With the rapid development of cloud computing, the mobile Internet and big data, application data has grown sharply and its structure has become looser, and network attacks have changed with it: their scope is wider, their targets more numerous, their techniques more advanced, and their intent has shifted from damaging the network to hiding inside it and waiting for valuable information. These changes put great pressure on information security defenders. Against this background, this paper starts from the actual process of tracing threat information, derives the storage requirements of that process, then selects a suitable database and designs a storage scheme with performance verification. The work is described in the following aspects:

(1) Threat information is classified by the attack method used and analysed mainly as network security threats, system security threats and web security threats. The tracing process is then analysed with dynamic packet marking as the example, in its three steps: original path processing, packet marking processing and path reconstruction processing. From this analysis the storage requirements are derived: the store must manage the heterogeneous characteristic information of threats and the massive process data efficiently.

(2) A suitable database is selected against these requirements. A relational database has difficulty storing massive, heterogeneous data and scaling out with high scalability and high availability. NoSQL databases are then introduced and compared, and MongoDB is found to meet the requirements through its loose storage model, rich indexing, efficient dynamic queries, automatic sharding for cloud-scale extension, and its replication and recovery mechanisms.

(3) The characteristic information of each threat type is organised by allocating fields and defining attribute names. Storing the same information in SQL Server for comparison shows in practice that the large differences between threats require a large number of tables, that the low correlation between threats makes queries that join tables difficult, and that the fixed table structure makes adding a field hard, among other problems.

(4) The characteristic information is stored in MongoDB as documents in a collection, which is more flexible than SQL Server for storing, querying and modifying the structure of threats; the result is displayed in MongoVUE. The paper also analyses the insertion of large volumes of threat characteristic information, implemented in Python over a connection to MongoDB. A further problem is that, as the data volume grows, the time to insert one document rises significantly because of the checks the database performs on each insert. The performance of the default index, a unique index, a compound index and a sparse index is therefore measured and compared; the compound index on name and performance performs best.

(5) Process information is stored in MongoDB, with a Rootkit as the example. So that the detection cannot be attacked or bypassed by the malicious software, verification is carried out on an Ubuntu virtual machine from the VMM: the VMM, which holds the highest privilege over the virtual machine, copies sensitive information and inspects the machine; Eric reads the detection log and writes it into a MongoDB collection. Security files and the xRatt Trojan are then added, and changes in system processes, in file names and locations, and in the effect on sensitive parts of the kernel are detected. Repeated verification shows that creating a second index when an index on name already exists gives the best performance.
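The two storage steps above, (3) heterogeneous threat-feature records as documents and (4) choosing an index before bulk insertion from Python, as an added example that is not code from the thesis. The threat records, field names and the `threats.features` collection name are constructed for illustration; the indexes are declared unique here so that an offline check has something to test, whereas the thesis measures insert time against a live server, which this example only reaches through `store_threats` when pymongo and MongoDB are available.

```python
"""
Added example, not code from the thesis: model heterogeneous threat-feature
records as MongoDB documents and check which index choices would accept them.
All threat records and field names below are constructed sample data.
"""
from typing import Any, Dict, List, Sequence, Tuple

ASCENDING = 1  # same sort-direction constant that pymongo.ASCENDING uses

# Constructed records. Each threat class carries different attributes; this is
# the heterogeneity that needs one table per class in SQL Server but fits a
# single MongoDB collection.
SAMPLE_THREATS: List[Dict[str, Any]] = [
    {"name": "SYN flood", "type": "network", "performance": "resource exhaustion",
     "protocol": "TCP", "spoofed_source": True},
    {"name": "Rootkit", "type": "system", "performance": "hidden process",
     "hooked_calls": ["getdents", "kill"]},
    {"name": "SQL injection", "type": "web", "performance": "data leak",
     "vector": "GET parameter", "payload": "' OR 1=1 --"},
    {"name": "Rootkit", "type": "system", "performance": "hidden file",
     "path": "/usr/lib/.hidden"},
]


def schema_per_type(docs: List[Dict[str, Any]]) -> Dict[str, List[str]]:
    """Field set used by each threat class; shows why one fixed table is awkward."""
    fields: Dict[str, set] = {}
    for d in docs:
        fields.setdefault(d["type"], set()).update(d.keys())
    return {t: sorted(f) for t, f in fields.items()}


def unique_violations(docs: List[Dict[str, Any]],
                      keys: Sequence[Tuple[str, int]],
                      sparse: bool = False) -> List[tuple]:
    """Simulate MongoDB's uniqueness check for a unique (optionally sparse) index.

    A sparse index skips a document that lacks every indexed field; a
    non-sparse index stores it under null, so a second such document collides.
    Returns the key tuples of the documents the index would reject.
    """
    seen = set()
    rejected = []
    for d in docs:
        key = tuple(d.get(field) for field, _direction in keys)
        if sparse and all(v is None for v in key):
            continue
        if key in seen:
            rejected.append(key)
        else:
            seen.add(key)
    return rejected


# Candidate indexes (hypothetical labels); the default _id index is implicit.
INDEXES = {
    "unique_name": ([("name", ASCENDING)], {"unique": True}),
    "compound_name_performance": (
        [("name", ASCENDING), ("performance", ASCENDING)], {"unique": True}),
    "sparse_path": ([("path", ASCENDING)], {"unique": True, "sparse": True}),
}


def choose_index(docs: List[Dict[str, Any]]) -> List[str]:
    """Labels of INDEXES that would accept every document in `docs`."""
    return [label for label, (keys, opts) in INDEXES.items()
            if not unique_violations(docs, keys, opts.get("sparse", False))]


def store_threats(docs: List[Dict[str, Any]],
                  uri: str = "mongodb://localhost:27017",
                  index: str = "compound_name_performance") -> int:
    """Create the chosen index and bulk-insert; needs pymongo and a live server."""
    from pymongo import MongoClient  # imported here so the rest runs offline
    coll = MongoClient(uri)["threats"]["features"]  # constructed names
    keys, opts = INDEXES[index]
    coll.create_index(list(keys), **opts)
    return len(coll.insert_many(docs).inserted_ids)


if __name__ == "__main__":
    print(schema_per_type(SAMPLE_THREATS))
    for label, (keys, opts) in INDEXES.items():
        print(label, unique_violations(SAMPLE_THREATS, keys, opts.get("sparse", False)))
    print(choose_index(SAMPLE_THREATS))
```

The two Rootkit records share a name but differ in `performance`, so a unique index on `name` alone rejects the second one while the compound index on (`name`, `performance`) accepts both; the non-sparse index on `path` collides on the documents that have no `path` field at all, which is the case a sparse index exists to handle.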