CN1352428A - Bypass access control system based on SQL statement - Google Patents
Info

Publication number: CN1352428A
Authority: CN (China)
Prior art keywords: database, access control, data, control system, access
Legal status: Granted (status as listed by Google Patents; not a legal conclusion)
Application number: CN 01132338
Other languages: Chinese (zh)
Other versions: CN1170229C
Inventors: 唐星原, 王剑斌, 钟亦平, 杜红伟
Current assignee: FUDAN GUANGHUA INFORMATION SCIENCE AND TECHNOLOGY Co Ltd SHANGHAI
Original assignee: FUDAN GUANGHUA INFORMATION SCIENCE AND TECHNOLOGY Co Ltd SHANGHAI
Priority date / filing date: 2001-11-29 (application CNB011323388A)
Publication: CN1352428A published 2002-06-05; granted as CN1170229C on 2004-10-06
Current legal status: Expired - Fee Related

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention discloses a bypass-type (out-of-band) access control system based on SQL statements. It comprises a probe/blocking unit, an analysis center, an audit record database and a console. The bypass access control system analyzes, organizes and classifies the SQL statements that access the database, and thereby addresses the security and control of each database access link (connecting to the database, logging on to the database, operating on the database and describing database operations) in accordance with the user's requirements.

Description

Bypass access control system based on SQL statement
Technical field
The system relates to security monitoring and control technology for network databases, in particular to a bypass-type database access control system based on SQL statements.
Background technology
Data organized in database form has become the principal way computers store data, because of its sharability, independence, consistency, integrity and controlled accessibility, and a database system, like any other software, needs security protection. A database holds large amounts of data shared by many users whose responsibilities and authorities differ; data redundancy in a database is low, so that once the database is damaged the stored values are lost; and a database generally supports simultaneous access by many users, so that damage to data integrity can have very serious consequences.
Database security means preventing unauthorized access, modification and destruction of data by software or hardware means; it involves many aspects, such as security control at different levels. Ordinary operating systems have no special protection for database files, so database security must be provided by other measures such as the database management system (DBMS). It is therefore necessary to restrict users and to enforce database access control for users of different levels: each user may access only the data corresponding to his own authority rather than the entire database, unauthorized users are forbidden from accessing data, and modification of data in the database by users is strictly controlled, so as to avoid the adverse consequences of unintentional or malicious modification.
Database access control limits the operations that visitors and executing programs can perform, and so can forestall security breaches. Its purpose is that users can perform only authorized database operations.
Existing database access control is generally provided by the database product itself. Two mature types of database access control exist today: Discretionary Access Control (DAC) and Mandatory Access Control (MAC). Role Based Access Control (RBAC) is also under development. The core idea of RBAC is to associate permissions with roles: a user must first become a member of the corresponding role before obtaining that role's permissions. This simplifies authorization management; roles can be created according to the different jobs in an organization, and roles are then assigned according to a user's responsibilities and qualifications. Users can change roles, and as new applications and systems are added a role can be granted more permissions or have permissions revoked as needed. Most databases in practical use are based on DAC and MAC, or on a combination of the two. DAC leaves the decision on access rights to the owner of the information, whereas MAC requires all users to obey rules established by the database administrator.
These database access control mechanisms still have the following defects:
1. Because DAC allows users to modify the permissions on objects they control without the intervention of the system administrator, DAC is easily attacked; for example, an attacker may copy or tamper with confidential data by indirect means.
2. After an attack has occurred, because several users may log in with the same user name and password, it is difficult to locate the attacker precisely even if he logs in from a different place.
3. Purely discretionary access control cannot provide fine access control granularity, so it is usually combined with other mechanisms such as mandatory access control to provide finer granularity.
4. The security of access control depends on the integrity of the access control list. The database administrator, and users holding certain access rights, can selectively and dynamically grant access rights to other users and revoke them when needed. When a user is registered, a password can be assigned and, with the approval of the database administrator or database owner, the user is granted the right to access the corresponding system resources. If an attacker obtains an illegal authorization and modifies the relevant user information, then when he logs in the system checks only the access control list stored in the database; even if that list has been tampered with, the system cannot know it, still less interrupt the connection, and so cannot stop the attacker's further destructive actions.
5. Auditing inside the database consumes the database's own resources, and its effect can only be realized on the premise that it collects the required information in the easiest, fastest and least intrusive way. The information it collects and the measures it can take are also very limited.
Therefore, relying only on the database's own access control mechanism cannot effectively guarantee data security. Even a firewall cannot effectively prevent insiders from destroying or tampering with data, and people inside the network are more familiar with their own network and hold certain privileges, so intrusion or damage is easier for them. Access control must therefore work together with other security measures, such as authentication and auditing. A secure database audit provides comprehensive security assurance and maintenance for an information system: it is a security product that monitors, identifies, records, alarms on and responds to database intrusions, violations and other security-related key activities, and it offers a higher application level and greater intelligence.
Summary of the invention
The object of the invention is to propose a bypass access control system based on SQL statements that can be applied to a database auditing system and used with existing, heterogeneous database products, regardless of whether the access control mechanism of the database product is discretionary access control (DAC), mandatory access control (MAC), role management, or DAC combined with MAC. The system is physically independent of the database and implements database access control monitoring on the network, providing a more reliable guarantee for database access control.
The object of the invention is achieved as follows:
The bypass access control system comprises four modules: a probe/blocking device, an analysis center, an audit record database and a console. The bypass access control system analyzes, organizes and classifies the SQL statements that access the database, and thereby implements control, corresponding to the user's requirements, over each database access link: connecting to the database, logging on to the database, operating on the database and describing database operations.
The data transfer relationships among the four modules are: the probe/blocking device exchanges data with the analysis center; the analysis center exchanges data with the audit record database; the audit record database exchanges data with the console; and the console transmits data one-way to the probe/blocking device.
In the bypass access control system, data processing in the probe/blocking device is divided into four parts: TCP/IP protocol analysis, database-specific protocol analysis and reconstruction, access control screening, and internal communication.
The analysis center unpacks the packets in the specific internal format, judges the packet information according to the security configuration rules, performs contextual joint analysis where necessary using the historical information in the access record table of the audit record database, and stores the data in the audit record database as alarm or non-alarm records.
The audit record database is responsible for recording: the time at which the database access was initiated, the connection identification number of the access, the connection sequence number of the access, the database user login name, the NIC address, IP address and port number of the user and of the database, the statement type of the access, the access statement itself, and the number of the rule violated by the access.
The console sets rules for database access; the rules specify different response modes; and the console can view the data stored in the audit record database.
Rules can be set on the following objects: the database login user name, the operation type of the database access statement, the database client IP address, the data tables involved in the access, and keywords in the database access statement.
The different response modes comprise: alarm, record, interrupt and ignore.
With the above scheme, effective auditing and security control of database access are achieved without increasing the database's load, consuming database resources or changing the physical network; for every database operation on every connection, and for every operation command, database security access control is performed at a finer granularity.
Because the access control function is implemented in the probe, even if the security of the database itself is compromised, the existing configuration of the independent probe analyzer and of the analysis center's intelligent access control analysis module is unaffected. Even if the database has been modified, access can still be effectively blocked and controlled.
The access control analyzer in the probe greatly relieves the load that large volumes of data would place on the analysis center, improves the reaction speed of the auditing system, and saves valuable time for the blocking device to block suspicious or illegal operations promptly.
Because the intelligent analysis system of the analysis center uses the historical information of user and database data records to perform contextual joint analysis, it can effectively counter the weakness of discretionary access control. And because the SQL-based bypass access control system can recombine and classify access control behavior, it can analyze a series of operations by a given user over a period of time and reach a joint judgment, giving it the opportunity to disconnect the connection before the user carries out a destructive attack on the database.
Description of drawings: Fig. 1 is the workflow diagram of the bypass access control system based on SQL statements.
Embodiment
The invention is further described below with reference to an embodiment.
Referring to Fig. 1, a 100 Mbit/s network probe device (the probe/blocking device) 3 is fitted with two 100 Mbit/s network cards. Network card one has no IP address and is set to promiscuous mode to listen to the packets on the network. Network card two is connected to an NT server.
The NT server is loaded with the audit center software serving as the analysis center 4 and the data management software serving as the console 5, and an MS SQL Server database serving as the audit record database 6 stores the audit data.
When database user 1 accesses the ORACLE database server 2, the network probe device 3 hears the transmitted packets on network card one. The probe device 3 matches each packet to a connection, looking up the connection table for that connection. When the packet is a connection initiation packet, the probe device 3 establishes a new connection table from it (if no table exists for the connection, a new one is created), and subsequent database operation information is also stored in this connection table. The connection table is a data structure in the probe/blocking device that stores information such as the IP addresses and ports of the TCP/IP packets, the time the connection was initiated, the database user name, the client information supplied at login, the negotiated protocol information, the information on the accessed database host, and a historical summary of the log file for the connection, the database and the database user.
Database user 1 sends a connection packet. When the probe device 3 obtains this packet, it analyzes the packet data. By parsing the TNS protocol header of the ORACLE database protocol, the probe can obtain the TNS data type from this packet, including the TNS version used by the TNS client software and some attributes the current connection will adopt, such as the connect packet size and the maximum acceptable data length. From the response packet of server 2 we can learn whether the server accepts the request; if it does, we obtain the TNS version actually used by the connection and the attribute characteristic words actually adopted. We record these attributes in the connection table to facilitate the analysis of later packets.
After the connection table is established, database user 1 sends server 2 all the software versions it can accept, and server 2 selects a software version acceptable to both sides from the versions it can use. When the probe device 3 obtains this packet it can determine the TNS protocol type; database user 1 negotiates the protocol with server 2, and the host information obtained is stored in the connection table.
After protocol negotiation, the database user begins to send its login information to the database server 2. The probe device 3 judges the packet type according to its TNS type, basic operation type and function type, obtains the database login user name according to the actual packet structure, and records this information in the connection table.
After the user login information has been confirmed by the database server 2 and success returned, database user 1 can begin a series of database access operations. The data structures used can be obtained according to the three types in the TNS protocol, namely the TNS type, the basic operation type and the function type. According to these types, the probe device 3 parses the packet and can obtain the SQL statement from it.
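The connection phase of the embodiment above (connect packet, server acceptance, data packets, one connection table row per client/server pair), as an added example that is not code from the patent or its assignee. The TNS framing it assumes is the one documented by public protocol dissectors: an 8-byte header (length, packet checksum, type, flags, header checksum), a CONNECT body whose 16-bit fields carry the version first, the SDU size fourth and the connect-data length and offset ninth and tenth, an ACCEPT body with the version first and the SDU third, and a DATA body of two flag bytes followed by the payload; treat those offsets as an assumption. The TTC layer inside DATA packets, which is what really carries the logon name and the SQL text, is not decoded here, so DATA payloads are kept as opaque bytes, and the sample packets are constructed to the same layout the parser expects.

```python
"""Toy TNS-layer probe rebuilding the connection table described above.
Added example, not code from the patent. Assumed framing, per public TNS
dissectors: 8-byte header (length, checksum, type, flags, header checksum);
CONNECT body with version at 16-bit field 1, SDU at field 4, connect-data
length/offset at fields 9-10; ACCEPT body with version at field 1 and SDU at
field 3; DATA body = 2 flag bytes + payload. The TTC layer carrying logon and
SQL inside DATA packets is not decoded."""
import re
import struct
from dataclasses import dataclass, field

TNS_CONNECT, TNS_ACCEPT, TNS_DATA = 1, 2, 6
LISTENER_PORT = 1521  # assumption: tells the server side from the client side

@dataclass
class Connection:
    """One row of the probe's connection table."""
    client: tuple          # (ip, port) of the database user
    server: tuple          # (ip, port) of the database host
    started_at: float      # time the connection was initiated
    tns_version: int = 0   # offered by the client, replaced by the server's answer
    sdu_size: int = 0
    connect_data: str = ""
    service: str = ""      # SERVICE_NAME pulled from the connect descriptor
    accepted: bool = False
    payloads: list = field(default_factory=list)  # opaque DATA payloads

def parse_tns(packet):
    """Split one captured TNS packet into header fields and a decoded body."""
    if len(packet) < 8:
        raise ValueError("short TNS packet")
    length, _csum, ptype, _flags, _hcsum = struct.unpack(">HHBBH", packet[:8])
    if length > len(packet):
        raise ValueError("TNS length field exceeds captured bytes")
    body, info = packet[8:length], {"type": ptype}
    if ptype == TNS_CONNECT:
        info["version"] = struct.unpack(">H", body[0:2])[0]
        info["sdu"] = struct.unpack(">H", body[6:8])[0]
        cd_len, cd_off = struct.unpack(">HH", body[16:20])
        info["connect_data"] = packet[cd_off:cd_off + cd_len].decode("ascii", "replace")
    elif ptype == TNS_ACCEPT:
        info["version"] = struct.unpack(">H", body[0:2])[0]
        info["sdu"] = struct.unpack(">H", body[4:6])[0]
    elif ptype == TNS_DATA:
        info["payload"] = body[2:]  # skip the 2-byte data flags
    return info

class Probe:
    """Passive observer keyed by (client, server); it never sends anything."""
    def __init__(self):
        self.table = {}

    def observe(self, src, dst, packet, now=0.0):
        key = (src, dst) if dst[1] == LISTENER_PORT else (dst, src)
        info = parse_tns(packet)
        conn = self.table.get(key)
        if info["type"] == TNS_CONNECT:   # a connect packet creates (or replaces) the row
            conn = Connection(key[0], key[1], now, info["version"], info["sdu"], info["connect_data"])
            m = re.search(r"\(SERVICE_NAME=([^)]+)\)", conn.connect_data, re.I)
            conn.service = m.group(1) if m else ""
            self.table[key] = conn
        elif conn is None:                 # mid-stream packet: the probe missed the handshake
            raise KeyError(f"no connection table for {key}")
        elif info["type"] == TNS_ACCEPT:   # the server's answer fixes the real version and SDU
            conn.accepted, conn.tns_version, conn.sdu_size = True, info["version"], info["sdu"]
        elif info["type"] == TNS_DATA:
            conn.payloads.append(info["payload"])
        return conn

# constructed packets for the demo, built to the same layout parse_tns assumes
def build_connect(version, sdu, connect_data):
    body = struct.pack(">HHHHHHHHHHIBBIIQ", version, 300, 0, sdu, 32767, 0x4F98,
                       0, 1, len(connect_data), 8 + 42, 2048, 0x41, 0x41, 0, 0, 0)
    hdr = struct.pack(">HHBBH", 8 + len(body) + len(connect_data), 0, TNS_CONNECT, 0, 0)
    return hdr + body + connect_data

def build_accept(version, sdu):
    body = struct.pack(">HHHHHHHBB", version, 0, sdu, 32767, 1, 0, 8 + 16, 0, 0)
    return struct.pack(">HHBBH", 8 + len(body), 0, TNS_ACCEPT, 0, 0) + body

def build_data(payload):
    body = b"\x00\x00" + payload
    return struct.pack(">HHBBH", 8 + len(body), 0, TNS_DATA, 0, 0) + body

def demo():
    """Connect, accept, then one DATA packet, as seen from the mirror port."""
    client, server = ("10.0.0.5", 40001), ("10.0.0.9", LISTENER_PORT)
    probe = Probe()
    probe.observe(client, server, build_connect(310, 2048,
                  b"(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=orcl)))"), now=1.0)
    probe.observe(server, client, build_accept(309, 2048), now=1.1)
    return probe.observe(client, server, build_data(b"opaque TTC bytes"), now=1.2)

if __name__ == "__main__":
    c = demo()
    print(c.service, c.tns_version, c.sdu_size, c.accepted, len(c.payloads))
```

Two caveats a deployment of this design runs into: a row can only be built if the probe saw the connect packet, so a monitor started mid-session (or one that drops packets on a saturated mirror port) has connections it can neither attribute nor audit; and if client and server negotiate Oracle native network encryption, the DATA payloads are opaque and nothing after the handshake can be reconstructed at all.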
After the SQL analysis, the database tables and the database operation type involved in the statement are obtained, and simple rule matching is carried out on them to judge whether the statement is of the immediate-block type or the ignore type. If it is of the block type it is blocked at once, and the blocking result is sent to the audit record database 6 for recording. Database operation messages of all other types are converted to the internal communication format of the system and sent to the analysis center 4.
The analysis center 4 unpacks the data sent by the probe device 3 and performs rule matching or contextual joint analysis according to its rule configuration. If the packet satisfies a rule set in the analysis center 4, the analysis center 4 sends the corresponding processing command to the probe device 3. If the response of the matched rule is "block", the analysis center 4 sends a block command to the probe device 3 and at the same time sends the processing and its result to the audit database 6 for recording; if the response is "alarm", an alarm is raised in the configured manner; if the response is "ignore", all packets of the connection are passed, and neither an audit record nor an alarm is produced. The console 5 obtains the latest data from the audit record database 6 and displays it. The console 5 can also query historical records and set the alarm type.
From the console 5, the user can see the NIC address, IP address and port information of the ORACLE database 2 and of the accessing party for the connection, as well as the name of the rule matched by the connection and the response measure of that rule. Other information, such as the time the database access connection was initiated, the login name of the database access user and the statement that matched the rule, is shown directly in the alarm message, and in the detailed content of the alarm message the user can also view the operations performed after the connection matched the rule.
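The policy half of the design, covering the rule objects and response modes listed in the summary above and the probe/analysis-center split of the embodiment, as an added example that is not code from the patent or its assignee. The five rule fields (login name, statement operation type, client IP, table, keyword) and the four responses (alarm, record, interrupt, ignore) are the ones the patent names; everything else is an assumption for this illustration: the regex statement classifier, the convention that the probe decides interrupt/ignore rules locally and forwards the rest, the audit record layout, and the concrete "contextual joint analysis" rule, which here ends a connection once one login has issued four destructive statements inside 60 seconds. The rule set and the statement stream are constructed sample data.

```python
"""Probe-side screening, analysis-center rule matching and contextual joint
analysis over the audit record store. Added example, not the patent's code;
the regex classifier, the probe/center split and the context rule (four
destructive statements by one login within 60 s ends the connection) are
assumptions made for this illustration."""
import ipaddress
import re
from collections import namedtuple
from dataclasses import dataclass

ALARM, RECORD, INTERRUPT, IGNORE = "alarm", "record", "interrupt", "ignore"
STMT_RE = re.compile(r"^\s*(SELECT|INSERT|UPDATE|DELETE|MERGE|DROP|ALTER|TRUNCATE|GRANT|REVOKE|CREATE)\b", re.I)
TABLE_RE = re.compile(r'\b(?:FROM|INTO|UPDATE|JOIN|TABLE)\s+("?[A-Za-z_][\w$#]*"?(?:\."?[A-Za-z_][\w$#]*"?)?)', re.I)
NOT_TABLES = {"SET", "WHERE", "VALUES", "SELECT", "NOWAIT", "OF"}   # words the regex may over-capture
DESTRUCTIVE = {"DELETE", "UPDATE", "DROP", "TRUNCATE", "ALTER"}     # counted by the context rule
# the fields the patent lists for the audit record database; rule_number is None when no rule hit
AuditRecord = namedtuple("AuditRecord", "time conn_id seq login client_ip server_ip "
                                        "stmt_type sql rule_number response alarm")

def classify(sql):
    """Operation type and the tables a statement names (regex sketch, not a SQL parser)."""
    m = STMT_RE.match(sql)
    tables = []
    for t in TABLE_RE.findall(sql):
        t = t.replace('"', "").upper()
        if t not in NOT_TABLES and t not in tables:
            tables.append(t)
    return (m.group(1).upper() if m else "OTHER"), tables

@dataclass
class ConnectionContext:
    """What the probe's connection table already knows when a statement arrives."""
    conn_id: int
    login: str
    client_ip: str
    server_ip: str
    seq: int = 0                  # connection sequence number, one per statement

@dataclass
class Rule:
    """One console rule; every field left at None is a wildcard."""
    number: int
    name: str
    response: str                 # ALARM, RECORD, INTERRUPT or IGNORE
    login: str = None
    stmt_type: str = None
    client_ip: str = None         # single address or CIDR block
    table: str = None             # NAME or SCHEMA.NAME
    keyword: str = None

    def matches(self, ctx, stmt_type, tables, sql):
        names = set(tables) | {t.split(".")[-1] for t in tables}
        return all((
            self.login is None or self.login.upper() == ctx.login.upper(),
            self.stmt_type is None or self.stmt_type.upper() == stmt_type,
            self.client_ip is None
            or ipaddress.ip_address(ctx.client_ip) in ipaddress.ip_network(self.client_ip, strict=False),
            self.table is None or self.table.upper() in names,
            self.keyword is None or re.search(r"\b%s\b" % re.escape(self.keyword), sql, re.I) is not None,
        ))

def record(audit, ctx, stmt_type, sql, rule_no, response, now):
    audit.append(AuditRecord(now, ctx.conn_id, ctx.seq, ctx.login, ctx.client_ip, ctx.server_ip,
                             stmt_type, sql, rule_no, response, response in (ALARM, INTERRUPT)))

class AnalysisCenter:
    def __init__(self, rules, audit, window=60.0, threshold=4):
        self.rules, self.audit, self.window, self.threshold = rules, audit, window, threshold

    def evaluate(self, ctx, stmt_type, tables, sql, now):
        hit = next((r for r in self.rules if r.response in (ALARM, RECORD)
                    and r.matches(ctx, stmt_type, tables, sql)), None)
        response, rule_no = (hit.response, hit.number) if hit else (RECORD, None)
        if stmt_type in DESTRUCTIVE:  # contextual joint analysis over this login's audit history
            earlier = [r for r in self.audit if r.login == ctx.login
                       and r.time >= now - self.window and r.stmt_type in DESTRUCTIVE]
            if len(earlier) + 1 >= self.threshold:
                response, rule_no = INTERRUPT, 0   # 0: assumed number for the context rule
        record(self.audit, ctx, stmt_type, sql, rule_no, response, now)
        return response

class Probe:
    def __init__(self, rules, center):
        self.rules, self.center = rules, center

    def handle(self, ctx, sql, now):
        """Simple matching in the probe; everything else is forwarded to the analysis center."""
        ctx.seq += 1
        stmt_type, tables = classify(sql)
        for r in self.rules:
            if r.response in (INTERRUPT, IGNORE) and r.matches(ctx, stmt_type, tables, sql):
                if r.response == INTERRUPT:        # block at once, then note the result
                    record(self.center.audit, ctx, stmt_type, sql, r.number, INTERRUPT, now)
                return r.response                  # IGNORE: pass through, no audit record
        return self.center.evaluate(ctx, stmt_type, tables, sql, now)

RULES = [  # constructed policy
    Rule(1, "no DROP from anyone", INTERRUPT, stmt_type="DROP"),
    Rule(2, "monitoring account reads are noise", IGNORE, login="MONITOR", stmt_type="SELECT"),
    Rule(3, "payroll read from office LAN", ALARM, table="PAYROLL", client_ip="10.0.0.0/24"),
]

def demo():
    """Constructed session: one user's statement stream plus a monitoring account."""
    audit = []
    probe = Probe(RULES, AnalysisCenter(RULES, audit))
    scott = ConnectionContext(7, "SCOTT", "10.0.0.5", "10.0.0.9")
    stream = ["SELECT ename FROM emp", "SELECT salary FROM hr.payroll WHERE id = 1",
              "DROP TABLE emp", "DELETE FROM emp WHERE empno = 1",
              "DELETE FROM emp WHERE empno = 2", "DELETE FROM emp WHERE empno = 3"]
    results = [probe.handle(scott, sql, float(t)) for t, sql in enumerate(stream, start=1)]
    mon = ConnectionContext(8, "MONITOR", "10.0.0.6", "10.0.0.9")
    results.append(probe.handle(mon, "SELECT 1 FROM dual", 7.0))
    return results, audit
```

Running `demo()` yields record, alarm, interrupt, record, record, interrupt, ignore: the DROP is stopped by the probe's own rule, the third DELETE by the analysis center's look-back over the audit store, and the monitoring account's read leaves no record. Note what "interrupt" can and cannot do in a bypass deployment: the probe only sees a packet after it has been sent, so a blocked statement may already have reached the server; the response ends the connection and contains what follows, it does not undo the statement that triggered it.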

Claims (8)

1. A bypass access control system based on SQL statements, characterized in that the bypass access control system comprises four modules: a probe/blocking device, an analysis center, an audit record database and a console; and the bypass access control system analyzes, organizes and classifies the SQL statements that access the database, so as to implement control, corresponding to the user's requirements, over each database access link, namely connecting to the database, logging on to the database and operating on the database.
2. The bypass access control system of claim 1, characterized in that the data transfer relationships among the four modules are: the probe/blocking device exchanges data with the analysis center, the analysis center exchanges data with the audit record database, the audit record database exchanges data with the console, and the console transmits data one-way to the probe/blocking device.
3. The bypass access control system of claim 1, characterized in that the probe/blocking device in the bypass access control system comprises an access control analyzer whose data processing is divided into four parts: TCP/IP protocol analysis, database-specific protocol analysis and reconstruction, simple preliminary access analysis, and internal communication.
4. The bypass access control system of claim 1, characterized in that the analysis center unpacks the packets in the specific format, judges the packet information according to the security configuration rules, performs contextual joint analysis where necessary using the historical information in the access record table of the audit record database, classifies the data as alarm or non-alarm, simultaneously sends an alarm or non-alarm command to the probe/blocking device, and stores the analysis record in the audit record database.
5. The bypass access control system of claim 1, characterized in that the audit record database is responsible for recording: the time at which the database access was initiated, the connection identification number of the access, the connection sequence number of the access, the database user login name, the NIC address, IP address and port number of the user and of the database, the statement type of the access, the access statement itself, and the number of the rule violated by the access.
6. The bypass access control system of claim 1, characterized in that the console sets rules for database access, the rules specifying different response modes, and views the data stored in the audit record database.
7. The bypass access control system of claim 6, characterized in that the rules can be set on the following objects: the database login user name, the operation type of the database access statement, the database client IP address, the data tables involved in the access, and keywords in the database access statement.
8. The bypass access control system of claim 6, characterized in that the different response modes comprise alarm, record, interrupt and ignore.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB011323388A CN1170229C (en) 2001-11-29 2001-11-29 Bypass access control system based on SQL statement

Publications (2)

Publication Number Publication Date
CN1352428A true CN1352428A (en) 2002-06-05
CN1170229C CN1170229C (en) 2004-10-06

Family ID: 4671370

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB011323388A Expired - Fee Related CN1170229C (en) 2001-11-29 2001-11-29 Bypass access control system based on SQL statement

Country Status (1)

Country Link
CN (1) CN1170229C (en)

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1329852C (en) * 2003-09-09 2007-08-01 华为技术有限公司 A method for implementing database access
CN100403308C (en) * 2005-10-31 2008-07-16 北京神舟航天软件技术有限公司 SQL load mining-based automatic design method for physical database
US7831621B1 (en) 2007-09-27 2010-11-09 Crossroads Systems, Inc. System and method for summarizing and reporting impact of database statements
CN101217537B (en) * 2007-12-28 2011-04-20 董韶瑜 A network attacking prevention method
CN101739422B (en) * 2008-11-05 2013-12-18 深圳迪贝守望信息技术有限公司 Method and system for controlling access to front-end database based on database protocol proxy
CN101930434A (en) * 2009-06-19 2010-12-29 深圳市守望网络技术有限公司 Cell security mode based database access security method and system
CN102801714B (en) * 2012-07-26 2015-03-11 杭州电子科技大学 Method for analyzing and reducing SQL (Structured Query Language) command in TNS (Transparent Network Substrate) protocol in by-pass manner
CN102801714A (en) * 2012-07-26 2012-11-28 杭州电子科技大学 Method for analyzing and reducing SQL (Structured Query Language) command in TNS (Transparent Network Substrate) protocol in by-pass manner
CN103269343A (en) * 2013-05-21 2013-08-28 福建畅云安鼎信息科技有限公司 Business data safety control platform
CN103269343B (en) * 2013-05-21 2017-08-25 福建畅云安鼎信息科技有限公司 Business data safety control platform
CN105635046A (en) * 2014-10-28 2016-06-01 北京启明星辰信息安全技术有限公司 Database command line filtering and audit blocking method and device
CN105635046B (en) * 2014-10-28 2019-05-17 北京启明星辰信息安全技术有限公司 Database command line filtering and audit blocking method and device
CN113377615A (en) * 2021-06-08 2021-09-10 上海天旦网络科技发展有限公司 Bypass database monitoring method and system

Also Published As

Publication number Publication date
CN1170229C (en) 2004-10-06

Legal Events

Code Description
C10 / SE01 Entry into substantive examination (entry into force of request for substantive examination)
C06 / PB01 Publication
C14 / GR01 Grant of patent or utility model (patent grant)
C17 / CF01 Cessation of patent right (termination of patent right due to non-payment of annual fee)

Granted publication date: 2004-10-06
Termination date: 2013-11-29