CN112527772A - Graph database auditing method and auditing equipment - Google Patents

Publication number: CN112527772A
Authority: CN (China)
Prior art keywords: database, flow, auditing, graph database, data
Legal status: Pending (as listed by Google Patents; not a legal conclusion)
Application number: CN202011462144.0A
Other languages: Chinese (zh)
Inventors: 陈燕帆, 官文兵, 刘永波
Current assignee: Shenzhen Ankki Technology Co ltd
Original assignee: Shenzhen Ankki Technology Co ltd
Events: application filed by Shenzhen Ankki Technology Co ltd; priority to CN202011462144.0A; publication of CN112527772A; legal status pending

Classifications

    • G PHYSICS → G06 COMPUTING; CALCULATING OR COUNTING → G06F ELECTRIC DIGITAL DATA PROCESSING → G06F16/00 Information retrieval; Database structures therefor; File system structures therefor → G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data → G06F16/21 Design, administration or maintenance of databases
    • G PHYSICS → G06 COMPUTING; CALCULATING OR COUNTING → G06F ELECTRIC DIGITAL DATA PROCESSING → G06F16/00 Information retrieval; Database structures therefor; File system structures therefor → G06F16/50 Information retrieval; Database structures therefor; File system structures therefor of still image data
    • H ELECTRICITY → H04 ELECTRIC COMMUNICATION TECHNIQUE → H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION → H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass → H04L69/22 Parsing or analysis of headers

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Databases & Information Systems (AREA)
  • Data Mining & Analysis (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiment of the invention relates to the technical field of computers, in particular to a graph database auditing method and auditing equipment. The method comprises the following steps: obtaining the traffic of a graph database; performing stream reassembly on the traffic; if the reassembly is successful, carrying out protocol analysis on the reassembled traffic to obtain message data; if the message data is request information, extracting request characteristic information from the request information and storing it in a database of the database audit equipment; and if the message data is response information, extracting response characteristic information from the response information and storing it in a database of the database audit equipment. By acquiring the traffic of the graph database, reassembling the stream, analyzing the protocol and storing the characteristic information in the database, the invention audits the various operations performed in a business system that uses the graph database.

Description

Graph database auditing method and auditing equipment
Technical Field
The embodiment of the invention relates to the technical field of computers, in particular to a graph database auditing method and auditing equipment.
Background
Neo4j is a NoSQL graph database that applies graph theory to store the relationships between entities. A graph database is a non-relational database that uses graph theory to store relationship information between entities; the most common example is the interpersonal relationships in a social network. Relational databases handle highly connected "relationship" data poorly: the queries are complex, slow and unpredictable, and the design of graph databases remedies exactly this deficiency.
Neo4j uses Cypher as its query language. Cypher is a declarative graph query language that allows expressive and efficient queries against graph storage without writing traversal code for the graph structure. Cypher is still developing and maturing, which means that syntax changes are likely and that the component has not been subjected to rigorous performance testing.
However, there is currently no auditing method or device for graph databases on the market.
Disclosure of Invention
Aiming at the defects in the prior art, the embodiment of the invention mainly solves the technical problem of providing a graph database auditing method and auditing equipment, which can audit a graph database.
In order to solve the above technical problem, in a first aspect, an embodiment of the present invention adopts the following technical solution: a graph database auditing method applied to graph database auditing equipment, comprising the following steps:
obtaining the traffic of a graph database;
performing stream reassembly on the traffic;
if the reassembly is successful, carrying out protocol analysis on the reassembled traffic to obtain message data;
if the message data is request information, extracting request characteristic information from the request information and storing it in a database of the database audit equipment;
and if the message data is response information, extracting response characteristic information from the response information and storing it in a database of the database audit equipment.
In some embodiments, obtaining the traffic of the graph database comprises:
acquiring the traffic of the Neo4j graph database by bypass traffic diversion or proxy traffic diversion.
In some embodiments, obtaining the traffic of the graph database further comprises:
presetting the IP address and port of a target graph database;
if the traffic contains the IP address and port of the target graph database, acquiring the traffic;
discarding the traffic if it does not contain the IP address and port of the target graph database.
In some embodiments, performing stream reassembly on the traffic comprises:
if the traffic is not successfully reassembled within a preset time, performing stream reassembly on the traffic again;
and if the traffic is still not successfully reassembled after the preset time is exceeded, discarding the traffic.
In some embodiments, if the reassembly is successful, performing protocol analysis on the reassembled traffic to obtain message data comprises:
if the reassembly is successful, analyzing the reassembled traffic according to the TCP/IP protocol suite to obtain Ethernet layer data, network layer data, transport layer data and application layer data; and analyzing the application layer data according to the Bolt protocol to obtain a plaintext data message, wherein the message data comprises the Ethernet layer data, network layer data, transport layer data and the plaintext data message.
In some embodiments, the request characteristic information is the sending time, the IP address of the sending end, the port of the sending end, a first plaintext data message, an operation type, and an operation terminal.
In some embodiments, the operation type is create, match, return, where, delete, or remove.
In some embodiments, the response characteristic information is the sending time, the IP address of the sending end, the port of the sending end, and a second plaintext data message.
In order to solve the above technical problem, in a second aspect, an embodiment of the present invention provides a graph database auditing apparatus comprising at least one processor and a memory communicatively coupled to the at least one processor, wherein the memory stores instructions executable by the at least one processor that enable the at least one processor to perform the graph database auditing method of the first aspect.
In order to solve the above technical problem, in a third aspect, an embodiment of the present invention further provides a non-volatile computer-readable storage medium storing computer-executable instructions which, when executed by an electronic device, cause the electronic device to perform the graph database auditing method of the first aspect.
In order to solve the above technical problem, in a fourth aspect, the present invention further provides a computer program product comprising a computer program stored on a computer-readable storage medium, the computer program comprising program instructions which, when executed by a computer, cause the computer to perform the method of the first aspect.
The beneficial effects of the embodiment of the invention are as follows. Unlike the prior art, the embodiment of the invention provides a graph database auditing method and auditing equipment, the method comprising: obtaining the traffic of a graph database; performing stream reassembly on the traffic; if the reassembly is successful, carrying out protocol analysis on the reassembled traffic to obtain message data; if the message data is request information, extracting request characteristic information from the request information and storing it in a database of the database audit equipment; and if the message data is response information, extracting response characteristic information from the response information and storing it in a database of the database audit equipment. By acquiring the traffic of the graph database, reassembling the stream, analyzing the protocol and storing the characteristic information in the database, the embodiment of the invention audits the various operations performed in a business system that uses the graph database.
Drawings
One or more embodiments are illustrated by the accompanying figures in the drawings that correspond thereto and are not to be construed as limiting the embodiments, wherein elements/modules and steps having the same reference numerals are represented by like elements/modules and steps, unless otherwise specified, and the drawings are not to scale.
FIG. 1 is a schematic diagram of an application environment of a graph database auditing method according to an embodiment of the present invention;
FIG. 2 is a schematic flow chart of a graph database auditing method according to an embodiment of the present invention;
FIG. 3 is a schematic flow chart of obtaining the traffic of a graph database according to an embodiment of the present invention;
FIG. 4 is a schematic flow chart of performing stream reassembly on the traffic according to an embodiment of the present invention;
FIG. 5 is a schematic structural diagram of a graph database auditing apparatus according to an embodiment of the present invention.
Detailed Description
The present invention will be described in detail with reference to specific examples. The following examples will assist those skilled in the art in further understanding the invention, but are not intended to limit the invention in any way. It should be noted that variations and modifications can be made by persons skilled in the art without departing from the spirit of the invention, all of which fall within the scope of the present invention.
In order to facilitate an understanding of the present application, the present application is described in more detail below with reference to the accompanying drawings and specific embodiments. Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs. The terminology used in the description of the present application is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used herein, the term "and/or" includes any and all combinations of one or more of the associated listed items.
It should be noted that, if not conflicted, the various features of the embodiments of the invention may be combined with each other within the scope of protection of the present application. In addition, although the functional blocks are divided in the device diagram, in some cases, the blocks may be divided differently from those in the device. Further, the terms "first," "second," and the like, as used herein, do not limit the data and the execution order, but merely distinguish the same items or similar items having substantially the same functions and actions.
At present, no graph database auditing method exists, and in order to solve the problems, the embodiment of the invention provides a graph database auditing method which is applied to graph database auditing equipment and can provide auditing for a graph database.
FIG. 1 is a schematic diagram of the application environment of a graph database auditing method according to an embodiment of the present invention. The application environment includes a graph database server 10, a graph database auditing device 20 and a core switch 30. The core switch 30 is connected to the graph database server 10 and to the graph database auditing device 20.
The graph database auditing device 20 is a device capable of automatically and rapidly processing large volumes of data according to a program; it generally consists of a hardware system and a software system, for example a server. The graph database server 10 hosts a graph database (for example a Neo4j graph database; all examples below use a Neo4j graph database). Users access the resources of the graph database server 10 through the core switch 30, and the graph database auditing device 20 intercepts the users' traffic messages through the core switch 30 so as to audit them.
Specifically, the Neo4j graph database on the graph database server 10 generates messages when data is transmitted. The traffic messages are acquired by mirroring on the core switch 30: a port-mirroring mode or a TAP splitting monitoring mode is configured on the core switch 30, so that the graph database auditing device 20 can monitor all operations of all users communicating with the graph database server 10 through the core switch 30. The messages are then audited by the graph database auditing device 20, for example parsed and stored for backup.
It should be noted that the graph database auditing method provided by the embodiment of the present invention is generally executed by the graph database auditing device 20. The embodiment of the present invention is further described below with reference to the drawings.
Referring to FIG. 2, the graph database auditing method includes:
Step S1: obtaining the traffic of a graph database;
The traffic refers to the data packets related to Neo4j graph database data on the network; it can be captured from a node such as a network interface card and used as the basic data for auditing.
Specifically, in some embodiments, a bypass diversion mode may be adopted: a mirror port is configured on the core switch, the traffic of the Neo4j graph database is diverted to the audit device, and the graph database audit device captures it, thereby obtaining the traffic of the Neo4j graph database.
In other embodiments, a proxy diversion mode may be adopted: system monitoring software is deployed on the Neo4j graph database host, captures the traffic of the Neo4j graph database and forwards it to the graph database auditing device, so that the auditing device obtains the traffic of the Neo4j graph database. The system monitoring software may be agent client software; when the agent client is deployed on the Neo4j graph database host, it captures the traffic through a packet-capture library and then transmits the captured traffic to the graph database auditing device over a socket connection, so that the auditing device obtains the traffic of the Neo4j graph database. In practical applications, any other suitable system monitoring software may be used, and the embodiments of the present invention are not limited in this respect.
Step S2: performing stream reassembly on the traffic;
The traffic collected in step S1 does not necessarily contain complete data: when the length of the data to be transmitted exceeds the maximum transmission unit (MTU), the data is split into several packets for transmission. Stream reassembly also helps the subsequent analysis of operation behaviour; for example, information such as which software connected to the Neo4j database and at what time can be analysed from the reassembled stream.
Specifically, in some embodiments, the traffic may be reassembled according to the TCP/IP protocol suite: the packets that share the same Ethernet layer, network layer and transport layer data (that is, the packets of one connection) are grouped, and their application layer data are merged into one complete application layer payload, so that the reassembled traffic contains the complete data.
Step S3: if the reassembly is successful, carrying out protocol analysis on the reassembled traffic to obtain message data;
Specifically, if the reassembly is successful, the reassembled traffic may be parsed according to the TCP/IP protocol suite to obtain Ethernet layer data, network layer data, transport layer data and application layer data; the application layer data is then parsed according to the Bolt protocol to obtain a plaintext data message. The message data thus comprises the Ethernet layer data, network layer data, transport layer data and the plaintext data message. Because the Neo4j graph database communicates over the Bolt protocol, the application layer data can be parsed as Bolt to obtain the plaintext data message. Because the traffic of the Neo4j graph database contains only request information and response information, if the message data is request information, the plaintext data message obtained after parsing is the request statement, which for the Neo4j graph database is a CQL (Cypher) statement; and if the message data is response information, the plaintext data message obtained after parsing is the response data.
Step S4: if the message data is request information, extracting request characteristic information from the request information and storing it in a database of the database audit equipment;
Specifically, the Ethernet layer data, network layer data and transport layer data of the message data obtained in step S3 may be analysed to determine whether the message data is request information. For example, it is judged whether the IP address and port of the sending end are the IP address and port of the client: if so, the message data is request information, otherwise it is response information. Alternatively, it is judged whether the IP address and port of the sending end are the IP address and port of the Neo4j graph database: if so, the message data is response information, otherwise it is request information. Alternatively, it is judged whether the IP address and port of the receiving end are those of the client: if so, the message data is response information, otherwise request information. Alternatively, it is judged whether the IP address and port of the receiving end are those of the Neo4j graph database: if so, the message data is request information, otherwise response information.
To make the determination more reliable, in some other embodiments the IP addresses and ports of the sending end and the receiving end may be checked in combination; for example, after the sending end is determined to be the client, it may further be checked whether the receiving end is the Neo4j graph database, and only if so is the message data treated as request information. In practical applications, the means of classifying the message data may be chosen according to actual needs and is not limited by the embodiments of the present invention.
After the message data is determined to be request information, the request characteristic information, such as the sending time, the IP address of the sending end, the port of the sending end, the first plaintext data message, the operation type and the operation terminal, can be extracted from the message data, and the extracted request characteristic information is stored in a database, so that the access is recorded and an audit report can be formed.
For request information, after the protocol analysis of step S3 the first plaintext data message is a CQL statement. The CQL statement is split and identified: the operation types of the request can be obtained by analysing the beginning of the CQL statement, and analysing the operation types reveals how the Neo4j graph database is accessed. These operation types usually reflect the access pattern of the graph database and matter for its security. Generally, the operation types of the Neo4j graph database are create, match, return, where, delete, remove, and the like. For CQL statements, the create command creates nodes, attributes, relationships and so on in the Neo4j graph database; the match command queries nodes, relationships, attributes, matching relationships and so on in the Neo4j graph database; the where command supplies conditions that filter the searched data; the return command returns a particular query result; the delete command deletes nodes, attributes, relationships and so on in the Neo4j graph database; and the remove command deletes nodes, attributes, relationships and so on in the Neo4j graph database.
By storing the request characteristic information in the database, the audit analysis can establish the time period during which the Neo4j database was accessed, the client that accessed it, the request content and so on, and corresponding protective or early-warning measures can be taken according to the request characteristic information. For example, a user's authority to access the Neo4j graph database may be divided into query authority, modification authority and the like: only a user with query authority may query the Neo4j graph database, and a user with modification authority may both query and modify it. By identifying the operation type of the request information, when a user without modification authority is found performing a data modification operation, that user can be intercepted or an alarm raised.
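The IP/port filter of steps S12 and S13, the direction check of step S4, the operation-type extraction from the CQL statement and the authority check described above fit together in one short pipeline. The following Python is an added example, not code from the patent: the database address DB_ADDR, the AUTHORITY table, the terminal name and the sample messages are constructed placeholders, and the plaintext field is assumed to be the output of the Bolt parsing in step S3.

```python
"""Classify message direction, extract Cypher operation types and flag requests
that exceed a client's authority (steps S12/S13, S4 and the authority check).
Added example, not code from the patent; addresses, authority table and messages are constructed."""
import re
from dataclasses import dataclass

# Preset IP address and port of the target graph database (constructed placeholder).
DB_ADDR = ("10.0.0.5", 7687)

# Operation types listed in the description; the second set modifies data.
OP_RE = re.compile(r"\b(create|match|return|where|delete|remove)\b", re.IGNORECASE)
WRITE_OPS = {"create", "delete", "remove"}

# Constructed authority table: client IP -> granted authority ("query" or "modify").
AUTHORITY = {"10.0.0.20": "query", "10.0.0.21": "modify"}


@dataclass
class Message:
    ts: str
    src: tuple        # (ip, port) of the sending end
    dst: tuple        # (ip, port) of the receiving end
    plaintext: str    # Bolt payload after protocol analysis: CQL text or response data


def is_audited(msg: Message) -> bool:
    """Steps S12/S13: keep only traffic that involves the preset database IP and port."""
    return DB_ADDR in (msg.src, msg.dst)


def direction(msg: Message) -> str:
    """Combined sender/receiver check: a request is sent by a client to the database address."""
    if msg.src == DB_ADDR:
        return "response"
    if msg.dst == DB_ADDR:
        return "request"
    return "unknown"


def operation_types(cypher: str) -> list:
    """Operation keywords of a CQL statement in order of appearance, with // comments stripped."""
    text = re.sub(r"//[^\n]*", " ", cypher)
    ops = []
    for m in OP_RE.finditer(text):
        op = m.group(1).lower()
        if op not in ops:
            ops.append(op)
    return ops


def request_features(msg: Message, terminal: str) -> dict:
    """Request characteristic information in the form the audit device stores (JSON-ready)."""
    ops = operation_types(msg.plaintext)
    return {
        "send_time": msg.ts,
        "src_ip": msg.src[0],
        "src_port": msg.src[1],
        "statement": msg.plaintext,
        "operation_types": ops,
        "modifies": bool(WRITE_OPS.intersection(ops)),
        "terminal": terminal,
    }


def authority_violation(features: dict) -> bool:
    """True when a query-only client issues a modifying operation, or the client is unknown."""
    granted = AUTHORITY.get(features["src_ip"], "none")
    if granted == "modify":
        return False
    if granted == "query":
        return features["modifies"]
    return True                              # unknown client: every request is flagged


def audit(messages, terminal="constructed-client") -> list:
    """Filter, classify and extract features; return the requests that warrant an alarm."""
    alerts = []
    for msg in messages:
        if not is_audited(msg) or direction(msg) != "request":
            continue
        feats = request_features(msg, terminal)
        if authority_violation(feats):
            alerts.append(feats)
    return alerts


# Constructed sample: a read and a write from a query-only client, one server
# response, and one unrelated connection that the IP/port filter drops.
SAMPLE = [
    Message("2020-12-14T10:00:01", ("10.0.0.20", 51000), DB_ADDR,
            "MATCH (u:User {name: $n}) RETURN u"),
    Message("2020-12-14T10:00:02", ("10.0.0.20", 51000), DB_ADDR,
            "MATCH (u:User) WHERE u.name = 'x' DELETE u  // cleanup"),
    Message("2020-12-14T10:00:03", DB_ADDR, ("10.0.0.20", 51000), "SUCCESS"),
    Message("2020-12-14T10:00:04", ("10.0.0.9", 40000), ("10.0.0.8", 3306), "SELECT 1"),
]
```

audit(SAMPLE) returns one alert, the DELETE issued by the query-only client 10.0.0.20; the read from the same client, the server's response and the unrelated MySQL connection produce none. Keyword matching on the statement text is what the description calls "splitting and identifying" the CQL statement; the comment-stripping step matters because a keyword inside a comment does not execute.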
Step S5: if the message data is response information, extracting response characteristic information from the response information and storing it in a database of the database audit equipment.
Specifically, the Ethernet layer data, network layer data and transport layer data of the message data obtained in step S3 may be analysed to determine whether the message data is response information. The determination is the same as for request information above and is not repeated here.
After the message data is determined to be response information, the response characteristic information, such as the sending time, the IP address of the sending end, the port of the sending end and the second plaintext data message, can be extracted from the message data, and the extracted response characteristic information is stored in a database, so that the response is recorded and an audit report can be formed for audit analysis. For response information, after the protocol analysis of step S3 the second plaintext data message is the response data of the Neo4j database.
By storing the response characteristic information in the database, subsequent audit analysis can establish the time period in which the Neo4j database returned data, the receiving end of the returned data, the returned content and so on, and corresponding protective or early-warning measures can be taken according to the response characteristic information. For example, the response data returned to the user by the Neo4j database may be divided into normal data, sensitive data and the like, and an ordinary user has no right to receive sensitive data from the Neo4j database. By identifying the type of data returned to an ordinary user, when a user without the right to access key data is found to have received key data, the user can be tracked or an alarm raised for the behaviour, and the dangerous access client identified.
In some embodiments, the database storing the request characteristic information or the response characteristic information may be a MySQL database or an Elasticsearch database, the storage format being a MySQL table or JSON, and the original data can be restored from the stored audit information. In practical applications, the database storing the audit records may be chosen according to practical requirements and is not limited by the embodiments of the present invention.
In some other embodiments, referring to FIG. 3, step S1 of obtaining the traffic of the graph database further includes:
Step S11: presetting the IP address and port of a target graph database;
Step S12: if the traffic contains the IP address and port of the target graph database, acquiring the traffic;
Step S13: discarding the traffic if it does not contain the IP address and port of the target graph database.
Specifically, in order to obtain exactly the traffic of the graph database to be audited, the IP address and port of a target graph database may be preset, namely the IP address and port of the Neo4j graph database to be audited. The captured traffic is checked for the IP address and port of the target graph database: if they are present, the traffic is acquired and audited; if not, the traffic is discarded.
In some other embodiments, referring to FIG. 4, step S2 of performing stream reassembly on the traffic includes:
Step S21: if the traffic is not successfully reassembled within a preset time, performing stream reassembly on the traffic again;
Step S22: if the traffic is still not successfully reassembled after the preset time is exceeded, discarding the traffic.
Specifically, a reassembly duration may be preset: if the stream is not successfully reassembled within that duration, reassembly of the traffic is attempted again, and if the duration is exceeded and the traffic is still not successfully reassembled, the traffic is discarded.
In other embodiments, a number of reassembly attempts may be preset: if an attempt does not succeed, the traffic is reassembled again, and if the preset number of attempts is exceeded and the traffic is still not successfully reassembled, the traffic is discarded.
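The reassembly of step S2 (grouping the packets of one connection and merging their application data) together with the preset time and preset attempt limits of steps S21 and S22 can be shown in one reassembler. The following Python is an added example, not code from the patent: the Segment fields, the per-direction flow key, the two limit values MAX_WAIT_SECONDS and MAX_ATTEMPTS and the sample segments are constructed assumptions, and "the sender has finished a message" is taken from the TCP PSH flag.

```python
"""Reassemble the TCP segments of one graph-database connection into complete
application-layer data, with a preset reassembly time and attempt limit (S2, S21, S22).
Added example, not code from the patent; segment layout, limits and samples are constructed."""
from dataclasses import dataclass, field

MAX_WAIT_SECONDS = 2.0    # preset reassembly duration (assumed value)
MAX_ATTEMPTS = 3          # preset number of reassembly attempts (assumed value)


@dataclass
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int              # TCP sequence number of the first payload byte
    payload: bytes
    push: bool            # PSH flag: the sender finished an application message
    ts: float = 0.0       # capture time in seconds


@dataclass
class Flow:
    first_ts: float
    next_seq: int                                # next in-order byte we are waiting for
    data: bytearray = field(default_factory=bytearray)
    buffer: dict = field(default_factory=dict)   # seq -> payload of out-of-order segments
    end_seq: int = -1                            # set from the PSH segment once seen
    attempts: int = 0


class StreamReassembler:
    """One reassembly state per (src, sport, dst, dport), i.e. per connection direction."""

    def __init__(self, max_wait=MAX_WAIT_SECONDS, max_attempts=MAX_ATTEMPTS):
        self.flows = {}
        self.discarded = []                       # keys of flows given up on (step S22)
        self.max_wait, self.max_attempts = max_wait, max_attempts

    @staticmethod
    def key(seg: Segment) -> tuple:
        return (seg.src, seg.sport, seg.dst, seg.dport)

    def feed(self, seg: Segment):
        """Return the complete application data once the message is whole, else None."""
        k = self.key(seg)
        flow = self.flows.get(k)
        if flow is None:
            flow = self.flows[k] = Flow(first_ts=seg.ts, next_seq=seg.seq)
        if seg.seq >= flow.next_seq:              # ignore retransmissions of merged bytes
            flow.buffer[seg.seq] = seg.payload
        if seg.push:
            flow.end_seq = seg.seq + len(seg.payload)
        # merge every segment that is now contiguous, in sequence order
        while flow.next_seq in flow.buffer:
            chunk = flow.buffer.pop(flow.next_seq)
            flow.data += chunk
            flow.next_seq += len(chunk)
        if flow.end_seq != -1 and flow.next_seq >= flow.end_seq and not flow.buffer:
            del self.flows[k]                     # reassembly succeeded
            return bytes(flow.data)
        if flow.buffer:                           # a gap remains: this attempt failed (S21)
            flow.attempts += 1
            if seg.ts - flow.first_ts > self.max_wait or flow.attempts > self.max_attempts:
                self._discard(k)                  # S22: preset time or attempts exceeded
        return None

    def expire(self, now: float) -> int:
        """Drop idle flows whose reassembly window has elapsed; return how many were dropped."""
        stale = [k for k, f in self.flows.items() if now - f.first_ts > self.max_wait]
        for k in stale:
            self._discard(k)
        return len(stale)

    def _discard(self, k: tuple):
        self.discarded.append(k)
        del self.flows[k]


def reassemble_all(segments, reassembler=None):
    """Feed segments in capture order; return the completed payloads and the reassembler."""
    r = reassembler or StreamReassembler()
    done = [d for d in (r.feed(s) for s in segments) if d is not None]
    return done, r


def constructed_segments() -> list:
    """Three segments of one Cypher request, with the middle one arriving last."""
    parts = [b"MATCH (n:User) RETURN", b" n.name, n.id LIMIT ", b"10"]
    segs, seq = [], 1000
    for i, p in enumerate(parts):
        segs.append(Segment("10.0.0.20", 51000, "10.0.0.5", 7687, seq, p, push=(i == 2)))
        seq += len(p)
    order = [segs[0], segs[2], segs[1]]
    for i, s in enumerate(order):
        s.ts = 0.1 * i                            # capture times in arrival order
    return order
```

reassemble_all(constructed_segments()) returns the full 43-byte statement even though the middle segment arrives after the PSH segment; feeding the same incomplete flow repeatedly exhausts MAX_ATTEMPTS and the key lands in discarded, and a reassembler constructed with a short max_wait discards it on time instead. expire(now) covers the case the description leaves implicit: a stream whose remaining segments never arrive must also be dropped, or the device leaks state for every half-captured connection.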
The graph database auditing method provided by the embodiment of the present invention records the request data and response data of graph database operations, and audits the graph database by acquiring its traffic, reassembling the stream, analysing the protocol, and then extracting and recording the characteristic information.
An embodiment of the present invention further provides a graph database auditing device. FIG. 5 shows the hardware structure of a graph database auditing device capable of executing the graph database auditing method described with reference to FIG. 2 to FIG. 4. The graph database auditing device 20 may be the graph database auditing apparatus 10 shown in FIG. 1. The graph database auditing device 20 includes at least one processor 21 and a memory 22 communicatively coupled to the at least one processor 21; FIG. 5 takes one processor 21 as an example. The memory 22 stores instructions executable by the at least one processor 21 which, when executed, enable the at least one processor 21 to perform the graph database auditing method described above with reference to FIGS. 2 to 4. The processor 21 and the memory 22 may be connected by a bus or by other means; FIG. 5 takes a bus connection as an example.
The memory 22, as a non-volatile computer-readable storage medium, may be used to store non-volatile software programs, non-volatile computer-executable programs and modules, such as the program instructions/modules corresponding to the graph database auditing method in the embodiments of the present application. By executing the non-volatile software programs, instructions and modules stored in the memory 22, the processor 21 executes the various functional applications and data processing of the graph database auditing apparatus, that is, implements the graph database auditing method of the method embodiments described above.
The memory 22 may include a program storage area and a data storage area, wherein the program storage area may store an operating system and the application program required for at least one function, and the data storage area may store data created by the use of the graph database auditing apparatus, and the like. Further, the memory 22 may include high-speed random access memory and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device or other non-volatile solid-state storage device. In some embodiments, the memory 22 optionally includes memory located remotely from the processor 21, and such remote memory may be connected to the graph database auditing apparatus via a network. Examples of such networks include, but are not limited to, the Internet, intranets, local area networks, mobile communication networks and combinations thereof.
The one or more modules are stored in the memory 22 and, when executed by the one or more processors 21, perform the graph database auditing method of any of the method embodiments described above, e.g., performing the method steps of fig. 2-4 described above, implementing the functionality of a graph database auditing apparatus.
The product can execute the method provided by the embodiments of the present application, and has the functional modules and beneficial effects corresponding to that method. For technical details not described in detail in this embodiment, reference may be made to the methods provided in the embodiments of the present application.
Embodiments of the present invention also provide a non-transitory computer-readable storage medium storing computer-executable instructions which, when executed by one or more processors, such as the processor 21 in fig. 5, may cause the one or more processors to perform the graph database auditing method of any of the method embodiments described above, such as the method steps S1 to S5 in fig. 2, the method steps S11 to S13 in fig. 2, and the method steps S21 to S22 in fig. 3, to implement the function of auditing the graph database.
Embodiments of the present invention also provide a computer program product comprising a computer program stored on a non-transitory computer-readable storage medium, the computer program comprising program instructions that, when executed by a computer, cause the computer to perform a method for graph database auditing according to any of the above-described method embodiments, perform method steps S1-S5 in fig. 2, method steps S11-S13 in fig. 2, and method steps S21-S22 in fig. 3, as described above, and implement a function of graph database auditing.
The embodiment of the invention provides a graph database auditing method and auditing equipment, wherein the method comprises the following steps: obtaining the traffic of a graph database; performing stream reassembly on the traffic; if the reassembly is successful, carrying out protocol analysis on the reassembled traffic to obtain message data; if the message data is request information, extracting request characteristic information from the request information, and storing the request characteristic information into a database of the database auditing equipment; and if the message data is response information, extracting response characteristic information from the response information, and storing the response characteristic information into a database of the database auditing equipment. By acquiring the traffic of the graph database, reassembling the traffic, analyzing the protocol and storing the characteristic information into the database, the invention realizes the auditing of the various operations performed in a business system that uses the graph database.
It should be noted that the above-described device embodiments are merely illustrative, where the units described as separate parts may or may not be physically separate, and the parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a general hardware platform, and certainly can also be implemented by hardware. It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by hardware under the control of a computer program, which can be stored in a computer-readable storage medium and which, when executed, can include the processes of the method embodiments described above. The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), or the like.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; within the idea of the invention, also technical features in the above embodiments or in different embodiments may be combined, steps may be implemented in any order, and there are many other variations of the different aspects of the invention as described above, which are not provided in detail for the sake of brevity; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and the modifications or the substitutions do not make the essence of the corresponding technical solutions depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (10)

1. A graph database auditing method, applied to graph database auditing equipment, characterized in that the graph database auditing method comprises the following steps:
obtaining the traffic of a graph database;
performing stream reassembly on the traffic;
if the reassembly is successful, carrying out protocol analysis on the reassembled traffic to obtain message data;
if the message data is request information, extracting request characteristic information from the request information, and storing the request characteristic information into a database of the database auditing equipment;
and if the message data is response information, extracting response characteristic information from the response information, and storing the response characteristic information into a database of the database auditing equipment.
2. The graph database auditing method according to claim 1, wherein said obtaining the traffic of the graph database comprises:
acquiring the traffic of the graph database by bypass traffic diversion or proxy traffic diversion.
3. The graph database auditing method according to claim 1, wherein said obtaining the traffic of the graph database further comprises:
presetting an IP address and a port of a target graph database;
if the traffic contains the IP address and the port of the target graph database, acquiring the traffic;
if the traffic does not contain the IP address and the port of the target graph database, discarding the traffic.
4. The graph database auditing method according to claim 1, wherein said performing stream reassembly on the traffic comprises:
if the traffic is not reassembled successfully within a preset time, performing stream reassembly on the traffic again;
and if the traffic is still not reassembled successfully after the preset time is exceeded, discarding the traffic.
5. The graph database auditing method according to claim 1, wherein said carrying out protocol analysis on the reassembled traffic to obtain message data if the reassembly is successful comprises:
if the reassembly is successful, analyzing the reassembled traffic according to the TCP/IP protocol to obtain Ethernet layer data, network layer data, transport layer data and application layer data; and analyzing the application layer data according to the Bolt protocol to obtain a plaintext data message, wherein the message data comprises the Ethernet layer data, the network layer data, the transport layer data and the plaintext data message.
6. The graph database auditing method according to claim 1, characterized in that said request characteristic information is the transmission time, the IP address of the transmitting end, the port of the transmitting end, a first plaintext data message, the operation type and the operating terminal.
7. The graph database auditing method according to claim 6, wherein said operation type is create, match, return, where, delete or remove.
8. The graph database auditing method according to claim 1, wherein said response characteristic information is the transmission time, the IP address of the transmitting end, the port of the transmitting end and a second plaintext data message.
9. A graph database auditing apparatus, characterized in that the graph database auditing apparatus comprises:
at least one processor, and a memory communicatively coupled to the at least one processor, wherein the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the graph database auditing method of any of claims 1-8.
10. A non-transitory computer-readable storage medium having stored thereon computer-executable instructions that, when executed by an electronic device, cause the electronic device to perform the method for graph database auditing according to any of claims 1-8.
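As an added illustration that is not part of the patent, the protocol-analysis and feature-extraction steps of claims 5 to 8 in Python: de-chunking a reassembled Bolt stream into messages, decoding the Cypher text from a client RUN message, classifying the operation type with the keyword set of claim 7, and building the request or response characteristic record. The chunk and PackStream byte layout follows the public Neo4j Bolt specification; the `run_message` builder, the sample queries and the IP/port values are constructed here for the demonstration.

```python
import struct
# Bolt facts used (public Bolt spec): 2-byte big-endian chunk headers, a 0x0000 chunk ends a message, 0xB0|n marks a tiny struct.
RUN, SUCCESS, RECORD, FAILURE = 0x10, 0x70, 0x71, 0x7F
OPERATION_TYPES = ("create", "match", "return", "where", "delete", "remove")
STATUS = {SUCCESS: "success", RECORD: "record", FAILURE: "failure"}

def dechunk(payload: bytes) -> list:
    """Split a reassembled Bolt byte stream into whole messages."""
    messages, cur, pos = [], b"", 0
    while pos + 2 <= len(payload):
        size = struct.unpack(">H", payload[pos:pos + 2])[0]
        pos += 2
        if size == 0:                      # zero-length chunk terminates a message
            messages.append(cur)
            cur = b""
        else:
            cur, pos = cur + payload[pos:pos + size], pos + size
    return messages

def read_string(buf: bytes, pos: int):
    """Decode one PackStream string at pos; returns (text, next_pos)."""
    marker = buf[pos]
    if 0x80 <= marker <= 0x8F:              # tiny string: length in low nibble
        n, pos = marker & 0x0F, pos + 1
    elif marker in (0xD0, 0xD1, 0xD2):      # STRING_8/16/32: 1/2/4-byte length
        width = 1 << (marker - 0xD0)
        n, pos = int.from_bytes(buf[pos + 1:pos + 1 + width], "big"), pos + 1 + width
    else:
        raise ValueError("not a PackStream string marker: %#x" % marker)
    return buf[pos:pos + n].decode("utf-8"), pos + n

def classify(cypher: str) -> str:
    """Operation type per claim 7: first audited Cypher keyword in the query."""
    return next((t for t in cypher.lower().split() if t in OPERATION_TYPES), "other")

def extract_feature(msg: bytes, src_ip: str, src_port: int, ts: float) -> dict:
    """Request or response characteristic record for one Bolt message (claims 6 and 8)."""
    if (msg[0] & 0xF0) != 0xB0:
        raise ValueError("not a PackStream struct")
    rec = {"time": ts, "ip": src_ip, "port": src_port, "plaintext": msg.hex()}
    if msg[1] == RUN:                       # client request carrying the Cypher text
        cypher, _ = read_string(msg, 2)
        rec.update(kind="request", cypher=cypher, op=classify(cypher))
    else:                                   # server reply: SUCCESS / RECORD / FAILURE
        rec.update(kind="response", status=STATUS.get(msg[1], "unknown"))
    return rec

def run_message(cypher: str) -> bytes:   # constructed sample: chunked RUN with empty maps
    body = bytes([0xB3, RUN, 0xD0, len(cypher)]) + cypher.encode() + b"\xa0\xa0"
    return struct.pack(">H", len(body)) + body + b"\x00\x00"
```

The record returned by `extract_feature` is what the method would then write into the audit database; the `plaintext` field carries the decoded message bytes, so an audit store holding it should be treated as sensitive.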
Application Number: CN202011462144.0A
Priority Date: 2020-12-11
Filing Date: 2020-12-11
Title: Graph database auditing method and auditing equipment
Legal Status: Pending
Publication Number: CN112527772A (en)
Publication Date: 2021-03-19

Legal Events

Code Description
PB01 Publication
SE01 Entry into force of request for substantive examination