CN114116411A - Operation and maintenance operation management and control system for monitoring database security - Google Patents

Info

Publication number: CN114116411A
Authority: CN (China)
Prior art keywords: data, user, proportion, control unit, delta
Legal status: Granted; current status: Active
Application number: CN202210107559.9A
Other languages: Chinese (zh)
Other versions: CN114116411B (en)
Inventors: 王龙华, 詹越, 苗棋江, 张倚榕, 付斌, 李先峰, 陈杰皓
Current assignee: Beijing Guoxin Wanglian Technology Co ltd
Original assignee: Beijing Guoxin Wanglian Technology Co ltd
Events: application filed by Beijing Guoxin Wanglian Technology Co ltd; priority to CN202210107559.9A; publication of CN114116411A; application granted; publication of CN114116411B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 11/00 Error detection; Error correction; Monitoring
    • G06F 11/30 Monitoring
    • G06F 11/3003 Monitoring arrangements specially adapted to the computing system or computing system component being monitored
    • G06F 11/3006 Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system is distributed, e.g. networked systems, clusters, multiprocessor systems
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F 16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F 16/21 Design, administration or maintenance of databases
    • G06F 16/211 Schema design and management
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F 21/31 User authentication


Abstract

The invention relates to an operation and maintenance operation management and control system for monitoring database security, in the technical field of database security. In particular, the system performs user behavior identification and data security identification during user access, and adjusts the strength and granularity of control over the data in the database when the user behavior is determined to be non-compliant and the data is determined to be unsafe, which improves the control precision of the system and thereby the security of the database.

Description

Operation and maintenance operation management and control system for monitoring database security
Technical Field
The invention relates to the technical field of database security, in particular to an operation and maintenance operation management and control system for monitoring database security.
Background
With the rapid informatization of the tobacco industry, that is, the adoption of new technologies such as cloud planning, virtualization and mobile applications, the information security of the tobacco industry faces new challenges. An information security assurance system for the tobacco industry is the foundation and guarantee of the healthy development of informatization in the industry and an important component of the industry's data centers at every level. It serves to promote the construction of the industry's information security assurance system and to raise the level of information security management and the assurance capability.
However, the infrastructure of the tobacco industry's information systems, including host storage, operating systems, databases and middleware, depends almost entirely on foreign brands, so those systems are more easily controlled from abroad. With the rapid development of electronic commerce, the industry's information systems have moved from a semi-closed intra-industry network to the Internet, and new services such as online ordering and online marketing are increasingly integrated with it; the network attacks and threats they face are correspondingly more complex and severe, and traditional Internet threats (botnets, viruses, trojans and the like) now threaten the information security of the tobacco industry.
In the prior art, information security assurance lacks a security mechanism covering terminals, hosts and application systems; system vulnerabilities and weaknesses are not discovered and remediated in time; many weak passwords and similar problems exist; terminal security is not assured; a unified terminal management platform is lacking; and the precision of control over personnel and data is low, so the security of the database is low.
Disclosure of Invention
Therefore, the invention provides an operation and maintenance operation management and control system for monitoring database security, which addresses the prior-art problem that database security is low because personnel and data are controlled with low precision when the database is accessed.
To achieve the above object, the present invention provides an operation and maintenance operation management and control system for monitoring database security, comprising:
a virtual authentication module comprising a security access unit for performing user identity authentication and an authority determining unit for determining, from the security access unit's authentication result, whether the user may enter the computer room and what access authority the user has to the database stored in the computer room;
a security identification module comprising a user behavior identification unit for identifying and recording the user's behavior while accessing the computer room and the database, and a data identification unit for identifying the security of the data the user accesses in the storage database;
a data security management and control module comprising a data control unit, a sensitive data identification unit and a desensitization unit, where the data control unit controls the sensitive data among the data in the storage database that the user may access, the sensitive data identification unit identifies sensitive data when the user accesses the storage database, and the desensitization unit desensitizes sensitive data in real time according to the user's behavior during access and the user's permissions;
wherein, when the user accesses the storage database, the user behavior identification unit determines whether the user behavior is compliant and whether the data is safe according to the behavior during the access process and the data accessed, and the proportion of sensitive data in the data accessed by the user is adjusted when the user behavior is not compliant.
Further, when performing user identity authentication, the security access unit first confirms the user's identity by face recognition using face recognition equipment and, once recognition is complete, performs multi-combination identity authentication on the user; the authority determining unit determines that the user may enter and access the storage database when the security access unit determines that the user's multi-combination identity authentication has passed, and determines the user's accessible data level Ui from the user information.
Further, once the authority determining unit has determined the user's accessible data level Ui, the user behavior identification unit checks whether any wrong authentication occurred during the authentication process, obtains the number of wrong authentications C if so, and determines whether the user behavior is compliant according to that number; the user behavior identification unit is provided with a preset number of wrong authentications C0, and
if C > C0, the user behavior identification unit judges that the user behavior is not compliant;
if C ≤ C0, the user behavior identification unit preliminarily determines that the user behavior is compliant.
Further, when it has preliminarily determined that the user behavior is compliant, the user behavior identification unit determines whether the user accesses data at a level beyond the user's accessible data level Ui; if so, it judges that the user behavior is not compliant, and if not, that the user behavior is compliant, where i = 1, 2, … n.
Further, when the user accesses the storage database, the data identification unit identifies the data accessed in the storage database and identifies whether the data is being maliciously downloaded; if so, it obtains the number of malicious download attempts F and determines whether the data is safe according to the ratio B of the number of attempts F to a preset number of attempts. A preset ratio B0 is set in the data identification unit: if B ≤ B0 the data is preliminarily determined to be safe, and if B > B0 the data is determined to be unsafe.
Further, the data control unit is provided with an accessible sensitive data proportion Bmi corresponding to each data level Ui. When the user behavior identification unit judges that the user behavior is not compliant and C > C0, the data control unit calculates the difference ΔC between the number of wrong authentications C and the preset number of wrong authentications C0, setting ΔC = C - C0, and selects the corresponding adjustment coefficient according to the comparison of ΔC with the preset differences to adjust the accessible sensitive data proportion,
wherein the data control unit is provided with a first preset difference ΔC1, a second preset difference ΔC2, a third preset difference ΔC3, a first data proportion adjustment coefficient Kb1, a second data proportion adjustment coefficient Kb2 and a third data proportion adjustment coefficient Kb3, with ΔC1 < ΔC2 < ΔC3 and 0.7 < Kb1 < Kb2 < Kb3 < 1;
when ΔC ≤ ΔC1, the data control unit selects the first data proportion adjustment coefficient Kb1 to adjust the accessible sensitive data proportion Bmi;
when ΔC1 < ΔC ≤ ΔC2, the data control unit selects the second data proportion adjustment coefficient Kb2 to adjust the accessible sensitive data proportion Bmi;
when ΔC2 < ΔC ≤ ΔC3, the data control unit selects the third data proportion adjustment coefficient Kb3 to adjust the accessible sensitive data proportion Bmi;
when the data control unit selects the j-th data proportion adjustment coefficient Kbj (j = 1, 2, 3) to adjust the accessible sensitive data proportion Bmi, it sets the adjusted accessible sensitive data proportion to Bmi' with Bmi' = Bmi × Kbj.
Further, when the user behavior identification unit judges that the user behavior is not compliant because the user accesses data at a level beyond the accessible data level Ui, the data control unit obtains the sensitive data proportion B in the accessed data, as identified by the sensitive data identification unit, and compares B with Bmi:
if B ≤ Bmi, the data control unit judges that the user may access the data;
if B > Bmi, the data control unit determines that the user may not access the data.
Further, the system also includes:
a data storage module comprising an access data storage unit for storing the access process of the user accessing the storage database and an accessed data storage unit for storing the data accessed when the user accesses the storage database;
the data control unit is further configured, when the data is determined to be unsafe, to obtain the user's historical access behavior stored in the data storage module, to calculate the user's qualification rate R for historical access to the database from that behavior, setting R = C/C0 + B/Bmi, and to determine whether the user may continue to access the database by comparing R with preset qualification rates, where the preset qualification rates comprise a first preset qualification rate R1, a second preset qualification rate R2 and a third preset qualification rate R3 with R1 < R2 < R3:
when R ≤ R1, the data control unit judges that the user may continue to access the storage database;
when R1 < R ≤ R2, the data control unit judges that the user may continue to access the storage database but the proportion of sensitive data when the user accesses the data needs to be corrected;
when R2 < R ≤ R3, the data control unit judges that the user may continue to access the storage database but the level of data accessible to the user needs to be lowered;
when R > R3, the data control unit denies the user access to the storage database.
Further, when the data control unit judges that the user may continue to access the storage database but the sensitive data proportion needs to be corrected, it calculates the difference ΔR between the qualification rate R and the first preset qualification rate R1 and selects the corresponding correction coefficient according to the comparison of ΔR with the preset differences to correct the sensitive data proportion,
wherein the data control unit is further provided with a first preset qualification rate difference ΔR1, a second preset qualification rate difference ΔR2, a third preset qualification rate difference ΔR3, a first data proportion correction coefficient Xb1, a second data proportion correction coefficient Xb2 and a third data proportion correction coefficient Xb3, with ΔR1 < ΔR2 < ΔR3 and 0.5 < Xb1 < Xb2 < Xb3 < 1;
when ΔR ≤ ΔR1, the data control unit selects the first data proportion correction coefficient Xb1 to correct the sensitive data proportion;
when ΔR1 < ΔR ≤ ΔR2, the data control unit selects the second data proportion correction coefficient Xb2 to correct the sensitive data proportion;
when ΔR2 < ΔR ≤ ΔR3, the data control unit selects the third data proportion correction coefficient Xb3 to correct the sensitive data proportion;
when the data control unit selects the z-th data proportion correction coefficient Xbz (z = 1, 2, 3) to correct the sensitive data proportion, it sets the corrected accessible sensitive data proportion to Bmi'' with Bmi'' = Bmi × Xbz.
Further, when the data control unit judges that the user may continue to access the storage database but the level of data accessible to the user needs to be lowered, the user's accessible data level is lowered by one level, and when the user downloads data the desensitization unit desensitizes the sensitive data in real time according to the accessible sensitive data proportion.
Compared with the prior art, the invention has the advantage that a virtual authentication module is arranged in the database management and control system to virtually authenticate the user, and the authority of the data accessible to the user is determined from the authentication result, so that the user is kept isolated from the database while accessing it, the user is prevented from entering the database directly by fraudulent means, and the user enters the database only once authentication has been completed through the multi-combination authentication mode, which guarantees the security of the database.
In particular, the system performs user behavior identification and data security identification during user access, and adjusts the strength and granularity of control over the data in the database when the user behavior is determined to be non-compliant and the data is determined to be unsafe, which improves the control precision of the system and thereby the security of the database.
Further, when determining from the user behavior whether it is compliant, the invention first determines whether wrong authentication occurred during the user's login authentication, obtains the number of wrong authentications if so, and judges the compliance of the user behavior from that number; when the behavior is judged compliant on that basis, it further judges compliance according to whether the user accesses data that does not correspond to the data level of the user's authority, which further reduces the loss of database security caused by non-compliant user access.
Further, the invention determines whether malicious downloading occurs during user access and, when it does, determines data security from the ratio of the number of malicious download attempts to the preset number of attempts and from the comparison of that ratio with the preset ratio, further improving the security of the database.
Further, when the user behavior is determined not to be compliant, the invention adjusts the proportion of sensitive data when the user downloads the accessed data so that the desensitization unit performs desensitization, and when adjusting that proportion it selects the corresponding adjustment coefficient according to the comparison of the difference between the number of wrong authentications and the preset number of wrong authentications with the several preset differences, further improving the control precision of the system and hence the security of the database.
Further, when the data is judged to be unsafe, the invention calculates the user's qualification rate for accessing the storage database and determines from it and the preset qualification rates whether the user may continue to access the database; when the user may, it decides according to the actual qualification rate whether to correct the sensitive data proportion or to lower the user's accessible data level, and when correcting the sensitive data proportion it selects the corresponding correction coefficient according to the comparison of the difference between the qualification rate and the preset qualification rate with the preset differences, so that the control precision of the system and the security of the database are further improved.
Drawings
Fig. 1 is a logic block diagram of an operation and maintenance operation management and control system for monitoring database security according to the present invention.
Detailed Description
In order that the objects and advantages of the invention will be more clearly understood, the invention is further described below with reference to examples; it should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
Preferred embodiments of the present invention are described below with reference to the accompanying drawings. It should be understood by those skilled in the art that these embodiments are only for explaining the technical principle of the present invention, and do not limit the scope of the present invention.
It should be noted that in the description of the present invention, the terms of direction or positional relationship indicated by the terms "upper", "lower", "left", "right", "inner", "outer", etc. are based on the directions or positional relationships shown in the drawings, which are only for convenience of description, and do not indicate or imply that the device or element must have a specific orientation, be constructed in a specific orientation, and be operated, and thus, should not be construed as limiting the present invention.
Furthermore, it should be noted that, in the description of the present invention, unless otherwise explicitly specified or limited, the terms "mounted," "connected," and "connected" are to be construed broadly, and may be, for example, fixedly connected, detachably connected, or integrally connected; can be mechanically or electrically connected; they may be connected directly or indirectly through intervening media, or they may be interconnected between two elements. The specific meanings of the above terms in the present invention can be understood by those skilled in the art according to specific situations.
Fig. 1 is a logic block diagram of an operation and maintenance operation management and control system for monitoring database security according to the present invention.
The operation and maintenance operation management and control system for monitoring database security of the invention comprises:
a virtual authentication module comprising a security access unit for performing user identity authentication and an authority determining unit for determining, from the security access unit's authentication result, whether the user may enter the computer room and what access authority the user has to the database stored in the computer room;
a security identification module comprising a user behavior identification unit for identifying and recording the user's behavior while accessing the computer room and the database, and a data identification unit for identifying the security of the data the user accesses in the storage database;
a data storage module comprising an access data storage unit for storing the access process of the user accessing the storage database and an accessed data storage unit for storing the data accessed when the user accesses the storage database;
a data security management and control module comprising a data control unit, a sensitive data identification unit and a desensitization unit, where the data control unit controls the sensitive data among the data in the storage database that the user may access, the sensitive data identification unit identifies sensitive data when the user accesses the storage database, and the desensitization unit desensitizes sensitive data in real time according to the user's behavior during access and the user's permissions.
When performing user identity authentication, the security access unit first confirms the user's identity by face recognition using face recognition equipment and, once that is complete, performs multi-combination identity authentication on the user; the authority determining unit determines that the user may enter and access the storage database when the security access unit determines that the user's multi-combination identity authentication has passed, and determines the user's accessible data level Ui from the user information.
Once the authority determining unit has determined the user's accessible data level Ui, the user behavior identification unit checks whether any wrong authentication occurred during the authentication process, obtains the number of wrong authentications C if so, and determines whether the user behavior is compliant according to that number.
Specifically, the user behavior identification unit is provided with a preset number of wrong authentications C0; if C > C0 it judges that the user behavior is not compliant, and if C ≤ C0 it preliminarily judges that the user behavior is compliant.
When it has preliminarily judged the user behavior compliant, the user behavior identification unit determines whether the user accesses data at a level beyond the user's accessible data level Ui; if so, it judges that the user behavior is not compliant, and if not, that the user behavior is compliant, where i = 1, 2, … n.
When the user accesses the storage database, the data identification unit identifies the data accessed in the storage database and identifies whether the data is being maliciously downloaded; if so, it obtains the number of malicious download attempts F and determines whether the data is safe according to the ratio B of the number of attempts F to a preset number of attempts. A preset ratio B0 is set in the data identification unit: if B ≤ B0 the data is preliminarily determined to be safe, and if B > B0 the data is determined to be unsafe.
Specifically, a malicious download means that the user attempts to download data to the terminal and/or send the data to the outside.
An accessible sensitive data proportion Bmi corresponding to each data level Ui is set in the data control unit. When the user behavior identification unit judges that the user behavior is not compliant and C > C0, the data control unit calculates the difference ΔC between the number of wrong authentications C and the preset number of wrong authentications C0, setting ΔC = C - C0, and selects the corresponding adjustment coefficient according to the comparison of ΔC with the preset differences to adjust the accessible sensitive data proportion,
wherein the data control unit is provided with a first preset difference ΔC1, a second preset difference ΔC2, a third preset difference ΔC3, a first data proportion adjustment coefficient Kb1, a second data proportion adjustment coefficient Kb2 and a third data proportion adjustment coefficient Kb3, with ΔC1 < ΔC2 < ΔC3 and 0.7 < Kb1 < Kb2 < Kb3 < 1;
when ΔC ≤ ΔC1, the data control unit selects the first data proportion adjustment coefficient Kb1 to adjust the accessible sensitive data proportion Bmi;
when ΔC1 < ΔC ≤ ΔC2, the data control unit selects the second data proportion adjustment coefficient Kb2 to adjust the accessible sensitive data proportion Bmi;
when ΔC2 < ΔC ≤ ΔC3, the data control unit selects the third data proportion adjustment coefficient Kb3 to adjust the accessible sensitive data proportion Bmi;
when the data control unit selects the j-th data proportion adjustment coefficient Kbj (j = 1, 2, 3) to adjust the accessible sensitive data proportion Bmi, it sets the adjusted accessible sensitive data proportion to Bmi' with Bmi' = Bmi × Kbj.
When the user behavior identification unit judges that the user behavior is not compliant because the user accesses data at a level beyond the accessible data level Ui, the data control unit obtains the sensitive data proportion B in the accessed data, as identified by the sensitive data identification unit, and compares B with Bmi:
if B ≤ Bmi, the data control unit judges that the user may access the data;
if B > Bmi, the data control unit determines that the user may not access the data.
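The following is an added example, not code from the patent or its assignee, showing the decision logic of the user behavior identification unit, the data identification unit and the data control unit as described above (and identically in the summary section): C compared with C0, the accessible-level check, B = F / F0 compared with B0, the tiered ΔC adjustment Bmi' = Bmi × Kbj, and the B ≤ Bmi check for a level overrun. Every numeric threshold is constructed; F0 is this example's name for the page's unnamed "preset number of attempts", the direction of data levels (a larger index means more sensitive data) is an assumption, and the page does not say what happens when ΔC exceeds ΔC3, so the example keeps the last tier's coefficient there and says so in a comment.

```python
# Added example (not the patent's code): compliance and data-safety checks plus the
# tiered sensitive-data proportion adjustment. All thresholds are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class AdjustmentPolicy:
    c0: int = 3                        # preset number of wrong authentications C0
    f0: int = 4                        # preset number of download attempts (our name: F0)
    b0: float = 0.5                    # preset ratio B0 applied to F / F0
    delta_c: tuple = (1, 3, 5)         # dC1 < dC2 < dC3
    kb: tuple = (0.75, 0.85, 0.95)     # 0.7 < Kb1 < Kb2 < Kb3 < 1

    def __post_init__(self):
        # Enforce the page's ordering constraints; a mis-ordered policy would mis-tier silently.
        if not (self.delta_c[0] < self.delta_c[1] < self.delta_c[2]):
            raise ValueError("delta_c tiers must be strictly increasing")
        if not (0.7 < self.kb[0] < self.kb[1] < self.kb[2] < 1):
            raise ValueError("coefficients must satisfy 0.7 < Kb1 < Kb2 < Kb3 < 1")


def behavior_compliant(c: int, accessed_level: int, ui: int, policy: AdjustmentPolicy) -> bool:
    """User behavior identification unit.

    C > C0 is non-compliant outright. Otherwise the behavior is compliant only if the
    accessed data level does not exceed the user's accessible level Ui (assumption:
    a larger level index means more sensitive data).
    """
    if c > policy.c0:
        return False
    return accessed_level <= ui


def data_safe(f: int, policy: AdjustmentPolicy) -> bool:
    """Data identification unit: B = F / F0; B <= B0 is safe, B > B0 is unsafe."""
    b = f / policy.f0
    return b <= policy.b0


def adjusted_sensitive_proportion(c: int, bmi: float, policy: AdjustmentPolicy) -> float:
    """Data control unit: dC = C - C0, select Kbj by tier, Bmi' = Bmi * Kbj.

    Triggered only when C > C0; otherwise Bmi is returned unchanged. dC > dC3 is not
    specified on the page; this example keeps the last tier's coefficient (assumption).
    """
    delta_c = c - policy.c0
    if delta_c <= 0:
        return bmi
    for bound, kb in zip(policy.delta_c, policy.kb):
        if delta_c <= bound:
            return bmi * kb
    return bmi * policy.kb[-1]


def level_overrun_allowed(b: float, bmi: float) -> bool:
    """Non-compliance caused by a level overrun: access is allowed only if the sensitive
    proportion B of the accessed data does not exceed the level's Bmi."""
    return b <= bmi


if __name__ == "__main__":
    policy = AdjustmentPolicy()
    for c in (2, 4, 6, 8, 10):
        compliant = behavior_compliant(c, accessed_level=2, ui=3, policy=policy)
        bmi_adjusted = adjusted_sensitive_proportion(c, 0.4, policy)
        print(f"C={c} compliant={compliant} Bmi'={bmi_adjusted:.3f}")
```

One point worth noticing when implementing this: with the ordering the page gives (0.7 < Kb1 < Kb2 < Kb3 < 1), a larger ΔC selects a larger Kbj and therefore a smaller reduction of the accessible proportion; a deployment that wants more wrong authentications to reduce the proportion more would reverse the coefficient tuple.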
In the embodiment of the present invention, the sensitive data includes, but is not limited to, a sensitive word and a sensitive sentence.
The data control unit is further configured to, when data is determined to be unsafe, obtain the historical access behaviors of the user stored in the data storage unit, calculate a yield R when the user historically accesses the database according to the historical access behaviors of the user, set R = C/C0+ B/Bmi, and determine whether the user can continue to access the database according to a comparison result of the yield R and a preset yield, where the preset yield includes a first preset yield R1, a second preset yield R2, and a third preset yield R3, where R1 < R2 < R3,
when R is not more than R1, the data control unit judges that the user can continuously access the storage database;
when R1 is more than R and less than or equal to R2, the data control unit judges that the user can continuously access the storage database and needs to correct the proportion of sensitive data when the user accesses the data;
when R2 < R ≦ R3, the data control unit determines that the user may continue to access the stored database and the level of data accessible to the user needs to be decreased;
when R > R3, the data control unit denies user access to the storage database.
When the data control unit determines that the user may continue to access the storage database but that the sensitive data proportion must be corrected, it calculates the yield difference ΔR = R − R1 between the yield R and the first preset yield R1 and selects a correction coefficient according to the comparison of ΔR with the preset yield differences,
where the data control unit is further provided with a first preset yield difference ΔR1, a second preset yield difference ΔR2, a third preset yield difference ΔR3, a first data proportion correction coefficient Xb1, a second data proportion correction coefficient Xb2 and a third data proportion correction coefficient Xb3, with ΔR1 < ΔR2 < ΔR3 and 0.5 < Xb1 < Xb2 < Xb3 < 1:
when ΔR ≤ ΔR1, the data control unit selects the first data proportion correction coefficient Xb1 to correct the sensitive data proportion;
when ΔR1 < ΔR ≤ ΔR2, the data control unit selects the second data proportion correction coefficient Xb2 to correct the sensitive data proportion;
when ΔR2 < ΔR ≤ ΔR3, the data control unit selects the third data proportion correction coefficient Xb3 to correct the sensitive data proportion;
when the data control unit selects the z-th data proportion correction coefficient Xbz (z = 1, 2, 3) to correct the sensitive data proportion, it sets the corrected accessible sensitive data proportion Bmi' to Bmi' = Bmi × Xbz.
When the data control unit determines that the user may continue to access the storage database but that the data level accessible to the user must be lowered, the accessible data level of the user is lowered by one level.
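The control flow described above and restated in claims 5 to 10 (authentication-error adjustment of Bmi, the level-overreach check against Bmi, the data-safety check against B0, and the yield R with its three bands), carried through in Python as an added worked example. This is not code from the patent or its assignee. The numeric thresholds in EXAMPLE_POLICY, the treatment of a difference that lies above the third band, the use of the current (possibly adjusted) Bmi in R, and the floor at level 1 are assumptions of this example; the page fixes only the orderings ΔC1 < ΔC2 < ΔC3, 0.7 < Kb1 < Kb2 < Kb3 < 1, R1 < R2 < R3, ΔR1 < ΔR2 < ΔR3 and 0.5 < Xb1 < Xb2 < Xb3 < 1.

```python
"""Worked model of the access decisions described on this page.
Added example, not code from the patent or its assignee. All numeric
thresholds below are illustrative assumptions; the page fixes only their ordering."""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    ALLOW_CORRECTED_PROPORTION = "allow; sensitive-data proportion corrected"
    ALLOW_LOWERED_LEVEL = "allow; accessible data level lowered"
    DENY_DATA = "deny access to the requested data"
    DENY_DATABASE = "deny access to the storage database"


@dataclass(frozen=True)
class Policy:
    c0: int                              # preset number of erroneous authentications C0
    b0: float                            # preset attempt-ratio threshold B0
    bmi: dict[int, float]                # accessible sensitive-data proportion Bmi per level Ui
    delta_c: tuple[float, float, float]  # ΔC1 < ΔC2 < ΔC3
    kb: tuple[float, float, float]       # 0.7 < Kb1 < Kb2 < Kb3 < 1
    r: tuple[float, float, float]        # R1 < R2 < R3
    delta_r: tuple[float, float, float]  # ΔR1 < ΔR2 < ΔR3
    xb: tuple[float, float, float]       # 0.5 < Xb1 < Xb2 < Xb3 < 1


@dataclass
class Outcome:
    decision: Decision
    level: int    # accessible data level Ui after the decision
    bmi: float    # accessible sensitive-data proportion after adjustment or correction


EXAMPLE_POLICY = Policy(  # assumed values, chosen only to satisfy the page's orderings
    c0=3, b0=0.2,
    bmi={1: 0.10, 2: 0.25, 3: 0.40},
    delta_c=(1, 2, 3), kb=(0.75, 0.85, 0.95),
    r=(1.0, 1.5, 2.0), delta_r=(0.1, 0.3, 0.5), xb=(0.6, 0.75, 0.9),
)


def _coefficient(delta: float, thresholds, coefficients) -> float:
    """Pick the coefficient of the first band with delta <= threshold_j.
    The page defines no band above the third threshold; such values keep the
    third coefficient here (an assumption, not something the page states)."""
    for threshold, coefficient in zip(thresholds, coefficients):
        if delta <= threshold:
            return coefficient
    return coefficients[-1]


def evaluate(policy: Policy, level: int, failed_auths: int, accessed_level: int,
             sensitive_proportion: float, attempts: int, preset_attempts: int) -> Outcome:
    """Apply the page's checks in order: erroneous authentications (C vs C0), level
    overreach (accessed level vs Ui), data safety (attempt ratio vs B0) and, when the
    data is unsafe, the yield R = C/C0 + B/Bmi against R1 < R2 < R3."""
    if preset_attempts <= 0:
        raise ValueError("preset number of attempts must be positive")
    bmi = policy.bmi[level]
    b = sensitive_proportion

    # Claim 6: C > C0 is non-compliant; Bmi' = Bmi * Kbj, band chosen by ΔC = C - C0.
    if failed_auths > policy.c0:
        bmi *= _coefficient(failed_auths - policy.c0, policy.delta_c, policy.kb)
    # Claim 7: reading above Ui is non-compliant; the data is allowed only if B <= Bmi.
    elif accessed_level > level:
        if b > bmi:
            return Outcome(Decision.DENY_DATA, level, bmi)

    # Claim 5: ratio of malicious-download attempts to the preset count, against B0.
    if attempts / preset_attempts <= policy.b0:
        return Outcome(Decision.ALLOW, level, bmi)

    # Claim 8: unsafe data triggers the yield check.
    r = failed_auths / policy.c0 + b / bmi
    r1, r2, r3 = policy.r
    if r <= r1:
        return Outcome(Decision.ALLOW, level, bmi)
    if r <= r2:
        # Claim 9: Bmi' = Bmi * Xbz, band chosen by ΔR = R - R1.
        bmi *= _coefficient(r - r1, policy.delta_r, policy.xb)
        return Outcome(Decision.ALLOW_CORRECTED_PROPORTION, level, bmi)
    if r <= r3:
        # Claim 10: lower Ui by one level; level 1 is treated as the floor (assumption).
        new_level = max(1, level - 1)
        return Outcome(Decision.ALLOW_LOWERED_LEVEL, new_level, policy.bmi[new_level])
    return Outcome(Decision.DENY_DATABASE, level, bmi)
```

One property of the banding as the page states it is worth checking before it is implemented: ΔC ≤ ΔC1 selects Kb1, the smallest coefficient, so the smallest excess of erroneous authentications produces the largest reduction of Bmi, and likewise for ΔR and Xb1. An implementer should confirm with the policy owner that this ordering, rather than the reverse, is intended.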
When the user downloads data, the desensitization unit desensitizes the sensitive data in real time according to the accessible sensitive data proportion.
In particular, the system may formulate a desensitization strategy for each type of sensitive data (for example, for printed output). Different desensitization rules may be applied to different fields of different databases; for example, a rule is selected for a given field of a given table and its sensitive content is automatically displayed as asterisks.
Data simulation: simulate the data content to generate highly realistic data that has the correct format and semantics but is not real;
Data masking: replace the masked part of the data with special characters, destroying its readability;
Random string: randomly alter the data so that neither its original semantics nor its format is retained;
Reset to a fixed value: reset a particular data column to a fixed number or string; for example, a password column may be reset to "8888888888";
Hash (encryption): hash the complete value so that the data is unreadable;
Column association: maintain the correspondence or computational relationship between columns, for example between an identity card field and the birthday and age fields;
Vertical disorder: keep or shuffle the row-to-row correspondence of values between columns;
Associated column calculation: when there is an arithmetic relationship between columns (for example A + B = C), the desensitized data preserves the same relationship;
Dictionary mapping: according to a feature dictionary, data matching the features is replaced by a specified value; for example, every "Zhang San" may be uniformly replaced by "Li Si";
Random mapping: according to a feature dictionary, data matching the features is replaced at random; for example, each "Zhang San" may be replaced by any one of "Li Si", "Wang Wu" or "Zhao Liu".
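Several of the rules listed above (asterisk masking, reset to a fixed value, hashing, dictionary and random mapping, numeric simulation, associated-column recalculation and vertical disorder), implemented in Python as an added example; this is not code from the patent or its assignee. The sample rows are constructed, the rule signatures are this example's own, and the hash rule uses a keyed HMAC rather than a bare hash: that is a hardening choice the page does not specify, made because a bare hash of a low-entropy field such as an 11-digit phone number is reversible by enumerating the candidates.

```python
"""Desensitization rules of the kinds listed on this page. Added example, not the
patent's code. SAMPLE_ROWS are constructed; 'total' equals salary + bonus."""
import hashlib
import hmac
import random
from typing import Callable

Rule = Callable[[str], str]

SAMPLE_ROWS = [  # constructed, not real people
    {"name": "Zhang San", "phone": "13800138000", "password": "hunter2",
     "salary": "12000", "bonus": "3000", "total": "15000"},
    {"name": "Zhang San", "phone": "13900139000", "password": "letmein",
     "salary": "9000", "bonus": "1000", "total": "10000"},
    {"name": "Wang Wu", "phone": "13700137000", "password": "s3cret",
     "salary": "15000", "bonus": "5000", "total": "20000"},
]


def star_mask(keep_head: int = 3, keep_tail: int = 4, char: str = "*") -> Rule:
    """Data masking: keep the head and tail, replace the middle with a special character.
    Values too short to keep both ends are masked entirely."""
    def rule(value: str) -> str:
        if len(value) <= keep_head + keep_tail:
            return char * len(value)
        return value[:keep_head] + char * (len(value) - keep_head - keep_tail) + value[-keep_tail:]
    return rule


def fixed_value(replacement: str) -> Rule:
    """Reset to a fixed value: every value in the column becomes the same placeholder."""
    return lambda value: replacement


def keyed_hash(key: bytes) -> Rule:
    """Hash rule. HMAC-SHA256 with a secret key is used instead of a bare hash (an
    addition of this example) so that low-entropy values cannot be recovered by enumeration."""
    return lambda value: hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def dictionary_map(mapping: dict[str, str]) -> Rule:
    """Dictionary mapping: values in the dictionary are replaced by their fixed target."""
    return lambda value: mapping.get(value, value)


def random_map(targets: dict[str, list[str]], seed: int) -> Rule:
    """Random mapping: a matching value is replaced by a random member of its target list."""
    rng = random.Random(seed)
    return lambda value: rng.choice(targets[value]) if value in targets else value


def perturb_number(seed: int, spread: int) -> Rule:
    """Data simulation for numeric fields: a plausible value near, but not equal in general to, the original."""
    rng = random.Random(seed)
    return lambda value: str(int(value) + rng.randint(-spread, spread))


def desensitize(rows: list[dict[str, str]], rules: dict[str, Rule], associations=()):
    """Apply per-column rules, then recompute each associated column C so that A + B = C still holds."""
    out = []
    for row in rows:
        new = {col: rules[col](val) if col in rules else val for col, val in row.items()}
        for a, b, c in associations:
            new[c] = str(int(new[a]) + int(new[b]))
        out.append(new)
    return out


def shuffle_column(rows: list[dict[str, str]], column: str, seed: int):
    """Vertical disorder: permute one column's values across rows, breaking its row correspondence."""
    values = [row[column] for row in rows]
    random.Random(seed).shuffle(values)
    return [dict(row, **{column: v}) for row, v in zip(rows, values)]


EXAMPLE_RULES = {  # one rule per sensitive field; all choices are this example's own
    "name": dictionary_map({"Zhang San": "Li Si"}),
    "phone": star_mask(),
    "password": fixed_value("8888888888"),
    "salary": perturb_number(seed=1, spread=500),
    "bonus": perturb_number(seed=2, spread=200),
}


def run_example():
    """Desensitize the constructed rows, keeping total == salary + bonus."""
    return desensitize(SAMPLE_ROWS, EXAMPLE_RULES, associations=[("salary", "bonus", "total")])
```

The rules are plain callables on a single cell, which is what makes them composable per table and per field as the text describes; only the associated-column step and the vertical shuffle need the whole row set, so they are applied after the per-cell rules.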
So far, the technical solutions of the present invention have been described in connection with the preferred embodiments shown in the drawings, but it is easily understood by those skilled in the art that the scope of the present invention is obviously not limited to these specific embodiments. Equivalent changes or substitutions of related technical features can be made by those skilled in the art without departing from the principle of the invention, and the technical scheme after the changes or substitutions can fall into the protection scope of the invention.
The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention; various modifications and alterations to this invention will become apparent to those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (10)

1. An operation and maintenance operation management and control system for monitoring database security, comprising:
the virtual authentication module comprises a security access unit used for carrying out user identity authentication and an authority determining unit used for determining whether a user can enter the computer room or not and determining the access authority of the user to the database stored in the computer room according to the user identity authentication result of the security access unit;
the safety identification module comprises a user behavior identification unit for identifying and recording behaviors of a user in the process of accessing the machine room and the database and a data identification unit for identifying the safety of the user accessing the data in the storage database;
the data security management and control module comprises a data control unit, a sensitive data identification unit and a desensitization unit, wherein the data control unit is used for controlling sensitive data of data in a storage database accessible to a user, the sensitive data identification unit is used for identifying the sensitive data when the user accesses the storage database, and the desensitization unit is used for desensitizing the sensitive data in real time according to behaviors and user permissions in the user access process;
and when the user accesses the storage database, the user behavior identification unit determines whether the user behavior is in compliance and whether the data is safe according to the behavior of the user access process and the accessed data, and adjusts the proportion of sensitive data in the data accessed by the user when the user behavior is not in compliance.
2. The operation and maintenance operation management and control system for monitoring database security according to claim 1, wherein the security access unit performs face recognition according to a face recognition device to preliminarily confirm the identity of the user when performing user identity authentication, performs multi-combination identity authentication on the user after the recognition is completed, and the permission determination unit determines that the user can access the storage database when the security access unit determines that the multi-combination identity authentication of the user passes, and determines the accessible data level Ui of the user according to the user information.
3. The operation and maintenance operation management and control system for monitoring database security according to claim 2, wherein, once the permission determining unit has determined the data level Ui accessible to the user, the user behavior identification unit obtains whether an erroneous authentication occurred during the user's authentication process, obtains the number of erroneous authentications C when one occurred, and determines whether the user behavior is compliant according to the number of erroneous authentications, the user behavior identification unit being provided with a preset number of erroneous authentications C0:
if C > C0, the user behavior identification unit determines that the user behavior is not compliant;
if C ≤ C0, the user behavior identification unit preliminarily determines that the user behavior is compliant.
4. The operation and maintenance operation management and control system for monitoring database security according to claim 3, wherein, when it preliminarily determines that the user behavior is compliant, the user behavior identification unit determines whether the user accesses data above the data level Ui accessible to the user, determines that the user behavior is not compliant if so, and determines that the user behavior is compliant if not, where i = 1, 2, … n.
5. The operation and maintenance operation management and control system for monitoring database security according to claim 4, wherein, when the user accesses the storage database, the data identification unit identifies the data in the storage database accessed by the user and identifies whether the data is being maliciously downloaded; if so, it obtains the number of malicious download attempts F and determines whether the data is safe according to the ratio B of the number of attempts F to a preset number of attempts, the data identification unit being provided with a preset ratio B0: if B ≤ B0, the data is preliminarily determined to be safe, and if B > B0, the data is determined to be unsafe.
6. The operation and maintenance operation management and control system for monitoring database security according to claim 5, wherein the data control unit has an accessible sensitive data proportion Bmi corresponding to each data level Ui, and when the user behavior identification unit determines that the user behavior is not compliant because C > C0, the data control unit calculates the difference ΔC between the number of erroneous authentications C and the preset number of erroneous authentications C0, with ΔC = C − C0, and selects an adjustment coefficient according to the comparison of ΔC with the preset difference values to adjust the accessible sensitive data proportion,
where the data control unit is provided with a first preset difference ΔC1, a second preset difference ΔC2, a third preset difference ΔC3, a first data proportion adjustment coefficient Kb1, a second data proportion adjustment coefficient Kb2 and a third data proportion adjustment coefficient Kb3, with ΔC1 < ΔC2 < ΔC3 and 0.7 < Kb1 < Kb2 < Kb3 < 1:
when ΔC ≤ ΔC1, the data control unit selects the first data proportion adjustment coefficient Kb1 to adjust the accessible sensitive data proportion Bmi;
when ΔC1 < ΔC ≤ ΔC2, the data control unit selects the second data proportion adjustment coefficient Kb2 to adjust the accessible sensitive data proportion Bmi;
when ΔC2 < ΔC ≤ ΔC3, the data control unit selects the third data proportion adjustment coefficient Kb3 to adjust the accessible sensitive data proportion Bmi;
when the data control unit selects the j-th data proportion adjustment coefficient Kbj (j = 1, 2, 3) to adjust the accessible sensitive data proportion Bmi, it sets the adjusted accessible sensitive data proportion Bmi' to Bmi' = Bmi × Kbj.
7. The operation and maintenance operation management and control system for monitoring database security according to claim 6, wherein, when the user behavior identification unit determines that the user behavior is not compliant because the user accessed data above the accessible data level Ui, the data control unit obtains the proportion B of sensitive data in the accessed data identified by the sensitive data identification unit and compares B with Bmi:
if B ≤ Bmi, the data control unit determines that the user may access the data;
if B > Bmi, the data control unit determines that the user may not access the data.
8. The operation and maintenance management and control system for monitoring database security according to claim 7, further comprising:
the data storage module comprises an access data storage unit for storing an access process of a user accessing the storage database and an accessed data storage unit for storing data accessed when the user accesses the storage database;
the data control unit is further configured to, when the data is determined to be unsafe, obtain the historical access behaviour of the user stored in the data storage unit, calculate from it a yield R for the user's historical access to the storage database, with R = C/C0 + B/Bmi, and determine whether the user may continue to access the storage database from a comparison of the yield R with preset yields, the preset yields being a first preset yield R1, a second preset yield R2 and a third preset yield R3 with R1 < R2 < R3:
when R ≤ R1, the data control unit determines that the user may continue to access the storage database;
when R1 < R ≤ R2, the data control unit determines that the user may continue to access the storage database but that the sensitive data proportion for the user's data access must be corrected;
when R2 < R ≤ R3, the data control unit determines that the user may continue to access the storage database but that the data level accessible to the user must be lowered;
when R > R3, the data control unit denies the user access to the storage database.
9. The operation and maintenance operation management and control system for monitoring database security according to claim 8, wherein, when it determines that the user may continue to access the storage database but that the sensitive data proportion must be corrected, the data control unit calculates the yield difference ΔR = R − R1 between the yield R and the first preset yield R1 and selects a correction coefficient according to the comparison of ΔR with the preset yield differences to correct the sensitive data proportion,
where the data control unit is further provided with a first preset yield difference ΔR1, a second preset yield difference ΔR2, a third preset yield difference ΔR3, a first data proportion correction coefficient Xb1, a second data proportion correction coefficient Xb2 and a third data proportion correction coefficient Xb3, with ΔR1 < ΔR2 < ΔR3 and 0.5 < Xb1 < Xb2 < Xb3 < 1:
when ΔR ≤ ΔR1, the data control unit selects the first data proportion correction coefficient Xb1 to correct the sensitive data proportion;
when ΔR1 < ΔR ≤ ΔR2, the data control unit selects the second data proportion correction coefficient Xb2 to correct the sensitive data proportion;
when ΔR2 < ΔR ≤ ΔR3, the data control unit selects the third data proportion correction coefficient Xb3 to correct the sensitive data proportion;
when the data control unit selects the z-th data proportion correction coefficient Xbz (z = 1, 2, 3) to correct the sensitive data proportion, it sets the corrected accessible sensitive data proportion Bmi' to Bmi' = Bmi × Xbz.
10. The operation and maintenance operation management and control system for monitoring database security according to claim 9, wherein, when it determines that the user may continue to access the storage database but that the data level accessible to the user must be lowered, the data control unit lowers the accessible data level of the user by one level, and when the user downloads data the desensitization unit desensitizes the sensitive data in real time according to the accessible sensitive data proportion so determined.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210107559.9A CN114116411B (en) 2022-01-28 2022-01-28 Operation and maintenance operation management and control system for monitoring database security

Publications (2)

Publication Number Publication Date
CN114116411A true CN114116411A (en) 2022-03-01
CN114116411B CN114116411B (en) 2022-05-03

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107194270A (en) * 2017-04-07 2017-09-22 广东精点数据科技股份有限公司 A kind of system and method for realizing data desensitization
CN110443048A (en) * 2019-07-04 2019-11-12 广州海颐信息安全技术有限公司 Data center looks into number system
CN112115482A (en) * 2020-09-16 2020-12-22 安徽长泰信息安全服务有限公司 Big data-based data security monitoring system for protecting data
US20210182423A1 (en) * 2019-01-31 2021-06-17 Salesforce.Com, Inc. Systems, methods, and apparatuses for storing pii information via a metadata driven blockchain using distributed and decentralized storage for sensitive user information

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant