CN115914334A - Method, device, equipment and medium for processing access session of database - Google Patents

Publication number: CN115914334A
Application number: CN202211549869.2A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 高子君, 徐一沙
Current assignee: Industrial and Commercial Bank of China Ltd (ICBC)
Original assignee: Industrial and Commercial Bank of China Ltd (ICBC)
Prior art keywords: access session, type, database, user identifier, internet protocol
Landscapes: Computer And Data Communications

Abstract

The application provides a method, a device, equipment and a medium for processing an access session of a database. After the access session is obtained, its type is determined either from the user identifier, the sender Internet Protocol (IP) address and the database operation statement in the access session, or from an access session classification model together with the user identifier, the sender IP address, the sending time and the database operation statement in the access session. The scheme thus determines the type of the access session from the information in the access session itself, and distinguishes operation and maintenance access sessions from application access sessions.

Description

Database access session processing method, device, equipment and medium
Technical Field
The present application relates to the field of information security, and in particular, to a method, an apparatus, a device, and a medium for processing an access session of a database.
Background
Database auditing is a method of supervising the operations performed when accessing a database. It provides fine-grained, compliance-oriented auditing of database operations and raises real-time alarms on abnormal behavior affecting the database.
In the prior art, when the server corresponding to a database receives an access session, it can parse the access session and record and forward the operations that the session performs on the database. However, access sessions are of two types: operation and maintenance access sessions and application access sessions. Anomalies are more likely to occur when the server operates on the database according to an operation and maintenance access session, so auditing only the operation and maintenance access sessions can improve auditing efficiency and reduce the memory space occupied.
However, the prior art cannot distinguish the types of the access sessions, so a method for processing the access sessions of the database is needed to distinguish the operation and maintenance access sessions from the application access sessions.
Disclosure of Invention
Embodiments of the present application provide a method, an apparatus, a device, and a medium for processing an access session of a database, so as to solve the problem that the prior art cannot distinguish the types of access sessions, that is, cannot distinguish operation and maintenance access sessions from application access sessions.
In a first aspect, an embodiment of the present application provides a method for processing an access session of a database, including:
obtaining an access session to a database, wherein the access session comprises a user identifier, a sender internet protocol address, a database operation statement and sending time;
determining the type of the access session according to the user identifier, the sender internet protocol address and the database operation statement, or determining the type of the access session according to an access session classification model and the user identifier, the sender internet protocol address, the sending time and the database operation statement, wherein the access session classification model is a pre-trained calculation model for determining the type of the access session according to the user identifier, the sender internet protocol address, the sending time and the database operation statement, and the type of the access session comprises an operation and maintenance access session and an application access session.
In a specific embodiment, the determining the type of the access session according to the user identifier, the sender internet protocol address, and the database operation statement includes:
if the user identifier belongs to a preset application-type user identifier set, the sender internet protocol address belongs to a preset application-type internet protocol address set, and the type of the database operation statement belongs to a preset application-type database operation statement type set, determining that the type of the access session is an application access session.
In a specific embodiment, the determining the type of the access session according to the user identifier, the sender internet protocol address, and the database operation statement includes:
if the user identifier does not belong to a preset application-type user identifier set, or the sender internet protocol address does not belong to a preset application-type internet protocol address set, or the type of the database operation statement does not belong to a preset application-type database operation statement type set, determining that the type of the access session is an operation and maintenance access session.
In a specific embodiment, the determining the type of the access session according to the access session classification model and the user identifier, the sender internet protocol address, the sending time, and the database operation statement includes:
inputting the user identifier, the sender internet protocol address, the sending time and the database operation statement into the access session classification model to obtain the type of the access session.
In one embodiment, the method further comprises:
if the type of the access session is an application access session, updating the type of the access session according to a preset application-type user identifier set, a preset application-type internet protocol address set, a preset application-type database operation statement type set, the user identifier, the sender internet protocol address and the database operation statement.
In a specific embodiment, the updating the type of the access session according to a preset application type user identifier set, a preset application type internet protocol address set, a preset application type database operation statement type set, the user identifier, the sender internet protocol address, and the database operation statement includes:
if the user identifier does not belong to a preset application-type user identifier set, or the sender internet protocol address does not belong to a preset application-type internet protocol address set, or the type of the database operation statement does not belong to a preset application-type database operation statement type set, updating the type of the access session to an operation and maintenance access session.
In one embodiment, before the obtaining the access session to the database, the method further comprises:
acquiring a plurality of groups of training data, wherein each group of training data comprises a user identifier, a sender internet protocol address, a sending time, a database operation statement and an access session type label, and the access session type label is either an operation and maintenance access session label or an application access session label;
and training a preset supervised learning model with the plurality of groups of training data to obtain the access session classification model.
In a second aspect, an embodiment of the present application provides an access session processing apparatus for a database, including:
an acquisition module, configured to obtain an access session to a database, wherein the access session comprises a user identifier, a sender internet protocol address, a database operation statement and a sending time;
and a processing module, configured to determine the type of the access session according to the user identifier, the sender internet protocol address and the database operation statement, or to determine the type of the access session according to an access session classification model and the user identifier, the sender internet protocol address, the sending time and the database operation statement, wherein the access session classification model is a pre-trained calculation model for determining the type of the access session according to the user identifier, the sender internet protocol address, the sending time and the database operation statement, and the type of the access session comprises an operation and maintenance access session and an application access session.
In a third aspect, an embodiment of the present application provides an electronic device, including:
a processor, a memory, a communication interface;
the memory is used for storing executable instructions of the processor;
wherein the processor is configured to perform the method of access session handling of a database of any of the first aspects via execution of the executable instructions.
In a fourth aspect, the present application provides a readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the access session processing method for the database according to any one of the first aspect.
In a fifth aspect, the present application provides a computer program product, which includes a computer program, and when the computer program is executed by a processor, the computer program is used to implement the access session processing method for the database according to any one of the first aspect.
With the method, device, equipment and medium for processing an access session of a database provided by the present application, after the access session is obtained, its type is determined either from the user identifier, the sender internet protocol address and the database operation statement in the access session, or from the access session classification model together with the user identifier, the sender internet protocol address and the database operation statement in the access session. The scheme thus determines the type of the access session from the information in the access session itself, and distinguishes operation and maintenance access sessions from application access sessions.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings used in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present application, and those skilled in the art can obtain other drawings without inventive labor.
Fig. 1 is a schematic flowchart of a first embodiment of a processing method for an access session of a database provided by the present application;
Fig. 2 is a schematic flowchart of a second embodiment of a database access session processing method provided in the present application;
Fig. 3 is a schematic flowchart of a third embodiment of a processing method for an access session of a database provided by the present application;
Fig. 4 is a schematic flowchart of a fourth embodiment of a database access session processing method provided in the present application;
Fig. 5 is a schematic structural diagram of an embodiment of an access session processing apparatus for a database provided in the present application;
Fig. 6 is a schematic structural diagram of an electronic device provided in the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments that can be made by one skilled in the art based on the embodiments in the present application in light of the present disclosure are within the scope of the present application.
The terms "first," "second," "third," "fourth," and the like in the description and in the claims of the present application and in the above-described drawings (if any) are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the application described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
With the development of science and technology, more and more data are generated in every field, and managing that data in a database is a simple and effective approach. If abnormal operations are performed on a database, the data in it can be damaged. To reduce this risk, the operations performed when accessing the database can be supervised through database auditing.
In the prior art, when the server corresponding to a database receives an access session, it can parse the access session and record and forward the operations that the session performs on the database. However, access sessions are of two types: operation and maintenance access sessions and application access sessions. Anomalies are more likely to occur when the server operates on the database according to an operation and maintenance access session, so auditing only the operation and maintenance access sessions can improve auditing efficiency and reduce the memory space occupied. The prior art cannot distinguish the types of access sessions, so a method for processing an access session of a database is urgently needed to distinguish operation and maintenance access sessions from application access sessions.
In view of these problems in the prior art, the inventor found, while researching access session processing methods for databases, that the type of an access session can be determined from the information in the access session. After the access session of the database is obtained, its type can be determined according to the user identifier, the sender internet protocol address and the database operation statement in the access session, together with the preset application-type user identifier set, the preset application-type internet protocol address set and the preset application-type database operation statement type set. The type can also be determined according to the access session classification model and the user identifier, the sender internet protocol address, the sending time and the database operation statement in the access session. Alternatively, the type can first be determined according to the access session classification model and the user identifier, the sender internet protocol address, the sending time and the database operation statement in the access session, and, when the determined type is an application access session, be updated according to the user identifier, the sender internet protocol address and the database operation statement in the access session, together with the preset application-type user identifier set, the preset application-type internet protocol address set and the preset application-type database operation statement type set. The access session processing scheme of the present application is designed on the basis of this inventive concept.
The execution subject of the access session processing method of the database in the present application may be a server, or may be a device such as a computer or a terminal device, and the present application is not limited thereto.
An application scenario of the method for processing an access session of a database provided by the present application is described below.
Illustratively, in the application scenario, an operation and maintenance person uses a terminal device to access a database, and the terminal device sends an access session to a server corresponding to the database.
When the server receives the access session, it obtains the user identifier, the sender internet protocol address, the sending time and the database operation statement, and inputs them into the access session classification model to obtain the type of the access session. If the type obtained is an operation and maintenance access session, the session is audited.
If the type obtained is an application access session, then, to make sure the type is correct, the type of the access session is determined again according to the user identifier, the sender internet protocol address and the database operation statement in the access session, together with the preset application-type user identifier set, the preset application-type internet protocol address set and the preset application-type database operation statement type set.
If the type determined again is an operation and maintenance access session, the session is audited. If the type determined again is an application access session, the session is not audited.
It should be noted that the above scenario is only an example of an application scenario provided in the embodiment of the present application, and the embodiment of the present application does not limit actual forms of various devices included in the scenario, nor limits an interaction manner between the devices, and in a specific application of a scheme, the scenario may be set according to actual requirements.
Hereinafter, the technical means of the present application will be described in detail by specific examples. It should be noted that the following specific embodiments may be combined with each other, and the same or similar concepts or processes may not be described in detail in some embodiments.
Fig. 1 is a schematic flow diagram of a first embodiment of a method for processing an access session of a database according to the present application, which is used for explaining a situation in which a server acquires an access session and determines an access session type according to information in the access session. The method in this embodiment may be implemented by software, hardware, or a combination of software and hardware. As shown in fig. 1, the method for processing an access session of a database specifically includes the following steps:
S101: Obtaining an access session to a database.
When an application program running on an application server accesses the database, it sends an access session to the server corresponding to the database. When operation and maintenance personnel want to access the database, they send an access session to the server corresponding to the database through a terminal device.
In this step, after the server running the application program or the terminal device sends the access session to the server corresponding to the database, the server corresponding to the database obtains the access session to the database, so that the type of the access session can subsequently be determined. The access session includes a user identifier, a sender internet protocol address, a database operation statement, and a sending time.
When the execution subject in this embodiment is not the server corresponding to the database but another server, or a device such as a computer or a terminal device, the server corresponding to the database may send the access session to the execution subject after receiving it, so that the execution subject can determine the type of the access session.
S102: Determining the type of the access session according to the user identifier, the sender internet protocol address and the database operation statement, or determining the type of the access session according to the access session classification model, the user identifier, the sender internet protocol address, the sending time and the database operation statement.
In this step, after the server obtains the access session to the database, the type of the access session may be determined according to whether the user identifier, the sender internet protocol address, and the database operation statement in the access session belong to the corresponding sets. The types of access sessions include operation and maintenance access sessions and application access sessions.
The type of the access session can also be determined according to the access session classification model and the user identifier, the sender internet protocol address, the sending time and the database operation statement in the access session. The access session classification model is a pre-trained calculation model used for determining the type of the access session according to the user identifier, the sender internet protocol address, the sending time and the database operation statement. Because the model is trained on user identifiers, sender internet protocol addresses, sending times, database operation statements and access session type labels, and the labels are operation and maintenance access session labels and application access session labels, the user identifier, the sender internet protocol address, the sending time and the database operation statement in the access session can be input into the model to obtain the type of the access session.
After the type of the access session is determined according to the access session classification model, the user identifier in the access session, the internet protocol address of the sender, and the database operation statement, if the determined type of the access session is the application access session, the type of the access session is updated according to the user identifier in the access session, the internet protocol address of the sender, and the database operation statement.
After the server determines the type of the access session, only the operation and maintenance access sessions need to be audited subsequently, which improves auditing efficiency and reduces the memory space occupied. Access sessions of the operation and maintenance type can also be processed further, for example by monitoring those operation and maintenance access sessions that meet a monitoring condition, which improves monitoring efficiency. The session type can also be combined with an observed access anomaly to determine its cause: when access sessions that log in to the database occur many times and the logins fail, the type of the session indicates whether the cause is an improperly configured application program or a malicious login attempt by a person.
In the method for processing an access session of a database provided in this embodiment, the type of the access session is determined according to the user identifier, the internet protocol address of the sending party, and the database operation statement in the access session, and/or according to the classification model of the access session and the user identifier, the internet protocol address of the sending party, the sending time, and the database operation statement in the access session. Compared with the prior art that the access session is not subjected to type distinguishing processing, the method and the device for distinguishing the type of the access session can determine that the type of the access session is the operation and maintenance access session or the application access session through the information in the access session, so that the type of the access session is distinguished, the auditing efficiency can be effectively improved, and the occupied space of a memory can be reduced.
Fig. 2 is a schematic flow diagram of a second embodiment of a method for processing an access session of a database according to the present application, where on the basis of the foregoing embodiments, in the embodiment of the present application, a case where a server determines an access session type according to a user identifier, an internet protocol address of a sender, a database operation statement, a preset application-type user identifier set, a preset application-type internet protocol address set, and a preset application-type database operation statement type set in an access session is described. As shown in fig. 2, the method for processing an access session of a database specifically includes the following steps:
S201: Obtaining an access session to a database.
It should be noted that this step is similar to step S101 in the first embodiment, and is not described here again.
S202: Judging whether the user identifier belongs to a preset application-type user identifier set; if the user identifier belongs to the preset application-type user identifier set, executing step S203; if the user identifier does not belong to the preset application-type user identifier set, executing step S206.
S203: Judging whether the sender internet protocol address belongs to a preset application-type internet protocol address set; if the sender internet protocol address belongs to the preset application-type internet protocol address set, executing step S204; if the sender internet protocol address does not belong to the preset application-type internet protocol address set, executing step S206.
S204: Judging whether the type of the database operation statement belongs to a preset application-type database operation statement type set; if the type of the database operation statement belongs to the preset application-type database operation statement type set, executing step S205; if the type of the database operation statement does not belong to the preset application-type database operation statement type set, executing step S206.
S205: Determining the type of the access session as an application access session.
S206: Determining the type of the access session as an operation and maintenance access session.
In the above steps, after the server obtains the access session to the database, the type of the access session can be determined according to the information in the access session. Because the user identifier, the sender internet protocol address and the database operation statement type of an access session of the application type all fall within known ranges, it can first be judged whether the user identifier in the access session belongs to the preset application-type user identifier set.
If the user identifier in the access session does not belong to the preset application type user identifier set, it is indicated that the type of the access session is not an application access session but an operation and maintenance access session, and the type of the access session is determined to be the operation and maintenance access session.
If the user identifier in the access session belongs to the preset application-type user identifier set, then, to improve the accuracy of the determination, it is further judged whether the sender internet protocol address in the access session belongs to the preset application-type internet protocol address set.
If the sender internet protocol address in the access session does not belong to the preset application-type internet protocol address set, the access session is not an application access session but an operation and maintenance access session, and its type is determined to be an operation and maintenance access session.
If the sender internet protocol address in the access session belongs to the preset application-type internet protocol address set, then, to improve the accuracy of the determination, it is further judged whether the type of the database operation statement in the access session belongs to the preset application-type database operation statement type set.
If the type of the database operation statement in the access session belongs to the preset application type database operation statement type set, the type of the access session is the application access session, and the type of the access session is determined to be the application access session.
If the type of the database operation statement in the access session does not belong to the preset application type database operation statement type set, it is indicated that the type of the access session is not an application access session but an operation and maintenance access session, and the type of the access session is determined to be the operation and maintenance access session.
It should be noted that step S203, step S204 and step S205 may be executed in the order step S203, then step S204, and finally step S205. Alternatively, step S205 may be executed first, then step S204, and finally step S203, or step S204 first, then step S205, and finally step S203. The execution order of steps S203, S204, and S205 is not limited in the embodiment of the present application and may be set according to the actual situation.
It should be noted that the preset application type user identifier set, the preset application type internet protocol address set and the preset application type database operation statement type set are set by the staff according to historical access sessions and are used for determining the type of the access session. These three sets are not limited in the embodiment of the application and can be set according to the actual situation.
According to the method for processing the access session of the database provided by this embodiment, the type of the access session is determined according to the user identifier, the sender internet protocol address and the database operation statement in the access session, together with the preset application type user identifier set, the preset application type internet protocol address set and the preset application type database operation statement type set. This distinguishes whether the access session is an application access session or an operation and maintenance access session, so that only the operation and maintenance access sessions are audited subsequently, which can improve the auditing efficiency.
Fig. 3 is a schematic flow diagram of a third embodiment of a method for processing an access session of a database according to the present application. On the basis of the foregoing embodiments, this embodiment describes the case in which the server determines the type of the access session according to the access session classification model and the user identifier, sender internet protocol address, sending time and database operation statement in the access session, and, when the determined type is an application access session, updates the type of the access session according to the user identifier, sender internet protocol address and database operation statement in the access session. As shown in Fig. 3, the method for processing an access session of a database specifically includes the following steps:
S301: Input the user identifier, the sender internet protocol address, the sending time and the database operation statement into the access session classification model to obtain the type of the access session.
In this step, after the server obtains the access session to the database, since the access session classification model is a calculation model for classifying access sessions, the user identifier, the sender internet protocol address, the sending time, and the database operation statement in the access session can be input into the access session classification model to obtain the type of the access session.
S302: judging whether the type of the access session is an application access session or not; if the type of the access session is an operation and maintenance access session, executing step S303; if the type of the access session is an application access session, step S304 is executed.
S303: the type of access session is not updated.
In the above steps, after the server obtains the type of the access session according to the access session classification model, it further determines whether the type of the access session is an application access session. This ensures that operation and maintenance access sessions are not missed during subsequent examination, reduces the rate at which the operation and maintenance access session type is missed, and improves the accuracy of judging the type of the access session.
If the type of the access session is the operation and maintenance access session, the access session does not need to be processed further: the type of the access session is not updated, and it remains the operation and maintenance access session.
S304: Update the type of the access session according to a preset application type user identifier set, a preset application type internet protocol address set, a preset application type database operation statement type set, the user identifier, the sender internet protocol address and the database operation statement.
In this step, if the type of the access session is an application access session, the type of the access session needs to be determined again, in order to reduce the rate at which the operation and maintenance access session type is missed and to ensure that operation and maintenance access sessions are not missed in the subsequent examination.
The type of the access session is updated according to the preset application type user identifier set, the preset application type internet protocol address set, the preset application type database operation statement type set, and the user identifier, sender internet protocol address and database operation statement in the access session.
If the user identifier in the access session does not belong to the preset application type user identifier set, or the sender internet protocol address in the access session does not belong to the preset application type internet protocol address set, or the type of the database operation statement in the access session does not belong to the preset application type database operation statement type set, the type of the access session is updated to the operation and maintenance access session.
If the user identifier in the access session belongs to the preset application type user identifier set, the sender internet protocol address in the access session belongs to the preset application type internet protocol address set, and the type of the database operation statement in the access session belongs to the preset application type database operation statement type set, the type of the access session is determined to still be the application access session.
It should be noted that an access session whose type is determined to be the application access session by the access session classification model, and is then determined to be the operation and maintenance access session according to the user identifier, sender internet protocol address and database operation statement in the access session, can be stored. When the number of stored access sessions is equal to the preset number, the access session classification model can be trained further according to the user identifier, sender internet protocol address, sending time, database operation statement and operation and maintenance access session label of those access sessions. The preset number may be 5000, 6000 or 12000; it is not limited in the embodiment of the present application and may be set according to the actual situation.
In the method for processing the access session of the database provided by this embodiment, after the type of the access session is determined according to the access session classification model, if the type of the access session is the application access session, the type of the access session is further updated according to the user identifier, the sender internet protocol address, and the database operation statement in the access session, so that the accuracy of determining the type of the access session is effectively improved.
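The rule check of the second embodiment and the model-then-rules flow of steps S301 to S304, including the storing of overridden sessions for further training, as an added Python example that is not part of the patent. The contents of the preset sets, the `stand_in_model` function, the naive `;` split used to derive statement types, and all sample sessions are assumptions constructed for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Callable, List

APPLICATION = "application"
OPS = "operation_and_maintenance"

@dataclass(frozen=True)
class AccessSession:
    user_id: str
    sender_ip: str
    statement: str
    sent_at: str  # sending time; only the model consumes it

@dataclass(frozen=True)
class Presets:
    """The three preset application-type sets (contents are assumptions)."""
    user_ids: frozenset
    networks: tuple
    statement_types: frozenset

_LEADING_COMMENT = re.compile(r"^\s*(?:/\*.*?\*/|--[^\n]*\n?)", re.S)

def statement_types(sql: str) -> List[str]:
    """Leading keyword of every ';'-separated statement in the session.

    The split is deliberately naive: a ';' inside a literal or comment yields
    an odd fragment, which sends the session to the audited class (fail closed).
    """
    kinds = []
    for part in sql.split(";"):
        while True:  # peel off any leading comments before the keyword
            stripped = _LEADING_COMMENT.sub("", part, count=1)
            if stripped == part:
                break
            part = stripped
        words = part.split()
        if words:
            kinds.append(words[0].upper())
    return kinds

def classify_by_rules(s: AccessSession, p: Presets) -> str:
    """Application only if all three memberships hold; anything else is O&M."""
    try:
        addr = ipaddress.ip_address(s.sender_ip)
    except ValueError:
        return OPS  # unparseable sender address is audited, never trusted
    kinds = statement_types(s.statement)
    is_app = (
        s.user_id in p.user_ids
        and any(addr in net for net in p.networks)
        and bool(kinds)  # an empty statement is not an application statement
        and all(k in p.statement_types for k in kinds)
    )
    return APPLICATION if is_app else OPS

@dataclass
class HybridClassifier:
    model: Callable[[AccessSession], str]
    presets: Presets
    retrain_threshold: int = 5000
    overridden: List[AccessSession] = field(default_factory=list)

    def classify(self, s: AccessSession) -> str:
        label = self.model(s)                       # S301
        if label != APPLICATION:                    # S302 -> S303: not updated
            return OPS
        label = classify_by_rules(s, self.presets)  # S304: re-check with rules
        if label == OPS:
            self.overridden.append(s)  # kept as an O&M-labelled training sample
        return label

    def retraining_due(self) -> bool:
        # The text triggers at "equal to"; >= also covers a missed trigger.
        return len(self.overridden) >= self.retrain_threshold

PRESETS = Presets(  # constructed values
    user_ids=frozenset({"app_orders"}),
    networks=(ipaddress.ip_network("10.20.0.0/24"),),
    statement_types=frozenset({"SELECT", "INSERT", "UPDATE", "DELETE"}),
)

def stand_in_model(s: AccessSession) -> str:
    # Hypothetical stand-in for the trained access session classification model.
    return APPLICATION if s.user_id.startswith("app_") else OPS

SAMPLE = [  # constructed sessions
    AccessSession("app_orders", "10.20.0.15", "SELECT * FROM orders WHERE id = 7", "2022-12-05T10:00:00"),
    AccessSession("app_orders", "10.20.0.15", "SELECT 1; DROP TABLE orders", "2022-12-05T10:00:01"),
    AccessSession("app_orders", "192.168.5.9", "UPDATE orders SET status = 'paid' WHERE id = 7", "2022-12-05T23:40:00"),
    AccessSession("dba_li", "10.20.0.15", "ALTER TABLE orders ADD COLUMN note TEXT", "2022-12-05T10:05:00"),
    AccessSession("app_orders", "10.20.0.15", "/* hint */ select 1", "2022-12-05T10:06:00"),
]

def demo():
    clf = HybridClassifier(stand_in_model, PRESETS, retrain_threshold=2)
    labels = [clf.classify(s) for s in SAMPLE]
    return labels, len(clf.overridden), clf.retraining_due()
```

Because every failed membership test resolves to the operation and maintenance class, an error in the presets or in statement parsing increases audit volume rather than hiding a session from audit.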
Fig. 4 is a schematic flow chart of a fourth embodiment of the method for processing an access session of a database provided by the present application, and on the basis of the foregoing embodiment, the present application describes a training process of an access session classification model. As shown in fig. 4, the method for processing an access session of a database specifically includes the following steps:
S401: Acquire multiple sets of training data.
In this step, in order to obtain an access session classification model, the server first obtains multiple sets of training data, where each set of training data includes a user identifier, a sender internet protocol, sending time, a database operation statement, and an access session type tag, and the access session type tag includes an operation and maintenance access session tag and an application access session tag.
S402: Perform model training on a preset supervised learning model using the multiple sets of training data to obtain the access session classification model.
In this step, after obtaining the multiple sets of training data, the server inputs them into a preset supervised learning model that has a preset classification algorithm, and updates the parameters of the preset classification algorithm according to the user identifier, the sender internet protocol address, the sending time, the database operation statement, and the access session type label, thereby obtaining the access session classification model.
It should be noted that the preset classification algorithm may be a K-nearest neighbor algorithm, a naive bayes algorithm, a decision tree algorithm, or the like, and the preset classification algorithm is not limited in the embodiment of the present application and can be selected according to actual situations.
According to the method for processing the access session of the database, the supervised learning model is subjected to model training according to the user identification, the internet protocol of the sender, the sending time, the database operation statement and the access session type label in the access session to obtain the access session classification model, so that the accuracy of determining the access session type can be effectively improved.
The following are embodiments of the apparatus of the present application that may be used to perform embodiments of the method of the present application. For details which are not disclosed in the embodiments of the apparatus of the present application, reference is made to the embodiments of the method of the present application.
Fig. 5 is a schematic structural diagram of an embodiment of an access session processing apparatus for a database provided in the present application.
As shown in fig. 5, the database access session processing device 50 includes:
an obtaining module 51, configured to obtain an access session to a database, where the access session includes a user identifier, a sender internet protocol address, a database operation statement, and sending time;
a processing module 52, configured to determine the type of the access session according to the user identifier, the sender internet protocol address, and the database operation statement, or determine the type of the access session according to an access session classification model and the user identifier, the sender internet protocol, the sending time, and the database operation statement, where the access session classification model is a pre-trained calculation model for determining the type of the access session according to the user identifier, the sender internet protocol, the sending time, and the database operation statement, and the type of the access session includes an operation and maintenance access session and an application access session.
Further, the processing module 52 is specifically configured to:
if the user identifier belongs to a preset application type user identifier set, the sender internet protocol address belongs to a preset application type internet protocol address set, and the type of the database operation statement belongs to a preset application type database operation statement type set, determine the type of the access session to be an application access session.
Further, the processing module 52 is specifically configured to:
if the user identifier does not belong to a preset application type user identifier set, or the sender internet protocol address does not belong to a preset application type internet protocol address set, or the type of the database operation statement does not belong to a preset application type database operation statement type set, determine the type of the access session to be an operation and maintenance access session.
Further, the processing module 52 is specifically configured to:
input the user identifier, the sender internet protocol address, the sending time and the database operation statement into the access session classification model to obtain the type of the access session.
Further, the processing module 52 is specifically configured to:
if the type of the access session is an application access session, update the type of the access session according to a preset application type user identifier set, a preset application type internet protocol address set, a preset application type database operation statement type set, the user identifier, the sender internet protocol address and the database operation statement.
Further, the processing module 52 is specifically configured to:
if the user identifier does not belong to a preset application type user identifier set, or the sender internet protocol address does not belong to a preset application type internet protocol address set, or the type of the database operation statement does not belong to a preset application type database operation statement type set, update the type of the access session to an operation and maintenance access session.
Further, the obtaining module 51 is further configured to:
acquire a plurality of groups of training data, wherein each group of training data comprises a user identifier, a sender internet protocol address, sending time, a database operation statement and an access session type label, and the access session type label comprises an operation and maintenance access session label and an application access session label.
Further, the processing module 52 is further configured to:
perform model training on a preset supervised learning model using the multiple groups of training data to obtain the access session classification model.
The access session processing apparatus for a database provided in this embodiment is configured to execute the technical solution in any one of the foregoing method embodiments, and the implementation principle and the technical effect are similar, which are not described herein again.
Fig. 6 is a schematic structural diagram of an electronic device provided in the present application. As shown in fig. 6, the electronic device 60 includes:
a processor 61, a memory 62, and a communication interface 63;
the memory 62 is used for storing executable instructions of the processor 61;
wherein the processor 61 is configured to perform the technical solution of any of the preceding method embodiments via executing the executable instructions.
Optionally, the memory 62 may be separate from or integrated with the processor 61.
Optionally, when the memory 62 is a device independent from the processor 61, the electronic device 60 may further include:
a bus 64, through which the memory 62 and the communication interface 63 are connected to the processor 61 and communicate with each other; the communication interface 63 is used for communicating with other devices.
Optionally, the communication interface 63 may be implemented by a transceiver. The communication interface is used for realizing communication between the database access device and other equipment (such as a client, a read-write library and a read-only library). The memory may comprise random access memory (RAM) and may also include non-volatile memory, such as at least one disk memory.
The bus 64 may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown, but this does not mean that there is only one bus or one type of bus.
The processor may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), and the like; it may also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic, or discrete hardware components.
The electronic device is configured to execute the technical solution in any one of the foregoing method embodiments, and the implementation principle and the technical effect are similar, which are not described herein again.
The embodiment of the present application further provides a readable storage medium, on which a computer program is stored, and the computer program, when executed by a processor, implements the technical solutions provided by any of the foregoing method embodiments.
The embodiment of the present application further provides a computer program product, which includes a computer program, and the computer program is used for implementing the technical solution provided by any of the foregoing method embodiments when being executed by a processor.
Those of ordinary skill in the art will understand that: all or a portion of the steps of implementing the above-described method embodiments may be performed by hardware associated with program instructions. The program may be stored in a computer-readable storage medium. When executed, the program performs steps comprising the method embodiments described above; and the aforementioned storage medium includes: various media that can store program codes, such as ROM, RAM, magnetic or optical disks.
Finally, it should be noted that: the above embodiments are only used to illustrate the technical solutions of the present application, and not to limit the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; and the modifications or the substitutions do not make the essence of the corresponding technical solutions depart from the scope of the technical solutions of the embodiments of the present application.

Claims (11)

1. A method for processing an access session of a database, comprising:
obtaining an access session to a database, wherein the access session comprises a user identifier, a sender internet protocol address, a database operation statement and sending time;
determining the type of the access session according to the user identifier, the sender internet protocol address and the database operation statement, or determining the type of the access session according to an access session classification model and the user identifier, the sender internet protocol address, the sending time and the database operation statement, wherein the access session classification model is a pre-trained calculation model for determining the type of the access session according to the user identifier, the sender internet protocol address, the sending time and the database operation statement, and the type of the access session comprises an operation and maintenance access session and an application access session.
2. The method of claim 1, wherein determining the type of the access session based on the user identifier, the sender internet protocol address, and the database operation statement comprises:
if the user identifier belongs to a preset application type user identifier set, the sender internet protocol address belongs to a preset application type internet protocol address set, and the type of the database operation statement belongs to a preset application type database operation statement type set, determining the type of the access session as an application access session.
3. The method of claim 1, wherein determining the type of the access session based on the user identification, the sender internet protocol address, and the database operation statement comprises:
if the user identifier does not belong to a preset application type user identifier set, or the sender internet protocol address does not belong to a preset application type internet protocol address set, or the type of the database operation statement does not belong to a preset application type database operation statement type set, determining that the type of the access session is an operation and maintenance access session.
4. The method of claim 1, wherein determining the type of the access session based on the access session classification model and the user identification, the sender internet protocol address, the sending time, and the database operation statement comprises:
inputting the user identifier, the sender internet protocol address, the sending time and the database operation statement into the access session classification model to obtain the type of the access session.
5. The method of claim 4, further comprising:
if the type of the access session is an application access session, updating the type of the access session according to a preset application type user identifier set, a preset application type internet protocol address set, a preset application type database operation statement type set, the user identifier, the sender internet protocol address and the database operation statement.
6. The method of claim 5, wherein updating the type of the access session according to a set of predetermined application-type user identifiers, a set of predetermined application-type IP addresses, a set of predetermined application-type database operation statement types, and the user identifier, the sender IP address, and the database operation statement comprises:
if the user identifier does not belong to a preset application type user identifier set, or the sender internet protocol address does not belong to a preset application type internet protocol address set, or the type of the database operation statement does not belong to a preset application type database operation statement type set, updating the type of the access session to be an operation and maintenance access session.
7. The method of claim 1, wherein prior to the obtaining the access session to the database, the method further comprises:
acquiring a plurality of groups of training data, wherein each group of training data comprises a user identifier, a sender internet protocol, sending time, a database operation statement and an access session type label, and the access session type label comprises an operation and maintenance access session label and an application access session label;
and performing model training on a preset supervised learning model by adopting the multiple groups of training data to obtain the access session classification model.
8. An access session processing apparatus for a database, comprising:
an acquisition module, configured to acquire an access session to a database, wherein the access session comprises a user identifier, a sender internet protocol address, a database operation statement and sending time;
a processing module, configured to determine the type of the access session according to the user identifier, the sender internet protocol address and the database operation statement, or to determine the type of the access session according to an access session classification model and the user identifier, the sender internet protocol address, the sending time and the database operation statement, wherein the access session classification model is a pre-trained calculation model used for determining the type of the access session according to the user identifier, the sender internet protocol address, the sending time and the database operation statement, and the type of the access session comprises an operation and maintenance access session and an application access session.
9. An electronic device, comprising:
a processor, a memory, a communication interface;
the memory is used for storing executable instructions of the processor;
wherein the processor is configured to perform the access session handling method of the database of any of claims 1 to 7 via execution of the executable instructions.
10. A readable storage medium on which a computer program is stored, the computer program, when executed by a processor, implementing an access session processing method for a database according to any one of claims 1 to 7.
11. A computer program product comprising a computer program which, when executed by a processor, is adapted to carry out the method of processing an access session for a database according to any one of claims 1 to 7.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211549869.2A CN115914334A (en) 2022-12-05 2022-12-05 Method, device, equipment and medium for processing access session of database

Publications (1)

Publication Number Publication Date
CN115914334A true CN115914334A (en) 2023-04-04

Family

ID=86496779

Country Status (1)

Country Link
CN (1) CN115914334A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination