
CN109614429B - Method for realizing association of application access and database access behaviors based on kernel driver - Google Patents


Info

Publication number
CN109614429B
CN109614429B (application number CN201811463856.7A)
Authority
CN
China
Prior art keywords
application server
access
layer
database
information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201811463856.7A
Other languages
Chinese (zh)
Other versions
CN109614429A (en)
Inventor
杨海峰
潘云
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Dbsec Technology Co ltd
Original Assignee
Beijing Dbsec Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Dbsec Technology Co ltd
Priority to CN201811463856.7A
Publication of CN109614429A
Application granted
Publication of CN109614429B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Debugging And Monitoring (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention relates to a method, based on a kernel driver, for associating application access with database access behavior. The method comprises the following steps: deploying the Anhua Jinhe bypass driver on each application server; configuring the bypass driver; the driver begins capturing the system calls of the relevant processes and writes them to a kernel buffer; a user-mode program on each of the multi-tier application servers associates the access arriving from the previous application server with the access it makes to the next one, then gathers all of the information and sends it to the database auditing device; finally, the database auditing device uses all of the association information to associate the client access behavior with the database access behavior. The method uses the operating-system kernel driver to obtain system-call information in a bypass mode at the driver layer and derives the database access behavior from the association relations among the multiple tiers of application servers. It can therefore provide accurate, efficient and universal records of application access to the database, and it solves the problems of inaccurate association, and of association that cannot be implemented at all, caused by differing application frameworks.

Description

Method for realizing association of application access and database access behaviors based on kernel driver
Technical Field
The invention belongs to the technical field of data security, and in particular relates to a method for associating application access with database access behavior based on a kernel driver.
Background
In the field of data security, being able to obtain the complete chain of an application's access to a database is very important, because access tracing can be performed on that data. In such an environment, acquiring the access behavior inside the application server is therefore very important, so that more of the important access information can be associated and the data access chain is not broken.
However, application-server technology is now diversifying: application frameworks are varied and development languages are numerous. Under application technology that changes rapidly and in many directions, a precise, efficient and universal way of associating access behavior becomes very important and is also the core problem.
Existing association techniques are limited by operating systems, development languages, application frameworks, components and so on, and therefore have difficulty solving the problems currently encountered.
Disclosure of Invention
The invention aims to overcome the defects of the prior art by providing a method for associating application access with database access behavior based on a kernel driver. The method uses kernel-driver technology to obtain the multi-thread information of a process and to associate the information of its threads, and thereby associates application access with database access behavior. It solves the problem that existing association techniques are limited by the operating system, development language, application framework, components and the like, and it can provide accurate, efficient and universal records of application access to the database.
The technical problem to be solved by the invention is addressed by the following technical scheme:
A method for associating application access with database access behavior based on a kernel driver comprises the following steps:
Step 1: deploy the Anhua Jinhe bypass driver on each application server, register the system call types that need to be bypassed, and trigger bypass information collection through the system call event response;
Step 2: a user-mode program scans the application server, or the relevant processes are configured manually into the bypass driver, and the bypass driver monitors the system calls of the relevant processes;
Step 3: the bypass driver begins capturing the system calls of the relevant processes and writes them to the kernel buffer;
Step 4: on the first-tier application server, the user-mode program reads the contents of the buffer into user mode, associates the client access with the first-tier application server using the process number, thread number and socket connection information, associates that connection with the connection information between the first-tier and second-tier application servers, and finally associates the client's access behavior with the first-tier server's access to the second-tier application server; all of this information is then summarized and sent to the database auditing device;
Step 5: on the second-tier application server, the user-mode program uses the same principle to associate the access from the first-tier application server with the access to the third-tier application server, then summarizes the information and sends it to the database auditing device;
Step 6: on the remaining application servers, each subsequent tier repeats the behavior of the first-tier application server, associating the access from the previous tier with the access to the next tier, until the access to the database server has been associated; the data is sent to the database auditing device;
Step 7: after receiving the information from all of the application servers, the database auditing device finally uses all of the association information to associate the client access behavior with the database access behavior.
The invention has the advantages and positive effects that:
The method is reasonably designed: using the operating-system kernel driver, the system-call information is obtained in a bypass mode at the driver layer; the information carried in the system calls is used to associate threads inside the application and information between processes accurately, including the client information of the access to the application; and finally the access behavior to the database is obtained through the association relations among the multiple application servers.
Drawings
FIG. 1 is a schematic diagram of an exemplary use scenario of the present invention;
FIG. 2 is a schematic diagram of the present invention for obtaining information via a kernel.
Detailed Description
The embodiments of the present invention will be described in detail with reference to the accompanying drawings.
A typical application scenario of the method for associating application access with database access behavior based on a kernel driver is shown in FIG. 1, but the invention is not limited to this scenario.
As shown in fig. 2, the present invention comprises the steps of:
step 1: and deploying An Huajin and a bypass driver at the application server, registering a system call type needing bypass, and triggering bypass information collection through a system call event response.
Step 2: after An Huajin and the bypass driver are installed and deployed, a user mode program scans a system application server or manually configures the system application server to the driver, and An Huajin and the bypass driver monitor system call of a related process;
and step 3: an Huajin and the bypass driver start to obtain the system call of the relevant process, and write to the kernel buffer;
and 4, step 4: at the first tier application server: and the user mode program reads the content of the buffer area to a user mode, associates the client access with the first layer application server by utilizing the process number, the thread number and the socket connection information, associates the connection with the information of the connection of the first layer application server and the second layer application server, and finally associates the client access behavior with the access behavior of the second layer application server on the first layer application server. All information is then aggregated and sent to a database auditing facility, but not limited to.
And 5: at the second tier application server: and the user mode program completes the association of the access of the first layer of application server and the access of the third layer of application server by using the same principle. The summary of information is also sent to the database auditing device, but is not limited to the database auditing device.
Step 6: other application servers: the latter application servers repeat the action of the first layer application server, and correlate the access from the former layer application server to the latter layer application server, and finally correlate the access to the database server. And send the data to a database auditing facility, but not limited to a database auditing facility. This step is to illustrate, and the implementation does not limit the number of layers of the application server.
And 7: and after receiving the information of all the application servers, the database auditing equipment finally associates the client access behavior with the database access behavior by using all the associated information.
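As an added illustration of steps 4 to 7 (example code written for this page, not the patent's or the assignee's implementation), the Python below plays the user-mode program on each tier and then the database auditing device. It assumes the driver hands user mode one record per accept() and connect() system call carrying the process number, thread number and the two socket endpoints, which is the information the steps above rely on; the event list, addresses and ports are constructed sample data, and the driver and kernel buffer themselves are not modelled.

```python
"""
Added illustration (not the patent's own code): a minimal user-mode correlator
(steps 4-6) and an audit-device chain builder (step 7). SAMPLE_EVENTS is
constructed data standing in for the system-call records the bypass driver
would write to the kernel buffer.
"""
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]        # (ip, port)
Conn = Tuple[Endpoint, Endpoint]  # (caller endpoint, callee endpoint)

# Constructed sample: one record per captured system call, in capture order.
# Tier 1 listens on :8080 and calls tier 2 on :9090, which calls the database on :3306.
SAMPLE_EVENTS: List[dict] = [
    # tier 1, pid 100 / thread 11: accepts a client request, then calls tier 2
    dict(tier=1, syscall="accept",  pid=100, tid=11, local=("10.0.1.10", 8080),  peer=("192.168.5.7", 51000)),
    dict(tier=1, syscall="connect", pid=100, tid=11, local=("10.0.1.10", 40001), peer=("10.0.2.10", 9090)),
    # tier 1, thread 12: accepts a client request that is served locally (no downstream call)
    dict(tier=1, syscall="accept",  pid=100, tid=12, local=("10.0.1.10", 8080),  peer=("192.168.5.8", 51001)),
    # tier 2, pid 200 / thread 21: accepts tier 1's connection, then calls the database
    dict(tier=2, syscall="accept",  pid=200, tid=21, local=("10.0.2.10", 9090),  peer=("10.0.1.10", 40001)),
    dict(tier=2, syscall="connect", pid=200, tid=21, local=("10.0.2.10", 40002), peer=("10.0.3.10", 3306)),
]


def associate_tier(events: List[dict], tier: int) -> List[dict]:
    """User-mode program on one application server (steps 4-6).

    Each accepted inbound connection is keyed by (pid, tid); a later connect()
    from the same thread is taken as the downstream access made on behalf of
    that inbound request. A thread that accepts but never connects yields a
    record whose 'outbound' stays None (the request was served locally).
    """
    current: Dict[Tuple[int, int], dict] = {}
    records: List[dict] = []
    for ev in events:
        if ev["tier"] != tier:
            continue
        key = (ev["pid"], ev["tid"])
        if ev["syscall"] == "accept":
            rec = {"tier": tier, "inbound": (ev["peer"], ev["local"]), "outbound": None}
            current[key] = rec
            records.append(rec)
        elif ev["syscall"] == "connect" and key in current:
            current[key]["outbound"] = (ev["local"], ev["peer"])
    return records


def build_chains(all_records: List[dict]) -> List[List[Endpoint]]:
    """Database auditing device (step 7).

    Tier N's outbound 4-tuple is matched against tier N+1's inbound 4-tuple to
    walk from each client request to the final hop. An outbound connection with
    no matching application-server record is treated as the last hop (the
    database server in the sample).
    """
    by_inbound: Dict[Conn, dict] = {rec["inbound"]: rec for rec in all_records}
    chains: List[List[Endpoint]] = []
    for rec in all_records:
        if rec["tier"] != 1:
            continue  # every chain starts at the tier that faces the client
        chain: List[Endpoint] = [rec["inbound"][0]]  # the client endpoint
        cur: Optional[dict] = rec
        while cur is not None:
            chain.append(cur["inbound"][1])  # the server this hop reached
            out = cur["outbound"]
            if out is None:
                break
            nxt = by_inbound.get(out)
            if nxt is None:
                chain.append(out[1])
                break
            cur = nxt
        chains.append(chain)
    return chains


def run_sample() -> List[List[Endpoint]]:
    """Run both tiers' correlators over the sample and chain them on the audit side."""
    records = associate_tier(SAMPLE_EVENTS, 1) + associate_tier(SAMPLE_EVENTS, 2)
    return build_chains(records)


if __name__ == "__main__":
    for chain in run_sample():
        print(" -> ".join(f"{ip}:{port}" for ip, port in chain))
```

Two design points the example makes explicit. The per-thread association only holds when the thread that accepted the client request is the one that opens the downstream connection; a framework that hands the request to a worker pool or an asynchronous event loop would need an additional key, which is exactly the framework dependence the Background attributes to existing methods. And the audit device chains tiers purely on the socket 4-tuple, so any address rewriting between tiers (a NAT or proxy) must be accounted for in the inbound/outbound match, otherwise the chain stops at that hop.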
It should be emphasized that the embodiments described herein are illustrative and not restrictive, and thus the present invention includes, but is not limited to, the embodiments described in the detailed description, as well as other embodiments that can be derived by one skilled in the art from the teachings herein.

Claims (1)

1. A method for associating application access with database access behavior based on a kernel driver, characterized in that it comprises the following steps:
Step 1: deploying a bypass driver on each application server, registering the system call types that need to be bypassed, and triggering bypass information collection through the system call event response;
Step 2: a user-mode program scans the application server, or the relevant processes are configured manually into the bypass driver, and the bypass driver monitors the system calls of the relevant processes;
Step 3: the bypass driver begins capturing the system calls of the relevant processes and writes them to a kernel buffer;
Step 4: on the first-tier application server, the user-mode program reads the contents of the kernel buffer into user mode, associates the client access with the first-tier application server using the process number, thread number and socket connection information, associates that association with the connection information between the first-tier and second-tier application servers, finally associates the client access behavior with the first-tier server's access to the second-tier application server, and then collects all of the information and sends it to the database auditing device;
Step 5: on the second-tier application server, the user-mode program uses the same principle to associate the access from the first-tier application server with the access to the third-tier application server, then gathers the information and sends it to the database auditing device;
Step 6: on the application servers of the other tiers, each subsequent tier repeats the behavior of the first-tier application server, associating the access from the previous tier with the access to the next tier, until the access to the database server has been associated, and sends the data to the database auditing device;
Step 7: after receiving the information from all of the application servers, the database auditing device finally uses all of the association information to associate the client access behavior with the database access behavior.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811463856.7A CN109614429B (en) 2018-12-03 2018-12-03 Method for realizing association of application access and database access behaviors based on kernel driver

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811463856.7A CN109614429B (en) 2018-12-03 2018-12-03 Method for realizing association of application access and database access behaviors based on kernel driver

Publications (2)

Publication Number Publication Date
CN109614429A CN109614429A (en) 2019-04-12
CN109614429B true CN109614429B (en) 2023-04-07

Family

ID=66005639

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811463856.7A Active CN109614429B (en) 2018-12-03 2018-12-03 Method for realizing association of application access and database access behaviors based on kernel driver

Country Status (1)

Country Link
CN (1) CN109614429B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113641424B (en) * 2021-10-13 2022-02-01 北京安华金和科技有限公司 Database operation processing method and system

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101410803A (en) * 2006-01-24 2009-04-15 思杰系统有限公司 Methods and systems for providing access to a computing environment
CN104166812A (en) * 2014-06-25 2014-11-26 中国航天科工集团第二研究院七〇六所 Database safety access control method based on independent authorization
CN105373603A (en) * 2015-11-09 2016-03-02 杭州安恒信息技术有限公司 Method for improving three-layer correlation accuracy
CN106302404A (en) * 2016-08-01 2017-01-04 华中科技大学 A kind of collection network is traced to the source the method and system of information
CN107026767A (en) * 2017-03-30 2017-08-08 上海七牛信息技术有限公司 Service protocol achievement data collection method and system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8082294B2 (en) * 2007-06-27 2011-12-20 Concept Solutions, Llc Methods and systems for providing web applications


Also Published As

Publication number Publication date
CN109614429A (en) 2019-04-12

Similar Documents

Publication Publication Date Title
CN101320350B (en) Performance monitoring method and device
US7640459B2 (en) Performing computer application trace with other operations
CN110489699B (en) Asynchronous data acquisition method and system
CN107870933B (en) Method, device and system for counting android application page browsing behaviors
US8028200B2 (en) Tracing operations in multiple computer systems
US9588869B2 (en) Computer implemented system and method of instrumentation for software applications
DE102018113625A1 (en) ERROR INJECTION TESTING DEVICE AND METHOD
US20080098359A1 (en) Manipulation of trace sessions based on address parameters
CN104182288A (en) Method for automatically testing power consumption of server cluster system
US8116179B2 (en) Simultaneous viewing of multiple tool execution results
CN109491860A (en) Method for detecting abnormality, terminal device and the medium of application program
EP2560099A1 (en) Efficiently collecting transaction-separated metrics in a distributed environment
CN107066370A (en) A kind of automatic monitoring and the instrument and method for collecting faulty hard disk daily record
CN104503910A (en) Product test method by monitoring users' using behavior
CN110750458A (en) Big data platform testing method and device, readable storage medium and electronic equipment
US20160274997A1 (en) End user monitoring to automate issue tracking
CN106844204A (en) A kind of utilization mobile terminal generates the method and system of defect report
US20120066558A1 (en) Network fault management in busy periods
JP2017539031A (en) Separation of test verification from test execution
CN101017459A (en) Error capturing plug-in used in information system and method of use thereof
CN109614429B (en) Method for realizing association of application access and database access behaviors based on kernel driver
CN103368762B (en) Big data contrast test method, system and device
CN110750416A (en) A method and device for automatic processing of fault information
CN119088612A (en) A method, system, electronic device and storage medium for analyzing abnormal business request delimitation
CN109491822A (en) A kind of system reboot detection method, device, terminal and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant