CN110866278A

Movatterモバイル変換

Info

Publication number: CN110866278A
Application number: CN201911113710.4A
Authority: CN
Inventors: 孙鹏飞; 邹帮山; 秦旭果; 王照文; 王超
Original assignee: Jilin Billion Bank Ltd By Share Ltd
Current assignee: Jilin Billion Bank Ltd By Share Ltd
Priority date: 2019-11-14
Filing date: 2019-11-14
Publication date: 2020-03-06

Abstract

The invention provides a method and a device for blocking real-time intrusion of a database, wherein the method comprises the following steps: monitoring a target database table in real time, wherein the target database table is forged based on a real business scene; when the operation behavior of the target database table is monitored, recording relevant data of the operation behavior; constructing a database blocking mechanism according to the relevant data of the operation behaviors; and blocking the attack behavior aiming at the database in real time by utilizing the database blocking mechanism, thereby realizing the real-time protection of the database.

Description

Method and device for blocking real-time intrusion of database

Technical Field

The invention relates to the technical field of databases, in particular to a method and a device for blocking real-time intrusion of a database.

Background

With the development of database technology, the application range of databases is wider and wider, and database security becomes the focus of research in the field.

The existing database products are mainly classified into vulnerability scanning, database auditing, database honeypots and other types of products. Vulnerability scanning is mainly based on a public vulnerability database, vulnerability of the database is discovered through version comparison and partial POC (full name of Concept in English, Chinese name: verification test), the database is used as a service core part, and stability and compatibility problems may occur in upgrading of a large version. The database audit products are more analyzed by depending on database flow, and the product has the defect of high false alarm in the face of complex business environment. The detection capability of a product such as a database honeypot in the aspects of unknown threats is determined to a certain extent by the design scene, the authenticity of a simulation system and whether a deployed scheme is reasonable.

However, the three products cannot block the attack action aiming at the database in real time, and cannot realize the real-time protection of the database.

Disclosure of Invention

In view of this, the present invention provides a method and an apparatus for blocking real-time intrusion of a database, so as to achieve real-time blocking of an attack behavior against the database.

In order to achieve the above purpose, the invention provides the following specific technical scheme:

a real-time intrusion blocking method for a database comprises the following steps:

monitoring a target database table in real time, wherein the target database table is forged based on a real business scene;

when the operation behavior of the target database table is monitored, recording relevant data of the operation behavior;

constructing a database blocking mechanism according to the relevant data of the operation behaviors;

and blocking the attack behavior aiming at the database in real time by utilizing the database blocking mechanism.

Optionally, the method further includes:

acquiring a database table naming rule of a service system in a real service scene;

and generating the target database table which accords with the database table naming rule of the business system.

Optionally, the data related to the operation behavior includes a source IP address, a source port number, and an operation time.

Optionally, the constructing a database blocking mechanism according to the data related to the operation behavior includes:

and constructing an external public network IP address blocking mechanism and an internal network IP address blocking mechanism according to the source IP address in the relevant data of the operation behavior.

Optionally, the blocking, in real time, an attack action on the database by using the database blocking mechanism includes:

calling an API (application program interface) of a firewall by using the external public network IP address blocking mechanism to realize automatic blocking of the illegal external public network IP address;

and isolating the communication between the database server and the intranet server by using the intranet IP address blocking mechanism.

A database real-time intrusion blocking apparatus, comprising:

the database table monitoring unit is used for monitoring a target database table in real time, and the target database table is forged based on a real business scene;

the operation behavior recording unit is used for recording relevant data of the operation behavior when the operation behavior of the target database table is monitored;

the blocking mechanism constructing unit is used for constructing a database blocking mechanism according to the relevant data of the operation behaviors;

and the attack behavior blocking unit is used for blocking the attack behavior aiming at the database in real time by utilizing the database blocking mechanism.

Optionally, the apparatus further comprises:

the database table generating unit is used for acquiring a database table naming rule of a service system in a real service scene; and generating the target database table which accords with the database table naming rule of the business system.

Optionally, the blocking mechanism constructing unit is specifically configured to construct an external public network IP address blocking mechanism and an internal network IP address blocking mechanism according to the source IP address in the relevant data of the operation behavior.

Optionally, the attack behavior blocking unit is specifically configured to:

Compared with the prior art, the invention has the following beneficial effects:

the invention discloses a real-time intrusion blocking method for a database, which records the operation behavior of an object database table by monitoring the object database forged based on a real service scene in real time, and establishes a database blocking mechanism on the basis that the operation behavior of the object database table is definitely illegal attack operation because the object database is forged based on the real service scene, and blocks the attack behavior aiming at the database in real time by utilizing the database blocking mechanism to realize the real-time protection of the database.

Drawings

In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.

Fig. 1 is a schematic flowchart of a real-time intrusion blocking method for a database according to an embodiment of the present invention;

fig. 2 is a schematic structural diagram of a real-time database intrusion blocking device according to an embodiment of the present invention.

Detailed Description

The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.

