CN114024764A - Monitoring method, monitoring system, equipment and storage medium for abnormal access of database - Google Patents
- Publication number
- CN114024764A (application number CN202111338398.6A)
- Authority
- CN
- China
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/101—Access control lists [ACL]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
Abstract
The application provides a monitoring method for abnormal access to a database, which can be applied to the technical field of information security. The monitoring method comprises the following steps: acquiring user login information of a database; screening abnormal access information from the user login information; collecting and analyzing network traffic data of the database based on the abnormal access information; and summarizing the abnormal access information and the network traffic data and outputting them in the form of alarm information. By capturing user login information, the method ensures that all users accessing the database are brought into the monitoring range; by then specifically analyzing the abnormal access information, it learns the purpose and access content of abnormal users accessing the database, thereby ensuring the safety of customer information and business data and reducing the leakage risk. The application also provides a monitoring system, equipment, a storage medium and a program product for abnormal access to a database.
Description
Technical Field
The present application relates to the field of information security technologies, and in particular, to a method, a system, a device, a storage medium, and a program product for monitoring abnormal access to a database.
Background
The databases of financial enterprises store a large amount of customer information and business data. Enterprises usually deploy a database abnormal-access monitoring model to discover data leakage risks in time, and user-based monitoring is one such model. Existing user-based measures for monitoring abnormal database access cannot comprehensively capture the abnormal operations of all users, so a risk of data leakage remains.
Disclosure of Invention
The present application is directed to solving at least one of the problems in the prior art.
For example, the monitoring method for abnormal access to a database according to the present application acquires the data information of all users who access the database by monitoring the database's local log and traffic log, which improves the comprehensiveness of database security monitoring and reduces the risk of information leakage.
In order to solve the above problem, a first aspect of the present application provides a method for monitoring abnormal access to a database, including the steps of:
acquiring user login information of a database;
screening abnormal access information from the user login information;
collecting and analyzing network traffic data of the database based on the abnormal access information;
and summarizing the abnormal access information and the network traffic data, and outputting them in the form of alarm information.
By capturing user login information, the monitoring method ensures that all users accessing the database are brought into the monitoring range; by then specifically analyzing the abnormal access information, it learns the purpose and access content of abnormal users accessing the database, thereby ensuring the safety of customer information and business data and reducing the leakage risk.
Further, obtaining user login information of the database includes:
setting an information acquisition rule;
and regularly acquiring user login information of the database according to the information acquisition rule.
Further, the information acquisition rule at least comprises: a collection path, a collection password, a collection frequency and a log analysis rule.
Further, screening abnormal access information in the user login information, including:
setting parameters of a monitoring model;
and screening the user login information according to the monitoring model parameters to obtain abnormal access information.
Further, the monitoring model parameters include a continuous login error frequency.
Further, screening the user login information according to the monitoring model parameters to obtain abnormal access information, including:
and when the continuous login error frequency of the user login information is greater than a first threshold value, determining that the user login information is abnormal access information.
Further, the monitoring model parameters further include at least one of a white list and a black list.
Further, screening the user login information according to the monitoring model parameters to obtain abnormal access information, including:
when the user login information does not hit a white list, determining that the user login information is abnormal access information; or
when the user login information hits a blacklist, determining that the user login information is abnormal access information.
Further, collecting and analyzing the network traffic data of the database based on the abnormal access information, including:
setting network traffic analysis parameters;
collecting network traffic data of the database based on the abnormal access information;
and analyzing the network traffic data of the database according to the network traffic analysis parameters to obtain access behaviors.
Further, the network traffic analysis parameters include: a data parsing time period and/or a data parsing number.
Further, the alarm information at least includes: user ID, access time, access location, and access content.
A second aspect of the present application provides a system for monitoring abnormal access, including: an obtaining module for obtaining user login information of the database; a screening module for screening abnormal access information from the user login information; an acquisition module configured to collect and analyze network traffic data of the database based on the abnormal access information; and an alarm module configured to summarize the abnormal access information and the network traffic data and output them in the form of alarm information.
A third aspect of the present application provides an electronic device comprising: one or more processors; a memory for storing one or more programs, wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the monitoring method described above.
The fourth aspect of the present application also provides a computer-readable storage medium having stored thereon executable instructions, which when executed by a processor, cause the processor to perform the monitoring method described above.
The fifth aspect of the present application also provides a computer program product comprising a computer program which, when executed by a processor, implements the monitoring method described above.
Drawings
The foregoing and other objects, features and advantages of the application will be apparent from the following description of embodiments of the application with reference to the accompanying drawings in which:
FIG. 1 schematically illustrates an application scenario diagram of a method, system, device, medium, and program product for monitoring of database abnormal access according to an embodiment of the present application;
FIG. 2 schematically illustrates a flow chart of an abnormal access monitoring method according to an embodiment of the present application;
FIG. 3 schematically shows a diagram of steps for obtaining all information according to an embodiment of the application;
FIG. 4 is a diagram schematically illustrating the steps of screening anomaly information according to an embodiment of the present application;
FIG. 5 schematically illustrates a diagram of steps for analyzing behavior based on anomaly information, according to an embodiment of the present application;
FIG. 6 is a block diagram schematically illustrating an abnormal access monitoring system according to an embodiment of the present application; and
FIG. 7 schematically shows a block diagram of an electronic device adapted to implement the database abnormal access monitoring method according to an embodiment of the present application.
Detailed Description
Hereinafter, embodiments of the present application will be described with reference to the accompanying drawings. It is to be understood that such description is merely illustrative and not intended to limit the scope of the present application. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the application. It may be evident, however, that one or more embodiments may be practiced without these specific details. Moreover, in the following description, descriptions of well-known structures and techniques are omitted so as to not unnecessarily obscure the concepts of the present application.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. The terms "comprises," "comprising," and the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It is noted that the terms used herein should be interpreted as having a meaning that is consistent with the context of this specification and should not be interpreted in an idealized or overly formal sense.
Where a convention analogous to "at least one of A, B and C, etc." is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B and C" would include but not be limited to systems that have A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B, C together, etc.).
The databases of financial enterprises store a large amount of customer information and business data. In the face of hacker attacks and illegal disclosure by internal personnel, both more frequent in recent years, enterprises usually deploy an internal database abnormal-access monitoring model to discover data leakage risks in time, and user-based monitoring is one such model.
Most database audit products on the market obtain operation logs by parsing the database communication protocol. Because of the resource consumption at the acquisition end and the network bandwidth consumption, they generally perform preliminary filtering by IP (Internet Protocol) address and then analyze only the filtered traffic. Not all traffic can be analyzed comprehensively, so the abnormal conditions of all users cannot be found.
In view of the problem that prior-art measures for monitoring abnormal database access cannot capture the operations of all abnormal users, the monitoring method of the present application acquires the data information of all users accessing the database by monitoring the database's local logs and traffic logs, which improves the comprehensiveness of database security monitoring and reduces the risk of information leakage.
Fig. 1 schematically shows an application scenario of a user using a database according to an embodiment of the present application.
As shown in FIG. 1, an application scenario 100 according to this embodiment may include a user logging in and viewing the contents of a database. The network 104 serves as a medium for providing communication links between the terminal devices 101, 102, 103 and the server 105. Network 104 may include various connection types, such as wired, wireless communication links, or fiber optic cables, among others.
The user may use the terminal devices 101, 102, 103 to interact with the server 105 via the network 104 to receive or send messages or the like. The terminal devices 101, 102, 103 may have various communication client applications installed thereon, such as shopping applications, web browser applications, search applications, instant messaging tools, mailbox clients, and social platform software.
The terminal devices 101, 102, 103 may be various electronic devices having display screens and supporting web browsing, including but not limited to smart phones, tablets, laptop portable computers, and desktop computers.
The server 105 may be a server that provides various services, such as a background management server that provides support for websites browsed by users using the terminal devices 101, 102, 103. The background management server can analyze and process the received data such as the user request and feed back the processing result to the terminal equipment.
It should be noted that the monitoring method provided in the embodiment of the present application may be generally executed by the server 105. Accordingly, the monitoring system provided in the embodiment of the present application may be generally disposed in the server 105. The monitoring method provided in the embodiments of the present application may also be performed by a server or a server cluster that is different from the server 105 and is capable of communicating with the terminal devices 101, 102, 103 and/or the server 105. Accordingly, the monitoring system provided in the embodiment of the present application may also be disposed in a server or a server cluster different from the server 105 and capable of communicating with the terminal devices 101, 102, 103 and/or the server 105.
It should be understood that the number of terminal devices, networks, and servers in fig. 1 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
The following describes in detail the monitoring method for abnormal access to a database of the embodiments of the present application, with reference to fig. 2 to 5 and based on the scenario described in fig. 1.
Fig. 2 schematically shows a flow chart of a monitoring method according to an embodiment of the application.
It should be noted that there are many types of databases, such as: the method for monitoring the database can be applied to all types of databases.
As shown in fig. 2, the embodiment includes steps S210 to S240, and the method may be performed by the monitoring system of fig. 6. The method comprises the following steps:
In step S210, user login information of the database is acquired.
Login information of all users accessing the relevant database is acquired from the local log of the database, ensuring that all users accessing the database are included in the monitoring range.
Different types of databases have different record formats, so that for different types of databases, corresponding acquisition rules of the databases need to be adopted. Before the user login information of the databases is acquired in step S210, the manager may set an information acquisition rule corresponding to the relevant database for each database through the user interaction module, and periodically capture the user login information within a specific time period by using the corresponding acquisition rule, so as to monitor the databases in real time. The specific steps are shown in fig. 3.
In step S211, an information collection rule is set.
In this step, the user accesses the user interaction module through a web page; the user interaction module is where the rules and parameters of the monitoring method of the application are set. The user finds the obtaining module in the user interaction module, modifies or adds an information acquisition rule, and saves it. The information acquisition rules include at least a collection path, a collection password, a collection frequency and a log analysis rule.
The collection path, the collection password and the log analysis rule must all be set before the user login information of the database is obtained.
In one embodiment, the local log is found through the set acquisition path in the database, then the local log is decrypted and analyzed through the acquisition password and the log analysis rule, and login information of all users accessing the relevant database is acquired from the analyzed local log.
Of course, the collection frequency may be set in advance to periodically acquire and process the user login information of the database.
In step S212, user login information of the database is periodically acquired according to the information acquisition rule.
According to the information acquisition rule that has been set, the user login information in the local log of the database is acquired periodically, and all of it is provided to the screening module.
In step S220, the abnormal access information in the user login information is screened.
All user login information for the relevant database is received from the obtaining module, and abnormal access information is screened out of it. For example, all login failure information can be screened out of the user login information and treated as abnormal access information.
In actual operation, however, some login failures are caused by user error. If all login failure information were included as abnormal access information, a huge amount of data would remain and subsequent analysis would be difficult. The screening strength therefore needs to be reduced by setting monitoring model parameters.
This can be addressed by using the user's continuous login error frequency.
In one embodiment, all user login information is screened against a preset continuous login error frequency, as shown in fig. 4.
In step S221, monitoring model parameters are set.
Not all login failure information needs to be listed as abnormal access information. Monitoring model parameters can be set, including the continuous login error frequency: a first threshold for the continuous login error frequency is set, and the screening strength is relaxed by increasing the first threshold. The first threshold is a positive integer.
In this step, the user accesses the user interaction module through a web page, where all the rules and parameters of the monitoring method of the application can be set. The user finds the screening module, modifies or adds monitoring model parameters, and saves them.
In step S222, the user login information is screened according to the monitoring model parameters, and the abnormal access information is obtained.
All user login information provided by the obtaining module is received, and the monitoring model parameters that have been set are used to judge whether any user login is abnormal. If so, the abnormal access information is provided to the acquisition module.
It can be understood that, in the screening process, when the continuous login error frequency of the user login information is greater than the first threshold, the user login information is determined to be abnormal access information and is provided to the acquisition module.
In another embodiment, the problem can also be solved by setting a white list for the database: all user login information accessing the relevant database is screened against a preset white list of the database.
A white list of the database is set first. It can be a white list of user IDs allowed to access the relevant database, a white list of access times during which access to the relevant database is allowed, or a white list of other information obtained from the user login information that can be used for screening.
It should be noted that both the user ID and the access time can be obtained from the user login information.
When the user login information of a user accessing the relevant database does not hit the white list of that database, the user login information is determined to be abnormal access information.
The user login information accessing the relevant database is looked up in the white list of the database: login information listed in the white list is safe access information, and login information not listed in the white list is abnormal access information.
For example, when the user ID in the user login information does not appear in the user ID white list of the database, the user login information is treated as abnormal access information and provided to the acquisition module, and the remaining information is filtered out as normal access information.
For another example, when the access time recorded in the user login information does not appear in the access time white list of the database, that is, the user ID is not allowed to access the database in that time period, the user login information is treated as abnormal access information and provided to the acquisition module, and the remaining information is filtered out as normal access information.
In yet another embodiment, the problem can be solved by setting a blacklist for the database: all user login information accessing the relevant database is screened against a preset blacklist.
A blacklist of the database is set first. It can be a blacklist of user IDs forbidden to access the relevant database, a blacklist of access times during which access to the relevant database is forbidden, or a blacklist of other information obtained from the user login information that can be used for screening.
When the user login information of a user accessing the relevant database hits the blacklist of that database, the user login information is determined to be abnormal access information.
All user login information accessing the relevant database is looked up in the blacklist of the database: login information listed in the blacklist is abnormal access information, and login information not listed in the blacklist is safe access information.
For example, when the user ID in the user login information appears in the user ID blacklist of the database, the user login information is treated as abnormal access information and provided to the acquisition module, and the remaining information is filtered out as normal access information.
For another example, when the access time recorded in the user login information appears in the access time blacklist of the database, that is, the user ID is forbidden to access the database in that time period, the user login information is treated as abnormal access information and provided to the acquisition module, and the remaining information is filtered out as normal access information.
In step S230, network traffic data of the database is collected and analyzed based on the abnormal access information.
The local log of the database is generated from information such as database accounts and operations. In actual operation, each data packet must be parsed down to the application-layer data, which requires the acquisition end to invest a large amount of resources such as central processing unit (CPU), memory and storage, and this can affect the stability of the database's operation. To keep the database running stably, often only some of the audit options are enabled after weighing the performance of the database system, so not all operations of a user in the database can be recorded.
In step S230, the abnormal access information is further tracked and analyzed, and other information associated with it is supplemented, in order to analyze the access location and access purpose of the user associated with the abnormal access information.
Fig. 5 is a step diagram for analyzing, from the abnormal access information, the access location and access purpose of the user associated with it.
In step S231, a network traffic analysis parameter is set.
In this step, the user accesses the user interaction module through a web page, where all the rules and parameters of the monitoring method of the application can be set. The user finds the acquisition module in the user interaction module, modifies or adds network traffic analysis parameters, and saves them.
The network traffic analysis parameters comprise a data parsing time period and/or a data parsing number.
Analyzing network traffic data essentially means parsing network traffic data packets. A segment of network traffic contains multiple data packets; one can choose to parse the packets within a certain time period, to parse some of the packets, or to parse some of the packets within a certain time period.
For example, the network traffic packets within 1 minute may be parsed, or 5 network traffic packets may be parsed, or the first 5 network traffic packets within 1 minute may be parsed.
In step S232, network traffic data of the database is collected based on the abnormal access information.
The network traffic data of the accessed database is further tracked based on the screened abnormal access information, so as to obtain the detailed operations of the user accessing the database and the specific location information of the accessed database.
In step S233, the network traffic data of the database is analyzed according to the network traffic analysis parameters, so as to obtain an access behavior.
Analyzing the network traffic data of the database according to the network traffic analysis parameters yields the detailed operations of the user accessing the database and the specific location information of the database, from which the user's access purpose can be obtained and the data content that may have been leaked can be inferred.
In step S240, the abnormal access information and the network traffic data are summarized and output in the form of alarm information, where the alarm information at least includes: user ID, access time, access location, and access content.
The operation information of the abnormal user in the relevant database is summarized and output as alarm information through the alarm module. The alarm information can include the user ID of the user, the database accessed by the user, the specific time of access, the operations performed on the database, the relevant content viewed, and so on. Because the alarm information consolidates the user's operations in the accessed database, the content at risk of leakage can be predicted, protective measures and remedial plans can be made in time, and the various losses caused by leakage of trade secrets or personal information can be reduced.
By capturing user login information, the monitoring method ensures that all users accessing the database are brought into the monitoring range; by then specifically analyzing the abnormal access information, it learns the purpose and access content of abnormal users accessing the database, thereby ensuring the safety of customer information and business data and reducing the leakage risk.
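Steps S220 to S240 as described above, sketched as an added example that is not code from the patent. It goes slightly beyond any single embodiment by applying the continuous-login-error threshold and the user-ID white list and blacklist in one pass; the record layouts, the matching of traffic to a flagged login by client address and time, and all sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Login:                      # one parsed entry of the database's local login log
    ts: datetime
    user: str
    src: str                      # client address (assumed key for matching traffic)
    ok: bool


@dataclass(frozen=True)
class Packet:                     # one already-decoded database traffic packet
    ts: datetime
    src: str
    target: str                   # object touched, reported as access location
    statement: str                # operation, reported as access content


@dataclass
class ModelParams:                # S221: monitoring model parameters
    first_threshold: int = 3      # abnormal when consecutive failures > this
    whitelist: Optional[frozenset] = None   # allowed user IDs; None = unused
    blacklist: frozenset = frozenset()      # forbidden user IDs


@dataclass
class TrafficParams:              # S231: network traffic analysis parameters
    period: Optional[timedelta] = timedelta(minutes=1)
    max_packets: Optional[int] = 5


def screen(logins, p):
    """S222: return (login, reason) pairs treated as abnormal access."""
    streak, abnormal = {}, []
    for e in sorted(logins, key=lambda e: e.ts):
        if e.user in p.blacklist:
            abnormal.append((e, "blacklist hit"))
        elif p.whitelist is not None and e.user not in p.whitelist:
            abnormal.append((e, "whitelist miss"))
        elif e.ok:
            streak[e.user] = 0    # a success ends the run, so typos do not add up
        else:
            streak[e.user] = streak.get(e.user, 0) + 1
            # Report once, at the failure that first exceeds the threshold.
            if streak[e.user] == p.first_threshold + 1:
                abnormal.append((e, "consecutive login errors"))
    return abnormal


def collect(packets, login, t):
    """S232/S233: packets of the flagged client, bounded by period and/or count."""
    hits = [k for k in sorted(packets, key=lambda k: k.ts)
            if k.src == login.src and k.ts >= login.ts
            and (t.period is None or k.ts <= login.ts + t.period)]
    return hits if t.max_packets is None else hits[:t.max_packets]


def alerts(logins, packets, p, t):
    """S240: one alarm record per abnormal login, with the fields the text lists."""
    out = []
    for login, reason in screen(logins, p):
        pk = collect(packets, login, t)
        out.append({
            "user_id": login.user,
            "access_time": login.ts.isoformat(),
            "reason": reason,
            "access_location": sorted({k.target for k in pk}),
            "access_content": [k.statement for k in pk],
        })
    return out


# Constructed sample data (not from the patent); addresses are documentation ranges.
T0 = datetime(2021, 11, 12, 2, 0, 0)


def at(seconds):
    return T0 + timedelta(seconds=seconds)


LOGINS = [
    Login(at(0), "alice", "192.0.2.5", False),    # two typos, then success
    Login(at(10), "alice", "192.0.2.5", False),
    Login(at(20), "alice", "192.0.2.5", True),
    Login(at(0), "bob", "192.0.2.7", False),      # four failures in a row
    Login(at(5), "bob", "192.0.2.7", False),
    Login(at(10), "bob", "192.0.2.7", False),
    Login(at(15), "bob", "192.0.2.7", False),
    Login(at(18), "bob", "192.0.2.7", True),
    Login(at(30), "mallory", "192.0.2.9", True),  # on the blacklist
    Login(at(45), "carol", "192.0.2.11", True),   # not on the white list
]
PACKETS = [
    Packet(at(20), "192.0.2.7", "crm.customers", "SELECT name, id_no FROM customers"),
    Packet(at(30), "192.0.2.7", "crm.accounts", "SELECT * FROM accounts"),
    Packet(at(50), "192.0.2.7", "crm.customers", "SELECT phone FROM customers"),
    Packet(at(90), "192.0.2.7", "crm.accounts", "SELECT balance FROM accounts"),
    Packet(at(40), "192.0.2.9", "crm.customers", "SELECT * FROM customers"),
]
MODEL = ModelParams(3, frozenset({"alice", "bob"}), frozenset({"mallory"}))
TRAFFIC = TrafficParams(period=timedelta(minutes=1), max_packets=2)

if __name__ == "__main__":
    for a in alerts(LOGINS, PACKETS, MODEL, TRAFFIC):
        print(a)
```

Raising `first_threshold` to 4 leaves bob's four failures unflagged, which is the relaxation of screening strength the text attributes to increasing the first threshold.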
Based on the monitoring method, the application also provides a monitoring system for abnormal access. This system will be described in detail below in conjunction with fig. 6.
Fig. 6 schematically shows a block diagram of a monitoring system according to an embodiment of the present application.
As shown in fig. 6, the monitoring system 300 of this embodiment includes an obtaining module 310, a screening module 320, an acquisition module 330, and an alarm module 340.
The obtaining module 310 is used for obtaining user login information of the database. In an embodiment, the obtaining module 310 may be configured to perform the operation S210 described above, which is not described herein again.
The screening module 320 is used for screening abnormal access information in the user login information. In an embodiment, the screening module 320 may be configured to perform the operation S220 described above, which is not described herein again.
The acquisition module 330 is configured to collect and analyze the network traffic data of the database based on the abnormal access information. In an embodiment, the acquisition module 330 may be configured to perform the operation S230 described above, which is not described herein again.
The alarm module 340 is configured to summarize the abnormal access information and the network traffic data and output them in the form of alarm information. In one embodiment, the alarm module 340 may be configured to perform the operation S240 described above, which is not described herein again.
This monitoring system for abnormal access can implement the monitoring method for abnormal database access described above: capturing user login information ensures that every user who accesses the database is brought within the monitoring scope, and analyzing the abnormal access information in detail reveals the purpose of the abnormal users' access and the content they accessed, which safeguards client information and business data and reduces the risk of leakage.
According to the embodiment of the present application, any two or more of the obtaining module 310, the screening module 320, the acquisition module 330, and the alarm module 340 may be combined and implemented as one module, or any one of them may be split into multiple modules. Alternatively, at least part of the functionality of one or more of these modules may be combined with at least part of the functionality of the other modules and implemented in one module. According to an embodiment of the present application, at least one of the obtaining module 310, the screening module 320, the acquisition module 330 and the alarm module 340 may be implemented at least partially as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, or an Application Specific Integrated Circuit (ASIC); or may be implemented in hardware or firmware by any other reasonable manner of integrating or packaging a circuit; or may be implemented in any one of software, hardware and firmware, or in a suitable combination of any of the three. Alternatively, at least one of the obtaining module 310, the screening module 320, the acquisition module 330 and the alarm module 340 may be at least partially implemented as a computer program module which, when executed, performs a corresponding function.
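The four modules and steps S210 to S240 can be followed end to end in the sketch below. It is an added example, not code from the application. The record field names, the per-user allowlist used as the screening rule, the attribution of traffic to a login by source IP and a 30-minute window, and the mapping of "access location" to the database name are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample records; every field name here is an assumption of this example.
LOGINS = [
    {"user_id": "u1001", "time": "2021-11-12T09:02:11", "src_ip": "10.0.4.17", "database": "crm"},
    {"user_id": "u2040", "time": "2021-11-12T02:47:50", "src_ip": "10.0.9.88", "database": "crm"},
    {"user_id": "u1001", "time": "2021-11-12T10:15:00", "src_ip": "10.0.4.17", "database": "billing"},
    {"user_id": "u3300", "time": "2021-11-12T11:00:00", "src_ip": "10.0.7.5", "database": "hr"},
    {"user_id": "u3300", "time": "2021-11-12T11:05:00", "src_ip": "10.0.7.5", "database": "billing"},
]
TRAFFIC = [
    {"time": "2021-11-12T02:48:05", "src_ip": "10.0.9.88", "database": "crm",
     "operation": "SELECT", "object": "customers", "rows": 5200},
    {"time": "2021-11-12T02:49:30", "src_ip": "10.0.9.88", "database": "crm",
     "operation": "SELECT", "object": "contracts", "rows": 310},
    {"time": "2021-11-12T04:00:00", "src_ip": "10.0.9.88", "database": "crm",
     "operation": "DELETE", "object": "audit", "rows": 3},  # falls outside the window
    {"time": "2021-11-12T09:03:00", "src_ip": "10.0.4.17", "database": "crm",
     "operation": "UPDATE", "object": "customers", "rows": 1},
    {"time": "2021-11-12T10:16:12", "src_ip": "10.0.4.17", "database": "billing",
     "operation": "SELECT", "object": "invoices", "rows": 940},
]
# Assumed screening policy: user ID -> databases that user may access.
AUTHORIZED = {"u1001": {"crm"}, "u3300": {"hr"}}
WINDOW = timedelta(minutes=30)  # assumed correlation window after a login

def obtain_logins(records):
    """S210 / obtaining module 310: keep only complete login records."""
    required = {"user_id", "time", "src_ip", "database"}
    return [r for r in records if required.issubset(r)]

def screen_abnormal(logins, authorized):
    """S220 / screening module 320: logins to a database outside the user's allowlist.
    Users absent from the policy have an empty allowlist, so all their logins are flagged."""
    return [l for l in logins if l["database"] not in authorized.get(l["user_id"], set())]

def collect_traffic(login, traffic, window=WINDOW):
    """S230 / acquisition module 330: traffic from the login's source IP to the same
    database, from the login time until the end of the window."""
    start = datetime.fromisoformat(login["time"])
    return [t for t in traffic
            if t["src_ip"] == login["src_ip"] and t["database"] == login["database"]
            and start <= datetime.fromisoformat(t["time"]) <= start + window]

def build_alarms(logins, traffic, authorized):
    """S240 / alarm module 340: one alarm per abnormal login carrying user ID,
    access time, access location and access content."""
    alarms = []
    for login in screen_abnormal(obtain_logins(logins), authorized):
        flows = collect_traffic(login, traffic)
        alarms.append({
            "user_id": login["user_id"],
            "access_time": login["time"],
            "access_location": login["database"],
            # An abnormal login with no matching traffic still raises an alarm.
            "access_content": [f'{t["operation"]} {t["object"]} ({t["rows"]} rows)'
                               for t in flows],
        })
    return alarms

if __name__ == "__main__":
    for alarm in build_alarms(LOGINS, TRAFFIC, AUTHORIZED):
        print(alarm)
```
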
Fig. 7 schematically shows a block diagram of an electronic device adapted to implement the monitoring method according to an embodiment of the application.
As shown in fig. 7, an electronic device 400 according to an embodiment of the present application includes a processor 401 that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 402 or a program loaded from a storage section 408 into a Random Access Memory (RAM) 403. Processor 401 may include, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or associated chipset, and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), among others. The processor 401 may also include onboard memory for caching purposes. Processor 401 may include a single processing unit or multiple processing units for performing the various actions of the method flows in accordance with embodiments of the present application.
In the RAM 403, various programs and data necessary for the operation of the electronic apparatus 400 are stored. The processor 401, ROM 402 and RAM 403 are connected to each other by a bus 404. The processor 401 executes various operations of the method flows according to the embodiments of the present application by executing programs in the ROM 402 and/or the RAM 403. Note that the programs may also be stored in one or more memories other than the ROM 402 and RAM 403. The processor 401 may also perform various operations of the method flows according to embodiments of the present application by executing programs stored in the one or more memories.
According to an embodiment of the application, the electronic device 400 may further comprise an input/output (I/O) interface 405, which is also connected to the bus 404. Electronic device 400 may also include one or more of the following components connected to I/O interface 405: an input section 406 including a keyboard, a mouse, and the like; an output section 407 including a display device such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, and a speaker; a storage section 408 including a hard disk and the like; and a communication section 409 including a network interface card such as a LAN card, a modem, or the like. The communication section 409 performs communication processing via a network such as the internet. A drive 410 is also connected to the I/O interface 405 as needed. A removable medium 411 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 410 as necessary, so that a computer program read out therefrom is installed into the storage section 408 as necessary.
The present application also provides a computer-readable storage medium, which may be embodied in the apparatus/device/system described in the above embodiments; or may exist separately and not be assembled into the device/apparatus/system. The computer-readable storage medium carries one or more programs which, when executed, implement the method according to an embodiment of the present application.
According to embodiments of the present application, the computer-readable storage medium may be a non-volatile computer-readable storage medium, which may include, for example but is not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present application, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. For example, according to embodiments of the present application, a computer-readable storage medium may include ROM 402 and/or RAM 403 and/or one or more memories other than ROM 402 and RAM 403 described above.
Embodiments of the present application also include a computer program product comprising a computer program containing program code for performing the method illustrated in the flow chart. When the computer program product runs in a computer system, the program code is used for causing the computer system to realize the item recommendation method provided in the embodiment of the present application.
The computer program, when executed by the processor 401, performs the above-described functions defined in the system/apparatus of embodiments of the present application. According to embodiments of the present application, the above-described systems, apparatuses, modules, units, etc. may be implemented by computer program modules.
In one embodiment, the computer program may be hosted on a tangible storage medium such as an optical storage device, a magnetic storage device, or the like. In another embodiment, the computer program may also be transmitted, distributed in the form of a signal on a network medium, downloaded and installed through the communication section 409, and/or installed from the removable medium 411. The computer program containing program code may be transmitted using any suitable network medium, including but not limited to: wireless, wired, etc., or any suitable combination of the foregoing.
In such an embodiment, the computer program may be downloaded and installed from a network through the communication section 409, and/or installed from the removable medium 411. The computer program, when executed by the processor 401, performs the above-described functions defined in the system of the embodiment of the present application. According to embodiments of the present application, the above-described systems, devices, apparatuses, modules, units, etc. may be implemented by computer program modules.
According to embodiments of the present application, program code for executing computer programs provided in embodiments of the present application may be written in any combination of one or more programming languages, and in particular, these computer programs may be implemented using high level procedural and/or object oriented programming languages, and/or assembly/machine languages. The programming language includes, but is not limited to, programming languages such as Java, C++, Python, the "C" language, or the like. The program code may execute entirely on the user computing device, partly on the user device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., through the internet using an internet service provider).
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
It will be appreciated by a person skilled in the art that various combinations and/or associations of the features described in the various embodiments and/or claims of the present application are possible, even if such combinations or associations are not explicitly described in the present application. In particular, various combinations and/or associations of the features recited in the various embodiments and/or claims of the present application may be made without departing from the spirit and teachings of the present application. All such combinations and/or associations are intended to fall within the scope of this application.
In the description herein, reference to the description of the term "one embodiment," "some embodiments," "an example," "a specific example," or "some examples," etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the application. In this specification, the schematic representations of the terms used above do not necessarily refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
The embodiments of the present application are described above. However, these examples are for illustrative purposes only and are not intended to limit the scope of the present application. Although the embodiments are described separately above, this does not mean that the measures in the embodiments cannot be used in advantageous combination. The scope of the application is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be devised by those skilled in the art without departing from the scope of the present application, and such alternatives and modifications are intended to be within the scope of the present application.
Claims (15)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111338398.6A CN114024764A (en) | 2021-11-12 | 2021-11-12 | Monitoring method, monitoring system, equipment and storage medium for abnormal access of database |
Publications (1)
Publication Number | Publication Date |
---|---|
CN114024764A (en) | 2022-02-08 |
Family
ID=80063756
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202111338398.6A Pending CN114024764A (en) | 2021-11-12 | 2021-11-12 | Monitoring method, monitoring system, equipment and storage medium for abnormal access of database |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114024764A (en) |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114791823A (en) * | 2022-05-10 | 2022-07-26 | 广州慧思软件科技有限公司 | Software engineering database maintenance and early warning method and system based on artificial intelligence |
CN114840876A (en) * | 2022-04-20 | 2022-08-02 | 北京奇艺世纪科技有限公司 | Database security access control method, device and system and terminal equipment |
CN115879102A (en) * | 2022-12-02 | 2023-03-31 | 首约科技(北京)有限公司 | Database auditing method and device and electronic equipment |
CN116112292A (en) * | 2023-04-12 | 2023-05-12 | 湖南丛茂科技有限公司 | Abnormal behavior detection method, system and medium based on network flow big data |
CN117424759A (en) * | 2023-12-18 | 2024-01-19 | 南京思宇电气技术有限公司 | Holographic monitoring gateway applied to power distribution room and monitoring system thereof |
CN118886001A (en) * | 2024-07-09 | 2024-11-01 | 易方达基金管理有限公司 | A method, device, terminal device and storage medium for identifying abnormal access to a database |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104239197A (en) * | 2014-10-10 | 2014-12-24 | 浪潮电子信息产业股份有限公司 | Method for discovering abnormal behaviors of management user based on big data log analysis |
CN111159706A (en) * | 2019-12-26 | 2020-05-15 | 深信服科技股份有限公司 | Database security detection method, device, equipment and storage medium |
CN113132311A (en) * | 2019-12-31 | 2021-07-16 | 中国移动通信集团陕西有限公司 | Abnormal access detection method, device and equipment |
2021-11-12 CN CN202111338398.6A patent/CN114024764A/en active Pending
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114840876A (en) * | 2022-04-20 | 2022-08-02 | 北京奇艺世纪科技有限公司 | Database security access control method, device and system and terminal equipment |
CN114791823A (en) * | 2022-05-10 | 2022-07-26 | 广州慧思软件科技有限公司 | Software engineering database maintenance and early warning method and system based on artificial intelligence |
CN115879102A (en) * | 2022-12-02 | 2023-03-31 | 首约科技(北京)有限公司 | Database auditing method and device and electronic equipment |
CN116112292A (en) * | 2023-04-12 | 2023-05-12 | 湖南丛茂科技有限公司 | Abnormal behavior detection method, system and medium based on network flow big data |
CN116112292B (en) * | 2023-04-12 | 2023-06-09 | 湖南丛茂科技有限公司 | Abnormal behavior detection method, system and medium based on network flow big data |
CN117424759A (en) * | 2023-12-18 | 2024-01-19 | 南京思宇电气技术有限公司 | Holographic monitoring gateway applied to power distribution room and monitoring system thereof |
CN117424759B (en) * | 2023-12-18 | 2024-03-22 | 南京思宇电气技术有限公司 | Holographic monitoring gateway applied to power distribution room and monitoring system thereof |
CN118886001A (en) * | 2024-07-09 | 2024-11-01 | 易方达基金管理有限公司 | A method, device, terminal device and storage medium for identifying abnormal access to a database |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | PB01 | Publication | |
 | SE01 | Entry into force of request for substantive examination | |
 | RJ01 | Rejection of invention patent application after publication | Application publication date: 20220208 |