
Design and Implementation of a Database Security Audit and Detection System

Published: 2018-04-03 16:50

Topic: database security audit. Focus: database security detection. Source: Beijing Jiaotong University, master's thesis, 2014


[Abstract]: Databases, as the core assets of information systems, have become a primary target for intruders. The database security mechanisms in wide use today mainly address security incidents from the standpoint of prevention, and they lack the ability to respond once an incident has occurred. When a security problem does occur, quickly identifying illegitimate behavior, collecting evidence after the fact and analyzing the incident are very important. Attention to database security auditing and security detection therefore has real practical significance.

The thesis examines database security audit mechanisms and security detection techniques and argues that security auditing and security detection support and draw on each other in function and goal. On this basis, from the standpoint of audit independence, it designs and implements a database security audit and detection system for Oracle databases.

Database security auditing collects data by bypass listening, which achieves audit independence. Its core techniques include Java network packet capture and filtering, network protocol parsing, database communication protocol parsing, and SQL statement parsing. Database security detection combines detection based on user behavior rules with detection based on SQL statement structure. Detection based on user behavior rules builds a database user behavior model, generates user behavior rules from it, and detects anomalies by matching user operations against the rules. Rule generation uses association analysis and takes into account differences in the security of the content of the rule training set. Detection based on SQL statement structure is built on an analysis of SQL syntax structure, and it compensates for the coarse granularity of detection based on user behavior rules.

The main work of the thesis is as follows:

(1) Parsed the non-public TNS protocol (version 314) of the Oracle 11g database, achieving accurate and efficient extraction of database user operation information from TNS packets.

(2) Proposed a database user behavior model. It identifies the operation type and operation target of an SQL statement and also extracts the operation types and targets in operation conditions or nested statements, so it describes database user operations fairly comprehensively and its descriptive precision can be extended.

(3) Designed, on the basis of association analysis, an algorithm for generating rules of normal user behavior that takes the security of the training set content into account. Several typical correlation metrics were analyzed and compared, and one suited to the characteristics of database user behavior data was selected to generate the user behavior rules.

(4) Designed a security detection method that combines user behavior rules with SQL statement structure, improving the breadth and precision of user behavior detection.
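The rule-based detection summarized in the abstract, as an added Python illustration that is not code from the thesis: each audited statement is reduced to (operation, target) items, nested queries included, frequent itemsets mined from a user's training statements act as the rules, and a statement is flagged when it contains an item or item pair that no rule covers. The regex extractor, the itemset form of the rules, the threshold and the table names are assumptions; the abstract does not name the correlation metric the thesis selected, so plain support is used here instead.

```python
import re
from collections import Counter
from itertools import combinations

_LITERAL = re.compile(r"'(?:[^']|'')*'")   # string literals, removed before parsing
_TARGET = re.compile(                       # keyword that introduces a table name
    r"\b(INSERT\s+INTO|UPDATE|DELETE\s+FROM|FROM|JOIN)\s+([A-Z_][A-Z0-9_$#.]*)")

def behavior_items(sql):
    """(operation, target) pairs of a statement, subqueries included.
    Simplified: first table after each keyword only; no FOR UPDATE handling."""
    text = _LITERAL.sub("''", sql).upper()
    items = set()
    for kw, table in _TARGET.findall(text):
        op = kw.split()[0]
        items.add(("SELECT" if op in ("FROM", "JOIN") else op, table))
    return frozenset(items)

def _itemsets(items):
    """All 1- and 2-item subsets of one statement's behavior items."""
    return [frozenset(c) for k in (1, 2) for c in combinations(sorted(items), k)]

def mine_rules(statements, min_support):
    """Itemsets whose support in the training statements reaches min_support."""
    counts = Counter()
    for sql in statements:
        counts.update(_itemsets(behavior_items(sql)))
    need = min_support * len(statements)
    return {s for s, n in counts.items() if n >= need}

def check(sql, rules):
    """Itemsets of this statement that no rule covers; empty list means normal."""
    return [set(s) for s in _itemsets(behavior_items(sql)) if s not in rules]

# Constructed audit records for one database user (not data from the thesis).
TRAINING = [
    "SELECT name FROM emp WHERE id = 7",
    "SELECT name FROM emp WHERE dept_id IN (SELECT id FROM dept)",
    "SELECT e.name FROM emp e JOIN dept d ON e.dept_id = d.id",
    "UPDATE emp SET phone = '555' WHERE id = 7",
    "UPDATE emp SET note = 'moved from salary team' WHERE id = 9",
    "SELECT amount FROM salary WHERE emp_id = 7",
    "SELECT amount FROM salary WHERE emp_id = 9",
    "DELETE FROM emp WHERE id = 3",          # seen once: below the threshold
]
RULES = mine_rules(TRAINING, min_support=0.25)

if __name__ == "__main__":
    print(check("SELECT name FROM emp WHERE id IN (SELECT emp_id FROM salary)", RULES))
```

The printed case is the one a plain per-table allow-list misses: both tables are individually normal for this user, but they never appear together in one statement in the training set.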
[Degree-granting institution]: Beijing Jiaotong University
[Degree level]: Master's
[Year degree granted]: 2014
[Classification number]: TP311.13; TP393.08

