CN120744986A - A database management method and system for dynamic path encryption - Google Patents

A database management method and system for dynamic path encryption

Info

Publication number
CN120744986A
Authority
CN
China
Prior art keywords
encryption
access
security
path
dynamic
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202511242401.2A
Other languages
Chinese (zh)
Inventor
田华
吴春辉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Foshan Zhongka Xiangting Technology Co ltd
Original Assignee
Foshan Zhongka Xiangting Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Foshan Zhongka Xiangting Technology Co ltd
Priority to CN202511242401.2A
Publication of CN120744986A
Legal status: Pending

Abstract

Translated from Chinese


The present invention relates to the field of database management technology and discloses a database management method and system using dynamic path encryption. The method comprises: first obtaining the dynamic access path corresponding to the target database, identifying key nodes through cryptographic analysis, and constructing a dynamic encryption architecture; then extracting access load data, marking it in a hierarchical manner, calculating key distribution values, and identifying access anomalies; then marking risk areas and analyzing them to obtain security data and risk thresholds; and finally identifying redundant encryption tags, matching them to privacy standards to obtain optimized identifiers, and formulating dynamic path management and control strategies. The present invention can improve the efficiency of data management in databases.

Description

Dynamic path encryption database management method and system
Technical Field
The invention relates to a database management method and system for dynamic path encryption, and belongs to the technical field of database management.
Background
Database management refers to the process of systematically organizing, storing, maintaining and accessing data. It aims to ensure the integrity, security, availability and efficient access of data; its core tasks include data modeling, storage optimization, authority management, backup and recovery, and performance tuning; and it is widely applied in enterprise information systems, cloud computing platforms, big data analysis and other fields.
Currently, encryption in database management mainly relies on static encryption with fixed key distribution (such as AES and RSA) or on access control based on a single role model (RBAC). These approaches lack a collaborative determination over multidimensional dynamic factors (such as a user's frequency decay score, the network attack situation and the data sensitivity level), so encryption strategies are rigid: for example, the original key authority is still maintained when an abnormal login is detected, or the encryption strength is not adjusted dynamically according to the real-time frequency of use of the data. As a result, the system faces a global data exposure risk once a key is cracked, while static high-strength encryption adds unnecessary computational overhead for low-frequency access data.
Disclosure of Invention
The invention provides a database management method and system for dynamic path encryption, which mainly aim to improve the management efficiency of data in a database.
In order to achieve the above object, the present invention provides a database management method for dynamic path encryption, including:
Acquiring a dynamic access path corresponding to a target database, carrying out encryption analysis on the dynamic access path to obtain a path encryption characteristic, and identifying key access nodes in the dynamic access path based on the path encryption characteristic;
identifying an access ciphertext in the dynamic access path based on the key access node, dividing a segmented ciphertext unit corresponding to the access ciphertext, and constructing a dynamic encryption architecture corresponding to the target database based on the segmented ciphertext unit;
Extracting access load data in the dynamic encryption architecture, carrying out security classification marking on the access load data to obtain a classification security queue, calculating a key distribution value corresponding to the classification security queue, and determining an access abnormal point in the target database based on the key distribution value;
Determining a risk area corresponding to the access abnormal point, dynamically marking the risk area to obtain an area encryption tag, carrying out security analysis on the area encryption tag to obtain security analysis data, and calculating a risk threshold corresponding to the security analysis data;
And identifying a redundant encryption mark in the safety analysis data based on the risk threshold, optimally matching the redundant encryption mark with a preset privacy protection standard to obtain an encryption optimization identifier, and formulating a dynamic path management and control strategy corresponding to the target database based on the encryption optimization identifier.
Optionally, the identifying, based on the path encryption feature, a critical access node in the dynamic access path includes:
Analyzing the access track attribute in the path encryption feature;
traversing node access directories in the pre-constructed path topology architecture based on the access track attribute;
extracting a path access log in the node access directory;
Filtering sensitive entry points in the path access log;
and identifying key access nodes in the dynamic access path based on the sensitive entry points.
Optionally, the identifying, based on the key access node, an access ciphertext in the dynamic access path includes:
positioning path segments where the key access nodes are located;
Extracting an encrypted data stream in the path segment;
scanning a ciphertext identification in the encrypted data stream;
Inquiring an identification encryption mode corresponding to the ciphertext identification;
And identifying the access ciphertext in the dynamic access path based on the identification encryption mode.
Optionally, the constructing a dynamic encryption architecture corresponding to the target database based on the segmented ciphertext unit includes:
Identifying a storage position and an access level corresponding to the segmented ciphertext unit;
performing association mapping on the storage position and the access level to generate a ciphertext mapping table;
extracting a core encryption group in the ciphertext mapping table;
dynamically deploying an encryption engine corresponding to the core encryption group;
and constructing a dynamic encryption architecture corresponding to the target database based on the encryption engine.
Optionally, the calculating a key distribution value corresponding to the hierarchical security queue includes:
inquiring a queue security index and a queue risk index in the hierarchical security queue;
Analyzing a safety sensitivity coefficient and a risk amplification coefficient corresponding to the safety index and the risk index;
and calculating a key distribution value corresponding to the hierarchical security queue by using the following formula in combination with the security sensitivity coefficient and the risk amplification coefficient:
Wherein, theRepresenting the key assignment value corresponding to the hierarchical security queue,Representing the total number of elements in the hierarchical security queue,The index of the number of elements is represented,Representing the coefficient of safety sensitivity, the safety factor,Represent the firstA security ranking score for the individual elements,Represent the firstThe frequency decay fraction of the individual elements,Representing the smoothing constant corresponding to the frequency decay fraction,Representing the risk magnification factor(s),Representing a network attack risk score,Representing the security score offset constant,Representing the key strength reference factor,Representing a frequency decay fraction threshold.
Optionally, the determining, based on the key assignment value, an access outlier in the target database includes:
Analyzing the access allocation details corresponding to the key allocation values;
Based on the access allocation details, extracting abnormal access data corresponding to the access units in the target database;
determining a data security baseline corresponding to the abnormal access data;
analyzing the corresponding instantaneous access rate of the data in the target database according to the data security baseline;
An access outlier in the target database is determined based on the instantaneous access rate.
Optionally, the dynamically marking the risk area to obtain an area encryption tag includes:
Extracting abnormal access characteristics in the risk area;
analyzing threat fluctuation frequency corresponding to the abnormal access characteristics;
dividing a risk level interval corresponding to the threat fluctuation frequency;
counting encryption intensity parameters in the risk level interval;
And dynamically marking the risk area based on the encryption intensity parameter to obtain an area encryption tag.
Optionally, the performing security analysis on the area encryption tag to obtain security analysis data includes:
extracting a label strength index in the area encryption label;
inquiring the regional vulnerability level corresponding to the tag strength index;
matching the security protocol standard corresponding to the regional vulnerability level;
And carrying out security analysis on the regional encryption tag based on the security protocol standard to obtain security analysis data.
Optionally, the identifying, based on the risk threshold, a redundant encryption flag in the security analysis data includes:
analyzing a threshold datum line corresponding to the risk threshold;
Based on the threshold datum line, risk marking is carried out on the safety analysis data, and a marked data set is obtained;
determining a data redundancy domain corresponding to the marked data set;
Extracting redundant encryption points in the data redundant domain;
based on the redundant encryption points, redundant encryption marks in the security analysis data are identified.
In order to solve the above problems, the present invention also provides a database management system for dynamic path encryption, the system comprising:
the node identification module is used for acquiring a dynamic access path corresponding to the target database, carrying out encryption analysis on the dynamic access path to obtain a path encryption characteristic, and identifying key access nodes in the dynamic access path based on the path encryption characteristic;
The architecture construction module is used for identifying the access ciphertext in the dynamic access path based on the key access node, dividing a segmented ciphertext unit corresponding to the access ciphertext, and constructing a dynamic encryption architecture corresponding to the target database based on the segmented ciphertext unit;
The abnormal point determining module is used for extracting access load data in the dynamic encryption architecture, carrying out security classification marking on the access load data to obtain a classification security queue, calculating a key distribution value corresponding to the classification security queue, and determining an access abnormal point in the target database based on the key distribution value;
The threshold value calculation module is used for determining a risk area corresponding to the access abnormal point, dynamically marking the risk area to obtain an area encryption tag, carrying out security analysis on the area encryption tag to obtain security analysis data, and calculating a risk threshold value corresponding to the security analysis data;
And the policy making module is used for identifying redundant encryption marks in the security analysis data based on the risk threshold value, optimally matching the redundant encryption marks with a preset privacy protection standard to obtain encryption optimization identifiers, and making a dynamic path management and control policy corresponding to the target database based on the encryption optimization identifiers.
Compared with the prior art, by acquiring the dynamic access path corresponding to the target database, the method and the system can capture the complete link of user and data interaction in real time, provide an accurate basis for dynamic adjustment of the subsequent encryption strategy, help to realize directional allocation of encryption resources, avoid the resource waste caused by indiscriminate encryption, and optimize the security and efficiency of database management from the source. By identifying the access ciphertext in the dynamic access path based on the key access node, the method and the system accurately locate the encrypted data associated with the core security link, improve the pertinence and efficiency of ciphertext identification, avoid redundant identification of ciphertext unrelated to non-key nodes, and reduce unnecessary computing resource consumption while guaranteeing the precision of data security analysis, thereby optimizing the overall efficiency of ciphertext management. Further, by extracting access load data in the dynamic encryption architecture and carrying out security classification marking on it, the method and the system accurately identify high-risk load links, incline security protection resources toward critical loads, and realize timely monitoring of load security data, so that the overall system can respond to risk areas in time. Finally, by identifying redundant encryption marks in the security analysis data based on the risk threshold, the method and the system can accurately screen out over-encrypted marks by means of the threshold quantization standard, avoid encryption resource waste, help make the database security architecture lightweight, improve the flexibility and response efficiency of the encryption system, and ensure accurate and efficient security protection. Therefore, the database management method and system for dynamic path encryption provided by the embodiment of the invention can improve the management efficiency of data in the database.
Drawings
FIG. 1 is a flowchart of a database management method for dynamic path encryption according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of a dynamic encryption architecture in a database management method for dynamic path encryption according to an embodiment of the present invention;
Fig. 3 is a schematic block diagram of a database management system for implementing the dynamic path encryption according to an embodiment of the present invention.
The achievement of the objects, functional features and advantages of the present invention will be further described with reference to the accompanying drawings, in conjunction with the embodiments.
Detailed Description
It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention.
The embodiment of the application provides a database management method for dynamic path encryption. The execution subject of the database management method for dynamic path encryption includes, but is not limited to, at least one of a server, a terminal, and the like, which can be configured to execute the method provided by the embodiment of the application. In other words, the database management method of dynamic path encryption may be performed by software or hardware installed in a terminal device or a server device. The server side comprises, but is not limited to, a single server, a server cluster, a cloud server or a cloud server cluster and the like.
Referring to fig. 1, a flowchart of a database management method for dynamic path encryption according to an embodiment of the present invention is shown. In this embodiment, the method for managing a database for dynamic path encryption includes:
S1, acquiring a dynamic access path corresponding to a target database, carrying out encryption analysis on the dynamic access path to obtain a path encryption characteristic, and identifying key access nodes in the dynamic access path based on the path encryption characteristic.
According to the method and the system, the complete link of user and data interaction can be captured in real time by acquiring the dynamic access path corresponding to the target database, so that accurate basis is provided for dynamic adjustment of a follow-up encryption strategy, directional allocation of encryption resources is facilitated, resource waste caused by indiscriminate encryption is avoided, and the safety and the high efficiency of database management are optimized from the source.
The target database is the specific database instance that currently needs to be managed by dynamic path encryption. It comprises a structured data set associated with a service scenario and is the direct object of management operations such as dynamic path encryption. For example, the user transaction database of an e-commerce platform that stores 5 million records such as user IDs (for example U001 to U5000000), transaction amounts (for example 100 to 50000 per transaction) and payment times, and whose transaction information is secured by dynamic path encryption, is the target database in that scenario. The dynamic access path is the real-time link formed, following changes in the access scenario, when a user or an application accesses the target database; it is composed of a series of consecutive access nodes and reflects the complete interaction process of a data request from initiation to response. For example, when a user queries an order through a mobile phone app, the path may be mobile terminal, CDN node, Web server, identity verification node, database proxy, order data table; when an administrator modifies data through the back end, the path becomes management terminal, firewall, verification node, data modification interface, order data table. Optionally, the dynamic access path can be obtained by dynamically querying the target database.
Further, by conducting encryption analysis on the dynamic access path to obtain path encryption characteristics, the method and the device can accurately extract encryption attributes and interaction rules of all links in the path, provide data support for subsequent key node identification, capture subtle changes of the path encryption state in real time, discover potential encryption loopholes or abnormal tampering in time, and therefore improve the overall encryption effectiveness of database access.
The path encryption feature refers to a key information set extracted after dynamic access path encryption analysis and reflecting path encryption state and interaction characteristics, and covers the encryption algorithm type, key update frequency, inter-node encryption transmission strength, data encryption segment length and other dimensions, which are the core basis for identifying key access nodes, for example, in a certain access path, node A to node B adopt AES-256 encryption (key update every 30 minutes), the transmission data encryption segment length is 1024 bytes, node B to node C adopt RSA-2048 encryption (key update every 2 hours), the encryption segment length is 512 bytes, and the specific parameters together form the encryption feature of the path.
Furthermore, the method and the device identify key access nodes in the dynamic access path based on the path encryption characteristics, can focus encryption weak links or high-risk interaction points, realize accurate release of encryption resources, reduce excessive encryption on non-key nodes, improve overall access efficiency on the premise of ensuring core security, and optimize pertinence and rationality of database encryption management.
The key access node is a core node, identified from the dynamic access path based on the sensitive entry points, that plays a decisive role in data security. Such nodes are usually key hubs in the circulation of sensitive information or carry key functions such as encryption key generation and authority verification, and their security state directly affects the security of the entire access path. For example, in a certain path, node K, which is responsible for generating encryption keys, and node L, which receives and verifies user bank card information, both belong to the key access nodes.
As one embodiment of the invention, the method for identifying the key access node in the dynamic access path based on the path encryption feature comprises the steps of analyzing access track attributes in the path encryption feature, traversing node access catalogues in a pre-constructed path topology structure based on the access track attributes, extracting path access logs in the node access catalogues, filtering sensitive entry points in the path access logs, and identifying the key access node in the dynamic access path based on the sensitive entry points.
The access track attribute refers to the set of attributes in the path encryption feature that reflect the circulation rules of access behavior, including the jump sequence of access nodes, the stay time at each node, the data transmission direction, the interaction frequency and similar information; it is the key basis for tracing the circulation logic of the access path. For example, in a certain access path the jump interval from node X to node Y is 2 seconds, node Y stays for 15 seconds and then transmits data to node Z, and this jump pattern appears 20 times within 1 hour; this information together forms the access track attribute.
The pre-constructed path topology structure refers to a frame model, built in advance, that reflects the connection relationships and hierarchical structure of the nodes in a database access path and provides static basic information such as node type, inter-node association rules and data transmission channels for the analysis of the dynamic access path. For example, a pre-constructed path topology structure may comprise the four-level structure 'user terminal node - identity verification node - data query node - result return node' and ensure that only one-way data transmission exists between the nodes.
The node access directory refers to the directory in the pre-constructed path topology structure that records the basic information of each node together with its access records. The path access log refers to the original record of access behavior extracted from the node access directory, including real-time information such as access time, access subject ID, operation type, data interaction amount and access result; it is the raw data for analyzing access behavior. For example, a log records 2025-07-10 08:30:00, access subject U12345, operation query, node N003, data interaction amount 2048 bytes, result successful; this is a path access log.
The sensitive entry point is the position of a node in the path access log that is related to the input or processing of sensitive information; such a node directly receives, verifies or transmits privacy data such as account numbers, identification numbers and bank card information, and is a link with higher security risk in the access path. For example, in a certain access log, node M receives and verifies the 6 to 18 character passwords entered by users and processes about 5000 password input requests per hour; this node is a sensitive entry point.
Further, the analysis of the access track attribute in the path encryption feature can be achieved through a time-sequence pattern mining algorithm, for example by using the PrefixSpan algorithm to analyze the time-sequence features of the encrypted path so as to obtain the access track attribute. The traversal of the node access directory in the pre-constructed path topology structure can be achieved through a graph traversal algorithm, for example by using a depth-first search algorithm to scan the connection relationships in the topology structure so as to obtain the node access directory. The extraction of the path access log from the node access directory can be achieved through log analysis technology, for example by using the Logstash tool to collect and convert the structured logs in the directory so as to obtain the path access log. The filtering of sensitive entry points in the path access log can be achieved through a rule matching method, for example by using a regular expression engine to identify log entries containing key fields so as to obtain the sensitive entry points. The identification of key access nodes in the dynamic access path can be achieved through network centrality analysis, for example by using the PageRank algorithm to calculate the importance score of the path nodes so as to obtain the key access nodes.
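The following block is an added worked example of the last three steps above (log extraction, sensitive entry point filtering with a regular expression, and PageRank-based ranking of the candidate nodes); it is written for this page and is not code from the patent or its assignee. The log line layout, the list of sensitive key fields, and the sample log lines are all constructed assumptions. The jump sequence used for the importance score is rebuilt from consecutive accesses by the same subject, which is one reasonable reading of the "access track attribute" the text describes.

```python
import re
from collections import defaultdict

# Constructed path access log (not from the patent); one access event per line.
SAMPLE_LOG = """\
2025-07-10 08:30:00 subject=U12345 op=query node=N001 bytes=512 result=success fields=session
2025-07-10 08:30:02 subject=U12345 op=verify node=N002 bytes=128 result=success fields=password
2025-07-10 08:30:05 subject=U12345 op=query node=N003 bytes=2048 result=success fields=order_id
2025-07-10 08:31:00 subject=U67890 op=query node=N001 bytes=512 result=success fields=session
2025-07-10 08:31:03 subject=U67890 op=verify node=N002 bytes=128 result=fail fields=password
2025-07-10 08:31:04 subject=U67890 op=verify node=N002 bytes=128 result=success fields=password
2025-07-10 08:31:10 subject=U67890 op=update node=N004 bytes=256 result=success fields=bank_card
2025-07-10 08:31:12 subject=U67890 op=query node=N003 bytes=2048 result=success fields=order_id
"""

# Assumed log layout: timestamp plus key=value fields.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) subject=(?P<subject>\S+) "
    r"op=(?P<op>\S+) node=(?P<node>\S+) bytes=(?P<bytes>\d+) "
    r"result=(?P<result>\S+) fields=(?P<fields>\S+)$"
)

# Key fields that mark a node as a sensitive entry point (assumed list).
SENSITIVE_RE = re.compile(r"\b(password|bank_card|id_number|account)\b", re.IGNORECASE)


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped rather than trusted."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def sensitive_entry_points(entries):
    """Nodes that received or processed a sensitive field."""
    return {e["node"] for e in entries if SENSITIVE_RE.search(e["fields"])}


def transition_graph(entries):
    """Edges between consecutive nodes visited by the same subject (the jump sequence)."""
    by_subject = defaultdict(list)
    for e in entries:
        by_subject[e["subject"]].append(e)
    graph = defaultdict(list)
    for visits in by_subject.values():
        visits.sort(key=lambda e: e["ts"])  # fixed-width timestamps sort lexically
        for prev, cur in zip(visits, visits[1:]):
            if prev["node"] != cur["node"]:  # a repeated hit on one node is not a jump
                graph[prev["node"]].append(cur["node"])
    for e in entries:
        graph.setdefault(e["node"], [])  # keep dangling nodes in the graph
    return dict(graph)


def pagerank(graph, damping=0.85, iterations=100):
    """Power-iteration PageRank; dangling nodes spread their rank uniformly."""
    nodes = list(graph)
    n = len(nodes)
    rank = {v: 1.0 / n for v in nodes}
    for _ in range(iterations):
        dangling = sum(rank[v] for v in nodes if not graph[v])
        new = {v: (1 - damping) / n + damping * dangling / n for v in nodes}
        for v in nodes:
            for w in graph[v]:
                new[w] += damping * rank[v] / len(graph[v])
        rank = new
    return rank


def key_access_nodes(entries):
    """Sensitive entry points ordered by importance score, highest first."""
    scores = pagerank(transition_graph(entries))
    return sorted(sensitive_entry_points(entries), key=lambda v: scores[v], reverse=True)


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for node, score in sorted(pagerank(transition_graph(log)).items()):
        print(node, round(score, 4))
    print("key access nodes:", key_access_nodes(log))
```

On the sample log, N003 carries the highest PageRank because every path ends there, but it never handles a sensitive field, so it is not a key access node; N002 (password verification) and N004 (bank card update) are, in that order. Ranking only the sensitive nodes keeps the encryption budget on the links that actually touch private data, which is the targeting the text argues for.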
S2, based on the key access node, identifying an access ciphertext in the dynamic access path, dividing a segmented ciphertext unit corresponding to the access ciphertext, and constructing a dynamic encryption architecture corresponding to the target database based on the segmented ciphertext unit.
The method and the device identify the access ciphertext in the dynamic access path based on the key access node, can accurately position the encrypted data associated with the core security link, improve pertinence and efficiency of ciphertext identification, simultaneously avoid redundant identification of non-key node irrelevant ciphertext, reduce unnecessary computing resource consumption while guaranteeing data security analysis precision, and optimize overall efficiency of ciphertext management.
The access ciphertext refers to the actual data content, generated during the interaction of the key access nodes in the dynamic access path and subjected to encryption, that is the encrypted form of the core sensitive information involved when a user or the system accesses the database; its decryption depends on the corresponding identification encryption mode. For example, the string "Xy7$kL9..pQ2" generated by encrypting with AES-256 the bank card number "6222 x 1234" submitted by a user through a key node is an access ciphertext.
The method comprises the steps of identifying access ciphertext in the dynamic access path based on the key access node, locating a path segment where the key access node is located, extracting an encrypted data stream in the path segment, scanning ciphertext identification in the encrypted data stream, inquiring an identification encryption mode corresponding to the ciphertext identification, and identifying the access ciphertext in the dynamic access path based on the identification encryption mode.
The path segments refer to the continuous path sections divided with key access nodes as boundaries in the dynamic access path; each segment contains a complete interactive link between a key node and an adjacent node and reflects the transmission process of data within a specific node section. For example, in a certain dynamic path, key node A, preceding node B and following node C form the interactive link B-A-C, which is divided into the two path segments B-A and A-C, and each segment independently records the start and end nodes and the duration of data transmission.
The encrypted data stream refers to the continuous, encrypted data sequence transmitted in a path segment, comprising user request instructions, data query results, node interaction instructions and similar information; its encryption state changes dynamically with the security requirement of the path segment. For example, in the path segment from the authentication node to the data query node, a transmitted data stream of about 800KB per 10 seconds comprising a user ID (hashed) and a query permission token (AES encrypted) is the encrypted data stream of that segment.
The ciphertext identifier refers to a specific symbol or field in the encrypted data stream that marks ciphertext attributes, comprising information such as the encryption algorithm type, generation time and associated data ID of the ciphertext, and is an important identifier for distinguishing different ciphertexts. For example, in a certain encrypted data stream a section of ciphertext is preceded by the identifier "#AES-256_202507100900_U789#", in which "AES-256" denotes the encryption algorithm, "202507100900" is the generation time and "U789" is the associated user ID.
The identification encryption mode refers to the specific encryption algorithm parameter set (such as key length and padding mode), decryption authority requirements, ciphertext validity period and the like that correspond to the ciphertext identifier; it determines the encryption strength and usage restrictions of the ciphertext. For example, the mode corresponding to the identifier "#AES-256_202507100900_U789#" uses a 256-bit key with PKCS#7 padding and only allows user U789 to decrypt within 24 hours; this is the identification encryption mode.
Further, the positioning of the path segments where the key access nodes are located can be achieved through a network segmentation algorithm, for example by using the Dijkstra algorithm to calculate the shortest path intervals between key nodes so as to obtain the path segments. The extraction of the encrypted data stream in a path segment can be achieved through a packet capture technology, for example by using the Wireshark tool to capture the network transmission data of a designated path segment so as to obtain the encrypted data stream. The scanning of the ciphertext identifier in the encrypted data stream can be achieved through a pattern recognition method, for example by using the KMP string matching algorithm to detect specific encryption header marks in the data stream so as to obtain the ciphertext identifier. The query of the identification encryption mode corresponding to the ciphertext identifier can be achieved through a hash mapping method, for example by quickly looking up the encryption scheme characteristics corresponding to the identifier in an SHA-256 hash dictionary so as to obtain the identification encryption mode. The identification of the access ciphertext in the dynamic access path can be achieved through a ciphertext feature extraction technology, for example by using an AES encryption block feature analysis algorithm to locate the encrypted data segments in the path so as to obtain the access ciphertext.
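The block below is an added example of the identifier scanning, mode lookup and authority check described in the steps above; it is example code written for this page, not code from the patent or its assignee. It scans a constructed encrypted data stream for identifiers in the "#AES-256_202507100900_U789#" layout the text gives, parses each one, slices out the ciphertext payload that follows it, and enforces the identification encryption mode (known algorithm, matching owner, unexpired) before any decryption would be attempted. The MODES table (only its AES-256 row follows the text: 256-bit key, PKCS#7 padding, 24-hour validity), the use of a regular expression in place of the KMP scan the text mentions, the "DES-56" label and the sample stream are all assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Identifier layout from the text: #<algorithm>_<YYYYMMDDHHMM>_<user ID>#
IDENT_RE = re.compile(rb"#(?P<alg>[A-Z0-9-]+)_(?P<gen>\d{12})_(?P<owner>U\d+)#")
TIME_FMT = "%Y%m%d%H%M"

# Assumed identification encryption modes keyed by algorithm label.
# An algorithm absent from this table is unknown and must never be decrypted.
MODES = {
    "AES-256": {"key_bits": 256, "padding": "PKCS#7", "validity": timedelta(hours=24)},
    "AES-128": {"key_bits": 128, "padding": "PKCS#7", "validity": timedelta(hours=12)},
}


@dataclass(frozen=True)
class CiphertextIdent:
    algorithm: str
    generated: datetime
    owner: str
    start: int  # offset of the identifier in the stream
    end: int    # offset where the ciphertext payload begins


def scan_identifiers(stream: bytes):
    """Find every ciphertext identifier in an encrypted data stream, in stream order."""
    found = []
    for m in IDENT_RE.finditer(stream):
        found.append(CiphertextIdent(
            algorithm=m.group("alg").decode("ascii"),
            generated=datetime.strptime(m.group("gen").decode("ascii"), TIME_FMT),
            owner=m.group("owner").decode("ascii"),
            start=m.start(),
            end=m.end(),
        ))
    return found


def payload(stream: bytes, idents, index: int) -> bytes:
    """Ciphertext bytes between one identifier and the next (or the end of the stream)."""
    stop = idents[index + 1].start if index + 1 < len(idents) else len(stream)
    return stream[idents[index].end:stop]


def lookup_mode(ident: CiphertextIdent):
    return MODES.get(ident.algorithm)


def decrypt_allowed(ident: CiphertextIdent, requester: str, now) -> bool:
    """Apply the identification encryption mode: known algorithm, right owner, inside validity."""
    if isinstance(now, str):
        now = datetime.strptime(now, TIME_FMT)
    mode = lookup_mode(ident)
    if mode is None or requester != ident.owner:
        return False
    return ident.generated <= now <= ident.generated + mode["validity"]


# Constructed stream: two labelled ciphertexts plus filler; payload bytes are arbitrary.
SAMPLE_STREAM = (
    b"\x00\x01filler#AES-256_202507100900_U789#" + bytes(range(32))
    + b"#DES-56_202507100905_U790#" + bytes(range(8))
)


if __name__ == "__main__":
    idents = scan_identifiers(SAMPLE_STREAM)
    for i, ident in enumerate(idents):
        print(ident.algorithm, ident.owner, len(payload(SAMPLE_STREAM, idents, i)), "bytes",
              "mode:", lookup_mode(ident))
    print(decrypt_allowed(idents[0], "U789", "202507102000"))  # inside the 24-hour window
    print(decrypt_allowed(idents[0], "U789", "202507111000"))  # expired
```

The check is deliberately deny-by-default: an identifier whose algorithm label has no entry in MODES (the DES-56 one in the sample) is refused even for its owner inside the time window, because the mode is what fixes the key length, padding and validity, and without it there is nothing to enforce.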
The method can disassemble the complex ciphertext into the independent controllable subunits by dividing the segmented ciphertext units corresponding to the access ciphertext, realizes the refinement and modularization of encryption management, and can formulate a targeted encryption strategy according to the security requirement difference of each unit, thereby avoiding the resource waste caused by integral encryption and optimizing the integral management and control capability of a database encryption system.
The segmented ciphertext unit is an independent encryption subunit formed by disassembling an access ciphertext according to preset rules (such as data sensitivity, encryption algorithm and associated service scenario); each unit comprises the complete ciphertext content, encryption parameters and associated node information, and its encryption strength can be adjusted and its security controlled independently. For example, an access ciphertext comprising a user identity card number (high sensitivity), a mobile phone number (medium sensitivity) and a registration time (low sensitivity) is split into 3 segmented ciphertext units: unit 1 (identity card number ciphertext, AES-256 encryption), unit 2 (mobile phone number ciphertext, AES-128 encryption) and unit 3 (registration time ciphertext, DES encryption), and each unit can update its key and adjust its encryption strategy independently. Optionally, the division of the segmented ciphertext units corresponding to the access ciphertext can be achieved through a block encryption segmentation method; for example, the ciphertext data is segmented in 128-bit blocks using the PKCS#7 padding standard, so that the segmented ciphertext units are obtained.
Furthermore, the method and the system construct the dynamic encryption architecture corresponding to the target database based on the segmented ciphertext units, can realize modularized deployment of encryption strategies, enable different ciphertext units to adapt to different encryption intensities as required, improve flexibility of an encryption system, dynamically adjust encryption parameters according to security requirements of each unit, avoid resource redundancy caused by integral encryption, and balance security protection and access efficiency.
The dynamic encryption architecture is an integral framework which is built based on an encryption engine and can adjust encryption strategies in real time according to storage positions, access levels and risk situations of the segmented ciphertext units, and comprises a ciphertext unit management module, an encryption strategy scheduling center, a risk response interface and the like. For example, the architecture may automatically enable a "key update every 5 minutes+access behavior real-time monitoring" mode for a core encryption group, employ a "key daily update+lightweight encryption" mode for low level units, and temporarily boost the encryption strength of the target unit when abnormal access is detected.
The method comprises the steps of identifying a storage position and an access level corresponding to a segmented ciphertext unit, carrying out associated mapping on the storage position and the access level to generate a ciphertext mapping table, extracting a core encryption group in the ciphertext mapping table, dynamically deploying an encryption engine corresponding to the core encryption group, and constructing a dynamic encryption architecture corresponding to the target database based on the encryption engine.
The storage location refers to the physical or logical address at which a segmented ciphertext unit is actually stored in the target database, including information such as the storage server number, disk partition, data table name and row/column index; it is used to locate the storage path of the ciphertext unit precisely. For example, a segmented ciphertext unit stored on "disk partition D of server S05, rows 1200-1500, column 8 of the user information table (user_info)" has that address as its storage location, which can be accessed directly through the database management system. The access level is an access authority level set for a segmented ciphertext unit; it determines the access range and operation authority of different subjects on the ciphertext unit according to data sensitivity, user role and operation type. For example, segmented ciphertext units are divided into four levels, L1 (public), L2 (internal staff), L3 (administrator) and L4 (system level), where an L4 unit only allows the system administrator to perform read operations from a specific IP segment (such as 192.168.1.0/24) and no other subject has access authority. The ciphertext mapping table is a structured table recording the association between the storage location and the access level of each segmented ciphertext unit; it contains fields such as unit ID, storage address, access level code and associated node ID, and is used to query the storage and authority information of a ciphertext unit quickly. For example, one record in the table has unit ID C007, storage location S05-D-user_info[1200-1500,8], access level L3 and an associated node ID (N…), so that the storage and mapping relation of the unit is clear. The core encryption group is the set of critical ciphertext units extracted from the ciphertext mapping table (for example, according to access frequency and security level), and the encryption engine refers to a software module or hardware component that performs operations such as encryption, decryption and key management on the core encryption group. It comprises functions such as an encryption algorithm library, a key generator and a permission verification interface, and its encryption parameters can be adjusted according to dynamic requirements; for example, an encryption engine integrates an AES-256 algorithm library and an RSA-2048 algorithm library, supports automatic updating of the keys of the core encryption group every 10 minutes, and verifies access qualification through linkage between its interface and the permission system.
Further, the identification of the storage location corresponding to a segmented ciphertext unit can be achieved through a metadata indexing method; for example, the physical address of a ciphertext block in distributed storage is located quickly through a B+ tree index structure, so that the storage location is obtained. The identification of the access level corresponding to a segmented ciphertext unit can be achieved through an attribute-based encryption method; for example, the access policy attributes bound to the ciphertext unit are resolved through the CP-ABE algorithm, so that the access level is obtained. The association mapping of the storage location and the access level can be achieved through a hash table mapping method; for example, a bidirectional index between location and level is established in a Redis key-value database, so that the ciphertext mapping table is obtained. The extraction of the core encryption group in the ciphertext mapping table can be achieved through a cluster analysis method; for example, the critical encryption components are divided according to access frequency and security level through the K-means algorithm, so that the core encryption group is obtained. The dynamic deployment of the encryption engine corresponding to the core encryption group can be achieved through containerization technology; for example, a scalable microservice encryption module is deployed quickly on Docker containers, so that the encryption engine is obtained. The construction of the dynamic encryption architecture corresponding to the target database based on the encryption engine can be achieved through dynamic service configuration, so that the dynamic encryption architecture is obtained.
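The access check a ciphertext mapping table of the kind described above supports, as an added example that is not the patent's code: the L4 rule (system administrator only, read only, from 192.168.1.0/24) and the C007 row follow the page, while the role names, the role-rank ordering used for L1-L3 and the other rows are assumptions.

```python
"""Access decision against a ciphertext mapping table (unit ID, storage address,
access level, associated node) with the L1-L4 levels described above.

Added example, not the patent's code. The L4 rule (system administrator, read
only, from 192.168.1.0/24) and the C007 row follow the page; the role names,
the role-rank ordering for L1-L3 and the other rows are assumptions."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class MappingRow:
    unit_id: str
    storage: str      # storage location, e.g. "S05-D-user_info[1200-1500,8]"
    level: str        # access level code L1..L4
    node_id: str      # associated node ID


@dataclass(frozen=True)
class Request:
    subject: str
    role: str         # assumed role names: public, staff, admin, sysadmin
    source_ip: str
    operation: str    # "read" or "write"


# Assumed rank ordering: L1 public, L2 internal staff, L3 administrator, L4 system.
ROLE_RANK = {"public": 1, "staff": 2, "admin": 3, "sysadmin": 4}
LEVEL_RANK = {"L1": 1, "L2": 2, "L3": 3, "L4": 4}
L4_ALLOWED_NET = ipaddress.ip_network("192.168.1.0/24")

# Constructed mapping table; C007 is the page's sample row (node IDs are placeholders).
MAPPING_TABLE = {
    "C007": MappingRow("C007", "S05-D-user_info[1200-1500,8]", "L3", "N-PLACEHOLDER"),
    "C010": MappingRow("C010", "S05-D-user_info[1-1000,2]", "L1", "N-PLACEHOLDER"),
    "C042": MappingRow("C042", "S02-C-key_store[1-64,1]", "L4", "N-PLACEHOLDER"),
}


def decide(unit_id: str, req: Request, table=MAPPING_TABLE):
    """Return (allowed, reason). Unknown units, roles and addresses are denied."""
    row = table.get(unit_id)
    if row is None:
        return False, f"unit {unit_id} not in ciphertext mapping table"
    rank = ROLE_RANK.get(req.role)
    if rank is None:
        return False, f"unknown role {req.role!r}"
    try:
        ip = ipaddress.ip_address(req.source_ip)
    except ValueError:
        return False, f"invalid source address {req.source_ip!r}"
    if row.level == "L4":
        # Page rule: only the system administrator, read-only, from 192.168.1.0/24.
        if req.role != "sysadmin":
            return False, "L4 unit: only the system administrator may access"
        if req.operation != "read":
            return False, "L4 unit: read operations only"
        if ip not in L4_ALLOWED_NET:
            return False, f"L4 unit: source {ip} outside {L4_ALLOWED_NET}"
        return True, f"L4 read by system administrator from {ip}"
    if rank < LEVEL_RANK[row.level]:
        return False, f"role {req.role} below access level {row.level}"
    return True, f"{req.operation} on {row.storage} permitted at level {row.level}"


if __name__ == "__main__":
    for unit, req in [
        ("C007", Request("alice", "admin", "10.0.0.5", "read")),
        ("C007", Request("bob", "staff", "10.0.0.6", "read")),
        ("C042", Request("root", "sysadmin", "192.168.1.20", "read")),
        ("C042", Request("root", "sysadmin", "10.0.0.7", "read")),
        ("C042", Request("root", "sysadmin", "192.168.1.20", "write")),
    ]:
        allowed, why = decide(unit, req)
        print(f"{unit} {req.subject:6} {'ALLOW' if allowed else 'DENY '} {why}")
```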
Specifically, to understand the relation between the execution logic and the data flow of the dynamic encryption flow of the database in this scheme more intuitively, reference can be made to fig. 2, which shows the core flow framework of the database encryption system. It presents the complete chain of storage and processing after data is input from the client: on the client side, the processing links before data encryption (such as reading plaintext, hash sub-tables, data smoothing and data encryption) are the basic steps for constructing the encrypted data, and the server side presents only the core logic through the flow "ciphertext table persistent storage → ciphertext table connection (including sub-query expansion, query rewriting, hash join and the like) → result filtering", so that the storage and the associated query processing of the encrypted data are realized.
S3, extracting access load data in the dynamic encryption architecture, carrying out security classification marking on the access load data to obtain a classification security queue, calculating a key distribution value corresponding to the classification security queue, and determining an access abnormal point in the target database based on the key distribution value.
The method and the system have the advantages that the access load data in the dynamic encryption architecture are extracted, the access load data are subjected to security grading marking to obtain the grading security queue, the high-risk load links can be accurately identified, the security protection resources are inclined towards the key loads, the pertinence of protection is improved, and meanwhile, systematic monitoring of the security state of the load data is realized through queuing management, so that potential risks can be found in time, and the dynamic response capability of database security management and control is optimized.
The access load data refers to a resource consumption and interaction data set related to the segmented ciphertext unit access in a dynamic encryption architecture, and the access load data comprises indexes such as access request frequency, data transmission amount, encryption/decryption time consumption, concurrent access number, node resource occupancy rate and the like, and is basic data for evaluating system load pressure and security risk, for example, in a certain dynamic encryption architecture, a core encryption group receives an access request 300 times within 1 hour, the average data transmission amount is 2048 bytes each time, the encryption processing time consumption is 120 seconds in total, and the concurrent access peak value reaches 15 times/second, and the data together form the access load data, and the hierarchical security queue refers to an ordered queue formed by marking the access load data according to a preset security level standard (such as risk probability and influence range) and comprising load data items, security level labels and associated ciphertext unit information for defining the priority of security protection. 
For example, the access load data is divided into four levels, "extremely high (risk probability > 80%), high (50%-80%), medium (30%-50%) and low (< 30%)"; 10 items of extremely-high-risk load data (such as 50 abnormal accesses by a single node within 1 minute) are placed at the head of the queue, followed immediately by 20 items of high-risk data, forming the classified security queue. Optionally, the extraction of the access load data in the dynamic encryption architecture can be achieved through a traffic mirroring technology, such as capturing the real-time transmission data packets in the encryption architecture through port mirroring (SPAN), so that the access load data are obtained, and the security classification marking of the access load data can be achieved through a data classification algorithm, such as applying a random forest model to mark security class labels automatically based on data sensitivity, so that the classified security queue is obtained.
Furthermore, by calculating the key distribution value corresponding to the hierarchical security queue, the method and the device can match accurate key resources for load data with different security levels, so that the high-risk queue obtains stronger encryption support, the low-risk queue avoids resource redundancy, the rationality of key distribution is improved, key parameters can be dynamically adjusted based on the queue level, real-time adaptation of key strength and security requirements is ensured, and pertinence of encryption protection is enhanced.
The key distribution value refers to a numerical value that quantifies the key distribution requirement of the hierarchical security queue; it comprehensively reflects factors such as the security characteristics, risk level and frequency attenuation score of the queue and guides the strength of key resource distribution. For example, if the hierarchical security queue has 5 elements (n = 5) and MF = 8.2 is calculated through the formula, the queue needs to be matched with a key according to that quantized value; the higher MF is, the longer and more complex the distributed key.
As one embodiment of the present invention, the calculating a key allocation value corresponding to the hierarchical security queue includes:
inquiring a queue security index and a queue risk index in the hierarchical security queue;
Analyzing a safety sensitivity coefficient and a risk amplification coefficient corresponding to the safety index and the risk index;
and calculating a key distribution value corresponding to the grading security queue by combining the security sensitivity coefficient and the risk amplification coefficient.
The queue security index refers to a quantitative index that combines the security attributes of each element in the hierarchical security queue to measure the overall security degree of the queue, covering factors such as the security classification score and operation compliance. For example, a hierarchical security queue has 5 elements with security classification scores of 8, 7, 9, 6 and 8 (full score 10) and an operation compliance rate above 95%; after weighted calculation the queue security index is 7.8, reflecting the security situation of the queue's data access. The queue risk index is an index that evaluates the security threat degree of the queue based on the risk factors of its elements, including frequency attenuation score abnormalities, network attack association degree and the like. For example, in the queue the frequency attenuation scores fluctuate strongly (some elements are operated 50 times a day, far beyond the daily average of 20), the associated network attack risk score reaches 6 (full score 10), and the calculated queue risk index is 6.2, indicating a certain hidden risk in the queue. The security sensitivity coefficient measures the security sensitivity degree of the data and operations in the hierarchical security queue; the higher the value, the higher the security requirement and the stricter the encryption protection required. It is preset according to the data type (such as user privacy and transaction data); for example, for a queue processing user bank card information α is set to 0.8 (for an ordinary log queue α can be set to 0.3), reflecting the demand of high-sensitivity data for encryption strength. The risk amplification coefficient is the coefficient that strengthens the influence of network attacks on key distribution; the higher the value, the higher the network attack risk, and it is used to highlight the encryption risk requirement. For example, when the system detects a phishing attack trend, the coefficient is temporarily adjusted from the default 0.5 to 1.2, so that the key distribution value of the high-risk queue is amplified more and the protection is enhanced.
Further, the query of the queue security index in the hierarchical security queue can be achieved through the analytic hierarchy process; for example, a judgment matrix is constructed with the Expert Choice software to calculate the weighted score, so that the queue security index is obtained. The query of the queue risk index in the hierarchical security queue can be achieved through a Monte Carlo simulation method; for example, the SimPy library of Python is used for risk probability simulation, so that the queue risk index is obtained. The analysis of the security sensitivity coefficient corresponding to the security index can be achieved through Pearson correlation analysis; for example, the security sensitivity coefficient is obtained by calculating the correlation coefficient between the security indexes in SPSS. The analysis of the risk amplification coefficient corresponding to the risk index can be achieved through an exponential smoothing prediction method; for example, risk trend analysis is performed with the forecast package of the R language, so that the risk amplification coefficient is obtained.
As another embodiment of the present invention, the key distribution value corresponding to the hierarchical security queue is calculated by using the following formula in combination with the security sensitivity coefficient and the risk amplification coefficient:
where MF represents the key distribution value corresponding to the hierarchical security queue, n represents the total number of elements in the hierarchical security queue, i represents the element index, α represents the security sensitivity coefficient, s_i represents the security classification score of the i-th element, f_i represents the frequency attenuation fraction of the i-th element, the smoothing constant corresponds to the frequency attenuation fraction, the risk amplification coefficient strengthens the influence of network attacks, r represents the network attack risk score, δ represents the security score offset constant, the key strength reference factor reflects the basic key strength, and the frequency attenuation fraction threshold bounds the frequency term.
In detail, the security classification score refers to the security level score of the i-th element in the classified security queue, rated along dimensions such as data importance and leakage hazard (e.g., on a 1-10 point scale); the higher the score, the higher the security priority and the higher the encryption requirement. For example, the "user password modification operation" element in the queue is rated higher than a "general bulletin access" element because identity authentication is involved, reflecting the difference in security risk. The frequency attenuation fraction refers to the number of times the i-th element in the hierarchical security queue is accessed or operated in a unit time (such as 1 hour); it reflects the degree of data interaction activity and influences the dynamic adjustment of key distribution (high-frequency operations need more flexible key updating). For example, a login verification operation element called 500 times in 1 hour has f_i = 500, while a background configuration read operation invoked 20 times in 1 hour has f_i = 20. The smoothing constant is a small constant (e.g., 0.01) set in advance to alleviate the influence of extreme values of the frequency attenuation fraction f_i on the formula (e.g., to avoid severe fluctuation of the result when the frequency suddenly increases or decreases) and to ensure calculation stability; for example, if the frequency attenuation fraction of an element is 0 (an extreme case), adding the smoothing constant means the corresponding term in the formula is evaluated with the smoothed value instead of 0. The network attack risk score refers to a quantitative score (such as 1-10 points) of the network attack risk faced by the classified security queue, based on system security monitoring (such as intrusion detection and abnormal traffic analysis); the higher the score, the larger the risk. For example, for a queue that involves a payment interface and in which suspicious high-frequency IP access is detected, r = 7 (in a normal scene r can be set to 2), which triggers the risk-weighted calculation of key distribution. The security score offset constant refers to a standard constant used to adjust the security classification score in the calculation, correcting deviations of the scoring system (such as unifying score intervals and compensating historical scoring flaws) so that the formula adapts to different scenes; for example, if the original security classification scores s_i are concentrated at 3-7 points, adding δ = 2 shifts s_i + δ to 5-9 points, expanding the difference between calculation intervals so that security levels are distinguished more accurately. The key strength reference factor refers to a factor related to the basic strength of the key (such as key length and encryption algorithm complexity) and represents the key parameter; the larger the factor, the stronger the key to be assigned. It is preset by the system according to the encryption algorithm; for example, with the AES-256 algorithm it is set to 1.5 (with AES-128 it can be set to 1), ensuring that a high-security-requirement queue is matched with a high-strength key. The frequency attenuation fraction threshold refers to the threshold for deciding whether the frequency attenuation fraction f_i is "too high"; it is used in the frequency-related part of the formula to avoid abnormal results caused by a too-small denominator when the frequency attenuation fraction is extremely low, and is an empirical value set by the system according to the service scene. For example, if the service peak frequency attenuation fraction is about 300 times/hour, the threshold is set to 200; an element with f_i = 150 (lower than the threshold) then makes the threshold-related term in the formula take its below-threshold value, ensuring the stability of the calculation logic.
Furthermore, by determining the access abnormal point in the target database based on the key distribution value, access behavior that deviates from the normal key requirement can be captured accurately with the help of the quantization logic of key distribution, so that abnormality identification is more targeted; the key distribution value can also serve as a dynamic reference for monitoring changes in access patterns in real time, assisting timely response to security threats and improving the accuracy and timeliness of database security protection.
The access abnormal point refers to a specific time point, operating subject or functional module in the database access behavior that violates the security policy and deviates from the normal mode, identified by comparing the instantaneous access rate with the data security baseline and combining it with the characteristics of the abnormal access data; it is a risk point requiring targeted interception and audit. For example, if the instantaneous rate of a user login access unit at a certain moment exceeds the security baseline (≤10 times/second) and the access data carries a "brute-force password cracking characteristic", then that time point and the high-frequency access behavior of the unit are access abnormal points.
According to one embodiment of the invention, the method for determining the access outlier in the target database based on the key distribution value comprises the steps of analyzing access distribution details corresponding to the key distribution value, extracting abnormal access data corresponding to an access unit in the target database based on the access distribution details, determining a data security base line corresponding to the abnormal access data, analyzing the instantaneous access rate corresponding to the data in the target database according to the data security base line, and determining the access outlier in the target database based on the instantaneous access rate.
The access allocation details refer to the detailed information set, obtained by analyzing the key allocation value, concerning the allocation of access resources and rights in the target database; they contain the key strength, allocation rule and associated security policy of each access unit and are the basis for subsequent analysis of access behavior. For example, analyzing the key allocation value MF = 8.2 yields the rules "the user login unit is allocated an AES-256 key updated every 5 minutes; the background configuration unit is allocated an RSA-2048 key updated every hour", which are the access allocation details. The access unit refers to the smallest functional module or data set in the target database that can be identified independently and carries access operations, such as a user login interface, a transaction record query module or an order detail data table; it is the basic object for dividing access behavior. For example, in an e-commerce database, the commodity evaluation submission module and the user address information table are both access units, corresponding to operations such as submitting a user evaluation and querying an address. The abnormal access data refers to operation records screened from the access behavior related to the access allocation details that deviate from the normal access mode (in frequency, data volume or authority); it comprises information such as abnormal access time, access subject, operation type and data interaction volume, and is the key data for identifying risks. For example, an access unit normally receives 10-20 accesses per minute; if 100 accesses (operation type "batch reading of user passwords") occur within 1 minute on a certain day, the time, subject and data of those 100 operations are the abnormal access data. The data security baseline is set for an access unit of the target database based on historical normal access data and security policy settings and covers indexes such as the access frequency upper limit, data transmission volume standard and authority operation boundary; it is used to judge whether access behavior is safe and compliant. For example, the security baseline set for the user transaction record access unit is: access frequency ≤5 times per second, single transmission ≤10 KB, and batch export only by administrators; exceeding it is judged abnormal. The instantaneous access rate is the number of accesses or the data interaction frequency of an access unit of the target database within a very short time interval (such as 1 second or 100 milliseconds); it captures sudden changes in access behavior and is the core index for identifying short-duration high-frequency attacks. For example, monitoring of the commodity inventory access unit finds 20 accesses within 1 second (the normal instantaneous access rate is ≤3 times per second), which triggers an abnormality early warning.
Further, the analysis of the access allocation details corresponding to the key allocation value can be achieved through an attribute analysis algorithm; for example, a key allocation policy document is parsed with JSON Schema validation, so that the access allocation details are obtained. The extraction of abnormal access data corresponding to an access unit in the target database can be achieved through an anomaly detection method; for example, the Isolation Forest algorithm identifies access records deviating from the normal mode, so that the abnormal access data are obtained. The determination of the data security baseline corresponding to the abnormal access data can be achieved through a statistical modeling method; for example, the 3-sigma principle is used to calculate the normal fluctuation range of the access parameters, so that the data security baseline is obtained. The analysis of the instantaneous access rate corresponding to the data in the target database can be achieved through a time series analysis method; for example, an EWMA (exponentially weighted moving average) algorithm calculates the real-time access frequency, so that the instantaneous access rate is obtained. The determination of the access abnormal point in the target database can be achieved through an outlier detection technology; for example, the DBSCAN clustering algorithm identifies the spatio-temporal aggregation points of access rate abnormalities, so that the access abnormal points are obtained.
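The baseline comparison described above, run over a constructed access log, as an added example that is not the patent's code: the two baselines (transaction record unit ≤5 accesses/s, ≤10 KB per transfer, batch export only by administrators; commodity inventory unit ≤3 accesses/s) are taken from the page, while the log line format and the entries are constructed.

```python
"""Detect access abnormal points by comparing each access unit's instantaneous
access rate and transfer behaviour with its data security baseline.

Added example (not the patent's code). The baselines follow the page (transaction
record unit: <=5 accesses/s, <=10 KB per transfer, batch export only by
administrators; commodity inventory unit: <=3 accesses/s); the log line format
"ts_ms unit subject role op bytes" and the entries are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

WINDOW_MS = 1000  # instantaneous rate measured per 1-second interval, as on the page


@dataclass(frozen=True)
class Baseline:
    max_rate_per_s: int
    max_bytes: Optional[int] = None              # None: no transfer-size limit stated
    batch_export_roles: frozenset = frozenset()  # roles allowed to batch-export


BASELINES = {
    "transaction_record": Baseline(5, 10 * 1024, frozenset({"admin"})),
    "commodity_inventory": Baseline(3),
}


@dataclass(frozen=True)
class Access:
    ts_ms: int
    unit: str
    subject: str
    role: str
    op: str
    nbytes: int


def parse_line(line: str) -> Access:
    ts, unit, subject, role, op, nbytes = line.split()
    return Access(int(ts), unit, subject, role, op, int(nbytes))


def instantaneous_rates(accesses):
    """Accesses per (unit, 1-second window): the page's instantaneous access rate."""
    counts = defaultdict(int)
    for a in accesses:
        counts[(a.unit, a.ts_ms // WINDOW_MS)] += 1
    return dict(counts)


def find_anomalies(lines):
    """Return sorted (ts_ms, unit, subject, reason) tuples: the access abnormal points."""
    accesses = [parse_line(line) for line in lines if line.strip()]
    found = []
    # Rate check per window; subject "*" marks a unit-level (not per-subject) finding.
    for (unit, win), n in instantaneous_rates(accesses).items():
        b = BASELINES.get(unit)
        if b is not None and n > b.max_rate_per_s:
            found.append((win * WINDOW_MS, unit, "*",
                          f"rate {n}/s exceeds baseline {b.max_rate_per_s}/s"))
    # Per-record checks: transfer size and authority boundary.
    for a in accesses:
        b = BASELINES.get(a.unit)
        if b is None:
            continue  # units without a baseline are not judged here
        if b.max_bytes is not None and a.nbytes > b.max_bytes:
            found.append((a.ts_ms, a.unit, a.subject,
                          f"transfer {a.nbytes} B exceeds {b.max_bytes} B"))
        if a.op == "batch_export" and a.role not in b.batch_export_roles:
            found.append((a.ts_ms, a.unit, a.subject,
                          f"batch export by role {a.role} not permitted"))
    return sorted(found)


# Constructed sample log: a few normal transaction-record accesses, one oversized
# transfer, one batch export by a non-admin, then 20 inventory reads inside one second.
SAMPLE_LOG = [
    "1000 transaction_record u7 staff read 512",
    "1200 transaction_record u7 staff read 640",
    "1700 transaction_record u9 admin batch_export 8192",
    "2300 transaction_record u7 staff read 15360",
    "2900 transaction_record u11 staff batch_export 4096",
] + [f"{5000 + 50 * i} commodity_inventory u42 public read 128" for i in range(20)]


if __name__ == "__main__":
    for ts, unit, subject, reason in find_anomalies(SAMPLE_LOG):
        print(f"t={ts:>5} ms  {unit:<20} {subject:<4} {reason}")
```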
S4, determining a risk area corresponding to the access abnormal point, dynamically marking the risk area to obtain an area encryption tag, carrying out security analysis on the area encryption tag to obtain security analysis data, and calculating a risk threshold corresponding to the security analysis data.
According to the method, the database region in the security risk set can be accurately locked by determining the risk region corresponding to the access abnormal point, the region needing important protection can be rapidly identified, the security response efficiency of the database is improved, and the pertinence and the dynamics of the whole security defense system are enhanced.
The risk area refers to a specific data storage or access logic range in the target database that is associated with an access abnormal point and carries a potential security hazard; it may be a continuous data table partition, a set of associated data tables, or a group of functional modules divided according to the access path. For example, if rows 1000-2000 of a user transaction table in the database receive 200 abnormal high-frequency accesses within 1 hour (normally ≤20), that range constitutes a risk area.
Furthermore, the method and the system for controlling the security of the database can lock the security weak links in the database in real time by dynamically marking the risk areas to obtain the area encryption tag, so that the encryption protection is more targeted, the risk change can be responded quickly, the invalid consumption of encryption resources is avoided, meanwhile, accurate area orientation is provided for subsequent security analysis, and the flexibility and the high efficiency of the security control of the whole database are improved.
The regional encryption tag refers to a dynamic identification of a risk region that combines the risk level interval and the encryption strength parameters; it intuitively presents the encryption state and security protection level of the region and facilitates real-time management and control. For example, if a risk region lies in the high risk level interval and uses a 2048-bit RSA key with 10 encryption iterations, its regional encryption tag can be set as "high risk-RSA 2048-10-encryption-real-time monitoring", so that the risk level and encryption configuration of the region can be identified clearly.
The method for dynamically marking the risk area to obtain the area encryption tag comprises the steps of extracting abnormal access characteristics in the risk area, analyzing threat fluctuation frequencies corresponding to the abnormal access characteristics, dividing risk level intervals corresponding to the threat fluctuation frequencies, counting encryption intensity parameters in the risk level intervals, and dynamically marking the risk area based on the encryption intensity parameters to obtain the area encryption tag.
The abnormal access features refer to the key features in a risk area that deviate from the normal access mode, covering dimensions such as access time, frequency, permission requests and data operation type; these features can reflect potential security threats. For example, in a risk area a user account initiates 30 super-permission data download requests during a non-working period (1-5 a.m.), far beyond the daily average of 5, and all operations are batch exports of sensitive data; these are typical abnormal access features. The threat fluctuation frequency refers to the change in the number of threat events (such as abnormal logins, malicious attack attempts and illegal data accesses) suffered by the risk area per unit time, reflecting the activity level and trend of the threat. For example, within 1 hour a risk area suffers 8 malicious SQL injection attacks in the first 10 minutes, 2 in the middle 20 minutes and 15 in the last 30 minutes; the threat fluctuation frequency shows a "high-low-high" pattern that intuitively reflects the dynamic state of the threat. The risk level interval refers to the value ranges that divide the security risk of a risk area into levels according to factors such as the fluctuation frequency and the potential influence range, and is used to define the severity of the risk. For example, a threat fluctuation frequency of 0-10 times/hour is set as the low risk interval, 11-30 times/hour as the medium risk interval and 31 times/hour or more as the high risk interval; an area with 25 threat events within 1 hour falls in the medium risk interval. The encryption strength parameter refers to the specific indexes measuring the encryption protection capability of an area, including the encryption algorithm type, key length, number of encryption iterations and decryption verification complexity; the higher the parameter values, the stronger the encryption protection capability. For example, with the RSA algorithm, a 1024-bit key with 5 encryption iterations forms the basic parameters and a 2048-bit key with 10 encryption iterations forms the advanced parameters; the encryption strength of the latter is obviously higher than that of the former, so it better resists brute-force cracking.
Further, the extraction of the abnormal access features in the risk area can be achieved with a machine learning algorithm, for example by training an isolation forest model from the Python scikit-learn library on the access log data to obtain the abnormal access features; the analysis of the threat fluctuation frequency corresponding to the abnormal access features can be achieved with a time-series analysis method, for example by processing the event time series with a Fast Fourier Transform (FFT) in MATLAB to obtain the threat fluctuation frequency; the division of the risk level intervals corresponding to the threat fluctuation frequency can be achieved with a clustering algorithm, for example by automatically binning the frequency values with a K-means algorithm in the Python pandas library to obtain the risk level intervals; the statistics of the encryption strength parameters in the risk level intervals can be achieved with a network packet analysis method, for example by extracting SSL handshake protocol parameters with the Wireshark tool to obtain the encryption strength parameters; and the dynamic marking of the risk area can be achieved with a real-time tag system, for example by updating the area state tag in Kibana of an integrated ELK Stack to obtain the area encryption tag.
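As an added illustration of the marking step described above (example code written for this page, not the patent's own implementation), the following Python block extracts the off-hours super-permission feature, counts threat events per 10-minute window to summarise the fluctuation pattern, maps the hourly count to the risk level intervals given in the description and attaches the encryption strength parameters selected for that level. The 10-minute windows, the mapping of parameter tiers to risk levels, the log record layout and the sample records are assumptions of the example.

```python
"""Dynamic marking of a risk area (added example; not the patent's own code).

Constructed inputs and assumptions: the risk level intervals and the RSA
parameter pairs are the ones the description uses as illustrations; the
mapping of parameter tiers to risk levels, the 10-minute fluctuation windows
and the log record layout are assumptions made for this example.
"""
from collections import Counter
from datetime import datetime, timedelta

# Risk level intervals from the description: threat events per hour.
RISK_INTERVALS = [(0, 10, "low"), (11, 30, "medium"), (31, float("inf"), "high")]

# Encryption strength parameters per risk level. The two RSA parameter pairs are
# the description's illustration of "basic" vs "advanced" parameters; which
# tier applies to which level is an assumption of this example.
STRENGTH_PARAMS = {
    "low": {"algorithm": "RSA", "key_bits": 1024, "iterations": 5},
    "medium": {"algorithm": "RSA", "key_bits": 2048, "iterations": 10},
    "high": {"algorithm": "RSA", "key_bits": 2048, "iterations": 10},
}


def abnormal_accounts(records, daily_average, off_hours=(1, 5)):
    """Extract the abnormal access feature from the description: accounts that
    issue super-permission bulk exports during off hours (1-5 a.m.) more often
    than the normal daily average."""
    counts = Counter()
    for r in records:
        in_off_hours = off_hours[0] <= r["time"].hour < off_hours[1]
        if in_off_hours and r["permission"] == "super" and r["op"] == "bulk_export":
            counts[r["account"]] += 1
    return {acct: n for acct, n in counts.items() if n > daily_average}


def window_counts(event_times, start, window_minutes, windows):
    """Count threat events per fixed-length window starting at `start`."""
    counts = [0] * windows
    for t in event_times:
        idx = int((t - start).total_seconds() // (window_minutes * 60))
        if 0 <= idx < windows:
            counts[idx] += 1
    return counts


def fluctuation_pattern(counts):
    """Summarise the threat fluctuation as a run-length pattern such as
    'high-low-high', labelling each window relative to the mean count."""
    mean = sum(counts) / len(counts)
    labels = ["high" if c > mean else "low" for c in counts]
    collapsed = [labels[0]]
    for label in labels[1:]:
        if label != collapsed[-1]:
            collapsed.append(label)
    return "-".join(collapsed)


def risk_level(events_per_hour):
    """Map a threat fluctuation frequency (events/hour) to its risk level interval."""
    for low, high, level in RISK_INTERVALS:
        if low <= events_per_hour <= high:
            return level
    raise ValueError(f"negative frequency: {events_per_hour}")


def mark_risk_area(area_id, threat_times, hour_start):
    """Produce the area encryption tag: fluctuation pattern, risk level and the
    encryption strength parameters selected for that level."""
    counts = window_counts(threat_times, hour_start, 10, 6)
    total = sum(counts)
    level = risk_level(total)
    return {
        "area": area_id,
        "threat_events_per_hour": total,
        "fluctuation": fluctuation_pattern(counts),
        "risk_level": level,
        "encryption_strength": STRENGTH_PARAMS[level],
    }


# Constructed sample data (not from the patent): 25 threat events in one hour,
# spread 8/1/1/5/5/5 over six 10-minute windows, and an access log in which
# account "u1" makes 30 off-hours super-permission bulk exports.
HOUR_START = datetime(2025, 1, 1, 1, 0)
_WINDOW_PLAN = [8, 1, 1, 5, 5, 5]
SAMPLE_THREATS = [
    HOUR_START + timedelta(minutes=10 * w + i)
    for w, n in enumerate(_WINDOW_PLAN)
    for i in range(n)
]
SAMPLE_ACCESS = (
    [{"time": datetime(2025, 1, 1, 2, i), "account": "u1", "permission": "super", "op": "bulk_export"} for i in range(30)]
    + [{"time": datetime(2025, 1, 1, 2, i), "account": "u2", "permission": "super", "op": "bulk_export"} for i in range(3)]
    + [{"time": datetime(2025, 1, 1, 10, i), "account": "u1", "permission": "super", "op": "bulk_export"} for i in range(4)]
)

if __name__ == "__main__":
    print(abnormal_accounts(SAMPLE_ACCESS, daily_average=5))
    print(mark_risk_area("area-7", SAMPLE_THREATS, HOUR_START))
```

The tag is returned as a plain dictionary so that it can be pushed to whatever tag store is in use; the interval boundaries are inclusive integers, so an hourly count of 10 is still "low" and 11 is "medium", exactly as the description's intervals read.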
According to the method, the security analysis is carried out on the regional encryption tag to obtain security analysis data, the encryption state and security holes of the risk region reflected by the tag can be deeply analyzed, data support is provided for encryption policy optimization, meanwhile, the basis is provided for dynamic adjustment of encryption resource allocation through security level change of the data quantification risk region, and the security protection accuracy of the database is improved.
The security analysis data is a quantized data set generated by analyzing the regional encryption tag against a security protocol standard; it reflects the security state of the risk region and comprises the difference between the tag strength and the standard, the vulnerability repair priority, encryption measure optimization suggestions and the like. For example, certain analysis data shows that the tag strength index is 12 points below the standard (because the key update frequency does not meet it), the vulnerability repair priority is "medium", and it is suggested that the key update interval be shortened from 10 minutes to 5 minutes, which gives a specific direction for the subsequent protection adjustment.
The method comprises the steps of extracting tag strength indexes from the regional encryption tags, inquiring regional vulnerability levels corresponding to the tag strength indexes, matching safety protocol standards corresponding to the regional vulnerability levels, and carrying out safety analysis on the regional encryption tags based on the safety protocol standards to obtain safety analysis data.
The tag strength index is a value extracted from the regional encryption tag that quantitatively reflects the strength of the encryption measure corresponding to the tag; it covers dimensions such as encryption algorithm complexity, key update frequency and protection mechanism integrity, and the higher the value, the stronger the encryption. For example, the strength index of a regional encryption tag is 85 (out of 100): the AES-256 algorithm contributes 30 points, a key update every 5 minutes contributes 25 points and the real-time monitoring mechanism contributes 30 points, which together reflect a relatively high encryption strength for the tag. The regional vulnerability level is the grading of the security vulnerabilities present in the risk region corresponding to the tag strength index; it is generally divided into low, medium, high and extremely high levels according to vulnerability exploitability, influence range and repair difficulty. For example, the region level corresponding to a tag strength index of 85 is "medium", indicating that the region has vulnerabilities of moderate severity (such as an unencrypted encryption log) that affect about 5% of the data (a limited range) and need to be repaired within 24 hours. The security protocol standard is the security standard matched to the regional vulnerability level and applied to the protection of the region; it explicitly states the encryption requirements the region must satisfy and the requirements for repairing its vulnerabilities, and is the basis against which the regional encryption tag is analyzed.
Further, the extraction of the tag strength index from the regional encryption tag can be achieved with a frequency-domain analysis method, for example by applying a Fourier transform to calculate the frequency-domain energy distribution of the watermark signal to obtain the tag strength index; the query of the regional vulnerability level corresponding to the tag strength index can be achieved with a vulnerability scoring method, for example by using the CVSS scoring system to map the strength value to a vulnerability severity to obtain the regional vulnerability level; the matching of the security protocol standard corresponding to the regional vulnerability level can be achieved with a rule engine, for example by using the Drools rule engine to match the vulnerability level to a security protocol automatically to obtain the security protocol standard; and the security analysis of the regional encryption tag can be achieved with a threat modeling method, for example by using the STRIDE threat modeling framework to evaluate the security attributes of the tag to obtain the security analysis data.
According to the method, by calculating the risk threshold value corresponding to the safety analysis data, a clear quantization limit can be set for the safety state of the risk area, so that the safety risk assessment is changed from qualitative to quantitative, the objectivity and the accuracy of the assessment are improved, meanwhile, a quantization basis is provided for dynamically adjusting the protection strategy, real-time adaptation of the protection measures and the actual risk level is ensured, and the scientificity and the foresight of the safety management and control of the database are enhanced.
Wherein the risk threshold is a critical value for quantitatively determining whether the risk corresponding to the security analysis data is "too high"; when the actual risk index exceeds the threshold, a security response (such as an encryption upgrade or vulnerability repair) needs to be triggered, so it is the core quantitative basis for risk control. For example, if the risk threshold calculated from the security analysis data of a database is exceeded by an actual risk monitoring value of 8.2, it is determined that an "urgent encryption policy adjustment" procedure needs to be started to intercept high-risk accesses.
As another embodiment of the present invention, the risk threshold corresponding to the security analysis data may be calculated by the following formula:
Wherein the terms of the formula are: the risk threshold corresponding to the security analysis data; the risk sensitivity coefficient k; the total number m of security indexes in the security analysis data; the index i of a security index; the index weight of the i-th security index; the quantized value of the i-th security index; the reference mean μ of the security index; the reference standard deviation σ of the security index; and the basic risk offset β.
In detail, the risk sensitivity coefficient k adjusts how sensitively the risk threshold responds to changes in the security indexes: the larger the value, the more strongly a fluctuation of the security indexes affects the risk threshold (a high-sensitivity scenario such as a financial system takes a large k; a low-sensitivity scenario takes a small k). For example, a financial transaction database (high sensitivity) uses k=2.5 and an ordinary log database (low sensitivity) uses k=1.2; when a security index fluctuates by 10%, the risk threshold of the financial database changes more sharply and the risk is responded to quickly. The security indexes are the specific dimension parameters in the security analysis data that measure the security state of the database, such as "abnormal access times", "encryption algorithm strength" and "vulnerability restoration delay time", and are the basic elements of risk quantification; for example, a certain set of security analysis data contains 3 security indexes (m=3): abnormal access times (50 times/hour), encryption key length (256 bits) and the number of uncorrected vulnerabilities. The index weight is the weight coefficient assigned to each security index, reflecting its influence on the overall security risk (important indexes carry a high weight, secondary ones a low weight), and is set by the system according to the security strategy and business requirements; for example, abnormal access times are weighted 0.6 (large impact), encryption key length 0.3 (medium impact) and the number of uncorrected vulnerabilities 0.1 (small impact), expressing the critical role of "abnormal access" for the risk. The quantized value is the concrete numerical representation of a security index, converting an abstract security state (such as "high encryption strength" or "abnormal access number") into a computable number; for example, the security index "encryption algorithm strength" is quantized by algorithm complexity, with AES-128 corresponding to 60 and AES-256 to a higher value, and the higher the value, the stronger the encryption. The reference mean μ is the historical average of a security index in the normal security state, used as the reference for judging whether the current index is abnormal, and is obtained by the system from long-term security data statistics; for example, the abnormal access times index averaged 10 accesses per hour over 3 months of normal history, i.e. μ=10, and a current value of 50 deviates markedly from this reference and indicates risk. The reference standard deviation σ is the statistical fluctuation range of a security index in the normal security state and reflects its historical stability: the larger σ, the wider the normal fluctuation range; the smaller σ, the more stable the index. For example, with reference mean μ=10 and standard deviation σ=3 for "abnormal access times", the normal fluctuation range is about 7-13 times/hour (μ±σ). The basic risk offset β is a basic offset value used to correct the risk threshold; it reflects the default basic risk level of the system (such as hardware vulnerability or the residual risk of historical attacks) and ensures that the threshold calculation covers inherent risks. For example, a database has inherent risks due to old hardware, so β=1.5, and even when all security indexes are normal (the summation term in the formula is 0) the risk threshold still equals β, reserving control space for the basic risk.
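The formula itself is not reproduced on this page, so the block below (an added example, not the patent's code) implements one reading that is consistent with the description of its terms: a weighted sum over the m security indexes of each index's deviation from its reference mean μ, normalised by the reference standard deviation σ, scaled by k and offset by β, which reduces to β when every index sits at its reference mean. That reading, the orientation flag for indexes where a higher value means less risk (key length), the reference values for the second and third indexes and the dataclass layout are assumptions of this example.

```python
"""Risk threshold from security analysis data (added example; not the patent's code).

The patent's formula did not survive extraction; this block implements one
reading that is consistent with the description: the weighted sum over the m
security indexes of each index's normalised deviation from its reference mean,
scaled by the risk sensitivity coefficient k, plus the basic risk offset beta.
That reading and the orientation flag are assumptions of this example.
"""
from dataclasses import dataclass


@dataclass
class SecurityIndex:
    name: str
    weight: float                # index weight w_i (weights sum to 1)
    value: float                 # quantized value x_i of the current state
    ref_mean: float              # reference mean mu_i from normal-state history
    ref_std: float               # reference standard deviation sigma_i
    higher_is_risk: bool = True  # assumption: False for indexes like key length


def normalized_deviation(index):
    """(x_i - mu_i) / sigma_i, oriented so that a positive value means more risk."""
    if index.ref_std <= 0:
        raise ValueError(f"{index.name}: reference standard deviation must be positive")
    z = (index.value - index.ref_mean) / index.ref_std
    return z if index.higher_is_risk else -z


def risk_threshold(indexes, k, beta):
    """Assumed formula: k * sum_i w_i * dev_i + beta. With every index at its
    reference mean the sum is 0 and the result equals beta, matching the
    description's remark about the basic risk offset."""
    if not indexes:
        raise ValueError("at least one security index is required")
    if abs(sum(i.weight for i in indexes) - 1.0) > 1e-9:
        raise ValueError("index weights must sum to 1")
    weighted = sum(i.weight * normalized_deviation(i) for i in indexes)
    return k * weighted + beta


def normal_range(index):
    """Normal fluctuation range mu +- sigma used to read a single index."""
    return (index.ref_mean - index.ref_std, index.ref_mean + index.ref_std)


def needs_response(monitored_risk, threshold):
    """True when the actual risk monitoring value exceeds the threshold, i.e.
    when a security response (encryption upgrade, vulnerability repair) is due."""
    return monitored_risk > threshold


def all_normal(indexes):
    """Copy of the indexes with every value set to its reference mean."""
    return [SecurityIndex(i.name, i.weight, i.ref_mean, i.ref_mean, i.ref_std, i.higher_is_risk)
            for i in indexes]


# Constructed security analysis data (m = 3). The weights 0.6/0.3/0.1, the
# abnormal access value 50 with mu = 10 and sigma = 3, and the 256-bit key
# length are the description's figures; the other reference values are constructed.
SAMPLE_INDEXES = [
    SecurityIndex("abnormal access times", 0.6, 50, 10, 3),
    SecurityIndex("encryption key length", 0.3, 256, 256, 64, higher_is_risk=False),
    SecurityIndex("uncorrected vulnerabilities", 0.1, 2, 1, 1),
]
K_FINANCIAL, K_LOG, BETA = 2.5, 1.2, 1.5   # k values and beta from the description

if __name__ == "__main__":
    print(risk_threshold(SAMPLE_INDEXES, K_FINANCIAL, BETA))   # financial database
    print(risk_threshold(SAMPLE_INDEXES, K_LOG, BETA))         # ordinary log database
    print(risk_threshold(all_normal(SAMPLE_INDEXES), K_FINANCIAL, BETA))   # equals beta
```

Running the same indexes through the two k values shows the behaviour the description attributes to the sensitivity coefficient: the financial setting amplifies the abnormal-access deviation far more than the log setting, while the all-normal case collapses to β for both.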
S5, identifying a redundant encryption mark in the security analysis data based on the risk threshold, optimally matching the redundant encryption mark with a preset privacy protection standard to obtain an encryption optimization mark, and formulating a dynamic path management and control strategy corresponding to the target database based on the encryption optimization mark.
The method and the device identify redundant encryption marks in the security analysis data based on the risk threshold, can accurately screen the marks which are excessively encrypted by means of the threshold quantization standard, avoid encryption resource waste, can assist the light weight of a database security architecture, improve the flexibility and response efficiency of an encryption system, and ensure the accurate and efficient security protection.
The redundant encryption mark refers to tag information extracted from the marked data set on the basis of a redundant encryption point and describing over-encryption in the database; it comprises the redundant encryption position, the encryption strength, the reason for the risk mismatch and the like, and is used to guide encryption strategy optimization. For example, after the log query operation of a user log table is identified as a redundant encryption point, a redundant encryption mark is generated with position (log query interface), encryption strength (double high-level algorithms) and reason (risk level is low but encryption is excessive), which the system uses to adjust the encryption configuration.
The method comprises the steps of analyzing a threshold datum line corresponding to a risk threshold, carrying out risk marking on safety analysis data based on the threshold datum line to obtain a marked data set, determining a data redundancy domain corresponding to the marked data set, extracting redundant encryption points in the data redundancy domain, and identifying the redundant encryption marks in the safety analysis data based on the redundant encryption points.
Wherein the threshold reference line is a critical reference line generated from the risk threshold for determining the risk level of the security analysis data; it covers the risk determination interval of each security index, the encryption strength adaptation standard and the like, and is the quantitative boundary between "safe" and "risk". For example, for a risk threshold of 7.5, the corresponding threshold reference line judges risk when the number of abnormal accesses exceeds 30 times/hour or the encryption vulnerability level is medium or higher, so 40 abnormal accesses per hour in certain security analysis data triggers the risk judgment of the reference line. The marked data set is the data set obtained by risk-marking the security analysis data according to the threshold reference line; it contains "safe/risk" tags, the index quantized values and the associated marking rules, and is the basic data set for the subsequent screening of redundant encryption. For example, if the security analysis data contains 5 indexes, marking them against the threshold reference line generates a data set such as "abnormal access times: 40 (risk tag), encryption strength: 256 (safe tag), ...", in which the risk state of each index is clearly distinguished. The data redundancy domain is the set of indexes or areas in the marked data set whose encryption strategy is configured excessively relative to the actual risk (such as repeated encryption, or high-level encryption covering a low-risk area), representing an ineffective investment of encryption resources. For example, the marked data set shows that the "user log table" area uses high-level AES encryption while its risk mark is "low" (fewer than 5 abnormal accesses per hour); this area and its associated encryption indexes form a data redundancy domain. The redundant encryption point is the specific minimum unit of redundant encryption within the data redundancy domain, which can be located to a specific operation or encryption parameter; for example, within the "user log table" domain it was found that the "log query operation" was encrypted twice (both AES-256 and RSA-2048 enabled) while the risk flag was "low", and this is the redundant encryption point.
Further, the analysis of the threshold reference line corresponding to the risk threshold can be achieved with a statistical quantile method, for example by calculating the normal fluctuation interval of the risk value from the interquartile range of a box plot to obtain the threshold reference line; the risk marking of the security analysis data can be achieved with a supervised learning method, for example by applying an SVM classifier to mark the data types automatically based on the risk features to obtain the marked data set; the determination of the data redundancy domain corresponding to the marked data set can be achieved with principal component analysis, for example by using PCA dimensionality reduction to identify highly correlated feature dimensions in the data set to obtain the data redundancy domain; the extraction of the redundant encryption points in the data redundancy domain can be achieved with a pattern matching method, for example by matching repeated feature sequences in the encrypted data with regular expressions to obtain the redundant encryption points; and the identification of the redundant encryption marks in the security analysis data can be achieved with a feature hashing method, for example by using the SimHash algorithm to detect repeated marks with similar encryption features to obtain the redundant encryption marks.
According to the method, the redundant encryption mark is optimally matched with the preset privacy protection standard to obtain the encryption optimization mark, the redundant encryption processing can be carried out by means of standard specification, so that the encryption strategy meets the privacy requirement, the resource waste is avoided, clear guidance can be provided for subsequent encryption strategy iteration, and a more efficient and compliant database security protection system can be built by assistance.
The preset privacy protection standard is a rule set predefined by the database system to standardize data encryption and privacy protection; it covers the encryption strength requirements, key management standards, access permission limits and the like for different data types (such as user privacy and transaction data), so that data privacy compliance is guaranteed. For example, for user identity card number data the standard stipulates that AES-256 encryption must be used, that the key must be updated every 2 hours and that only authorized managers (no more than 5 persons) may access the key, so that the protection of private data meets security and compliance requirements. The encryption optimization identifier is the identifier generated after a redundant encryption mark is matched with the preset privacy protection standard; it indicates the optimization direction of the encryption strategy, including the encryption area to be adjusted, the target encryption strength, the standard clauses on which the optimization is based and the like, and guides the system to optimize the encryption configuration precisely. For example, after a certain redundant encryption mark is matched, an identifier is generated whose optimization area is the log query interface, whose target encryption is AES-128 (according to clause 3.2, the strength adapted to low-sensitivity data) and whose optimization direction is to reduce the redundant encryption while retaining basic encryption, giving a clear operation path for the encryption optimization and ensuring that the adjusted configuration still satisfies the privacy protection rules.
Furthermore, the invention establishes the dynamic path management and control strategy corresponding to the target database based on the encryption optimization identification, can ensure that the management and control path is accurately matched with the encryption optimization demand, ensures that resources incline towards the core protection path, avoids invalid management and control consumption, and can dynamically adjust the path authority and encryption rules according to the identification, so that the management and control strategy is adapted in real time along with the data security state, and optimizes the efficiency of the whole protection system.
The dynamic path management and control strategy is a management and control rule set which is formulated for an access path (such as a data transmission link, an operation interface and an interaction channel among storage nodes) of a target database and can be adjusted in real time along with a security state based on encryption optimization identification, and covers contents such as path authority distribution, encryption algorithm adaptation, access frequency limitation and the like, for example, a strategy prescribes that when the encryption optimization identification of a user payment path is detected to be 'high risk needing reinforcement', the access authority of the path is automatically reduced from 10 accounts to 5, the encryption algorithm is upgraded from AES-128 to AES-256, the access limitation per second is reduced from 20 times to 10 times, and meanwhile, a real-time audit node is newly added in the path to ensure access security and controllability.
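Step S5 end to end, as an added example (not the patent's own implementation): risk-marking areas against the threshold reference line, identifying a redundant encryption point, matching it to the privacy standard to obtain an encryption optimization identifier, and formulating the dynamic path control strategy. The threshold line (risk when abnormal accesses exceed 30 per hour or the vulnerability level is at least "medium"), the doubly encrypted log query interface, the AES-128 target under clause 3.2 and the reinforcement figures (accounts 10 to 5, AES-128 to AES-256, 20 to 10 requests per second, added audit node) are the description's; the algorithm ranking, the halving rule that reproduces those figures, the placeholder clause labels and the record layout are assumptions of the example.

```python
"""Redundant encryption marks, privacy-standard matching and the dynamic path
control strategy (added example; not the patent's own code).

The threshold line, the double encryption of the log query interface, the
clause 3.2 AES-128 target and the reinforcement figures are the description's;
the algorithm ranking, halving rule, placeholder clauses and record layout are
assumptions of this example.
"""

VULN_RANK = {"low": 0, "medium": 1, "high": 2, "extremely high": 3}
ALG_LEVEL = {"AES-128": 1, "AES-256": 2, "RSA-2048": 2}   # assumed ranking: 2 = high-level

# Threshold reference line derived from the risk threshold (description's example).
THRESHOLD_LINE = {"max_abnormal_per_hour": 30, "min_vuln_level": "medium"}

# Preset privacy protection standard per data type. Only clause 3.2 (low-sensitivity
# data -> AES-128) is from the description; the other clause labels are placeholders.
PRIVACY_STANDARD = {
    "log": {"clause": "3.2", "algorithm": "AES-128", "sensitivity": "low"},
    "transaction": {"clause": "placeholder-clause", "algorithm": "AES-256", "sensitivity": "high"},
    "identity": {"clause": "placeholder-clause", "algorithm": "AES-256", "sensitivity": "high"},
}


def risk_mark(area, line=THRESHOLD_LINE):
    """Risk-mark one area of the security analysis data against the reference line."""
    too_many = area["abnormal_per_hour"] > line["max_abnormal_per_hour"]
    vulnerable = VULN_RANK[area["vuln_level"]] >= VULN_RANK[line["min_vuln_level"]]
    return "risk" if too_many or vulnerable else "safe"


def redundant_encryption_marks(areas):
    """Identify redundant encryption points: a safe-marked area protected by two
    or more high-level algorithms, i.e. encryption that does not match the risk."""
    marks = []
    for a in areas:
        high = [alg for alg in a["algorithms"] if ALG_LEVEL[alg] >= 2]
        if risk_mark(a) == "safe" and len(high) >= 2:
            marks.append({
                "area": a["area"],
                "position": a["path"],
                "strength": "double high-level (" + " + ".join(high) + ")",
                "reason": "risk level is low but encryption is excessive",
            })
    return marks


def encryption_optimization_identifier(mark, areas, standard=PRIVACY_STANDARD):
    """Match a redundant encryption mark to the privacy standard for its data type."""
    area = next(a for a in areas if a["area"] == mark["area"])
    rule = standard[area["data_type"]]
    return {
        "area": area["area"],
        "target_algorithm": rule["algorithm"],
        "basis": "clause " + rule["clause"],
        "direction": "reduce redundant encryption, keep basic encryption",
    }


def dynamic_path_strategy(area, identifier=None):
    """Formulate the control rules for one access path from its security state."""
    strategy = {
        "path": area["path"], "accounts": area["accounts"],
        "algorithms": list(area["algorithms"]), "rps_limit": area["rps_limit"],
        "audit_node": False, "status": "unchanged",
    }
    if risk_mark(area) == "risk":
        # Reinforcement: halve the account set and rate limit (assumed rule that
        # reproduces the description's 10->5 and 20->10), upgrade AES-128 to
        # AES-256 and add a real-time audit node on the path.
        strategy["accounts"] = max(1, area["accounts"] // 2)
        strategy["rps_limit"] = max(1, area["rps_limit"] // 2)
        strategy["algorithms"] = ["AES-256" if alg == "AES-128" else alg for alg in area["algorithms"]]
        strategy["audit_node"] = True
        strategy["status"] = "high risk needing reinforcement"
    elif identifier is not None and identifier["area"] == area["area"]:
        strategy["algorithms"] = [identifier["target_algorithm"]]
        strategy["status"] = "redundant encryption reduced per " + identifier["basis"]
    return strategy


# Constructed marked data set (not from the patent).
AREAS = [
    {"area": "user_log_table", "path": "log query interface", "data_type": "log",
     "abnormal_per_hour": 3, "vuln_level": "low", "algorithms": ["AES-256", "RSA-2048"],
     "accounts": 10, "rps_limit": 20},
    {"area": "user_payment", "path": "user payment path", "data_type": "transaction",
     "abnormal_per_hour": 40, "vuln_level": "medium", "algorithms": ["AES-128"],
     "accounts": 10, "rps_limit": 20},
    {"area": "identity_numbers", "path": "identity lookup interface", "data_type": "identity",
     "abnormal_per_hour": 2, "vuln_level": "low", "algorithms": ["AES-256"],
     "accounts": 5, "rps_limit": 10},
]


def run(areas=AREAS):
    """Walk the whole S5 step and return the control strategy per area."""
    marks = redundant_encryption_marks(areas)
    identifiers = {m["area"]: encryption_optimization_identifier(m, areas) for m in marks}
    return {a["area"]: dynamic_path_strategy(a, identifiers.get(a["area"])) for a in areas}


if __name__ == "__main__":
    for area, strategy in run().items():
        print(area, strategy)
```

The identity-number area is deliberately included as a control: a single high-level algorithm on a low-risk area is not redundant under the description's definition (two high-level algorithms on a low-risk area), so its strategy stays unchanged, while the doubly encrypted log interface is reduced to the clause 3.2 target and the risk-marked payment path is reinforced.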
Compared with the prior art, by acquiring the dynamic access path corresponding to the target database, the method and the system can capture the complete link of user and data interaction in real time, provide an accurate basis for the dynamic adjustment of the subsequent encryption strategy, help to realize the directional allocation of encryption resources, avoid the resource waste caused by indiscriminate encryption, and optimize the safety and efficiency of database management from the source. By identifying the access ciphertext in the dynamic access path based on the key access nodes, the encryption data associated with the core security links can be accurately positioned, which improves the pertinence and efficiency of ciphertext identification, avoids the redundant identification of ciphertext unrelated to key nodes, reduces unnecessary computing resource consumption and optimizes the overall efficiency of ciphertext management while guaranteeing the precision of data security analysis. Further, by extracting the access load data in the dynamic encryption architecture and marking it with security grades, high-risk load links can be accurately identified and the security protection resources can be tilted towards critical loads, improving pertinence and realizing timely monitoring of load security. By determining the risk area corresponding to the access abnormal point, dynamically marking it, analyzing its security and calculating the risk threshold, the security state of the risk area is quantified so that the protection strategy can be adjusted in real time as the risk changes. Finally, by identifying the redundant encryption marks in the security analysis data based on the risk threshold, the marks which are excessively encrypted can be accurately screened out by means of the threshold quantization standard, avoiding encryption resource waste, assisting the light-weighting of the database security architecture, improving the flexibility and response efficiency of the encryption system and ensuring accurate and efficient security protection. Therefore, the database management method and system for dynamic path encryption provided by the embodiment of the invention can improve the management efficiency of data in the database.
FIG. 3 is a functional block diagram of a dynamic path encrypted database management system according to the present invention.
The database management system 200 for dynamic path encryption according to the present invention may be installed in an electronic device. Depending on the functions implemented, the dynamic path encrypted database management system may include a node identification module 201, an architecture construction module 202, an outlier determination module 203, a threshold calculation module 204, and a policy formulation module 205. The module of the invention, which may also be referred to as a unit, refers to a series of computer program segments, which are stored in the memory of the electronic device, capable of being executed by the processor of the electronic device and of performing a fixed function.
In the embodiment of the present invention, the functions of each module/unit are as follows:
The node identification module 201 is configured to obtain a dynamic access path corresponding to a target database, and perform encryption analysis on the dynamic access path to obtain a path encryption feature, and identify a key access node in the dynamic access path based on the path encryption feature;
the architecture construction module 202 is configured to identify an access ciphertext in the dynamic access path based on the key access node, divide a segmented ciphertext unit corresponding to the access ciphertext, and construct a dynamic encryption architecture corresponding to the target database based on the segmented ciphertext unit;
The outlier determining module 203 is configured to extract access load data in the dynamic encryption architecture, perform security classification marking on the access load data to obtain a classified security queue, calculate a key allocation value corresponding to the classified security queue, and determine an access outlier in the target database based on the key allocation value;
The threshold calculation module 204 is configured to determine a risk area corresponding to the access abnormal point, dynamically mark the risk area to obtain an area encryption tag, perform security analysis on the area encryption tag to obtain security analysis data, and calculate a risk threshold corresponding to the security analysis data;
the policy formulation module 205 is configured to identify a redundant encryption flag in the security analysis data based on the risk threshold, and perform optimization matching on the redundant encryption flag and a preset privacy protection standard to obtain an encryption optimization identifier, and formulate a dynamic path management policy corresponding to the target database based on the encryption optimization identifier.
In detail, the modules in the dynamic path encrypted database management system 200 in the embodiment of the present invention use the same technical means as the above-mentioned dynamic path encrypted database management method in fig. 1, and can produce the same technical effects, which are not described herein.
It will be evident to those skilled in the art that the invention is not limited to the details of the foregoing illustrative embodiments, and that the present invention may be embodied in other specific forms without departing from the spirit or essential characteristics thereof.
Finally, it should be noted that the foregoing embodiments are merely illustrative of the technical solution of the present invention and not limiting, and in the foregoing embodiments, various embodiments may be combined or independent, and any one of them may be deleted without affecting the technical implementation of the other embodiments, although the present invention has been described in detail with reference to the preferred embodiment, it should be understood by those skilled in the art that modifications and equivalents may be made to the technical solution of the present invention without departing from the spirit and scope of the technical solution of the present invention.

Claims (10)

Application CN202511242401.2A (priority and filing date 2025-09-02), published as CN120744986A (en) on 2025-10-03; status: pending. Family ID 97221210; country status: CN (1), CN120744986A (en).
Legal events: PB01 Publication