CN114157501A - Parameter parsing method and device based on the Teradata database - Google Patents

Parameter parsing method and device based on the Teradata database

Info

Publication number: CN114157501A
Authority: CN (China)
Prior art keywords: data, message, database, response, target data
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Granted
Application number: CN202111489854.7A
Other languages: Chinese (zh)
Other versions: CN114157501B (en)
Inventors: 王泽元, 姚磊, 邹希良
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.): Beijing Topsec Technology Co Ltd; Beijing Topsec Network Security Technology Co Ltd; Beijing Topsec Software Co Ltd
Original Assignee: Beijing Topsec Technology Co Ltd; Beijing Topsec Network Security Technology Co Ltd; Beijing Topsec Software Co Ltd
Events: application filed by Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd and Beijing Topsec Software Co Ltd; priority to CN202111489854.7A; publication of CN114157501A; application granted; publication of CN114157501B
Legal status: Active

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/04: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F 16/00: Information retrieval; Database structures therefor; File system structures therefor
    • G06F 16/20: Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F 16/28: Databases characterised by their database models, e.g. relational or object models
    • G06F 16/284: Relational databases
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/12: Applying verification of the received information
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 69/00: Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L 69/22: Parsing or analysis of headers
    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D 10/00: Energy efficient computing, e.g. low power processors, power management or thermal management

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Signal Processing (AREA)
  • Databases & Information Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • Data Mining & Analysis (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Embodiments of the application provide a parameter parsing method and device based on the Teradata database, in the technical field of data processing. The method comprises: capturing a message flowing to the Teradata database and parsing it to obtain target data; determining from the target data whether the message is encrypted; if it is not, identifying the normal response message for a statement within the target data; and finally obtaining the returned/affected row count and the response result data of that normal response message to produce a parameter parsing result. The response parameters of the Teradata database are thus restored completely, and the failure mode in which parameters cannot be restored because the packet is encrypted is detected and avoided, so that effective and secure database security auditing is achieved.

Description

Parameter parsing method and device based on the Teradata database
Technical Field
The application relates to the technical field of data processing, and in particular to a parameter parsing method and device based on the Teradata database.
Background
The Teradata database (天睿数据库, rendered "Tianri database" in the machine translation of this page) is a relational database, described as the largest commercial database in the world. The existing database parameter parsing method is a method for parsing and restoring the SQL commands and parameters of the Shentong database: packets are captured from a bypass (mirror) port, the Shentong database's interaction data is obtained by filtering, and the corresponding parsing and restoration procedure is run according to the packet type to obtain the SQL commands and parameter contents. In practice, however, this method is specific to the Shentong database and does not apply to Teradata: it cannot directly extract the response parameters of the Teradata protocol, and it cannot restore the parameters when the packet is encrypted. The existing method is therefore unsuitable for the Teradata database, and there are cases in which parameters cannot be restored because the packet is encrypted.
Disclosure of Invention
An object of the embodiments of the present application is to provide a parameter parsing method and device based on the Teradata database which completely restore the response parameters of the Teradata database and detect up front the case in which parameters cannot be restored because the packet is encrypted, so that effective and secure database security auditing is achieved.
A first aspect of the embodiments of the present application provides a parameter parsing method based on the Teradata database, comprising:
capturing a message flowing to the application layer of the Teradata database, and parsing the message to obtain target data;
determining, from the target data, whether the message is an encrypted message;
if it is not, determining the normal response message for a statement from the target data;
and obtaining the returned/affected row count and the response result data of the normal response message to obtain a parameter parsing result.
In this implementation, a message flowing to the Teradata database is first captured and parsed to obtain target data; it is then determined from the target data whether the message is encrypted; if not, the normal response message for a statement is identified in the target data; finally, the returned/affected row count and the response result data of that normal response message are obtained as the parameter parsing result. The response parameters of the Teradata database are thus completely restored, the case in which parameters cannot be restored because the packet is encrypted is detected up front, and effective and secure database security auditing is achieved.
Further, determining from the target data whether the message is an encrypted message comprises:
determining whether transport message encryption is configured for the Teradata database;
if it is not, obtaining the encryption identifier value from a first specified byte of the target data header;
determining whether the encryption identifier value equals a preset encrypted value;
if it does, determining that the message is an encrypted message;
if it does not, determining that the message is not an encrypted message.
In this implementation, whether the packet is encrypted is determined before parsing, so that an attempt to restore parameters from an encrypted packet, which would fail, is avoided.
Further, determining the normal response message for a statement from the target data comprises:
obtaining the message type identifier value from a second specified byte position at the start of the target data header;
extracting the response message for a statement from the target data according to the message type identifier value;
obtaining the normal/abnormal flag value located a first offset, in bytes, into the target data;
and determining the normal response message from the target data according to the normal/abnormal flag value.
Further, obtaining the returned/affected row count and the response result data of the normal response message to obtain the parameter parsing result comprises:
obtaining the row-count type identifier value located a second offset into the normal response message;
obtaining, according to the row-count type identifier value, the returned/affected row count located a third offset into the normal response message;
calculating the response result data length from the data length recorded in the header of the normal response message;
reading that many bytes starting a fourth offset into the normal response message to obtain the response result data;
and generating the parameter parsing result from the response result data and the returned/affected row count.
Further, the method further comprises:
performing security detection on the parameter parsing result according to a preset database firewall security policy to obtain a detection result;
and passing or blocking the message according to the detection result.
A second aspect of the embodiments of the present application provides a parameter parsing device based on the Teradata database, comprising:
a first acquisition unit for capturing a message flowing to the application layer of the Teradata database;
a parsing unit for parsing the message to obtain target data;
a judging unit for determining from the target data whether the message is an encrypted message;
a determining unit for determining, when the message is judged not to be an encrypted message, the normal response message for a statement from the target data;
and a second acquisition unit for obtaining the returned/affected row count and the response result data of the normal response message to obtain a parameter parsing result.
In this implementation, the first acquisition unit captures a message flowing to the Teradata database and the parsing unit parses it to obtain target data; the judging unit then determines from the target data whether the message is encrypted; if not, the determining unit identifies the normal response message for a statement in the target data; finally, the second acquisition unit obtains the returned/affected row count and the response result data of that normal response message as the parameter parsing result. The response parameters of the Teradata database are thus completely restored, the case in which parameters cannot be restored because the packet is encrypted is detected up front, and effective and secure database security auditing is achieved.
Further, the judging unit comprises:
a first subunit for determining whether transport message encryption is configured for the Teradata database;
a second subunit for obtaining, when transport message encryption is determined not to be configured, the encryption identifier value from a first specified byte of the target data header;
the first subunit being further configured to determine whether the encryption identifier value equals a preset encrypted value;
and a third subunit for determining that the message is an encrypted message when the value equals the preset encrypted value, and that the message is not an encrypted message when it does not.
Further, the determining unit comprises:
a fourth subunit for obtaining the message type identifier value from a second specified byte position at the start of the target data header, and extracting the response message for a statement from the target data according to the message type identifier value;
and a fifth subunit for obtaining the normal/abnormal flag value located a first offset into the target data, and determining the normal response message from the target data according to that flag value.
A third aspect of the embodiments of the present application provides an electronic device comprising a memory and a processor, the memory storing a computer program and the processor running the computer program so that the electronic device performs the parameter parsing method based on the Teradata database according to any one of the first aspect of the embodiments of the present application.
A fourth aspect of the embodiments of the present application provides a computer-readable storage medium storing computer program instructions which, when read and executed by a processor, perform the parameter parsing method based on the Teradata database according to any one of the first aspect of the embodiments of the present application.
Drawings
To illustrate the technical solutions of the embodiments of the present application more clearly, the drawings used in the embodiments are briefly described below. It should be understood that the following drawings illustrate only some embodiments of the present application and should not be taken as limiting its scope, and that those skilled in the art can derive other related drawings from them without inventive effort.
FIG. 1 is a flowchart of a parameter parsing method based on the Teradata database according to an embodiment of the present application;
FIG. 2 is a schematic structural diagram of a parameter parsing device based on the Teradata database according to an embodiment of the present application;
FIG. 3 is a schematic diagram of the application flow of a database firewall according to an embodiment of the present application;
FIG. 4 is a logic diagram of the flow for restoring the affected/returned row count and the response result data from a Teradata database message according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application are described below with reference to the drawings of those embodiments.
It should be noted that like reference numerals and letters denote like items in the following figures, so that once an item is defined in one figure it need not be defined and explained again in subsequent figures. Also, in the description of the present application the terms "first", "second" and the like are used only to distinguish between items and are not to be construed as indicating or implying relative importance.
Example 1
Referring to FIG. 1, FIG. 1 is a flowchart of a parameter parsing method based on the Teradata database according to an embodiment of the present application. The method comprises the following steps:
S101, capturing a message flowing to the Teradata database, and parsing the message to obtain target data.
In this embodiment the method is applied in the field of database firewalls, and the executing entity is a parameter parsing device based on the Teradata database.
In this embodiment the database firewall is deployed inline in front of the database server and addresses the security problems on both the application side and the operations side of the database. It is a database security protection system based on database protocol parsing and control, and can implement access behaviour control, blocking of dangerous operations and auditing of suspicious behaviour for the database.
In this embodiment a core switch mirrors the traffic between the clients and the Teradata database to a network port of the database firewall device; the packet capture engine on the firewall device then maps that traffic locally, and the parsing engine on the device strips the captured packets layer by layer to obtain the messages. The messages are the packets, filtered by port number, that flow to the Teradata database server.
In this embodiment the Teradata database is an intelligent high-performance database that automates a series of time-consuming tasks such as workload management, compression decisions, virtual partitioning and time-series conditions, greatly improving the overall performance and manageability of a data warehouse. It supports a variety of data formats and is best suited to JSON data stored in any of several forms: the BSON format, the UBJSON format optimised for numeric data, and the JSON text format. A client can mix these three JSON storage formats seamlessly according to its business needs and data characteristics and obtain faster query performance. Teradata has strong capabilities for analysing JSON data, operational data and historical business data.
In this embodiment the target data comprises a data header and a data body.
S102, determining whether transport message encryption is configured for the Teradata database; if it is not, performing steps S103 to S104; if it is, performing step S105.
S103, obtaining the encryption identifier value from the first specified byte of the target data header.
In this embodiment, before the message is parsed it must be determined from the data header whether the transported message is encrypted; if it is, no further parsing is performed. The first check is whether transport message encryption is configured. Taking the official Teradata client (TTU) connecting to the server as an example: when ENCRYPTDATA ON is selected in the client interface, transport message encryption is configured and the message is not parsed; conversely, when ENCRYPTDATA OFF is selected, no encryption is performed.
S104, determining whether the encryption identifier value equals a preset encrypted value; if it does not, performing steps S106 to S113; if it does, performing step S105.
In this embodiment the message itself can also be inspected: the value of the second byte of the data header is read as the encryption identifier value, and if it equals a preset encrypted value the message is encrypted and is not parsed. Specifically, the preset encrypted values are 0x81 and 0x82, where 0x81 indicates an encrypted request message and 0x82 an encrypted response message (that is, the 01/02 direction byte with its high bit set).
S105, determining that the message is an encrypted message, and ending the procedure.
S106, determining that the message is not an encrypted message, and performing steps S107 to S113.
In this embodiment, by performing steps S102 to S106 it can be determined from the target data whether the message is encrypted.
In this embodiment the two methods, recognising the option flag of the official Teradata client and recognising the header flag byte of the application-layer message, can both determine whether a Teradata database message is encrypted in transit. If it is, whether to decrypt the message or to abandon parsing can be decided according to actual requirements, and the parameters and commands of the Teradata database can be identified, classified and parsed more accurately.
S107, obtaining the message type identifier value from the second specified byte position at the start of the target data header.
In this embodiment, when the message is not encrypted, the value of the first 4 bytes of the target data header is examined first. Every protocol header has these 4 bytes, which mark the beginning of a message. The second byte records the direction of the communication: 01 denotes a request and 02 denotes a response.
In this embodiment, obtaining the message type identifier value from the second specified byte position at the start of the target data header means reading the value of the first 4 bytes of the header; that value is the message type identifier.
In this embodiment the target data may be of four message types: the response message of a database version packet, the request message of a client program/tool, the request message of a request statement, and the response message for a statement. The response message must be identified from the target data according to the message type identifier value.
In this embodiment, when the first 4 bytes are 03 02 0a 00 the message is the response message of a database version packet. Its structure is: the first four bytes 03 02 0a 00, the fixed start of the version-response protocol message; then 438 fixed padding bytes; then a 2-byte version number length, recording the length of the Teradata database version number, call its value A; then the version number itself, A bytes long.
In this embodiment the response message of the database version packet can thus be parsed to extract the version number length and the version number.
In this embodiment, when the first 4 bytes are 03 01 0a 00 the message is the request message of a client program/tool. Its structure is: the first four bytes 03 01 0a 00, the fixed start of the request protocol packet; then 67 fixed padding bytes; then a 1-byte program name length, recording the length of the Teradata client program name, call its value B; then the program name itself, B bytes long.
In this embodiment the client program/tool request message can thus be parsed to extract the program name length and the program name.
In this embodiment, when the first 4 bytes are 03 01 05 00 the message is the request message of a request statement. Its structure is: the first four bytes 03 01 05 00, the fixed start of the request protocol packet; then 75 fixed padding bytes; then a 2-byte request statement length, recording the length of the SQL statement, call its value C; then the request statement itself, (C − 4) bytes long.
In this embodiment the request message of a request statement can thus be parsed to extract the request statement length and the request statement.
In this embodiment, when the first 4 bytes are 03 02 05 00 the message is the response message for a statement. Response messages are of two kinds: a normal response message, and an error response message, which carries an error code.
After step S107 the following steps are also performed:
S108, extracting the response message for a statement from the target data according to the message type identifier value.
S109, obtaining the normal/abnormal flag value located the first offset into the target data.
In this embodiment the structure of a normal response message is: the first four bytes 03 02 05 00, the fixed start of the response protocol message; then (at offset 4) a 2-byte affected/returned row flag, which is 03 when an affected row count is present and 01 or 02 when a returned row count is present; 2 bytes further on (at offset 8) a 2-byte response statement length, to which 52 is added to obtain the response message payload length; 66 bytes further on (at offset 76) the 4-byte returned/affected row count; and 58 bytes further on (from offset 134) the result set actually echoed by the server.
In this embodiment the structure of an abnormal response message is: the first four bytes 03 02 05 00, the fixed start of the response protocol message; after a further 60 bytes (at offset 64) a 2-byte error code/return code; the next 2 bytes are the error message length, call its value D; followed by D bytes of error message data, which records the text associated with the error code, such as the error report.
In this embodiment the abnormal response message can thus be parsed to extract the error code/return code, the error message length and the error message data.
As an optional implementation, by parsing the target data layer by layer the corresponding data items (such as the version number, program name, request statement, error code/return code or error message data) can be extracted as required and output for the user to browse and consult.
In this embodiment the first offset is 64 bytes: an offset of 4 bytes identifies the response message, a further 2 bytes reach the affected/returned row flag, and a further 58 bytes reach the 2-byte error code/return code, which is the normal/abnormal flag value.
S110, determining the normal response message from the target data according to the normal/abnormal flag value.
In this embodiment, by performing steps S107 to S110 the normal response message for a statement can be determined from the target data.
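The encryption check of steps S102 to S106 and the header classification and field extraction of steps S107 to S110 are shown together in the following parser. This is an added, constructed example and not the patent's or Topsec's code; it follows only the byte layout stated above (4-byte fixed header, fixed padding, length-prefixed fields, error code at offset 64). The page does not state the byte order of the multi-byte length and code fields or which error/return code value marks a normal response, so the example assumes big-endian integers and treats a code of 0 as normal; the builder functions and their sample values are constructed test input only.

```python
"""Classification and field extraction for unencrypted Teradata application-layer
messages as laid out in the patent text. Added, constructed example.
Assumptions (not stated on the page): multi-byte integers are big-endian; an
error/return code of 0 at offset 64 marks a normal statement response."""
import struct

HEADER_LEN = 4
ENCRYPTED_DIRECTIONS = {0x81: "request", 0x82: "response"}  # preset encrypted values

# Fixed 4-byte message starts given in the text
VERSION_RESPONSE   = bytes.fromhex("03020a00")
EXEC_REQUEST       = bytes.fromhex("03010a00")
STATEMENT_REQUEST  = bytes.fromhex("03010500")
STATEMENT_RESPONSE = bytes.fromhex("03020500")

ERROR_CODE_OFF = HEADER_LEN + 2 + 58   # 64: 2-byte error/return code (the normal/abnormal flag)
ERROR_LEN_OFF  = ERROR_CODE_OFF + 2    # 66: 2-byte error message length D
ERROR_TEXT_OFF = ERROR_LEN_OFF + 2     # 68: D bytes of error text


def is_encrypted(msg: bytes, encryptdata_on: bool = False) -> bool:
    """S102-S106: client ENCRYPTDATA ON, or header byte 1 equal to 0x81/0x82."""
    if encryptdata_on:
        return True
    if len(msg) < HEADER_LEN:
        raise ValueError("message shorter than the 4-byte header")
    return msg[1] in ENCRYPTED_DIRECTIONS


def _u16(msg: bytes, off: int) -> int:
    return struct.unpack_from(">H", msg, off)[0]   # big-endian: assumption


def parse_message(msg: bytes, encryptdata_on: bool = False) -> dict:
    """Classify by the 4-byte header and extract the fields the text lists."""
    if is_encrypted(msg, encryptdata_on):
        # Encrypted traffic is not parsed further (S105).
        return {"type": "encrypted", "direction": ENCRYPTED_DIRECTIONS.get(msg[1])}
    head = msg[:HEADER_LEN]
    if head == VERSION_RESPONSE:
        off = HEADER_LEN + 438                      # 438 fixed padding bytes
        a = _u16(msg, off)                          # 2-byte version length A
        return {"type": "version_response", "version": msg[off + 2:off + 2 + a].decode()}
    if head == EXEC_REQUEST:
        off = HEADER_LEN + 67                       # 67 fixed padding bytes
        b = msg[off]                                # 1-byte program name length B
        return {"type": "exec_request", "program": msg[off + 1:off + 1 + b].decode()}
    if head == STATEMENT_REQUEST:
        off = HEADER_LEN + 75                       # 75 fixed padding bytes
        c = _u16(msg, off)                          # 2-byte length C; statement is C-4 bytes
        return {"type": "statement_request", "sql": msg[off + 2:off + 2 + c - 4].decode()}
    if head == STATEMENT_RESPONSE:
        code = _u16(msg, ERROR_CODE_OFF)            # S109: normal/abnormal flag
        if code == 0:                               # 0 = normal: assumption
            return {"type": "statement_response", "ok": True}
        d = _u16(msg, ERROR_LEN_OFF)
        return {"type": "statement_response", "ok": False, "error_code": code,
                "error": msg[ERROR_TEXT_OFF:ERROR_TEXT_OFF + d].decode()}
    return {"type": "unknown", "header": head.hex()}


# Builders for constructed sample messages (test input only; layout follows the text).
def build_version_response(version: str) -> bytes:
    body = version.encode()
    return VERSION_RESPONSE + b"\x00" * 438 + struct.pack(">H", len(body)) + body


def build_exec_request(program: str) -> bytes:
    body = program.encode()
    return EXEC_REQUEST + b"\x00" * 67 + bytes([len(body)]) + body


def build_statement_request(sql: str) -> bytes:
    body = sql.encode()
    return STATEMENT_REQUEST + b"\x00" * 75 + struct.pack(">H", len(body) + 4) + body


def build_error_response(code: int, text: str) -> bytes:
    body = text.encode()
    return STATEMENT_RESPONSE + b"\x00" * 60 + struct.pack(">HH", code, len(body)) + body


if __name__ == "__main__":
    for sample in (build_version_response("17.10"),
                   build_exec_request("bteq"),
                   build_statement_request("SELECT * FROM dbc.tablesV"),
                   build_error_response(3807, "Object 'x' does not exist."),
                   bytes.fromhex("03810500") + b"\x00" * 64):   # 0x81: encrypted request
        print(parse_message(sample))
```

The parser returns a dict rather than printing so that the classification can be fed to the policy stage; when the byte order of a real capture turns out to differ, only `_u16` and the `struct` format strings need to change.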
S111, obtaining the returned/affected row count and the response result data of the normal response message to obtain the parameter parsing result.
As an optional implementation, obtaining the returned/affected row count and the response result data of the normal response message to obtain the parameter parsing result comprises:
obtaining the row-count type identifier value located the second offset into the normal response message;
obtaining, according to the row-count type identifier value, the returned/affected row count located the third offset into the normal response message;
calculating the response result data length from the data length recorded in the header of the normal response message;
reading that many bytes starting the fourth offset into the normal response message to obtain the response result data;
and generating the parameter parsing result from the response result data and the returned/affected row count.
In the above embodiment the response result data length N is calculated as: N = application-layer header length − 164 bytes.
In the above embodiment, obtaining the row-count type identifier value located the second offset into the normal response message means reading the 2-byte identifier at offset 4 of the normal response message, where 03 flags an affected row count, 01 or 02 flags a returned row count, and 00 indicates that there is no returned/affected row count.
In the above embodiment, obtaining the returned/affected row count located the third offset into the normal response message means reading the 4-byte row count at offset 76 of the normal response message.
In the above embodiment, when the row-count type identifier value is 00 there is no returned/affected row count and it need not be read.
In the above embodiment, reading the response result data starting the fourth offset into the normal response message means reading N bytes starting at offset 134 of the normal response message; those bytes are the response result data.
In this embodiment the response result data comprises the complete query result set.
In this embodiment, by capturing, filtering and parsing the payload of the Data-type packets of the communication protocol between a Teradata application client and the Teradata database, the request and response messages are classified and decomposed, and the complete message is recovered from the parameter positions. Because a bypass (mirror) mode is used, no network change or configuration modification to the existing system is needed, and normal operation of the system is not affected.
After step S111, the following steps are also included:
and S112, carrying out security detection on the parameter analysis result according to a preset database firewall security policy to obtain a detection result.
And S113, performing releasing or blocking processing on the data message according to the detection result.
In the embodiment of the application, the firewall security policy of the database is matched with the restored response result data and the number of the influence/return lines, security detection is performed, and the message is blocked or released according to the detection result, so that the aim of protecting the TianRui database is fulfilled.
In the embodiment of the application, the preset database firewall security policy comprises an anti-collision library, a dangerous operation blocking policy, a sensitive information access desensitization policy, an access return line number control policy and the like, wherein the attack terminal can be locked when the password input times reach a preset threshold value through the anti-collision library; blocking the behaviors when the dangerous behaviors such as full deletion, modification and the like are executed by applying the dangerous operation blocking strategy; the desensitization strategy can be accessed through sensitive information, different data are returned according to the authority of an accessor, real data can be seen when the authority is enough, desensitized data are returned when the authority is insufficient, and sensitive information leakage is avoided; and managing parameter analysis results according to the access return line number control strategy, so that the phenomenon that a large amount of databases are illegally exported at one time to cause large amount of data loss is avoided.
In the embodiment of the application, the method can completely restore the SQL commands and parameters of the TianRui database and the complete query result set, so as to realize effective database security auditing.
In the embodiment of the application, the method mainly relies on bypass analysis and on recognition of message characteristics, which reduces the difficulty and labor cost of data auditing. The bypass analysis approach obtains the interactive messages between the TianRui database client and server through an unofficial channel, such as network packet analysis software, and analyzes them to derive the communication message rules.
Referring to fig. 3 and fig. 4 together, fig. 3 is a schematic diagram of a database firewall application flow provided in the embodiment of the present application, and fig. 4 is a logical diagram of the flow for restoring the returned/affected row count and the response result data in a TianRui database message provided in the embodiment of the present application. As shown in fig. 3, taking the restoration of the returned/affected row count and response result data in a TianRui database message as an example, the specific flow is as follows, where the corresponding request and response message types are obtained by parsing the application-layer header data:
First, the value of the 2nd byte is judged: when the value is 82, the data message is encrypted and is not parsed; when the value is 02, the message is a response message. Bytes 9-10 are extracted as the record length, and adding 52 bytes gives the response message payload length.
Second, as shown in fig. 4, when the current 4 bytes are 03020500 the message is determined to be a response statement message; without further offset, 2 bytes are taken as the affected/returned row count flag, where the affected row count flag is 03 and the returned row count flag is 01 or 02; after a further offset of 58 bytes, 2 bytes are taken as the error code/return code, and then the third or the fourth step is executed.
Third, as shown in fig. 4, when the response message is determined to be an abnormal response message according to the error code/return code, then on the basis of the second step the next 2 bytes are taken as the error message length D, the following D bytes are taken as the error message according to that length, and the process ends.
Fourth, as shown in fig. 4, when the response message is determined to be a normal response message according to the error code/return code, then on the basis of the second step, after a further offset of 10 bytes, 4 bytes are taken as the returned/affected row count (if the preceding returned/affected flag is 00, no row count is taken); after a further offset of 58 bytes, N bytes are taken as the response result data, and the fifth step follows.
Fifth, the database firewall security policy is matched against the restored response result data and returned/affected row count, security detection is performed, and the message is blocked or released according to the detection result, so as to protect the TianRui database.
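The five steps above and the access return row count control policy, as an added Python example that is not part of the patent: the parser reads the 2nd header byte (82 = encrypted, 02 = response), derives the payload length from bytes 9-10 plus 52, checks for the 03020500 response-statement body, and branches on the error code/return code into either the D-byte error message or the row count at offset 76 and the result data at offset 134, failing closed on truncated input. The 10-byte header length, big-endian integers, a return code of 0 meaning "normal" and the sample messages are assumptions not stated in the patent.

```python
from dataclasses import dataclass
from typing import Optional

# From the description: 2nd header byte 0x82 = encrypted, 0x02 = response;
# bytes 9-10 hold the record length, to which 52 is added for the payload length.
HEADER_LEN = 10                     # assumption: body starts right after 10 bytes
TYPE_ENCRYPTED, TYPE_RESPONSE, RECORD_LEN_ADJUST = 0x82, 0x02, 52
RESPONSE_STMT_MARKER = bytes.fromhex("03020500")
# Offsets inside the response-statement body, relative to the marker: flag at 4,
# return code at 4+2+58=64, error length at 66 (text at 68), row count at
# 66+10=76, result data at 76+58=134 (matching the 4/76/134 offsets above).
OFF_FLAG, OFF_CODE, OFF_ERR_LEN, OFF_ERR_TEXT, OFF_ROWS, OFF_RESULT = 4, 64, 66, 68, 76, 134
FLAG_NONE, FLAG_RET_A, FLAG_RET_B, FLAG_AFFECTED = 0x00, 0x01, 0x02, 0x03

@dataclass
class ParsedResponse:
    encrypted: bool
    is_error: bool = False
    error_code: int = 0
    error_text: bytes = b""
    row_kind: str = "none"          # "none", "returned" or "affected"
    row_count: Optional[int] = None
    result_data: bytes = b""

def _uint(buf: bytes, off: int, size: int) -> int:
    """Bounds-checked big-endian read (endianness is an assumption)."""
    if off + size > len(buf):
        raise ValueError(f"truncated: need {size} bytes at offset {off}")
    return int.from_bytes(buf[off:off + size], "big")

def parse_response(pkt: bytes) -> ParsedResponse:
    """Steps 1-4: header check, then branch on the error code/return code."""
    if len(pkt) < HEADER_LEN:
        raise ValueError("packet shorter than application-layer header")
    msg_type = pkt[1]                                  # the 2nd byte
    if msg_type == TYPE_ENCRYPTED:
        return ParsedResponse(encrypted=True)          # step 1: do not parse
    if msg_type != TYPE_RESPONSE:
        raise ValueError(f"not a response message: type {msg_type:#04x}")
    payload_len = _uint(pkt, 8, 2) + RECORD_LEN_ADJUST  # bytes 9-10, plus 52
    body = pkt[HEADER_LEN:HEADER_LEN + payload_len]
    if len(body) != payload_len:
        raise ValueError("declared payload length exceeds captured bytes")
    if not body.startswith(RESPONSE_STMT_MARKER):      # step 2: 03020500
        raise ValueError("not a response-statement message")
    flag = _uint(body, OFF_FLAG, 2)
    code = _uint(body, OFF_CODE, 2)
    res = ParsedResponse(encrypted=False, error_code=code)
    if code != 0:                                      # assumption: 0 = normal
        res.is_error = True                            # step 3: D-byte error text
        d = _uint(body, OFF_ERR_LEN, 2)
        if OFF_ERR_TEXT + d > len(body):
            raise ValueError("error text length D exceeds payload")
        res.error_text = body[OFF_ERR_TEXT:OFF_ERR_TEXT + d]
        return res
    if flag == FLAG_AFFECTED:                          # step 4
        res.row_kind = "affected"
    elif flag in (FLAG_RET_A, FLAG_RET_B):
        res.row_kind = "returned"
    if flag != FLAG_NONE:
        res.row_count = _uint(body, OFF_ROWS, 4)
    if len(body) < OFF_RESULT:
        raise ValueError("normal response shorter than result offset")
    res.result_data = body[OFF_RESULT:]                # N = payload_len - 134
    return res

def apply_row_limit_policy(res: ParsedResponse, max_rows: int) -> str:
    """Step 5 (access return row count control): block oversized result sets."""
    if res.encrypted:
        return "encrypted"          # not parsed; decrypt or skip per site policy
    if res.is_error or res.row_kind != "returned" or res.row_count is None:
        return "pass"
    return "block" if res.row_count > max_rows else "pass"

def build_packet(body: bytes, msg_type: int = TYPE_RESPONSE) -> bytes:
    """Constructed sample: 10-byte header carrying type byte and record length."""
    header = bytearray(HEADER_LEN)
    header[1] = msg_type
    header[8:10] = (len(body) - RECORD_LEN_ADJUST).to_bytes(2, "big")
    return bytes(header) + body

def build_normal_body(flag: int, rows: int, result: bytes) -> bytes:
    body = bytearray(OFF_RESULT)                       # zero-filled up to 134
    body[0:4] = RESPONSE_STMT_MARKER
    body[OFF_FLAG:OFF_FLAG + 2] = flag.to_bytes(2, "big")
    body[OFF_ROWS:OFF_ROWS + 4] = rows.to_bytes(4, "big")
    return bytes(body) + result

def build_error_body(code: int, text: bytes) -> bytes:
    body = bytearray(OFF_ERR_TEXT)                     # zero-filled up to 68
    body[0:4] = RESPONSE_STMT_MARKER
    body[OFF_CODE:OFF_CODE + 2] = code.to_bytes(2, "big")
    body[OFF_ERR_LEN:OFF_ERR_LEN + 2] = len(text).to_bytes(2, "big")
    return bytes(body) + text
```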
In the embodiment of the application, the method completely parses the communication protocol of the TianRui database and restores the parameters and SQL statements of requests and responses, improving the accuracy of data auditing and providing a method reference for personnel engaged in related work, so that corresponding prevention and blocking can be realized.
It can be seen that, by implementing the parameter analysis method based on the TianRui database described in this embodiment, the response parameters of the TianRui database can be completely restored, and the situation in which parameters cannot be restored because the data packets are encrypted can be avoided, thereby realizing effective database security auditing.
Embodiment 2
Please refer to fig. 2, which is a schematic structural diagram of a parameter analysis apparatus based on a TianRui database according to an embodiment of the present application. As shown in fig. 2, the parameter analysis apparatus based on the TianRui database includes:
a first obtaining unit 210, configured to obtain a data message flowing to the TianRui database;
in the embodiment of the application, the method is applied to the field of database firewalls.
In the embodiment of the application, the database firewall is deployed in series in front of the database server to address the problems of both the application side and the operation and maintenance side of the database. It is a database security protection system based on database protocol analysis and control technology, and can realize access behavior control, dangerous operation blocking and suspicious behavior auditing for the database.
In the embodiment of the application, the core switch mirrors the communication data between the client and the TianRui database to the network port of the database firewall device; the packet capturing engine on the device then maps the communication data locally, and the analysis engine on the device strips and parses the captured packets layer by layer to obtain the data messages, where the data messages comprise the packets that are filtered by port number and flow to the TianRui database server.
In the embodiment of the application, the TianRui database (Teradata database) is an intelligent high-performance database that can automatically complete a series of time-consuming tasks such as workload management, compression decisions, virtual partitioning and time-series conditions, greatly improving the overall performance and manageability of a data warehouse. The TianRui database supports various data formats and is well suited to JSON data stored in several forms, such as the BSON format, the UBJSON format specially optimized for numeric data, and the JSON text format. A client can seamlessly mix the three JSON storage formats according to service requirements and data attributes and obtain faster query performance. The Teradata database has strong capabilities for analyzing JSON data, operational data and historical service data.
a parsing unit 220, configured to parse the data message to obtain target data;
a judging unit 230, configured to judge whether the data message is an encrypted message according to the target data;
a determining unit 240, configured to determine a normal response message of a response statement from the target data when the data message is determined not to be an encrypted message;
a second obtaining unit 250, configured to obtain the returned/affected row count and the response result data of the normal response message, so as to obtain a parameter analysis result.
As an optional implementation, the determining unit 230 includes:
a first subunit 231, configured to determine whether the TianRui database is preset with a transmission message encryption configuration;
a second subunit 232, configured to, when it is determined that the transmission message encryption configuration is not preset, obtain an encryption identification value of a first specified byte of the header of the target data;
the first subunit 231 is further configured to determine whether the encryption identification value is a preset encrypted value;
a third subunit 233, configured to determine that the data message is an encrypted message when the encryption identification value is determined to be the preset encrypted value, and to determine that the data message is not an encrypted message when it is determined not to be the preset encrypted value.
As an alternative embodiment, the determining unit 240 includes:
a fourth subunit 241, configured to obtain a message type identification value of a second specified byte at the front of the header of the target data, and to extract a response message of a response statement from the target data according to the message type identification value;
a fifth subunit 242, configured to obtain a normal/abnormal identification value after the target data is offset by the first offset byte, and to determine a normal response message from the target data according to the normal/abnormal identification value.
As an alternative embodiment, the second obtaining unit 250 includes:
a sixth subunit 251, configured to obtain a returned/affected row count identification value after the normal response message is offset by the second offset byte, and to obtain the returned/affected row count after the normal response message is offset by the third offset byte, according to the returned/affected row count identification value;
a seventh subunit 252, configured to calculate the response result data length according to the header data length of the normal response message, and to obtain data of the response result data length after the normal response message is offset by the fourth offset byte, giving the response result data;
an eighth subunit 253, configured to generate a parameter analysis result according to the response result data and the returned/affected row count.
As an optional implementation, the parameter analysis apparatus based on the TianRui database further includes:
a security detection unit 260, configured to perform security detection on the parameter analysis result according to a preset database firewall security policy to obtain a detection result;
a message processing unit 270, configured to release or block the data message according to the detection result.
In the embodiment of the application, the preset database firewall security policy comprises an anti-credential-stuffing policy, a dangerous operation blocking policy, a sensitive information access desensitization policy, an access return row count control policy and the like. Through the anti-credential-stuffing policy, the attacking terminal is locked once the number of password attempts reaches a preset threshold; through the dangerous operation blocking policy, dangerous behaviors such as full-table deletion or modification are blocked when executed; through the sensitive information access desensitization policy, different data is returned according to the visitor's authority, so that real data is seen when the authority is sufficient and desensitized data is returned when it is not, avoiding sensitive information leakage; and through the access return row count control policy, the parameter analysis results are managed so that a large volume of database data cannot be illegally exported at once, avoiding large-scale data loss.
In the embodiment of the application, the parameter analysis device based on the TianRui database parses traffic through the bypass; the complete parsing of the TianRui database communication protocol can be used to analyze and restore the SQL commands and audit parameters of requests and responses, which improves the accuracy of security auditing and reduces audit difficulty. The protection point of the scheme is not limited to this: any parameter analysis, restoration, replacement or content supplementation of the TianRui database using this method falls within the protection scope of the scheme. Meanwhile, two methods can be used to judge whether a TianRui database data message is encrypted in transmission: identifying the option flag of the official TianRui client, and identifying the header flag byte of the application layer of the transmitted message. If the data message is encrypted, whether to decrypt it or to parse it is decided according to actual requirements, so that the parameters and commands of the TianRui database can be identified, classified and parsed more accurately.
In this embodiment, the target data may include four message types: a response message identifying the database version packet, a request message identifying the execution program/tool, a request message identifying the request statement, and a response message identifying the response statement. The response message needs to be identified from the target data according to the message type identification value.
In the embodiment of the application, the response message of the database version packet can be parsed, and the corresponding version number length and version number extracted.
In the embodiment of the application, the execution program/tool request message can be parsed, and the corresponding execution program name length and execution program name extracted.
In the embodiment of the application, the request message of the request statement can be parsed, and the corresponding request statement length and request statement extracted.
In the embodiment of the application, the abnormal response message can be parsed, and the corresponding error code/return code, error message length and error message data extracted.
As an optional implementation manner, by analyzing the target data layer by layer, corresponding data information (such as a version number, an execution program name, a request statement, an error code/return code, or error information prompt data, etc.) can be extracted according to a requirement, and the data information is output for a user to browse and refer.
In the embodiment of the present application, for the explanation of the parameter analysis device based on the TianRui database, reference may be made to the description in embodiment 1, which is not repeated in this embodiment.
It can be seen that the parameter analysis device based on the TianRui database described in this embodiment can completely restore the response parameters of the TianRui database, and can avoid the situation in which parameters cannot be restored because the data packets are encrypted, thereby implementing effective database security auditing.
An embodiment of the present application provides an electronic device, including a memory and a processor, where the memory is used to store a computer program, and the processor runs the computer program to make the electronic device execute the parameter analysis method based on the TianRui database in embodiment 1 of the present application.
An embodiment of the present application provides a computer-readable storage medium, which stores computer program instructions, and when the computer program instructions are read and executed by a processor, the parameter analysis method based on the TianRui database in embodiment 1 of the present application is performed.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method can be implemented in other ways. The apparatus embodiments described above are merely illustrative, and for example, the flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present application or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application. It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.

Claims (10)

1. A parameter analysis method based on a TianRui database is characterized by comprising the following steps:
acquiring a data message flowing to an application layer of the TianRui database, and parsing the data message to obtain target data;
judging whether the data message is an encrypted message or not according to the target data;
if not, determining a normal response message of a response sentence from the target data;
and acquiring the returned/affected row count and the response result data of the normal response message to obtain a parameter analysis result.
2. The method of claim 1, wherein the determining whether the data packet is an encrypted packet according to the target data comprises:
judging whether the TianRui database is preset with transmission message encryption configuration or not;
if not, acquiring an encryption identification value of a first specified byte of the header of the target data;
judging whether the encrypted identification value is a preset encrypted value or not;
if yes, determining that the data message is an encrypted message;
if not, determining that the data message is not an encrypted message.
3. The method of claim 1, wherein the determining the normal response message of the response sentence from the target data comprises:
acquiring a message type identification value of a second specified byte at the front of the header of the target data;
extracting a response message of a response statement from the target data according to the message type identification value;
acquiring a normal/abnormal identification value after the target data is offset by a first offset byte;
and determining a normal response message from the target data according to the normal/abnormal identification value.
4. The method as claimed in claim 1, wherein the obtaining the returned/affected row count and the response result data of the normal response message to obtain the parameter analysis result comprises:
acquiring a returned/affected row count identification value after the normal response message is offset by a second offset byte;
acquiring the returned/affected row count after the normal response message is offset by a third offset byte, according to the returned/affected row count identification value;
calculating the response result data length according to the header data length of the normal response message;
acquiring data of the response result data length after the normal response message is offset by a fourth offset byte, to obtain the response result data;
and generating a parameter analysis result according to the response result data and the returned/affected row count.
5. The method of claim 1, wherein the method further comprises:
performing security detection on the parameter analysis result according to a preset database firewall security policy to obtain a detection result;
and performing releasing or blocking processing on the data message according to the detection result.
6. A parameter analysis device based on a TianRui database, the parameter analysis device based on the TianRui database comprising:
a first acquisition unit, configured to acquire a data message flowing to an application layer of the TianRui database;
the analysis unit is used for analyzing the data message to obtain target data;
the judging unit is used for judging whether the data message is an encrypted message or not according to the target data;
a determining unit, configured to determine a normal response message of a response statement from the target data when the data message is determined not to be an encrypted message;
and a second acquisition unit, configured to acquire the returned/affected row count and the response result data of the normal response message to obtain a parameter analysis result.
7. The parameter analysis device based on the TianRui database according to claim 6, wherein the judging unit comprises:
a first subunit, configured to judge whether the TianRui database is preset with a transmission message encryption configuration;
the second subunit is configured to, when it is determined that the transmission packet encryption configuration is not preset, obtain an encryption identification value of a first specified byte of the header of the target data;
the first subunit is further configured to determine whether the encrypted identification value is a preset encrypted value;
a third subunit, configured to determine that the data message is an encrypted message when the encryption identification value is determined to be the preset encrypted value, and to determine that the data message is not an encrypted message when it is determined not to be the preset encrypted value.
8. The parameter analysis device based on the TianRui database as claimed in claim 6, wherein the determining unit comprises:
a fourth subunit, configured to obtain a message type identification value of a second specified byte at the front of the header of the target data, and to extract a response message of a response statement from the target data according to the message type identification value;
a fifth subunit, configured to obtain a normal/abnormal identification value after the target data is offset by the first offset byte, and to determine a normal response message from the target data according to the normal/abnormal identification value.
9. An electronic device, characterized in that the electronic device comprises a memory for storing a computer program and a processor for executing the computer program to cause the electronic device to perform the parameter analysis method based on the TianRui database as claimed in any one of claims 1 to 5.
10. A readable storage medium, wherein computer program instructions are stored in the readable storage medium, and when the computer program instructions are read and executed by a processor, the parameter analysis method based on the TianRui database as claimed in any one of claims 1 to 5 is performed.
CN202111489854.7A 2021-12-08 2021-12-08 Parameter analysis method and device based on TianRui database Active CN114157501B (en)
Publications (2)

Publication Number Publication Date
CN114157501A true CN114157501A (en) 2022-03-08
CN114157501B CN114157501B (en) 2024-01-23
CN109409113B (en) Power grid data safety protection method and distributed power grid data safety protection system
CN107302586A (en) A kind of Webshell detection methods and device, computer installation, readable storage medium storing program for executing
CN114154995A (en) Abnormal payment data analysis method and system applied to big data wind control
CN112182604A (en) File detection system and method
CN112925805A (en) Big data intelligent analysis application method based on network security
CN112671801A (en) Network security detection method and system
CN112714118A (en) Network flow detection method and device
CN116185785A (en) Early warning method and device for file abnormal change
CN109190408B (en) Data information security processing method and system
CN116451071A (en) Sample labeling method, device and readable storage medium
CN114969450A (en) User behavior analysis method, device, equipment and storage medium
CN114186278A (en) Database abnormal operation identification method and device and electronic equipment
CN112668023A (en) Database operation security detection method and device and operation system
CN111934949A (en) Safety test system based on database injection test
CN114760083A (en) Method and device for issuing attack detection file and storage medium
CN117201190B (en) Mail attack detection method and device, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant