CN112199677A - Data processing method and device - Google Patents


Info

Publication number
CN112199677A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202011211262.4A
Other languages
Chinese (zh)
Inventor
许立波
叶博洋
赵飞飞
卫义
王海涛
费登科
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Anhui Zhongan Ruiyu Technology Co ltd
Original Assignee
Anhui Zhongan Ruiyu Technology Co ltd

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55: Detecting local intrusion or implementing counter-measures
    • G06F21/554: Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F40/00: Handling natural language data
    • G06F40/20: Natural language analysis
    • G06F40/253: Grammatical analysis; Style critique
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06N: COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N20/00: Machine learning


Abstract

The invention provides a data processing method and a data processing device, relates to the technical field of databases, and mainly solves the technical problem of correlating a user HTTP request event with a database SQL response event. The invention comprises the following steps: the business server creates a request processing thread for each request, wherein the request processing threads of different requests are isolated from each other; in each request processing thread, the business server uses an HTTP plug-in to intercept the web request and acquire web request data, and uses an SQL plug-in to intercept the SQL request and acquire SQL request data; and the business server correlates the web request data and the SQL request data in each request processing thread to obtain correlated data. The invention correlates the web request data with the SQL request data with 100 percent accuracy, reduces the association error rate of the data center platform, and also achieves accurate positioning and accurate tracing of the data.

Description

Data processing method and device
Technical Field
The present invention relates to the field of database technologies, and in particular, to a data processing method and apparatus.
Background
Under the data center platform architecture, besides the traditional data interaction between the browser and the Web server and between the Web server and the database server, there is also data interaction between the Web server and the API server, between API servers, and between the API server and the database server. In applications of this architecture, it is difficult to associate a user HTTP request event with the database's SQL response event one-to-one.
A traditional database auditing system has difficulty accurately correlating the two kinds of information under the data center platform, user requests and data queries, and cannot achieve accurate positioning and accurate tracing of security events.
Some existing data association methods build association models to associate, after the fact and manually, semi-automatically or fully automatically, HTTP audit logs and SQL audit logs that were audited independently. These association models generally rely on timestamps, probability statistics, association rules, SQL template learning or similar methods, which in principle can hardly reach a 100% association rate; under high concurrency and heavy traffic in particular, the association error rate of a data center platform rises sharply.
In the prior art, bidirectional HTTP data is mirrored in front of the Web server, and bidirectional TDS data is mirrored in front of the SQL server. Keywords contained in the HTTP response content and in the SQL result are fuzzy-matched, and the HTTP request and the SQL request are associated when the match succeeds. Under the heavy concurrency of a data center platform architecture, similar queries (with similar result sets) issued in the same time window are wrongly correlated, so accurate positioning and accurate tracing cannot be achieved.
In addition, in the prior art, after the user HTTP request event is associated with the SQL response event of the database, the data protection measures in the database are taken to judge the abnormal operation of the user and to perform operations such as profiling the user's behavior, so that the user request event and the data in the database are attacked at any time, the user data is stolen, and the database data is stolen.
Disclosure of Invention
One of the purposes of the present invention is to provide a data processing method and apparatus, which solve the technical problem of associating a user HTTP request event with a database SQL response event in the prior art. Advantageous effects can be achieved in preferred embodiments of the present invention, as described in detail below.
In order to achieve the purpose, the invention provides the following technical scheme:
the invention relates to a data processing method, which comprises the following steps:
the service server creates request processing threads for the requests, wherein the request processing threads of different requests are isolated from each other;
the business server adopts an HTTP plug-in to intercept the web request and acquire web request data, and adopts an SQL plug-in to intercept the SQL request and acquire SQL request data in each request processing thread;
and the business server correlates the web request data and the SQL request data in each request processing thread to obtain correlated data.
Further, the method also comprises the following steps:
and after the service is started, the business server loads the HTTP plug-in and the SQL plug-in by adopting a JVM process, and the HTTP plug-in and the SQL plug-in are added into a class for processing requests in advance by adopting a java byte code instrumentation technology.
Further, the service server is a web server or an API server.
Further, the associated data includes: user IP, login account, browser information, request URL, request time, request identifier, SQL statement, operated table name, data field name, SQL response time, SQL response status, number of rows returned by the SQL, database information and Web server information.
Further, the method also comprises the following steps:
and the audit server acquires the associated data from the service server and performs data protection and/or novel data attack detection according to the associated data.
Further, the data protection includes:
performing SQL injection judgment based on syntactic analysis; and/or
threat ranking is based on machine learning.
Further, the SQL injection determination based on the syntax analysis includes:
after SQL statement analysis is carried out on the associated data, an abstract syntax tree is obtained;
and determining the taint condition of each statement block by deeply traversing the abstract syntax tree.
Further, the threat ranking based on machine learning includes:
and judging the threat level of the associated data by using a Real Adaboost algorithm and an FP-growth algorithm.
Further, the novel data attack detection comprises:
and a big data analysis technology and a machine learning technology are adopted, and novel data attacks are identified through access frequency, access time, access intention and access behaviors.
The invention also comprises a data processing apparatus comprising:
a business server, an HTTP plug-in and an SQL plug-in;
the service server is used for creating request processing threads for the requests, wherein the request processing threads of different requests are isolated from each other; in each request processing thread, adopting an HTTP plug-in to intercept a web request and obtain web request data, and adopting an SQL plug-in to intercept an SQL request and obtain SQL request data; and correlating the web request data and the SQL request data in each request processing thread to obtain correlated data.
The data processing method and the data processing device provided by the invention at least have the following beneficial technical effects:
1. solve the data association problem under the data middle platform architecture
The distributed application service system is deployed in a non-invasive soft probe mode, is not influenced by a network architecture, supports a virtualization and cloud environment, and meets auditing requirements of the distributed application service system. The method and the system realize the accurate association of background database access and foreground specific access requests under a data center architecture, and provide an accurate data basis for the analysis and traceability of post security events.
2. Improving detection capability for novel data attacks such as credential stuffing and promotion abuse ("wool pulling")
Traditional database attackers mainly use SQL injection, remote overflow, vulnerability exploitation and similar methods, and defenses against traditional database attacks rely mainly on devices such as firewalls and on signature matching. Novel data attacks such as credential stuffing, database dumping, malicious registration and promotion abuse ("wool pulling") are carried out within the range allowed by the existing security defense system and show no distinctive attack signature, so they are difficult to detect. Aiming at the characteristics of novel data attacks, a technical scheme for analyzing data access behavior is designed: big data analysis and machine learning are used, and novel data attacks are identified through access frequency, access time, access intention and access behavior.
3. Solve the problem of high false alarm of data auditing equipment
The traditional database auditing equipment mainly depends on rules, on one hand, the traditional database auditing equipment has certain defense aiming at a known attack form, and has no protection capability aiming at unknown attack, and on the other hand, even if the traditional database auditing equipment is a known attack behavior, the traditional database auditing equipment has the problem that a defense mechanism bypasses due to the natural limitation of a regular expression and extremely flexible and changeable grammars of languages such as shell, php and the like. The SQL request submitted by the data visitor is parsed through an SQL parsing technology, and the legality of the data request is judged through the parsing without depending on a rule base, so that the problem of high false alarm of database auditing equipment is solved.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
FIG. 1 is a schematic flow diagram of a data processing method of the present invention;
FIG. 2 is a schematic diagram of the structure of the data processing method of the present invention;
FIG. 3 is a SQL taint level relationship diagram of a SQL injection decision method based on syntactic analysis;
FIG. 4 is a schematic diagram of the structure of the data processing apparatus of the present invention;
FIG. 5 is a functional flow diagram of a data processing apparatus of the present invention;
FIG. 6 is a schematic diagram of a system based on a data processing device according to the present invention.
In the figure, 1 is a business server, 2 is an HTTP plug-in and 3 is an SQL plug-in.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the technical solutions of the present invention will be described in detail below. It is to be understood that the described embodiments are merely exemplary of the invention, and not restrictive of the full scope of the invention. All other embodiments, which can be derived by a person skilled in the art from the examples given herein without any inventive step, are within the scope of the present invention.
Referring to fig. 1 and 2, a data processing method of the present invention includes:
s1: the service server creates request processing threads for the requests, wherein the request processing threads of different requests are isolated from each other;
s2: the business server adopts an HTTP plug-in to intercept the web request and acquire web request data, and adopts an SQL plug-in to intercept the SQL request and acquire SQL request data in each request processing thread;
s3: and the business server correlates the web request data and the SQL request data in each request processing thread to obtain correlated data.
The invention associates 100% of the web request data of the service server with the SQL request data of the database, and greatly reduces the association error rate of the data in the case of high concurrency and large flow. According to the method, under the large concurrence of the data center platform framework, query requests of similar queries (with similar result sets) under the same time dimension cannot be correlated in error, and accurate positioning and accurate source tracing of data are achieved.
Preferably, the present invention further comprises:
and after the service is started, the business server loads the HTTP plug-in and the SQL plug-in by adopting a JVM process, and the HTTP plug-in and the SQL plug-in are added into a class for processing requests in advance by adopting a java byte code instrumentation technology.
Preferably, the service server is a web server or an API server.
The associated data includes: user IP, login account, browser information, request URL, request time, request identifier, SQL statement, operated table name, data field name, SQL response time, SQL response status, number of rows returned by the SQL, database information and Web server information.
It will be appreciated that the above-described,
the invention provides a data association method based on a data center architecture, which specifically comprises the following operations:
deploying a software probe in the Web server, adding an interception code in a Class of Web middleware processing requests through a java byte code instrumentation technology, acquiring all data requests sent by a visitor to the server through a monitoring application program Class, and acquiring data contents returned to the visitor by the server. The monitoring of the whole data interaction process is realized on the premise of not modifying application program codes and monitoring network flow.
The software probe is deployed on a Web server or an API server, and after the Web application or the API server is started, the HTTP plug-in library and the SQL plug-in library are loaded through a JVM process.
In the data center platform architecture, an API server is generally arranged between the Web server and the database server for service transfer, the probe can be deployed in the API server, multi-layer forwarding is supported, and the full monitoring of the service data interaction process among the user terminal, the Web server, the API server and the database server is realized.
When a user initiates an HTTP request, the Web server or API server creates a request processing thread, and the HTTP plug-in intercepts the Web request and generates Web request data, which includes the request identifier and the acquired metadata.
When the JVM process executes the SQL request, the SQL request is intercepted by the SQL plug-in, and the execution result of the SQL statement (i.e. the SQL request data) is recorded, including information such as SQL operation metadata, operation type, operation result, and number of rows returned.
The software probe isolates threads, so that web request data and SQL operation data can be correlated with 100% accuracy. The associated data includes: user IP, login account, browser information, request URL, request time, request identifier, SQL statement, operated table name, data field name, SQL response time, SQL response status, number of rows returned by the SQL, database information, Web server information and the like, providing an accurate data basis for after-the-fact data analysis.
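The thread-scoped association described above, as an added sketch that is not the patent's code: Python's `threading.local` stands in for the per-thread isolation of the JVM request threads, and the `Probe` class, its hook names and the sample requests are hypothetical and constructed. Every request issues the same SQL text at the same moment, which is the case where timestamp or keyword matching mis-associates.

```python
import threading
import uuid


class Probe:
    """Toy in-process probe: an HTTP hook and an SQL hook sharing per-thread state."""

    def __init__(self):
        self._ctx = threading.local()   # one slot per request-processing thread
        self._lock = threading.Lock()
        self.records = []               # associated data, one entry per SQL call

    def http_enter(self, user_ip, account, url):
        # HTTP hook: tag the current thread with this request's identity.
        self._ctx.request = {
            "request_id": uuid.uuid4().hex,
            "user_ip": user_ip,
            "account": account,
            "url": url,
        }

    def http_exit(self):
        # Clear the slot so a pooled thread cannot leak it into the next request.
        self._ctx.request = None

    def sql_hook(self, sql, params, rows_returned):
        # SQL hook: runs on the thread that executes the statement, so the slot
        # it reads can only belong to the request that issued the SQL.
        request = getattr(self._ctx, "request", None) or {"request_id": None}
        record = {**request, "sql": sql, "params": params, "rows": rows_returned}
        with self._lock:
            self.records.append(record)
        return record


def handle_request(probe, barrier, user_ip, account):
    """Constructed request handler: one HTTP request that runs two SQL statements."""
    probe.http_enter(user_ip, account, "/api/orders")
    try:
        barrier.wait(timeout=5)  # force every request to be in flight at once
        probe.sql_hook("SELECT id FROM orders WHERE owner = ?", (account,), 3)
        probe.sql_hook("SELECT name FROM users WHERE login = ?", (account,), 1)
    finally:
        probe.http_exit()


def run_concurrent_requests(n):
    """Run n simultaneous requests, one thread each, and return the probe."""
    probe = Probe()
    barrier = threading.Barrier(n)
    threads = [
        threading.Thread(
            target=handle_request,
            args=(probe, barrier, f"10.0.0.{i + 1}", f"user{i}"),
        )
        for i in range(n)
    ]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return probe


if __name__ == "__main__":
    for r in run_concurrent_requests(8).records:
        print(r["request_id"][:8], r["user_ip"], r["account"], r["sql"])
```

An SQL call made on a thread with no request context is recorded with `request_id` set to `None` rather than being attached to a neighbouring request.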
The invention also includes:
and the audit server acquires the associated data from the service server and performs data protection and/or novel data attack detection according to the associated data.
Preferably, the data protection includes:
performing SQL injection judgment based on syntactic analysis; and/or
threat ranking is based on machine learning.
Preferably, the SQL injection determination based on the syntax analysis and/or the threat classification based on the machine learning each include:
and carrying out SQL coding preprocessing and lexical analysis algorithm on the associated data.
It can be understood that based on the data association method under the data center architecture in the foregoing, the HTTP request data and the SQL request data of the user can be acquired, and 100% accurate association is realized. The invention simplifies the traditional SQL code preprocessing and lexical analysis flow, and realizes the data protection under the data center platform architecture by the SQL injection judgment method based on the syntactic analysis and the threat classification technology based on the machine learning based on the coded SQL request metadata.
The SQL injection judgment based on the syntax analysis comprises the following steps:
after SQL statement analysis is carried out on the associated data, an abstract syntax tree is obtained;
and determining the taint condition of each statement block by deeply traversing the abstract syntax tree.
It should be noted that, in the following description,
The SQL injection judgment method based on syntactic analysis parses the SQL statement to obtain an abstract syntax tree containing the code's syntactic information; the taint condition of each sub-statement block can then be detected by a depth-first traversal of the syntax tree. The taint information of each layer of statement blocks is fed back to the abstract statement block above it, layer by layer, to finally judge whether the system is under SQL injection attack.
By designing a specific data structure for recording taint information, not only can character string information corresponding to a specific taint statement be recorded, but also position information of the statement containing the taint information in an abstract syntax tree and Token state information of the taint statement can be recorded. The application program can analyze the attack type according to the state of Token, and set different types of early warning mechanisms according to different attack types. The hierarchical relationship of the taint nodes is described by the structural form of the ternary tree, and the structure is shown in figure 3.
Fig. 3 is explained:
the left child node of each node represents that the node belongs to a 'brother' relationship with the node, and represents in the hierarchical relationship of the SQL statement block, and the left child node are semantically in the same layer, namely belong to different components of the same statement block.
The middle child node of each node describes the character taint state corresponding to Token of the current statement block, and the node is a leaf node.
The right child node of each node is represented as a child statement block of the statement block represented by the node of the layer in the SQL statement hierarchical relationship.
In the ternary tree data structure, taint data information is recorded in all leaf nodes, and a path from the root node to a leaf node represents the position of the taint information in the SQL syntax tree. In the data structure depicted in fig. 3, if the left child node of a node is empty, the node either has no sibling statement block or its sibling statement blocks contain no taint information; if the middle child node is empty, the character string corresponding to the Token of the current node does not contain taint information; and if the right child node is empty, the statement block corresponding to the current node either has no sub-statement block or its sub-statement blocks contain no taint information. The nodes describe the Token information and taint character string information of each component in the SQL statement block, and the positions of taint information in the syntax tree can be clearly found by traversing the ternary tree.
The algorithmic process for determining whether taint information is contained based on the data protection technique of the syntactic analysis is described as follows:
(1) Access a statement block of the syntax tree; if the current statement block has a sub-statement block, recursively access the sub-statement block until a statement block no longer contains sub-statement blocks.
(2) Judge whether the current statement block has other statement blocks at the same level; if so, traverse the next statement block at the same level depth-first according to step (1) and obtain the returned child node information. If the node information of the current statement block is null, generate a new node, wherein the right child node and the child node of the new node are null, and the returned node is the right child node of the current new node. If the node information of the current statement block is not null, set the returned node as the left child node of the current node.
(3) Judge whether the character string corresponding to the Token of the current statement block is a taint character string; if it is, judge whether the node information of the current statement block is empty. If the current statement block node is not empty, set the child node as the middle node of the current statement block node.
(4) Judge whether the current statement block contains a sub-statement block; if not, traverse the syntax tree of the sub-statement block depth-first according to step (1) to obtain the node information returned by the sub-statement block. If the node information of the current statement block is null, generate a new node, wherein the left child node and the middle child node of the new node are null, and the returned node is the right child node of the current new node. If the node information of the current statement block is not null, set the returned node as the right child node of the current node.
(5) Return the current node to the statement block one layer up: if the current node is null, return a null pointer; if the current node is not null, return the corresponding node.
The algorithm finally judges whether the injection attack occurs by judging whether the node information returned by the SQL statement block is empty, if so, the injection attack does not occur, otherwise, the attack is proved to occur. If the attack occurs, the detailed taint character string information and the hierarchical structure of the statement block where the taint character string information is located are recorded in the taint information corresponding to the node information. The specific attack type may be determined based on the hierarchy. And setting corresponding early warning mechanisms according to different attack types.
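The ternary taint tree explained for Fig. 3 (left child for the sibling block, middle child for the block's own tainted Token string, right child for sub-statement blocks), as an added sketch that is not the patent's code. The `Block` and `TaintNode` types, the rule that user-supplied text is tainted unless it is a literal value, and the hand-built statement trees are assumptions made for this example; no SQL parser is involved.

```python
from dataclasses import dataclass, field
from typing import Iterator, List, Optional, Tuple


@dataclass
class Block:
    """One statement block of a parsed SQL statement (hand-built here)."""
    kind: str                 # e.g. "select", "where", "operator", "literal"
    text: str                 # source text of the block's Token
    from_user: bool = False   # Token text originated in request input
    children: List["Block"] = field(default_factory=list)


@dataclass
class TaintNode:
    kind: str
    left: Optional["TaintNode"] = None    # next sibling block on the same level
    middle: Optional[str] = None          # leaf: tainted string of this block's Token
    right: Optional["TaintNode"] = None   # first sub-statement block


def is_tainted(block: Block) -> bool:
    # Assumed taint rule: user input may only ever appear as a literal value.
    return block.from_user and block.kind != "literal"


def build(siblings: List[Block], i: int = 0) -> Optional[TaintNode]:
    """Depth-first build; returns None when nothing at or below is tainted."""
    if i >= len(siblings):
        return None
    block = siblings[i]
    right = build(block.children)   # sub-statement blocks first
    left = build(siblings, i + 1)   # then the remaining blocks on this level
    middle = block.text if is_tainted(block) else None
    if left is None and middle is None and right is None:
        return None                 # clean branch: feed "no taint" upward
    return TaintNode(block.kind, left, middle, right)


def taint_paths(node: Optional[TaintNode], prefix=()) -> Iterator[Tuple[str, str]]:
    """Yield (position in the syntax tree, tainted string) for every leaf."""
    if node is None:
        return
    here = prefix + (node.kind,)
    if node.middle is not None:
        yield "/".join(here), node.middle
    yield from taint_paths(node.right, here)    # descend one level
    yield from taint_paths(node.left, prefix)   # sibling: same level


def analyse(statement: Block):
    root = build([statement])
    return root is not None, list(taint_paths(root))


def sample_statement(injected: bool) -> Block:
    """Constructed input: WHERE clause built from a request parameter."""
    def cmp(text, parts):
        return Block("comparison", text, children=parts)
    where = [cmp("id = '42'", [Block("identifier", "id"), Block("operator", "="),
                                Block("literal", "'42'", from_user=True)])]
    if injected:  # parameter value closed the quote and added a predicate
        where = [
            cmp("id = ''", [Block("identifier", "id"), Block("operator", "="),
                            Block("literal", "''", from_user=True)]),
            Block("operator", "OR", from_user=True),
            Block("comparison", "'1' = '1'", from_user=True, children=[
                Block("literal", "'1'", from_user=True),
                Block("operator", "=", from_user=True),
                Block("literal", "'1'", from_user=True)]),
        ]
    return Block("select", "SELECT", children=[
        Block("columns", "name"), Block("from", "users"),
        Block("where", "WHERE", children=where)])


if __name__ == "__main__":
    for injected in (False, True):
        print(injected, analyse(sample_statement(injected)))
```

A `None` root is the "no injection" verdict; otherwise each path gives the statement level at which user input left the literal position, which is what an alerting rule would key on.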
The machine learning based threat ranking comprises:
and judging the threat level of the associated data by using a Real Adaboost algorithm and an FP-growth algorithm.
It should be noted that, in the following description,
The machine learning algorithms adopted by the invention are the Real Adaboost algorithm and the FP-growth algorithm. Protection against SQL injection is realized by matching features of the syntax tree, and 5 features of the abstract syntax tree are proposed, including: the number of subtrees, the height of the tree, the number of nodes of the first subtree and the type of the first node. From the information obtained by SQL encoding preprocessing, 3 features are extracted: the length of the character string, the number of times of encoding and the type of encoding. From the information obtained by the lexical analysis algorithm, features such as the number of keywords, the number of paired SQL keywords (such as select … to …, insert … into … and the like), the number of incomplete quotation marks, the number of complete quotation marks, whether the SQL contains comment symbols and whether the SQL contains connection symbols are extracted, and each item of the corresponding token list can also be used as a feature.
The threat classification technology is to concretize the classification result generated by the Real Adaboost algorithm, classify the sample according to the characteristics of the user input type, the coding mode and the like, compare the classification result generated by the Real Adaboost algorithm with the association rule generated by the FP-growth algorithm only when the classification result generated by the Real Adaboost algorithm is too close to the set threshold value, and jointly determine the classification result of the sample.
The Real Adaboost algorithm is that a function of dividing a plurality of disjoint subspaces and respectively calculating and outputting each subspace is added on the basis of the Adaboost M1 algorithm, and the core algorithm of the algorithm is as follows:
Given a training set: $(x_1, y_1), \ldots, (x_m, y_m)$;
Initial distribution of training set samples:
Figure BDA0002758898550000091
For $t = 1, 2, \ldots, T$ (T is the number of classifiers):
Divide the value space of each feature dimension into several disjoint subspace bins $(X_1, \ldots, X_m)$;
The output of each of the weak classifiers is computed,
Figure BDA0002758898550000092
where ε is a small positive constant used to smooth the output, usually taken to be
Figure BDA0002758898550000093
h (x) is a piecewise linear function with different output values at each subspace;
Calculate the normalization factor,
Figure BDA0002758898550000101
calculating the product of positive and negative samples with weights and sums on each subspace, and then adding the products;
Select the weak classifier h(x) with the smallest Z as the weak classifier chosen in this iteration: $Z_t = \min Z$, $h_t = \arg\min Z$;
Update the sample distribution: $D_{t+1}(i) = D_t(i)\exp[-y_i h_t(x_i)]$;
The final strong classifier is:
Figure BDA0002758898550000102
where b is a threshold, set by the user.
Since what is needed is the threat level of the sample, the output of the final strong classifier does not have the threshold b subtracted. Instead it is output as a percentage and compared with the threshold b, also converted to a percentage, with the following results:
h(x) is judged to be no threat;
$h(x) - b < (100-b)/3$ is judged as low threat;
$h(x) - b < 2(100-b)/3$ is judged as a medium threat;
$h(x) - b > 2(100-b)/3$ is judged as a high threat.
The FP-growth algorithm is an association rule mining algorithm improved from the Apriori algorithm. The algorithm adopts a method for generating the FP-tree to improve the process of mining a frequent item set of the Apriori algorithm. The algorithm reduces the times of scanning the database to 2, the database is scanned for the first time to count the occurrence frequency of each data item, the FP tree is created for the second time, and then a frequent item set is mined through the FP tree. Finally, by mining association rules through a frequent set of items, the database does not need to be scanned again in this step.
The algorithm for constructing the FP-tree is as follows:
Input: data set, minimum scale;
Output: FP tree, head pointer table;
traversing a data set, counting the occurrence times of each element item, and creating a head pointer table;
removing element items which do not meet the minimum value scale in the head pointer table;
and traversing the data set for the second time to create the FP tree. For each set of items in each dataset:
initializing an empty FP tree;
filtering and reordering each set of items;
the FP-tree is updated with this set of entries, starting from the root node of the FP-tree:
if the first element item of the current item set exists in a child node of the current node of the FP tree, updating the count value of the child node;
otherwise, creating a new child node and updating the head pointer table;
the process of recursively updating the FP-tree for the remaining elemental items of the current item set and the corresponding children of the current elemental item.
After the FP-tree is created, a frequent item set therein can be found according to the FP-tree, which is mainly divided into 3 steps: obtaining a conditional pattern base from the FP tree; constructing a conditional FP tree by using a conditional mode base; the above steps are iteratively repeated until the tree contains one element item.
After the frequent item sets are obtained, the association rules in them can be mined by joining and pruning items. Mining efficiency can be improved effectively by using the following rule: if a certain rule does not meet the minimum confidence requirement, then all subsets of that rule do not meet the minimum confidence requirement either.
For example, given the frequent item set {1,2,3,4}, the possible association rules are {1,2,3} → {4}, {1,2} → {3,4}, {1,4} → {2,3}, {1} → {2,3,4} and so on, 14 in total. If {1,2,3} → {4} does not satisfy the set minimum confidence requirement, then no rule whose suffix contains 4 holds, and the other 6 candidate association rules whose suffix contains 4 can be excluded.
Preferably, the novel data attack detection comprises:
using big data analysis and machine learning techniques to identify novel data attacks from access frequency, access time, access intention and access behavior.
It should be explained that the novel data attack detection method mainly aims to construct a profile of a user's normal behavior and to judge whether the current user behavior is abnormal by checking whether it deviates from the user behavior model. First, the characteristics of abnormal user behavior need to be extracted; then a data analysis method is applied to obtain valuable information from the mass data, and abnormal user behavior is found from that information.
The problems to be considered in user behavior modeling include: how to select suitable user behaviors from the many available to construct the user model; which user attributes need to be extracted to describe the selected behaviors; and how to extract suitable features from the existing data to assign values to the selected attributes. The user trust evaluation model is divided into 2 stages: a preprocessing stage and a log behavior trust evaluation stage.
The preprocessing stage comprises:
1) Metadata record database: stores the metadata records that are to be evaluated or whose evaluation has been completed.
2) Behavior feature acquisition: obtains the relevant feature parameter values from the various behavior attributes recorded in the log.
3) Trust evaluation method parameters: used by the trust value evaluation method; they strongly affect the quality of the evaluation result and can be adjusted manually.
4) Behavior trust evaluation: processes and analyzes the user behavior feature values using the trust value evaluation method.
5) Trust value evaluation result: the result obtained by the trust value evaluation method.
6) Comprehensive analysis and comparison: compares the trust value evaluation result obtained by the system with the example samples; the comparison result feeds back into the log record database and the trust value evaluation method parameters.
The user behavior trust level assignment strategy adopted by the invention follows the working idea of this model and provides an important reference for the evaluation method. The lower a user's behavior trust level, the higher the danger level of that user's access behavior; such users need to be marked as suspicious, and effective measures must be taken to limit them to normative operations. At present, the user behavior trust level is provisionally divided into 4 levels of 'high', 'medium' and 'low', the corresponding user suspicion levels are 'normal', 'low suspicious', 'medium suspicious' and 'high suspicious', and the user behavior trust value is denoted t. With dl, dm and dh as the thresholds that separate the user behavior trust levels, the suspicion level decision function based on user behavior trust is:
Figure BDA0002758898550000121
According to the invention, users whose trust has been high and stable over a long period can be added to the whitelist of the trusted user group on the basis of two indicators, the average trust and the trust standard deviation; for users in the trusted user group, behavior trust results are only spot-checked and updated intermittently.
The log behavior trust evaluation stage comprises the following steps:
1. Abnormal behavior feature extraction
Abnormal behavior features are extracted from the main kinds of abnormal user operation data by computing segmented statistics over different dimensions. The abnormal behavior features are shown in the following table.
Figure BDA0002758898550000131
2. Abnormal behavior analysis model
The invention uses the unsupervised w-iForest algorithm as the anomaly detection model and designs the following user abnormal behavior analysis models for different anomaly detection scenarios:
(1) Abnormal login: abnormal login by device fingerprint covers the same device fingerprint frequently registering, logging in, or modifying or resetting passwords within a certain time period, as well as frequent logins outside working hours. Login success and failure can be distinguished by the difference in the number of bytes of the instruction sent. Combined with the user log data provided by the non-invasive soft probe, various abnormal login models can be extracted, such as frequent login, brute-force cracking, login from a different location, and credential stuffing (library-collision) attacks. What brute-force cracking and credential stuffing have in common is that the same device fingerprint performs a large number of login operations, and the interval between logins is very short or follows a fixed pattern. Brute-force cracking is characterized by many password attempts against the same username, most of which fail, with few successes. A credential stuffing attack is characterized by each username being verified essentially only once, mostly failing because the username does not exist.
(2) Frequent login: the log records of users logging in to the system are fused with the user device fingerprints and aggregated, and the entropy of the access volumes is calculated; the access volumes follow a power law. Alarms are raised according to how far the access volume exceeds the power law, the likelihood of abnormality, and the level of the excess.
(3) Brute-force cracking: brute-force cracking is characterized by being executed by a program, a high login access frequency, and many password errors for the same username. A time-series model of accesses to the login page URL is built by learning; when the accesses deviate from the model, whether the frequent login behavior is brute-force cracking is judged from the success or failure of the login URL, the wrong passwords, the number of failed logins, and the user properties of the device fingerprint. For example, login success or failure is determined from the maximum number of wrong passwords a user is allowed and the number of bytes returned in the login URL log information, and device fingerprints whose login count exceeds a certain amount (10 times) are analyzed.
(4) Sensitive configuration item (key) operations: modifying database information without permission, modifying the database permissions of other accounts without permission, and the like.
(5) Login from a different location: the client does not log in from the user's registration region or usual access region. The client's region is determined from the client account, the login region is obtained from the IP login information, and the two are compared; if they are not the same region, the login is a remote login.
(6) Abnormal access: access records of different dimensions are collected from the visitor and the server, the protocol is analyzed in depth, and association analysis and comparison are performed to judge whether abnormal behavior or unknown threats exist, enabling early warning and early prevention.
(7) High-frequency operation: compared with the frequency of other users, a person repeats a specific pattern of operation many times within a certain time period, for example accessing and querying an information system more than 100 times within 30 minutes.
(8) Cross-region operation: a remote IP frequently accesses the local business system across regions to perform operations unrelated to work, for example a person in Shanghai often accessing an application system in Beijing.
(9) Sensitive behavior operation: some normal operations are abnormal in number and frequency, and some operations are unrelated or only weakly related to actual work. For example, the number of accesses to a certain business system rises within a certain time, certain specific information is accessed in a targeted manner, or a large amount of information is obtained through fuzzy queries.
(10) Sensitive key (condition) operation: sensitive information is queried and accessed beyond what the work requires, for example querying the personal information or schedules of leaders, or obtaining information about famous persons or about hot events.
(11) Special ultra-low-frequency operation: certain operations occur only under certain circumstances and only infrequently. Such operations warrant attention.
(12) High-frequency operation: frequent granting and revoking of database authorizations.
(13) Privileged operation (privilege escalation): after privileges are raised, more modifications can be made to the database and the business system, which brings more security risk and requires focused monitoring.
(14) Data export operation: batch data export and bulk file export behavior.
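The distinction drawn in models (1) and (3) between brute-force cracking and credential stuffing can be checked per device fingerprint, as in this added Python example (not code from the patent). Only the 10-login threshold comes from the text; the interval and share cut-offs, the event layout, the function name and the sample events are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from statistics import median, pstdev

LOGIN_THRESHOLD = 10      # from the text: analyze fingerprints above 10 logins
MAX_GAP_S = 2.0           # assumption: "very short" interval between logins
REGULAR_JITTER_S = 0.5    # assumption: spread below this means a fixed pattern
DOMINANT_SHARE = 0.8      # assumption: share that counts as "most"


def classify_fingerprints(events):
    """events: iterable of (timestamp, device_fingerprint, username, success).

    Returns {fingerprint: verdict} with verdict one of
    "normal", "frequent_login", "brute_force", "credential_stuffing".
    """
    by_fp = defaultdict(list)
    for ts, fp, user, ok in events:
        by_fp[fp].append((ts, user, ok))

    verdicts = {}
    for fp, rows in by_fp.items():
        rows.sort()
        if len(rows) <= LOGIN_THRESHOLD:
            verdicts[fp] = "normal"
            continue

        # Shared trait: many logins with short or regularly spaced intervals.
        gaps = [b[0] - a[0] for a, b in zip(rows, rows[1:])]
        scripted = median(gaps) <= MAX_GAP_S or pstdev(gaps) <= REGULAR_JITTER_S
        fail_share = sum(1 for _, _, ok in rows if not ok) / len(rows)

        per_user = Counter(user for _, user, _ in rows)
        # Brute force: one username takes most of the attempts.
        top_share = per_user.most_common(1)[0][1] / len(rows)
        # Credential stuffing: most usernames are tried exactly once.
        once_share = sum(1 for n in per_user.values() if n == 1) / len(per_user)

        if scripted and fail_share > 0.5 and top_share >= DOMINANT_SHARE:
            verdicts[fp] = "brute_force"
        elif scripted and fail_share > 0.5 and once_share >= DOMINANT_SHARE:
            verdicts[fp] = "credential_stuffing"
        else:
            verdicts[fp] = "frequent_login"
    return verdicts


# Constructed sample events (timestamps in seconds).
SAMPLE_EVENTS = (
    # fp-A: 12 tries against one account, 1 s apart, only the last succeeds.
    [(1000.0 + i, "fp-A", "alice", i == 11) for i in range(12)]
    # fp-B: 12 different usernames, 0.5 s apart, a single hit.
    + [(2000.0 + 0.5 * i, "fp-B", f"user{i:02d}", i == 7) for i in range(12)]
    # fp-C: three successful logins, below the analysis threshold.
    + [(3000.0 + 3600 * i, "fp-C", "bob", True) for i in range(3)]
    # fp-D: many logins on a fixed hourly schedule, all successful.
    + [(4000.0 + 3600 * i, "fp-D", "carol", True) for i in range(12)]
)

if __name__ == "__main__":
    for fingerprint, verdict in sorted(classify_fingerprints(SAMPLE_EVENTS).items()):
        print(fingerprint, verdict)
```

A fingerprint that logs in often but succeeds, such as fp-D, is left as "frequent_login" for the volume-based model (2) to score rather than being labelled an attack.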
3. Data analysis model training
First, forward model training (forward guidance method): forward model training obtains training samples directly through data analysis, based on feature values provided by the user. User information is extracted from the log and counted along various dimensions, and a suspect list is finally derived by filtering with a technical and tactical model preset from experience. The results of forward model training can be modified manually.
Second, reverse model training (reverse mining method): reverse model training searches the original log records according to samples provided by the user, and obtains training samples after analyzing the logs from all angles. Starting from a list of abnormal persons, a list of persons with similar behavior is mined. The results of reverse training can also be modified manually.
Third, model management: the results obtained by model training are managed and maintained.
Fourth, real-time model detection: a model is selected to mine and analyze the log and produce an analysis result. If the result deviates from the actual situation, the model can be adjusted and maintained through model management.
Model-assisted manual judgment: using big data visualization, the system provides a display interface for data analysis as an aid to manual judgment. By analyzing the feature values, it presents a preliminary analysis result through an intuitive interface, and an operator analyzes and judges the data from the visual result combined with the operator's own business experience.
Referring to fig. 4 and 5, the present invention also includes a data processing apparatus including:
a business server, an HTTP plug-in and an SQL plug-in;
the business server is used for creating request processing threads for requests, wherein the request processing threads of different requests are isolated from each other; in each request processing thread, the HTTP plug-in intercepts the web request and obtains web request data, and the SQL plug-in intercepts the SQL request and obtains SQL request data; the web request data and the SQL request data in each request processing thread are then associated to obtain associated data.
The method and the device achieve 100% association of the web request data and the SQL request data, reduce the association error rate in the data, achieve accurate positioning and accurate source tracing of the data, and provide a high-trust basis for the subsequent processing and analysis of the associated data.
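The per-thread association described above can be illustrated with thread-local storage, as in this added Python example (a stand-in for the Java plug-ins, not code from the patent). All function names, field names and sample requests are hypothetical; the example also clears the context when the request ends, an added precaution so that a pooled thread reused for non-web work does not inherit the previous request's identity.

```python
import threading
import time
import uuid
from concurrent.futures import ThreadPoolExecutor

_request_ctx = threading.local()   # one independent slot per processing thread
_audit_lock = threading.Lock()
AUDIT_LOG = []                     # associated records, one per SQL request


def http_plugin_enter(user_ip, account, url):
    """HTTP plug-in hook: capture web request data on the handling thread."""
    _request_ctx.web = {
        "request_id": uuid.uuid4().hex,
        "user_ip": user_ip,
        "account": account,
        "url": url,
        "request_time": time.time(),
    }


def http_plugin_exit():
    """Clear the slot so a reused pool thread starts with no web context."""
    if hasattr(_request_ctx, "web"):
        del _request_ctx.web


def sql_plugin_intercept(sql, params):
    """SQL plug-in hook: attach the current thread's web data to the SQL."""
    record = {"sql": sql, "params": params, "request_id": None,
              "user_ip": None, "account": None, "url": None}
    web = getattr(_request_ctx, "web", None)
    if web is not None:
        record.update(web)
    with _audit_lock:
        AUDIT_LOG.append(record)


def handle_request(user_ip, account, url):
    """Business logic for one web request issuing two SQL requests."""
    http_plugin_enter(user_ip, account, url)
    try:
        sql_plugin_intercept("SELECT id FROM orders WHERE owner = ?", (account,))
        time.sleep(0.01)  # let other request threads interleave
        sql_plugin_intercept("SELECT total FROM invoices WHERE owner = ?", (account,))
    finally:
        http_plugin_exit()


def nightly_job():
    """SQL issued outside any web request, possibly on a reused thread."""
    sql_plugin_intercept("DELETE FROM sessions WHERE expired = 1", ())


def run_demo(n_requests=8, workers=3):
    """Run constructed concurrent requests and return the associated records."""
    AUDIT_LOG.clear()
    with ThreadPoolExecutor(max_workers=workers) as pool:
        futures = [
            pool.submit(handle_request, f"198.51.100.{i}", f"user{i}", f"/orders?u={i}")
            for i in range(n_requests)
        ]
        for future in futures:
            future.result()
        pool.submit(nightly_job).result()
    return list(AUDIT_LOG)


if __name__ == "__main__":
    for rec in run_demo():
        print(rec["request_id"], rec["account"], rec["sql"])
```

The association holds only while the SQL runs on the thread that received the web request; work handed to another thread or executor needs the context passed along explicitly.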
It should be noted that, based on the data association method under the data center architecture, the invention achieves accurate association between background database accesses and specific foreground access requests. The audit logs serve as the basic data for data association analysis; user behavior profiling is achieved through technologies such as big data analysis and machine learning, and a threat intelligence base is combined to effectively prevent SQL injection, database dumping, credential stuffing, data bots and other data attacks. The invention can provide visual display of various risk data from macro to micro and assist analysis and decision-making. It effectively improves the ability to sense the security situation of internet business data and users' personal information under new conditions, changes passive defense into active defense, makes data security visible, forms a closed loop of early warning, notification and disposal workflows, and effectively prevents the damage to company reputation and the leakage of users' personal information caused by data leakage attacks.
The general flow chart for the functional implementation of the present device is shown in fig. 4.
The core functions realized by the device are as follows:
1) Data security: prevents batch information export or SQL injection attacks that use a legitimate or stolen identity and simulate legitimate business logic programmatically.
2) Risk control moved forward: human-machine recognition is performed before the client accesses the business system, the overall risk control is extended to the client, and risk control is thereby moved to the front.
3) Business security: promotion abuse and scalping, credential stuffing, brute-force cracking, inventory hoarding, coupon cracking, operation acceleration, and verification code bypassing.
4) Fingerprint tracing: the client is given a 'unique identification' and a panoramic access record, concealed attacks and forged-client attacks are identified, and tracing is accurate.
5) Encryption monitoring: the soft probe based on Java instrumentation performs panoramic monitoring of the data after it is decrypted at the application layer, which resolves the conflict between data encryption and data auditing.
The system architecture of the data processing device of the present invention is shown in fig. 6:
1. Information acquisition layer
The core technology of the non-invasive soft probe is bytecode instrumentation, which obtains information from a program dynamically by inserting additional code into the program in order to capture its runtime information. On the one hand, the inserted code pushes a JS file to the data visitor's terminal device, which enables fingerprint tracking of the access terminal. On the other hand, the code monitors the program's runtime information, mainly acquiring the quintuple information, SQL statements, access time and access intention of each data access request.
The multidimensional fingerprint acquisition module is mainly used for acquiring the device fingerprint, in combination with the JS file that the non-invasive soft probe implants in the user terminal. In the invention, the characteristic parameters collected contain enough information entropy to distinguish the browsers of all users, for example the User-Agent string, which contains the names and exact version numbers of the operating system and browser. The pixels produced by different web sites rendering text or by WebGL rendering canvas elements differ. Fundamentally, each terminal device uses a different image processing engine, different export options and different compression levels, so the graphics drawn by each computer differ slightly; these patterns can be used to assign a specific number (fingerprint) to a user device and to identify different users. The JS file first draws the text with its selected font and size and adds the background color. Next, the script calls the canvas API to retrieve the canvas pixel data in dataURL format, which is essentially a Base64-encoded representation of the binary pixel data. Finally, the script takes the hash value of the text-encoded pixel data, which serves as the user device fingerprint and provides a basis for tracing and for collaborative defense.
The business threat intelligence module mainly collects information such as malicious mobile phone numbers, e-mail addresses, IPs (Internet Protocol addresses) and behaviors, and is mainly used to provide data support for the later behavior analysis module for novel data attacks.
2. Secure big data layer
The security big data analysis platform uses Elasticsearch as the storage engine for log data, alarm data, packet string data (PSTR) and session data, and establishes corresponding indexes for the log data, the alarm data and the session data respectively. This provides fast data association analysis and data playback, and an important basis for the subsequent identification of suspicious abnormal behavior.
The data storage module is mainly responsible for receiving the information submitted by the non-invasive soft probe, preprocessing the data set, screening out useless and invalid fields by means of data cleaning, filtering and the like, and generating and storing formatted metadata.
The comprehensive analysis module uses the processed data set for feature extraction: according to the characteristics of the data set, it extracts features that effectively express user behavior and distinguish normal users from abnormal users, and then detects potential abnormal behavior in the acquired data.
Traditional database auditing equipment relies mainly on rules. On the one hand, it offers some defense against known forms of attack but no protection against unknown attacks. On the other hand, even for known attack behavior, defense mechanisms can be bypassed because of the inherent limitations of regular expressions and the extremely flexible syntax of languages such as shell and PHP. Therefore, the system is designed to parse the SQL requests submitted by data visitors using SQL syntax analysis, to judge the legitimacy of a data request through syntactic and semantic analysis without relying on a rule base, and, combined with machine-learning-based threat classification, to solve the problem of high false alarm rates in database auditing equipment.
In addition to SQL syntax analysis, a data access behavior analysis scheme is designed and implemented for novel data attacks that existing security defense systems find difficult to detect, such as credential stuffing, database dumping, malicious registration and promotion abuse. It analyzes and mines SQL traffic behavior more deeply and uses big data behavior analysis to identify novel data attacks from access frequency, access time, access intention and access behavior. Through long-term monitoring and traffic collection of the network access of specific objects in the network, an access relationship model for each object is summarized automatically using machine learning. Real-time access data is matched against the access relationship model, and abnormal accesses that deviate from it are identified. Divergent association analysis and tracing are then performed in combination with fingerprint information and threat intelligence, so that suspicious behavior hidden in massive numbers of data requests, as well as advanced attacks and unknown threats in the network, can be found. This goes beyond the sensing capability of the feature matching and firewall IP and port filtering of traditional database auditing devices.
The result analysis module feeds the processed feature set into the machine learning model and uses the w-iForest algorithm as the anomaly detection model to form a user behavior profile. This is used to make an anomaly judgment on the threat information of novel data attack alarms in the event library, further improving the accuracy of threat alarms.
3. Function display layer
This layer mainly displays chart information such as real-time data access, asset overview, business damage, total number of attacks per time period, damaged assets, attack backtracking and attack data. It gives a convenient and intuitive view of the current security situation of multi-business transactions, the security condition of data assets, attack behavior and the like, and, combined with a comprehensive rating of attack type, frequency and scope of impact, it shows the user the attacks and damage suffered by the currently protected data assets. It helps the user locate key points, so that the client can learn of damage in time, quickly locate the damaged data assets, determine the scope of impact and form an emergency response plan.
The above description covers only specific embodiments of the present invention, but the scope of the present invention is not limited thereto; any change or substitution that a person skilled in the art can easily conceive of within the technical scope of the present invention shall be covered by the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the appended claims.

Claims (10)

1. A data processing method, comprising:
the business server creates request processing threads for requests, wherein the request processing threads of different requests are isolated from each other;
in each request processing thread, the business server uses an HTTP plug-in to intercept the web request and obtain web request data, and uses an SQL plug-in to intercept the SQL request and obtain SQL request data;
the business server associates the web request data and the SQL request data in each request processing thread to obtain associated data.
2. The data processing method of claim 1, further comprising:
after the service is started, the business server loads the HTTP plug-in and the SQL plug-in through the JVM process, and the HTTP plug-in and the SQL plug-in are added in advance, using Java bytecode instrumentation, to the class that processes requests.
3. The data processing method of claim 1, wherein the business server is a web server or an API server.
4. The data processing method of claim 1, wherein the associated data comprises: a user IP, a login account, browser information, a request URL, a request time, a request identifier, an SQL statement, an operated table name, a data field name, an SQL response time, an SQL response status, the number of rows returned by the SQL, database information and Web server information.
5. The data processing method according to any one of claims 1 to 4, further comprising:
the audit server acquires the associated data from the business server and performs data protection and/or novel data attack detection according to the associated data.
6. The data processing method of claim 5, wherein the data protection comprises:
performing SQL injection judgment based on syntactic analysis; and/or
performing threat ranking based on machine learning.
7. The data processing method of claim 6, wherein the SQL injection judgment based on syntactic analysis comprises:
obtaining an abstract syntax tree after performing SQL statement analysis on the associated data;
determining the taint condition of each statement block by depth-first traversal of the abstract syntax tree.
8. The data processing method of claim 7, wherein the machine learning based threat ranking comprises:
judging the threat level of the associated data using a Real AdaBoost algorithm and an FP-growth algorithm.
9. The data processing method of claim 5, wherein the novel data attack detection comprises:
using big data analysis and machine learning techniques to identify novel data attacks from access frequency, access time, access intention and access behavior.
10. A data processing apparatus, comprising:
a business server, an HTTP plug-in and an SQL plug-in;
the business server is used for creating request processing threads for requests, wherein the request processing threads of different requests are isolated from each other; in each request processing thread, the HTTP plug-in intercepts the web request and obtains web request data, and the SQL plug-in intercepts the SQL request and obtains SQL request data; the web request data and the SQL request data in each request processing thread are then associated to obtain associated data.
CN202011211262.4A 2020-11-03 2020-11-03 Data processing method and device Pending CN112199677A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011211262.4A CN112199677A (en) 2020-11-03 2020-11-03 Data processing method and device

Publications (1)

Publication Number Publication Date
CN112199677A true CN112199677A (en) 2021-01-08

Family

ID=74033033

Country Status (1)

Country Link
CN (1) CN112199677A (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113094110A (en) * 2021-04-07 2021-07-09 山东省计算中心(国家超级计算济南中心) Method and system for filtering serial port data
CN113297580A (en) * 2021-05-18 2021-08-24 广东电网有限责任公司 Code semantic analysis-based electric power information system safety protection method and device
CN114547697A (en) * 2022-04-27 2022-05-27 北京原点数安科技有限公司 Method, system and storage medium for obtaining user information for accessing SQL database
CN115085956A (en) * 2021-03-12 2022-09-20 ***通信集团广东有限公司 Intrusion detection method and device, electronic equipment and storage medium
CN115361242A (en) * 2022-10-24 2022-11-18 长沙市智为信息技术有限公司 Web attack detection method based on multidimensional feature network
CN117118752A (en) * 2023-10-23 2023-11-24 山东爱书人家庭教育科技有限公司 Method, system, device and medium for resisting information attack

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101388899A (en) * 2007-09-12 2009-03-18 北京启明星辰信息技术有限公司 Front-background related auditing method and system for Web server
CN103647794A (en) * 2013-12-31 2014-03-19 北京启明星辰信息安全技术有限公司 Data correlation method based on J2EE platform and correlation plug-in
CN104113598A (en) * 2014-07-21 2014-10-22 蓝盾信息安全技术有限公司 Three-layer auditing method for database
CN104143064A (en) * 2013-05-08 2014-11-12 朱烨 Website data security system based on association analysis of database activity and web access
CN106021576A (en) * 2016-05-31 2016-10-12 北京启明星辰信息安全技术有限公司 Information processing method, association plug-in, WEB server and system
CN106991322A (en) * 2016-01-21 2017-07-28 北京启明星辰信息安全技术有限公司 The detection method and device of a kind of SQL SQL injection attack
CN107832618A (en) * 2017-09-20 2018-03-23 武汉虹旭信息技术有限责任公司 A kind of SQL injection detecting system and its method based on fine granularity control of authority
CN107911466A (en) * 2017-11-29 2018-04-13 北京安华金和科技有限公司 A kind of association method under multi-layer framework
CN108563954A (en) * 2018-04-25 2018-09-21 杭州闪捷信息科技股份有限公司 The method of database risk detection based on association WEB requests
CN109918505A (en) * 2019-02-26 2019-06-21 西安电子科技大学 A kind of network security incident visualization method based on text-processing
CN110990168A (en) * 2019-11-27 2020-04-10 深信服科技股份有限公司 Three-layer associated information generation method and system, electronic equipment and storage medium

Patent Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101388899A (en) * 2007-09-12 2009-03-18 北京启明星辰信息技术有限公司 Front-background related auditing method and system for Web server
CN104143064A (en) * 2013-05-08 2014-11-12 朱烨 Website data security system based on association analysis of database activity and web access
CN103647794A (en) * 2013-12-31 2014-03-19 北京启明星辰信息安全技术有限公司 Data correlation method based on J2EE platform and correlation plug-in
CN104113598A (en) * 2014-07-21 2014-10-22 蓝盾信息安全技术有限公司 Three-layer auditing method for database
CN106991322A (en) * 2016-01-21 2017-07-28 北京启明星辰信息安全技术有限公司 The detection method and device of a kind of SQL SQL injection attack
CN106021576A (en) * 2016-05-31 2016-10-12 北京启明星辰信息安全技术有限公司 Information processing method, association plug-in, WEB server and system
CN107832618A (en) * 2017-09-20 2018-03-23 武汉虹旭信息技术有限责任公司 A kind of SQL injection detecting system and its method based on fine granularity control of authority
CN107911466A (en) * 2017-11-29 2018-04-13 北京安华金和科技有限公司 A kind of association method under multi-layer framework
CN108563954A (en) * 2018-04-25 2018-09-21 杭州闪捷信息科技股份有限公司 The method of database risk detection based on association WEB requests
CN109918505A (en) * 2019-02-26 2019-06-21 西安电子科技大学 A kind of network security incident visualization method based on text-processing
CN110990168A (en) * 2019-11-27 2020-04-10 深信服科技股份有限公司 Three-layer associated information generation method and system, electronic equipment and storage medium

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115085956A (en) * 2021-03-12 2022-09-20 ***通信集团广东有限公司 Intrusion detection method and device, electronic equipment and storage medium
CN115085956B (en) * 2021-03-12 2023-11-24 ***通信集团广东有限公司 Intrusion detection method, intrusion detection device, electronic equipment and storage medium
CN113094110A (en) * 2021-04-07 2021-07-09 山东省计算中心(国家超级计算济南中心) Method and system for filtering serial port data
CN113094110B (en) * 2021-04-07 2022-11-22 山东省计算中心(国家超级计算济南中心) Method and system for filtering serial port data
CN113297580A (en) * 2021-05-18 2021-08-24 广东电网有限责任公司 Code semantic analysis-based electric power information system safety protection method and device
CN113297580B (en) * 2021-05-18 2024-03-22 广东电网有限责任公司 Code semantic analysis-based electric power information system safety protection method and device
CN114547697A (en) * 2022-04-27 2022-05-27 北京原点数安科技有限公司 Method, system and storage medium for obtaining user information for accessing SQL database
CN115361242A (en) * 2022-10-24 2022-11-18 长沙市智为信息技术有限公司 Web attack detection method based on multidimensional feature network
CN117118752A (en) * 2023-10-23 2023-11-24 山东爱书人家庭教育科技有限公司 Method, system, device and medium for resisting information attack
CN117118752B (en) * 2023-10-23 2024-01-09 山东爱书人家庭教育科技有限公司 Method, system, device and medium for resisting information attack

Similar Documents

Publication Publication Date Title
CN110233849B (en) Method and system for analyzing network security situation
CN112199677A (en) Data processing method and device
CN107241352B (en) Network security event classification and prediction method and system
Azeez et al. Identifying phishing attacks in communication networks using URL consistency features
US8225402B1 (en) Anomaly-based detection of SQL injection attacks
CN111585955B (en) HTTP request abnormity detection method and system
US11716349B2 (en) Machine learning detection of database injection attacks
Han et al. Generating fake documents using probabilistic logic graphs
CN106961419A (en) WebShell detection methods, apparatus and system
Wenyin et al. Phishing Web page detection
CN111488590A (en) SQL injection detection method based on user behavior credibility analysis
US11100218B2 (en) Systems and methods for improving accuracy in recognizing and neutralizing injection attacks in computer services
CN111049819A (en) Threat information discovery method based on threat modeling and computer equipment
CN108023868A (en) Malice resource address detection method and device
US9600644B2 (en) Method, a computer program and apparatus for analyzing symbols in a computer
CN112817877B (en) Abnormal script detection method and device, computer equipment and storage medium
CN113067792A (en) XSS attack identification method, device, equipment and medium
CN117473571B (en) Data information security processing method and system
Adebiyi et al. An sql injection detection model using chi-square with classification techniques
Aliero et al. Review on SQL injection protection methods and tools
Abbott et al. Automated recognition of event scenarios for digital forensics
Montaruli et al. Raze to the ground: Query-efficient adversarial html attacks on machine-learning phishing webpage detectors
Sahin et al. An efficient firewall for web applications (EFWA)
Win et al. A simple and efficient framework for detection of sql injection attack
Atimorathanna et al. NoFish; total anti-phishing protection system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination