CN107657174B - Database intrusion detection method based on protocol fingerprint - Google Patents


Info

Publication number
CN107657174B
CN107657174B
Authority
CN
China
Prior art keywords
analysis
activity
protocol
information
sql
Legal status
Active
Application number
CN201610597633.4A
Other languages
Chinese (zh)
Other versions
CN107657174A (en)
Inventor
吴朝雄
石波
陈志浩
沈德峰
胡佳
谢小明
郭江
沈艳林
Current Assignee
Beijing Institute of Computer Technology and Applications
Original Assignee
Beijing Institute of Computer Technology and Applications

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting

Abstract

The invention discloses a database intrusion detection method based on protocol fingerprints, which comprises the following steps: S1, acquiring network data; S2, parsing the network layer data of the network data; S3, comparing the information format and content of the data packet with the protocol fingerprints in the protocol fingerprint library, and parsing the application layer data packet in the acquired network data so as to obtain the SQL statement information; S4, restoring the SQL statement and the user data from the parsed data content according to the structure and grammar of SQL statements; S5, performing feature matching analysis on the restored SQL statements and SQL statement parameters according to pre-stored attack features and association rules; and S6, judging whether attack features exist according to the analysis result, and responding to the detected attack features.

Description

Database intrusion detection method based on protocol fingerprint
Technical Field
The invention belongs to the technical field of network security, and particularly relates to a database intrusion detection method based on protocol fingerprints.
Background
Currently, database security protection provides mechanisms such as access control, data encryption and security audit, which can effectively prevent illegal behavior. However, these mechanisms lack the ability to pinpoint and analyze user behavior and do not meet the need for database security in a network environment. Database intrusion detection can reach into the user data in database access packets to perform fine-grained analysis of user behavior; by analyzing information such as the SQL statements, operations and parameters that users submit to the database, the users' operational behavior on the database can be well analyzed.
The present invention mainly addresses the following problem: existing methods mostly target host intrusion detection and network intrusion detection, while research specifically on database intrusion detection is scarce. The invention:
    • realizes accurate parsing of various database access protocols through protocol fingerprints;
    • accurately restores the user's database information through lexical and syntactic analysis;
    • realizes fine-grained detection of database intrusion attacks through association analysis.
Before setting forth the invention, relevant concepts and definitions involved in the invention are introduced:
Fig. 1 is a diagram illustrating the structure of a database access packet. As shown in Fig. 1, the structure is as follows: the database access protocol defines the communication language between the database client and the server, covering session connection/disconnection, user login/logout, security authentication, operation information request/response, and the like. A user accessing the database communicates through a proprietary database access protocol, which is responsible for handling all data transfer details. Database access protocols include TNS (Transparent Network Substrate), TDS (Tabular Data Stream), DRDA (Distributed Relational Database Architecture), and the like.
Protocol fingerprint: a description of the characteristics, in structure, content and other aspects, of the network interaction data flow during operation of a protocol system. A protocol fingerprint can uniquely identify a protocol.
Attack feature library: a set of data dictionaries describing the information relevant to database intrusion detection; the set completely defines the data feature information for database intrusion detection.
Association rule base: a set of violation business information configured and defined by users according to business and actual requirements.
Disclosure of Invention
The invention discloses a database intrusion detection method based on protocol fingerprints, which is used for solving the problems in the prior art.
The invention relates to a database intrusion detection method based on protocol fingerprints, which comprises the following steps: S1, acquiring network data; S2, parsing the network layer data of the network data; S3, comparing the information format and content of the data packet with the format characteristics and content characteristics of the protocol fingerprints in the protocol fingerprint library, finding the protocol fingerprint whose format and content characteristics are consistent with the packet, determining the database access protocol from that protocol fingerprint, and parsing the application layer data packet in the acquired network data with the database access protocol so as to obtain the SQL statement information; S4, restoring the SQL statement and the user data from the parsed data content according to the structure and grammar of SQL statements; S5, performing feature matching analysis on the restored SQL statements and SQL statement parameters according to pre-stored attack features and association rules; and S6, judging whether attack features exist according to the analysis result, and responding to the detected attack features.
According to an embodiment of the method for detecting database intrusion based on protocol fingerprint, after the network data is obtained, the network data is further subjected to anomaly detection and message reassembly.
According to an embodiment of the method for detecting database intrusion based on protocol fingerprint, parsing the network data, i.e. parsing the TCP/IP protocol data, comprises the following steps: parsing the IP header and the TCP/UDP header to obtain the application layer data packet, comparing it against the protocol fingerprint library, and judging whether the application layer protocol is a database access protocol; if not, the packet is discarded directly, and if so, S3 is entered.
According to an embodiment of the method for detecting database intrusion based on protocol fingerprint, the operation data obtained about the user's actions on the database comprises: user information, application information, SQL statement information, SQL length information and SQL parameter information.
According to an embodiment of the method for detecting database intrusion based on protocol fingerprint, the analyzing the IP packet header comprises: analyzing the source IP, the target IP and the transport layer protocol information of the data packet according to the information format of the IP protocol; parsing the TCP/UDP message header includes: and analyzing the information of the source port and the destination port of the data packet according to the information format of the TCP/UDP protocol.
According to an embodiment of the method for detecting database intrusion based on protocol fingerprint, after the network data is obtained, the performing anomaly detection and message reassembly on the network data further includes: detecting the fragment offset of the data packet fragments of the network data and the size information of the data unit, judging whether the received data packet is abnormal, if so, alarming in time, and if not, carrying out IP fragment recombination on the data packet to form a complete IP message.
According to an embodiment of the method for detecting database intrusion based on protocol fingerprint of the present invention, step S4 includes performing lexical analysis and syntactic analysis. The lexical analysis includes: dividing the content of an SQL statement into three types of information, identifiers, operators and reserved words, where the reserved words are the keywords carried in the SQL grammar and the identifiers comprise digits and letters; any item of the three types of information is called a word block; all word blocks are used as input to a lexical analysis tool, and lexical analysis is carried out on the SQL content using rules generated by the lexical analysis tool to obtain a lexical analysis result. The syntactic analysis includes: according to the syntax and structure of SQL, parsing the lexical analysis result into SQL statements using that result and an SQL syntax analysis tool, and splitting the parsed SQL statements in the order of activities to form a behavior sequence vector, whose elements are single activity behaviors of the database, each comprising an operation type, an operation object and an operation condition.
According to an embodiment of the method for detecting database intrusion based on protocol fingerprint, performing feature matching analysis on the restored SQL statements and SQL statement parameters according to the pre-stored attack features and association rules comprises: detecting and analyzing the database access behavior sequence according to the association rules and attack features, where the detection analysis uses two modes, pattern matching analysis and activity sequence association analysis; pattern matching analysis targets character matching, and activity sequence association analysis targets database activity behavior that has an activity order.
According to an embodiment of the method for detecting database intrusion based on protocol fingerprint, the pattern matching analysis includes: the information represented by the operation type, operation object and operation condition of an activity $OP_i$ is expressed as the string triple $(seq_{i1}, seq_{i2}, seq_{i3})$, and matching analysis is performed on each attribute of the activity; if any $seq_{ij}$ matches successfully, an alarm is raised; if the match is unsuccessful and $seq_{ij}$ is not a conditional filter attribute, the next matching object is $seq_{i,j+1}$; if the match is unsuccessful and $seq_{ij}$ is a conditional filter attribute, the next matching object is the next byte of $seq_{ij}$. The activity sequence association analysis process includes: let the activity sequence vector be $C = (OP_1, OP_2, \ldots, OP_L)$, set the sliding window size to $L$ and denote the sliding window by $H$; select the activity sequence $OP_i$ to $OP_{i+L-1}$ as the sliding window, i.e. $H = (OP_i, OP_{i+1}, \ldots, OP_{i+L-1})$, whose length equals that of the activity sequence $C$; compare each activity behavior selected in the sliding window $H$ one to one with the corresponding activity behavior of the activity sequence $C = (OP_1, OP_2, \ldots, OP_L)$; if the operation type of every activity behavior in $H$ equals the operation type of the corresponding activity behavior in $C$, the association matching is considered successful; if any activity behavior in $H$ does not match the corresponding activity behavior in $C$, the sliding window is slid backwards to form a new activity sequence, and the analysis and comparison are repeated until a match succeeds and an alarm is raised, or all sliding-window sequences $H$ have been compared once with the activity sequence $C$.
In an embodiment of the method for detecting database intrusion based on protocol fingerprint according to the present invention, S6 includes: and comparing the result of the step S5 with a preset alarm condition, and carrying out intrusion response when a preset condition is met.
The method for detecting database intrusion based on protocol fingerprint can accurately analyze user data behavior and discover potential threats in time; it can also be combined with user-defined association rules for detection analysis, adding a further detection layer for database intrusion.
Drawings
FIG. 1 is a diagram of a database access packet structure;
fig. 2 is a flowchart illustrating a method for detecting database intrusion based on protocol fingerprint according to the present invention.
Detailed Description
In order to make the objects, contents, and advantages of the present invention clearer, the following detailed description of the embodiments of the present invention will be made in conjunction with the accompanying drawings and examples.
The invention provides a database intrusion detection method based on protocol fingerprints, specifically aimed at the problem that database intrusion detection cannot perform fine-grained analysis of user behavior. For a database access protocol, according to the database protocol fingerprints of different database types and the protocol structure of database access, layer-by-layer protocol parsing is performed on the packets accessing the database, the database access protocol is analyzed in depth, accurate feature matching analysis is performed, and the user's database operation behavior is precisely located, thereby realizing detection, analysis and response to database intrusion attacks. The method can accurately detect intrusion behavior targeting the database, including SQL injection, privilege escalation, buffer overflow, session anomalies, password attacks and the like.
Fig. 2 is a flowchart illustrating a method for detecting database intrusion based on protocol fingerprints according to the present invention, and as shown in fig. 2, the method for detecting database intrusion based on protocol fingerprints according to the present invention includes:
step 1: network packets are captured from the network.
Step 2: and preprocessing the captured data packet such as abnormity inspection, message recombination and the like.
And step 3: TCP/IP protocol resolution. Analyzing the IP message head and the TCP/UDP head to obtain an application layer data packet, comparing a protocol fingerprint library, judging whether the application layer protocol is a database access protocol or not, and determining the type of the database access protocol. If the data access packet is not the database access packet, the discarding process is directly carried out, and if the data access packet is the database access packet, the step 4 is carried out.
And 4, step 4: and analyzing the database access protocol. Analyzing the obtained application layer data packet by using the database access protocol information, and obtaining the operation data of the user to the database, wherein the obtained information comprises user information, application program information, SQL statement information, SQL length information, SQL parameter information and the like.
And 5: and according to the structure and grammar of the SQL statement, performing lexical analysis and grammar analysis on the analyzed data content, and accurately restoring the SQL statement and the user data.
Step 6: and according to the attack characteristic library and the association rule library, adopting a characteristic matching analysis algorithm SQL statement, SQL statement parameters and the like.
And 7: and responding to the detected attack characteristics, including intrusion alarm, bypass blocking and the like.
The invention realizes deep detection and analysis of database intrusion according to protocol fingerprints that capture the respective characteristics of different protocols. User data is obtained through in-depth protocol fingerprint analysis, the information of user operation behavior and business data is restored through lexical and syntactic analysis, and database intrusion detection is achieved on the basis of the association rule base and the attack feature base. With protocol fingerprint analysis, multiple classes of database access protocols can be accurately identified, user data accurately obtained, application data rapidly detected and analyzed, and intrusion characteristics accurately identified.
As shown in fig. 2, an embodiment of a method for detecting database intrusion based on protocol fingerprint according to the present invention includes:
step 1: and (4) data capture. And capturing the data traffic packet in the network by adopting a network data capturing tool.
Step 2: and (4) preprocessing data. Detecting information such as fragment offset and data unit size of the captured data packet fragments, judging whether the received data packet is abnormal, if so, alarming in time, and if not, carrying out IP fragment recombination on the database to form a complete IP message.
And step 3: TCP/IP protocol resolution. Successively carrying out protocol analysis on the header in the IP message and the header of the TCP/UDP data packet, which specifically comprises the following steps:
(1) and (4) IP header resolution. And analyzing information such as a source IP, a target IP and a protocol of the data packet according to the information format of the IP protocol, comparing and analyzing the information with the information such as the source IP and the target IP contained in the association rule, judging whether the information meeting the association rule exists, and if so, carrying out intrusion alarm.
(2) TCP/UDP header parsing. And analyzing information such as a source port, a destination port and the like of the data packet according to the information format of the TCP/UDP protocol, comparing and analyzing the information with the information such as the port, the protocol and the like contained in the association rule, judging whether the information meeting the association rule exists, and if so, carrying out intrusion alarm.
And 4, step 4: and analyzing a database access protocol. Comparing and analyzing the format and content of the data packet information with the format characteristics and content characteristics of the protocol fingerprints in the protocol fingerprint database, finding out the protocol fingerprints with consistent information format and content characteristics, determining a data packet application protocol through the protocol fingerprints, analyzing the obtained application layer data packet by using the analyzed protocol fingerprint information, thereby obtaining the operation data of a user on the database, analyzing the data packet information, and obtaining information including SQL statements, user data, parameter information, SQL statement length and the like.
And 5: and (5) semantic analysis. The information reduction is mainly to SQL sentences and user data. The information recovery comprises two analysis phases: the lexical analysis and the grammatical analysis specifically comprise the following steps:
lexical analysis: according to the SQL statement content, the SQL statement content can be divided into three types of information: reserved words, operands, flags, or constants. The reserved words are the keywords carried by the SQL syntax, such as select, delete, update, from, and, or the like, the operation symbols include |, >, <, +, ", and, the flags or constants include numbers (9 numbers in total from 0 to 9), letters (a to Z, (,),',"%, and 59 letters in total). Any one of the three types of information is called a word block, such as select is a word block, and a word block. And taking all the word blocks as input of a lexical analysis tool, generating rules by the lexical analysis tool according to the classified word blocks, and then carrying out lexical analysis on the SQL content by using the generated rules to obtain a lexical analysis result W. Lexical analysis tools such as Lex, Flex, etc.
And (3) syntax analysis: and according to the specific grammar and structure of SQL, analyzing the W into SQL sentences, namely database executable sentences by utilizing the lexical analysis result W and an SQL grammar analysis tool. SQL parsing tools can be used yacc, bison, etc. Splitting the SQL sentences obtained by analysis according to the sequence of activities to form a behavior sequence vector, wherein B is { OP ═ OP1,OP2,…OPnDenotes, OPiRepresenting one-time activity behavior of the database, for OPiMay use triplets OPiType represents an operation type, object represents an operation object, condition represents an operation condition, and OPiIndicating that the type operation is performed on the object under condition. Such as:
A data set U whose value column is greater than 100 is queried from the database table tt, and then the records in the database table ss whose value column appears in the set U are deleted. This can be expressed as follows:
$B = (OP_1, OP_2)$: query the set U of records in database table tt whose value attribute is greater than 100, then delete the records in ss whose value attribute is in U;
$OP_1$ = (query, database table tt, value greater than 100 in tt);
$OP_2$ = (delete, database table ss, records in ss whose value attribute is in U).
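Added example, not code from the patent: a small Python lexer and parser that carries the tt/ss example above through step 5. lex() classifies word blocks into reserved words, operators and identifiers/constants (using a constructed subset of the reserved-word and operator sets in place of Lex/Flex-generated rules), parse_statement() reduces one statement to the triple OP_i = (type, object, condition), and behavior_sequence() splits a batch into B = (OP_1, ..., OP_n). The function names and the sample batch are assumptions of this example.

```python
import re

# Word-block classes of the lexical analysis stage (step 5). The reserved-word set and
# the operator class are a constructed subset for this example, not a full SQL grammar.
RESERVED = {"select", "delete", "update", "insert", "from", "where", "into", "set",
            "values", "and", "or", "in", "not"}
# groups: 1 digits (constant), 2 word (reserved or identifier), 3 quoted constant,
#         4 operator, 5 anything else (rejected)
TOKEN_RE = re.compile(r"\s+|(\d+)|(\w+)|('[^']*')|(>=|<=|<>|[|><+=*,();])|(.)")

def lex(sql):
    """Lexical analysis: split SQL text into (class, text) word blocks."""
    tokens = []
    for m in TOKEN_RE.finditer(sql):
        num, word, lit, op, bad = m.groups()
        if bad is not None:
            raise ValueError(f"unexpected character {bad!r} at offset {m.start()}")
        if word is not None:
            tokens.append(("reserved" if word.lower() in RESERVED else "ident", word))
        elif num is not None or lit is not None:
            tokens.append(("const", num if num is not None else lit))
        elif op is not None:
            tokens.append(("op", op))
        # a whitespace-only match sets no group and is skipped
    return tokens

def parse_statement(tokens):
    """Syntactic analysis of one statement into the triple OP_i = (type, object, condition)."""
    words = [text for _cls, text in tokens]
    lower = [w.lower() for w in words]
    op_type = lower[0]
    if op_type in ("select", "delete"):
        obj = words[lower.index("from") + 1]
    elif op_type == "update":
        obj = words[1]
    elif op_type == "insert":
        obj = words[lower.index("into") + 1]
    else:
        raise ValueError(f"unsupported operation type: {words[0]}")
    # the condition is everything after the first WHERE, kept as a string for step 6
    condition = " ".join(words[lower.index("where") + 1:]) if "where" in lower else ""
    return (op_type, obj, condition)

def behavior_sequence(sql_batch):
    """Split a batch into statements in execution order and return B = (OP_1, ..., OP_n)."""
    statements, current = [], []
    for tok in lex(sql_batch):
        if tok == ("op", ";"):
            if current:
                statements.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        statements.append(current)
    return [parse_statement(s) for s in statements]

# Constructed batch matching the patent's example: query tt for value > 100, then
# delete the rows of ss whose value is in that result set U.
SAMPLE_BATCH = ("SELECT value FROM tt WHERE value > 100; "
                "DELETE FROM ss WHERE value IN (SELECT value FROM tt WHERE value > 100);")

if __name__ == "__main__":
    for i, op in enumerate(behavior_sequence(SAMPLE_BATCH), 1):
        print(f"OP{i} = {op}")
```

Unknown characters are rejected rather than skipped, since silently dropping bytes from a statement under analysis would let a malformed request reach the matching stage with its condition string altered.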
step 6: and (5) detecting and analyzing. And performing fine-grained detection analysis on the database access behavior sequence according to the association rule base and the attack characteristic base. The detection analysis adopts two types of pattern matching analysis and activity sequence correlation analysis. The pattern matching analysis is mainly directed to character matching analysis. And the activity sequence correlation analysis is realized by adopting a sliding window mechanism aiming at the activity behavior analysis of the database with a certain activity sequence.
The pattern matching analysis process is as follows:
will OPiIf the information represented by type, object, condition is treated as a character string, OP can be usedi=(seqi1,seqi2,seqi3) Denotes, seqi1,seqi2,seqi3Are all character strings.
To OP in sequenceiAnd performing matching analysis on each attribute in the triples.
If any seqjAnd if the matching analysis is successful, alarming.
If the match is unsuccessful and seqjIf not, the next matching object is seqj+1
If the match is unsuccessful and seqiFor conditional filter attributes, the next matching object is seqj+1,seqj+1 denotes seqjThe next byte of (a).
The activity sequence association analysis process is as follows:
According to the user-defined activity sequence vector $C = (OP_1, OP_2, \ldots, OP_L)$, the size of the sliding window is set to $L$, and the sliding window is denoted by $H$.
The activity sequence $OP_i$ to $OP_{i+L-1}$ is selected from the user behavior $B$ as the sliding window, i.e. $H = (OP_i, OP_{i+1}, \ldots, OP_{i+L-1})$; its length equals the length of the user-defined activity sequence $C$. Each activity behavior of the sequence selected in the sliding window $H$ is compared one to one with the corresponding activity behavior of the user-defined activity sequence $C = (OP_1, OP_2, \ldots, OP_L)$: if the operation object of every activity behavior in $H$ equals the operation object of the corresponding activity behavior in $C$, and the operation type of every activity behavior in $H$ equals the operation type of the corresponding activity behavior in $C$, the association matching is considered successful. If any activity behavior in $H$ does not match the corresponding activity behavior in $C$, the sliding window slides back by one activity behavior to form a new activity sequence, i.e. the window becomes $H = (OP_{i+1}, OP_{i+2}, \ldots, OP_{i+L})$, and the analysis and comparison are repeated until a match succeeds and an alarm is raised, or every sliding-window sequence $H$ has been compared once with the user-defined activity sequence $C$, at which point the analysis ends.
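Added example, not the patent's own code: a Python implementation of both step 6 modes over behavior-sequence triples of the form produced in step 5. pattern_match() matches the type and object attributes as whole strings and scans the condition attribute byte by byte, and sequence_match() slides a window H of size L over B and compares both operation type and operation object with the user-defined sequence C. The attack-feature entries, the rule C, the sample sequence and the function names are constructed for this example.

```python
# Constructed attack-feature library: (attribute index, pattern). Attributes 0 and 1
# (type, object) are matched as whole strings; attribute 2 (condition) byte by byte.
ATTACK_FEATURES = [
    (0, "drop"),
    (2, "union select"),
    (2, "1=1"),
]

# Constructed user-defined association rule C: a SELECT on tt followed by a DELETE on ss.
RULE_C = [("select", "tt", ""), ("delete", "ss", "")]

def pattern_match(op, features=ATTACK_FEATURES):
    """Pattern matching analysis over OP_i = (seq_i1, seq_i2, seq_i3).

    Returns (attribute index, pattern) of the first hit, or None."""
    for j, seq in enumerate(op):
        hay = seq.lower()
        for attr, pattern in features:
            if attr != j:
                continue
            needle = pattern.lower()
            if j < 2:
                if hay == needle:           # type/object: whole-string match
                    return (j, pattern)
            else:
                # condition attribute: on a miss, advance one byte and try again
                for pos in range(len(hay) - len(needle) + 1):
                    if hay[pos:pos + len(needle)] == needle:
                        return (j, pattern)
    return None

def sequence_match(b, c=RULE_C):
    """Activity sequence association analysis with a sliding window H of size L = len(C).

    Returns the start index i of the first window H that matches C, or -1."""
    L = len(c)
    for i in range(len(b) - L + 1):
        h = b[i:i + L]
        if all(hb[0].lower() == cb[0].lower() and hb[1].lower() == cb[1].lower()
               for hb, cb in zip(h, c)):
            return i
    return -1

def detect(b, features=ATTACK_FEATURES, c=RULE_C):
    """Step 6: run both analysis modes over a behavior sequence B and collect alerts."""
    alerts = []
    for i, op in enumerate(b, 1):
        hit = pattern_match(op, features)
        if hit:
            alerts.append(f"pattern: OP{i} attribute {hit[0]} matched {hit[1]!r}")
    start = sequence_match(b, c)
    if start >= 0:
        alerts.append(f"sequence: window starting at OP{start + 1} matched rule C")
    return alerts

# Constructed behavior sequence: a benign lookup, the tt/ss pair from the patent's
# example, then a condition carrying a classic tautology.
SAMPLE_B = [
    ("select", "accounts", "id = 42"),
    ("select", "tt", "value > 100"),
    ("delete", "ss", "value IN ( SELECT value FROM tt WHERE value > 100 )"),
    ("select", "users", "name = 'a' OR 1=1"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_B):
        print(alert)
```

detect() returns the alert strings rather than printing them so that the two modes can be checked independently; in a deployment the feature list and the rule C would be loaded from the attack feature library and the association rule base described above, and the window comparison would be run once per connection rather than over a fixed list.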
And 7: and responding by intrusion. And comparing the result obtained in the step 6 with a preset alarm condition, and carrying out intrusion response when the result meets a preset condition, wherein the intrusion response comprises recording detailed behaviors of intrusion alarm, implementing blocking measures and the like.
The detection of the database intrusion can be completed through the seven steps, the method for detecting the database intrusion based on the protocol fingerprint can accurately analyze the behavior of the user data and find out potential threats in time, and meanwhile, the method can also be combined with user-defined association rules to perform detection analysis, so that a detection level aiming at the database intrusion is increased.
The above description is only a preferred embodiment of the present invention, and it should be noted that, for those skilled in the art, several modifications and variations can be made without departing from the technical principle of the present invention, and these modifications and variations should also be regarded as the protection scope of the present invention.

Claims (7)

1. A database intrusion detection method based on protocol fingerprint is characterized by comprising the following steps:
s1, acquiring network data;
s2, analyzing network layer data of the network data;
s3, comparing and analyzing the information format and content of the data packet with the format characteristics and content characteristics of the protocol fingerprint in the protocol fingerprint database, finding out the protocol fingerprint with consistent information format and content characteristics, determining a database access protocol through the protocol fingerprint, and analyzing the application layer data packet in the acquired network data by using the database access protocol so as to acquire the information of the SQL statement;
s4, restoring the SQL statement and the user data from the parsed data content according to the structure and grammar of SQL statements;
s5, performing feature matching analysis on the restored SQL statements and SQL statement parameters according to the pre-stored attack features and association rules;
s6, judging whether attack characteristics exist or not according to the analysis result, and responding to the detected attack characteristics;
wherein restoring the SQL statement and the user data in step S4 includes: performing lexical analysis and syntactic analysis;
the lexical analysis includes: dividing the content of an SQL statement into three types of information, identifiers, operators and reserved words, where the reserved words are the keywords carried in the SQL grammar and the identifiers comprise digits and letters; any item of the three types of information is called a word block; all word blocks are used as input to a lexical analysis tool, and lexical analysis is carried out on the SQL content using rules generated by the lexical analysis tool to obtain a lexical analysis result;
the syntactic analysis includes: according to the syntax and structure of SQL, parsing the lexical analysis result into SQL statements using that result and an SQL syntax analysis tool, and splitting the parsed SQL statements in the order of activities to form a behavior sequence vector, whose elements are single activity behaviors of the database, each comprising an operation type, an operation object and an operation condition;
performing feature matching analysis on the restored SQL statements and SQL statement parameters according to the pre-stored attack features and association rules comprises: detecting and analyzing the database access behavior sequence according to the association rules and attack features, where the detection analysis uses two modes, pattern matching analysis and activity sequence association analysis; pattern matching analysis targets character matching, and activity sequence association analysis targets database activity behavior that has an activity order;
the pattern matching analysis includes: the information represented by the operation type, operation object and operation condition of an activity $OP_i$ is expressed as the string triple $(seq_{i1}, seq_{i2}, seq_{i3})$, and matching analysis is performed on each attribute of the activity; if any $seq_{ij}$ matches successfully, an alarm is raised; if the match is unsuccessful and $seq_{ij}$ is not a conditional filter attribute, the next matching object is $seq_{i,j+1}$; if the match is unsuccessful and $seq_{ij}$ is a conditional filter attribute, the next matching object is the next byte of $seq_{ij}$; the activity sequence association analysis process includes: let the activity sequence vector be $C = (OP_1, OP_2, \ldots, OP_L)$, set the sliding window size to $L$ and denote the sliding window by $H$; select the activity sequence $OP_i$ to $OP_{i+L-1}$ as the sliding window, i.e. $H = (OP_i, OP_{i+1}, \ldots, OP_{i+L-1})$, whose length equals that of the activity sequence $C$; compare each activity behavior selected in the sliding window $H$ one to one with the corresponding activity behavior of the activity sequence $C = (OP_1, OP_2, \ldots, OP_L)$; if the operation type of every activity behavior in $H$ equals the operation type of the corresponding activity behavior in $C$, the association matching is considered successful; if any activity behavior in $H$ does not match the corresponding activity behavior in $C$, the sliding window is slid backwards to form a new activity sequence, and the analysis and comparison of the activity sequence association analysis are repeated until a match succeeds and an alarm is raised, or all sliding-window sequences $H$ have been compared once with the activity sequence $C$.
2. The method according to claim 1, wherein after the network data is obtained, the network data is further subjected to anomaly detection and message reassembly.
3. The method of claim 1, wherein parsing the network data into TCP/IP protocol data comprises: analyzing the IP header and the TCP/UDP header to obtain the application layer data packet, comparing it against the protocol fingerprint library and judging whether the application layer protocol is a database access protocol; if not, discarding the packet directly, and if so, proceeding to step S3.
4. The method of claim 1, wherein the data obtained about the user's operations on the database comprises: user information, application information, SQL statement information, SQL length information and SQL parameter information.
5. The method of claim 3, wherein parsing the IP header comprises: analyzing the source IP, destination IP and transport layer protocol information of the data packet according to the information format of the IP protocol; and parsing the TCP/UDP header comprises: analyzing the source port and destination port information of the data packet according to the information format of the TCP/UDP protocol.
6. The method according to claim 2, wherein the anomaly detection and message reassembly further performed on the network data after it is obtained comprise: checking the fragment offset and data unit size information of the data packet fragments of the network data and judging whether a received data packet is anomalous; if so, raising an alarm immediately, and if not, performing IP fragment reassembly on the data packets to form a complete IP message.
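Claims 3, 5 and 6 as one pipeline, as an added Python example that is not the patent's code: IP and TCP/UDP header parsing, the fragment-offset and data-unit-size check with IP fragment reassembly, and the protocol fingerprint decision that discards non-database traffic. The fingerprint library, the packets and the addresses are constructed for the example; the library keys on two real protocol constants (the MySQL v10 handshake version byte and the PostgreSQL protocol 3.0 startup version) and is a stand-in for a real fingerprint library.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class IPv4Packet:
    src: str
    dst: str
    proto: int           # transport protocol: 6 = TCP, 17 = UDP
    ident: int
    more_fragments: bool
    frag_offset: int     # in 8-byte units
    payload: bytes

def parse_ipv4(raw: bytes) -> IPv4Packet:
    """IP header analysis (claim 5): addresses, transport protocol, fragment fields."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, ident, flags_frag, _, proto, _, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(raw) < total_len:
        raise ValueError("inconsistent IPv4 header")
    return IPv4Packet(".".join(map(str, src)), ".".join(map(str, dst)), proto, ident,
                      bool(flags_frag & 0x2000), flags_frag & 0x1FFF, raw[ihl:total_len])

def fragment_anomaly(pkt: IPv4Packet) -> Optional[str]:
    """Claim 6 check on fragment offset and data-unit size; None when legal."""
    if pkt.frag_offset * 8 + len(pkt.payload) > 65535:
        return "fragment extends past the maximum datagram size"
    if pkt.more_fragments and (not pkt.payload or len(pkt.payload) % 8):
        return "non-final fragment is empty or not a multiple of 8 bytes"
    return None

def reassemble(fragments: List[IPv4Packet]) -> bytes:
    """IP fragment reassembly of one datagram into its complete payload."""
    out, frags = bytearray(), sorted(fragments, key=lambda f: f.frag_offset)
    for f in frags:
        if f.ident != frags[0].ident or f.frag_offset * 8 != len(out):
            raise ValueError("foreign, overlapping or missing fragment")
        out += f.payload
    if frags[-1].more_fragments:
        raise ValueError("final fragment missing")
    return bytes(out)

def parse_transport(pkt: IPv4Packet) -> Tuple[int, int, bytes]:
    """TCP/UDP header analysis (claim 5): ports plus the application-layer data."""
    if pkt.proto == 6 and len(pkt.payload) >= 20:
        sport, dport = struct.unpack("!HH", pkt.payload[:4])
        return sport, dport, pkt.payload[(pkt.payload[12] >> 4) * 4:]
    if pkt.proto == 17 and len(pkt.payload) >= 8:
        sport, dport, ulen, _ = struct.unpack("!HHHH", pkt.payload[:8])
        return sport, dport, pkt.payload[8:ulen]
    raise ValueError("unsupported or truncated transport header")

# Constructed fingerprint library (name, matcher on the application payload);
# the markers are real protocol constants, but a real library needs far more.
FINGERPRINTS = (
    # MySQL: 3-byte length, sequence id 0 (server greeting), then v10 handshake byte 0x0a.
    ("mysql", lambda a: len(a) >= 5 and a[3] == 0 and a[4] == 0x0A),
    # PostgreSQL StartupMessage: int32 length, then protocol 3.0 = 196608.
    ("postgresql", lambda a: len(a) >= 8 and struct.unpack("!I", a[4:8])[0] == 196608),
)

def identify_db_protocol(app: bytes) -> Optional[str]:
    return next((name for name, match in FINGERPRINTS if match(app)), None)

def classify(raw: bytes):
    """Claim 3 decision for one raw packet: alarm on a fragment anomaly, return a legal
    fragment for reassembly, discard non-database traffic, else pass to S3."""
    pkt = parse_ipv4(raw)
    reason = fragment_anomaly(pkt)
    if reason:
        return ("alarm", reason)
    if pkt.more_fragments or pkt.frag_offset:
        return ("fragment", pkt)
    sport, dport, app = parse_transport(pkt)
    proto = identify_db_protocol(app)
    if proto is None:
        return ("discard", None)
    return ("db", {"proto": proto, "src": f"{pkt.src}:{sport}",
                   "dst": f"{pkt.dst}:{dport}", "app": app})

# Constructed packets (not captured traffic); checksums are left zero.
def build_tcp(sport: int, dport: int, app: bytes) -> bytes:
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + app

def build_ipv4(src, dst, proto, payload, ident=1, mf=False, offset=0) -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                       (0x2000 if mf else 0) | offset, 64, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + payload

MYSQL_GREETING = b"\x08\x00\x00\x00\x0a" + b"8.0.36\x00"                        # 12 bytes
TCP_MYSQL = build_tcp(3306, 51000, MYSQL_GREETING)                              # server -> client
PKT_MYSQL = build_ipv4("10.0.0.9", "10.0.0.5", 6, TCP_MYSQL)
PKT_PG = build_ipv4("10.0.0.5", "10.0.0.9", 6, build_tcp(51001, 5432, struct.pack("!II", 8, 196608)))
PKT_HTTP = build_ipv4("10.0.0.5", "10.0.0.9", 6, build_tcp(51002, 80, b"GET / HTTP/1.1\r\n\r\n"))
FRAG1 = build_ipv4("10.0.0.9", "10.0.0.5", 6, TCP_MYSQL[:24], ident=7, mf=True)  # 24 + 8 bytes
FRAG2 = build_ipv4("10.0.0.9", "10.0.0.5", 6, TCP_MYSQL[24:], ident=7, offset=3)
PKT_BAD_FRAG = build_ipv4("10.0.0.9", "10.0.0.5", 6, TCP_MYSQL, ident=8, offset=8190)  # past 65535
```

The order of the checks matters: the fragment check runs on every packet before any transport parsing, so an oversized or malformed fragment alarms without ever reaching the fingerprint stage, and a legal fragment is only fingerprinted after reassembly has produced the complete IP message (reassemble the two fragments above and feed the result to parse_transport to see the MySQL greeting recovered).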
7. The protocol fingerprint-based database intrusion detection method according to claim 1, wherein S6 comprises: comparing the result of step S5 with preset alarm conditions, and performing an intrusion response when a preset condition is met.
CN201610597633.4A 2016-07-26 2016-07-26 Database intrusion detection method based on protocol fingerprint Active CN107657174B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610597633.4A CN107657174B (en) 2016-07-26 2016-07-26 Database intrusion detection method based on protocol fingerprint

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610597633.4A CN107657174B (en) 2016-07-26 2016-07-26 Database intrusion detection method based on protocol fingerprint

Publications (2)

Publication Number Publication Date
CN107657174A CN107657174A (en) 2018-02-02
CN107657174B true CN107657174B (en) 2020-11-10

Family

ID=61127195

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610597633.4A Active CN107657174B (en) 2016-07-26 2016-07-26 Database intrusion detection method based on protocol fingerprint

Country Status (1)

Country Link
CN (1) CN107657174B (en)

Families Citing this family (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108667840B (en) * 2018-05-11 2021-09-10 腾讯科技(深圳)有限公司 Injection vulnerability detection method and device
CN109327430A (en) * 2018-08-01 2019-02-12 中国科学院、水利部成都山地灾害与环境研究所 A kind of user request analysis method and apparatus
CN109688137A (en) * 2018-12-27 2019-04-26 深信服科技股份有限公司 A kind of detection method, system and the associated component of SQL injection attack
CN111984970B (en) * 2019-05-22 2023-11-07 深信服科技股份有限公司 SQL injection detection method and system, electronic equipment and storage medium
CN111737289B (en) * 2020-06-05 2023-07-25 北京奇艺世纪科技有限公司 Method and device for detecting SQL injection attack
CN112422567B (en) * 2020-11-18 2022-11-15 清创网御(合肥)科技有限公司 Network intrusion detection method oriented to large flow
CN112769833B (en) * 2021-01-12 2023-01-24 恒安嘉新(北京)科技股份公司 Method and device for detecting command injection attack, computer equipment and storage medium
CN112887274B (en) * 2021-01-12 2023-04-14 恒安嘉新(北京)科技股份公司 Method and device for detecting command injection attack, computer equipment and storage medium
CN113204570A (en) * 2021-04-14 2021-08-03 福建星瑞格软件有限公司 Database protocol identification method and device based on data characteristics
CN113722351B (en) * 2021-08-30 2024-01-30 杭州安恒信息安全技术有限公司 Parameter restoration method and device in Oracle database access flow
CN116107816B (en) * 2023-04-13 2023-08-01 山东捷瑞数字科技股份有限公司 MYSQL database back-file cloud platform
CN117633319B (en) * 2024-01-26 2024-04-30 杭州美创科技股份有限公司 Database automation response method, device, computer equipment and storage medium

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104484474A (en) * 2014-12-31 2015-04-01 南京盾垒网络科技有限公司 Database security auditing method
CN105678188A (en) * 2016-01-07 2016-06-15 杨龙频 Anti-leakage protocol identification method and device for database

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060059554A1 (en) * 2004-09-13 2006-03-16 Ofer Akerman System and method for information technology intrusion prevention

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104484474A (en) * 2014-12-31 2015-04-01 南京盾垒网络科技有限公司 Database security auditing method
CN105678188A (en) * 2016-01-07 2016-06-15 杨龙频 Anti-leakage protocol identification method and device for database

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
An audit-based intrusion detection model and its implementation mechanism; Liu Haifeng et al.; Acta Electronica Sinica (电子学报); 2004-01-08; Vol. 30, No. 8; text pp. 1169-1170 *
Research on network-based database auditing and risk control; Chen Wei; Wanfang Data Knowledge Service Platform (万方数据知识服务平台); 2013-11-29; text p. 11, pp. 15-32, p. 34 paragraphs 4-6, pp. 35-50, and Fig. 2-1, Fig. 3-15, Tables 3-8 and 3-9 *

Also Published As

Publication number Publication date
CN107657174A (en) 2018-02-02

Similar Documents

Publication Publication Date Title
CN107657174B (en) Database intrusion detection method based on protocol fingerprint
CN107241352B (en) Network security event classification and prediction method and system
CN107645503B (en) Rule-based method for detecting DGA family to which malicious domain name belongs
CN106961419B (en) WebShell detection method, device and system
US20180069893A1 (en) Identifying Changes in Use of User Credentials
CN106209488B (en) Method and device for detecting website attack
CN101686239B (en) Trojan discovery system
CN113656807B (en) Vulnerability management method, device, equipment and storage medium
CN110611640A (en) DNS protocol hidden channel detection method based on random forest
US10462170B1 (en) Systems and methods for log and snort synchronized threat detection
CN109698831B (en) Data protection method and device
CN107666468B (en) Network security detection method and device
CN112199677A (en) Data processing method and device
CN115766258B (en) Multi-stage attack trend prediction method, equipment and storage medium based on causal relationship graph
Khan et al. Digital forensics and cyber forensics investigation: security challenges, limitations, open issues, and future direction
CN112507336A (en) Server-side malicious program detection method based on code characteristics and flow behaviors
CN110225009B (en) Proxy user detection method based on communication behavior portrait
CN110602020A (en) Botnet detection technology based on DGA domain name and periodic network connection session behavior
Wang et al. An unknown protocol syntax analysis method based on convolutional neural network
US20210075812A1 (en) A system and a method for sequential anomaly revealing in a computer network
CN114760083A (en) Method and device for issuing attack detection file and storage medium
CN115051874B (en) Multi-feature CS malicious encrypted traffic detection method and system
WO2016173327A1 (en) Method and device for detecting website attack
CN113382003B (en) RTSP mixed intrusion detection method based on two-stage filter
TWI667587B (en) Information security protection method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant