CN111191247A - Database security audit system - Google Patents

Database security audit system

Info

Publication number: CN111191247A
Authority: CN (China)
Prior art keywords: unit, audit, message, configuration, database
Legal status: Pending
Application number: CN201911366496.3A
Other languages: Chinese (zh)
Inventor: 刘永波
Current assignee: Shenzhen Ankki Technology Co ltd
Original assignee: Shenzhen Ankki Technology Co ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/21 Design, administration or maintenance of databases


Abstract

The embodiment of the invention discloses a database security audit system. The database security audit system comprises: an external interface, used for establishing a communication connection with an external function module and receiving or outputting data information; an audit configuration module, used for determining the audit configuration of the target database server according to a user instruction received through the external interface; an acquisition engine, used for acquiring messages generated by a data analysis tool accessing the target database server; an audit engine, used for extracting a plurality of items of content information from the messages and outputting a corresponding audit result according to the content information and the audit configuration; and a data analysis module, used for generating a corresponding audit report according to the audit result. The system can be applied to auditing data analysis tools in a big data environment, and can be used to specifically identify whether the output of a data analysis tool carries the security risk of indirectly revealing data.

Description

Database security audit system
Technical Field
The invention relates to the technical field of database auditing, in particular to a database security auditing system.
Background
With the development of the internet, especially the mobile internet, the volume of data generated by enterprises and individuals in production and consumption activities has begun to grow explosively, producing a huge amount of data information. Traditional databases (e.g., MySQL, Oracle) have become unable to meet the requirements for storing, querying and analyzing such diverse and large amounts of data.
Big data technology was developed to meet the requirements for analyzing and querying massive and diverse data. A number of widely used data analysis tools are available, and value can be generated by analyzing the data, learning the behavior habits of users and discovering their potential needs.
However, these data analysis tools (such as Apache Spark) need to perform operations on the database when acquiring, storing or analyzing data. The access behavior of the analysis tools towards the database, and the analysis results they finally output, may carry information security risks, including the disclosure of private information held in the database.
In the process of implementing the present application, the inventor found the following problem in the prior art: existing database auditing methods directly audit all access operations on a database, but cannot determine or analyze whether the data analysis results output by a data analysis tool carry an information security risk, and therefore cannot provide all-round information security protection for the database against such risks.
Disclosure of Invention
The embodiment of the invention provides a database security audit system, which solves the problem that existing database auditing methods cannot audit a data analysis tool.
The first aspect of the embodiment of the invention provides a database security audit system. The database security audit system includes:
a plurality of external interfaces are arranged and used for establishing communication connection with an external function module and receiving or outputting data information;
an audit configuration module, used for determining the audit configuration of the target database server according to a user instruction received through the external interface; an acquisition engine, used for acquiring messages generated by a data analysis tool accessing the target database server; an audit engine, used for extracting a plurality of items of content information from the messages and outputting a corresponding audit result according to the content information and the audit configuration; and a data analysis module, used for generating a corresponding audit report according to the audit result.
Optionally, the acquisition engine comprises a message mirroring unit and a message flow guiding unit. The message mirroring unit is used for acquiring, through a mirror port, messages generated by a data analysis tool accessing the target database server; the message flow guiding unit is used for acquiring the messages generated by the data analysis tool accessing the target database server by means of message flow guiding.
Optionally, the acquisition engine further comprises a message filtering unit and a message forwarding unit. The message filtering unit is used for filtering the messages according to the audit configuration; the message forwarding unit is used for forwarding the messages that remain after filtering by the message filtering unit to the audit engine.
Optionally, the audit configuration module includes a protected object configuration unit, an audit policy configuration unit and a risk rule configuration unit. The protected object configuration unit is used for configuring the address, port and database type of the target database server; the risk rule configuration unit is used for configuring corresponding risk rules according to the access conditions of the target database server; and the audit policy configuration unit is used for configuring a corresponding audit policy according to the risk rules and a policy configuration instruction acquired through the external interface.
Optionally, the audit engine comprises a message reassembly unit, an information extraction unit and a risk identification unit. The message reassembly unit is used for reassembling the messages acquired by the acquisition engine; the information extraction unit is used for parsing and extracting the content information in the reassembled messages; and the risk identification unit is used for identifying risky operation behavior present in the messages according to the content information and the audit configuration of the target database server.
Optionally, the information extracting unit includes: a first information extraction unit for extracting visitor information, a second information extraction unit for extracting an operation sentence, and a third information extraction unit for extracting database information.
Optionally, the audit configuration module further includes an alarm rule configuration unit for configuring an alarm rule, and the external interface further comprises an alarm output port for outputting alarm information;
and the risk identification unit of the audit engine is further used for judging whether the risky operation behavior matches the alarm rule, and for outputting the alarm information through the alarm output port when it does.
Optionally, the data analysis module comprises a log retrieval unit and a report statistics unit. The log retrieval unit is used for retrieving log information related to the audit result; the report statistics unit is used for computing statistics and generating a corresponding audit report according to the retrieved log information and the audit result.
Optionally, the data analysis module further comprises a real-time monitoring unit, used for monitoring risky clients or risky servers in real time; the risky clients and risky servers are determined according to a preset risk scenario.
Optionally, the database security audit system is deployed in bypass mode, and the bypass deployment is used for monitoring the access behavior of the data analysis tool towards the database.
The database security audit system provided by the embodiment of the invention can be applied to auditing data analysis tools in a big data environment, and can be used to specifically identify whether the output of a data analysis tool carries the security risk of indirectly revealing data.
The foregoing description is only an overview of the technical solutions of the embodiments of the present invention. So that the technical means of the embodiments can be understood more clearly and implemented according to the content of this description, and so that the foregoing and other objects, features and advantages of the embodiments become more readily understandable, the detailed description of the present invention is provided below.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
FIG. 1 is a schematic diagram of an application scenario provided by an embodiment of the present invention;
FIG. 2 is a functional block diagram of a database security audit system provided by an embodiment of the present invention;
FIG. 3 is a functional block diagram of a database security audit system provided by another embodiment of the present invention;
fig. 4 is a block diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It will be understood that the terms "comprises" and/or "comprising," when used in this specification and the appended claims, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
Fig. 1 is a schematic view illustrating an application scenario of a database security audit system according to an embodiment of the present invention. The database security audit system can provide audit services: it monitors and records various operations on the database, audits those operations or access behaviors, and identifies whether dangerous behaviors such as illegal login, unauthorized operation or access to sensitive information exist. The final audit result can be stored in a database for subsequent query, retrieval and statistical report output, and high-risk behaviors can raise an alarm directly so that they are handled in time.
As shown in fig. 1, the application scenario may include: database 100, data analysis tool 200, data analysis results 300, and database security audit system 400.
The database 100 may be any type of data collection for storing related activity data of an enterprise or an individual, such as a relational database Oracle, a non-relational database Hbase, and the like. The database 100 is organized, and stores a large amount of data information according to a specific rule, which can be used as raw data for data analysis, query, and the like.
The data analysis tool 200 may be any suitable type of data processing engine known for analyzing and querying mass data, such as the Apache Spark tool. Apache Spark is a fast, general-purpose analysis engine designed for big data processing; it can analyze user activity data on the Internet and implement functions such as content recommendation and community discovery.
The data analysis result 300 is data information that is obtained by analyzing and processing the basic data of the database 100 by the data analysis tool 200, and that is implied in the behavior habits, user requirements, and the like of the mass data, and has important value. The data analysis results 300 may also be stored in another database as data information to facilitate query invocation. For example, the data analysis results 300 may be stored in a MySQL database.
The database security audit system 400 is a functional module that focuses on the access behavior of the data analysis tool 200 and provides corresponding audit services. It performs a security audit of the data analysis tool 200 by monitoring its access behavior towards the database, to ensure that neither the access behavior nor the output data presents a significant risk.
In this embodiment, the database security audit system 400 may be deployed in bypass mode. That is, the audit service sits on a branch of the normal big data analysis workflow, so its own performance or failure does not interfere with or affect the data analysis workflow of the data analysis tool 200.
In the big data environment, data analysis tools such as Spark can thus be audited and the data leakage risk they indirectly cause can be identified, achieving better information security protection for the database and preventing risk events.
Fig. 2 is a functional block diagram of a database security audit system 400 according to an embodiment of the present invention. As shown in FIG. 2, the database security audit system 400 may include: an external interface 410, an audit configuration module 420, an acquisition engine 430, an audit engine 440, and a data analysis module 450.
The external interface 410 is an interface for establishing a communication connection with an external function module and receiving or outputting data information.
The external interface 410 may be specifically configured according to the needs of actual situations, and is respectively used for establishing connections with different external devices to implement multiple functions. For example, the external interface 410 may include a platform input/output interface 411 for connecting with a centralized management platform, a terminal device interface 412 for connecting with an interconnection device, and a data backup interface 413 for connecting with a data backup server, and the like.
The audit configuration module 420 is a functional module for determining the audit configuration of the target database server according to a user instruction received by the external interface. "Audit configuration" refers to rules and policies followed when a target database server is audited. The audit configuration used specifically can be determined by the technician according to the needs of the actual situation, such as the database type of the target database server, the actual usage scenario, and the database risk to be avoided.
Specifically, the audit configuration module 420 may include a protected object configuration unit 421, an audit policy configuration unit 422, and a risk rule configuration unit 423.
The protected object configuration unit 421 is configured to configure the address port and the database type of the target database server. "target database server" refers to an object that needs to be audited or that provides auditing services. Based on the actual conditions of different database servers, corresponding audit configuration and audit modes may need to be adopted. Thereby, the target database server can be confirmed by the protected object configuration unit 421.
The risk rule configuration unit 423 is configured to configure a corresponding risk rule according to the access conditions of the target database server. A risk rule is a rule or criterion that determines the risk level of an access activity. The specific risk rules may be determined or set according to the access conditions of the target database server, and in some embodiments default or existing risk rules may be used directly.
The audit policy configuration unit 422 is configured to configure a corresponding audit policy according to the risk rules and the policy configuration instruction acquired through the external interface. An "audit policy" may be a process consisting of a series of decision conditions or decision logic. It can be set by the user or a technician according to the user's actual needs or the operating conditions of the database. Technicians or users can input policy configuration instructions to the database security audit system through external equipment in order to determine or configure a specific audit policy.
In the actual use process, the configured risk rules can be applied to an auditing strategy to form a complete judgment criterion or a measurement standard. The audit policy is further applied to the corresponding protected object (i.e., the target database server) to complete a complete audit configuration, so that each protected object has a corresponding audit configuration.
The acquisition engine 430 is used for acquiring messages generated by the data analysis tool 200 accessing the target database server. The acquisition engine may collect the messages generated when the data analysis tool 200 performs big data analysis in a number of different ways, and these messages serve as the basis for the audit service.
In some embodiments, as shown in fig. 2, the acquisition engine 430 may include a message mirroring unit 431 and/or a message flow guiding unit 432, which acquire the messages sent by the data analysis tool 200 to the database through mirroring or flow guiding respectively.
The message mirroring unit 431 is configured to obtain, through a mirror port, the messages generated when a data analysis tool accesses the target database server. "Mirroring" refers to forwarding the data traffic of one or more source ports to a designated port in order to monitor the network. The designated port is called the mirror port, and the messages with which the data analysis tool accesses the database can be acquired from it.
The message flow guiding unit 432 is configured to obtain the messages generated by the data analysis tool accessing the target database server by means of message flow guiding. "Message flow guiding" is a method of directing the messages of a target server to a target node by installing and configuring a plug-in on the target server.
The messages acquired by the message mirroring unit 431 and/or the message flow guiding unit 432 may contain invalid or useless data information. Preferably, the acquisition engine 430 therefore further includes a message filtering unit 433 and a message forwarding unit 434.
The message filtering unit 433 is configured to filter the messages according to the audit configuration. Filtering means setting suitable filtering conditions derived from the specific audit configuration to screen the messages and remove irrelevant message information, so as to simplify the subsequent security audit. For example, it may drop access messages carrying non-critical information, or messages for access to ports known to be safe.
The message forwarding unit 434 is configured to forward the messages remaining after the message filtering unit to the audit engine 440. The filtered messages are thus passed to the audit engine 440 through the message forwarding unit 434 for further analysis and auditing.
The auditing engine 440 is the core of the whole database security auditing system, and is used for extracting a plurality of items of content information in the message and outputting a corresponding auditing result according to the content information and the auditing configuration.
Based on the particular audit engine and audit configuration used, audit results containing information for a variety of dimensions can be formed. The auditing results, such as access frequency, modification of key information, time and place distribution of access behaviors, and the like, can be further stored in a corresponding database for subsequent examination and use.
Specifically, the auditing engine 440 may include: a message restructuring unit 441, an information extracting unit 442, an association analyzing unit 443, and a combination counting unit 444.
The message restructuring unit 441 is configured to reassemble the messages acquired by the acquisition engine. Message reassembly is a preprocessing step on the message data; the messages can be reassembled into a new packet form according to their actual condition.
The information extraction unit 442 is configured to parse and extract the content information in the reassembled messages. A message records its content information in a specific protocol, and the information extraction unit 442 parses it in the corresponding manner to determine the content of the message.
In some embodiments, the information extraction unit 442 includes: a first information extraction unit for extracting visitor information, a second information extraction unit for extracting an operation sentence, and a third information extraction unit for extracting database information.
The "database information" is one or more of predetermined content information according to the actual use condition of the database. The details of which may be determined based on the actual conditions of the database and the experience of the skilled person.
Of course, the information extraction unit may further extract more different types of content information according to the actual situation, including but not limited to user login information, database information, operation statements, returned results, tables, fields, and the like. The information extraction unit may also reduce extraction of one or more content information therein.
Based on the content information provided by the information extraction unit, the association analysis unit 443 may be configured to analyze data associations between the content information according to the audit configuration, and the combination counting unit 444 to count the distributions between the content information according to the audit configuration.
"Association analysis" and "combination statistics" can effectively audit and determine the behavior pattern of access behavior, or the access behavior under normal conditions, and summarize and provide specific statistical results on the access behavior towards the database.
The data analysis module 450 is a functional module for generating a corresponding audit report according to the audit result. The 'audit report' takes the audit result as basic data, and visually displays the specific audit result from a plurality of different dimensions through various different types of tables or charts.
Specifically, the data analysis module 450 may include: a log retrieval unit 451 and a report statistics unit 452.
The log retrieving unit 451 is configured to retrieve the log information related to the audit result. "Log information" is the log of the database recorded during daily operation. The log of a specific access port in a specific time period can be retrieved from all log information through corresponding retrieval conditions so as to support complete auditing.
The report statistics unit 452 is configured to perform statistics to generate a corresponding audit report according to the retrieved log information and the audit result. The report statistics unit 452 may use any suitable statistical method or statistical tool to obtain a report corresponding to the audit result.
The specific output audit report can be set according to the requirements of actual conditions, and various control buttons can be provided to switch and display various different data statistical results for users.
The database security audit system provided by the embodiment of the invention can adopt a browser/server (B/S) architecture: technicians or users perform audit configuration, view audit results and receive risk data alarms on a front-end client page, while the functional modules at the back end perform message acquisition, message parsing and information extraction, identify risks according to the audit configuration and output audit results.
The back-end functional modules can exchange information with external equipment through the external interface, implementing functions such as data backup, third-party equipment interconnection and risk alarms.
FIG. 3 is a functional block diagram of a database security audit system according to another embodiment of the present invention. In contrast to the database security audit system shown in fig. 2, the database security audit system shown in fig. 3 further provides high-risk behavior alarm and real-time monitoring functions.
As shown in fig. 3, in addition to the functional modules shown in fig. 2, the external interface 410 of the database security audit system further includes an alarm output port 414, the audit configuration module 420 further includes an alarm rule configuration unit 421, and the audit engine 440 further includes a risk identification unit 445.
The alarm rule configuration unit 421 is configured to configure an alarm rule. An alarm rule is a series of preset judgment processes or criteria for deciding whether an alarm needs to be sent, and can be set by the skilled person according to the needs of the actual situation.
The risk identification unit 445 is configured to identify risky operation behavior present in the messages according to the content information and the audit configuration of the target database server, and to determine whether the risky operation behavior matches the alarm rule.
When the alarm rule is matched, the risk identification unit 445 may output the alarm information through the alarm output port and feed it back to the user, so that a timely alarm is raised for high-risk operation behavior.
Specifically, as shown in fig. 3, the data analysis module may further include a real-time monitoring unit 453.
The real-time monitoring unit 453 is used for monitoring risky clients or risky servers in real time. The risky clients and risky servers are the high-risk clients or high-risk servers determined according to a preset risk scenario.
That is, in the given scenario these clients and servers have a high probability of being an attacker, or of carrying an information security risk such as information leakage. Through the real-time monitoring function, risks can be discovered in time and unsafe events affecting the database can be prevented.
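The following is an added illustration, not code from the patent or from the assignee, of the pipeline described above: a protected object configuration (address, port, database type), risk rules, an alarm threshold, message filtering against the protected objects, extraction of visitor, operation statement and database from each message, risk identification, and the combination count of accesses per visitor and database. The message fields, the regex form of the risk rules, the numeric risk levels and the sample traffic are all assumptions constructed for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ProtectedObject:
    """Protected object configuration: address, port and database type (unit 421)."""
    host: str
    port: int
    db_type: str


@dataclass(frozen=True)
class RiskRule:
    """Risk rule: a regex over the operation statement mapped to a risk level.
    Levels 1 = low, 2 = medium, 3 = high are an assumption of this example."""
    name: str
    level: int
    pattern: str


@dataclass(frozen=True)
class AuditConfig:
    """Audit configuration for a set of protected objects (module 420).
    alarm_level models the alarm rule: alarm when the risk level reaches it."""
    protected: tuple
    risk_rules: tuple
    alarm_level: int


@dataclass(frozen=True)
class Message:
    """One reassembled message; the field layout is constructed, not a wire format."""
    src_ip: str
    dst_host: str
    dst_port: int
    user: str
    database: str
    statement: str


def filter_messages(messages, cfg):
    """Message filtering unit 433: keep only traffic addressed to a protected object."""
    targets = {(p.host, p.port): p for p in cfg.protected}
    kept = []
    for m in messages:
        target = targets.get((m.dst_host, m.dst_port))
        if target is not None:
            kept.append((m, target))
    return kept


def extract_content(m):
    """Information extraction unit 442: visitor, operation statement, database."""
    return {
        "visitor": f"{m.user}@{m.src_ip}",
        "statement": " ".join(m.statement.split()),  # normalise whitespace
        "database": m.database,
    }


def identify_risk(content, cfg):
    """Risk identification unit 445: highest level among matching risk rules,
    plus the alarm decision against the configured alarm level."""
    matched = [r for r in cfg.risk_rules
               if re.search(r.pattern, content["statement"], re.IGNORECASE)]
    level = max((r.level for r in matched), default=0)
    return {"level": level, "rules": [r.name for r in matched],
            "alarm": level >= cfg.alarm_level}


def audit(messages, cfg):
    """Filter -> extract -> identify; one audit record per retained message."""
    records = []
    for m, target in filter_messages(messages, cfg):
        content = extract_content(m)
        records.append({**content, "db_type": target.db_type,
                        **identify_risk(content, cfg)})
    return records


def access_distribution(records):
    """Combination counting unit 444: number of accesses per (visitor, database)."""
    return Counter((r["visitor"], r["database"]) for r in records)


# Constructed sample configuration and traffic (not taken from the patent).
CONFIG = AuditConfig(
    protected=(ProtectedObject("10.0.0.5", 3306, "mysql"),),
    risk_rules=(
        RiskRule("bulk-export", 3, r"^SELECT\s+\*\s+FROM\s+\S+\s*;?$"),
        RiskRule("schema-change", 2, r"^(DROP|ALTER|TRUNCATE)\b"),
        RiskRule("sensitive-column", 3, r"\b(ssn|id_card|password)\b"),
    ),
    alarm_level=3,
)

SAMPLE = [
    Message("10.0.1.20", "10.0.0.5", 3306, "spark", "analytics", "SELECT * FROM users;"),
    Message("10.0.1.20", "10.0.0.5", 3306, "spark", "analytics",
            "SELECT count(*) FROM users WHERE region = 'cn'"),
    Message("10.0.1.21", "10.0.0.5", 3306, "report", "analytics",
            "SELECT name, id_card FROM users LIMIT 10"),
    # Different host/port: not a protected object, dropped by the filter.
    Message("10.0.1.22", "10.0.0.9", 5432, "etl", "staging", "DROP TABLE tmp"),
]

if __name__ == "__main__":
    for record in audit(SAMPLE, CONFIG):
        print(record)
    print(access_distribution(audit(SAMPLE, CONFIG)))
```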
Fig. 4 is a schematic structural diagram of an embodiment of an electronic device according to an embodiment of the present invention, and the specific embodiment of the present invention does not limit the specific implementation of the electronic device.
As shown in fig. 4, the electronic device may include a processor 402, a communication interface 404, a memory 406 and a communication bus 408.
The processor 402, the communication interface 404 and the memory 406 communicate with each other via the communication bus 408. The communication interface 404 is used for communicating with network elements of other devices, such as clients or other servers. The processor 402 is configured to execute the program 410, and may specifically implement the functional modules of the database security audit system.
In particular, the program 410 may include program code comprising computer operating instructions.
The processor 402 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement an embodiment of the present invention. The electronic device comprises one or more processors, which may be of the same type, such as one or more CPUs, or of different types, such as one or more CPUs and one or more ASICs.
The memory 406 is used for storing the program 410. The memory 406 may comprise high-speed RAM and may also include non-volatile memory, such as at least one disk memory.
The program 410 may be specifically configured to cause the processor 402 to execute the database security audit system of any of the embodiments described above.
The algorithms or displays presented herein are not inherently related to any particular computer, virtual system, or other apparatus. Various general purpose systems may also be used with the teachings herein. The required structure for constructing such a system will be apparent from the description above. In addition, embodiments of the present invention are not directed to any particular programming language. It is appreciated that a variety of programming languages may be used to implement the teachings of the present invention as described herein, and any descriptions of specific languages are provided above to disclose the best mode of the invention.
In the description provided herein, numerous specific details are set forth. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the embodiments are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the various inventive aspects. However, the disclosed method should not be interpreted as reflecting an intention that the invention as claimed requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this invention.
Those skilled in the art will appreciate that the modules in the device in an embodiment may be adaptively changed and disposed in one or more devices different from the embodiment. The modules or units or components of the embodiments may be combined into one module or unit or component, and furthermore they may be divided into a plurality of sub-modules or sub-units or sub-components. All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or elements of any method or apparatus so disclosed, may be combined in any combination, except combinations where at least some of such features and/or processes or elements are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
While the invention has been described with reference to specific embodiments, the invention is not limited thereto, and various equivalent modifications and substitutions can be easily made by those skilled in the art within the technical scope of the invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (10)

1. A database security audit system, comprising:
a plurality of external interfaces, configured to establish communication connections with external function modules and to receive or output data;
an audit configuration module, configured to determine the audit configuration of a target database server according to a user instruction received through the external interfaces;
an acquisition engine, configured to acquire the messages generated by a data analysis tool accessing the target database server;
an audit engine, configured to extract a plurality of items of content information from the messages and to output a corresponding audit result according to the content information and the audit configuration;
and a data analysis module, configured to generate a corresponding audit report according to the audit result.
2. The database security audit system of claim 1, wherein the acquisition engine comprises a message mirroring unit and a message diversion unit;
the message mirroring unit is configured to acquire, through a mirror port, the messages generated by the data analysis tool accessing the target database server;
the message diversion unit is configured to acquire the messages generated by the data analysis tool accessing the target database server by diverting (steering) the traffic to the audit system.
3. The database security audit system of claim 2, wherein the acquisition engine further comprises a message filtering unit and a message forwarding unit;
the message filtering unit is configured to filter the messages according to the audit configuration;
the message forwarding unit is configured to forward the messages remaining after filtering by the message filtering unit to the audit engine.
4. The database security audit system of claim 1, wherein the audit configuration module comprises a protected object configuration unit, an audit policy configuration unit and a risk rule configuration unit;
the protected object configuration unit is configured to configure the address, port and database type of the target database server;
the risk rule configuration unit is configured to configure corresponding risk rules according to the access conditions of the target database server;
the audit policy configuration unit is configured to configure a corresponding audit policy according to the risk rules and a policy configuration instruction received through the external interfaces.
5. The database security audit system of claim 4, wherein the audit engine comprises a message reassembly unit, an information extraction unit, an association analysis unit and a combined statistics unit;
the message reassembly unit is configured to reassemble the messages acquired by the acquisition engine;
the information extraction unit is configured to parse the reassembled messages and extract the content information from them;
the association analysis unit is configured to analyse the data associations between the items of content information according to the audit configuration;
the combined statistics unit is configured to compute the distribution characteristics among the items of content information according to the audit configuration.
6. The database security audit system of claim 5, wherein the information extraction unit comprises:
a first information extraction unit for extracting visitor information, a second information extraction unit for extracting the operation statement, and a third information extraction unit for extracting database information.
7. The database security audit system of claim 6, wherein the audit configuration module further comprises an alarm rule configuration unit for configuring alarm rules, and the external interfaces further comprise an alarm output port for outputting alarm information;
the audit engine further comprises a risk identification unit, configured to identify risky operation behaviour present in the messages according to the content information and the audit configuration of the target database server, and to output the alarm information through the alarm output port when the risky operation behaviour matches an alarm rule.
8. The database security audit system of claim 1, wherein the data analysis module comprises a log retrieval unit and a report statistics unit;
the log retrieval unit is configured to retrieve the log information related to the audit result;
the report statistics unit is configured to compile the corresponding audit report from the retrieved log information and the audit result.
9. The database security audit system of claim 8, wherein the data analysis module further comprises:
a real-time monitoring unit, configured to monitor a risk client or a risk server in real time, the risk client and the risk server being determined according to a preset risk scenario.
10. The database security audit system according to any one of claims 1 to 9, wherein the database security audit system is deployed in bypass (out-of-band) mode to monitor the access behaviour of the data analysis tool towards the database.
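The claims describe the pipeline only in functional terms. The following Python sketch is an added example, not code from the patent or from Shenzhen Ankki: it walks the claimed units over constructed traffic, reassembling mirrored TCP segments into MySQL COM_QUERY packets (message reassembly unit), dropping flows that are not to a configured protected object (message filtering unit), extracting visitor, operation statement and database information (the three information extraction units), matching risk rules and alarm rules (risk identification unit), and tallying a report (report statistics unit). The MySQL wire layout (3-byte length, 1-byte sequence id, payload, command byte 0x03 for COM_QUERY) is real; the addresses, rule names, rule patterns and SQL statements are assumptions made for the example.

```python
"""Added example, not the patent's code: a bypass-mode audit pipeline over
mirrored MySQL traffic. The wire layout is MySQL's (3-byte length, 1-byte
sequence id, payload; COM_QUERY = 0x03); hosts, rules and SQL are constructed."""
import re
from dataclasses import dataclass, field

COM_QUERY = 0x03  # command byte of a packet that carries a text SQL statement


@dataclass
class AuditConfig:
    protected: dict   # protected objects: (server_ip, port) -> database type
    risk_rules: dict  # risk rules: name -> compiled regex over the statement
    alarm_on: set     # alarm rules: risk names that raise an alarm


@dataclass
class AuditResult:
    client: str       # visitor information
    server: str       # database information (the protected object)
    db_type: str
    statement: str    # operation statement
    risks: list = field(default_factory=list)
    alarm: bool = False


def reassemble(segments):
    """Message reassembly: order the captured TCP segments of one direction by
    sequence number, join them, and cut out complete MySQL packets."""
    buf = b"".join(data for _seq, data in sorted(segments))
    payloads = []
    while len(buf) >= 4:
        length = int.from_bytes(buf[:3], "little")
        if len(buf) < 4 + length:
            break  # incomplete tail: an off-path sensor waits, it never guesses
        payloads.append(buf[4:4 + length])
        buf = buf[4 + length:]
    return payloads


def extract_statement(payload):
    """Information extraction: only COM_QUERY payloads carry SQL text."""
    if not payload or payload[0] != COM_QUERY:
        return None
    return re.sub(r"\s+", " ", payload[1:].decode("utf-8", "replace")).strip()


def audit_flow(client, server, segments, config):
    """Audit engine: drop flows to unprotected servers, extract visitor /
    statement / database info, match risk rules and decide on an alarm."""
    if server not in config.protected:
        return []  # message filtering: not a configured protected object
    results = []
    for payload in reassemble(segments):
        sql = extract_statement(payload)
        if sql is None:
            continue
        res = AuditResult(client, "%s:%d" % server, config.protected[server], sql)
        res.risks = [n for n, rx in config.risk_rules.items() if rx.search(sql)]
        res.alarm = bool(set(res.risks) & config.alarm_on)
        results.append(res)
    return results


def report(results):
    """Report statistics: statements per risk name, plus the alarm count."""
    counts = {}
    for r in results:
        for name in r.risks:
            counts[name] = counts.get(name, 0) + 1
    counts["alarms"] = sum(1 for r in results if r.alarm)
    return counts


def mysql_query_packet(sql, seq=0):
    """Build one COM_QUERY packet; used here only to construct sample traffic."""
    payload = bytes([COM_QUERY]) + sql.encode()
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload


SAMPLE_CONFIG = AuditConfig(  # hypothetical protected object and rules
    protected={("10.0.0.5", 3306): "mysql"},
    risk_rules={
        "delete_without_where": re.compile(r"^DELETE FROM \S+;?$", re.I),
        "drop_table": re.compile(r"^DROP TABLE\b", re.I),
        "sensitive_table": re.compile(r"\busers\b", re.I),
    },
    alarm_on={"delete_without_where", "drop_table"},
)


def run_sample():
    """Constructed client->server stream of three queries, captured as two
    segments that arrive out of order, the cut falling inside the first packet."""
    stream = (mysql_query_packet("SELECT id, email FROM users WHERE id = 42")
              + mysql_query_packet("DELETE FROM audit_log")
              + mysql_query_packet("DROP TABLE users"))
    segments = [(2, stream[30:]), (1, stream[:30])]
    return audit_flow("192.168.1.20", ("10.0.0.5", 3306), segments, SAMPLE_CONFIG)


if __name__ == "__main__":
    results = run_sample()
    for r in results:
        print("ALARM" if r.alarm else "audit", r.client, "->", r.server,
              r.statement, r.risks)
    print(report(results))
```

Two caveats a practitioner would attach to the bypass deployment of claim 10. A sensor fed from a mirror port can only record and alarm; it is never in the request path, so the DROP TABLE in the sample is reported after the fact, not blocked. And the extraction step above only works because the sample traffic is plaintext; a TLS-protected client session yields no statement to parse unless the sensor is given the session keys or terminates TLS itself (a problem the same applicant's later application CN112487483A, listed under Cited By, is directed at).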

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911366496.3A CN111191247A (en) 2019-12-26 2019-12-26 Database security audit system

Publications (1)

Publication Number Publication Date
CN111191247A true CN111191247A (en) 2020-05-22

Family

ID=70709405

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112162832A (en) * 2020-09-08 2021-01-01 北京人大金仓信息技术股份有限公司 Method and device for realizing audit data storage under multi-version concurrency control
CN112162832B (en) * 2020-09-08 2024-02-09 北京人大金仓信息技术股份有限公司 Method and device for realizing audit data storage under multi-version concurrency control
CN112527772A (en) * 2020-12-11 2021-03-19 深圳昂楷科技有限公司 Graph database auditing method and auditing equipment
CN112487483A (en) * 2020-12-14 2021-03-12 深圳昂楷科技有限公司 Encrypted database flow auditing method and device
CN112487483B (en) * 2020-12-14 2024-05-03 深圳昂楷科技有限公司 Encrypted database flow auditing method and device
CN113067886A (en) * 2021-03-30 2021-07-02 深圳红途创程科技有限公司 Database three-layer correlation auditing method and device, computer equipment and storage medium
CN113408912A (en) * 2021-06-23 2021-09-17 中央广播电视总台 Auditing system and electronic device for television station
CN113408912B (en) * 2021-06-23 2023-12-19 中央广播电视总台 Auditing system and electronic device for television station
CN113360728A (en) * 2021-07-02 2021-09-07 南方电网数字电网研究院有限公司 User operation auditing method and device, computer equipment and storage medium

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107302529A (en) * 2017-06-14 2017-10-27 苏州海加网络科技股份有限公司 Database security auditing system and method based on scene perception
CN108763957A (en) * 2018-05-29 2018-11-06 电子科技大学 A kind of safety auditing system of database, method and server
CN109885554A (en) * 2018-12-20 2019-06-14 顺丰科技有限公司 Method of Database Secure Audit method, system and computer readable storage medium
CN110363014A (en) * 2019-07-05 2019-10-22 上海瀚之友信息技术服务有限公司 A kind of auditing system of database

Similar Documents

Publication Publication Date Title
CN111191247A (en) Database security audit system
CN114143020B (en) Rule-based network security event association analysis method and system
CN107579956B (en) User behavior detection method and device
US8156553B1 (en) Systems and methods for correlating log messages into actionable security incidents and managing human responses
CN104063473B (en) A kind of database audit monitoring system and its method
CN111177779B (en) Database auditing method, device, electronic equipment and computer storage medium
US20100325685A1 (en) Security Integration System and Device
CN105659245A (en) Context-aware network forensics
CN111740868B (en) Alarm data processing method and device and storage medium
CN103124293A (en) Cloud data safe auditing method based on multi-Agent
CN110896386B (en) Method, device, storage medium, processor and terminal for identifying security threat
CN109462599A (en) A kind of honey jar management system
CN107733902A (en) A kind of monitoring method and device of target data diffusion process
US20150358292A1 (en) Network security management
CN114157504A (en) Safety protection method based on Servlet interceptor
CN114139178A (en) Data link-based data security monitoring method and device and computer equipment
CN107171818A (en) Control method, system and device for mixed cloud
CN104580090B (en) The method and device that security strategy O&M is assessed
CN102945254B (en) The method of the data that note abnormalities in TB level magnanimity Audit data
CN112769739B (en) Database operation violation processing method, device and equipment
CN111901199A (en) Mass data-based quick early warning matching implementation method
CN106254163B (en) Monitor the method and device of the USB port of computer in local area network
CN113792076A (en) Data auditing system
CN114244685A (en) Cloud service center access exception handling system
US20130205015A1 (en) Method and Device for Analyzing Data Intercepted on an IP Network in order to Monitor the Activity of Users on a Website

Legal Events

Date Code Title Description
2020-05-22 PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication Application publication date: 20200522