CN104143064A - Website data security system based on association analysis of database activity and web access - Google Patents


Info

Publication number
CN104143064A
Authority
CN
China
Legal status
Pending
Application number
CN201310165877.1A
Other languages
Chinese (zh)
Inventor
朱烨
袁晓东
Current Assignee
Individual
Original Assignee
Individual


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/95 Retrieval from the web
    • G06F16/958 Organisation or management of web site content, e.g. publishing, maintaining pages or automatic linking


Abstract

At present, web security protection aims to discover and block attacks and suspicious behaviour in time, but in practice new vulnerabilities and attack techniques keep appearing that evade system detection and protection. What webmasters care about most is the security of their core data; in other words, how to prevent data leakage, data tampering and data corruption is the major unsolved problem in the field of security protection. The website data security system applies database activity monitoring technology, which is at the forefront of the field, to perform association and statistical analysis of web requests and responses together with the corresponding database accesses and returned results, in order to acquire the set of request patterns by which the website's core data is normally accessed. Subsequent web accesses are then checked against rules generated from this set so as to discover suspicious data leakage or tampering; together with a data security backup component, this thoroughly solves the difficult problem of website data security protection.

Description

Website data security system based on correlation analysis of database activity and web access
Technical field
The present invention belongs to the fields of web security protection and data security protection within computer security.
Background technology
With the rapid development of Internet applications, web sites of every kind have multiplied at a geometric rate, but the endless stream of hacker attacks and DDoS attacks poses a huge threat to the availability and security of web sites. Mainstream security protection at present comprises several kinds of system: intrusion detection systems, web application firewalls, remote security scanning and so on. All of these systems and services focus on solving one problem: discovering and stopping attacks and suspicious behaviour in time. Although every vendor claims that this kind of protection is secure enough, the reality is that new vulnerabilities and new attack techniques keep emerging that can evade the detection and protection of these systems; in other words, a customer relying on these security protection systems cannot actually know whether their website has been attacked or compromised. Meanwhile, according to surveys by authoritative global bodies, what website administrators are most concerned about is in fact the safety of their core data: even if an attack succeeds, it must not cause data to be leaked, tampered with or destroyed. This is the greatest problem that the security protection field most wishes to guarantee 100%. The present invention applies database activity monitoring (Database Activity Monitoring), a technique at the forefront of the industry, and correlates web requests and responses with the corresponding database accesses and their returned results to perform heuristic analysis (Heuristic Profiling), discover suspicious data leakage or tampering, and thoroughly solve the difficult problem of website data security protection.
As its name suggests, database activity monitoring uses specialised tools and techniques to intelligently analyse and audit the SQL statements issued by clients in order to discover suspicious data access behaviour. The technology has matured in recent years and can capture and record in real time many types of SQL activity on databases spread over multiple instances. However, SQL activity auditing on its own cannot effectively distinguish normal from abnormal access to a website's core data. The present invention therefore pioneers the approach of taking the key request/response information produced when users access the web site and performing correlation analysis and statistical classification of it against the corresponding SQL activity, thereby ensuring that all abnormal accesses and abnormal activity can be discovered in time. A typical example: a certain URL lets a user query their own transaction data for the past month. If the system of the present invention discovers that an access to this URL attempts to query another person's transaction data, or the user's own data for the past year, or returns a result set whose number of records or set of fields is clearly different from before, that access can be judged abnormal.
Summary of the invention
The present invention establishes a web site data security protection system based on correlation analysis of database activity and web access. Logically it comprises the following three components:
The first is a data acquisition component deployed in the same logical layer as the website application layer (this component may also integrate a traditional web intrusion detection and protection engine); it is in turn divided into two sub-modules, a web request/response monitoring module and a database activity monitoring module.
The second is a separately deployed correlation engine and management centre component, responsible for collecting, aggregating, normalizing, classifying or clustering and correlating the data uploaded by the acquisition component; for generating audit rules, either heuristically or as configured by the administrator; for applying these rules to real-time traffic; and, when suspicious behaviour is found, for raising an alarm and notifying the protection engine to take protective measures automatically.
The third is a relatively independent data security backup component, which backs up the website's core data on a schedule according to policy and provides the last link in data security: rapid recovery after data has been damaged.
The pioneering content of the present invention in the first two components is set out below.
Data acquisition component: it first filters out requests for static content that need no monitoring, together with web requests that the correlation engine's heuristic analysis has confirmed carry no potential security risk, and then uploads to the correlation engine the information captured at the network layer and the information recorded directly in the logs of the web service (such as Apache/Tomcat). The meta-information used for correlation comprises the web request and response (request URL, requester's user ID/session ID, request parameters, identification information such as the name of the Action method/entry function/thread ID that handles the request, the structure/size of the response content, sampled content of sensitive data blocks in the response, etc.) and the database activity (SQL requests and their returned results). How each web request is mapped to the database operations it triggers is the key to the subsequent correlation analysis. The present invention proposes a pioneering method: a plug-in module is loaded on the web server (such as Apache/Tomcat) which, for mainstream website application layers built on J2EE/PHP and the like, intercepts the identification information passed when a URL request is handed to a given back-end processing entry point, and at the same time records all SQL operations called by that processing thread during the whole of its handling. On the basis of this information, a given web request can be fully mapped to the database operations it triggered and their result sets.
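As an added example (not the patent's plug-in, whose J2EE/PHP implementation is not shown), the following Python simulates the per-thread mapping described above: a thread-local request record is opened at the web-server entry point, every statement executed through the wrapped connection while that thread handles the request is appended to the record together with its result shape, and the record is closed with the response size. The URL, handler and sqlite3 table are constructed for illustration.

```python
"""Added example, not the patent's own code: map one web request to the SQL
operations issued by the thread that handles it, plus the result shape of each.
The web server is simulated; the database is an in-memory sqlite3 table."""
import sqlite3
import threading

_ctx = threading.local()  # holds the record for the request this thread is handling


class RecordingConnection:
    """Wraps a DB-API connection so every statement executed while a request
    record is open on the current thread is appended to that record.  A second
    thread handling another request has its own _ctx.record, so records never mix."""

    def __init__(self, conn):
        self._conn = conn

    def execute(self, sql, params=()):
        cur = self._conn.execute(sql, params)
        rows = cur.fetchall()
        record = getattr(_ctx, "record", None)
        if record is not None:  # "record all SQL operations called by this processing thread"
            record["sql"].append({
                "statement": sql,
                "params": list(params),
                "rows": len(rows),
                "fields": [d[0] for d in (cur.description or [])],
            })
        return rows


def handle_request(db, url, session_user, params, handler):
    """Simulated web-server entry point: open the request record (URL, session
    user, parameters, thread ID), run the application handler, then close the
    record with the size of the response it produced."""
    _ctx.record = {"url": url, "session_user": session_user, "params": params,
                   "thread_id": threading.get_ident(), "sql": []}
    try:
        body = handler(db, session_user, params)
        _ctx.record["response_size"] = len(body)
        return _ctx.record
    finally:
        del _ctx.record  # never leak one request's context into the next on this thread


# Constructed application handler: a user views their own recent transactions.
def transactions_handler(db, session_user, params):
    rows = db.execute("SELECT id, amount FROM txn WHERE acct = ? AND ts > ?",
                      (int(params["acct"]), params["since"]))
    return ";".join(f"{i}:{a}" for i, a in rows)


def make_db():
    """Constructed sample data: four transactions for two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE txn (id INTEGER, acct INTEGER, amount INTEGER, ts TEXT)")
    conn.executemany("INSERT INTO txn VALUES (?, ?, ?, ?)",
                     [(1, 1001, 50, "2013-04-20"), (2, 1001, 75, "2013-05-01"),
                      (3, 1002, 10, "2013-05-02"), (4, 1001, 5, "2012-06-01")])
    return RecordingConnection(conn)


def capture_example():
    """One request for the last month of account 1001; returns its correlated record."""
    db = make_db()
    return handle_request(db, "/account/transactions", "1001",
                          {"acct": "1001", "since": "2013-04-08"}, transactions_handler)


if __name__ == "__main__":
    import json
    print(json.dumps(capture_example(), indent=1))
```

The returned record is what the acquisition component would upload: request identity, the exact statements and bound parameters, and for each the row count and field names, so the correlation engine can later compare result shapes across requests to the same URL.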
Correlation engine and management centre component: after receiving the information uploaded by the acquisition component, the correlation engine automatically works out which SQL accesses, and which combinations and sequences of them, each URL access causes, and which fields of which tables it obtains. By clustering and heuristically analysing requests to the same URL with different parameters, it obtains the classes of different results that accesses to this URL produce in SQL, together with the statistical rules relating them to the other information of the URL request, such as the user/session ID. Finally, after manual review and adjustment by the administrator, it obtains the set of all request patterns by which core data is normally accessed on this website. Thereafter, while continually refining this set, the engine also audits against the rules: accesses that do not match this pattern set are picked out as suspicious, and data leakage or tampering is discovered.
The present invention provides effective detection and protection against three kinds of threat to data security. When an external attacker attempts to obtain or modify data illegally by modifying the parameters or page logic of any legitimate URL, the correlation engine will find that the access caused SQL accesses or returned results outside the normal pattern set, and thereby discover the risk of data leakage or tampering. When an attacker adds an illegitimate URL to the website, the correlation engine will also find that this is not a legitimate URL added by the administrator through the management centre. Finally, even if an attack succeeds and destroys core data, the management centre of the present invention can rapidly recover the core data set from the locally preserved SQL operation log and the data backup component.
Brief description of the drawings
Fig. 1 is a structural schematic of the system.
Fig. 2 is the working flow diagram of the system.
Embodiment
The embodiment of the system is as follows:
1. Deploy the data acquisition component of the system of the present invention inside the same network zone as the website application layer, including deploying a plug-in module on the web server of the application layer. This plug-in should implement the following function: for mainstream website application layers built on J2EE/PHP and the like, intercept the identification information passed when a URL request is handed to a given back-end processing entry point, and at the same time record all SQL operations called by that processing thread during the whole of its handling. This black box should implement the following data acquisition function: upload to the correlation engine the information captured at the network layer and the information recorded directly in the logs of the web service (such as Apache/Tomcat). The meta-information used for correlation comprises the web request and response (request URL, requester's user ID/session ID, request parameters, identification information such as the name of the Action method/entry function/thread ID that handles the request, the structure/size of the response content, sampled content of sensitive data blocks in the response, etc.) and the database activity (SQL requests and their returned results).
2. On the separately deployed correlation engine and management centre server, implement the following function: based on the information uploaded by the acquisition component, automatically work out which SQL accesses, and which combinations and sequences of them, each URL access causes, and which fields of which tables it obtains; by clustering and heuristically analysing requests to the same URL with different parameters, obtain the classes of different results that accesses to this URL produce in SQL, together with the statistical rules relating them to the other information of the URL request, such as the user/session ID; finally, after manual review and adjustment by the administrator, obtain the set of all request patterns by which core data is normally accessed on this website.
3. After a period of stabilisation, the correlation engine has generated, for each request with a legitimate URL and a specific combination of parameters, a corresponding set of SQL operations and a set of returned-result characteristics. Once the administrator has enabled heuristic audit rules in the management centre, the correlation engine, while continuing to refine the above information, also checks, for each newly arriving access request with a given URL and parameter combination, whether its set of SQL operations and its returned-result characteristics match the legitimate operation set already generated. If they do not, the access is judged suspicious behaviour and an alarm is raised.
4. An optional component of the system is a protection engine in front of the application layer. It can be implemented by reference to a traditional web application firewall and, on the basis of the alarm notifications sent by the management centre, takes corresponding protective measures, such as blocking subsequent accesses from that IP or similar ones.
5. After receiving an alarm, the administrator can manually check whether the suspicious access has caused a safety hazard to the core data and, if so, optionally take recovery measures: either restore to the last backup point through the data backup component, or selectively recover the tampered or destroyed data on the basis of the SQL operation log archived by the management centre. If the alarm is a false positive, the administrator can manually add to or adjust the association information set corresponding to that URL.
6. The system evolves continuously as the website operates, finally achieving efficient data security protection. When the irregular code upgrades made to the website change the association information, the administrator can reset those URLs to the newly-added state through the management centre so that the correlation engine starts again to accumulate data and rebuild the heuristic rules.
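The following Python is an added example, not code from the patent, that walks the learning and audit steps of the Summary and of embodiment steps 2 and 3 over constructed records: literals are stripped from each SQL statement to form its operation template, a per-URL profile is built (template set, result field sets, largest result size, and which literal positions always equal the requester's session user), and a new access is flagged when it leaves that set. The 3x row-count tolerance and all sample records are assumptions.

```python
"""Added example, not the patent's own code: a minimal correlation engine
that learns the normal (URL -> SQL operation set, result shape) patterns
and audits new accesses against them.  All records are constructed."""
import re
from collections import defaultdict

# Literals in a SQL statement: quoted strings or bare integers.
LITERAL = re.compile(r"'[^']*'|\b\d+\b")
ROW_TOLERANCE = 3  # assumption: a result set >3x the largest seen is "clearly different"


def template(sql):
    """Return (statement with literals replaced by '?', list of literals)."""
    lits = [m.group(0).strip("'") for m in LITERAL.finditer(sql)]
    return LITERAL.sub("?", sql), lits


def learn(records):
    """Build one profile per URL from correlated request/SQL/result records.

    profile["slots"][template] holds the literal positions that always equal the
    requester's session user, so later accesses can be checked for reading
    another principal's rows (the patent's "other people's transaction data")."""
    profiles = defaultdict(lambda: {"slots": {}, "field_sets": set(), "max_rows": 0})
    for r in records:
        p = profiles[r["url"]]
        for stmt in r["sql"]:
            tpl, lits = template(stmt)
            own = {i for i, lit in enumerate(lits) if lit == r["session_user"]}
            p["slots"][tpl] = p["slots"][tpl] & own if tpl in p["slots"] else own
        p["field_sets"].add(frozenset(r["fields"]))
        p["max_rows"] = max(p["max_rows"], r["rows"])
    return dict(profiles)


def audit(profiles, r):
    """Return a list of alert strings; an empty list means the access fits the set."""
    p = profiles.get(r["url"])
    if p is None:  # a URL the administrator never registered through the management centre
        return ["unknown URL (not in normal pattern set)"]
    alerts = []
    for stmt in r["sql"]:
        tpl, lits = template(stmt)
        if tpl not in p["slots"]:
            alerts.append(f"SQL outside normal set: {tpl}")
            continue
        for i in p["slots"][tpl]:  # same template => same literal count, so i is valid
            if lits[i] != r["session_user"]:
                alerts.append(f"principal mismatch: literal {lits[i]!r} vs session {r['session_user']!r}")
    if frozenset(r["fields"]) not in p["field_sets"]:
        alerts.append("result fields differ from normal")
    if r["rows"] > ROW_TOLERANCE * p["max_rows"]:
        alerts.append(f"result size {r['rows']} far above normal max {p['max_rows']}")
    return alerts


# Constructed records: web request (URL, session user) joined with the SQL the
# handling thread issued and the shape of the result it returned.
def rec(url, user, sql, rows, fields):
    return {"url": url, "session_user": user, "sql": [sql], "rows": rows, "fields": fields}


TXN = "SELECT id, amount, ts FROM txn WHERE acct = {} AND ts > '{}'"
TRAINING = [
    rec("/account/transactions", "1001", TXN.format(1001, "2013-04-08"), 23, ["id", "amount", "ts"]),
    rec("/account/transactions", "1002", TXN.format(1002, "2013-04-08"), 31, ["id", "amount", "ts"]),
    rec("/product/view", "1001", "SELECT name, price FROM product WHERE id = 7", 1, ["name", "price"]),
]
# Cases the Background lists as abnormal: another user's data, a year instead
# of a month, and a URL the site never exposed.
OTHER_USER = rec("/account/transactions", "1001", TXN.format(1002, "2013-04-08"), 31, ["id", "amount", "ts"])
WHOLE_YEAR = rec("/account/transactions", "1001", TXN.format(1001, "2012-05-08"), 400, ["id", "amount", "ts"])
NEW_URL = rec("/admin/export", "1001", "SELECT * FROM txn", 9000, ["id"])

if __name__ == "__main__":
    profiles = learn(TRAINING)
    for name, case in [("normal", TRAINING[1]), ("other_user", OTHER_USER),
                       ("whole_year", WHOLE_YEAR), ("new_url", NEW_URL)]:
        print(name, audit(profiles, case) or "ok")
```

In a deployment the profile set would be reviewed by the administrator before the audit rules are enabled (step 3), and a false positive is resolved by re-learning that URL (step 5) rather than by loosening the tolerance globally.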

Claims (7)

1. A system for guaranteeing that the critical data of a web site is protected against data leakage, data tampering and data corruption, comprising:
discovering and stopping possible data leakage and data tampering behaviour by analysing the web site's access records and the corresponding database activity;
backing up the web site's data on a schedule according to a specified policy, so as to guarantee rapid recovery after the data is damaged.
2. In claim 1, the method of discovering data security threats by analysing web site access records and the corresponding database activity comprises:
associating each web site access record with the database activity that the access causes;
obtaining, by analysing the associated data or a certain quantity of recorded information over a period of time, the set of request/result patterns by which this web site accesses its data under normal circumstances;
generating, automatically or manually, rules based on this set of normal request patterns for checking subsequent accesses, and judging an access that deviates from the rules to be suspicious data leakage or tampering.
3. After the method of claim 2 discovers a suspicious access, the method for stopping subsequent data leakage, tampering or other attacks may be included in the protection component of claim 1 for blocking malicious access, or may consist of notifying other intrusion detection and protection systems outside this system to take measures to stop it.
4. In claim 2, the method of associating a web site access record with the database activity caused by that access may be any method that associates a web access request with all the database activity it directly or indirectly generates afterwards; or any method that associates a web access request with the set of data subsequently obtained from the site's database because of it; or any method that associates a web access request with the response content containing website data that it subsequently generates.
5. The request pattern in claim 2 refers to the relatively stable relationship between a web access (comprising the URL request and the parameters carried by that request) and the database behaviour and returned data result set it causes. In the absence of illegal or malicious access, the patterns corresponding to all normal web accesses form a set, and subsequent accesses whose pattern is not in this set can be judged suspicious behaviour.
6. In claim 2, the method of correlation analysis comprises
classification analysis: dividing the different database behaviours produced by the same access request into several classes by homogeneity/similarity;
cluster analysis: clustering the database behaviours with similar features produced by different access requests, finally dividing them into some representative classes;
association analysis: using heuristic analysis comprising different algorithms and manually specified rules to find the relationship, under normal circumstances, between every web access and the database behaviour it initiates.
7. The database in claim 1 may be any database system, or a NoSQL system, or a data warehouse, or any system that stores the critical data of the website that needs protection.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310165877.1A CN104143064A (en) 2013-05-08 2013-05-08 Website data security system based on association analysis of database activity and web access


Publications (1)

Publication Number Publication Date
CN104143064A true CN104143064A (en) 2014-11-12

Family

ID=51852234



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20141112