The Design And Implementation Of Database Security Audit And Detection System

Posted on: 2015-01-04
Degree: Master
Type: Thesis
Country: China
Candidate: L Yang
GTID: 2268330425970579
Subject: Information networks and security

Abstract/Summary:
As a core asset of information systems, the database has become a main target of intruders. At present, the widely used database security mechanisms usually deal with unsafe events from the angle of prevention. They lack the ability to cope with security incidents that have already happened. When security problems occur, it is important to detect and identify illegal actions quickly, obtain evidence, and analyze the security incident. The study of database security audit and security detection therefore has practical significance.

After analyzing the database security audit mechanism and security detection technology, this paper maintains that database security audit and security detection support each other and complement each other in both functions and goals. On this basis, a database security audit and detection system aimed at the Oracle database is designed and implemented from the angle of independent audit.

Database security audit collects data by bypass monitoring in order to achieve independent audit. The main technologies involved are Java-based network packet capturing and filtering, network protocol parsing, database communication protocol parsing, and SQL parsing. Database security detection combines security detection based on user behavior rules with security detection based on SQL structure. Security detection based on user behavior rules generates rules according to the model of database user behavior, and then performs anomaly detection by matching user operations against the rules. Association analysis is used to generate the user behavior rules, with the security of the training sets taken into consideration. SQL parsing is the basis for security detection based on SQL structure, which compensates for the low detection accuracy of security detection based on user behavior rules.

The main work is as follows:

(1) Parse the TNS protocol (V314) of Oracle Database 11g, and extract the information on database user operations accurately and efficiently from TNS packets.

(2) Propose a model of database user behavior. This model recognizes not only the operation type and operation target of a SQL statement but also the type and target in a conditional clause or nested statement. It can therefore describe the operation behavior of database users as a whole, and its description precision is extensible.

(3) Design an algorithm for generating rules of normal user behavior based on association analysis, taking the security of the training sets into consideration. After analyzing and comparing several typical correlation metrics, a correlation metric suited to the user operation data is chosen to generate the user behavior rules.

(4) Design a method of database security detection that combines user behavior rules and SQL structure. This method improves the range and accuracy of security detection.
Keywords/Search Tags: Database Security Audit, Database Security Detection, Bypass Monitoring, Correlation Metric, Association Analysis
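
The rule-based detection described in the abstract can be sketched as follows. This is an added example, not code from the thesis: the record layout, the thresholds, and the choice of lift as the correlation metric are assumptions (the abstract does not name the metric it selects), and the audit records are constructed.

```python
from collections import Counter

# Constructed audit records: (user, operation type, target, objects in WHERE/subquery).
TRAINING = (
    [("app_rw", "SELECT", "orders", ("customers",))] * 40
    + [("app_rw", "UPDATE", "orders", ())] * 15
    + [("report", "SELECT", "sales", ())] * 30
    + [("report", "SELECT", "accounts", ("passwords",))] * 1  # rare, possibly hostile
)

def behavior(record):
    """Flatten one record into behaviour items: the statement's own operation
    and target plus every object referenced in a condition or nested query."""
    _user, op, target, cond_targets = record
    return frozenset({(op, target)} | {("COND", t) for t in cond_targets})

def generate_rules(records, min_support=0.02, min_confidence=0.1, min_lift=1.0):
    """Mine user -> behaviour rules. The support floor keeps rare operations in
    an untrusted training set from becoming 'normal' rules. Lift as the
    correlation metric is an assumption of this example."""
    n = len(records)
    users = Counter(r[0] for r in records)
    behaviors = Counter(behavior(r) for r in records)
    joint = Counter((r[0], behavior(r)) for r in records)
    rules = {}
    for (user, beh), count in joint.items():
        support = count / n
        confidence = count / users[user]
        lift = confidence / (behaviors[beh] / n)
        if support >= min_support and confidence >= min_confidence and lift > min_lift:
            rules.setdefault(user, set()).add(beh)
    return rules

def is_anomalous(rules, record):
    """An operation is anomalous when no rule for its user matches it."""
    return behavior(record) not in rules.get(record[0], set())

if __name__ == "__main__":
    rules = generate_rules(TRAINING)
    for probe in [("app_rw", "SELECT", "orders", ("customers",)),
                  ("app_rw", "SELECT", "orders", ("passwords",))]:
        print(probe, "anomalous" if is_anomalous(rules, probe) else "normal")
```

The second probe has the same operation type and target as a learned rule and differs only in the object referenced in its condition, which is the case the behavior model's coverage of conditional clauses and nested statements is meant to catch.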