CN116089390A - Database security audit method - Google Patents


Publication number
CN116089390A
Authority
CN
China
Prior art keywords
database
audit
information
audited
result
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
CN202310068565.2A
Other languages
Chinese (zh)
Inventor
廉明
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Changshi Shuan Technology Co ltd
Original Assignee
Changshi Shuan Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Changshi Shuan Technology Co ltd
Priority to CN202310068565.2A
Publication of CN116089390A
Withdrawn

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/10 File systems; File servers
    • G06F16/18 File system types
    • G06F16/1805 Append-only file systems, e.g. using logs or journals to store data
    • G06F16/1815 Journaling file systems
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/21 Design, administration or maintenance of databases
    • G06F16/211 Schema design and management
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Databases & Information Systems (AREA)
  • Data Mining & Analysis (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention relates to database auditing, and in particular to a database security audit method comprising: receiving a database audit request and extracting information on the database to be audited from the request; acquiring a database log of the database to be audited according to that information, and receiving a database audit rule configured by an audit user; matching the database log against the database audit rule, and obtaining a first database audit result based on the matching result; extracting information on a plurality of operating users from the database log, and screening that information to obtain target user information; judging the rationality of the target user's operation characteristics, and obtaining a second database audit result based on the judgment result; and combining the first and second database audit results and analyzing them to obtain a database security audit result. The technical solution provided by the invention can effectively overcome the defect that audit results contain errors because only the database log of the database to be audited is analyzed.

Description

Database security audit method
Technical Field
The invention relates to database auditing, and in particular to a database security audit method.
Background
The development of the Internet has brought massive growth in data of all kinds. Database technology, as the foundation of data storage, bears directly on data security and also affects the basis for many decisions. Technological development brings positive effects but also threatens databases, for example through misuse of resources, leakage of confidential enterprise information, and hacking, all of which place higher demands on database security auditing.
Database audit, DBAudit for short, records database activity on a network in real time, performs fine-grained compliance auditing of database operations, raises alarms on risky behavior directed at the database, and blocks attacks. By recording and analyzing how users access the database, it helps users generate compliance reports after the fact and trace the source of incidents, strengthens the recording of network behavior for internal and external databases, and improves the security of data assets.
However, existing database security audits generally analyze only the database log of the database to be audited, which easily leads to errors in the database security audit result.
Disclosure of Invention
(I) Technical problem to be solved
In view of the defects of the prior art, the invention provides a database security audit method that can effectively overcome the prior-art defect that audit results contain errors because only the database log of the database to be audited is analyzed.
(II) Technical solution
To achieve the above purpose, the invention is realized by the following technical solution:
A database security audit method comprising the following steps:
S1, receiving a database audit request, and extracting information on the database to be audited from the database audit request;
S2, acquiring a database log of the database to be audited according to the information on the database to be audited, and receiving a database audit rule configured by an audit user;
S3, matching the database log against the database audit rule, and obtaining a first database audit result based on the matching result;
S4, extracting information on a plurality of operating users from the database log, and screening the operating user information to obtain target user information;
S5, judging the rationality of the target user's operation characteristics, and obtaining a second database audit result based on the judgment result;
S6, combining the first database audit result and the second database audit result, and analyzing them to obtain a database security audit result.
Preferably, in S2, acquiring the database log of the database to be audited according to the information on the database to be audited comprises:
calling a preset monitoring program, monitoring the database to be audited with the preset monitoring program according to the information on the database to be audited, and generating the database log of the database to be audited from the monitoring information.
Preferably, in S2, acquiring the database log of the database to be audited according to the information on the database to be audited comprises:
determining the database to be audited according to the information on the database to be audited, receiving the database logs of the database to be audited sent by each distributed log data acquisition agent, placing the received database logs in a designated queue, and acquiring the database log of the database to be audited from the designated queue.
Preferably, in S3, matching the database log against the database audit rule and obtaining a first database audit result based on the matching result comprises:
periodically matching the statements in the database log against the database audit rule, and obtaining the first database audit result based on the matching result;
wherein the database audit rule comprises audit states and corresponding audit state activation identifiers.
Preferably, periodically matching the statements in the database log against the database audit rule and obtaining the first database audit result based on the matching result comprises:
determining the audit state activation identifier in the database audit rule, and periodically matching the statements in the database log against the audit state activation identifier;
if a statement in the database log contains the audit state activation identifier, outputting a first database audit result indicating that the content of the database to be audited is at risk; otherwise, outputting a first database audit result indicating that the content of the database to be audited is not at risk.
Preferably, in S4, extracting information on a plurality of operating users from the database log and screening the operating user information to obtain target user information comprises:
extracting information on a plurality of operating users from the database log, and determining the legitimacy characteristics corresponding to each operating user based on the operating user information;
screening the operating user information according to the legitimacy characteristics to obtain the target user information.
Preferably, in S5, judging the rationality of the target user's operation characteristics and obtaining a second database audit result based on the judgment result comprises:
acquiring corresponding operation behavior reference information according to the target user information, judging the rationality of the target user's operation characteristics using the operation behavior reference information, and obtaining the second database audit result based on the judgment result.
Preferably, acquiring the corresponding operation behavior reference information according to the target user information comprises:
acquiring historical user information, which contains operating user information, and the corresponding historical operation information, generating vector information from the historical user information and the historical operation information, and acquiring weight information and bias matrix information for the historical user information and the historical operation information;
generating operation behavior reference information from the vector information, the weight information and the bias matrix information of the historical user information and the historical operation information, and storing the operation behavior reference information in an operation behavior database;
acquiring the corresponding operation behavior reference information from the operation behavior database according to the target user information.
Preferably, judging the rationality of the target user's operation characteristics using the operation behavior reference information and obtaining the second database audit result based on the judgment result comprises:
acquiring the corresponding reasonable operation behaviors from the operation behavior reference information according to the target user information, and judging the rationality of the target user's operation characteristics against the reasonable operation behaviors;
if any operation characteristic of the target user does not conform to the reasonable operation behaviors, outputting a second database audit result indicating that a user of the database to be audited is at risk; otherwise, outputting a second database audit result indicating that the users of the database to be audited are not at risk.
(III) Beneficial effects
Compared with the prior art, the database security audit method provided by the invention has the following beneficial effects:
1) A database audit request is received, information on the database to be audited is extracted from it, the database log of the database to be audited is acquired according to that information, a database audit rule configured by an audit user is received, the database log is matched against the database audit rule, and a first database audit result is obtained based on the matching result. Configuring database audit rules makes it possible to perform an effective security audit of the database log and obtain the first database audit result, which concerns the database content;
2) Information on a plurality of operating users is extracted from the database log and screened to obtain target user information, the rationality of the target user's operation characteristics is judged, and a second database audit result is obtained based on the judgment result. Judging the rationality of the target user's operation characteristics makes it possible to perform an effective security audit of the operating users and obtain the second database audit result, which concerns the database users;
3) The first database audit result and the second database audit result are combined, so that the security audit findings for both the database content and the database users are fully taken into account, and the database security audit result obtained by the final analysis is more accurate and comprehensive.
Drawings
To illustrate the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings used in the description of the embodiments or the prior art are briefly described below. The drawings described below are evidently only some embodiments of the present invention, and a person of ordinary skill in the art can obtain other drawings from them without inventive effort.
FIG. 1 is a schematic flow chart of the present invention;
FIG. 2 is a schematic flow chart of obtaining the first database audit result based on the result of matching the database log against the database audit rule in the present invention;
FIG. 3 is a schematic flow chart of obtaining the second database audit result based on the result of the rationality judgment of the target user's operation characteristics in the present invention.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions of the embodiments are described clearly and completely below with reference to the accompanying drawings. The described embodiments are evidently some, but not all, of the embodiments of the invention. All other embodiments obtained by those skilled in the art on the basis of these embodiments without inventive effort fall within the scope of the invention.
A database security audit method, as shown in FIG. 1 and FIG. 2, proceeds as follows. (1) A database audit request is received, and information on the database to be audited is extracted from the database audit request.
(2) A database log of the database to be audited is acquired according to the information on the database to be audited, and a database audit rule configured by an audit user is received.
1) Acquiring the database log of the database to be audited according to the information on the database to be audited comprises:
calling a preset monitoring program, monitoring the database to be audited with the preset monitoring program according to the information on the database to be audited, and generating the database log of the database to be audited from the monitoring information.
2) Acquiring the database log of the database to be audited according to the information on the database to be audited comprises:
determining the database to be audited according to the information on the database to be audited, receiving the database logs of the database to be audited sent by each distributed log data acquisition agent, placing the received database logs in a designated queue, and acquiring the database log of the database to be audited from the designated queue.
(3) The database log is matched against the database audit rule, and a first database audit result is obtained based on the matching result, which specifically comprises:
periodically matching the statements in the database log against the database audit rule, and obtaining the first database audit result based on the matching result;
wherein the database audit rule comprises audit states and corresponding audit state activation identifiers.
Periodically matching the statements in the database log against the database audit rule and obtaining the first database audit result based on the matching result comprises:
determining the audit state activation identifier in the database audit rule, and periodically matching the statements in the database log against the audit state activation identifier;
if a statement in the database log contains the audit state activation identifier, outputting a first database audit result indicating that the content of the database to be audited is at risk; otherwise, outputting a first database audit result indicating that the content of the database to be audited is not at risk.
In this technical solution, a database audit request is received, information on the database to be audited is extracted from it, the database log of the database to be audited is acquired according to that information, the database log is matched against the database audit rule configured by the audit user, and a first database audit result is obtained based on the matching result. Configuring database audit rules makes it possible to perform an effective security audit of the database log and obtain the first database audit result, which concerns the database content.
As shown in FIG. 1 and FIG. 3, (4) information on a plurality of operating users is extracted from the database log, and the operating user information is screened to obtain target user information, which specifically comprises:
extracting information on a plurality of operating users from the database log, and determining the legitimacy characteristics corresponding to each operating user based on the operating user information;
screening the operating user information according to the legitimacy characteristics to obtain the target user information.
(5) The rationality of the target user's operation characteristics is judged, and a second database audit result is obtained based on the judgment result, which specifically comprises:
acquiring corresponding operation behavior reference information according to the target user information, judging the rationality of the target user's operation characteristics using the operation behavior reference information, and obtaining the second database audit result based on the judgment result.
1) Acquiring the corresponding operation behavior reference information according to the target user information comprises:
acquiring historical user information, which contains operating user information, and the corresponding historical operation information, generating vector information from the historical user information and the historical operation information, and acquiring weight information and bias matrix information for the historical user information and the historical operation information;
generating operation behavior reference information from the vector information, the weight information and the bias matrix information of the historical user information and the historical operation information, and storing the operation behavior reference information in an operation behavior database;
acquiring the corresponding operation behavior reference information from the operation behavior database according to the target user information.
2) Judging the rationality of the target user's operation characteristics using the operation behavior reference information and obtaining the second database audit result based on the judgment result comprises:
acquiring the corresponding reasonable operation behaviors from the operation behavior reference information according to the target user information, and judging the rationality of the target user's operation characteristics against the reasonable operation behaviors;
if any operation characteristic of the target user does not conform to the reasonable operation behaviors, outputting a second database audit result indicating that a user of the database to be audited is at risk; otherwise, outputting a second database audit result indicating that the users of the database to be audited are not at risk.
In this technical solution, information on a plurality of operating users is extracted from the database log and screened to obtain target user information, the rationality of the target user's operation characteristics is judged, and a second database audit result is obtained based on the judgment result. Judging the rationality of the target user's operation characteristics makes it possible to perform an effective security audit of the operating users and obtain the second database audit result, which concerns the database users.
(6) The first database audit result and the second database audit result are combined and analyzed to obtain a database security audit result.
In this technical solution, the first database audit result and the second database audit result are combined, so that the security audit findings for both the database content and the database users are fully taken into account, and the database security audit result obtained by the final analysis is more accurate and comprehensive.
The above embodiments only illustrate the technical solution of the present invention and do not limit it. Although the invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that the technical solutions described in the foregoing embodiments can be modified, or some of their technical features replaced by equivalents, and that such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention.
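Steps (3) to (6) above as an added Python sketch, not code from the patent. The log line format, the regex form of the audit state activation identifiers, the known-account list used as the legitimacy characteristic, and the OR combination in step (6) are assumptions; a per-user set of historically seen (operation, table) pairs stands in for the patent's vector/weight/bias reference information, and all log lines are constructed.

```python
import re
from dataclasses import dataclass

# Constructed log format (assumption): "<timestamp> user=<name> stmt=<SQL statement>"
LOG_LINE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) stmt=(?P<stmt>.+)$")
# Keyword that precedes the table name, per operation; crude but enough for the samples.
TABLE_AFTER = {"SELECT": r"\bFROM\s+(\w+)", "DELETE": r"\bFROM\s+(\w+)",
               "INSERT": r"\bINTO\s+(\w+)", "UPDATE": r"\bUPDATE\s+(\w+)",
               "DROP": r"\bTABLE\s+(\w+)"}

@dataclass(frozen=True)
class AuditRule:
    audit_state: str            # name of the audit state the rule activates
    activation_identifier: str  # assumption: a regex searched for in each statement

RULES = [  # hypothetical rules an audit user might configure
    AuditRule("schema_change", r"\bDROP\s+TABLE\b"),
    AuditRule("bulk_delete", r"^\s*DELETE\s+FROM\s+\w+\s*;?\s*$"),  # DELETE without WHERE
    AuditRule("privilege_change", r"\bGRANT\b"),
]

def parse_log(lines):
    """Return (records, skipped): parsed entries and the count of unparseable lines."""
    records, skipped = [], 0
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m:
            records.append(m.groupdict())
        else:
            skipped += 1
    return records, skipped

def operation_feature(stmt):
    """Reduce a statement to an (operation, table) pair; '?' where unknown."""
    parts = stmt.split(None, 1)
    if not parts:
        return ("?", "?")
    op = parts[0].upper()
    pattern = TABLE_AFTER.get(op)
    m = re.search(pattern, stmt, re.IGNORECASE) if pattern else None
    return (op, m.group(1).lower() if m else "?")

def first_audit(records, rules):
    """Step (3): content is at risk if any statement carries an activation identifier."""
    compiled = [(r.audit_state, re.compile(r.activation_identifier, re.IGNORECASE))
                for r in rules]
    hits = [(rec["ts"], rec["user"], state) for rec in records
            for state, pat in compiled if pat.search(rec["stmt"])]
    return {"risk": bool(hits), "hits": hits}

def screen_users(records, known_accounts):
    """Step (4): split the users seen in the log into targets and screened-out accounts."""
    seen = {rec["user"] for rec in records}
    return seen & set(known_accounts), seen - set(known_accounts)

def build_reference(history_records):
    """Per-user baseline of (operation, table) pairs observed in historical logs."""
    reference = {}
    for rec in history_records:
        reference.setdefault(rec["user"], set()).add(operation_feature(rec["stmt"]))
    return reference

def second_audit(records, targets, reference):
    """Step (5): a target user is at risk if an operation falls outside their baseline."""
    deviations = []
    for rec in records:
        if rec["user"] in targets:
            feature = operation_feature(rec["stmt"])
            if feature not in reference.get(rec["user"], set()):
                deviations.append((rec["ts"], rec["user"], feature))
    return {"risk": bool(deviations), "deviations": deviations}

def audit(log_lines, rules, known_accounts, reference):
    """Step (6): combine both results; here the database is at risk if either one is."""
    records, skipped = parse_log(log_lines)
    first = first_audit(records, rules)
    targets, screened_out = screen_users(records, known_accounts)
    second = second_audit(records, targets, reference)
    return {"risk": first["risk"] or second["risk"], "content": first, "users": second,
            "screened_out": sorted(screened_out), "skipped_lines": skipped}

# Constructed sample data: one batch stands for one period of the periodic matching.
HISTORY_LOG = [
    "2023-01-10T09:00:00 user=alice stmt=SELECT * FROM orders WHERE id=1",
    "2023-01-10T09:05:00 user=alice stmt=UPDATE orders SET status='paid' WHERE id=1",
    "2023-01-11T14:00:00 user=bob stmt=SELECT name FROM customers WHERE id=3",
]
CURRENT_LOG = [
    "2023-02-06T10:00:01 user=alice stmt=SELECT * FROM orders WHERE id=7",
    "2023-02-06T10:02:13 user=bob stmt=SELECT * FROM salaries",
    "2023-02-06T10:03:40 user=alice stmt=DELETE FROM orders",
    "2023-02-06T10:04:02 user=tmp_svc stmt=SELECT name FROM customers WHERE id=3",
    "malformed line without fields",
]
KNOWN_ACCOUNTS = {"alice", "bob"}
REFERENCE = build_reference(parse_log(HISTORY_LOG)[0])

if __name__ == "__main__":
    for key, value in audit(CURRENT_LOG, RULES, KNOWN_ACCOUNTS, REFERENCE).items():
        print(f"{key}: {value}")
```

In the sample batch, bob's read of `salaries` matches no rule and is caught only by the per-user baseline, which is the gap between log-rule matching and user-behavior auditing that the method addresses. The account `tmp_svc` is screened out in step (4) and so is never compared against a baseline, which is why the sketch reports screened-out accounts separately.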

Claims (9)

1. A database security audit method, characterized in that the method comprises the following steps:
S1, receiving a database audit request, and extracting information on the database to be audited from the database audit request;
S2, acquiring a database log of the database to be audited according to the information on the database to be audited, and receiving a database audit rule configured by an audit user;
S3, matching the database log against the database audit rule, and obtaining a first database audit result based on the matching result;
S4, extracting information on a plurality of operating users from the database log, and screening the operating user information to obtain target user information;
S5, judging the rationality of the target user's operation characteristics, and obtaining a second database audit result based on the judgment result;
S6, combining the first database audit result and the second database audit result, and analyzing them to obtain a database security audit result.
2. The database security audit method of claim 1, wherein in S2, acquiring the database log of the database to be audited according to the information on the database to be audited comprises:
calling a preset monitoring program, monitoring the database to be audited with the preset monitoring program according to the information on the database to be audited, and generating the database log of the database to be audited from the monitoring information.
3. The database security audit method of claim 1, wherein in S2, acquiring the database log of the database to be audited according to the information on the database to be audited comprises:
determining the database to be audited according to the information on the database to be audited, receiving the database logs of the database to be audited sent by each distributed log data acquisition agent, placing the received database logs in a designated queue, and acquiring the database log of the database to be audited from the designated queue.
4. The database security audit method of claim 1, wherein in S3, matching the database log against the database audit rule and obtaining a first database audit result based on the matching result comprises:
periodically matching the statements in the database log against the database audit rule, and obtaining the first database audit result based on the matching result;
wherein the database audit rule comprises audit states and corresponding audit state activation identifiers.
5. The database security audit method of claim 4, wherein periodically matching the statements in the database log against the database audit rule and obtaining the first database audit result based on the matching result comprises:
determining the audit state activation identifier in the database audit rule, and periodically matching the statements in the database log against the audit state activation identifier;
if a statement in the database log contains the audit state activation identifier, outputting a first database audit result indicating that the content of the database to be audited is at risk; otherwise, outputting a first database audit result indicating that the content of the database to be audited is not at risk.
6. The database security audit method of claim 1, wherein in S4, extracting information on a plurality of operating users from the database log and screening the operating user information to obtain target user information comprises:
extracting information on a plurality of operating users from the database log, and determining the legitimacy characteristics corresponding to each operating user based on the operating user information;
screening the operating user information according to the legitimacy characteristics to obtain the target user information.
7. The database security audit method of claim 6, wherein in S5, judging the rationality of the target user's operation characteristics and obtaining a second database audit result based on the judgment result comprises:
acquiring corresponding operation behavior reference information according to the target user information, judging the rationality of the target user's operation characteristics using the operation behavior reference information, and obtaining the second database audit result based on the judgment result.
8. The database security audit method of claim 7, wherein acquiring the corresponding operation behavior reference information according to the target user information comprises:
acquiring historical user information, which contains operating user information, and the corresponding historical operation information, generating vector information from the historical user information and the historical operation information, and acquiring weight information and bias matrix information for the historical user information and the historical operation information;
generating operation behavior reference information from the vector information, the weight information and the bias matrix information of the historical user information and the historical operation information, and storing the operation behavior reference information in an operation behavior database;
acquiring the corresponding operation behavior reference information from the operation behavior database according to the target user information.
9. The database security audit method of claim 8, wherein judging the rationality of the target user's operation characteristics using the operation behavior reference information and obtaining the second database audit result based on the judgment result comprises:
acquiring the corresponding reasonable operation behaviors from the operation behavior reference information according to the target user information, and judging the rationality of the target user's operation characteristics against the reasonable operation behaviors;
if any operation characteristic of the target user does not conform to the reasonable operation behaviors, outputting a second database audit result indicating that a user of the database to be audited is at risk; otherwise, outputting a second database audit result indicating that the users of the database to be audited are not at risk.
CN202310068565.2A 2023-02-06 2023-02-06 Database security audit method Withdrawn CN116089390A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310068565.2A CN116089390A (en) 2023-02-06 2023-02-06 Database security audit method


Publications (1)

Publication Number Publication Date
CN116089390A (en) 2023-05-09

Family

ID=86206047


Country Status (1)

Country Link
CN (1) CN116089390A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20230509