CN116136901A - Application program anti-counterfeiting method and device, computer equipment and storage medium - Google Patents


Publication number
CN116136901A
Authority
CN
China
Prior art keywords
application program
identity
fingerprint information
sql
matching
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202310420177.6A
Other languages
Chinese (zh)
Other versions
CN116136901B (en)
Inventor
周杰
柳遵梁
闻建霞
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou Meichuang Technology Co ltd
Original Assignee
Hangzhou Meichuang Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hangzhou Meichuang Technology Co ltd filed Critical Hangzhou Meichuang Technology Co ltd
Priority to CN202310420177.6A priority Critical patent/CN116136901B/en
Publication of CN116136901A publication Critical patent/CN116136901A/en
Application granted granted Critical
Publication of CN116136901B publication Critical patent/CN116136901B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/32 User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/24 Querying
    • G06F16/242 Query formulation
    • G06F16/2433 Query languages
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/28 Databases characterised by their database models, e.g. relational or object models
    • G06F16/284 Relational databases
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44 Program or device authentication
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Abstract

The embodiments of the invention disclose an application program anti-counterfeiting method and device, computer equipment and a storage medium. The method comprises: when the application program is initialized, learning the fingerprint of the application program to obtain fingerprint information; associating the fingerprint information with the identity of the application program to obtain identity information with the fingerprint information; when a terminal uses the application program to log in to the database, performing identity matching and fingerprint information identification of the application program to obtain an identification result; judging whether the identification result is a successful match; if so, when SQL is executed, acquiring the SQL information cumulatively executed since logging in to the database and matching it against the fingerprint information associated with the identity of the application program; judging whether the matching is successful; if so, releasing the application program; if not, blocking the application program. The method of the embodiments addresses the difficulty of identifying counterfeit application programs and reduces the security risk of authorizing access based on the application program name.

Description

Application program anti-counterfeiting method and device, computer equipment and storage medium
Technical Field
The present invention relates to database security, and more particularly, to an application program anti-impersonation method, apparatus, computer device, and storage medium.
Background
In database security gateway products, in order to separate and control operation and maintenance personnel and business personnel at the source, multidimensional security authentication such as terminal authentication of the business system is adopted, and common operation and maintenance tools such as SQLPLUS and TOAD are identified and authenticated, so that the operation and maintenance source is trusted and controllable. At the same time, operation and maintenance tools are prevented from impersonating business application programs.
Among the identity factors, the client application name is an important one; it is commonly used to distinguish different systems and to assign different access rights. Relying on the application name as an identity factor exposes some scenarios to application impersonation. In the first scenario, the application HIS runs on a service terminal while an operation and maintenance tool that counterfeits the application name HIS runs on an operation and maintenance terminal, and both access the database through the database security gateway. The security gateway grants database access based on the application name HIS, so the counterfeit HIS on the operation and maintenance terminal obtains access rights that the operation and maintenance terminal should not have, which endangers database security. In the second scenario, the application HIS and an operation and maintenance tool counterfeiting the application name HIS both run on the service terminal and access the database through the database security gateway, which again grants access based on the application name HIS. The counterfeit HIS then obtains access rights it should not have, which endangers database security. In the first scenario the two terminals can be distinguished by IP or MAC address. In the second scenario, because the counterfeit HIS and the real HIS are on the same terminal, the counterfeit application name cannot be identified from conventional identity factors such as IP, MAC or OS name; networks that use NAT have the same weakness.
Therefore, a new method is needed to solve the difficulty of identifying counterfeit application programs and to reduce the security risk of authorizing access based on the application name.
Disclosure of Invention
The invention aims to overcome the defects of the prior art and provide an application program anti-counterfeiting method, an application program anti-counterfeiting device, computer equipment and a storage medium.
In order to achieve the above purpose, the present invention adopts the following technical scheme: an application anti-counterfeiting method, comprising:
when an application program is initialized, learning fingerprints of the application program to obtain fingerprint information;
associating the fingerprint information with the identity of the application program to obtain identity information with the fingerprint information;
when a terminal logs in to a database using an application program, performing identity matching and fingerprint information identification of the application program according to the name of the application program to obtain an identification result;
judging whether the identification result is a successful match;
if the identification result is a successful match, then, when SQL is executed, acquiring the SQL information cumulatively executed since logging in to the database and matching it against the fingerprint information associated with the identity of the application program to obtain a matching result;
judging whether the matching result is a successful match;
if the matching result is a successful match, releasing the application program;
and if the matching result is not a successful match, blocking the application program.
A further technical scheme is as follows: learning the fingerprint of the application program when the application program is initialized to obtain fingerprint information comprises:
when an application program is initialized, selecting all sessions of the same database from the database gateway audit information;
screening out the sessions related to the application program from all the sessions to obtain a target session;
screening out SQL statements with the same features from the plurality of identical SQL statements in the target session to obtain a screening result;
and storing the SQL features in the screening result according to the application program name and the type of the database to obtain fingerprint information.
The further technical scheme is as follows: the fingerprint information comprises SQL template features and SQL execution sequences.
The further technical scheme is as follows: the identity of the application includes at least one of an IP address, a database account, and an application name.
A further technical scheme is as follows: performing identity matching and fingerprint information identification of the application program according to the name of the application program when the terminal logs in to the database using the application program, so as to obtain an identification result, comprises:
when a terminal logs in to a database using an application program, parsing the name of the application program to obtain a name to be matched;
searching for the identity of the application program corresponding to the name to be matched to obtain a search result;
judging whether the search result is a successful search;
if the search result is a successful search, determining whether the identity of the corresponding application program has associated fingerprint information to obtain an information determination result;
judging whether the information determination result is that the identity of the corresponding application program has associated fingerprint information;
and if the information determination result is that the identity of the corresponding application program has associated fingerprint information, determining that the identification result is a successful match.
A further technical scheme is as follows: acquiring, when SQL is executed, the SQL information cumulatively executed since logging in to the database and matching it against the fingerprint information associated with the identity of the application program to obtain a matching result comprises:
acquiring the cumulative SQL execution count when the application program executes SQL;
judging whether the cumulative SQL execution count is smaller than a set count threshold;
if the cumulative SQL execution count is smaller than the set count threshold, initializing a numerical value and a hit number;
taking out the SQL statement corresponding to the numerical value;
judging whether the numerical value is smaller than the set count threshold;
if the numerical value is smaller than the set count threshold, judging whether the SQL statement corresponding to the numerical value is equal to the corresponding SQL statement in the fingerprint information associated with the identity of the application program;
if the SQL statement corresponding to the numerical value is equal to the corresponding SQL statement in the fingerprint information associated with the identity of the application program, adding one to the hit number to update the hit number;
adding one to the numerical value to update the numerical value, and returning to the step of judging whether the numerical value is smaller than the set count threshold;
if the numerical value is not smaller than the set count threshold, calculating the hit rate from the hit number;
judging whether the hit rate meets the requirement of the fingerprint information associated with the identity of the application program;
and if the hit rate meets the requirement of the fingerprint information associated with the identity of the application program, determining that the matching result is a successful match.
A further technical scheme is as follows: after judging whether the SQL statement corresponding to the numerical value is equal to the corresponding SQL statement in the fingerprint information associated with the identity of the application program, the method further comprises:
if the SQL statement corresponding to the numerical value is not equal to the corresponding SQL statement in the fingerprint information associated with the identity of the application program, judging whether the fingerprint information associated with the identity of the application program requires matching in a specific order;
if the fingerprint information associated with the identity of the application program does not require matching in a specific order, executing the step of adding one to the hit number to update the hit number;
if the fingerprint information associated with the identity of the application program requires matching in a specific order, executing the step of adding one to the numerical value to update the numerical value.
The invention also provides an application program anti-counterfeiting device, which comprises:
the learning unit is used for learning the fingerprint of the application program when the application program is initialized so as to obtain fingerprint information;
the association unit is used for associating the fingerprint information with the identity of the application program to obtain identity information with the fingerprint information;
the identification unit is used for carrying out identity matching and fingerprint information identification of the application program according to the name of the application program when the terminal logs in the database by using the application program so as to obtain an identification result;
a first judging unit, configured to judge whether the identification result is successful in matching;
the matching unit is used for, if the identification result is a successful match, acquiring, when SQL is executed, the SQL information cumulatively executed since logging in to the database and matching it against the fingerprint information associated with the identity of the application program, so as to obtain a matching result;
The second judging unit is used for judging whether the matching result is successful;
the release unit is used for releasing the application program if the matching result is that the matching is successful;
and the blocking unit is used for blocking the application program if the matching result is not successful.
The invention also provides a computer device which comprises a memory and a processor, wherein the memory stores a computer program, and the processor realizes the method when executing the computer program.
The present invention also provides a storage medium storing a computer program which, when executed by a processor, implements the above method.
Compared with the prior art, the invention has the following beneficial effects. When the application program is initialized, the fingerprint of the application program is learned, and the learned fingerprint information is associated with the identity of the application program. When the application program is used to log in to the database, the identity of the application program and the corresponding fingerprint information are matched according to the name of the application program. If that matching succeeds, then, when SQL is executed, the SQL information cumulatively executed since logging in to the database is acquired and matched against the fingerprint information associated with the identity of the application program. Anti-counterfeiting identification is thus performed in both the login stage and the SQL execution stage, which solves the difficulty of identifying counterfeit application programs and reduces the security risk of authorizing access based on the application program name.
The invention is further described below with reference to the drawings and specific embodiments.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required for the description of the embodiments will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is an application scenario schematic diagram of an anti-counterfeiting method for an application program according to an embodiment of the present invention;
FIG. 2 is a flowchart illustrating an anti-counterfeiting method for an application according to an embodiment of the present invention;
FIG. 3 is a schematic sub-flowchart of an anti-counterfeiting method for an application according to an embodiment of the present invention;
FIG. 4 is a schematic sub-flowchart of an anti-counterfeiting method for an application according to an embodiment of the present invention;
FIG. 5 is a schematic sub-flowchart of an anti-counterfeiting method for an application according to an embodiment of the present invention;
FIG. 6 is a schematic block diagram of an anti-counterfeiting device for an application provided by an embodiment of the present invention;
FIG. 7 is a schematic block diagram of a learning unit of an application anti-counterfeiting device provided by an embodiment of the present invention;
FIG. 8 is a schematic block diagram of an identification unit of an application anti-counterfeiting device provided by an embodiment of the present invention;
FIG. 9 is a schematic block diagram of a matching unit of an application anti-counterfeiting device provided by an embodiment of the present invention;
FIG. 10 is a schematic block diagram of a computer device according to an embodiment of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are some, but not all embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
It should be understood that the terms "comprises" and "comprising," when used in this specification and the appended claims, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
It is also to be understood that the terminology used in the description of the invention herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used in this specification and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
It should be further understood that the term "and/or" as used in the present specification and the appended claims refers to any and all possible combinations of one or more of the associated listed items, and includes such combinations.
Referring to fig. 1 and fig. 2, fig. 1 is a schematic view of an application scenario of the application program anti-counterfeiting method according to an embodiment of the present invention, and fig. 2 is a schematic flow chart of the method. The application program anti-counterfeiting method is applied to a server. The server exchanges data with the terminal, and the terminal uses an application program to access a database on the server. Fingerprint learning is performed first, and the fingerprint information of the application program is associated with the identity of the application program. When the application program subsequently logs in to the database, the fingerprint information is checked in both the login stage and the SQL execution stage, so that a counterfeit application program can be accurately identified. The method can be applied to database gateway products and to other scenarios that need application anti-counterfeiting; it solves the difficulty of identifying counterfeit application programs and reduces the security risk of authorizing access based on the application program name. Fingerprint learning associates and extracts the most stable features of the application program according to the connection information, namely the application program name and the type and version number of the database. Associating fingerprint information with an identity gives the application program its corresponding fingerprint information. Fingerprint identification matches the fingerprint information corresponding to the application name within a limited number of SQL statements.
Fig. 2 is a flowchart of an application anti-counterfeiting method according to an embodiment of the present invention. As shown in fig. 2, the method includes the following steps S110 to S180.
S110, when the application program is initialized, learning the fingerprint of the application program to obtain fingerprint information.
In this embodiment, the fingerprint information includes SQL template features and the SQL execution order.
During initialization, each application program issues its own characteristic SQL, with its own SQL template features and SQL execution order. This SQL does not change after the application is published, so the statements and their execution order can be used as features to identify the application. This SQL is the dynamic fingerprint of the application and is used to identify whether the application is counterfeit.
Fingerprint learning collects statistics on the SQL with fixed features, including normalized SQL statements and their execution order, that is executed after a user logs in to a database using an application.
In one embodiment, referring to fig. 3, the step S110 may include steps S111 to S114.
S111, when an application program is initialized, selecting all sessions of the same database from the database gateway audit information.
S112, screening out the sessions related to the application program from all the sessions to obtain a target session.
In this embodiment, the target session refers to a session of the same database related to the application.
S113, screening out SQL statements with the same features from the plurality of identical SQL statements in the target session to obtain a screening result.
In this embodiment, the screening result refers to the SQL statements with the same features screened out from the plurality of identical SQL statements in the target session.
S114, storing the SQL features in the screening result according to the application program name and the type of the database to obtain fingerprint information.
For example: after a certain HIS system logs in to an Oracle 11g database, statistics over the connection information show that the first 5 SQL statements are fixed, and the SQL execution order and SQL features are extracted from this fixed SQL, as shown in Table 1.
TABLE 1 Fingerprint information

| Sequence number | SQL statement | SQL hash value |
|---|---|---|
| 1 | DECLARE ERR_CODE VARCHAR2 ( 1 ); ERR_MSG VARCHAR2 ( 2 ); BEGIN 3 END | 10667541762679298272 |
| 2 | SELECT USERENV('SID') FROM DUAL | 5733514747035643210 |
| 3 | SELECT INSTANCE_NUMBER FROM V$INSTANCE | 5397358425655405395 |
| 4 | SELECT INVOKE_MODE FROM SYS_WCF_SERVICE_CONTRACT WHERE CONTRACT = 1 | 15584295184867701671 |
| 5 | SELECT ADDRESS, CODE, NAME, SHORT_NAME, ORGAN_CODE, PARENT_CODE, ORGAN_LEVEL, ORGAN_LAYER, INPUTCODE1, INPUTCODE2, STATE, MODIFY_EMPID, MODIFY_TIME, DB_USER, DB_PASSWORD, ORG_CODE_GB FROM PUB_BRANCH WHERE CODE = 1 | 12864234109658982101 |

As another example: the SQLPLUS client logs in to an Oracle 11g database, and the first 6 SQL statements are extracted as fingerprint features. The SQL execution order and SQL features, extracted by the same method, are shown in Table 2.

TABLE 2 Fingerprint information

| Sequence number | SQL statement | SQL hash value |
|---|---|---|
| 1 | SELECT USER FROM DUAL | 5471140483308777441 |
| 2 | BEGIN DBMS_OUTPUT.DISABLE; END | 9016909181530787652 |
| 3 | SELECT ATTRIBUTE, SCOPE, NUMERIC_VALUE, CHAR_VALUE, DATE_VALUE FROM SYSTEM.PRODUCT_PRIVS WHERE ( UPPER ( 1 ) LIKE UPPER ( 2 ) ) AND ( USER LIKE USERID ) | 11173064151533440634 |
| 4 | SELECT CHAR_VALUE FROM SYSTEM.PRODUCT_PRIVS WHERE ( UPPER ( 1 ) LIKE UPPER ( 2 ) ) AND ( ( USER LIKE USERID ) OR ( USERID = '3' ) ) AND ( UPPER ( 4 ) = '5' ) | 6546174650309123120 |
| 5 | BEGIN DBMS_APPLICATION_INFO.SET_MODULE(:1,NULL); END | 15758632039875250654 |
| 6 | SELECT DECODE ( 1 ) FROM DUAL | 6307667949546028297 |

Based on Tables 1 and 2, the fingerprint information of the application program HIS and the application program SQLPLUS is defined as follows; the code is implemented in Lua.

    -- Fingerprint store: fingerprint name -> database type -> fingerprint
    bdg_all_fingerprints = bdg_all_fingerprints or {}

    bdg_all_fingerprints["HIS_DFP"] = {
        ["Oracle_11g"] = {
            -- matching mode (type) and required SQL hit rate (rate)
            match_type = {type = 2, rate = 100},
            -- number of SQL statements in the fingerprint
            count = 5,
            -- SQL hash value -> sequence number (Table 1)
            content = {
                ["10667541762679298272"] = {index = 1},
                ["5733514747035643210"] = {index = 2},
                ["5397358425655405395"] = {index = 3},
                ["15584295184867701671"] = {index = 4},
                ["12864234109658982101"] = {index = 5}
            }
        },
    }

    bdg_all_fingerprints["SQLPLUS_DFP"] = {
        ["Oracle_11g"] = {
            match_type = {type = 2, rate = 100},
            count = 6,
            -- SQL hash value -> sequence number (Table 2)
            content = {
                ["5471140483308777441"] = {index = 1},
                ["9016909181530787652"] = {index = 2},
                ["11173064151533440634"] = {index = 3},
                ["6546174650309123120"] = {index = 4},
                ["15758632039875250654"] = {index = 5},
                ["6307667949546028297"] = {index = 6},
            }
        },
    }

Here bdg_all_fingerprints["HIS_DFP"] represents the SQL set of the fingerprint named HIS_DFP, and bdg_all_fingerprints["SQLPLUS_DFP"] represents the SQL set of the fingerprint named SQLPLUS_DFP. Oracle_11g indicates that the Oracle database version is 11g. match_type is the fingerprint matching mode: type specifies whether SQL is matched sequentially or without regard to order, and rate specifies the SQL hit rate that the fingerprint requires. count is the number of SQL statements contained in the fingerprint. content is the set of SQL hashes, defining each SQL hash value and its sequence number.
S120, associating the fingerprint information with the identity of the application program to obtain the identity information with the fingerprint information.
In this embodiment, the identity information with fingerprint information refers to the identity of the application program with fingerprint information.
Specifically, the identity of the application program includes at least one of an IP address, a database account, and an application program name.
In database gateway products, the principal attributes of accessing the database, including IP address, database account, application name, etc., may be referred to as the identity of the application. Fingerprint identity refers to the identity of an application with some SQL feature.
Associating fingerprint information means attaching a fingerprint obtained by fingerprint learning to the identity of the application. For example, the fingerprints "HIS_DFP" and "SQLPLUS_DFP" learned in step S110 are associated with the identities whose application program names are HIS and SQLPLUS respectively, giving two identities with fingerprints: the HIS fingerprint identity and the SQLPLUS fingerprint identity. The HIS fingerprint identity means the application name equals HIS and the fingerprint name is "HIS_DFP"; the SQLPLUS fingerprint identity means the application name equals SQLPLUS and the fingerprint name is "SQLPLUS_DFP". The identity information is implemented as follows:

    -- Identity store: identity name -> match condition and associated fingerprints
    bdg_all_identities = bdg_all_identities or {}

    bdg_all_identities["HIS"] = {
        name = "HIS",
        -- condition evaluated against the parsed application name
        cond = "return equal(var_app_name,'HIS')",
        -- names of the fingerprints associated with this identity
        dfp = {"HIS_DFP"}
    }

    bdg_all_identities["SQLPLUS"] = {
        name = "SQLPLUS",
        cond = "return equal(var_app_name,'SQLPLUS')",
        dfp = {"SQLPLUS_DFP"}
    }

And S130, when the terminal logs in the database by using the application program, carrying out identity matching and fingerprint information identification of the application program according to the name of the application program so as to obtain an identification result.
In this embodiment, the identification result refers to a result formed by performing identity matching according to the name of an application program and then performing identification according to fingerprint information associated with the matched identity when the terminal logs in the database by using the application program.
In one embodiment, referring to fig. 4, the step S130 may include steps S131 to S137.
S131, when the terminal logs in the database by using the application program, resolving the name of the application program to obtain the name to be matched.
In this embodiment, the name to be matched refers to a name of an application program used by the terminal according to the protocol.
S132, searching the identity of the application program corresponding to the name to be matched, so as to obtain a searching result.
In this embodiment, the search result refers to searching the content with the same name from the identity information stored with the fingerprint information in the server according to the name to be matched.
S133, judging whether the searching result is successful.
In this embodiment, when an entry with the same name is found, the search result is a successful search; when no entry with the same name as the name to be matched is found, that is, no identity information with fingerprint information has that name, the search result is not successful.
S134, if the search result is a successful search, determining whether the identity of the corresponding application program has associated fingerprint information, so as to obtain an information determination result.
In this embodiment, the information determination result refers to fingerprint information associated with the identity of the application in the search result.
S135, judging whether the information determination result is fingerprint information associated with the identity of the corresponding application program;
S136, if the information determination result is that the identity of the corresponding application program has associated fingerprint information, determining that the identification result is a successful match.
S137, if the information determination result is not fingerprint information associated with the identity of the corresponding application program, determining that the identification result is a failed match.
If the search result is not a successful search, step S137 is executed.
When no identity information with fingerprint information can be found for the name to be matched, or the information determination result is not fingerprint information associated with the identity of the corresponding application program, the access can be evaluated according to rules set for the actual situation to decide whether the application program is released or blocked from accessing the database. Rules include, but are not limited to: whether the SQL statement is a high-risk operation such as dropping a database, dropping a table, or updating a full table; whether a large amount of data is returned at once; and so on.
The fingerprint SQL is generally the first N SQL statements executed. To improve efficiency, fingerprint matching is carried out only within the first N SQL statements, where N is generally 1-10.
In the login phase, a known identity is matched in the identity configuration according to the application name. In this embodiment, the identities of two applications are configured under the names HIS and SQLPLUS. The login data of the fake HIS carries the application name HIS; the identity is looked up in the identity configuration by this application name and finally the HIS identity is matched. That identity has a fingerprint attribute, with the fingerprint name HIS_DFP, and login is released for an application program that hits an identity with a fingerprint.
S140, judging whether the identification result is a successful match;
S150, if the identification result is a successful match, then when SQL is executed, acquiring the SQL information cumulatively executed since logging in to the database and matching it against the fingerprint information associated with the identity of the application program, so as to obtain a matching result;
In this embodiment, the matching result is the outcome of matching, when SQL is executed, the SQL information cumulatively executed since logging in to the database against the fingerprint information associated with the identity of the application program.
In one embodiment, referring to fig. 5, the step S150 may include steps S150A to S150M.
In this embodiment, after the terminal logs in to the database using the application program, the number of SQL statements executed is i; that is, the currently executed SQL statement is the i-th, and i is the accumulated SQL execution count.
S150A, starting matching, and initializing the accumulated execution times and hit times to be 0.
S150B, judging whether the SQL accumulated execution times are smaller than a set times threshold.
In this embodiment, the set number of times threshold is N, the number of first-executed SQL statements that make up the fingerprint SQL; N is typically 1-10.
S150C, taking out the SQL statement corresponding to the numerical value.
S150D, judging whether the fingerprint comparison requires sequential comparison or not.
S150E, if sequential comparison is required, comparing the executed SQL statements with the statements in the fingerprint information in order.
S150F, otherwise, comparing while ignoring sequence positions.
S150G, judging whether the executed statement is consistent with the statement in the fingerprint information.
S150H, if the SQL statement corresponding to the numerical value is equal to the corresponding SQL statement in the fingerprint information associated with the identity of the application program, adding one to the hit number to update the hit number;
S150I, adding one to the numerical value to update the numerical value, and executing the judgment on whether the numerical value is smaller than the set number of times threshold;
S150J, calculating the hit rate according to the hit number, i.e. the quotient of the number of hits and the number of fingerprint statements in the fingerprint information.
S150K, judging whether the hit rate meets the requirement of the fingerprint information associated with the identity of the application program;
The fingerprint information associated with the identity has an attribute: the hit probability percentage. If the hit rate is greater than or equal to the hit probability percentage, the matching is successful; if the hit rate is smaller than the hit probability percentage, the matching fails.
S150L, if the hit rate meets the requirement of the fingerprint information associated with the identity of the application program, determining that the matching result is a successful match, and the matching process ends. If the hit rate does not meet the requirement of the fingerprint information, S150C is repeated.
S150M, if the execution count compared in S150B exceeds the preset number of times threshold, the matching ends and the matching result is a failed match, that is, the fingerprint information was not hit.
In this embodiment, when the accumulated SQL execution count is greater than the set number of times threshold, that is, the fingerprint information is not hit, the access may be evaluated according to rules set for the actual situation to decide whether the application program is released or blocked from accessing the database. Rules include, but are not limited to: whether the SQL statement is a high-risk operation such as dropping a database, dropping a table, or updating a full table; whether a large amount of data is returned at once; and so on.
When the hit rate does not meet the requirement of the fingerprint information associated with the identity of the application program, the access can be evaluated according to other attributes of the identity (person, device, application, account) set for the actual situation, so as to decide whether the application program is released or blocked from accessing the database.
For example: the HIS application impersonated by SQLPLUS matches the "HIS identity" by the application name HIS during the login phase, since the HIS identity carries dynamic fingerprint information. However, once it is determined that the identity carries fingerprint information, the fingerprint information must be matched further. After the fake HIS application, i.e. the SQLPLUS tool, logs in successfully, it can be seen from Table 2 above that the first 5 SQL statements of the SQLPLUS tool do not satisfy the fingerprint features of the "HIS identity" shown in Table 1 above. The HIS application is therefore judged to be counterfeit after executing 5 SQL statements.
S160, judging whether the matching result is successful;
S170, if the matching result is a successful match, releasing the application program;
S180, if the matching result is not a successful match, blocking the application program.
If the identification result is not a successful match, the blocking of the application program is likewise executed.
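The login-stage lookup (S131 to S137) and the SQL-stage fingerprint matching (S150A to S180) described above, as an added Python example that is not code from the patent. The template normaliser, the verdict names, the rule that each fingerprint template counts once in unordered mode, and all sample SQL are assumptions constructed for illustration; what happens to statements while the verdict is still pending is left to the caller.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PENDING, MATCH, BLOCK, LOGIN_FAILED = "pending", "match", "block", "login-failed"

def sql_template(sql: str) -> str:
    """Reduce a statement to a template: literals become '?', case and spacing are normalised."""
    s = re.sub(r"'(?:[^']|'')*'", "?", sql)       # string literals
    s = re.sub(r"\b\d+(?:\.\d+)?\b", "?", s)      # numeric literals
    return re.sub(r"\s+", " ", s).strip().rstrip(";").strip().lower()

@dataclass(frozen=True)
class Fingerprint:
    name: str
    templates: Tuple[str, ...]   # learned SQL templates in learned execution order
    ordered: bool                # S150D: compare by position, or ignore position
    min_hit_pct: float           # the "hit probability percentage" attribute
    window: int = 5              # N: only the first N statements are examined

    def __post_init__(self):
        if not self.templates or not 1 <= self.window <= 10:
            raise ValueError("fingerprint needs templates and a window of 1-10")

@dataclass(frozen=True)
class Identity:
    name: str
    dfp: Optional[Fingerprint] = None

def login_check(app_name: str, identities: Dict[str, Identity]) -> Optional[Identity]:
    """S131-S137: find the identity by claimed name and require an associated fingerprint."""
    identity = identities.get(app_name)
    return identity if identity is not None and identity.dfp is not None else None

class SessionMatcher:
    """S150A-S150M for one database session; feed it each statement as it is executed."""
    def __init__(self, fp: Fingerprint):
        self.fp = fp
        self.count = 0          # accumulated execution count i
        self.hits = 0
        self._matched = set()   # unordered mode: each fingerprint template counts once
        self.verdict = PENDING

    def observe(self, sql: str) -> str:
        if self.verdict != PENDING:          # decision already made for this session
            return self.verdict
        tpl = sql_template(sql)
        if self.fp.ordered:
            hit = self.count < len(self.fp.templates) and self.fp.templates[self.count] == tpl
        else:
            hit = tpl in self.fp.templates and tpl not in self._matched
        if hit:
            self.hits += 1
            self._matched.add(tpl)
        self.count += 1
        hit_pct = 100.0 * self.hits / len(self.fp.templates)   # S150J
        if hit_pct >= self.fp.min_hit_pct:                     # S150K / S150L
            self.verdict = MATCH
        elif self.count >= self.fp.window:                     # S150M: window used up
            self.verdict = BLOCK
        return self.verdict

def run_session(app_name: str, statements: List[str], identities: Dict[str, Identity]) -> List[str]:
    """Return the verdict after each statement, or [LOGIN_FAILED] if the login stage fails."""
    identity = login_check(app_name, identities)
    if identity is None:
        return [LOGIN_FAILED]
    matcher = SessionMatcher(identity.dfp)
    return [matcher.observe(sql) for sql in statements]

# Constructed sample data (not the patent's Table 1 / Table 2).
HIS_DFP = Fingerprint(
    name="HIS_DFP", ordered=True, min_hit_pct=75.0, window=5,
    templates=(
        "alter session set nls_date_format = ?",
        "select sysdate from dual",
        "select user_id, role from his_user where login_name = ?",
        "select param_value from his_config where param_key = ?",
    ),
)
IDENTITIES = {"HIS": Identity("HIS", HIS_DFP), "REPORTS": Identity("REPORTS")}

GENUINE_HIS = [
    "ALTER SESSION SET NLS_DATE_FORMAT = 'YYYY-MM-DD HH24:MI:SS'",
    "SELECT SYSDATE FROM DUAL",
    "select user_id, role from his_user where login_name = 'nurse07'",
    "select param_value from his_config where param_key = 'ward'",
]
SPOOFED_HIS = [   # another client that only sets its application name to HIS
    "SELECT USER FROM DUAL",
    "BEGIN DBMS_OUTPUT.DISABLE; END;",
    "SELECT SYSDATE FROM DUAL",          # right statement, wrong position
    "select * from his_patient where rownum <= 100",
    "select count(*) from his_orders",
]

if __name__ == "__main__":
    print(run_session("HIS", GENUINE_HIS, IDENTITIES))
    print(run_session("HIS", SPOOFED_HIS, IDENTITIES))
```

With the ordered fingerprint, the genuine session reaches the 75% threshold on its third statement, while the spoofed session uses up the window of 5 without a hit and is blocked.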
In other embodiments, rules may be added to evaluate the access and decide whether the application program is released or blocked. Rules include, but are not limited to: other attributes of the identity (person, device, application, account); the classification and grading results, sensitivity and importance of the assets; the danger of the SQL operation itself; and so on.
According to the application program anti-counterfeiting method, the fingerprints of the application program are learned when the application program is initialized, and the learned fingerprint information is associated with the identity of the application program. When the application program is used to log in to the database, the identity of the application program and the corresponding fingerprint information are matched according to the name of the application program. If that matching succeeds, then when SQL is executed, the SQL information cumulatively executed since logging in to the database is acquired and matched against the fingerprint information associated with the identity of the application program. Anti-counterfeiting identification is thus performed in both the login stage and the SQL execution stage, which solves the difficulty of identifying the application program and reduces the security risk of authorizing access based on the application program name.
Fig. 6 is a schematic block diagram of an application anti-counterfeiting device 300 according to an embodiment of the present invention. As shown in fig. 6, the present invention also provides an application anti-counterfeiting device 300 corresponding to the above application anti-counterfeiting method. The application anti-impersonation device 300, which may be configured in a server, includes means for performing the application anti-impersonation method described above. Specifically, referring to fig. 6, the application anti-counterfeiting device 300 includes a learning unit 301, an association unit 302, an identification unit 303, a first determination unit 304, a matching unit 305, a second determination unit 306, a release unit 307, and a blocking unit 308.
A learning unit 301, configured to learn a fingerprint of an application program when the application program is initialized, so as to obtain fingerprint information; an association unit 302, configured to associate the fingerprint information with an identity of the application program, so as to obtain identity information with fingerprint information; the identifying unit 303 is configured to perform identity matching and fingerprint information identification of an application according to a name of the application when the terminal logs in the database using the application, so as to obtain an identification result; a first judging unit 304, configured to judge whether the identification result is successful in matching; the matching unit 305 is configured to, if the identification result is that the matching is successful, obtain SQL information that is accumulated and executed after logging in the database when executing SQL, and match fingerprint information associated with the identity of the application program, so as to obtain a matching result; a second judging unit 306, configured to judge whether the matching result is successful; a release unit 307, configured to perform release processing on the application program if the matching result is that the matching is successful; and the blocking unit 308 is configured to perform blocking processing on the application program if the matching result is not successful.
In one embodiment, as shown in fig. 7, the learning unit 301 includes a session selection subunit 3011, a session screening subunit 3012, a sentence screening subunit 3013, and a feature preservation subunit 3014.
A session selection subunit 3011, configured to select, when the application program is initialized, all sessions of the same database in the database gateway audit information; a session screening subunit 3012, configured to screen out sessions related to the application program from all sessions to obtain a target session; a statement screening subunit 3013, configured to screen SQL statements with the same characteristics from the same plurality of SQL statements in the target session, so as to obtain a screening result; and the feature storage subunit 3014 is configured to store the SQL features in the filtering result according to the application program name and the database type, so as to obtain fingerprint information.
In one embodiment, as shown in fig. 8, the identifying unit 303 includes a parsing subunit 3031, an identity searching subunit 3032, a searching result judging subunit 3033, a fingerprint information determining subunit 3034, a determining result judging subunit 3035 and a first determining subunit 3036.
A parsing subunit 3031, configured to parse a name of an application to obtain a name to be matched when the terminal logs in the database using the application; an identity searching subunit 3032, configured to search the identity of the application program corresponding to the name to be matched, so as to obtain a searching result; a search result judging subunit 3033, configured to judge whether the search result is a search success; a fingerprint information determining subunit 3034, configured to determine whether the identity of the corresponding application program has associated fingerprint information if the search result is that the search is successful, so as to obtain an information determining result; a determination result judging subunit 3035, configured to judge whether the information determination result is fingerprint information associated with the identity of the corresponding application program; the first determining subunit 3036 is configured to determine that the identification result is successful if the information determination result is fingerprint information associated with the identity of the corresponding application program.
In one embodiment, as shown in fig. 9, the matching unit 305 includes a number acquisition subunit 3051, a number determination subunit 3052, an initialization subunit 3053, a fetching subunit 3054, a numerical determination subunit 3055, a sentence determination subunit 3056, a hit number update subunit 3057, a numerical update subunit 3058, a hit rate calculation subunit 3059, a hit rate determination subunit 30510, a second determination subunit 30511, and a sequence determination subunit 30512.
The times acquisition subunit 3051 is configured to acquire an SQL accumulated execution times when the application program executes the SQL; the number judgment subunit 3052 is configured to judge whether the SQL accumulated execution number is smaller than a set number threshold; an initializing subunit 3053, configured to initialize a numerical value and a hit number if the SQL accumulated execution number is less than a set number threshold; a fetching subunit 3054, configured to fetch an SQL statement corresponding to the numerical value; a value judging subunit 3055, configured to judge whether the value is smaller than the set number threshold; a statement judging subunit 3056, configured to judge whether the SQL statement corresponding to the numerical value is equal to the corresponding SQL statement in the fingerprint information associated with the identity of the application if the numerical value is less than the set frequency threshold; a hit number updating subunit 3057, configured to add one to the hit number if the SQL statement corresponding to the numerical value is equal to the corresponding SQL statement in the fingerprint information associated with the identity of the application program, so as to update the hit number; a value updating subunit 3058, configured to add one to the value to update the value, and perform the determining whether the value is smaller than the set number of times threshold; a hit rate calculating subunit 3059, configured to calculate the hit rate according to the hit number if the determined number is not less than the set number threshold; a hit rate judging subunit 30510, configured to judge whether the hit rate meets a requirement of fingerprint information associated with an identity of an application program; the second determining subunit 30511 is configured to determine that the matching result is successful if the hit rate meets the requirement of fingerprint information associated with the identity of the application program.
A sequence judging subunit 30512, configured to judge whether the fingerprint information associated with the identity of the application program requires matching according to a specific sequence if the SQL statement corresponding to the numerical value is not equal to the corresponding SQL statement in the fingerprint information associated with the identity of the application program; if the fingerprint information associated with the identity of the application program does not require matching in a specific order, executing the step of adding one to the hit number to update the hit number; if the fingerprint information associated with the identity of the application requires matching in a particular order, the incrementing of the value by one is performed to update the value.
It should be noted that, as will be clearly understood by those skilled in the art, the specific implementation process of the above-mentioned application anti-counterfeiting device 300 and each unit may refer to the corresponding description in the foregoing method embodiment, and for convenience and brevity of description, the description is omitted here.
The above-described application anti-impersonation apparatus 300 may be implemented in the form of a computer program that is executable on a computer device as shown in fig. 10.
Referring to fig. 10, fig. 10 is a schematic block diagram of a computer device according to an embodiment of the present application. The computer device 500 may be a server, where the server may be a stand-alone server or may be a server cluster formed by a plurality of servers.
With reference to FIG. 10, the computer device 500 includes a processor 502, memory, and a network interface 505 connected by a system bus 501, where the memory may include a non-volatile storage medium 503 and an internal memory 504.
The non-volatile storage medium 503 may store an operating system 5031 and a computer program 5032. The computer program 5032 includes program instructions that, when executed, cause the processor 502 to perform an application anti-impersonation method.
The processor 502 is used to provide computing and control capabilities to support the operation of the overall computer device 500.
The internal memory 504 provides an environment for the execution of a computer program 5032 in the non-volatile storage medium 503, which computer program 5032, when executed by the processor 502, causes the processor 502 to perform an application anti-impersonation method.
The network interface 505 is used for network communication with other devices. Those skilled in the art will appreciate that the architecture shown in fig. 10 is merely a block diagram of a portion of the architecture in connection with the present application and is not intended to limit the computer device 500 to which the present application is applied, and that a particular computer device 500 may include more or fewer components than shown, or may combine certain components, or have a different arrangement of components.
Wherein the processor 502 is configured to execute a computer program 5032 stored in a memory to implement the steps of:
when an application program is initialized, learning fingerprints of the application program to obtain fingerprint information; associating the fingerprint information with the identity of the application program to obtain identity information with the fingerprint information; when a terminal logs in a database by using an application program, carrying out identity matching and fingerprint information identification of the application program according to the name of the application program so as to obtain an identification result; judging whether the identification result is successful in matching; if the identification result is successful in matching, acquiring SQL information which is accumulated and executed after logging in a database when executing SQL, and matching fingerprint information associated with the identity of the application program to obtain a matching result; judging whether the matching result is successful; if the matching result is that the matching is successful, the application program is released; and if the matching result is not successful, blocking the application program.
The fingerprint information comprises SQL template features and SQL execution sequences.
The identity of the application includes at least one of an IP address, a database account, and an application name.
In one embodiment, when the processor 502 learns the fingerprint of the application program to obtain the fingerprint information when the application program is initialized, the following steps are specifically implemented:
when an application program is initialized, all sessions of the same database are selected from the database gateway audit information; screening out the sessions related to the application program from all the sessions to obtain a target session; screening SQL sentences with the same characteristics from a plurality of SQL sentences which are the same in the target session to obtain screening results; and storing SQL features in the screening result according to the application program name and the type of the database to obtain fingerprint information.
In an embodiment, when the processor 502 performs the step of obtaining the recognition result by performing identity matching and fingerprint information recognition of the application according to the name of the application when the terminal logs in the database using the application, the following steps are specifically implemented:
When a terminal logs in a database by using an application program, resolving the name of the application program to obtain a name to be matched; searching the identity of the application program corresponding to the name to be matched to obtain a searching result; judging whether the searching result is successful; if the searching result is that the searching is successful, determining whether the identity of the corresponding application program has associated fingerprint information or not so as to obtain an information determining result; judging whether the information determination result is fingerprint information related to the identity of the corresponding application program; and if the information determination result is that the identity of the corresponding application program has the associated fingerprint information, determining that the identification result is successful in matching.
In an embodiment, when the processor 502 obtains the SQL information that is accumulated and executed after logging in the database and the fingerprint information associated with the identity of the application program to match when implementing the step of executing the SQL to obtain a matching result, the following steps are specifically implemented:
acquiring SQL accumulated execution times when the application program executes SQL; judging whether the SQL accumulated execution times is smaller than a set times threshold value or not; initializing a numerical value and hit number if the SQL accumulated execution times are smaller than a set times threshold; taking out the SQL sentence corresponding to the numerical value; judging whether the numerical value is smaller than the set frequency threshold value or not; if the numerical value is smaller than the set frequency threshold, judging whether SQL sentences corresponding to the numerical value are equal to corresponding SQL sentences in fingerprint information associated with the identity of the application program; if the SQL statement corresponding to the numerical value is equal to the corresponding SQL statement in the fingerprint information related to the identity of the application program, adding one to the hit number to update the hit number; adding one to the numerical value to update the numerical value, and executing the judgment on whether the numerical value is smaller than the set frequency threshold; if the numerical value is not smaller than the set frequency threshold, calculating the hit rate according to the hit number; judging whether the hit rate meets the requirement of fingerprint information associated with the identity of the application program; and if the hit rate meets the requirement of the fingerprint information associated with the identity of the application program, determining that the matching result is successful.
In an embodiment, after implementing the step of determining whether the corresponding SQL statement in the fingerprint information associated with the identity of the application program is equal to the corresponding SQL statement, the processor 502 further implements the following steps:
if the SQL sentences corresponding to the numerical values are not equal to the corresponding SQL sentences in the fingerprint information associated with the identity of the application program, judging whether the fingerprint information associated with the identity of the application program is required to be matched according to a specific sequence; if the fingerprint information associated with the identity of the application program does not require matching in a specific order, executing the step of adding one to the hit number to update the hit number; if the fingerprint information associated with the identity of the application requires matching in a particular order, the incrementing of the value by one is performed to update the value.
It should be appreciated that in embodiments of the present application, the processor 502 may be a central processing unit (Central Processing Unit, CPU), the processor 502 may also be other general purpose processors, digital signal processors (Digital Signal Processor, DSPs), application specific integrated circuits (Application Specific Integrated Circuit, ASICs), off-the-shelf programmable gate arrays (Field-Programmable Gate Array, FPGAs) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, or the like. Wherein the general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
Those skilled in the art will appreciate that all or part of the flow in a method embodying the above described embodiments may be accomplished by computer programs instructing the relevant hardware. The computer program comprises program instructions, and the computer program can be stored in a storage medium, which is a computer readable storage medium. The program instructions are executed by at least one processor in the computer system to implement the flow steps of the embodiments of the method described above.
Accordingly, the present invention also provides a storage medium. The storage medium may be a computer readable storage medium. The storage medium stores a computer program which, when executed by a processor, causes the processor to perform the steps of:
when an application program is initialized, learning fingerprints of the application program to obtain fingerprint information; associating the fingerprint information with the identity of the application program to obtain identity information with the fingerprint information; when a terminal logs in a database by using an application program, carrying out identity matching and fingerprint information identification of the application program according to the name of the application program so as to obtain an identification result; judging whether the identification result is successful in matching; if the identification result is successful in matching, acquiring SQL information which is accumulated and executed after logging in a database when executing SQL, and matching fingerprint information associated with the identity of the application program to obtain a matching result; judging whether the matching result is successful; if the matching result is that the matching is successful, the application program is released; and if the matching result is not successful, blocking the application program.
The fingerprint information comprises SQL template features and SQL execution sequences.
The identity of the application includes at least one of an IP address, a database account, and an application name.
In one embodiment, when the processor executes the computer program to realize the step of learning the fingerprint of the application program to obtain fingerprint information when the application program is initialized, the following steps are specifically realized:
when an application program is initialized, all sessions of the same database are selected from the database gateway audit information; screening out the sessions related to the application program from all the sessions to obtain a target session; screening SQL sentences with the same characteristics from a plurality of SQL sentences which are the same in the target session to obtain screening results; and storing SQL features in the screening result according to the application program name and the type of the database to obtain fingerprint information.
In one embodiment, when the processor executes the computer program to realize the step of performing identity matching and fingerprint information identification of the application program according to the name of the application program when the terminal logs in the database by using the application program, the method specifically realizes the following steps:
When a terminal logs in to a database using an application program, parsing the name of the application program to obtain a name to be matched; searching for the identity of the application program corresponding to the name to be matched to obtain a search result; judging whether the search succeeded; if the search succeeded, determining whether the identity of the corresponding application program has associated fingerprint information, to obtain an information determination result; judging whether the information determination result is that the identity of the corresponding application program has associated fingerprint information; and if the information determination result is that the identity of the corresponding application program has associated fingerprint information, determining that the identification result is a successful match.
In one embodiment, when the processor executes the computer program to implement the step of acquiring, when SQL is executed, the SQL information cumulatively executed since logging in to the database and matching it against the fingerprint information associated with the identity of the application program to obtain a matching result, the processor specifically implements the following steps:
acquiring the cumulative SQL execution count when the application program executes SQL; judging whether the cumulative SQL execution count is smaller than a set times threshold; if the cumulative SQL execution count is smaller than the set times threshold, initializing a numerical value and a hit number; taking out the SQL statement corresponding to the numerical value; judging whether the numerical value is smaller than the set times threshold; if the numerical value is smaller than the set times threshold, judging whether the SQL statement corresponding to the numerical value is equal to the corresponding SQL statement in the fingerprint information associated with the identity of the application program; if the SQL statement corresponding to the numerical value is equal to the corresponding SQL statement in the fingerprint information associated with the identity of the application program, adding one to the hit number to update the hit number; adding one to the numerical value to update the numerical value, and returning to the step of judging whether the numerical value is smaller than the set times threshold; if the numerical value is not smaller than the set times threshold, calculating the hit rate from the hit number; judging whether the hit rate meets the requirement of the fingerprint information associated with the identity of the application program; and if the hit rate meets the requirement of the fingerprint information associated with the identity of the application program, determining that the matching result is a successful match.
In an embodiment, after executing the computer program to implement the step of judging whether the SQL statement corresponding to the numerical value is equal to the corresponding SQL statement in the fingerprint information associated with the identity of the application program, the processor further implements the following steps:
if the SQL statement corresponding to the numerical value is not equal to the corresponding SQL statement in the fingerprint information associated with the identity of the application program, judging whether the fingerprint information associated with the identity of the application program requires matching in a specific order; if the fingerprint information associated with the identity of the application program does not require matching in a specific order, executing the step of adding one to the hit number to update the hit number; if the fingerprint information associated with the identity of the application program requires matching in a specific order, executing the step of adding one to the numerical value to update the numerical value.
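The hit-rate matching loop described in the steps above, as an added Python example that is not code from the patent. Assumptions: `sql_template`, the `Fingerprint` fields and `threshold` are hypothetical names; the loop is bounded by the statements observed so far; for an unordered fingerprint a statement counts as a hit when its template occurs anywhere in the fingerprint; and a session whose count has reached the threshold returns `skip`, a case the steps leave open.

```python
import re
from dataclasses import dataclass, replace

# Assumption: a "SQL template" is the statement with literals replaced by "?".
_STRING = re.compile(r"'(?:[^']|'')*'")
_NUMBER = re.compile(r"\b\d+(?:\.\d+)?\b")
_SPACE = re.compile(r"\s+")

def sql_template(sql: str) -> str:
    """Normalise one SQL statement so that only its shape is compared."""
    s = _STRING.sub("?", sql)          # string literals first, so digits inside them vanish
    s = _NUMBER.sub("?", s)            # then bare numeric literals
    return _SPACE.sub(" ", s).strip().rstrip("; ").lower()

@dataclass(frozen=True)
class Fingerprint:
    templates: tuple      # learned templates, in execution order
    ordered: bool         # must statements match position by position?
    min_hit_rate: float   # hit rate this fingerprint requires

def match_session(executed, fp, threshold):
    """Return (verdict, hit_rate) for the SQL accumulated since login."""
    count = len(executed)
    if count == 0 or count >= threshold:
        return ("skip", None)          # outside the checked window (assumption)
    known = set(fp.templates)
    hits = 0
    for i in range(count):             # i plays the role of the "numerical value"
        tpl = sql_template(executed[i])
        if fp.ordered:
            if i < len(fp.templates) and tpl == fp.templates[i]:
                hits += 1
        elif tpl in known:             # order not required: membership is enough
            hits += 1
    rate = hits / count
    return ("release" if rate >= fp.min_hit_rate else "block", rate)

# Constructed sample data: fingerprint of a hypothetical application and two sessions.
FP = Fingerprint(
    templates=(
        "select version()",
        "set names ?",
        "select id, name from accounts where tenant = ?",
        "select count(*) from invoices where account_id = ?",
    ),
    ordered=True,
    min_hit_rate=0.75,
)
FP_UNORDERED = replace(FP, ordered=False)
GENUINE = [
    "SELECT version();",
    "SET NAMES 'utf8mb4'",
    "SELECT id, name FROM accounts WHERE tenant = 42",
    "SELECT COUNT(*) FROM invoices WHERE account_id = 1007",
]
SPOOFED = [  # same claimed application name, different statement shapes
    "SELECT version()",
    "SHOW DATABASES",
    "SELECT table_name FROM information_schema.tables",
    "SELECT * FROM accounts",
]

if __name__ == "__main__":
    for name, session in (("genuine", GENUINE), ("spoofed", SPOOFED)):
        print(name, match_session(session, FP, threshold=10))
```

Because literals are replaced before comparison, parameter values do not affect the hit rate; only the statement shapes and, for an ordered fingerprint, their positions do.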
The storage medium may be a U-disk, a removable hard disk, a Read-Only Memory (ROM), a magnetic disk, or an optical disk, or other various computer-readable storage media that can store program codes.
Those of ordinary skill in the art will appreciate that the elements and algorithm steps described in connection with the embodiments disclosed herein may be embodied in electronic hardware, in computer software, or in a combination of the two, and that the elements and steps of the examples have been generally described in terms of function in the foregoing description to clearly illustrate the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
In the several embodiments provided by the present invention, it should be understood that the disclosed apparatus and method may be implemented in other manners. For example, the device embodiments described above are merely illustrative. For example, the division of each unit is only one logic function division, and there may be another division manner in actual implementation. For example, multiple units or components may be combined or may be integrated into another system, or some features may be omitted, or not performed.
The steps in the method of the embodiment of the invention can be sequentially adjusted, combined and deleted according to actual needs. The units in the device of the embodiment of the invention can be combined, divided and deleted according to actual needs. In addition, each functional unit in the embodiments of the present invention may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit.
The integrated unit may be stored in a storage medium if implemented in the form of a software functional unit and sold or used as a stand-alone product. Based on such understanding, the technical solution of the present invention is essentially or a part contributing to the prior art, or all or part of the technical solution may be embodied in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a terminal, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present invention.
While the invention has been described with reference to certain preferred embodiments, it will be understood by those skilled in the art that various changes and substitutions of equivalents may be made and equivalents will be apparent to those skilled in the art without departing from the scope of the invention. Therefore, the protection scope of the invention is subject to the protection scope of the claims.

Claims (10)

1. An application anti-counterfeiting method, comprising the steps of:
when an application program is initialized, learning fingerprints of the application program to obtain fingerprint information;
associating the fingerprint information with the identity of the application program to obtain identity information with the fingerprint information;
when a terminal logs in to a database using an application program, carrying out identity matching and fingerprint information identification of the application program according to the name of the application program to obtain an identification result;
judging whether the identification result is a successful match;
if the identification result is a successful match, acquiring, when SQL is executed, the SQL information cumulatively executed since logging in to the database, and matching it against the fingerprint information associated with the identity of the application program to obtain a matching result;
judging whether the matching result is a successful match;
if the matching result is a successful match, releasing the application program;
and if the matching result is not a successful match, blocking the application program.
2. The application anti-counterfeiting method according to claim 1, wherein the learning of the fingerprint of the application program to obtain fingerprint information when the application program is initialized comprises:
when an application program is initialized, selecting all sessions of the same database from the database gateway audit information;
screening out the sessions related to the application program from all the sessions to obtain a target session;
screening SQL statements with the same characteristics from a plurality of SQL statements which are the same in the target session to obtain a screening result;
and storing the SQL features in the screening result according to the application program name and the type of the database to obtain fingerprint information.
3. The application anti-counterfeiting method according to claim 1, wherein the fingerprint information includes SQL template features and SQL execution order.
4. The application anti-counterfeiting method according to claim 1, wherein the identity of the application program includes at least one of an IP address, a database account, and an application program name.
5. The application anti-counterfeiting method according to claim 1, wherein carrying out identity matching and fingerprint information identification of the application program according to the name of the application program to obtain an identification result, when the terminal logs in to the database using the application program, comprises:
when a terminal logs in to a database using an application program, parsing the name of the application program to obtain a name to be matched;
searching for the identity of the application program corresponding to the name to be matched to obtain a search result;
judging whether the search succeeded;
if the search succeeded, determining whether the identity of the corresponding application program has associated fingerprint information, to obtain an information determination result;
judging whether the information determination result is that the identity of the corresponding application program has associated fingerprint information;
and if the information determination result is that the identity of the corresponding application program has associated fingerprint information, determining that the identification result is a successful match.
6. The application anti-counterfeiting method according to claim 5, wherein acquiring, when SQL is executed, the SQL information cumulatively executed since logging in to the database and matching it against the fingerprint information associated with the identity of the application program to obtain a matching result comprises:
acquiring the cumulative SQL execution count when the application program executes SQL;
judging whether the cumulative SQL execution count is smaller than a set times threshold;
if the cumulative SQL execution count is smaller than the set times threshold, initializing a numerical value and a hit number;
taking out the SQL statement corresponding to the numerical value;
judging whether the numerical value is smaller than the set times threshold;
if the numerical value is smaller than the set times threshold, judging whether the SQL statement corresponding to the numerical value is equal to the corresponding SQL statement in the fingerprint information associated with the identity of the application program;
if the SQL statement corresponding to the numerical value is equal to the corresponding SQL statement in the fingerprint information associated with the identity of the application program, adding one to the hit number to update the hit number;
adding one to the numerical value to update the numerical value, and returning to the step of judging whether the numerical value is smaller than the set times threshold;
if the numerical value is not smaller than the set times threshold, calculating the hit rate from the hit number;
judging whether the hit rate meets the requirement of the fingerprint information associated with the identity of the application program;
and if the hit rate meets the requirement of the fingerprint information associated with the identity of the application program, determining that the matching result is a successful match.
7. The application anti-counterfeiting method according to claim 6, further comprising, after judging whether the SQL statement corresponding to the numerical value is equal to the corresponding SQL statement in the fingerprint information associated with the identity of the application program:
if the SQL statement corresponding to the numerical value is not equal to the corresponding SQL statement in the fingerprint information associated with the identity of the application program, judging whether the fingerprint information associated with the identity of the application program requires matching in a specific order;
if the fingerprint information associated with the identity of the application program does not require matching in a specific order, executing the step of adding one to the hit number to update the hit number;
if the fingerprint information associated with the identity of the application program requires matching in a specific order, executing the step of adding one to the numerical value to update the numerical value.
8. An application anti-counterfeiting device, comprising:
the learning unit is used for learning the fingerprint of the application program when the application program is initialized so as to obtain fingerprint information;
the association unit is used for associating the fingerprint information with the identity of the application program to obtain identity information with the fingerprint information;
the identification unit is used for carrying out identity matching and fingerprint information identification of the application program according to the name of the application program when the terminal logs in to the database using the application program, so as to obtain an identification result;
a first judging unit, configured to judge whether the identification result is a successful match;
the matching unit is used for, if the identification result is a successful match, acquiring, when SQL is executed, the SQL information cumulatively executed since logging in to the database and matching it against the fingerprint information associated with the identity of the application program, so as to obtain a matching result;
the second judging unit is used for judging whether the matching result is successful;
the release unit is used for releasing the application program if the matching result is that the matching is successful;
and the blocking unit is used for blocking the application program if the matching result is not successful.
9. A computer device, characterized in that it comprises a memory on which a computer program is stored and a processor which, when executing the computer program, implements the method according to any of claims 1-7.
10. A storage medium storing a computer program which, when executed by a processor, implements the method of any one of claims 1 to 7.
CN202310420177.6A 2023-04-19 2023-04-19 Application program anti-counterfeiting method and device, computer equipment and storage medium Active CN116136901B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310420177.6A CN116136901B (en) 2023-04-19 2023-04-19 Application program anti-counterfeiting method and device, computer equipment and storage medium

Publications (2)

Publication Number Publication Date
CN116136901A true CN116136901A (en) 2023-05-19
CN116136901B CN116136901B (en) 2023-07-14

Family

ID=86333588

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310420177.6A Active CN116136901B (en) 2023-04-19 2023-04-19 Application program anti-counterfeiting method and device, computer equipment and storage medium

Country Status (1)

Country Link
CN (1) CN116136901B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117113340A (en) * 2023-10-20 2023-11-24 杭州美创科技股份有限公司 Host computer sag detection method, device, computer equipment and storage medium

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117113340A (en) * 2023-10-20 2023-11-24 杭州美创科技股份有限公司 Host computer sag detection method, device, computer equipment and storage medium
CN117113340B (en) * 2023-10-20 2024-01-23 杭州美创科技股份有限公司 Host computer sag detection method, device, computer equipment and storage medium

Also Published As

Publication number Publication date
CN116136901B (en) 2023-07-14

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant