CN1858738B - Method and device for accessing a database - Google Patents
Method and device for accessing a database
- Publication number: CN1858738B (application CN2006100076097A)
- Authority: CN (China)
- Prior art keywords: database, client, operation requests, unit, record
- Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Landscapes
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
- Storage Device Security (AREA)
Abstract
This invention relates to a method and a device for accessing a database. The method comprises: A, verifying the validity of a database access request received from a client, sending legal operation requests to the database, and recording the operation requests; B, the database executing the received operation request and feeding the result back to the client. The device comprises: a database client in which a data access agent is embedded as the tool for accessing the database and in which operation requests are encapsulated; a unified authentication and log unit, connected to the data access agent of the database client, used to formulate a security policy, a log policy and/or an alarm policy and to raise an alarm when an abnormal event occurs; and a database, connected to the client, that stores user relationship data.
Description
Technical field
The present invention relates to database technology, and in particular to a database access method and device.
Background technology
With the development of society, large amounts of data need to be stored, and stored data must be processed by certain data access methods according to the requirements of different users. A database is the technology that meets this need: briefly, a database is a collection of data that can be preserved durably and operated on. A database system consists of a database together with its surrounding environment: the software, operating system, hardware and users that use it. To let users access the database conveniently (for example, to query, add, delete or modify data in it), the database needs to exercise corresponding control over the data. The control functions of a database over its data mainly comprise: 1) data integrity control, meaning the correctness and validity of the stored data; 2) data security control, meaning that the data is protected from use by unauthorised persons and from leakage; 3) concurrency control, meaning the control and coordination of concurrent operations by multiple users; 4) data recovery, meaning restoring the database from some error state to a known correct state.
The architecture of a database system is its overall framework. Although actual database software products vary widely, use different database languages and run on different operating systems, most database systems share the architectural feature of a three-level schema: the external schema, the schema and the internal schema. The external schema, also called the sub-schema or user schema, is a subset of the schema: the local logical structure of the data, i.e. the data view seen by a database user. The schema, also called the logical schema, is the description of the global logical structure and characteristics of all data in the database, i.e. the common data view of all users. The internal schema, also called the storage schema, is the internal representation of the data in the database system, i.e. the description of the physical structure and storage mode of the database.
Please refer to Fig. 1, a logical schematic of how a client currently accesses a database. The access process is: first, determine the connection parameters of the database concerned, such as the database name, uniform resource locator (URL) and user name; then establish a connection to the database using the obtained connection parameters; third, encapsulate SQL (Structured Query Language) statements according to the access operation required of the database system, execute the encapsulated SQL statements, and return the result.
Specifically, as shown in Fig. 1, the application programs 101 (comprising applications 1, 2 and 3) of the database client 10 access the database 20 through an external-schema (database user) identity and perform corresponding operations, such as SQL (Structured Query Language) statements. The external-schema (database user) identity comprises a user name, password, etc.; it is the identity with which an application accesses the database system, and it can be encrypted in some manner to ensure that the user name and password are not leaked. A permission authentication system 201 is set up in the database 20 to verify the user's legitimacy, rights of use and so on; at the same time, the tables or data views 202 the user is allowed to see are set in the database, so that unauthorised users are prevented from accessing the database and no data is returned beyond what this external schema is allowed to see.
In the above approach, when large application systems such as mobile communications or banking build a database system, a unified external schema may be used to establish the system's data model, and all application clients and maintenance personnel operate the database (with SQL statements) using this schema or an external schema with smaller permissions, for example to modify table structures, query data in related tables and modify table data. However, for these operations, the current database access method keeps no record of the client IP address, of queries and changes to tables related to user privacy, or of changes to table structures, and has no security authentication or alarm triggering mechanism. Therefore the currently disclosed technical solutions have the following defects:
1) Operations on the database (SQL statements) cannot be tracked or controlled. That is, it is difficult to determine when a destructive operation (SQL statement) on the database occurred, from which terminal the user logged in, and who the specific user was;
2) When an abnormal operation (an SQL statement against the database, such as modifying a table structure, deleting a table or deleting a stored procedure) occurs, the system administrator cannot learn of it in time. This greatly reduces the security of the database (for the application), may paralyse the application systems that use the database (such as a BOSS support system or a banking system), and greatly increases the difficulty of database maintenance and management.
Summary of the invention
The technical problem solved by the present invention is to provide a database access method and device, so as to solve the problem that in the present technical solutions requests to access a database are neither controlled nor traceable, cannot be prevented, and therefore cannot fully ensure the security of the data.
To solve the above problems, the invention provides a database access method, characterised in that it comprises the steps:
A, a data access agent verifies the legitimacy of a received client database operation request by calling a security authentication system, sends legal operation requests to the database, and at the same time calls a log system to record the operation request, wherein the process by which the log system records the operation request is: the log system records the operation request according to a log level;
B, the database processes the received operation request and returns the result to the client.
The security authentication system sends operation requests that match a security alarm policy to an alarm system as alarm events, and reports them to the system administrator.
The legitimacy is measured according to a pre-established security authentication policy, which comprises checks of the legitimacy of permissions, of the validity of the request, and for attacks.
The log system sends operation requests that match a log alarm policy to the alarm system as alarm events, and reports them to the system administrator.
In step B, the path by which the result is returned to the client is: the database feeds the result back to the client directly, or feeds it back to the client through the data access agent.
In addition, the present invention provides a device for accessing a database, comprising:
a database client, used to send database operation requests;
a security authentication unit, used to verify the legitimacy of database operation requests, to set a corresponding alarm policy, and to raise an alarm for events that match the alarm policy;
a log record unit, used to record all operation requests for accessing the database, to set a corresponding alarm policy, and, after an event has completed, to raise an alarm for events that match the alarm policy;
a database, used to store user relationship data and to feed the processed database operation request back to the database client;
a data access agent unit, connected respectively to the database client, the security authentication unit, the log record unit and the database, used to receive the database operation request information sent by the database client, to call the security authentication unit to verify the legitimacy of the operation request information, to send legal operation request information to the database, and to call the log record unit to record all received operation request information.
The data access agent unit is embedded in the database client as the tool by which the client accesses the database, and database operation requests are encapsulated in it.
The device further comprises an alarm unit, connected respectively to the security authentication unit and the log record unit, used to report to the system administrator the alarm events about the database system sent by the security authentication unit and the log record unit.
In addition, the present invention provides another device for accessing a database, comprising:
a database client, in which a data access agent is embedded as the tool by which the client accesses the database, and in which database operation requests are encapsulated;
a unified authentication and log unit, connected to the data access agent of the database client, used to formulate in a unified way the security policy, log policy and/or alarm policy for data access, and to raise an alarm when an abnormal event occurs, wherein the log policy is to record the operation requests, and the process of recording them is: the operation requests are recorded according to a log level;
a database, connected to the database client, used to store user relationship data.
The device further comprises an alarm unit, connected to the unified authentication and log unit, used to report to the system administrator the alarm events about the database system sent by the unified authentication and log unit.
Finally, the present invention provides yet another device for accessing a database, comprising:
a database client, in which a data access agent, a security authentication sub-unit and a log record sub-unit are embedded, used to encapsulate the operation request information for accessing the database in the data access agent, to verify the legitimacy of the operation request through the security authentication sub-unit, to send legal operation requests to the database, and to record the operation requests through the log record sub-unit, wherein the process of recording the operation requests is: the log record sub-unit records them according to a log level; the database client also formulates in a unified way the security policy, log policy and/or alarm policy for data access, and raises an alarm when an abnormal event occurs;
a database, connected to the database client, used to store user relationship data;
The device further comprises an alarm unit, connected to the database client, used to report to the system administrator the alarm events about the database system sent by the database client.
Compared with the prior art, the present invention has the following beneficial effects. By placing a data access agent between the client and the database, the invention intercepts the database operation requests sent by the client, and every access operation request (SQL statement) to the database is verified for legitimacy according to the corresponding security policy. At the same time, database operation requests are recorded according to the corresponding log record policy, so that when data in the database is damaged the perpetrator can be traced. Whenever an abnormal request (SQL statement) event occurs in the database system, the abnormal event is sent to the alarm unit according to the configured security alarm policy and log alarm policy, and the alarm unit promptly reports it to the system administrator (DBA), so that the administrator can supervise how clients access and control the data in the database, handle and maintain abnormal conditions in time, and improve the security of the database. In addition, by setting a corresponding attack protection policy (for example, client requests (SQL) coming from a certain IP address are forbidden), attacks on the database are shielded. Through the security policy of the security authentication system, different permissions are assigned to different clients, so that even when the same database user schema is used, the classes of access request each client may make to the database can be limited. For example, the database user of a BOSS application system is BOSS and every client logs in to this database as BOSS; by setting a corresponding policy in the security authentication system, SQL statements meeting certain conditions are authorised or forbidden, and the security of the database is thereby protected. Therefore, all operation requests accessing the database are controlled and traceable. Because the solution of the present invention only monitors the client's operation requests (SQL statements), it imposes no overhead on the protected database.
Description of drawings
Fig. 1 is a logical schematic of database access in the prior art;
Fig. 2 is a flow chart of the database access method of the present invention;
Fig. 3 is a timing diagram of the database access method of the present invention;
Fig. 4 is a logical structure diagram of the database access device of the present invention;
Fig. 5 shows one embodiment of the database access device of the present invention;
Fig. 6 shows another embodiment of the database access device of the present invention;
Fig. 7 shows another embodiment of the database access device of the present invention;
Fig. 8 shows yet another embodiment of the database access device of the present invention.
Embodiment
The core of the present invention is to place a data access agent between the database client and the database, which intercepts all access operation requests to the database. The data access agent calls a security authentication system to verify the legitimacy of the database access operation requests sent by the client, and at the same time sends the database access operation requests sent by the database client to a log system; the log system records them, so that when data in the database is damaged the perpetrator can be traced. In addition, corresponding alarm policies can be set in the security authentication system and the log system, so that abnormal operation requests matching an alarm policy are sent to an alarm system as alarm events; the alarm system promptly sends the event to the system administrator (DBA), so that the administrator learns of the abnormality in time, maintains the database in time, and improves the security of the database.
The present invention is described further below with reference to the drawings.
Refer to Fig. 2, a flow chart of the database access method of the present invention. The method comprises the steps:
Step S11: verify the legitimacy of the received client database operation request, send legal operation requests to the database, and record the operation requests at the same time;
Step S12: the database processes the received operation request and returns the result to the client.
The database client sends an operation request (i.e. an SQL statement) to access the database. After the data access agent receives the client's operation request (the SQL statement), it first parses the SQL statement and calls the security authentication system to verify whether the database access operation request is legal. Legitimacy is judged according to the policy pre-established by the security authentication system, which comprises checks of permission legitimacy, request validity and attacks, among others; the policy is not limited to those disclosed here, and other policies may be formulated according to actual needs. Through the security policy of the security authentication system, the present invention can assign different rights of use to different clients, so that even when the same database user schema is used, the classes of access request each client may make to the database can be limited. For example, the database user of a BOSS application system is BOSS and every client logs in to this database as BOSS; by setting a corresponding policy in the security authentication system, SQL statements meeting certain conditions are authorised or forbidden, and the security of the database is thereby protected.
The security authentication system feeds the verification result back to the data access agent. At the same time, the security authentication system sends operation requests (SQL statements) matching the security alarm policy to the alarm system as alarm events, so that the system administrator (DBA) learns of them in time and prevents trouble before it happens.
When the data access agent receives the verification result, it processes the request accordingly: if the operation request is verified to be illegal, access to the database is not allowed and this result is fed back directly to the client; if the operation request is legal, the data access agent sends all operation requests (SQL statements) of the database client to the log system for recording, so that when data in the database is damaged the perpetrator can be traced from the records. The log system records access operation requests according to the log level, and sends access operation requests matching the log alarm policy to the alarm system as alarm events, so as to report to the system administrator (DBA) in time. At the same time, the data access agent sends all the client's legal operation requests to the database; the database processes the received operation requests and feeds the result back to the database client directly, or feeds it back to the database client through the data access agent. In addition, in the above process, the sending of legal operation requests to the database for processing and the sending of all client operation requests to the log system for recording proceed in parallel and are independent of each other. The timing diagram of the method is shown in detail in Fig. 3.
Refer also to Fig. 4, a logical structure diagram of the database access device of the present invention. The device comprises: a database client 11, a data access agent unit 12, a security authentication unit 13, a log record unit 14 and a database 15. In addition, the device may further comprise an alarm unit 16.
The database client 11 is the client that wants to access the database and the main user of the database 15; database operation requests (SQL statements) are sent through it. Database operation requests mainly comprise operation requests in the data query language (DQL), data manipulation language (DML), data definition language (DDL) and data control language (DCL). "Client" below always refers to the database client.
The data access agent unit 12 is connected respectively to the database client 11, the security authentication unit 13, the log record unit 14 and the database 15. It intercepts the database operation request information sent by the database client and calls the security authentication system to verify the legitimacy of the operation request according to the corresponding security policy. If the security authentication system considers the operation request illegal, i.e. it does not match the pre-established security policy, the data access agent returns the verification result directly to the database client; if the operation request is legal, all operation requests are sent to the log system for recording, and at the same time the legal operation request is sent to the database. The data access agent unit 12 only intercepts the SQL statements sent by the client (that is, the client accesses the database through the data access agent rather than directly), parses the received SQL statement, and obtains which type of operation the SQL statement is, which table it accesses, and so on; this information is the basis on which the security policy and alarm policy are set. The principle of setting the security policy and alarm policy is to take a certain action for requests meeting a certain condition; this is a known technique to a person skilled in the art and is not described further here. The data access agent unit 12 is not concerned with the return of the database processing result: the result may be returned directly to the database client 11 without passing through the data access agent unit 12, or it may be fed back to the data access agent unit 12 first and forwarded by it to the database client 11 (as shown by the dashed line in Fig. 4).
In addition, the data access agent unit 12 of the present invention differs in architecture from current middleware technology (such as BEA's TUXEDO, IBM's CICS, ORACLE's AS and Delphi's MIDAS). In such middleware, the components with functions similar to the data access agent are mainly used to shield the differences between multiple systems and achieve transparent transmission, and they process both the request packet and the returned packet accordingly. The data access agent unit of the present invention, by contrast, mainly intercepts database operation requests for security authentication and log recording; it is not concerned with the real result returned by the database and does no processing of the returned packet.
The security authentication unit 13 is connected respectively to the data access agent unit 12 and/or the alarm unit 16, and verifies the legitimacy of database operation requests according to the security policy set by the system. The security policy is set in advance, and the specific policy is set differently according to the application system. For example, the security policy may specify which tables clients at which IP addresses are not allowed to query, or that clients other than those at a certain IP address may not delete or change the structure of any table. The security authentication unit 13 may also set a corresponding alarm policy, send an alarm to the alarm unit 16 for operation request events matching the alarm policy, and at the same time refuse the operation request (SQL statement). The alarm policy may specify, for instance, that when a client at an unknown IP address queries the data of a certain table, a certain system administrator is notified through the SMS system, or access is denied; in this way the security authentication unit can prevent the problem in advance.
The log record unit 14 is connected respectively to the data access agent unit 12 and/or the alarm unit 16, and records and stores separately all database operation request information sent over by the data access agent unit 12; the storage may be a database, a file system, flash memory or main memory, among others, but is not limited to these. The log record unit may also set a corresponding alarm policy (the principle of setting it is the same as for the alarm policy of the security authentication unit, but here an alarm can only be raised after the fact, because the log record unit 14 records the SQL statement in parallel with its execution in the database), and sends alarms for events matching the alarm policy to the alarm unit 16.
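The following Python is an added example, not code from the patent, that sketches the data access agent unit, security authentication unit and log record unit described for Fig. 4 and the method steps S11/S12: it parses each SQL statement for its class (DQL/DML/DDL/DCL) and the table it touches, applies a security policy keyed on client IP address and table in the manner of the examples above, records legal requests at a log level that depends on the statement class, and evaluates the log unit's after-the-fact alarm policy. The IP addresses, table names and policy rules are constructed assumptions, the protected database is replaced by a callable, and the alarm unit is replaced by a list that collects alarm events.

```python
"""Data access agent: parse, authenticate, log and alarm (added example)."""
import re
import logging
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Statement classes the patent names (DQL/DML/DDL/DCL), keyed by leading verb.
_VERB_CLASS = {
    "SELECT": "DQL",
    "INSERT": "DML", "UPDATE": "DML", "DELETE": "DML",
    "CREATE": "DDL", "ALTER": "DDL", "DROP": "DDL", "TRUNCATE": "DDL",
    "GRANT": "DCL", "REVOKE": "DCL",
}
# First object name after a keyword that introduces a table or procedure
# (a minimal classifier, enough to drive the policy below).
_TABLE_RE = re.compile(
    r"\b(?:FROM|INTO|UPDATE|TABLE|PROCEDURE|ON)\s+([A-Za-z_][\w.]*)", re.I)


@dataclass
class Request:
    client_ip: str
    user: str
    sql: str
    kind: str = "UNKNOWN"
    table: str = ""


def parse(req: Request) -> Request:
    """The agent's parse step: fill in statement class and first table name."""
    words = req.sql.strip().split(None, 1)
    req.kind = _VERB_CLASS.get(words[0].upper(), "UNKNOWN") if words else "UNKNOWN"
    m = _TABLE_RE.search(req.sql)
    req.table = m.group(1).lower() if m else ""
    return req


@dataclass
class Decision:
    allowed: bool
    reason: str
    alarm: Optional[str] = None   # message for the alarm unit, if any


# Constructed policy data (assumptions, not taken from the patent).
MAINT_HOSTS = {"10.0.0.5"}               # only these hosts may run DDL
KNOWN_HOSTS = MAINT_HOSTS | {"10.0.1.20"}
PRIVATE_TABLES = {"subscriber_info"}     # privacy-related tables


def security_policy(req: Request) -> Decision:
    """Security authentication unit: the first matching rule decides."""
    if req.kind == "UNKNOWN":
        return Decision(False, "unrecognised statement",
                        "unparsable SQL from %s" % req.client_ip)
    if req.kind == "DDL" and req.client_ip not in MAINT_HOSTS:
        return Decision(False, "DDL only from maintenance hosts",
                        "DDL attempt on %s from %s" % (req.table, req.client_ip))
    if req.client_ip not in KNOWN_HOSTS:
        if req.table in PRIVATE_TABLES:
            return Decision(False, "private table from unknown host",
                            "unknown host %s read %s" % (req.client_ip, req.table))
        # Unknown host on an ordinary table: let it through but notify the DBA.
        return Decision(True, "allowed with alarm",
                        "unknown host %s issued %s" % (req.client_ip, req.kind))
    return Decision(True, "allowed")


# Log level per statement class: the "log level" the patent records against.
LOG_LEVEL = {"DQL": logging.DEBUG, "DML": logging.INFO,
             "DDL": logging.WARNING, "DCL": logging.WARNING}


def log_alarm_policy(req: Request) -> Optional[str]:
    """Log record unit's alarm policy; it runs after the statement is logged,
    so it can only warn after the fact (as the patent notes)."""
    upper = req.sql.upper()
    if req.kind == "DML" and upper.startswith("DELETE") and " WHERE " not in upper:
        return "unqualified DELETE on %s by %s" % (req.table, req.user)
    return None


class DataAccessAgent:
    def __init__(self, db_execute: Callable[[str], object]):
        self.db_execute = db_execute                        # stands in for the database
        self.records: List[Tuple[int, str, str, str]] = []  # (level, ip, user, sql)
        self.alarms: List[Tuple[str, str]] = []             # (source unit, message)

    def handle(self, client_ip: str, user: str, sql: str) -> dict:
        req = parse(Request(client_ip, user, sql))
        decision = security_policy(req)
        if decision.alarm:
            self.alarms.append(("auth", decision.alarm))
        if not decision.allowed:
            # Illegal request: never reaches the database; result goes straight back.
            return {"ok": False, "error": decision.reason}
        # Legal request: record it, then execute. Logging is isolated so that a
        # failure of the log store never changes what the database returns.
        try:
            self.records.append((LOG_LEVEL[req.kind], client_ip, user, sql))
            post = log_alarm_policy(req)
            if post:
                self.alarms.append(("log", post))
        except Exception:
            pass  # constructed stand-in: log store failure is not the client's problem
        return {"ok": True, "result": self.db_execute(sql)}


def demo() -> DataAccessAgent:
    """Run a constructed batch of requests through the agent."""
    agent = DataAccessAgent(db_execute=lambda s: "executed " + s.split()[0].upper())
    agent.handle("10.0.1.20", "boss", "SELECT name FROM users WHERE id = 1")   # allowed
    agent.handle("10.0.1.20", "boss", "ALTER TABLE users ADD COLUMN note TEXT") # denied, alarm
    agent.handle("10.0.0.5", "boss", "ALTER TABLE users ADD COLUMN note TEXT")  # allowed
    agent.handle("192.0.2.9", "boss", "SELECT * FROM subscriber_info")         # denied, alarm
    agent.handle("10.0.0.5", "boss", "DELETE FROM orders")                      # allowed, log alarm
    return agent
```

Every client logs in as the same database user ("boss") in the demo, yet DDL from a non-maintenance address and reads of the private table from an unknown address are refused before they reach the database, which is the per-client limitation the text describes for a shared user schema; the unqualified DELETE is executed but produces an alarm from the log unit afterwards, illustrating why the patent says that unit can only alarm after the fact.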
The database 15 is the database monitored through the data access agent unit 12; it stores the data of the user's real relationships, and feeds the processed database operation request back to the database client, or feeds it back to the data access agent unit 12 first, which returns the received feedback result to the database client 11.
The device may further comprise an alarm unit 16, connected respectively to the security authentication unit 13 and the log record unit 14 and provided according to the needs of the application system. It reports to the system administrator (DBA) the alarm events about the database system received from the security authentication unit 13 and the log record unit 14, so that the administrator learns of them in time and prevents trouble before it happens. The alarm unit 16 may report to the system administrator by SMS, voice or e-mail.
In addition, in the above device, the data access agent unit 12 may be embedded in the database client 11 as the tool by which the end users of the database access it, and all database operation requests are encapsulated on the database client 11 in which the data access agent unit 12 is embedded.
In addition, the database client 11 and the data access agent unit 12 are logical divisions; in practice they may be separate or combined. Likewise, the security authentication unit 13 and the log record unit are logical divisions, and in practice may be separate or combined. The specific implementation is described in the following specific embodiments.
Refer to Fig. 5, one embodiment of the database access device of the present invention. The device comprises: a database client 21, a unified authentication and log unit 22 and a database 23. The device may further comprise an alarm unit 24, illustrated here by way of example with an SMS sub-unit 241.
The database client 21 embeds a data access agent 211 in the client as the tool by which the end users of the database access it, and database operation requests are encapsulated in it.
The unified authentication and log unit 22 is connected to the data access agent 211 of the database client 21, comprises a security authentication sub-unit 221 and a log record sub-unit 222, and formulates in a unified way the security policy, log policy and/or alarm policy for data access; when an abnormal event occurs it sends an alarm to the SMS sub-unit 241 in the alarm system 24, which sends the alarm to the system administrator (DBA). The present invention determines by the security policy whether the operation request (SQL statement) to the database may proceed; determines by the alarm policy whether the operation request (SQL statement) is reported to the relevant personnel, such as the system administrator (DBA); and records by the log policy the operation requests (SQL statements) with which clients access the database, so that access to the system is tracked and, when data in the database is damaged, the perpetrator can be traced.
The database 23 is connected to the database client 21 and stores user relationship data.
All personnel using the database client 21 first perform a secure login, at which time the unified authentication unit 22 records and verifies the legitimacy of the unique identity of the host on which the client process runs (such as host name, IP address, MAC address and login user name), and feeds the verification result back to the data access agent 211 of the database client 21. The data access agent 211 sends legal database operation requests (SQL statements) to the database 23 for processing and at the same time calls the log record unit to record them. After the database 23 finishes processing, it returns the result to the database client 21. The recording of the log and the database's processing of the request proceed in parallel; that is, the success or failure of log recording has no bearing on the result the database returns for the client request.
Therefore, the feature of this embodiment is that it can be used for application system maintenance in large database application systems (in fields such as communications and banking), because such systems generally use the same user schema and are maintained jointly by many people. In addition, all database operations (SQL statements) are encapsulated in the database client 21, which replaces the general database client and at the same time intercepts all database operation requests (SQL statements) made with this client and sends them to the unified authentication unit 22 for authentication and recording. According to the pre-set alarm policy, the unified authentication and log unit 22 raises alarms for abnormal operation requests (SQL statements) received by the database 23, so that the system administrator learns of the abnormality in time. Therefore, this embodiment can largely avoid the randomness and non-traceability of database maintenance, thereby improving database security.
Refer to Fig. 6, another embodiment of the database access device of the present invention. The device comprises: a database client 31, a security authentication unit 32, a log record unit 33 and a database 34. The device may further comprise an alarm unit 35, illustrated here by way of example with an SMS sub-unit 351.
A data access agent 311 is embedded in the process of the database client 31 as the tool by which the end users of the database access it, and all operation requests to the database are encapsulated in it. All personnel using the database client 31 first perform a secure login, at which time the security authentication unit 32 records the unique identity of the host on which the database client 31 process runs (such as host name, IP address, MAC address and login user name), and only then are subsequent database operation requests (SQL statements) carried out. At the same time the security authentication unit 32 verifies the operation requests (SQL statements) of the database client 31, refuses operation requests (SQL statements) according to the security policy settings, or, when an abnormal event occurs, raises an alarm for the operation request (SQL statement) according to the alarm policy settings, and sends the alarm to the SMS sub-unit 251 in the alarm unit 25, which sends the alarm to the system administrator (DBA).
All database operation requests (SQL statements) are sent to the database 34 for processing after authentication, and are recorded at the same time. After the database 34 finishes processing, the result is returned to the database client 31. The log record unit 33 records database operation requests (SQL statements) according to the log policy, so that access to the system is tracked. The recording of the log and the database's processing of the request proceed in parallel; that is, the success or failure of log recording has no bearing on the result the database returns for the client request.
Therefore, present embodiment and the foregoing description (as shown in Figure 4) are basic identical, and its difference is that safety certification unit and log record unit are respectively unit independently.Its characteristics are identical with the characteristics of the foregoing description, see for details above-mentionedly, do not repeat them here.
Refer also to Fig. 7, which shows another embodiment of the device for accessing a database according to the present invention. The device comprises database client 41 and database 42. The device may further comprise alarm unit 43, illustrated here by way of example as SMS sub-unit 431.
In this embodiment database client 41 is packaged as a thick client (that is, a database client with built-in security control): data access agent sub-unit 411, security authentication sub-unit 412 and log record sub-unit 413 are all encapsulated together in it. The client uniformly formulates the security policy, log policy and/or alarm policy for data access and, when an abnormal event occurs, sends an alarm to SMS sub-unit 431 of alarm unit 43, which forwards it to the system administrator (DBA). The security policy determines whether an operation request (SQL statement) may proceed; the alarm policy determines whether the request is reported to relevant personnel such as the system administrator (DBA); and the log policy records every operation request (SQL statement) that accesses the database, so that access to the system can be traced.
All personnel using database client 41 must first perform a secure login, at which point security authentication sub-unit 412 records and verifies the legitimacy of the unique identifier of the host on which the client process runs (for example host name, IP address, MAC address and login user name); only then are subsequent database operation requests (SQL statements) issued. Every database operation request (SQL statement) that passes authentication is sent to database 42 for processing and is recorded at the same time by log record sub-unit 413. After database 42 finishes processing, the result is returned to the client. The recording of the log proceeds in parallel with the database's processing of the request; that is, the success or failure of log recording has no bearing on the result the database returns for the client request.
This embodiment is therefore essentially the same as the preceding one (shown in Fig. 4); the difference is that the data access agent, security authentication and log record units are all encapsulated in the database client process. Its features are the same as those of the preceding embodiment, described in detail above, and are not repeated here. In addition, this embodiment is comparatively easy to deploy.
Finally, refer to Fig. 8, which shows a further embodiment of the device for accessing a database according to the present invention. The device comprises database client 51, data access agent unit 52, unified authentication and log unit 53 and database 54. Unified authentication and log unit 53 comprises security authentication sub-unit 531 and log record sub-unit 532. The device may further comprise alarm unit 55, illustrated here by way of example as SMS sub-unit 551.
Database client 51 is used to send database operation requests. Data access agent unit 52 is connected to database client 51, to unified authentication and log unit 53 and to database 54; it receives the database operation request information sent by database client 51, calls security authentication sub-unit 531 to verify the legitimacy of the received operation request information, sends legal operation request information to database 54, and sends the database operation requests to log record sub-unit 532 for recording. Unified authentication and log unit 53 is connected to database client 51 and data access agent unit 52; it uniformly formulates the security policy, log policy and/or alarm policy for data access and sends an alarm when an abnormal event occurs. Database 54 is connected to database client 51 and stores the user-related data. The device further comprises alarm unit 55, connected to unified authentication and log unit 53, which reports the alarm events about the database system sent by the unified authentication and log unit to the system administrator through SMS sub-unit 551. The concrete implementation is described in detail above and is not repeated here.
The above is only a preferred implementation of the present invention. It should be noted that those skilled in the art may make a number of improvements and modifications without departing from the principle of the invention, and such improvements and modifications should also be regarded as falling within the scope of protection of the present invention.
Claims (12)
1. A database access method, characterised in that it comprises the steps of:
A. a data access agent verifies the legitimacy of a received client database operation request by calling a security authentication system, sends legal operation requests to the database and at the same time calls a log system to record the operation request, wherein the process by which the log system records the operation request is: the log system records the operation request according to a log level;
B. the database processes the received operation request and returns the processing result to the client.
2. The database access method according to claim 1, characterised in that the security authentication system sends operation requests that match the security alarm policy to an alarm system as alarm events and reports them to the system administrator.
3. The database access method according to claim 1 or 2, characterised in that the legitimacy is measured according to a pre-established security authentication policy, the security authentication policy comprising: legitimacy of authority, validity of the request and an attack check.
4. The database access method according to claim 1, characterised in that the log system sends operation requests that match the log alarm policy to an alarm system as alarm events and reports them to the system administrator.
5. The database access method according to claim 1, characterised in that the path by which the processing result is returned to the client in step B is: the database feeds the processing result back to the client directly, or feeds it back to the client through the data access agent.
6. A device for accessing a database, comprising:
a database client, used to send database operation requests;
a security authentication unit, used to verify the legitimacy of database operation requests, to set a corresponding alarm policy and to send an alarm for events that match the alarm policy;
a log record unit, used to record all operation requests that access the database, to set a corresponding alarm policy and, after an event has completed, to send an alarm for events that match the alarm policy;
a database, used to store the user-related data and to feed the processed database operation requests back to the database client;
characterised in that the device further comprises:
a data access agent unit, connected to the database client, the security authentication unit, the log record unit and the database respectively, used to receive the database operation request information sent by the database client, to call the security authentication unit to verify the legitimacy of the operation request information, to send legal operation request information to the database, and to call the log record unit to record all received operation request information.
7. The device for accessing a database according to claim 6, characterised in that the data access agent unit is embedded in the database client, serves as the tool through which the client accesses the database, and encapsulates the operation requests to the database.
8. The device for accessing a database according to claim 6 or 7, characterised in that the device further comprises an alarm unit, connected to the security authentication unit and the log record unit respectively, used to report the alarm events about the database system sent by the security authentication unit and the log record unit to the system administrator.
9. A device for accessing a database, characterised in that it comprises:
a database client, in which a data access agent is embedded as the tool through which the client accesses the database and in which the operation requests to the database are encapsulated;
a unified authentication and log unit, connected to the data access agent of the database client, used to uniformly formulate the security policy, log policy and/or alarm policy for data access and to send an alarm when an abnormal event occurs, wherein the log policy is to record the operation requests, and the process of recording the operation requests is: recording the operation requests according to a log level;
a database, connected to the database client, used to store the user-related data.
10. The device for accessing a database according to claim 9, characterised in that the device further comprises an alarm unit, connected to the unified authentication and log unit, used to report the alarm events about the database system sent by the unified authentication and log unit to the system administrator.
11. A device for accessing a database, characterised in that it comprises:
a database client, in which a data access agent, a security authentication sub-unit and a log record sub-unit are embedded, used to encapsulate the operation request information for accessing the database in the data access agent, to verify the legitimacy of the operation request through the security authentication sub-unit, to send legal operation requests to the database, and to record the operation requests through the log record sub-unit, wherein the process of recording the operation requests is: the log record sub-unit records the operation requests according to a log level; the database client also uniformly formulates the security policy, log policy and/or alarm policy for data access and sends an alarm when an abnormal event occurs;
a database, connected to the database client, used to store the user-related data.
12. The device for accessing a database according to claim 11, characterised in that the device further comprises an alarm unit, connected to the database client, used to report the alarm events about the database system sent by the database client to the system administrator.
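The request path described in the embodiments above and in claims 1 to 6 (secure login by host identifier, legitimacy check by a security authentication unit, forwarding of legal SQL to the database, logging by level in parallel with and independent of the database result, alarms for policy-matching events), as an added Python example that is not part of the patent. The registered host, the authority table, the attack patterns, the alarm policy and the `accounts` table are all constructed assumptions.

```python
"""Added example, not the patent's own code: a data access agent in the style of
the Fig. 8 embodiment and claims 1-6. Hosts, policies and sample data are constructed."""
import re
import sqlite3
from collections import namedtuple

# Uniqueness identifier of the host running the client process (secure-login step).
ClientIdentity = namedtuple("ClientIdentity", "hostname ip mac username")

# Constructed security policy: registered hosts, per-user authority, attack checks.
REGISTERED_HOSTS = {("maint-01", "10.0.0.5", "00:11:22:33:44:55")}
AUTHORITY = {"dba": {"SELECT", "INSERT", "UPDATE", "DELETE"}, "operator": {"SELECT", "UPDATE"}}
ATTACK_PATTERNS = [re.compile(r";\s*\S"),                              # stacked statements
                   re.compile(r"\bor\s+(\S+?)\s*=\s*\1(?!\w)", re.I)]  # tautology
ALARM_POLICY = {"DELETE", "DROP"}  # statement kinds the alarm policy always reports

def statement_kind(sql: str) -> str:
    return (sql.split() or [""])[0].upper()

class SecurityAuthUnit:
    def login(self, ident: ClientIdentity) -> bool:
        return (ident.hostname, ident.ip, ident.mac) in REGISTERED_HOSTS and ident.username in AUTHORITY
    def verify(self, ident: ClientIdentity, sql: str) -> tuple:
        # Legitimacy as in claim 3: validity of the request, authority, attack check.
        kind = statement_kind(sql)
        if kind not in set().union(*AUTHORITY.values()):
            return False, "validity"
        if kind not in AUTHORITY[ident.username]:
            return False, "authority"
        if any(p.search(sql) for p in ATTACK_PATTERNS):
            return False, "attack"
        return True, ""

class LogUnit:
    def __init__(self, fails: bool = False):  # `fails` simulates a broken log store
        self.records, self.fails = [], fails
    def record(self, level: str, ident: ClientIdentity, sql: str) -> None:
        if self.fails:
            raise OSError("log store unavailable")
        self.records.append((level, ident.username, sql))  # recorded by log level

class DataAccessAgent:
    def __init__(self, conn, auth: SecurityAuthUnit, log: LogUnit):
        self.conn, self.auth, self.log = conn, auth, log
        self.alerts = []  # alarm unit stand-in: what the SMS sub-unit would send the DBA

    def execute(self, ident: ClientIdentity, sql: str) -> dict:
        if not self.auth.login(ident):
            self.alerts.append(f"login refused for {ident.hostname}/{ident.username}")
            return {"allowed": False, "reason": "login", "rows": []}
        legal, reason = self.auth.verify(ident, sql)
        if not legal:
            self._record("WARNING", ident, sql)
            self.alerts.append(f"{reason} violation by {ident.username}: {sql}")
            return {"allowed": False, "reason": reason, "rows": []}
        rows = self.conn.execute(sql).fetchall()  # legal request goes to the database
        self.conn.commit()
        self._record("INFO", ident, sql)  # recorded in parallel; the result is unaffected
        if statement_kind(sql) in ALARM_POLICY:
            self.alerts.append(f"{statement_kind(sql)} by {ident.username}: {sql}")
        return {"allowed": True, "reason": "", "rows": rows}

    def _record(self, level: str, ident: ClientIdentity, sql: str) -> None:
        try:
            self.log.record(level, ident, sql)
        except OSError as exc:  # a failed log write never changes the client's result
            self.alerts.append(f"log failure: {exc}")

def build_agent(log_fails: bool = False) -> DataAccessAgent:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts(id INTEGER, owner TEXT)")  # constructed sample data
    conn.executemany("INSERT INTO accounts VALUES(?, ?)", [(1, "alice"), (2, "bob")])
    return DataAccessAgent(conn, SecurityAuthUnit(), LogUnit(log_fails))
```

Building the agent with `log_fails=True` shows the parallel-logging property the description insists on: the client still receives the database result while the log failure surfaces only as an alarm.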
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2006100076097A CN1858738B (en) | 2006-02-15 | 2006-02-15 | Method and device for access data bank |
Publications (2)
Publication Number | Publication Date |
---|---|
CN1858738A CN1858738A (en) | 2006-11-08 |
CN1858738B true CN1858738B (en) | 2010-08-25 |
Family
ID=37297647
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant |