CN101901219A - Detection method for injection attack of database and system - Google Patents
Detection method for injection attack of database and systemDownload PDFInfo
- Publication number
- CN101901219A CN101901219ACN200910085026XACN200910085026ACN101901219ACN 101901219 ACN101901219 ACN 101901219ACN 200910085026X ACN200910085026X ACN 200910085026XACN 200910085026 ACN200910085026 ACN 200910085026ACN 101901219 ACN101901219 ACN 101901219A
- Authority
- CN
- China
- Prior art keywords
- database
- access
- real time
- record
- behavior
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000002347injectionMethods0.000titleclaimsabstractdescription55
- 239000007924injectionSubstances0.000titleclaimsabstractdescription55
- 238000001514detection methodMethods0.000titleclaimsabstractdescription15
- 238000000034methodMethods0.000claimsabstractdescription39
- 230000004044responseEffects0.000claimsabstractdescription7
- 230000006399behaviorEffects0.000claimsdescription109
- 239000000284extractSubstances0.000claimsdescription14
- 230000000694effectsEffects0.000abstractdescription5
- 230000008569processEffects0.000description15
- 230000009471actionEffects0.000description9
- 238000010586diagramMethods0.000description6
- 238000005516engineering processMethods0.000description5
- 239000000047productSubstances0.000description4
- 238000012550auditMethods0.000description3
- 238000004458analytical methodMethods0.000description2
- 238000000605extractionMethods0.000description2
- 239000000203mixtureSubstances0.000description2
- 238000012545processingMethods0.000description2
- 238000011897real-time detectionMethods0.000description2
- 238000012360testing methodMethods0.000description2
- 230000002159abnormal effectEffects0.000description1
- 230000007812deficiencyEffects0.000description1
- 238000011161developmentMethods0.000description1
- 239000012467final productSubstances0.000description1
- 230000008676importEffects0.000description1
- 230000003993interactionEffects0.000description1
- 230000004048modificationEffects0.000description1
- 238000012986modificationMethods0.000description1
Images
Landscapes
- Debugging And Monitoring (AREA)
Abstract
Description
Technical field
The present invention relates to information security field, relate in particular to a kind of detection method for injection attack of database and system.
Background technology
Along with the development of Internet, client/server (B/S) pattern has obtained application more and more widely.The situation of carrying out data interaction between user and the background data base server often appears in the B/S pattern, be that the user imports and the submission data by list on the webpage of client, the data configuration SQL statement that the application program of service end is submitted to according to the user, be submitted to database server and handle, and return result to the user.When the application program of exploitation B/S pattern, many developers have ignored the legitimacy of user input data have been judged, make application program have potential safety hazard.The assailant can submit one piece of data library inquiry code to, according to the result that program is returned, steals that some he wants the data learnt, and database injection attacks technology that Here it is also claims SQL to inject (SQL Injection) and attacks.
To database server implementation protection, the network security audit product has obtained using widely for better.It can be monitored and the visit information of recording user to database in real time, generates the database access record, and according to the rule of setting to user access activity report to the police, operation such as blocking-up.But from database access behavior itself, no matter be user's normal visit, or assailant's injection attacks, all show as to database server and submit to and the operation SQL statement, though this just cause the network security audit product can recording user to the visit information of database, the visit behavior that the product itself of auditing can't be distinguished a database access record representative is the normal visit or the injection attacks of malice.When the assailant implemented injection attacks, the behavior that the audit product can only write down the assailant can't in time detect to attack and implement and block, and can only discern attack by the mode of ex-post analysis like this.In addition, assailant's Visitor Logs is submerged in a large amount of Visitor Logs, and the safety manager can only discern by experience, has brought great inconvenience to ex-post analysis.
Therefore, industry demands proposing a kind of new database injection attacks detection technique urgently, with real-time detection database access behavior, avoids database to suffer the SQL injection attacks.
Summary of the invention
Technical matters to be solved by this invention is to be a kind of detection method for injection attack of database and system need be provided, with real-time detection database access behavior.
In order to solve the problems of the technologies described above, the invention provides a kind of detection method for injection attack of database, comprising:
By the database history access record is carried out self study, set up database access behavior pattern storehouse;
Receive the database real time access,, judge whether described real time access is injection attacks, obtain judged result according to described visit behavior library;
According to described judged result and default response mode, described real time access is responded.
Preferably, the step to described history access record is carried out self study comprises:
Described history access record is set;
Every record in the described history access record is carried out SQL statement resolve, extract the SQL template;
According to described SQL template, set up described visit behavior library.
Preferably, described SQL template comprises field name in database manipulation type, database-name, tables of data title, operation field title, the if-clause and the relational operator in the if-clause.
Preferably,, judge whether described real time access is injection attacks, obtain the step of judged result, comprising according to described visit behavior library:
Described real time access is carried out SQL statement resolve, extract the SQL template of described real time access;
By the SQL template and the described visit behavior library of described real time access are compared, obtain described judged result.
Preferably, by described self study is carried out in the normal visit behavior in the described history access record, set up the normal visit behavior library that is used to confirm the visit of normal data storehouse.
Preferably, this method further comprises:
By described self study is carried out in the injection attacks behavior of confirming in the described history access record, set up the attack access behavior pattern storehouse that is used to confirm the database injection attacks.
In order to solve the problems of the technologies described above, the present invention also provides a kind of database injection attack detection system, comprising:
Memory module is used for the stored data base history access record;
Receiver module is used to receive the database real time access;
Parsing module links to each other with described memory module and receiver module, is used for described history access record and real time access are carried out the SQL statement parsing, extracts the SQL template;
Self-learning module links to each other with described parsing module, is used for the SQL template according to described history access record, sets up database access behavior pattern storehouse;
Judge module links to each other with described parsing module and self-learning module, is used for the SQL template according to described visit behavior library and described real time access, judges whether described real time access is the database injection attacks, obtains judged result;
Respond module links to each other with describedjudge module 650, is used for according to default response mode and described judged result described real time access being responded.
Preferably, the described SQL template that described parsing module extracts comprises field name in database manipulation type, database-name, tables of data title, operation field title, the if-clause and the relational operator in the if-clause.
Preferably, described self-learning module by described self study is carried out in the normal visit behavior in the described history access record, is set up the normal visit behavior library that is used to confirm the visit of normal data storehouse.
Preferably, this system further comprises:
Described self-learning module by described self study is carried out in the injection attacks behavior of confirming in the described history access record, is set up the attack access behavior pattern storehouse that is used to confirm the database injection attacks.
Compared with prior art; the present invention is by the study to history access record; set up visit behavior library; and according to the behavior of visit behavior library detection database injection attacks; can realize discerning automatically visit of normal data storehouse and injection attacks; and injection attacks blocked, thereby protected the safety of database server.In addition, in testing process, need not safety manager's intervention, reduced the workload of safety manager's log processing.
Description of drawings
Fig. 1 is the schematic flow sheet of the inventive method;
Fig. 2 is the self study process synoptic diagram of process step S110 shown in Figure 1;
Fig. 3 is the deterministic process synoptic diagram of process step S120 shown in Figure 1;
Fig. 4 is the schematic flow sheet of the inventive method first embodiment;
Fig. 5 is the schematic flow sheet of the inventive method second embodiment;
Fig. 6 is the composition synoptic diagram of system embodiment of the present invention.
Embodiment
Describe embodiments of the present invention in detail below with reference to drawings and Examples, how the application technology means solve technical matters to the present invention whereby, and the implementation procedure of reaching technique effect can fully understand and implements according to this.
The present invention is at first by carrying out self study to history access record, set up visit behavior library, according to this visit behavior library, directly real time access is detected then, can block the behavior of database injection attacks in real time, avoid database to suffer the SQL injection attacks.
Fig. 1 is the schematic flow sheet of the inventive method.As shown in Figure 1, this method mainly comprises the steps:
Step S110 by the database history access record is carried out self study, sets up database access behavior pattern storehouse;
Visit behavior library by self study foundation, can be the normal visit behavior library of being set up according to the normal visit behavior in the history access record, also can be according to having confirmed as the attack access behavior pattern storehouse that the injection attacks behavior is set up in the history access record; This normal visit behavior library is used for confirming normal (perhaps being referred to as safe) database real time access, and this attack access behavior pattern storehouse is used for confirming injection attacks;
Step S120 receives the database real time access, according to the visit behavior library of being set up, judges whether this real time access is injection attacks, obtains judged result;
Step S130, response mode and this judged result according to default respond this real time access.
