CN112417443A - Database protection method and device, firewall and computer readable storage medium - Google Patents


Info

Publication number
CN112417443A
Authority
CN
China
Prior art keywords
database
rule
identification rule
operation identification
data
Prior art date
Legal status
Pending
Application number
CN202011315140.XA
Other languages
Chinese (zh)
Inventor
于樱鑫
Current Assignee
Ping An Puhui Enterprise Management Co Ltd
Original Assignee
Ping An Puhui Enterprise Management Co Ltd
Priority date
Filing date
Publication date

Classifications

    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity (G PHYSICS › G06 COMPUTING; CALCULATING OR COUNTING › G06F ELECTRIC DIGITAL DATA PROCESSING), in the following subgroups:
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action (under G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems; G06F21/55 Detecting local intrusion or implementing counter-measures)
    • G06F21/602 Providing cryptographic facilities or services (under G06F21/60 Protecting data)
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database (under G06F21/60 Protecting data; G06F21/62 Protecting access to data via a platform)
    • G06F21/6254 Protecting personal data, e.g. for financial or medical purposes, by anonymising data, e.g. decorrelating personal data from the owner's identification (under G06F21/6218; G06F21/6245 Protecting personal data, e.g. for financial or medical purposes)

Abstract

The application provides a database protection method, a database protection device, a firewall and a computer-readable storage medium. The method comprises: acquiring the request data corresponding to a database access request; determining whether the request data hits at least one sensitive operation identification rule; if it does, intercepting the database access request; if it does not, obtaining the response data the database returns for the database access request; determining a target desensitization rule from a preset desensitization rule table according to the role information in the request data; desensitizing the response data according to the target desensitization rule to obtain target response data, and sending the target response data to the client for display. The method and device improve the security of the database and of the sensitive information it holds. The application also relates to the field of blockchain: the computer-readable storage medium may store data created from the use of blockchain nodes.

Description

Database protection method and device, firewall and computer readable storage medium
Technical Field
The present application relates to the field of security protection technologies, and in particular to a database protection method, apparatus, firewall and computer-readable storage medium.
Background
At present, many enterprises store important data such as customer, financial and attendance records in databases, so database security is particularly important. Existing database protection mainly defends against external attacks; it cannot identify high-risk operations such as batch deletion or batch export performed on the database by an enterprise's own operation and maintenance staff or by third-party operation and maintenance personnel, so data in the database is easily leaked or made unavailable, causing great loss to the enterprise. How to improve database security is therefore a pressing problem.
Disclosure of Invention
The embodiment of the application provides a database protection method, a database protection device, a firewall and a computer readable storage medium, and aims to improve the security of a database.
In a first aspect, an embodiment of the present application provides a database protection method applied to a database firewall, where the database firewall is connected to a network splitter and a sensitive operation identification rule base is configured in the database firewall. The method includes:
acquiring a database access request distributed by the network splitter, and acquiring the request data corresponding to the database access request;
determining whether the request data hits at least one sensitive operation identification rule in the sensitive operation identification rule base;
if the request data hits at least one sensitive operation identification rule in the rule base, intercepting the database access request;
if the request data hits no sensitive operation identification rule, obtaining the response data returned by the database for the database access request;
determining a target desensitization rule from a preset desensitization rule table according to the role information in the request data;
desensitizing the response data according to the target desensitization rule to obtain target response data, and sending the target response data to the client for display.
In a second aspect, an embodiment of the present application further provides a database protection device applied to a database firewall, where the database firewall is connected to a network splitter and a sensitive operation identification rule base is configured in the database firewall. The database protection device includes:
an acquisition module, used to acquire a database access request distributed by the network splitter and the request data corresponding to the database access request;
a rule hit module, used to determine whether the request data hits at least one sensitive operation identification rule in the sensitive operation identification rule base;
an interception module, used to intercept the database access request if the request data hits at least one sensitive operation identification rule in the rule base;
the acquisition module is further configured to obtain the response data returned by the database for the database access request if the request data hits no sensitive operation identification rule;
a rule determination module, used to determine a target desensitization rule from a preset desensitization rule table according to the role information in the request data;
a desensitization module, used to desensitize the response data according to the target desensitization rule to obtain target response data;
and a sending module, used to send the target response data to the client for display.
In a third aspect, an embodiment of the present application further provides a database firewall, where the database firewall includes a processor, a memory, and a computer program stored on the memory and executable by the processor, where the computer program, when executed by the processor, implements the steps of the database protection method as described above.
In a fourth aspect, this application further provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the steps of the database protection method as described above.
The embodiments of the application provide a database protection method, device, firewall and computer-readable storage medium. When a database access request distributed by the network splitter is obtained, the request data corresponding to it is obtained and checked against the sensitive operation identification rule base. If the request data hits at least one sensitive operation identification rule, the database access request is intercepted. If it hits none, a target desensitization rule is looked up in the preset desensitization rule table according to the role information in the request data, the response data returned for the request is desensitized according to that rule, and the desensitized target response data is sent to the client for display. Dangerous database access requests are thus intercepted, and response data is desensitized dynamically according to the role of the accessing user, so sensitive information is protected and the security of the database and of the sensitive information is greatly improved.
Drawings
In order to illustrate the technical solutions of the embodiments more clearly, the drawings used in the description of the embodiments are briefly introduced below. The drawings described below show some embodiments of the present application; those skilled in the art can derive other drawings from them without creative effort.
Fig. 1 is a schematic flowchart of a database protection method according to an embodiment of the present application;
FIG. 2 is a flow diagram illustrating sub-steps of the database protection method of FIG. 1;
FIG. 3 is a flow diagram illustrating sub-steps of the database protection method of FIG. 1;
FIG. 4 is a schematic block diagram of a database protection device provided by an embodiment of the present application;
FIG. 5 is a schematic block diagram of sub-modules of the database protection device of FIG. 4;
fig. 6 is a schematic block diagram of a structure of a database firewall according to an embodiment of the present application.
The implementation, functional features and advantages of the objectives of the present application will be further described with reference to the accompanying drawings.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some, but not all, embodiments of the present application. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The flow diagrams depicted in the figures are merely illustrative and do not necessarily include all of the elements and operations/steps, nor do they necessarily have to be performed in the order depicted. For example, some operations/steps may be decomposed, combined or partially combined, so that the actual execution sequence may be changed according to the actual situation.
In order to solve the above problem, embodiments of the present application provide a database protection method, apparatus, firewall and computer-readable storage medium. When a database access request distributed by the network splitter is obtained, the request data corresponding to it is obtained and checked against the sensitive operation identification rule base. If the request data hits at least one sensitive operation identification rule, the database access request is intercepted. If it hits none, a target desensitization rule is looked up in the preset desensitization rule table according to the role information in the request data, the response data returned for the request is desensitized according to that rule, and the desensitized target response data is sent to the client for display. Dangerous database access requests are thus intercepted, and response data is desensitized dynamically according to the role of the accessing user, so sensitive information is protected and the security of the database and of the sensitive information is greatly improved.
Some embodiments of the present application will be described in detail below with reference to the accompanying drawings. The embodiments described below and the features of the embodiments can be combined with each other without conflict.
Referring to fig. 1, fig. 1 is a schematic flowchart of a database protection method according to an embodiment of the present disclosure. The method is applied to a database firewall that is connected to a network splitter and configured with a sensitive operation identification rule base; the sensitive operation identification rules in that rule base are used to identify sensitive operations on the database.
As shown in fig. 1, the database protection method includes steps S101 to S106.
Step S101, a database access request distributed by the network splitter is obtained, and the request data corresponding to the database access request is obtained.
The client is connected to the network splitter, the network splitter to the database firewall, and the database firewall to the database; the database firewall is also connected to a rule management server. The database firewall stores the sensitive operation identification rule base and a preset desensitization rule table. A sensitive operation identification rule in the rule base is used to identify whether the database access operation corresponding to a database access request is a sensitive operation; a desensitization rule in the preset desensitization rule table is used to desensitize sensitive information in the response data. Both the rule base and the desensitization rule table stored in the database firewall can be configured by developers through the rule management server. Sensitive information can include names, certificate numbers, contact addresses, contact methods, bank card numbers and the like, and the database can be Oracle, SQL Server, DB2, MySQL, MongoDB, Redis or Memcache.
When a user needs to access the database, a database access request is sent to the database through the client. The network splitter intercepts the database access request sent by the client and distributes it to the database firewall, which acquires the request and the request data corresponding to it. The request data may include the GET request line and the Cookie, Referer and X-Forwarded-For header fields of the HTTP protocol, and the like.
Step S102, determining whether the request data hits at least one sensitive operation identification rule in the sensitive operation identification rule base.
The sensitive operation identification rule base comprises one or more of an SQL injection attack identification rule table, an XSS attack identification rule table and a high-risk operation identification rule table. The SQL injection attack identification rule table comprises one or more SQL injection attack identification rules, used to identify external SQL injection attacks; the XSS attack identification rule table comprises one or more XSS attack identification rules, used to identify external XSS attacks; the high-risk operation identification rule table comprises one or more high-risk operation identification rules, used to identify high-risk operations on the database.
In an embodiment, as shown in fig. 2, step S102 may include sub-steps S1021 through S1023.
Sub-step S1021, determining whether the request data hits at least one SQL injection attack identification rule in the SQL injection attack identification rule table.
Illustratively, a first SQL syntax element and a first SQL syntax field are extracted from the request data, and it is determined whether they hit at least one SQL injection attack identification rule in the table. An SQL injection attack identification rule is a regular expression generated from the SQL syntax element and SQL syntax field that correspond to an SQL injection attack.
Taking a single SQL injection attack identification rule as an example: the SQL syntax element and SQL syntax field are read from the rule, and the first SQL syntax element and first SQL syntax field are compared with them. If both the syntax element and the syntax field are the same, the request data hits the rule; if the syntax element and/or the syntax field differ, it does not.
Sub-step S1022, determining whether the request data hits at least one XSS attack identification rule in the XSS attack identification rule table.
Illustratively, a content string is extracted from the request data, and it is determined whether the content characters in the string hit at least one XSS attack identification rule in the table. The XSS attack identification rules are obtained statistically from the characteristics of XSS attacks, each being a regular expression generated from one or more content characters that correspond to an XSS attack. For example, the XSS attack identification rules include the characters "<" and ">" and a regular expression that matches a script tag with optional whitespace around the tag name.
Taking a single XSS attack identification rule as an example: the one or more content characters are read from the rule and each character of the content string is compared with them. If the content string contains every read content character, it hits the rule; if any read content character is absent from the content string, it does not.
Sub-step S1023, determining whether the request data hits at least one high-risk operation identification rule in the high-risk operation identification rule table.
Illustratively, a second SQL syntax element and a second SQL syntax field are extracted from the request data, and it is determined whether they hit a high-risk operation identification rule in the table. A high-risk operation identification rule is a regular expression generated from the SQL syntax element and SQL syntax field that correspond to a high-risk operation; high-risk operations include batch data deletion, batch data update and batch data export operations on the database.
Taking a single high-risk operation identification rule as an example: the SQL syntax element and SQL syntax field are read from the rule, and the second SQL syntax element and second SQL syntax field are compared with them. If both are the same, the request data hits the rule; if the syntax element and/or the syntax field differ, it does not.
Step S103, if the request data hits at least one sensitive operation identification rule in the sensitive operation identification rule base, intercepting the database access request.
That is, if the request data hits at least one SQL injection attack identification rule, at least one XSS attack identification rule or at least one high-risk operation identification rule, the database access request is intercepted, so that SQL injection attacks, XSS attacks and high-risk operations on the database are prevented and the security of the database is ensured.
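The three rule tables of sub-steps S1021 to S1023 and the interception decision of step S103 can be implemented as regular-expression matching over a normalised copy of the request. The following Python is an added example, not code from the patent or from the assignee: the rule bodies, the Request structure and the comment-stripping normalisation are assumptions made for the demonstration, and the patterns are illustrative rather than a complete rule base.

```python
import re
from dataclasses import dataclass, field

# Constructed rule tables standing in for the SQL injection, XSS and high-risk
# tables of S102 (hypothetical rules, not the patent's rule base).
SQL_INJECTION_RULES = {
    "tautology":        re.compile(r"\bOR\s+(['\"]?)(\w+)\1\s*=\s*\1\2\1", re.I),  # OR '1'='1'
    "union_select":     re.compile(r"\bUNION\b(?:\s+ALL)?\s+SELECT\b", re.I),
    "stacked_ddl":      re.compile(r";\s*(?:DROP|ALTER|TRUNCATE|CREATE)\b", re.I),
    "trailing_comment": re.compile(r"--[^\n]*$"),                                 # 'admin'--
}
XSS_RULES = {
    "script_tag":     re.compile(r"<\s*script\b", re.I),
    "event_handler":  re.compile(r"\bon[a-z]+\s*=", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
}
HIGH_RISK_RULES = {
    "delete_without_where": re.compile(r"^\s*DELETE\s+FROM\s+[\w.]+\s*;?\s*$", re.I),
    "update_without_where": re.compile(r"^\s*UPDATE\s+[\w.]+\s+SET\b(?!.*\bWHERE\b)", re.I | re.S),
    "truncate_table":       re.compile(r"^\s*TRUNCATE\s+TABLE\b", re.I),
    "bulk_export":          re.compile(r"\bINTO\s+(?:OUTFILE|DUMPFILE)\b", re.I),
}


@dataclass
class Request:
    """Request data as seen by the firewall (assumed shape). http_fields holds the
    query string and the Cookie / Referer / X-Forwarded-For headers named in S101."""
    role: str
    sql: str
    http_fields: dict = field(default_factory=dict)


def normalise_sql(sql: str) -> str:
    """Unwrap MySQL versioned comments (/*! ... */ is executed by the server), drop
    ordinary block comments and collapse whitespace, so that DELETE/**/FROM t is
    matched exactly like DELETE FROM t."""
    sql = re.sub(r"/\*!\d*\s*(.*?)\*/", r"\1", sql, flags=re.S)
    sql = re.sub(r"/\*.*?\*/", " ", sql, flags=re.S)
    return re.sub(r"\s+", " ", sql).strip()


def match_rules(text: str, rules: dict) -> list:
    """Names of the rules in one table that the text hits, in table order."""
    return [name for name, rx in rules.items() if rx.search(text)]


def check_request(req: Request) -> dict:
    """S1021 to S1023: hits per table; an empty list means the table was missed.
    XSS rules run over the SQL and over every HTTP field, since injected markup
    usually arrives in a parameter, cookie or header rather than in the SQL."""
    sql = normalise_sql(req.sql)
    content = " ".join([sql, *map(str, req.http_fields.values())])
    return {
        "sql_injection": match_rules(sql, SQL_INJECTION_RULES),
        "xss":           match_rules(content, XSS_RULES),
        "high_risk":     match_rules(sql, HIGH_RISK_RULES),
    }


def should_intercept(req: Request) -> bool:
    """S103: intercept when any rule in any table hits."""
    return any(check_request(req).values())


if __name__ == "__main__":
    # Constructed requests: one benign, the rest hitting one table each.
    samples = [
        Request("A", "SELECT id, name FROM customers WHERE id = 42"),
        Request("A", "SELECT * FROM users WHERE name = '' OR '1'='1'"),
        Request("A", "DELETE/**/FROM customers"),
        Request("A", "SELECT 1", {"query": "q=<script>alert(1)</script>"}),
    ]
    for r in samples:
        print(should_intercept(r), check_request(r), r.sql, r.http_fields)
```

The normalisation step is the part worth keeping: a rule base that compares raw request text is bypassed with comment or whitespace tricks such as DELETE/**/FROM t. Pattern rules of this kind still produce misses and false positives (a column named online hits the event-handler rule), so every hit should be logged together with the full request so that the rule base maintained through the rule management server can be tuned.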
Step S104, if the request data hits no sensitive operation identification rule, obtaining the response data returned by the database for the database access request.
If the request data hits no sensitive operation identification rule, the corresponding database is accessed according to the database access request, the corresponding database access operation is executed, and the response data returned by the database for the request is obtained.
Step S105, determining a target desensitization rule from a preset desensitization rule table according to the role information in the request data.
The preset desensitization rule table comprises a name desensitization rule, a certificate desensitization rule, a contact address desensitization rule, a contact method desensitization rule, a company name desensitization rule and the like. The name desensitization rule masks the customer's name: either the surname is replaced by a preset character and the given name is kept, or both surname and given name are replaced by the preset character. The certificate desensitization rule masks the customer's certificate numbers (property certificate, identity card, driver's licence, business licence and the like): either part of the number or the whole number is replaced by preset characters.
The contact address desensitization rule masks the customer's contact address (company address or home address): either the detail below city level (district, county, street) or everything from province and city downwards is replaced by preset characters. The contact method desensitization rule masks the customer's contact method (mobile number or landline number): part or all of the number is replaced by preset characters. The company name desensitization rule masks the customer's company name by replacing part of its characters with preset characters. The preset characters can be chosen by those skilled in the art according to actual need and are not limited by this embodiment.
In an embodiment, the preset desensitization rule table stores a mapping between role information and desensitization rules, and the target desensitization rule is obtained by looking up the role information in the request data in that mapping. For example, the desensitization rule table is shown in Table 1 below.
TABLE 1
Role information    Desensitization rules
Role A              Certificate desensitization rule
Role B              Name desensitization rule, certificate desensitization rule
Role C              Certificate desensitization rule, contact desensitization rule
Role D              Certificate desensitization rule, certificate desensitization rule, contact desensitization rule
For example, if the role information in the request data is Role B, the target desensitization rules are the name desensitization rule and the certificate desensitization rule; if it is Role C, they are the certificate desensitization rule and the contact desensitization rule.
Step S106, desensitizing the response data according to the target desensitization rule to obtain target response data, and sending the target response data to the client for display.
After the target desensitization rule has been determined and the response data obtained, the response data is desensitized according to the target desensitization rule to obtain the target response data. For example, if the target desensitization rules are the certificate and contact desensitization rules, the certificate numbers and contact methods in the response data are desensitized; if they are the name and certificate desensitization rules, the names and certificate numbers in the response data are desensitized.
In an embodiment, as shown in fig. 3, step S106 may include sub-steps S1061-S1062.
And a substep S1061 of determining target sensitive information to be desensitized in the response data according to the target desensitization rule.
The sensitive information comprises a name, a certificate number, a contact address, a contact method, a bank card number and the like. For example, when the target desensitization rule is a name desensitization rule, the customer's name in the response data is determined as the target sensitive information to be desensitized; when the target desensitization rule is a certificate number desensitization rule, the certificate number in the response data is determined as the target sensitive information to be desensitized; when the target desensitization rule is a contact address desensitization rule, the contact address in the response data is determined as the target sensitive information to be desensitized; and when the target desensitization rule is a bank card number desensitization rule, the bank card number in the response data is determined as the target sensitive information to be desensitized.
Substep S1062: replacing part of the characters or all of the characters in the target sensitive information with preset characters.
The preset characters may be set based on actual conditions and are not specifically limited in the embodiments of the present application; for example, the preset characters are "+" or "#".
For example, the last name in the customer name is replaced with the preset character while the first name is left unchanged, or both the last name and the first name are replaced with the preset character. For another example, the certificate number is masked (certificate numbers include a house property certificate number, an identity card number, a driver's license number, a business license number, etc.), that is, part of the certificate number is replaced with the preset character, or all of the certificate number is replaced with the preset character.
For another example, the contact address is masked (contact addresses include a company address and a home address), that is, the detailed information such as the prefecture, county and street in the contact address is replaced with the preset character, or the detailed information such as the province, city, prefecture, county and street in the contact address is replaced with the preset character. For another example, the contact method is masked (contact methods include a mobile phone number and a landline phone number), that is, part of the mobile phone number or landline phone number is replaced with the preset character, or all of the mobile phone number or landline phone number is replaced with the preset character.
Further, part of the characters or all of the characters in the target sensitive information are replaced with the preset characters corresponding to the target desensitization rule. For example, the preset character corresponding to the name desensitization rule and the contact address desensitization rule is a first preset character, and the preset character corresponding to the certificate number desensitization rule and the contact method desensitization rule is a second preset character. The first preset character may be 'x' and the second preset character may be '#'.
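The role-based desensitization of substep S1062, as an added Python example that is not part of the patent: the rule table, role names, field names and sample rows are constructed, and the preset characters are the 'x' and '#' given in the description.

```python
import re

# Added example, not the patent's own code. Role names, field names, the
# partial-masking positions and the sample row are constructed assumptions;
# the preset characters follow the description ('x' for the name and contact
# address rules, '#' for the certificate number and contact method rules).
PRESET_CHAR = {"name": "x", "address": "x", "cert_no": "#", "phone": "#"}

# Preset desensitization rule table: role -> [(sensitive field, "partial"|"full")].
# A role with an empty list sees the response unchanged (constructed).
DESENSITIZATION_RULES = {
    "customer_service": [("name", "partial"), ("cert_no", "partial"),
                         ("phone", "partial"), ("address", "partial")],
    "analyst": [("name", "full"), ("cert_no", "full"),
                ("phone", "full"), ("address", "full")],
    "auditor": [],
}


def _fill(text, ch):
    """Replace every character of `text` with the preset character."""
    return ch * len(text)


def mask_name(name, mode):
    """Partial: replace the last name (assumed to be the leading character of a
    Chinese name) and keep the first name, as the description puts it;
    full: replace the whole name."""
    ch = PRESET_CHAR["name"]
    if mode == "full" or len(name) < 2:
        return _fill(name, ch)
    return ch + name[1:]


def mask_cert_no(cert_no, mode):
    """Partial: keep the leading 6 and trailing 4 characters (constructed
    choice for an 18-digit identity card number); full: replace all."""
    ch = PRESET_CHAR["cert_no"]
    if mode == "full" or len(cert_no) <= 10:
        return _fill(cert_no, ch)
    return cert_no[:6] + ch * (len(cert_no) - 10) + cert_no[-4:]


def mask_phone(phone, mode):
    """Partial: keep the leading 3 and trailing 4 digits of a mobile or
    landline number (constructed choice); full: replace all."""
    ch = PRESET_CHAR["phone"]
    if mode == "full" or len(phone) <= 7:
        return _fill(phone, ch)
    return phone[:3] + ch * (len(phone) - 7) + phone[-4:]


# Province and city end at the first '市' (assumption about address layout).
_PROVINCE_CITY = re.compile(r"^.*?市")


def mask_address(address, mode):
    """Partial: keep province and city, replace prefecture/county/street
    detail; full: replace the whole address. An address with no recognisable
    city is fully masked, the conservative choice (assumption)."""
    ch = PRESET_CHAR["address"]
    m = _PROVINCE_CITY.match(address)
    if mode == "full" or m is None:
        return _fill(address, ch)
    keep = m.group(0)
    return keep + _fill(address[len(keep):], ch)


MASKERS = {"name": mask_name, "cert_no": mask_cert_no,
           "phone": mask_phone, "address": mask_address}


def desensitize(rows, role):
    """Apply the target desensitization rules for `role` to each response row.
    An unknown role falls back to the most restrictive rule set (assumption)."""
    rules = DESENSITIZATION_RULES.get(role, DESENSITIZATION_RULES["analyst"])
    out = []
    for row in rows:
        masked = dict(row)
        for field, mode in rules:
            if masked.get(field) is not None:
                masked[field] = MASKERS[field](masked[field], mode)
        out.append(masked)
    return out


# Constructed response data returned by the database for a customer lookup.
SAMPLE_RESPONSE = [{
    "name": "张三",
    "cert_no": "440301199001011234",
    "phone": "13800138000",
    "address": "广东省深圳市南山区科技园路1号",
}]

if __name__ == "__main__":
    for role in ("customer_service", "analyst", "auditor"):
        print(role, desensitize(SAMPLE_RESPONSE, role)[0])
```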
In the database protection method provided in the above embodiment, when a database access request distributed by the network splitter is acquired, the request data corresponding to the request is acquired and it is determined whether the request data hits at least one sensitive operation identification rule in the sensitive operation identification rule base. If it does, the database access request is intercepted. If it does not, a target desensitization rule is obtained from a preset desensitization rule table according to the role information in the request data, the response data returned for the database access request is desensitized according to that rule, and the desensitized target response data is sent to the client for display. Dangerous database access requests are thus intercepted, and the response data is desensitized dynamically based on the role information of the accessing user, so that sensitive information is protected and the security of both the database and the sensitive information is greatly improved.
Referring to fig. 4, fig. 4 is a schematic block diagram of a database protection device according to an embodiment of the present application. The database protection device is applied to a database firewall, the database firewall is connected with a network splitter, and a sensitive operation identification rule base is configured in the database firewall.
As shown in fig. 4, the database protection device 200 includes an acquisition module 210, a rule hit module 220, an interception module 230, a rule determination module 240, a desensitization module 250, and a sending module 260, wherein:
the obtaining module 210 is configured to obtain a database access request distributed by a network splitter, and obtain request data corresponding to the database access request;
the rule hit module 220 is configured to determine whether the requested data hits at least one sensitive operation identification rule in the sensitive operation identification rule base;
the intercepting module 230 is configured to intercept the database access request if the request data hits at least one sensitive operation identification rule in the sensitive operation identification rule base;
the obtaining module 210 is further configured to obtain response data returned by the database based on the database access request if the request data does not hit any sensitive operation identification rule;
the rule determining module 240 is configured to determine a target desensitization rule from a preset desensitization rule table according to the role information in the request data;
the desensitization module 250 is configured to perform desensitization processing on the response data according to the target desensitization rule to obtain target response data;
the sending module 260 is configured to send the target response data to a client for display.
In an embodiment, as shown in fig. 5, the sensitive operation identification rule base includes any one of an SQL injection attack identification rule table, an XSS attack identification rule table, and a high-risk operation identification rule table, and the rule hit module 220 includes:
a first rule hit sub-module 221, configured to determine whether the requested data hits at least one SQL injection attack recognition rule in the SQL injection attack recognition rule table;
a second rule hit sub-module 222, configured to determine whether the requested data hits at least one XSS attack recognition rule in the XSS attack recognition rule table;
the third rule hit sub-module 223 is configured to determine whether the requested data hits at least one high-risk operation identification rule in the high-risk operation identification rule table.
In one embodiment, the first rule hit sub-module 221 is further configured to:
extracting a first SQL syntax element and a first SQL syntax field in the request data;
determining whether the first SQL syntax element and the first SQL syntax field hit at least one SQL injection attack recognition rule in the SQL injection attack recognition rule table;
the SQL injection attack identification rule is a regular expression generated based on SQL syntax elements and SQL syntax fields corresponding to the SQL injection attack.
In one embodiment, the second rule hit sub-module 222 is further configured to:
extracting a content character string in the request data;
determining whether content characters in the content character string hit at least one XSS attack identification rule in the XSS attack identification rule table;
the XSS attack identification rule is a regular expression generated based on one or more content characters corresponding to XSS attack.
In one embodiment, the third rule hit sub-module 223 is further configured to:
extracting a second SQL syntax element and a second SQL syntax field in the request data;
determining whether the second SQL syntax element and the second SQL syntax field hit a high-risk operation identification rule in the high-risk operation identification rule table;
the high-risk operation identification rule is a regular expression generated based on SQL syntax elements and SQL syntax fields corresponding to high-risk operations, and the high-risk operations comprise data batch deletion operations, data batch update operations and data batch export operations of the database.
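The three regular-expression rule tables and the syntax-element extraction described for sub-modules 221 to 223, as an added Python example that is not the patent's own code: the rule expressions, the token classes (IDENT, STR, NUM), the request fields and the sample requests are constructed illustrations.

```python
import re
from dataclasses import dataclass

# Added example, not the patent's own code. The three rule tables are
# constructed illustrations of the regular-expression rules the description
# names; a deployed rule base would be larger and maintained centrally.

SQL_KEYWORDS = {
    "select", "insert", "update", "delete", "drop", "truncate", "union", "all",
    "from", "where", "into", "outfile", "dumpfile", "set", "values", "or", "and",
}
OPERATORS = {"--", "/*", "*/", "<>", "!=", "<=", ">=", "=", "<", ">",
             ";", ",", "(", ")", "*"}

TOKEN_RE = re.compile(
    r"'(?:[^']|'')*'"                       # string literal ('' escapes a quote)
    r"|\d+(?:\.\d+)?"                        # numeric literal
    r"|[A-Za-z_][A-Za-z0-9_]*"               # keyword or identifier
    r"|--|/\*|\*/|<>|!=|<=|>=|[=<>;,()*]"    # operators and comment markers
)


def extract_sql(sql):
    """Split a statement into SQL syntax elements (keywords, operators) and SQL
    syntax fields (identifiers, literals). Returns (elements, fields, shape),
    where `shape` is the normalised token string the rules match against:
    keywords lower-cased, identifiers -> IDENT, strings -> STR, numbers -> NUM."""
    elements, fields, shape = [], [], []
    for tok in TOKEN_RE.findall(sql):
        low = tok.lower()
        if low in SQL_KEYWORDS or tok in OPERATORS:
            elements.append(low)
            shape.append(low)
        else:
            fields.append(tok)
            if tok.startswith("'"):
                shape.append("STR")
            elif tok[0].isdigit():
                shape.append("NUM")
            else:
                shape.append("IDENT")
    return elements, fields, " ".join(shape)


# SQL injection attack identification rule table (first rule hit sub-module 221).
SQL_INJECTION_RULES = [
    ("tautology", re.compile(r"\bor (STR|NUM) = \1\b")),        # OR 'a'='a'
    ("comment-truncation", re.compile(r"\b(where|and|or)\b.* (--|/\*)")),
    ("union-select", re.compile(r"\bunion (all )?select\b")),
    ("stacked-statement", re.compile(r"; (drop|delete|insert|update|truncate)\b")),
]

# XSS attack identification rule table (second rule hit sub-module 222); these
# run over the raw content characters of the request, not the SQL shape.
XSS_RULES = [
    ("script-tag", re.compile(r"<\s*script\b", re.IGNORECASE)),
    ("javascript-uri", re.compile(r"javascript\s*:", re.IGNORECASE)),
    ("event-handler", re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)),
]

# High-risk operation identification rule table (third rule hit sub-module 223):
# batch deletion, batch update and batch export, i.e. whole-table statements.
HIGH_RISK_RULES = [
    ("batch-delete", re.compile(r"^delete from IDENT(?!.* where )")),
    ("batch-update", re.compile(r"^update IDENT set(?!.* where )")),
    ("batch-export", re.compile(r"\binto (outfile|dumpfile)\b|^select \* from IDENT$")),
]


@dataclass
class Request:
    role: str          # role information carried in the request data
    sql: str           # SQL statement in the request data
    content: str = ""  # free-text content string in the request data (XSS input)


def check_request(req):
    """Return every (rule table, rule name) the request data hits; an empty
    list means no sensitive operation identification rule was hit."""
    _, _, shape = extract_sql(req.sql)
    hits = [("sql_injection", n) for n, r in SQL_INJECTION_RULES if r.search(shape)]
    hits += [("xss", n) for n, r in XSS_RULES if r.search(req.content)]
    hits += [("high_risk", n) for n, r in HIGH_RISK_RULES if r.search(shape)]
    return hits


def should_intercept(req):
    """The firewall intercepts the database access request on any hit."""
    return bool(check_request(req))


if __name__ == "__main__":
    samples = [  # constructed request data
        Request("customer_service", "SELECT name FROM customers WHERE id = 42"),
        Request("customer_service",
                "SELECT name FROM customers WHERE name = '' OR '1'='1' --"),
        Request("analyst", "DELETE FROM customers"),
        Request("analyst", "SELECT name FROM customers WHERE id = 7",
                "<script>alert(1)</script>"),
    ]
    for s in samples:
        print("intercept" if should_intercept(s) else "pass", check_request(s), s.sql)
```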
In one embodiment, the desensitization module 250 is further configured to:
determining target sensitive information to be desensitized in the response data according to the target desensitization rule;
and replacing part of characters or all characters in the target sensitive information with preset characters.
In one embodiment, the desensitization module 250 is further configured to:
and replacing part of characters or all characters in the target sensitive information with preset characters corresponding to the target desensitization rule.
It should be noted that, as will be clear to those skilled in the art, for convenience and brevity of description, the specific working processes of the apparatus and each module and unit described above may refer to the corresponding processes in the foregoing database protection method embodiment, and are not described herein again.
The apparatus provided by the above embodiments may be implemented in the form of a computer program that can be run on a database firewall as shown in fig. 6.
Please refer to fig. 6, which is a schematic block diagram of a database firewall according to an embodiment of the present application. The client is connected with the network splitter, the network splitter is connected with the database firewall, the database firewall is connected with the database, and the database firewall is further connected with the rule management server.
As shown in fig. 6, the database firewall includes a processor, a memory, and a network interface connected by a system bus, wherein the memory may include a storage medium and an internal memory.
The storage medium may store an operating system and a computer program. The computer program includes program instructions that, when executed, cause a processor to perform any one of the database protection methods.
The processor is used for providing calculation and control capability and supporting the operation of the whole database firewall.
The internal memory provides an environment for the execution of the computer program stored on the storage medium, which, when executed by the processor, causes the processor to perform any of the database protection methods.
The network interface is used for network communication, such as sending assigned tasks and the like. Those skilled in the art will appreciate that the architecture shown in fig. 6 is a block diagram of only a portion of the architecture associated with the subject application and does not constitute a limitation on the database firewall to which the subject application applies, and that a particular database firewall may include more or fewer components than shown, or some components may be combined, or have a different arrangement of components.
It should be understood that the processor may be a Central Processing Unit (CPU) or another general-purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, etc. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
In an embodiment, the processor is configured to run a computer program stored in the memory to implement the following steps:
acquiring a database access request distributed by the network splitter, and acquiring request data corresponding to the database access request;
determining whether the request data hits at least one sensitive operation identification rule in the sensitive operation identification rule base;
if the request data hits at least one sensitive operation identification rule in the sensitive operation identification rule base, intercepting the database access request;
if the request data does not hit the sensitive operation identification rule, response data returned by the database based on the database access request is obtained;
determining a target desensitization rule from a preset desensitization rule table according to role information in the request data;
desensitizing the response data according to the target desensitization rule to obtain target response data, and sending the target response data to a client for display.
In an embodiment, the sensitive operation identification rule base includes any one of an SQL injection attack identification rule table, an XSS attack identification rule table, and a high-risk operation identification rule table, and the processor, when implementing the determining whether the request data hits at least one sensitive operation identification rule in the sensitive operation identification rule base, is configured to implement:
determining whether the request data hits at least one SQL injection attack recognition rule in the SQL injection attack recognition rule table;
and/or
Determining whether the request data hits at least one XSS attack identification rule in the XSS attack identification rule table;
and/or
And determining whether the request data hits at least one high-risk operation identification rule in the high-risk operation identification rule table.
In one embodiment, the processor, in performing determining whether the request data hits at least one SQL injection attack recognition rule in the SQL injection attack recognition rule table, is configured to perform:
extracting a first SQL syntax element and a first SQL syntax field in the request data;
determining whether the first SQL syntax element and the first SQL syntax field hit at least one SQL injection attack recognition rule in the SQL injection attack recognition rule table;
the SQL injection attack identification rule is a regular expression generated based on SQL syntax elements and SQL syntax fields corresponding to the SQL injection attack.
In one embodiment, the processor, in implementing determining whether the requested data hits at least one XSS attack recognition rule in the XSS attack recognition rule table, is configured to implement:
extracting a content character string in the request data;
determining whether content characters in the content character string hit at least one XSS attack identification rule in the XSS attack identification rule table;
the XSS attack identification rule is a regular expression generated based on one or more content characters corresponding to XSS attack.
In an embodiment, the processor, in implementing determining whether the requested data hits at least one high-risk operation identification rule in the high-risk operation identification rule table, is configured to implement:
extracting a second SQL syntax element and a second SQL syntax field in the request data;
determining whether the second SQL syntax element and the second SQL syntax field hit a high-risk operation identification rule in the high-risk operation identification rule table;
the high-risk operation identification rule is a regular expression generated based on SQL syntax elements and SQL syntax fields corresponding to high-risk operations, and the high-risk operations comprise data batch deletion operations, data batch update operations and data batch export operations of the database.
In one embodiment, the processor, when performing desensitization processing on the response data according to the target desensitization rule, is configured to perform:
determining target sensitive information to be desensitized in the response data according to the target desensitization rule;
and replacing part of characters or all characters in the target sensitive information with preset characters.
In one embodiment, the processor, when implementing replacement of a part of characters or all characters in the target sensitive information by preset characters, is configured to implement:
and replacing part of characters or all characters in the target sensitive information with preset characters corresponding to the target desensitization rule.
It should be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working process of the database firewall described above may refer to the corresponding process in the foregoing database protection method embodiment, and is not described herein again.
From the above description of the embodiments, it is clear to those skilled in the art that the present application can be implemented by software plus necessary general hardware platform. Based on such understanding, the technical solutions of the present application may be embodied in the form of a software product, which may be stored in a storage medium, such as a ROM/RAM, a magnetic disk, an optical disk, etc., and includes instructions for enabling a database firewall (which may be a personal computer, a server, or a network device, etc.) to execute the method according to the embodiments or some parts of the embodiments of the present application.
Embodiments of the present application further provide a computer-readable storage medium on which a computer program is stored, the computer program including program instructions; for the method implemented when the program instructions are executed, reference may be made to the embodiments of the database protection method in the present application.
The computer readable storage medium may be volatile or nonvolatile. The computer readable storage medium may be an internal storage unit of the database firewall described in the foregoing embodiment, for example, a hard disk or a memory of the database firewall. The computer readable storage medium may also be an external storage device of the database firewall, such as a plug-in hard disk provided on the database firewall, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card), and the like.
Further, the computer-readable storage medium may mainly include a program storage area and a data storage area, wherein the program storage area may store an operating system, an application program required for at least one function, and the like; the data storage area may store data created according to the use of the blockchain node, and the like.
The blockchain referred to in this application is a novel application mode of computer technologies such as distributed data storage, peer-to-peer transmission, consensus mechanisms and encryption algorithms. A blockchain, which is essentially a decentralized database, is a series of data blocks linked by cryptographic methods, each data block containing the information of a batch of network transactions, used to verify the validity (anti-counterfeiting) of the information and to generate the next block. The blockchain may include a blockchain underlying platform, a platform product service layer, an application service layer, and the like.
It is to be understood that the terminology used in the description of the present application herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in the specification of the present application and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
It should also be understood that the term "and/or" as used in this specification and the appended claims refers to and includes any and all possible combinations of one or more of the associated listed items. It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or system that comprises the element.
The above-mentioned serial numbers of the embodiments of the present application are merely for description and do not represent the merits of the embodiments. While the invention has been described with reference to specific embodiments, the scope of the invention is not limited thereto, and those skilled in the art can easily conceive various equivalent modifications or substitutions within the technical scope of the invention. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (10)

1. A database protection method is applied to a database firewall, the database firewall is connected with a network splitter, a sensitive operation identification rule base is configured in the database firewall, and the method comprises the following steps:
acquiring a database access request distributed by the network splitter, and acquiring request data corresponding to the database access request;
determining whether the request data hits at least one sensitive operation identification rule in the sensitive operation identification rule base;
if the request data hits at least one sensitive operation identification rule in the sensitive operation identification rule base, intercepting the database access request;
if the request data does not hit the sensitive operation identification rule, response data returned by the database based on the database access request is obtained;
determining a target desensitization rule from a preset desensitization rule table according to role information in the request data;
desensitizing the response data according to the target desensitization rule to obtain target response data, and sending the target response data to a client for display.
2. The database protection method according to claim 1, wherein the sensitive operation identification rule base includes any one of an SQL injection attack identification rule table, an XSS attack identification rule table, and a high-risk operation identification rule table, and the determining whether the request data hits at least one sensitive operation identification rule in the sensitive operation identification rule base includes:
determining whether the request data hits at least one SQL injection attack recognition rule in the SQL injection attack recognition rule table;
and/or
Determining whether the request data hits at least one XSS attack identification rule in the XSS attack identification rule table;
and/or
And determining whether the request data hits at least one high-risk operation identification rule in the high-risk operation identification rule table.
3. The database protection method according to claim 2, wherein said determining whether the requested data hits at least one SQL injection attack recognition rule in the SQL injection attack recognition rule table comprises:
extracting a first SQL syntax element and a first SQL syntax field in the request data;
determining whether the first SQL syntax element and the first SQL syntax field hit at least one SQL injection attack recognition rule in the SQL injection attack recognition rule table;
the SQL injection attack identification rule is a regular expression generated based on SQL syntax elements and SQL syntax fields corresponding to the SQL injection attack.
4. The database protection method according to claim 2, wherein the determining whether the requested data hits at least one XSS attack recognition rule in the XSS attack recognition rule table comprises:
extracting a content character string in the request data;
determining whether content characters in the content character string hit at least one XSS attack identification rule in the XSS attack identification rule table;
the XSS attack identification rule is a regular expression generated based on one or more content characters corresponding to XSS attack.
5. The database protection method according to claim 2, wherein the determining whether the requested data hits at least one high-risk operation identification rule in the high-risk operation identification rule table comprises:
extracting a second SQL syntax element and a second SQL syntax field in the request data;
determining whether the second SQL syntax element and the second SQL syntax field hit a high-risk operation identification rule in the high-risk operation identification rule table;
the high-risk operation identification rule is a regular expression generated based on SQL syntax elements and SQL syntax fields corresponding to high-risk operations, and the high-risk operations comprise data batch deletion operations, data batch update operations and data batch export operations of the database.
6. The database protection method according to any one of claims 1 to 5, wherein the desensitization processing of the response data according to the target desensitization rule includes:
determining target sensitive information to be desensitized in the response data according to the target desensitization rule;
and replacing part of characters or all characters in the target sensitive information with preset characters.
7. The database protection method according to claim 6, wherein the replacing of some or all characters in the target sensitive information with preset characters comprises:
and replacing part of characters or all characters in the target sensitive information with preset characters corresponding to the target desensitization rule.
8. A database protection device, characterized in that it is applied to a database firewall, the database firewall is connected with a network splitter, a sensitive operation identification rule base is configured in the database firewall, and the database protection device comprises:
an acquisition module, configured to acquire a database access request distributed by the network splitter and to acquire request data corresponding to the database access request;
a rule hit module for determining whether the request data hits at least one sensitive operation identification rule in the sensitive operation identification rule base;
the intercepting module is used for intercepting the database access request if the request data hits at least one sensitive operation identification rule in the sensitive operation identification rule base;
the obtaining module is further configured to obtain response data returned by the database based on the database access request if the request data misses the sensitive operation identification rule;
the rule determining module is used for determining a target desensitization rule from a preset desensitization rule table according to the role information in the request data;
the desensitization module is used for desensitizing the response data according to the target desensitization rule to obtain target response data;
and a sending module, configured to send the target response data to a client for display.
9. A database firewall, characterized in that it comprises a processor, a memory, and a computer program stored on said memory and executable by said processor, wherein said computer program, when executed by said processor, implements the steps of the database protection method according to any one of claims 1 to 7.
10. A computer-readable storage medium, having a computer program stored thereon, wherein the computer program, when executed by a processor, performs the steps of the database protection method according to any one of claims 1 to 7.
CN202011315140.XA 2020-11-20 2020-11-20 Database protection method and device, firewall and computer readable storage medium Pending CN112417443A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011315140.XA CN112417443A (en) 2020-11-20 2020-11-20 Database protection method and device, firewall and computer readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011315140.XA CN112417443A (en) 2020-11-20 2020-11-20 Database protection method and device, firewall and computer readable storage medium

Publications (1)

Publication Number Publication Date
CN112417443A true CN112417443A (en) 2021-02-26

Family

ID=74778697

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011315140.XA Pending CN112417443A (en) 2020-11-20 2020-11-20 Database protection method and device, firewall and computer readable storage medium

Country Status (1)

Country Link
CN (1) CN112417443A (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112948877A (en) * 2021-03-03 2021-06-11 北京中安星云软件技术有限公司 Dynamic database desensitization method and system based on TCP (Transmission control protocol) proxy
CN113010904A (en) * 2021-03-17 2021-06-22 腾讯科技(深圳)有限公司 Data processing method and device and electronic equipment
CN113127915A (en) * 2021-05-12 2021-07-16 平安信托有限责任公司 Data encryption desensitization method and device, electronic equipment and storage medium
CN114398653A (en) * 2022-01-13 2022-04-26 百度在线网络技术(北京)有限公司 Data processing method, device, electronic equipment and medium
CN114866355A (en) * 2022-07-06 2022-08-05 浙江国利网安科技有限公司 Message flow forwarding method and device, and computer equipment
CN117235781A (en) * 2023-08-21 2023-12-15 广州市玄武无线科技股份有限公司 Data desensitization method, system, device and storage medium

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112948877A (en) * 2021-03-03 2021-06-11 北京中安星云软件技术有限公司 Dynamic database desensitization method and system based on TCP (Transmission control protocol) proxy
CN113010904A (en) * 2021-03-17 2021-06-22 腾讯科技(深圳)有限公司 Data processing method and device and electronic equipment
CN113127915A (en) * 2021-05-12 2021-07-16 平安信托有限责任公司 Data encryption desensitization method and device, electronic equipment and storage medium
CN114398653A (en) * 2022-01-13 2022-04-26 百度在线网络技术(北京)有限公司 Data processing method, device, electronic equipment and medium
CN114398653B (en) * 2022-01-13 2022-11-08 百度在线网络技术(北京)有限公司 Data processing method, device, electronic equipment and medium
CN114866355A (en) * 2022-07-06 2022-08-05 浙江国利网安科技有限公司 Message flow forwarding method and device, and computer equipment
CN117235781A (en) * 2023-08-21 2023-12-15 广州市玄武无线科技股份有限公司 Data desensitization method, system, device and storage medium

Similar Documents

Publication Publication Date Title
CN112417443A (en) Database protection method and device, firewall and computer readable storage medium
US9152808B1 (en) Adapting decoy data present in a network
EP3378007A1 (en) Systems and methods for anonymizing log entries
EP2939173B1 (en) Real-time representation of security-relevant system state
US11436358B2 (en) Data based web application firewall
CA2868741A1 (en) Method and system for detecting unauthorized access to and use of network resources with targeted analytics
CN111651784A (en) Log desensitization method, device, equipment and computer readable storage medium
CN106228084A (en) Data guard method that the sensitive field of based role dynamically adjusts and system
US9591030B1 (en) Lock-free updates to a domain name blacklist
CN113498589B (en) Managed secret management transmission system and method
CN110662184A (en) Information pushing method and device, computer equipment and storage medium
CN113378193A (en) Privacy information access control method and device based on ontology reasoning
US20160301693A1 (en) System and method for identifying and protecting sensitive data using client file digital fingerprint
CN113127915A (en) Data encryption desensitization method and device, electronic equipment and storage medium
WO2020098085A1 (en) Block chain-based business information sharing method, electronic device and readable storage medium
CN114422197A (en) Permission access control method and system based on policy management
Kim et al. A system for detection of abnormal behavior in BYOD based on web usage patterns
CN115879156A (en) Dynamic desensitization method, device, electronic equipment and storage medium
CN110719263B (en) Multi-tenant DNS security management method, device and storage medium
CN113468217A (en) Data query management method and device, computer equipment and readable storage medium
EP3861473A1 (en) System, method and architecture for secure sharing of customer intelligence
CN112667730B (en) External data verification method, system, equipment and storage medium
US20210374267A1 (en) Information processing device, information processing method, and recording medium
CN113906405A (en) Modifying data items
CN117459327B (en) Cloud data transparent encryption protection method, system and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination