CN113254997A - Method and device for defending database against dragging, electronic equipment and computer medium - Google Patents

Info

Publication number: CN113254997A
Application number: CN202110617418.7A
Authority: CN (China)
Legal status: Pending (status as listed by Google Patents; not a legal conclusion)
Other languages: Chinese (zh)
Prior art keywords: data, database, client, read, defending
Inventors: 毛刘刚, 黄景平, 段江南, 陈靖翔, 肖彦昌, 赖仲生, 廖少波
Current assignee: Tianyi Cloud Technology Co Ltd
Original assignee: China Telecom Corp Ltd (application filed by China Telecom Corp Ltd)

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/60 Protecting data
    • G06F 21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F 21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/60 Protecting data
    • G06F 21/604 Tools and structures for managing or administering access control systems

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Automation & Control Theory (AREA)
  • Databases & Information Systems (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The present disclosure provides a method, an apparatus, an electronic device and a computer medium for defending a database against dumping (拖库: the bulk exfiltration of a database's contents). The method comprises: in response to a request from a client for first data, returning data through the read-write interface of the database; detecting whether the data returned by the read-write interface includes second data; and deciding, according to the result of that detection, whether to modify the client's access rights. The method and apparatus actively detect the anomalous operations that characterise a database dump, revoke the client's access in time, reduce the database's exposure and latent security risk, and improve the security of the data it holds.

Description

Method and device for defending a database against dumping, electronic device and computer medium
Technical Field
The present disclosure relates to the field of database technologies, and in particular to a method and an apparatus for defending a database against dumping, an electronic device, and a computer medium.
Background
A database is a repository that organizes, stores and manages data according to a data structure. Databases have existed for some sixty years; with the development of information technology and of the market, especially since the 1990s, data management is no longer merely the storing and administering of data but has broadened into the many forms of data management that clients require. Databases range from the simplest tables holding various kinds of data to large database systems capable of storing massive volumes. They are commonly divided into three types: relational, non-relational and key-value databases. Because a database holds a large amount of data, its security properties have become one of the most important directions for research and development.
In the related art, the security measures of a traditional database mainly comprise account and password management, privilege management, hardening of the server operating system, and encryption of data at rest and in transit.
However, existing databases have at least the following security shortcomings:
1. There is no effective means of preventing illegitimate operations performed with a legitimate account.
2. When the traditional measures are breached, the system perceives the anomaly only after the fact, so an attacker's abnormal operations are hard to stop and the database is at risk of being dumped.
It is to be noted that the information disclosed in the above background section is only for enhancement of understanding of the background of the present disclosure, and thus may include information that does not constitute prior art known to those of ordinary skill in the art.
Disclosure of Invention
It is an object of the present disclosure to provide a method, an apparatus, an electronic device and a computer medium for defending a database against dumping, which overcome, at least to some extent, the dumping problem caused by the limitations and disadvantages of the related art.
According to a first aspect of the embodiments of the present disclosure, there is provided a method for defending a database against dumping, comprising: in response to a request from a client for first data, returning data through the read-write interface of the database; detecting whether the data returned by the read-write interface includes second data; and determining, according to the detection result for the second data, whether to modify the client's access rights.
In an exemplary embodiment of the present disclosure, determining whether to modify the client's access rights according to the detection result for the second data comprises: if the data returned by the read-write interface includes the second data, changing the access right to "access prohibited"; and if the returned data does not include the second data, keeping the access right as "access permitted".
In an exemplary embodiment of the present disclosure, returning data through the read-write interface of the database in response to a client's request for first data comprises: in response to the request, verifying whether the client's account information is legitimate; if it is, determining the client's operation privileges, which comprise at least one of updating data, deleting data and querying data; returning data through the read-write interface according to those privileges and the request; and, after the data has been returned, storing a record of the client's operation.
In an exemplary embodiment of the present disclosure, returning data through the read-write interface of the database in response to a client's request for first data further comprises: in response to the request, determining the first encryption scheme used by the request; determining a public/private key pair according to that scheme; determining, from the key pair, a second encryption scheme for the data to be returned; encrypting the data to be returned under the second scheme; and returning the encrypted data to the client through the read-write interface.
In an exemplary embodiment of the present disclosure, before data is returned through the read-write interface of the database, the method further comprises: determining the data attribute information of the first data; generating the second data from the data attribute information of the first data; and writing the second data into the database, where the data attribute information of the first data differs from that of the second data, and the data attribute information comprises at least one of a data format, a data length and an identifying field.
In an exemplary embodiment of the present disclosure, writing the second data into the database comprises: determining the storage time of the data in the database; determining, from the storage times, the first data that fall within the same storage-time range; and writing the second data at random positions within the data segment formed by that first data.
In an exemplary embodiment of the present disclosure, writing the second data into the database further comprises: determining the volume of data stored in the database; dividing the stored data into data segments according to a preset data-volume threshold; and writing the second data at random into any of the data segments.
According to a second aspect of the embodiments of the present disclosure, there is provided an apparatus for defending a database against dumping, comprising: a transmission module for responding to a client's request for first data by returning data through the read-write interface of the database; a detection module for detecting whether the data returned by the read-write interface includes second data; and a security module for determining, according to the detection result for the second data, whether to modify the client's access rights.
According to a third aspect of the present disclosure, there is provided an electronic device comprising a memory and a processor coupled to the memory, the processor being configured to perform, based on instructions stored in the memory, any of the methods for defending a database against dumping described above.
According to a fourth aspect of the present disclosure, there is provided a computer-readable storage medium storing a program which, when executed by a processor, implements any of the methods for defending a database against dumping described above.
According to the embodiments of the present disclosure, whether dumping is in progress is determined by actively checking whether the data returned by the read-write interface includes the second data. This improves the accuracy, timeliness and reliability with which dumping is detected and thereby the security of the database.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present disclosure and together with the description, serve to explain the principles of the disclosure. It is to be understood that the drawings in the following description are merely exemplary of the disclosure, and that other drawings may be derived from those drawings by one of ordinary skill in the art without the exercise of inventive faculty.
FIG. 1 is a flow chart of a method of defending a database against dumping in an exemplary embodiment of the present disclosure;
FIG. 2 is a flow chart of a method of defending a database against dumping in another exemplary embodiment of the present disclosure;
FIG. 3 is a flow chart of a method of defending a database against dumping in another exemplary embodiment of the present disclosure;
FIG. 4 is a flow chart of a method of defending a database against dumping in another exemplary embodiment of the present disclosure;
FIG. 5 is a flow chart of a method of defending a database against dumping in another exemplary embodiment of the present disclosure;
FIG. 6 is a flow chart of a method of defending a database against dumping in another exemplary embodiment of the present disclosure;
FIG. 7 is a flow chart of a method of defending a database against dumping in another exemplary embodiment of the present disclosure;
FIG. 8 is a schematic diagram of a data interaction process for defending a database against dumping in an exemplary embodiment of the present disclosure;
FIG. 9 is a schematic diagram of a data interaction process for defending a database against dumping in another exemplary embodiment of the present disclosure;
FIG. 10 is a block diagram of an apparatus for defending a database against dumping in an exemplary embodiment of the present disclosure;
FIG. 11 is a block diagram of an electronic device in an exemplary embodiment of the present disclosure.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. Example embodiments may, however, be embodied in many different forms and should not be construed as limited to the examples set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of example embodiments to those skilled in the art. The described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided to give a thorough understanding of embodiments of the disclosure. One skilled in the relevant art will recognize, however, that the subject matter of the present disclosure can be practiced without one or more of the specific details, or with other methods, components, devices, steps, and the like. In other instances, well-known technical solutions have not been shown or described in detail to avoid obscuring aspects of the present disclosure.
Further, the drawings are merely schematic illustrations of the present disclosure, in which the same reference numerals denote the same or similar parts, and thus, a repetitive description thereof will be omitted. Some of the block diagrams shown in the figures are functional entities and do not necessarily correspond to physically or logically separate entities. These functional entities may be implemented in the form of software, or in one or more hardware modules or integrated circuits, or in different networks and/or processor devices and/or microcontroller devices.
The following detailed description of exemplary embodiments of the disclosure refers to the accompanying drawings.
FIG. 1 is a flow chart of a method of defending a database against dumping in an exemplary embodiment of the present disclosure.
Referring to FIG. 1, the method of defending a database against dumping may include:
Step S102: in response to a client's request for first data, return data through the read-write interface of the database.
In an exemplary embodiment of the present disclosure, the client may be a mobile phone, a tablet, a computer, a smart home device, a smart wearable device or the like, without limitation.
In an exemplary embodiment of the present disclosure, the database may be a relational database, a non-relational database, a key-value database or the like, without limitation.
In an exemplary embodiment of the present disclosure, the read-write interface may be a serial interface, a parallel interface or the like, without limitation.
Step S104: detect whether the data returned by the read-write interface includes second data.
In an exemplary embodiment of the present disclosure, the first data is normal data and the second data is decoy data (rendered "obfuscated data" or "confusion data" elsewhere in this translation). After a client reads decoy data it treats it as anomalous data that can be discarded, so the decoy data does not affect the client's normal operation.
Step S106: determine, according to the detection result for the second data, whether to modify the client's access rights.
In an exemplary embodiment of the present disclosure, the second data is detected actively, and when it is detected the access right is frozen or disabled, which reduces the likelihood that the database is dumped.
In the above exemplary embodiment of the present disclosure, whether dumping is in progress is determined by actively checking whether the data returned by the read-write interface includes the second data, which improves the accuracy, timeliness and reliability with which dumping is detected and thereby the security of the database.
Each step of the method of defending a database against dumping is described in detail below.
As shown in FIG. 2, determining whether to modify the client's access rights according to the detection result for the second data includes:
Step S2062: if the data returned by the read-write interface is determined to include the second data, change the access right to "access prohibited".
In an exemplary embodiment of the present disclosure, the second data may be detected by, without limitation, checking the data length, checking the data format, or checking a designated field of the data.
Step S2064: if the data returned by the read-write interface is determined not to include the second data, keep the access right as "access permitted".
In an exemplary embodiment of the present disclosure, if the returned data does not include the second data, it can be concluded that the client is not performing a bulk read of the database, so the access right is kept as permitted, ensuring reliable and uninterrupted data exchange between the client and the server.
As shown in FIG. 3, returning data through the read-write interface of the database in response to a client's request for first data includes:
Step S3022: in response to the client's request for first data, verify whether the client's account information is legitimate.
In an exemplary embodiment of the present disclosure, the verification items include at least one of the account name, the account password, a verification code and an electronic signature. If every item passes, the account information is legitimate; if any item fails, the account information is illegitimate and the client's access is prohibited.
Step S3024: if the client's account information is determined to be legitimate, determine the client's operation privileges, which include at least one of updating data, deleting data and querying data.
In an exemplary embodiment of the present disclosure, a correspondence between account information and operation privileges is preset. Once the account information is found legitimate, the corresponding privileges are looked up, and only after the privileges show that the client may read the database is the output of the read-write interface checked for second data, which reduces the volume of data that has to be inspected.
Step S3026: return data through the read-write interface of the database according to the operation privileges and the request.
In an exemplary embodiment of the present disclosure, once it is determined that the client may read the database according to its operation privileges, data is returned through the read-write interface and the returned data is monitored for second data.
Step S3028: after the data has been returned, store the client's operation record.
In an exemplary embodiment of the present disclosure, the stored operation record mainly includes, without limitation, the client's IP address, the data that was read and its content.
As shown in FIG. 4, returning data through the read-write interface of the database in response to a client's request for first data further includes:
Step S4022: in response to the client's request for first data, determine the first encryption scheme used by the request.
Step S4024: determine a public/private key pair according to that encryption scheme.
In an exemplary embodiment of the present disclosure, a firewall sits between the client and the database. Data exchanged between them is encrypted with the public key and decrypted with the private key, and the firewall uses the key pair to verify both the exchanged data and the account information.
Step S4026: determine, from the public/private key pair, a second encryption scheme for the data to be returned.
Step S4028: encrypt the data to be returned under the second encryption scheme.
In an exemplary embodiment of the present disclosure, encrypting the returned data under the second scheme further improves the security and reliability of reading data from the database.
Step S4030: return the encrypted data to the client through the read-write interface.
In an exemplary embodiment of the present disclosure, the first and second encryption schemes may be the same or different.
As shown in FIG. 5, before data is returned through the read-write interface of the database, the method further includes:
Step S502: determine the data attribute information of the first data.
Step S504: generate the second data from the data attribute information of the first data.
In an exemplary embodiment of the present disclosure, generating the second data from the attribute information of the first data means that decoy data is produced flexibly to match the first data, that the amount of decoy data can be chosen, and that the second data can be written into the database in step with the storage time or storage volume of the first data, which reduces both the work of generating it and the load it places on data exchange.
Step S506: write the second data into the database, where the data attribute information of the first data differs from that of the second data, and the data attribute information includes at least one of a data format, a data length and an identifying field.
In an exemplary embodiment of the present disclosure, because the attribute information of the second data differs from that of the first data, the second data can be recognised promptly while the returned data is being actively inspected, and the client's access to the database disabled in time.
As shown in FIG. 6, writing the second data into the database includes:
Step S602: determine the storage time of the data in the database.
Step S604: determine, from the storage times, the first data that fall within the same storage-time range.
Step S606: write the second data at random positions within the data segment formed by the first data of that storage-time range.
In an exemplary embodiment of the present disclosure, grouping the first data by storage-time range and writing the second data at random into each group's data segment disperses the second data across the database, which improves the reliability and timeliness of its detection.
As shown in FIG. 7, writing the second data into the database further includes:
Step S702: determine the volume of data stored in the database.
Step S704: divide the stored data into data segments according to a preset data-volume threshold.
Step S706: write the second data at random into any of the data segments.
In an exemplary embodiment of the present disclosure, determining the volume of stored data, dividing it into segments by a preset data-volume threshold and writing the second data at random into each segment makes the distribution of the second data more uniform, which likewise improves the reliability and timeliness of its detection.
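The two placement strategies of FIG. 6 and FIG. 7, worked through as an added example (this is not code from the patent). It assumes integer IDs with gaps, a storage timestamp per row, and the decoy value format "s<ID>Ob" seen in Table 2; the bucket width and segment size are illustrative, and the sample rows are constructed from the IDs of Table 1 with made-up storage times.

```python
"""Placing decoy rows ("second data") in the ID gaps of a key-value table.

Added example, not the patent's code.  Assumptions: integer IDs, a stored_at
timestamp (seconds) per row, decoy values formatted 's<ID>Ob' as in Table 2.
"""
import random
from collections import defaultdict

# Constructed sample: the IDs of Table 1 with assumed storage times.
SAMPLE_ROWS = [
    (1, "Tr_1", 1000),
    (3, "Tr_3", 1010),
    (6, "Tr_6", 1020),
    (7, "Tr_7", 2000),
    (9, "Tr_9", 2010),
]


def decoy_value(decoy_id: int) -> str:
    """Second data with a distinct format: prefix 's', the ID, marker suffix 'Ob'."""
    return f"s{decoy_id}Ob"


def is_decoy(value: str) -> bool:
    """Detection rule matching decoy_value: checks format, marker field and length."""
    return value.startswith("s") and value.endswith("Ob") and value[1:-2].isdigit()


def free_ids(used_ids, lo, hi):
    """IDs in [lo, hi] that hold no first data: the discontinuities a decoy can occupy."""
    used = set(used_ids)
    return [i for i in range(lo, hi + 1) if i not in used]


def place_by_time_range(rows, bucket_seconds, per_bucket, seed=0):
    """FIG. 6: group first data by storage-time range, then write decoys at
    random free IDs inside each group's own ID span."""
    rng = random.Random(seed)
    buckets = defaultdict(list)
    for rid, _value, stored_at in rows:
        buckets[stored_at // bucket_seconds].append(rid)
    decoys = {}
    for ids in buckets.values():
        gaps = free_ids(ids, min(ids), max(ids))
        for did in rng.sample(gaps, min(per_bucket, len(gaps))):
            decoys[did] = decoy_value(did)
    return decoys


def place_by_volume(rows, segment_rows, per_segment, seed=0):
    """FIG. 7: split the stored rows into segments of at most segment_rows rows
    (the data-volume threshold) and write decoys at random free IDs in each."""
    rng = random.Random(seed)
    ids = sorted(r[0] for r in rows)
    decoys = {}
    for start in range(0, len(ids), segment_rows):
        seg = ids[start:start + segment_rows]
        gaps = free_ids(seg, seg[0], seg[-1])  # a segment without a gap gets no decoy
        for did in rng.sample(gaps, min(per_segment, len(gaps))):
            decoys[did] = decoy_value(did)
    return decoys


if __name__ == "__main__":
    print(place_by_time_range(SAMPLE_ROWS, bucket_seconds=1000, per_bucket=1))
    print(place_by_volume(SAMPLE_ROWS, segment_rows=3, per_segment=1))
```

Both strategies only ever use IDs that no first data occupies, so a service that reads by known key never sees a decoy, while an ID-walking client must cross the gaps.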
As shown in FIG. 8, the data interaction process in an exemplary embodiment of the present disclosure is as follows:
The client 802 requests data from the database 808 through the firewall 804 and the read-write interface (API) 806; the database is protected by the firewall, the client's password and privileges, data encryption and similar measures.
Data in the database 808 is stored as key-value pairs; the stored first data is shown in Table 1:
TABLE 1
ID    Value
1     Tr_1
3     Tr_3
6     Tr_6
7     Tr_7
9     Tr_9
However, once the client's password is leaked, a malicious client can obtain the full contents of the database 808.
For example, where the ID is a number, the attacker can walk the IDs incrementally through the API and pull the entire contents of the database 808.
As shown in FIG. 9, the data interaction process in another exemplary embodiment of the present disclosure is as follows:
The client 902 requests data from the database 908 through the firewall 904 and the read-write interface (API) 906; the database is protected by the firewall, the client's password and privileges, data encryption and similar measures.
Data in the database 908 is stored as key-value pairs; the stored first data and second data are shown in Table 2:
TABLE 2
ID    Value
1     Tr_1
2     s2Ob
3     Tr_3
5     s5Ob
6     Tr_6
A security processor 910 is added. It generates and writes into the database 908 a small amount of decoy data that normal services never access. When an abnormal client operation touches the decoy data, the read-write API 906 reports the abnormal operation, as part of the read-write event, asynchronously to the security processor 910, which then freezes the client 902 so that it cannot obtain further data, preventing the database 908 from being dumped.
The decoy data, which no service ever accesses, is thus added to the database 908 as a trap. An abnormal client pulling the full data set through the API (a dump) is bound to read the decoy data, which is an abnormal operation; in Table 2 the decoy values are 's2Ob' and 's5Ob'. The system uploads the abnormal-operation information to the security processor 910, which freezes the account of the client 902 that pulled the decoy data, so the dump cannot proceed. 'Tr_1', 'Tr_3' and 'Tr_6' in Table 2 are first data, i.e. normal data.
In an exemplary embodiment of the present disclosure, the scheme for defending the database against dumping further comprises:
1. Tables in a normally operating database contain discontinuities in their ID values.
2. The system's security module generates decoy ID-Value pairs from the scanned gaps and maintains a decoy-data table.
3. The Value of the decoy data is made distinguishable from normal data (for example by a special content format, a special length or a special field).
4. The decoys are placed randomly and irregularly and are few in number, so system performance is not affected.
5. When a client updates, deletes or queries decoy data through the access API, the operation is recorded as abnormal and reported asynchronously to the security module.
6. The security module decides from the abnormal operation whether to freeze the client.
7. A client performing a dump inevitably operates on the decoy data, so its account is frozen and the dump cannot continue.
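The detection and freezing path of FIG. 9 and points 5 to 7 above, as an added example (not the patent's code). It assumes a single key-value table reachable only through an API layer, decoys recognised both from the security module's decoy table and from the value format "s<ID>Ob", and in-memory account freezing; the report to the security module is made synchronously here where the text describes it as asynchronous. The table rows are Table 2; the account names and IP addresses are constructed.

```python
"""Canary-row detection at the read-write API, modelled on FIG. 9 and Table 2.

Added example, not the patent's code.  Assumptions: one key-value table behind
an API layer; decoys known from the security module's decoy table and from the
value format 's<ID>Ob'; account freezing kept in memory.
"""
import sqlite3

# Constructed data: Table 2 of the description.  IDs 2 and 5 are decoys.
TABLE_2 = [(1, "Tr_1"), (2, "s2Ob"), (3, "Tr_3"), (5, "s5Ob"), (6, "Tr_6")]
DECOY_IDS = {2, 5}  # the security module's decoy-data table (scheme point 2)


def looks_like_decoy(value: str) -> bool:
    """Scheme point 3: decoy values carry a special format and marker field."""
    return value.startswith("s") and value.endswith("Ob") and value[1:-2].isdigit()


class SecurityModule:
    """Receives abnormal-operation reports and decides whether to freeze the account."""

    def __init__(self):
        self.frozen = set()
        self.reports = []

    def report(self, account, ip, key, value):
        self.reports.append((account, ip, key, value))
        self.frozen.add(account)  # one decoy hit suffices: no service ever reads decoys

    def is_frozen(self, account):
        return account in self.frozen


class ReadWriteAPI:
    """The only path to the table; records every operation and checks results for decoys."""

    def __init__(self, rows, security):
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute("CREATE TABLE kv (id INTEGER PRIMARY KEY, value TEXT NOT NULL)")
        self.conn.executemany("INSERT INTO kv VALUES (?, ?)", rows)
        self.security = security
        self.audit = []  # operation records (step S3028): account, IP, key, value

    def read(self, account, ip, key):
        if self.security.is_frozen(account):
            raise PermissionError(f"account {account} is frozen")
        row = self.conn.execute("SELECT value FROM kv WHERE id = ?", (key,)).fetchone()
        value = row[0] if row else None
        self.audit.append((account, ip, key, value))
        if value is not None and (key in DECOY_IDS or looks_like_decoy(value)):
            # Reported synchronously here; the patent reports asynchronously.
            self.security.report(account, ip, key, value)  # S2062: access prohibited
        return value  # the client discards the decoy; its next request is refused


def normal_service(api, account, ip):
    """A legitimate service reads only the IDs it knows and never touches a decoy."""
    return {k: api.read(account, ip, k) for k in (1, 3, 6)}


def id_traversal_dump(api, account, ip, max_id):
    """The attack of FIG. 8: a leaked credential walks the IDs 1..max_id."""
    pulled = {}
    for key in range(1, max_id + 1):
        try:
            value = api.read(account, ip, key)
        except PermissionError:
            break  # frozen after the first decoy; the dump stops here
        if value is not None:
            pulled[key] = value
    return pulled


if __name__ == "__main__":
    sec = SecurityModule()
    api = ReadWriteAPI(TABLE_2, sec)
    print(normal_service(api, "svc", "10.0.0.5"))
    print(id_traversal_dump(api, "leaked", "198.51.100.7", 9))
    print(sec.frozen)
```

The traversal obtains only the first real row before it hits ID 2 and is frozen, whereas the service reading its known keys is never affected; the value-format check also catches a decoy whose ID is missing from the decoy table.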
Corresponding to the method embodiment, the present disclosure further provides a device for defending a database from being dragged, which may be used to execute the method embodiment.
Fig. 10 is a block diagram of an apparatus for defending against database drag in an exemplary embodiment of the present disclosure.
Referring to fig. 10, the apparatus 1000 for defending against database being dragged may include:
the transmission module 1002 is configured to respond to a request for acquiring the first data from the client, and feed back data through the read-write interface of the database.
The detecting module 1004 is configured to detect whether the data fed back by the read/write interface includes second data.
A security module 1006, configured to determine whether to modify the access right of the client according to a detection result of the second data.
In an exemplary embodiment of the disclosure, the security module 1006 is further configured to: if the data fed back by the read-write interface includes the second data, change the access authority to access forbidden; and if the data fed back by the read-write interface does not include the second data, keep the access authority at access permitted.
In an exemplary embodiment of the disclosure, the transmitting module 1002 is further configured to: in response to a request from a client to acquire first data, verify whether the account information of the client is legitimate; if the account information of the client is determined to be legitimate, determine the operation authority of the client, the operation authority including at least one of updating data, deleting data and querying data; feed back data through the read-write interface of the database according to the operation authority and the request; and after the data has been fed back, store the operation record of the client.
In an exemplary embodiment of the disclosure, the transmitting module 1002 is further configured to: in response to a request from a client to acquire first data, determine a first encryption mode of the request; determine a public key-private key pair according to the first encryption mode; determine a second encryption mode for the data to be fed back according to the public key-private key pair; encrypt the data to be fed back according to the second encryption mode; and feed back the encrypted data to the client through the read-write interface.
In an exemplary embodiment of the disclosure, the security module 1006 is further configured to: determine data attribute information of the first data; generate the second data according to the data attribute information of the first data; and write the second data into the database, the data attribute information of the second data differing from the data attribute information of the first data, and the data attribute information including at least one of a data format, a data length and an identification field.
In an exemplary embodiment of the disclosure, the security module 1006 is further configured to: determine the storage time of the data in the database; determine, according to the storage time, the first data belonging to the same storage time range; and write the second data at a random position into the data segment of the first data in that storage time range.
In an exemplary embodiment of the disclosure, the security module 1006 is further configured to: determine the data volume of the data stored in the database; divide the stored data into data segments according to a preset data volume threshold; and write the second data into a randomly chosen data segment.
Since the functions of the device 1000 for defending a database against dragging are described in detail in the corresponding method embodiments, they are not repeated here.
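A worked example of the security-module behaviour described above (and of claims 1, 2, 5, 6 and 7 below, with the operation-authority check of claim 3), written for this page in Go; it is an added example, not code from the patent or its applicant. "Dragging" renders 拖库, the bulk dumping of a database's contents, and the "second data" is bait planted among the real rows so that a dump, unlike a normal point lookup, carries bait back through the read-write interface. The patent leaves open which attribute distinguishes bait (format, length or identification field); this example assumes the identification field and keeps the bait's visible format and length identical to real rows, so that someone filtering a dump by row shape cannot strip it, while the server recognises bait by an HMAC marker under a key only it holds. The in-memory Store, the Record and Client types, the segment size and the sample rows are all constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"sort"
	"time"
)

// Record is one row. Bait ("second data") keeps the format and length of real rows.
type Record struct {
	ID       string // 32 hex characters for real and bait rows alike; bait carries a keyed marker
	StoredAt time.Time
}

type Client struct {
	Account   string
	Allowed   bool            // access authority, flipped to false once bait has been served
	Authority map[string]bool // operation authority: "query", "update", "delete"
}

type Store struct {
	Rows    []Record
	baitKey []byte // secret known only to the planting and detection code
}

var ErrForbidden, ErrBait = errors.New("access forbidden"), errors.New("response contained bait: access revoked")

func NewStore() *Store         { return &Store{baitKey: randomBytes(32)} }
func randomBytes(n int) []byte { b := make([]byte, n); rand.Read(b); return b }

// tag is the 8-byte HMAC-SHA256 marker that only the holder of the bait key can produce.
func (s *Store) tag(nonce []byte) []byte { m := hmac.New(sha256.New, s.baitKey); m.Write(nonce); return m.Sum(nil)[:8] }

// baitID mints an ID as long as a real one: 8 random bytes followed by their tag.
func (s *Store) baitID() string {
	nonce := randomBytes(8)
	return hex.EncodeToString(append(nonce, s.tag(nonce)...))
}

// IsBait recomputes the tag and compares in constant time; a real ID matches with probability 2^-64.
func (s *Store) IsBait(id string) bool {
	raw, err := hex.DecodeString(id)
	return err == nil && len(raw) == 16 && hmac.Equal(raw[8:], s.tag(raw[:8]))
}

// PlantBait sorts rows by storage time, cuts them into segments of at most segmentSize
// rows (claim 7) and writes one bait row into each at a random time inside its range (claim 6).
func (s *Store) PlantBait(segmentSize int) int {
	sort.Slice(s.Rows, func(i, j int) bool { return s.Rows[i].StoredAt.Before(s.Rows[j].StoredAt) })
	var bait []Record
	for start := 0; start < len(s.Rows); start += segmentSize {
		end := start + segmentSize
		if end > len(s.Rows) {
			end = len(s.Rows)
		}
		lo, span := s.Rows[start].StoredAt, s.Rows[end-1].StoredAt.Sub(s.Rows[start].StoredAt)
		n, _ := rand.Int(rand.Reader, big.NewInt(int64(span)+1)) // uniform offset in [0, span]
		bait = append(bait, Record{ID: s.baitID(), StoredAt: lo.Add(time.Duration(n.Int64()))})
	}
	s.Rows = append(s.Rows, bait...)
	return len(bait)
}

// Read is the read path of the read-write interface: check access and operation authority, select
// rows, inspect the response for bait; a hit flips the client to forbidden and withholds the rows.
func (s *Store) Read(c *Client, match func(Record) bool) ([]Record, error) {
	if !c.Allowed || !c.Authority["query"] {
		return nil, ErrForbidden
	}
	var out []Record
	for _, r := range s.Rows {
		if !match(r) {
			continue
		}
		if s.IsBait(r.ID) {
			c.Allowed = false
			return nil, ErrBait
		}
		out = append(out, r)
	}
	return out, nil
}

func main() {
	s, base := NewStore(), time.Date(2021, 5, 27, 0, 0, 0, 0, time.UTC)
	for i := 0; i < 10; i++ { // constructed sample: one real row per day
		s.Rows = append(s.Rows, Record{ID: hex.EncodeToString(randomBytes(16)), StoredAt: base.AddDate(0, 0, i)})
	}
	fmt.Println("bait rows planted:", s.PlantBait(4))
	thief := &Client{Account: "stolen-creds", Allowed: true, Authority: map[string]bool{"query": true}}
	_, err := s.Read(thief, func(Record) bool { return true }) // a full dump brings back bait
	fmt.Println(err, "allowed:", thief.Allowed)
}
```

Two caveats the text does not spell out. If the bait differs visibly in format or length, whoever dumps the table can drop it before the defender sees the response, so the distinguishing attribute should be one that only the server can check, as the keyed marker is here. And revoking access on the first bait row only helps if the read interface withholds or cuts off the response at that point, which is why Read returns without the rows rather than delivering them and revoking afterwards.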
It should be noted that although several modules or units of the device for executing the actions are mentioned in the above detailed description, such a division is not mandatory. Indeed, according to embodiments of the present disclosure, the features and functions of two or more of the modules or units described above may be embodied in a single module or unit. Conversely, the features and functions of one module or unit described above may be further divided so as to be embodied by a plurality of modules or units.
In an exemplary embodiment of the present disclosure, an electronic device capable of implementing the above method is also provided.
As will be appreciated by one skilled in the art, aspects of the present disclosure may be embodied as a system, a method or a program product. Thus, aspects of the disclosure may take the form of an entirely hardware embodiment, an entirely software embodiment (including firmware, microcode, etc.), or an embodiment combining hardware and software aspects, all of which may generally be referred to herein as a "circuit", "module" or "system".
An electronic device 1100 according to this embodiment of the disclosure is described below with reference to fig. 11. The electronic device 1100 shown in fig. 11 is only an example and should not impose any limitation on the functions or scope of use of the embodiments of the disclosure.
As shown in fig. 11, the electronic device 1100 takes the form of a general-purpose computing device. Its components may include, but are not limited to: at least one processing unit 1110, at least one memory unit 1120, and a bus 1130 that couples the various system components, including the memory unit 1120 and the processing unit 1110.
The memory unit stores program code that is executable by the processing unit 1110 to cause the processing unit 1110 to perform the steps according to the various exemplary embodiments of the disclosure described in the "exemplary methods" section above. For example, the processing unit 1110 may perform the methods shown in the embodiments of the present disclosure.
The memory unit 1120 may include a readable medium in the form of a volatile memory unit, such as a random access memory (RAM) 11201 and/or a cache memory 11202, and may further include a read-only memory (ROM) 11203.
The memory unit 1120 may also include a program/utility 11204 having a set (at least one) of program modules 11205, such program modules 11205 including, but not limited to: an operating system, one or more application programs, other program modules, and program data, each of which, or some combination thereof, may include an implementation of a network environment.
The bus 1130 may represent one or more of several types of bus structures, including a memory unit bus or memory unit controller, a peripheral bus, an accelerated graphics port, a processor, or a local bus using any of a variety of bus architectures.
The electronic device 1100 may also communicate with one or more external devices 1140 (e.g., a keyboard, a pointing device, a Bluetooth device, etc.), with one or more devices that enable a user to interact with the electronic device 1100, and/or with any device (e.g., a router, a modem, etc.) that enables the electronic device 1100 to communicate with one or more other computing devices. Such communication may occur via an input/output (I/O) interface 1150. The electronic device 1100 may also communicate with one or more networks (e.g., a local area network (LAN), a wide area network (WAN), and/or a public network such as the Internet) via a network adapter 1160. As shown, the network adapter 1160 communicates with the other modules of the electronic device 1100 over the bus 1130. It should be appreciated that, although not shown, other hardware and/or software modules may be used in conjunction with the electronic device 1100, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems.
Through the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein may be implemented by software, or by software in combination with the necessary hardware. Therefore, the technical solution according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a USB flash drive, a removable hard disk, etc.) or on a network, and which includes several instructions that enable a computing device (which may be a personal computer, a server, a terminal device, a network device, etc.) to execute the method according to the embodiments of the present disclosure.
In an exemplary embodiment of the present disclosure, there is also provided a computer-readable storage medium having stored thereon a program product capable of implementing the above-described method of the present specification. In some possible embodiments, aspects of the invention may also be implemented in the form of a program product comprising program code means for causing a terminal device to carry out the steps according to various exemplary embodiments of the invention described in the above section "exemplary methods" of the present description, when said program product is run on the terminal device.
The program product for implementing the above method according to an embodiment of the present invention may employ a portable compact disc read only memory (CD-ROM) and include program codes, and may be run on a terminal device, such as a personal computer. However, the program product of the present invention is not limited in this regard and, in the present document, a readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable disk, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
A computer readable signal medium may include a propagated data signal with readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A readable signal medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out operations for aspects of the present disclosure may be written in any combination of one or more programming languages, including an object-oriented programming language such as Java or C++ and conventional procedural programming languages such as the "C" programming language or similar languages. The program code may execute entirely on the client computing device, partly on the client device as a stand-alone software package, partly on the client computing device and partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the client computing device over any kind of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computing device (e.g., over the Internet using an Internet service provider).
Furthermore, the above-described figures are merely schematic illustrations of processes involved in methods according to exemplary embodiments of the invention, and are not intended to be limiting. It will be readily understood that the processes shown in the above figures are not intended to indicate or limit the chronological order of the processes. In addition, it is also readily understood that these processes may be performed synchronously or asynchronously, e.g., in multiple modules.
Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure disclosed herein. This application is intended to cover any variations, uses, or adaptations of the disclosure following, in general, the principles of the disclosure and including such departures from the present disclosure as come within known or customary practice within the art to which the disclosure pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the disclosure being indicated by the following claims.

Claims (10)

1. A method of defending a database against being dragged, comprising:
in response to a request from a client to acquire first data, feeding back data through a read-write interface of the database;
detecting whether the data fed back by the read-write interface includes second data; and
determining, according to the result of detecting the second data, whether to modify the access authority of the client.
2. The method of defending a database against being dragged according to claim 1, wherein determining, according to the result of detecting the second data, whether to modify the access authority of the client comprises:
if the data fed back by the read-write interface includes the second data, modifying the access authority to access forbidden; and
if the data fed back by the read-write interface does not include the second data, keeping the access authority as access permitted.
3. The method of defending a database against being dragged according to claim 1, wherein, in response to a request from a client to acquire first data, feeding back data through a read-write interface of the database comprises:
in response to the request from the client to acquire first data, verifying whether account information of the client is legitimate;
if the account information of the client is determined to be legitimate, determining the operation authority of the client, the operation authority including at least one of updating data, deleting data and querying data;
feeding back data through the read-write interface of the database according to the operation authority and the request; and
after the data has been fed back, storing an operation record of the client.
4. The method of defending a database against being dragged according to claim 1, wherein, in response to a request from a client to acquire first data, feeding back data through a read-write interface of the database further comprises:
in response to the request from the client to acquire first data, determining a first encryption mode of the request;
determining a public key-private key pair according to the first encryption mode;
determining a second encryption mode for the data to be fed back according to the public key-private key pair;
encrypting the data to be fed back according to the second encryption mode; and
feeding back the encrypted data to the client through the read-write interface.
5. The method of defending a database against being dragged according to any one of claims 1 to 4, wherein, before feeding back data through the read-write interface of the database, the method further comprises:
determining data attribute information of the first data;
generating the second data according to the data attribute information of the first data; and
writing the second data into the database, the data attribute information of the second data being different from the data attribute information of the first data,
wherein the data attribute information includes at least one of a data format, a data length and an identification field.
6. The method of defending a database against being dragged according to claim 5, wherein writing the second data into the database comprises:
determining the storage time of the data in the database;
determining, according to the storage time, the first data belonging to the same storage time range; and
writing the second data at a random position into the data segment of the first data in that storage time range.
7. The method of defending a database against being dragged according to claim 5, wherein writing the second data into the database further comprises:
determining the data volume of the data stored in the database;
dividing the stored data into data segments according to a preset data volume threshold; and
writing the second data into a randomly chosen data segment.
8. An apparatus for defending a database against being dragged, comprising:
a transmission module configured to feed back data through a read-write interface of the database in response to a request from a client to acquire first data;
a detection module configured to detect whether the data fed back by the read-write interface includes second data; and
a security module configured to determine, according to the result of detecting the second data, whether to modify the access authority of the client.
9. An electronic device, comprising:
a memory; and
a processor coupled to the memory, the processor being configured to execute, based on instructions stored in the memory, the method of defending a database against being dragged according to any one of claims 1 to 7.
10. A computer-readable storage medium on which a program is stored which, when executed by a processor, implements the method of defending a database against being dragged according to any of claims 1-7.
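The encryption exchange of claim 4 (and the matching transmitting-module embodiment in the description), as an added example written for this page in Go; it is not code from the patent or its applicant. The claim does not say whose key pair is determined or what the second encryption mode is, so the example reads it as hybrid encryption: the request names a mode (the first encryption mode) and carries the client's RSA public key, the server derives the content mode from that pair (a fresh A RES-256-GCM key wrapped to the public key with RSA-OAEP), encrypts the data to be fed back and returns the envelope, and the client unwraps with its private key. The mode string, the Request and Envelope types, the key generation helper and the sample payload are assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ModeHybrid is the one mode this server accepts: a fresh AES-256-GCM content key,
// wrapped with RSA-OAEP (SHA-256) to the client's public key.
const ModeHybrid = "RSA-OAEP-SHA256+AES-256-GCM"

var ErrMode = errors.New("unsupported encryption mode or key")

// Request is the client's data request: the first encryption mode it asks for and
// the public half of the key pair the response is to be wrapped to.
type Request struct {
	Mode      string
	ClientPub *rsa.PublicKey
}

// Envelope is the fed-back data. Mode is bound as OAEP label and as GCM associated
// data, so it cannot be swapped for a weaker one in transit without detection.
type Envelope struct {
	Mode       string
	WrappedKey []byte // content key under RSA-OAEP
	Nonce      []byte
	Ciphertext []byte
}

// NewClientKey generates the client's key pair (constructed here for the demo).
func NewClientKey(bits int) (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, bits) }

// Encrypt is the server side: validate the requested mode and key, pick the content
// (second) mode, encrypt the data to be fed back and wrap its key to the client.
func Encrypt(req Request, plaintext []byte) (*Envelope, error) {
	if req.Mode != ModeHybrid || req.ClientPub == nil || req.ClientPub.Size() < 256 {
		return nil, ErrMode // never negotiate down to unknown modes or RSA keys under 2048 bits
	}
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, req.ClientPub, key, []byte(req.Mode))
	if err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(req.Mode))
	return &Envelope{Mode: req.Mode, WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Decrypt is the client side: unwrap the content key with the private half of the
// pair, then open the payload. Tampering with mode, wrapped key or data fails here.
func Decrypt(env *Envelope, priv *rsa.PrivateKey) ([]byte, error) {
	if env.Mode != ModeHybrid {
		return nil, ErrMode
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, []byte(env.Mode))
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(env.Mode))
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	priv, err := NewClientKey(2048)
	if err != nil {
		panic(err)
	}
	env, err := Encrypt(Request{Mode: ModeHybrid, ClientPub: &priv.PublicKey}, []byte("first data: account rows")) // constructed payload
	if err != nil {
		panic(err)
	}
	pt, err := Decrypt(env, priv)
	fmt.Printf("round trip: %q %v\n", pt, err)
	env.Ciphertext[0] ^= 1 // a modified response fails GCM authentication
	_, err = Decrypt(env, priv)
	fmt.Println("tampered:", err)
}
```

The server accepts exactly one mode and a minimum key size, and the mode is authenticated as both the OAEP label and the GCM associated data, so a request or response that names a weaker mode is refused rather than negotiated down. Those two checks are what a reviewer would ask for in any implementation of this claim, since "determining an encryption mode from the request" is otherwise an invitation to downgrade.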
Application number: CN202110617418.7A
Priority date: 2021-05-27
Filing date: 2021-05-27
Publication number: CN113254997A
Publication date: 2021-08-13
Legal status: Pending
Family ID: 77186307
Country: CN

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107563197A (en) * 2017-08-30 2018-01-09 Hangzhou Anheng Information Technology Co., Ltd. (DBAPPSecurity) A database-layer defense method against database dumping (拖库) and credential-stuffing (撞库) attacks
CN109657492A (en) * 2018-12-12 2019-04-19 Taikang Insurance Group Co., Ltd. Database management method, medium and electronic device
CN111767269A (en) * 2020-06-24 2020-10-13 Suzhou Ziyan Network Technology Co., Ltd. Health detection method, device and equipment for a database instance, and storage medium
CN112817833A (en) * 2021-01-20 2021-05-18 *** Co., Ltd. Method and device for monitoring a database


Legal Events

Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right
Effective date of registration: 20220207
Applicant before: CHINA TELECOM Corp.,Ltd., No.31, Financial Street, Xicheng District, Beijing, 100033
Applicant after: Tianyiyun Technology Co.,Ltd., room 205-32, floor 2, building 2, No. 1 and No. 3, qinglonghutong a, Dongcheng District, Beijing, 100007