CN110222530A - Method, device and electronic equipment for detecting database dumping behavior - Google Patents
Method, device and electronic equipment for detecting database dumping behavior
- Publication number: CN110222530A (application CN201910447188.7A)
- Authority: CN (China)
- Legal status: Pending
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
Abstract
Embodiments of the invention provide a method, device and electronic equipment for detecting database dumping behavior. First, the audit log of the database under test is obtained. Next, the user's operation behavior data for the database under test is extracted from the audit log. Finally, the operation behavior data is compared with a pre-created user behavior baseline to obtain the database dumping detection result. Because the operation behavior data is derived dynamically from the user operations recorded in the audit log, and includes statistics of preset operation behaviors associated with database dumping, using its comparison with the user behavior baseline as the basis for detection yields a dumping detection result with fewer false positives and a higher detection accuracy.
Description
Technical field
The present invention relates to the technical field of network security, and in particular to a method, device and electronic equipment for detecting database dumping behavior.
Background technique
Database dumping ("dragging the library") refers to an attacker breaking into a valuable website and stealing its database. At present, SQL injection is one of the main ways of carrying out dumping attacks against databases on the Internet: the attacker exploits a SQL injection vulnerability by writing code that readily triggers a SQL exception into a SQL query statement, causing an exception in the underlying database, in order to operate on the database and obtain sensitive user information. The prior art therefore usually detects dumping by detecting SQL injection.
Specifically, since an attacker can carry out malicious SQL injection by constructing comment statements, "logically true" conditions, connectors and the like, SQL injection detection performs regular-expression matching of comment statements, logically true conditions, connectors and so on against preset rules, and judges from the matching result whether such statements are present; if they are, the request is treated as malicious injection and dumping behavior is deemed to exist. However, a user may also use comment statements or logically true conditions during normal use, or submit forbidden characters by mistake. If an alert is raised every time such a statement appears, a large number of false positives results, which lowers detection accuracy.
Summary of the invention
The purpose of the embodiments of the invention is to provide a method, device and electronic equipment for detecting database dumping behavior, so as to improve the accuracy of database dumping detection. The specific technical solution is as follows:
In a first aspect, an embodiment of the invention provides a method for detecting database dumping behavior, applied to a server, the method comprising:
obtaining the audit log of the database under test;
obtaining, from the audit log, the user's operation behavior data for the database under test, the operation behavior data comprising statistics of preset operation behaviors associated with database dumping;
comparing the operation behavior data with a pre-created user behavior baseline to obtain a database dumping detection result, the user behavior baseline being the operation behavior data of the database under test while it is not under a dumping attack.
Optionally, the step of obtaining the audit log of the database under test comprises: obtaining the audit log generated by the database under test in the current detection cycle;
the step of obtaining the user's operation behavior data for the database under test from the audit log comprises: obtaining, from the audit log generated by the database under test in the current detection cycle, the user's operation behavior data for the database under test within the current detection cycle;
and the user behavior baseline is the user's operation behavior data for the database under test in the previous detection cycle, while the database was not under a dumping attack.
Optionally, the step of obtaining the user's operation behavior data for the database under test from the audit log comprises:
obtaining all operation statements in the audit log;
matching all operation statements against a pre-constructed first behavior recognition rule to identify the preset operation behaviors associated with database dumping;
counting the preset operation behaviors associated with database dumping to obtain the user's operation behavior data for the database under test.
Optionally, the preset operation behaviors associated with database dumping comprise: searching for injection points, checking for echoed output, database probing, database data export, and dropping a database or table;
the operation behavior data comprises: an injection count, a probing count, a data export count and a dangerous-operation count;
and the step of counting the preset operation behaviors associated with database dumping to obtain the user's operation behavior data for the database under test comprises:
counting the total number of injection-point searches and echo checks as the injection count;
counting the number of database probing operations as the probing count;
counting the number of database data export operations as the data export count;
counting the number of operations that drop a database or table as the dangerous-operation count.
Optionally, the operation behavior data further comprises statistics of preset normal operation behaviors;
and the step of obtaining the user's operation behavior data for the database under test from the audit log comprises:
obtaining all operation statements in the audit log;
matching all operation statements against a pre-constructed second behavior recognition rule to identify the preset operation behaviors associated with database dumping and the preset normal operation behaviors;
counting the preset operation behaviors associated with database dumping and the preset normal operation behaviors to obtain the user's operation behavior data for the database under test.
Optionally, the preset operation behaviors associated with database dumping comprise: searching for injection points, checking for echoed output, database probing, database data export, and dropping a database or table; the preset normal operation behaviors comprise query operations;
the operation behavior data comprises: an injection count, a probing count, a data export count, a dangerous-operation count and a normal-operation count;
and the counting step comprises:
counting the total number of injection-point searches and echo checks as the injection count;
counting the number of database probing operations as the probing count;
counting the number of database data export operations as the data export count;
counting the number of operations that drop a database or table as the dangerous-operation count;
counting the number of query operations as the normal-operation count.
Optionally, after the step of comparing the operation behavior data with the pre-created user behavior baseline to obtain the database dumping detection result, the method further comprises:
if the detection result is that the database under test is not under a dumping attack, saving the operation behavior data of the database under test for the current detection cycle as the user behavior baseline for the next detection cycle.
Optionally, the step of comparing the operation behavior data with the pre-created user behavior baseline to obtain the database dumping detection result comprises:
calculating the deviation degree between the operation behavior data and the pre-created user behavior baseline;
judging, from the calculated deviation degree, whether the database under test is under a dumping attack.
Optionally, the step of judging from the calculated deviation degree whether the database under test is under a dumping attack comprises:
if the deviation degree is less than a preset threshold, judging that the database under test is not under a dumping attack;
if the deviation degree is greater than the preset threshold, judging that the database under test is under a dumping attack.
Optionally, the deviation degree is calculated using the following formula:
where n is the number of data dimensions of the operation behavior data and of the user behavior baseline, X_i is the i-th dimension of the user behavior baseline, and Y_i is the i-th dimension of the operation behavior data.
In a second aspect, an embodiment of the invention provides a device for detecting database dumping behavior, applied to a server, the device comprising:
a log acquisition module for obtaining the audit log of the database under test;
a data acquisition module for obtaining, from the audit log, the user's operation behavior data for the database under test, the operation behavior data comprising statistics of preset operation behaviors associated with database dumping;
a detection module for comparing the operation behavior data with a pre-created user behavior baseline to obtain a database dumping detection result, the user behavior baseline being the operation behavior data of the database under test while it is not under a dumping attack.
Optionally, the log acquisition module is specifically configured to obtain the audit log generated by the database under test in the current detection cycle;
the data acquisition module is specifically configured to obtain, from the audit log generated by the database under test in the current detection cycle, the user's operation behavior data for the database under test within the current detection cycle;
and the user behavior baseline is the user's operation behavior data for the database under test in the previous detection cycle, while the database was not under a dumping attack.
Optionally, the data acquisition module comprises:
a first acquisition unit for obtaining all operation statements in the audit log;
a first recognition unit for matching all operation statements against a pre-constructed first behavior recognition rule to identify the preset operation behaviors associated with database dumping;
a first statistics unit for counting the preset operation behaviors associated with database dumping to obtain the user's operation behavior data for the database under test.
Optionally, the preset operation behaviors associated with database dumping comprise: searching for injection points, checking for echoed output, database probing, database data export, and dropping a database or table;
the operation behavior data comprises: an injection count, a probing count, a data export count and a dangerous-operation count;
and the first statistics unit comprises:
a first statistics sub-unit for counting the total number of injection-point searches and echo checks as the injection count;
a second statistics sub-unit for counting the number of database probing operations as the probing count;
a third statistics sub-unit for counting the number of database data export operations as the data export count;
a fourth statistics sub-unit for counting the number of operations that drop a database or table as the dangerous-operation count.
Optionally, the operation behavior data further comprises statistics of preset normal operation behaviors;
and the data acquisition module comprises:
a second acquisition unit for obtaining all operation statements in the audit log;
a second recognition unit for matching all operation statements against a pre-constructed second behavior recognition rule to identify the preset operation behaviors associated with database dumping and the preset normal operation behaviors;
a second statistics unit for counting the preset operation behaviors associated with database dumping and the preset normal operation behaviors to obtain the user's operation behavior data for the database under test.
Optionally, the preset operation behaviors associated with database dumping comprise: searching for injection points, checking for echoed output, database probing, database data export, and dropping a database or table; the preset normal operation behaviors comprise query operations;
the operation behavior data comprises: an injection count, a probing count, a data export count, a dangerous-operation count and a normal-operation count;
and the second statistics unit comprises:
a fifth statistics sub-unit for counting the total number of injection-point searches and echo checks as the injection count;
a sixth statistics sub-unit for counting the number of database probing operations as the probing count;
a seventh statistics sub-unit for counting the number of database data export operations as the data export count;
an eighth statistics sub-unit for counting the number of operations that drop a database or table as the dangerous-operation count;
a ninth statistics sub-unit for counting the number of query operations as the normal-operation count.
Optionally, the device further comprises:
a saving module which, after the detection module has compared the operation behavior data with the pre-created user behavior baseline and obtained the database dumping detection result, saves the operation behavior data of the database under test for the current detection cycle as the user behavior baseline for the next detection cycle if the detection result is that the database under test is not under a dumping attack.
Optionally, the detection module comprises:
a calculation unit for calculating the deviation degree between the operation behavior data and the pre-created user behavior baseline;
a judging unit for judging, from the calculated deviation degree, whether the database under test is under a dumping attack.
Optionally, the judging unit comprises:
a first judging sub-unit for judging that the database under test is not under a dumping attack when the deviation degree is less than a preset threshold;
a second judging sub-unit for judging that the database under test is under a dumping attack when the deviation degree is greater than the preset threshold.
Optionally, the calculation unit is specifically configured to calculate the deviation degree using the following formula:
where n is the number of data dimensions of the operation behavior data and of the user behavior baseline, X_i is the i-th dimension of the user behavior baseline, and Y_i is the i-th dimension of the operation behavior data.
In a third aspect, an embodiment of the invention provides electronic equipment comprising a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory communicate with one another over the communication bus;
the memory is configured to store a computer program;
the processor, when executing the program stored in the memory, implements any of the method steps of the first aspect.
In a fourth aspect, an embodiment of the invention provides a computer-readable storage medium storing instructions which, when run on a computer, cause the computer to execute any of the method steps of the first aspect.
In a fifth aspect, an embodiment of the invention provides a computer program product comprising instructions which, when run on a computer, cause the computer to execute any of the method steps of the first aspect.
The method, device and electronic equipment for detecting database dumping behavior provided by the embodiments of the invention first obtain the audit log of the database under test and extract from it the user's operation behavior data for the database under test; they then compare the operation behavior data with a pre-created user behavior baseline to obtain the database dumping detection result. Because the operation behavior data is derived dynamically from the user operations recorded in the audit log, and includes statistics of preset operation behaviors associated with database dumping, using its comparison with the user behavior baseline as the basis for detection yields a dumping detection result with fewer false positives and a higher detection accuracy.
Of course, a product or method implementing the invention need not achieve all of the above advantages at the same time.
Detailed description of the invention
To explain the technical solutions of the embodiments of the invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below.
Fig. 1 is a flow chart of a method for detecting database dumping behavior provided by an embodiment of the invention;
Fig. 2 is a flow chart of another method for detecting database dumping behavior provided by an embodiment of the invention;
Fig. 3 is a flow chart of yet another method for detecting database dumping behavior provided by an embodiment of the invention;
Fig. 4 is a structural diagram of a device for detecting database dumping behavior provided by an embodiment of the invention;
Fig. 5 is a diagram of electronic equipment provided by an embodiment of the invention.
Specific embodiment
The technical solutions of the embodiments of the invention are described clearly and completely below with reference to the drawings.
In order to detect database dumping behavior, the embodiments of the invention provide a method, device and electronic equipment for detecting database dumping behavior.
As one embodiment, the method for detecting database dumping behavior provided by the invention is applied to a server. When dumping a database, an attacker not only executes normal operations such as data queries but also repeatedly performs operations associated with dumping, for example searching for injection points, checking for echoed output, probing the database, exporting database data, and dropping databases or tables. The user's operations associated with dumping can therefore be counted, and the statistics compared with a pre-created user behavior baseline representing periods in which no dumping occurred, in order to detect whether the database is under a dumping attack.
Specifically, as shown in Fig. 1, the method comprises:
S101: obtaining the audit log of the database under test.
In this step, the audit log may contain information about database operations such as the operator, the operation time and the operation statement.
S102: obtaining, from the audit log, the user's operation behavior data for the database under test, the operation behavior data comprising statistics of preset operation behaviors associated with database dumping.
Specifically, the audit log contains multiple operation statements, each of which represents one operation. From these statements it can be determined whether the operations the user performed on the database under test include operations associated with dumping, and each preset operation behavior associated with dumping can then be counted to obtain the operation behavior data.
In practice, the database under test may be checked for dumping periodically. In that case, the user's operation behavior data for the database under test within the current detection cycle is obtained from the audit log generated by the database under test in the current detection cycle.
S103: comparing the operation behavior data with the pre-created user behavior baseline to obtain the database dumping detection result, the user behavior baseline being the operation behavior data of the database under test while it is not under a dumping attack.
Specifically, if the database under test is checked for dumping periodically, the user behavior baseline may be the user's operation behavior data for the database under test in the previous detection cycle, while the database was not under a dumping attack. In other embodiments the user behavior baseline may also be preset from historical operation behavior data.
As can be seen from the embodiment of Fig. 1, because the operation behavior data is derived dynamically from the user operations recorded in the audit log, and includes statistics of preset operation behaviors associated with database dumping, using its comparison with the user behavior baseline as the basis for detection yields a dumping detection result with fewer false positives and a higher detection accuracy.
As another embodiment, another method for detecting database dumping behavior provided by the invention is applied to a server.
Specifically, as shown in Fig. 2, the method comprises:
S201: obtaining the audit log generated by the database under test in the current detection cycle.
In this embodiment, the database under test may be checked for dumping periodically; the detection cycle is set according to the circumstances and may be, for example, one day or one week.
S202: obtaining all operation statements in the audit log.
S203: matching all operation statements against a pre-constructed first behavior recognition rule to identify the preset operation behaviors associated with database dumping.
Specifically, because executing the preset operations associated with dumping uses particular functions or characters in the operation statements, matching rules containing those functions or characters can be preset as the first behavior recognition rule. Regular expressions are then used to find, among all operation statements, those that satisfy the preset matching rules; the operations performed by the statements found are the preset operations associated with dumping.
The preset operations associated with dumping may include: searching for injection points, checking for echoed output, database probing, database data export, and dropping a database or table.
S204: counting the preset operation behaviors associated with database dumping to obtain the user's operation behavior data for the database under test.
In this step, the operation behavior data may comprise an injection count, a probing count, a data export count and a dangerous-operation count.
Specifically, the total number of injection-point searches and echo checks is counted as the injection count; the number of database probing operations is counted as the probing count; the number of database data export operations is counted as the data export count; and the number of operations that drop a database or table is counted as the dangerous-operation count.
S205: calculating the deviation degree between the operation behavior data and the pre-created user behavior baseline.
S206: judging, from the calculated deviation degree, whether the database under test is under a dumping attack.
In this embodiment, the deviation degree between the operation behavior data and the user behavior baseline is calculated using the following formula:
where n is the number of data dimensions of the operation behavior data and of the user behavior baseline, X_i is the i-th dimension of the user behavior baseline, and Y_i is the i-th dimension of the operation behavior data. For example, when the operation behavior data comprises the injection count, the probing count, the data export count and the dangerous-operation count, n = 4, and Y_1, Y_2, Y_3 and Y_4 denote the injection count, the probing count, the data export count and the dangerous-operation count respectively.
If the deviation degree is less than the preset threshold, the database under test is judged not to be under a dumping attack; if the deviation degree is greater than the preset threshold, the database under test is judged to be under a dumping attack.
In addition, when the detection result is that the database under test is not under a dumping attack, the operation behavior data of the database under test for the current detection cycle may be saved as the user behavior baseline for the next detection cycle.
As yet another embodiment, a further method for detecting database dumping behavior provided by the invention is applied to a server.
Specifically, as shown in Fig. 3, the method comprises:
S301: obtaining the audit log generated by the database under test in the current detection cycle.
S302: obtaining all operation statements in the audit log.
S303: matching all operation statements against a pre-constructed second behavior recognition rule to identify the preset operation behaviors associated with database dumping and the preset normal operation behaviors.
S304: counting the preset operation behaviors associated with database dumping and the preset normal operation behaviors to obtain the user's operation behavior data for the database under test.
In steps S303 to S304, a second behavior recognition rule is constructed in advance; it contains the particular functions or characters used when executing the preset operations associated with dumping and when executing the preset normal operations. Regular expressions are then used to match, according to the second behavior recognition rule, the operation statements that execute normal operations and the operation statements that execute operations associated with dumping. Finally, the preset operations associated with dumping and the preset normal operations are counted.
The preset operations associated with dumping comprise: searching for injection points, checking for echoed output, database probing, database data export, and dropping a database or table. The preset normal operations comprise query operations. The operation behavior data comprises: an injection count, a probing count, a data export count, a dangerous-operation count and a normal-operation count.
When counting the preset operations associated with dumping and the preset normal operations, the total number of injection-point searches and echo checks is counted as the injection count; the number of database probing operations is counted as the probing count; the number of database data export operations is counted as the data export count; the number of operations that drop a database or table is counted as the dangerous-operation count; and the number of query operations is counted as the normal-operation count.
S305, calculating the deviation degree between the operation behavior data and the pre-created user behavior baseline.
S306, judging, according to the calculated deviation degree, whether the database under test has suffered a drag-library attack.
In this embodiment, steps S301 to S302 and S305 to S306 are the same as steps S201 to S202 and S205 to S206 of the embodiment shown in Fig. 2, and are not described again here.
It can be understood that in the embodiment of Fig. 3 the pre-created user behavior baseline is updated dynamically as the detection period changes; therefore, using the comparison between the operation behavior data and the pre-created user behavior baseline as the detection basis can further improve the accuracy of database drag-library behavior detection. In addition, the operation behavior data in the embodiment of Fig. 3 further include statistics of normal operation behaviors, which further improves the accuracy of database drag-library behavior detection.
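The Fig. 3 procedure above (rule matching on audit-log statements, counting the five behavior counters, computing the deviation degree against the previous period's baseline, comparing it with a threshold, and rolling the baseline over only when no attack is found), as an added Python example that is not code from the patent. The regular-expression rules, the audit-log line format, the threshold value and the Euclidean form of the deviation degree are assumptions made for this example, since the patent's own formula is given only as a figure.

```python
"""Added example (not the patent's code): drag-library detection over audit-log statements."""
import math
import re
from dataclasses import astuple, dataclass

# Constructed audit-log excerpts for one quiet detection period and one suspicious one.
# Line format is assumed: "<timestamp> <user> <statement>".
QUIET_PERIOD_LOG = """\
2019-05-27T09:00:01 app SELECT id, name FROM users WHERE id = 42
2019-05-27T09:00:05 app SELECT total FROM orders WHERE user_id = 42
2019-05-27T09:00:09 app UPDATE users SET last_login = NOW() WHERE id = 42
2019-05-27T09:00:12 app SELECT id, name FROM users WHERE id = 77
"""
SUSPICIOUS_PERIOD_LOG = """\
2019-05-27T10:00:01 app SELECT id, name FROM users WHERE id = 42 AND 1=1
2019-05-27T10:00:02 app SELECT id, name FROM users WHERE id = 42 AND 1=2
2019-05-27T10:00:04 app SELECT id, name FROM users WHERE id = 0 UNION SELECT 1,2
2019-05-27T10:00:06 app SELECT schema_name FROM information_schema.schemata
2019-05-27T10:00:07 app SELECT table_name FROM information_schema.tables
2019-05-27T10:00:09 app SELECT * FROM users INTO OUTFILE '/tmp/u.txt'
2019-05-27T10:00:11 app DROP TABLE audit_trail
2019-05-27T10:00:13 app SELECT total FROM orders WHERE user_id = 42
"""

# "Second behavior recognition rule": assumed regexes, one per preset behavior.
# Order matters: the first matching category wins, so the specific drag-library
# patterns are tested before the generic query pattern.
RULES = (
    ("injection_point", re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b|\bSLEEP\s*\(|\bBENCHMARK\s*\(", re.I)),
    ("echo_judgment", re.compile(r"\b(?:AND|OR)\s+\d+\s*=\s*\d+\b", re.I)),  # constant-condition tests
    ("db_probing", re.compile(r"\binformation_schema\b|\bSHOW\s+(?:DATABASES|TABLES)\b|\b(?:DATABASE|VERSION)\s*\(\s*\)", re.I)),
    ("data_export", re.compile(r"\bINTO\s+(?:OUTFILE|DUMPFILE)\b", re.I)),
    ("drop_db_or_table", re.compile(r"\bDROP\s+(?:DATABASE|SCHEMA|TABLE)\b", re.I)),
    ("query", re.compile(r"^\s*SELECT\b", re.I)),  # the preset normal operation
)


@dataclass(frozen=True)
class BehaviorCounts:
    """The operation behavior data: one counter per dimension, n = 5."""
    injection: int    # injection-point searches + echo judgments
    db_bursting: int  # database probing ("baoku") operations
    data_export: int  # database data export operations
    dangerous: int    # database/table deletions
    normal: int       # plain query operations

    def as_vector(self):
        return astuple(self)


def parse_audit_log(text):
    """Step S303: pull the operation statement out of every well-formed log line."""
    statements = []
    for line in text.splitlines():
        parts = line.split(" ", 2)
        if len(parts) == 3 and parts[2].strip():
            statements.append(parts[2].strip())
    return statements


def classify(statement):
    """Return the first matching rule name, or None if no preset behavior matches."""
    for name, pattern in RULES:
        if pattern.search(statement):
            return name
    return None


def count_behaviors(statements):
    """Step S304: tally the matched behaviors into the five counters."""
    tally = {name: 0 for name, _ in RULES}
    for stmt in statements:
        category = classify(stmt)
        if category is not None:
            tally[category] += 1
    return BehaviorCounts(
        injection=tally["injection_point"] + tally["echo_judgment"],
        db_bursting=tally["db_probing"],
        data_export=tally["data_export"],
        dangerous=tally["drop_db_or_table"],
        normal=tally["query"],
    )


def deviation_degree(baseline, current):
    """Step S305, assumed form: Euclidean distance between X (baseline) and Y (current)."""
    x, y = baseline.as_vector(), current.as_vector()
    return math.sqrt(sum((yi - xi) ** 2 for xi, yi in zip(x, y)))


def run_detection_period(baseline, log_text, threshold):
    """Steps S303 to S306 plus the baseline rollover for one detection period.

    Returns (attacked, current_counts, next_baseline). A deviation strictly above
    the threshold means "attacked" (the patent leaves equality unspecified; it is
    treated as not attacked here). The baseline advances only on a clean period,
    so an attacked period never contaminates the next period's baseline.
    """
    current = count_behaviors(parse_audit_log(log_text))
    attacked = deviation_degree(baseline, current) > threshold
    next_baseline = baseline if attacked else current
    return attacked, current, next_baseline


if __name__ == "__main__":
    base = count_behaviors(parse_audit_log(QUIET_PERIOD_LOG))
    hit, cur, nxt = run_detection_period(base, SUSPICIOUS_PERIOD_LOG, threshold=2.0)
    print("baseline:", base, "\ncurrent:", cur, "\nattacked:", hit, "\nnext baseline:", nxt)
```

Because the normal-query counter usually dwarfs the others in production, an unnormalized distance can hide a small burst of probing behind ordinary traffic growth; scaling each dimension before the comparison is the obvious refinement.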
As an embodiment of the present invention, as shown in Fig. 4, a detection device for database drag-library behavior provided by the embodiment of the present invention is applied to a server, and the device includes:
a log acquisition module 410, for acquiring the audit log of the database under test;
a data acquisition module 420, for acquiring, from the audit log, the user's operation behavior data on the database under test, the operation behavior data comprising: statistics of preset drag-library-related operation behaviors;
a detection module 430, for comparing the operation behavior data with a pre-created user behavior baseline to obtain a database drag-library detection result, the user behavior baseline being: the operation behavior data of the database under test while not under drag-library attack.
With the detection device for database drag-library behavior provided by the embodiment of the present invention, the audit log of the database under test is first acquired, and the user's operation behavior data on the database under test are obtained from the audit log; then, the operation behavior data are compared with the pre-created user behavior baseline to obtain the database drag-library detection result. Because the operation behavior data are obtained dynamically from the user operation behavior recorded in the audit log and include statistics of the preset drag-library-related operation behaviors, using their comparison with the user behavior baseline as the detection basis yields a database drag-library detection result with fewer false positives, improving the accuracy of database drag-library behavior detection.
As an embodiment of the present invention, the log acquisition module 410 is specifically used for acquiring the audit log generated by the database under test in the current detection period;
the data acquisition module 420 is specifically used for acquiring, from the audit log generated by the database under test in the current detection period, the user's operation behavior data on the database under test within the current detection period;
the user behavior baseline is: the user's operation behavior data, in the previous detection period, on the database under test while it was not under drag-library attack.
As an embodiment of the present invention, the data acquisition module 420 may include:
a first acquisition unit, for acquiring all operation statements in the audit log;
a first recognition unit, for performing statement matching on all the operation statements according to a first behavior recognition rule constructed in advance, to identify the preset drag-library-related operation behaviors;
a first statistics unit, for counting the preset drag-library-related operation behaviors to obtain the user's operation behavior data on the database under test.
As an embodiment of the present invention, the preset drag-library-related operation behaviors comprise: searching for injection points, echo judgment, database probing, database data export, and deleting a database or table;
the operation behavior data comprise: the injection count, the database-bursting count, the database data export operation count and the dangerous behavior count;
the first statistics unit comprises:
a first statistics subunit, for counting the sum of the numbers of injection-point searching operations and echo judgment operations, as the injection count;
a second statistics subunit, for counting the number of database probing operations, as the database-bursting count;
a third statistics subunit, for counting the number of database data export operations;
a fourth statistics subunit, for counting the number of operations deleting a database or table, as the dangerous behavior count.
As an embodiment of the present invention, the operation behavior data further comprise: statistics of preset normal operation behaviors;
the data acquisition module 420 may include:
a second acquisition unit, for acquiring all operation statements in the audit log;
a second recognition unit, for performing statement matching on all the operation statements according to a second behavior recognition rule constructed in advance, to identify the preset drag-library-related operation behaviors and the preset normal operation behaviors;
a second statistics unit, for counting the preset drag-library-related operation behaviors and the preset normal operation behaviors to obtain the user's operation behavior data on the database under test.
As an embodiment of the present invention, the preset drag-library-related operation behaviors comprise: searching for injection points, echo judgment, database probing, database data export, and deleting a database or table; the preset normal operation behaviors comprise: query operations;
the operation behavior data comprise: the injection count, the database-bursting count, the database data export operation count, the dangerous behavior count and the normal operation count;
the second statistics unit comprises:
a fifth statistics subunit, for counting the sum of the numbers of injection-point searching operations and echo judgment operations, as the injection count;
a sixth statistics subunit, for counting the number of database probing operations, as the database-bursting count;
a seventh statistics subunit, for counting the number of database data export operations;
an eighth statistics subunit, for counting the number of operations deleting a database or table, as the dangerous behavior count;
a ninth statistics subunit, for counting the number of query operations, as the normal operation count.
As an embodiment of the present invention, the device further includes:
a preserving module, for, after the detection module has compared the operation behavior data with the pre-created user behavior baseline and obtained the database drag-library detection result, saving the operation behavior data of the database under test in the current detection period as the user behavior baseline of the next detection period if the detection result is that the database under test has not suffered a drag-library attack.
As an embodiment of the present invention, the detection module 430 comprises:
a computing unit, for calculating the deviation degree between the operation behavior data and the pre-created user behavior baseline;
a judging unit, for judging, according to the calculated deviation degree, whether the database under test has suffered a drag-library attack.
As an embodiment of the present invention, the judging unit comprises:
a first judgment subunit, for judging that the database under test has not suffered a drag-library attack when the deviation degree is less than a preset threshold;
a second judgment subunit, for judging that the database under test has suffered a drag-library attack when the deviation degree is greater than the preset threshold.
As an embodiment of the present invention, the computing unit is specifically used for calculating the deviation degree using the following formula:
where n denotes the data dimension of the operation behavior data and the user behavior baseline, X_i is the i-th dimension of the user behavior baseline, and Y_i is the i-th dimension of the operation behavior data.
The embodiment of the present invention also provides an electronic device, as shown in Fig. 5, comprising a processor 501, a communication interface 502, a memory 503 and a communication bus 504, where the processor 501, the communication interface 502 and the memory 503 communicate with each other through the communication bus 504;
the memory 503 is used for storing a computer program;
the processor 501, when executing the program stored in the memory 503, implements the following steps:
acquiring the audit log of the database under test;
acquiring, from the audit log, the user's operation behavior data on the database under test, the operation behavior data comprising: statistics of preset drag-library-related operation behaviors;
comparing the operation behavior data with a pre-created user behavior baseline to obtain a database drag-library detection result, the user behavior baseline being: the operation behavior data of the database under test while not under drag-library attack.
The communication bus of the above electronic device may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The communication bus may be divided into an address bus, a data bus, a control bus and so on. For ease of representation, only one thick line is drawn in the figure, which does not mean that there is only one bus or only one type of bus.
The communication interface is used for communication between the above electronic device and other devices.
The memory may include random access memory (RAM) and may also include non-volatile memory (NVM), for example at least one disk storage. Optionally, the memory may also be at least one storage device located remotely from the aforementioned processor.
The above processor may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP) and the like; it may also be a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
In another embodiment provided by the present invention, a computer-readable storage medium is further provided, in which a computer program is stored; when executed by a processor, the computer program implements the steps of any of the above detection methods for database drag-library behavior.
In another embodiment provided by the present invention, a computer program product comprising instructions is further provided, which, when run on a computer, causes the computer to execute the steps of the detection method for database drag-library behavior of any of the above embodiments.
The above embodiments may be implemented wholly or partly by software, hardware, firmware or any combination thereof. When implemented in software, they may be implemented wholly or partly in the form of a computer program product. The computer program product comprises one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the processes or functions described in the embodiments of the present invention are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network or another programmable device. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server or data center to another website, computer, server or data center by wired means (such as coaxial cable, optical fiber or digital subscriber line (DSL)) or wireless means (such as infrared, radio or microwave). The computer-readable storage medium may be any usable medium accessible by a computer, or a data storage device such as a server or data center integrating one or more usable media. The usable medium may be a magnetic medium (for example a floppy disk, hard disk or magnetic tape), an optical medium (for example a DVD), or a semiconductor medium (for example a solid state disk (SSD)).
It should be noted that, in this document, relational terms such as first and second are used only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between these entities or operations. Moreover, the terms "include", "comprise" or any other variant thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device comprising a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or device. In the absence of further limitation, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes the element.
Each embodiment in this specification is described in a related manner; the same or similar parts among the embodiments may be referred to each other, and each embodiment focuses on its differences from the others. In particular, the device embodiment is described relatively briefly because it is substantially similar to the method embodiment, and for relevant details reference may be made to the description of the method embodiment.
The foregoing is merely a description of preferred embodiments of the present invention and is not intended to limit the scope of the present invention. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention is included in the scope of protection of the present invention.
Claims (21)
1. A detection method for database drag-library behavior, characterized in that the method is applied to a server and comprises:
acquiring the audit log of a database under test;
acquiring, from the audit log, a user's operation behavior data on the database under test, the operation behavior data comprising: statistics of preset drag-library-related operation behaviors;
comparing the operation behavior data with a pre-created user behavior baseline to obtain a database drag-library behavior detection result, the user behavior baseline being: the operation behavior data of the database under test while not under drag-library attack.
2. The method according to claim 1, characterized in that the step of acquiring the audit log of the database under test comprises:
acquiring the audit log generated by the database under test in the current detection period;
the step of acquiring, from the audit log, the user's operation behavior data on the database under test comprises:
acquiring, from the audit log generated by the database under test in the current detection period, the user's operation behavior data on the database under test within the current detection period;
the user behavior baseline is: the user's operation behavior data, in the previous detection period, on the database under test while it was not under drag-library attack.
3. The method according to claim 2, characterized in that the step of acquiring, from the audit log, the user's operation behavior data on the database under test comprises:
acquiring all operation statements in the audit log;
performing statement matching on all the operation statements according to a first behavior recognition rule constructed in advance, to identify the preset drag-library-related operation behaviors;
counting the preset drag-library-related operation behaviors to obtain the user's operation behavior data on the database under test.
4. The method according to claim 3, characterized in that the preset drag-library-related operation behaviors comprise: searching for injection points, echo judgment, database probing, database data export, and deleting a database or table;
the operation behavior data comprise: an injection count, a database-bursting count, a database data export operation count and a dangerous behavior count;
the step of counting the preset drag-library-related operation behaviors to obtain the user's operation behavior data on the database under test comprises:
counting the sum of the numbers of injection-point searching operations and echo judgment operations, as the injection count;
counting the number of database probing operations, as the database-bursting count;
counting the number of database data export operations;
counting the number of operations deleting a database or table, as the dangerous behavior count.
5. The method according to claim 2, characterized in that the operation behavior data further comprise: statistics of preset normal operation behaviors;
the step of acquiring, from the audit log, the user's operation behavior data on the database under test comprises:
acquiring all operation statements in the audit log;
performing statement matching on all the operation statements according to a second behavior recognition rule constructed in advance, to identify the preset drag-library-related operation behaviors and the preset normal operation behaviors;
counting the preset drag-library-related operation behaviors and the preset normal operation behaviors to obtain the user's operation behavior data on the database under test.
6. The method according to claim 5, characterized in that the preset drag-library-related operation behaviors comprise: searching for injection points, echo judgment, database probing, database data export, and deleting a database or table; the preset normal operation behaviors comprise: query operations;
the operation behavior data comprise: an injection count, a database-bursting count, a database data export operation count, a dangerous behavior count and a normal operation count;
the step of counting the preset drag-library-related operation behaviors and the preset normal operation behaviors to obtain the user's operation behavior data on the database under test comprises:
counting the sum of the numbers of injection-point searching operations and echo judgment operations, as the injection count;
counting the number of database probing operations, as the database-bursting count;
counting the number of database data export operations;
counting the number of operations deleting a database or table, as the dangerous behavior count;
counting the number of query operations, as the normal operation count.
7. The method according to claim 2, characterized in that, after the step of comparing the operation behavior data with the pre-created user behavior baseline to obtain the database drag-library behavior detection result, the method further comprises:
if the detection result is that the database under test has not suffered a drag-library attack, saving the operation behavior data of the database under test in the current detection period as the user behavior baseline of the next detection period.
8. The method according to claim 1, characterized in that the step of comparing the operation behavior data with the pre-created user behavior baseline to obtain the database drag-library detection result comprises:
calculating the deviation degree between the operation behavior data and the pre-created user behavior baseline;
judging, according to the calculated deviation degree, whether the database under test has suffered a drag-library attack.
9. The method according to claim 8, characterized in that the step of judging, according to the calculated deviation degree, whether the database under test has suffered a drag-library attack comprises:
if the deviation degree is less than a preset threshold, judging that the database under test has not suffered a drag-library attack;
if the deviation degree is greater than the preset threshold, judging that the database under test has suffered a drag-library attack.
10. The method according to claim 8, characterized in that the deviation degree is calculated using the following formula:
where n denotes the data dimension of the operation behavior data and the user behavior baseline, X_i is the i-th dimension of the user behavior baseline, and Y_i is the i-th dimension of the operation behavior data.
11. A detection device for database drag-library behavior, characterized in that the device is applied to a server and comprises:
a log acquisition module, for acquiring the audit log of a database under test;
a data acquisition module, for acquiring, from the audit log, a user's operation behavior data on the database under test, the operation behavior data comprising: statistics of preset drag-library-related operation behaviors;
a detection module, for comparing the operation behavior data with a pre-created user behavior baseline to obtain a database drag-library detection result, the user behavior baseline being: the operation behavior data of the database under test while not under drag-library attack.
12. The device according to claim 11, characterized in that
the log acquisition module is specifically used for acquiring the audit log generated by the database under test in the current detection period;
the data acquisition module is specifically used for acquiring, from the audit log generated by the database under test in the current detection period, the user's operation behavior data on the database under test within the current detection period;
the user behavior baseline is: the user's operation behavior data, in the previous detection period, on the database under test while it was not under drag-library attack.
13. The device according to claim 12, characterized in that the data acquisition module comprises:
a first acquisition unit, for acquiring all operation statements in the audit log;
a first recognition unit, for performing statement matching on all the operation statements according to a first behavior recognition rule constructed in advance, to identify the preset drag-library-related operation behaviors;
a first statistics unit, for counting the preset drag-library-related operation behaviors to obtain the user's operation behavior data on the database under test.
14. The device according to claim 13, characterized in that the preset drag-library-related operation behaviors comprise: searching for injection points, echo judgment, database probing, database data export, and deleting a database or table;
the operation behavior data comprise: an injection count, a database-bursting count, a database data export operation count and a dangerous behavior count;
the first statistics unit comprises:
a first statistics subunit, for counting the sum of the numbers of injection-point searching operations and echo judgment operations, as the injection count;
a second statistics subunit, for counting the number of database probing operations, as the database-bursting count;
a third statistics subunit, for counting the number of database data export operations;
a fourth statistics subunit, for counting the number of operations deleting a database or table, as the dangerous behavior count.
15. The device according to claim 12, characterized in that the operation behavior data further comprise: statistics of preset normal operation behaviors;
the data acquisition module comprises:
a second acquisition unit, for acquiring all operation statements in the audit log;
a second recognition unit, for performing statement matching on all the operation statements according to a second behavior recognition rule constructed in advance, to identify the preset drag-library-related operation behaviors and the preset normal operation behaviors;
a second statistics unit, for counting the preset drag-library-related operation behaviors and the preset normal operation behaviors to obtain the user's operation behavior data on the database under test.
16. The device according to claim 15, characterized in that the preset drag-library-related operation behaviors comprise: searching for injection points, echo judgment, database probing, database data export, and deleting a database or table;
the preset normal operation behaviors comprise: query operations;
the operation behavior data comprise: an injection count, a database-bursting count, a database data export operation count, a dangerous behavior count and a normal operation count;
the second statistics unit comprises:
a fifth statistics subunit, for counting the sum of the numbers of injection-point searching operations and echo judgment operations, as the injection count;
a sixth statistics subunit, for counting the number of database probing operations, as the database-bursting count;
a seventh statistics subunit, for counting the number of database data export operations;
an eighth statistics subunit, for counting the number of operations deleting a database or table, as the dangerous behavior count;
a ninth statistics subunit, for counting the number of query operations, as the normal operation count.
17. The device according to claim 12, characterized in that the device further comprises:
a preserving module, for, after the detection module has compared the operation behavior data with the pre-created user behavior baseline and obtained the database drag-library detection result, saving the operation behavior data of the database under test in the current detection period as the user behavior baseline of the next detection period if the detection result is that the database under test has not suffered a drag-library attack.
18. The device according to claim 11, characterized in that the detection module comprises:
a computing unit, for calculating the deviation degree between the operation behavior data and the pre-created user behavior baseline;
a judging unit, for judging, according to the calculated deviation degree, whether the database under test has suffered a drag-library attack.
19. The device according to claim 18, characterized in that the judging unit comprises:
a first judgment subunit, for judging that the database under test has not suffered a drag-library attack when the deviation degree is less than a preset threshold;
a second judgment subunit, for judging that the database under test has suffered a drag-library attack when the deviation degree is greater than the preset threshold.
20. The device according to claim 18, characterized in that the computing unit is specifically used for calculating the deviation degree using the following formula:
where n denotes the data dimension of the operation behavior data and the user behavior baseline, X_i is the i-th dimension of the user behavior baseline, and Y_i is the i-th dimension of the operation behavior data.
21. An electronic device, characterized in that it comprises a processor, a communication interface, a memory and a communication bus, where the processor, the communication interface and the memory communicate with each other through the communication bus;
the memory is used for storing a computer program;
the processor, when executing the program stored in the memory, implements the method steps of any one of claims 1 to 10.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910447188.7A CN110222530A (en) | 2019-05-27 | 2019-05-27 | A kind of database drags detection method, device and the electronic equipment of library behavior |
Publications (1)
Publication Number | Publication Date |
---|---|
CN110222530A true CN110222530A (en) | 2019-09-10 |
Family
ID=67818523
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910447188.7A Pending CN110222530A (en) | 2019-05-27 | 2019-05-27 | A kind of database drags detection method, device and the electronic equipment of library behavior |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110222530A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111046382A (en) * | 2019-12-30 | 2020-04-21 | 武汉英迈信息科技有限公司 | Database auditing method, device, storage medium and device |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105447408A (en) * | 2015-12-03 | 2016-03-30 | 曙光信息产业(北京)有限公司 | Data protection method and apparatus |
KR101608221B1 (en) * | 2014-10-27 | 2016-04-01 | 주식회사 웨어밸리 | System and method of sensing cyber threat using database access pattern |
CN107517203A (en) * | 2017-08-08 | 2017-12-26 | 北京奇安信科技有限公司 | A kind of user behavior baseline method for building up and device |
CN107528832A (en) * | 2017-08-04 | 2017-12-29 | 北京中晟信达科技有限公司 | Baseline structure and the unknown anomaly detection method of a kind of system-oriented daily record |
Events timeline
- 2019-05-27 CN CN201910447188.7A patent/CN110222530A/en active Pending
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR101608221B1 (en) * | 2014-10-27 | 2016-04-01 | 주식회사 웨어밸리 | System and method of sensing cyber threat using database access pattern |
CN105447408A (en) * | 2015-12-03 | 2016-03-30 | 曙光信息产业(北京)有限公司 | Data protection method and apparatus |
CN107528832A (en) * | 2017-08-04 | 2017-12-29 | 北京中晟信达科技有限公司 | Baseline construction and unknown anomaly detection method for system logs |
CN107517203A (en) * | 2017-08-08 | 2017-12-26 | 北京奇安信科技有限公司 | A kind of user behavior baseline method for building up and device |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111046382A (en) * | 2019-12-30 | 2020-04-21 | 武汉英迈信息科技有限公司 | Database auditing method, device, storage medium and device |
CN111046382B (en) * | 2019-12-30 | 2024-04-02 | 武汉英迈信息科技有限公司 | Database auditing method, equipment, storage medium and device |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN110958220B (en) | Network space security threat detection method and system based on heterogeneous graph embedding | |
US9860262B2 (en) | Methods and systems for encoding computer processes for malware detection | |
CN107659570A (en) | Webshell detection methods and system based on machine learning and static and dynamic analysis | |
TWI684151B (en) | Method and device for detecting illegal transaction | |
CN109376078B (en) | Mobile application testing method, terminal equipment and medium | |
CN107992738B (en) | Account login abnormity detection method and device and electronic equipment | |
CN110572409B (en) | Industrial Internet security risk prediction method, device, equipment and storage medium | |
CN105471819A (en) | Account abnormity detection method and account abnormity detection device | |
CN110414277B (en) | Gate-level hardware Trojan horse detection method based on multi-feature parameters | |
WO2017040574A1 (en) | Method, apparatus and system for detecting fraudulent software promotion | |
CN108900496A (en) | Detection method and device for quickly detecting whether a website has been implanted with a cryptomining trojan |
CN110519208A (en) | Method for detecting abnormality, device and computer-readable medium | |
CN105740711B (en) | A kind of malicious code detecting method and system based on kernel objects behavior ontology | |
CN107247902A (en) | Malware categorizing system and method | |
CN109344611A (en) | Access control method, terminal device and the medium of application | |
CN109905396A (en) | A kind of WebShell file test method, device and electronic equipment | |
CN113158197B (en) | SQL injection vulnerability detection method and system based on active IAST | |
CN110213255A (en) | Method, apparatus and electronic device for performing trojan detection on a host |
CN106789837A (en) | Network anomalous behaviors detection method and detection means | |
CN108234426A (en) | APT attacks alarm method and APT attack alarm devices | |
CN110222530A (en) | A kind of database drags detection method, device and the electronic equipment of library behavior | |
CN105608383B (en) | ActiveX control loophole test method and system | |
CN108156127A (en) | Network attack mode judging device, judging method and computer readable storage medium thereof | |
CN111104670B (en) | APT attack identification and protection method | |
CN105893846A (en) | Method and device for protecting target application program and electronic equipment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | | |
SE01 | Entry into force of request for substantive examination | | |
RJ01 | Rejection of invention patent application after publication | | Application publication date: 20190910 |