CN112749410A - Database security protection method and device - Google Patents

Database security protection method and device

Info

Publication number
CN112749410A
CN112749410A
Authority
CN
China
Prior art keywords
access
database
flow
user
time
Prior art date
Legal status
Granted
Application number
CN202110023167.XA
Other languages
Chinese (zh)
Other versions
CN112749410B (en)
Inventor
吴建亮
胡鹏
王永君
Current Assignee
Guangzhou Jeeseen Network Technologies Co Ltd
Original Assignee
Guangzhou Jeeseen Network Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by Guangzhou Jeeseen Network Technologies Co Ltd
Priority to CN202110023167.XA
Publication of CN112749410A
Application granted
Publication of CN112749410B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/60 Protecting data
    • G06F 21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F 21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F 16/10 File systems; File servers
    • G06F 16/18 File system types
    • G06F 16/1805 Append-only file systems, e.g. using logs or journals to store data
    • G06F 16/1815 Journaling file systems
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F 16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F 16/24 Querying
    • G06F 16/245 Query processing
    • G06F 16/2455 Query execution
    • G06F 16/24553 Query execution of query operations
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N 20/00 Machine learning
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/14 Network analysis or design
    • H04L 41/145 Network analysis or design involving simulating, designing, planning or modelling of a network
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/14 Network analysis or design
    • H04L 41/147 Network analysis or design for predicting network behaviour
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425 Traffic logging, e.g. anomaly detection

Abstract

The invention provides a database security protection method and device, and belongs to the technical field of database security. Database access-volume data (visitor IP address, access time, the number of databases accessed, the access statements, and so on) is recorded and collected over a period of time, and a traffic time-series prediction model is built from it with a machine-learning algorithm. During subsequent service, the measured database access volume is compared with the prediction of the time-series model; if the comparison is abnormal, a database data-protection mechanism is triggered. The protection mechanism includes shutting down the database, forging the access port, and similar measures, through which the security of the database data is protected.

Description

Database security protection method and device
Technical Field
The invention relates to the technical field of database security, in particular to a database security protection method and device.
Background
The database is the core of an internet company: almost no business process runs without database support, and the security of the data the database holds is the most critical part of that core. Current database security technologies are essentially database encryption, database firewalls, data desensitization (masking), and the like. Today, threats to database data most often take the form of internal data leakage and of theft in which a compromised server is used as a springboard. These threat paths often defeat the conventional solutions.
Therefore, with highly developed networks and the rapid growth of big data, database protection is especially important, and engineers are searching for various database protection schemes.
Chinese patent application CN102480385A discloses a database security protection method that includes: formulating a model-generation strategy; collecting statistics on database access operations; generating a normal-behaviour model from the statistical result; and detecting whether a database operation is abnormal according to the normal-behaviour model. A message is received, the structured query language (SQL) statement identifying the database operation is extracted from the message, and the database access operation is extracted from the SQL statement. The statistics on database access operations are specifically classified statistics over the access operations that match the strategy parameters, that is, counting the number of times each type of operation occurs in an observation period. Generating the normal-behaviour model from the statistical result includes: in each model-generation period, calculating from the statistics the number of operations of all types in each observation period of the previous sampling period; calculating the proportion of each operation type to all operations in each observation period; and generating the normal-behaviour model from the operation counts, these proportions, and the model-generation strategy. Detection compares the difference between the proportion of one operation type in the current observation period and the average proportion of that type in the previous model-generation period against the variance of that proportion, and judges from the comparison whether the database operation is abnormal. This solution has a number of limitations, because its decisions are based on an operation model and not on traffic: a large data download may look like normal access activity as far as operation counts are concerned, and in that case no abnormality is detected.
The prior art has at least the following disadvantage:
1. The prior art largely emphasises protection at the physical layer of the database and does not achieve protection at the data layer. Protection of the data is usually decided from operation behaviour, so behaviour such as malicious downloading and data leakage cannot be fundamentally limited.
Disclosure of Invention
To solve the technical problems of the prior art, the invention provides a database data security protection method based on a traffic-analysis algorithm. During subsequent service, the measured database access volume is compared with a time-series prediction model; if the comparison is abnormal, a database data-protection mechanism is triggered. The protection mechanism includes shutting down the database, forging the access port, and similar measures, through which the security of the database data is protected.
The time-series prediction algorithm is a regression prediction algorithm and belongs to quantitative prediction. On the assumption that the observed phenomenon develops continuously, a model of the relationship between the data and time is established by statistical analysis of past time-series data, eliminating the random fluctuations that would interfere with it, and trend prediction is then performed with the established time-relationship model.
A database data security protection method based on a traffic-analysis algorithm is designed: by establishing a time-series prediction model of the access volume, the database data can be protected when internal or external attack behaviour occurs.
The invention provides a database security protection method, which comprises the following steps:
creating an access record table in the database, the access record table recording information related to user access traffic, from which the connection time connection_time and the access operation connection_option can be obtained;
starting a traffic monitoring tool and running the database;
recording the database log and the access record table;
reading the database log and the access record table and performing data analysis to obtain the traffic corresponding to each access time point of each user;
establishing a traffic time-series prediction model for each user from the correspondence between that user's access time points and traffic;
constructing several database risk-avoidance measures of different levels, used to protect the database once abnormal access is detected;
running the traffic time-series prediction model of each user and starting the traffic monitoring tool to monitor access traffic;
comparing the access traffic value measured in a preset time period with the value predicted by the time-series model of the user to whom the traffic belongs, and judging whether the access traffic is normal:
if it is abnormal, triggering a database risk-avoidance measure;
if it is normal, feeding the measured preset time period and its access traffic value back into the time-series prediction model to optimise it, and continuing to monitor.
Preferably, creating the access record table in the database comprises the following steps:
creating the access record table in the database;
configuring the database to enable recording into the access record table;
configuring the database to enable the database log, the database log recording: access time, connection id, and access operation.
Preferably, the information recorded by the access record table includes: connection id connect_id, connection time connect_time, visitor IP address, and visitor name connect_name.
Preferably, the data analysis comprises the following steps:
querying the database log by the connection id of each user in the access record table and, if the operation of that connection id is an operation on database data, obtaining the connection time connect_time of that connection id;
from the obtained connection time of each user and the visitor IP address, obtaining from the traffic monitoring tool the access traffic value corresponding to that connection time, and recording it;
thereby obtaining, for each user, the data point set {T, H} of access time points T and the access traffic H corresponding to each access time point T.
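Building the {T, H} point set described in the data-analysis steps above (the same steps are repeated in the detailed description and in Example 1), as an added example that is not part of the patent: the access record table, the database log and the traffic monitor's samples are modelled as three tables in an in-memory SQLite database, the log is joined to the record table on connection id (which supplies the visitor IP and name the log lacks), and the bytes the monitor saw from that IP in a window after connect_time are attributed to the connection. The table layouts, the five-minute attribution window, the sample rows, and the rule that only SELECT/INSERT/UPDATE/DELETE count as operations on database data are assumptions made for this example; the patent does not specify them.

```python
import sqlite3
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample rows (not from the patent).
# access record table: connect_id, connect_time, visitor IP, connect_name
ACCESS_RECORDS = [
    (101, "2021-01-05 09:00:00", "10.0.0.5", "alice"),
    (102, "2021-01-05 09:05:00", "10.0.0.9", "bob"),
    (103, "2021-01-05 10:00:00", "10.0.0.5", "alice"),
    (104, "2021-01-05 10:30:00", "10.0.0.9", "bob"),
]
# database log: access_time, connect_id, access_operation
DB_LOG = [
    ("2021-01-05 09:00:00", 101, "SELECT * FROM orders WHERE id = 1"),
    ("2021-01-05 09:05:00", 102, "SHOW VARIABLES"),
    ("2021-01-05 10:00:00", 103, "SELECT name, email FROM customers"),
    ("2021-01-05 10:30:00", 104, "UPDATE orders SET state = 2 WHERE id = 7"),
]
# traffic monitor samples: sample_time, source IP, bytes seen in that sample
TRAFFIC_SAMPLES = [
    ("2021-01-05 09:00:00", "10.0.0.5", 1200),
    ("2021-01-05 09:05:00", "10.0.0.9", 300),
    ("2021-01-05 10:00:00", "10.0.0.5", 880000),
    ("2021-01-05 10:02:00", "10.0.0.5", 120000),
    ("2021-01-05 10:30:00", "10.0.0.9", 4100),
]

# Assumed rule: only statements that read or write table data are
# "operations on database data"; metadata/admin commands are skipped.
DATA_OPERATIONS = ("SELECT", "INSERT", "UPDATE", "DELETE")
WINDOW = "+5 minutes"   # assumed attribution window after connect_time


def build_point_sets(access_records, db_log, traffic_samples) -> Dict[str, List[Tuple[int, int]]]:
    """Return {connect_name: [(T, H), ...]}; T = minutes since midnight, H = bytes."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE access_record(
            connect_id INTEGER PRIMARY KEY, connect_time TEXT, ip TEXT, connect_name TEXT);
        CREATE TABLE db_log(access_time TEXT, connect_id INTEGER, access_operation TEXT);
        CREATE TABLE traffic(sample_time TEXT, ip TEXT, bytes INTEGER);
    """)
    con.executemany("INSERT INTO access_record VALUES (?,?,?,?)", access_records)
    con.executemany("INSERT INTO db_log VALUES (?,?,?)", db_log)
    con.executemany("INSERT INTO traffic VALUES (?,?,?)", traffic_samples)
    # The window modifier is bound as a parameter, not interpolated into the SQL.
    rows = con.execute("""
        SELECT a.connect_name, a.connect_time, l.access_operation, SUM(t.bytes)
        FROM access_record a
        JOIN db_log l ON l.connect_id = a.connect_id
        JOIN traffic t ON t.ip = a.ip
                      AND t.sample_time >= a.connect_time
                      AND t.sample_time <  datetime(a.connect_time, ?)
        GROUP BY a.connect_id, l.access_time
        ORDER BY a.connect_time
    """, (WINDOW,)).fetchall()
    con.close()
    points: Dict[str, List[Tuple[int, int]]] = {}
    for name, when, op, nbytes in rows:
        if not op.lstrip().upper().startswith(DATA_OPERATIONS):
            continue                      # not an operation on database data
        ts = datetime.strptime(when, "%Y-%m-%d %H:%M:%S")
        points.setdefault(name, []).append((ts.hour * 60 + ts.minute, nbytes))
    return points


if __name__ == "__main__":
    for user, pts in build_point_sets(ACCESS_RECORDS, DB_LOG, TRAFFIC_SAMPLES).items():
        print(user, pts)
```

Bob's 09:05 connection only ran SHOW VARIABLES and therefore contributes no point, while Alice's 10:00 connection is credited with both samples that fall inside its window. Attributing traffic to a connection by IP and time window is the weak link of the scheme: connections from the same IP that overlap in time cannot be separated this way, and the window length has to be chosen to match the monitor's sampling interval.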
Preferably, establishing the traffic time-series prediction model comprises:
from the {T, H} data point set of each user obtained by the data analysis, selecting a curve of order k to fit the relationship between each user's traffic and access time, the fitting formula being:
$$H_m = \sum_{i=0}^{k} a_{m,i}\, T_m^{\,i}$$
where i is the order of a term of the fitted curve and takes the values 0, 1, ..., k;
$T_m$ is the access time of user m;
$H_m$ is the traffic of user m;
$a_{m,i}$ is the coefficient of the i-th term in the fitting formula of user m;
obtaining the coefficients of each order in each user's fitting formula by least-squares fitting, and thereby obtaining, for each user, a k-th-order fitted time-series prediction model of the access traffic H at different access time points T.
Preferably, comparing the access traffic value measured in the preset time period with the value predicted by the time-series model of the user to whom the traffic belongs, and judging whether the access traffic is normal, comprises:
recording the access traffic $H_{\Delta T}$ within a preset time period $\Delta T$;
calculating with the time-series prediction model the predicted access traffic $H'_{\Delta T}$ for the preset time period $\Delta T$;
comparing the access volumes $H_{\Delta T}$ and $H'_{\Delta T}$: if their relative difference lies within a given preset threshold $H_\varepsilon$, that is, if $|H_{\Delta T} - H'_{\Delta T}| < H_\varepsilon$ holds, the access traffic is normal; if it does not hold, the access traffic is abnormal.
Preferably, the preset threshold takes several different values, and different database risk-avoidance measures are taken according to the preset threshold range in which the access traffic difference $|H_{\Delta T} - H'_{\Delta T}|$ falls.
Preferably, the database risk-avoidance measures include: database shutdown, forged port, data distortion protection, access restriction, and automatic backup of data.
The invention provides a database security protection device, which comprises:
a database operation module, a data analysis module, a time-series prediction module, and a database protection module;
the database operation module performs the following operations:
creating an access record table in the database for recording information related to user access traffic;
enabling recording into the access record table and recording of the database log;
while the database runs, recording each database access in the database log and the access record table;
the data analysis module performs the following operations:
reading the database log and the access record table;
obtaining, for each user, the data point set {T, H} of access time points T and the access traffic H corresponding to each access time point T;
the time-series prediction module performs the following operations:
from the obtained {T, H} data point set of each user, fitting the relationship between each user's traffic and access time with a curve of order k, and establishing a traffic time-series prediction model for each user, the model being able to predict the access traffic in a preset time period from that time period;
predicting the access traffic in the preset time period with the time-series prediction model;
obtaining the access traffic difference from the access traffic measured in the preset time period and the predicted access traffic;
comparing the access traffic difference with several preset thresholds and judging whether the access traffic is normal; if it is abnormal, starting a database risk-avoidance measure; if it is normal, feeding the measured preset time period and its access traffic value back into the time-series prediction model to optimise it.
Preferably, the access traffic difference selects database risk-avoidance measures of different levels according to the preset threshold range in which it falls, the measures being, from the highest level to the lowest: database shutdown, forged port, data distortion protection, access restriction, and automatic backup of data.
Compared with the prior art, the invention has the following beneficial effects:
1. The time-series prediction model is established from the access time points and the access traffic corresponding to them, and is compared with the actually monitored traffic to judge whether the access traffic is abnormal; because the current access traffic is judged against the historical access traffic, the judgement is more accurate.
2. Whether the access traffic is abnormal is judged against several thresholds, and different risk-avoidance measures are taken for different threshold ranges, so the database is protected to a degree that matches the degree of abnormality, which gives stronger adaptability.
Drawings
FIG. 1 is a flow chart of a database security protection method according to an embodiment of the invention;
FIG. 2 is a flow chart of establishing the time-series prediction model according to an embodiment of the invention;
FIG. 3 is a block diagram of a database security protection device according to an embodiment of the invention.
Detailed Description
The following detailed description of the embodiments of the present invention is provided in conjunction with the accompanying drawings of fig. 1-3.
The invention provides a database security protection method, which comprises the following steps:
creating an access record table in the database, the access record table recording information related to user access traffic, from which the connection time connection_time and the access operation connection_option can be obtained;
the database log automatically records the access time, connection id and access operation, but cannot record the visitor's IP address and name; the information recorded by the access record table is therefore used to look up in the database log what access operation the same connection id performed at the same access time, and whether the access is abnormal needs to be judged only when the access operation is an operation on database data;
starting a traffic monitoring tool and running the database;
the database needs to run for a period of time in order to gather enough data to build the traffic time-series prediction model. Zabbix can be chosen as the traffic monitoring tool; it must be configured by setting the database host name, specifying the name of the database in which Zabbix stores its own data, specifying the user name and password used to connect to the database, configuring the host, setting the path of the socket the user uses to connect to the database, and setting the database port number.
recording the database log and the access record table;
reading the database log and the access record table and performing data analysis to obtain the traffic corresponding to each access time point of each user;
the purpose of the data analysis is to obtain, from the recorded log information, the access traffic of different connection ids at different time points. First the operation performed by each connection id at its connection time must be obtained, since only operations that access database data need to be judged for abnormal access; then, if the operation does access database data, the access traffic corresponding to that connection id at that time point is obtained from the traffic monitoring tool.
establishing a traffic time-series prediction model for each user from the correspondence between that user's access time points and traffic;
after enough traffic information has been collected, the traffic time-series prediction model is established by machine learning, and the established model is used in the subsequent judgement of the access traffic in each preset time period to decide whether the access traffic is abnormal. Because the abnormality judgement is based on historical access conditions, a closed-loop optimisation process needs to be established later to optimise the prediction model.
constructing several database risk-avoidance measures of different levels, used to protect the database once abnormal access is detected;
for detected abnormal access, database risk-avoidance measures of different levels need to be established to protect the database, and when the access volume exceeds the model's prediction by a large amount, the protection level needs to be raised.
running the traffic time-series prediction model of each user and starting the traffic monitoring tool to monitor access traffic;
comparing the access traffic value measured in a preset time period with the value predicted by the time-series model of the user to whom the traffic belongs, and judging whether the access traffic is normal:
if it is abnormal, triggering a database risk-avoidance measure;
if it is normal, feeding the measured preset time period and its access traffic value back into the time-series prediction model to optimise it, and continuing to monitor.
As a preferred embodiment, creating the access record table in the database comprises the following steps:
creating the access record table in the database;
configuring the database to enable recording into the access record table;
configuring the database to enable the database log, the database log recording: access time, connection id, and access operation.
As a preferred embodiment, the information recorded by the access record table includes: connection id connect_id, connection time connect_time, visitor IP address, and visitor name connect_name.
As a preferred embodiment, the data analysis comprises the following steps:
querying the database log by the connection id of each user in the access record table and, if the operation of that connection id is an operation on database data, obtaining the connection time connect_time of that connection id;
from the obtained connection time of each user and the visitor IP address, obtaining from the traffic monitoring tool the access traffic value corresponding to that connection time, and recording it;
thereby obtaining, for each user, the data point set {T, H} of access time points T and the access traffic H corresponding to each access time point T.
As a preferred embodiment, establishing the traffic time-series prediction model comprises:
from the {T, H} data point set of each user obtained by the data analysis, selecting a curve of order k to fit the relationship between each user's traffic and access time, the fitting formula being:
$$H_m = \sum_{i=0}^{k} a_{m,i}\, T_m^{\,i}$$
where i is the order of a term of the fitted curve and takes the values 0, 1, ..., k;
$T_m$ is the access time of user m;
$H_m$ is the traffic of user m;
$a_{m,i}$ is the coefficient of the i-th term in the fitting formula of user m;
obtaining the coefficients of each order in each user's fitting formula by least-squares fitting, and thereby obtaining, for each user, a k-th-order fitted time-series prediction model of the access traffic H at different access time points T.
As a preferred embodiment, comparing the access traffic value measured in the preset time period with the value predicted by the time-series model of the user to whom the traffic belongs, and judging whether the access traffic is normal, comprises:
recording the access traffic $H_{\Delta T}$ within a preset time period $\Delta T$;
calculating with the time-series prediction model the predicted access traffic $H'_{\Delta T}$ for the preset time period $\Delta T$;
comparing the access volumes $H_{\Delta T}$ and $H'_{\Delta T}$: if their relative difference lies within a given preset threshold $H_\varepsilon$, that is, if $|H_{\Delta T} - H'_{\Delta T}| < H_\varepsilon$ holds, the access traffic is normal; if it does not hold, the access traffic is abnormal.
As a preferred embodiment, the preset threshold takes several different values, and different database risk-avoidance measures are taken according to the preset threshold range in which the access traffic difference $|H_{\Delta T} - H'_{\Delta T}|$ falls.
As a preferred embodiment, the database risk-avoidance measures include: database shutdown, forged port, data distortion protection, access restriction, and automatic backup of data.
When a database risk-avoidance measure is started, access from the visitor IP address must be restricted. The highest-level measure is to shut down the database and refuse all access. Next, the port can be forged, so that the user who initiated the abnormal access cannot reach the correct port and the database is protected. Further, the data in the database can be processed so that the data obtained by the user who initiated the abnormal access is distorted and cannot be restored, while a legitimate user can restore it according to the protection measure. In some cases the database can be protected simply by restricting access to the database from the visitor's IP address, which is the simplest and most direct method. The most basic and necessary measure is automatic backup of the data, so that the database is not destroyed by the next access of the user who initiated the abnormal access.
The invention provides a database security protection device, which comprises:
a database operation module, a data analysis module, a time-series prediction module, and a database protection module;
the database operation module performs the following operations:
creating an access record table in the database for recording information related to user access traffic;
enabling recording into the access record table and recording of the database log;
while the database runs, recording each database access in the database log and the access record table;
the data analysis module performs the following operations:
reading the database log and the access record table;
obtaining, for each user, the data point set {T, H} of access time points T and the access traffic H corresponding to each access time point T;
the time-series prediction module performs the following operations:
from the obtained {T, H} data point set of each user, fitting the relationship between each user's traffic and access time with a curve of order k, and establishing a traffic time-series prediction model for each user, the model being able to predict the access traffic in a preset time period from that time period;
predicting the access traffic in the preset time period with the time-series prediction model;
obtaining the access traffic difference from the access traffic measured in the preset time period and the predicted access traffic;
comparing the access traffic difference with several preset thresholds and judging whether the access traffic is normal; if it is abnormal, starting a database risk-avoidance measure; if it is normal, feeding the measured preset time period and its access traffic value back into the time-series prediction model to optimise it.
In a preferred embodiment, the access traffic difference selects database risk-avoidance measures of different levels according to the preset threshold range in which it falls, the measures being, from the highest level to the lowest: database shutdown, forged port, data distortion protection, access restriction, and automatic backup of data.
Example 1
With reference to FIGS. 1-3, the data security protection method provided by the invention is described in detail using an embodiment in which a 2nd-order fit is used to establish the time-series prediction model.
The invention provides a database security protection method, which comprises the following steps:
creating an access record table in a database, wherein the access record table is used for recording user access flow related information, and connection time connection _ time and access operation connection _ option can be obtained according to the information recorded by the access record table;
the creating of the access record table in the database comprises the following steps:
creating an access record table in a database;
setting in a database, and starting a record of an access record table;
setting in a database, and starting database log records, wherein the information of the database log records comprises: access time, connection id, and access operation;
the information recorded by the access record table comprises: connection id connect _ id, connection time connect _ time, visitor IP address, and visitor name connect _ name;
starting a flow monitoring tool and operating a database;
recording database logs and access record tables;
reading information of database logs and access record tables, and performing data analysis to obtain flow corresponding to each access time point of each user;
the data analysis comprises the following steps:
inquiring database logs according to the connection id of each user in the access record table, and if the operation of the connection id is database data, acquiring the connection time connect _ time of the connection id;
according to the obtained connection time of each user and the IP address of the visitor, obtaining an access flow value corresponding to the connection time from a flow monitoring tool and recording the access flow value;
and acquiring a { T, H } data point set of the access flow H corresponding to each user at different access time points T and each access time point T.
Establishing a flow time sequence prediction model of each user according to the corresponding relation between the access time point of each user and the flow;
the establishment of the flow time sequence prediction model comprises the following steps:
according to a { T, H } data point set of each user obtained through data analysis, a 2-order curve is selected to fit the relation between the flow and the access time of each user, and the fitting formula is as follows:
$H_m = \sum_{i=0}^{2} a_{m,i}\, T_m^{\,i}$ (Figure BDA0002889420940000091)
where i is the order of each term of the fitted curve and takes the values 0, 1 and 2;
$T_m$ is the access time of user m;
$H_m$ is the access flow of user m;
$a_{m,i}$ is the coefficient of the i-th order term in the fitting formula of user m;
obtaining the coefficients of each order term in each user's fitting formula by least-squares fitting, thereby obtaining for each user a k-order fitted time sequence prediction model of the access flow H against the access time point T;
constructing a plurality of database risk avoiding measures of different levels for database protection after abnormal access is monitored;
running the flow time sequence prediction model of each user, and starting a flow monitoring tool to monitor access flow;
comparing the monitored access flow data value in the preset time period with the predicted value of the time sequence prediction model of the user corresponding to the flow, and judging whether the access flow is normal:
if the data is abnormal, triggering a database risk avoiding measure;
and if the access flow data value is normal, inputting the monitored preset time period and the corresponding access flow data value into the time sequence prediction model, optimizing the time sequence prediction model, and continuously monitoring.
The step of comparing the monitored access flow data value in the preset time period with the predicted value of the time sequence prediction model of the user corresponding to the flow to judge whether the access flow is normal comprises the following steps:
recording the access flow $H_{\Delta T}$ within a preset time period $\Delta T$;
calculating, with the time sequence prediction model, the predicted access flow $H'_{\Delta T}$ for the preset time period $\Delta T$;
comparing the access flows $H_{\Delta T}$ and $H'_{\Delta T}$: if their relative difference lies within a given preset threshold $H_\varepsilon$, i.e. $|H_{\Delta T} - H'_{\Delta T}| < H_\varepsilon$ is satisfied, the access flow is normal; if it is not satisfied, the access flow is abnormal.
The preset threshold takes a plurality of different values, and different database risk avoiding measures are taken correspondingly when the relative difference $|H_{\Delta T} - H'_{\Delta T}|$ of the access flow falls within different preset threshold ranges.
The database risk avoiding measures comprise: database shutdown, fake port, data distortion protection, access restriction, and automatic backup of data.
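The fitting and comparison steps above, as an added example that is not part of the patent: a per-user 2nd-order least-squares fit of the {T, H} set, the |H_ΔT - H'_ΔT| < H_ε check, and the mapping of the deviation to one of the listed risk-avoiding measures. Assumed here and not taken from the patent: T is measured in hours from the start of the observation window (which keeps the normal equations well conditioned), the threshold values are constructed, and a larger deviation selects a higher-level measure.

```python
"""Added example, not code from the patent: per-user 2nd-order least-squares
traffic model and the |H_dT - H'_dT| < H_eps check that picks a risk measure.
Assumptions made here: T is hours since the start of the observation window,
the thresholds are constructed, and a larger deviation maps to a higher-level
measure."""
from typing import List, Optional, Sequence, Tuple

Point = Tuple[float, float]

# Risk-avoiding measures named by the patent, highest level first.
MEASURES = ["database shutdown", "fake port", "data distortion protection",
            "access restriction", "automatic backup of data"]

# Constructed {T, H} set for one user: T in hours, H in MB per period,
# generated from H = 100 + 20 T - 0.8 T^2 so the fit can be checked exactly.
SAMPLE_POINTS: List[Point] = [(t, 100 + 20 * t - 0.8 * t * t) for t in range(0, 24, 2)]

# Constructed ascending thresholds H_eps (MB), one range per measure.
THRESHOLDS = [10.0, 25.0, 50.0, 100.0, 200.0]


def fit_poly(points: Sequence[Point], k: int = 2) -> List[float]:
    """Least-squares fit of H = sum_{i=0..k} a_i T^i via the normal equations
    (X^T X) a = X^T H, solved by Gauss-Jordan elimination with partial pivoting."""
    n = k + 1
    ata = [[0.0] * n for _ in range(n)]
    atb = [0.0] * n
    for t, h in points:
        powers = [t ** i for i in range(n)]
        for r in range(n):
            atb[r] += powers[r] * h
            for c in range(n):
                ata[r][c] += powers[r] * powers[c]
    aug = [row + [b] for row, b in zip(ata, atb)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(aug[r][col]))
        aug[col], aug[pivot] = aug[pivot], aug[col]
        if abs(aug[col][col]) < 1e-12:
            raise ValueError("degenerate fit: need more distinct access times")
        for r in range(n):
            if r != col:
                f = aug[r][col] / aug[col][col]
                aug[r] = [x - f * y for x, y in zip(aug[r], aug[col])]
    return [aug[i][n] / aug[i][i] for i in range(n)]


def predict(coeffs: Sequence[float], t: float) -> float:
    """H'_dT for the period starting at T = t."""
    return sum(a * t ** i for i, a in enumerate(coeffs))


def classify(h_observed: float, h_predicted: float,
             thresholds: Sequence[float] = THRESHOLDS) -> Optional[str]:
    """Return None when |H_dT - H'_dT| is below the smallest threshold (normal),
    otherwise the measure for the threshold range the deviation falls in."""
    if len(thresholds) != len(MEASURES):
        raise ValueError("one threshold range per risk measure is required")
    diff = abs(h_observed - h_predicted)
    level = sum(1 for th in thresholds if diff >= th)  # 0 = normal
    if level == 0:
        return None
    return MEASURES[len(MEASURES) - level]  # level 1 -> lowest-level measure


def monitor_step(points: List[Point], coeffs: List[float], t: float, h: float,
                 thresholds: Sequence[float] = THRESHOLDS):
    """One monitoring cycle: abnormal flow triggers a measure; normal flow is fed
    back into the point set and the model is refitted, as the method describes."""
    measure = classify(h, predict(coeffs, t), thresholds)
    if measure is None:
        points = points + [(t, h)]
        coeffs = fit_poly(points)
    return measure, points, coeffs


if __name__ == "__main__":
    a = fit_poly(SAMPLE_POINTS)
    print("coefficients a_0..a_2:", [round(x, 6) for x in a])
    for h in (229.8, 254.8, 724.8):
        print(h, "->", classify(h, predict(a, 12.0)))
```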
The invention provides a database security protection device, which comprises:
the system comprises a database operation module, a data analysis module, a time sequence prediction module and a database protection module;
the database operation module executes the following operations:
creating an access record table in a database for recording the relevant information of user access flow;
opening records of an access record table and records of database logs;
during the operation of the database, aiming at the access of the database, recording a database log and an access record table;
the data analysis module performs the following operations:
reading a database log and an access record table;
acquiring different access time points T of each user and a { T, H } data point set of access flow H corresponding to the access time points T;
the timing prediction module performs the following operations:
according to the obtained { T, H } data point set of the access flow H corresponding to different access time points T and access time points T of each user, fitting the relation between the flow of each user and the access time by adopting a k-order curve, and establishing a flow time sequence prediction model of each user, wherein the time sequence prediction model can predict the access flow in a preset time period according to the preset time period;
predicting access flow in a preset time period by utilizing a time sequence prediction model;
obtaining a relative access flow difference value according to the monitored access flow of the preset time period and the predicted access flow;
and comparing the relative difference value of the access flow with a plurality of preset thresholds, judging whether the access flow is normal or not, starting a risk avoidance measure of the database if the access flow is abnormal, and inputting the monitored preset time period and the corresponding access flow data value into the time sequence prediction model to optimize the time sequence prediction model if the access flow is normal.
Database risk-avoiding measures of different levels are selected according to the preset threshold range within which the relative difference of the access flow falls; ordered from high to low level, the measures are: database shutdown, fake port, data distortion protection, access restriction, and automatic backup of data.
Example 2
Referring to fig. 1-3, a flow time sequence prediction model establishment process in the data security protection method provided by the present invention is described in detail by taking mysql database as an example according to an embodiment of the present invention.
The first step is as follows: creating an access record table, and configuring a database:
1. first, creating a database logdatabase and an access record table connect_log in the database, the fields of connect_log and their meanings being as follows:
Table 1 Field meanings of the access record table
Field name      Meaning
id              database auto-increment id
connect_id      connection id
connect_time    connection time
connect_name    name of the connector
connetct_user   identity of the connector
2. adding the init-connect setting to the database configuration, as follows (the statement runs at the start of each new client connection; MySQL does not execute init_connect for accounts holding the SUPER or CONNECTION_ADMIN privilege, so such connections are not written to connect_log):
init-connect='insert into logdatabase.connect_log(id,connect_id,connect_time,connect_name,connetct_user) values(null,connection_id(),now(),user(),current_user())'
3. granting the accounts permission to write to the access record table; the statement below generates one GRANT per account in mysql.user (the target must be the table created in step 1, logdatabase.connect_log), after which the generated statements are executed and the privileges reloaded:
select concat("grant insert on logdatabase.connect_log to '",user,"'@'",host,"';") from mysql.user;
flush privileges;
secondly, after configuration is completed, restarting mysql;
thirdly, installing and configuring a flow monitoring tool;
4. installing the open-source flow monitoring tool zabbix to monitor the access flow, and configuring the database that stores the monitoring data as follows:
# database host name; when set to localhost, MySQL is reached through the socket file
DBHost=localhost
# name of the database that stores the zabbix data
DBName=zabbix
# user name used to connect to the database
DBUser=zabbix
# password of that user
DBPassword=zb123!@$
# socket file used to connect when the host is localhost
DBSocket=/var/lib/mysql/mysql.sock
# database port; not used for a socket connection, required when connecting over the network
DBPort=3306
Fourthly, after the server and the client of zabbix are installed and configured, starting a flow monitoring tool;
and fifthly, collecting log information used for establishing a flow time sequence prediction model:
5. bringing the service website online and, under normal operation, collecting logs and the corresponding flow monitoring data for a period of time, the related information being recorded by the database logs and the access record table;
in general, services access the database from the back end, so the identity of the connector is essentially fixed, and the traffic analysis is normally performed on the back-end connector.
Sixthly, analyzing the collected log information to obtain a mapping relation between access time and access flow for connection:
6. the analysis flow is as follows:
firstly:
querying the connection information with the statement select * from logdatabase.connect_log, with the following result:
+----+------------+--------------+---------------------------+-------------------------+
| id | connect_id | connect_time | connect_name              | connetct_user           |
+----+------------+--------------+---------------------------+-------------------------+
|  1 |          5 |   1604977267 | user_main@192.168.129.118 | user_main@192.168.129.% |
|  2 |          6 |   1604977322 | user_test@192.168.129.153 | user_test@192.168.129.% |
+----+------------+--------------+---------------------------+-------------------------+
3 rows in set (0.00 sec)
then:
querying the binlog for the access operations performed under each connect_id at the access time, screening out the time periods of select operations, and, for each period found, querying zabbix for the flow value at that time, thereby obtaining the access flow value of the connection at that time;
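The data analysis step above (and the same step in the method of Example 1), as an added example that is not the patent's code: joining the connect_log rows with the database query log and the monitor's samples to produce each user's {T, H} set. Assumptions: the log lines are in MySQL general query log format, since the binlog the patent names records only data-modifying statements and would not contain the select operations being screened for; a sample within 30 s of the access time counts as its flow value; all rows, log lines and samples are constructed.

```python
"""Added example, not code from the patent: joining the connect_log rows, the
database query log and the traffic monitor's samples to obtain each user's
{T, H} data point set (T as epoch seconds, H as the monitor's reading).
Assumptions: log lines are in MySQL general-query-log format (the patent names
the binlog, which does not record select statements); a sample within 30 s of
the access counts as its flow value; all rows, lines and samples are constructed."""
import re
from datetime import datetime, timezone
from typing import Dict, List, Sequence, Tuple

# connect_log rows: (id, connect_id, connect_time, connect_name, connetct_user);
# field names as in the patent's table, values constructed.
CONNECT_LOG = [
    (1, 5, 1604977267, "user_main@192.168.129.118", "user_main@192.168.129.%"),
    (2, 6, 1604977322, "user_test@192.168.129.153", "user_test@192.168.129.%"),
]

# Constructed general-log lines: "<time>\t<connection id> <command>\t<argument>".
QUERY_LOG = """\
2020-11-10T03:01:07.000000Z\t    5 Connect\tuser_main@192.168.129.118 on shop
2020-11-10T03:01:07.100000Z\t    5 Query\tselect * from orders where id = 1
2020-11-10T03:01:40.000000Z\t    5 Query\tselect count(*) from orders
2020-11-10T03:02:02.000000Z\t    6 Connect\tuser_test@192.168.129.153 on shop
2020-11-10T03:02:02.500000Z\t    6 Query\tupdate orders set state = 2 where id = 7
2020-11-10T03:02:30.000000Z\t    6 Query\tselect * from orders
"""

# Constructed traffic samples from the monitoring tool: (epoch seconds, value).
TRAFFIC = [(1604977260, 1200.0), (1604977290, 1350.0), (1604977320, 900.0),
           (1604977350, 2100.0), (1604977380, 1800.0)]

LOG_LINE = re.compile(r"^(\S+)\s+(\d+)\s+(\w+)\s+(.*)$")


def parse_query_log(text: str) -> List[Tuple[float, int, str, str]]:
    """Return (epoch, connection id, command, argument) for each log line."""
    rows = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S.%fZ")
        rows.append((ts.replace(tzinfo=timezone.utc).timestamp(),
                     int(m.group(2)), m.group(3), m.group(4)))
    return rows


def nearest_flow(t: float, samples: Sequence[Tuple[int, float]],
                 tolerance: float = 30.0):
    """Monitor reading closest to time t, or None if none lies within tolerance."""
    epoch, value = min(samples, key=lambda s: abs(s[0] - t))
    return value if abs(epoch - t) <= tolerance else None


def build_point_sets(connect_log, log_text: str,
                     samples) -> Dict[str, List[Tuple[int, float]]]:
    """{T, H} per user: select statements issued under each connect_id at or after
    its connect_time (connection ids are reused across server restarts, so the
    time bound matters), each paired with the nearest monitor reading."""
    events = parse_query_log(log_text)
    points: Dict[str, List[Tuple[int, float]]] = {}
    for _id, connect_id, connect_time, connect_name, _acct in connect_log:
        user = connect_name.split("@", 1)[0]
        for epoch, conn, cmd, arg in events:
            if conn != connect_id or epoch < connect_time or cmd != "Query":
                continue
            if not arg.lstrip().lower().startswith("select"):
                continue  # the method screens for select operations only
            h = nearest_flow(epoch, samples)
            if h is not None:
                points.setdefault(user, []).append((int(epoch), h))
    return points


if __name__ == "__main__":
    for user, pts in build_point_sets(CONNECT_LOG, QUERY_LOG, TRAFFIC).items():
        print(user, pts)
```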
and seventhly, performing fitting analysis by using each access flow and time mapping combination to obtain a flow time sequence prediction model:
selecting a 2nd-order curve to fit the relation between the flow and the access time of each user for the obtained {T, H} data point set of each user, the fitting formula being as follows:
$H_m = \sum_{i=0}^{2} a_{m,i}\, T_m^{\,i}$ (Figure BDA0002889420940000131)
determining the coefficients $a_{m,0}$, $a_{m,1}$ and $a_{m,2}$ in the formula by the least squares method, the fitting formula of user m is obtained and the establishment of the flow time sequence prediction model is completed.
The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention shall fall within the protection scope of the present invention.

Claims (10)

1. A database security protection method is characterized by comprising the following steps:
creating an access record table in a database, wherein the access record table is used for recording information related to user access flow, and the connection time connection_time and the access operation connection_option can be obtained from the information recorded in the access record table;
starting a flow monitoring tool and operating a database;
recording database logs and access record tables;
reading information of database logs and access record tables, and performing data analysis to obtain flow corresponding to each access time point of each user;
establishing a flow time sequence prediction model of each user according to the corresponding relation between the access time point of each user and the flow;
constructing a plurality of database risk avoiding measures of different levels for database protection after abnormal access is monitored;
running the flow time sequence prediction model of each user, and starting a flow monitoring tool to monitor access flow;
comparing the monitored access flow data value in the preset time period with the predicted value of the time sequence prediction model of the user corresponding to the flow, and judging whether the access flow is normal:
if the data is abnormal, triggering a database risk avoiding measure;
and if the access flow data value is normal, inputting the monitored preset time period and the corresponding access flow data value into the time sequence prediction model, optimizing the time sequence prediction model, and continuously monitoring.
2. The database security protection method of claim 1, wherein the step of creating the access record table in the database comprises the steps of:
creating an access record table in a database;
configuring the database to enable recording into the access record table;
configuring the database to enable the database log, wherein the information recorded by the database log comprises: access time, connection id, and access operation.
3. The database security protection method of claim 1, wherein the information recorded by the access record table comprises: connection id connect_id, connection time connect_time, visitor IP address, number of database entries accessed, access statement, and visitor name connect_name.
4. The database security protection method of claim 3, wherein the data analysis comprises the steps of:
querying the database logs according to the connection id of each user in the access record table, and, if the operation performed under that connection id is a database data operation, acquiring the connection time connect_time of that connection id;
according to the obtained connection time of each user and the IP address of the visitor, obtaining an access flow value corresponding to the connection time from a flow monitoring tool and recording the access flow value;
and acquiring, for each user, the {T, H} data point set pairing each access time point T with the access flow H corresponding to that access time point.
5. The database security protection method of claim 4, wherein the establishing of the traffic time sequence prediction model comprises:
according to a { T, H } data point set of each user obtained through data analysis, a k-order curve is selected to fit the relation between the flow and the access time of each user, and the fitting formula is as follows:
$H_m = \sum_{i=0}^{k} a_{m,i}\, T_m^{\,i}$ (Figure FDA0002889420930000021)
where i is the order of each term of the fitted curve and takes the values 0, 1, ..., k;
$T_m$ is the access time of user m;
$H_m$ is the access flow of user m;
$a_{m,i}$ is the coefficient of the i-th order term in the fitting formula of user m;
and obtaining coefficients of each order expression in each user fitting formula by using least square fitting, and obtaining a k-order fitting time sequence prediction model of different access time points T of each user and access flow H corresponding to the access time points T.
6. The database security protection method according to claim 1, wherein the comparing the monitored access traffic data value in the preset time period with the predicted value of the time sequence prediction model of the user corresponding to the traffic to determine whether the access traffic is normal comprises:
recording the access flow $H_{\Delta T}$ within a preset time period $\Delta T$;
calculating, with the time sequence prediction model, the predicted access flow $H'_{\Delta T}$ for the preset time period $\Delta T$;
comparing the access flows $H_{\Delta T}$ and $H'_{\Delta T}$: if their relative difference lies within a given preset threshold $H_\varepsilon$, i.e. $|H_{\Delta T} - H'_{\Delta T}| < H_\varepsilon$ is satisfied, the access flow is normal; if it is not satisfied, the access flow is abnormal.
7. The database security protection method of claim 6, wherein the preset threshold takes a plurality of different values, and different database risk avoidance measures are taken correspondingly when the relative difference $|H_{\Delta T} - H'_{\Delta T}|$ of the access flow falls within different preset threshold ranges.
8. The database security protection method of claim 1, wherein the database risk avoidance measures include: database shutdown, fake port, data distortion protection, access restriction, and automatic backup of data.
9. A database security protection device, comprising:
the system comprises a database operation module, a data analysis module, a time sequence prediction module and a database protection module;
the database operation module executes the following operations:
creating an access record table in a database for recording the relevant information of user access flow;
opening records of an access record table and records of database logs;
during the operation of the database, aiming at the access of the database, recording a database log and an access record table;
the data analysis module performs the following operations:
reading a database log and an access record table;
acquiring different access time points T of each user and a { T, H } data point set of access flow H corresponding to the access time points T;
the timing prediction module performs the following operations:
according to the obtained { T, H } data point set of the access flow H corresponding to different access time points T and access time points T of each user, fitting the relation between the flow of each user and the access time by adopting a k-order curve, and establishing a flow time sequence prediction model of each user, wherein the time sequence prediction model can predict the access flow in a preset time period according to the preset time period;
predicting access flow in a preset time period by utilizing a time sequence prediction model;
obtaining a relative access flow difference value according to the monitored access flow of the preset time period and the predicted access flow;
and comparing the relative difference value of the access flow with a plurality of preset thresholds, judging whether the access flow is normal or not, starting a risk avoidance measure of the database if the access flow is abnormal, and inputting the monitored preset time period and the corresponding access flow data value into the time sequence prediction model to optimize the time sequence prediction model if the access flow is normal.
10. The database security protection device according to claim 9, wherein database risk avoidance measures of different levels are selected according to the preset threshold range within which the relative difference of the access flow falls, the database risk avoidance measures comprising, from high to low in level: database shutdown, fake port, data distortion protection, access restriction, and automatic backup of data.
CN202110023167.XA 2021-01-08 2021-01-08 Database security protection method and device Active CN112749410B (en)

Publications (2)

Publication Number Publication Date
CN112749410A true CN112749410A (en) 2021-05-04
CN112749410B CN112749410B (en) 2022-02-25