The embodiment discloses a method for blocking real-time intrusion of a database, which is applied to a server deployed with the database, and specifically, referring to fig. 1, the method for blocking real-time intrusion of the database comprises the following steps:

s101: monitoring a target database table in real time;

the target database table is forged based on a real business scene, the real business scene is a business scene corresponding to the database, and the real business scene comprises at least one business system, such as a user login system, a customer information management system, a fund transaction system and the like under a banking business scene.

Forging a target database table, namely firstly acquiring a naming rule of a database table of a business system in a real business scene, wherein the naming rule of the database table of a User Login system is XXX _ User _ Login, the naming rule of the database table of a Customer Information management system is XXX _ Customer _ Information, and the naming rule of the database table of a fund Transaction system is XXX _ Capital _ Transaction.

And then generating a target database table which accords with the database table naming rule of the business system, wherein the target database table can be an empty table or can be randomly filled with data.

S102: when the operation behavior of the target database table is monitored, recording relevant data of the operation behavior;

because the target database table is forged, the operation behavior on the target database table must be an illegal attack behavior that does not know in advance that the target database table is forged.

The relevant data of the operation behavior of the target database table can include data such as a source IP address, a source port number and operation time, and by recording the data, operation and maintenance personnel can trace the relevant data of the illegal attack behavior.

S103: constructing a database blocking mechanism according to the relevant data of the operation behaviors;

the source IP address comprises an external public network IP address and an internal network IP address, and an external public network IP address blocking mechanism and an internal network IP address blocking mechanism are constructed according to the source IP address in the relevant data of the operation behavior, so that illegal attack behaviors from the external public network IP address and the internal IP address are blocked.

S104: and blocking the attack behavior aiming at the database in real time by utilizing the database blocking mechanism.

Specifically, an API (application program interface) of a firewall is called by using an external public network IP address blocking mechanism, so that the illegal external public network IP address is automatically blocked.

And isolating the communication between the database server and the intranet server by utilizing an internal IP address blocking mechanism.

It can be seen that, in the method for blocking real-time intrusion into a database disclosed in this embodiment, an operation behavior of a target database table is recorded by monitoring the target database forged based on a real service scene in real time, and since the target database is forged based on the real service scene, the monitored operation behavior of the target database table is definitely an illegal attack operation, a database blocking mechanism is constructed on the basis, and an attack behavior against the database is blocked in real time by using the database blocking mechanism, so as to implement real-time protection of the database.

Based on the method for blocking real-time intrusion into a database disclosed in the above embodiments, this embodiment correspondingly discloses a device for blocking real-time intrusion into a database, please refer to fig. 2, and the device includes:

a databasetable monitoring unit 201, configured to monitor a target database table in real time, where the target database table is forged based on a real service scene;

an operationbehavior recording unit 202, configured to record, when an operation behavior of the target database table is monitored, relevant data of the operation behavior;

a blockingmechanism constructing unit 203, configured to construct a database blocking mechanism according to the relevant data of the operation behavior;

and the attackbehavior blocking unit 204 is configured to block an attack behavior for the database in real time by using the database blocking mechanism.

Optionally, the apparatus further comprises:

Optionally, the blockingmechanism constructing unit 203 is specifically configured to construct an external public network IP address blocking mechanism and an internal network IP address blocking mechanism according to the source IP address in the relevant data of the operation behavior.

Optionally, the attackbehavior blocking unit 204 is specifically configured to:

The device for blocking real-time intrusion into a database disclosed by the embodiment records the operation behavior of the target database table by monitoring the target database forged based on the real service scene in real time, and because the target database is forged based on the real service scene, the monitored operation behavior of the target database table is certain to be illegal attack operation, a database blocking mechanism is constructed on the basis, and the attack behavior aiming at the database is blocked in real time by utilizing the database blocking mechanism, so that the real-time protection of the database is realized.

The embodiments in the present description are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. The device disclosed by the embodiment corresponds to the method disclosed by the embodiment, so that the description is simple, and the relevant points can be referred to the method part for description.

It is further noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.

The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.

The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims

1. A real-time intrusion blocking method for a database is characterized by comprising the following steps:

2. The method of claim 1, further comprising:

3. The method of claim 1, wherein the data related to the operational behavior comprises a source IP address, a source port number, and an operation time.

4. The method according to claim 3, wherein the constructing a database blocking mechanism according to the data related to the operation behavior comprises:

5. The method of claim 4, wherein blocking, in real time, an attack on the database using the database blocking mechanism comprises:

6. A real-time intrusion blocking device for a database, comprising:

7. The apparatus of claim 6, further comprising:

8. The apparatus of claim 6, wherein the data related to the operational behavior comprises a source IP address, a source port number, and an operation time.

9. The apparatus according to claim 8, wherein the blocking mechanism constructing unit is specifically configured to construct an external public network IP address blocking mechanism and an internal network IP address blocking mechanism according to a source IP address in the relevant data of the operation behavior.

10. The apparatus according to claim 9, wherein the attack behavior blocking unit is specifically configured to: