CN112217809A - Clinical risk early warning method and system based on libpcap - Google Patents


Info

Publication number
CN112217809A
Authority
CN
China
Prior art keywords
message
tds
sql statement
libpcap
early warning
Prior art date
Legal status
Pending
Application number
CN202011033521.9A
Other languages
Chinese (zh)
Inventor
唐夏
莫金龙
Current Assignee
Suining Haoyang Trading Co ltd
Original Assignee
Suining Haoyang Trading Co ltd
Priority date
Filing date
Publication date
Application filed by Suining Haoyang Trading Co ltd
Priority to CN202011033521.9A
Publication of CN112217809A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • G PHYSICS
    • G16 INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
    • G16H HEALTHCARE INFORMATICS, i.e. INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR THE HANDLING OR PROCESSING OF MEDICAL OR HEALTHCARE DATA
    • G16H 50/00 ICT specially adapted for medical diagnosis, medical simulation or medical data mining; ICT specially adapted for detecting, monitoring or modelling epidemics or pandemics
    • G16H 50/80 ICT specially adapted for medical diagnosis, medical simulation or medical data mining; ICT specially adapted for detecting, monitoring or modelling epidemics or pandemics for detecting, monitoring or modelling epidemics or pandemics, e.g. flu
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L 69/16 Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
    • H04L 69/161 Implementation details of TCP/IP or UDP/IP stack architecture; Specification of modified or new header fields

Landscapes

  • Engineering & Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • Computer Security & Cryptography (AREA)
  • Public Health (AREA)
  • Medical Informatics (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Databases & Information Systems (AREA)
  • Computing Systems (AREA)
  • Biomedical Technology (AREA)
  • Data Mining & Analysis (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Pathology (AREA)
  • Epidemiology (AREA)
  • General Health & Medical Sciences (AREA)
  • Primary Health Care (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a clinical risk early warning method based on libpcap, which comprises the following steps: a. acquiring the request packet of a request sent by a client; b. parsing the request packet according to a plurality of preset analysis rules to generate an analysis result containing a database table name and SQL statement field values; c. taking the database table name and the SQL statement field values from the analysis result and judging whether they match the preset database table name and SQL statement field values of the normal value; if so, sending a normal signal, and if not, sending an early warning signal. The invention also discloses a clinical risk early warning system based on libpcap. The method and the system can reduce the potential safety hazards of operations by internal personnel, by third-party maintenance personnel, through shared system accounts and through superuser accounts.

Description

Clinical risk early warning method and system based on libpcap
Technical Field
The invention relates to the field of risk early warning, in particular to a clinical risk early warning method and system based on libpcap.
Background
With the continuing deepening of enterprise informatisation, the business systems of enterprises become more and more complex, and security problems caused by improper operations of internal staff and of system operation and maintenance staff are increasingly prominent. Conventional security products such as firewalls, antivirus systems and intrusion detection systems solve part of the security problem, but they do not help against improper operations by internal personnel. As enterprises develop, for reasons of strategic positioning, manpower and others, non-core services are increasingly outsourced to equipment vendors or other professional maintenance agents, and how to effectively monitor the operations of equipment vendors and outsourced maintenance personnel is a key problem enterprises face. Strict regulations restrict the behaviour of only part of these people; effective execution of the security management system can be ensured only through strict authority control and operation auditing. In the traditional maintenance mode, internal operation and maintenance personnel and third-party maintenance personnel alike log in directly with a system account to complete system-level authentication and then carry out the maintenance operation. As the systems grow, the cross relationship between operation and maintenance personnel and system accounts becomes more and more complex, accounts are not unique to one person, and the password policy for system accounts is hard to enforce. If a password leaks, the leak cannot be traced; if a mistaken or malicious operation occurs, the person responsible cannot be traced. Generally, a manager determines whether a security event has occurred by checking whether the system log holds the traces left by an intrusion. From this point of view, the superusers of the system have long been in an unmanaged state.
Therefore, with the continuing deepening of enterprise informatisation, there exist the potential safety hazards of operations by internal personnel, by third-party maintenance personnel, through shared system accounts and through superuser accounts.
Disclosure of Invention
Aiming at these problems, the invention provides a clinical risk early warning method and system based on libpcap, which can reduce the potential safety hazards of operations by internal personnel, by third-party maintenance personnel, through shared system accounts and through superuser accounts.
In order to solve the technical problem, the invention provides a clinical risk early warning method based on libpcap, which comprises the following steps:
a. acquiring a request packet of a request sent by a client;
b. parsing the request packet according to a plurality of preset analysis rules to generate an analysis result containing a database table name and SQL statement field values;
c. taking the database table name and the SQL statement field values from the analysis result and judging whether they match the preset database table name and SQL statement field values of the normal value; if so, sending a normal signal, and if not, sending an early warning signal.
The working principle of the technical scheme is as follows:
a port mirror is configured so that the full network traffic to the database server is copied to a monitoring port, where it is captured with libpcap; the TCP segments are parsed out of the captured frames, and a plurality of TDS packets, request packets as well as response packets, are obtained from the TCP stream; a plurality of analysis rules for parsing the data in the TDS packets are stored, the request packets are parsed according to those rules, and an analysis result is output.
A common network layout comprises a server, a switch and clients. When the client accesses to the server must be observed in real time but operating on the server itself is inconvenient, port mirroring is used to copy the traffic, so that all of it can be monitored at a designated port. libpcap is a C function library that captures frames from a network interface. A program written in C listens on the interface continuously, and each frame that reaches the interface is captured by the program. The frames of interest carry TCP segments, and the TCP payload is an application protocol; in this application scenario it is the TDS (Tabular Data Stream) protocol, which is used to communicate with the database (Microsoft SQL Server). The TDS protocol is not fully public; with the help of the partial documentation published by Microsoft, part of its semantics can be recognised. A TCP segment consists of one header and one body. The TDS header is 8 bytes long, and its first byte, the packet type, states whether the packet is a request or a response: type 0x01 is a SQL batch and type 0x03 a remote procedure call, both sent by the client to the server, whereas type 0x04 is a tabular result returned by the server to the client. (The second byte is the status field, whose lowest bit marks the last packet of a message, and the third and fourth bytes hold the big-endian packet length including the header.) Finally the request packet is parsed according to the plurality of analysis rules and an analysis result is output. When implementing the capture it should be taken into account that TDS packets are not aligned with TCP segments, and that a long SQL batch is split over several TDS packets; the monitor therefore has to reassemble the TCP stream and concatenate the packets up to the one whose status byte carries the end-of-message bit before the SQL text is complete.
In a further technical scheme, the specific steps of step a are as follows:
a1, configuring a port mirror, acquiring the requests sent by client users, and forwarding the client traffic to a fixed port of the switch;
a2, capturing the frames through libpcap;
a3, parsing the TCP segment out of the captured frame, and obtaining the TDS packet from the TCP segment;
a4, acquiring the request packets from the TDS packets respectively.
In this technical scheme, when operating on the server itself is inconvenient, port mirroring makes it possible to know in real time which clients are accessing the server.
In a further technical solution, the TCP packet includes a TCP header packet and a TCP body packet, and the TCP body packet includes a TDS packet.
In the technical scheme, the TCP message is divided into 2 parts, namely a head part and a body part.
In a further technical solution, the step a3 further includes the following steps:
and parsing the IP addresses and port numbers of the client and of the server from the IP and TCP headers.
In this technical scheme, information such as the IP addresses and port numbers is parsed from the IP and TCP headers, while the TCP body carries the application protocol; in this application scenario that protocol is TDS, the protocol used to communicate with the database.
In a further technical scheme, the TDS messages include TDS header messages and TDS body messages, and the TDS body messages include SQL statement texts.
In a further technical scheme, between the step a and the step b, the method further comprises the following steps:
the TDS header message sends the TDS header message and the serial number to the server side from the client side.
In this solution, the TDS protocol is a non-fully disclosed protocol. With the help of microsoft published partial documentation, we recognize partial semantics in the TDS protocol. The TDS protocol also includes a TDS header and a TDS body. The TDS header indicates that the protocol is sent by the client to the server along with the sequence number. The TDS body is SQL statement text. SQL statement types are identified, such as select, insert, update, delete, etc.
In a further technical scheme, the specific steps of the step b are as follows:
b1, identifying the SQL statement type according to the plurality of analysis rules, matching the event and sending a templated notification to the designated user;
b2, identifying the SQL statement type according to the plurality of analysis rules, parsing the SQL statement, extracting the values of the fields in the SQL statement and matching the field values to obtain a matching result;
b3, obtaining the matching value from the matching result through the plurality of analysis rules.
In the technical scheme, after the SQL statement is identified, the SQL statement is analyzed, the values of the fields in the SQL statement are extracted, and then the values are matched to obtain the required matching values.
In a further technical solution, in step b3, different matching rules are established through multiple analysis rules according to the matching values and different usage scenarios.
In this technical scheme, different matching rules are established for different usage scenarios. A matching rule lists the table names whose events are to be recorded; when the table name obtained by parsing the SQL statement is not one of them, no rule is triggered and the event is not recorded, so nothing is sent to the manager.
In a further technical scheme, the step a4 comprises the following steps:
a4-1, setting TDS message judgment rules;
a4-2, judging according to the TDS packet judgment rule whether the packet in the TDS stream is a request packet; if so, parsing it, and if not, returning to step a1.
In this technical scheme, one frame is captured at a time. Each frame carries one TCP segment, and in the simple case one TCP segment carries one TDS packet (in general a TDS packet may span several segments, or one segment may carry several packets, so the TCP stream should be reassembled before the TDS headers are read). Each TDS packet carries exactly one state in its header: the packet is either a "request packet sent by the client to the server" or a "response packet returned by the server to the client". Request packets are parsed; response packets are not.
Finally, the contents sent by the user are obtained through the database table name and the SQL statement field values, and judgments are made on those contents: first, whether the content sent by the user is permitted; second, whether it contains specific keywords, and which ones. Different alarms are triggered on that basis.
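The packet handling of steps a2 to a4 (decoding the 8-byte TDS header, keeping only the packets the client sends to the server, concatenating the packets of a multi-packet SQL batch and recovering the SQL text), shown as an added example in Python that is not part of the patent or of the applicant's C program. It works on a byte string such as libpcap would deliver once the TCP stream has been reassembled; the sample traffic is constructed here. The header layout (type, status, length, SPID, packet id, window) and the type values follow the published MS-TDS specification; the ALL_HEADERS block assumed in front of the SQL text is the 22-byte block a TDS 7.2 or later client sends, and the packet-size split of 64 bytes is chosen only to force the batch over several packets.

```python
import struct

TDS_HEADER_LEN = 8

# Packet Type values from the MS-TDS 8-byte packet header (the first byte).
TDS_SQL_BATCH = 0x01        # client -> server: T-SQL batch text
TDS_RPC = 0x03              # client -> server: remote procedure call
TDS_TABULAR_RESULT = 0x04   # server -> client: response
TDS_LOGIN7 = 0x10           # client -> server: login
TDS_PRELOGIN = 0x12         # capability negotiation, both directions
STATUS_EOM = 0x01           # Status bit: this packet ends the message

CLIENT_REQUEST_TYPES = {TDS_SQL_BATCH, TDS_RPC, TDS_LOGIN7}


def parse_tds_header(buf):
    """Decode the 8-byte header: Type, Status, Length (big-endian, counts the
    header itself), SPID, PacketID, Window."""
    if len(buf) < TDS_HEADER_LEN:
        raise ValueError("short TDS header")
    ptype, status, length, spid, packet_id, window = struct.unpack(
        ">BBHHBB", buf[:TDS_HEADER_LEN])
    if length < TDS_HEADER_LEN:
        raise ValueError("bad TDS length %d" % length)
    return {"type": ptype, "status": status, "length": length,
            "spid": spid, "packet_id": packet_id, "window": window}


def is_client_request(header):
    """Step a4-2 of the method: keep only packets the client sends to the server."""
    return header["type"] in CLIENT_REQUEST_TYPES


def split_tds_packets(stream):
    """Yield (header, payload) for each TDS packet in a reassembled TCP stream.
    TDS packets are not aligned with TCP segments, so the caller must feed
    reassembled stream bytes rather than individual segments."""
    offset = 0
    while offset + TDS_HEADER_LEN <= len(stream):
        header = parse_tds_header(stream[offset:])
        end = offset + header["length"]
        if end > len(stream):
            break  # packet truncated; wait for more TCP data
        yield header, stream[offset + TDS_HEADER_LEN:end]
        offset = end


def reassemble_messages(stream):
    """Concatenate the packets of one message (same type) until STATUS_EOM,
    yielding (type, message_payload)."""
    pending = {}
    for header, payload in split_tds_packets(stream):
        pending.setdefault(header["type"], bytearray()).extend(payload)
        if header["status"] & STATUS_EOM:
            yield header["type"], bytes(pending.pop(header["type"]))


def sql_batch_text(payload):
    """Recover the T-SQL text of a SQL batch message. From TDS 7.2 the payload
    begins with ALL_HEADERS (little-endian DWORD total length 22, then one
    18-byte transaction-descriptor header of type 2); the text is UTF-16LE."""
    if len(payload) >= 10:
        total, hdr_len, hdr_type = struct.unpack("<IIH", payload[:10])
        if total == 22 and hdr_len == 18 and hdr_type == 2:
            payload = payload[total:]
    return payload.decode("utf-16-le", errors="replace")


def extract_client_sql(stream):
    """Input for step b: the SQL text of every client SQL batch in the stream."""
    return [sql_batch_text(body) for ptype, body in reassemble_messages(stream)
            if ptype == TDS_SQL_BATCH]


def build_sql_batch(sql, packet_size=4096):
    """Constructed client-side encoder, used only to produce sample traffic
    offline; a real capture gets these bytes from libpcap."""
    body = struct.pack("<IIHQI", 22, 18, 2, 0, 1) + sql.encode("utf-16-le")
    chunk = packet_size - TDS_HEADER_LEN
    pieces = [body[i:i + chunk] for i in range(0, len(body), chunk)] or [b""]
    out = b""
    for i, piece in enumerate(pieces):
        status = STATUS_EOM if i == len(pieces) - 1 else 0
        out += struct.pack(">BBHHBB", TDS_SQL_BATCH, status,
                           len(piece) + TDS_HEADER_LEN, 0, (i + 1) & 0xFF, 0) + piece
    return out


# Constructed sample: one server response packet, then a client SQL batch
# split over three 64-byte TDS packets.
SAMPLE_SQL = "insert into outpatient values ('11234','zhangsan','registration')"
SAMPLE_STREAM = (struct.pack(">BBHHBB", TDS_TABULAR_RESULT, STATUS_EOM, 8 + 4, 0, 1, 0)
                 + b"\xfd\x00\x00\x00"
                 + build_sql_batch(SAMPLE_SQL, packet_size=64))

if __name__ == "__main__":
    for header, _ in split_tds_packets(SAMPLE_STREAM):
        print("type=0x%02x status=%d len=%d client_request=%s" % (
            header["type"], header["status"], header["length"],
            is_client_request(header)))
    print(extract_client_sql(SAMPLE_STREAM))
```

The type check is done on the first header byte, not the second as the text above states, because that is where MS-TDS places the packet type; the RPC packets of type 0x03 carry their statement and parameters in a different structure and are only classified, not decoded, here.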
In order to solve the technical problems, the invention also provides a clinical risk early warning system based on libpcap, which comprises a data acquisition module, a data analysis module and an early warning module, wherein:
the data acquisition module is used for acquiring a request packet of a request sent by a client;
the data analysis module is used for parsing the request packet according to a plurality of preset analysis rules and generating an analysis result containing a database table name and SQL statement field values;
and the early warning module is used for taking the database table name and the SQL statement field values from the analysis result, judging whether they match the preset normal value, and sending a normal signal if so and an early warning signal if not.
The invention has the beneficial effects that:
1. when operating on the server itself is inconvenient, port mirroring makes it possible to know in real time which clients are accessing the server;
2. the acquisition unit readily acquires the requests and request packets sent by the client, the analysis unit generates an analysis result, and whether an early warning is raised is decided from that result, so the operational hidden danger from external personnel can be reduced;
3. the potential safety hazards of operations by internal personnel, by third-party maintenance personnel, through shared system accounts and through superuser accounts are reduced.
Drawings
FIG. 1 is a flow chart of a clinical risk early warning method based on libpcap according to an embodiment of the present invention;
fig. 2 is a flowchart illustrating a step S101 in a clinical risk early warning method based on libpcap according to an embodiment of the present invention;
FIG. 3 is a flowchart illustrating a step S102 in a clinical risk pre-warning method based on libpcap according to an embodiment of the present invention;
FIG. 4 is a flowchart illustrating a step S101-4 of a clinical risk early warning method based on libpcap according to an embodiment of the present invention;
fig. 5 is a schematic structural diagram of a clinical risk early warning system based on libpcap according to an embodiment of the present invention.
Description of reference numerals:
10. a data acquisition module; 11. a data analysis module; 12. and an early warning module.
Detailed Description
The embodiments of the present invention will be further described with reference to the accompanying drawings.
Example (b):
as shown in fig. 1, a clinical risk early warning method based on libpcap includes the following steps:
s101, acquiring a request packet of a client sending request.
S102, parsing the request packet according to a plurality of preset analysis rules to generate an analysis result containing the database table name and the SQL statement field values.
S103, taking the database table name and the SQL statement field values from the analysis result and judging whether they match the preset database table name and SQL statement field values of the normal value; if so, sending a normal signal, and if not, sending an early warning signal.
In this embodiment, a port mirror is configured so that the full network traffic to the database server is copied to a monitoring port, where it is captured with libpcap; the TCP segments are parsed out of the captured frames, and a plurality of TDS packets, request packets as well as response packets, are obtained from the TCP stream; a plurality of analysis rules for parsing the data in the TDS packets are stored, the request packets are parsed according to those rules, and an analysis result is output.
A common network layout comprises a server, a switch and clients. When the client accesses to the server must be observed in real time but operating on the server itself is inconvenient, port mirroring is used to copy the traffic, so that all of it can be monitored at a designated port. libpcap is a C function library that captures frames from a network interface; a program written in C listens on the interface continuously, and each frame reaching the interface is captured by it. The frames of interest carry TCP segments, and the TCP payload is an application protocol, in this scenario the TDS protocol used to communicate with the database (Microsoft SQL Server). TDS is not fully public; with the help of the partial documentation published by Microsoft, part of its semantics can be recognised. A TCP segment consists of one header and one body. The TDS header is 8 bytes long, and its first byte, the packet type, states whether the packet is a request or a response: types 0x01 (SQL batch) and 0x03 (remote procedure call) are requests sent by the client to the server, and type 0x04 (tabular result) is a response returned by the server. Finally the request packet is parsed according to the plurality of analysis rules and an analysis result is output. One limitation should be kept in mind: the method reads the SQL text in clear, so it only works when client and server have not negotiated TDS encryption in the Pre-Login exchange. With ENCRYPT_ON or ENCRYPT_REQ, and always with TDS 8.0 strict mode, the SQL batch travels inside TLS and the mirrored traffic shows nothing but TLS records. Likewise, the parameter values of an RPC call such as sp_executesql are carried in the RPC parameter structures rather than in the SQL text, so they need a separate parser.
In the above embodiment, the specific steps of step S101 are as follows:
S101-1, configuring a port mirror, acquiring the requests sent by client users, and forwarding the client traffic to a fixed port of the switch;
S101-2, capturing the frames through libpcap;
S101-3, parsing the TCP segment out of the captured frame, and obtaining the TDS packet from the TCP segment;
S101-4, acquiring the request packets from the TDS packets respectively.
In this embodiment, the port mirroring function forwards the data traffic of one or more source ports to a designated port on a switch or router in order to monitor the network; the designated port is called the "mirror port" or "destination port", and the traffic of the network can be monitored and analysed through the mirror port without seriously affecting the normal throughput of the source ports. Used within an enterprise, the mirroring function allows the enterprise's network data to be monitored and managed well, and when the network fails the fault can be located quickly. When operating on the server itself is inconvenient, port mirroring makes it possible to know in real time which clients are accessing the server.
libpcap is a C function library that captures frames from a network interface. A program written in C listens on the interface continuously; each frame that reaches the interface is captured by the program, and the captured frames of interest carry TCP segments. A BPF capture filter that restricts the capture to the database port (TCP port 1433 by default for SQL Server) keeps the unrelated mirrored traffic out of the program.
In the above embodiment, a TCP segment consists of a TCP header and a TCP body, and the TCP body carries the TDS packet. The IP addresses and port numbers are parsed from the IP and TCP headers, while the TCP body carries the application protocol; in this application scenario that protocol is TDS, the protocol used to communicate with the database.
In another embodiment, the specific steps of step S101-3 are as follows:
and parsing the IP addresses and port numbers of the client and of the server from the IP and TCP headers.
In this embodiment, information such as the IP addresses and port numbers is parsed from the IP and TCP headers, and the TCP body carries the application protocol; in this application scenario that protocol is TDS, the protocol used to communicate with the database. From the IP address and port number of the server side, the server being used can be determined.
In the above embodiment, a TDS packet consists of a TDS header and a TDS body, and the TDS body of a SQL batch contains the SQL statement text.
In this embodiment, the TDS protocol is not fully public; with the help of the partial documentation published by Microsoft, part of its semantics can be recognised. A TDS packet likewise consists of a TDS header and a TDS body. The TDS header indicates that the packet is sent by the client to the server and carries the packet sequence number. The TDS body of a SQL batch is the SQL statement text (encoded as UTF-16LE), from which the SQL statement type is identified, such as select, insert, update or delete.
In another embodiment, between step S101 and step S102, the following steps are further included:
the TDS header message sends the TDS header message and the serial number to the server side from the client side.
In this embodiment, the TDS protocol is a non-fully disclosed protocol. With the help of microsoft published partial documentation, we recognize partial semantics in the TDS protocol. The TDS header indicates that the protocol is sent by the client to the server along with the sequence number.
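Before relying on the TDS body being readable, a practitioner deploying this monitor should check how the client and server negotiated encryption, because the negotiation is the one part of the session that is always sent in clear (except in TDS 8.0 strict mode, where TLS comes first). The following added example, in Python and not part of the patent, decodes the ENCRYPTION option of a Pre-Login packet (type 0x12) and reports whether the later SQL batches will be visible on the mirror port. The option-table layout (token, big-endian offset and length, terminator 0xFF) and the ENCRYPTION values follow the MS-TDS specification; the encoder that produces the sample packets and the version number in them are constructed here.

```python
import struct

TDS_HEADER_LEN = 8
TDS_PRELOGIN = 0x12

# PRELOGIN option tokens and ENCRYPTION values from MS-TDS.
PRELOGIN_VERSION = 0x00
PRELOGIN_ENCRYPTION = 0x01
PRELOGIN_TERMINATOR = 0xFF
ENCRYPT_OFF, ENCRYPT_ON, ENCRYPT_NOT_SUP, ENCRYPT_REQ = 0x00, 0x01, 0x02, 0x03
TLS_HANDSHAKE_RECORD = 0x16   # first byte of a TLS ClientHello (TDS 8.0 strict)


def parse_prelogin_options(payload):
    """PRELOGIN payload: 5-byte entries (token, offset, length), terminated by
    0xFF; offsets are relative to the start of the payload. Returns
    {token: option_bytes}."""
    options, pos = {}, 0
    while pos + 5 <= len(payload):
        token = payload[pos]
        if token == PRELOGIN_TERMINATOR:
            break
        offset, length = struct.unpack(">HH", payload[pos + 1:pos + 5])
        options[token] = payload[offset:offset + length]
        pos += 5
    return options


def negotiated_encryption(server_prelogin):
    """The server's ENCRYPTION answer decides the outcome: OFF encrypts only the
    login packet, NOT_SUP encrypts nothing, ON and REQ encrypt the whole
    session. Returns None when the bytes are not a PRELOGIN packet at all."""
    if len(server_prelogin) < TDS_HEADER_LEN or server_prelogin[0] != TDS_PRELOGIN:
        return None
    options = parse_prelogin_options(server_prelogin[TDS_HEADER_LEN:])
    value = options.get(PRELOGIN_ENCRYPTION)
    return value[0] if value else None


def sql_text_visible(server_prelogin):
    """True only when the SQL batches that follow will be readable in clear."""
    return negotiated_encryption(server_prelogin) in (ENCRYPT_OFF, ENCRYPT_NOT_SUP)


def build_prelogin(encryption):
    """Constructed encoder for sample packets: a VERSION option (6 bytes,
    hypothetical version 15.0.2000.0) followed by a 1-byte ENCRYPTION option."""
    version = struct.pack(">BBHH", 15, 0, 2000, 0)
    enc = bytes([encryption])
    data_start = 2 * 5 + 1                      # two entries plus terminator
    table = struct.pack(">BHH", PRELOGIN_VERSION, data_start, len(version))
    table += struct.pack(">BHH", PRELOGIN_ENCRYPTION, data_start + len(version), len(enc))
    table += bytes([PRELOGIN_TERMINATOR])
    payload = table + version + enc
    header = struct.pack(">BBHHBB", TDS_PRELOGIN, 0x01,
                         TDS_HEADER_LEN + len(payload), 0, 1, 0)
    return header + payload


if __name__ == "__main__":
    for name, value in (("OFF", ENCRYPT_OFF), ("ON", ENCRYPT_ON),
                        ("NOT_SUP", ENCRYPT_NOT_SUP), ("REQ", ENCRYPT_REQ)):
        print("server ENCRYPT_%s -> SQL visible: %s" % (
            name, sql_text_visible(build_prelogin(value))))
    print("TLS-first session -> SQL visible:",
          sql_text_visible(b"\x16\x03\x01\x00\x05hello"))
```

In a deployment the check runs once per new TCP connection on the server's first packet; a False result means the early warning method of this patent cannot see the SQL statements on that connection, and a server configured to require encryption makes the whole method inapplicable.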
In the above embodiment, the specific steps of step S102 are as follows:
S102-1, identifying the SQL statement type according to the plurality of analysis rules, matching the event and sending a templated notification to the designated user;
S102-2, identifying the SQL statement type according to the plurality of analysis rules, parsing the SQL statement, extracting the values of the fields in the SQL statement and matching the field values to obtain a matching result;
S102-3, obtaining the matching value from the matching result through the plurality of analysis rules.
In this embodiment, the business system behind the SQL statements is a typical read-heavy scenario: about 90% of the statements are select statements, and the events of interest are the insert, update and delete statements. After the SQL statement type is identified, the insert, update and delete statements are parsed and the values of the fields in them are extracted. These values are then matched. For example, insert into outpatient values ('11234', 'zhangsan', 'registration') is an outpatient registration event, and insert into OP_medical_order values ('11234', 'oral shuanghuanglian') is an outpatient order event. Here "OP_medical_order" is the matching value of interest.
In the above embodiment, in step S102-3, different matching rules are established by a plurality of analysis rules according to the matching values and different usage scenarios.
In the present embodiment, different matching rules are established for different usage scenarios. For example, if the outpatient manager is interested in the registration event, the message can be sent to the designated person through the WeChat interface, the short message interface or a websocket; a notification issued to a designated lead of the radiology department can, for instance, be used to monitor the occurrence of COVID-19 cases. The plurality of analysis rules identifies the type of the SQL statement. For the statement insert into outpatient values ('11234', 'zhangsan', 'registration'), the SQL statement is parsed with a parser developed in-house and yields the following information: insert indicates an insert event, outpatient the table inserted into, 11234 field 1, zhangsan field 2 and registration field 3. For another statement, insert into abc values ('11234', 'zhangsan', 'registration'), the table name abc obtained after parsing matches no rule, so the event is not recorded and is therefore not sent to the administrator via WeChat.
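Steps S102 and S103 as an added example, in Python, that is not the applicant's parser: it identifies the statement type and table, splits the VALUES list with proper handling of quoted literals, and applies a rule table that names the monitored tables, the preset normal values of selected fields and the keywords that route an extra notification. The rule table, the notification targets and the sample statements are constructed for the example; only the two statements on the outpatient and OP_medical_order tables and the unmonitored abc table come from the text above.

```python
import re

# Table names and SQL keywords are compared case-insensitively, as SQL Server
# does under its default collations.
_IDENT = r"[\w.\[\]]+"
_INSERT = re.compile(
    r"^insert\s+into\s+(?P<table>" + _IDENT + r")\s*(?:\([^)]*\)\s*)?"
    r"values\s*\((?P<values>.*)\)\s*;?$", re.I | re.S)
_UPDATE = re.compile(r"^update\s+(?P<table>" + _IDENT + r")\s+set\b", re.I | re.S)
_DELETE = re.compile(r"^delete\s+from\s+(?P<table>" + _IDENT + r")", re.I | re.S)
_SELECT = re.compile(r"^select\b.*?\bfrom\s+(?P<table>" + _IDENT + r")", re.I | re.S)


def split_values(text):
    """Split a VALUES list on commas outside single-quoted literals and unquote
    the literals ('' inside a literal is an escaped quote, N'...' is Unicode)."""
    out, cur, in_str, i = [], [], False, 0
    while i < len(text):
        c = text[i]
        if in_str:
            if c == "'" and text[i + 1:i + 2] == "'":
                cur.append("'")
                i += 1
            elif c == "'":
                in_str = False
            else:
                cur.append(c)
        elif c == "'":
            in_str = True
            if cur == ["N"] or cur == ["n"]:
                cur = []                      # drop the N prefix of a Unicode literal
        elif c == ",":
            out.append("".join(cur).strip())
            cur = []
        elif not c.isspace():
            cur.append(c)
        i += 1
    out.append("".join(cur).strip())
    return out


def parse_statement(sql):
    """Step S102-2: statement type, target table and (for INSERT) the inserted
    values; None for statements the rules do not cover."""
    s = sql.strip()
    m = _INSERT.match(s)
    if m:
        return {"type": "insert", "table": m.group("table").replace("[", "").replace("]", ""),
                "values": split_values(m.group("values"))}
    for kind, rx in (("update", _UPDATE), ("delete", _DELETE), ("select", _SELECT)):
        m = rx.match(s)
        if m:
            return {"type": kind, "table": m.group("table").replace("[", "").replace("]", ""),
                    "values": []}
    return None


# Constructed rule set. Keys are lower-case table names; "expect" maps a VALUES
# position to the preset normal values of that field; "warn_on" lists statement
# types that are never normal on that table.
RULES = {
    "outpatient": {"event": "outpatient registration", "notify": "outpatient-manager",
                   "expect": {2: {"registration", "return visit"}},
                   "warn_on": {"delete", "update"}},
    "op_medical_order": {"event": "outpatient order", "notify": "pharmacy-lead",
                         "warn_on": {"delete"}},
}
# Constructed keyword rules: a keyword in a field value adds a notification target.
KEYWORD_RULES = {"chest ct": "radiology-lead"}


def evaluate(sql, rules=RULES, keyword_rules=KEYWORD_RULES):
    """Steps S102-3 and S103: returns (signal, event, notify_targets) where
    signal is 'ignored' (table not monitored, nothing recorded), 'normal'
    (matches the preset normal values) or 'warning'."""
    st = parse_statement(sql)
    if st is None or st["type"] == "select":
        return ("ignored", None, ())
    rule = rules.get(st["table"].lower())
    if rule is None:
        return ("ignored", None, ())
    targets = [rule["notify"]]
    if st["type"] in rule.get("warn_on", ()):
        return ("warning", rule["event"], tuple(targets))
    for pos, allowed in rule.get("expect", {}).items():
        normal = {a.lower() for a in allowed}
        if pos >= len(st["values"]) or st["values"][pos].lower() not in normal:
            return ("warning", rule["event"], tuple(targets))
    for keyword, target in keyword_rules.items():
        if any(keyword in v.lower() for v in st["values"]):
            targets.append(target)
    return ("normal", rule["event"], tuple(targets))


if __name__ == "__main__":
    for stmt in ("insert into outpatient values ('11234','zhangsan','registration')",
                 "insert into OP_medical_order values ('11234','oral shuanghuanglian')",
                 "insert into abc values ('11234','zhangsan','registration')",
                 "delete from outpatient where id = '11234'"):
        print(evaluate(stmt))
```

Only plain SQL batches are covered; statements executed through sp_executesql with bound parameters need the RPC parameter structures decoded first, and a regular-expression parser of this kind should be treated as a detection aid rather than a complete T-SQL grammar.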
In the above embodiment, the specific steps of step S101-4 are as follows:
s101-4-1, setting TDS message judgment rules;
S101-4-2, judging according to the TDS packet judgment rule whether a packet in the TDS stream is a request packet; if so, parsing it, and if not, returning to step S101-1.
In this embodiment, one frame is captured at a time. Each frame carries one TCP segment, and in the simple case one TCP segment carries one TDS packet (in general a TDS packet may span several segments, or one segment may carry several packets, so the TCP stream should be reassembled before the TDS headers are read). Each TDS packet carries exactly one state in its header, which says that the packet is a "request packet sent by the client to the server" or a "response packet returned by the server to the client"; only request packets are parsed.
Finally, the contents sent by the user are obtained through the database table name and the SQL statement field values, and judgments are made on those contents: first, whether the content sent by the user is permitted; second, whether it contains specific keywords, and which ones. Different alarms are triggered on that basis.
In another embodiment, as shown in fig. 5, a clinical risk early warning system based on libpcap is disclosed, which comprises a data acquisition module, a data analysis module and an early warning module, wherein:
the data acquisition module is used for acquiring a request packet of a request sent by a client;
the data analysis module is used for parsing the request packet according to a plurality of preset analysis rules and generating an analysis result containing a database table name and SQL statement field values;
and the early warning module is used for taking the database table name and the SQL statement field values from the analysis result, judging whether they match the preset normal value, and sending a normal signal if so and an early warning signal if not.
In this embodiment, the data acquisition module configures a port mirror, captures the client traffic with libpcap, parses the TCP segments out of the captured frames, obtains the TDS packets from the TCP stream, and picks out the request packet from each TDS message; a plurality of analysis rules for parsing the data in the TDS packets are stored, and the data analysis module parses the request packets according to those rules and outputs an analysis result. The early warning module judges whether the database table name and the SQL statement field values match the preset normal-value database table name and SQL statement field values, and sends a signal according to the result of that judgment.
The above examples only express the specific embodiments of the present invention, and the description thereof is more specific and detailed, but not to be construed as limiting the scope of the present invention. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the inventive concept, which falls within the scope of the present invention.

Claims (10)

1. A clinical risk early warning method based on libpcap is characterized by comprising the following steps:
a. acquiring a request packet of a request sent by a client;
b. parsing the request packet according to a plurality of preset analysis rules to generate an analysis result containing a database table name and SQL statement field values;
c. taking the database table name and the SQL statement field values from the analysis result and judging whether they match the preset database table name and SQL statement field values of the normal value; if so, sending a normal signal, and if not, sending an early warning signal.
2. The clinical risk early warning method based on libpcap as claimed in claim 1, wherein the specific steps of step a are as follows:
a1, configuring a port mirror, acquiring the requests sent by client users, and forwarding the client traffic to a fixed port of the switch;
a2, capturing the frames through libpcap;
a3, parsing the TCP segment out of the captured frame, and obtaining the TDS packet from the TCP segment;
a4, acquiring the request packets from the TDS packets respectively.
3. The clinical risk early warning method based on libpcap according to claim 2, wherein the TCP messages include a TCP header message and a TCP body message, and the TCP body message includes a TDS message.
4. The clinical risk pre-warning method based on libpcap as claimed in claim 3, wherein the step a3 further comprises the following steps:
and analyzing the IP address and port number information of the client server according to the TCP header message.
5. The clinical risk early warning method based on libpcap according to claim 3 or 4, wherein the TDS messages comprise TDS header messages and TDS body messages, and the TDS body messages comprise SQL sentence texts.
6. The clinical risk pre-warning method based on libpcap as claimed in claim 5, further comprising the following steps between the step a and the step b:
the TDS header message sends the TDS header message and the serial number to the server side from the client side.
7. The clinical risk early warning method based on libpcap as claimed in claim 5, wherein the specific steps of the step b are as follows:
b1, identifying the SQL statement type, matching events and sending template information to a specified user according to a plurality of analysis rules;
b2, identifying the SQL statement type according to the multiple analysis rules, analyzing the SQL statement, extracting the value of the field in the SQL statement, and matching the value of the field to obtain a matching result;
b3, obtaining a matching value through a plurality of analysis rules according to the matching result.
8. The clinical risk warning method based on libpcap as claimed in claim 7, wherein in the step b3, different matching rules are established by multiple analysis rules according to the matching values and different usage scenarios.
9. The clinical risk early warning method based on libpcap as claimed in claim 2, wherein the step a4 comprises the following steps:
a4-1, setting TDS message judgment rules;
a4-2, judging whether the packet in the TDS message is a request packet according to the TDS message judgment rule, if so, analyzing, and if not, entering the step a 1.
10. The clinical risk early warning system based on libpcap is characterized by comprising a data acquisition module, a data analysis module and an early warning module, wherein:
the data acquisition module is used for acquiring a request packet of a request sent by a client;
the data analysis module is used for analyzing the request packet according to a plurality of preset analysis rules and generating an analysis result containing a database table name and an SQL statement field value;
and the early warning module is used for calling the database table name and the SQL statement field value of the analysis result, judging whether the database table name and the SQL statement field value are matched with the preset normal value, if so, sending a normal signal, and if not, sending an early warning signal.
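As an added illustration of the procedure in claims 2, 7 and 9 (and of the module description above), not code from the patent: the request-packet check of step a4, one analysis rule of step b, and the normal-value comparison of step c, written in Python over a constructed TDS SQL batch packet. The 8-byte TDS header layout follows the public TDS specification; the table name, field names and allowed values are assumptions made for the demo.

```python
import re
import struct
# Constructed demo. A TDS packet starts with an 8-byte header (type, status, big-endian
# length including the header, SPID, packet id, window); a client SQL batch has type 0x01
# and carries its query as UTF-16LE text (the ALL_HEADERS prefix of newer TDS versions is omitted by assumption).
TDS_SQL_BATCH = 0x01

def build_sql_batch(sql):
    """Constructed helper: wrap a query in a TDS SQL batch packet for the demo."""
    body = sql.encode("utf-16-le")
    return struct.pack(">BBHHBB", TDS_SQL_BATCH, 0x01, 8 + len(body), 0, 1, 0) + body

def parse_tds_request(packet):
    """Step a4: return the SQL text if this is a client request (SQL batch), else None."""
    if len(packet) < 8:
        return None
    ptype, _status, length, _spid, _pkt_id, _window = struct.unpack(">BBHHBB", packet[:8])
    if ptype != TDS_SQL_BATCH or length != len(packet):
        return None  # a server response, or a truncated/malformed packet
    return packet[8:length].decode("utf-16-le", errors="replace")

def analyze(sql):
    """Step b: one analysis rule (UPDATE) returning (table, {field: value}) or None."""
    m = re.match(r"\s*UPDATE\s+(\w+)\s+SET\s+(.+?)(?:\s+WHERE\b.*)?\s*;?\s*$", sql, re.I | re.S)
    if not m:
        return None  # statement type not covered by the rules
    pairs = (part.partition("=") for part in m.group(2).split(","))  # assumes no commas in values
    fields = {k.strip().lower(): v.strip().strip("'") for k, _, v in pairs}
    return m.group(1).lower(), fields

# Step c: preset normal values (constructed): per table, the allowed values of each field.
NORMAL = {"prescription": {"dose": {"250", "500"}, "route": {"IV", "PO"}}}

def early_warn(packet):
    """Steps a4 to c on one packet: None for non-requests, else ("normal"|"warning", detail)."""
    sql = parse_tds_request(packet)
    if sql is None:
        return None
    parsed = analyze(sql)
    if parsed is None:
        return "warning", "unrecognized statement"
    table, fields = parsed
    allowed = NORMAL.get(table)
    if allowed is None:
        return "warning", "unknown table " + table
    for key, value in fields.items():
        if key in allowed and value not in allowed[key]:
            return "warning", f"{table}.{key}={value}"
    return "normal", ""
```

Statements the rules do not recognize and tables without preset values are reported as warnings rather than silently passed, which is the safer default for an audit sensor.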
CN202011033521.9A 2020-09-27 2020-09-27 Clinical risk early warning method and system based on libpcap Pending CN112217809A (en)


Publications (1)

Publication Number Publication Date
CN112217809A true CN112217809A (en) 2021-01-12

Family

ID=74051974


Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101631122A (en) * 2009-08-03 2010-01-20 杭州安恒信息技术有限公司 Method for improving TDS protocol analysis accuracy in packet-losing environment
US20140019610A1 (en) * 2012-07-10 2014-01-16 Microsoft Corporation Correlated Tracing of Connections through TDS
CN104063473A (en) * 2014-06-30 2014-09-24 江苏华大天益电力科技有限公司 Database auditing monitoring system and database auditing monitoring method
CN107454109A (en) * 2017-09-22 2017-12-08 杭州安恒信息技术有限公司 Network data-theft behavior detection method based on HTTP traffic analysis
CN108965208A (en) * 2017-05-19 2018-12-07 南京骏腾信息技术有限公司 Log audit method based on correlation analysis

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
廖雯娟: "Design and implementation of a power enterprise database audit ***", China Master's Theses Full-text Database: Information Science and Technology *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113141282A (en) * 2021-05-12 2021-07-20 平安国际智慧城市科技股份有限公司 Packet capturing method, device, equipment and storage medium based on Libpcap
CN113141282B (en) * 2021-05-12 2022-03-18 深圳赛安特技术服务有限公司 Packet capturing method, device, equipment and storage medium based on Libpcap

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210112