Fig. 2 is the self study process synoptic diagram of above-mentioned steps S110.As shown in Figure 2, set up the self study process of visit behavior library, mainly comprise the steps: according to history access record
Step S210 is provided for the database history access record of self study;
Step S220 carries out SQL statement to every history access record and resolves, and extracts the SQL template of every history access record;
Step S230 according to the SQL template of the history access record of being extracted, sets up this visit behavior library.
Some SQL templates of being extracted among the above-mentioned steps S220, identify by unique id number each other, its content is including, but not limited to the field name in database manipulation type, database-name, tables of data title, operation field title, the if-clause and the relational operator in the if-clause;
When setting up this visit behavior library among the above-mentioned steps S230, can merge with the extraction operation of step S220, the SQL template of extracting among the step S220 is put in storage modeling, do not need to set up visit behavior library again after all history access record extraction SQL templates.
If had same SQL template in the visit behavior library, then it is not deposited in the visit behavior library, and next bar history access record is resolved in continuation, if do not have same SQL template in the visit behavior library, then it is a new SQL template, it is deposited in the visit behavior library, continue to resolve next bar history access record again.That is to say,, only keep one in the visit behavior library, and for the SQL template that repeats, remove and get final product for same SQL template.
Among the above-mentioned steps S230, set up this normal visit behavior library, set up attack access behavior pattern storehouse according to the SQL template of attack access behavior according to the SQL template of normal visit behavior.
According to self study process shown in Figure 2, Fig. 3 is the deterministic process synoptic diagram of above-mentioned steps S120.As shown in Figure 3, judge that according to the visit behavior library of being set up whether this real time access is injection attacks and the process that obtains judged result, mainly comprises the steps:
Step S310 carries out SQL statement to the database real time access that is received and resolves, and extracts the SQL template of this real time access;
Step S320 compares by the visit behavior library that the SQL template and the self study process of this real time access are set up, and judges whether this real time access is the database injection attacks, obtains judged result;
If the SQL template of this real time access is included in the normal visit behavior library, then this real time access is normal visit behavior, and this real time access is let pass;
If the SQL template of this real time access is included in the attack access behavior pattern storehouse, then this real time access is the behavior of database injection attacks, and this real time access is blocked;
If the SQL template of this real time access is not promptly in normal visit behavior library, also not in attack access behavior pattern storehouse, then this real time access temporarily can't determine that it is normal visit behavior or be the behavior of database injection attacks, need further discern, block this real time access and report to the police to finish further identification this moment.
Fig. 4 is the schematic flow sheet of the inventive method first embodiment.As shown in Figure 4, this method first embodiment mainly comprises the steps:
Step S41 0, the zero-time of setting data storehouse history access record is 12 o'clock on the 1st January in 2009, and the concluding time is 13 o'clock on the 1st January in 2009, observes three database access records altogether in during this period, these three database access records are normal Visitor Logs, are respectively:
Record 1:select value from table 1 where username=' Alice ';
Record 2:insert into table 1 valus (' Jack ', 80);
Record 3:select value from table 1 where username=' Bob ';
Step S420 carries out SQL statement to this three database accesss record and resolves, and extracts the SQL template of every history access record, and according to the SQL template of the history access record of being extracted, sets up normal visit behavior library;
Carry out the SQL statement parsing to writing down 1, the SQL template of extracting record 1 is: action type is " select ", and tables of data is " table 1 ", and operation field is " value ", and field, relational operator are { " username ", "=" } in the if-clause; This moment, database was normally visited the behavior library for empty, this SQL template was joined database normally visit in the behavior library;
Carry out the SQL statement parsing to writing down 2, the SQL template of extracting record 2 is: action type is " insert ", and tables of data is " table 1 ", and operation field is NULL, and field, relational operator are NULL in the if-clause; Because it is inequality that this SQL template and database are normally visited existing template in the behavior library (promptly writing down 1 SQL template), so will write down 2 SQL module and join database and normally visit in the behavior library;
Carry out the SQL statement parsing to writing down 3, the SQL template of extracting record 3 is: action type is " select ", and tables of data is " table 1 ", and operation field is " value ", and field, relational operator are { " username ", "=" } in the if-clause; Because this SQL template has appeared at database and has normally visited in the behavior library, therefore directly delete this SQL template, because this record has been the last item record of setting that is used for self study, so the self study process finishes;
Step S430 receives the database real time access, and its Visitor Logs is:
select?value?form?table?1?where?username=’Tom’or?1>=1--;
Step S440, this real time access record is carried out SQL statement resolves, obtaining its SQL template is: action type is " select ", tables of data is " table 1 ", operation field is " value ", and field, relational operator are { (" username ", "=") in the if-clause, (" 1 ", ">=") };
Step S450 by the SQL template of this real time access is compared with normal visit behavior library, finds that it does not appear in the normal visit behavior library of being made up of two SQL templates, and therefore judging this real time access is the abnormal access behavior;
Step S460 reports to the police to treat that managerial personnel handle to this real time access, writes down this real time access, and blocks its operation to database, thereby has guaranteed the safety of database server.
Fig. 5 is the schematic flow sheet of the inventive method second embodiment.As shown in Figure 5, this method second embodiment mainly comprises the steps:
Step S510, the zero-time of setting data storehouse history access record is 12 o'clock on the 2nd January in 2009, concluding time is 13 o'clock on the 2nd January in 2009, observe four database access records during this period altogether, wherein first three bar database access is recorded as normal Visitor Logs, article four, the database access record is injection attacks through identification, and these four Visitor Logs are respectively:
Record 1:select value from table 1 where username=' Alice ';
Record 2:insert into table 1 valus (' Jack ', 80);
Record 3:select value from table 1 where username=' Bob ';
Record 4:select value form table 1 where username=' Tom ' or 1>=1--;
Step S520 carries out SQL statement to this four database accesss record and resolves, and extracts the SQL template of every history access record, and according to the SQL template of the history access record of being extracted, sets up normal visit behavior library and attack access behavior pattern storehouse;
Carry out the SQL statement parsing to writing down 1, the SQL template of extracting record 1 is: action type is " select ", and tables of data is " table 1 ", and operation field is " value ", and field, relational operator are { " username ", "=" } in the if-clause; Because record 1 is normal visit behavior, and this moment, database was normally visited the behavior library for empty, therefore this SQL template was joined database and normally visited in the behavior library;
Carry out the SQL statement parsing to writing down 2, the SQL template of extracting record 2 is: action type is " inset ", and tables of data is " table 1 ", and operation field is NULL, and field, relational operator are NULL in the if-clause; Because record 2 be normal visit behavior, and this SQL template and database normally to visit existing template in the behavior library (promptly writing down 1 SQL template) inequality, so will write down 2 SQL module and join database and normally visit in the behavior library;
Carry out the SQL statement parsing to writing down 3, the SQL template of extracting record 3 is: action type is " select ", and tables of data is " table 1 ", and operation field is " value ", and field, relational operator are { " username ", "=" } in the if-clause; Because record 3 be normal visit behavior, and this SQL template appeared at database and normally visited in the behavior library, therefore directly deletes this SQL template;
Carry out the SQL statement parsing to writing down 4, the SQL template of extracting record 4 is: action type is " select ", and tables of data is " table 1 ", operation field is " value ", and field, relational operator are { (" username ", "=") in the if-clause, (" 1 ", ">=") }; Because record 4 is attack, and this moment, database attack access behavior pattern storehouse was empty, therefore this SQL template was joined in the database attack access behavior pattern storehouse; Writing down 4 in addition has been the last item record of setting that is used for self study, so the self study process finishes;
Step S530 receives the database real time access, and its Visitor Logs is:
select?value?form?table?1?where?username=’Tom’or?1>=0--;
Step S540, this real time access record is carried out SQL statement resolves, obtaining its SQL template is: action type is " select ", tables of data is " table 1 ", operation field is " value ", and field, relational operator are { (" username ", "=") in the if-clause, (" 1 ", ">=") };
Step S550 by the SQL template of this real time access is compared with normal visit behavior library and attack access behavior pattern storehouse, finds that it appears in the attack access behavior pattern storehouse, and therefore judging this real time access is the attack access behavior;
Step S560 writes down this real time access, blocks its operation to database, thereby has guaranteed the safety of database server.
Fig. 6 is the composition synoptic diagram of detection system embodiment of the present invention.With reference to the flow process of the inventive method shown in Figure 1, self study process shown in Figure 2, deterministic process shown in Figure 3, the inventive method first embodiment shown in Figure 4 and the inventive method second embodiment shown in Figure 5, system embodiment shown in Figure 6 mainly comprisesmemory module 610,receiver module 620, parsingmodule 630, self-learning module 640,judge module 650 and respondmodule 660, wherein:
Parsingmodule 630, link to each other with thismemory module 610 andreceiver module 620, be used for this database history access record and database real time access are carried out the SQL statement parsing, extract the SQL template of every visit, comprise the SQL template of historical visit and the SQL template of real time access;
Self-learning module 640 links to each other with thisparsing module 630, is used for the SQL template of the history access record extracted according to parsingmodule 630, sets up database access behavior pattern storehouse;
Respondmodule 660 links to each other with thisreceiver module 620 andjudge module 650, is used for according to default response mode and this judged result this real time access being responded.
This SQL template that above-mentionedparsing module 630 extracts includes but not limited to field name in database manipulation type, database-name, tables of data title, operation field title, the if-clause and the relational operator in the if-clause.
Above-mentioned self-learning module is by carrying out self study to the normal visit behavior in the database history access record, can set up being used to confirm the normal visit behavior library of normal data storehouse visit.Can also set up the attack access behavior pattern storehouse that is used to confirm the database injection attacks by self study is carried out in the injection attacks behavior of confirming in the database history access record.
Detection method for injection attack of database and system that the present invention proposes, at the deficiencies in the prior art, by study to history access record, set up visit behavior library, and, can realize discerning automatically visit of normal data storehouse and injection attacks according to the behavior of visit behavior library detection database injection attacks.
Compared with prior art; the present invention is by setting up database access behavior pattern storehouse at learning phase; can real-time judge database access behavior be normal visit or injection attacks, can in time detect the database injection attacks and, thereby protect the safety of database server its blocking-up.In addition, detection method for injection attack of database and system that the present invention proposes need not safety manager's intervention in testing process, reduced the workload of safety manager's log processing.
Though the disclosed embodiment of the present invention as above, the embodiment that described content just adopts for the ease of understanding the present invention is not in order to limit the present invention.Technician in any the technical field of the invention; under the prerequisite that does not break away from the disclosed spirit and scope of the present invention; can do any modification and variation what implement in form and on the details; but scope of patent protection of the present invention still must be as the criterion with the scope that appending claims was defined.
Claims (10)
1. a detection method for injection attack of database is characterized in that, comprising:
By the database history access record is carried out self study, set up database access behavior pattern storehouse;
Receive the database real time access,, judge whether described real time access is injection attacks, obtain judged result according to described visit behavior library;
According to described judged result and default response mode, described real time access is responded.
2. the method for claim 1 is characterized in that, the step to described history access record is carried out self study comprises:
Described history access record is set;
Every record in the described history access record is carried out SQL statement resolve, extract the SQL template;
According to described SQL template, set up described visit behavior library.
3. method as claimed in claim 2 is characterized in that:
Described SQL template comprises field name in database manipulation type, database-name, tables of data title, operation field title, the if-clause and the relational operator in the if-clause.
4. method as claimed in claim 2 is characterized in that, according to described visit behavior library, judges whether described real time access is injection attacks, obtains the step of judged result, comprising:
Described real time access is carried out SQL statement resolve, extract the SQL template of described real time access;
By the SQL template and the described visit behavior library of described real time access are compared, obtain described judged result.
5. the method for claim 1 is characterized in that:
By described self study is carried out in the normal visit behavior in the described history access record, set up the normal visit behavior library that is used to confirm the visit of normal data storehouse.
6. method as claimed in claim 4 is characterized in that, this method further comprises:
By described self study is carried out in the injection attacks behavior of confirming in the described history access record, set up the attack access behavior pattern storehouse that is used to confirm the database injection attacks.
7. a database injection attack detection system is characterized in that, comprising:
Memory module is used for the stored data base history access record;
Receiver module is used to receive the database real time access;
Parsing module links to each other with described memory module and receiver module, is used for described history access record and real time access are carried out the SQL statement parsing, extracts the SQL template;
Self-learning module links to each other with described parsing module, is used for the SQL template according to described history access record, sets up database access behavior pattern storehouse;
Judge module links to each other with described parsing module and self-learning module, is used for the SQL template according to described visit behavior library and described real time access, judges whether described real time access is the database injection attacks, obtains judged result;
Respond module links to each other with described judge module 650, is used for according to default response mode and described judged result described real time access being responded.
8. system as claimed in claim 7 is characterized in that:
The described SQL template that described parsing module extracts comprises field name in database manipulation type, database-name, tables of data title, operation field title, the if-clause and the relational operator in the if-clause.
9. system as claimed in claim 7 is characterized in that:
Described self-learning module by described self study is carried out in the normal visit behavior in the described history access record, is set up the normal visit behavior library that is used to confirm the visit of normal data storehouse.
10. system as claimed in claim 9 is characterized in that, this system further comprises:
Described self-learning module by described self study is carried out in the injection attacks behavior of confirming in the described history access record, is set up the attack access behavior pattern storehouse that is used to confirm the database injection attacks.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN200910085026XACN101901219A (en) | 2009-05-27 | 2009-05-27 | Detection method for injection attack of database and system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN200910085026XACN101901219A (en) | 2009-05-27 | 2009-05-27 | Detection method for injection attack of database and system |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN101901219Atrue CN101901219A (en) | 2010-12-01 |
Family
ID=43226762
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN200910085026XAPendingCN101901219A (en) | 2009-05-27 | 2009-05-27 | Detection method for injection attack of database and system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN101901219A (en) |
Cited By (17)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103077356A (en)* | 2013-01-11 | 2013-05-01 | 中国地质大学(武汉) | Protecting and tracking method for primary information of mobile terminal based on user behavior pattern |
| CN103118035A (en)* | 2013-03-07 | 2013-05-22 | 星云融创(北京)信息技术有限公司 | Website access request parameter legal range analysis method and device |
| CN103294966A (en)* | 2013-03-12 | 2013-09-11 | 中国工商银行股份有限公司 | Security access control method and system of database |
| CN104008349A (en)* | 2014-04-28 | 2014-08-27 | 国家电网公司 | Database security access control method and system |
| CN104077530A (en)* | 2013-03-27 | 2014-10-01 | 国际商业机器公司 | Method and device used for evaluating safety of data access sentence |
| CN104090941A (en)* | 2014-06-30 | 2014-10-08 | 江苏华大天益电力科技有限公司 | Database auditing system and database auditing method |
| CN106302498A (en)* | 2016-08-25 | 2017-01-04 | 杭州汉领信息科技有限公司 | A kind of data base's access firewall system based on login parameters |
| WO2017016422A1 (en)* | 2015-07-29 | 2017-02-02 | 阿里巴巴集团控股有限公司 | Cloud-based database detection method and device |
| CN107122658A (en)* | 2017-05-08 | 2017-09-01 | 四川长虹电器股份有限公司 | Database system of defense and method with autolearn feature |
| CN107203718A (en)* | 2017-06-15 | 2017-09-26 | 深信服科技股份有限公司 | A kind of detection method and system of sql command injection |
| CN107347047A (en)* | 2016-05-04 | 2017-11-14 | 阿里巴巴集团控股有限公司 | Attack guarding method and device |
| CN107784228A (en)* | 2016-08-31 | 2018-03-09 | 百度在线网络技术(北京)有限公司 | SQL injection attack detection and device |
| CN107832618A (en)* | 2017-09-20 | 2018-03-23 | 武汉虹旭信息技术有限责任公司 | A kind of SQL injection detecting system and its method based on fine granularity control of authority |
| CN108259482A (en)* | 2018-01-04 | 2018-07-06 | 平安科技(深圳)有限公司 | Network Abnormal data detection method, device, computer equipment and storage medium |
| CN112765156A (en)* | 2020-12-29 | 2021-05-07 | 中国人寿保险股份有限公司上海数据中心 | Data modification method, system and storage medium based on data modification rule |
| CN115913707A (en)* | 2022-11-15 | 2023-04-04 | 中国工商银行股份有限公司 | Application access request identification method and device and computer equipment |
| CN116702146A (en)* | 2023-08-07 | 2023-09-05 | 北京理想乡网络技术有限公司 | Injection vulnerability scanning method and system of Web server |
- 2009
- 2009-05-27CNCN200910085026XApatent/CN101901219A/enactivePending
Cited By (32)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103077356B (en)* | 2013-01-11 | 2015-06-24 | 中国地质大学(武汉) | Protecting and tracking method for primary information of mobile terminal based on user behavior pattern |
| CN103077356A (en)* | 2013-01-11 | 2013-05-01 | 中国地质大学(武汉) | Protecting and tracking method for primary information of mobile terminal based on user behavior pattern |
| CN103118035A (en)* | 2013-03-07 | 2013-05-22 | 星云融创(北京)信息技术有限公司 | Website access request parameter legal range analysis method and device |
| CN103118035B (en)* | 2013-03-07 | 2016-05-04 | 星云融创(北京)科技有限公司 | Method and the device of analyzing web site access request parameters legal range |
| CN103294966A (en)* | 2013-03-12 | 2013-09-11 | 中国工商银行股份有限公司 | Security access control method and system of database |
| CN103294966B (en)* | 2013-03-12 | 2016-02-24 | 中国工商银行股份有限公司 | A kind of safety access control method of database and system |
| US11228595B2 (en) | 2013-03-27 | 2022-01-18 | International Business Machines Corporation | Evaluating security of data access statements |
| CN104077530A (en)* | 2013-03-27 | 2014-10-01 | 国际商业机器公司 | Method and device used for evaluating safety of data access sentence |
| US9680830B2 (en) | 2013-03-27 | 2017-06-13 | International Business Machines Corporation | Evaluating security of data access statements |
| US10693877B2 (en) | 2013-03-27 | 2020-06-23 | International Business Machines Corporation | Evaluating security of data access statements |
| CN104008349A (en)* | 2014-04-28 | 2014-08-27 | 国家电网公司 | Database security access control method and system |
| CN104090941A (en)* | 2014-06-30 | 2014-10-08 | 江苏华大天益电力科技有限公司 | Database auditing system and database auditing method |
| CN104090941B (en)* | 2014-06-30 | 2017-08-25 | 北京华电天益信息科技有限公司 | A kind of database audit system and its auditing method |
| WO2017016422A1 (en)* | 2015-07-29 | 2017-02-02 | 阿里巴巴集团控股有限公司 | Cloud-based database detection method and device |
| CN106407830A (en)* | 2015-07-29 | 2017-02-15 | 阿里巴巴集团控股有限公司 | Detection method and device of cloud-based database |
| CN107347047A (en)* | 2016-05-04 | 2017-11-14 | 阿里巴巴集团控股有限公司 | Attack guarding method and device |
| CN107347047B (en)* | 2016-05-04 | 2021-10-22 | 阿里巴巴集团控股有限公司 | Attack protection method and device |
| CN106302498A (en)* | 2016-08-25 | 2017-01-04 | 杭州汉领信息科技有限公司 | A kind of data base's access firewall system based on login parameters |
| CN106302498B (en)* | 2016-08-25 | 2019-05-14 | 杭州汉领信息科技有限公司 | A kind of database access firewall system based on login parameters |
| CN107784228A (en)* | 2016-08-31 | 2018-03-09 | 百度在线网络技术(北京)有限公司 | SQL injection attack detection and device |
| CN107122658A (en)* | 2017-05-08 | 2017-09-01 | 四川长虹电器股份有限公司 | Database system of defense and method with autolearn feature |
| CN107203718B (en)* | 2017-06-15 | 2021-05-04 | 深信服科技股份有限公司 | Detection method and system for SQL command injection |
| CN107203718A (en)* | 2017-06-15 | 2017-09-26 | 深信服科技股份有限公司 | A kind of detection method and system of sql command injection |
| CN107832618B (en)* | 2017-09-20 | 2019-12-24 | 武汉虹旭信息技术有限责任公司 | SQL injection detection system and method based on fine-grained authority control |
| CN107832618A (en)* | 2017-09-20 | 2018-03-23 | 武汉虹旭信息技术有限责任公司 | A kind of SQL injection detecting system and its method based on fine granularity control of authority |
| CN108259482B (en)* | 2018-01-04 | 2019-05-28 | 平安科技(深圳)有限公司 | Network Abnormal data detection method, device, computer equipment and storage medium |
| CN108259482A (en)* | 2018-01-04 | 2018-07-06 | 平安科技(深圳)有限公司 | Network Abnormal data detection method, device, computer equipment and storage medium |
| CN112765156A (en)* | 2020-12-29 | 2021-05-07 | 中国人寿保险股份有限公司上海数据中心 | Data modification method, system and storage medium based on data modification rule |
| CN112765156B (en)* | 2020-12-29 | 2024-08-13 | 中国人寿保险股份有限公司上海数据中心 | Data modification method, system and storage medium based on data modification rule |
| CN115913707A (en)* | 2022-11-15 | 2023-04-04 | 中国工商银行股份有限公司 | Application access request identification method and device and computer equipment |
| CN116702146A (en)* | 2023-08-07 | 2023-09-05 | 北京理想乡网络技术有限公司 | Injection vulnerability scanning method and system of Web server |
| CN116702146B (en)* | 2023-08-07 | 2024-03-22 | 天翼安全科技有限公司 | Injection vulnerability scanning method and system of Web server |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN101901219A (en) | Detection method for injection attack of database and system | |
| CN112787992B (en) | Method, device, equipment and medium for detecting and protecting sensitive data | |
| CN101902366B (en) | Method and system for detecting abnormal service behaviors | |
| JP5941149B2 (en) | System and method for evaluating an event according to a temporal position in an event sequence based on a reference baseline | |
| CN103825774A (en) | Method and apparatus for generating privacy profiles | |
| CN107016298B (en) | Webpage tampering monitoring method and device | |
| CN101610265B (en) | Service workflow process recognition method | |
| CN101272286B (en) | Network inbreak event association detecting method | |
| CN110442582B (en) | Scene detection method, device, equipment and medium | |
| CN103294950A (en) | High-power secret information stealing malicious code detection method and system based on backward tracing | |
| CN109347808B (en) | Safety analysis method based on user group behavior activity | |
| CN105204922A (en) | Collecting method of client terminal of data collecting platform | |
| Singh et al. | Sql injection detection and correction using machine learning techniques | |
| CN107302586A (en) | A kind of Webshell detection methods and device, computer installation, readable storage medium storing program for executing | |
| KR20200035614A (en) | Web-based brute force attack blocking device and method using machine learning | |
| US20210075812A1 (en) | A system and a method for sequential anomaly revealing in a computer network | |
| CN109727027A (en) | Account recognition methods, device, equipment and storage medium | |
| CN115883124A (en) | Distributed website tampering detection system and method | |
| CN104901962A (en) | Method and device for detecting webpage attack data | |
| CN1333553C (en) | Program grade invasion detecting system and method based on sequency mode evacuation | |
| CN102253948A (en) | Method and device for searching information in multi-source information system | |
| CN108804920A (en) | A method of based on striding course behavior monitoring malicious code homology analysis | |
| Freeman et al. | Host-based intrusion detection using user signatures | |
| CN102946400B (en) | The magnanimity short message content safety filtering method and system that a kind of Behavior-based control is analyzed | |
| CN116185785A (en) | Early warning method and device for file abnormal change |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C12 | Rejection of a patent application after its publication | ||
| RJ01 | Rejection of invention patent application after publication | Application publication date:20101201 |