CN111104395A - Database auditing method, device, storage medium and device - Google Patents


Publication number
CN111104395A
Authority
CN
China
Prior art keywords
database
information
auditing
sensitive data
request
Legal status
Granted
Application number
CN201911402355.2A
Other languages
Chinese (zh)
Other versions
CN111104395B (en)
Inventor
郑智先
杨凯
陈怡雪
Current Assignee
Wuhan Yingmai Information Technology Co Ltd
Original Assignee
Wuhan Yingmai Information Technology Co Ltd
Events
Application filed by Wuhan Yingmai Information Technology Co Ltd
Priority to CN201911402355.2A
Publication of CN111104395A
Application granted
Publication of CN111104395B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/21 Design, administration or maintenance of databases
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management


Abstract

The invention relates to the technical field of database auditing and discloses a database auditing method, device, storage medium and apparatus. The method comprises: acquiring a database audit request and extracting from it the network address information, the corresponding port information, the current monitoring data and the database to be audited; scanning the current monitoring data with a service scanning tool according to the port information to obtain service discovery information; looking up the corresponding server engine according to the service discovery information; scanning the current monitoring data with a sensitive data scanning tool according to the network address information to obtain the current sensitive data; acquiring a policy making request and adding the current sensitive data according to that request to obtain an audit policy; and auditing the database to be audited according to the server engine and the audit policy, thereby improving the efficiency of auditing sensitive data.

Description

Database auditing method, device, storage medium and device
Technical Field
The invention relates to the technical field of database security audit, in particular to a database audit method, equipment, a storage medium and a device.
Background
Sensitive data, also called private data, commonly includes names, identification numbers, addresses, telephone numbers, bank accounts, e-mail addresses, passwords, medical information, educational background, and the like. Service discovery detects service providers: a service provider is a HyperText Transfer Protocol (HTTP) server that offers an Application Programming Interface (API) service and uses an Internet Protocol (IP) port as its service address; a service consumer is a process that accesses the service provider and processes according to the service it provides; and the HTTP server may itself be a consumer of a service offered by another provider. At present, sensitive data is generally identified by keyword matching when data is analysed, which cannot audit the sensitive data in a targeted way and therefore reduces audit efficiency.
The above is only for the purpose of assisting understanding of the technical aspects of the present invention, and does not represent an admission that the above is prior art.
Disclosure of Invention
The invention mainly aims to provide a database auditing method, equipment, a storage medium and a device, aiming at improving the auditing efficiency of sensitive data.
In order to achieve the above object, the present invention provides a database auditing method, which comprises the following steps:
acquiring a database audit request, and extracting network address information, corresponding port information, current monitoring data and a database to be audited in the database audit request;
scanning the current monitoring data through a service scanning tool according to the port information to obtain service discovery information;
searching a corresponding server engine according to the service discovery information;
scanning the current monitoring data through a sensitive data scanning tool according to the network address information to obtain current sensitive data;
acquiring a strategy making request, and adding the current sensitive data according to the strategy making request to obtain an auditing strategy;
and auditing the database to be audited according to the server engine and the auditing strategy.
Preferably, the searching for the corresponding server engine according to the service discovery information includes:
acquiring condition retrieval information, wherein the condition retrieval information comprises service type information, port number information, operating system type information and operating system version information;
adjusting the service discovery information according to the service type information, the port number information, the operating system type information and the operating system version information to obtain target retrieval information;
and searching a corresponding server engine according to the target retrieval information.
Preferably, the scanning the current monitoring data through a sensitive data scanning tool according to the network address information to obtain current sensitive data includes:
scanning the current monitoring data through a sensitive data scanning tool according to the network address information to obtain reference scanning data;
and acquiring a sensitive data rule, and screening the reference scanning data according to the sensitive data rule to obtain the current sensitive data.
Preferably, before the acquiring of the policy making request and the adding of the current sensitive data according to the policy making request to obtain the audit policy, the method further includes:
acquiring a data type and a scanning range, and adjusting the current sensitive data according to the data type and the scanning range to obtain a sensitive data list;
and the acquiring of the policy making request and the adding of the current sensitive data according to the policy making request to obtain the audit policy includes:
acquiring a policy making request, and adding the sensitive data list according to the policy making request to obtain an audit policy.
Preferably, before the acquiring of the policy making request and the adding of the sensitive data list according to the policy making request to obtain the audit policy, the method further includes:
acquiring global parameter information, and adding the sensitive data list to the global parameter information according to data type to obtain target global parameter information;
and the acquiring of the policy making request and the adding of the sensitive data list according to the policy making request to obtain the audit policy includes:
acquiring a policy making request, and referencing the target global parameter information according to the policy making request to obtain an audit policy.
Preferably, before the obtaining of the database audit request and the extracting of the network address information, the corresponding port information, and the current monitoring data in the database audit request, the method further includes:
calling a preset monitoring program;
and monitoring the network address information and the corresponding port information through the preset monitoring program to obtain current monitoring data.
Preferably, after the auditing the target database according to the server engine and the auditing policy, the method further includes:
obtaining an audit result, storing the audit result to a preset storage area, and configuring preset interface information for the preset storage area;
acquiring a query request, calling the preset interface information to access the preset storage area according to the query request to obtain a query result, and visually displaying the query result.
In addition, in order to achieve the above object, the present invention further provides a database auditing apparatus, including: a memory, a processor and a database auditing program stored on the memory and running on the processor, the database auditing program when executed by the processor implementing the steps of the database auditing method as described above.
In addition, to achieve the above object, the present invention further provides a storage medium, which stores a database auditing program, and the database auditing program implements the steps of the database auditing method when executed by a processor.
In addition, in order to achieve the above object, the present invention further provides a database auditing apparatus, including:
an acquisition module, configured to acquire the database audit request and extract the network address information, the corresponding port information, the current monitoring data and the database to be audited from the database audit request;
the scanning module is used for scanning the current monitoring data through a service scanning tool according to the port information to obtain service discovery information;
the searching module is used for searching a corresponding server engine according to the service discovery information;
the scanning module is further configured to scan the current monitoring data through a sensitive data scanning tool according to the network address information to obtain current sensitive data;
the obtaining module is further configured to obtain a policy making request, and add the current sensitive data according to the policy making request to obtain an audit policy;
and the auditing module is used for auditing the database to be audited according to the server engine and the auditing strategy.
According to the technical scheme provided by the invention, by acquiring a database audit request, network address information, corresponding port information, current monitoring data and a database to be audited in the database audit request are extracted; scanning the current monitoring data through a service scanning tool according to the port information to obtain service discovery information; searching a corresponding server engine according to the service discovery information; scanning the current monitoring data through a sensitive data scanning tool according to the network address information to obtain current sensitive data; acquiring a strategy making request, and adding the current sensitive data according to the strategy making request to obtain an auditing strategy; and auditing the database to be audited according to the server engine and the auditing strategy, so that the current monitoring data is screened through the network address information and the port information, the auditing of the database is realized aiming at the screened data, and the aim of improving the auditing efficiency of the sensitive data is fulfilled.
Drawings
FIG. 1 is a schematic diagram of a database auditing device architecture of a hardware operating environment according to an embodiment of the present invention;
FIG. 2 is a schematic flow chart of a first embodiment of a database auditing method of the present invention;
FIG. 3 is a schematic flow chart of a second embodiment of a database auditing method according to the present invention;
FIG. 4 is a schematic flow chart of a third embodiment of a database auditing method according to the present invention;
FIG. 5 is a block diagram of the first embodiment of the database auditing apparatus of the present invention.
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
Referring to fig. 1, fig. 1 is a schematic structural diagram of a database auditing device of a hardware operating environment according to an embodiment of the present invention.
As shown in fig. 1, the database auditing apparatus may include: a processor 1001, such as a Central Processing Unit (CPU), a communication bus 1002, a user interface 1003, a network interface 1004, and a memory 1005. The communication bus 1002 is used to enable communication between these components. The user interface 1003 may include a display screen (Display); optionally, the user interface 1003 may also include a standard wired interface and a wireless interface, and in the present invention the wired interface of the user interface 1003 may be a Universal Serial Bus (USB) interface. The network interface 1004 may optionally include a standard wired interface as well as a wireless interface (e.g. a WI-FI interface). The memory 1005 may be a high-speed Random Access Memory (RAM) or a stable non-volatile memory, such as a disk memory. The memory 1005 may alternatively be a storage device separate from the processor 1001.
Those skilled in the art will appreciate that the configuration shown in FIG. 1 does not constitute a limitation of the database auditing apparatus, and may include more or fewer components than those shown, or some components in combination, or a different arrangement of components.
As shown in fig. 1, a memory 1005, which is one type of computer storage medium, may include therein an operating system, a network communication module, a user interface module, and a database auditing program.
In the database auditing device shown in fig. 1, the network interface 1004 is mainly used for connecting with a background server and performing data communication with the background server; the user interface 1003 is mainly used for connecting peripheral equipment; the database auditing device calls a database auditing program stored in the memory 1005 through the processor 1001 and executes the database auditing method provided by the embodiment of the invention.
Based on the hardware structure, the embodiment of the database auditing method is provided.
Referring to fig. 2, fig. 2 is a schematic flow chart of a first embodiment of the database auditing method of the present invention.
In a first embodiment, the database auditing method comprises the following steps:
step S10: and acquiring a database audit request, and extracting network address information, corresponding port information, current monitoring data and a database to be audited in the database audit request.
It should be noted that, the execution subject of this embodiment is a database auditing device, and may also be other devices that can implement the same or similar functions, such as a data analysis server, and the like.
In this embodiment, the database audit request is a database audit request initiated according to a current interface, and network address information and corresponding port information can be set through the interface, so as to implement auditing of data monitored by a specific port, where the current monitoring data is monitoring data obtained through monitoring by a preset monitoring program, and also can be obtained through a third-party application program, and this embodiment is not limited thereto.
Step S20: and scanning the current monitoring data through a service scanning tool according to the port information to obtain service discovery information.
It can be understood that service and sensitive data discovery is a function that assists database auditing decisions; it adopts an application service port scanning mechanism based on the Network scanning and sniffing toolkit (NMAP) and database sensitive data scanning based on Java Database Connectivity (JDBC).
To realize service discovery, Internet Protocol (IP) information and port information are configured, the scan result operation, network segment setting, port setting, service type and single-IP timeout setting are selected for the data scan, and the scanned results are displayed under service discovery and data discovery.
In a specific implementation, service discovery is performed by scanning precisely according to the configured port number, for example a Transmission Control Protocol (TCP) port number, and the destination IP address or IP segment, to obtain the service discovery result, a summary, the service type and the operating system type.
It should be noted that host discovery is implemented by sending a probe packet to the target host; if a reply is received, the target host is up. NMAP supports more than ten different host probing methods, and the user can flexibly select among them to probe the target host under different conditions.
Port scanning is realized by sending a TCP synchronize (SYN) packet to the target port: if a SYN/ACK (acknowledgement) reply is received, the port can be determined to be open; if a reset (RST) packet is received, the port is closed; and if no reply is received, the port can be determined to be filtered. This approach is relatively unobtrusive and efficient because it only sends a SYN packet to the specific port of the target host and does not establish a complete TCP connection.
To implement version detection, it is first checked whether the ports in the open and open|filtered states are in the excluded port list; a port on the exclusion list is removed. If the port is a TCP port, an attempt is made to establish a TCP connection and to wait for a moment, usually 6 seconds or more. Within the waiting time the 'Welcome Banner' sent by the target machine is usually received; the received banner is compared with the signatures of the NULL probe in nmap-services-probes, and the name and version information of the corresponding application are looked up. If the application version cannot be determined from the 'Welcome Banner', other probe packets are tried: a suitable probe is selected from nmap-services-probes, the reply packet obtained by the probe is compared with the signatures in the database, and if the application still cannot be identified after repeated detection, the application's returned message is printed out so that the user can make a further judgement.
To detect the operating system, different operating systems and devices are identified by their TCP/IP protocol stack fingerprints. The Request For Comments (RFC) specifications leave some aspects of TCP/IP implementation unspecified, so different TCP/IP implementations may have their own particular behaviours, and the operating system type is determined from the differences in these details. The fingerprint characteristics of 2600 known systems are held in the file nmap-os-db, which serves as the sample library for fingerprint comparison. An open port and a closed port are each selected, carefully designed TCP/User Datagram Protocol (UDP)/Internet Control Message Protocol (ICMP) packets are sent to the target, a system fingerprint is generated from the returned packets, the detected fingerprint is compared with the fingerprints in nmap-os-db, and the matching system is found. If the match fails, the possible systems are listed with probabilities, thereby achieving operating system detection.
Step S30: and searching a corresponding server engine according to the service discovery information.
It should be noted that different service types correspond to different service engines, such as the MYSQL engine and the ORACLE engine of relational database management systems, so that a database engine suitable for the current service is obtained.
Step S40: and scanning the current monitoring data through a sensitive data scanning tool according to the network address information to obtain current sensitive data.
In this embodiment, the table structure and the data content in the database are scanned one by one according to the configured database IP, instance name, and user name/password according to the type of the built-in sensitive data, so as to obtain the current sensitive data.
Step S50: and acquiring a strategy making request, and adding the current sensitive data according to the strategy making request to obtain an auditing strategy.
It can be understood that the policy can be specified through a preset interface, and an audit policy meeting the requirement is generated to realize the auditing of the database.
Step S60: and auditing the database to be audited according to the server engine and the auditing strategy.
According to the scheme, the network address information, the corresponding port information, the current monitoring data and the database to be audited in the database audit request are extracted by obtaining the database audit request; scanning the current monitoring data through a service scanning tool according to the port information to obtain service discovery information; searching a corresponding server engine according to the service discovery information; scanning the current monitoring data through a sensitive data scanning tool according to the network address information to obtain current sensitive data; acquiring a strategy making request, and adding the current sensitive data according to the strategy making request to obtain an auditing strategy; and auditing the database to be audited according to the server engine and the auditing strategy, so that the current monitoring data is screened through the network address information and the port information, the auditing of the database is realized aiming at the screened data, and the aim of improving the auditing efficiency of the sensitive data is fulfilled.
Referring to fig. 3, fig. 3 is a schematic flowchart of a second embodiment of the database auditing method according to the present invention, and the second embodiment of the database auditing method according to the present invention is proposed based on the first embodiment shown in fig. 2.
In the second embodiment, the step S30 includes:
step S301, obtaining condition retrieval information, wherein the condition retrieval information comprises service type information, port number information, operating system type information and operating system version information.
The condition retrieval information includes: service name (service type), server IP, port number, status, version information, operating system type, operating system version, and so on. Meanwhile, the scan result is displayed as a list, three reports are provided (summary statistics, statistics by service type and statistics by operating system type), and a "join engine" operation is provided for each scanned database service.
Step S302, adjusting the service discovery information according to the service type information, the port number information, the operating system type information and the operating system version information to obtain target retrieval information.
In this embodiment, the current service can be processed more specifically by configuring specific items discovered by the service.
Step S303, searching a corresponding server engine according to the target retrieval information.
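The following is an added example, not code from the patent, that models steps S30 and S301 to S303: service discovery records are filtered by condition retrieval information (service type, port number, operating system type and version) and the surviving records are mapped to a server engine. The record fields, the service-type-to-engine table and the sample discovery output are constructed for illustration.

```python
"""Server-engine lookup from service discovery records (steps S301-S303)."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class ServiceRecord:
    host: str
    port: int
    service: str      # service type as reported by discovery, e.g. "mysql"
    version: str
    os_type: str
    os_version: str

@dataclass(frozen=True)
class RetrievalConditions:
    """Condition retrieval information; a None field means 'no constraint'."""
    service: Optional[str] = None
    port: Optional[int] = None
    os_type: Optional[str] = None
    os_version: Optional[str] = None   # matched as a prefix, e.g. "4."

# Constructed service-type -> engine table (assumption; a product would
# maintain this per supported database).
ENGINE_BY_SERVICE = {
    "mysql": "MYSQL",
    "oracle-tns": "ORACLE",
    "postgresql": "POSTGRESQL",
    "ms-sql-s": "MSSQL",
}

def adjust_discovery(records, cond):
    """Step S302: keep only the records matching every condition that is set."""
    def ok(r):
        return ((cond.service is None or r.service == cond.service)
                and (cond.port is None or r.port == cond.port)
                and (cond.os_type is None or r.os_type.lower() == cond.os_type.lower())
                and (cond.os_version is None or r.os_version.startswith(cond.os_version)))
    return [r for r in records if ok(r)]

def find_engines(records, cond):
    """Step S303: map target retrieval records to engines.

    Services without a known engine are returned separately rather than
    silently dropped, so the auditor can see what the scan found but the
    auditing system cannot yet handle.
    """
    found, unknown = {}, []
    for r in adjust_discovery(records, cond):
        engine = ENGINE_BY_SERVICE.get(r.service)
        if engine is None:
            unknown.append(r)
        else:
            found[(r.host, r.port)] = engine
    return found, unknown

# Constructed sample discovery output (not real scan data).
SAMPLE = [
    ServiceRecord("10.0.0.5", 3306, "mysql", "8.0.33", "Linux", "5.15"),
    ServiceRecord("10.0.0.6", 1521, "oracle-tns", "19c", "Linux", "4.18"),
    ServiceRecord("10.0.0.7", 5432, "postgresql", "15.3", "Linux", "5.15"),
    ServiceRecord("10.0.0.8", 6379, "redis", "7.0", "Linux", "5.15"),
]

if __name__ == "__main__":
    engines, unknown = find_engines(SAMPLE, RetrievalConditions(os_type="linux"))
    for (host, port), engine in sorted(engines.items()):
        print(f"{host}:{port} -> {engine}")
    for r in unknown:
        print(f"{r.host}:{r.port} service {r.service!r} has no engine mapping")
```

Unmapped services are worth surfacing: a database listening on a port that the audit system cannot attach an engine to is exactly the kind of gap that leaves sensitive data unaudited.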
Further, the step S40 includes:
scanning the current monitoring data through a sensitive data scanning tool according to the network address information to obtain reference scanning data; and acquiring a sensitive data rule, and screening the reference scanning data according to the sensitive data rule to obtain the current sensitive data.
It should be noted that the sensitive data may be screened by setting a sensitive data rule, where the sensitive data rule may include a user name, a password, a database instance, an IP address, a start IP address, an end IP address, a service type, a port number and the like, and may further include the configuration of other parameters, which is not limited in this embodiment.
According to this scheme, the sensitive data is screened by setting a sensitive data rule, so that customized sensitive data is obtained and the data processing efficiency is improved.
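The following is an added example, not code from the patent, of the two parts of step S40 as refined above: a reference scan that classifies column samples against built-in sensitive data types, followed by screening of the hits with a sensitive data rule (start and end IP address, service type, port number). Rather than connecting over JDBC, it takes the column samples a reference scan would have read as inline input; the patterns, hosts, instance names and rows are constructed for illustration.

```python
"""Sensitive data reference scan and rule-based screening (step S40)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Built-in sensitive data types. Constructed, deliberately simple patterns;
# order matters because an 18-digit ID number also satisfies the card pattern,
# and the first type reaching the best ratio wins.
SENSITIVE_TYPES = (
    ("email", re.compile(r"^[\w.+-]+@[\w-]+(\.[\w-]+)+$")),
    ("phone", re.compile(r"^1[3-9]\d{9}$")),
    ("id_number", re.compile(r"^\d{17}[\dX]$")),
    ("bank_card", re.compile(r"^\d{16,19}$")),
)

@dataclass(frozen=True)
class Hit:
    host: str
    port: int
    service: str
    instance: str
    table: str
    column: str
    data_type: str
    ratio: float    # share of non-empty samples matching the type

def classify_column(values, threshold=0.8):
    """Return (type, ratio) for the best-matching sensitive type, or None.

    Empty cells are ignored so a sparsely filled ID column is still found.
    """
    samples = [str(v).strip() for v in values if v not in (None, "")]
    if not samples:
        return None
    best = None
    for name, pattern in SENSITIVE_TYPES:
        ratio = sum(1 for s in samples if pattern.match(s)) / len(samples)
        if ratio >= threshold and (best is None or ratio > best[1]):
            best = (name, ratio)
    return best

def reference_scan(host, port, service, instance, tables):
    """Scan every table/column sample set; tables = {table: {column: [values]}}."""
    hits = []
    for table, columns in tables.items():
        for column, values in columns.items():
            found = classify_column(values)
            if found:
                hits.append(Hit(host, port, service, instance, table, column, *found))
    return hits

@dataclass(frozen=True)
class SensitiveDataRule:
    """Screening rule: IP range plus optional service, port and type filters."""
    start_ip: str
    end_ip: str
    service: Optional[str] = None
    port: Optional[int] = None
    data_types: Optional[frozenset] = None

    def accepts(self, hit):
        addr = ipaddress.ip_address(hit.host)
        in_range = ipaddress.ip_address(self.start_ip) <= addr <= ipaddress.ip_address(self.end_ip)
        return (in_range
                and (self.service is None or hit.service == self.service)
                and (self.port is None or hit.port == self.port)
                and (self.data_types is None or hit.data_type in self.data_types))

def screen(hits, rule):
    """Current sensitive data = reference scan data that passes the rule."""
    return [h for h in hits if rule.accepts(h)]

# Constructed sample column data, as a reference scan would have read it.
CRM_TABLES = {
    "customer": {
        "name": ["Li Wei", "Wang Fang", "Zhang Lei"],
        "mobile": ["13812345678", "15987654321", "18611112222"],
        "email": ["li.wei@example.com", "wang.fang@example.com", "zhang.lei@example.com"],
        "id_no": ["11010119900101123X", "310101198505054321", ""],
    },
    "orders": {"order_id": ["A-1001", "A-1002"], "amount": ["12.50", "99.00"]},
}
PAY_TABLES = {"card": {"card_no": ["6222021234567890123", "6225881111222233334"]}}

ALL_HITS = (reference_scan("10.0.0.5", 3306, "mysql", "crm", CRM_TABLES)
            + reference_scan("10.0.2.9", 1521, "oracle", "pay", PAY_TABLES))

if __name__ == "__main__":
    rule = SensitiveDataRule("10.0.0.0", "10.0.0.255", service="mysql")
    for h in screen(ALL_HITS, rule):
        print(f"{h.host}:{h.port}/{h.instance}.{h.table}.{h.column} -> {h.data_type} ({h.ratio:.0%})")
```

Classifying on a ratio of matching samples rather than a single value keeps one stray test row from either hiding or falsely flagging a column; in a real deployment the threshold and the sample size per column are the knobs that trade scan time against recall.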
Referring to fig. 4, fig. 4 is a schematic flowchart of a third embodiment of the database auditing method according to the present invention, and the third embodiment of the database auditing method according to the present invention is proposed based on the first embodiment or the second embodiment.
In the third embodiment, before the step S50, the method further includes:
step S501, acquiring a data type and a scanning range, and adjusting the current sensitive data according to the data type and the scanning range to obtain a sensitive data list.
In this embodiment, configuration items such as data types and scanning ranges are provided, scanning results are displayed in a list form, and four reports such as summary statistics, sensitive data servers, sensitive type distribution and database type distribution are provided.
Further, the step S50 includes:
step S502, a strategy making request is obtained, the sensitive data list is added according to the strategy making request, and an auditing strategy is obtained.
Further, before the step S502, the method further includes:
acquiring global parameter information, and adding the sensitive data list to the global parameter information according to data types to obtain target global parameter information;
It should be noted that the global objects are condition parameters that can be referenced when a rule is customized, and include an IP address set, a source application set, an operating system user set, an operating system host set, a database user set, a table group set, a stored procedure set, a database list set, a database schema set, a sensitive data group set and a query group set.
Obtaining a strategy making request, adding the sensitive data list according to the strategy making request to obtain an auditing strategy, comprising the following steps:
and acquiring a strategy making request, and quoting the target global parameter information according to the strategy making request to obtain an auditing strategy.
It can be understood that the audit policy includes conditions, rules, policies, a default high-risk policy, SQL attacks, a super white list, secondary authentication and the like. A condition is expressed as a feature name and the feature value to be matched; a rule is a set of conditions plus a matching manner plus an action; a policy is a set of rules; the default high-risk policy is the set of high-risk operation features defined by the system; the SQL attacks are the SQL injection and buffer overflow detection feature sets; the super white list is the set of SQL statements issued by database connection tools themselves; and secondary authentication is a white list policy in database firewall mode.
In this embodiment, policy configuration can be performed through a policy configuration page, which is the overall policy management page and is composed of four pages: custom policy, SQL attack features, super white list and secondary authentication. The custom policy page provides add, edit and delete operations for the default high-risk policy and the custom policies, and provides add, delete, edit, move-up and move-down operations for the rules within a policy. The SQL attack page manages the SQL attack features and the buffer overflow detection features and provides add, edit, delete, enable and disable operations; the SQL attack features are exceptions for query and delete operations.
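The following is an added example, not code from the patent, that implements the policy vocabulary described above as a small detection engine run over constructed audit events: a condition is a feature name plus a value to match, a rule is a set of conditions with a matching manner and an action, a policy is a set of rules, the super white list is checked before any rule, and a condition may reference a named global parameter set (an IP address set, a database user set or a table group set) instead of listing values inline, as the target global parameter information step above describes. The default high-risk rules, the SQL attack feature set, the global parameter sets and the sample events are all constructed for illustration.

```python
"""Audit policy evaluation: conditions -> rules -> policies (constructed example)."""
import re
from dataclasses import dataclass

# Global parameter information (constructed): named sets a rule may reference.
GLOBAL_PARAMS = {
    "app_server_ips": {"10.0.1.10", "10.0.1.11"},
    "dba_users": {"dba_admin"},
    "sensitive_tables": {"customer", "payment_card"},
}

ACTION_RANK = {"allow": 0, "log": 1, "alert": 2, "block": 3}

@dataclass(frozen=True)
class Condition:
    feature: str          # feature name looked up in the audit event
    value: str            # literal value, regex, or global parameter set name
    how: str = "equals"   # matching manner: equals | regex | in_set | not_in_set

    def matches(self, event):
        actual = str(event.get(self.feature, ""))
        if self.how == "equals":
            return actual == self.value
        if self.how == "regex":
            return re.search(self.value, actual, re.IGNORECASE | re.DOTALL) is not None
        if self.how in ("in_set", "not_in_set"):
            member = actual in GLOBAL_PARAMS[self.value]
            return member if self.how == "in_set" else not member
        raise ValueError(f"unknown matching manner: {self.how}")

@dataclass(frozen=True)
class Rule:
    name: str
    conditions: tuple
    manner: str = "all"   # "all" or "any" of the conditions must match
    action: str = "alert"

    def matches(self, event):
        hits = [c.matches(event) for c in self.conditions]
        return all(hits) if self.manner == "all" else any(hits)

@dataclass(frozen=True)
class Policy:
    name: str
    rules: tuple

# Statements a connection tool issues on its own: exempted before any rule runs.
SUPER_WHITE_LIST = {"SELECT @@version_comment LIMIT 1", "SELECT 1"}

DEFAULT_HIGH_RISK = Policy("default-high-risk", (
    Rule("ddl-by-non-dba",
         (Condition("sql", r"^\s*(drop|truncate|alter)\b", "regex"),
          Condition("db_user", "dba_users", "not_in_set")),
         manner="all", action="block"),
    Rule("privilege-grant", (Condition("sql", r"^\s*grant\b", "regex"),), action="alert"),
))

# SQL attack feature set: one injection feature and one oversized-statement
# (buffer overflow detection) feature; sql_len >= 10000 means five or more digits.
SQL_ATTACK = Policy("sql-attack", (
    Rule("union-injection", (Condition("sql", r"\bunion\b.{0,40}\bselect\b", "regex"),), action="block"),
    Rule("oversized-statement", (Condition("sql_len", r"^\d{5,}$", "regex"),), action="block"),
))

CUSTOM = Policy("custom", (
    Rule("sensitive-table-from-unknown-host",
         (Condition("table", "sensitive_tables", "in_set"),
          Condition("client_ip", "app_server_ips", "not_in_set")),
         manner="all", action="alert"),
))

POLICIES = (DEFAULT_HIGH_RISK, SQL_ATTACK, CUSTOM)

def derive_features(event):
    """Add computed features: statement length and the first referenced table."""
    sql = event.get("sql", "")
    m = re.search(r"\b(?:from|into|update|table)\s+`?(\w+)`?", sql, re.IGNORECASE)
    return {**event, "sql_len": str(len(sql)), "table": m.group(1).lower() if m else ""}

def evaluate(event, policies=POLICIES):
    """Return (action, matched rule names); the most severe matched action wins."""
    if event.get("sql", "").strip() in SUPER_WHITE_LIST:
        return "allow", ["super-white-list"]
    ev = derive_features(event)
    action, matched = "log", []
    for policy in policies:
        for rule in policy.rules:
            if rule.matches(ev):
                matched.append(f"{policy.name}/{rule.name}")
                if ACTION_RANK[rule.action] > ACTION_RANK[action]:
                    action = rule.action
    return action, matched

# Constructed sample audit events (not captured traffic).
SAMPLE_EVENTS = [
    {"db_user": "app_rw", "client_ip": "10.0.1.10", "sql": "SELECT @@version_comment LIMIT 1"},
    {"db_user": "app_rw", "client_ip": "10.0.1.10", "sql": "SELECT id, name FROM orders WHERE id = 42"},
    {"db_user": "app_rw", "client_ip": "10.0.1.10", "sql": "DROP TABLE customer"},
    {"db_user": "dba_admin", "client_ip": "10.0.9.2", "sql": "ALTER TABLE orders ADD COLUMN note TEXT"},
    {"db_user": "report_ro", "client_ip": "192.168.50.7", "sql": "SELECT * FROM customer"},
    {"db_user": "app_rw", "client_ip": "10.0.1.11",
     "sql": "SELECT name FROM products WHERE id = 1 UNION SELECT card_no FROM payment_card"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(evaluate(ev), ev["sql"])
```

Every event that is not on the super white list is at least logged, so the audit trail stays complete even when no rule fires; the rank table only decides which single action the firewall mode takes when several rules match the same statement.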
Further, before the acquiring the database audit request and extracting the network address information, the corresponding port information and the current monitoring data in the database audit request, the method further includes:
calling a preset monitoring program; and monitoring the network address information and the corresponding port information through the preset monitoring program to obtain current monitoring data.
Further, after the step S60, the method further includes:
obtaining an audit result, storing the audit result to a preset storage area, configuring preset interface information for the preset storage area, obtaining a query request, calling the preset interface information to access the preset storage area according to the query request, obtaining a query result, and visually displaying the query result.
According to this scheme, the monitoring data is collected by setting up a monitoring program, a preset interface is configured for the audit result so that it can be queried and called directly, which improves the flexibility of data processing, and the query result is displayed visually, which improves the usability of data processing.
In addition, an embodiment of the present invention further provides a storage medium, where a database audit program is stored on the storage medium, and the database audit program, when executed by a processor, implements the steps of the terminal network access method described above.
Since the storage medium adopts all technical solutions of all the embodiments, at least all the beneficial effects brought by the technical solutions of the embodiments are achieved, and no further description is given here.
In addition, referring to fig. 5, an embodiment of the present invention further provides a database auditing apparatus, where the database auditing apparatus includes:
the obtaining module 10 is configured to obtain a database audit request, and extract network address information, corresponding port information, current monitoring data, and a database to be audited in the database audit request.
In this embodiment, the database audit request is initiated through the current interface, and network address information and corresponding port information can be set through that interface so that the data monitored on a specific port is audited. The current monitoring data is obtained by a preset monitoring program, and may also be obtained through a third-party application program; this embodiment is not limited in this respect.
And the scanning module 20 is configured to scan the current monitoring data through a service scanning tool according to the port information to obtain service discovery information.
It can be understood that service and sensitive data discovery is a function that assists the database auditing decision. It uses an application service port scanning mechanism based on the Network scanning and sniffing toolkit (NMAP) and a database sensitive data scan based on Java Database Connectivity (JDBC).
In order to realize service discovery, the operations on scan results, network segment setting, port setting, service type and single-IP timeout setting are selected for data scanning by configuring Internet Protocol (IP) information and port information, and the scanned results are displayed under service discovery and data discovery.
In a specific implementation, service discovery performs an exact scan according to the configured port number (for example a Transmission Control Protocol (TCP) port number) and the destination IP or IP segment, obtaining the service discovery result, a summary, the service type and the operating system type.
It should be noted that host discovery is implemented by sending a probe packet to the target host; if a reply is received, the target host is up. NMAP supports more than ten different host probing methods, and a user can flexibly select different methods to probe the target host under different conditions.
In order to realize port scanning, a synchronize (SYN) packet is sent to the target port. If a SYN/ACK (acknowledgement) reply is received, the port is open; if a reset (RST) packet is received, the port is closed; if no reply is received, the port is shielded (filtered). This approach is relatively stealthy and efficient because it only sends SYN packets to specific ports of the target host without establishing a complete TCP connection.
To implement version detection, first check whether the ports in the open and open|filtered states are in the excluded port list; ports on that list are skipped. For a TCP port, an attempt is made to establish a TCP connection and then to wait for a moment, usually 6 seconds or more; within that time the 'Welcome Banner' sent by the target is usually received. The received banner is compared with the signatures of the NULL probe in nmap-services-probes to find the name and version of the corresponding application. If the application version cannot be determined from the 'Welcome Banner', other probe packets are sent: a suitable probe is selected from nmap-services-probes, and the reply it elicits is compared with the signatures in the database. If the application still cannot be identified after repeated probing, the application's return message is printed out so that the user can make a further judgment.
To detect the operating system, different operating systems and devices are identified by their TCP/IP protocol stack fingerprints. The Request For Comments (RFC) specifications leave some aspects of TCP/IP implementation unspecified, so different TCP/IP implementations behave in their own specific ways in those details, and the operating system type is determined from these differences. The fingerprint characteristics of 2600 known systems are held internally in the file nmap-os-db, which serves as the sample library for fingerprint comparison. An open port and a closed port are selected, carefully designed TCP, User Datagram Protocol (UDP) and Internet Control Message Protocol (ICMP) packets are sent to them, a system fingerprint is generated from the returned packets, and the detected fingerprint is compared with the fingerprints in nmap-os-db to find a matching system. If no match is found, the possible systems are listed with probabilities, thereby achieving operating system detection.
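The comparison step of the operating system detection described above, as an added example that is not code from the patent or from nmap: a fingerprint is derived from constructed replies to probes aimed at one open port, one closed port and an ICMP echo, then matched against a small constructed library in the spirit of nmap-os-db. An exact match names the system; otherwise the candidates are listed with a probability-like score. The library entries, the six fingerprint fields, the weights and the sample replies are all assumptions made for the example.

```python
"""OS fingerprint comparison on constructed sample data (added example)."""

# Constructed stand-in for nmap-os-db: system name -> expected field values.
# Real fingerprints carry many more fields; six are enough to show the matching.
OS_DB = {
    "Linux 5.x":  {"ttl": 64,  "win": 64240, "df": 1, "opts": "MSS,SACK,TS,NOP,WS",       "rst_to_closed": 1, "icmp_code": 0},
    "Windows 10": {"ttl": 128, "win": 64240, "df": 1, "opts": "MSS,NOP,WS,NOP,NOP,SACK",  "rst_to_closed": 1, "icmp_code": 0},
    "FreeBSD 12": {"ttl": 64,  "win": 65535, "df": 1, "opts": "MSS,NOP,WS,SACK,TS",       "rst_to_closed": 1, "icmp_code": 0},
    "Cisco IOS":  {"ttl": 255, "win": 4128,  "df": 0, "opts": "MSS",                      "rst_to_closed": 1, "icmp_code": 0},
}

# Field weights (constructed): initial TTL and TCP option layout discriminate
# between stacks better than window size, so they contribute more to the score.
WEIGHTS = {"ttl": 3, "win": 2, "df": 1, "opts": 4, "rst_to_closed": 1, "icmp_code": 1}


def initial_ttl(observed_ttl):
    """Map a TTL seen on the wire back to the initial value the sender used
    (64, 128 or 255): every router hop decrements it by one."""
    for start in (64, 128, 255):
        if observed_ttl <= start:
            return start
    return 255


def build_fingerprint(open_reply, closed_reply, icmp_reply):
    """Derive the fingerprint fields from three constructed reply records."""
    return {
        "ttl": initial_ttl(open_reply["ttl"]),
        "win": open_reply["win"],
        "df": open_reply["df"],
        "opts": ",".join(open_reply["opts"]),
        # a closed TCP port should answer a SYN with RST; silence is itself a hint
        "rst_to_closed": 1 if closed_reply and "RST" in closed_reply["flags"] else 0,
        "icmp_code": icmp_reply["code"] if icmp_reply else -1,
    }


def score(fingerprint, entry):
    """Weighted fraction of fields that agree with one library entry (0..1)."""
    total = sum(WEIGHTS.values())
    matched = sum(w for fld, w in WEIGHTS.items() if fingerprint.get(fld) == entry.get(fld))
    return matched / total


def match_os(fingerprint, db=OS_DB):
    """Exact match -> the system name; otherwise a ranked candidate list."""
    ranked = sorted(((score(fingerprint, e), name) for name, e in db.items()), reverse=True)
    if ranked and ranked[0][0] == 1.0:
        return {"match": ranked[0][1], "candidates": []}
    return {"match": None,
            "candidates": [(name, round(s, 2)) for s, name in ranked if s > 0]}


# Constructed replies: the first set is a textbook Linux stack (TTL 52 seen
# after 12 hops); the second uses a tuned window size, so nothing matches exactly.
LINUX_REPLIES = (
    {"ttl": 52, "win": 64240, "df": 1, "opts": ["MSS", "SACK", "TS", "NOP", "WS"]},
    {"flags": "RST/ACK"},
    {"code": 0},
)
TUNED_REPLIES = (
    {"ttl": 61, "win": 29200, "df": 1, "opts": ["MSS", "SACK", "TS", "NOP", "WS"]},
    {"flags": "RST/ACK"},
    {"code": 0},
)

if __name__ == "__main__":
    print(match_os(build_fingerprint(*LINUX_REPLIES)))
    print(match_os(build_fingerprint(*TUNED_REPLIES)))
```

The second sample shows the fallback the text describes: with a non-default window size no entry scores 1.0, so the caller gets a ranked list (Linux first at 10 of 12 weighted points) instead of a definite answer, and the auditor decides whether that is good enough to choose an engine.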
And the searching module 30 is configured to search a corresponding server engine according to the service discovery information.
It should be noted that different service types correspond to different service engines, such as the MySQL engine and the Oracle engine for relational database management systems, so that a database engine suitable for the current service is obtained.
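The port scanning, version detection and engine lookup steps described above, as an added example that is not code from the patent or from nmap: the reply to a SYN probe is classified as open, closed or filtered; the 'Welcome Banner' of an open port is compared with NULL-probe style signatures, and when nothing matches the raw banner is kept for the user; the discovered service is then mapped to the server engine the search module selects. Nothing is sent on the network. The observations, the three signatures, the engine table and the excluded-port list are constructed samples.

```python
"""Service discovery decisions on constructed scan observations (added example)."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed stand-ins for NULL-probe signatures: (service, banner regex, version
# template). A MySQL handshake starts with a 3-byte length, a sequence byte,
# protocol version 0x0a and a NUL-terminated server version string.
SIGNATURES = [
    ("mysql", re.compile(rb"^.\x00\x00\x00\x0a([^\x00]+)\x00", re.S), "MySQL {0}"),
    ("ssh", re.compile(rb"^SSH-2\.0-OpenSSH_([\w.]+)"), "OpenSSH {0}"),
    ("ftp", re.compile(rb"^220[ -]ProFTPD ([\d.]+)"), "ProFTPD {0}"),
]

# Service type -> server engine used for auditing (the two engines the text names).
ENGINES = {"mysql": "MySQL engine", "oracle": "Oracle engine"}


@dataclass
class Observation:
    port: int
    reply_flags: Optional[str]   # flags of the reply to the SYN probe; None if silent
    banner: bytes = b""          # bytes read after connecting, if the port was open


@dataclass
class ServiceResult:
    port: int
    state: str
    service: Optional[str] = None
    version: Optional[str] = None
    engine: Optional[str] = None
    raw_banner: Optional[bytes] = None   # shown to the user when no signature matched


def port_state(reply_flags):
    """SYN/ACK -> open, RST -> closed, no reply (or anything else) -> filtered."""
    if reply_flags is None:
        return "filtered"
    flags = set(reply_flags.upper().split("/"))
    if {"SYN", "ACK"} <= flags:
        return "open"
    if "RST" in flags:
        return "closed"
    return "filtered"


def detect_version(banner):
    """Compare the banner with each signature; (service, version) or (None, None)."""
    for service, pattern, template in SIGNATURES:
        m = pattern.search(banner)
        if m:
            return service, template.format(m.group(1).decode("ascii", "replace"))
    return None, None


def discover(observations, excluded_ports=frozenset()):
    """Produce one ServiceResult per observation, port by port."""
    results = []
    for obs in observations:
        result = ServiceResult(port=obs.port, state=port_state(obs.reply_flags))
        # version detection only for open ports that are not on the exclusion list
        if result.state == "open" and obs.port not in excluded_ports and obs.banner:
            service, version = detect_version(obs.banner)
            if service is None:
                result.raw_banner = obs.banner      # let the user judge
            else:
                result.service, result.version = service, version
                result.engine = ENGINES.get(service)
        results.append(result)
    return results


# Constructed observations, not real scan output.
SAMPLE = [
    Observation(3306, "SYN/ACK", b"\x4a\x00\x00\x00\x0a8.0.22-log\x00\x01\x00\x00\x00"),
    Observation(22, "SYN/ACK", b"SSH-2.0-OpenSSH_8.2p1 Ubuntu-4\r\n"),
    Observation(8080, "SYN/ACK", b"HELLO-FROM-CUSTOM-DAEMON\r\n"),
    Observation(23, "RST", b""),
    Observation(1521, None, b""),
    Observation(8443, "SYN/ACK", b"HTTP/1.1 400 Bad Request\r\n"),
]


def discover_by_port(observations=SAMPLE, excluded_ports=frozenset({8443})):
    """Run discovery on the sample and index the results by port."""
    return {r.port: r for r in discover(observations, excluded_ports)}


if __name__ == "__main__":
    for port, r in sorted(discover_by_port().items()):
        print(port, r.state, r.service, r.version, r.engine, r.raw_banner)
```

Port 8080 illustrates the last fallback in the text: the daemon answers, but no signature matches, so the result carries the raw banner for a human decision rather than a guessed service. Port 8443 is open but on the exclusion list, so no banner is examined at all.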
The scanning module 20 is further configured to scan the current monitoring data through a sensitive data scanning tool according to the network address information, so as to obtain current sensitive data.
In this embodiment, the table structures and data contents in the database are scanned one by one according to the configured database IP, instance name and user name/password, using the built-in sensitive data types, so as to obtain the current sensitive data.
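The sensitive data scan described above, as an added example that is not code from the patent. The patent reaches the database over JDBC; this stand-alone version uses Python's sqlite3 module on a constructed in-memory database so that it runs offline, but the steps are the same: enumerate the tables, enumerate each table's columns, sample the values and match them against built-in sensitive data types. The built-in types here (mobile phone, e-mail, bank card with a Luhn check), the 50% hit threshold and the sample rows are assumptions made for the example; filter_findings applies the data type and scanning range selection that the claims describe.

```python
"""Sensitive data discovery over an in-memory database (added example)."""
import re
import sqlite3
from collections import Counter

# Built-in sensitive data types (constructed): name -> pattern found inside a cell.
SENSITIVE_TYPES = {
    "mobile_phone": re.compile(r"(?<!\d)1[3-9]\d{9}(?!\d)"),
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "bank_card": re.compile(r"(?<!\d)\d{13,19}(?!\d)"),
}


def luhn_ok(digits):
    """Luhn checksum, used to separate real card numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(value):
    """Set of sensitive types present in one cell value."""
    found = set()
    if value is None:
        return found
    text = str(value)
    for name, pattern in SENSITIVE_TYPES.items():
        for m in pattern.finditer(text):
            if name == "bank_card" and not luhn_ok(m.group(0)):
                continue
            found.add(name)
            break
    return found


def scan_database(conn, sample_rows=100, min_ratio=0.5):
    """Walk every table and column; flag a column as sensitive when at least
    min_ratio of its sampled non-NULL values contain the same sensitive type."""
    findings = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        quoted = '"' + table.replace('"', '""') + '"'
        columns = [r[1] for r in conn.execute(f"PRAGMA table_info({quoted})")]
        rows = conn.execute(f"SELECT * FROM {quoted} LIMIT ?", (sample_rows,)).fetchall()
        for idx, column in enumerate(columns):
            values = [row[idx] for row in rows if row[idx] is not None]
            if not values:
                continue
            hits = Counter(t for v in values for t in classify(v))
            for data_type, n in hits.items():
                if n / len(values) >= min_ratio:
                    findings.append({"table": table, "column": column, "type": data_type,
                                     "hits": n, "sampled": len(values)})
    return findings


def filter_findings(findings, data_types=None, tables=None):
    """Narrow the sensitive data list by selected data types and scanning range."""
    return [f for f in findings
            if (data_types is None or f["type"] in data_types)
            and (tables is None or f["table"] in tables)]


def build_sample_db():
    """Constructed database standing in for the target reached over JDBC."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, mobile TEXT, email TEXT, notes TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?, ?)", [
        (1, "Alice", "13812345678", "alice@example.com", "prefers e-mail"),
        (2, "Bob", "15987654321", "bob@example.org", "call 13912345678 after 5pm"),
        (3, "Carol", "n/a", "carol@example.net", None),
        (4, "Dan", "18612345678", None, "no phone on file"),
    ])
    conn.execute("CREATE TABLE payments (id INTEGER, card_no TEXT, amount REAL)")
    conn.executemany("INSERT INTO payments VALUES (?, ?, ?)", [
        (1, "4532015112830366", 19.99),   # passes Luhn
        (2, "4532015112830367", 5.00),    # fails Luhn: treated as a plain number
        (3, "6011111111111117", 42.0),    # passes Luhn
    ])
    return conn


def sensitive_columns(data_types=None, tables=None):
    """Scan the sample database and apply the data type / range filters."""
    findings = filter_findings(scan_database(build_sample_db()), data_types, tables)
    return [(f["table"], f["column"], f["type"], f["hits"], f["sampled"]) for f in findings]


if __name__ == "__main__":
    for row in sensitive_columns():
        print(row)
```

The threshold matters: the free-text notes column contains one phone number in three sampled values and is therefore not listed, while the mobile column is listed although one of its four values is not a phone number. Tuning min_ratio trades missed columns against noisy ones, which is why the claims let the operator narrow the list by data type and scanning range afterwards.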
The obtaining module 10 is further configured to obtain a policy making request, and add the current sensitive data according to the policy making request to obtain an audit policy.
It can be understood that policy formulation can be carried out through a preset interface, generating an auditing policy that meets the requirements so as to realize auditing of the database.
And the auditing module 40 is used for auditing the database to be audited according to the server engine and the auditing strategy.
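The policy structure from the start of this section (a condition is a feature name plus a feature value; a rule is a set of conditions with a matching manner and an operation action; a policy is a set of rules; plus the system-defined default high-risk policy and the super white list) and the auditing module that applies it, as an added example that is not code from the patent. A rule may reference the sensitive data list as a global parameter ($sensitive_tables), as the claims describe. The feature extraction, the rule contents, the severity ordering, the internal-network assumption and the captured statements are all constructed for the example; a real deployment would fill the global parameter from the sensitive data scan.

```python
"""Audit policy evaluation over captured SQL statements (added example)."""
import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Condition:
    feature: str   # feature name to match, e.g. "operation" or "table"
    value: str     # feature value; "$name" refers to a global parameter set


@dataclass
class Rule:
    name: str
    conditions: list
    match: str = "all"     # matching manner: "all" conditions or "any" of them
    action: str = "alert"  # operation action: "log", "alert" or "block"


@dataclass
class Policy:
    name: str
    rules: list = field(default_factory=list)


SEVERITY = {"allow": -1, "log": 0, "alert": 1, "block": 2}

# System-defined high-risk operation features (constructed subset).
DEFAULT_HIGH_RISK = Policy("default high-risk", [
    Rule("drop or truncate", [Condition("operation", "DROP"), Condition("operation", "TRUNCATE")],
         match="any", action="block"),
    Rule("update without where", [Condition("operation", "UPDATE"), Condition("has_where", "no")],
         action="alert"),
])

# Statements issued by database connection tools, exempt from the policies.
SUPER_WHITE_LIST = {"SELECT 1", "SELECT @@version", "SHOW VARIABLES"}


def extract_features(event):
    """Turn one captured statement into the features the conditions match on."""
    sql = event["sql"].strip()
    table = re.search(r"\b(?:FROM|INTO|UPDATE|TABLE)\s+([\w.]+)", sql, re.I)
    return {
        "operation": sql.split()[0].upper(),
        "table": table.group(1).lower() if table else "",
        "has_where": "yes" if re.search(r"\bWHERE\b", sql, re.I) else "no",
        "user": event["user"],
        # assumption for the example: 10.0.0.0/8 is the internal network
        "client_zone": "internal" if event["client_ip"].startswith("10.") else "external",
    }


def condition_holds(cond, features, global_params):
    """Equality on the feature, or membership when the value names a global parameter."""
    actual = str(features.get(cond.feature, "")).lower()
    if cond.value.startswith("$"):
        return actual in {v.lower() for v in global_params.get(cond.value[1:], ())}
    return actual == cond.value.lower()


def rule_fires(rule, features, global_params):
    results = [condition_holds(c, features, global_params) for c in rule.conditions]
    return all(results) if rule.match == "all" else any(results)


def audit(event, policies, global_params, white_list=SUPER_WHITE_LIST):
    """Decide on one captured statement: the most severe action among all fired
    rules wins; white-listed tool statements are allowed outright."""
    if event["sql"].strip() in white_list:
        return {"action": "allow", "matched": ["super white list"]}
    features = extract_features(event)
    decision = {"action": "allow", "matched": []}
    for policy in policies:
        for rule in policy.rules:
            if rule_fires(rule, features, global_params):
                decision["matched"].append(f"{policy.name}/{rule.name}")
                if SEVERITY[rule.action] > SEVERITY[decision["action"]]:
                    decision["action"] = rule.action
    return decision


# Constructed inputs: the sensitive data list feeds the global parameter, and one
# custom policy references it instead of hard-coding table names.
GLOBAL_PARAMS = {"sensitive_tables": {"customers", "payments"}}
CUSTOM = Policy("custom", [
    Rule("external read of sensitive table",
         [Condition("operation", "SELECT"), Condition("table", "$sensitive_tables"),
          Condition("client_zone", "external")], action="alert"),
])
EVENTS = [
    {"user": "app", "client_ip": "10.0.0.5", "sql": "SELECT 1"},
    {"user": "dba", "client_ip": "10.0.0.9", "sql": "DROP TABLE customers"},
    {"user": "report", "client_ip": "203.0.113.7", "sql": "SELECT mobile FROM customers WHERE id = 1"},
    {"user": "app", "client_ip": "10.0.0.5", "sql": "SELECT mobile FROM customers WHERE id = 1"},
    {"user": "app", "client_ip": "10.0.0.5", "sql": "UPDATE customers SET notes = ''"},
]


def audit_all(events=EVENTS):
    """Action decided for each constructed event, in order."""
    return [audit(e, [DEFAULT_HIGH_RISK, CUSTOM], GLOBAL_PARAMS)["action"] for e in events]


if __name__ == "__main__":
    for e, action in zip(EVENTS, audit_all()):
        print(action, "<-", e["sql"])
```

Referencing the scan output through a global parameter is what lets the policy follow the data: when the scan later finds a new sensitive table, the parameter set changes and every rule that cites it picks the table up without being edited, which is the maintenance benefit behind claim 5.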
According to the scheme, the network address information, the corresponding port information, the current monitoring data and the database to be audited in the database audit request are extracted by obtaining the database audit request; scanning the current monitoring data through a service scanning tool according to the port information to obtain service discovery information; searching a corresponding server engine according to the service discovery information; scanning the current monitoring data through a sensitive data scanning tool according to the network address information to obtain current sensitive data; acquiring a strategy making request, and adding the current sensitive data according to the strategy making request to obtain an auditing strategy; and auditing the database to be audited according to the server engine and the auditing strategy, so that the current monitoring data is screened through the network address information and the port information, the auditing of the database is realized aiming at the screened data, and the aim of improving the auditing efficiency of the sensitive data is fulfilled.
The database auditing device of the invention adopts all technical schemes of all the embodiments, so that the database auditing device at least has all the beneficial effects brought by the technical schemes of the embodiments, and the details are not repeated.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by using the contents of the present specification and the accompanying drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.

Claims (10)

1. A database auditing method is characterized by comprising the following steps:
acquiring a database audit request, and extracting network address information, corresponding port information, current monitoring data and a database to be audited in the database audit request;
scanning the current monitoring data through a service scanning tool according to the port information to obtain service discovery information;
searching a corresponding server engine according to the service discovery information;
scanning the current monitoring data through a sensitive data scanning tool according to the network address information to obtain current sensitive data;
acquiring a strategy making request, and adding the current sensitive data according to the strategy making request to obtain an auditing strategy;
and auditing the database to be audited according to the server engine and the auditing strategy.
2. The database auditing method of claim 1, where said looking up a corresponding server engine from the service discovery information comprises:
acquiring condition retrieval information, wherein the condition retrieval information comprises service type information, port number information, operating system type information and operating system version information;
adjusting the service discovery information according to the service type information, the port number information, the operating system type information and the operating system version information to obtain target retrieval information;
and searching a corresponding server engine according to the target retrieval information.
3. The database auditing method of claim 1, where said scanning the current monitored data according to the network address information by a sensitive data scanning tool to obtain current sensitive data comprises:
scanning the current monitoring data through a sensitive data scanning tool according to the network address information to obtain reference scanning data;
and acquiring a sensitive data rule, and screening the reference scanning data according to the sensitive data rule to obtain the current sensitive data.
4. The database auditing method according to any one of claims 1 to 3 where, in acquiring the policy making request, adding the current sensitive data according to the policy making request, before obtaining the auditing policy, the method further comprises:
acquiring a data type and a scanning range, and adjusting the current sensitive data according to the data type and the scanning range to obtain a sensitive data list;
the obtaining of the policy making request adds the current sensitive data according to the policy making request to obtain an audit policy, and the obtaining of the audit policy comprises the following steps:
and acquiring a strategy making request, and adding the sensitive data list according to the strategy making request to obtain an auditing strategy.
5. The database auditing method of claim 4, where the obtaining a policy formulation request adds to the sensitive data list according to the policy formulation request, before obtaining an auditing policy, the method further comprises:
acquiring global parameter information, and adding the sensitive data list to the global parameter information according to data types to obtain target global parameter information;
obtaining a strategy making request, adding the sensitive data list according to the strategy making request to obtain an auditing strategy, comprising the following steps:
and acquiring a strategy making request, and quoting the target global parameter information according to the strategy making request to obtain an auditing strategy.
6. The database auditing method according to any one of claims 1 to 3, where before said obtaining a database audit request, extracting network address information, corresponding port information and current monitoring data in the database audit request, the method further comprises:
calling a preset monitoring program;
and monitoring the network address information and the corresponding port information through the preset monitoring program to obtain current monitoring data.
7. The database auditing method according to any one of claims 1 to 3, said method further comprising, after said auditing of said target database according to said server engine and an auditing policy:
obtaining an audit result, storing the audit result to a preset storage area, and configuring preset interface information for the preset storage area;
acquiring a query request, calling the preset interface information to access the preset storage area according to the query request to obtain a query result, and visually displaying the query result.
8. A database audit device, wherein the database audit device comprises: memory, a processor and a database auditing program stored on the memory and running on the processor, the database auditing program when executed by the processor implementing the steps of the database auditing method of any of claims 1 to 7.
9. A storage medium having stored thereon a database auditing program which, when executed by a processor, implements the steps of a database auditing method according to any one of claims 1 to 7.
10. A database auditing apparatus, comprising:
an obtaining module, configured to obtain a database audit request and extract network address information, corresponding port information, current monitoring data and a database to be audited in the database audit request;
the scanning module is used for scanning the current monitoring data through a service scanning tool according to the port information to obtain service discovery information;
the searching module is used for searching a corresponding server engine according to the service discovery information;
the scanning module is further configured to scan the current monitoring data through a sensitive data scanning tool according to the network address information to obtain current sensitive data;
the obtaining module is further configured to obtain a policy making request, and add the current sensitive data according to the policy making request to obtain an audit policy;
and the auditing module is used for auditing the database to be audited according to the server engine and the auditing strategy.
CN201911402355.2A 2019-12-30 2019-12-30 Database auditing method, equipment, storage medium and device Active CN111104395B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911402355.2A CN111104395B (en) 2019-12-30 2019-12-30 Database auditing method, equipment, storage medium and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911402355.2A CN111104395B (en) 2019-12-30 2019-12-30 Database auditing method, equipment, storage medium and device

Publications (2)

Publication Number Publication Date
CN111104395A true CN111104395A (en) 2020-05-05
CN111104395B CN111104395B (en) 2023-06-06

Family

ID=70424014

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911402355.2A Active CN111104395B (en) 2019-12-30 2019-12-30 Database auditing method, equipment, storage medium and device

Country Status (1)

Country Link
CN (1) CN111104395B (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111913854A (en) * 2020-09-21 2020-11-10 安徽长泰信息安全服务有限公司 Comprehensive log auditing system alarming method for system data safety protection
CN112784554A (en) * 2021-04-12 2021-05-11 南京蜂泰互联网科技有限公司 Report management system and method based on intelligent computer
CN113010494A (en) * 2021-03-18 2021-06-22 北京金山云网络技术有限公司 Database auditing method and device and database proxy server
CN113032184A (en) * 2021-04-19 2021-06-25 深圳潮数软件科技有限公司 Method for automatically configuring backup client program
CN113704573A (en) * 2021-08-26 2021-11-26 北京中安星云软件技术有限公司 Database sensitive data scanning method and device

Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2010012170A1 (en) * 2008-07-28 2010-02-04 成都市华为赛门铁克科技有限公司 Database security monitoring method, device and system
CN101764704A (en) * 2009-12-10 2010-06-30 陕西鼎泰科技发展有限责任公司 Method for auditing internet sensitive contents and device thereof
CN103049708A (en) * 2012-12-27 2013-04-17 华为技术有限公司 Audit configuration method and audit configuration system for database
US20150278320A1 (en) * 2014-03-31 2015-10-01 Mckesson Specialty Care Distribution Corporation Systems and methods for generating and implementing database audit functionality across multiple platforms
CN105490866A (en) * 2014-09-19 2016-04-13 国家电网公司 Method and system for auditing open ports of hosts
CN106339305A (en) * 2016-08-30 2017-01-18 孙鸿鹏 Supervision and examination method for security of database
WO2017049309A1 (en) * 2015-09-17 2017-03-23 Eoriginal, Inc. System and method for electronic data capture and management for audit, monitoring, reporting and compliance
CN107465661A (en) * 2017-07-04 2017-12-12 重庆邮电大学 Cloud database security auditing method based on Docker virtualization
CN109600271A (en) * 2019-02-21 2019-04-09 成都安恒信息技术有限公司 Hybrid cloud management method based on an O&M auditing system
US20190122296A1 (en) * 2017-10-23 2019-04-25 Alibaba Group Holding Limited Data auditing method and device
CN109885554A (en) * 2018-12-20 2019-06-14 顺丰科技有限公司 Database security auditing method, system and computer readable storage medium
CN113704573A (en) * 2021-08-26 2021-11-26 北京中安星云软件技术有限公司 Database sensitive data scanning method and device

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
晏明春; 李酒: "A new type of online database audit system", 计算机工程与设计 (Computer Engineering and Design) *
范镭澎: "On the application of network scanning in information system auditing", 现代经济信息 (Modern Economic Information) *

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111913854A (en) * 2020-09-21 2020-11-10 安徽长泰信息安全服务有限公司 Comprehensive log auditing system alarming method for system data safety protection
CN113010494A (en) * 2021-03-18 2021-06-22 北京金山云网络技术有限公司 Database auditing method and device and database proxy server
CN112784554A (en) * 2021-04-12 2021-05-11 南京蜂泰互联网科技有限公司 Report management system and method based on intelligent computer
CN112784554B (en) * 2021-04-12 2021-07-06 南京蜂泰互联网科技有限公司 Report management system and method based on intelligent computer
CN113032184A (en) * 2021-04-19 2021-06-25 深圳潮数软件科技有限公司 Method for automatically configuring backup client program
CN113704573A (en) * 2021-08-26 2021-11-26 北京中安星云软件技术有限公司 Database sensitive data scanning method and device

Also Published As

Publication number Publication date
CN111104395B (en) 2023-06-06

Similar Documents

Publication Publication Date Title
CN111104395B (en) Database auditing method, equipment, storage medium and device
CN109067815B (en) Attack event tracing analysis method, system, user equipment and storage medium
CN111988339B (en) Network attack path discovery, extraction and association method based on DIKW model
US9847968B2 (en) Method and system for generating durable host identifiers using network artifacts
US10659335B1 (en) Contextual analyses of network traffic
US8146146B1 (en) Method and apparatus for integrated network security alert information retrieval
CN112115183B (en) Honeypot system threat information analysis method based on graph
Kaushik et al. Network forensic system for port scanning attack
CN111010405B (en) SaaS-based website security monitoring system
CN110351237B (en) Honeypot method and device for numerical control machine tool
CN111541673A (en) Efficient method and system for detecting HTTP request security
US20180316702A1 (en) Detecting and mitigating leaked cloud authorization keys
CN113923003A (en) Attacker portrait generation method, system, equipment and medium
CN110837646A (en) Risk investigation device of unstructured database
CN117040779A (en) Network abnormal access information acquisition method and device
KR20170095704A (en) Method and system for scanning vulnerability of the network printer
CN113132340B (en) Phishing website identification method based on vision and host characteristics and electronic device
CN111404903B (en) Log processing method, device, equipment and storage medium
CN111031068B (en) DNS analysis method based on complex network
CN111368294B (en) Virus file identification method and device, storage medium and electronic device
CN115883258B (en) IP information processing method, device, electronic equipment and storage medium
CN115242467B (en) Network data identification method and system
CN112487433A (en) Vulnerability detection method and device and storage medium
Patel et al. Analyzing network traffic data using Hive queries
Yang et al. Research of intrusion detection system based on vulnerability scanner

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant