TWI579717B - Dynamic Web site HTTP network packet and database packet auditing system and method - Google Patents


Publication number: TWI579717B
Authority: TW (Taiwan)
Application number: TW105103466A
Other languages: Chinese (zh)
Other versions: TW201729128A (en)
Inventor: Yin-Feng Lin
Prior art keywords: variable, packet, http network, packets, sql database
Landscapes: Data Exchanges In Wide-Area Networks (AREA)
Description

HTTP network packet and database packet auditing system and method for dynamic URLs

The present invention relates to an HTTP network packet and database packet auditing system and method for dynamic URLs, and more particularly to such a system and method that applies statistical numerical computation.

With the rapid growth in the popularity and convenience of networks, the Internet has become the mainstream medium for delivering information, and companies, hospitals and similar organizations have also built their own local area networks.

Because anyone can access and modify data over a network, many acts of accessing or modifying data over the Internet by illegitimate means have emerged. Access to data over the Internet must therefore be recorded, to serve as the basis for assigning responsibility for information security. In the existing Internet, however, users connect to a web server and access web data by sending it Hypertext Transfer Protocol (HTTP) network packets (HTTP requests). The web data that the web server provides is not stored on the web server itself but on a data server; the web server connects to the data server and sends it SQL database packets (SQL requests) to obtain the web data to be provided to the user.

Taiwan Patent Publication No. I457774 discloses a network packet and database packet auditing system and method. It computes statistical samples of how URLs (Uniform Resource Locators) and SQL database statements are distributed over time intervals and derives a correlation coefficient as the basis for judging whether a URL and an SQL database statement are related. Numerical calculation thereby replaces the complex, computation-heavy content comparison step, which greatly reduces the amount of computation and removes the need to store large volumes of packet content, so that the correlation learning and analysis procedure can run together with the auditing procedure and security gaps are further avoided. After the system has run for some time (after many time intervals), the distribution over time intervals of the earliest received URLs and SQL database statements is still reflected in the newly calculated correlation coefficient, without any increase in storage space or computation, so the accuracy of the judgment improves without added computation.

The above network packet and database packet auditing system and method is used to audit HTTP network packets of static URLs. A static URL is split at the question mark in the URL string: the string before the question mark is the web page path, and the string after the question mark is the variables. The same web page path always invokes the same SQL database statement, only with different parameters. For static URLs, web page paths and SQL database statements are compared statistically. A match is meaningful, and because there is more than one user at the same time, the more matching records there are, the higher the correlation. This basic relationship is used to judge and count which web page paths are associated with which SQL database statements, and an association table is built from it. All of this is done statistically, with an observation made at each period (every minute or every five minutes).

However, many web pages have now become dynamic pages, and a dynamic URL is hard to divide into web page path and variable values at the question mark. That is, the static-URL rule, under which the string before the question mark is the web page path and the string after it is the variable values, is not feasible for dynamic URLs, because the URL string of a dynamic URL consists of the site address (http://www.domain.com) followed by a number of variable values after the first "/" behind the site address; these variable values may be strings, numbers or symbols. In a dynamic URL, the strings between the first "/" after the site address and the question mark are not all web page path; they may also be variable values, so the static-URL way of identifying variable values does not work for dynamic URLs. The above auditing method, which applies only to static URLs, is therefore no longer sufficient for the growing number of dynamic websites, because existing HTTP network packet and database packet auditing systems cannot truly patternize dynamic URLs. The above method is thus not applicable to dynamic URLs, and a packet auditing solution for dynamic URLs is needed.

An object of the present invention is to provide an HTTP network packet and database packet auditing method for dynamic URLs. This auditing method overcomes the drawback that existing auditing methods cannot be used for dynamic web pages.

To this end, the present invention provides an HTTP network packet and database packet auditing method for dynamic URLs, comprising the following steps: receiving a plurality of HTTP network packets and a plurality of SQL database packets within a time interval, each HTTP network packet containing a plurality of first variable values and each SQL database packet containing a plurality of second variable values; calculating the count of each first variable value contained in the HTTP network packets of the time interval; accumulating the count of each first variable value into a variable count accumulation table that serves as a variable statistics hash table; removing from the SQL database packets the second variable values that differ from the first variable values in the variable statistics hash table; removing the second variable values that are identical to first variable values whose count in the variable statistics hash table exceeds a preset threshold; arranging the second variable values in the SQL database packet in ascending order of the count that the identical first variable values have in the variable statistics hash table, and comparing the second variable values with the first variable values of the HTTP network packets in the time interval; and, when the second variable values retained for the SQL database packets are identical to first variable values contained in the HTTP network packets, finding from those first variable values the HTTP network packets associated with the SQL database packets, so as to build an audit association table of the SQL database packets and the HTTP network packets.

Another object of the present invention is to provide an HTTP network packet and database packet auditing system for dynamic URLs. With this system the variable values of HTTP network packets can be found, so that HTTP network packets and SQL database packets can be audited.

To this end, the present invention provides an HTTP network packet and database packet auditing system comprising: an HTTP network packet listener for capturing a plurality of HTTP network packets sent by a client to a web server, each HTTP network packet containing at least one URL; an SQL database packet listener for capturing a plurality of database packets sent by the web server to a data server, each database packet containing at least one SQL database statement; and a correlation auditing device connected to both the HTTP network packet listener and the SQL database packet listener, wherein the HTTP network packet listener sends the HTTP network packets to the correlation auditing device after capturing a full time interval of them, and the SQL database packet listener sends the SQL database packets to the correlation auditing device after capturing a full time interval of them. The correlation auditing device comprises: a variable statistics module for accumulating the first variable values contained in the HTTP network packets of the time interval into a variable count accumulation table that serves as a variable statistics hash table; and an audit module for checking the second variable values contained in the SQL database packets, removing the second variable values that differ from the first variable values in the variable statistics hash table, removing the second variable values identical to first variable values whose count in the variable statistics hash table exceeds a preset threshold, and then using the remaining second variable values to find the HTTP network packets associated with the SQL database statements contained in the SQL database packets, so as to build an audit association table of the SQL database packets and the HTTP network packets.

The HTTP network packet and database packet auditing system and method of the present invention can be applied to dynamic web pages: it finds the valid variable values in a dynamic page and discards the invalid ones, which raises the accuracy with which URLs are associated with the SQL database statements contained in SQL database packets and in turn improves the computational load on the system.

The technical means adopted by the present invention to achieve its intended purpose are further described below with reference to the drawings and the preferred embodiments.

FIG. 1 is a block diagram of the HTTP network packet and database packet auditing system for dynamic URLs of the present invention. As shown in FIG. 1, the HTTP network packet and database packet auditing system 10 for dynamic URLs comprises an HTTP network packet listener 11, an SQL database packet listener 12 and a correlation auditing device 13.

The HTTP network packet listener 11 captures the HTTP network packets that a client sends to the web server; these are network packets of the Hypertext Transfer Protocol (HTTP). After capturing a full time interval of HTTP network packets, it sends them to the correlation auditing device 13. Each HTTP network packet contains at least one URL, and in the URL of each HTTP network packet, what follows the first "/" after the site address contains a plurality of first variable values. For example, the dynamic URL http://www.domain.com/abc/index.php?catID=1&storyID=12245 consists of a first section (the site address part, http://www.domain.com/) and a second section (abc/index.php?catID=1&storyID=12245). The second section contains several first variable values and is split by the distinguishing symbol "?" into a first sentence (abc/index.php) and a second sentence (catID=1&storyID=12245). In the first sentence the delimiter is "/", and the first variable values are abc and index.php. In the second sentence, what follows the distinguishing symbol "?" is a series of variable groups, each of the form "variable=variable value": whatever follows the identifying symbol "=" is a first variable value, and the delimiter between variable groups is "&", so 1 and 12245 are first variable values. The SQL database packet listener 12 captures the database packets that the web server sends to the data server and, after capturing a full time interval of SQL database packets, sends them to the correlation auditing device 13. Each SQL database packet contains at least one SQL database statement (SQL query) and a plurality of second variable values.

The correlation auditing device 13 is connected to the HTTP network packet listener 11 and the SQL database packet listener 12 and receives the HTTP network packets and SQL database packets of the time interval. It comprises a variable statistics module 131 and an audit module 132. The variable statistics module 131 accumulates the counts of the first variable values contained in the HTTP network packets of the time interval into a variable count accumulation table, which serves as the variable statistics hash table (also called the URL variable statistics hash table). In addition, according to the retention time of the variable count accumulation table, the variable statistics module 131 progressively clears from that table the first variable values that have exceeded the retention time. The retention time is a fixed-length time period, which may be 12 hours or 1 day and is not limited to these. The audit module 132 checks the second variable values contained in the SQL database packets, removes the second variable values that differ from the first variable values in the variable statistics hash table, removes the second variable values identical to first variable values whose count in the variable statistics hash table exceeds a preset threshold, and then uses the remaining second variable values to find the HTTP network packets associated with the SQL database statement contained in the SQL database packet, so as to build an audit association table of SQL database packets and HTTP network packets for auditors to query.

Because the HTTP network packet and database packet auditing system 10 for dynamic URLs performs its comparison in memory, it avoids the prior art's need for large amounts of storage to hold the content of HTTP network packets and SQL database packets and for large amounts of computing resources to compare that content. It further avoids the prior art's complex calculation of correlation variables between URL and SQL database data and its procedure for comparing URLs and SQL database statements with highly correlated variables, so that the association between URLs and SQL database statements is improved and the computational load is reduced.

FIG. 2 is a flowchart of the HTTP network packet and database packet auditing method. As shown in FIG. 2, in step S201 a plurality of HTTP network packets and a plurality of SQL database packets within a time interval are received through the HTTP network packet listener 11 and the SQL database packet listener 12 respectively; each HTTP network packet contains a plurality of first variable values and each SQL database packet contains a plurality of second variable values. The time interval is a fixed-length time period, which may be 5 minutes or 10 minutes and is not limited to these. The HTTP network packets are HTTP packets of dynamic URLs, and each SQL database packet contains at least one SQL database statement (SQL query). Next, in step S202, the count of the first variable values contained in the HTTP network packets of the time interval is calculated. The method needs the number of times each first variable value appears in the HTTP network packets, and uses that number to judge whether the first variable value is a valid variable value. In step S203, the counts are accumulated into a variable count accumulation table that serves as a variable statistics hash table: so that later steps can use the counts of the first variable values to judge whether a second variable value is a valid variable value, the first variable values and their counts are made into the variable statistics hash table, also called the URL variable statistics hash table. In step S204, the second variable values that differ from the first variable values in the variable statistics hash table are removed from the SQL database packets. An SQL database packet contains many different second variable values, but not every one of them is related to a first variable value of the HTTP network packets. If a second variable value in an SQL database packet differs from the first variable values in the variable statistics hash table of the HTTP network packets, it is not a second variable value needed in this time interval and can be excluded.

Then, in step S205, the second variable values identical to first variable values whose count in the variable statistics hash table exceeds a preset threshold are removed. Not every first variable value in the HTTP network packets is a valid first variable value. By setting a preset threshold, the second variable values in the SQL database packets that are identical to first variable values with an excessive count in the variable statistics hash table are excluded: a first variable value with an excessive count is merely an invalid variable value of the dynamic web page, so the second variable values identical to it are removed. In step S206, the second variable values in the SQL database packet are arranged in ascending order of the counts that the identical first variable values have in the variable statistics hash table, and are compared with the first variable values of the HTTP network packets in the time interval. In step S207, when the second variable values retained for the SQL database packets are identical to first variable values contained in the HTTP network packets, the HTTP network packets associated with the SQL database packets are found from those first variable values, so as to build an audit association table of the SQL database packets and the HTTP network packets.

FIG. 3 is a flowchart of the variable statistics procedure and the audit procedure of the HTTP network packet and database packet auditing method of the present invention. As shown in FIG. 3, in the variable statistics procedure, step S301 continuously receives the HTTP network packets of a time interval; step S302 treats every item after the first "/" following the site address in the URL of each HTTP network packet as a first variable value; step S303 accumulates the counts of the first variable values contained in the HTTP network packets of the time interval into the variable count accumulation table; and step S304 uses the accumulated first variable values and their counts as the variable statistics hash table.

In the audit procedure, step S305 continuously receives the SQL database packets of a time interval and then checks, one by one, every second variable value contained in each SQL database packet. In the exclusion procedure for the second variable values of an SQL database packet, step S306 removes from them the second variable values that differ from the first variable values in the variable statistics hash table, and step S307 removes from them the second variable values identical to first variable values whose count in the variable statistics hash table exceeds the preset threshold. Then, in step S308, the second variable values of the SQL database packet that passed the exclusion procedure are sorted in ascending order of the counts that the identical first variable values have in the variable statistics hash table (the smaller its count, the more likely a second variable value is a characteristic variable value, which can serve as the basis for judging the association between a URL and an SQL database statement). In step S309, the second variable values are compared with the first variable values contained in the HTTP network packets of the time interval. If a second variable value retained for the SQL database packet is identical to a first variable value contained in an HTTP network packet, the HTTP network packet associated with the SQL database packet is found from the HTTP network packet corresponding to that second variable value, and an audit association table is built.

In the audit procedure, the second variable values retained for an SQL database packet are sorted in ascending order of the counts that the identical first variable values have in the variable statistics hash table, and the comparison of second variable values against first variable values starts from the second variable value with the smallest count, so that general-purpose variable values end up excluded by this procedure. The variable statistics procedure runs continuously: the first variable values of the continuously updated variable statistics hash table are compared with the second variable values contained in the SQL database packets that the audit procedure keeps receiving, and old data that has exceeded the retention time is cleared from the variable count accumulation table.
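The following Python, an added example that is not part of the patent text, walks through the URL splitting described for listener 11 and steps S201 to S207 over one constructed time window. The rule for extracting second variable values from an SQL statement (quoted-string and numeric literals), the threshold of 2, the function names and all sample requests are assumptions made for the illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumption: "second variable values" are the quoted-string and numeric
# literals of an SQL statement; the patent does not fix an extraction rule.
SQL_LITERAL = re.compile(r"'((?:[^']|'')*)'|\b(\d+(?:\.\d+)?)\b")


def url_values(url):
    """First variable values: every '/'-delimited item after the site address,
    plus the value after '=' in each '&'-separated variable group."""
    parts = urlsplit(url)
    values = [segment for segment in parts.path.split("/") if segment]
    for group in parts.query.split("&"):
        _, sep, value = group.partition("=")
        if sep and value:
            values.append(value)
    return values


def sql_values(statement):
    """Second variable values of one SQL statement (see assumption above)."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in SQL_LITERAL.finditer(statement)]


def build_hash_table(urls):
    """S202-S203: count each first variable value seen in the window."""
    table = Counter()
    for url in urls:
        table.update(url_values(url))
    return table


def candidate_values(statement, table, threshold):
    """S204-S206: drop values absent from the table, drop values whose count
    exceeds the threshold, then sort the rest rarest first."""
    kept = {v for v in sql_values(statement)
            if v in table and table[v] <= threshold}
    return sorted(kept, key=lambda v: (table[v], v))


def audit(urls, statements, threshold):
    """S207: map each SQL statement to (matching value, HTTP requests)."""
    table = build_hash_table(urls)
    requests_by_value = {}
    for url in urls:
        for value in set(url_values(url)):
            requests_by_value.setdefault(value, []).append(url)
    association = {}
    for statement in statements:
        for value in candidate_values(statement, table, threshold):
            if value in requests_by_value:   # rarest matching value wins
                association[statement] = (value, requests_by_value[value])
                break
    return association


# Constructed sample window: path-embedded values, no '?' at all.
HTTP_WINDOW = [
    "http://www.domain.com/en/news/7/12245",
    "http://www.domain.com/en/news/7/12301",
    "http://www.domain.com/en/news/3/12388",
    "http://www.domain.com/en/user/5521",
]
SQL_WINDOW = [
    "SELECT title FROM story WHERE lang = 'en' AND cat_id = 7 AND story_id = 12245",
    "SELECT name FROM users WHERE uid = 5521",
    "SELECT COUNT(*) FROM sessions WHERE expired = 0",
]

if __name__ == "__main__":
    for stmt, (value, reqs) in audit(HTTP_WINDOW, SQL_WINDOW, 2).items():
        print(f"{stmt!r}\n  matched on {value!r} -> {reqs}")
```

In this window the value `en` appears in every request and is discarded by the threshold, while the third statement has no value in the hash table and therefore gets no entry in the association table.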

The HTTP network packet and database packet auditing system and method of the present invention can be applied to dynamic web pages: it finds the valid variable values in a dynamic page and discards the invalid ones, and it needs no large storage space to hold the content of HTTP network packets and SQL database packets. It raises the accuracy with which URLs are associated with the SQL database statements contained in SQL database packets, and thereby overcomes the drawback that conventional auditing methods cannot be applied to dynamic URLs.

The above is only a preferred embodiment of the present invention and does not limit the invention in any form. Although the invention has been disclosed above by way of a preferred embodiment, that embodiment is not intended to limit it. Any person skilled in the art may, without departing from the scope of the technical solution of the present invention, use the technical content disclosed above to make minor changes or modifications that amount to equivalent embodiments; any simple modification, equivalent change or refinement made to the above embodiment according to the technical substance of the present invention, without departing from the content of its technical solution, still falls within the scope of that technical solution.

10‧‧‧HTTP network packet and database packet auditing system for dynamic URLs
11‧‧‧HTTP network packet listener
12‧‧‧SQL database packet listener
13‧‧‧Correlation auditing device
131‧‧‧Variable statistics module
132‧‧‧Audit module

FIG. 1 is a block diagram of the HTTP network packet and database packet auditing system for dynamic URLs of the present invention. FIG. 2 is a flowchart of the HTTP network packet and database packet auditing method for dynamic URLs of the present invention. FIG. 3 is a flowchart of the variable statistics procedure and the audit procedure of the HTTP network packet and database packet auditing method for dynamic URLs of the present invention.

Claims (8)

1. An HTTP network packet and database packet auditing method for dynamic URLs, comprising the following steps: receiving a plurality of HTTP network packets and a plurality of SQL database packets within a time interval, each HTTP network packet containing a plurality of first variable values and each SQL database packet containing a plurality of second variable values; calculating the count of each first variable value contained in the HTTP network packets of the time interval; accumulating the count into a variable count accumulation table that serves as a variable statistics hash table; removing from the SQL database packets the second variable values that differ from the first variable values in the variable statistics hash table; removing the second variable values identical to first variable values whose count in the variable statistics hash table exceeds a preset threshold; arranging the second variable values in the SQL database packet in ascending order of the count that the identical first variable values have in the variable statistics hash table, and comparing the second variable values with the first variable values of the HTTP network packets in the time interval; and, when the second variable values retained for the SQL database packets are identical to first variable values contained in the HTTP network packets, finding from those second variable values the HTTP network packets associated with the SQL database packets, so as to build an audit association table of the SQL database packets and the HTTP network packets.

2. The HTTP network packet and database packet auditing method for dynamic URLs of claim 1, wherein in the step of receiving the HTTP network packets and the SQL database packets within the time interval, the HTTP network packets and the database packets of the time interval are received through an HTTP network packet listener and an SQL database packet listener respectively.

3. The HTTP network packet and database packet auditing method for dynamic URLs of claim 1, further comprising, according to a retention time of the variable count accumulation table, progressively clearing from the variable count accumulation table the first variable values that have exceeded the retention time.

4. The HTTP network packet and database packet auditing method for dynamic URLs of claim 1, wherein the HTTP network packets are HTTP network packets of a dynamic URL.

5. The HTTP network packet and database packet auditing method for dynamic URLs of claim 1, wherein in the step of calculating the counts of the first variable values contained in the HTTP network packets of the time interval, the plurality of variable values after the first "/" symbol following at least one Uniform Resource Locator (URL) contained in each HTTP network packet are treated as the first variable values.

6. An HTTP network packet and database packet auditing system for dynamic URLs, comprising: an HTTP network packet listener for capturing a plurality of HTTP network packets sent by a client to a web server, each HTTP network packet containing at least one URL; an SQL database packet listener for capturing a plurality of SQL database packets sent by the web server to a data server, each SQL database packet containing at least one SQL database statement; and a correlation auditing device connected to both the HTTP network packet listener and the SQL database packet listener, wherein the HTTP network packet listener sends the HTTP network packets to the correlation auditing device after capturing a full time interval of them, and the SQL database packet listener sends the SQL database packets to the correlation auditing device after capturing a full time interval of them, the correlation auditing device comprising: a variable statistics module for accumulating the first variable values contained in the HTTP network packets of the time interval into a variable count accumulation table that serves as a variable statistics hash table; and an audit module for checking the second variable values contained in the SQL database packets, removing the second variable values that differ from the first variable values in the variable statistics hash table, removing each second variable value identical to a first variable value whose count in the variable statistics hash table exceeds a preset threshold, and then using the remaining second variable values to find the HTTP network packets associated with the SQL database statements contained in the SQL database packets, so as to build an audit association table of the SQL database packets and the HTTP network packets.
To the associated auditing device, the correlation auditing device includes: a variable statistic module, configured to accumulate the first variable values included in the HTTP network packets in the time interval to a change The quantity quantity accumulation table is used as a variable statistics hash table; an audit module uses and checks the second variable values included in the SQL database package, and the cull is different from the first variables in the variable statistics hash table And the second variable value of the value, and subtracting each of the second variable values that are the same as each of the first variable values in the variable statistics hash table by more than a predetermined threshold value, and then remaining The second variable value finds the HTTP network packets associated with the SQL database statements included in the SQL database package to establish the SQL database package and one of the HTTP network packets. Audit the association table. 如請求項6所述之動態網址的HTTP網路封包與資料庫封包稽核系統,其中該變數統計模組依據該變數數量累計表的一保留時間,推移清除該變數數量累計表中超過該保留時間的該些第一變數值。The HTTP network packet and the database packet auditing system of the dynamic URL according to claim 6, wherein the variable statistics module clears the retention time of the variable number accumulation table according to a retention time of the variable quantity accumulation table. The first variable values. 如請求項6所述之動態網址的HTTP網路封包與資料庫封包稽核系統,其中該些HTTP網路封包為一動態網址的HTTP網路封包。The HTTP network packet and the database packet auditing system of the dynamic web address as claimed in claim 6, wherein the HTTP network packets are HTTP network packets of a dynamic web address.
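
The steps of claim 1, with the URL-derived values of claim 5, carried out over a constructed capture window; this is an added Python example, not code from the patent. The packet tuples, the threshold of 2, the regex used to pull literals out of SQL, the inclusion of query-string values, and the rule that every retained value must appear in the matched request are assumptions made here.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Constructed capture window: (packet id, request target) and (packet id, SQL statement).
HTTP_PACKETS = [("h1", "/app/order/88231/view"), ("h2", "/app/order/90417/view"),
                ("h3", "/app/patient/A7731/view"), ("h4", "/app/order/51200/edit?status=open")]
SQL_PACKETS = [("s1", "SELECT * FROM orders WHERE id = 88231"),
               ("s2", "SELECT name FROM patients WHERE pid = 'A7731' AND page = 'view'"),
               ("s3", "UPDATE orders SET status = 'open' WHERE id = 51200"),
               ("s4", "SELECT 1 FROM heartbeat WHERE node = 'db7'")]

def http_values(target):
    """First variable values: path segments after the first "/" plus query values (assumed parsing)."""
    parts = urlsplit(target)
    return [s for s in parts.path.split("/") if s] + [v for _, v in parse_qsl(parts.query)]

def sql_values(stmt):
    """Second variable values: quoted strings and bare integers (assumed parsing)."""
    return [q or n for q, n in re.findall(r"'([^']*)'|\b(\d+)\b", stmt)]

def build_hash_table(http_packets):
    """Variable statistics hash table: value -> number of occurrences in the window."""
    table = Counter()
    for _, target in http_packets:
        table.update(http_values(target))
    return table

def correlate(http_packets, sql_packets, threshold=2):
    """Return the audit association table {sql id: [http ids]}."""
    table = build_hash_table(http_packets)
    index = {}  # value -> ids of the HTTP packets that carry it
    for hid, target in http_packets:
        for v in set(http_values(target)):
            index.setdefault(v, set()).add(hid)
    audit = {}
    for sid, stmt in sql_packets:
        # Drop values absent from the table, then values more frequent than the threshold.
        kept = {v for v in sql_values(stmt) if 0 < table[v] <= threshold}
        # Rarest value first, so the candidate set starts small and only shrinks.
        ordered = sorted(kept, key=lambda v: (table[v], v))
        hits = set(index[ordered[0]]) if ordered else set()
        for v in ordered[1:]:
            hits &= index[v]  # assumption: every retained value must appear in the request
        if hits:
            audit[sid] = sorted(hits)
    return audit

if __name__ == "__main__":
    print(correlate(HTTP_PACKETS, SQL_PACKETS))
```

In this window `view` and `order` occur three times each, so they are discarded as too common to identify a request, and statement `s4` shares no value with any request and receives no entry in the association table.
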
TW105103466A 2016-02-03 2016-02-03 Dynamic Web site HTTP network packet and database packet auditing system and method TWI579717B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW105103466A TWI579717B (en) 2016-02-03 2016-02-03 Dynamic Web site HTTP network packet and database packet auditing system and method

Publications (2)

Publication Number Publication Date
TWI579717B (en) 2017-04-21
TW201729128A (en) 2017-08-16

Family

ID=59240972

Country Status (1)

Country Link
TW (1) TWI579717B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108009291A (en) * 2017-12-25 2018-05-08 杭州闪捷信息科技有限公司 Network package and database package correlating method, device and realization device

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030158792A1 (en) * 1997-10-27 2003-08-21 Ipf Inc. System and method for managing and serving consumer product related information over the internet
US20050289473A1 (en) * 2004-03-17 2005-12-29 Carl Gustafson Method and system for providing search information via a communications network
US20070300161A1 (en) * 2000-08-23 2007-12-27 Rajesh Bhatia Systems and methods for context personalized web browsing based on a browser companion agent and associated services
US20110087539A1 (en) * 2009-10-09 2011-04-14 Walter M. Rubinstein Packetized advertising utilizing information indicia
