CN108009427B - Rapid retrieval method for database vulnerability rules - Google Patents


Info

Publication number
CN108009427B
CN108009427B (application CN201711222402.6A)
Authority
CN
China
Prior art keywords
rule
database
hit
bit
bit matrix
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201711222402.6A
Other languages
Chinese (zh)
Other versions
CN108009427A (en)
Inventor
杨海峰
李彦君
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Dbsec Technology Co ltd
Original Assignee
Beijing Dbsec Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2017-11-29
Filing date
2017-11-29
Publication date
2018-05-08 (CN108009427A), 2021-01-26 (CN108009427B)
2017-11-29: Application filed by Beijing Dbsec Technology Co ltd; priority to CN201711222402.6A
2018-05-08: Publication of CN108009427A
2021-01-26: Application granted; publication of CN108009427B
Legal status: Active


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/24 Querying
    • G06F16/245 Query processing
    • G06F16/2455 Query execution
    • G06F16/24564 Applying rules; Deductive queries
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00 Arrangements for software engineering
    • G06F8/70 Software maintenance or management
    • G06F8/71 Version control; Configuration management

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Computational Linguistics (AREA)
  • Data Mining & Analysis (AREA)
  • Databases & Information Systems (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention relates to a rapid retrieval method for database vulnerability rules, technically characterized by the following steps: generating all database vulnerability rules, the deduplicated set of single behavior-feature checks they require, and the corresponding bit matrices; generating the initial bit matrix of all rules enabled for the current database under its current version; obtaining, from the session-level behavior-feature check results and the corresponding bit operations, the bit matrix of rules that may hit in the current session; checking the SQL operation type and SQL key-object behavior features to obtain the rule set the statement may hit; performing SQL text matching and regular-expression matching to determine the hit rules; and recording the risk level and executing a control action according to the type of each hit rule. The method is reasonable in design: control actions such as auditing, releasing, intercepting and blocking can be performed according to the retrieved database vulnerability rules, rule decisions are returned promptly, and both security and practicality are improved.

Description

Rapid retrieval method for database vulnerability rules
Technical Field
The invention belongs to the technical field of database security and in particular relates to a rapid retrieval method for database vulnerability rules.
Background
As databases are used more widely and continue to evolve, database vulnerabilities are continuously exposed and discovered, while frequent database version upgrades are costly. It is therefore important and valuable to define defense rules from the attack behavior of database vulnerabilities, retrieve the matching database vulnerability rules quickly, and apply auditing, releasing, intercepting or blocking controls accordingly. Such a prevention mechanism for database vulnerabilities both protects user data and avoids the cost, and the risk of data loss or corruption, that come with database upgrades. However, because there are many database vulnerability rules and each rule must check several database operation behavior features, checking the behavior features rule by rule and feature by feature takes a long time; rule decisions cannot be made promptly, which greatly reduces the usability of this approach.
Disclosure of Invention
The invention aims to overcome the defects of the prior art and provides a rapid retrieval method for database vulnerability rules that is reasonable in design, fast, safe and reliable.
The technical problem to be solved by the invention is addressed by the following technical scheme:
A rapid retrieval method for database vulnerability rules comprises the following steps:
step 1, generating all database vulnerability rules, the deduplicated set of single behavior-feature checks they require, and the corresponding bit matrices;
step 2, generating the initial bit matrix of all rules enabled for the current database under its current version;
step 3, obtaining the bit matrix of rules that may hit in the current session from the session-level behavior-feature check results and the corresponding bit operations;
step 4, checking the SQL operation type and SQL key-object behavior features to obtain the rule set the statement may hit;
step 5, performing SQL text matching and regular-expression matching to determine the hit rules;
step 6, recording the risk level and executing a control action according to the rule type of each hit rule;
step 7, judging whether a new SQL request has been received and, if so, jumping back to step 4 to continue.
Step 1 is implemented as follows: all behavior features that any database vulnerability rule needs to check are grouped and deduplicated, the check requirements of every single behavior feature are extracted, and for each single behavior-feature check a bit matrix keyed by rule id is generated. A bit value of 1 at the position of a given rule id means that the rule may hit if that single behavior-feature check is true; a value of 0 means the rule cannot hit.
Step 2 generates, from the database type and version information, an initial bit matrix keyed by rule id that represents the set of database vulnerability rules that can hit on this database.
Step 3 is implemented as follows: after the database connection is established, the following session information of the database is obtained and checked feature by feature: database user name, module name, application name, session state, terminal, operating-system user and host name; all behavior features whose single-feature check result is true are recorded, and the bit matrices generated for those features in step 1 are retrieved; the AND/OR combination of these session-feature check results defined in each rule is converted into bitwise AND/OR operations on the corresponding bit matrices; the resulting bit matrix is ANDed bitwise with the initial bit matrix from step 2 to give the session-level bit matrix; every bit that is 1 in this matrix denotes a rule id that may hit within this session.
Step 4 is implemented as follows: after the SQL statement is executed, the statement operation type and statement key-object behavior features are checked against the syntax-analysis result of the statement, the step 1 bit matrices of all check elements whose single-feature check result is true are recorded, and these bit matrices are combined with AND/OR operations as the rules require; the result is ANDed bitwise with the session-level bit matrix from step 3 to give the set of rules this SQL statement may hit in this session.
Step 5 is implemented as follows: every rule in the rule set obtained in step 4 is tested item by item against the SQL statement text with a detailed containment check and a regular-expression check, which yields the rule ids definitely hit by the statement.
Step 6 is implemented as follows: according to the rule type of each hit rule id determined in step 5, the configured high, medium, low or no-risk level is recorded and the corresponding auditing, releasing, intercepting or blocking control action is performed.
The invention has the advantages and positive effects that:
The method converts each database vulnerability rule into an AND/OR combination of several single behavior-feature check results and generates, for each single behavior-feature check, a bit matrix keyed by rule id. During rule retrieval the checks are performed in layers, ordered by whether a behavior feature can still change within the connection and by how costly the check is. After each layer, the remaining set of rules that may still hit is kept as a bit matrix keyed by rule id, and the final check of the specific SQL content yields the set of confirmed hits. According to the rule type of each retrieved database vulnerability rule, a high, medium, low or no-risk level is recorded and control actions such as auditing, releasing, intercepting and blocking are performed, so rule decisions are returned promptly and both security and practicality are improved.
Drawings
FIG. 1 is a flow chart of the rapid rule retrieval of the present invention.
FIG. 2 is a schematic of the storage structure for a single behavior feature and its bit matrix as used in the present invention.
Detailed Description
The embodiments of the present invention will be described in detail with reference to the accompanying drawings.
A rapid retrieval method for database vulnerability rules, as shown in fig. 1, includes the following steps:
Step 1: generate all database vulnerability rules, the deduplicated set of single behavior-feature checks they require, and the corresponding bit matrices.
In this step, all behavior features that any database vulnerability rule needs to check are grouped and deduplicated, and the check requirements of every single behavior feature are extracted. For each single behavior-feature check a bit matrix keyed by rule id is generated: a bit value of 1 at the position of a given rule id means that the rule may hit if the check is true, and 0 means the rule cannot hit. The storage structure for a single behavior feature and its bit matrix is shown in fig. 2.
Step 2: generate the initial bit matrix of all rules enabled for the current database under its current version.
In this step, an initial bit matrix keyed by rule id is generated from the database type and version information; it represents the set of database vulnerability rules that can hit on this database.
Step 3: obtain the bit matrix of rules that may hit in the current session from the session-level behavior-feature check results and the corresponding bit operations.
After the database connection is established, the session information obtained from the database is used as follows. The database user name, module name, application name, session state, terminal, operating-system user, host name and similar attributes are each checked as a single feature. All behavior features whose single-feature check is true are recorded, and the bit matrices generated for them in step 1 are retrieved. The AND/OR combination of these session-feature check results defined in each rule is converted into bitwise AND/OR operations on the corresponding bit matrices. The resulting bit matrix is ANDed bitwise with the initial bit matrix from step 2 to give the session-level bit matrix; every bit that is 1 in it denotes a rule id that may hit within this session.
Step 4: check the SQL operation type and SQL key-object behavior features to obtain the rule set the statement may hit.
After the SQL statement is executed, the two behavior features statement operation type and statement key object are checked against the syntax-parsing result of the statement, and the step 1 bit matrices of all check elements whose single-feature check is true are recorded. These bit matrices are combined with AND/OR operations as the rules require, and the result is ANDed bitwise with the session-level bit matrix from step 3, which quickly yields the set of rules this SQL statement may hit in this session.
Step 5: perform SQL text matching and regular-expression matching to determine the hit rules.
In this step, every rule in the rule set obtained in step 4 is tested item by item against the SQL statement text with a containment check and a regular-expression check, which yields the rule ids definitely hit by the statement.
Step 6: record the risk level and perform a control action according to the rule type of each hit rule.
In this step, according to the rule type of each hit rule id determined in step 5, the configured high, medium, low or no-risk level is recorded and the corresponding auditing, releasing, intercepting or blocking control action is performed.
Step 7: judge whether a new SQL request has been received; if so, jump back to step 4 and continue.
It should be emphasized that the embodiments described herein are illustrative rather than restrictive, and thus the present invention is not limited to the embodiments described in the detailed description, but also includes other embodiments that can be derived from the technical solutions of the present invention by those skilled in the art.

Claims (7)

1. A rapid retrieval method for database vulnerability rules, characterized by comprising the following steps:
step 1, generating all database vulnerability rules, the deduplicated set of single behavior-feature checks they require, and the corresponding bit matrices;
step 2, generating the initial bit matrix of all rules enabled for the current database under its current version;
step 3, obtaining the bit matrix of rules that may hit in the current session from the session-level behavior-feature check results and the corresponding bit operations;
step 4, checking the SQL operation type and SQL key-object behavior features to obtain the rule set the SQL statement may hit;
step 5, performing SQL text matching and regular-expression matching to determine the hit rules;
step 6, recording the risk level and executing a control action according to the rule type of each hit rule;
step 7, judging whether a new SQL request has been received and, if so, jumping back to step 4 to continue.
2. The rapid retrieval method for database vulnerability rules according to claim 1, wherein step 1 is implemented as follows: all behavior features that any database vulnerability rule needs to check are grouped and deduplicated, the check requirements of every single behavior feature are extracted, and for each single behavior-feature check a bit matrix keyed by rule id is generated, wherein a bit value of 1 at the position of a given rule id indicates that the rule may hit if that single behavior-feature check is true, and a bit value of 0 at the position of a given rule id indicates that the rule cannot hit.
3. The rapid retrieval method for database vulnerability rules according to claim 1, wherein step 2 generates, from the database type and version information, an initial bit matrix keyed by rule id that represents the set of database vulnerability rules that can hit on this database.
4. The rapid retrieval method for database vulnerability rules according to claim 1, wherein step 3 is implemented as follows: after the database connection is established, the following session information of the database is obtained and checked feature by feature: database user name, module name, application name, session state, terminal, operating-system user and host name; all behavior features whose single-feature check result is true are recorded, and the bit matrices generated for those features in step 1 are retrieved; the AND/OR combination of these session-feature check results defined in each rule is converted into bitwise AND/OR operations on the corresponding bit matrices; the resulting bit matrix is ANDed bitwise with the initial bit matrix from step 2 to give the session-level bit matrix; every bit that is 1 in this matrix denotes a rule id that may hit within this session.
5. The rapid retrieval method for database vulnerability rules according to claim 1, wherein step 4 is implemented as follows: after the SQL statement is executed, the statement operation type and statement key-object behavior features are checked against the syntax-analysis result of the statement, the step 1 bit matrices of all check elements whose single-feature check result is true are recorded, and these bit matrices are combined with AND/OR operations as the rules require; the result is ANDed bitwise with the session-level bit matrix from step 3 to give the set of rules this SQL statement may hit in this session.
6. The rapid retrieval method for database vulnerability rules according to claim 1, wherein step 5 is implemented as follows: every rule in the rule set obtained in step 4 is tested item by item against the SQL statement text with a detailed containment check and a regular-expression check, which yields the rule ids definitely hit by the statement.
7. The rapid retrieval method for database vulnerability rules according to claim 1, wherein step 6 is implemented as follows: according to the rule type of each hit rule id determined in step 5, the configured high, medium, low or no-risk level is recorded and the corresponding auditing, releasing, intercepting or blocking control action is performed.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711222402.6A CN108009427B (en) 2017-11-29 2017-11-29 Rapid retrieval method for database vulnerability rules

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201711222402.6A CN108009427B (en) 2017-11-29 2017-11-29 Rapid retrieval method for database vulnerability rules

Publications (2)

Publication Number Publication Date
CN108009427A CN108009427A (en) 2018-05-08
CN108009427B true CN108009427B (en) 2021-01-26

Family

ID=62054462

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201711222402.6A Active CN108009427B (en) 2017-11-29 2017-11-29 Rapid retrieval method for database vulnerability rules

Country Status (1)

Country Link
CN (1) CN108009427B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111935121B (en) * 2020-07-31 2022-04-26 北京天融信网络安全技术有限公司 Vulnerability reporting method and device
CN113852620B (en) * 2021-09-22 2023-07-18 中国人民解放军战略支援部队信息工程大学 Safety protocol host name verification module vulnerability analysis method based on model learning
CN113987521B (en) * 2021-12-28 2022-03-22 北京安华金和科技有限公司 Scanning processing method and device for database bugs
CN117112609B (en) * 2023-06-29 2024-05-10 南京国电南自轨道交通工程有限公司 Method for improving retrieval efficiency of monitoring historical data by using key element matrix

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101902470A (en) * 2010-07-14 2010-12-01 南京大学 Form feature-based Web security vulnerability dynamic testing method
CN104090941A (en) * 2014-06-30 2014-10-08 江苏华大天益电力科技有限公司 Database auditing system and database auditing method
CN104915595A (en) * 2015-06-30 2015-09-16 北京奇虎科技有限公司 Virtualization bug fixing method and device through cloud platform
CN106845237A (en) * 2017-01-23 2017-06-13 北京安华金和科技有限公司 SQL injection risk assessment method based on SQL statements


Also Published As

Publication number Publication date
CN108009427A (en) 2018-05-08

Similar Documents

Publication Publication Date Title
CN108009427B (en) Rapid retrieval method for database vulnerability rules
US11924233B2 (en) Server-supported malware detection and protection
CN101777062B (en) Context-aware real-time computer-protection systems and methods
Walls et al. Forensic Triage for Mobile Phones with DEC0DE
CN110225029B (en) Injection attack detection method, device, server and storage medium
CN108399338B (en) Platform integrity state information measuring method based on process behaviors
CN109522328B (en) Data processing method and device, medium and terminal thereof
US8336100B1 (en) Systems and methods for using reputation data to detect packed malware
CN102737205B (en) Protection comprises can the file of editing meta-data
US10296743B2 (en) Method and device for constructing APK virus signature database and APK virus detection system
CN101751530B (en) Method for detecting loophole aggressive behavior and device
CN103164698A (en) Method and device of generating fingerprint database and method and device of fingerprint matching of text to be tested
KR102396237B1 (en) Apparatus for processing cyber threat information, method for processing cyber threat information, and medium for storing a program processing cyber threat information
KR102550596B1 (en) Apparatus and method for analyzing vulnerability of smart contract code
CN110781061A (en) Method and device for recording user behavior link
CN103646062A (en) Scanning method and device for downloaded file
WO2020168763A1 (en) Data classification and storage method and apparatus of application program, device, and storage medium
US9860230B1 (en) Systems and methods for digitally signing executables with reputation information
CN107169011A (en) The original recognition methods of webpage based on artificial intelligence, device and storage medium
CN111104674A (en) Power firmware homologous binary file association method and system
KR20210035987A (en) Document search device and method based on jaccard model
Vahedi et al. Cloud based malware detection through behavioral entropy
CN111460436B (en) Unstructured data operation method and system based on blockchain
CN114003737A (en) Double-record examination assisting method, device, equipment and medium based on artificial intelligence
US11514163B2 (en) Terminal device, method for control of report of operation information performed by terminal device, and recording medium storing therein program for control of report of operation information performed by terminal device

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant