CN115859273A - Method, device and equipment for detecting abnormal access of database and storage medium - Google Patents


Info

Publication number
CN115859273A
Authority
CN
China
Prior art keywords
behavior
access
database
user
data
Prior art date
Legal status
Pending
Application number
CN202211568709.2A
Other languages
Chinese (zh)
Inventor
刘兴廷
Current Assignee
Ping An Property and Casualty Insurance Company of China Ltd
Original Assignee
Ping An Property and Casualty Insurance Company of China Ltd
Application filed by Ping An Property and Casualty Insurance Company of China Ltd
Priority to CN202211568709.2A
Publication of CN115859273A

Landscapes

  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The application discloses a method, a device, equipment and a storage medium for detecting abnormal access of a database, and belongs to the technical field of big data. Historical behavior characteristic data are obtained through extraction; performing depth feature synthesis on the historical behavior feature data to generate a behavior feature set; performing user behavior characteristic analysis on the behavior characteristic set by using an association rule algorithm and constructing a behavior pattern library; extracting current behavior characteristic data; and performing correlation matching on the current behavior characteristic data and the access behaviors in the behavior pattern library to obtain a detection result of the current access behaviors. In addition, the present application also relates to blockchain techniques, where current behavior feature data may be stored. According to the method and the device, effective user access information is extracted from the audit log of the database, and user behavior pattern mining is performed by combining depth characteristics and characteristic association rules to obtain a behavior rule base of a general user access database so as to judge the compliance of user access behaviors.

Description

Method, device and equipment for detecting abnormal access of database and storage medium
Technical Field
The application belongs to the technical field of big data, and particularly relates to a method, a device, equipment and a storage medium for detecting abnormal access of a database.
Background
Data plays an extremely important role in today's internet economy, and as big data develops, data security faces ever more serious problems. The underground industry of selling information keeps growing stronger, and the enterprise database, being the entity that organizes, stores and manages enterprise business data, has become a prime target of attackers.
Abnormal operations by users on a database are generally considered the greatest concern of database security. Although databases generally configure access control so that only users with the relevant rights can access data, access control has certain limitations and seriously affects the user experience. Because of the complexity of database structure and the uniqueness of its semantics, intrusion detection for databases is more difficult than existing intrusion detection applied to networks or operating systems, and anomaly detection systems built for networks or operating systems generally cannot be applied directly to databases.
Disclosure of Invention
An object of the embodiments of the present application is to provide a method and an apparatus for detecting abnormal access to a database, a computer device, and a storage medium, so as to solve the technical problem of poor security performance of the database caused by a lack of an intrusion detection mechanism in the existing database.
In order to solve the foregoing technical problem, an embodiment of the present application provides a method for detecting abnormal access to a database, which adopts the following technical solutions:
a method for detecting abnormal access of a database comprises the following steps:
extracting user behavior characteristics from audit logs of a historical database to obtain historical behavior characteristic data;
performing depth feature synthesis on the historical behavior feature data to generate a behavior feature set;
performing user behavior characteristic analysis on the behavior characteristic set by using a preset association rule algorithm, and identifying normal access behaviors and abnormal access behaviors in the behavior characteristic set;
constructing a behavior pattern library based on the normal access behaviors and the abnormal access behaviors;
extracting user behavior characteristics from an audit log of a current database to obtain current behavior characteristic data;
performing correlation matching on the current behavior feature data and the access behaviors in the behavior pattern library, and obtaining the detection result of the current access behavior.
Further, the user behavior characteristics include a user identifier, a time point, an SQL instruction, an operation database object, and an access attribute, and the extracting the user behavior characteristics from the audit log of the historical database to obtain historical behavior characteristic data specifically includes:
analyzing the historical database audit log to obtain user identification, time points, SQL instructions, operation database objects and access attributes recorded in the historical database audit log;
and constructing the historical behavior characteristic data based on the user identification, the time point, the SQL instruction, the operation database object and the access attribute.
Further, the analyzing the historical database audit log to obtain the user identifier, the time point, the SQL instruction, the operation database object, and the access attribute recorded in the historical database audit log specifically includes:
analyzing the audit log of the historical database to obtain original data of the audit log;
preprocessing the original data of the audit log, wherein the preprocessing at least comprises data cleaning processing and data normalization processing;
and extracting the user identification, the time point, the SQL instruction, the operation database object and the access attribute from the preprocessed original data of the audit log.
Further, the performing, by using a preset association rule algorithm, user behavior feature analysis on the behavior feature set to identify a normal access behavior and an abnormal access behavior in the behavior feature set specifically includes:
traversing the behavior feature set, and calculating the minimum support degree of all frequent item sets in the behavior feature set by using the association rule algorithm, wherein the frequent item set at least comprises one behavior feature;
and comparing the minimum support degree of each frequent item set with a preset support degree threshold value, and identifying normal access behaviors and abnormal access behaviors in the behavior feature set.
Further, the traversing the behavior feature set, and calculating the minimum support of all frequent item sets in the behavior feature set by using the association rule algorithm specifically include:
traversing the behavior feature set, selecting behavior features in the behavior feature set for combination, and constructing a frequent item set;
and calculating the minimum support degree of all frequent item sets in the behavior feature set by using the association rule algorithm.
Further, the comparing the minimum support degree of each frequent item set with a preset support degree threshold value, and identifying a normal access behavior and an abnormal access behavior in the behavior feature set specifically includes:
sequentially comparing the minimum support degree of each frequent item set with the support degree threshold value;
if the minimum support degree of the frequent item set is smaller than a preset support degree threshold value, the user access behavior corresponding to the behavior characteristics contained in the frequent item set is a normal access behavior;
and if the minimum support degree of the frequent item set is greater than or equal to a preset support degree threshold value, the user access behavior corresponding to the behavior characteristics contained in the frequent item set is an abnormal access behavior.
Further, the associating and matching the current behavior feature data with the access behavior in the behavior pattern library to obtain a detection result of the current access behavior specifically includes:
performing feature mapping on the current behavior feature data and feature data of each access behavior in the behavior pattern library;
determining an access behavior matched with the current behavior characteristic data in the behavior pattern library to obtain a matched access behavior;
determining the access state of the matching access behavior, and taking the access state of the matching access behavior as the detection result of the current access behavior, wherein the access state of the matching access behavior comprises normal access and abnormal access.
In order to solve the foregoing technical problem, an embodiment of the present application further provides a device for detecting abnormal access to a database, where the following technical solutions are adopted:
an apparatus for detecting abnormal access to a database, comprising:
the historical characteristic extraction module is used for extracting user behavior characteristics from an audit log of a historical database to obtain historical behavior characteristic data;
the depth feature synthesis module is used for performing depth feature synthesis on the historical behavior feature data to generate a behavior feature set;
the behavior feature analysis module is used for carrying out user behavior feature analysis on the behavior feature set by utilizing a preset association rule algorithm and identifying normal access behaviors and abnormal access behaviors in the behavior feature set;
the behavior pattern library construction module is used for constructing a behavior pattern library based on the normal access behavior and the abnormal access behavior;
the current characteristic extraction module is used for extracting user behavior characteristics from the current database audit log to obtain current behavior characteristic data;
and the characteristic association matching module is used for performing association matching on the current behavior characteristic data and the access behaviors in the behavior pattern library to obtain a detection result of the current access behaviors.
In order to solve the above technical problem, an embodiment of the present application further provides a computer device, which adopts the following technical solutions:
a computer device comprising a memory in which computer-readable instructions are stored and a processor which, when executing the computer-readable instructions, implements the steps of the method for detecting abnormal database access as claimed in any one of the preceding claims.
In order to solve the above technical problem, an embodiment of the present application further provides a computer-readable storage medium, which adopts the following technical solutions:
a computer readable storage medium having computer readable instructions stored thereon which, when executed by a processor, implement the steps of a method of detecting database abnormal access as claimed in any one of the preceding claims.
Compared with the prior art, the embodiment of the application mainly has the following beneficial effects:
the application discloses a method, a device, equipment and a storage medium for detecting abnormal access of a database, and belongs to the technical field of big data. The method comprises the steps that user behavior characteristics are extracted from audit logs of a historical database, and historical behavior characteristic data are obtained; performing depth feature synthesis on the historical behavior feature data to generate a behavior feature set; performing user behavior characteristic analysis on the behavior characteristic set by using a preset association rule algorithm, and identifying normal access behaviors and abnormal access behaviors in the behavior characteristic set; constructing a behavior pattern library based on the normal access behavior and the abnormal access behavior; extracting user behavior characteristics from an audit log of a current database to obtain current behavior characteristic data; and performing correlation matching on the current behavior characteristic data and the access behaviors in the behavior pattern library to obtain a detection result of the current access behaviors. According to the method and the device, effective user access information is extracted from the audit log of the database, and user behavior pattern mining is performed by combining depth characteristics and characteristic association rules to obtain a behavior rule base of a general user access database so as to judge the compliance of user access behaviors.
Drawings
In order to more clearly illustrate the solution of the present application, the drawings needed for describing the embodiments of the present application will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present application, and that other drawings can be obtained by those skilled in the art without inventive effort.
FIG. 1 illustrates an exemplary system architecture diagram to which the present application may be applied;
FIG. 2 illustrates a flow diagram of one embodiment of a method of detecting abnormal access to a database in accordance with the present application;
FIG. 3 illustrates a flow diagram of another embodiment of a method of detecting database anomalous access in accordance with the present application;
FIG. 4 illustrates a flow diagram of an Apriori algorithm implementation of a method of detecting database anomalous access in accordance with the present application;
FIG. 5 illustrates a schematic structural diagram of one embodiment of an apparatus for detecting database abnormal access according to the present application;
FIG. 6 shows a schematic block diagram of one embodiment of a computer device according to the present application.
Detailed Description
Unless defined otherwise, it is to be understood that, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs; the terminology used in the description of the application herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application; the terms "including" and "having," and any variations thereof, in the description and claims of this application and the description of the above figures are intended to cover non-exclusive inclusions. The terms "first," "second," and the like in the description and claims of this application or in the above-described drawings are used for distinguishing between different objects and not for describing a particular order.
Reference herein to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the application. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. It is explicitly and implicitly understood by one skilled in the art that the embodiments described herein can be combined with other embodiments.
In order to make the technical solutions better understood by those skilled in the art, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings.
As shown in fig. 1, the system architecture 100 may include terminal devices 101, 102, 103, a network 104, and a server 105. The network 104 serves as a medium for providing communication links between the terminal devices 101, 102, 103 and the server 105. Network 104 may include various connection types, such as wired, wireless communication links, or fiber optic cables, to name a few.
The user may use the terminal devices 101, 102, 103 to interact with the server 105 via the network 104 to receive or send messages or the like. The terminal devices 101, 102, 103 may have various communication client applications installed thereon, such as a web browser application, a shopping application, a search application, an instant messaging tool, a mailbox client, social platform software, and the like.
The terminal devices 101, 102, 103 may be various electronic devices having a display screen and supporting web browsing, including but not limited to smart phones, tablet computers, e-book readers, MP3 players (Moving Picture Experts Group Audio Layer III), MP4 players (Moving Picture Experts Group Audio Layer IV), laptop portable computers, desktop computers, and the like.
The server 105 may be a server that provides various services, for example, a background server that provides support for pages displayed on the terminal devices 101, 102, and 103, and may be an independent server, or a cloud server that provides basic cloud computing services such as a cloud service, a cloud database, cloud computing, a cloud function, cloud storage, a web service, cloud communication, a middleware service, a domain name service, a security service, a Content Delivery Network (CDN), and a big data and artificial intelligence platform.
It should be noted that the method for detecting abnormal database access provided in the embodiments of the present application is generally executed by a server, and accordingly, the apparatus for detecting abnormal database access is generally disposed in the server.
It should be understood that the number of terminal devices, networks, and servers in fig. 1 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
With continuing reference to fig. 2 and 3, a flow diagram of an embodiment of a method of detecting database anomalous access in accordance with the present application is shown. The embodiment of the application can acquire and process related data based on an artificial intelligence technology. Among them, artificial Intelligence (AI) is a theory, method, technique and application system that simulates, extends and expands human Intelligence using a digital computer or a machine controlled by a digital computer, senses the environment, acquires knowledge and uses the knowledge to obtain the best result.
The artificial intelligence infrastructure generally includes technologies such as sensors, dedicated artificial intelligence chips, cloud computing, distributed storage, big data processing technologies, operation/interaction systems, mechatronics, and the like. The artificial intelligence software technology mainly comprises a computer vision technology, a robot technology, a biological recognition technology, a voice processing technology, a natural language processing technology, machine learning/deep learning and the like.
Abnormal operations by users on a database pose the greatest threat to database security. Although databases generally configure access control so that only users with the relevant rights can access data, access control has certain limitations and seriously affects the user experience. Moreover, because of the complexity of database structure and the uniqueness of its semantics, intrusion detection for databases is more difficult than existing intrusion detection applied to networks or operating systems, and anomaly detection systems built for networks or operating systems cannot be applied directly to databases. The key steps of detecting abnormal user behavior in database access are analyzing the user behavior data expressed in the database audit log, constructing user behavior patterns, and detecting abnormal behavior with an effective detection algorithm.
To address the problem that illegal user operations currently endanger database security, the application provides a method, a device, equipment and a storage medium for detecting abnormal access to a database. The method preprocesses the historical audit log of the database and extracts features from it, then constructs a behavior pattern library; when a user accesses the database again, abnormal access behavior is detected against the behavior pattern library, so that illegal access operations are monitored in real time, an early warning is raised, and the result is fed back to the database administrator for handling.
The method for detecting the abnormal access of the database comprises the following steps:
s201, extracting user behavior characteristics from an audit log of a historical database to obtain historical behavior characteristic data.
The audit log of the database comprises a plurality of data characteristics capable of directly reflecting the access behavior of the user database, and in order to obtain effective user behavior characteristics, the audit log of the database can be analyzed, and characteristic data capable of representing the user behavior is extracted from the audit log of the database.
In this embodiment, before the server performs user behavior detection, a crawler acquires a historical audit log of a database, that is, a historical database audit log, analyzes the historical database audit log, and extracts user behavior characteristics from the historical database audit log to obtain historical behavior characteristic data.
Further, the user behavior characteristics include user identification, time point, SQL instruction, operation database object and access attribute, and the user behavior characteristics are extracted from the historical database audit log to obtain historical behavior characteristic data, which specifically includes:
analyzing the audit log of the historical database, and acquiring a user identifier, a time point, an SQL instruction, an operation database object and an access attribute recorded in the audit log of the historical database;
and constructing historical behavior characteristic data based on the user identification, the time point, the SQL instruction, the operation database object and the access attribute.
In a specific embodiment of the present application, in combination with a user environment and a database syntax, five features, namely, a user Identifier (ID), a time point (T), an SQL instruction (C), an operation database object (O), and an access attribute (P), are extracted to construct a user behavior feature, which is denoted as V = (ID, T, C, O, P), and each feature is described as follows:
user Identification (ID): to distinguish different access users;
time point (T): refers to a point in time of a user access operation;
SQL instruction (C): specific instructions for data operation, namely, actions actually performed by a user, such as addition, deletion, modification, check and the like, can be analyzed in an SQL statement;
operating database object (O): a database object refers to a database entity to be operated, such as a data table;
access attribute (P): the access attribute refers to the content which is required to be acquired from the database specifically, contains some sensitive data and can be extracted from the SQL statement in a parsing mode.
Further, analyzing the historical database audit log to obtain the user identifier, the time point, the SQL instruction, the operation database object and the access attribute recorded in the historical database audit log, which specifically includes:
analyzing the audit log of the historical database to obtain original data of the audit log;
preprocessing original data of the audit logs, wherein the preprocessing at least comprises data cleaning processing and data normalization processing;
and extracting user identification, time points, SQL instructions, operation database objects and access attributes from the preprocessed original data of the audit logs.
In this embodiment, before obtaining the user identifier, the time point, the SQL instruction, the operation database object, and the access attribute recorded in the audit log of the historical database, the raw data of the audit log of the historical database needs to be preprocessed, where the preprocessing at least includes data cleaning processing and data normalization processing, and the raw data missing one or a combination of the five features is removed through the data cleaning processing and the data normalization processing, so as to ensure validity and completeness of the feature data.
In the embodiment, the data characteristics directly reflecting the access behavior of the user database are obtained from the audit log of the historical database by analyzing the audit log of the historical database, so that the behavior pattern library is constructed in the following process.
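The feature extraction and preprocessing of step S201 (the five-tuple V = (ID, T, C, O, P), with data cleaning that drops records missing any feature and normalization of the values), shown as an added Python example. This is not code from the patent or its applicant: the audit-log line format "<ISO timestamp> user=<id> stmt=<SQL>", the constructed sample lines, and the simple regular-expression SQL parsing that derives the command, the table and the column list are all assumptions made for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Constructed sample audit-log lines (not taken from the patent). The line format
# "<ISO timestamp> user=<id> stmt=<SQL>" is an assumption; real audit logs differ.
SAMPLE_AUDIT_LOG = """\
2023-03-01T09:12:03Z user=alice stmt=SELECT name, email FROM customers WHERE id = 42
2023-03-01T09:12:41Z user=alice stmt=SELECT name, email FROM customers WHERE id = 43
2023-03-01T09:15:10Z user=bob stmt=UPDATE orders SET status = 'shipped' WHERE id = 7
2023-03-01T09:16:55Z user=bob stmt=INSERT INTO orders (customer_id, total) VALUES (42, 19.99)
2023-03-01T23:58:02Z user=carol stmt=SELECT * FROM customers
2023-03-01T23:59:30Z user= stmt=DELETE FROM audit_trail WHERE id < 100
this line is garbage and has no fields
2023-03-02T08:01:00Z user=dave stmt=SHOW TABLES
"""


@dataclass(frozen=True)
class BehaviorFeature:
    """The user behavior feature V = (ID, T, C, O, P) described in the text."""
    user_id: str            # ID: distinguishes the accessing user
    time_point: datetime    # T: when the access happened
    sql_command: str        # C: SELECT / INSERT / UPDATE / DELETE
    db_object: str          # O: the table being operated on
    access_attrs: tuple     # P: columns the statement touches, sorted


LINE_RE = re.compile(r"^(?P<ts>\S+)\s+user=(?P<user>\S*)\s+stmt=(?P<sql>.+)$")

# Assumed minimal SQL shapes; a production parser would use a real SQL grammar.
SQL_PATTERNS = {
    "SELECT": re.compile(r"^SELECT\s+(?P<cols>.+?)\s+FROM\s+(?P<table>\w+)", re.I | re.S),
    "INSERT": re.compile(r"^INSERT\s+INTO\s+(?P<table>\w+)\s*\((?P<cols>[^)]*)\)", re.I),
    "UPDATE": re.compile(r"^UPDATE\s+(?P<table>\w+)\s+SET\s+(?P<sets>.+?)(?:\s+WHERE\b|$)", re.I | re.S),
    "DELETE": re.compile(r"^DELETE\s+FROM\s+(?P<table>\w+)", re.I),
}


def parse_sql(sql: str) -> Optional[Tuple[str, str, tuple]]:
    """Derive (C, O, P) from one statement; None if it is not one of the four CRUD verbs."""
    parts = sql.strip().split(None, 1)
    if not parts:
        return None
    verb = parts[0].upper()
    pattern = SQL_PATTERNS.get(verb)
    match = pattern.match(sql.strip()) if pattern else None
    if not match:
        return None
    table = match.group("table").lower()                      # normalization: lowercase object
    if verb == "UPDATE":
        cols = [s.split("=")[0].strip() for s in match.group("sets").split(",")]
    elif verb == "DELETE":
        cols = ["*"]                                          # whole rows are affected
    else:
        cols = [c.strip() for c in match.group("cols").split(",")]
    attrs = tuple(sorted(c.lower() for c in cols if c))       # normalization: sorted, lowercase
    return verb, table, attrs


def parse_line(line: str) -> Optional[BehaviorFeature]:
    """Turn one raw audit-log line into V = (ID, T, C, O, P); None if any feature is missing."""
    match = LINE_RE.match(line.strip())
    if not match or not match.group("user"):                  # cleaning: malformed or no user id
        return None
    parsed = parse_sql(match.group("sql"))
    if parsed is None:                                        # cleaning: no usable C/O/P
        return None
    time_point = datetime.fromisoformat(match.group("ts").replace("Z", "+00:00"))
    command, table, attrs = parsed
    return BehaviorFeature(match.group("user"), time_point, command, table, attrs)


def extract_features(log_text: str) -> List[BehaviorFeature]:
    """Historical behavior feature data: every complete five-tuple found in the log."""
    features = (parse_line(line) for line in log_text.splitlines())
    return [f for f in features if f is not None]


if __name__ == "__main__":
    for feature in extract_features(SAMPLE_AUDIT_LOG):
        print(feature)
```

Running the block on the constructed log keeps five records: the empty user, the unparseable line and the SHOW statement are discarded by the cleaning step, which is what guarantees that every record fed to the later pattern mining carries all five features.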
S202, performing deep feature synthesis on the historical behavior feature data to generate a behavior feature set.
In this embodiment, the application performs depth feature synthesis on the historical behavior feature data through a preset Depth Feature Synthesis (DFS) algorithm to generate a behavior feature set. The nodes of the tree are traversed along its depth, exploring each branch as deeply as possible. When all edges of a node v have been searched, the search backtracks to the node from which v was discovered. This continues until all nodes reachable from the source node have been discovered; if undiscovered nodes remain, one of them is selected as a new source node and the process repeats until every node has been visited.
Generally speaking, a large amount of user behavior feature data is needed for constructing the behavior pattern library to ensure the comprehensiveness of the sample pattern library, and a large amount of time and effort are needed for extracting features from entities by a traditional manual method to construct a training data set, so that the efficiency is low. Therefore, in the embodiment, the historical behavior feature data is subjected to deep feature synthesis through the DFS algorithm, so that a behavior feature set containing a large amount of user behavior feature data is obtained.
S203, carrying out user behavior feature analysis on the behavior feature set by using a preset association rule algorithm, and identifying normal access behaviors and abnormal access behaviors in the behavior feature set.
The association rule (Apriori) algorithm is the first association rule mining algorithm and also the most classical one, abbreviated Apri algorithm. It uses an iterative, level-by-level search to find relationships among item sets in the database and form rules; its procedure consists of a join step (similar to a matrix operation) and a pruning step (removing unnecessary intermediate results). In the algorithm, an item set is a set of items; a set containing K items is a K-item set; the number of transactions containing an item set is called the frequency of the item set; and an item set that meets the minimum support is called a frequent item set.
In this embodiment, a preset Apriori algorithm is used to perform user behavior feature analysis on a behavior feature set, a frequent item set of user behavior features is constructed, and normal access behaviors and abnormal access behaviors in the behavior feature set are identified by calculating the minimum support of all the frequent item sets in the behavior feature set.
Further, a preset association rule algorithm is used for carrying out user behavior feature analysis on the behavior feature set, and normal access behaviors and abnormal access behaviors in the behavior feature set are identified, and the method specifically comprises the following steps:
traversing the behavior feature set, and calculating the minimum support of all frequent item sets in the behavior feature set by using an association rule algorithm, wherein the frequent item set at least comprises one behavior feature;
and comparing the minimum support degree of each frequent item set with a preset support degree threshold value, and identifying normal access behaviors and abnormal access behaviors in the behavior feature set.
In this embodiment, the behavior feature set is traversed, the minimum support of all frequent item sets in the behavior feature set is calculated by using an association rule algorithm, where the frequent item set includes at least one behavior feature, and the minimum support of each frequent item set is compared with a preset support threshold, so as to identify a normal access behavior and an abnormal access behavior in the behavior feature set.
For example, referring to fig. 4, which is a flowchart of an Apriori algorithm implementation of the method for detecting abnormal database access according to the present application: the set of items satisfying the minimum support, i.e. the frequent 1-item set, is first collected by traversing the behavior feature set and is denoted L1. L1 is then used to compute the frequent 2-item set L2 by applying the association rules, and the frequent item sets are computed in a loop, using the frequent (n-1)-item set Ln-1 to compute the frequent n-item set Ln, until no further frequent item sets can be found. It should be noted that the behavior feature set is scanned once for each successive association rule computation.
Further, traversing the behavior feature set, and calculating the minimum support of all frequent item sets in the behavior feature set by using an association rule algorithm, specifically comprising:
traversing the behavior feature set, selecting behavior features in the behavior feature set for combination, and constructing a frequent item set;
and calculating the minimum support degree of all frequent item sets in the behavior characteristic set by using an association rule algorithm.
In this embodiment, the behavior feature set is traversed circularly, the behavior features in the behavior feature set are selected to be combined, a frequent item set is constructed, and the minimum support of all the frequent item sets in the behavior feature set is calculated by using an association rule algorithm.
Further, comparing the minimum support degree of each frequent item set with a preset support degree threshold value, and identifying a normal access behavior and an abnormal access behavior in the behavior feature set, specifically including:
sequentially comparing the minimum support degree of each frequent item set with the support degree threshold value;
if the minimum support degree of the frequent item set is smaller than a preset support degree threshold value, the user access behavior corresponding to the behavior characteristics contained in the frequent item set is a normal access behavior;
and if the minimum support degree of the frequent item set is greater than or equal to a preset support degree threshold value, the user access behavior corresponding to the behavior characteristics contained in the frequent item set is an abnormal access behavior.
In this embodiment, after the minimum support degrees of all frequent item sets in the feature set are obtained through calculation, the minimum support degree of each frequent item set is sequentially compared with the support degree threshold, if the minimum support degree of the frequent item set is smaller than the preset support degree threshold, the user access behavior corresponding to the behavior feature included in the frequent item set is a normal access behavior, and if the minimum support degree of the frequent item set is greater than or equal to the preset support degree threshold, the user access behavior corresponding to the behavior feature included in the frequent item set is an abnormal access behavior.
It should be noted that the frequent item set includes the behavior feature with the strongest user relevance, and after the frequent item set meeting the minimum threshold is obtained, the access state of a certain user access behavior can be obtained, and the behavior pattern library of the user can be constructed according to the access states.
In this embodiment, after the user behavior features V of the historical user access behaviors have been crawled from the historical database audit log with a crawler, a behavior feature set is constructed from the user behavior features V using the DFS (depth feature synthesis) algorithm; after the user behavior feature set has been constructed, it is analyzed using the Apriori algorithm, and the normal access behaviors and abnormal access behaviors in the behavior feature set are mined.
And S204, constructing a behavior pattern library based on the normal access behavior and the abnormal access behavior.
In the embodiment, a behavior pattern library is constructed based on the identified normal access behavior and abnormal access behavior in the behavior feature set, and the user behavior pattern mining is performed by combining the depth features and the feature association rules to obtain a behavior rule library of a general user access database so as to judge the compliance of the user access behavior.
S205, extracting user behavior characteristics from the current database audit log to obtain current behavior characteristic data.
In this embodiment, a user access behavior detection instruction is received, the user behavior features, namely the user identifier (ID), the time point (T), the SQL instruction (C), the operation database object (O) and the access attribute (P), are extracted from the current database audit log, and the current behavior feature data is constructed from these features.
In this embodiment, the electronic device (for example, the server shown in fig. 1) on which the method for detecting abnormal access to the database is executed may receive a user access behavior detection instruction through a wired connection manner or a wireless connection manner. It is noted that the wireless connection means may include, but is not limited to, a 3G/4G connection, a WiFi connection, a bluetooth connection, a WiMAX connection, a Zigbee connection, a UWB (ultra wideband) connection, and other wireless connection means now known or developed in the future.
And S206, performing correlation matching on the current behavior characteristic data and the access behaviors in the behavior pattern library to obtain a detection result of the current access behaviors.
In this embodiment, the current behavior feature data is associated and matched with the access behavior in the behavior pattern library, and the matching access behavior is determined by mapping the behavior feature data to the same feature space and searching the behavior feature data of the overlapping portion, so as to obtain the detection result of the current access behavior.
Further, the method for obtaining the detection result of the current access behavior by performing correlation matching on the current behavior feature data and the access behavior in the behavior pattern library specifically includes:
performing feature mapping on the current behavior feature data and feature data of each access behavior in the behavior pattern library;
determining an access behavior matched with the current behavior characteristic data in the behavior pattern library to obtain a matched access behavior;
determining the access state of the matched access behavior, and taking the access state of the matched access behavior as the detection result of the current access behavior, wherein the access state of the matched access behavior comprises normal access and abnormal access.
In this embodiment, feature mapping is performed on the current behavior feature data and the feature data of each access behavior in the behavior pattern library, the behavior feature data is mapped to the same feature space, and by searching for the behavior feature data of the overlapping portion, the matching access behavior corresponding to the current user behavior is determined; the access state of the matching access behavior is then determined and used as the detection result of the current access behavior, where the access state of the matching access behavior includes normal access and abnormal access. Early warning information is output when the detection result of the current access behavior is abnormal access.
In the above embodiment, the matching access behavior corresponding to the current user behavior is determined by mapping the behavior feature data to the same feature space, and the detection result of the current access behavior is obtained.
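The level-wise Apriori mining of fig. 4 (S203), the threshold comparison of claim 6, the five-feature extraction of S205 and the overlap matching of S206, as one added Python example that is not code from the patent or its assignee. The pipe-separated log layout, the sample log lines, the current access line and the tie-break used in matching are assumptions of the example; the threshold comparison direction is kept exactly as the page states it (support at or above the threshold marks an access abnormal), which is a one-line change in classify() for a deployment that uses the opposite convention.

```python
"""Added example (not from the patent or its assignee): a compact sketch of
steps S201 to S206 in Python, run over constructed audit-log lines."""
from collections import Counter
from datetime import datetime
from itertools import combinations

# Constructed sample audit-log lines (not from the page). Field layout is an
# assumption: user id | timestamp | SQL statement | database object | access attribute
SAMPLE_LOG = [
    "u1001|2023-03-01T09:05:12|SELECT name FROM policy WHERE id=1|policy|app",
    "u1001|2023-03-01T09:40:03|SELECT * FROM policy WHERE id=7|policy|app",
    "u1001|2023-03-02T09:12:55|select premium from policy where id=9|policy|app",
    "u1002|2023-03-01T10:01:44|SELECT * FROM claim WHERE id=3|claim|app",
    "u1002|2023-03-02T10:22:08|UPDATE claim SET status='paid' WHERE id=3|claim|app",
    "u1002|2023-03-03T10:30:17|SELECT * FROM claim WHERE id=8|claim|app",
    "u1003|2023-03-01T23:58:41|SELECT * FROM policy|policy|console",
    "u1003|2023-03-02T02:10:09|DELETE FROM claim WHERE id=8|claim|console",
]


def parse_log_line(line):
    """S201/S205: one audit-log line -> the five behavior features the page names
    (ID, T, C, O, P), cleaned and normalised into 'key=value' items so that each
    access can be treated as an item set."""
    user, ts, sql, obj, attr = (f.strip() for f in line.split("|"))
    hour = datetime.fromisoformat(ts).hour        # time point bucketed to the hour
    verb = sql.split()[0].upper()                 # SQL instruction reduced to its verb
    return frozenset({f"ID={user}", f"T={hour:02d}", f"C={verb}",
                      f"O={obj.lower()}", f"P={attr.lower()}"})


def apriori(transactions, min_support):
    """Fig. 4: level-wise Apriori. L1 comes from one scan; each further level
    builds candidates from the previous level and scans the feature set once.
    Returns {frequent item set: support}."""
    n = len(transactions)
    counts = Counter(item for tx in transactions for item in tx)
    current = {frozenset([i]): c / n for i, c in counts.items() if c / n >= min_support}
    frequent = dict(current)
    k = 2
    while current:
        candidates = set()
        for a, b in combinations(list(current), 2):
            union = a | b
            # Apriori pruning: keep a k-candidate only if every (k-1)-subset is frequent
            if len(union) == k and all(frozenset(s) in current for s in combinations(union, k - 1)):
                candidates.add(union)
        level_counts = Counter()
        for tx in transactions:                   # the single scan for this level
            for cand in candidates:
                if cand <= tx:
                    level_counts[cand] += 1
        current = {c: v / n for c, v in level_counts.items() if v / n >= min_support}
        frequent.update(current)
        k += 1
    return frequent


def classify(support, support_threshold):
    """S203 / claim 6, comparison direction exactly as the page states it:
    support below the threshold -> normal, at or above it -> abnormal."""
    return "normal" if support < support_threshold else "abnormal"


def build_pattern_library(frequent, support_threshold):
    """S204: every frequent item set with its support and its access state."""
    return {items: {"support": s, "state": classify(s, support_threshold)}
            for items, s in frequent.items()}


def match_access(current, library):
    """S206: the current access is mapped into the same item space and matched to
    the library pattern whose items all occur in it (the overlapping portion).
    Assumption, since the page fixes no tie-break: the largest pattern wins,
    then the higher support. Returns (matched pattern, access state)."""
    best = None
    for items, entry in library.items():
        if items <= current:
            key = (len(items), entry["support"])
            if best is None or key > best[0]:
                best = (key, items, entry["state"])
    return (None, "unknown") if best is None else (best[1], best[2])


def detect(current_line, history=SAMPLE_LOG, min_support=0.25, support_threshold=0.3):
    """Whole pipeline for one current audit-log line; returns the detection result."""
    library = build_pattern_library(
        apriori([parse_log_line(l) for l in history], min_support), support_threshold)
    pattern, state = match_access(parse_log_line(current_line), library)
    return {"pattern": pattern, "state": state}


if __name__ == "__main__":
    # Constructed current access: u1003 querying policy from the console late at night
    print(detect("u1003|2023-03-03T23:40:10|select * from policy|policy|console"))
```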
In this embodiment, the application discloses a method for detecting abnormal access to a database, and belongs to the technical field of big data. The method comprises the steps that user behavior characteristics are extracted from audit logs of a historical database, and historical behavior characteristic data are obtained; performing depth feature synthesis on the historical behavior feature data to generate a behavior feature set; performing user behavior characteristic analysis on the behavior characteristic set by using a preset association rule algorithm, and identifying normal access behaviors and abnormal access behaviors in the behavior characteristic set; constructing a behavior pattern library based on normal access behaviors and abnormal access behaviors; extracting user behavior characteristics from the audit log of the current database to obtain current behavior characteristic data; and performing correlation matching on the current behavior characteristic data and the access behaviors in the behavior pattern library to obtain a detection result of the current access behaviors. According to the method and the device, effective user access information is extracted from the audit log of the database, and user behavior pattern mining is performed by combining depth characteristics and characteristic association rules to obtain a behavior rule base of a general user access database so as to judge the compliance of user access behaviors.
It is emphasized that, in order to further ensure the privacy and security of the current behavior feature data, the current behavior feature data may also be stored in a node of a blockchain.
The blockchain referred to by the application is a novel application mode of computer technologies such as distributed data storage, peer-to-peer transmission, consensus mechanisms and encryption algorithms. A blockchain is essentially a decentralized database, a series of data blocks linked by cryptographic methods, where each data block contains the information of a batch of network transactions, which is used to verify the validity (anti-counterfeiting) of the information and to generate the next block. The blockchain may include a blockchain underlying platform, a platform product service layer, an application service layer, and the like.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by hardware associated with computer readable instructions, which can be stored in a computer readable storage medium, and when executed, can include processes of the embodiments of the methods described above. The storage medium may be a non-volatile storage medium such as a magnetic disk, an optical disk, a Read-only Memory (ROM), or a Random Access Memory (RAM).
It should be understood that, although the steps in the flowcharts of the figures are shown in the order indicated by the arrows, the steps are not necessarily performed in that order. Unless otherwise indicated herein, the steps are not limited to the exact order shown and may be performed in other orders. Moreover, at least a portion of the steps in the flowcharts of the figures may include multiple sub-steps or multiple stages, which are not necessarily performed at the same time but may be performed at different times, and which are not necessarily performed in sequence but may be performed in turn or alternately with other steps or with at least a portion of the sub-steps or stages of other steps.
With further reference to fig. 5, as an implementation of the method shown in fig. 2, the present application provides an embodiment of an apparatus for detecting abnormal access to a database, where the embodiment of the apparatus corresponds to the embodiment of the method shown in fig. 2, and the apparatus may be applied to various electronic devices.
As shown in fig. 5, the apparatus 500 for detecting abnormal database access according to this embodiment includes:
a historical feature extraction module 501, configured to extract user behavior features from an audit log of a historical database to obtain historical behavior feature data;
a depth feature synthesis module 502, configured to perform depth feature synthesis on the historical behavior feature data to generate a behavior feature set;
the behavior feature analysis module 503 is configured to perform user behavior feature analysis on the behavior feature set by using a preset association rule algorithm, and identify a normal access behavior and an abnormal access behavior in the behavior feature set;
a behavior pattern library construction module 504, configured to construct a behavior pattern library based on the normal access behavior and the abnormal access behavior;
a current feature extraction module 505, configured to extract user behavior features from a current database audit log to obtain current behavior feature data;
and the feature association matching module 506 is configured to perform association matching on the current behavior feature data and the access behavior in the behavior pattern library to obtain a detection result of the current access behavior.
Further, the user behavior characteristics include a user identifier, a time point, an SQL instruction, an operation database object, and an access attribute, and the history characteristic extraction module 501 specifically includes:
the log analysis unit is used for analyzing the historical database audit log to acquire user identification, time points, SQL instructions, operation database objects and access attributes recorded in the historical database audit log;
and the characteristic construction unit is used for constructing historical behavior characteristic data based on the user identification, the time point, the SQL instruction, the operation database object and the access attribute.
Further, the log parsing unit specifically includes:
the log analysis subunit is used for analyzing the audit logs of the historical database to obtain original data of the audit logs;
the system comprises a preprocessing subunit, a data processing subunit and a data normalization processing subunit, wherein the preprocessing subunit is used for preprocessing the original data of the audit logs, and the preprocessing at least comprises data cleaning processing and data normalization processing;
and the data extraction subunit is used for extracting the user identifier, the time point, the SQL instruction, the operation database object and the access attribute from the preprocessed original data of the audit log.
Further, the behavior feature analysis module 503 specifically includes:
the association rule calculation unit is used for traversing the behavior feature set and calculating the minimum support degree of all frequent item sets in the behavior feature set by utilizing an association rule algorithm, wherein the frequent item set at least comprises one behavior feature;
and the support degree comparison unit is used for comparing the minimum support degree of each frequent item set with a preset support degree threshold value and identifying normal access behaviors and abnormal access behaviors in the behavior feature set.
Further, the association rule calculating unit specifically includes:
the frequent item set subunit is used for traversing the behavior feature set, selecting behavior features in the behavior feature set for combination, and constructing a frequent item set;
and the support degree calculation subunit is used for calculating the minimum support degree of all frequent item sets in the behavior characteristic set by using an association rule algorithm.
Further, the support degree comparison unit specifically includes:
the support degree comparison subunit is used for sequentially comparing the minimum support degree of each frequent item set with the support degree threshold value;
the first comparison result subunit is configured to, when the minimum support degree of the frequent item set is smaller than a preset support degree threshold value, determine that a user access behavior corresponding to a behavior feature included in the frequent item set is a normal access behavior;
and the second comparison result subunit is used for determining that the user access behavior corresponding to the behavior characteristics contained in the frequent item set is an abnormal access behavior when the minimum support degree of the frequent item set is greater than or equal to a preset support degree threshold value.
Further, the feature association matching module 506 specifically includes:
the characteristic mapping unit is used for carrying out characteristic mapping on the current behavior characteristic data and the characteristic data of each access behavior in the behavior pattern library;
the behavior matching unit is used for determining access behaviors matched with the current behavior characteristic data in the behavior pattern library to obtain matched access behaviors;
and the behavior detection unit is used for determining the access state of the matched access behavior and taking the access state of the matched access behavior as the detection result of the current access behavior, wherein the access state of the matched access behavior comprises normal access and abnormal access.
In this embodiment, the application discloses a detection device for abnormal access to a database, and belongs to the technical field of big data. The method comprises the steps that user behavior characteristics are extracted from audit logs of a historical database, and historical behavior characteristic data are obtained; performing depth feature synthesis on the historical behavior feature data to generate a behavior feature set; performing user behavior characteristic analysis on the behavior characteristic set by using a preset association rule algorithm, and identifying normal access behaviors and abnormal access behaviors in the behavior characteristic set; constructing a behavior pattern library based on the normal access behavior and the abnormal access behavior; extracting user behavior characteristics from the audit log of the current database to obtain current behavior characteristic data; and performing correlation matching on the current behavior characteristic data and the access behaviors in the behavior pattern library to obtain a detection result of the current access behaviors. According to the method and the device, effective user access information is extracted from the audit log of the database, and user behavior pattern mining is performed by combining depth characteristics and characteristic association rules to obtain a behavior rule base of a general user access database so as to judge the compliance of user access behaviors.
In order to solve the technical problem, an embodiment of the present application further provides a computer device. Referring to fig. 6 in detail, fig. 6 is a block diagram of a basic structure of a computer device according to the embodiment.
The computer device 6 comprises a memory 61, a processor 62 and a network interface 63, communicatively connected to each other via a system bus. It is noted that only the computer device 6 having the components 61-63 is shown in the figure, but it is understood that not all of the shown components are required to be implemented, and that more or fewer components may be implemented instead. As will be understood by those skilled in the art, the computer device is a device capable of automatically performing numerical calculation and/or information processing according to instructions set or stored in advance, and its hardware includes but is not limited to a microprocessor, an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA), a Digital Signal Processor (DSP), an embedded device, and the like.
The computer device can be a desktop computer, a notebook, a palm computer, a cloud server and other computing devices. The computer equipment can carry out man-machine interaction with a user through a keyboard, a mouse, a remote controller, a touch panel or voice control equipment and the like.
The memory 61 includes at least one type of readable storage medium including a flash memory, a hard disk, a multimedia card, a card-type memory (e.g., SD or DX memory, etc.), a Random Access Memory (RAM), a Static Random Access Memory (SRAM), a read-only memory (ROM), an electrically erasable programmable read-only memory (EEPROM), a programmable read-only memory (PROM), a magnetic memory, a magnetic disk, an optical disk, etc. In some embodiments, the memory 61 may be an internal storage unit of the computer device 6, such as a hard disk or a memory of the computer device 6. In other embodiments, the memory 61 may also be an external storage device of the computer device 6, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card), and the like, which are provided on the computer device 6. Of course, the memory 61 may also comprise both an internal storage unit of the computer device 6 and an external storage device thereof. In this embodiment, the memory 61 is generally used for storing an operating system installed in the computer device 6 and various application software, such as computer readable instructions of a method for detecting abnormal access to a database. Further, the memory 61 may also be used to temporarily store various types of data that have been output or are to be output.
The processor 62 may be a Central Processing Unit (CPU), controller, microcontroller, microprocessor, or other data Processing chip in some embodiments. The processor 62 is typically used to control the overall operation of the computer device 6. In this embodiment, the processor 62 is configured to execute computer readable instructions stored in the memory 61 or process data, for example, execute computer readable instructions of the method for detecting abnormal access to the database.
The network interface 63 may comprise a wireless network interface or a wired network interface, and the network interface 63 is typically used for establishing a communication connection between the computer device 6 and other electronic devices.
The computer device disclosed by the application belongs to the technical field of big data. The method comprises the steps that user behavior characteristics are extracted from audit logs of a historical database, and historical behavior characteristic data are obtained; performing depth feature synthesis on the historical behavior feature data to generate a behavior feature set; performing user behavior characteristic analysis on the behavior characteristic set by using a preset association rule algorithm, and identifying normal access behaviors and abnormal access behaviors in the behavior characteristic set; constructing a behavior pattern library based on the normal access behavior and the abnormal access behavior; extracting user behavior characteristics from an audit log of a current database to obtain current behavior characteristic data; and performing correlation matching on the current behavior characteristic data and the access behaviors in the behavior pattern library to obtain a detection result of the current access behaviors. According to the method and the device, effective user access information is extracted from the audit log of the database, and user behavior pattern mining is performed by combining depth characteristics and characteristic association rules to obtain a behavior rule base of a general user access database so as to judge the compliance of user access behaviors.
The present application further provides another embodiment, which is to provide a computer-readable storage medium storing computer-readable instructions executable by at least one processor to cause the at least one processor to perform the steps of the method for detecting abnormal database access as described above.
The storage medium disclosed by the application belongs to the technical field of big data. The method comprises the steps that user behavior characteristics are extracted from audit logs of a historical database, and historical behavior characteristic data are obtained; performing depth feature synthesis on the historical behavior feature data to generate a behavior feature set; performing user behavior characteristic analysis on the behavior characteristic set by using a preset association rule algorithm, and identifying normal access behaviors and abnormal access behaviors in the behavior characteristic set; constructing a behavior pattern library based on normal access behaviors and abnormal access behaviors; extracting user behavior characteristics from an audit log of a current database to obtain current behavior characteristic data; and performing correlation matching on the current behavior characteristic data and the access behaviors in the behavior pattern library to obtain a detection result of the current access behaviors. According to the method and the device, effective user access information is extracted from the audit log of the database, and user behavior pattern mining is performed by combining depth characteristics and characteristic association rules to obtain a behavior rule base of a general user access database so as to judge the compliance of user access behaviors.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solutions of the present application may be embodied in the form of a software product, which is stored in a storage medium (such as ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal device (such as a mobile phone, a computer, a server, an air conditioner, or a network device) to execute the method according to the embodiments of the present application.
The application is operational with numerous general purpose or special purpose computing system environments or configurations. For example: personal computers, server computers, hand-held or portable devices, tablet-type devices, multiprocessor systems, microprocessor-based systems, set top boxes, programmable consumer electronics, network PCs, minicomputers, mainframe computers, distributed computing environments that include any of the above systems or devices, and the like. The application may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. The application may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
It is to be understood that the above-described embodiments are merely illustrative of some, but not restrictive, of the broad invention, and that the appended drawings illustrate preferred embodiments of the invention and do not limit the scope of the invention. This application is capable of embodiments in many different forms and is provided for the purpose of enabling a thorough understanding of the disclosure of the application. Although the present application has been described in detail with reference to the foregoing embodiments, it will be apparent to one skilled in the art that the present application may be practiced without modification or with equivalents of some of the features described in the foregoing embodiments. All equivalent structures made by using the contents of the specification and the drawings of the present application are directly or indirectly applied to other related technical fields and are within the protection scope of the present application.

Claims (10)

1. A method for detecting abnormal access of a database is characterized by comprising the following steps:
extracting user behavior characteristics from an audit log of a historical database to obtain historical behavior characteristic data;
performing depth feature synthesis on the historical behavior feature data to generate a behavior feature set;
performing user behavior characteristic analysis on the behavior characteristic set by using a preset association rule algorithm, and identifying normal access behaviors and abnormal access behaviors in the behavior characteristic set;
constructing a behavior pattern library based on the normal access behaviors and the abnormal access behaviors;
extracting user behavior characteristics from an audit log of a current database to obtain current behavior characteristic data;
and performing correlation matching on the current behavior characteristic data and the access behaviors in the behavior pattern library to obtain a detection result of the current access behaviors.
2. The method for detecting abnormal access to a database according to claim 1, wherein the user behavior characteristics include a user identifier, a time point, an SQL instruction, an operation database object, and an access attribute, and the extracting the user behavior characteristics from the audit log of the historical database to obtain the historical behavior characteristic data specifically includes:
analyzing the historical database audit log to obtain user identification, time points, SQL instructions, operation database objects and access attributes recorded in the historical database audit log;
and constructing the historical behavior characteristic data based on the user identification, the time point, the SQL instruction, the operation database object and the access attribute.
3. The method for detecting abnormal access to a database according to claim 2, wherein the analyzing the audit log of the historical database to obtain the user identifier, the time point, the SQL instruction, the operation database object, and the access attribute recorded in the audit log of the historical database specifically comprises:
analyzing the audit log of the historical database to obtain original data of the audit log;
preprocessing the original data of the audit log, wherein the preprocessing at least comprises data cleaning processing and data normalization processing;
and extracting the user identification, the time point, the SQL instruction, the operation database object and the access attribute from the preprocessed original data of the audit log.
4. The method for detecting abnormal access to a database according to claim 1, wherein the performing user behavior feature analysis on the behavior feature set by using a preset association rule algorithm and identifying a normal access behavior and an abnormal access behavior in the behavior feature set specifically includes:
traversing the behavior feature set, and calculating the minimum support degree of all frequent item sets in the behavior feature set by using the association rule algorithm, wherein the frequent item set at least comprises one behavior feature;
and comparing the minimum support degree of each frequent item set with a preset support degree threshold value, and identifying normal access behaviors and abnormal access behaviors in the behavior feature set.
5. The method for detecting abnormal access to a database according to claim 4, wherein the traversing the behavior feature set and calculating the minimum support of all frequent item sets in the behavior feature set by using the association rule algorithm specifically includes:
traversing the behavior feature set, selecting behavior features in the behavior feature set for combination, and constructing a frequent item set;
and calculating the minimum support degree of all frequent item sets in the behavior feature set by using the association rule algorithm.
6. The method for detecting abnormal access to a database according to claim 4, wherein the comparing the minimum support of each frequent item set with a preset support threshold to identify a normal access behavior and an abnormal access behavior in the behavior feature set specifically includes:
sequentially comparing the minimum support degree of each frequent item set with the support degree threshold value;
if the minimum support degree of the frequent item set is smaller than a preset support degree threshold value, the user access behavior corresponding to the behavior characteristics contained in the frequent item set is a normal access behavior;
and if the minimum support degree of the frequent item set is greater than or equal to a preset support degree threshold value, the user access behavior corresponding to the behavior characteristics contained in the frequent item set is an abnormal access behavior.
7. The method for detecting abnormal access to a database according to any one of claims 1 to 6, wherein performing correlation matching between the current behavior feature data and the access behaviors in the behavior pattern library to obtain a detection result for the current access behavior specifically includes:
mapping the current behavior feature data onto the feature data of each access behavior in the behavior pattern library;
determining which access behavior in the behavior pattern library matches the current behavior feature data, to obtain a matched access behavior;
and determining the access state of the matched access behavior and taking that access state as the detection result for the current access behavior, wherein the access state of the matched access behavior is one of normal access and abnormal access.
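The procedure of claims 5 to 7 carried through on constructed audit-log feature records, as an added example that is not part of the patent: item sets are built by combining behavior features, each set's support is computed, the comparison with the threshold follows the direction claim 6 states, and a current access is matched against the resulting pattern library. The feature names, sample records and threshold value are hypothetical.

```python
from itertools import combinations
from typing import Dict, FrozenSet, List, Optional

# Constructed sample (hypothetical values): each record is the set of behavior
# features extracted from one audit-log entry of the historical database.
HISTORY: List[FrozenSet[str]] = [
    frozenset({"user=app_svc", "op=SELECT", "table=orders", "hour=work"}),
    frozenset({"user=app_svc", "op=SELECT", "table=orders", "hour=work"}),
    frozenset({"user=app_svc", "op=UPDATE", "table=orders", "hour=work"}),
    frozenset({"user=app_svc", "op=SELECT", "table=customers", "hour=work"}),
    frozenset({"user=dba_ops", "op=SELECT", "table=customers", "hour=night"}),
    frozenset({"user=dba_ops", "op=DELETE", "table=customers", "hour=night"}),
]

def support(itemset: FrozenSet[str], records: List[FrozenSet[str]]) -> float:
    """Fraction of records that contain every feature of the item set."""
    return sum(1 for rec in records if itemset <= rec) / len(records)

def frequent_itemsets(records: List[FrozenSet[str]],
                      max_size: int = 4) -> Dict[FrozenSet[str], float]:
    """Claim 5: combine behavior features into item sets (each with at least
    one feature) and compute the support of every set that actually occurs."""
    features = sorted(set().union(*records))
    itemsets: Dict[FrozenSet[str], float] = {}
    for size in range(1, max_size + 1):
        for combo in combinations(features, size):
            sup = support(frozenset(combo), records)
            if sup > 0:
                itemsets[frozenset(combo)] = sup
    return itemsets

def build_pattern_library(itemsets: Dict[FrozenSet[str], float],
                          threshold: float) -> Dict[FrozenSet[str], str]:
    """Claim 6, with the comparison direction exactly as the claim states it:
    support below the threshold -> normal, at or above it -> abnormal."""
    return {s: ("normal" if sup < threshold else "abnormal")
            for s, sup in itemsets.items()}

def match_current(current: FrozenSet[str],
                  library: Dict[FrozenSet[str], str]) -> Optional[str]:
    """Claim 7: map the current access's features onto the library and return
    the access state of the matched behavior, or None if nothing matches.
    The most specific match (largest contained item set) wins."""
    matches = [s for s in library if s <= current]
    if not matches:
        return None
    best = max(matches, key=lambda s: (len(s), sorted(s)))
    return library[best]
```

The comparison direction is isolated in build_pattern_library because many deployments flag rare (low-support) feature combinations rather than frequent ones; a None result from match_current is itself worth alerting on, since it means the access pattern was never observed in the historical audit log.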
8. An apparatus for detecting abnormal access to a database, comprising:
the historical characteristic extraction module is used for extracting user behavior characteristics from an audit log of a historical database to obtain historical behavior characteristic data;
the depth feature synthesis module is used for performing depth feature synthesis on the historical behavior feature data to generate a behavior feature set;
the behavior feature analysis module is used for carrying out user behavior feature analysis on the behavior feature set by utilizing a preset association rule algorithm and identifying normal access behaviors and abnormal access behaviors in the behavior feature set;
the behavior pattern library construction module is used for constructing a behavior pattern library based on the normal access behavior and the abnormal access behavior;
the current characteristic extraction module is used for extracting user behavior characteristics from the current database audit log to obtain current behavior characteristic data;
and the characteristic association matching module is used for carrying out association matching on the current behavior characteristic data and the access behaviors in the behavior pattern library to obtain a detection result of the current access behaviors.
9. A computer device comprising a memory having computer-readable instructions stored therein and a processor which, when executing the computer-readable instructions, implements the steps of the method for detecting abnormal access to a database according to any one of claims 1 to 7.
10. A computer-readable storage medium having computer-readable instructions stored thereon which, when executed by a processor, implement the steps of the method for detecting abnormal access to a database according to any one of claims 1 to 7.
Application CN202211568709.2A, priority date 2022-12-08, filing date 2022-12-08: Method, device and equipment for detecting abnormal access of database and storage medium. Status: Pending. Publication CN115859273A (en).

Publications (1)

Publication Number Publication Date
CN115859273A true CN115859273A (en) 2023-03-28

Family

ID=85670972

Country Status (1)

Country Link
CN (1) CN115859273A (en)
Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117040923A (en) * 2023-09-28 2023-11-10 联通(广东)产业互联网有限公司 User behavior anomaly detection method and system based on Apriori algorithm
CN117040923B (en) * 2023-09-28 2024-03-19 联通(广东)产业互联网有限公司 User behavior anomaly detection method and system based on Apriori algorithm

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination