CN114070619A - Monitoring method, monitoring system, equipment and storage medium for abnormal access of database - Google Patents


Info

Publication number: CN114070619A
Authority: CN (China)
Prior art keywords: information, access, database, network flow, abnormal
Legal status: Pending (status as listed by Google Patents, not a legal conclusion)
Application number: CN202111353989.0A
Other languages: Chinese (zh)
Inventors: 沈怡, 凌奥, 凌怡
Current Assignee: Industrial and Commercial Bank of China Ltd ICBC
Original Assignee: Industrial and Commercial Bank of China Ltd ICBC
Priority to: CN202111353989.0A
Publication of: CN114070619A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]

Abstract

The application provides a method for monitoring abnormal access to a database, which can be applied to the technical field of information security. The monitoring method comprises the following steps: acquiring the initial network traffic for accessing the database; parsing the initial network traffic to obtain access key information; screening out abnormal access information from the access key information; acquiring and parsing the network traffic of the next time period based on the abnormal access information; and summarizing the abnormal access information and the network traffic and outputting them in the form of alarm information. Because only the initial network traffic is parsed, and only at the network layer, all operations that access the database can be included in the monitoring range, which solves the problem of incomplete monitoring of database access; at the same time, the performance cost on the acquisition-end server is small, the resource consumption of data transmission and storage is controllable, and the stable operation of the database is not affected.

Description

Monitoring method, monitoring system, equipment and storage medium for abnormal access of database
Technical Field
The present application relates to the field of information security technologies, and in particular, to a method, a system, a device, a storage medium, and a program product for monitoring abnormal access to a database.
Background
A large amount of customer information and business data is stored in the databases of financial enterprises, so a database abnormal access monitoring model is usually deployed to detect data leakage risks in time. Most enterprises use a bypass (out-of-band) deployment in which operation logs are obtained by parsing the database communication packets in the network traffic. Abnormal access monitoring based on network traffic, however, either consumes too many resources or cannot cover the whole of the network traffic.
Disclosure of Invention
The present application is directed to solving at least one of the problems in the prior art.
For example, the monitoring method for abnormal access to the database has low performance cost, can cover all traffic that accesses the database, improves the comprehensiveness of database security monitoring, and reduces the risk of information leakage.
In order to solve the above problem, a first aspect of the present application provides a method for monitoring abnormal access to a database, including the steps of:
acquiring initial network flow for accessing a database;
analyzing the initial network flow to obtain access key information;
screening abnormal access information in the access key information;
acquiring and analyzing network flow of the next time period based on the abnormal access information;
and summarizing the abnormal access information and the network flow, and outputting the abnormal access information and the network flow in the form of alarm information.
According to the monitoring method for abnormal access to the database, only the initial network traffic is parsed, and only at the network layer. On the one hand, all operations that access the database are guaranteed to fall within the monitoring range, which solves the problem of incomplete monitoring of database access. On the other hand, the performance cost on the acquisition-end server is small, the resource consumption of data transmission and storage is controllable, and the stable operation of the database is ensured.
Further, analyzing the initial network traffic to obtain access key information, including:
viewing a traffic log of the initial network traffic;
and obtaining access key information according to the flow log.
Further, the key information at least includes: source IP, destination IP, and port information.
Further, screening out abnormal access information in the access key information includes:
setting a white list of a source IP;
and when the source IP of the access key information does not hit the white list, determining the access key information as abnormal access information.
Further, screening out abnormal access information in the access key information includes:
setting a blacklist of a source IP;
and when the source IP of the access key information hits a blacklist, determining the access key information as abnormal access information.
Further, collecting and analyzing network traffic of the next time period based on the abnormal access information, including:
setting a network flow analysis parameter;
acquiring network flow of the next time period based on the abnormal access information;
and analyzing the network flow in the next time period according to the flow analysis parameters to obtain the access behavior.
Further, the network traffic resolution parameter includes: a data parsing time period and/or a data parsing number.
Further, the alarm information at least includes: source IP, access time, access location, and access content.
A second aspect of the present application provides a system for monitoring abnormal access, including: an obtaining module, configured to obtain the initial network traffic for accessing the database; a parsing module, configured to parse the initial network traffic to obtain access key information; a screening module, configured to screen out abnormal access information from the access key information; an acquisition module, configured to acquire and parse the network traffic of the next time period based on the abnormal access information; and an alarm module, configured to summarize the abnormal access information and the network traffic and output them in the form of alarm information.
A third aspect of the present application provides an electronic device comprising: one or more processors; a memory for storing one or more programs, wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the monitoring method described above.
The fourth aspect of the present application also provides a computer-readable storage medium having stored thereon executable instructions, which when executed by a processor, cause the processor to perform the monitoring method described above.
The fifth aspect of the present application also provides a computer program product comprising a computer program which, when executed by a processor, implements the monitoring method described above.
Drawings
The foregoing and other objects, features and advantages of the application will be apparent from the following description of embodiments of the application with reference to the accompanying drawings in which:
FIG. 1 schematically illustrates an application scenario diagram of a method, system, device, medium, and program product for monitoring of database abnormal access according to an embodiment of the present application;
FIG. 2 schematically illustrates a flow chart of an abnormal access monitoring method according to an embodiment of the present application;
FIG. 3 schematically shows a diagram of the steps for obtaining access key information according to an embodiment of the application;
FIG. 4(a) is a diagram schematically illustrating the steps of screening abnormal information through a white list according to an embodiment of the present application;
FIG. 4(b) is a diagram schematically illustrating the step of screening exception information through a blacklist according to an embodiment of the present application;
FIG. 5 schematically illustrates a diagram of steps for analyzing behavior based on anomaly information, according to an embodiment of the present application;
FIG. 6 is a block diagram schematically illustrating an abnormal access monitoring system according to an embodiment of the present application; and
FIG. 7 schematically shows a block diagram of an electronic device adapted to implement the database abnormal access monitoring method according to an embodiment of the present application.
Detailed Description
Hereinafter, embodiments of the present application will be described with reference to the accompanying drawings. It is to be understood that such description is merely illustrative and not intended to limit the scope of the present application. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the application. It may be evident, however, that one or more embodiments may be practiced without these specific details. Moreover, in the following description, descriptions of well-known structures and techniques are omitted so as to not unnecessarily obscure the concepts of the present application.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. The terms "comprises," "comprising," and the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It is noted that the terms used herein should be interpreted as having a meaning that is consistent with the context of this specification and should not be interpreted in an idealized or overly formal sense.
Where a convention analogous to "at least one of A, B and C, etc." is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B and C" would include but not be limited to systems that have A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B and C together, etc.).
The database of a financial enterprise stores a large amount of customer information and business data. Faced with hacker attacks and illegal disclosure by internal personnel, the enterprise can deploy database audit products and establish a database abnormal access monitoring model in order to discover leaked data in time.
To avoid consuming the local performance resources of the database, most database audit products adopt a bypass deployment mode and obtain the operation log by parsing the database communication packets in the network traffic. In theory a database audit product can collect all traffic that accesses the database, but in practice, given the system size of a financial enterprise, the full database access traffic is mass data: transmitting and storing it requires sufficient network bandwidth and data storage resources, and processing it requires high-performance processing servers and a powerful analysis engine, so the cost and difficulty of implementation are very high. If filtering is instead performed on information such as database accounts and operations, every packet has to be parsed up to the application-layer data, so the acquisition end must invest a large amount of CPU (central processing unit), memory, storage and other resources; the cost is too high and the stable operation of the database may even be affected.
In view of the problem that prior-art monitoring of abnormal database access through network traffic either consumes too many resources or cannot cover all traffic, the monitoring method for database access provided here has low performance cost and can cover all traffic that accesses the database, so the comprehensiveness of database security monitoring is improved and the risk of information leakage is reduced.
Fig. 1 schematically shows a diagram of an application scenario for using a database with terminal devices 101, 102, 103 according to an embodiment of the application.
As shown in fig. 1, the application scenario 100 of this embodiment may include viewing the contents of a database with terminal devices 101, 102, 103. The network 104 serves as a medium for providing communication links between the terminal devices 101, 102, 103 and the server 105. Network 104 may include various connection types, such as wired, wireless communication links, or fiber optic cables.
The terminal devices 101, 102, 103 may be used to interact with a server 105 over a network 104 to receive or send messages or the like. The terminal devices 101, 102, 103 may have various communication client applications installed thereon, such as shopping applications, web browser applications, search applications, instant messaging tools, mailbox clients, and social platform software.
The terminal devices 101, 102, 103 may be various electronic devices having display screens and supporting web browsing, including but not limited to smart phones, tablets, laptop portable computers, and desktop computers.
The server 105 may be a server that provides various services, such as a background management server that provides support for websites browsed by users using the terminal devices 101, 102, 103. The background management server can analyze and process the received data such as the user request and feed back the processing result to the terminal equipment.
It should be noted that the monitoring method provided in the embodiment of the present application may be generally executed by the server 105. Accordingly, the monitoring system provided in the embodiment of the present application may be generally disposed in the server 105. The monitoring method provided in the embodiments of the present application may also be performed by a server or a server cluster that is different from the server 105 and is capable of communicating with the terminal devices 101, 102, 103 and/or the server 105. Accordingly, the monitoring system provided in the embodiment of the present application may also be disposed in a server or a server cluster different from the server 105 and capable of communicating with the terminal devices 101, 102, 103 and/or the server 105.
It should be understood that the number of terminal devices, networks, and servers in fig. 1 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
The following describes in detail a monitoring method for abnormal access to a database in the application embodiment with reference to fig. 2 to 5 based on the scenario described in fig. 1.
Fig. 2 schematically shows a flow chart of a monitoring method according to an embodiment of the application.
It should be noted that there are many types of databases; the method for monitoring the database can be applied to all types of databases.
As shown in fig. 2, the embodiment includes steps S210 to S250, and the monitoring method may be performed by the monitoring system of fig. 6.
In step S210, initial network traffic to access the database is obtained.
And collecting all initial network traffic for accessing the relevant database, and ensuring that all operations accessing the database are completely included in the monitoring range.
It should be clear that capturing network traffic is essentially capturing network traffic packets. The initial network traffic may be understood as the network traffic packets with which the database is accessed for the first time.
And after grabbing, providing all initial network traffic to the analysis module.
In step S220, the initial network traffic is analyzed to obtain access key information.
In the step, only the initial network flow data packet is analyzed by the network layer, so that the resource consumption of the acquisition end server is low, and the stability of the operation of the database is not influenced. Wherein the key information at least comprises: source IP, destination IP, and port information.
Acquiring access key information by parsing initial network traffic as shown in fig. 3, may be implemented through steps S221 to S222.
In step S221, a traffic log of the initial network traffic is viewed.
In step S222, access key information is obtained from the traffic log.
The initial network traffic is parsed to obtain a traffic log, where the traffic log comprises a connection log, a security log and a certificate log. The connection log records the connection process information of users connecting to the relevant database, and the source IP, destination IP and port information can be looked up in the connection log.
After the initial network flow is analyzed to obtain the access key information, the access key information is provided for the screening module.
In step S230, abnormal access information is screened out from the access key information.
The access key information provided by the parsing module is received, and abnormal access information is screened out of it according to the screening rule of the database. For example, only the source IP of the access key information is screened: after screening, some source IPs are found not to be in the white list of the relevant database, and all operations of those source IPs on the relevant database are treated as abnormal access information.
It is understood that step S230 is a screening of the operation devices, that is, by screening the access key information, an operation device with an exception may be obtained, and all operations performed on the operation device on the relevant database are processed as the exception access information.
There are two rules for identifying an operating device with an exception and treating the access key information of that device in the relevant database as abnormal access information, as shown in fig. 4(a) and 4(b).
In fig. 4(a), the abnormal access information among the access key information is filtered out and implemented by a white list set in advance.
In step S231, a white list of source IPs is set.
In step S232, when the source IP of the access key information does not hit the white list, the access key information is determined to be abnormal access information.
Setting a white list of source IPs of the database, searching all access key information for accessing the related database in the white list of the source IPs of the related database, and checking whether the access key information is listed in the white list of the source IPs of the related database. When the source IP accessing the relevant database does not appear in the white list of the source IP of the relevant database, the source IP and all operations of the source IP in the relevant database are all processed as abnormal access information.
The abnormal access information is provided to the acquisition module, while the source IPs that are listed in the white list of source IPs of the relevant database, together with their operations on the relevant database, are filtered out as normal access information.
In fig. 4(b), the filtering of abnormal access information from the access key information is implemented by a previously set blacklist.
In step S231', a blacklist of source IPs is set.
In step S232', when the source IP of the access key information hits the blacklist, it is determined that the access key information is abnormal access information.
Setting a blacklist of source IPs of the database, searching all access key information for accessing the relevant database in the blacklist of the source IPs of the relevant database, and checking whether the access key information is listed in the blacklist of the source IPs of the relevant database. When the source IP accessing the relevant database appears in the blacklist of the source IPs of the relevant database, the source IP and all operations of the source IP in the relevant database are all processed as abnormal access information.
The abnormal access information is provided to the acquisition module, while the source IPs that are not listed in the blacklist of source IPs of the relevant database, together with their operations on the relevant database, are filtered out as normal access information.
Of course, the source IP is only one specific example given to make the solution easier to understand; other items of the access key information, such as the destination IP and the port information, can also be used as the basis for establishing a white list or a blacklist.
All rules and parameters of the monitoring method in the application can be set in the user interaction module. In the step, a user accesses the user interaction module through the web page, finds the screening module in the user interaction module, and formulates the screening rule of the related database by modifying or adding the monitoring model rule.
In step S240, based on the abnormal access information, network traffic of the next time period is collected and analyzed.
And capturing the network traffic data packet of the next time period of the initial network traffic data packet listed as the abnormal access information, further tracking and analyzing the abnormal access information, and supplementing other associated information about the abnormal access information so as to analyze and obtain the access position and the access purpose of the visitor.
Fig. 5 is a step diagram for analyzing the visitor's visiting location and visiting purpose according to the abnormal information.
In step S241, a network traffic analysis parameter is set.
In the step, a user accesses the user interaction module through the web page, finds the acquisition module from the user interaction module, and formulates an acquisition rule of the network traffic data packet in the next time period by modifying or adding the network traffic analysis parameter.
The network flow analysis parameters comprise data analysis time periods and/or data analysis numbers.
Parsing the network traffic data essentially means parsing network traffic packets. A segment of network traffic contains many packets, and one may choose to parse the packets within a certain period of time, or a certain number of the packets, or a certain number of the packets within a certain period of time.
For example: the network traffic packets of 1 minute may be parsed, or 5 network traffic packets may be parsed, or the first 5 network traffic packets within 1 minute may be parsed.
In step S242, based on the abnormal access information, network traffic of the next time period is collected.
And further tracking network traffic data of the access database in the next time period based on the screened abnormal access information, so as to acquire detailed operation information and access position of the visitor.
In step S243, the network traffic in the next time period is analyzed according to the traffic analysis parameter, so as to obtain an access behavior.
And analyzing the network flow data of the relevant database through the network flow analysis parameters to obtain the operation information of the user in the relevant database and the accessed position in the relevant database. The access purpose of the abnormal visitor and the data with the leakage risk can be obtained through analysis.
In step S250, summarizing the abnormal access information and the network traffic, and outputting the summarized abnormal access information and the network traffic in the form of alarm information, where the alarm information at least includes: source IP, access time, access location, and access content.
The operation information of the database related to the abnormal visitor is summarized and is output through an alarm module as alarm information, and the alarm information may include a user address (for example, an IP address) of the abnormal visitor, the database accessed by the abnormal visitor, a specific time for accessing the database, an operation for accessing the database, a content viewed by the database, and the like. The alarm information integrates the operation of an abnormal visitor in the access database, can predict the content with leakage risk, can make subsequent protective measures and remedial schemes in time, and reduces various losses caused by business secret leakage or personal information leakage.
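The pipeline of steps S210 to S250 above, written out as an added Python example (this is not code from the patent or from ICBC; the connection-log lines, the next-period packets, the IP ranges and the field layout are all constructed for illustration). The connection-log parser uses only network-layer fields, the screening step supports both a white list and a blacklist of source IP ranges, the follow-up collection is bounded by a parse window and/or packet count, and the result is one alarm per abnormal source IP with the fields the patent lists.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed connection-log lines (not real traffic). Each carries only what step S220
# takes from the network layer: timestamp, source IP, destination IP, destination port.
CONN_LOG = """\
1700000000 10.1.2.3 10.9.0.5 3306
1700000001 10.1.2.4 10.9.0.5 3306
1700000002 192.168.77.9 10.9.0.5 3306
1700000003 10.1.2.3 10.9.0.6 5432
1700000004 172.16.5.5 10.9.0.5 3306
"""

# Constructed packets of the next period (step S240). The trailing field stands in for
# application-layer content, which is parsed only for source IPs already flagged.
NEXT_PERIOD = """\
1700000060 192.168.77.9 10.9.0.5 3306 SELECT * FROM customers
1700000061 192.168.77.9 10.9.0.5 3306 SELECT card_no FROM accounts
1700000062 10.1.2.3 10.9.0.5 3306 SELECT 1
1700000061 172.16.5.5 10.9.0.5 3306 SHOW TABLES
1700000130 192.168.77.9 10.9.0.5 3306 SELECT * FROM loans
"""


@dataclass(frozen=True)
class KeyInfo:
    ts: int
    src_ip: str
    dst_ip: str
    dst_port: int


def parse_conn_log(text: str) -> list:
    """Step S220: take source IP, destination IP and port from the connection log."""
    out = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, port = line.split()[:4]
            out.append(KeyInfo(int(ts), src, dst, int(port)))
    return out


def _in_any(ip: str, nets: Iterable[str]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in nets)


def screen(keys, whitelist=(), blacklist=()) -> set:
    """Step S230: a source IP is abnormal when it misses the white list (if one is set)
    or hits the blacklist; every operation of that IP is then treated as abnormal."""
    abnormal = set()
    for k in keys:
        if whitelist and not _in_any(k.src_ip, whitelist):
            abnormal.add(k.src_ip)
        if blacklist and _in_any(k.src_ip, blacklist):
            abnormal.add(k.src_ip)
    return abnormal


@dataclass
class ParseParams:
    """Step S241: parse for a time window and/or a packet count (None = no limit)."""
    window_s: Optional[int] = None
    max_packets: Optional[int] = None


def collect_next_period(text: str, abnormal: set, p: ParseParams) -> dict:
    """Steps S242-S243: keep only packets from abnormal IPs, bounded by the parse
    parameters counted from each IP's first packet in the period."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, port, *content = line.split()
            rows.append((int(ts), src, dst, int(port), " ".join(content)))
    behaviour = {ip: [] for ip in abnormal}
    for ts, src, dst, port, content in sorted(rows):
        seen = behaviour.get(src)
        if seen is None:
            continue  # normal traffic is never parsed at the application layer
        if p.max_packets is not None and len(seen) >= p.max_packets:
            continue
        if p.window_s is not None and seen and ts - seen[0]["ts"] > p.window_s:
            continue
        seen.append({"ts": ts, "location": f"{dst}:{port}", "content": content})
    return behaviour


def build_alarms(keys, behaviour) -> list:
    """Step S250: one alarm per abnormal source IP with the fields the patent lists."""
    alarms = []
    for ip, pkts in sorted(behaviour.items()):
        alarms.append({
            "source_ip": ip,
            "access_time": min(k.ts for k in keys if k.src_ip == ip),
            "access_location": sorted({x["location"] for x in pkts}),
            "access_content": [x["content"] for x in pkts],
        })
    return alarms


def run(whitelist=(), blacklist=(), params=ParseParams(window_s=60, max_packets=2)):
    keys = parse_conn_log(CONN_LOG)
    abnormal = screen(keys, whitelist, blacklist)
    return build_alarms(keys, collect_next_period(NEXT_PERIOD, abnormal, params))


if __name__ == "__main__":
    for alarm in run(whitelist=["10.1.2.0/24"]):
        print(alarm)
```

With the default parameters (first 2 packets within 60 seconds) the third packet from 192.168.77.9 is dropped, which is exactly the trade-off the parse parameters are meant to control.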
According to the monitoring method for abnormal access to the database, only the initial network traffic is parsed, and only at the network layer. On the one hand, all operations that access the database are guaranteed to fall within the monitoring range, which solves the problem of incomplete monitoring of database access. On the other hand, the performance cost on the acquisition-end server is small, the resource consumption of data transmission and storage is controllable, and the stable operation of the database is ensured.
Based on the monitoring method, the application also provides a monitoring system for abnormal access. This system will be described in detail below in conjunction with fig. 6.
Fig. 6 schematically shows a block diagram of a monitoring system according to an embodiment of the present application.
As shown in fig. 6, the monitoring system 300 of this embodiment includes an obtaining module 310, a parsing module 320, a screening module 330, an acquisition module 340, and an alarm module 350.
The obtaining module 310 is used for obtaining the initial network traffic for accessing the database. In an embodiment, the obtaining module 310 may be configured to perform the operation S210 described above, which is not described here again.
The parsing module 320 is configured to parse the initial network traffic to obtain access key information. In an embodiment, the parsing module 320 may be configured to perform the operation S220 described above, which is not described here again.
The screening module 330 is configured to screen out abnormal access information from the access key information. In an embodiment, the screening module 330 may be configured to perform the operation S230 described above, which is not described here again.
The acquisition module 340 is configured to acquire and parse the network traffic of the next time period based on the abnormal access information. In an embodiment, the acquisition module 340 may be configured to perform the operation S240 described above, which is not described here again.
The alarm module 350 is configured to summarize the abnormal access information and the network traffic data and output them in the form of alarm information. In an embodiment, the alarm module 350 may be configured to perform the operation S250 described above, which is not described here again.
According to the monitoring system for abnormal access, the monitoring method for abnormal access to the database can be realized: only the initial network traffic is parsed, and only at the network layer, so that on the one hand all operations that access the database are guaranteed to fall within the monitoring range, which solves the problem of incomplete monitoring of database access, and on the other hand the performance cost on the acquisition-end server is small, the resource consumption of data transmission and storage is controllable, and the stable operation of the database is ensured.
According to the embodiment of the present application, any several of the obtaining module 310, the parsing module 320, the screening module 330, the acquisition module 340 and the alarm module 350 may be combined into one module, or any one of them may be split into multiple modules. Alternatively, at least part of the functionality of one or more of these modules may be combined with at least part of the functionality of the other modules and implemented in one module. According to an embodiment of the present application, at least one of the obtaining module 310, the parsing module 320, the screening module 330, the acquisition module 340 and the alarm module 350 may be implemented at least partially as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package or an Application Specific Integrated Circuit (ASIC), or may be implemented by hardware or firmware in any other reasonable manner of integrating or packaging a circuit, or by any one of the three implementations of software, hardware and firmware, or by a suitable combination of any several of them. Alternatively, at least one of the obtaining module 310, the parsing module 320, the screening module 330, the acquisition module 340 and the alarm module 350 may be at least partially implemented as a computer program module which, when executed, performs the corresponding function.
Fig. 7 schematically shows a block diagram of an electronic device adapted to implement the monitoring method according to an embodiment of the application.
As shown in fig. 7, an electronic device 400 according to an embodiment of the present application includes a processor 401 that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM)402 or a program loaded from a storage section 408 into a Random Access Memory (RAM) 403. Processor 401 may include, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or associated chipset, and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), among others. The processor 401 may also include onboard memory for caching purposes. Processor 401 may include a single processing unit or multiple processing units for performing the various actions of the method flows in accordance with embodiments of the present application.
In the RAM 403, various programs and data necessary for the operation of the electronic apparatus 400 are stored. The processor 401, ROM 402 and RAM 403 are connected to each other by a bus 404. The processor 401 executes various operations of the method flows according to the embodiments of the present application by executing programs in the ROM 402 and/or the RAM 403. Note that the programs may also be stored in one or more memories other than the ROM 402 and RAM 403. The processor 401 may also perform various operations of the method flows according to embodiments of the present application by executing programs stored in the one or more memories.
According to an embodiment of the application, the electronic device 400 may further comprise an input/output (I/O) interface 405, the input/output (I/O) interface 405 also being connected to the bus 404. Electronic device 400 may also include one or more of the following components connected to I/O interface 405: an input section 406 including a keyboard, a mouse, and the like; an output section 407 including a display device such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, and a speaker; a storage section 408 including a hard disk and the like; and a communication section 409 including a network interface card such as a LAN card, a modem, or the like. The communication section 409 performs communication processing via a network such as the internet. A driver 410 is also connected to the I/O interface 405 as needed. A removable medium 411 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 410 as necessary, so that a computer program read out therefrom is mounted into the storage section 408 as necessary.
The present application also provides a computer-readable storage medium, which may be embodied in the apparatus/device/system described in the above embodiments; or may exist separately and not be assembled into the device/apparatus/system. The computer-readable storage medium carries one or more programs which, when executed, implement the method according to an embodiment of the present application.
According to embodiments of the present application, the computer-readable storage medium may be a non-volatile computer-readable storage medium, which may include, for example but is not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present application, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. For example, according to embodiments of the present application, a computer-readable storage medium may include ROM 402 and/or RAM 403 and/or one or more memories other than ROM 402 and RAM 403 described above.
Embodiments of the present application also include a computer program product comprising a computer program containing program code for performing the method illustrated in the flow chart. When the computer program product runs in a computer system, the program code causes the computer system to implement the monitoring method provided in the embodiments of the present application.
The computer program, when executed by the processor 401, performs the above-described functions defined in the system/apparatus of the embodiments of the present application. According to embodiments of the present application, the above-described systems, apparatuses, modules, units, etc. may be implemented by computer program modules.
In one embodiment, the computer program may be hosted on a tangible storage medium such as an optical storage device, a magnetic storage device, or the like. In another embodiment, the computer program may also be transmitted, distributed in the form of a signal on a network medium, downloaded and installed through the communication section 409, and/or installed from the removable medium 411. The computer program containing program code may be transmitted using any suitable network medium, including but not limited to: wireless, wired, etc., or any suitable combination of the foregoing.
In such an embodiment, the computer program may be downloaded and installed from a network through the communication section 409, and/or installed from the removable medium 411. The computer program, when executed by the processor 401, performs the above-described functions defined in the system of the embodiment of the present application. According to embodiments of the present application, the above-described systems, devices, apparatuses, modules, units, etc. may be implemented by computer program modules.
According to embodiments of the present application, program code for executing the computer programs provided in the embodiments of the present application may be written in any combination of one or more programming languages; in particular, these computer programs may be implemented using high-level procedural and/or object-oriented programming languages, and/or assembly/machine languages. The programming languages include, but are not limited to, Java, C++, Python, the C language, and the like. The program code may execute entirely on the user computing device, partly on the user device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., through the internet using an internet service provider).
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
It will be appreciated by a person skilled in the art that various combinations and/or combinations of features described in the various embodiments and/or claims of the present application are possible, even if such combinations or combinations are not explicitly described in the present application. In particular, various combinations and/or combinations of the features recited in the various embodiments and/or claims of the present application may be made without departing from the spirit and teachings of the present application. All such combinations and/or associations are intended to fall within the scope of this application.
In the description herein, reference to the description of the term "one embodiment," "some embodiments," "an example," "a specific example," or "some examples," etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the application. In this specification, the schematic representations of the terms used above do not necessarily refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
The embodiments of the present application are described above. However, these examples are for illustrative purposes only and are not intended to limit the scope of the present application. Although the embodiments are described separately above, this does not mean that the measures in the embodiments cannot be used in advantageous combination. The scope of the application is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be devised by those skilled in the art without departing from the scope of the present application, and such alternatives and modifications are intended to be within the scope of the present application.

Claims (12)

1. A monitoring method for abnormal access of a database is characterized by comprising the following steps:
acquiring initial network flow for accessing a database;
analyzing the initial network flow to obtain access key information;
screening abnormal access information in the access key information;
acquiring and analyzing network flow of the next time period based on the abnormal access information;
and summarizing the abnormal access information and the network flow, and outputting the abnormal access information and the network flow in the form of alarm information.
2. The monitoring method according to claim 1, wherein analyzing the initial network flow to obtain access key information comprises:
viewing a traffic log of the initial network traffic;
and obtaining access key information according to the flow log.
3. The monitoring method according to claim 2, wherein the access key information includes at least: source IP, destination IP, and port information.
4. The monitoring method according to claim 3, wherein screening abnormal access information in the access key information comprises:
setting a white list of a source IP;
and when the source IP of the access key information does not hit the white list, determining the access key information as abnormal access information.
5. The monitoring method according to claim 3, wherein screening abnormal access information in the access key information comprises:
setting a blacklist of a source IP;
and when the source IP of the access key information hits a blacklist, determining the access key information as abnormal access information.
6. The monitoring method according to claim 1, wherein acquiring and analyzing network flow of the next time period based on the abnormal access information comprises:
setting a network flow analysis parameter;
acquiring network flow of the next time period based on the abnormal access information;
and analyzing the network flow of the next time period according to the network flow analysis parameter to obtain the access behavior.
7. The monitoring method according to claim 6, wherein the network flow analysis parameter comprises: a data parsing time period and/or a data parsing number.
8. The monitoring method according to claim 1, characterized in that the alarm information comprises at least: source IP, access time, access location, and access content.
9. A monitoring system for abnormal access of a database, comprising:
an obtaining module, configured to acquire initial network flow for accessing the database;
a parsing module, configured to analyze the initial network flow to obtain access key information;
a screening module, configured to screen abnormal access information in the access key information;
a collecting module, configured to acquire and analyze network flow of the next time period based on the abnormal access information; and
an alarm module, configured to summarize the abnormal access information and the network flow, and output the abnormal access information and the network flow in the form of alarm information.
10. An electronic device, comprising:
one or more processors;
a storage device for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the method of any of claims 1-8.
11. A computer readable storage medium having stored thereon executable instructions which, when executed by a processor, cause the processor to perform the method of any one of claims 1 to 8.
12. A computer program product comprising a computer program which, when executed by a processor, implements a method according to any one of claims 1 to 8.
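The five steps of claim 1, with the whitelist/blacklist screening of claims 4 and 5, the bounded next-period collection of claims 6 and 7, and the alarm fields of claim 8, run over a constructed flow log. This is an added example, not code from the patent or its applicant; the log format, the field names, the sample IPs and statements, and the reading of "access location" as destination IP:port are all assumptions.

```python
# Added example, not the patent's own code: the five steps of claim 1 applied to a
# constructed flow log. The log format, field names, sample values and the choice of
# destination IP:port as the "access location" are assumptions made for illustration.
from collections import defaultdict

# Constructed flow-log lines: period, timestamp, src_ip, dst_ip, dst_port, statement
FLOW_LOG = """\
1 2021-11-12T10:00:01 10.0.1.5 10.0.2.10 3306 SELECT id FROM orders WHERE id=7
1 2021-11-12T10:00:02 10.0.1.6 10.0.2.10 3306 UPDATE orders SET status=2 WHERE id=7
1 2021-11-12T10:00:05 10.0.9.77 10.0.2.10 3306 SELECT * FROM customers
1 2021-11-12T10:00:06 203.0.113.9 10.0.2.11 1521 SELECT * FROM accounts
2 2021-11-12T10:05:01 10.0.1.5 10.0.2.10 3306 SELECT id FROM orders WHERE id=8
2 2021-11-12T10:05:02 10.0.9.77 10.0.2.10 3306 SELECT * FROM customers LIMIT 1000
2 2021-11-12T10:05:03 10.0.9.77 10.0.2.10 3306 SELECT * FROM customers LIMIT 1000 OFFSET 1000
2 2021-11-12T10:05:04 203.0.113.9 10.0.2.11 1521 SELECT * FROM accounts
2 2021-11-12T10:05:09 10.0.9.77 10.0.2.10 3306 SELECT * FROM card_numbers
"""

WHITELIST = {"10.0.1.5", "10.0.1.6"}   # claim 4: source IPs allowed to reach the database
BLACKLIST = {"203.0.113.9"}            # claim 5: source IPs always treated as abnormal

def parse_traffic(log_text):
    """Step 2 (claims 2-3): parse the traffic log into access key information."""
    records = []
    for line in log_text.splitlines():
        period, ts, src, dst, port, content = line.split(maxsplit=5)
        records.append({"period": int(period), "time": ts, "src_ip": src,
                        "dst_ip": dst, "port": int(port), "content": content})
    return records

def screen_abnormal(records, whitelist, blacklist):
    """Step 3 (claims 4-5): abnormal if the source misses the whitelist or hits the blacklist."""
    return [r for r in records
            if r["src_ip"] not in whitelist or r["src_ip"] in blacklist]

def collect_next_period(records, abnormal, period, max_records):
    """Step 4 (claims 6-7): gather the next period's traffic for abnormal sources only,
    bounded by the data parsing number so the collector's load stays controllable."""
    suspects = {r["src_ip"] for r in abnormal}
    picked = defaultdict(list)
    for r in records:
        if r["period"] == period and r["src_ip"] in suspects and len(picked[r["src_ip"]]) < max_records:
            picked[r["src_ip"]].append(r)
    return picked

def build_alarms(abnormal, next_period):
    """Step 5 (claim 8): one alarm per abnormal source with IP, times, locations and content."""
    alarms = []
    for src in sorted({r["src_ip"] for r in abnormal}):
        hits = [r for r in abnormal if r["src_ip"] == src] + next_period.get(src, [])
        alarms.append({
            "source_ip": src,
            "access_time": [r["time"] for r in hits],
            "access_location": sorted({f'{r["dst_ip"]}:{r["port"]}' for r in hits}),
            "access_content": [r["content"] for r in hits],
            "statements": len(hits),
        })
    return alarms

def monitor(log_text=FLOW_LOG, initial_period=1, max_records=2):
    """Run the whole flow: only the initial period is parsed for everyone; follow-up
    collection is restricted to sources already flagged, which is the patent's load argument."""
    records = parse_traffic(log_text)
    initial = [r for r in records if r["period"] == initial_period]
    abnormal = screen_abnormal(initial, WHITELIST, BLACKLIST)
    follow_up = collect_next_period(records, abnormal, initial_period + 1, max_records)
    return build_alarms(abnormal, follow_up)
```

With `max_records=2` the third period-2 statement from 10.0.9.77 is deliberately not collected, which is the data parsing number of claim 7 acting as the cap.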
CN202111353989.0A 2021-11-12 2021-11-12 Monitoring method, monitoring system, equipment and storage medium for abnormal access of database Pending CN114070619A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111353989.0A CN114070619A (en) 2021-11-12 2021-11-12 Monitoring method, monitoring system, equipment and storage medium for abnormal access of database

Publications (1)

Publication Number Publication Date
CN114070619A true CN114070619A (en) 2022-02-18

Family

ID=80272545

Country Status (1)

Country Link
CN (1) CN114070619A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114978954A (en) * 2022-06-16 2022-08-30 平安科技(深圳)有限公司 Network isolation validity verification method, device, equipment and storage medium
CN115314266A (en) * 2022-07-27 2022-11-08 阿里云计算有限公司 Access control method and device, electronic equipment and readable storage medium
CN116962255A (en) * 2023-09-20 2023-10-27 武汉博易讯信息科技有限公司 Detection method, system, equipment and readable medium for finding PCDN user

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112333130A (en) * 2019-08-05 2021-02-05 阿里巴巴集团控股有限公司 Data processing method, device and storage medium
CN113132311A (en) * 2019-12-31 2021-07-16 中国移动通信集团陕西有限公司 Abnormal access detection method, device and equipment

Similar Documents

Publication Publication Date Title
US10762206B2 (en) Automated behavioral and static analysis using an instrumented sandbox and machine learning classification for mobile security
EP3262815B1 (en) System and method for securing an enterprise computing environment
US9838419B1 (en) Detection and remediation of watering hole attacks directed against an enterprise
US11907366B2 (en) Introspection driven by incidents for controlling infiltration
US11916947B2 (en) Generating user-specific polygraphs for network activity
Tien et al. KubAnomaly: Anomaly detection for the Docker orchestration platform with neural network approaches
CN114070619A (en) Monitoring method, monitoring system, equipment and storage medium for abnormal access of database
WO2015085244A1 (en) Distributed monitoring, evaluation, and response for multiple devices
CN114024764A (en) Monitoring method, monitoring system, equipment and storage medium for abnormal access of database
US11785036B2 (en) Real-time validation of data transmissions based on security profiles
US11310282B1 (en) Scoring confidence in user compliance with an organization's security policies
US11451575B2 (en) Method and system for determining cybersecurity maturity
CN111711617A (en) Method and device for detecting web crawler, electronic equipment and storage medium
WO2018027226A1 (en) Detection mitigation and remediation of cyberattacks employing an advanced cyber-decision platform
US11727142B2 (en) Identifying sensitive data risks in cloud-based enterprise deployments based on graph analytics
US10291492B2 (en) Systems and methods for discovering sources of online content
CN113162937A (en) Application safety automatic detection method, system, electronic equipment and storage medium
WO2020102601A1 (en) Comprehensive data loss prevention and compliance management
WO2023034444A1 (en) Generating user-specific polygraphs for network activity
WO2022047415A1 (en) System and method for secure evaluation of cyber detection products
US20230344840A1 (en) Method, apparatus, system, and non-transitory computer readable medium for identifying and prioritizing network security events
US20230039079A1 (en) Tracking and Mitigating Security Threats and Vulnerabilities in Browser Extension Engines
CN114900352A (en) Bypass blocking method, bypass blocking apparatus, electronic device, bypass blocking medium, and program product
Masih et al. An Analysis of the Significant Role Played by Mobile Cloud Forensics and its Key Obstacles
CN115687284A (en) Information processing method, device, equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination