system intrusion, information leakage, and the alteration or destruction of information. Managing and controlling database systems in a unified way, so as to ensure the security and integrity of the database and of the DBMS (Database Management System), therefore plays an increasingly important role in the field of network security technology.
At present, database management systems generally adopt a C/S (Client/Server) structure in which the database resides on the server side, and a client that operates on the database accesses the back-end database through data access requests. Current database security access control generally relies on technical means such as user identification and authentication, database access log management, extended stored procedures, encrypted protocols and network connection restrictions. For example, when logging in to the database the user is required to supply an identifier (such as an authentication token or a password), and the supplied identity is authenticated, audited and used to control the user's rights; the database access log records the login events of all accounts in detail, and regular audit of the log detects suspicious login events in time; and restricting the IP (Internet Protocol) addresses from which network connections are accepted ensures that only the permitted IP addresses can connect to the port while all others are refused, which effectively controls threats arriving over the network. However, none of these existing access control means can effectively control SQL (Structured Query Language) injection attacks, in which the server is deceived into executing malicious SQL commands, so the existing access control leaves a security hole.
Therefore, it is necessary to provide an access control method that can prevent SQL injection attacks on database systems and strengthen the security control of database systems.
Summary of the invention
The embodiments of the present invention provide a database security access control method and system, in order to prevent SQL injection attacks and strengthen the security control of database systems.
According to one aspect of the present invention, a database security access control method is provided, comprising:
parsing, from a data access request sent by a data request source to a target database server, the pending Structured Query Language (SQL) statement, and parsing the identification information of the data request source and the identification information of the target database server as the attribute information of the data access request;
according to the attribute information of the data access request, finding in the access control rule library the access control rule corresponding to that attribute information, and then comparing the parsed pending SQL statement with the SQL statement library in the access control rule found;
if the comparison result is that the pending SQL statement is a normal SQL statement in the SQL statement library, sending the data access request to the target database server;
if the comparison result is that the pending SQL statement is an illegal SQL statement in the SQL statement library, blocking the access of the data request source to the target database server.
Preferably, after the pending SQL statement has been compared with the SQL statement library in the access control rule, the method further comprises:
if the comparison result is that the pending SQL statement is neither a normal SQL statement in the SQL statement library nor an illegal SQL statement in the SQL statement library:
sending to an administrator a prompt to discriminate the SQL statement; and
after receiving the SQL statement discrimination indication entered by the administrator, performing the corresponding operation according to that indication:
if the SQL statement discrimination indication identifies the statement as a normal SQL statement, storing the pending SQL statement in the SQL statement library as a normal SQL statement and sending the data access request to the target database server;
if the SQL statement discrimination indication identifies the statement as an illegal SQL statement, storing the pending SQL statement in the SQL statement library as an illegal SQL statement and blocking the access of the data request source to the target database server.
Preferably, the access control rule library is set up in advance as follows:
for each target database server, the access control rules concerning that target database server are set in the access control rule library by the following method:
for each data request source permitted to access that target database server, with the identification information of the target database server and the identification information of that data request source taken as attribute information, the SQL statements that the target database server permits that data request source to execute are taken as the normal SQL statements in the SQL statement library of the access control rule corresponding to that attribute information, and the SQL statements that the target database server does not permit that data request source to execute are taken as the illegal SQL statements in that SQL statement library.
Preferably, one or more pending SQL statements are parsed; and
before the parsed pending SQL statements are compared with the SQL statement library in the access control rule, the method further comprises:
dynamically buffering each parsed pending SQL statement and, for each pending SQL statement, parsing the operation type of the SQL command it carries; and grouping the pending SQL statements that carry the same operation type into one SQL sequence; and
comparing the parsed pending SQL statements with the SQL statement library in the access control rule specifically comprises:
for each group of SQL sequences, comparing the pending SQL statements in that group one by one, in a set order, with the SQL statement library in the access control rule.
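The comparison and its three outcomes described above, as an added worked example that is not part of the patent: a rule library keyed on the request's attribute information holds a normal set and an illegal set of statements, the pending statements are grouped by operation type and compared group by group in arrival order, a statement found in neither set is handed to an administrator callback, and the administrator's verdict is stored in the library so the next occurrence needs no escalation. Everything beyond the patent's own description is an assumption of the example: the attribute tuple used as the key, the normalization of whitespace and case before comparison (without it, a trivially reformatted statement would fall outside both sets and be escalated every time), blocking on the first illegal statement of a multi-statement request, and blocking a request whose attribute information has no rule at all.

```python
import re
from collections import defaultdict
from typing import Callable, Dict, List, Tuple

# Attribute information of a data access request, in the order the summary lists it:
# (source IP, source port, target IP, target port, transport-layer protocol number).
Attr = Tuple[str, int, str, int, int]

NORMAL, ILLEGAL, UNKNOWN = "normal", "illegal", "unknown"

# Operation types named in the description; the two-word ones are matched first.
TWO_WORD_OPS = ("insert into", "create database", "alter database",
                "create table", "alter table", "drop table")


def normalize_sql(stmt: str) -> str:
    """Collapse whitespace, drop a trailing semicolon and lower-case the text, so that
    trivial reformatting of a known statement cannot escape the comparison.
    (This normalization is an assumption of the example, not part of the patent.)"""
    text = re.sub(r"\s+", " ", stmt.strip()).rstrip(";").strip()
    return text.lower()


def op_type(stmt: str) -> str:
    """Operation type carried by the SQL command (SELECT, UPDATE, DELETE, INSERT INTO, ...)."""
    words = normalize_sql(stmt).split()
    if not words:
        return "UNKNOWN"
    first_two = " ".join(words[:2])
    return first_two.upper() if first_two in TWO_WORD_OPS else words[0].upper()


class Rule:
    """SQL statement library of one access control rule: a normal set and an illegal set."""

    def __init__(self) -> None:
        self.normal: set = set()
        self.illegal: set = set()

    def add_normal(self, stmt: str) -> None:
        self.normal.add(normalize_sql(stmt))

    def add_illegal(self, stmt: str) -> None:
        self.illegal.add(normalize_sql(stmt))

    def compare(self, stmt: str) -> str:
        key = normalize_sql(stmt)
        if key in self.normal:
            return NORMAL
        if key in self.illegal:
            return ILLEGAL
        return UNKNOWN


def group_by_op_type(stmts: List[str]) -> Dict[str, List[str]]:
    """Group the pending statements that carry the same operation type into one SQL sequence."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for stmt in stmts:
        groups[op_type(stmt)].append(stmt)
    return dict(groups)


def control_access(library: Dict[Attr, Rule], attr: Attr, stmts: List[str],
                   ask_admin: Callable[[Attr, str], str]) -> Tuple[str, List[Tuple[str, str]]]:
    """Return ("forward" or "block", per-statement verdicts).

    A request whose attribute information has no rule is blocked (assumption). Statements
    are compared sequence by sequence, in arrival order within each sequence; an illegal
    statement blocks the request at once; an unknown statement is decided by the
    administrator and the verdict is stored in the rule's statement library."""
    rule = library.get(attr)
    if rule is None:
        return "block", [("<no rule for attribute>", ILLEGAL)]
    verdicts: List[Tuple[str, str]] = []
    for sequence in group_by_op_type(stmts).values():
        for stmt in sequence:
            verdict = rule.compare(stmt)
            if verdict == UNKNOWN:
                verdict = ask_admin(attr, stmt)
                if verdict == NORMAL:
                    rule.add_normal(stmt)
                else:
                    verdict = ILLEGAL
                    rule.add_illegal(stmt)
            verdicts.append((stmt, verdict))
            if verdict == ILLEGAL:
                return "block", verdicts
    return "forward", verdicts


# Constructed sample: one permitted client talking to one server over TCP (protocol 6).
SAMPLE_ATTR: Attr = ("10.0.0.5", 51234, "10.0.1.20", 3306, 6)


def build_sample_library() -> Dict[Attr, Rule]:
    rule = Rule()
    rule.add_normal("SELECT id, name FROM tb_user_info WHERE id = 7")
    rule.add_normal("UPDATE tb_user_info SET name = 'bob' WHERE id = 7")
    rule.add_illegal("SELECT id, name FROM tb_user_info WHERE id = 7 OR 1 = 1")
    rule.add_illegal("DROP TABLE tb_user_info")
    return {SAMPLE_ATTR: rule}


if __name__ == "__main__":
    lib = build_sample_library()
    reject_unknown = lambda attr, stmt: ILLEGAL   # an administrator who rejects anything unknown
    print(control_access(lib, SAMPLE_ATTR,
                         ["select id, name\n  from tb_user_info where id = 7;"], reject_unknown))
    print(control_access(lib, SAMPLE_ATTR,
                         ["SELECT id, name FROM tb_user_info WHERE id = 7",
                          "DELETE FROM tb_user_info WHERE id = 7"], reject_unknown))
```

Because the library compares whole statements, every distinct literal value in a statement is a distinct entry; in practice the normal set must either be populated from the application's actual (parameterized) statements or the comparison must be made on a statement template, otherwise every new value is escalated to the administrator.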
Preferably, the identification information is specifically an IP address; and
the attribute information parsed from the data access request further comprises: the port information of the data request source, the port information of the target database server, and the transport layer protocol between the data request source and the target database server.
According to another aspect of the present invention, a database security access control system is also provided, comprising:
a data access request parsing module, for parsing, from a data access request sent by a data request source to a target database server, the pending SQL statement, and parsing the identification information of the data request source and the identification information of the target database server as the attribute information of the data access request;
an access control rule query module, for searching the access control rule library, according to the attribute information of the data access request transmitted by the data access request parsing module, for the access control rule corresponding to that attribute information;
an SQL statement filtering module, for comparing the pending SQL statement parsed by the data access request parsing module with the SQL statement library of the access control rule found by the access control rule query module, and outputting the comparison result;
a secure access control module, for performing the operation corresponding to the comparison result output by the SQL statement filtering module: if the comparison result is that the pending SQL statement is a normal SQL statement in the SQL statement library, sending the data access request to the target database server; if the comparison result is that the pending SQL statement is an illegal SQL statement in the SQL statement library, blocking the access of the data request source to the target database server.
Preferably, the secure access control module is further used, if the comparison result it receives is that the pending SQL statement is neither a normal SQL statement nor an illegal SQL statement in the SQL statement library, to send the administrator a prompt to discriminate the SQL statement, and, after receiving the SQL statement discrimination indication entered by the administrator, to perform the corresponding operation according to that indication:
if the SQL statement discrimination indication identifies the statement as a normal SQL statement, storing the pending SQL statement in the SQL statement library as a normal SQL statement and sending the data access request to the target database server;
if the SQL statement discrimination indication identifies the statement as an illegal SQL statement, storing the pending SQL statement in the SQL statement library as an illegal SQL statement and blocking the access of the data request source to the target database server.
Preferably, the system further comprises:
an access control rule setting module, for setting, for each target database server, the access control rules concerning that target database server in the access control rule library: for each data request source permitted to access that target database server, with the identification information of the target database server and the identification information of that data request source taken as attribute information, the SQL statements that the target database server permits that data request source to execute are taken as the normal SQL statements in the SQL statement library of the access control rule corresponding to that attribute information, and the SQL statements that the target database server does not permit that data request source to execute are taken as the illegal SQL statements in that SQL statement library.
Preferably, the data access request parsing module parses one or more pending SQL statements; and the system further comprises:
an SQL statement grouping module, for dynamically buffering each pending SQL statement parsed by the data access request parsing module, parsing for each pending SQL statement the operation type of the SQL command it carries, and grouping the pending SQL statements that carry the same operation type into one SQL sequence; and
the SQL statement filtering module is specifically used, for each SQL sequence determined by the SQL statement grouping module, to compare the pending SQL statements in that sequence one by one, in a set order, with the SQL statement library in the access control rule found by the access control rule query module.
Preferably, the identification information is specifically an IP address; and
the data access request parsing module is specifically used to parse the pending Structured Query Language (SQL) statement from the data access request sent by the data request source to the target database server, and to take the further parsed IP address of the data request source, port information of the data request source, IP address of the target database server, port information of the target database server, and transport layer protocol between the data request source and the target database server all together as the attribute information of the data access request.
In the technical solution of the embodiments of the present invention, the pending SQL statement is parsed from the data access request sent by the data request source to the target database server, and the identification information of the data request source and of the target database server is parsed as the attribute information of the data access request; the access control rule corresponding to that attribute information is found in the access control rule library, and the parsed pending SQL statement is compared with the SQL statement library in that rule. SQL injection attacks that deceive the server into executing illegal SQL commands can thereby be effectively controlled, and the strength of secure access control is enhanced.
Brief description of the drawings
Fig. 1 is a schematic flowchart of the method for setting up the access control rule library in an embodiment of the present invention;
Fig. 2 is a schematic flowchart of the database security access control method in an embodiment of the present invention;
Fig. 3 is a schematic diagram of the internal structure of the database security access control system in an embodiment of the present invention.
Embodiment
To make the objects, technical solutions and advantages of the present invention clearer, the present invention is described in more detail below with reference to the drawings and to preferred embodiments. It should be noted, however, that many of the details given in the specification are only intended to give the reader a thorough understanding of one or more aspects of the present invention, and those aspects can be practised without these specific details.
The terms "module" and "system" used in this application are intended to include computer-related entities, such as but not limited to hardware, firmware, a combination of hardware and software, software, or software in execution. For example, a module may be, but is not limited to, a process running on a processor, a processor, an object, an executable, a thread of execution, a program and/or a computer. For instance, both an application running on a computing device and the computing device itself may be modules. One or more modules may reside within one process and/or thread of execution.
The inventors have found that existing database systems are essentially all built on the SQL (Structured Query Language) language, and that the existing database access control means described above do not effectively isolate statements with security risks entered by users. Thus, after passing the existing security controls, a user can still carry out an SQL injection attack by constructing special input that is passed to the web application as a parameter; such input is mostly a combination of fragments of SQL syntax, and by getting it executed as an SQL statement the attacker performs the operations he intends. In other words, the main reason database systems suffer SQL injection attacks is that the SQL statements in the user's data access requests are not analysed.
The inventors therefore considered that the intrusion information carried in data access requests directed at the target database can be blocked or filtered so as to prevent the infiltration of malicious SQL statements. Specifically, the SQL statements sent by the data request source can be parsed in real time to determine whether they are illegal SQL statements, and statements that present a security risk can be effectively isolated, preventing SQL injection attacks. Compared with the existing techniques, which cannot prevent SQL injection attacks, the technical solution provided by the present invention strengthens the security control of database systems.
In fact, each target database server has a unique identifier (such as an IP address), each data request source has a corresponding identifier (such as an IP address), and access between a data request source and a target database server also involves a preset transport layer protocol for the data access request. The inventors therefore further considered that access control can be applied to several items together, such as the IP address and port of the data request source and the transport layer protocol carrying the data access request, so as to prevent malicious access from abnormal endpoints and thereby further strengthen the security control of the database system.
The technical solution of the present invention is described in detail below with reference to the drawings.
In the embodiment of the present invention, the access control rule library must be set up before database security access control is performed. Specifically, for each target database server in the database system, the access control rules concerning that target database server can be set in the access control rule library. The method of setting the access control rules for a target database server, whose flow is shown in Fig. 1, may comprise the following steps:
S101: for each target database server, record the identification information of the target database server, and each data request source permitted to access it together with the identification information of that data request source.
In fact, each target database server in the database system has a unique IP address, so the identification information of a target database server may specifically be its IP address. Specifically, the IP address of each target database server (also called the target IP address here) is used as its identification information; then, for each such identification information, the data request sources permitted to access the corresponding target database server are recorded together with their IP addresses (also called source IP addresses here); and for each data request source recorded, its IP address is used as its identification information.
More preferably, other information that distinguishes different target database servers can be used as identification information together with the target IP address. For example, the port information of the target database server (also called target port information here) can be used as its identification information together with the target IP address. Correspondingly, other information that distinguishes different data request sources can be used as identification information together with the source IP address; for example, the port information of the data request source (also called source port information here) can be used together with the source IP address.
S102: for each data request source permitted to access the target database server, take the identification information of the target database server and the identification information of that data request source as attribute information.
Specifically, for each target database server and each data request source permitted to access it, as recorded in step S101, the identification information of the data request source and of the target database server can be taken as the attribute information of the data access requests that this data request source sends to this target database server. For example, for each data request source, the source IP address of the data request source and the target IP address of the target database server can be taken as the attribute information of the data access requests it sends to that server. More preferably, the source IP address and source port information of the data request source and the target IP address and target port information of the target database server can all be taken as that attribute information.
In practice, when a data request source requests data from a database server, the data access request it sends must be transmitted over a preset transport layer protocol, so that a data request source cannot obtain unauthorised access by sending the request over some other, improper transport layer protocol. Therefore, as a more preferred embodiment, before step S102, for each target database server and each data request source recorded as permitted to access it, the transport layer protocol over which data access requests may be transmitted between that data request source and that target database server can also be recorded, and the permitted transport layer protocol, source IP address, source port information, target IP address and target port information together taken as the attribute information of the data access requests that the data request source sends to the target database server. The transport layer protocol recorded may specifically be the transport layer protocol number. In practice, the attribute information of a data access request sent by a data request source to a target database server may therefore comprise: source IP address, source port information, target IP address, target port information and transport layer protocol number.
S103: according to the attribute information of the data access requests that the data request source sends to the target database server, record the SQL statements that the target database server permits that data request source to execute and the SQL statements that it does not permit it to execute.
Specifically, for each target database server and each data request source recorded in step S101 as permitted to access it, according to the attribute information of the data access requests that this data request source sends to this target database server, determine from the database access log of the target database server which SQL statements the target database server permits that data request source to execute under that attribute information, and which SQL statements it does not permit it to execute.
S104: take the SQL statements permitted to be executed as the normal SQL statements in the SQL statement library of the access control rule corresponding to the attribute information, and the SQL statements not permitted to be executed as the illegal SQL statements in that SQL statement library.
Specifically, the SQL statement library in the access control rule corresponding to this attribute information comprises a normal SQL statement library and an illegal SQL statement library, and the SQL statements carried in data access requests may include both statements that the target database server permits the data request source to execute and statements that it does not. Therefore, the SQL statements that the target database server permits the data request source to execute can be stored as normal SQL statements in the normal SQL statement library of the access control rule corresponding to this attribute information, and at the same time the SQL statements that the target database server does not permit the data request source to execute can be stored as illegal SQL statements in the illegal SQL statement library of that access control rule. More preferably, SQL statements generally recognised by those skilled in the art as non-attack statements can also be stored in the normal SQL statement library as normal SQL statements, and SQL statements generally recognised by those skilled in the art as attack statements stored in the illegal SQL statement library as illegal SQL statements.
In practice, whether a statement is a normal SQL statement or an illegal SQL statement, the SQL command it carries comprises an operation type and an operand. The operand may be a database table, a column of a database table, or a database. Correspondingly, the operation type may be "SELECT" (retrieve data from a database table), "UPDATE" (update the data in a database table), "DELETE" (delete data from a database table), "INSERT INTO" (insert data into a database table), "CREATE DATABASE" (create a new database), "ALTER DATABASE" (modify a database), "CREATE TABLE" (create a database table), "ALTER TABLE" (modify a database table), "DROP TABLE" (delete a database table), and so on.
In fact, the access control rule corresponding to an attribute information is really a restriction on the operation types and operands that the data request source identified by the source IP address in that attribute information is permitted, and is not permitted, to execute. For example, under the condition that the attribute information is matched, the data request source corresponding to the source IP address in that attribute information may be permitted the operation types "SELECT" and "UPDATE" and not permitted the operation type "DELETE"; for the operation type "SELECT", the operands it may access are all database tables, while for the operation type "UPDATE" the only operand it may access is the specified database table "tb_user_info", and all operands other than the database table "tb_user_info" are forbidden to it.
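Steps S101 to S104 together with the operand restriction just described, as an added example that is not part of the patent. The database access log lines are constructed for this example (the patent does not fix a log format); the rule library is built with one entry per attribute tuple, its normal set filled from the allowed log entries and its illegal set from the denied ones; and the (operation type, operand) restriction of the example above, SELECT on any table but UPDATE only on tb_user_info, is checked by pulling the operand out of the statement with a small regular expression, which is an assumption of the example (a deployment would use a real SQL parser, since a regular expression only recognises the simple statement shapes shown here).

```python
import re
from collections import defaultdict
from typing import Dict, Set, Tuple

# Attribute information: (source IP, source port, target IP, target port, transport-layer protocol number).
Attr = Tuple[str, int, str, int, int]

# Constructed sample of a database access log; the line layout is an assumption of this example.
SAMPLE_LOG = """\
2014-04-28T10:00:01 src=10.0.0.5:51234 dst=10.0.1.20:3306 proto=6 result=allowed stmt=SELECT id, name FROM tb_user_info WHERE id = 7
2014-04-28T10:00:02 src=10.0.0.5:51234 dst=10.0.1.20:3306 proto=6 result=allowed stmt=UPDATE tb_user_info SET name = 'bob' WHERE id = 7
2014-04-28T10:00:03 src=10.0.0.5:51234 dst=10.0.1.20:3306 proto=6 result=denied stmt=UPDATE tb_orders SET total = 0 WHERE id = 1
2014-04-28T10:00:04 src=10.0.0.5:51234 dst=10.0.1.20:3306 proto=6 result=denied stmt=DROP TABLE tb_user_info
2014-04-28T10:00:05 src=10.0.0.9:40000 dst=10.0.1.20:3306 proto=6 result=allowed stmt=SELECT count(*) FROM tb_orders
"""
LOG_RE = re.compile(r"src=(\S+):(\d+) dst=(\S+):(\d+) proto=(\d+) result=(allowed|denied) stmt=(.*)$")

# Operation types named in the description; multi-word types come first so they win the match.
OPS = ("insert into", "create database", "alter database", "create table",
       "alter table", "drop table", "select", "update", "delete")
OP_RE = re.compile(r"^(" + "|".join(OPS) + r")\b\s*(.*)$")


def normalize_sql(stmt: str) -> str:
    """Collapse whitespace, drop a trailing semicolon and lower-case (assumption of the example)."""
    return re.sub(r"\s+", " ", stmt.strip()).rstrip(";").strip().lower()


def build_rule_library(log_text: str) -> Dict[Attr, Dict[str, Set[str]]]:
    """S101-S104: one rule per attribute tuple, its SQL statement library split into the
    normal (allowed) and illegal (denied) statements recorded in the access log."""
    library: Dict[Attr, Dict[str, Set[str]]] = defaultdict(
        lambda: {"normal": set(), "illegal": set()})
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue                      # not an access record; ignore
        sip, sport, dip, dport, proto, result, stmt = m.groups()
        attr: Attr = (sip, int(sport), dip, int(dport), int(proto))
        bucket = "normal" if result == "allowed" else "illegal"
        library[attr][bucket].add(normalize_sql(stmt))
    return dict(library)


def op_and_operand(stmt: str) -> Tuple[str, str]:
    """Split a statement into its operation type and the operand (table or database) it names."""
    m = OP_RE.match(normalize_sql(stmt))
    if not m:
        return "UNKNOWN", ""
    op, rest = m.group(1).upper(), m.group(2)
    if op in ("SELECT", "DELETE"):
        fm = re.search(r"\bfrom\s+([a-z_][\w.]*)", rest)   # operand follows FROM
        operand = fm.group(1) if fm else ""
    else:
        nm = re.match(r"[a-z_][\w.]*", rest)                # operand follows the keyword
        operand = nm.group(0) if nm else ""
    return op, operand


# Operand restriction from the example in the description: SELECT on any table,
# UPDATE only on tb_user_info, no other operation type. "*" stands for any operand.
OperandRule = Dict[str, Set[str]]
SAMPLE_OPERAND_RULE: OperandRule = {"SELECT": {"*"}, "UPDATE": {"tb_user_info"}}


def permitted_by_operand_rule(rule: OperandRule, stmt: str) -> bool:
    op, operand = op_and_operand(stmt)
    allowed = rule.get(op)
    if allowed is None:
        return False
    return "*" in allowed or operand in allowed


if __name__ == "__main__":
    lib = build_rule_library(SAMPLE_LOG)
    for attr, rule in lib.items():
        print(attr, "normal:", sorted(rule["normal"]), "illegal:", sorted(rule["illegal"]))
    for s in ("SELECT * FROM tb_orders", "UPDATE tb_user_info SET name = 'x'",
              "UPDATE tb_orders SET total = 0", "DELETE FROM tb_user_info"):
        print(permitted_by_operand_rule(SAMPLE_OPERAND_RULE, s), s)
```

Deriving the normal set from the access log means that anything the server already executed for that source before the library was built, including an injected statement that succeeded, is recorded as normal; the log entries used for step S103 should therefore be reviewed before they are loaded.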
Based on the access control rule library set in advance as described above, the embodiment of the present invention provides a database security access control system. The database security access control method performed by this system, whose flow is shown in Figure 2, can comprise the following steps:
S201: after receiving a data access request sent by a data request source to a target database server, parse from the received data access request the identification information of the data request source, the identification information of the target database server, and the SQL statement to be executed.
Specifically, after receiving the data access request sent by the data request source to the target database server, the database security access control system can parse from it the identification information of the data request source, the identification information of the target database server to be accessed, and the SQL statement to be executed. The identification information of the data request source may be the source IP address; the identification information of the target database server is the target IP address. In practical application, the source port information of the data request source, the target port information of the target database server, and the transport layer protocol allowed to carry the data access request between the data request source and the target database server can also be parsed from the received data access request.
S202: use the parsed identification information of the data request source and identification information of the target database server as the attribute information of the received data access request.
More preferably, the database security access control system can also use the parsed source port information, target port information and the transport layer protocol allowed to carry the data access request between the data request source and the target database server, together with the identification information of the data request source and of the target database server, as the attribute information of the received data access request.
S203: according to the attribute information of the data access request, search the access control rule library for the access control rule corresponding to that attribute information; if it is found, go to step S204; otherwise, go to step S206.
Specifically, according to the attribute information of the data access request, the database security access control system can search the access control rule library set in advance for an access control rule that simultaneously matches the source IP address, target IP address and other information in the attribute information, that is, the access control rule corresponding to this attribute information. If it is found, step S204 is performed; otherwise, step S206 is performed and the access of the data request source to the target database server is blocked.
In practical application, when the attribute information of the data access request comprises the source IP address, source port information, target IP address, target port information and transport layer protocol, the access control rule library set in advance can be searched for an access control rule that simultaneously matches the source IP address, source port information, target IP address, target port information and transport layer protocol; if one exists, step S204 is performed; otherwise, step S206 is performed and the access of the data request source to the target database server is blocked.
Specifically, the database security access control system can first search the access control rule library set in advance, according to the target IP address and source IP address in the attribute information, for access control rules that simultaneously match the target IP address and source IP address; if none exists, step S206 is performed. Otherwise, among the access control rules found to match the target IP address and source IP address, it continues to search for access control rules that simultaneously match the source port information and target port information; if none exists, step S206 is performed. Otherwise, among the access control rules found to match the source port information and target port information, it continues to search for an access control rule that matches the transport layer protocol; if one exists, step S204 is performed; otherwise, step S206 is performed and the access of the data request source to the target database server is blocked. In this way, by filtering out in step S203 the access control rule matching the attribute information of the data access request, it is ensured that only transmissions whose rules have been configured in the access control rule library can pass the multi-level security access control described above, which prevents access by illegitimate data request sources and unauthorized access by legitimate data request sources.
S204: compare the parsed SQL statement to be executed with the SQL statement library in the access control rule found; if the SQL statement to be executed is a normal SQL statement in the SQL statement library, go to step S205; otherwise, go to step S206.
Specifically, the access control rule found in step S203, which corresponds to the attribute information of the received data access request, stores the SQL statement library corresponding to that attribute information; and that SQL statement library comprises a normal SQL statement library storing a number of normal SQL statements and an illegal SQL statement library storing a number of illegal SQL statements. Therefore, the parsed SQL statement to be executed can be compared with the normal SQL statements in the normal SQL statement library and with the illegal SQL statements in the illegal SQL statement library of the access control rule found. In practical application, the operation object and operation type carried by the parsed SQL statement to be executed can be compared in turn with the operation object and operation type carried by each normal SQL statement and by each illegal SQL statement in the SQL statement library.
If the comparison result is that the SQL statement to be executed is a normal SQL statement in the normal SQL statement library, step S205 is performed.
If the comparison result is that the SQL statement to be executed is an illegal SQL statement in the illegal SQL statement library, step S206 is performed and the access of the data request source to the target database server is blocked.
If the comparison result is that the SQL statement to be executed is neither a normal SQL statement in the normal SQL statement library nor an illegal SQL statement in the illegal SQL statement library, step S206 is performed and the access of the data request source to the target database server is blocked.
More preferably, in the embodiment of the present invention, in order to strengthen database security access control, the SQL statement library in the access control rule can also be supplemented and updated. Specifically, when the comparison result is that the SQL statement to be executed is neither a normal SQL statement in the normal SQL statement library nor an illegal SQL statement in the illegal SQL statement library, a notification asking for discrimination of the SQL statement can further be sent to the administrator. The administrator can then judge from the notification whether the SQL statement to be executed is one that the target database server allows this data request source to execute; if so, the administrator can input a discrimination indication of "normal SQL statement"; otherwise, when judging that the SQL statement to be executed is one that the target database server does not allow this data request source to execute, the administrator can input a discrimination indication of "illegal SQL statement". The notification asking for discrimination of the SQL statement can be sent by technical means conventional to those skilled in the art, for example by e-mail, or by being fed back to the administrator through a display interface.
Then, after receiving the SQL statement discrimination indication input by the administrator, the corresponding operation can be performed according to the received indication. Specifically, if the SQL statement discrimination indication is the discrimination indication of a normal SQL statement, the SQL statement to be executed can be stored as a normal SQL statement in the SQL statement library of the access control rule found, and step S205 is performed. If the SQL statement discrimination indication is the discrimination indication of an illegal SQL statement, the SQL statement to be executed can be stored as an illegal SQL statement in the SQL statement library, and step S206 is performed.
In practical application, there may be one or several SQL statements to be executed parsed from the data access request sent by the data request source to the target database server. Therefore, in order to improve the processing speed of security access control, as a preferred embodiment of the present invention, when performing step S204 and before comparing the parsed SQL statements to be executed with the SQL statement library in the access control rule found, each parsed SQL statement to be executed can be dynamically cached, the operation type of the SQL command carried by each SQL statement to be executed can be parsed, and the SQL statements to be executed that carry the same operation type can be taken as one SQL sequence group. For example, the SQL statements to be executed of the same operation type can be grouped in a stack-like buffer, yielding an update group, a delete group, and so on. Then, for each SQL sequence group, the SQL statements to be executed in that group can be compared in turn, in a set order, with the SQL statement library in the access control rule. For example, for each SQL statement to be executed in the group, a first-in-first-out strategy can be used to compare the statements of the group one by one with the SQL statement library in the access control rule found, obtaining the comparison result.
Step S205: send the data access request to the target database server.
Step S206: block the access of the data request source to the target database server.
In the embodiment of the present invention, how the data access request is sent to the target database server and how the access of the data request source to the target database server is blocked can both be done by technical means conventional to those skilled in the art, and are not repeated here.
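The following is an added example, not code from the patent, that models steps S201 to S206 together with the rule library structure described earlier: a three-stage rule lookup, classification of each statement by operation type and operation object against the normal and illegal libraries, grouping by operation type, and the administrator's discrimination feeding back into the libraries. The wildcard `*`, the IP addresses, the per-request aggregation and the "specific grant wins over a wildcard ban" precedence are assumptions of this example.

```python
import re
from dataclasses import dataclass

ALLOW, BLOCK, REFER = "allow", "block", "refer_to_admin"
ANY = "*"  # assumed wildcard for rule fields and operation objects; the page defines none

@dataclass(frozen=True)
class Attr:
    """Attribute information parsed from one data access request (steps S201/S202)."""
    src_ip: str
    src_port: object   # int in a request; int or ANY in a rule
    dst_ip: str
    dst_port: object
    proto: str

@dataclass
class Rule:
    """One access control rule: an attribute tuple plus its normal and illegal
    SQL statement libraries, each a set of (operation type, operation object) pairs."""
    attr: Attr
    normal: set
    illegal: set

# Operation types named on the page, longest first so multi-word types match as a whole.
OP_TYPES = sorted(["SELECT", "UPDATE", "DELETE", "INSERT INTO", "CREATE DATABASE",
                   "ALTER DATABASE", "CREATE TABLE", "ALTER TABLE", "DROP TABLE"],
                  key=len, reverse=True)

def parse_sql(stmt):
    """Return (operation type, operation object) for one statement, or (None, None)."""
    s = " ".join(stmt.split())
    upper = s.upper()
    for op in OP_TYPES:
        if upper == op or upper.startswith(op + " "):
            rest = s[len(op):].strip()
            # SELECT and DELETE name their table after FROM; the others name it after the verb.
            pattern = r"\bFROM\s+([\w.]+)" if op in ("SELECT", "DELETE") else r"^([\w.]+)"
            m = re.search(pattern, rest, re.IGNORECASE)
            return op, (m.group(1).lower() if m else None)
    return None, None

def find_rule(rules, attr):
    """Step S203: narrow the rule library in three stages (IP pair, port pair, protocol)."""
    by_ip = [r for r in rules if (r.attr.dst_ip, r.attr.src_ip) == (attr.dst_ip, attr.src_ip)]
    by_port = [r for r in by_ip if r.attr.src_port in (ANY, attr.src_port)
               and r.attr.dst_port in (ANY, attr.dst_port)]
    by_proto = [r for r in by_port if r.attr.proto in (ANY, attr.proto)]
    return by_proto[0] if by_proto else None

def _in_library(library, op, obj):
    return (op, obj) in library or (op, ANY) in library

def classify(rule, stmt):
    """Step S204: compare one statement with the rule's normal and illegal libraries."""
    op, obj = parse_sql(stmt)
    if op is None:
        return REFER  # unrecognised operation type: neither library can match it
    if _in_library(rule.normal, op, obj):  # a specific grant wins over an ANY ban (assumption)
        return ALLOW
    if _in_library(rule.illegal, op, obj):
        return BLOCK
    return REFER

def check_request(rules, attr, sql_text):
    """Whole flow for one request carrying one or more ';'-separated statements.
    Aggregation (assumption): BLOCK if any statement is illegal, REFER if any is
    unknown, otherwise ALLOW."""
    rule = find_rule(rules, attr)
    if rule is None:
        return BLOCK, []  # no rule for this attribute tuple: step S206
    stmts = [s for s in sql_text.split(";") if s.strip()]
    groups = {}  # statements grouped by operation type, compared in FIFO order per group
    for s in stmts:
        groups.setdefault(parse_sql(s)[0], []).append(s)
    results = [(s, classify(rule, s)) for grp in groups.values() for s in grp]
    verdicts = {v for _, v in results}
    overall = BLOCK if BLOCK in verdicts else REFER if REFER in verdicts else ALLOW
    return overall, results

def admin_decision(rule, stmt, is_normal):
    """Administrator's discrimination indication for a REFER result: the statement is
    learned into the matching library, so later copies are decided without referral."""
    pair = parse_sql(stmt)
    (rule.normal if is_normal else rule.illegal).add(pair)
    return ALLOW if is_normal else BLOCK

# Constructed rule mirroring the page's example: SELECT on any table, UPDATE only on
# tb_user_info, UPDATE elsewhere and DELETE anywhere illegal (addresses are made up).
RULES = [Rule(
    attr=Attr("10.0.0.5", ANY, "10.0.0.20", 3306, "tcp"),
    normal={("SELECT", ANY), ("UPDATE", "tb_user_info")},
    illegal={("UPDATE", ANY), ("DELETE", ANY)},
)]

if __name__ == "__main__":
    req = Attr("10.0.0.5", 40000, "10.0.0.20", 3306, "tcp")
    print(check_request(RULES, req, "SELECT * FROM tb_user_info; DELETE FROM tb_orders"))
```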
In the embodiment of the present invention, the internal structure of the database security access control system described above, shown in Figure 3, can comprise a data access request parsing module 301, an access control rule query module 302, an SQL statement filtering module 303 and a security access control module 304.
The data access request parsing module 301 is used to parse the SQL statement to be executed from the data access request sent by the data request source to the target database server, and to parse the identification information of the data request source and the identification information of the target database server as the attribute information of that data access request.
The identification information of the data request source may be the IP address of the data request source; the identification information of the target database server may be the IP address of the target database server.
Specifically, the data access request parsing module parses the Structured Query Language (SQL) statement to be executed from the data access request sent by the data request source to the target database server, and further uses the parsed IP address of the data request source, port information of the data request source, IP address of the target database server, port information of the target database server, and the transport layer protocol between the data request source and the target database server, all as the attribute information of the data access request.
The access control rule query module 302 is used to search the access control rule library for the access control rule corresponding to the attribute information of the data access request sent by the data access request parsing module 301.
The SQL statement filtering module 303 is used to compare the SQL statement to be executed parsed by the data access request parsing module 301 with the SQL statement library in the access control rule found by the access control rule query module 302, and to output the comparison result.
The security access control module 304 is used to perform the operation corresponding to the comparison result output by the SQL statement filtering module 303.
If the comparison result is that the SQL statement to be executed is a normal SQL statement in the SQL statement library, the data access request is sent to the target database server.
If the comparison result is that the SQL statement to be executed is an illegal SQL statement in the SQL statement library, the access of the data request source to the target database server is blocked.
If the comparison result is that the SQL statement to be executed is neither a normal SQL statement nor an illegal SQL statement in the SQL statement library, a notification asking for discrimination of the SQL statement is sent to the administrator; and after the SQL statement discrimination indication input by the administrator is received, the corresponding operation is performed according to that indication.
Specifically, if the SQL statement discrimination indication is the discrimination indication of a normal SQL statement, the SQL statement to be executed is stored as a normal SQL statement in the SQL statement library, and the data access request is sent to the target database server. If the SQL statement discrimination indication is the discrimination indication of an illegal SQL statement, the SQL statement to be executed is stored as an illegal SQL statement in the SQL statement library, and the access of the data request source to the target database server is blocked.
In the embodiment of the present invention, the access control rule library in the access control rule query module 302 is set in advance. Therefore, more preferably, the database security access control system described above further comprises an access control rule setting module 305.
The access control rule setting module 305 is used to set, for each target database server, the access control rules relating to that target database server in the access control rule library. Specifically, for each data request source allowed to access that target database server, after taking the identification information of the target database server and the identification information of the data request source as an attribute information, the SQL statements that the target database server allows this data request source to execute are taken as the normal SQL statements in the SQL statement library of the access control rule corresponding to that attribute information, and the SQL statements that the target database server does not allow this data request source to execute are taken as the illegal SQL statements in the SQL statement library of the access control rule corresponding to that attribute information.
In practical application, there may be one or several SQL statements to be executed parsed by the data access request parsing module 301. Therefore, more preferably, in the embodiment of the present invention, the database security access control system described above further comprises an SQL statement grouping module (not shown in the drawings).
The SQL statement grouping module is used to dynamically cache each SQL statement to be executed parsed by the data access request parsing module 301, to parse for each SQL statement to be executed the operation type of the SQL command it carries, and to take the SQL statements to be executed that carry the same operation type as one SQL sequence group. Then, for each SQL sequence group determined by the SQL statement grouping module, the SQL statement filtering module 303 can compare the SQL statements to be executed in that group, in turn and in a set order, with the SQL statement library in the access control rule found by the access control rule query module 302.
In embodiments of the invention, for the specific way in which each module of the database security access control system performs security control on the data access request sent by the data request source, reference can be made to the flow of the database security access control method described above, which is not detailed again here.
In the technical solution of the present invention, the SQL statement to be executed is parsed from the data access request sent by the data request source to the target database server, and the identification information of the data request source and the identification information of the target database server are parsed as the attribute information of the data access request; after the access control rule corresponding to the attribute information is found in the access control rule library according to the attribute information of the data access request, the parsed SQL statement to be executed is compared with the SQL statement library in that access control rule. This effectively controls SQL injection attacks that deceive the server into executing illegal SQL commands, and strengthens security access control.
One of ordinary skill in the art will appreciate that all or part of the steps of the method in the above embodiments can be completed by a program instructing the relevant hardware, and that this program can be stored in a computer-readable storage medium such as a ROM/RAM, a magnetic disk, an optical disc, and the like.
The above is only a preferred embodiment of the present invention. It should be pointed out that those skilled in the art can also make a number of improvements and modifications without departing from the principles of the invention, and these improvements and modifications should also be regarded as falling within the scope of protection of the present invention.

Claims (10)

1. A database security access control method, characterized in that it comprises:
parsing, from a data access request sent by a data request source to a target database server, a Structured Query Language (SQL) statement to be executed, and parsing the identification information of said data request source and the identification information of said target database server as the attribute information of said data access request;
after finding, according to the attribute information of said data access request, the access control rule corresponding to said attribute information in an access control rule library, comparing the parsed SQL statement to be executed with the SQL statement library in the access control rule found;
if the comparison result is that said SQL statement to be executed is a normal SQL statement in said SQL statement library, sending said data access request to said target database server;
if the comparison result is that said SQL statement to be executed is an illegal SQL statement in said SQL statement library, blocking the access of said data request source to said target database server.
2. The method of claim 1, characterized in that, after comparing said SQL statement to be executed with the SQL statement library in said access control rule, it further comprises:
if the comparison result is that said SQL statement to be executed is neither a normal SQL statement in said SQL statement library nor an illegal SQL statement in said SQL statement library:
sending a notification asking for discrimination of the SQL statement to an administrator; and
after receiving the SQL statement discrimination indication input by said administrator, performing the corresponding operation according to said SQL statement discrimination indication:
if said SQL statement discrimination indication is the discrimination indication of a normal SQL statement, storing said SQL statement to be executed in said SQL statement library as a normal SQL statement, and sending said data access request to said target database server;
if said SQL statement discrimination indication is the discrimination indication of an illegal SQL statement, storing said SQL statement to be executed in said SQL statement library as an illegal SQL statement, and blocking the access of said data request source to said target database server.
3. The method of claim 1, characterized in that said access control rule library is set in advance as follows:
for each target database server, the access control rules relating to that target database server are set in said access control rule library by the following method:
for each data request source allowed to access that target database server, after taking the identification information of that target database server and the identification information of that data request source as an attribute information, the SQL statements that the target database server allows this data request source to execute are taken as the normal SQL statements in the SQL statement library of the access control rule corresponding to that attribute information; and the SQL statements that the target database server does not allow this data request source to execute are taken as the illegal SQL statements in the SQL statement library of the access control rule corresponding to that attribute information.
4. The method of claim 1, characterized in that there are one or more of said parsed SQL statements to be executed; and
before comparing the parsed SQL statements to be executed with the SQL statement library in said access control rule, the method further comprises:
after dynamically caching each said parsed SQL statement to be executed, parsing, for each SQL statement to be executed, the operation type of the SQL command carried by that SQL statement to be executed, and taking the SQL statements to be executed that carry the same operation type as one SQL sequence group; and
comparing the parsed SQL statements to be executed with the SQL statement library in said access control rule specifically comprises:
for each SQL sequence group, comparing the SQL statements to be executed in that group, in turn and in a set order, with the SQL statement library in said access control rule.
5. The method of any one of claims 1 to 4, characterized in that said identification information is an IP address; and
said attribute information parsed from said data access request further comprises: the port information of said data request source, the port information of said target database server, and the transport layer protocol between said data request source and said target database server.
6. A database security access control system, characterized in that it comprises:
a data access request parsing module, used to parse, from a data access request sent by a data request source to a target database server, an SQL statement to be executed, and to parse the identification information of said data request source and the identification information of said target database server as the attribute information of said data access request;
an access control rule query module, used to search an access control rule library for the access control rule corresponding to said attribute information according to the attribute information of the data access request sent by said data access request parsing module;
an SQL statement filtering module, used to compare the SQL statement to be executed parsed by said data access request parsing module with the SQL statement library in the access control rule found by said access control rule query module, and to output the comparison result;
a security access control module, used to perform the operation corresponding to said comparison result according to the comparison result output by said SQL statement filtering module: if the comparison result is that said SQL statement to be executed is a normal SQL statement in said SQL statement library, sending said data access request to said target database server; if the comparison result is that said SQL statement to be executed is an illegal SQL statement in said SQL statement library, blocking the access of said data request source to said target database server.
7. The system of claim 6, characterized in that
said security access control module is further used, if the received comparison result is that said SQL statement to be executed is neither a normal SQL statement in said SQL statement library nor an illegal SQL statement in said SQL statement library, to send a notification asking for discrimination of the SQL statement to an administrator; and, after receiving the SQL statement discrimination indication input by said administrator, to perform the corresponding operation according to said SQL statement discrimination indication:
if said SQL statement discrimination indication is the discrimination indication of a normal SQL statement, storing said SQL statement to be executed in said SQL statement library as a normal SQL statement, and sending said data access request to said target database server;
if said SQL statement discrimination indication is the discrimination indication of an illegal SQL statement, storing said SQL statement to be executed in said SQL statement library as an illegal SQL statement, and blocking the access of said data request source to said target database server.
8. The system of claim 6, characterized in that it further comprises:
an access control rule setting module, used to set, for each target database server, the access control rules relating to that target database server in said access control rule library: for each data request source allowed to access that target database server, after taking the identification information of that target database server and the identification information of that data request source as an attribute information, the SQL statements that the target database server allows this data request source to execute are taken as the normal SQL statements in the SQL statement library of the access control rule corresponding to that attribute information, and the SQL statements that the target database server does not allow this data request source to execute are taken as the illegal SQL statements in the SQL statement library of the access control rule corresponding to that attribute information.
9. The system of claim 6, characterized in that there are one or more SQL statements to be executed parsed by said data access request parsing module; and said system further comprises:
an SQL statement grouping module, used, after dynamically caching each SQL statement to be executed parsed by said data access request parsing module, to parse for each SQL statement to be executed the operation type of the SQL command carried by that SQL statement to be executed, and to take the SQL statements to be executed that carry the same operation type as one SQL sequence group; and
said SQL statement filtering module is specifically used, for each SQL sequence group determined by said SQL statement grouping module, to compare the SQL statements to be executed in that group, in turn and in a set order, with the SQL statement library in the access control rule found by said access control rule query module.
10. The system of any one of claims 6 to 9, characterized in that said identification information is an IP address; and
said data access request parsing module is specifically used to parse, from the data access request sent by the data request source to the target database server, the Structured Query Language (SQL) statement to be executed, and to use the further parsed IP address of said data request source, port information of said data request source, IP address of said target database server, port information of said target database server, and the transport layer protocol between said data request source and said target database server, all as the attribute information of said data access request.
CN201410175511.7A 2014-04-28 2014-04-28 Database security access control method and system Pending CN104008349A (en)
Publications (1)

Publication Number Publication Date
CN104008349A true CN104008349A (en) 2014-08-27
WO2023245893A1 (en) * 2022-06-24 2023-12-28 深圳前海微众银行股份有限公司 Monitoring method and device, and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050273860A1 (en) * 2004-06-04 2005-12-08 Brian Chess Apparatus and method for developing, testing and monitoring secure software
US20060212438A1 (en) * 2005-03-16 2006-09-21 Ming Sum Sam Ng SQL injection protection by variable normalization
CN101370008A (en) * 2007-08-13 2009-02-18 杭州安恒信息技术有限公司 System for real-time intrusion detection of SQL injection WEB attacks
CN101448007A (en) * 2008-12-31 2009-06-03 中国电力科学研究院 Attack prevention system based on structured query language (SQL)
CN101901219A (en) * 2009-05-27 2010-12-01 北京启明星辰信息技术股份有限公司 Detection method for injection attack of database and system

Cited By (53)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104361035A (en) * 2014-10-27 2015-02-18 深信服网络科技(深圳)有限公司 Method and device for detecting database tampering behavior
CN104361035B (en) * 2014-10-27 2017-10-27 深信服网络科技(深圳)有限公司 The method and device of Test database tampering
CN105635046A (en) * 2014-10-28 2016-06-01 北京启明星辰信息安全技术有限公司 Database command line filtering and audit blocking method and device
CN105635046B (en) * 2014-10-28 2019-05-17 北京启明星辰信息安全技术有限公司 A kind of filtering of database command row blocks auditing method and device
CN104331457A (en) * 2014-10-31 2015-02-04 北京思特奇信息技术股份有限公司 Database node-based data access method and system
CN104484621B (en) * 2014-12-31 2017-09-29 中博信息技术研究院有限公司 Data permission control method based on SQL
CN104484621A (en) * 2014-12-31 2015-04-01 中博信息技术研究院有限公司 Data authority control method based on SQL (Structured Query Language)
CN106156064B (en) * 2015-03-30 2020-01-17 阿里巴巴集团控股有限公司 Method and device for controlling flow of database
CN106156064A (en) * 2015-03-30 2016-11-23 阿里巴巴集团控股有限公司 Data base is carried out the method and device of flow-control
CN106294375B (en) * 2015-05-15 2020-04-10 阿里巴巴集团控股有限公司 Data request real-time processing method and device
CN106294375A (en) * 2015-05-15 2017-01-04 阿里巴巴集团控股有限公司 A kind of request of data real-time processing method and device
CN106548085A (en) * 2015-09-17 2017-03-29 中国移动通信集团甘肃有限公司 A kind of processing method and processing device of data
CN105447408A (en) * 2015-12-03 2016-03-30 曙光信息产业(北京)有限公司 Data protection method and apparatus
CN105550350B (en) * 2015-12-25 2019-12-20 北京奇虎科技有限公司 Method and device for providing query service of server information
CN105550350A (en) * 2015-12-25 2016-05-04 北京奇虎科技有限公司 Method and apparatus for providing query service of server information
CN105718599A (en) * 2016-03-07 2016-06-29 深圳前海微众银行股份有限公司 Method and device for analyzing database access data packet
CN105893212A (en) * 2016-04-28 2016-08-24 北京数智源科技股份有限公司 Audit data security control and display system
CN105893212B (en) * 2016-04-28 2018-11-13 北京数智源科技股份有限公司 Audit data security management and control and display systems
CN106407836A (en) * 2016-08-29 2017-02-15 北京农业信息技术研究中心 Method and device for automatically detecting illegal data modification behavior
CN106407836B (en) * 2016-08-29 2019-05-24 北京农业信息技术研究中心 A kind of method and device that the behavior of data illegal modifications detects automatically
CN106383855A (en) * 2016-08-31 2017-02-08 清华大学 Static authentication method capable of aiming at SQL (Structured Query Language) analytical query
CN106383855B (en) * 2016-08-31 2019-08-02 清华大学 A kind of Static authorization method for SQL analysis inquiry
CN107026851A (en) * 2017-03-22 2017-08-08 西安电子科技大学 A kind of real-time system guard method based on stream data processing
CN107122657A (en) * 2017-05-02 2017-09-01 上海红神信息技术有限公司 A kind of database broker device for defending SQL injection to attack
CN107122657B (en) * 2017-05-02 2021-01-01 上海红神信息技术有限公司 Database agent device for defending SQL injection attack
CN109409120A (en) * 2017-08-18 2019-03-01 中国科学院信息工程研究所 A kind of access control method and system towards Spark
CN109409120B (en) * 2017-08-18 2021-12-10 中国科学院信息工程研究所 Spark-oriented access control method and system
CN107633016A (en) * 2017-08-23 2018-01-26 阿里巴巴集团控股有限公司 Data processing method and device and electronic equipment
CN107633016B (en) * 2017-08-23 2020-11-24 创新先进技术有限公司 Data processing method and device and electronic equipment
CN108667840B (en) * 2018-05-11 2021-09-10 腾讯科技(深圳)有限公司 Injection vulnerability detection method and device
CN108667840A (en) * 2018-05-11 2018-10-16 腾讯科技(深圳)有限公司 Injection loophole detection method and device
CN108763887A (en) * 2018-05-23 2018-11-06 腾讯科技(深圳)有限公司 Database manipulation requests verification method, apparatus, server and storage medium
CN109063013A (en) * 2018-07-11 2018-12-21 北京安数云信息技术有限公司 A kind of behavior database operation blocking-up method and device
CN109582691A (en) * 2018-11-15 2019-04-05 百度在线网络技术(北京)有限公司 Method and apparatus for controlling data query
CN109918392B (en) * 2018-12-15 2023-08-11 中国平安人寿保险股份有限公司 Structured query language positioning method, device, server and storage medium
CN109918392A (en) * 2018-12-15 2019-06-21 中国平安人寿保险股份有限公司 Structured query language localization method, device, server and storage medium
CN110519213A (en) * 2019-06-19 2019-11-29 百度在线网络技术(北京)有限公司 Filter method, device, equipment and the computer readable storage medium of interior message
CN112182637A (en) * 2019-07-04 2021-01-05 中移信息技术有限公司 Safety control system, method, device and storage medium
CN110572394B (en) * 2019-09-09 2020-11-03 北京风信科技有限公司 Access control method and device
CN110572394A (en) * 2019-09-09 2019-12-13 北京风信科技有限公司 access control method and device
CN110866278A (en) * 2019-11-14 2020-03-06 吉林亿联银行股份有限公司 Method and device for blocking real-time intrusion of database
CN112989403A (en) * 2019-12-18 2021-06-18 拓尔思天行网安信息技术有限责任公司 Method, device and equipment for detecting database destruction and storage medium
CN112989403B (en) * 2019-12-18 2023-09-29 拓尔思天行网安信息技术有限责任公司 Database damage detection method, device, equipment and storage medium
CN111400388A (en) * 2020-03-20 2020-07-10 北京东方金信科技有限公司 Method and system for uniformly connecting and sharing multiple data sources
CN111767573A (en) * 2020-06-28 2020-10-13 北京天融信网络安全技术有限公司 Database security management method and device, electronic equipment and readable storage medium
CN111949693A (en) * 2020-08-12 2020-11-17 北京锐安科技有限公司 Data processing device, data processing method, storage medium and electronic equipment
CN111949693B (en) * 2020-08-12 2024-03-01 北京锐安科技有限公司 Data processing device, data processing method, storage medium and electronic equipment
CN111931234A (en) * 2020-08-13 2020-11-13 中国民航信息网络股份有限公司 Data access control method and system
CN111931234B (en) * 2020-08-13 2024-06-04 中国民航信息网络股份有限公司 Data access control method and system
CN112214372A (en) * 2020-09-16 2021-01-12 广州海颐信息安全技术有限公司 Sensitive SQL centralized control system
CN112395304A (en) * 2020-10-30 2021-02-23 迅鳐成都科技有限公司 Data security calculation method, system and storage medium based on data behavior simulation
CN112395304B (en) * 2020-10-30 2024-01-02 迅鳐成都科技有限公司 Data security calculation method, system and storage medium based on data behavior simulation
WO2023245893A1 (en) * 2022-06-24 2023-12-28 深圳前海微众银行股份有限公司 Monitoring method and device, and storage medium

Similar Documents

Publication Publication Date Title
CN104008349A (en) Database security access control method and system
CN110881044B (en) Computer firewall dynamic defense security platform
US9516051B1 (en) Detecting web exploit kits by tree-based structural similarity search
IL273860A (en) Event context management system
US8051484B2 (en) Method and security system for indentifying and blocking web attacks by enforcing read-only parameters
KR102179152B1 (en) Client authentication using social relationship data
WO2018118478A1 (en) Computer telemetry analysis
Li et al. A study on the service and trend of Fintech security based on text-mining: Focused on the data of Korean online news
CN104426906A (en) Identifying malicious devices within a computer network
US20090113545A1 (en) Method and System for Tracking and Filtering Multimedia Data on a Network
CN105678188A (en) Anti-leakage protocol identification method and device for database
CN112217835A (en) Message data processing method and device, server and terminal equipment
Ahmed et al. Network traffic pattern analysis using improved information theoretic co-clustering based collective anomaly detection
CN103166966A (en) Method and device for distinguishing illegal access request to website
KR20210092464A (en) Apparatus and method for analyzing network traffic using artificial intelligence
CN103118035A (en) Website access request parameter legal range analysis method and device
CN110581835B (en) Vulnerability detection method and device and terminal equipment
CN105959294B (en) A kind of malice domain name discrimination method and device
CN107911232B (en) Method and device for determining business operation rule
CN110837646A (en) Risk investigation device of unstructured database
CN104052720A (en) Information authentication method and system thereof
CN105718599A (en) Method and device for analyzing database access data packet
CN102693298B (en) Deep recovery method for database content
CN114124586B (en) Network threat detection method and device
CN106817364B (en) Brute force cracking detection method and device

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
ASS Succession or assignment of patent right
    Owner name: BEIJING GUODIANTONG NETWORK TECHNOLOGY CO., LTD. B
    Free format text: FORMER OWNER: BEIJING GUODIANTONG NETWORK TECHNOLOGY CO., LTD. BEIJING FIBRLINK COMMUNICATIONS CO., LTD.
    Effective date: 20141120
C41 Transfer of patent application or patent right or utility model
TA01 Transfer of patent application right
    Effective date of registration: 20141120
    Address after: 100761 West Chang'an Avenue, Beijing, No. 86, No.
    Applicant after: State Grid Corporation of China
    Applicant after: Beijing Guodiantong Network Technology Co., Ltd.
    Applicant after: Fibrlink Networks Co., Ltd.
    Applicant after: State Grid Zhejiang Electric Power Company
    Address before: 100761 West Chang'an Avenue, Beijing, No. 86, No.
    Applicant before: State Grid Corporation of China
    Applicant before: Beijing Guodiantong Network Technology Co., Ltd.
    Applicant before: Fibrlink Networks Co., Ltd.
RJ01 Rejection of invention patent application after publication
    Application publication date: 20140827