CN114186225A - Database detection method and device, electronic equipment and storage medium - Google Patents



Publication number
CN114186225A
Authority
CN
China
Prior art keywords
detection
database
behavior
preset
current database
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111482967.4A
Other languages
Chinese (zh)
Inventor
尹国晋
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Original Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Application filed by Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd and Beijing Topsec Software Co Ltd
Priority to CN202111482967.4A
Publication of CN114186225A


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1441 Countermeasures against malicious traffic

Abstract

The application provides a database detection method, a database detection apparatus, an electronic device and a storage medium. The method comprises the following steps: acquiring traffic data for a current database; extracting a first behavior feature for the current database from the traffic data through a preset extraction strategy; and performing security detection on the first behavior feature through a preset detection rule base to obtain a detection result indicating whether the traffic data poses a security threat to the current database. Each detection rule in the preset detection rule base can detect the same type of attack behavior across multiple types of databases, so security detection can be performed uniformly on different types of databases; corresponding detection rules therefore do not need to be deployed separately for each database type, and the difficulty of database detection and of operation and maintenance management is reduced.

Description

Database detection method and device, electronic equipment and storage medium
Technical Field
The present application relates to the field of network security technologies, and in particular, to a database detection method, an apparatus, an electronic device, and a storage medium.
Background
In the internet era, database security receives ever more attention. Since the database is the medium in which data is stored, protecting the database is an important link in data protection. At present, the database auditing systems and database firewalls on the market implement the auditing function and part of the detection function for a database. For detecting password attacks on the database, however, such a system needs to extract the password attack behavior separately for each database type and then configure a database instance for each type of database in order to detect the extracted database-related information, so the difficulty of detection and of operation and maintenance is high.
Disclosure of Invention
An object of the embodiments of the present application is to provide a database detection method, an apparatus, an electronic device and a storage medium that solve the problem of high detection and operation and maintenance difficulty when performing security detection on multiple types of databases.
In order to achieve the above object, embodiments of the present application are implemented as follows:
In a first aspect, an embodiment of the present application provides a database detection method, where the method includes: acquiring traffic data for a current database; extracting a first behavior feature for the current database from the traffic data through a preset extraction strategy; and performing security detection on the first behavior feature through a preset detection rule base to obtain a detection result indicating whether the traffic data poses a security threat to the current database, where the preset detection rule base includes a plurality of detection rules and each detection rule is used to detect the same type of attack behavior for multiple types of databases.
In the above embodiment, the first behavior feature for the current database is extracted from the traffic data, and the first behavior feature is then subjected to security detection using the preset detection rule base. Because each detection rule in the preset detection rule base can detect the same type of attack behavior across multiple types of databases, security detection is performed uniformly on different types of databases; corresponding detection rules do not need to be deployed separately for each database type, and the difficulty of database detection and of operation and maintenance is reduced.
With reference to the first aspect, in some optional embodiments, before obtaining the traffic data for the current database, the method further comprises:
acquiring behavior data for multiple types of databases; extracting, from the behavior data, a second behavior feature corresponding to each type of attack behavior on the multiple types of databases; and creating a detection rule corresponding to each type of attack behavior according to the second behavior feature, so as to form the preset detection rule base.
In the foregoing embodiment, the second behavior feature of the same type of attack behavior across multiple types of databases is extracted, and a detection rule for detecting that second behavior feature is created. When detecting attack behavior against databases, one detection rule can therefore detect the same type of attack behavior uniformly on different types of databases, which eliminates the problem that different types of databases cannot be detected uniformly because their behavior data differ.
With reference to the first aspect, in some optional implementations, performing security detection on the first behavior feature through a preset detection rule base to obtain a detection result indicating whether the traffic data poses a security threat to the current database includes:
performing password attack detection on the first behavior feature through the preset detection rule base;
when the first behavior feature satisfies a preset password-error condition, matching a target node corresponding to the first behavior feature on a rotation tree, where the rotation tree includes a plurality of preset nodes and each preset node holds a corresponding class of data set;
and when the number of times or the frequency of matching the target node reaches a corresponding set value, outputting a detection result indicating that the traffic data poses a security threat to the current database.
In the above embodiment, storing nodes in a rotation tree improves node matching efficiency, so combining the preset detection rule base with the rotation tree improves detection efficiency.
With reference to the first aspect, in some optional embodiments, matching a target node corresponding to the first behavior feature on a rotation tree includes:
matching the first behavior feature against the nodes of the rotation tree that are in the live state, where a node having a key-value relation with the first behavior feature is taken as the matched target node, and each node on the rotation tree has a corresponding life cycle.
With reference to the first aspect, in some optional embodiments, the method further comprises:
removing, from the rotation tree, nodes whose life cycle has ended.
With reference to the first aspect, in some optional embodiments, the method further comprises:
blocking the traffic data when the detection result indicates that the traffic data poses a security threat to the current database.
With reference to the first aspect, in some optional embodiments, the method further comprises:
outputting an alarm prompt when the detection result indicates that the traffic data poses a security threat to the current database.
In a second aspect, the present application further provides a database detection apparatus, including:
an acquisition unit configured to acquire traffic data for a current database;
a feature extraction unit, configured to extract a first behavior feature for the current database from the traffic data through a preset extraction strategy;
and a detection unit, configured to perform security detection on the first behavior feature through a preset detection rule base to obtain a detection result indicating whether the traffic data poses a security threat to the current database, where the preset detection rule base includes a plurality of detection rules and each detection rule is used to detect the same type of attack behavior for multiple types of databases.
In a third aspect, the present application further provides an electronic device, which includes a processor and a memory coupled to each other, and the memory stores a computer program, and when the computer program is executed by the processor, the electronic device is caused to perform the above-mentioned method.
In a fourth aspect, the present application also provides a computer-readable storage medium having stored thereon a computer program which, when run on a computer, causes the computer to perform the method described above.
Drawings
In order to illustrate the technical solutions of the embodiments of the present application more clearly, the drawings required by the embodiments are briefly described below. It should be understood that the following drawings illustrate only some embodiments of the present application and should therefore not be considered as limiting its scope; those skilled in the art can also obtain other related drawings from these drawings without inventive effort.
Fig. 1 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Fig. 2 is a schematic flowchart of a database detection method according to an embodiment of the present application.
Fig. 3 is a flowchart illustrating the sub-steps of step S130.
Fig. 4 is a block diagram of a database detection apparatus according to an embodiment of the present application.
Reference numerals: 10 - electronic device; 11 - processing module; 12 - storage module; 13 - communication module; 200 - database detection apparatus; 210 - obtaining unit; 220 - feature extraction unit; 230 - detection unit.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application. It should be noted that the terms "first," "second," and the like are used merely to distinguish one description from another, and are not intended to indicate or imply relative importance. The embodiments described below and the features of the embodiments can be combined with each other without conflict.
Referring to fig. 1, the present application provides an electronic device 10, which can perform security supervision on multiple types of databases to improve security of database operations.
The electronic device 10 may include a processing module 11 and a storage module 12. The storage module 12 stores a computer program which, when executed by the processing module 11, enables the electronic device 10 to perform the steps of the database detection method described below.
The electronic device 10 may be, but is not limited to, a personal computer, a server, etc., and may collect traffic data for a corresponding operation of a database.
It should be noted that the structure shown in fig. 1 is only a schematic structural diagram of the electronic device 10, and the electronic device 10 may further include more components than those shown in fig. 1. The components shown in fig. 1 may be implemented in hardware, software, or a combination thereof. For example, the electronic device 10 may further include a communication module 13 for establishing a communication connection with other devices. For example, the electronic device 10 may establish a communication connection with a user terminal, a server in which a database is deployed, or the like.
Referring to fig. 2, the present application provides a database detection method, which can be applied to the electronic device 10, where the electronic device 10 executes or implements each step of the method, and the method may include the following steps:
step S110, acquiring traffic data for a current database;
step S120, extracting a first behavior feature for the current database from the traffic data through a preset extraction strategy;
step S130, performing security detection on the first behavior feature through a preset detection rule base to obtain a detection result indicating whether the traffic data poses a security threat to the current database, where the preset detection rule base includes a plurality of detection rules and each detection rule is used to detect the same type of attack behavior for multiple types of databases.
In the above embodiment, the first behavior feature for the current database is extracted from the traffic data, and the first behavior feature is then subjected to security detection using the preset detection rule base. Because each detection rule in the preset detection rule base can detect the same type of attack behavior across multiple types of databases, security detection is performed uniformly on different types of databases; corresponding detection rules do not need to be deployed separately for each database type, and the difficulty of database detection and of operation and maintenance is reduced.
The individual steps of the method are explained in detail below.
Before step S110, the method may include a step of creating the preset detection rule base. For example, before step S110, the method may include:
step S101, acquiring behavior data for multiple types of databases;
step S102, extracting, from the behavior data, a second behavior feature corresponding to each type of attack behavior on the multiple types of databases;
step S103, creating a detection rule corresponding to each type of attack behavior according to the second behavior feature, so as to form the preset detection rule base.
In step S101, the behavior data may be historical data collected from the traffic data of multiple types of databases. Which database types make up the multiple types can be determined flexibly according to the actual situation; by way of example, they include but are not limited to MySQL and Oracle databases, which are well known to those skilled in the art.
The behavior data may include, but is not limited to, source user information, server information of the destination database, database information, database operation commands and database server response information, and may be determined flexibly according to the actual situation.
For example, when a user logs in to a database, the behavior data may include the contents of the fields corresponding to the login behavior. Different types of databases generally differ in the contents of the fields corresponding to login behavior.
In step S102, when the same type of behavior occurs on different types of databases, the corresponding behavior data usually differ. For example, when a wrong password is used to log in to a MySQL database, an error code is generated automatically; when a wrong password is used to log in to an Oracle database, an error code is likewise generated automatically. The contents of the two error codes are not identical, but they represent the same behavior feature, namely that the login password is wrong.
The second behavior feature may be understood as a feature characterizing a possible attack behavior; the "login password error" described above, for example, may be regarded as a second behavior feature.
The types of attack behavior can be determined flexibly according to the actual situation and include, but are not limited to, data tampering, password brute-force cracking and the like. Abstracting the behavior data of the same type of attack behavior across multiple databases into features yields the behavior features needed for password attack detection (for example, the behavior data of the error code is abstracted into the behavior feature "login password error"). The behavior features of the behavior data of the various databases can then be detected, which eliminates the problem that databases of different types cannot be detected uniformly.
In step S103, the detection rule may be determined flexibly according to the actual situation and may be, but is not limited to, a regular expression for detecting the various types of behavior feature. Each detection rule may have a unique number to facilitate distinguishing and indexing. The detection rules corresponding to each type of attack behavior together form a rule base that serves as the preset detection rule base.
Therefore, when detecting attack behavior against databases, one detection rule can detect attack behavior uniformly on different types of databases, which eliminates the problem that different types of databases cannot be detected uniformly because their behavior data differ.
In step S110, the electronic device 10 may acquire the traffic data formed by the user's various operations on the current database.
In this embodiment, one electronic device 10 may obtain traffic data for one or more types of databases at the same time, so that multiple types of databases can be detected and analyzed simultaneously. The traffic data may be real-time data formed by the real-time operations of an operator or an attacker on the corresponding database, or historical data.
The traffic data includes, but is not limited to, user information of the operating user, device information, information of the server where the current database is located, information of the current database, the database operation command and the database server response information.
In step S120, the preset extraction strategy may be determined flexibly according to the actual situation. It is used to extract the data or key fields related to the operation behavior from the traffic data and then, based on the extracted key fields or data, to determine the behavior feature corresponding to those key fields as the first behavior feature.
For example, the preset extraction strategy may extract from the traffic data the error code indicating that the password with which the user logged in to the database is wrong, and then, based on that error code, obtain the behavior feature "login password error" as the first behavior feature.
In step S130, after the first behavior feature has been extracted, it may be detected using the corresponding detection rule in the preset detection rule base to obtain the corresponding detection result.
Referring to fig. 3, step S130 includes the following sub-steps:
step S131, performing password attack detection on the first behavior feature through the preset detection rule base;
step S132, when the first behavior feature satisfies a preset password-error condition, matching a target node corresponding to the first behavior feature on a rotation tree, where the rotation tree includes a plurality of preset nodes and each preset node holds a corresponding class of data set;
step S133, when the number of times or the frequency of matching the target node reaches a corresponding set value, outputting a detection result indicating that the traffic data poses a security threat to the current database.
In step S131, the detection rules in the preset detection rule base may be used to detect whether the first behavior feature satisfies the corresponding preset condition. Different detection rules may correspond to different preset conditions.
For example, a detection rule may detect whether the first behavior feature is the behavior feature "the number of login password errors within a preset time period exceeds a preset upper limit".
If the first behavior feature satisfies the corresponding preset condition, the first behavior feature is a feature of a password attack, and the process proceeds to step S132.
In step S132, the rotation tree is the structure in which the password attack detection engine of the electronic device 10 caches its detection state. One node on the rotation tree may correspond to one class of data set; for example, a node corresponds to the relevant behavior data of one operating user.
Understandably, the nodes in the rotation tree are created in advance. When creating the nodes of the rotation tree, a detection rule together with the behavior data or behavior feature matched by that rule can be stored on the rotation tree as one node, and the nodes corresponding to the plurality of detection rules form the plurality of nodes on the rotation tree. In this way a key-value relation exists between the nodes on the rotation tree and the behavior features corresponding to the behavior data: the behavior feature serves as the Key for indexing the node, the behavior data in the node serves as the Value, and the node corresponding to the second behavior feature can be indexed on the rotation tree through the Key-Value correspondence.
Storing nodes in a rotation tree improves retrieval efficiency when the keys are not complex, which helps to mitigate the performance problem that adding the detection engine to the electronic device 10 might otherwise cause.
Step S132 may include: matching the first behavior feature against the nodes of the rotation tree that are in the live state, where a node having a key-value relation with the first behavior feature is taken as the matched target node, and each node on the rotation tree has a corresponding life cycle.
Understandably, each node on the rotation tree has a corresponding life cycle; the life cycles of different nodes can differ and can be set flexibly according to the actual situation. When the first behavior feature is matched against the nodes on the rotation tree, only nodes in the live state take part in matching, which improves the timeliness and reliability of detection.
In step S133, the set value may be a threshold on the number of times or a threshold on the frequency, and may be determined flexibly according to the actual situation. When the number of times or the frequency of matching the target node reaches the corresponding set value, the traffic data may pose a security threat to the current database, and a detection result indicating that the database is under security threat can be output.
For example, if the same user (for example, the same IP address or the same account) is detected to have produced a set number of login password errors while logging in to the database within a set time period, the electronic device 10 may output a detection result indicating that the current operation (or traffic data) poses a security threat to the database.
As an optional implementation, the method may further include: removing, from the rotation tree, nodes whose life cycle has ended.
Once nodes whose life cycle has ended are removed from the rotation tree, invalid nodes no longer take part in matching and degrade matching efficiency.
As an optional implementation, the method may further include:
blocking the traffic data when the detection result indicates that the traffic data poses a security threat to the current database.
In the above embodiment, when the traffic data may pose a security threat to the current database, blocking the traffic data improves the network security of the current database and reduces the risk of it being attacked.
As an optional implementation, the method may further include:
outputting an alarm prompt when the detection result indicates that the traffic data poses a security threat to the current database.
When the traffic data may pose a security threat to the current database, the alarm prompt is issued so that management personnel can promptly check the current situation and the loss caused by a password attack is avoided or reduced.
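The numbered regular-expression rule base and extraction strategy (steps S101-S103 and S120) and the per-node counting with life cycles (steps S131-S133, node removal, and the alarm/block responses) described above, as one added worked example in Python that is not code from the patent or its applicant. The concrete error codes (MySQL error 1045, Oracle ORA-01017), the (feature, user) node key, the sliding time-window count, and the dict standing in for the rotation tree are all assumptions of this example; the patent names none of them.

```python
import re
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class DetectionRule:
    """One numbered rule of the preset detection rule base (step S103)."""
    rule_id: int          # unique number used for distinguishing and indexing
    db_types: frozenset   # database types whose responses this rule reads
    pattern: re.Pattern   # regular expression over the server response
    feature: str          # the database-independent second behavior feature

# Rule base formed from the second behavior features (S101-S103).  The codes
# are assumptions of this example: MySQL error 1045 and Oracle ORA-01017 are
# the vendors' logon-denied responses; the patent names no concrete codes.
RULE_BASE: List[DetectionRule] = [
    DetectionRule(1001, frozenset({"mysql"}),
                  re.compile(r"ERROR 1045 \(28000\)"), "login_password_error"),
    DetectionRule(1002, frozenset({"oracle"}),
                  re.compile(r"\bORA-01017\b"), "login_password_error"),
]


def extract_first_feature(record: dict) -> Optional[Tuple[int, str]]:
    """Extraction strategy (S120): vendor response -> (rule number, feature)."""
    for rule in RULE_BASE:
        if record["db_type"] in rule.db_types and rule.pattern.search(
                record["response"]):
            return rule.rule_id, rule.feature
    return None


@dataclass
class Node:
    """Rotation-tree node: Key = (feature, user), Value = hit timestamps."""
    hits: Deque[float] = field(default_factory=deque)
    expires_at: float = 0.0   # end of the node's life cycle


class PasswordAttackDetector:
    """Steps S131-S133 plus expiry; a dict keyed by (feature, user) stands in
    for the rotation tree, whose layout the patent does not fix (assumption)."""

    def __init__(self, window: float, max_errors: int, node_ttl: float):
        self.window = window          # preset time period
        self.max_errors = max_errors  # preset upper limit on error count
        self.node_ttl = node_ttl      # node life cycle length
        self.tree: Dict[Tuple[str, str], Node] = {}

    def remove_expired(self, now: float) -> int:
        """Drop nodes whose life cycle has ended; returns how many."""
        dead = [k for k, n in self.tree.items() if n.expires_at <= now]
        for k in dead:
            del self.tree[k]
        return len(dead)

    def detect(self, record: dict) -> dict:
        """Return the detection result for one traffic record."""
        now = record["t"]
        self.remove_expired(now)    # expired nodes never take part in matching
        result = {"threat": False, "rule_id": None, "feature": None,
                  "count": 0, "actions": []}
        match = extract_first_feature(record)
        if match is None:           # S131: not a password-attack feature
            return result
        rule_id, feature = match
        result.update(rule_id=rule_id, feature=feature)
        key = (feature, record["user"])
        node = self.tree.get(key)   # S132: only live nodes can be matched
        if node is None:            # assumption: a node is created on first hit
            node = self.tree[key] = Node()
        node.hits.append(now)
        node.expires_at = now + self.node_ttl   # renew the life cycle
        while node.hits and node.hits[0] <= now - self.window:
            node.hits.popleft()     # keep only hits inside the preset period
        result["count"] = len(node.hits)
        if len(node.hits) >= self.max_errors:   # S133: set value reached
            result["threat"] = True
            result["actions"] = ["alarm", "block"]   # the optional responses
        return result


# Constructed sample traffic (not captured data): server responses already
# parsed into fields; "t" is seconds since the start of the capture.
MYSQL_DENIED = "ERROR 1045 (28000): Access denied for user 'app'@'10.0.0.5' (using password: YES)"
ORA_DENIED = "ORA-01017: invalid username/password; logon denied"
SAMPLE_TRAFFIC = [
    {"t": 0.0, "db_type": "mysql", "user": "app", "response": MYSQL_DENIED},
    {"t": 1.0, "db_type": "mysql", "user": "app", "response": MYSQL_DENIED},
    {"t": 2.0, "db_type": "mysql", "user": "app", "response": MYSQL_DENIED},
    {"t": 3.0, "db_type": "oracle", "user": "scott", "response": ORA_DENIED},
    {"t": 4.0, "db_type": "oracle", "user": "scott", "response": ORA_DENIED},
    {"t": 5.0, "db_type": "mysql", "user": "scott", "response": "Query OK"},
    {"t": 6.0, "db_type": "oracle", "user": "scott", "response": ORA_DENIED},
    {"t": 200.0, "db_type": "mysql", "user": "app", "response": MYSQL_DENIED},
]


def run_sample() -> List[dict]:
    """Three errors within 60 s trigger a threat; nodes expire after 120 s."""
    detector = PasswordAttackDetector(window=60.0, max_errors=3, node_ttl=120.0)
    return [detector.detect(r) for r in SAMPLE_TRAFFIC]
```

The two vendor responses are reduced to the same feature by different numbered rules, so the MySQL and Oracle users trip the same threshold logic; the last record shows the expired node being dropped before matching.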
Referring to fig. 4, an embodiment of the present application further provides a database detection apparatus 200, which can be applied to the electronic device 10 to execute the steps of the method. The database detection apparatus 200 includes at least one software functional module, which can be stored in the form of software or firmware in the storage module 12 or built into the operating system (OS) of the electronic device 10. The processing module 11 is used to execute the executable modules stored in the storage module 12, such as the software functional modules and computer programs included in the database detection apparatus 200.
The database detection apparatus 200 may include an acquisition unit 210, a feature extraction unit 220, and a detection unit 230, and each unit may have the following functions:
an obtaining unit 210, configured to obtain traffic data for a current database;
a feature extraction unit 220, configured to extract a first behavior feature for the current database from the traffic data through a preset extraction policy;
the detection unit 230 is configured to perform security detection on the first behavior feature through a preset detection rule base to obtain a detection result indicating whether the traffic data poses a security threat to the current database, where the preset detection rule base includes a plurality of detection rules and each detection rule is used to detect the same type of attack behavior for multiple types of databases.
The database detection apparatus 200 may further include a rule base establishing unit. Before the obtaining unit 210 obtains the traffic data for the current database, the obtaining unit 210 is further configured to obtain behavior data for multiple types of databases; the feature extraction unit 220 is configured to extract, from the behavior data, a second behavior feature corresponding to each type of attack behavior on the multiple types of databases; and the rule base establishing unit is configured to create a detection rule corresponding to each type of attack behavior according to the second behavior feature, so as to form the preset detection rule base.
Optionally, the detection unit 230 may be further configured to:
perform password attack detection on the first behavior feature through the preset detection rule base;
when the first behavior feature satisfies a preset password-error condition, match a target node corresponding to the first behavior feature on a rotation tree, where the rotation tree includes a plurality of preset nodes and each preset node holds a corresponding class of data set;
and when the number of times or the frequency of matching the target node reaches a corresponding set value, output a detection result indicating that the traffic data poses a security threat to the current database.
Optionally, the detection unit 230 may be further configured to match the first behavior feature against the nodes of the rotation tree that are in the live state, where a node having a key-value relation with the first behavior feature is taken as the matched target node, and each node on the rotation tree has a corresponding life cycle.
Optionally, the database detection apparatus 200 may further include a node updating unit for removing, from the rotation tree, nodes whose life cycle has ended.
Optionally, the database detection apparatus 200 may further include an interception unit, configured to block the traffic data when the detection result indicates that the traffic data forms a security threat to the current database.
Optionally, the database detection apparatus 200 may further include a prompt unit, configured to output an alarm prompt when the detection result indicates that the traffic data forms a security threat to the current database.
In this embodiment, the processing module 11 may be an integrated circuit chip having signal processing capability. The processing module 11 may be a general-purpose processor. For example, the processor may be a central processing unit (CPU), a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, and may implement or execute the methods, steps, and logic blocks disclosed in the embodiments of the present application.
The storage module 12 may be, but is not limited to, a random access memory, a read-only memory, a programmable read-only memory, an erasable programmable read-only memory, an electrically erasable programmable read-only memory, and the like. In this embodiment, the storage module 12 may be configured to store the preset extraction strategy, the preset detection rule base, and the like. Of course, the storage module 12 may also be used to store a program, and the processing module 11 executes the program after receiving an execution instruction.
It should be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working processes of the electronic device 10 and the database detection apparatus 200 described above may refer to the corresponding processes of the steps in the foregoing method, and are not described in detail herein.
The embodiment of the application also provides a computer readable storage medium. The computer-readable storage medium has stored therein a computer program which, when run on a computer, causes the computer to execute the database detection method as described in the above embodiments.
From the above description of the embodiments, it is clear to those skilled in the art that the present application can be implemented by hardware, or by software plus a necessary general hardware platform, and based on such understanding, the technical solution of the present application can be embodied in the form of a software product, which can be stored in a non-volatile storage medium (which can be a CD-ROM, a usb disk, a removable hard disk, etc.), and includes several instructions to enable a computer device (which can be a personal computer, a server, or a network device, etc.) to execute the method described in the embodiments of the present application.
In summary, in the present solution, the first behavior feature for the current database is extracted from the traffic data, and then the first behavior feature is subjected to security detection by using the preset detection rule base. The detection rules in the preset detection rule base can be used for detecting similar attack behaviors of multiple types of databases, and can uniformly perform security detection on different types of databases, so that corresponding detection rules do not need to be deployed independently for different types of databases, and the difficulty of database detection and operation and maintenance management can be reduced.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus, system, and method may be implemented in other ways. The apparatus, system, and method embodiments described above are illustrative only, as the flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions. In addition, functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application.

Claims (10)

1. A database detection method, the method comprising:
acquiring traffic data for a current database;
extracting a first behavior feature for the current database from the traffic data through a preset extraction strategy;
and performing security detection on the first behavior feature through a preset detection rule base to obtain a detection result indicating whether the traffic data forms a security threat to the current database, wherein the preset detection rule base comprises a plurality of detection rules, and each detection rule is used for detecting a similar attack behavior for multiple types of databases.
2. The method of claim 1, wherein, before acquiring the traffic data for the current database, the method further comprises:
acquiring behavior data for multiple types of databases;
extracting, from the behavior data, second behavior features corresponding to each type of attack behavior against the multiple types of databases;
and creating a detection rule corresponding to each type of attack behavior according to the second behavior features, so as to form the preset detection rule base.
3. The method of claim 1, wherein performing security detection on the first behavior feature through the preset detection rule base to obtain the detection result indicating whether the traffic data forms a security threat to the current database comprises:
performing password attack detection on the first behavior feature through the preset detection rule base;
when the first behavior feature indicates that a preset password-error condition is met, matching a target node corresponding to the first behavior feature on a rotating tree, wherein the rotating tree comprises a plurality of preset nodes, and each preset node holds a corresponding class of data set;
and when the frequency or the number of times the target node is matched reaches a corresponding set value, outputting the detection result indicating that the traffic data forms a security threat to the current database.
4. The method of claim 3, wherein matching the target node corresponding to the first behavior feature on the rotating tree comprises:
matching the first behavior feature against the nodes on the rotating tree that are in the alive state, wherein the node having a key-value relation with the first behavior feature is taken as the matched target node, and each node on the rotating tree has a corresponding life cycle.
5. The method of claim 4, further comprising:
removing from the rotating tree the nodes whose life cycle has ended.
6. The method of claim 1, further comprising:
blocking the traffic data when the detection result indicates that the traffic data forms a security threat to the current database.
7. The method of claim 1, further comprising:
outputting an alarm prompt when the detection result indicates that the traffic data forms a security threat to the current database.
8. A database detection apparatus, the apparatus comprising:
an acquisition unit configured to acquire traffic data for a current database;
a feature extraction unit configured to extract a first behavior feature for the current database from the traffic data through a preset extraction strategy;
and a detection unit configured to perform security detection on the first behavior feature through a preset detection rule base to obtain a detection result indicating whether the traffic data forms a security threat to the current database, wherein the preset detection rule base comprises a plurality of detection rules, and each detection rule is used for detecting a similar attack behavior for multiple types of databases.
9. An electronic device, characterized in that the electronic device comprises a processor and a memory coupled to each other, the memory storing a computer program which, when executed by the processor, causes the electronic device to perform the method according to any of claims 1-7.
10. A computer-readable storage medium, in which a computer program is stored which, when run on a computer, causes the computer to carry out the method according to any one of claims 1 to 7.
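The password-attack detection of claims 3 to 7, together with the matching description of detection unit 230 and the node updating unit above, as an added example that is not part of the patent: constructed traffic events from two database types are normalized to one password-error feature, counted on a rotating tree whose nodes expire at the end of their life cycle, and reported for blocking and alarming once the set value is reached. The MySQL error code 1045 and PostgreSQL SQLSTATE 28P01 used as password-error markers, the event layout, and the ttl and threshold values are assumptions of this example, not taken from the patent.

```python
# Added example (not the patent's code): password-attack detection on a rotating
# tree with expiring nodes, applied uniformly to two database types.
# Preset extraction strategy: per-database access-denied markers (MySQL error
# 1045, PostgreSQL SQLSTATE 28P01; assumed) map to one database-agnostic feature.
PASSWORD_ERROR_MARKERS = {"mysql": {1045}, "postgresql": {"28P01"}}

def extract_feature(event):
    """Map a raw traffic event to the first behavior feature."""
    markers = PASSWORD_ERROR_MARKERS.get(event["db_type"], set())
    return {"client": event["client"], "db_type": event["db_type"],
            "password_error": event.get("code") in markers}

class RotatingTree:
    """Nodes keyed by (client, db_type); each holds a data set of hit timestamps
    and is alive for ttl seconds after creation (its life cycle)."""
    def __init__(self, ttl, threshold):
        self.ttl, self.threshold, self.nodes = ttl, threshold, {}

    def prune(self, now):
        """Node updating: drop nodes whose life cycle has ended."""
        self.nodes = {k: n for k, n in self.nodes.items()
                      if now - n["created"] < self.ttl}

    def match(self, key, now):
        """Match key to an alive node (creating it if absent); return its hit count."""
        self.prune(now)
        node = self.nodes.setdefault(key, {"created": now, "hits": []})
        node["hits"].append(now)
        return len(node["hits"])

def detect(events, tree):
    """One rule for all database types: a node matched tree.threshold times
    within its life cycle is a threat; the response is to block and alarm."""
    threats = []
    for ev in events:
        feat = extract_feature(ev)
        if feat["password_error"]:
            key = (feat["client"], feat["db_type"])  # key-value relation to node
            if tree.match(key, ev["ts"]) >= tree.threshold:
                threats.append((feat["client"], feat["db_type"], "block+alarm"))
    return threats

# Constructed sample traffic: three MySQL failures from 10.0.0.5 within 2 s,
# one PostgreSQL failure, and a retry after the node for 10.0.0.5 has expired.
SAMPLE_EVENTS = [
    {"ts": 0, "client": "10.0.0.5", "db_type": "mysql", "code": 1045},
    {"ts": 1, "client": "10.0.0.5", "db_type": "mysql", "code": 1045},
    {"ts": 2, "client": "10.0.0.5", "db_type": "mysql", "code": 1045},
    {"ts": 3, "client": "10.0.0.9", "db_type": "postgresql", "code": "28P01"},
    {"ts": 100, "client": "10.0.0.5", "db_type": "mysql", "code": 1045},
]
```

Running detect(SAMPLE_EVENTS, RotatingTree(ttl=60, threshold=3)) reports only 10.0.0.5 against MySQL; the late retry at ts=100 lands on a fresh node because the earlier one was pruned at the end of its life cycle.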
CN202111482967.4A 2021-12-07 2021-12-07 Database detection method and device, electronic equipment and storage medium Pending CN114186225A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111482967.4A CN114186225A (en) 2021-12-07 2021-12-07 Database detection method and device, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN114186225A true CN114186225A (en) 2022-03-15

Family

ID=80542549

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination