CN112506954A - Database auditing method and device - Google Patents


Info

Publication number
CN112506954A
Authority
CN
China
Prior art keywords
database
detection rule
log
matching
detection
Legal status
Pending
Application number
CN202011564722.1A
Other languages
Chinese (zh)
Inventor
盛洋
Current Assignee
Sina Technology China Co Ltd
Original Assignee
Sina Technology China Co Ltd

Classifications

    • All five classifications share the path G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F16/00 Information retrieval; Database structures therefor; File system structures therefor; the subgroup paths below it are:
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data > G06F16/24 Querying > G06F16/242 Query formulation > G06F16/2433 Query languages
    • G06F16/10 File systems; File servers > G06F16/17 Details of further file system functions > G06F16/1734 Details of monitoring file system events, e.g. by the use of hooks, filter drivers, logs
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data > G06F16/23 Updating
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data > G06F16/25 Integrating or interfacing systems involving database management systems
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data > G06F16/27 Replication, distribution or synchronisation of data between databases or within a distributed database system; Distributed database system architectures therefor

Abstract

The application discloses a database auditing method and device, relates to the field of the internet, and aims to solve the technical problem in the related art that tracking a threat event only after it has occurred causes a lagging response. The method comprises: acquiring a database log of a database to be audited; acquiring a database detection rule; matching the database log with the database detection rule; and outputting an audit result based on the matching result. The method and the device are used for database security audit analysis.

Description

Database auditing method and device
Technical Field
The application relates to the field of internet, in particular to a database auditing method and device.
Background
In an age of rapid development of information, the internet has become closely tied to people's daily lives, and while users go online, the information security problems that exist on the internet cannot be ignored.
In dealing with information security problems, the related art usually tracks a threat event only after the threat event has occurred, which causes a lagging response and cannot solve the threat problem well.
Disclosure of Invention
The embodiment of the application provides a database auditing method, which aims to solve the problem in the related art that the response lags because a threat event is tracked only after it has occurred.
In order to solve the technical problem, the present application is implemented as follows:
in a first aspect, an embodiment of the present application provides a database auditing method, where the database auditing method includes:
acquiring a database log of a database to be audited;
acquiring a database detection rule;
matching the database log with the database detection rule;
and outputting an audit result based on the matching result.
Optionally, in an embodiment, the obtaining a database log of a database to be audited includes: receiving database logs of the database to be audited sent by each distributed log data acquisition agent; putting the received database logs into a designated queue; and acquiring the database log from the designated queue.
Optionally, in an embodiment, the obtaining the database detection rule includes: receiving a database detection rule configured by a user; storing the database detection rule configured by the user into a specified database; and acquiring the database detection rule from the specified database.
Optionally, in an embodiment, the matching the database log with the database detection rule includes: matching elements in the database log with the database detection rule every unit period; the elements of the database log at least comprise SQL statements and at least one of a host IP, a host port, an access IP, a user name and a timestamp; the format of the database detection rule at least comprises the detection rule, and at least one of the identification of the detection rule, the activation state of the detection rule and the creation time of the detection rule.
Optionally, in an embodiment, the format of the database detection rule includes a detection rule and an activation state of the detection rule, and the matching, every unit period, of the elements in the database log with the database detection rule includes: determining a designated detection rule among the database detection rules, wherein the designated detection rule is a detection rule whose activation state indicates "activated"; and matching the SQL statements in the database log with the designated detection rule. The outputting the audit result based on the matching result comprises: in the case that an SQL statement matching the designated detection rule exists in the database log, outputting an audit result indicating that a threat exists.
Optionally, in one embodiment, the elements of the database log include an SQL statement and a target element associated with an element in the configuration management library, and, in the case that an SQL statement matching the designated detection rule exists in the database log, outputting an audit result indicating that a threat exists comprises: in the case that an SQL statement matching the designated detection rule exists in the database log, acquiring the target element of the database log; matching the target element with an element in the configuration management library; in the case that the target element is successfully matched with the element in the configuration management library, acquiring at least one other element in the configuration management library related to the element matched with the target element; and outputting an audit result indicating that there is a threat, the audit result including the SQL statement, the detection rule, and the at least one other element in the configuration management library that is related to the element matching the target element.
Optionally, in one embodiment, the elements of the database log include: host IP, host port, access IP, SQL statement, user name and timestamp; the target element is the host IP or the access IP; the element in the configuration management library matched with the target element is a management IP; and the other elements in the configuration management library related to the element matched with the target element include a department and an administrator. The output audit result indicating the presence of a threat includes: host IP, host port, access IP, SQL statement, user name, timestamp, detection rule, administrator and department.
Optionally, in one embodiment, after outputting an audit result indicating that a threat exists, the method further comprises: creating a security threat detection tracking record; the security threat detection tracking record includes: recording identification, owner, recording state, recording result, title, creation time, updating time and remark; wherein the remarks comprise audit results.
In a second aspect, an embodiment of the present application provides a database auditing apparatus, where the database auditing apparatus includes:
the first acquisition module is used for acquiring a database log of a database to be audited;
the second acquisition module is used for acquiring the detection rule of the database;
the matching module is used for matching the database log with the database detection rule;
and the output module is used for outputting the audit result based on the matching result.
In a third aspect, an embodiment of the present application provides a server, which includes a memory, where program instructions are stored, and when the program instructions are executed, the method of any one of the above first aspects is implemented.
The embodiment of the application adopts at least one technical scheme which can achieve the following beneficial effects:
in the embodiment of the application, a database log of a database to be audited is obtained; acquiring a database detection rule; matching the database log with the database detection rule; and outputting an audit result based on the matching result. Therefore, before a threat event occurs, the database can be audited by utilizing the database log and the database detection rule, a possible potential threat event can be found before the threat event occurs, the response time is greatly advanced, and the threat problem can be well solved to a certain extent.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
FIG. 1 is a flow chart of a database auditing method provided by an embodiment of the present application;
FIG. 2 is a flow chart of a database auditing method provided by an embodiment of the present application;
FIG. 3 is a flow chart of a database auditing method provided by an embodiment of the present application;
FIG. 4 is a flow chart of a database auditing method provided by an embodiment of the present application;
FIG. 5 is a flow chart of a database auditing method provided by an embodiment of the present application;
FIG. 6 is a flow chart of a database auditing method provided by an embodiment of the present application;
fig. 7 is a block diagram of a structure of a database auditing apparatus according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the technical solutions of the present application will be described in detail and completely with reference to the following specific embodiments of the present application and the accompanying drawings. It should be apparent that the described embodiments are only some of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The features of the terms first and second in the description and in the claims of the present application may explicitly or implicitly include one or more of such features. In the description of the present application, "a plurality" means two or more unless otherwise specified. In addition, "and/or" in the specification and claims means at least one of connected objects, a character "/" generally means that a preceding and succeeding related objects are in an "or" relationship.
The database auditing method provided by the embodiment of the application can be applied to network equipment such as a server and the like.
The technical solutions provided by the embodiments of the present application are described in detail below with reference to the accompanying drawings.
Fig. 1 is a flowchart of a database auditing method according to an embodiment of the present application. Referring to fig. 1, a database auditing method provided in an embodiment of the present application may include:
step 110, obtaining a database log of a database to be audited;
the database logs can be obtained by gathering database log information on database cluster nodes through a distributed log data acquisition agent, gathering the database logs to a log message queue cluster, consuming data on a message queue by a data center service program, storing the data in a database, and finally actively obtaining the database log information of the database to be audited from the database, so that the database log information can be used for subsequent security audit correlation analysis of the database. Therefore, by adopting a distributed efficient log acquisition and processing system, a mass data storage and query system and an efficient data cache queue mechanism, the efficiency of data storage and query and the speed of data processing can be improved.
The database nodes can be servers provided with database software, a plurality of database nodes form a server cluster, and each server provided with the database software is a node; a database cluster may utilize at least two or more database servers to form a virtual single database logical image, such as a single database system, to provide transparent data services to clients.
In the embodiment of the present application, referring to fig. 2, step 110 may include steps 210, 220, and 230, which are explained below.
Step 210, receiving database logs of the database to be audited, which are sent by each distributed log data acquisition agent;
The distributed log data collection agents may be, for example, Flume distributed data collection agents, through which the log information on the database cluster nodes is obtained. Flume is a highly available, highly reliable, distributed system for collecting, aggregating and transmitting mass logs; it supports a variety of data senders customized in the log system for collecting data, and provides the capability of simply processing the data and writing it to various (customizable) data receivers. Therefore, through the distributed log data acquisition agent service, the system architecture of the existing system is not changed, no additional hardware system is added, the stability of the data service is improved, and the maintenance cost of hardware is reduced.
Step 220, putting the received database logs into a designated queue;
The specified queue may be a Kafka queue. Kafka is a high-throughput distributed publish-subscribe messaging system that can process all the action stream data of consumers in a website. The logs on the database cluster nodes are obtained through each distributed data acquisition agent, sent to the Kafka queue and cached there. Kafkacat is a debugging tool for Kafka with which relevant information on Kafka, such as messages, can be inspected.
It is understood that after the database log is placed in the designated queue, the format of the database log may be: [ host IP ] [ host port ] [ access IP ] [ SQL ] [ user name ] [ timestamp ]. Here IP (Internet Protocol) is a protocol designed for communication between interconnected computer networks, and SQL (Structured Query Language) is a special-purpose programming language, a database query and programming language, used to access data and to query, update and manage relational database systems.
Step 230, obtain database logs from the designated queue.
The cache data on the Kafka queue can be consumed and read by a data aggregation and collection service (Graylog (log monitoring system)), the message data of the queue is read and then written into an Elastic Search (ES) database index table for storage, and the log format can be formed as follows: [ index name ] [ host IP ] [ host port ] [ access IP ] [ SQL ] [ user name ] [ timestamp ]. Wherein, Graylog is an open-source log aggregation, analysis, audit, presentation and early warning tool; elastic Search is a distributed extensible real-time Search and analysis engine, which provides a distributed multi-user capability full-text Search engine; [ index name ] may refer to the table index name of the Elastic Search.
Therefore, abundant data query forms are provided through the database log collection management system, data query requirements of various systems can be met, various different languages and tool link systems are organically associated through the system, and association matching and tracing of database security audit are achieved.
It should be appreciated that steps 220 and 230 are optional steps. In the embodiment of the present application, the database log may also be read in other manners, for example, the database log is stored in a designated storage location of the server, and the database log is read from the designated storage location.
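As an added example (not code from the patent or from its applicant), the following Python parser reads the bracketed log format described in steps 220 and 230, with and without the leading [ index name ] field, and validates the IP and port fields before a record is handed to the matching stage. The sample lines, the field names and the `DbLogEntry` class are constructed for illustration; the one design point worth noticing is that only the SQL field may contain spaces or square brackets, so the fixed fields are peeled off by count from both ends rather than splitting on "] [".

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Field layout from the patent: [host IP] [host port] [access IP] [SQL] [user name] [timestamp]
# once the log is in the queue, with a leading [index name] after it is written to the ES index.
LEFT_FIELDS = ("host_ip", "host_port", "access_ip")
RIGHT_FIELDS = ("user_name", "timestamp")

# Constructed sample lines (not taken from any real system).
SAMPLE_QUEUE_LINE = (
    "[10.0.0.5] [3306] [192.168.1.20] "
    "[SELECT name FROM users WHERE id = 7] [app_user] [2020-12-25T10:15:30Z]"
)
SAMPLE_ES_LINE = (
    "[db-audit-2020.12] [10.0.0.5] [3306] [192.168.1.20] "
    "[SELECT data->'$[0]' FROM docs WHERE tags = '[a]'] [app_user] [2020-12-25T10:15:31Z]"
)


@dataclass
class DbLogEntry:
    host_ip: str
    host_port: int
    access_ip: str
    sql: str
    user_name: str
    timestamp: str
    index_name: Optional[str] = None


_LEFT = re.compile(r"^\s*\[([^\]]*)\]\s*")       # one bracketed field at the start
_RIGHT = re.compile(r"\s*\[([^\[\]]*)\]\s*$")    # one bracketed field at the end


def parse_db_log(line: str, with_index: bool = False) -> DbLogEntry:
    """Parse one bracketed database log line into its elements.

    The fixed fields are peeled off from both ends by count; whatever remains in
    the middle (minus its outer brackets) is taken verbatim as the SQL text, so
    SQL containing ']' (e.g. the JSON path '$[0]') is handled correctly.
    """
    rest = line
    left: List[str] = []
    for _ in range(len(LEFT_FIELDS) + (1 if with_index else 0)):
        m = _LEFT.match(rest)
        if not m:
            raise ValueError(f"malformed log line (left fields): {line!r}")
        left.append(m.group(1))
        rest = rest[m.end():]

    right: List[str] = []
    for _ in range(len(RIGHT_FIELDS)):
        m = _RIGHT.search(rest)
        if not m:
            raise ValueError(f"malformed log line (right fields): {line!r}")
        right.insert(0, m.group(1))
        rest = rest[:m.start()]

    rest = rest.strip()
    if not (rest.startswith("[") and rest.endswith("]")):
        raise ValueError(f"malformed log line (SQL field): {line!r}")
    sql = rest[1:-1]

    index_name = None
    if with_index:
        index_name, left = left[0], left[1:]
    host_ip, host_port, access_ip = left
    user_name, timestamp = right

    # Validate the network fields before the record reaches rule matching / CMDB lookup.
    ipaddress.ip_address(host_ip)
    ipaddress.ip_address(access_ip)
    port = int(host_port)
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {host_port}")

    return DbLogEntry(host_ip, port, access_ip, sql, user_name, timestamp, index_name)


def is_valid_db_log(line: str, with_index: bool = False) -> bool:
    """True if the line parses cleanly; lets a consumer drop malformed queue messages early."""
    try:
        parse_db_log(line, with_index)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(parse_db_log(SAMPLE_QUEUE_LINE))
    print(parse_db_log(SAMPLE_ES_LINE, with_index=True))
```

A malformed or truncated message is rejected with `ValueError` rather than silently producing a record with shifted fields, which matters because the host IP and access IP parsed here are later used as the key into the configuration management library.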
Step 120, obtaining a database detection rule;
in the embodiment of the present application, referring to fig. 3, step 120 may include steps 310, 320, and 330, which are explained below.
Step 310, receiving a database detection rule configured by a user;
It can be understood that the database security detection rule management system provides a visualization platform for creating security detection rules; a user can create detection rules online and issue them, at which point the server receives the database detection rules configured by the user. The format of the detection rule information may be: [ ID ] [ detection rule ] [ activation state ] [ creation time ], where [ ID ] may be the identification of the detection rule, [ activation state ] may be the activation state of the detection rule, and [ creation time ] may be the time at which the detection rule was created. Therefore, detection rules can be created by the user in a self-defined manner, so that the database audit rules are flexible to customize and convenient to adjust, the audit strategy can be adjusted and changed in time, and the aims of quick execution and quick response in security audit processing are achieved.
Step 320, storing the database detection rule configured by the user into a specified database;
The specified database may be a MySQL database. MySQL is a relational database management system; a relational database stores data in different tables instead of putting all data in one large warehouse, which increases speed and improves flexibility, and the SQL language used by MySQL is the most common standardized language for accessing databases. After a user publishes a new rule on the security detection rule management system, the new rule data can be stored in a MySQL database table, and the format of the detection rule at this time may be: [ table name ] [ ID ] [ detection rule ] [ activation state ] [ creation time ], where [ table name ] may refer to a database table in MySQL.
Step 330, obtaining the database detection rule from the specified database.
The database detection rule is obtained and can be used for subsequent database security audit association analysis.
It should be understood that step 110 and step 120 are not logically sequential. In the embodiment of the present application, step 110 may be performed before step 120, step 110 may be performed after step 120, or step 110 and step 120 may be performed concurrently.
Step 130, matching the database log with the database detection rule;
optionally, in an embodiment of the present application, the matching the database log with the database detection rule in step 130 may include: matching elements in the database log with the database detection rule every unit period; wherein, the elements of the database log at least comprise SQL statements and at least one of host IP, host port, access IP, user name and time stamp; the format of the database detection rule may include at least the detection rule, and may further include at least one of an identification of the detection rule, an activation status of the detection rule, and a creation time of the detection rule.
In an alternative embodiment of the present application, referring to fig. 4, step 130 may include step 410 and step 420, which are explained below.
Step 410, determining a designated detection rule in the database detection rules, wherein the designated detection rule is a detection rule of which the activation state indicates "activation" in the database detection rules;
the database detection rule may include a detection rule whose activation state is "activated" or a detection rule whose activation state is "inactivated".
Step 420, matching the SQL statement in the database log with the specified detection rule;
the content of the SQL statement may be an SQL text string, and the content of the detection rule may be a string regular expression. Wherein, the regular expression is a logic formula operating on the character string.
It is understood that the above steps 410-420 are only an exemplary way to match the database log with the database detection rules. The manner of matching the database log with the database detection rule in the embodiment of the present application is not limited to the above example.
It is to be appreciated that in another embodiment, for example, referring to fig. 5, after step 420 is executed, in the case that there is an SQL statement matching the specified detection rule in the database log, step 510, step 520, step 530 may also be executed, and then step 140 is executed.
The steps 510, 520, 530 are explained below.
Step 510, acquiring a target element of the database log under the condition that the SQL statement matched with the specified detection rule exists in the database log;
the target element may be a host IP or an access IP.
Step 520, matching the target element with the elements in the configuration management library;
The elements in the configuration management library may include: management IP, department and administrator. The management IP may be an IP used by a machine capable of performing a management function.
Step 530, in case that the target element is successfully matched with the element in the configuration management library, acquiring at least one other element related to the element matched with the target element in the configuration management library;
wherein, the successful matching condition in this step can be that the host IP of the target element of the database log is successfully matched with the management IP of the configuration management library, or that the access IP of the target element of the database log is successfully matched with the management IP of the configuration management library; the elements in the configuration management library that match the target element may include: managing IP, and other elements related to the element matching the target element in the configuration management library may include: departments and administrators; the at least one other element in the configuration management repository that is related to the element that matches the target element may be a department and/or an administrator.
And step 140, outputting an auditing result based on the matching result.
The matching result may be matching success and matching failure. Accordingly, in the case that the matching result is a successful matching, the audit result may be an audit result indicating that there is a threat; in the event that the match result is a match failure, the audit result may be an audit result indicating that there is no threat.
In the case that the matching result of matching the database log with the database detection rule in step 130 is that the matching is successful, step 140 may specifically be: and outputting an audit result indicating that the threat exists under the condition that the matching result of the database log and the database detection rule is successful. Of course, in the case that the matching result of matching the database log with the database detection rule in step 130 is a matching failure, step 140 may specifically be: and under the condition that the matching result of the database log and the database detection rule is matching failure, outputting an audit result indicating that no threat exists.
In the case that step 130 includes step 410 and step 420, step 140 may specifically be: and under the condition that the SQL sentences matched with the specified detection rules exist in the database logs and the target elements of the database logs are successfully matched with the elements in the configuration management library, outputting an audit result indicating that the threat exists, wherein the audit result comprises the SQL sentences, the detection rules and the at least one other element related to the elements matched with the target elements in the configuration management library.
Optionally, in an embodiment of the present application, the output audit result indicating that there is a threat may include a host IP, a host port, an access IP, an SQL statement, a user name, a timestamp, a detection rule, an administrator, and a department.
Correspondingly, in this case, the database auditing method provided by the embodiment of the present application may further include: creating a security threat detection tracking record; the security threat detection trace record may include: recording identification, owner, recording state, recording result, title, creation time, updating time and remark; wherein the remarks may include audit results. Therefore, by creating the security threat detection tracking record, the relevant information of the database threatened can be recorded in time, and the subsequent processing of the security threat of the database is facilitated.
For better understanding, the above process of matching the database log with the database detection rule and outputting an audit result based on the matching result is exemplified as follows:
For example, the database security audit correlation analysis program may cyclically read the database logs in the ES database at intervals of N minutes, obtain the [ SQL ] log element field from each of the multiple "database log" query results, and perform many-to-many matching detection against the [ detection rule ] field of every "detection rule information" record whose [ activation state ] flag is "activated", one rule at a time. When an SQL string matches the regular expression of a detection rule (that is, the character strings match), the SQL is related to a threat attack behaviour and the executed SQL carries a potential security hazard. When a rule detects a threat, the "host IP" in the "database log" may be associated with an administrator [ IP ] in the CMDB (Configuration Management Data Base), and the [ administrator ] and [ department ] information obtained, for example as follows:
[ host IP ] [ host port ] [ access IP ] [ SQL ] [ user name ] [ timestamp ] [ detection rules ] [ administrator ] [ department ].
From the above correlation it can be determined which database [ host IP ] and [ host port ] were attacked, which [ access IP ] the attacker used, which [ SQL ] performed the attack, at which [ timestamp ] it was executed, which [ detection rule ] detected it, and which [ department ] the CMDB [ administrator ] responsible for the database [ host IP ] belongs to.
In addition, the above information can be used to create the security threat detection tracking record information, with the following association:
[ proposal No. ] [ owner ] [ proposal state ] [ proposal result ] [ title ] [ creation time ] [ update time ] [ remark ].
Wherein [ proposal No. ] may be the record identification; [ owner ] may be the ID of the security operation and maintenance personnel; [ proposal state ] may be the record state; [ proposal result ] may be the record result; [ title ] may describe that the database [ host IP ] [ host port ] has been subjected to an SQL injection attack, together with its [ administrator ] and [ department ]; [ creation time ] may be the time the record was created; [ update time ] may be the time the record was last processed; and the [ remark ] information may be composed of the associated [ host IP ] [ host port ] [ access IP ] [ SQL ] [ user name ] [ timestamp ] [ detection rules ] [ administrator ] [ department ] fields.
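The matching and enrichment cycle just described (steps 410 to 530 and step 140, then the tracking record), as an added Python example that is not code from the patent or its applicant. The detection rules, the configuration management library contents and the log records are all constructed for illustration; the rule patterns are ordinary detection signatures written as string regular expressions, as step 420 specifies, and rule 3 is deliberately left inactive to show that step 410 must filter it out before matching.

```python
import re
from dataclasses import asdict, dataclass
from typing import Dict, List, Optional


@dataclass
class DetectionRule:
    """Mirrors the [ID] [detection rule] [activation state] [creation time] format."""
    rule_id: int
    pattern: str      # string regular expression, as in step 420
    active: bool      # activation state
    created: str


@dataclass
class AuditResult:
    """The threat audit result fields listed in the patent, plus the CMDB enrichment."""
    host_ip: str
    host_port: int
    access_ip: str
    sql: str
    user_name: str
    timestamp: str
    rule_id: int
    administrator: Optional[str] = None
    department: Optional[str] = None


# Constructed detection rules; rule 3 is inactive and must never fire.
RULES = [
    DetectionRule(1, r"(?i)\bunion\b[\s\S]*?\bselect\b", True, "2020-12-01"),
    DetectionRule(2, r"(?i)\binformation_schema\b", True, "2020-12-01"),
    DetectionRule(3, r"(?i)\b(sleep|benchmark)\s*\(", False, "2020-12-02"),
]

# Constructed configuration management library: management IP -> department, administrator.
CMDB: Dict[str, Dict[str, str]] = {
    "10.0.0.5": {"department": "payments", "administrator": "alice"},
    "10.0.0.9": {"department": "search", "administrator": "bob"},
}

# Constructed database log elements for one unit period (already split into fields).
LOGS = [
    {"host_ip": "10.0.0.5", "host_port": 3306, "access_ip": "192.168.1.20", "user_name": "app",
     "timestamp": "2020-12-25T10:15:30Z", "sql": "SELECT name FROM users WHERE id = 7"},
    {"host_ip": "10.0.0.5", "host_port": 3306, "access_ip": "192.168.1.77", "user_name": "app",
     "timestamp": "2020-12-25T10:16:02Z", "sql": "SELECT name FROM users WHERE id = 7 UNION SELECT version()"},
    {"host_ip": "10.0.0.9", "host_port": 3306, "access_ip": "192.168.1.20", "user_name": "app",
     "timestamp": "2020-12-25T10:16:40Z", "sql": "SELECT SLEEP(5)"},
    {"host_ip": "172.16.3.3", "host_port": 3306, "access_ip": "192.168.1.50", "user_name": "report",
     "timestamp": "2020-12-25T10:17:11Z", "sql": "SELECT table_name FROM information_schema.tables"},
]


def active_rules(rules: List[DetectionRule]) -> List[tuple]:
    """Step 410: keep only rules whose activation state is 'activated', compiled once per period."""
    return [(r, re.compile(r.pattern)) for r in rules if r.active]


def audit_period(logs: List[dict], rules: List[DetectionRule], cmdb: Dict[str, Dict[str, str]]) -> List[AuditResult]:
    """Steps 420 and 510-530 for one unit period: many-to-many regex matching of every
    SQL statement against every active rule, then CMDB enrichment of each hit."""
    results: List[AuditResult] = []
    compiled = active_rules(rules)
    for entry in logs:
        for rule, rx in compiled:
            if not rx.search(entry["sql"]):
                continue
            result = AuditResult(rule_id=rule.rule_id, **entry)
            # Target element is the host IP or the access IP; match it against the management IP.
            hit = cmdb.get(entry["host_ip"]) or cmdb.get(entry["access_ip"])
            if hit:
                result.administrator = hit["administrator"]
                result.department = hit["department"]
            results.append(result)
    return results


def tracking_record(result: AuditResult, owner: str, now: str) -> Dict[str, object]:
    """Record created after step 140: [record id] [owner] [state] [result] [title]
    [creation time] [update time] [remark]."""
    who = result.administrator or "unknown administrator"
    dept = result.department or "unknown department"
    return {
        "record_id": f"{result.host_ip}:{result.host_port}:{result.timestamp}:rule{result.rule_id}",
        "owner": owner,
        "state": "open",
        "result": None,
        "title": f"database {result.host_ip}:{result.host_port} hit detection rule {result.rule_id}; {who} of {dept}",
        "creation_time": now,
        "update_time": now,
        "remark": asdict(result),   # the full audit result, as the patent's [remark] field
    }


if __name__ == "__main__":
    for r in audit_period(LOGS, RULES, CMDB):
        print(tracking_record(r, owner="secops-01", now="2020-12-25T10:20:00Z"))
```

Two practical points follow from the structure of the method. A log whose host is absent from the CMDB still produces an audit result, only without administrator and department, so the tracking record must tolerate those fields being empty. And because the rules are user-supplied regular expressions evaluated against every SQL statement in every period, the rule management system should compile each pattern when it is activated and reject ones that fail or are pathologically slow; Python's `re` offers no execution timeout, so an unreviewed pattern can stall the whole audit cycle.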
The database auditing device provided by the embodiment of the application acquires the database log of a database to be audited; acquiring a database detection rule; matching the database log with the database detection rule; and outputting an audit result based on the matching result. Therefore, before a threat event occurs, the database can be audited by utilizing the database log and the database detection rule, a possible potential threat event can be found before the threat event occurs, the response time is greatly advanced, and the threat problem can be well solved to a certain extent.
The database auditing method provided by the embodiment of the present application is further described in detail below with reference to an actual application scenario. As shown in fig. 6, the database auditing method provided by the embodiment of the present application may include the following steps:
step 610, aggregating database log information;
as shown in fig. 6, step 610 may further include step 611, step 612, and step 613.
In step 611, the database node log information may be obtained, and it may be understood that the data collection agent collects the logs of the database cluster node; step 612 may be processing log information in a format, and it is understood that the acquired log information is sent to a message queue for caching, and the log data is read by a log center service program; step 613 may be to store the log information in a database, and it is understood that the read log information is written into an ES database index table and stored.
In this way, diversified log inputs receive reasonable and effective clustered data management, the data life cycle is managed automatically, and the operation and maintenance cost of the data is reduced.
Step 620, aggregating the database security detection rule information;
as shown in fig. 6, step 620 may further include step 621, step 622, and step 623.
Step 621 may be obtaining the database security detection rule information: the database security detection rule management system provides a visualization platform for creating security detection rules, security personnel can create and publish detection rules on line, and the database security detection rule information configured by the security personnel is obtained from those rules. Step 622 may be formatting the security detection rule information: a detection rule created by the security personnel is formatted and converted into a form that can be stored in the rule database. Step 623 may be storing the security detection rule information in a database: after the security personnel publish a new rule on the security detection rule management system, the formatted rule data is stored in a MySQL database table.
In this way, security personnel can create security detection rules in a user-defined manner, so the database audit rules are flexible to customize and convenient to adjust, the audit strategy can be changed in time, and the execution speed and response speed of the security audit processing are improved.
It should be understood that step 610 and step 620 have no fixed logical order. In the embodiment of the present application, step 610 may be performed before step 620, step 610 may be performed after step 620, or step 610 and step 620 may be performed concurrently.
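As an added illustration of steps 610 and 620 (this is example code, not code from the patent or its applicant), the following Python script plays both aggregation paths on constructed input. On the log side, an agent parses raw log lines of an assumed tab-separated format into the log elements named in this application, pushes them through a queue.Queue standing in for the message queue, and a log center consumer writes them into an in-memory list standing in for the ES index table. On the rule side, a rule submitted from the management platform is validated (the regular expression must compile, because a broken pattern published by an operator would otherwise stop the matcher at run time), formatted into the rule layout of claim 4 (identifier, rule, activation state, creation time) and stored in a sqlite3 table standing in for the MySQL rule table, from which only activated rules are loaded. The line format, field names, table schema, sample lines and sample patterns are all assumptions of this example.

```python
import queue
import re
import sqlite3
from datetime import datetime, timezone

# Constructed raw lines as an assumed collection agent would emit them (not from the patent).
# Assumed format: host_ip:host_port <TAB> access_ip <TAB> user_name <TAB> timestamp <TAB> sql
RAW_LINES = [
    "10.0.0.5:3306\t192.168.1.20\tappuser\t2020-12-25T08:00:01Z\tSELECT id FROM users WHERE name='bob'",
    "10.0.0.5:3306\t203.0.113.9\tappuser\t2020-12-25T08:00:02Z\tSELECT id FROM users WHERE name='' OR 1=1 -- '",
]


def parse_log_line(line):
    """Step 612: convert one raw line into the log elements named in claim 4.
    The SQL text is the last field, so tabs inside it cannot shift the other columns."""
    host, access_ip, user_name, timestamp, sql = line.rstrip("\n").split("\t", 4)
    host_ip, host_port = host.rsplit(":", 1)
    return {"host_ip": host_ip, "host_port": int(host_port), "access_ip": access_ip,
            "user_name": user_name, "timestamp": timestamp, "sql": sql}


def collect_and_index(lines):
    """Steps 611-613: agent -> message queue (cache) -> log center service -> index table.
    queue.Queue stands in for the message queue and a list for the ES index table."""
    mq = queue.Queue()
    for line in lines:                 # agent side: ship raw lines
        mq.put(line)
    index = []
    while not mq.empty():              # log center side: read, format, store
        index.append(parse_log_line(mq.get()))
    return index


# Step 623: rule table in the layout of claim 4 (sqlite3 stands in for the MySQL table).
RULE_TABLE = """CREATE TABLE IF NOT EXISTS detection_rule (
    rule_id    INTEGER PRIMARY KEY AUTOINCREMENT,
    name       TEXT    NOT NULL,
    pattern    TEXT    NOT NULL,
    activated  INTEGER NOT NULL DEFAULT 1,
    created_at TEXT    NOT NULL)"""


def open_rule_store(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.execute(RULE_TABLE)
    return conn


def format_rule(submitted, now=None):
    """Step 622: validate and normalise a rule submitted from the management platform.
    The regular expression must compile here, so that a bad pattern is rejected at
    publication time instead of aborting the matcher later."""
    pattern = submitted["pattern"].strip()
    if not pattern:
        raise ValueError("empty detection rule")
    re.compile(pattern)                # raises re.error for an invalid expression
    return {"name": submitted["name"].strip(),
            "pattern": pattern,
            "activated": 1 if submitted.get("activated", True) else 0,
            "created_at": now or datetime.now(timezone.utc).isoformat(timespec="seconds")}


def rule_is_publishable(submitted):
    """True when format_rule accepts the submission, False when it would be rejected."""
    try:
        format_rule(submitted)
    except (ValueError, re.error, KeyError):
        return False
    return True


def store_rule(conn, rule):
    cur = conn.execute(
        "INSERT INTO detection_rule (name, pattern, activated, created_at) VALUES (?, ?, ?, ?)",
        (rule["name"], rule["pattern"], rule["activated"], rule["created_at"]))
    conn.commit()
    return cur.lastrowid


def load_activated_rules(conn):
    """Read back only rules whose activation state is 'activated', compiled for the matcher."""
    rows = conn.execute("SELECT rule_id, name, pattern FROM detection_rule "
                        "WHERE activated = 1 ORDER BY rule_id").fetchall()
    return [{"rule_id": rid, "name": name, "regex": re.compile(pat, re.IGNORECASE)}
            for rid, name, pat in rows]


if __name__ == "__main__":
    for doc in collect_and_index(RAW_LINES):
        print(doc)
    conn = open_rule_store()
    store_rule(conn, format_rule({"name": "tautology", "pattern": r"\bOR\s+1\s*=\s*1\b"}))
    store_rule(conn, format_rule({"name": "broad", "pattern": r"\bSELECT\b", "activated": False}))
    print([r["name"] for r in load_activated_rules(conn)])
```

The point worth noticing is that the rule path treats operator input as untrusted data: a rule is a regular expression that will later be run against every logged statement, so it is compiled and rejected at publication time, and the activation flag, not deletion, is what removes a rule from the matcher.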
Step 630, matching the database log information with the detection rule information;
step 640, performing security audit analysis on the database information;
as shown in fig. 6, step 640 may further include step 641 and step 642.
Step 641 may be performing association matching analysis against the configuration management library; step 642 may be creating a security threat detection tracking record.
It can be understood that the database security audit threat analysis association program cyclically reads the SQL statement execution log of the database from the ES database through the REST (Representational State Transfer) API (Application Programming Interface) data query interface that the ES database provides, and performs matching analysis against the detection rules in the security detection rule database. If an SQL statement in the database log is found to conform to the feature described by the regular expression of a threat rule, the program further performs field association analysis, creates a tracking event (the security threat detection tracking record) according to the analysis result, and generates an alarm to notify the security personnel and the database server administrator. Here the REST API is a set of architectural rules, standards or guidelines on how to construct a web application API; caching may be used to improve its response speed.
It will be appreciated that the above example is merely one way to audit the security of the database. The way of auditing the security of the database in the embodiment of the present application is not limited to the above example.
Step 650, storing the data security audit analysis result to a database;
and 660, displaying the data security audit analysis result.
According to the database auditing method provided by the embodiment of the application, the log information and the security detection rule information of the database are aggregated and matched, security audit analysis is then performed on the database information, and the data security audit analysis result is stored in a database and displayed. In this way, the processing capacity for database logs is improved through the distributed, efficient log collection system; the inefficiency of locating and analysing security problems with text files and script programs is overcome; database security audit is achieved; and the response delay that arises when a threat can only be discovered after it has occurred is addressed. Moreover, clustered management of the data realises automatic management of the data life cycle and reduces the operation and maintenance cost of the data.
Fig. 7 is a block diagram of a structure of a database auditing apparatus according to an embodiment of the present application. Referring to fig. 7, a database auditing apparatus 700 provided in an embodiment of the present application may include: a first obtaining module 710, a second obtaining module 720, a matching module 730 and an output module 740.
The first obtaining module 710 is configured to obtain a database log of a database to be audited;
the second obtaining module 720 is configured to obtain a database detection rule;
the matching module 730 is configured to match the database log with the database detection rule;
the output module 740 is configured to output an audit result based on the matching result.
The database auditing apparatus 700 thus acquires the database log of the database to be audited, acquires the database detection rule, matches the database log against the database detection rule, and outputs an audit result based on the matching result. The database can therefore be audited with the database log and the database detection rule before a threat event occurs, so that a potential threat event already visible in the log can be discovered in advance; this moves the response time forward considerably and alleviates the threat problem to a certain extent.
Optionally, in an embodiment, in the process of acquiring the database log of the database to be audited, the first acquiring module 710 may be specifically configured to: receive the database logs of the database to be audited sent by each distributed log data acquisition agent; put the received database logs into a designated queue; and acquire the database log from the designated queue.
Optionally, in an embodiment, in the process of acquiring the database detection rule, the second acquiring module 720 may specifically be configured to: receiving a database detection rule configured by a user; storing the database detection rule configured by the user into a specified database; and acquiring the database detection rule from the specified database.
Optionally, in an embodiment, in the process of matching the database log with the database detection rule, the matching module 730 may specifically be configured to: match the elements in the database log with the database detection rule once every unit period. Here the elements of the database log comprise at least an SQL statement and at least one of a host IP, a host port, an access IP, a user name and a timestamp; the format of the database detection rule comprises at least the detection rule itself, and may further comprise at least one of an identifier of the detection rule, an activation state of the detection rule and a creation time of the detection rule.
Optionally, in an embodiment, the format of the database detection rule may include the detection rule and the activation state of the detection rule, and in the process of matching the elements in the database log with the database detection rule every unit period, the matching module 730 may specifically be configured to: determine the designated detection rules among the database detection rules, the designated detection rules being those whose activation state indicates "activated"; and match the SQL statements in the database log with the designated detection rules. Outputting the audit result based on the matching result may then include: when an SQL statement matching a designated detection rule exists in the database log, outputting an audit result indicating that a threat exists.
Optionally, in one embodiment, the elements of the database log may include an SQL statement and a target element associated with an element in the configuration management library. In the process of outputting an audit result indicating that a threat exists when an SQL statement matching the designated detection rule exists in the database log, the output module 740 may be specifically configured to: when an SQL statement matching the designated detection rule exists in the database log, acquire the target element of that database log entry; match the target element with the elements in the configuration management library; when the target element is successfully matched with an element in the configuration management library, acquire at least one other element in the configuration management library related to the matched element; and output an audit result indicating that a threat exists, the audit result including the SQL statement, the detection rule and the at least one other element of the configuration management library related to the element matching the target element.
Optionally, the elements of the database log may include host IP, host port, access IP, SQL statement, user name and timestamp; the target element may be the host IP, and the element in the configuration management library matching the target element may be the management IP; the other elements in the configuration management library related to the matched element may include the department and the administrator. The output audit result indicating the presence of a threat may then include: host IP, host port, access IP, SQL statement, user name, timestamp, detection rule, administrator and department.
Optionally, in an embodiment, after outputting the audit result indicating that a threat exists, the output module 740 may further be configured to create a security threat detection tracking record. The security threat detection tracking record may include: record identifier, owner, record state, record result, title, creation time, update time and remarks, where the remarks may include the audit result.
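The following Python example is added here (it is not the patent's own code) to show steps 630 to 660 described earlier and the matching and output modules just described working end to end on constructed data: the activated rules of a rule table in the layout of claim 4 are compiled, each SQL statement in the log documents is matched against them, the host IP of a hit is looked up in a dictionary standing in for the configuration management library to obtain the administrator and department, an audit result with the fields of claim 7 is emitted, and a security threat detection tracking record with the fields listed above is created from it. The sample log documents, rule patterns, CMDB contents, field names, the "open" record state and the handling of a host absent from the CMDB (the alert is still raised, with administrator and department left unknown) are assumptions of this example; the periodic polling of the ES index is left out.

```python
import re
from datetime import datetime, timezone

# Constructed log documents in the element layout of claim 7 (not real traffic).
LOG_DOCS = [
    {"host_ip": "10.0.0.5", "host_port": 3306, "access_ip": "192.168.1.20", "user_name": "appuser",
     "timestamp": "2020-12-25T08:00:01Z", "sql": "SELECT id FROM users WHERE name='bob'"},
    {"host_ip": "10.0.0.5", "host_port": 3306, "access_ip": "203.0.113.9", "user_name": "appuser",
     "timestamp": "2020-12-25T08:00:02Z", "sql": "SELECT id FROM users WHERE name='' OR 1=1 -- '"},
    {"host_ip": "10.0.0.7", "host_port": 3306, "access_ip": "203.0.113.9", "user_name": "root",
     "timestamp": "2020-12-25T08:00:03Z", "sql": "SELECT name FROM t UNION SELECT password FROM mysql.user"},
]

# Constructed rule table in the layout of claim 4: identifier, rule, activation state, creation time.
# The third rule is deliberately too broad and is deactivated; it must not fire.
RULES = [
    {"rule_id": 1, "name": "tautology", "pattern": r"\bOR\s+1\s*=\s*1\b", "activated": True,
     "created_at": "2020-12-01T00:00:00Z"},
    {"rule_id": 2, "name": "union_select", "pattern": r"\bUNION\s+(?:ALL\s+)?SELECT\b", "activated": True,
     "created_at": "2020-12-01T00:00:00Z"},
    {"rule_id": 3, "name": "any_select", "pattern": r"\bSELECT\b", "activated": False,
     "created_at": "2020-12-02T00:00:00Z"},
]

# Constructed configuration management library keyed by management IP (assumed field names).
CMDB = {
    "10.0.0.5": {"manage_ip": "10.0.0.5", "department": "payments", "administrator": "alice"},
    "10.0.0.6": {"manage_ip": "10.0.0.6", "department": "search", "administrator": "bob"},
}


def compile_activated(rules):
    """Claim 5: keep only rules whose activation state is 'activated', compiled once."""
    return [dict(r, regex=re.compile(r["pattern"], re.IGNORECASE))
            for r in rules if r["activated"]]


def first_matching_rule(sql, compiled):
    """Step 630: return the first activated rule whose regular expression hits the SQL statement."""
    for rule in compiled:
        if rule["regex"].search(sql):
            return rule
    return None


def correlate_with_cmdb(doc, cmdb):
    """Step 641 / claim 6: match the target element (host IP) against the management IP and
    fetch the related elements (department, administrator). Returns None when unmatched."""
    entry = cmdb.get(doc["host_ip"])
    if entry is None or entry["manage_ip"] != doc["host_ip"]:
        return None
    return {"department": entry["department"], "administrator": entry["administrator"]}


def audit(docs, rules, cmdb):
    """Steps 630-640: one audit result (claim 7 fields) per log entry that hits an activated rule."""
    compiled = compile_activated(rules)
    results = []
    for doc in docs:
        rule = first_matching_rule(doc["sql"], compiled)
        if rule is None:
            continue
        result = {k: doc[k] for k in ("host_ip", "host_port", "access_ip", "sql", "user_name", "timestamp")}
        result["detection_rule"] = rule["name"]
        related = correlate_with_cmdb(doc, cmdb)
        # Assumption: a host missing from the CMDB still produces an alert, with owner fields unknown.
        result["administrator"] = related["administrator"] if related else None
        result["department"] = related["department"] if related else None
        results.append(result)
    return results


def create_tracking_record(result, record_id, owner, now=None):
    """Step 642 / claim 8: open a tracking record whose remarks carry the full audit result."""
    now = now or datetime.now(timezone.utc).isoformat(timespec="seconds")
    admin = result["administrator"] or "unknown"
    dept = result["department"] or "unknown"
    return {
        "record_id": record_id,
        "owner": owner,
        "state": "open",
        "result": "",
        "title": f"database {result['host_ip']}:{result['host_port']} ({admin}, {dept}) subject to SQL injection attack",
        "created_at": now,
        "updated_at": now,
        "remarks": dict(result),
    }


if __name__ == "__main__":
    for n, res in enumerate(audit(LOG_DOCS, RULES, CMDB), start=1):
        print(create_tracking_record(res, record_id=n, owner="secops-01"))
```

Two details matter in practice: the activation filter is applied before compilation, so a deactivated rule costs nothing at match time, and the CMDB correlation decides who is paged rather than whether an alert is raised, so a database that is missing from the configuration management library is surfaced as an unowned alert instead of being dropped.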
It should be noted that the database auditing apparatus provided in the embodiments of the present application corresponds to the above-mentioned database auditing method. The related contents can refer to the description of the database auditing method, and are not described herein again.
Also, embodiments of the present application provide a server, which includes a memory, on which program instructions are stored, and when executed, implement any one of the above-mentioned database auditing methods.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include forms of volatile memory in a computer readable medium, Random Access Memory (RAM) and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, a computer readable medium does not include a transitory computer readable medium such as a modulated data signal and a carrier wave.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The above description is only an example of the present application and is not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims of the present application.

Claims (10)

1. A database auditing method is characterized by comprising the following steps:
acquiring a database log of a database to be audited;
acquiring a database detection rule;
matching the database log with the database detection rule;
and outputting an audit result based on the matching result.
2. The database auditing method of claim 1, where obtaining the database log of the database to be audited comprises:
receiving database logs of the database to be audited sent by each distributed log data acquisition agent;
putting the received database logs into a designated queue;
and acquiring the database log from the specified queue.
3. The database audit method of claim 1, wherein the obtaining database detection rules includes:
receiving a database detection rule configured by a user;
storing the database detection rule configured by the user into a specified database;
and acquiring the database detection rule from the specified database.
4. The database auditing method of claim 1, where matching the database log to the database detection rule comprises:
matching elements in the database log with the database detection rule every unit period;
the elements of the database log at least comprise SQL statements and at least one of a host IP, a host port, an access IP, a user name and a timestamp;
the format of the database detection rule at least comprises the detection rule, and at least one of the identification of the detection rule, the activation state of the detection rule and the creation time of the detection rule.
5. The database audit method of claim 4, wherein the format of the database detection rule includes a detection rule and an activation status of a detection rule, and wherein matching the elements in the database log with the database detection rule every unit period includes:
determining a designated detection rule in the database detection rules, wherein the designated detection rule is a detection rule of which the activation state indicates 'activation' in the database detection rules;
matching SQL statements in the database log with the specified detection rules;
the outputting the audit result based on the matching result comprises: and under the condition that the SQL statement matched with the specified detection rule exists in the database log, outputting an audit result indicating that the threat exists.
6. The database audit method of claim 5, wherein the elements of the database log include an SQL statement and a target element associated with an element in a configuration management library, and wherein, in the case that an SQL statement matching the specified detection rule exists in the database log, outputting an audit result indicating that a threat exists comprises:
under the condition that SQL sentences matched with the specified detection rules exist in the database log, acquiring target elements of the database log;
matching the target element with an element in the configuration management library;
under the condition that the target element is successfully matched with the element in the configuration management library, acquiring at least one other element related to the element matched with the target element in the configuration management library;
outputting an audit result indicating that there is a threat, the audit result including the SQL statement, the detection rule, and the at least one other element in the configuration management library that is related to the element matching the target element.
7. The database audit method of claim 6, wherein the elements of the database log include: host IP, host port, access IP, SQL statement, user name and timestamp; the target element is a host IP or an access IP; the element in the configuration management library matching the target element includes a management IP; and the other elements in the configuration management library related to the element matching the target element include a department and an administrator;
the output audit results indicating the presence of a threat include: host IP, host port, access IP, SQL statement, user name, timestamp, detection rule, administrator, department.
8. The database audit method of claim 6, wherein after outputting an audit result indicating that a threat exists, the method further comprises:
creating a security threat detection tracking record;
the security threat detection tracking record includes: recording identification, owner, recording state, recording result, title, creation time, updating time and remark; wherein the remarks comprise audit results.
9. A database auditing apparatus, comprising:
the first acquisition module is used for acquiring a database log of a database to be audited;
the second acquisition module is used for acquiring the detection rule of the database;
the matching module is used for matching the database log with the database detection rule;
and the output module is used for outputting the audit result based on the matching result.
10. A server, characterized in that the server comprises a memory on which program instructions are stored, which program instructions, when executed, implement the method according to any one of claims 1-8.
CN202011564722.1A 2020-12-25 2020-12-25 Database auditing method and device Pending CN112506954A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011564722.1A CN112506954A (en) 2020-12-25 2020-12-25 Database auditing method and device


Publications (1)

Publication Number Publication Date
CN112506954A true CN112506954A (en) 2021-03-16

Family

ID=74922043

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011564722.1A Pending CN112506954A (en) 2020-12-25 2020-12-25 Database auditing method and device

Country Status (1)

Country Link
CN (1) CN112506954A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113010494A (en) * 2021-03-18 2021-06-22 北京金山云网络技术有限公司 Database auditing method and device and database proxy server
CN113792076A (en) * 2021-09-17 2021-12-14 甘肃同兴智能科技发展有限责任公司 Data auditing system

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070283194A1 (en) * 2005-11-12 2007-12-06 Phillip Villella Log collection, structuring and processing
CN109977689A (en) * 2017-12-28 2019-07-05 中国移动通信集团广东有限公司 A kind of Method of Database Secure Audit method, apparatus and electronic equipment
CN111404909A (en) * 2020-03-10 2020-07-10 上海豌豆信息技术有限公司 Security detection system and method based on log analysis
CN111782473A (en) * 2020-06-30 2020-10-16 中国工商银行股份有限公司 Distributed log data processing method, device and system
CN111897834A (en) * 2020-08-12 2020-11-06 网易(杭州)网络有限公司 Log searching method and device and server




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20230313

Address after: Room 501-502, 5/F, Sina Headquarters Scientific Research Building, Block N-1 and N-2, Zhongguancun Software Park, Dongbei Wangxi Road, Haidian District, Beijing, 100193

Applicant after: Sina Technology (China) Co.,Ltd.

Address before: 100080 7th floor, Sina headquarters scientific research building, plot n-1 and n-2, Zhongguancun Software Park Phase II (West Expansion), Dongbeiwang West Road, Haidian District, Beijing

Applicant before: Sina.com Technology (China) Co.,Ltd.