KR102521784B1 - Access management apparatus and method for managing database access based on web application server - Google Patents

Abstract

The present invention relates to an access management apparatus for managing database access based on a web application server and a method thereof. More specifically, the present invention relates to the access management apparatus for managing database access based on a web application server and the method thereof, which prevent performance degradation of a web application server by automatically mapping a relation between a uniform resource locator (URL) request and a structured query language (SQL) request transmitted based on the URL request by the web application server receiving the URL request through session connection with a user terminal, without using a resource of the web application server. The access management apparatus for managing database access based on a web application server obtains the URL request and the SQL request through sniffing without the need to insert an agent program for information collection into the web application server. The access management apparatus for managing database access based on a web application server can also easily identify an SQL executed by an application user by connecting the relation between the SQL request and the URL request obtained through an intuitive mapping algorithm. Accordingly, the access management apparatus for managing database access based on a web application server supports performance analysis of an application module and a security function, such as abuse detection to execute the performance analysis of the application module and the security function without inserting the agent program for information collection into the web application server. Therefore, the access management apparatus for managing database access based on a web application server can fundamentally block the generation of an existing fatal problem, such as performance degradation and a failure of the web application server caused by excessive resource use of the web application server by the agent program for information collection. Moreover, the access management apparatus for managing database access based on a web application server can contribute to an increase of the resource availability of the web application server.

Description

Access management apparatus and method for managing database access based on web application server

The present invention relates to an access management apparatus and method for managing access to a database based on a web application server, and more particularly, to a web application server that receives a URL request through a session connection with a user terminal, to a database based on the URL request. An access management device and method for managing web application server-based database access that prevents performance degradation of the web application server by automatically mapping the relationship between the transmitted SQL request and the URL request without using web application server resources. it's about

When operating a web application server, it is necessary to record and analyze when and how much key data is viewed, changed, or deleted by users performing assigned tasks using applications that inquire and manipulate key data such as personal information. Security threats such as misuse and abuse of personal information can be detected and notified, and the cause of an accident (leakage or manipulation) can be traced.

Also, through this analysis, the performance of the application module can be analyzed and optimized.

1 is a diagram showing the configuration and operation of an existing web application server.

As shown, the web application server communicating with the user terminal establishes a HTTP (HyperText Transfer Protocol) session with the user terminal, and a shared database session (shared database session) with the database to respond to a URL request received through the session. database session) is established, and an SQL request corresponding to the URL request is transmitted to the database.

At this time, among the SQL requests transmitted from the web application server, there may be an SQR request for accessing security information such as personal information stored in a database.

In such an operating environment of the web application server, the relation between the URL request and the SQL request generated for the URL request transmitted by the user terminal must be established in the web application server to record the history of the user accessing the database through the web application server. and a security function of analyzing the performance of the web application server based on the recorded information and tracking and blocking URL requests from user terminals without access to security information.

To this end, as shown in FIG. 2, after obtaining SQL information generated by the web application server to respond to the URL request of the user terminal in an environment where applications are operated using a web application server, the URL request and SQL An information collection agent, an information collection program, is inserted and operated in the web application server to obtain a record of the information in the database accessed by the user by establishing a relationship between requests.

The information collection agent monitors the session established in the web application server, creates an access history table including information mapping URL requests and SQL requests of the web application server corresponding to URL requests transmitted from the user terminal, and , Based on this access history table, it is possible to record and analyze the user's database search details and manage the security of security information through identification of the user's access rights to security information.

However, since the information collection agent that is inserted into the web application server and operates in this way uses the resources of the web application server, it slows down the performance of the web application server. There is an inefficiency problem.

Korean Patent Publication No. 10-2010-0078738

According to the present invention, a web application server generates a SQL request corresponding to a URL request transmitted from a user terminal and automatically identifies the SQL used by the user by automatically identifying the relationship between the URL request and the SQL request generated in the process of accessing a database. It provides an access management device that can detect the access history of the user's database without being inserted in the form of an agent program into the web application server, thereby reducing performance by overusing the resources of the web application server. The purpose of Shiki is to help solve the problems of the existing agent program.

An access management device sniffing packets transmitted and received through an HTTP session established for communication with a user terminal in a WAS (web application server) according to an embodiment of the present invention and a DB session established by the WAS for communication with a DB. An access management method for managing web application server-based database access includes a URL check step of acquiring a URL request transmitted from the user terminal to the WAS through the sniffing and then checking the URL type of the URL request. And, check the SQL request transmitted from the WAS to the DB for each one or more DB sessions set in the WAS during the URL session period corresponding to the URL request received by the WAS through the sniffing, and the one After identifying one or more SQL types corresponding to the identified one or more SQL requests for each DB session in which SQL requests are confirmed among the DB sessions, a SQL group is created by matching the URL session duration and the URL type. When a specific SQL type is included in only a specific SQL group among one or more SQL groups corresponding to a grouping step and a specific URL session duration that does not overlap with other URL session durations or a plurality of different URL session durations in which mutually overlapping durations exist, the specific SQL type is included in the specific SQL group. A matching step of setting a group as a valid SQL group and generating mapping information by matching a URL type included in the valid SQL group with one or more SQL types.

As an example related to the present invention, the access management device includes a first switch for mediating an HTTP session established by the WAS for communication with a user terminal and a second switch mediating a DB session established by the WAS for communication with a DB. It may be characterized in that packets connected to a switch and transmitted and received through the HTTP session and the DB session are sniffed through the first and second switches.

As an example related to the present invention, the URL session period is from the time the user terminal transmits the URL request to the WAS to the completion of the response corresponding to the URL request from the WAS to the user terminal that has transmitted the URL request. It may be characterized as a period of time up to a point in time.

As an example related to the present invention, the SQL type may be characterized in that the SQL type is the rest except for constants and variables in the SQL request.

As an example related to the present invention, in the matching step, the SQL type included in one or more SQL groups corresponding to the specific URL session duration that does not overlap with other URL session durations is checked, and SQL types corresponding to the specific URL session duration are checked. For the above SQL groups, each SQL group that includes SQL types that do not exist in other SQL groups can be characterized as being set as a valid SQL group.

As an example related to the present invention, the matching step may further include deleting the remaining SQR groups if there are remaining SQL groups having the same URL session duration as the valid SQL group.

As an example related to the present invention, the matching step includes one or more SQL types and URL types included in the valid SQL information based on the valid SQL information, and a URL session period different from a URL session period according to the valid SQL information It may be characterized by further comprising the step of setting the SQL group for which the period is set as other valid SQL information.

As an example related to the present invention, after the matching step, a plurality of mapping information is obtained by performing the URL checking step, grouping step, and matching step for each of a plurality of URL requests received by the WAS from a plurality of different user terminals. Generating and generating map information including the plurality of mapping information and extracting identification information of the user terminal and a specific URL request from a packet transmitted from the user terminal to the WAS through the sniffing, and requesting the specific URL One or more SQL requests are extracted from packets transmitted from the WAS to the DB during the URL session period corresponding to, and after identifying one or more SQL types corresponding to the URL type of the specific URL request based on the map information, the Among the extracted one or more SQL requests, one or more SQL requests corresponding to the identified one or more SQL types are identified, and access information including the identified one or more SQL requests, the specific URL request, and identification information of the user terminal. It may be characterized in that it further comprises the step of generating.

As an example related to the present invention, after the step of generating the access information, if at least one of the one or more SQL requests according to the access information is a SQL request for accessing security information, a dictionary corresponding to the identification information of the user terminal Based on the stored authority information, it is determined whether the user has access authority corresponding to the user terminal to the security information, and if the user does not have access authority to the security information, the access information corresponding to the user is stored in the WAS. or transmitting notification information for blocking access of the user terminal.

An access management apparatus for managing access to a web application server-based database according to an embodiment of the present invention includes an HTTP session established for communication with a user terminal in a WAS (web application server) and the WAS configured for communication with a DB. A communication unit sniffing packets transmitted and received through a DB session and sniffing the packets through the communication unit, and obtaining a URL request transmitted from the user terminal to the WAS from the packet obtained through the sniffing After checking the URL type of the URL request, and from the packet obtained through the sniffing, the WAS to the DB for each one or more DB sessions established in the WAS during the URL session period corresponding to the URL request received by the WAS. After confirming the SQL request to be transmitted, and identifying one or more SQL types corresponding to the one or more SQL requests for each DB session in which the SQL request is confirmed among the one or more DB sessions, the URL A SQL group is created by matching the session duration and the URL type, and a specific SQL group of one or more SQL groups corresponding to a specific URL session duration that does not overlap with other URL session durations or to a plurality of different URL session durations having mutually overlapping durations. When a specific SQL type is included only in the group, a control unit may be configured to set the specific SQL group as an effective SQL group and generate mapping information by matching a URL type included in the effective SQL group with one or more SQL types.

The present invention obtains a URL request and a SQL request through sniffing without the need to insert an agent program for information collection into a web application server, and connects the relationship between the obtained URL request and the SQL request through a priori mapping algorithm so that the application user It is possible to easily identify SQL executed by the user, and through this, security functions such as misuse detection and performance analysis of application modules can be performed without inserting an agent program for information collection into the web application server. It is possible to fundamentally block fatal problems such as performance degradation and failure of the web application server due to excessive use of resources of the web application server by the agent program for information collection, and has an effect of contributing to increase the resource availability of the web application server.

In addition, the present invention can support to easily identify and track a user who has used SQL to access security information by identifying the relationship between a URL request and a SQL request, and through this, a separate agent program is installed in a web application server. Since the security function for the web application server can be provided without insertion, the available resources of the web application server can be expanded and the security of the web application server can be guaranteed.

1 and 2 are exemplary views of a driving environment of an existing web application server;
3 is a block diagram of an access management device for managing access to a database based on a web application server according to an embodiment of the present invention.
4 is a flowchart of an access management method for managing access to a database based on a web application server according to an embodiment of the present invention.
5 to 15 are operational examples of an access management device for managing access to a web application server-based database according to an embodiment of the present invention.

Hereinafter, detailed embodiments of the present invention will be described with reference to the drawings.

3 is a block diagram of an access management device 100 for managing web application server-based database access according to an embodiment of the present invention.

First of all, the web application server (hereinafter WAS) may communicate with a user terminal accessing the WAS through a communication network, and a HyperText Transfer Protocol (HTTP) session for communication with the user terminal ) can be assigned.

At this time, of course, the WAS can establish a plurality of HTTP sessions respectively corresponding to a plurality of user terminals.

In addition, the WAS may communicate with a database system (hereinafter referred to as DB) through a communication network, and the DB may store various information requested by the user of the user terminal.

At this time, the DB may be configured as a DB server.

In addition, the WAS may allocate and set a shared database session for communication with the DB according to the DB search request of the user terminal, and in response to the search request received from a plurality of user terminals, a plurality of mutual You can set up another shared DB session.

Hereinafter, the shared DB session will be referred to as a DB session.

In the above configuration, the user terminal transmits a URL (Uniform Resource Locator) request for a DB search request to the WAS through the HTTP session, and the WAS generates a SQL (Structured Query Language) request corresponding to the URL request and transmits it to the DB, receives response information corresponding to the SQL request from the DB, and transmits it to the user terminal.

During the operation of this WAS, various key information such as personal information can be stored in the DB, and accordingly, it is required that the WAS manages and analyzes the records of users of user terminals accessing the DB, and in the case of information requiring security It is required to block access by users without access rights.

In order to perform such access recording and analysis and security functions, it is necessary to establish a relationship between the URL request requested by the user terminal and the SQL request generated by the WAS in response to the URL request. In the past, such URL request and SQL request Although an agent program was inserted into the WAS to create and analyze access records according to the relationship between the relationship settings and the relationship settings, this agent program excessively uses resources of the WAS, degrading the performance of the WAS or causing failure. There is a very inefficient problem.

In order to solve this problem, the access management device 100 according to the present invention is configured separately from the WAS and sniffs packets transmitted and received to the WAS to easily obtain URL requests and requests without being inserted (configured) into the WAS. After creating information that identifies (sets) the relationship between SQL requests, based on this, it is possible to create and analyze records of user access to the DB, as well as to perform security functions for DB access, thus using WAS resources. By not doing so, the performance of the WAS can be increased by lowering the load of the WAS, which will be described in detail through the following drawings based on the above configuration.

4 is an operation flowchart of the access management device 100 according to an embodiment of the present invention.

Referring to FIG. 3, the access management device 100 includes the first switch 11 for mediating the HTTP session established for communication with the user terminal in the WAS and the WAS configured for communication with the DB. It may be connected to the second switch 12 mediating one DB session.

In this case, each of the first switch 11 and the second switch 12 may be configured as a switch or a Test Access Point (TAP).

In addition, the access management device 100 includes a first network interface card (hereinafter referred to as a first NIC) connected to the first switch 11 and a second connected to the second switch 12 A communication unit 110 including a network interface card (hereinafter, a second NIC), a storage unit 130 for storing various information, and a control unit that performs overall control functions of the access management device 100 It may be configured to include (120).

Also, the controller 120 may communicate with the first and second switches 11 and 12 through the first and second NICs.

Accordingly, the control unit 120 sniffs the packet transmitted and received through the HTTP session through communication with the first switch 11 connected to the first NIC, and receives it from the first switch 11, A packet transmitted and received through the DB session may be sniffed through communication with the second switch 12 connected to the second NIC and received from the second switch 12 .

Hereinafter, sniffing configuration through communication with the first and second switches of the above-described access management device 100 will be omitted.

In addition, the control unit 120 executes overall control functions of the access management device 100 using programs and data stored in the storage unit 130 . Also, the controller 120 may include RAM, ROM, CPU, GPU, and a bus, and RAM, ROM, CPU, and GPU may be connected to each other through a bus.

In addition, the storage unit 130 may store various types of information, and the storage unit 130 may be configured in various forms such as a hard disk drive (HDD) and a solid state drive (SSD).

The controller 120 obtains a URL request (URLR: URL Request) (URL request information) from a packet transmitted from the user terminal to the WAS through the sniffing, and obtains a URL type (URLT: URL Type) from the URL request. (URL type information) can be checked (identified) (S1).

In this case, the URL type is a type of URL request, and multiple URL requests may be requested for the same URL type during an application execution process.

5, as shown, the control unit 120 sniffs URL request 1 (URLR 1) transmitted from the first user terminal (user terminal #1) to the WAS, and the variable part (? The part (http://www.sinsiway.com:80/path/urlt1.html) excluding key1=scott&key2=management can be identified as URL type (URLT 1).

In addition, the control unit 120 sniffs the URL request 2 (URLR 2) transmitted from the second user terminal (user terminal #2) to the WAS, and the part except for the variable part (?key1=tiger&key2=business) (http ://www.sinsiway.com:80/path/urlt1.html) may be identified as a URL type (URLT 1).

At this time, since the URL type of the URL request 1 and the URL type of the URL request 2 are the same, the controller 120 can identify the URL request 1 and the URL request 2 as the same URL type (URLT 1). .

In addition, the control unit 120 may perform one or more URLs set in the WAS during a URL session period (URLS: URL Session) (or URL session interval) corresponding to the URL request received by the WAS from the packet obtained through the sniffing. It is possible to check SQL requests (SQL request information) transmitted from the WAS to the DB for each DB session (S2).

At this time, the URL session period is a period during which one URL request is performed (executed), and from the time the user terminal transmits the URL request to the WAS, the WAS requests the URL to the user terminal that has transmitted the URL request. It may mean a period of time until a response corresponding to is completed (a time when the WAS transmits a response corresponding to the URL request to the user terminal).

In addition, the control unit 120 may generate the URL session duration by sniffing a network coming into the WAS. For example, the control unit 120 may generate the URL session duration by sniffing a packet received by the WAS. there is.

For example, as shown in FIG. 5 , the control unit 120 sends a response corresponding to URL request 1 from the WAS from the time when URL request 1 is transmitted to the WAS from a first user terminal through sniffing. The time from t1 to t7, which is the time required for transmission to the user terminal, can be identified as the URL session period (URLS 1).

In addition, the control unit 120 determines the time required from the time when the URL request 2 is transmitted to the WAS from the second user terminal through the sniffing until the WAS transmits the response corresponding to the URL request 2 to the user terminal. The time from t4 to t7 may be set as a URL session period (URLS 2) different from the URS session period.

At this time, the control unit 120 can divide different URL session periods into time ranges constituting the URL session periods, and use these time ranges as URL session period identifiers for distinguishing different URL session periods. That is, the control unit 120 compares the time range of the first URL session period with the time range of the second URL session period different from the first URL session period, and determines the first URL session period and the second URL session period. can be distinguished.

In addition, the controller 120 may establish one or more DB sessions during the URL session period, and freely use any DB session among one or more DB sessions established by the WAS to perform the URL request in the WAS. can

In addition, the control unit 120 may check the SQL type (SQLT: SQL Type) for each SQL request transmitted from the WAS to the DB through one or more DB sessions during the URL session period.

At this time, the SQL type (SQL type information) is the type of SQL request, which is the remainder of the SQL statement (SQL request) minus constants and variables, and the WAS is based on the same (one) SQL type, with only constants and variables different. Thus, different SQL requests can be generated, and a plurality of different SQL requests generated using any one SQL type can be identified by the control unit 120 as the same SQL type.

For example, as shown in FIG. 5 , the control unit 120 transmits SQL request 1 (SQLR 1) and SQL request 2 (SQLR 1) transmitted from the WAS to the DB through DB session 1 during the URL session period (URLS 1). SQLR 2) can be identified by sniffing, and the part (select * from emp where ename = ) excluding the variable part ('scott') in SQL request 1 can be identified as the SQL type (SQLT 1) of SQL request 1. there is.

In addition, the controller 120 controls the SQL request 2 transmitted from the WAS to the DB through the DB session 1 during the URL session period (URLS 1) except for the variable part ('management') (select * from dept where dname). = ) can be identified as the SQL type of SQL request 2 (SQLT 2).

In addition, the control unit 120 can identify SQL request 3 (SQLR 3) and SQL request 4 (SQLR 4) transmitted during the different URL session period (URLS 2), and the SQL type and SQL of the SQL request 3 You can identify the SQL type of request 4.

At this time, since the SQL types of SQL request 1 and SQL request 3 are the same, and the SQL types of SQL request 2 and SQL request 4 are the same, the controller 120 determines the SQL type of SQL request 1 and SQL request 3. It can be identified as the same first SQL type (SQLT 1), and the SQL types of SQL request 2 and SQL request 4 can be identified as the same second SQL type (SQLT 2).

In addition, the control unit 120 may identify one or more DB sessions established by the WAS during the URL session period through sniffing, and may set a DB session identifier for each of the identified one or more DB sessions, and may set a plurality of different DB sessions. Different DB session identifiers can be set for each DB session.

Accordingly, the control unit 120 can distinguish a specific DB session from other DB sessions through the DB session identifier.

In addition, the control unit 120 determines the identified one or more DB sessions for each DB session in which the SQL request is confirmed (transmitted) during the URL session period (or during the period (time) according to the URL session period). One or more SQL types corresponding to one or more SQL requests can be identified.

That is, the control unit 120 may identify the SQL type for each of the one or more SQL requests confirmed in the DB session for each of the one or more DB sessions in which the SQL request is confirmed during the URL session period, through which the DB session You can identify one or more SQL types used to create one or more SQL requests identified in .

In addition, the control unit 120 assigns the identified one or more SQL types corresponding to the URL session period to the URL session period and the URL session period for each one or more DB sessions in which SQL requests are confirmed during the URL session period. After matching the URL type of the URL request to create a SQL group, it can be stored in the storage unit 130 (S3).

At this time, if there are a plurality of overlapping SQL types among the plurality of SQL types identified for the URL session period, the control unit 120 includes only one of the plurality of overlapping SQL types in the SQL group and the rest are included in the SQL group. can be excluded or deleted.

For example, the control unit 120 sets one or more SQL types respectively corresponding to one or more SQL requests transmitted through the first DB session during a specific URL session period corresponding to a specific URL request to a specific URL session duration and first DB session and one or more SQL types identified to correspond to the specific URL session duration and the first DB session and a specific URL type identified for a specific URL request corresponding to the specific URL session duration and the specific URL session duration. A first SQL group may be created by mutual matching, and the first SQL group may be matched with a DB session identifier of the first DB session.

That is, the identified one or more SQL types, the specific URL session period, and the specific URL type may be included in a mutually matched state in the first SQL group.

At this time, after the control unit 120 creates the first SQL group including one or more SQL types identified to correspond to the specific URL session duration and the first DB session and the specific URL session duration and the specific URL type, The first SQL group and the first DB session identifier may be matched and stored in the storage unit 130, or the first DB session identifier may be set or included in the first SQL group.

In addition, as described above, the control unit 120 determines one or more SQL types respectively corresponding to one or more SQL requests transmitted through the second DB session during the specific URL session period, the specific URL session duration, and the specific URL type. In a mutually matched state, a second SQL group may be created, and the second SQL group and the second DB session identifier are matched and stored in the storage unit 130, or the second SQL group is stored in the second SQL group. A second DB session identifier corresponding to the second DB session may be included or set.

In addition, the control unit 120 may create a URL session period corresponding to a URL request whenever a URL request is received by the WAS, and as described above for each of a plurality of different URL session periods, one or more SQL groups may be generated. can create

In the above configuration, the SQL group may be one piece of information (data), and will be described below as a SQL group.

In addition, the control unit 120 generates mapping information in which a relationship between a URL type and an SQL type is set through a pre-stored mapping algorithm based on a plurality of SQL groups stored in the storage unit 130, and the mapping Based on the information, access to the database for each user can be identified and an access history table for the access history for each user can be created. 15 for a detailed explanation.

First of all, as shown, the control unit 120 can check the URL session period in each of the plurality of SQL groups for the plurality of SQL groups stored in the storage unit 130, and does not overlap with other URL session periods. If a specific SQL type is included in only a specific SQL group among one or more SQL groups corresponding to a specific URL session period or a plurality of different URL session periods having mutually overlapping periods, the specific SQL group can be set as an effective SQL group ( S4).

For example, the control unit 120 checks a specific URL session period in any one of the plurality of SQL groups, and determines that another URL session period overlapping with the specific URL session period is based on the plurality of SQL groups. You can determine if it exists.

In addition, if the specific URL session duration does not overlap with other URL session durations, the control unit 120 checks the SQL types included in one or more SQL groups corresponding to the specific URL session duration, and determines the specific URL session duration. Each SQL group including an SQL type that does not exist in other SQL groups may be set as a valid SQL group for one or more corresponding SQL groups and stored in the storage unit 130 .

For example, if the first SQL type exists only in the first SQL group among one or more SQL groups corresponding to the specific URL session period that does not have a period overlapping with another URL session period, the control unit 120 determines the first SQL type. An SQL group may be set as a valid group, and if the second SQL type exists only in a second SQL group among one or more SQL groups corresponding to the specific URL session period, the second SQL group may be set as a valid group.

In addition, the control unit 120, based on the plurality of SQL groups stored in the storage unit 130, determines one or more SQL groups and the specific URL corresponding to one or more other URL session periods overlapping a specific URL session period and a partial period. One or more SQL groups corresponding to the session period may be identified and extracted from the storage unit 130, and if a specific SQL type is included in only a specific SQL group among the plurality of extracted SQL groups, the specific SQL group is a valid SQL group. It can be identified as a group, and the specific SQL group can be set as an effective SQL group and stored in the storage unit 130 .

For example, if the third SQL type exists only in the third SQL group corresponding to the third URL session period among the extracted plurality of SQL groups, the controller 120 sets the third SQL group as an effective SQL group, , If the 4th SQL type exists only in the 4th SQL group corresponding to the 4th URL session period that partially overlaps with the 3rd URL session period, the 4th SQL group can be set as an effective SQL group.

In addition, the control unit 120 may generate mapping information by matching a URL type included in the valid SQL group with one or more SQL types whenever the valid SQL group is set, and store the mapping information in the storage unit 130 It can be stored in (S5).

For example, the control unit 120 matches one or more SQL types included in the specific valid SQL group to a specific URL type included in the specific effective SQL group, and matches one or more SQL types matched to the specific URL type and the Mapping information including a specific URL type can be created.

In addition, the control unit 120, if remaining SQL groups other than a valid SQL group among one or more SQL groups having mutually identical URL session durations (including mutually identical URL session durations) exist in the storage unit 130, The remaining SQL groups having the same URL session duration as the effective SQL group may be deleted.

For example, when a plurality of SQL groups corresponding to a specific URL session period are created, the control unit 120 determines one or more SQL groups other than one or more effective SQL groups among the plurality of SQL groups corresponding to the specific URL session period. is determined to be fake (invalid), and one or more SQL groups corresponding to the remainder may be deleted from the storage unit 130.

6 to 11, the control unit 120 determines the first URL session period (hereafter, URLS-11) corresponding to the first URL request (hereafter, URLR 1). ), it is possible to identify a plurality of DB sessions (DB Session 1, DB Session 2, DB Session 3) established by the WAS through sniffing.

In addition, the control unit 120 checks the plurality of SQL requests transmitted from the WAS to the DB during the URLS-11 through the DB session 1 through the sniffing, and then the plurality of SQL types corresponding to the plurality of SQL requests. (SQLT 11, SQLT 12, SQLT 13) and the plurality of SQL types (SQLT 11, SQLT 12, SQLT 13) are identified for the URLS-11 and the URLR 1. The first URL type (hereafter referred to as URLT 1) ) and URLS-11 to create the first SQL group (A).

In addition, the control unit 120 determines a plurality of SQL types (SQLT 11 and SQLT 22) respectively corresponding to a plurality of SQL requests transmitted from the WAS to the DB during the URLS-11 through the DB session 2 using sniffing. can be identified, and a second SQL group (B) can be created by matching a plurality of SQL types (SQLT 11 and SQLT 22) with the URLS-11 and the URLT 1.

In addition, if the SQL request is not transmitted in the DB session 3 during the URLS-11, the control unit 120 does not create an SQL group corresponding to URLS-11 and DB session 3, or does not include the SQL type and URLS A third SQL group (C) containing only -11 and URLT 1 can be created. In addition, the control unit 120 may exclude the third SQL group (C), which does not include the SQL type, from the valid SQL group determination target.

If there is no period in which the URLS-11 overlaps with other URL session periods, the control unit 120 assigns SQLT 11, SQLT 12, and SQLT 13 only to the first SQL group (A) created to correspond to the URLS-11. is included to set the first SQL group (A) as a valid SQL group, and only include SQLT 21 and SQLT 22 in the second SQL group (B) to set the second SQL group (B) as a valid SQL group. can

However, as shown, if a period overlapping with the URLS-11 exists and URLS-21 and URLS-31, which are URL session periods different from the URLS-11, exist, the control unit 120, in the URLS-21 One or more SQL groups created for each DB session (DB Session 1, DB Session 2, DB Session 3) to correspond, and each DB session (DB Session 1, DB Session 2, DB Session 3) to correspond to the URLS-31. It is possible to determine whether one or more SQL groups created by , and an SQL type that exists only in one of the first SQL group (A) and the second SQL group (B) corresponding to the URLS-11 exist.

At this time, the control unit 120 includes one or more SQL groups created for each DB session (DB session 1, DB session 2, and DB session 3) to correspond to the URLS-21, and a DB session to correspond to the URLS-31. Review one or more SQL groups created by each (DB session 1, DB session 2, DB session 3), and the first SQL group (A) and the second SQL group (B) corresponding to the URLS-11, respectively. You can set it as a target group.

Accordingly, as shown in FIG. 6, since SQLT 11 exists only in the first SQL group (A) among a plurality of review target groups, the control unit 120 determines the first SQL group (A) among the plurality of review target groups. SQLT 11, which exists only in 1 SQL group (A), can be identified, and through this, the first SQL group (A) is determined as a valid SQL group and the first SQL group (A) is set as a valid SQL group. can

Alternatively, in the case of SQLT 34, which is an SQL type, since it is included only in the 4th SQL group (D), which is one SQR group corresponding to URLS-31 among the plurality of review target groups, the 4th SQL group (D) is valid. It can be set as a SQL group.

In addition, as shown in FIGS. 6 to 9, the control unit 120 has (including) the same URL session period (URLS-11) as the first SQL group (A) set as the effective SQL group, and DB Session 2 The second SQL group (B) corresponding to can be deleted from the storage unit 130. In addition, if the third SQL group (C) corresponding to the URLS-11 exists in the DB session 3, the control unit 120 may delete the third SQL group (C).

That is, the control unit 120 determines that the plurality of SQL types (SQLT21 and SQLT22) belonging to the second SQL group (B) generated during the period of URLS-11 are SQL requests for URLR 1 corresponding to URLS-11. It is determined that it is identified from a SQL request transmitted during a session period other than the URL identified from the request, and the second SQL group (B) may be deleted.

Similarly, the control unit 120 controls the fifth SQL group corresponding to DB session 2 having (including) the same URL session duration (URLS-31) as the fourth SQL group D corresponding to DB session 3 set as the effective SQL group. The sixth SQL group (F) corresponding to the SQL group (E) and DB session 1 may be deleted from the storage unit 130 .

In addition, the control unit 120 targets one or more SQL groups corresponding to other URL session periods for which an effective SQL group is not determined among one or more other URL session periods overlapping with a specific URL session period for which an effective SQL group is determined. By deleting an SQL group in which at least one of the one or more SQL types included in the valid SQL group corresponding to the specific URL session period exists, based on the valid SQL group corresponding to the specific URL session period, corresponding to the other URL session period One or more SQL groups can be identified and deleted as fake.

In addition, the control unit 120 deletes one SQL group by using an effective SQL group among one or more SQL groups corresponding to another URL session period in which a partial period overlaps with the specific URL session period and an effective SQL group is not determined. If only exists (remains), the one SQL group can be set as an effective SQL group corresponding to the other URL session period.

For example, as shown in FIGS. 8 and 9, it is determined whether a URL session period in which an effective SQL group is not determined exists among one or more other URLS session periods in which a period overlapping with the URLS-11 in which an effective SQL group is determined exists. And, as a result of the determination, if there is a URL session period for which a valid SQL group has not been determined, URLS-21, which is the URL session period, can be identified.

In addition, the control unit 120 identifies one or more SQL groups (G, H, I) corresponding to the URLS-21, and selects one or more SQL groups (G, H, I) corresponding to the URLS-21. An SQL group (H) including at least one of one or more SQL types included in the first SQL group (A), which is a valid SQL group corresponding to URLS-11, may be determined as fake and deleted.

In addition, since the URLS-21 overlaps with the URLS-31 in which the effective SQL group is determined, the control unit 120 determines that the URLS-31 corresponds to the URLS-31 among one or more SQL groups (G, I) corresponding to the URLS-21. An SQL group (I) including at least one of one or more SQL types included in the fourth SQL group (D), which is a valid SQL group, may be determined as fake and deleted.

Through this, the control unit 120, when only one SQL group (G) remains through a deletion process using the effective SQL group targeting one or more SQL groups corresponding to the URLS-21, returns to the URLS-21. The corresponding one SQL group (G) may be set as an effective SQL group.

Meanwhile, as shown in FIGS. 10 and 11 , the controller 120 includes one or more SQL types and URL types included in the valid SQL information based on the valid SQL information stored in the storage 130. And other SQL groups in which a URL session period different from the URL session period according to the valid SQL information is set can be set as the valid SQL information.

For example, the controller 120 determines the URL type (URLT 2) included in the 7th SQL group (G) and one or more SQL groups based on the 7th SQL group (G), which is an effective SQL group corresponding to URLS-21. The storage of the 8th SQL group (J) including the same type (SQLT21, SQLT22, SQLT23, SQLT24) and setting URLS-71, which is another URL session period different from the URL session period according to the 7th SQL group (G) It can be identified in unit 130, and the eighth SQL group (J) can be set as an effective SQL group.

That is, the control unit 120 identifies an SQL group having the same URL type and SQL type set as the valid SQL group and having a different URL session period from the valid SQL group as a valid SQL group, and can set the SQL group as the valid SQL group. .

In addition, the control unit 120 determines one or more SQL groups created for each DB session different from the DB session corresponding to the eighth SQL group during the same URL session period as the eighth SQL group set as the valid SQL group as fake. and can be deleted from the storage unit 130.

In addition, as shown in FIG. 12, the control unit 120 matches information about the time when the WAS transmitted the SQL request corresponding to the SQL type for each SQL type belonging to the SQL group with the SQL type. and included in the SQL group.

Accordingly, the control unit 120 determines that the transmission time of a specific SQL type (SQLT63) belonging to a SQL group (K) that is not set as a valid SQL group among a plurality of SQL groups corresponding to a specific DB session is affected by the specific DB session. If it exists between the transmission time of the 5th SQL type (SQLT62) and the 6th SQL type (SQLT64) included in the corresponding specific valid SQL group (L), the specific SQL type (SQLT63) is assigned to the specific valid SQL group (L). Can be included in group (L).

In addition, the control unit 120 determines that the duration of a URL session included in a specific SQL group corresponding to a specific DB session and not set as a valid SQL group is equal to the duration of a URL session included in a valid SQL group corresponding to the specific DB session. If included, the specific SQL group can be deleted from the storage unit 130 .

In addition, as shown in FIG. 13, the control unit 120 includes map information (URLT_SQLT Map) including one or more mapping information stored in the storage unit 130 and defining a relationship between a URL type and an SQL type. It can be generated and stored in the storage unit 130 (S6).

That is, the map information may include at least one piece of mapping information about a relationship between a URL type and an SQL type.

In addition, as shown in FIG. 14, the control unit 120 targets an SQL group that has not yet been set as a valid SQL group in the storage unit 130 based on the mapping information included in the map information, and performs the mapping An SQL group that includes both the URL type included in the information and one or more SQL types can be set as an effective SQL group.

In addition, the control unit 120 may determine and delete other SQL groups corresponding to the URL session period according to the SQL group set as a valid SQL group as fake based on the mapping information.

Meanwhile, as shown in FIG. 15, the control unit 120 extracts a URL type and one or more SQL types from the SQL group set as the effective SQL group as described above for each SQL group set as the effective SQL group, and then matches them with each other. to generate mapping information.

In addition, the control unit 120 generates a plurality of mapping information by performing the above-described operation for each of a plurality of URL requests received by the WAS from a plurality of different user terminals, and then stores the information in the storage unit 130. and map information including the plurality of mapping information stored in the storage unit 130 may be generated.

In addition, the control unit 120 may extract identification information of a user terminal and a specific URL request from a packet transmitted from the user terminal to the WAS through the sniffing.

In this case, the identification information of the user terminal may include various information such as a user ID registered in the WAS and Internet Protocol (IP) information of the user terminal.

In addition, the control unit 120 may extract one or more SQL requests from packets transmitted from the WAS to the DB during the URL session period corresponding to the specific URL request through the sniffing.

In addition, the control unit 120 identifies one or more SQL types corresponding to the URL type of the specific URL request based on the map information (or mapping information), and then the identified one or more SQL types of the extracted one or more SQL requests. One or more SQL requests corresponding to each of the above SQL types may be identified, and access information including the identified one or more SQL requests, the specific URL request, and identification information of the user terminal may be generated (S7).

In addition, the control unit 120 may generate one or more pieces of access information for each user terminal that accesses the web application server and transmits a URL request, and stores the information in the storage unit 130. An access history table (access history information) may be created based on one or more pieces of access information.

Also, the communication unit 110 may include a communication module for communicating with the WAS, and the control unit 120 may transmit the access history table to the WAS through the communication unit 110.

In addition, the controller 120 selects one or more SQL requests for accessing security information among one or more SQL requests according to the access information corresponding to a specific user terminal based on preset setting information for one or more SQL requests for accessing security information. can identify, and if at least one of the one or more SQL requests according to the access information is a SQL request for accessing security information, the storage unit 130 identifies authority information corresponding to the identification information of the specific user terminal Then, based on the authority information, it is possible to determine whether or not the user has access authority corresponding to the specific user terminal to the security information.

In this case, the security information may mean information requiring security such as personal information.

In addition, the control unit 120 transmits the access information of the user corresponding to the specific user terminal to the WAS through the communication unit 110 when the user of the specific user terminal does not have access to security information, or Notification information for blocking access of the specific user terminal may be transmitted through the communication unit 110 .

As described above, the present invention obtains URL requests and SQL requests through sniffing without the need to insert an information collection agent program into a web application server, and the relationship between the acquired URL requests and SQL requests is determined by a priori mapping algorithm. Through this, it is possible to easily identify the SQL executed by the application user, and through this, security functions such as misuse detection and performance analysis of application modules can be performed without inserting an agent program for information collection into the web application server. support, it is possible to fundamentally block the occurrence of fatal problems such as performance degradation and failure of the web application server due to the excessive use of resources of the web application server by the existing information collection agent program, and to contribute to increasing the resource availability of the web application server. there is.

In addition, the present invention can support to easily identify and track a user who has used SQL to access security information by identifying the relationship between a URL request and a SQL request, and through this, a separate agent program is installed in a web application server. Since the security function for the web application server can be provided without insertion, the security of the web application server can be guaranteed along with the expansion of the available resources of the web application server.

The components described in the embodiments of the present invention are, for example, a storage unit 130 such as a memory, a processor, a controller, an arithmetic logic unit (ALU), a digital signal processor, a microcomputer, and an FPGA. hardware such as a field programmable gate array (PLU), programmable logic unit (PLU), microprocessor, software including an instruction set, or any combination thereof, or any other device capable of executing and responding to instructions, such as one or more It may be implemented using a general purpose computer or a special purpose computer.

The foregoing may be modified and modified by those skilled in the art without departing from the essential characteristics of the present invention. Therefore, the embodiments disclosed in the present invention are not intended to limit the technical idea of the present invention, but to explain, and the scope of the technical idea of the present invention is not limited by these embodiments. The protection scope of the present invention should be construed according to the claims below, and all technical ideas within the equivalent range should be construed as being included in the scope of the present invention.

100: access management device 110: communication unit
120: control unit 130: storage unit

Claims (10)

In the access management method of an access management device sniffing packets transmitted and received through an HTTP session established by WAS (web application server) for communication with a user terminal and a DB session established by the WAS for communication with a DB,
a URL check step of obtaining a URL request transmitted from the user terminal to the WAS through the sniffing and then checking a URL type of the URL request;
During the URL session period corresponding to the URL request received by the WAS through the sniffing, an SQL request transmitted from the WAS to the DB is checked for each one or more DB sessions established in the WAS, and the one or more DBs A grouping step of identifying one or more SQL types corresponding to the one or more SQL requests identified for each DB session in which SQL requests during the session are confirmed, and then matching the URL session duration and the URL type to create a SQL group. ; and
If a specific SQL type is included in only a specific SQL group among one or more SQL groups corresponding to a specific URL session duration that does not overlap with other URL session durations or multiple different URL session durations in which mutually overlapping durations exist, the specific SQL group is valid. A matching step of setting a SQL group and generating mapping information by matching a URL type included in the valid SQL group with one or more SQL types;
An access management method for managing access to a web application server-based database including.
The method of claim 1,
The access management device is connected to a first switch that mediates an HTTP session established by the WAS for communication with a user terminal and a second switch that mediates a DB session established by the WAS for communication with a DB, thereby providing the HTTP session and An access management method for managing web application server-based database access, characterized in that for sniffing packets transmitted and received through the DB session through the first and second switches.
The method of claim 1,
The URL session period is a period from the time when the user terminal transmits the URL request to the WAS to the time when a response corresponding to the URL request is completed from the WAS to the user terminal that has transmitted the URL request. An access management method for managing web application server-based database access.
The method of claim 1,
The SQL type is an access management method for managing access to a web application server-based database, characterized in that the rest except for constants and variables in the SQL request.
The method of claim 1,
The matching step is
By checking the SQL types included in one or more SQL groups corresponding to the specific URL session duration that do not overlap with other URL session durations, the SQL types that do not exist in other SQL groups corresponding to the specific URL session duration are checked. An access management method for managing access to a web application server-based database, characterized in that each SQL group including an SQL type is set as an effective SQL group.
The method of claim 1,
The matching step is
The method of managing access to a web application server based database, further comprising the step of deleting the remaining SQL groups if there are remaining SQL groups having the same URL session duration as the effective SQL group.
The method of claim 1,
The matching step is
Based on the valid SQL information, a SQL group including one or more SQL types and URL types included in the valid SQL information and having a URL session period different from the URL session period according to the valid SQL information is set as other valid SQL information. An access management method for managing access to a web application server-based database, further comprising the step of:
The method of claim 1,
After the matching step,
For each of a plurality of URL requests received by the WAS from a plurality of different user terminals, the URL checking step, the grouping step, and the matching step are performed to generate a plurality of mapping information, and map information including the plurality of mapping information. generating; and
Through the sniffing, identification information of the user terminal and a specific URL request are extracted from the packet transmitted from the user terminal to the WAS, and one from the packet transmitted from the WAS to the DB during the URL session period corresponding to the specific URL request. Extracting one or more SQL requests, identifying one or more SQL types corresponding to the URL type of the specific URL request based on the map information, and then corresponding to the identified one or more SQL types among the extracted one or more SQL requests. Identifying one or more SQL requests, and generating access information including the identified one or more SQL requests, the specific URL request, and identification information of the user terminal.
An access management method for managing access to a web application server-based database, further comprising:
The method of claim 8,
After generating the access information,
If at least one of the one or more SQL requests according to the access information is an SQL request for accessing security information, based on pre-stored authority information corresponding to identification information of the user terminal, corresponding to the user terminal for the security information Determining whether a user has access authority, and if the user does not have access authority to the security information, transmits the access information corresponding to the user to the WAS or transmits notification information for blocking access of the user terminal An access management method for managing access to a web application server-based database, further comprising the step of:
A communication unit for sniffing packets transmitted and received through an HTTP session established by WAS (web application server) for communication with a user terminal and a DB session established by the WAS for communication with a DB; and
The packet is sniffed through the communication unit, and after obtaining a URL request transmitted to the WAS from the user terminal from the packet obtained through the sniffing, the URL type of the URL request is checked, and the sniffing Check the SQL request transmitted from the WAS to the DB for each one or more DB sessions set in the WAS during the URL session period corresponding to the URL request received by the WAS from the packet obtained through After identifying one or more SQL types corresponding to the identified one or more SQL requests for each DB session in which SQL requests are confirmed among one or more DB sessions, a SQL group is created by matching the URL session duration and the URL type. and, among one or more SQL groups corresponding to a specific URL session period that does not overlap with another URL session period or a plurality of different URL session periods with mutually overlapping periods, if only a specific SQL group includes a specific SQL type, the specific SQL group a control unit that sets as a valid SQL group and creates mapping information by matching a URL type included in the valid SQL group with one or more SQL types;
An access management device for managing access to a web application server-based database including a.

Images