CN110866278A - Method and device for blocking real-time intrusion of database - Google Patents
Publication number: CN110866278A (application CN201911113710.4)
Authority: CN (China)
Prior art keywords: database, blocking, address, blocking mechanism, real
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/577—Assessing vulnerabilities and evaluating computer system security
Abstract
The invention provides a method and a device for blocking real-time intrusion of a database. The method comprises: monitoring in real time a target database table that is forged on the basis of a real business scenario; when an operation on the target database table is monitored, recording the relevant data of the operation; constructing a database blocking mechanism according to that data; and blocking attacks on the database in real time by using the database blocking mechanism, thereby protecting the database in real time.
Description
Technical Field
The invention relates to the technical field of databases, in particular to a method and a device for blocking real-time intrusion of a database.
Background
With the development of database technology, databases are used ever more widely, and database security has become a research focus in the field.
Existing database security products fall mainly into vulnerability scanners, database audit products, database honeypots and the like. Vulnerability scanning relies mainly on public vulnerability databases and discovers database vulnerabilities by version comparison and, in part, by proof-of-concept (POC) checks; but because the database is a core part of the service, remediating by upgrading to a new major version may introduce stability and compatibility problems. Database audit products mostly rely on analysing database traffic and suffer from high false-positive rates in complex business environments. The ability of a database honeypot to detect unknown threats is determined to a large extent by the designed scenario, the realism of the simulated system and whether the deployment scheme is reasonable.
None of these three product types, however, can block an attack on the database in real time, so none of them protects the database in real time.
Disclosure of Invention
In view of this, the present invention provides a method and an apparatus for blocking real-time intrusion of a database, so as to achieve real-time blocking of an attack behavior against the database.
In order to achieve the above purpose, the invention provides the following specific technical scheme:
a real-time intrusion blocking method for a database comprises the following steps:
monitoring a target database table in real time, wherein the target database table is forged based on a real business scene;
when the operation behavior of the target database table is monitored, recording relevant data of the operation behavior;
constructing a database blocking mechanism according to the relevant data of the operation behaviors;
and blocking the attack behavior aiming at the database in real time by utilizing the database blocking mechanism.
Optionally, the method further includes:
acquiring a database table naming rule of a service system in a real service scene;
and generating the target database table which accords with the database table naming rule of the business system.
Optionally, the data related to the operation behavior includes a source IP address, a source port number, and an operation time.
Optionally, the constructing a database blocking mechanism according to the data related to the operation behavior includes:
and constructing an external public network IP address blocking mechanism and an internal network IP address blocking mechanism according to the source IP address in the relevant data of the operation behavior.
Optionally, the blocking, in real time, an attack action on the database by using the database blocking mechanism includes:
calling an API (application program interface) of a firewall by using the external public network IP address blocking mechanism to realize automatic blocking of the illegal external public network IP address;
and isolating the communication between the database server and the intranet server by using the intranet IP address blocking mechanism.
A database real-time intrusion blocking apparatus, comprising:
the database table monitoring unit is used for monitoring a target database table in real time, and the target database table is forged based on a real business scene;
the operation behavior recording unit is used for recording relevant data of the operation behavior when the operation behavior of the target database table is monitored;
the blocking mechanism constructing unit is used for constructing a database blocking mechanism according to the relevant data of the operation behaviors;
and the attack behavior blocking unit is used for blocking the attack behavior aiming at the database in real time by utilizing the database blocking mechanism.
Optionally, the apparatus further comprises:
the database table generating unit is used for acquiring a database table naming rule of a service system in a real service scene; and generating the target database table which accords with the database table naming rule of the business system.
Optionally, the data related to the operation behavior includes a source IP address, a source port number, and an operation time.
Optionally, the blocking mechanism constructing unit is specifically configured to construct an external public network IP address blocking mechanism and an internal network IP address blocking mechanism according to the source IP address in the relevant data of the operation behavior.
Optionally, the attack behavior blocking unit is specifically configured to:
calling an API (application program interface) of a firewall by using the external public network IP address blocking mechanism to realize automatic blocking of the illegal external public network IP address;
and isolating the communication between the database server and the intranet server by using the intranet IP address blocking mechanism.
Compared with the prior art, the invention has the following beneficial effects:
the invention discloses a real-time intrusion blocking method for a database. A target database table forged on the basis of a real business scenario is monitored in real time and operations on it are recorded. Because the table is forged, any operation on it is necessarily an illegal attack; a database blocking mechanism is established on that basis and used to block attacks on the database in real time, thereby protecting the database in real time.
Drawings
In order to illustrate the embodiments of the invention or the prior-art solutions more clearly, the drawings used in their description are briefly introduced below. The drawings described below show only embodiments of the invention; those skilled in the art can derive other drawings from them without creative effort.
Fig. 1 is a schematic flowchart of a real-time intrusion blocking method for a database according to an embodiment of the present invention;
fig. 2 is a schematic structural diagram of a real-time database intrusion blocking device according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The embodiment discloses a method for blocking real-time intrusion of a database, which is applied to a server on which the database is deployed. Referring to fig. 1, the method comprises the following steps:
S101: monitoring a target database table in real time;
The target database table is forged (a decoy) on the basis of a real business scenario, namely the business scenario served by the database. A real business scenario comprises at least one business system; in a banking scenario, for example, a user login system, a customer information management system and a fund transaction system.
To forge a target database table, the naming rule of the business system's tables is first acquired. For example, the table naming rule of the User Login system is XXX_User_Login, that of the Customer Information management system is XXX_Customer_Information, and that of the fund Transaction system is XXX_Capital_Transaction.
A target database table conforming to that naming rule is then generated; it can be an empty table or be filled with random data. A decoy is only credible if its name and shape are indistinguishable from the production tables, and it must be given a name that cannot collide with an existing production table.
S102: when an operation on the target database table is monitored, recording the relevant data of the operation;
Because the target database table is forged, no legitimate business flow references it, so any operation on it is treated as an illegal attack by a party that does not know in advance that the table is a decoy. This holds only as long as no legitimate component (application code, backup, replication or schema-discovery jobs, vulnerability scanners) is ever pointed at the decoy; otherwise the blocking mechanism built on these records will cut off legitimate hosts.
The relevant data of the operation can include the source IP address, the source port number and the operation time; recording them lets operations and maintenance staff trace the illegal attack afterwards.
S103: constructing a database blocking mechanism according to the relevant data of the operation;
The source IP address is either an external public network IP address or an internal network IP address. An external public network IP address blocking mechanism and an internal network IP address blocking mechanism are constructed according to the source IP address in the recorded data, so that illegal attacks from both external public and internal addresses are blocked.
S104: blocking the attack on the database in real time by using the database blocking mechanism.
Specifically, the external public network IP address blocking mechanism calls the API (application program interface) of the perimeter firewall, so that the offending external public IP address is blocked automatically.
The internal network IP address blocking mechanism isolates communication between the database server and the offending intranet server.
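The following Python example is added here and is not part of the patent. It implements steps S101 to S104 end to end on a constructed audit log: it forges decoy tables from the naming rules above, records source IP, port and time of every statement that touches a decoy, and turns those records into blocking actions, sending external public sources to a firewall API and isolating intranet sources at the database host. It consumes a query audit log rather than table triggers because read-only access to a decoy never fires an INSERT/UPDATE/DELETE trigger. The log line format, the ACME prefix standing in for the page's XXX, the _Hist decoy suffix, the MySQL port, the RFC 1918 ranges used as the intranet and the shape of the firewall payload are all assumptions.

```python
"""Decoy-table monitoring and blocking (S101-S104), added example.

Assumptions, not from the page: the audit-log line format, the "ACME"
prefix standing in for the page's "XXX", the "_Hist" decoy suffix, MySQL on
port 3306, RFC 1918 ranges as the intranet, and the firewall API payload.
"""
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime

# S101: table naming rules of the business systems named on the page.
NAMING_RULES = ("{p}_User_Login", "{p}_Customer_Information", "{p}_Capital_Transaction")

# Assumed intranet: the organisation's RFC 1918 space. Any other routable
# address is treated as an external public address.
INTRANET = tuple(ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))
DB_PORT = 3306  # assumption: MySQL listener on the database server

# Constructed audit-log format (assumption): "<ts> src=<ip>:<port> user=<u> stmt=<sql>".
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"src=(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) "
    r"user=(?P<user>\S+) stmt=(?P<stmt>.*)$"
)
# Table names a statement touches: the identifier after FROM/JOIN/INTO/UPDATE/TABLE.
TABLE_RE = re.compile(r"\b(?:FROM|JOIN|INTO|UPDATE|TABLE)\s+`?(\w+)`?", re.IGNORECASE)


def forge_decoy_tables(prefix, real_tables, suffix="Hist"):
    """S101: generate decoy names that follow the business naming rule.

    A decoy must look like a plausible sibling of a real table but must never
    collide with one, so a collision is an error rather than silently ignored.
    """
    decoys = {f"{rule.format(p=prefix)}_{suffix}" for rule in NAMING_RULES}
    clash = decoys & set(real_tables)
    if clash:
        raise ValueError(f"decoy names collide with real tables: {sorted(clash)}")
    return decoys


@dataclass(frozen=True)
class DecoyHit:  # S102: relevant data of one operation on a decoy table
    time: datetime
    src_ip: str
    src_port: int
    user: str
    tables: tuple
    statement: str


def monitor(log_lines, decoys):
    """S102: record source IP, port and time of every statement touching a decoy."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip; never block on a guess
        touched = tuple(t for t in TABLE_RE.findall(m["stmt"]) if t in decoys)
        if touched:
            hits.append(DecoyHit(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                                 m["ip"], int(m["port"]), m["user"], touched, m["stmt"]))
    return hits


def build_block_actions(hits, db_port=DB_PORT):
    """S103/S104: one blocking action per offending source, by where it sits."""
    actions = {}
    for h in hits:
        if h.src_ip in actions:
            continue  # already scheduled; more hits from the same IP add nothing
        addr = ipaddress.ip_address(h.src_ip)
        if addr.is_loopback or addr.is_unspecified:
            continue  # the database host itself; nothing upstream can block it
        if any(addr in net for net in INTRANET):
            # Intranet IP: isolate it from the database server with a host rule.
            actions[h.src_ip] = {"mechanism": "host_isolate", "ip": h.src_ip,
                                 "rule": f"iptables -I INPUT -s {h.src_ip} -p tcp "
                                         f"--dport {db_port} -j DROP"}
        else:
            # External public IP: hand it to the perimeter firewall's API
            # (payload shape is an assumption; real APIs differ per vendor).
            actions[h.src_ip] = {"mechanism": "firewall_api", "ip": h.src_ip,
                                 "payload": {"action": "block", "src": h.src_ip,
                                             "reason": "decoy table " + ",".join(h.tables),
                                             "first_seen": h.time.isoformat()}}
    return list(actions.values())


# Constructed sample audit log, not real traffic. Line 1 touches a real table
# and must not trigger; lines 2-4 touch decoys; line 5 is malformed.
SAMPLE_AUDIT_LOG = [
    "2019-11-14 10:02:31 src=10.20.30.40:51234 user=app_svc stmt=SELECT id FROM ACME_User_Login WHERE name='alice'",
    "2019-11-14 10:02:35 src=203.0.113.45:40211 user=root stmt=SELECT * FROM ACME_User_Login_Hist",
    "2019-11-14 10:02:36 src=203.0.113.45:40212 user=root stmt=SELECT * FROM ACME_Customer_Information_Hist LIMIT 100",
    "2019-11-14 10:05:02 src=10.20.30.99:53010 user=bi_ro stmt=SELECT count(*) FROM ACME_Capital_Transaction_Hist",
    "garbage line that does not match the audit format",
]
REAL_TABLES = {"ACME_User_Login", "ACME_Customer_Information", "ACME_Capital_Transaction"}


def run(log_lines=SAMPLE_AUDIT_LOG):
    """Whole S101-S104 pipeline on the sample; returns (decoys, hits, actions)."""
    decoys = forge_decoy_tables("ACME", REAL_TABLES)
    hits = monitor(log_lines, decoys)
    return decoys, hits, build_block_actions(hits)
```

Running `run()` on the sample yields three recorded hits and two actions: a firewall payload for 203.0.113.45 and an iptables DROP rule on the database host for 10.20.30.99, while the legitimate query against ACME_User_Login and the malformed line produce nothing. The two defensive choices worth copying are the collision check in forge_decoy_tables and the refusal to act on a line the parser cannot fully read: blocking is an irreversible action against live hosts, so it must never rest on an ambiguous record.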
It can be seen that the method for blocking real-time intrusion into a database disclosed in this embodiment monitors, in real time, a target database table forged on the basis of a real business scenario and records the operations on it. Because the table is forged, any monitored operation on it is necessarily an illegal attack; a database blocking mechanism is constructed on that basis and used to block attacks on the database in real time, thereby protecting the database in real time.
Based on the method for blocking real-time intrusion into a database disclosed in the above embodiments, this embodiment correspondingly discloses a device for blocking real-time intrusion into a database, please refer to fig. 2, and the device includes:
a database table monitoring unit 201, configured to monitor a target database table in real time, where the target database table is forged based on a real service scene;
an operation behavior recording unit 202, configured to record, when an operation behavior of the target database table is monitored, relevant data of the operation behavior;
a blocking mechanism constructing unit 203, configured to construct a database blocking mechanism according to the relevant data of the operation behavior;
and the attack behavior blocking unit 204 is configured to block an attack behavior for the database in real time by using the database blocking mechanism.
Optionally, the apparatus further comprises:
the database table generating unit is used for acquiring a database table naming rule of a service system in a real service scene; and generating the target database table which accords with the database table naming rule of the business system.
Optionally, the data related to the operation behavior includes a source IP address, a source port number, and an operation time.
Optionally, the blocking mechanism constructing unit 203 is specifically configured to construct an external public network IP address blocking mechanism and an internal network IP address blocking mechanism according to the source IP address in the relevant data of the operation behavior.
Optionally, the attack behavior blocking unit 204 is specifically configured to:
calling an API (application program interface) of a firewall by using the external public network IP address blocking mechanism to realize automatic blocking of the illegal external public network IP address;
and isolating the communication between the database server and the intranet server by using the intranet IP address blocking mechanism.
The device for blocking real-time intrusion into a database disclosed in this embodiment monitors, in real time, a target database table forged on the basis of a real business scenario and records the operations on it. Because the table is forged, any monitored operation on it is necessarily an illegal attack; a database blocking mechanism is constructed on that basis and used to block attacks on the database in real time, thereby protecting the database in real time.
The embodiments in the present description are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. The device disclosed by the embodiment corresponds to the method disclosed by the embodiment, so that the description is simple, and the relevant points can be referred to the method part for description.
It is further noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Claims (10)
1. A real-time intrusion blocking method for a database is characterized by comprising the following steps:
monitoring a target database table in real time, wherein the target database table is forged based on a real business scene;
when the operation behavior of the target database table is monitored, recording relevant data of the operation behavior;
constructing a database blocking mechanism according to the relevant data of the operation behaviors;
and blocking the attack behavior aiming at the database in real time by utilizing the database blocking mechanism.
2. The method of claim 1, further comprising:
acquiring a database table naming rule of a service system in a real service scene;
and generating the target database table which accords with the database table naming rule of the business system.
3. The method of claim 1, wherein the data related to the operational behavior comprises a source IP address, a source port number, and an operation time.
4. The method according to claim 3, wherein the constructing a database blocking mechanism according to the data related to the operation behavior comprises:
and constructing an external public network IP address blocking mechanism and an internal network IP address blocking mechanism according to the source IP address in the relevant data of the operation behavior.
5. The method of claim 4, wherein blocking, in real time, an attack on the database using the database blocking mechanism comprises:
calling an API (application program interface) of a firewall by using the external public network IP address blocking mechanism to realize automatic blocking of the illegal external public network IP address;
and isolating the communication between the database server and the intranet server by using the intranet IP address blocking mechanism.
6. A real-time intrusion blocking device for a database, comprising:
the database table monitoring unit is used for monitoring a target database table in real time, and the target database table is forged based on a real business scene;
the operation behavior recording unit is used for recording relevant data of the operation behavior when the operation behavior of the target database table is monitored;
the blocking mechanism constructing unit is used for constructing a database blocking mechanism according to the relevant data of the operation behaviors;
and the attack behavior blocking unit is used for blocking the attack behavior aiming at the database in real time by utilizing the database blocking mechanism.
7. The apparatus of claim 6, further comprising:
the database table generating unit is used for acquiring a database table naming rule of a service system in a real service scene; and generating the target database table which accords with the database table naming rule of the business system.
8. The apparatus of claim 6, wherein the data related to the operational behavior comprises a source IP address, a source port number, and an operation time.
9. The apparatus according to claim 8, wherein the blocking mechanism constructing unit is specifically configured to construct an external public network IP address blocking mechanism and an internal network IP address blocking mechanism according to a source IP address in the relevant data of the operation behavior.
10. The apparatus according to claim 9, wherein the attack behavior blocking unit is specifically configured to:
calling an API (application program interface) of a firewall by using the external public network IP address blocking mechanism to realize automatic blocking of the illegal external public network IP address;
and isolating the communication between the database server and the intranet server by using the intranet IP address blocking mechanism.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201911113710.4A CN110866278A (en) | 2019-11-14 | 2019-11-14 | Method and device for blocking real-time intrusion of database |
Publications (1)
Publication Number | Publication Date |
---|---|
CN110866278A true CN110866278A (en) | 2020-03-06 |
Family
ID=69654144
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201911113710.4A Pending CN110866278A (en) | 2019-11-14 | 2019-11-14 | Method and device for blocking real-time intrusion of database |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110866278A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111765801A (en) * | 2020-06-16 | 2020-10-13 | 深圳拼客信息科技有限公司 | Shooting range training and intrusion discovery method |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20050203881A1 (en) * | 2004-03-09 | 2005-09-15 | Akio Sakamoto | Database user behavior monitor system and method |
CN102468985A (en) * | 2010-11-01 | 2012-05-23 | 北京神州绿盟信息安全科技股份有限公司 | Method and system for carrying out penetration test on network safety equipment |
CN104008349A (en) * | 2014-04-28 | 2014-08-27 | 国家电网公司 | Database security access control method and system |
CN104954335A (en) * | 2014-03-27 | 2015-09-30 | 中国移动通信集团安徽有限公司 | Method and system for preventing high-risk network intrusion |
CN106506435A (en) * | 2015-09-08 | 2017-03-15 | 中国电信股份有限公司 | For detecting method and the firewall system of network attack |
CN109818985A (en) * | 2019-04-11 | 2019-05-28 | 江苏亨通工控安全研究院有限公司 | A kind of industrial control system loophole trend analysis and method for early warning and system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | |
Application publication date: 20200306