CN114238279A - Database security protection method, device, system, storage medium and electronic equipment - Google Patents


Info

Publication number: CN114238279A
Application number: CN202111564547.0A
Authority: CN (China)
Prior art keywords: database; target; quintuple information; application server; user equipment
Legal status: Pending
Other languages: Chinese (zh)
Inventor: 吴摇摇
Current Assignee: Beijing Topsec Technology Co Ltd; Beijing Topsec Network Security Technology Co Ltd; Beijing Topsec Software Co Ltd
Original Assignee: Beijing Topsec Technology Co Ltd; Beijing Topsec Network Security Technology Co Ltd; Beijing Topsec Software Co Ltd
Application filed by: Beijing Topsec Technology Co Ltd; Beijing Topsec Network Security Technology Co Ltd; Beijing Topsec Software Co Ltd
Priority to: CN202111564547.0A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/21 Design, administration or maintenance of databases
    • G06F16/217 Database tuning
    • G06F16/22 Indexing; Data structures therefor; Storage structures
    • G06F16/2282 Tablespace storage structures; Management thereof
    • G06F16/24 Querying
    • G06F16/242 Query formulation
    • G06F16/2433 Query languages


Abstract

The embodiment of the application provides a database security protection method, a device, a system, a storage medium and electronic equipment, wherein the database security protection method comprises the following steps: receiving a database access request sent by an application server; the database access request carries target quintuple information related to target user equipment, and the target quintuple information is quintuple information of access data from the target user equipment to the application server; detecting whether the database access request has an attack behavior or not; and if the database access request is determined to have the attack behavior, extracting the target quintuple information from the database access request and sending the target quintuple information to the application server protection system, so that the application server protection system can block the access of the target user equipment to the database according to the target quintuple information. By means of the technical scheme, the embodiment of the application can realize accurate blocking of the threatened user equipment, and further can improve the safety of the database.

Description

Database security protection method, device, system, storage medium and electronic equipment
Technical Field
The present application relates to the field of database security technologies, and in particular, to a database security protection method, apparatus, system, storage medium, and electronic device.
Background
In an internet environment, a database may store service information, and a user may send an operation request, such as an information query request or an information modification request, to the database through a user device. After receiving the operation request, the database executes the corresponding database operation and returns the operation result to the user.
However, a malicious program may attack the database over the network in order to illegally obtain service information from it. One specific means of attack is for the malicious program to exploit a vulnerability of the user equipment to inject a malicious database operation statement into the access data sent by the user equipment; the database then executes the injected statement when processing the operation request and is thereby attacked.
Therefore, a database security protection method is needed to protect the database from network attacks and thus improve its security.
Disclosure of Invention
An object of the embodiments of the present application is to provide a database security protection method, apparatus, system, storage medium, and electronic device, so as to implement accurate blocking of a threatening user equipment.
In a first aspect, an embodiment of the present application provides a database security protection method, where the database security protection method is applied to a database firewall in a database security protection system, where the database security protection system includes a database, a target user device, an application server protection system, and a database firewall, and the database security protection method includes: receiving a database access request sent by an application server; the database access request carries target quintuple information related to target user equipment, and the target quintuple information is quintuple information of access data from the target user equipment to the application server; detecting whether the database access request has an attack behavior or not; and if the database access request is determined to have the attack behavior, extracting the target quintuple information from the database access request and sending the target quintuple information to the application server protection system, so that the application server protection system can block the access of the target user equipment to the database according to the target quintuple information.
Therefore, in the embodiment of the application, the application server obtains the target quintuple information of the access data from the target user equipment to the application server and adds it to the database access request. When the database firewall determines from the database access request that an attack behavior exists, it sends the target quintuple information to the application server protection system, so that the application server protection system can block the access of the target user equipment to the database according to the target quintuple information.
In one possible embodiment, the database security protection method further includes: and carrying out attack tracing based on the target quintuple information to obtain an attack tracing result.
In a second aspect, an embodiment of the present application provides a database security protection method, where the database security protection method is applied to an application server protection system in a database security protection system, the database security protection system includes a database, a target user device, an application server, a database firewall, and an application server protection system, and the database security protection method includes: receiving target quintuple information sent by a database firewall; the target quintuple information is extracted from the database access request by the database firewall under the condition that the attack behavior of the database access request is determined, and is the quintuple information of the access data from the target user equipment to the application server; and blocking the access of the target user equipment to the database according to the target quintuple information.
In one possible embodiment, blocking access to the database by the target user equipment according to the target five-tuple information comprises: searching a session related to the target user equipment according to the target quintuple information; and blocking the session related to the target user equipment.
In a third aspect, an embodiment of the present application provides a database security protection device, where the database security protection device is applied to a database firewall in a database security protection system, the database security protection system includes a database, a target user equipment, an application server protection system, and the database firewall, and the database security protection device includes: the first receiving module is used for receiving a database access request sent by an application server; the database access request carries target quintuple information related to target user equipment, and the target quintuple information is quintuple information of access data from the target user equipment to the application server; the detection module is used for detecting whether the database access request has an attack behavior or not; and the sending module is used for extracting the target quintuple information from the database access request and sending the target quintuple information to the application server protection system if the attack behavior of the database access request is determined, so that the application server protection system can block the access of the target user equipment to the database according to the target quintuple information.
In one possible embodiment, the database security guard further comprises: and the attack tracing module is used for carrying out attack tracing based on the target quintuple information to obtain an attack tracing result.
In a fourth aspect, an embodiment of the present application provides a database security protection device, where the database security protection device is applied to an application server protection system in a database security protection system, the database security protection system includes a database, a target user device, an application server, a database firewall, and the application server protection system, and the database security protection device includes: the second receiving module is used for receiving the target quintuple information sent by the database firewall; the target quintuple information is extracted from the database access request by the database firewall under the condition that the attack behavior of the database access request is determined, and is the quintuple information of the access data from the target user equipment to the application server; and the blocking module is used for blocking the access of the target user equipment to the database according to the target quintuple information.
In a possible embodiment, the blocking module is specifically configured to: searching a session related to the target user equipment according to the target quintuple information; and blocking the session related to the target user equipment.
In a fifth aspect, the present application provides a storage medium, on which a computer program is stored, where the computer program is executed by a processor to perform the method according to the first aspect or any optional implementation manner of the first aspect.
In a sixth aspect, the present application provides a storage medium, on which a computer program is stored, where the computer program is executed by a processor to perform the method of the second aspect or any optional implementation manner of the second aspect.
In a seventh aspect, an embodiment of the present application provides an electronic device, including: a processor, a memory and a bus, the memory storing machine-readable instructions executable by the processor, the processor and the memory communicating via the bus when the electronic device is running, the machine-readable instructions when executed by the processor performing the method of the first aspect or any of the alternative implementations of the first aspect.
In an eighth aspect, an embodiment of the present application provides an electronic device, including: a processor, a memory and a bus, the memory storing machine-readable instructions executable by the processor, the processor and the memory communicating via the bus when the electronic device is running, the machine-readable instructions when executed by the processor performing the method of the second aspect or any of the alternative implementations of the second aspect.
In a ninth aspect, the present application provides a computer program product which, when run on a computer, causes the computer to perform the method of the first aspect or any possible implementation manner of the first aspect.
In a tenth aspect, the present application provides a computer program product which, when run on a computer, causes the computer to perform the method of the second aspect or any possible implementation of the second aspect.
In order to make the aforementioned and other objects, features and advantages of the present invention comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
In order to illustrate the technical solutions of the embodiments of the present application more clearly, the drawings required by the embodiments are briefly described below. It should be understood that the following drawings illustrate only some embodiments of the present application and therefore should not be regarded as limiting its scope; those skilled in the art can obtain other related drawings from these drawings without inventive effort.
Fig. 1 is a schematic diagram illustrating an application scenario provided in an embodiment of the present application;
Fig. 2 is a flowchart illustrating a database security protection method according to an embodiment of the present disclosure;
Fig. 3 is a block diagram illustrating a database security guard according to an embodiment of the present disclosure;
Fig. 4 is a block diagram illustrating an alternative database security guard provided by an embodiment of the present application;
Fig. 5 is a block diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures. Meanwhile, in the description of the present application, the terms "first", "second", and the like are used only for distinguishing the description, and are not to be construed as indicating or implying relative importance.
In the internet era, the behavior data, portrait data, information data and the like generated in interactions between people and between people and society are growing exponentially, and the value and importance of this data are self-evident. As the carrier of the data, the database is supported by increasingly mature products and technologies, and its security is becoming more important as well.
Database security means protecting the database against data leakage, alteration or damage caused by illegal use. Whether the security protection measures are effective is the main technical indicator of a database. Data security is like a wooden barrel: how sound the whole protection system is depends entirely on its shortest stave. Therefore, even if the security protection of the network layer and the operating system is relatively complete, an unprotected database storing core information can still lead to a serious data security crisis.
In addition, the database firewall is a data security protection device dedicated to databases, which followed security devices such as the traditional network firewall and the next-generation firewall. It protects the database against abnormal data access from the application side. It generally adopts an active defense mechanism, defines risk policies through behavior modeling, and combines database virtual patches, injection rules and an application-association protection mechanism, thereby implementing control of database access behavior, blocking of high-risk operations, auditing of suspicious behavior and the like.
In addition, the database firewall generally defends against database attacks and traces events by parsing the database communication protocol, applying techniques such as a blacklist and whitelist mechanism, database vulnerability protection and database application auditing, and detecting and analyzing database application traffic. The main ideas and functions of these protection methods are as follows:
(1) Parsing of database communication protocols
The communication protocol of the database application data is parsed according to the application type (such as MySQL, Oracle, PostgreSQL and the like). The application-layer data obtained by parsing is the basis on which the database firewall protects the database against risky behaviors and illegal operations. The more accurately the communication protocol is parsed, the more thorough and secure the protection of the database.
(2) Black and white list mechanism
When protecting the database, the database firewall uses the information parsed from the data communication protocol to set predefined policies for intercepting risky and non-compliant Structured Query Language (SQL) operations. Another common protection mode builds a dynamic model through a learning mode and SQL syntax analysis to form an SQL whitelist and an SQL blacklist. The behavior model combines the blacklist and the whitelist, and sets policies for the database through a mix of forbidding rules, alarm rules, release rules and rules of multiple modes, thereby protecting the database.
(3) Database vulnerability protection
Besides login restriction, interception of malicious SQL operations, and protection against bulk data download and deletion, the protection scope of a database firewall also covers the security risks caused by bugs in the database itself. Careful and rigorous protection against these risks is a key part of the value of a database firewall. Detection and defense are usually performed by means of virtual patches: once vulnerability threat data is detected, the data message is discarded.
(4) Database application auditing
Database activity on the network is recorded in real time, database operations are audited at fine granularity, and alarms are raised in real time for risky behaviors affecting the database. By recording, analyzing and reporting database access behavior, the firewall helps the user generate compliance reports and trace the source of an incident afterwards. Big data search technology provides efficient query and audit reports and locates the cause of an incident, which facilitates later query, analysis and filtering, strengthens the monitoring and auditing of internal and external database network behavior, and improves the security of data assets.
Further, the database firewall can be deployed between the application server and the database, and can detect and identify database attacks and abnormal behaviors through methods such as black and white lists, SQL statement analysis, virtual patch detection, machine learning, big data analysis and the like, and block database requests after identifying the database attacks and the abnormal behaviors.
The database firewall can also record database activity on the network in real time and issue a database audit report, which database administrators use to analyze the security state of the database and adjust the corresponding security policy.
Moreover, the application server generally connects to the database deployed behind it by means of a database connection, a connection pool or the like, to obtain the data resources that the application needs to run. In this case, however, the connection from the user equipment to the application server and the connection from the application server to the database have no correspondence, so attack behavior cannot be defended against precisely, and it is difficult to trace the user equipment that actually initiated the attack.
For example, when the user equipment is connected to the application server by way of the connection pool and the database firewall determines that user equipment in a certain connection pool has an attack behavior, the database firewall cannot determine which user equipment in the connection pool it is. To ensure the security of the database, the database firewall can then only block all the user equipment in the connection pool from accessing the database, so user equipment that is accessing the database normally can no longer operate normally.
Based on this, an embodiment of the present application provides a database security protection method. A database access request sent by an application server is received, where the database access request carries target quintuple information related to a target user equipment, and the target quintuple information is quintuple information of access data from the target user equipment to the application server. Whether the database access request has an attack behavior is then detected. Finally, if it is determined that the database access request has the attack behavior, the target quintuple information is extracted from the database access request and sent to an application server protection system, so that the application server protection system blocks access of the target user equipment to the database according to the target quintuple information.
Therefore, in the embodiment of the application, the application server obtains the target quintuple information of the access data from the target user equipment to the application server and adds it to the database access request. When the database firewall determines from the database access request that an attack behavior exists, it sends the target quintuple information to the application server protection system, so that the application server protection system can block the access of the target user equipment to the database according to the target quintuple information.
Referring to Fig. 1, Fig. 1 is a schematic diagram illustrating an application scenario provided in an embodiment of the present application. As shown in Fig. 1, the application scenario includes three user equipments, an application server protection system, an application server, a database firewall, and a database. The three user devices are all connected with the application server protection system, the application server protection system is respectively connected with the application server and the database firewall, and the database firewall is connected with the database.
It should be understood that the specific device of the user equipment, the specific device of the application server protection system, the specific device of the application server, the specific device of the database firewall, the specific device of the database, and the like may all be set according to actual requirements, and the embodiment of the present application is not limited thereto.
For example, the user equipment may be a mobile phone, a computer, or the like.
Specifically, access data of the user equipment for requesting access to the database is sent from the user equipment to the application server, and the application server can extract quintuple information of the corresponding user equipment from the access data. And, the application server may add quintuple information corresponding to the user equipment to the database access request in a process of generating the database access request. Subsequently, the application server may send the generated database access request to a database firewall, so that the database firewall may detect whether an attack action exists in the database access request. If the database firewall determines that the attack behavior exists, the database firewall can send quintuple information corresponding to the database access request to an application server protection system. Subsequently, the application server protection system can block the access of the attacking user equipment to the database according to the target quintuple information.
It should be understood that although Fig. 1 shows a specific application scenario, those skilled in the art can also set the application scenario according to actual needs, and the embodiment of the present application is not limited thereto.
For example, although Fig. 1 shows three user devices, the application scenario may also include more or fewer user devices.
Referring to Fig. 2, Fig. 2 is a flowchart illustrating a database security protection method according to an embodiment of the present disclosure. The database security protection method shown in Fig. 2 includes:
In step S210, the application server receives the access data sent by the target user equipment and may extract target quintuple information from the access data. The access data may be used to request access to the database.
In order to facilitate understanding of the embodiments of the present application, the following description is given by way of specific examples.
Specifically, after the application server receives the access data sent by the target user equipment, five-tuple information of the access data can be acquired. The five-tuple information may include a source IP address, a source port, a destination IP address, a destination port, and a protocol type.
In step S220, the application server generates a database access request using the target quintuple information.
It should be understood that the specific method for the application server to generate the database access request by using the target quintuple information may be set according to actual requirements, and the embodiment of the present application is not limited thereto.
For example, the application server may add the target five-tuple information to the database access request in the form of a database request statement comment or a protocol reservation field.
It should also be understood that two sets of five-tuple information may be included in the database access request, wherein the source IP address in one set of five-tuple information may be the IP address of the application server, and the source IP address in the other set of five-tuple information may be the IP address of the target user equipment, etc.
That is, compared to the existing database access request, it may be considered that a field in which quintuple information is recorded is added to the database access request, and the added quintuple information is quintuple information of access data from the target user equipment to the application server.
In step S230, the application server sends a database access request to the database firewall. Correspondingly, the database firewall receives a database access request sent by the application server.
In step S240, the database firewall detects whether there is an attack behavior in the database access request.
If the detection determines that there is an attack behavior, step S250 is performed; if the detection determines that there is no attack behavior, step S270 is performed.
In particular, the database firewall may analyze the database access request to determine whether it contains an attack behavior.
In step S250, the database firewall extracts the target quintuple information from the database access request and sends the target quintuple information to the application server protection system. Correspondingly, the application server protection system receives the target quintuple information sent by the database firewall.
It should be further noted that, in the case where the database firewall determines that there is an attack behavior, the database firewall may record the attack behavior in addition to sending the target five-tuple information to the application server protection system.
The database firewall can also perform threat analysis and attack tracing according to the recorded target quintuple information to obtain an attack tracing result.
For example, the database firewall may look up the source IP address in the target five-tuple information and determine the user equipment corresponding to that source IP address to be the target user equipment that attacked the database; the attack tracing result is then the relevant information of the determined target user equipment.
In step S260, the application server protection system blocks the access of the target user equipment to the database according to the target quintuple information.
It should be understood that the specific process of blocking the access of the target user equipment to the database by the application server protection system according to the target quintuple information may be set according to actual requirements, and the embodiment of the present application is not limited thereto.
Optionally, the application server protection system may search for a session related to the target user equipment according to the target five-tuple information, and may block the session related to the target user equipment.
It should also be understood that the specific process by which the application server protection system searches for a session related to the target user equipment according to the target quintuple information may be set according to actual requirements, and the embodiment of the present application is not limited thereto.
For example, the application server protection system may look up a session between the target user equipment and the application server based on the source IP address, the source port, the destination IP address, and the destination port in the target quintuple information.
It should also be understood that the specific process of the application server protection system for blocking the session related to the target user equipment may be set according to actual requirements, and the embodiment of the present application is not limited thereto.
For example, the application server protection system may terminate the threatening access session by sending a special message or generating a blacklist policy, etc.
It should also be understood that the specific message form of the special message may be set according to actual requirements, and the embodiment of the present application is not limited thereto.
For example, the special message may be a RESET (RST) message.
In step S270, the database firewall allows access.
In this way, an attack on the database is detected using the quintuple information of the access data sent from the target user equipment to the application server. This solves the problem that the connection from the user equipment to the application server and the connection from the application server to the database have no correspondence, so that attack behavior cannot be accurately defended against.
In addition, the quintuple information related to the target user equipment that is newly added to the database access request serves as an important identity basis for database firewall auditing; combined with the content of the risk event, it helps security personnel trace the risk event and assign responsibility quickly and accurately.
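An added example, not code from the patent: a Python walk-through of steps S250 to S270 in which the database firewall extracts the user-side quintuple and the application server protection system looks up and resets the matching session, falling back to a blacklist policy when that session is no longer in its table. The `client_5tuple` SQL-comment carrier, the regex detector, the `blocked:untagged` outcome and all addresses are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class FiveTuple:
    """Quintuple of the user-equipment -> application-server connection."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str


# Assumed carrier format: a comment the application server prepends to the SQL.
TAG = re.compile(
    r"/\*\s*client_5tuple\s+src=(\S+):(\d+)\s+dst=(\S+):(\d+)\s+proto=(\w+)\s*\*/")
# Stand-in detector (assumption); a real database firewall analyzes far more.
SUSPICIOUS = re.compile(r"(?i)\bunion\s+select\b|\bor\s+1\s*=\s*1\b")


def tag_request(sql: str, ft: FiveTuple) -> str:
    """Application server side: attach the user's quintuple to the request."""
    return (f"/* client_5tuple src={ft.src_ip}:{ft.src_port} "
            f"dst={ft.dst_ip}:{ft.dst_port} proto={ft.protocol} */ {sql}")


def extract_five_tuple(request: str) -> Optional[FiveTuple]:
    """Firewall side: read only a tag at the very start of the request, so a
    look-alike tag inside user-controlled SQL text is never trusted."""
    m = TAG.match(request)
    if m is None:
        return None
    return FiveTuple(m[1], int(m[2]), m[3], int(m[4]), m[5])


class AppServerProtection:
    """Holds the user-facing session table and applies the block (step S260)."""

    def __init__(self, sessions):
        # (src_ip, src_port, dst_ip, dst_port) -> connection state
        self.sessions = dict(sessions)
        self.blacklist = set()

    def block(self, ft: FiveTuple) -> str:
        key = (ft.src_ip, ft.src_port, ft.dst_ip, ft.dst_port)
        if self.sessions.get(key) == "ESTABLISHED":
            self.sessions[key] = "RESET"  # models terminating it with a TCP RST
            return "rst"
        # Session already closed or unknown: fall back to a blacklist policy.
        self.blacklist.add(ft.src_ip)
        return "blacklist"


class DatabaseFirewall:
    def __init__(self, protection: AppServerProtection):
        self.protection = protection
        self.audit_log = []  # recorded attack behavior, used for tracing

    def handle(self, request: str) -> str:
        if not SUSPICIOUS.search(request):
            return "allow"  # step S270
        ft = extract_five_tuple(request)
        self.audit_log.append((ft, request))
        if ft is None:
            # Assumption: with no quintuple to correlate, drop at the firewall only.
            return "blocked:untagged"
        return "blocked:" + self.protection.block(ft)  # steps S250 and S260

    def trace_sources(self):
        """Attack tracing: source IPs of the user equipment behind logged attacks."""
        return sorted({ft.src_ip for ft, _ in self.audit_log if ft is not None})


def run_demo():
    # Constructed sample data (documentation address ranges).
    live = FiveTuple("203.0.113.7", 51514, "198.51.100.10", 443, "tcp")
    gone = FiveTuple("203.0.113.9", 40222, "198.51.100.10", 443, "tcp")
    aps = AppServerProtection(
        {("203.0.113.7", 51514, "198.51.100.10", 443): "ESTABLISHED"})
    fw = DatabaseFirewall(aps)
    results = [
        fw.handle(tag_request("SELECT name FROM users WHERE id = 42", live)),
        fw.handle(tag_request("SELECT name FROM users WHERE id = 1 OR 1=1", live)),
        fw.handle(tag_request("SELECT name FROM users WHERE id = 1 OR 1=1", gone)),
    ]
    return results, aps, fw


if __name__ == "__main__":
    print(run_demo()[0])
```

The third request shows why the blacklist fallback matters: by the time the firewall reports the quintuple, the user-facing session may already have closed, so there is nothing left to reset.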
It should be understood that the above database security protection method is only exemplary, and those skilled in the art can make various changes, modifications or alterations according to the above method and fall within the protection scope of the present application.
Referring to fig. 3, fig. 3 is a block diagram illustrating a database security device 300 according to an embodiment of the present disclosure. It should be understood that the database security device 300 corresponds to the above method embodiment and can perform the steps on the database firewall side of that embodiment; for the specific functions of the database security device 300, refer to the description above, and a detailed description is omitted here to avoid repetition. The database security device 300 includes at least one software function that may be stored in memory in the form of software or firmware, or may be resident in an Operating System (OS) of the database security device 300. Specifically, the database security device 300 includes:
a first receiving module 310, configured to receive a database access request sent by an application server; the database access request carries target quintuple information related to target user equipment, and the target quintuple information is quintuple information of access data from the target user equipment to the application server;
the detection module 320 is configured to detect whether an attack behavior exists in the database access request;
the sending module 330 is configured to, if it is determined that the database access request has an attack behavior, extract target quintuple information from the database access request, and send the target quintuple information to the application server protection system, so that the application server protection system blocks access of the target user equipment to the database according to the target quintuple information.
In one possible embodiment, the database security device 300 further comprises an attack tracing module (not shown), configured to perform attack tracing based on the target quintuple information to obtain an attack tracing result.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working process of the apparatus described above may refer to the corresponding process in the foregoing method, and will not be described in too much detail herein.
Referring to fig. 4, fig. 4 is a block diagram illustrating another database security device 400 according to an embodiment of the present disclosure. It should be understood that the database security device 400 corresponds to the above method embodiment and can perform the steps on the application server protection system side of that embodiment; for the specific functions of the database security device 400, refer to the description above, and a detailed description is omitted here to avoid repetition. The database security device 400 includes at least one software function that may be stored in memory in the form of software or firmware, or may be resident in an Operating System (OS) of the database security device 400. Specifically, the database security device 400 includes:
a second receiving module 410, configured to receive target quintuple information sent by the database firewall; the target quintuple information is extracted from the database access request by the database firewall under the condition that the attack behavior of the database access request is determined, and is the quintuple information of the access data from the target user equipment to the application server;
and a blocking module 420, configured to block, according to the target quintuple information, access to the database by the target user equipment.
In a possible embodiment, the blocking module 420 is specifically configured to: searching a session related to the target user equipment according to the target quintuple information; and blocking the session related to the target user equipment.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working process of the apparatus described above may refer to the corresponding process in the foregoing method, and will not be described in too much detail herein.
Referring to fig. 5, fig. 5 is a block diagram illustrating an electronic device 500 according to an embodiment of the present disclosure. The electronic device 500 may include a processor 510, a communication interface 520, a memory 530, and at least one communication bus 540. The communication bus 540 provides direct connection and communication between these components. The communication interface 520 in the embodiment of the present application is used for communicating signaling or data with other devices. The processor 510 may be an integrated circuit chip having signal processing capabilities. The processor 510 may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; it may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field-Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic, or discrete hardware components. It may implement or perform the various methods, steps, and logic blocks disclosed in the embodiments of the present application. A general-purpose processor may be a microprocessor, or the processor 510 may be any conventional processor or the like.
The memory 530 may be, but is not limited to, a Random Access Memory (RAM), a Read-Only Memory (ROM), a Programmable Read-Only Memory (PROM), an Erasable Programmable Read-Only Memory (EPROM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), and the like. The memory 530 stores computer readable instructions, and when the computer readable instructions are executed by the processor 510, the electronic device 500 may perform the steps of the corresponding side of the above method embodiments.
The electronic device 500 may further include a memory controller, an input-output unit, an audio unit, and a display unit.
The memory 530, the memory controller, the processor 510, the peripheral interface, the input/output unit, the audio unit, and the display unit are electrically connected to each other directly or indirectly to realize data transmission or interaction. For example, these elements may be electrically coupled to each other via one or more communication buses 540. Processor 510 is used to execute executable modules stored in memory 530.
The input and output unit is used for providing input data for a user to realize the interaction of the user and the server (or the local terminal). The input/output unit may be, but is not limited to, a mouse, a keyboard, and the like.
The audio unit provides an audio interface to the user, which may include one or more microphones, one or more speakers, and audio circuitry.
The display unit provides an interactive interface (e.g. a user interface) between the electronic device and a user, or displays image data for the user's reference. In this embodiment, the display unit may be a liquid crystal display or a touch display. A touch display may be a capacitive or resistive touch screen that supports single-point and multi-point touch operations, meaning that the touch display can sense touch operations generated simultaneously at one or more positions on it and pass the sensed touch operations to the processor for calculation and processing.
It will be appreciated that the configuration shown in FIG. 5 is merely illustrative and that the electronic device 500 may include more or fewer components than shown in FIG. 5 or may have a different configuration than shown in FIG. 5. The components shown in fig. 5 may be implemented in hardware, software, or a combination thereof.
The present application also provides a storage medium having a computer program stored thereon, which, when executed by a processor, performs the method of the method embodiments.
The present application also provides a computer program product which, when run on a computer, causes the computer to perform the method of the method embodiments.
It can be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working process of the system described above may refer to the corresponding process in the foregoing method, and will not be described in too much detail herein.
It should be noted that, in the present specification, the embodiments are all described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments may be referred to each other. For the device-like embodiment, since it is basically similar to the method embodiment, the description is simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method can be implemented in other ways. The apparatus embodiments described above are merely illustrative, and for example, the flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes. It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The above description is only a preferred embodiment of the present application and is not intended to limit the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application. It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (11)

1. A database security protection method is applied to a database firewall in a database security protection system, wherein the database security protection system comprises a database, target user equipment, an application server protection system and the database firewall, and the database security protection method comprises the following steps:
receiving a database access request sent by the application server; the database access request carries target quintuple information related to the target user equipment, and the target quintuple information is quintuple information of access data from the target user equipment to the application server;
detecting whether the database access request has an attack behavior or not;
and if the database access request is determined to have an attack behavior, extracting the target quintuple information from the database access request, and sending the target quintuple information to the application server protection system, so that the application server protection system can block the access of the target user equipment to the database according to the target quintuple information.
2. The database security protection method of claim 1, further comprising:
and carrying out attack tracing based on the target quintuple information to obtain an attack tracing result.
3. A database security protection method is applied to an application server protection system in a database security protection system, wherein the database security protection system comprises a database, target user equipment, an application server, a database firewall and the application server protection system, and the database security protection method comprises the following steps:
receiving target quintuple information sent by the database firewall; the target quintuple information is extracted from a database access request by the database firewall under the condition that the attack behavior of the database access request is determined, and is the quintuple information of access data from the target user equipment to the application server;
and blocking the access of the target user equipment to the database according to the target quintuple information.
4. The database security protection method according to claim 3, wherein the blocking access to the database by the target user equipment according to the target quintuple information comprises:
searching a session related to the target user equipment according to the target quintuple information;
and blocking the session related to the target user equipment.
5. A database security protection device, wherein the database security protection device is applied to a database firewall in a database security protection system, the database security protection system includes a database, a target user device, an application server protection system and the database firewall, and the database security protection device includes:
the first receiving module is used for receiving a database access request sent by the application server; the database access request carries target quintuple information related to the target user equipment, and the target quintuple information is quintuple information of access data from the target user equipment to the application server;
the detection module is used for detecting whether the database access request has an attack behavior or not;
and the sending module is used for extracting the target quintuple information from the database access request and sending the target quintuple information to the application server protection system if the attack behavior of the database access request is determined, so that the application server protection system can block the access of the target user equipment to the database according to the target quintuple information.
6. The database security apparatus of claim 5, wherein the database security apparatus further comprises:
and the attack tracing module is used for carrying out attack tracing based on the target quintuple information to obtain an attack tracing result.
7. A database security protection apparatus, wherein the database security protection apparatus is applied to an application server protection system in a database security protection system, the database security protection system includes a database, a target user device, an application server, a database firewall, and the application server protection system, and the database security protection apparatus includes:
the second receiving module is used for receiving the target quintuple information sent by the database firewall; the target quintuple information is extracted from a database access request by the database firewall under the condition that the attack behavior of the database access request is determined, and is the quintuple information of access data from the target user equipment to the application server;
and the blocking module is used for blocking the access of the target user equipment to the database according to the target quintuple information.
8. The database security guard of claim 7, wherein the blocking module is specifically configured to: searching a session related to the target user equipment according to the target quintuple information; and blocking the session related to the target user equipment.
9. A storage medium having stored thereon a computer program for performing the database security protection method according to any one of claims 1 to 8 when executed by a processor.
10. An electronic device, characterized in that the electronic device comprises: a processor, a memory and a bus, the memory storing machine-readable instructions executable by the processor, the processor and the memory communicating via the bus when the electronic device is operating, the machine-readable instructions when executed by the processor performing the database security protection method of any one of claims 1-8.
11. A database security protection system, comprising:
the target user equipment is used for sending access data to the application server;
the application server is used for receiving the access data, extracting target quintuple information from the access data, generating a database access request according to the target quintuple information and sending the database access request to a database firewall;
the database firewall is used for receiving the database access request, detecting whether the database access request has an attack behavior, extracting the target quintuple information from the database access request if the database access request has the attack behavior, and sending the target quintuple information to an application server protection system;
and the application server protection system is used for receiving the target quintuple information and blocking the target user equipment from accessing the database according to the target quintuple information.
CN202111564547.0A 2021-12-20 2021-12-20 Database security protection method, device, system, storage medium and electronic equipment Pending CN114238279A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111564547.0A CN114238279A (en) 2021-12-20 2021-12-20 Database security protection method, device, system, storage medium and electronic equipment

Publications (1)

Publication Number Publication Date
CN114238279A true CN114238279A (en) 2022-03-25

Family

ID=80759512

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111564547.0A Pending CN114238279A (en) 2021-12-20 2021-12-20 Database security protection method, device, system, storage medium and electronic equipment

Country Status (1)

Country Link
CN (1) CN114238279A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114710491A (en) * 2022-03-31 2022-07-05 深圳昂楷科技有限公司 Protection method of database cluster, database firewall and medium
CN114710491B (en) * 2022-03-31 2024-04-26 深圳昂楷科技有限公司 Protection method of database cluster, database firewall and medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination