CN108959967A - Method and system for preventing leakage of sensitive database data - Google Patents

Method and system for preventing leakage of sensitive database data

Info

Publication number
CN108959967A
Authority
CN
China
Prior art keywords
sensitive
protected object
database
sensitive data
data base
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201810778457.3A
Other languages
Chinese (zh)
Inventor
程国冰
范渊
刘博�
龙文洁
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou Dbappsecurity Technology Co Ltd
Original Assignee
Hangzhou Dbappsecurity Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2018-07-16
Filing date
2018-07-16
Publication date
2018-12-07

Classifications

    • G: Physics
    • G06: Computing; calculating or counting
    • G06F: Electric digital data processing
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60: Protecting data
    • G06F21/62: Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218: Protecting access to data via a platform, to a system of files or objects, e.g. a local or distributed file system or a database

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention relates to database leakage-prevention technology and aims to provide a method and system for preventing leakage of sensitive database data. The method comprises the steps of: configuring a sensitive-information protection table; configuring matching rules; and, as required, selecting a learning mode or a protection mode and performing the corresponding processing. By configuring the database protection information table and the matching rules, the invention learns a library of trusted templates of sensitive database operation statements in learning mode and blocks sensitive database operations in protection mode; it can thus efficiently and quickly prevent leakage of sensitive database information.

Description

Method and system for preventing leakage of sensitive database data
Technical field
The present invention relates to the technical field of database leakage prevention, and in particular to a method and system for preventing leakage of sensitive database data.
Background technique
With the rapid development and popularisation of the Internet and the mobile Internet, Internet applications have become the main means by which individuals, enterprises, government departments and others obtain and publish information, and they have become rich repositories of information. Databases are the warehouses in which this information is stored, organised and managed.
The shared information provided by Internet applications brings convenience to people's lives, but it also increases the risk of sensitive data leakage. Leaked sensitive information can cause serious trouble for individuals, enterprises or government departments and can even cause direct economic loss; the harm is great. Preventing the leakage of sensitive data from databases is therefore a problem that must be solved.
Existing database leakage-prevention technology generally uses one of the following two methods:
1. Detect whether the network traffic that the server of a business system receives from terminals contains sensitive data, the features of the sensitive data having been preset, for example Chinese patent application CN201610652403.3, "Leakage prevention method and device". However, an attacker can transform the sensitive data so that it no longer matches the preset features, and thereby bypass the detection.
2. A firewall intercepts the connection requests sent by an access source and matches each request against a sensitive-data access policy: if the result is "allow", the request is forwarded; if the result is "deny", the request is blocked. Policy matching includes keyword matching, IP address matching and/or MAC address matching, for example Chinese patent application CN201010104930.3, "Method and device for preventing sensitive data leakage". However, an attacker can spoof the access source and thereby bypass the policy.
Summary of the invention
The main object of the present invention is to overcome the deficiencies of the prior art by providing a method and system for preventing leakage of sensitive database data. To solve the above technical problem, the solution adopted by the invention is as follows:
A method for preventing leakage of sensitive database data is provided, comprising the following steps:
Step (1): configure the sensitive-information protection table:
Configure the sensitive data in the sensitive-information protection table. The sensitive data comprises operation types (an operation type is an operation on the database or on a database table), protected tables (a protected table is a sensitive table in the database) and protected fields (a protected field is a sensitive field of a sensitive table in the database):
(operation types: oper1, oper2, oper3, ...
protected tables: Table1, Table2, Table3, ...
protected fields: Table1.Field1, Table1.Field2, Table1.Field3, ...
Table2.Field1, Table2.Field2, Table2.Field3, ...
...)
Step (2): configure the matching rules:
Configure the logical relationships between the sensitive data items in the sensitive-information protection table; the logical combinations of sensitive data form the sensitive-data matching rules.
The logical relationships are OR and AND.
Step (3): as required, select learning mode or protection mode and perform the corresponding processing:
Learning mode, used to obtain the trusted statement template library (trusted SQL statement library), comprises the following steps:
Step C1: configure the protected-object information and capture the access traffic of the protected object.
The protected object is a database.
Step C2: parse the access traffic captured in step C1 to obtain the database operation statements.
Step C3: match each database operation statement obtained in step C2 against the sensitive-data matching rules:
If it matches, strip the parameters from the statement and insert it into the trusted statement template library as a parameter-free trusted SQL statement template;
If it does not match, discard the statement.
The trusted statement template library stores the parameter-free trusted SQL statement templates.
Step C4: return to step C2 and repeat (in learning mode, steps C2 and C3 are repeated for every database operation request).
Protection mode, used to prevent leakage of the protected object's sensitive data, comprises the following steps:
Step D1: configure the protected-object information and capture the access traffic of the protected object.
The protected object is a database.
Step D2: parse the access traffic captured in step D1 to obtain the database operation statements.
Step D3: match each database operation statement obtained in step D2 against the sensitive-data matching rules; if it matches, then match the statement against the trusted statement template library:
If it matches a template, the statement is considered a trusted operation and is allowed through;
If it matches no template, the statement is considered a sensitive operation and is blocked.
Step D4: return to step D1, re-capture the traffic of the protected object and repeat the subsequent steps (in protection mode, once the protected object has been configured, its traffic is captured continuously and steps D2 and D3 are performed on it, so that the protected object stays protected).
A system for preventing leakage of sensitive database data is also provided, comprising a processor adapted to execute instructions, and a storage device adapted to store a plurality of instructions, the instructions being adapted to be loaded and executed by the processor to carry out steps (1) to (3) of the method described above: configuring the sensitive-information protection table (operation types, protected tables and protected fields), configuring the matching rules (logical combinations of the sensitive data using OR and AND), and, as required, running learning mode (steps C1 to C4, which build the trusted statement template library from parameter-stripped sensitive statements) or protection mode (steps D1 to D4, which allow sensitive statements that match a trusted template and block those that do not).
Compared with the prior art, the beneficial effects of the present invention are:
By configuring the database protection information table and the matching rules, the invention learns a library of trusted templates of sensitive database operation statements in learning mode and blocks sensitive database operations in protection mode; it can thus efficiently and quickly prevent leakage of sensitive database information.
Detailed description of the invention
Fig. 1 is a schematic diagram of the sensitive-information protection table of the invention.
Fig. 2 is a flow diagram of learning mode in the invention.
Fig. 3 is a flow diagram of protection mode in the invention.
Specific embodiment
It should first be noted that the present invention relates to database technology and is an application of computer technology in the field of information security. Implementing the invention may involve several software function modules. The applicant holds that, after carefully reading the application documents and accurately understanding the implementation principle and objective of the invention, a person skilled in the art can implement the invention entirely with the software programming skills at his or her command, combined with existing well-known techniques. Everything that the application documents of the present invention refer to falls within this scope, and the applicant will not enumerate it.
The invention is described in further detail below with reference to the drawings and a specific embodiment:
A method for preventing leakage of sensitive database data comprises the following steps:
Step (1): configure the sensitive-information protection table:
Configure the sensitive data in the sensitive-information protection table; the sensitive data comprises operation types, protected tables and protected fields, see Fig. 1.
Operation types: delete, update, select, ...
Protected tables: user, account, relation, ...
Protected fields: user.name, user.password, user.mobile, ...
account.name, account.number, account.sum, ...
relation.name, relation.mobile, relation.ID, ...
Step (2): configure the matching rules:
Configure the logical relationships between the operation types, protected tables and protected fields of the sensitive-information protection table; their logical combinations form the sensitive-data matching rules. The logical relationships are OR and AND. The two rules of this embodiment are (the grouping follows from the examples below: a DELETE on user matches the first rule, an UPDATE of account.number matches the second):
(delete OR update) AND (user OR user.name OR user.password OR user.mobile);
(delete OR update) AND account AND (account.number OR account.sum);
Step (3): as required, select learning mode or protection mode and perform the corresponding processing.
Learning mode, shown in Fig. 2, is used to obtain the trusted statement template library (trusted SQL statement library) and comprises the following steps:
Step C1: configure the protected-object information in the database security device; the database security device then captures the access traffic of the protected object.
The database security device is a self-developed database firewall appliance; the anti-leakage system of this patent is one function module of that device. The protected object is a database.
Step C2: parse the access traffic captured in step C1 to obtain the database operation statements, for example:
1. DELETE FROM user; (contains delete and user)
2. UPDATE account SET account.number=*** WHERE account.name="1234"; (contains update, account and account.number)
Step C3: match the database operation statements obtained in step C2 against the sensitive-data matching rules. Both SQL statements of step C2 match the rules of step (2), so after parameter stripping they are inserted into the trusted statement template library as:
1. delete from user;
2. update account set account.number where account.name;
In learning mode, steps C2 and C3 are repeated.
Protection mode, shown in Fig. 3, is used to prevent leakage of the protected object's sensitive data and comprises the following steps:
Step D1: configure the protected-object information in the database security device; the database security device then captures the access traffic of the protected object.
The database security device is a self-developed database firewall appliance; the anti-leakage system of this patent is one function module of that device. The protected object is a database.
Step D2: parse the access traffic captured in step D1 to obtain the database operation statements, for example:
UPDATE account SET account.number=*** WHERE 1=1;
Step D3: match the database operation statement obtained in step D2 against the sensitive-data matching rules. UPDATE account SET account.number=*** WHERE 1=1 contains update, account and account.number, so it matches.
The statement of step D2 is then matched against the trusted statement template library:
If it matches a template, the statement is considered a trusted operation and is allowed through;
If it matches no template, the statement is considered a sensitive operation and is blocked.
In this embodiment the parameter-stripped form, update account set account.number where 1, matches no template in the library, so the statement is blocked.
In protection mode, steps D1 to D3 are repeated.
Finally, it should be noted that the above is only a specific embodiment of the invention. Obviously, the invention is not limited to the above embodiment and may be varied in many ways. All variations that a person skilled in the art can derive directly, or by association, from the disclosure of the invention are considered to fall within the scope of protection of the invention.
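The learning and protection procedure of steps (1) to (3), as laid out in the summary above and replayed with concrete values in the embodiment, as an added example. This is not code from the patent or from Hangzhou Dbappsecurity's database firewall device; it is a small Python model written for this page. Steps (1) and (2) are the protection table and the two rules of the embodiment; learning mode fills a trusted template library from constructed traffic; protection mode allow-lists sensitive statements against that library. The statement tokenizer (operation = first keyword, tables = names after FROM/UPDATE/INTO/JOIN, fields = names written as table.field), the parameter-stripping rule (every "= <literal>" is removed, which reproduces the "where account.name" and "where 1" templates of the embodiment), the reading of each rule as AND-ed groups of OR-ed terms, and the handling of statements that match no rule (passed without a template check, which is what step D3 implies but does not state) are all assumptions of this example and not details the patent gives.

```python
# Added example, not code from the patent or from Hangzhou Dbappsecurity's
# database firewall: a minimal model of steps (1)-(3). The tokenizer, the
# parameter-stripping rule and the rule precedence are assumptions.
import re

# Step (1): sensitive-information protection table, values from the embodiment
# (Fig. 1). Lower-cased because every statement is lower-cased before matching.
PROTECTION_TABLE = {
    "operations": {"delete", "update", "select"},
    "tables": {"user", "account", "relation"},
    "fields": {"user.name", "user.password", "user.mobile",
               "account.name", "account.number", "account.sum",
               "relation.name", "relation.mobile", "relation.id"},
}

# Step (2): matching rules. A rule is a list of OR-groups that are AND-ed, so
# the two rules of the embodiment read
#   (delete OR update) AND (user OR user.name OR user.password OR user.mobile)
#   (delete OR update) AND account AND (account.number OR account.sum)
RULES = [
    [{"delete", "update"}, {"user", "user.name", "user.password", "user.mobile"}],
    [{"delete", "update"}, {"account"}, {"account.number", "account.sum"}],
]

_LITERAL = re.compile(r"""\s*=\s*(?:'[^']*'|"[^"]*"|\*+|\d+(?:\.\d+)?)""")
_TABLE = re.compile(r"\b(?:from|update|into|join)\s+(\w+)")
_FIELD = re.compile(r"\b(\w+\.\w+)\b")


def validate_rules(rules=RULES, table=PROTECTION_TABLE):
    """Every term used in a rule must come from the protection table of step (1)."""
    known = table["operations"] | table["tables"] | table["fields"]
    unknown = {t for rule in rules for group in rule for t in group} - known
    if unknown:
        raise ValueError(f"rule terms not in protection table: {sorted(unknown)}")
    return True


def normalize(statement):
    """Lower-case, collapse whitespace and drop the trailing semicolon."""
    return " ".join(statement.lower().split()).rstrip(";").strip()


def template(statement):
    """Parameter stripping as in the embodiment: every '= <literal>' is removed,
    so  where account.name="1234"  becomes  where account.name  and
    where 1=1  becomes  where 1."""
    return _LITERAL.sub("", normalize(statement))


def terms(statement):
    """Operation type, table names and qualified field names of a statement.
    Only fields written as table.field are seen (an assumption of this toy
    parser; a real DBFW would resolve aliases and unqualified columns)."""
    s = normalize(statement)
    return {s.split(" ", 1)[0]} | set(_TABLE.findall(s)) | set(_FIELD.findall(s))


def is_sensitive(statement, rules=RULES):
    """Steps C3/D3: a rule matches when each of its OR-groups shares at least
    one term with the statement."""
    t = terms(statement)
    return any(all(group & t for group in rule) for rule in rules)


class DatabaseFirewall:
    """Learning mode fills the trusted template library; protection mode
    allow-lists sensitive statements against it."""

    def __init__(self, rules=RULES):
        self.rules = rules
        self.trusted_templates = set()  # the trusted statement template library

    def learn(self, statement):
        """Step C3: store the parameter-free template of a sensitive statement,
        discard everything else. Returns True when a template was stored."""
        if not is_sensitive(statement, self.rules):
            return False
        self.trusted_templates.add(template(statement))
        return True

    def protect(self, statement):
        """Step D3: 'pass' for statements no rule covers and for sensitive
        statements with a trusted template, 'block' for the rest."""
        if not is_sensitive(statement, self.rules):
            return "pass"
        return "pass" if template(statement) in self.trusted_templates else "block"


def demo():
    """Replays the embodiment on constructed traffic (not a real capture)."""
    validate_rules()
    fw = DatabaseFirewall()
    learned = [fw.learn(sql) for sql in (           # learning mode, steps C1-C4
        "DELETE FROM user;",
        'UPDATE account SET account.number=*** WHERE account.name="1234";',
        "SELECT * FROM relation WHERE relation.mobile='555';",  # no rule: discarded
    )]
    decisions = {sql: fw.protect(sql) for sql in (  # protection mode, steps D1-D4
        "UPDATE account SET account.number=*** WHERE 1=1;",              # blocked
        "UPDATE account SET account.number=42 WHERE account.name='x';",  # same template: pass
        "SELECT * FROM relation WHERE relation.mobile='555';",           # no rule: pass
    )}
    return learned, sorted(fw.trusted_templates), decisions


if __name__ == "__main__":
    print(demo())
```

Two properties of the design are visible in the run. A sensitive statement observed during learning becomes trusted unconditionally (step C3 applies no other filter), so learning mode has to run on traffic that is known to be clean. And only statements that match a rule are ever compared with the template library, so the rules of step (2), not the library, decide what the firewall examines at all: select is listed in the protection table of the embodiment but appears in none of its rules, so the SELECT on relation passes here untouched.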

Claims (2)

1. A method for preventing leakage of sensitive database data, characterised in that it comprises the following steps:
Step (1): configure the sensitive-information protection table:
Configure the sensitive data in the sensitive-information protection table; the sensitive data comprises operation types, protected tables and protected fields;
Step (2): configure the matching rules:
Configure the logical relationships between the sensitive data items in the sensitive-information protection table; the logical combinations of sensitive data form the sensitive-data matching rules;
The logical relationships are OR and AND;
Step (3): as required, select learning mode or protection mode and perform the corresponding processing;
Learning mode, used to obtain the trusted statement template library, comprises the following steps:
Step C1: configure the protected-object information and capture the access traffic of the protected object;
The protected object is a database;
Step C2: parse the access traffic captured in step C1 to obtain the database operation statements;
Step C3: match each database operation statement obtained in step C2 against the sensitive-data matching rules:
If it matches, strip the parameters from the statement and insert it into the trusted statement template library as a parameter-free trusted SQL statement template;
If it does not match, discard the statement;
The trusted statement template library stores the parameter-free trusted SQL statement templates;
Step C4: return to step C2 and repeat;
Protection mode, used to prevent leakage of the protected object's sensitive data, comprises the following steps:
Step D1: configure the protected-object information and capture the access traffic of the protected object;
The protected object is a database;
Step D2: parse the access traffic captured in step D1 to obtain the database operation statements;
Step D3: match each database operation statement obtained in step D2 against the sensitive-data matching rules; if it matches, then match the statement against the trusted statement template library:
If it matches a template, the statement is considered a trusted operation and is allowed through;
If it matches no template, the statement is considered a sensitive operation and is blocked;
Step D4: return to step D1, re-capture the traffic of the protected object, and repeat the subsequent steps.
2. A system for preventing leakage of sensitive database data, comprising a processor adapted to execute instructions, and a storage device adapted to store a plurality of instructions, the instructions being adapted to be loaded and executed by the processor to perform:
Step (1): configure the sensitive-information protection table:
Configure the sensitive data in the sensitive-information protection table; the sensitive data comprises operation types, protected tables and protected fields;
Step (2): configure the matching rules:
Configure the logical relationships between the sensitive data items in the sensitive-information protection table; the logical combinations of sensitive data form the sensitive-data matching rules;
The logical relationships are OR and AND;
Step (3): as required, select learning mode or protection mode and perform the corresponding processing;
Learning mode, used to obtain the trusted statement template library, comprises the following steps:
Step C1: configure the protected-object information and capture the access traffic of the protected object;
The protected object is a database;
Step C2: parse the access traffic captured in step C1 to obtain the database operation statements;
Step C3: match each database operation statement obtained in step C2 against the sensitive-data matching rules:
If it matches, strip the parameters from the statement and insert it into the trusted statement template library as a parameter-free trusted SQL statement template;
If it does not match, discard the statement;
The trusted statement template library stores the parameter-free trusted SQL statement templates;
Step C4: return to step C2 and repeat;
Protection mode, used to prevent leakage of the protected object's sensitive data, comprises the following steps:
Step D1: configure the protected-object information and capture the access traffic of the protected object;
The protected object is a database;
Step D2: parse the access traffic captured in step D1 to obtain the database operation statements;
Step D3: match each database operation statement obtained in step D2 against the sensitive-data matching rules; if it matches, then match the statement against the trusted statement template library:
If it matches a template, the statement is considered a trusted operation and is allowed through;
If it matches no template, the statement is considered a sensitive operation and is blocked;
Step D4: return to step D1, re-capture the traffic of the protected object, and repeat the subsequent steps.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810778457.3A CN108959967A (en) 2018-07-16 2018-07-16 Method and system for preventing leakage of sensitive database data

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810778457.3A CN108959967A (en) 2018-07-16 2018-07-16 Method and system for preventing leakage of sensitive database data

Publications (1)

Publication Number Publication Date
CN108959967A (en) 2018-12-07

Family

ID=64481310

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810778457.3A Pending CN108959967A (en) 2018-07-16 2018-07-16 Method and system for preventing leakage of sensitive database data

Country Status (1)

Country Link
CN (1) CN108959967A (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109829327A (en) * 2018-12-15 2019-05-31 中国平安人寿保险股份有限公司 Sensitive information processing method, device, electronic equipment and storage medium
CN110399749A (en) * 2019-08-05 2019-11-01 杭州安恒信息技术股份有限公司 Data asset management method and system
CN110399749B (en) * 2019-08-05 2021-04-23 杭州安恒信息技术股份有限公司 Data asset management method and system
CN111639365A (en) * 2020-06-09 2020-09-08 杭州安恒信息技术股份有限公司 Data leakage warning method and related device
WO2022012669A1 (en) * 2020-07-16 2022-01-20 中兴通讯股份有限公司 Data access method and device, and storage medium and electronic device
CN112000984A (en) * 2020-08-24 2020-11-27 杭州安恒信息技术股份有限公司 Data leakage detection method, device, equipment and readable storage medium
CN113704825A (en) * 2021-09-08 2021-11-26 上海观安信息技术股份有限公司 Database auditing method, device and system and computer storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101609493A (en) * 2009-07-21 2009-12-23 国网电力科学研究院 Database SQL injection protection method based on self-learning
CN104361035A (en) * 2014-10-27 2015-02-18 深信服网络科技(深圳)有限公司 Method and device for detecting database tampering behaviour
CN107563193A (en) * 2017-08-28 2018-01-09 深信服科技股份有限公司 Database access control method and system based on SQL templates
CN107566363A (en) * 2017-08-30 2018-01-09 杭州安恒信息技术有限公司 SQL injection attack defence method based on machine learning



Similar Documents

Publication Publication Date Title
CN108959967A (en) Method and system for preventing leakage of sensitive database data
US10885182B1 (en) System and method for secure, policy-based access control for mobile computing devices
CN107480527B (en) Ransomware prevention method and system
US9246944B1 (en) Systems and methods for enforcing data loss prevention policies on mobile devices
KR101120814B1 (en) Systems and methods that optimize row level database security
CN102598007B (en) System and method for efficient detection of fingerprinted data and information
US8495705B1 (en) Systems and methods for reputation-based application of data-loss prevention policies
US8020213B2 (en) Access control method and a system for privacy protection
CA3042934A1 (en) Method and system for managing electronic documents based on sensitivity of information
US20140149322A1 (en) Protecting contents in a content management system by automatically determining the content security level
US20120005720A1 (en) Categorization of privacy data and data flow detection with rules engine to detect privacy breaches
CN112069536A (en) Method and equipment for realizing desensitized access to database data
US9621590B1 (en) Systems and methods for applying data-loss-prevention policies
US10445514B1 (en) Request processing in a compromised account
US9471665B2 (en) Unified system for real-time coordination of content-object action items across devices
US20170371894A1 (en) Samba configuration management method and system for network device
CN109800571B (en) Event processing method and device, storage medium and electronic device
CN109154968A (en) System and method for secure and efficient communication within an organization
CN107292188A (en) Method and apparatus for controlling user access privileges
CN112350997A (en) Database access right control method and device, computer equipment and storage medium
US9245132B1 (en) Systems and methods for data loss prevention
Valleru, Cost-effective cloud data loss prevention strategies for small and medium-sized enterprises
CN107846351A (en) Method and device for encrypting sensitive information in chat messages
EP3276524A1 (en) Access control system and access control method
US10938849B2 (en) Auditing databases for security vulnerabilities

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 2018-12-07