WO2017138673A1 - Method and system for tracking web-database user by using data mining - Google Patents


Info

Publication number
WO2017138673A1
Authority
WO
WIPO (PCT)
Prior art keywords
url
query
collected
web
database
Prior art date
Application number
PCT/KR2016/001451
Other languages
French (fr)
Korean (ko)
Inventor
임성욱
이재주
서경은
Original Assignee
(주)모니터랩
Priority date
Filing date
Publication date
Application filed by (주)모니터랩

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures

Definitions

  • the user terminal 100 may transmit a web service request message in the form of a TCP/IP-based HTTP message to the web server 220 through the communication network 10, receive the response data, and present it to the user.
  • the user may enter a specific input parameter value in the web browser of the user terminal 100 and have it included in the web request message transmitted to the web server 220. For example, when the user appends a '?' after the URL in the address bar (URL input window) of the web browser and then enters an input parameter name and a value for it, a web request message carrying that input parameter value can be transmitted to the web server 220.
  • users can also send a web request message by POST, entering the input parameter values in an HTTP form on the web page.
  • the communication network 10 may be a local area network (LAN), a metropolitan area network (MAN), a wide area network (WAN), the Internet, or the like; the type of communication network does not matter.
  • the web service request transmitted from the user terminal 100 to the web server 220 may be inspected according to a predetermined policy by the web security unit 210, which corresponds to a web firewall located in front of the web server 220, before it is delivered to the web server 220.
  • the web security unit 210 receives the web service requests sent to the web server 220 from the plurality of user terminals 100 connected through the communication network 10, determines whether each request is normal or abnormal, and may block a web service request determined to be abnormal from being delivered to the web server 220.
  • the web security unit 210 collects the URL (Uniform Resource Locator) included in a web service request transmitted from the user terminal 100 together with the IP address of the user terminal 100, and transmits the collected data to the DB security unit 230. In the following description, the URL together with the IP address collected with it is referred to as URL information.
  • it is desirable for the web security unit 210 to transmit, together with the URL information, the time at which it collected the URL information (or the time at which it received the web service request).
  • the web security unit 210 may be implemented to periodically transmit the URL information collected over a predetermined period together with the URL collection times. The URL collection time may be replaced by any information that allows the order in which the web security unit 210 collected the URL information to be distinguished.
  • the web server 220 provides the user terminal 100 with response data according to a web service request transmitted from the user terminal 100.
  • the web server 220 generates a DB query (QUERY; hereinafter referred to as a 'DB query') for a database service request and delivers it to the DB server 240 when a web service request requires it, and may provide the database response data received in return to the user terminal 100.
  • the description above assumes that the web server 220 generates the DB query; alternatively, a WAS server (not shown) may be provided separately from the web server 220 so that the DB query is generated by, and passed on from, the WAS server.
  • when the WAS server is provided separately from the web server 220, the WAS server prepares the complete SQL query by combining the prepared query with the input parameter values, sends the database service request to the DB server 240, receives the database response data, and delivers the data back to the web server 220.
  • in the following description, the web server 220 may be understood to include the function of the WAS server, although, as described above, the WAS server may be implemented separately from the web server 220.
  • the DB security unit 230 receives the DB query transmitted from the web server 220 to the DB server 240, determines whether it is normal or abnormal, and may block an abnormal DB query from being delivered to the DB server 240.
  • the DB security unit 230 may collect DB queries and calculate the degree of association between each DB query and the URLs using the URL information collected by the web security unit 210. The DB security unit 230 may then determine the URL most strongly associated with a collected DB query as the URL that generated that query. In addition, the DB security unit 230 may pass the IP address corresponding to the URL that caused an abnormal query to the web security unit 210 so that web service requests from that IP are blocked.
  • the following tables (Table 1 and Table 2) illustrate how the degree of association between DB queries and URLs is calculated.
  • Table 1 (URL information collection table):

        TIME     URL      IP
        Time1    URL-1    10.0.0.101
        Time2    URL-2    10.0.0.102
        Time3    URL-3    10.0.0.103
        Time4    URL-4    10.0.0.104
        ...      ...      ...
  • the DB security unit 230 may have a URL information collection table as shown in Table 1 in which URL information collected by the web security unit 210 is recorded.
  • in Table 1, TIME is the time at which the URL information was collected by the web security unit 210.
  • URLs may be arranged in the order of time collected by the web security unit 210.
  • the DB security unit 230 may designate a URL collected before a predetermined time as a candidate URL based on the time of collecting the corresponding DB query with reference to the URL information collection table.
  • for example, suppose the collection time of a specific DB query (Query-1) is 13:00, the system is set to designate URLs collected within three seconds before the DB query collection time as candidate URLs, and Time3 is 12:59:58.
  • in that case the DB security unit 230 designates URL-3 and URL-4 as the candidate URLs that may have generated the DB query.
  • the DB security unit 230 may create a query-URL association table as illustrated in Table 2 below by counting the number of times each URL is designated as a candidate URL of the corresponding DB query for each DB query.
  • Table 2 (query-URL association table):

                 URL-1   URL-2   URL-3   ...   URL-M   ...
        Query-1  C_11    C_12    C_13    ...   C_1M    ...
        Query-2  C_21    C_22    C_23    ...   C_2M    ...
        Query-3  C_31    C_32    C_33    ...   C_3M    ...
        ...      ...     ...     ...     ...   ...     ...
        Query-N  C_N1    C_N2    C_N3    ...   C_NM    ...
        ...      ...     ...     ...     ...   ...     ...
  • C_NM is the number of times URL-M was designated as a candidate URL for Query-N.
  • the DB security unit 230 may calculate a degree of association between the DB query and the URL according to Equation 1 below using the association table of Table 2.
  • in Equation 1, R_NM is the degree of association between Query-N and URL-M; P_NM is the probability that Query-N and URL-M appear together; P_M is the probability that URL-M appears; P_N is the probability that Query-N appears; C_NM is the number of times URL-M is designated as a candidate URL of Query-N; and C_ij is the number of times URL-j is designated as a candidate URL of Query-i.
  • the DB security unit 230 may determine a URL having the highest correlation with respect to a specific DB query as the URL that generated the DB query. In addition, when a specific DB query is determined to be an abnormal query, the DB security unit 230 may check an IP corresponding to the URL determined to have generated the query in Table 1.
  • the DB security unit 230 may transfer the IP corresponding to the URL that generated the DB query determined to be abnormal to the web security unit 210 to block the web service request transmitted from the IP.
  • FIG. 5 is a flowchart illustrating an operation of a web-database user tracking system using data mining according to an embodiment of the present invention.
  • the web security unit 210 collects the uniform resource locator (URL) included in each web service request transmitted to the web server 220 from the plurality of user terminals 100 connected through the communication network 10, together with the IP address and the like of the user terminal 100 (S510).
  • the URL information collected in step S510 may be transferred to the DB security unit 230 and recorded in the URL information collection table as illustrated in Table 1 described above.
  • the DB security unit 230 collects each DB query transmitted from the web server 220 to the DB server 240 (S520). Steps S510 and S520 are performed continuously, each time a web service request or a DB query is received, while the web-database user tracking system according to the present invention is operating.
  • the DB security unit 230 designates candidate URLs with reference to Table 1 with respect to the collected DB queries (S530).
  • the DB security unit 230 may designate a URL collected before a predetermined time as a candidate URL based on the time of collecting the corresponding DB query by referring to the URL information collection table.
  • the predetermined time, that is, the allowed difference between the URL collection time and the DB query collection time, may be varied by the administrator's setting and adjusted to the network environment connecting the web server 220 and the DB server 240.
  • the DB security unit 230 may generate a query-URL association table as illustrated in Table 2 by counting, for each collected DB query, the number of times each URL was designated as one of its candidate URLs.
  • the DB security unit 230 may calculate an association degree between the collected DB query and the URL using the query-URL association table (S540).
  • the degree of association between the DB query and the URL may be calculated by Equation 1 described above.
  • the DB security unit 230 may determine a URL having the highest association with respect to the collected DB queries as the URL that generated the query (S550).
  • the DB security unit 230 may pass the IP address corresponding to the URL that caused an abnormal query to the web security unit 210 so that web service requests from that IP are blocked (S560).
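Steps S510 to S560 and Tables 1 and 2 above, worked through in Python as an added example (not the patentee's code). The URL and query logs are constructed sample data; grouping SQL statements into query types by masking literals, and the lift-style score P_NM / (P_N * P_M) standing in for Equation 1 (whose image is not reproduced on this page), are assumptions made for the example.

```python
"""
Web-database user tracking as described in steps S510-S560: collect URL
information (Table 1), designate candidate URLs within a time window (S530),
count a query-URL association table (Table 2), score the association (S540),
pick the originating URL (S550) and look up its IP for blocking (S560).
Example code, not the patentee's implementation.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# --- Constructed sample logs (not from the patent) -------------------------
# Table 1 rows as collected by the web security unit: (time, URL, client IP)
URL_LOG = [
    ("2016-02-12 12:59:50", "/index", "10.0.0.1"),
    ("2016-02-12 12:59:58", "/board/list?cat=free", "10.0.0.101"),
    ("2016-02-12 12:59:59", "/member/profile?id=7", "10.0.0.102"),
    ("2016-02-12 13:00:05", "/board/list?cat=free", "10.0.0.101"),
    ("2016-02-12 13:00:06", "/index", "10.0.0.1"),
    ("2016-02-12 13:00:10", "/board/list?cat=free", "10.0.0.103"),
    ("2016-02-12 13:00:29", "/member/profile?id=7", "10.0.0.102"),
    ("2016-02-12 13:00:29", "/index", "10.0.0.1"),
]
# DB queries as collected by the DB security unit: (time, SQL text).
# Note the 'free' parameter has become '1' by the time it reaches the DB,
# which is exactly why parameter similarity alone cannot link them.
QUERY_LOG = [
    ("2016-02-12 13:00:00", "SELECT * FROM board WHERE category=1"),
    ("2016-02-12 13:00:01", "SELECT * FROM member WHERE id=7"),
    ("2016-02-12 13:00:07", "SELECT * FROM board WHERE category=1"),
    ("2016-02-12 13:00:12", "SELECT * FROM board WHERE category=1"),
    ("2016-02-12 13:00:31", "SELECT * FROM member WHERE id=9"),
]
WINDOW = timedelta(seconds=3)  # the "predetermined time" (3 s as in the page's example)


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def normalize_query(sql):
    """Map one SQL statement to its template ("Query-N"): literals become '?'.
    Assumption: the page does not say how statements are grouped into query
    types, so literal masking is used here."""
    sql = re.sub(r"'[^']*'", "?", sql)
    return re.sub(r"\b\d+\b", "?", sql)


def candidate_records(query_time, url_log=URL_LOG, window=WINDOW):
    """S530: Table 1 records collected within `window` before the query time."""
    return [(u, ip) for ts, u, ip in url_log
            if query_time - window <= parse_time(ts) < query_time]


def build_association_table(url_log=URL_LOG, query_log=QUERY_LOG, window=WINDOW):
    """Table 2: table[query_tpl][url] = C_NM, the number of times the URL
    was designated a candidate for that query type."""
    table = defaultdict(Counter)
    for ts, sql in query_log:
        for url, _ip in candidate_records(parse_time(ts), url_log, window):
            table[normalize_query(sql)][url] += 1
    return table


def association(table, query_tpl, url):
    """S540: association score R_NM. Assumption: P_NM, P_N and P_M are taken
    from the counts in Table 2 and combined as lift, P_NM / (P_N * P_M), which
    equals C_NM * total / (row_N * col_M)."""
    total = sum(sum(row.values()) for row in table.values())
    row_n = sum(table[query_tpl].values())
    col_m = sum(row[url] for row in table.values())
    c_nm = table[query_tpl][url]
    return c_nm * total / (row_n * col_m) if c_nm else 0.0


def most_associated_url(table, query_tpl):
    """S550: the URL with the highest association is taken as the originator."""
    urls = {u for row in table.values() for u in row}
    return max(urls, key=lambda u: association(table, query_tpl, u))


def trace_ips(query_time, sql, table=None, url_log=URL_LOG, window=WINDOW):
    """S550/S560: for one collected (e.g. abnormal) query instance, return the
    IPs recorded in Table 1 for the originating URL among its candidates."""
    if table is None:
        table = build_association_table(url_log, QUERY_LOG, window)
    url = most_associated_url(table, normalize_query(sql))
    return {ip for u, ip in candidate_records(query_time, url_log, window) if u == url}


if __name__ == "__main__":
    table = build_association_table()
    for tpl, row in table.items():
        print(tpl, dict(row))
    ts, sql = QUERY_LOG[3]  # treat the 13:00:12 board query as the abnormal one
    print("originating URL:", most_associated_url(table, normalize_query(sql)))
    print("IP to hand to the web security unit:", trace_ips(parse_time(ts), sql, table))
```

Because P_M is estimated from the candidate counts, a lift-style score rewards URLs that rarely appear as candidates; the window length (WINDOW) and the scoring rule both need tuning against real traffic before an IP is blocked on the result.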
  • Embodiments of the invention include a computer readable medium containing program instructions for performing various computer-implemented operations.
  • This medium records a program for executing the web-database user tracking method using data mining described above.
  • the medium may contain program instructions alone or in combination with data files, data structures and the like. Examples of such media include magnetic media such as hard disks, floppy disks and magnetic tape; optical recording media such as CDs and DVDs; magneto-optical media such as floptical disks; and hardware devices specially configured to store and execute program instructions, such as ROM, RAM and flash memory.
  • the medium may be a transmission medium such as an optical or metal wire, a waveguide, or the like including a carrier wave for transmitting a signal specifying a program command, a data structure, and the like.
  • program instructions include not only machine code generated by a compiler, but also high-level language code that can be executed by a computer using an interpreter or the like.

Abstract

The present invention relates to a method and a system for tracking a web-database user by using data mining. The method according to the present invention comprises the steps of: collecting a URL included in a web service request transmitted to a web server; collecting a query transmitted from the web server to a database server; determining, as a candidate URL having caused the query, a URL collected before a predetermined time on the basis of the collecting time point of the collected query; and calculating the correlation between the collected query and the collected URL by using the number of times each collected URL is determined as a candidate URL for each collected query. According to the present invention, the SQL induced by a web database user through a web server or a WAS can be recorded, and the actual user who induced the SQL can be tracked. Therefore, a DB attack can be blocked by blocking web service requests originating from a specific IP.

Description

Web-database user tracking method and system using data mining
The present invention relates to a web-database user tracking method and system, and more particularly to a web-database user tracking method and system using data mining that can track the user who generated an abnormal query based on the temporal correlation between web service requests and queries.
Recently, with advances in computer communication technology, the provision of various Internet services, such as electronic commerce services for purchasing goods or banking over the Internet, certificate issuance services and game services, has increased explosively.
However, hacking attempts with various motives, such as financial or political gain or notoriety, are increasing as fast as Internet services themselves. In particular, a recent focus of hacking is the exploitation of web application vulnerabilities.
In general, most web sites that provide Internet services offer a web application as the interface through which users access the service, and the web application is linked to a database. When a user enters specific parameter values in a web browser and submits them in order to use an Internet service, the web server receives them and passes them on to a web application server (WAS). The WAS combines a prepared query statement (QUERY) with the received input parameter values to build a complete query, which it sends to the database; the database performs the operation specified by the query, and the result is returned to the user in the reverse order of the path along which the input parameter values were delivered.
No problem arises when the user enters normal values. However, if an abnormal value is entered and the input is not validated, a malformed query that violates the query grammar may be assembled by the WAS and delivered to the database, causing a syntax error; furthermore, an attacker with malicious intent can, by suitably manipulating the input values, induce results that were not intended at development time. Such an attack is called an SQL injection attack.
Besides the SQL injection attacks described above, various other forms of database attack are attempted, and database security products have been released to protect databases from these attacks. Web server security products that detect and respond to attacks on the web server itself have also been released; they are generally installed and operated separately from database security products.
FIG. 1 illustrates the configuration of a conventional general database security product, and FIG. 2 illustrates the configuration of a conventional database security product that includes a WEB/WAS.
Among the database security products conventionally used to protect a database, the mainstream type, as illustrated in FIG. 1, controls access and privileges and keeps an audit log of all SQL. However, while conventional database security products provide security functions for users who access the database directly through a DB client program, for database communication that passes through widely used middleware such as a WAS (Web Application Server, WEB Server), as illustrated in FIG. 2, only the information of the middleware can be traced, and there is no way to determine who actually accessed the database and obtained or modified the information.
In particular, the biggest problem with conventional database security is that, for an attack made through middleware such as a WAS, no information about the user who actually caused the attack can be obtained, so that when various evasion attacks are attempted, no way of blocking access by the actual user could be provided.
Meanwhile, a technique is known for tracking the attacker who attempted an attack based on the conditional identity or similarity between the parameters of the URL included in the web service request and the DB query (QUERY).
FIG. 3 is a diagram provided to describe the conventional technique of tracking an attacker based on the conditional identity or similarity between the parameters of the URL included in a web service request and the DB query.
As illustrated in FIG. 3, URL1 and Query1 can be matched based on their similarity, but when the parameter 'free' of URL2 is processed by the web server (or WAS) and transformed into '1', tracking becomes impossible.
Accordingly, the technical problem to be solved by the present invention is to provide a web-database user tracking method and system using data mining that can track the user who generated an abnormal query based on the temporal correlation between web service requests and queries.
A web-database user tracking method according to an embodiment of the present invention for solving this technical problem comprises: collecting the URL included in a web service request delivered to a web server; collecting a query delivered from the web server to a database server; designating URLs collected within a predetermined time before the collection time of the collected query as candidate URLs that generated the query; and calculating, for each collected query, the degree of association between the collected query and each collected URL using the number of times each collected URL was designated as a candidate URL.
The method may further comprise determining the URL with the highest degree of association to the collected query as the URL that generated the collected query.
The method may further comprise blocking web service requests from the IP address corresponding to the URL that generated the abnormal query.
A web-database user tracking system according to an embodiment of the present invention for solving this technical problem comprises a web security unit that collects the URL included in a web service request delivered to a web server, and a database security unit that collects queries delivered from the web server to a database server, designates URLs collected within a predetermined time before the collection time of a collected query as candidate URLs that generated the query, and calculates, for each collected query, the degree of association between the collected query and each collected URL using the number of times each collected URL was designated as a candidate URL.
The database security unit may determine the URL with the highest degree of association to the collected query as the URL that generated the collected query.
The web security unit may block web service requests from the IP address corresponding to the URL that generated the abnormal query.
The degree of association between the collected query and the collected URL may be defined by the following equation.
[Equation]
(Equation 1 is given in the original as four images, PCTKR2016001451-appb-I000001 to PCTKR2016001451-appb-I000004, which are not reproduced here.)
Here, R_NM is the degree of association between Query-N and URL-M; P_NM is the probability that Query-N and URL-M appear together; P_M is the probability that URL-M appears; P_N is the probability that Query-N appears; C_NM is the number of times URL-M is designated as a candidate URL of Query-N; and C_ij is the number of times URL-j is designated as a candidate URL of Query-i.
상기 웹 서비스 요청에 포함된 URL은 상기 웹 서비스를 요청한 아이피(IP) 주소와 함께 수집될 수 있다.The URL included in the web service request may be collected together with an IP address that requested the web service.
본 발명에 의하면, 웹 데이터베이스 사용자가 웹 서버 또는 WAS를 통해 유발시킨 SQL을 기록할 수 있고, 실제 SQL을 유발시킨 사용자를 추적할 수 있는 장점이 있다. 이로 인해 특정 IP에서 발생하는 웹 서비스 요청을 차단하는 방식으로 DB 공격을 차단할 수 있는 장점이 있다.According to the present invention, there is an advantage that the web database user can record the SQL caused by the web server or the WAS, and can track the user who actually caused the SQL. This has the advantage of blocking DB attacks by blocking web service requests from specific IPs.
FIG. 1 is a diagram illustrating the configuration of a conventional database security product.
FIG. 2 is a diagram illustrating the configuration of a conventional database security product that includes a WEB/WAS.
FIG. 3 is a diagram provided to explain a conventional technique for tracing an attacker based on conditional identity or similarity between the parameters of the URL included in a web service request and the DB query.
FIG. 4 is a block diagram illustrating the configuration of a web-database user tracking system using data mining according to an embodiment of the present invention.
FIG. 5 is a flowchart illustrating the operation of a web-database user tracking system using data mining according to an embodiment of the present invention.
Hereinafter, embodiments of the present invention are described in detail with reference to the accompanying drawings so that those of ordinary skill in the art can readily practice the invention.
FIG. 4 is a block diagram illustrating the configuration of a web-database user tracking system using data mining according to an embodiment of the present invention.
Referring to FIG. 4, the web-database user tracking system using data mining according to an embodiment of the present invention may include a web security unit 210 and a database security unit (hereinafter 'DB security unit') 230.
The user terminal 100 is the communication terminal a user uses to access the web service. It may be any communication terminal that has memory and a microprocessor and is therefore capable of computation, such as a desktop computer, laptop computer, workstation, palmtop computer, personal digital assistant (PDA) or web pad.
The user terminal 100 may send a web service request message to the web server 220 over the communication network 10 as a TCP/IP-based HTTP message, receive the corresponding response data and present it to the user. The user may enter specific input parameter values in the web browser of the user terminal 100 and have them included in the web request message sent to the web server 220. For example, if the user appends '?' to the URL in the browser's address bar followed by an input parameter name and value, a web request message carrying that input parameter value is sent to the web server 220 with the GET method. The user may of course also send the web request message with the POST method by entering input parameter values into an HTTP form on the web page.
The communication network 10 may be a local area network (LAN), a metropolitan area network (MAN), a wide area network (WAN), the Internet or any other network, wired or wireless; the communication method does not matter.
A web service request sent from the user terminal 100 to the web server 220 may, before it reaches the web server 220, be inspected according to a predetermined policy by the web security unit 210, which corresponds to a web application firewall placed in front of the web server 220.
More specifically, the web security unit 210 receives the web service requests sent to the web server 220 from a plurality of user terminals 100 connected over the communication network 10, determines whether each request is normal or abnormal, and blocks abnormal web service requests from reaching the web server 220.
The web security unit 210 also collects the URL (Uniform Resource Locator) included in each web service request received from a user terminal 100 together with the IP address of that user terminal 100, and forwards them to the DB security unit 230. Hereinafter, the URL together with the IP address collected with it is referred to as URL information.
Each time the web security unit 210 collects URL information, it preferably forwards, together with that URL information, the time at which it collected it (or the time at which it received the corresponding web service request). Depending on the embodiment, the web security unit 210 may instead periodically forward the URL information collected over a fixed interval together with the URL collection times. The URL collection time may also be replaced by any information that identifies the order in which the URL information was collected by the web security unit 210.
The web server 220 provides the user terminal 100 with response data for the web service request it sends. Where a web service request requires it, the web server 220 generates a DB query statement (hereinafter 'DB query') for a database service request, passes it to the DB server 240, receives the resulting database response data and provides it to the user terminal 100.
In the embodiment of FIG. 4 the web server 220 generates the DB query, but a WAS server (not shown) may be provided separately from the web server 220 so that the WAS server generates the DB query and passes it to the DB server 240.
When a WAS server is provided separately from the web server 220, the WAS server composes a complete SQL query by combining a prepared query statement with the input parameter values it receives, sends the database service request to the DB server 240, receives the database response data and returns it to the web server 220.
In the following, the web server 220 may be understood to include the functions of the WAS server, and, as described above, the WAS server may also be implemented separately.
The DB security unit 230 receives the DB queries sent from the web server 220 to the DB server 240, determines whether each is normal or abnormal, and may block abnormal DB queries from reaching the DB server 240.
The DB security unit 230 collects DB queries and uses the URL information collected by the web security unit 210 to compute the association between each DB query and each URL. For a collected DB query, the DB security unit 230 may determine the URL with the highest association as the URL that generated that query. The DB security unit 230 may also pass the IP address corresponding to the URL that generated an abnormal query to the web security unit 210 so that web service requests from that IP address are blocked.
The method for computing the association between DB queries and URLs is described in more detail with reference to the tables below.
Table 1. URL information collection table

TIME    URL     IP
Time1   URL-1   10.0.0.101
Time2   URL-2   10.0.0.102
Time3   URL-3   10.0.0.103
Time4   URL-4   10.0.0.104
The DB security unit 230 may hold a URL information collection table such as Table 1, in which the URL information collected by the web security unit 210 is recorded. In Table 1, TIME is the time at which the URL information was collected by the web security unit 210. The URL information collection table may be sorted by the time at which each URL was collected by the web security unit 210.
With reference to the URL information collection table, the DB security unit 230 may designate as candidate URLs the URLs collected within a predetermined time before the time at which the DB query was collected.
For example, suppose a particular DB query (Query-1) was collected at 13:00:00 and the system is configured to designate URLs collected within 3 seconds before the DB query collection time as candidate URLs. If Time3 is 12:59:58 and Time4 is 12:59:59, the DB security unit 230 designates URL-3 and URL-4 as candidate URLs for having generated Query-1.
As illustrated in Table 2 below, the DB security unit 230 counts, for each DB query, the number of times each URL was designated a candidate URL of that DB query, and builds a query-URL association table.
Table 2. Query-URL association table

          URL-1   URL-2   URL-3   ...   URL-M
Query-1   C_11    C_12    C_13    ...   C_1M
Query-2   C_21    C_22    C_23    ...   C_2M
Query-3   C_31    C_32    C_33    ...   C_3M
...
Query-N   C_N1    C_N2    C_N3    ...   C_NM
In Table 2, C_NM is the number of times URL-M was designated a candidate URL for Query-N. Each time the DB security unit 230 collects a DB query sent from the web server 220 to the DB server 240, it refers to the URL information collection table of Table 1, designates the candidate URLs for that DB query, and updates Table 2.
Using the association table of Table 2, the DB security unit 230 may compute the association between a DB query and a URL by Equation 1 below.
[Equation 1: image PCTKR2016001451-appb-M000001, equation not reproduced in text]
[Image PCTKR2016001451-appb-I000005: equation not reproduced in text]
[Image PCTKR2016001451-appb-I000006: equation not reproduced in text]
[Image PCTKR2016001451-appb-I000007: equation not reproduced in text]
Here, R_NM is the association between Query-N and URL-M; P_NM is the probability that Query-N and URL-M appear together; P_M is the probability that URL-M appears; P_N is the probability that Query-N appears; C_NM is the number of times URL-M was designated a candidate URL of Query-N; and C_ij is the number of times URL-j was designated a candidate URL of Query-i.
For a given DB query, the DB security unit 230 may determine the URL with the highest association as the URL that generated that DB query. When a given DB query is determined to be abnormal, the DB security unit 230 can look up in Table 1 the IP address corresponding to the URL determined to have generated that query.
The DB security unit 230 may pass the IP address corresponding to the URL that generated the DB query determined to be abnormal to the web security unit 210 so that web service requests sent from that IP address are blocked.
FIG. 5 is a flowchart illustrating the operation of a web-database user tracking system using data mining according to an embodiment of the present invention.
Referring to FIG. 5, the web security unit 210 first collects the URL (Uniform Resource Locator) included in each web service request sent from the plurality of user terminals 100 connected over the communication network 10 to the web server 220, together with the IP address of the user terminal 100 (S510). The URL information collected in step S510 is passed to the DB security unit 230 and may be recorded in a URL information collection table such as Table 1 described above.
Meanwhile, the DB security unit 230 collects each DB query as it is sent from the web server 220 to the DB server 240 (S520). Steps S510 and S520 are performed continuously, each time a web service request or a DB query is received, while the web-database user tracking system according to the present invention is operating.
Next, the DB security unit 230 designates candidate URLs for the collected DB query with reference to Table 1 (S530). In step S530, the DB security unit 230 may designate as candidate URLs the URLs collected within a predetermined time before the time at which the DB query was collected, with reference to the URL information collection table. This predetermined time, that is, the allowed difference between the URL collection time and the DB query collection time, may vary with the administrator's settings and may be tuned to the network environment connecting the web server 220 and the DB server 240.
Each time candidate URLs are designated for a collected DB query, the DB security unit 230 counts the number of times each URL has been designated a candidate URL of that DB query and builds a query-URL association table such as Table 2 above.
The DB security unit 230 then computes the association between the collected DB query and each URL using the query-URL association table (S540). The association between a DB query and a URL may be computed by Equation 1 described above.
Next, the DB security unit 230 may determine the URL with the highest association to the collected DB query as the URL that generated that query (S550).
The DB security unit 230 may then pass the IP address corresponding to the URL that generated the abnormal query to the web security unit 210 so that web service requests from that IP address are blocked (S560).
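The candidate-URL window of step S530, the count table of Table 2, the association score of Equation 1 and the URL-to-IP lookup of steps S540 to S560 are implemented end to end below as an added example. This is not code from the patent or from the applicant. It assumes a lookback window of 3 seconds, as in the text's example; it assumes that Equation 1 has the lift form R_NM = P_NM / (P_N · P_M) with each probability estimated as a share of the total count in Table 2, which is a reconstruction from the symbol definitions because the equation images are not reproduced on this page, not the patent's own formula; it resolves an abnormal query to the IP address of the Table 1 row inside its window whose URL scores highest, where the text only says the IP is looked up in Table 1; and it uses a trivial tautology check as a stand-in for the DB security unit's unspecified normal/abnormal policy. The URL log and query log are constructed sample data, and all function names are this example's own.

```python
"""Time-window correlation of DB queries to web requests (added example, not the
patent's code).  Function names, the 3-second window, the lift form of the
association score and the sample logs are all assumptions made here."""
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=3)  # administrator-set lookback; 3 s as in the text's example


def parse_time(hhmmss):
    """Parse 'HH:MM:SS' into a datetime (fixed dummy date; only differences matter)."""
    return datetime.strptime(hhmmss, "%H:%M:%S")


# Constructed sample of the "URL information" the web security unit forwards:
# (collection time, URL, requesting IP).  Not data from the patent.
URL_LOG = [
    (parse_time("13:00:00"), "/list.php?page=1",            "10.0.0.101"),
    (parse_time("13:00:02"), "/item.php?id=7",              "10.0.0.102"),
    (parse_time("13:00:10"), "/list.php?page=1",            "10.0.0.103"),
    (parse_time("13:00:20"), "/item.php?id=7",              "10.0.0.104"),
    (parse_time("13:00:29"), "/item.php?id=7",              "10.0.0.105"),
    (parse_time("13:00:30"), "/item.php?id=7%20OR%201%3D1", "10.0.0.106"),
]

# Constructed sample of the DB queries the DB security unit collects: (time, SQL).
QUERY_LOG = [
    (parse_time("13:00:01"), "SELECT id,name FROM item LIMIT 10 OFFSET 0"),
    (parse_time("13:00:03"), "SELECT * FROM item WHERE id=7"),
    (parse_time("13:00:11"), "SELECT id,name FROM item LIMIT 10 OFFSET 0"),
    (parse_time("13:00:21"), "SELECT * FROM item WHERE id=7"),
    (parse_time("13:00:31"), "SELECT * FROM item WHERE id=7 OR 1=1"),
]


def candidate_rows(url_log, query_time, window=WINDOW):
    """Step S530: rows of Table 1 collected within `window` before the query."""
    return [row for row in url_log if timedelta(0) < query_time - row[0] <= window]


def build_count_table(url_log, query_log, window=WINDOW):
    """Table 2: counts[query][url] = number of times url was a candidate URL of query."""
    counts = {}
    for q_time, sql in query_log:
        row_counts = counts.setdefault(sql, {})
        for _, url, _ in candidate_rows(url_log, q_time, window):
            row_counts[url] = row_counts.get(url, 0) + 1
    return counts


def association(counts, sql, url):
    """R_NM = P_NM / (P_N * P_M), the assumed lift form of Equation 1.

    P_NM = C_NM / sum(C_ij); P_N = sum_j C_Nj / sum(C_ij); P_M = sum_i C_iM / sum(C_ij).
    A pair never counted together scores 0.
    """
    total = sum(c for row in counts.values() for c in row.values())
    c_nm = counts.get(sql, {}).get(url, 0)
    c_n = sum(counts.get(sql, {}).values())
    c_m = sum(row.get(url, 0) for row in counts.values())
    if total == 0 or c_nm == 0 or c_n == 0 or c_m == 0:
        return 0.0
    p_nm, p_n, p_m = c_nm / total, c_n / total, c_m / total
    return p_nm / (p_n * p_m)


def originating_url(counts, sql):
    """Step S550: the URL with the highest association to this query, or None."""
    urls = counts.get(sql, {})
    if not urls:
        return None
    return max(urls, key=lambda u: association(counts, sql, u))


def looks_abnormal(sql):
    """Placeholder for the DB security unit's normal/abnormal policy (not the patent's rule)."""
    return " OR 1=1" in sql.upper()


def attribute_abnormal_query(url_log, counts, q_time, sql, window=WINDOW):
    """Step S560: of the Table 1 rows in this query's window, return (url, ip) of the
    row whose URL has the highest association with the query; None if the window is empty."""
    rows = candidate_rows(url_log, q_time, window)
    if not rows:
        return None
    _, url, ip = max(rows, key=lambda r: association(counts, sql, r[1]))
    return url, ip


if __name__ == "__main__":
    table2 = build_count_table(URL_LOG, QUERY_LOG)
    for sql in table2:
        print(f"{sql!r} <- {originating_url(table2, sql)}")
    for q_time, sql in QUERY_LOG:
        if looks_abnormal(sql):
            print("abnormal", repr(sql), "-> block", attribute_abnormal_query(URL_LOG, table2, q_time, sql))
```

On this sample the injected URL /item.php?id=7%20OR%201%3D1 scores 3.5 against the tautology query, while the benign /item.php?id=7 request from 10.0.0.105 that fell into the same 3-second window scores 7/6, so the block decision lands on 10.0.0.106. Two caveats follow from the method itself rather than from this code: the score is only as good as the count table, so a query seen once is attributed mostly on base rates; and the collected URL carries the injected parameter only when it travels in a GET query string, since the text collects URL and IP but not POST bodies, so a payload sent in an HTTP form leaves the collected URL identical to benign requests and the window timing alone then has to separate them.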
Embodiments of the present invention include a computer-readable medium containing program instructions for performing various computer-implemented operations. The medium records a program for executing the web-database user tracking method using data mining described above. The medium may contain program instructions, data files, data structures and the like, alone or in combination. Examples of such media include magnetic media such as hard disks, floppy disks and magnetic tape; optical recording media such as CDs and DVDs; floptical disks and magneto-optical media; and hardware devices configured to store and execute program instructions, such as ROM, RAM and flash memory. The medium may also be a transmission medium, such as an optical or metal wire or a waveguide, carrying a carrier wave that conveys signals specifying program instructions, data structures and the like. Examples of program instructions include not only machine code such as that produced by a compiler but also high-level language code that can be executed by a computer using an interpreter or the like.
Although preferred embodiments of the present invention have been described in detail above, the scope of the present invention is not limited to them; various modifications and improvements made by those skilled in the art using the basic concept of the present invention defined in the following claims also fall within the scope of the present invention.

Claims (8)

  1. A web-database user tracking method, comprising:
    collecting the URL included in a web service request sent to a web server;
    collecting a query sent from the web server to a database server;
    designating, as candidate URLs for having generated the collected query, the URLs collected within a predetermined time before the time at which the query was collected; and
    computing the association between the collected query and the collected URLs using, for each collected query, the number of times each collected URL was designated a candidate URL.
  2. The web-database user tracking method of claim 1, wherein the association between the collected query and the collected URL is defined by the following equation:
    [Image PCTKR2016001451-appb-I000008: equation not reproduced in text]
    [Image PCTKR2016001451-appb-I000009: equation not reproduced in text]
    [Image PCTKR2016001451-appb-I000010: equation not reproduced in text]
    [Image PCTKR2016001451-appb-I000011: equation not reproduced in text]
    where R_NM is the association between Query-N and URL-M; P_NM is the probability that Query-N and URL-M appear together; P_M is the probability that URL-M appears; P_N is the probability that Query-N appears; C_NM is the number of times URL-M was designated a candidate URL of Query-N; and C_ij is the number of times URL-j was designated a candidate URL of Query-i.
  3. The web-database user tracking method of claim 1 or 2, further comprising:
    determining the URL with the highest association to the collected query as the URL that generated the collected query.
  4. The web-database user tracking method of claim 3, wherein the URL included in the web service request is collected together with the IP address that requested the web service, the method further comprising:
    blocking web service requests from the IP address corresponding to the URL that generated an abnormal query.
  5. A web-database user tracking system, comprising:
    a web security unit that collects the URL included in a web service request sent to a web server; and
    a database security unit that collects queries sent from the web server to a database server, designates as candidate URLs for having generated a collected query the URLs collected within a predetermined time before the time at which the query was collected, and computes the association between the collected query and the collected URLs using, for each collected query, the number of times each collected URL was designated a candidate URL.
  6. The web-database user tracking system of claim 5, wherein the association between the collected query and the collected URL is defined by the following equation:
    [Image PCTKR2016001451-appb-I000012: equation not reproduced in text]
    [Image PCTKR2016001451-appb-I000013: equation not reproduced in text]
    [Image PCTKR2016001451-appb-I000014: equation not reproduced in text]
    [Image PCTKR2016001451-appb-I000015: equation not reproduced in text]
    where R_NM is the association between Query-N and URL-M; P_NM is the probability that Query-N and URL-M appear together; P_M is the probability that URL-M appears; P_N is the probability that Query-N appears; C_NM is the number of times URL-M was designated a candidate URL of Query-N; and C_ij is the number of times URL-j was designated a candidate URL of Query-i.
  7. The web-database user tracking system of claim 5 or 6, wherein the database security unit determines the URL with the highest association to the collected query as the URL that generated the collected query.
  8. The web-database user tracking system of claim 7, wherein the URL included in the web service request is collected together with the IP address that requested the web service, and the web security unit blocks web service requests from the IP address corresponding to the URL that generated an abnormal query.
Application PCT/KR2016/001451, priority date 2016-02-12, filing date 2016-02-12: Method and system for tracking web-database user by using data mining, WO2017138673A1 (en)

Publication: WO2017138673A1, published 2017-08-17



Legal Events

121 EP: the EPO has been informed by WIPO that EP was designated in this application (ref. document 16889980, EP, kind code A1)
NENP: non-entry into the national phase (DE)
122 EP: PCT application non-entry into the European phase (ref. document 16889980, EP, kind code A1)