Summary of Anti-hacker Intrusion Technology in Database System
1. Introduction

With the rapid development of computer technology, databases are used extensively in almost every field, and data security problems have followed. The security of the large volumes of data held in application system databases, and the protection of sensitive data against theft and tampering, receive ever more attention. As a collection of information, the database system is the core component of a computer information system; its security matters to the success of enterprises and even to national security. How to effectively secure a database system and achieve the confidentiality, integrity and effectiveness of its data has therefore become one of the important topics explored by the industry. This paper briefly discusses anti-intrusion security technology.

The security of a database system depends not only on its own internal security mechanisms, but also on the external network environment, the application environment and the quality of its staff. Broadly speaking, the security framework of a database system can therefore be divided into three levels:

(1) Network system level;

(2) Host operating system level;

(3) Database management system level.

These three levels together make up the security system of a database system. Moving from the first to the third, each level is more closely tied to the data itself and the importance of its protection grows, so data is protected from the outside in, layer by layer. The three levels of this security framework are discussed below.

2. Network system-level security technology

Broadly speaking, the security of a database depends first on the network system. With the development and spread of the Internet, more and more companies move their core business onto the network, and network-based database application systems have sprung up to provide information services to network users. The network system is the external environment and foundation of database applications: a database system cannot play its full role without the support of the network, and its users (such as remote and distributed users) access database data through it. Network security is therefore the first barrier of database security, and an external intrusion begins with an intrusion of the network system. A network intrusion is an attempt to compromise the integrity or confidentiality of an information system, or to disrupt its trusted network activity, and has the following characteristics [1]:

a) There are no geographical or time constraints; an attack across national borders is as easy as one launched locally;

b) Attacks carried out over the network are mixed in with a large volume of normal network activity, so they are highly concealed;

c) The means of intrusion are increasingly subtle and complex.

The threats faced by a computer network system in an open environment mainly include the following types [2]: a) spoofing; b) replay; c) message modification; d) denial of service; e) trap doors; f) Trojan horses; g) other attacks, such as tunnelling attacks and attacks on application software. These threats are everywhere, so effective measures must be taken to secure the system.

From a technical point of view, there are many kinds of security technology at the network system level; they can be roughly divided into firewalls, intrusion detection, collaborative intrusion detection and so on.

(1) Firewall. The firewall is one of the most widely used protective technologies. As the system's first line of defence, its main function is to monitor the access channel between the trusted and the untrusted network. It forms a protective barrier between the internal and external networks that intercepts illegal access from outside and prevents leakage of internal information, but it cannot prevent illegal operations originating inside the network. It decides whether to block a flow of information according to preset rules, but cannot dynamically identify attacks or adapt its rules, so its intelligence is limited. There are three main firewall technologies: packet filtering, proxying and stateful inspection. Modern firewall products usually combine these techniques.

(2) Intrusion detection. The intrusion detection system (IDS) is a protective technology developed in recent years. It draws on statistics, rule-based methods, network communication technology, artificial intelligence, cryptography, reasoning and other techniques, and its function is to monitor whether the network and computer systems are being intruded upon or abused. In 1987, Dorothy Denning first put forward the idea of intrusion detection. After continuous development and improvement, the IDS has become a standard solution for monitoring and identifying attacks and an important part of the security defence system.

The analysis techniques used in intrusion detection fall into three categories: signature analysis, statistical analysis and data integrity analysis.

① Signature analysis. This is mainly used to detect behaviour that attacks known weaknesses of the system. The characteristics of an attack are inferred from its pattern and written into the code of the IDS; signature analysis is in effect a template-matching operation.

② Statistical analysis. Based on statistics, the system judges whether an action deviates from the normal trajectory by comparing it with the action patterns observed during normal use of the system.

③ Data integrity analysis. Based on cryptographic techniques, the system verifies whether files or objects have been modified by others.

Intrusion detection systems can be classified as network-based or host-based, signature-based or anomaly-based, and real-time or non-real-time, among other distinctions [1].
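The three analysis categories above, applied to database audit records, as an added example that is not part of the original paper. The audit log, the user baseline, the signature rule and the HMAC key are all constructed for illustration.

```python
import hmac
import hashlib
import re
import statistics

# Constructed database audit records: (user, queries in a one-minute window, query text).
AUDIT_LOG = [
    ("alice", 12, "SELECT name FROM staff WHERE id = 7"),
    ("bob", 9, "SELECT * FROM salaries"),
    ("alice", 250, "SELECT * FROM staff"),
]
# Constructed per-user baseline: per-minute query counts observed under normal use.
BASELINE = {"alice": [10, 12, 11, 13, 9, 12]}

# 1) Signature analysis: known-bad behaviour written into the detector as a rule (constructed rule).
SIGNATURES = {"bulk read of sensitive table": re.compile(r"^SELECT \* FROM salaries\b", re.I)}

def signature_alerts(log):
    # Template matching: every rule is tried against every query.
    return [(user, name) for user, _, query in log for name, rule in SIGNATURES.items() if rule.search(query)]

# 2) Statistical analysis: flag a window whose count deviates too far from the user's normal pattern.
def statistical_alerts(log, baseline, z_threshold=3.0):
    alerts = []
    for user, count, _ in log:
        history = baseline.get(user, [])
        if len(history) < 2:                      # no model of "normal" yet: deviation cannot be judged
            continue
        mean, sd = statistics.mean(history), statistics.pstdev(history)
        if sd and (count - mean) / sd > z_threshold:
            alerts.append((user, count))
    return alerts

# 3) Data integrity analysis: keyed hash (HMAC) of a file or object compared with a stored reference.
INTEGRITY_KEY = b"constructed-integrity-key"

def reference_digest(content: bytes) -> str:
    return hmac.new(INTEGRITY_KEY, content, hashlib.sha256).hexdigest()

def integrity_intact(content: bytes, stored_digest: str) -> bool:
    return hmac.compare_digest(reference_digest(content), stored_digest)
```

Note that a user without a baseline (bob) produces no statistical alert at all, which is why the signature and integrity methods are needed alongside it.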

(3) Collaborative intrusion detection technology

An independent intrusion detection system cannot effectively detect and respond to large-scale intrusion activity. To make up for the limitations of operating in isolation, the idea of the collaborative intrusion detection system was proposed. In such a system the IDS components follow a unified specification and automatically exchange information with one another, which makes detection more effective and suits different network environments [3].

3. Host operating system-level security technology

The operating system is the platform on which a large database system runs, and it provides a certain degree of security protection for the database system. At present most operating system platforms are Windows NT and Unix, whose security levels are usually C1 and C2. The main security technologies are the operating system security policy, the security management strategy and data security.

The operating system security policy configures the security settings of the local computer, including the password policy, account lockout policy, audit policy, IP security policy, user rights assignment, encrypted data recovery agents and other security options [7]. It is reflected in user accounts, passwords, access rights, auditing and so on.

User account: the user's "ID card" for accessing the system. Only legitimate users have accounts.

Password: the user's password authenticates the user to the system.

Access rights: specify what the user is permitted to do.

Audit: tracks and records the user's behaviour, so that the system administrator can analyse access to the system and trace it afterwards.

The security management strategy refers to the methods and policies adopted by network administrators to manage the security of the system. The strategies differ for different operating systems and network environments, but their core is to secure the server and assign rights to the various users.

Data security is mainly embodied in data encryption, data backup, data storage security, data transmission security and so on. Many technologies can be used, mainly including Kerberos authentication, IPSec, SSL, TLS and VPN (PPTP, L2TP).

4. Database management system-level security technology

The security of a database system depends to a great extent on the database management system. If the security mechanism of the DBMS is strong, the database system as a whole is more secure. At present the security functions of the popular relational DBMS products on the market are weak, which leaves the database system exposed to a certain degree.

Because the database system is managed as files under the operating system, an intruder can exploit loopholes in the operating system to steal database files directly, or use OS tools to forge and tamper with the contents of database files. This kind of hidden danger is hard for database users to detect, and analysing and closing this kind of vulnerability is regarded as a B2-level security measure [4].

The DBMS-level security technology is mainly intended to solve this problem: the security of the database data must still be guaranteed after the first two levels have been broken, which requires the DBMS to have a strong security mechanism of its own. One effective way to achieve this is for the DBMS to encrypt the database files, so that even if the data is leaked or lost it remains hard to decipher and read.

Encryption of database data can be considered at three different levels: the OS layer, the DBMS kernel layer and the DBMS outer layer.

(1) Encryption at the operating system layer. At the OS layer the data relationships inside a database file cannot be identified, so a reasonable key cannot be generated, and managing and using keys sensibly is difficult. For large databases it is therefore hard to encrypt database files at the OS layer.

(2) Encryption in the DBMS kernel layer. Here data is encrypted/decrypted before physical access. The advantage of this method is strong encryption that hardly affects the functions of the DBMS and couples seamlessly with it. Its disadvantage is that the encryption is performed on the server side, which increases the server's load, and the interface between the DBMS and the encryptor needs the support of the DBMS developers.

[Figure: encryption in the DBMS kernel layer. Components: encryption requirements definition tool; database management system (DBMS); database application system; encryption equipment (software or hardware).]

(3) Encryption in the outer layer of the DBMS. A more practical method is to use the database encryption system as an external tool of the DBMS, which encrypts/decrypts database data automatically according to the defined encryption requirements:

[Figure: encryption in the DBMS outer layer. Components: encryption requirements definition tool; encryptor (software or hardware); database management system (DBMS); database application system.]

With this method the encryption/decryption operations can be performed at the client. Its advantages are that it does not add load to the database server and can also protect data in transit. Its disadvantages are that the encryption functions are more limited and the coupling with the DBMS is somewhat weaker.

The principle of implementing encryption in the outer layer of the DBMS is explained further below.

The database encryption system is divided into two functionally independent parts: the encryption dictionary management program and the database encryption/decryption engine. The system stores the user's specific encryption requirements for the database, together with basic information, in an encryption dictionary, and performs table encryption, decryption and data conversion by calling the encryption/decryption engine. Encryption and decryption of database information happen in the background and are transparent to the database server.

[Figure: structure of the database encryption system. Components: encryption dictionary manager; encryption system; application program; database encryption/decryption engine; database server; encryption dictionary; user data.]

A database encryption system built this way has several advantages: first, it is completely transparent to the end users of the database, and administrators can convert between plaintext and ciphertext as needed; second, the encryption system is completely independent of the database application, so encryption can be added without changing the application; third, encryption and decryption are carried out at the client, so the efficiency of the database server is not affected.

The database encryption/decryption engine is the core component of the system. It sits between the application and the database server and encrypts/decrypts database information in the background, transparently to application developers and operators. The engine has no user interface; it is loaded automatically by the operating system, resides in memory when needed, and communicates with the encryption dictionary management program and the user application through internal interfaces. It consists of three modules, the encryption/decryption processing module, the user interface module and the database interface module, as shown in Figure 4. The main job of the database interface module is to accept the user's operation requests and pass them to the encryption/decryption processing module; it also accesses the database server on behalf of the processing module and converts between external interface parameters and the engine's internal data structures. The encryption/decryption processing module initialises the engine, processes internal special commands, retrieves encryption dictionary information, manages the encryption dictionary buffer, performs the encryption conversion of SQL commands and the decryption of query results, implements the encryption and decryption algorithms, and provides some common auxiliary functions.

The main data encryption/decryption process is as follows:

1) Parse the syntax of the SQL command. If the syntax is correct, proceed to the next step; if not, go to 6) and submit the SQL command directly to the database server for processing.

2) Is the command an internal control command for the database encryption/decryption engine? If yes, process the internal control command and then go to 7); if not, continue to the next step.

3) Check whether the encryption/decryption engine is turned off, or whether the SQL command only needs to be compiled. If yes, go to 6); otherwise go to the next step.

4) Search the encryption dictionary and, according to the encryption definitions, analyse the encryption and decryption semantics of the SQL command.

5) Does the SQL command need to be encrypted? If yes, perform the encryption conversion of the SQL command and replace the original command, then go to the next step; otherwise go directly to the next step.

6) Send the SQL command to the database server for processing.

7) After the SQL command has been executed, empty the SQL command buffer.
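The seven-step flow above, worked through in code as an added example that is not part of the original paper. It assumes a constructed encryption dictionary keyed by (table, column), a toy grammar that accepts only simple INSERT and SELECT statements, and a toy deterministic stream cipher standing in for a real one; an in-memory SQLite database plays the database server so that it can be shown that only ciphertext reaches it.

```python
import hashlib
import re
import sqlite3

# Constructed encryption dictionary: (table, column) -> key. Columns not listed stay plaintext.
ENCRYPTION_DICTIONARY = {("staff", "salary"): b"demo-key-salary", ("staff", "ssn"): b"demo-key-ssn"}
def _xor_keystream(key: bytes, data: bytes) -> bytes:
    # Toy deterministic stream cipher (SHA-256 keystream); determinism lets an encrypted WHERE literal match.
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))
def encrypt_value(key: bytes, text: str) -> str: return _xor_keystream(key, text.encode()).hex()
def decrypt_value(key: bytes, hexstr: str) -> str: return _xor_keystream(key, bytes.fromhex(hexstr)).decode()

class EncryptionEngine:
    INSERT = re.compile(r"INSERT INTO (\w+) \(([\w, ]+)\) VALUES \((.+)\)")
    SELECT = re.compile(r"SELECT ([\w, ]+) FROM (\w+)(?: WHERE (\w+) = '([^']*)')?")
    def __init__(self, dictionary):
        self.dictionary, self.enabled = dictionary, True
    def rewrite(self, sql: str):
        # Steps 1-5: returns (sql_for_server, selected_columns), or (None, None) for a control command.
        sql, key = sql.strip(), self.dictionary.get
        if sql.upper() in ("ENGINE ON", "ENGINE OFF"):            # 2) internal control command, never sent on
            self.enabled = sql.upper() == "ENGINE ON"
            return None, None
        m_ins, m_sel = self.INSERT.fullmatch(sql), self.SELECT.fullmatch(sql)
        if not self.enabled or not (m_ins or m_sel):              # 1)/3) unparsed or engine off: pass through, 6)
            return sql, None
        if m_ins:                                                 # 4)/5) consult dictionary, encrypt listed columns
            table, cols = m_ins.group(1), [c.strip() for c in m_ins.group(2).split(",")]
            vals = [v.strip().strip("'") for v in m_ins.group(3).split(",")]
            vals = [encrypt_value(key((table, c)), v) if key((table, c)) else v for c, v in zip(cols, vals)]
            return f"INSERT INTO {table} ({', '.join(cols)}) VALUES ({', '.join(repr(v) for v in vals)})", None
        cols, table, wcol, wval = m_sel.groups()
        cols = [c.strip() for c in cols.split(",")]
        if wcol and key((table, wcol)):                           # equality lookup on an encrypted column
            wval = encrypt_value(key((table, wcol)), wval)
        where = f" WHERE {wcol} = '{wval}'" if wcol else ""
        return f"SELECT {', '.join(cols)} FROM {table}{where}", [(table, c) for c in cols]
    def decrypt_row(self, columns, row):
        # Decrypt query results for the client; the server only ever handled ciphertext.
        return tuple(decrypt_value(self.dictionary.get(tc), v) if self.dictionary.get(tc) else v for tc, v in zip(columns, row))

def demo():
    # Run the flow against an in-memory SQLite "server": stored salary is ciphertext, the client sees plaintext.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE staff (name TEXT, salary TEXT, ssn TEXT)")
    eng = EncryptionEngine(ENCRYPTION_DICTIONARY)
    db.execute(eng.rewrite("INSERT INTO staff (name, salary, ssn) VALUES ('alice', '90000', '123-45-6789')")[0])
    stored_salary = db.execute("SELECT salary FROM staff").fetchone()[0]
    sql, cols = eng.rewrite("SELECT name, salary FROM staff WHERE ssn = '123-45-6789'")
    return stored_salary, eng.decrypt_row(cols, db.execute(sql).fetchone())
```

Because the cipher is deterministic, equal plaintexts produce equal ciphertexts, which is what makes the WHERE lookup work but also leaks equality to the server; a production design would use a proper cipher and weigh that trade-off.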

The above example illustrates the principle of implementing encryption in the outer layer of the database management system.

5. Concluding remarks

This paper has summarised the security and anti-intrusion technology of database systems, proposed a three-level framework for database system security, and described the technical means at each level. Taking the implementation of encryption in the outer layer of the database management system as an example, it has explained in detail how security technology can be applied at the DBMS level.

The three levels of the database security framework complement one another; the emphasis of protection and the technical means differ at each level. A sound security system must consider all of these technologies together to keep data secure.