TW201351171A - Network packet and database packet audit system and correlation auditing apparatus and method - Google Patents
- Publication number: TW201351171A (application number TW101120622A)
- Authority: TW (Taiwan)
- Prior art keywords
- sql database
- various
- packet
- addressing information
- sql
- Prior art date
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
Description
The present invention relates to a network packet and database packet audit system and its correlation auditing apparatus and method, and in particular to one that works by computing statistics on occurrence counts, so that it does not need to parse and compare large amounts of packet content; this improves processing performance and saves packet storage space.
Given how quickly the reach and convenience of networks have grown, the Internet has become today's mainstream medium for conveying information, and companies, large hospitals and the like have all built local networks of their own.
The ubiquity and convenience of the Internet also bring information security problems. Because anyone may access or modify data over the network, a good deal of unlawful access to and modification of data over the Internet has followed. Such access over the Internet therefore has to be recorded so that it can serve as the basis for assigning responsibility in a security incident. In the existing Internet architecture, however, a web server accepts client connections, and a client accesses web data by sending HTTP network packets (HTTP requests) to the web server. The data the web server serves is not stored on the web server itself but on a database server (DB server): the web server connects to the database server and sends it SQL database packets (SQL requests) to obtain the data to be returned to the client. Because the web server must accept connections from many clients, it has many ports open to clients, whereas the number of ports it uses towards the database server is comparatively small, so many clients share the same connections to access the database server. Consequently the ports cannot be used to determine which client actually performed which access to the database.
For this reason there is an existing network packet and database packet audit system whose main idea is to establish the association between HTTP network packets and SQL database packets for the purpose of security auditing. Referring to FIG. 9, this system comprises:

A network packet sniffer 61 (HTTP Sniffer), connected between a client 51 and a web server 52, which captures the HTTP network packets sent by the client 51 to the web server 52 and outputs them; each HTTP network packet contains a uniform resource locator (URL) and at least one web page variable.

An SQL database packet sniffer 62 (SQL Sniffer), connected between the web server 52 and a database server 53, which captures the SQL database packets sent by the web server 52 to the database server 53 and outputs them; each SQL database packet contains an SQL database statement (SQL query).

A correlation auditing device 63 (Secure Device), connected to the network packet sniffer 61 and the SQL database packet sniffer 62, with a built-in association-building program, an audit program and a knowledge base, which executes the association-building program and the audit program alternately. While the association-building program runs, the device keeps receiving HTTP network packets and SQL database packets and builds the relationship matrix shown in FIG. 10 from the URLs in the captured HTTP network packets (URL A-D) and the SQL statements in the SQL database packets (SQL A-C). The correlation score of every URL (URL A-D) against every SQL statement (SQL A-C) is initially set to 0 and is then increased or decreased according to how similar the subsequently received HTTP network packets and SQL database packets are (for example by parsing the HTML text and checking whether they contain the same statement, user ID or other variables). If, say, an HTTP network packet containing URL A is received and it contains a variable similar to one in SQL B, the score in the cell for URL A against SQL B is raised; entirely different packets lower the score. Before the association-building program ends, the relationship matrix is stored in the knowledge base. While the audit program runs, the device keeps receiving HTTP network packets and SQL database packets and uses the correlation scores of the relationship matrix in the knowledge base to decide whether an HTTP network packet and an SQL database packet are related, so as to build an audit data table that pairs each HTTP network packet with its related SQL database packets for auditors to query.
Once the correlation auditing device 63 has executed the association-building program and the audit program, the resulting audit data table shows which HTTP network packet corresponds to which SQL database packet. Since an HTTP network packet usually carries information such as the user's IP address or ID, and an SQL database packet carries the command language used to access the SQL database, finding the SQL database packet that corresponds to an HTTP network packet reveals which client performed which SQL database access.
However, because the correlation score set by the correlation auditing device 63 is calculated by comparing the content of the HTTP network packets belonging to each URL (the statements, variables and so on they contain) with the content of the SQL database packets belonging to each SQL statement (the statements, variables and so on they contain), a large amount of storage space is needed to hold the contents of the network and SQL database packets, the HTML text has to be parsed and the SQL syntax extracted from the SQL database packets, and a complex content-comparison procedure has to be run, so the correlation auditing device 63 must perform a great deal of computation. Moreover, the maximum processing load of the existing correlation auditing device 63 is usually only enough for the association-building program, and it can hardly run the audit program at the same time, so the two programs can only be executed alternately; while the audit program is stopped no audit data table can be produced, which leaves a security gap that needs to be remedied.
In view of the poor performance of the above network packet and database packet audit system, the main object of the present invention is to provide a network packet and database packet audit system and a correlation auditing method for it.
The main technical means used to achieve this object is to have the network packet and database packet audit system comprise:

a network packet sniffer, which captures a plurality of HTTP network packets and outputs them, each HTTP network packet containing at least a uniform resource locator (URL);

an SQL database packet sniffer, which captures a plurality of SQL database packets and outputs them, each SQL database packet containing at least an SQL database statement (SQL);

a correlation auditing device, connected to the network packet sniffer and the SQL database packet sniffer, with a built-in association learning and analysis program and an audit program. When executed, the association learning and analysis program divides the time over which the HTTP network packets and SQL database packets are received into a plurality of time intervals, takes the number of occurrences of each URL in each of these intervals as a statistical sample S(X_i) for that URL, takes the number of occurrences of each SQL statement in each interval as a statistical sample S(Y_i) for that SQL statement, and evaluates and stores how strongly the count distributions of the two sets of samples are correlated, as the basis for judging whether a given URL and a given SQL statement are related. The audit program judges whether the various URLs and SQL statements are related according to the degree of correlation between the count distributions of the two sets of samples stored by the association learning and analysis program, and builds an audit data table from which auditors can query the degree of correlation between URLs and SQL statements.
In the existing network architecture an SQL database packet is emitted because the web server received an HTTP network packet, so shortly after the correlation auditing device captures an HTTP network packet it will normally capture the SQL database packet associated with that kind of HTTP network packet. The statistical samples S(X_i) and S(Y_i) of an associated URL and SQL statement are therefore distributed similarly across the time intervals, and the present invention can use the degree of correlation between the distribution over time intervals of HTTP network packets containing a given URL and that of SQL database packets containing a given SQL statement to find the SQL statement that corresponds to each URL, achieving the purpose of security auditing.
Because the correlation auditing device counts how many times each URL and each SQL statement occur in each of the time intervals and then uses the degree of correlation between the resulting statistical samples as the basis for judging whether HTTP network packets and SQL database packets are related, it only has to count occurrences and perform numerical operations on the counts. It need not store the contents of the HTTP network packets and SQL database packets, nor compare their contents, which saves storage space, reduces computational complexity and improves system performance.
In view of the security gap in the above network packet and database packet audit system, a secondary object of the present invention is to avoid the gap created by running the association learning and analysis program and the audit program alternately. To this end, while the correlation auditing device executes the audit program it continues to execute the association learning and analysis program at the same time, so that the correlation data between the various URLs and SQL statements are updated continuously and the audit program's criterion for judging whether a URL and an SQL statement are related is always current. Because the association learning and analysis program proposed by the present invention only performs numerical calculations with a small amount of computation, running it concurrently with the audit program is unlikely to exceed the processing load of the correlation auditing device.
The main technical means used to achieve the above object also includes a correlation auditing method for the network packet and database packet audit system, comprising:

capturing a plurality of HTTP network packets and a plurality of SQL database packets, each HTTP network packet containing a URL and each SQL database packet containing an SQL database statement;

dividing the time over which the HTTP network packets are captured into a plurality of time intervals, taking the number of occurrences of each URL in each interval as a statistical sample S(X_i) for that URL, and taking the number of occurrences of each SQL statement in each interval as a statistical sample S(Y_i) for that SQL statement;

evaluating and storing how strongly the count distributions of the two sets of statistical samples are correlated, as the basis for judging whether the various URLs and SQL statements are related;

judging, according to the degree of correlation between the count distributions of the two sets of statistical samples stored by the association learning and analysis program, whether packets containing the various URLs and packets containing the various SQL statements are related, so as to build an audit data table.
The technical means adopted by the present invention to achieve its objects are further described below with reference to the drawings and preferred embodiments.
Referring to FIG. 1, the network packet and database packet audit system of the present invention comprises:

a network packet sniffer 10, which continuously captures HTTP network packets and outputs them, each HTTP network packet containing at least a uniform resource locator (URL);

an SQL database packet sniffer 20, which continuously captures SQL database packets and outputs them, each SQL database packet containing at least an SQL database statement (SQL query);

a correlation auditing device 30, connected to the network packet sniffer and the SQL database packet sniffer, with a built-in association learning and analysis program and an audit program. When executed, the association learning and analysis program divides the time over which the HTTP network packets and SQL database packets are received into a plurality of time intervals, counts the occurrences of each URL in each interval to form a statistical sample S(X_i) for that URL, counts the occurrences of each SQL statement in each interval to form a statistical sample S(Y_i) for that SQL statement, and evaluates and stores how strongly the count distributions of the two sets of samples S(X_i), S(Y_i) are correlated, as the basis for judging whether a given URL and a given SQL statement are related; because the newest HTTP and SQL database packets keep arriving over time, this basis for the correlation judgement is updated continuously. The audit program judges whether the various URLs and SQL statements are related according to the stored degree of correlation between the count distributions of the two sets of samples S(X_i), S(Y_i), and builds an audit data table. In this embodiment the association learning and analysis program computes the correlation coefficient r of the two sets of samples S(X_i), S(Y_i) over the time intervals, uses that coefficient as the measure of how strongly S(X_i) and S(Y_i) are correlated, and stores each computed coefficient together with the URL and SQL statement it belongs to; the audit program then decides from the magnitude of the stored correlation coefficients whether the various URLs and SQL statements are related. This is further explained below with reference to the drawings.
Referring to FIG. 2, the association learning and analysis program comprises the following steps:

Continuously receiving HTTP network packets and SQL database packets (S11).

Counting, within the current time interval Tb_N, the number X_N of occurrences of each URL and its square X_N², accumulating them into a quantity sum ΣX and a sum of squares ΣX², and storing each URL together with its per-interval counts (Tb_N, X_N), its quantity sum, its sum of squares and the number of samples |X| counted for it (|X| being the number of time intervals in which the URL occurs) in an HTTP network packet hash table (S12). In this embodiment, referring to Tb1 to Tb4 in FIG. 3, before this step the network packet sniffer 10 keeps receiving HTTP network packets and, once a full time interval has elapsed, passes them to the correlation auditing device 30, which assigns each HTTP network packet a batch ID according to the time interval in which it was received. As shown in FIG. 4, if the network packet sniffer 10 captures the URLs URL2 and URL3 in the first time interval, the correlation auditing device 30 assigns URL2 and URL3 the batch ID Tb1; it then counts, for the current batch ID, the number X_i of occurrences of each URL and its square X_i² and adds them to the running sums. As shown in FIG. 5, the HTTP network packet hash table has an addressing-information field, a quantity-sum field, a sum-of-squares field, a sample-count field and a sample-distribution field. The sample-distribution field stores the per-interval counts (Tb_i, X_i) of the URL; for example (Tb2, 2) means that the URL occurred twice in interval Tb2. The sample-count field stores the number of samples counted for each URL.

Counting, within the current time interval Tb_N, the number Y_N of occurrences of each SQL statement and its square Y_N², accumulating them into a quantity sum ΣY and a sum of squares ΣY², and storing each SQL statement together with its per-interval counts (Tb_N, Y_N), its quantity sum, its sum of squares and the number of samples |Y| counted for it (the number of time intervals in which the SQL statement occurs) in an SQL database packet hash table (S13). In this embodiment, as with Tb1 to Tb4 in FIG. 3, before this step the SQL database packet sniffer 20 keeps receiving SQL database packets and, once a full time interval has elapsed, passes them to the correlation auditing device 30, which assigns each SQL statement a batch ID according to the time interval in which its SQL database packet was received. Likewise in FIG. 4, if the SQL database packet sniffer 20 captures the SQL statements SQL1, SQL2 and SQL3 in the first time interval, the correlation auditing device 30 assigns SQL1, SQL2 and SQL3 the batch ID Tb1; it then counts, for the current batch ID, the number Y_i of SQL database packets carrying each SQL statement and its square Y_i² and adds them to the running sums. As shown in FIG. 6, the SQL database packet hash table has an SQL-statement field, a quantity-sum field, a sum-of-squares field, a sample-count field (corresponding to the "number of samples" above) and a sample-distribution field. The sample-distribution field stores the per-interval counts (Tb_i, Y_i) of SQL database packets carrying the SQL statement; for example (Tb1, 1) means that the SQL statement occurred once in time interval 1. The sample-count field of the SQL database packet hash table stores the number of samples counted for each SQL statement.

Computing, within the current time interval, the product X_N × Y_N of the counts of each URL and each SQL statement, accumulating it into a product sum ΣXY, and storing each URL, each SQL statement, the corresponding product sum and the number |X∩Y| of time intervals in which both the URL and the SQL statement were sampled in a statement-to-URL hash table (SQL-HTTP hash table) (S14), as shown in FIG. 7.

Computing the correlation coefficient r between the statistical sample S(X_i) of each URL and the statistical sample S(Y_i) of each SQL statement, with sample count U = |X| + |Y| − |X∩Y| (U therefore varies with |X|, |Y| and |X∩Y|); storing each URL, each SQL statement and the corresponding correlation coefficient (S15); and returning to step S11 of continuously receiving HTTP network packets and SQL database packets. Since ΣX, ΣX², ΣY, ΣY² and ΣXY have already been computed separately in the preceding steps, this step only needs to multiply, divide, square and take square roots of those stored values.

The association learning and analysis program thus uses the correlation coefficient r of the distributions of a URL and an SQL statement over the time intervals to determine whether the URL and the SQL statement are related. The higher the correlation coefficient r, the more similar the distribution of the times at which the URL occurs is to the distribution of the times at which the SQL statement occurs, and so it can be concluded that the web server in the network architecture sent the SQL database packet containing that SQL statement because it received an HTTP network packet containing that URL.
Moreover, since computing the correlation coefficient only requires keeping the quantity sums, sums of squares and product sums, the sample-distribution fields of the HTTP network packet hash table and the SQL database packet hash table are not essential in themselves; they are kept so that outdated associations can be deleted later. A retention threshold can therefore be preset in the association learning and analysis program, and after the data have been stored in the HTTP network packet hash table and the SQL database hash table, the data belonging to the earliest time intervals are deleted according to that threshold. If the threshold is based on time, it is set as a time-interval threshold and the association learning and analysis program deletes all data whose time interval is earlier than that threshold; if it is based on data volume, it is set as a data-volume value and the program first deletes the data from the earliest time intervals until the total amount of data is below that value. In this way the associations learned before the threshold are forgotten.
Referring further to FIG. 8, the audit program comprises the following steps: continuously receiving HTTP network packets and SQL database packets (S21); reading the URL contained in each HTTP network packet and the SQL statement contained in each SQL database packet (S22); selecting the URL and SQL-statement pairs whose correlation coefficient exceeds a preset value (the preset value may, for example, be set to 0.5) and marking the corresponding HTTP network packets and SQL database packets as associated (S23); and building the audit data table (S24).
The audit data table can then be audited to see which HTTP network packet's global resource addressing information corresponds to which SQL database packet's SQL database statement, and hence which user (by user ID) caused the web server to issue which commands to the SQL database.
Because the present invention decides whether global resource addressing information and an SQL database statement are related by the correlation of their distributions over time points, it not only avoids complex operations such as content comparison and HTML text parsing and avoids storing the contents of a large number of packets; because only the various sums, sums of squares and sums of products need be retained while the correlation coefficient is computed, the values computed later as the association learning analysis program keeps running (the values computed after step S17 has been executed once and the program has returned to step S11) can simply be added to the previously computed values to obtain a new correlation coefficient. For example, after the time intervals Tb1 to Tb4 have been captured, the values for N=4 are already stored; when the values are counted in interval Tb5, since [formula missing from the page], only the values of interval 5, namely X_5, [term missing from the page], Y_5, Y_5^2 and X_5 Y_5, need be computed and added to the values previously computed at N=4 to obtain the values at N=5, from which the correlation coefficient is computed. Likewise, when N=200 is to be computed, the values at N=199 are already stored and the correlation auditing device 30 need only compute the values for N=200, with no increase in storage space or amount of computation, so that after many such computations the resulting correlation coefficient reflects the association between all global resource addressing information and SQL database statements received since the association learning analysis program began executing. By contrast, prior art that compares packet contents is limited by the storage capacity for packets and the maximum computational load and cannot store and compare all packets; the present invention therefore also achieves higher accuracy.
In summary, the correlation auditing device of the present invention computes, from the statistical samples of how global resource addressing information and SQL database statements are distributed over the time intervals, a correlation coefficient that serves as the basis for deciding whether a given piece of global resource addressing information and a given SQL database statement are related. Numerical computation thereby replaces the complex and computationally expensive content-comparison step, greatly reducing the amount of computation and removing the need to store large amounts of packet content, so that the association learning analysis program can run together with the audit program and the creation of security vulnerabilities is further avoided. Moreover, after running for some time (after many time intervals), the distribution over the time intervals of the global resource addressing information and SQL database statements received at the very beginning is still reflected in the newly computed correlation coefficient, without any increase in storage space or amount of computation, so the accuracy of the decision is improved at no extra computational cost.
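The running-sum scheme described above (the retention threshold of the association learning analysis program, the audit program's comparison of each correlation coefficient against a preset value such as 0.5, and the incremental update from N=4 to N=5) as an added Python example; this is not code from the patent, and the class and function names, the sample URLs and SQL statements, and the six-interval counts are all constructed here. Per closed interval Tb_i, X_i is the number of HTTP packets carrying a URL and Y_i the number of SQL packets carrying a statement; only N, sum X, sum X^2 (per URL), sum Y, sum Y^2 (per statement) and sum XY (per pair) are kept, and the per-interval counts are retained only so that the oldest interval can be subtracted out when the retention threshold is exceeded. A constant-rate statement (a keep-alive query) has zero variance, so its coefficient is undefined and is reported as 0, never as an association.

```python
"""URL-to-SQL-statement correlation auditing with running sums.

Added example, not code from the patent; all names and sample data are constructed.
"""
from collections import defaultdict, deque
from itertools import product
from math import sqrt


def pearson_from_sums(n, sx, sy, sxx, syy, sxy):
    """Pearson r from the six running sums; 0.0 when either series is constant."""
    num = n * sxy - sx * sy
    var_x = n * sxx - sx * sx
    var_y = n * syy - sy * sy
    if var_x <= 0 or var_y <= 0:   # e.g. a keep-alive query sent every interval: r undefined
        return 0.0
    return num / sqrt(var_x * var_y)


def pearson_batch(xs, ys):
    """Reference computation over the full series, used to check the incremental sums."""
    return pearson_from_sums(len(xs), sum(xs), sum(ys), sum(x * x for x in xs),
                             sum(y * y for y in ys), sum(x * y for x, y in zip(xs, ys)))


class Auditor:
    def __init__(self, max_intervals=None, threshold=0.5):
        self.max_intervals = max_intervals   # retention threshold, data-amount form (None = keep all)
        self.threshold = threshold           # r above this => the packets are associated
        self.n = 0                           # N: number of retained intervals
        self.url_sum = defaultdict(lambda: [0, 0])   # HTTP hash table: url -> [sum X, sum X^2]
        self.sql_sum = defaultdict(lambda: [0, 0])   # SQL hash table: stmt -> [sum Y, sum Y^2]
        self.pair_xy = defaultdict(int)              # statement-vs-address table: (url, stmt) -> sum XY
        self.history = deque()                       # sample distribution, kept only for deletion

    def _apply(self, url_counts, sql_counts, sign):
        """Add (sign=+1) or remove (sign=-1) one interval's counts from the sums."""
        for u, x in url_counts.items():
            self.url_sum[u][0] += sign * x
            self.url_sum[u][1] += sign * x * x
        for s, y in sql_counts.items():
            self.sql_sum[s][0] += sign * y
            self.sql_sum[s][1] += sign * y * y
        for (u, x), (s, y) in product(url_counts.items(), sql_counts.items()):
            self.pair_xy[(u, s)] += sign * x * y   # an absent entry counts as 0, so no term is needed

    def add_interval(self, interval_id, url_counts, sql_counts):
        """Fold one closed interval in, then forget the oldest intervals beyond the threshold."""
        self._apply(url_counts, sql_counts, +1)
        self.history.append((interval_id, dict(url_counts), dict(sql_counts)))
        self.n += 1
        while self.max_intervals is not None and self.n > self.max_intervals:
            _, old_url, old_sql = self.history.popleft()
            self._apply(old_url, old_sql, -1)
            self.n -= 1

    def correlation(self, url, stmt):
        sx, sxx = self.url_sum.get(url, (0, 0))
        sy, syy = self.sql_sum.get(stmt, (0, 0))
        return pearson_from_sums(self.n, sx, sy, sxx, syy, self.pair_xy.get((url, stmt), 0))

    def audit_table(self):
        """Steps S23/S24: every (url, statement) pair whose r exceeds the preset value."""
        return sorted((u, s) for u, s in product(list(self.url_sum), list(self.sql_sum))
                      if self.correlation(u, s) > self.threshold)


# Constructed sample: counts per URL / statement in six closed intervals Tb1..Tb6.
SAMPLE_URL = {
    "/patient?id=7": [3, 0, 5, 1, 4, 0],
    "/login":        [1, 4, 0, 2, 0, 3],
}
SAMPLE_SQL = {
    "SELECT * FROM patient WHERE id=?":  [3, 0, 5, 1, 4, 1],
    "SELECT pw FROM users WHERE name=?": [1, 4, 0, 2, 0, 3],
    "SELECT 1":                          [2, 2, 2, 2, 2, 2],   # pool keep-alive: constant
}


def feed(auditor, url_series, sql_series):
    """Replay the sample interval by interval; zero counts are left out like absent hash entries."""
    for i in range(len(next(iter(url_series.values())))):
        url_counts = {u: c[i] for u, c in url_series.items() if c[i]}
        sql_counts = {s: c[i] for s, c in sql_series.items() if c[i]}
        auditor.add_interval(f"Tb{i + 1}", url_counts, sql_counts)
    return auditor


if __name__ == "__main__":
    a = feed(Auditor(), SAMPLE_URL, SAMPLE_SQL)
    for u, s in product(SAMPLE_URL, SAMPLE_SQL):
        print(f"{a.correlation(u, s):+.3f}  {u}  <->  {s}")
    print("audit table:", a.audit_table())
```

With `max_intervals=4` the auditor keeps only Tb3..Tb6, and its sums are identical to those of a fresh auditor fed just those four intervals, which is the property the retention threshold relies on; a time-value threshold would work the same way, popping from `history` by interval timestamp instead of by count.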
10‧‧‧Network packet listener
20‧‧‧SQL database packet listener
30‧‧‧Correlation auditing device
51‧‧‧Client
52‧‧‧Web server
53‧‧‧Database server
61‧‧‧Network packet listener
62‧‧‧SQL database packet listener
63‧‧‧Correlation auditing device
FIG. 1 is a block diagram of the network packet and database packet auditing system of the present invention.
FIG. 2 is a flow chart of the association learning analysis program of the correlation auditing device of FIG. 1.
FIG. 3 is a schematic diagram of the time-interval distribution of the network packet stream and the SQL database packet stream received by the correlation auditing device of FIG. 1.
FIG. 4 is the interval number table by which the correlation auditing device of FIG. 1 divides the HTTP network packets and SQL database packets into a plurality of time intervals.
FIG. 5 is the HTTP network packet hash table built by the step of FIG. 2 that stores the counts into the HTTP network packet hash table.
FIG. 6 is the SQL database packet hash table built by the step of FIG. 2 that stores the counts into the SQL database packet hash table.
FIG. 7 is the statement-versus-addressing-information hash table built by the step of FIG. 2 that stores the computed sums of products into that table.
FIG. 8 is a flow chart of the audit program of the correlation auditing device of FIG. 1.
FIG. 9 is a block diagram of a prior-art network packet and database packet auditing system deployed in an existing network architecture.
FIG. 10 is the relationship matrix table built by a prior-art correlation auditing device.
Claims (27)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
TW101120622A TW201351171A (en) | 2012-06-08 | 2012-06-08 | Network packet and database packet audit system and correlation auditing apparatus and method |
Publications (2)
Publication Number | Publication Date |
---|---|
TW201351171A true TW201351171A (en) | 2013-12-16 |
TWI457774B TWI457774B (en) | 2014-10-21 |
Family
ID=50158021
Country Status (1)
Country | Link |
---|---|
TW (1) | TW201351171A (en) |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7650634B2 (en) * | 2002-02-08 | 2010-01-19 | Juniper Networks, Inc. | Intelligent integrated network security device |
US7017186B2 (en) * | 2002-07-30 | 2006-03-21 | Steelcloud, Inc. | Intrusion detection system using self-organizing clusters |
TWI389504B (en) * | 2009-07-28 | 2013-03-11 | Chunghwa Telecom Co Ltd | IP network traffic error detection and analysis system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
GD4A | Issue of patent certificate for granted invention patent |