Database System Anti-hacker Intrusion Technology Summary

xiaoxiao2021-03-05  25

1 Introduction

With the rapid development of computer technology, databases are widely used and reach into ever more areas, but this brings data security problems. Application systems of all kinds store large amounts of data in databases, and the problems of preventing leakage and tampering of sensitive data receive increasing attention. A database system is an aggregate of information and the core component of a computer information system; its security is critical and bears on the rise and fall of companies and on national security. How to effectively ensure the security of database systems and the confidentiality, integrity and availability of data has therefore become an important research topic for practitioners. This article gives a brief discussion of security intrusion technology.

Besides the security mechanisms of the database system itself, its security also depends on the external network environment, the application environment, staff quality and other factors. In a broad sense, the security framework of a database system can therefore be divided into three levels:

(1) Network system level;

(2) Host operating system level;

(3) Database management system level.

These three levels together constitute the security system of a database system. Going from the outside inward, each level is more closely tied to the data, and the importance of protection grows layer by layer until it reaches the data itself. The three levels of the security framework are discussed below.

2. Network System Hierarchical Security Technology

In general, the security of a database depends on the network system. With the spread of the Internet, more and more companies are moving their core business online, and network-based database applications keep emerging, providing information services of many kinds to network users. The network system is thus the external environment and foundation of database applications: a database system can only play its full role with the support of the network system, and its users (users at different sites, distributed users) access the database through the network. The security of the network system is the first barrier of database security, and an external intrusion begins with an intrusion into the network system. A network intrusion attempts to destroy the integrity, confidentiality or trustworthiness of an information system's network activity, and has the following characteristics [1]:

a) It is not limited by region or time; an attack across national borders is as convenient as one on site;

b) Attacks through the network tend to be mixed into a large volume of normal network activity and are thus concealed;

c) Intrusions are becoming more hidden and more complicated.

The threats faced by computer network systems in an open environment are of the following types [2]: a) spoofing; b) replay; c) modification of messages; d) denial of service; e) trapdoors; f) Trojan horses; g) other attacks such as tunneling attacks and application software attacks. These security threats exist at all times and everywhere, so effective measures must be taken to ensure the security of the system.

From a technical perspective, there are many kinds of security technology at the network system level; they can be roughly divided into firewalls, intrusion detection, collaborative intrusion detection, and so on.

(1) Firewall. The firewall is the most widely used type of prevention technology. As the first line of defense of the system, its main function is to monitor the access channel between a trusted network and an untrusted network. It forms a protective barrier between the internal and external networks, intercepting illegal access from outside and blocking leakage of internal information, but it cannot block illegal operations from inside the network. It decides whether to intercept a flow according to preset rules, and cannot dynamically identify threats or adapt its rules, so its intelligence is limited. There are three main types of firewall technology: packet filtering, proxy, and stateful inspection; modern firewall products typically combine them.

(2) Intrusion detection. An Intrusion Detection System (IDS) is a prevention technology developed in recent years. It combines statistics, rules, network communication technology, artificial intelligence, cryptography, reasoning and other techniques to determine whether a network or computer system shows indications of intrusion or abuse. Dorothy Denning first proposed intrusion detection in 1987. The technology has since developed and matured into a standard solution for monitoring and identifying attacks, and IDS has become an important part of the security defense system.

The analytical techniques used by intrusion detection fall into three categories: signature analysis, statistical analysis and data integrity analysis.

1 Signature analysis. Mainly used to monitor behavior that exploits known weaknesses of the system. Signatures are summarized from attack patterns and written into the code of the IDS. Signature analysis is essentially a template (pattern) matching operation.

2 Statistical analysis. Based on statistics: the pattern of actions observed under normal use serves as a baseline, and an action is judged by whether it deviates from the normal track.

3 Data integrity analysis. Based on cryptography; it verifies whether a file or object has been modified by someone else.

The types of IDS include network-based and host-based intrusion detection systems, signature-based and anomaly-based intrusion detection systems, and real-time and non-real-time intrusion detection systems [1].
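The three analysis techniques above, each reduced to one working function: an added example, not part of the original article. The signature patterns, the request-rate baseline, the file contents and the integrity key are all constructed for the demo.

```python
"""Added example (not from the article): one minimal instance of each of the three
IDS analysis techniques above, run over constructed sample data."""
import hashlib
import hmac
import re
import statistics

# 1. Signature analysis: known attack patterns summarised into templates that are
#    matched against each event.  Patterns and log lines are constructed for the demo.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sql-tautology": re.compile(r"'\s*or\s+'1'\s*=\s*'1", re.IGNORECASE),
}


def signature_matches(event: str) -> list:
    """Names of every signature template that matches the event."""
    return [name for name, pattern in SIGNATURES.items() if pattern.search(event)]


# 2. Statistical analysis: a baseline of normal activity (requests per minute for one
#    account) and a z-score test for observations that leave the normal track.
def statistical_anomalies(baseline: list, observed: dict, z_threshold: float = 3.0) -> dict:
    """{minute: count} for each observation more than z_threshold deviations above baseline."""
    mean = statistics.mean(baseline)
    spread = statistics.pstdev(baseline) or 1.0  # guard against a perfectly flat baseline
    return {minute: count for minute, count in observed.items()
            if (count - mean) / spread > z_threshold}


# 3. Data integrity analysis: a keyed digest (HMAC-SHA256) of each protected object is
#    recorded as a baseline and later snapshots are compared against it.  Keying the
#    digest means someone who can rewrite the files cannot also recompute the baseline.
def integrity_baseline(objects: dict, key: bytes) -> dict:
    return {name: hmac.new(key, data, hashlib.sha256).hexdigest()
            for name, data in objects.items()}


def integrity_violations(baseline: dict, objects: dict, key: bytes) -> list:
    """Names of objects that were modified, added or removed since the baseline."""
    current = integrity_baseline(objects, key)
    return sorted(name for name in set(baseline) | set(current)
                  if not hmac.compare_digest(baseline.get(name, ""), current.get(name, "")))


def run_demo() -> dict:
    """Runs all three techniques over constructed inputs and returns their findings."""
    events = ["GET /index.html HTTP/1.1",
              "GET /download?file=../../etc/passwd HTTP/1.1",
              "POST /login user=admin' or '1'='1 HTTP/1.1"]
    baseline = [4, 5, 6, 5, 4, 6, 5, 5]                # normal requests per minute
    observed = {"09:00": 5, "09:01": 6, "09:02": 40}   # burst in the last minute
    key = b"demo-integrity-key"                        # constructed
    original = {"/etc/passwd": b"root:x:0:0", "/bin/login": b"\x7fELF..."}
    tampered = {"/etc/passwd": b"root:x:0:0\nextra:x:0:0", "/bin/login": b"\x7fELF..."}
    return {"signature": {e: signature_matches(e) for e in events if signature_matches(e)},
            "statistical": statistical_anomalies(baseline, observed),
            "integrity": integrity_violations(integrity_baseline(original, key), tampered, key)}
```

The integrity baseline and its key must be kept where the monitored host cannot rewrite them, otherwise the check verifies nothing.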

(3) Collaborative intrusion detection technology

An independent intrusion detection system cannot effectively monitor and react to widespread intrusion activity. To make up for the deficiencies of independent operation, the idea of collaborative intrusion detection systems has been proposed. In a collaborative intrusion detection system, the IDS components follow a unified specification, automatically exchange information with one another, and achieve effective detection of intrusions through that exchange; such systems can be applied to different network environments [3].

3. Host operating system hierarchical security technology

The operating system is the platform on which large database systems run, and it provides a certain degree of security for them. At present, most operating system platforms are Windows NT and UNIX, whose security level is usually C1 or C2. The main security technologies are operating system security policy, security management strategy, data security, and so on.

The operating system security policy is used to configure the security settings of the local computer, including password policy, account lockout policy, audit policy, IP security policy, user rights assignment, encrypted data recovery agents and other security options [7]. Specifically, it is embodied in user accounts, passwords, access permissions, auditing, and so on.

User account: the user's "ID" for accessing the system; only legitimate users have accounts.

Password: the user's password provides authentication when the user accesses the system.

Access permissions: specify the user's permissions.

Audit: tracks and records user behavior, making it easier for the system administrator to analyze the access situation of the system and to investigate afterwards.

Security management strategies are the methods and policies that network administrators adopt to implement security management. They generally differ for different operating systems and network environments; their core is to ensure the security of the server and to assign appropriate rights to the various kinds of users.

Data security is mainly reflected in data encryption, data backup, secure data storage, secure data transmission, and so on. Many technologies can be used, chiefly Kerberos authentication, IPsec, SSL, TLS and VPNs (PPTP, L2TP).

4. Database Management System Hierarchical Security Technology

The security of a database system depends largely on the database management system (DBMS). If the DBMS's security mechanism is strong, the security of the database system is better. The relational DBMSs popular on the market today have rather weak security features, which poses a certain threat to the security of database systems. Since the database system is managed under the operating system, an intruder can exploit an operating system vulnerability to steal database files directly, or use OS tools to forge or tamper with the contents of database files. Ordinary database users find this hidden danger hard to detect; analyzing and blocking this vulnerability is considered a B2-level security measure [4].

DBMS-level security technology is mainly intended to solve this problem: when the first two levels have been breached, it can still safeguard the database data, which requires the DBMS to have a strong security mechanism. One effective approach is for the DBMS to encrypt the database files, so that even if data is leaked or lost, it is difficult to decipher and read.

Encryption of database data can be considered at three different levels: the OS layer, the DBMS core layer, and the DBMS outer layer.

(1) Encryption in the OS layer. At the OS layer, the data relationships inside the database file cannot be recognized, so reasonable keys cannot be generated and it is difficult to manage and use them sensibly. For large databases it is therefore difficult to encrypt database files at the OS layer.

(2) Encryption in the DBMS core layer. Here encryption and decryption are completed before physical access to the data. The advantages are that the encryption is strong and that the encryption feature does not affect the functions of the DBMS, so seamless coupling between the encryption function and the DBMS can be achieved. The disadvantages are that encryption is performed on the server side, increasing the server's load, and that the interface between the DBMS and the encryptor requires support from the DBMS developer.

[Figure: encryption in the DBMS core layer. Components: database application, DBMS, encryptor (software or hardware), definition of encryption requirements.]

(3) Encryption outside the DBMS. A more practical approach is to build the database encryption system as an outer-layer tool of the DBMS that automatically encrypts and decrypts database data according to the encryption requirements:

[Figure: encryption outside the DBMS. Components: tool for defining encryption requirements, encryptor (software or hardware), DBMS, database application.]

With this approach, encryption and decryption can be performed at the client. Its advantages are that the load on the database server is not increased and that data in transit over the network is encrypted; its disadvantages are that the encryption function is subject to some restrictions and that the coupling with the DBMS is somewhat weaker.

Below we explain further the principle of implementing the encryption function in the outer layer of the DBMS:

The database encryption system consists of two main components: the encryption dictionary management program and the database encryption/decryption engine. The system stores the user's specific encryption requirements and basic information in the encryption dictionary, and implements encryption, decryption and data conversion of database tables by calling the encryption/decryption engine. Encryption and decryption of database information is completed in the background and is transparent to the database server.

[Figure: structure of the database encryption system. Components: encryption dictionary management program, application, database encryption/decryption engine, database server, encryption dictionary, user data.]

A database encryption system implemented in this way has many advantages. First, the system is completely transparent to the end user of the database, and the administrator can convert between plaintext and ciphertext as needed. Second, the encryption system is completely independent of the database application system, so data encryption can be implemented without changing the database application.

The database encryption/decryption engine is the core component of the database encryption system. It sits between the application and the database server and is responsible for encrypting and decrypting database information in the background, transparently to applications and operators. The engine has no user interface; it is loaded automatically by the operating system when needed, resides in memory, and communicates with the encryption dictionary manager and the user application through internal interfaces. The engine consists of three major modules: the encryption/decryption processing module, the user interface module and the database interface module, as shown in Figure 4. The database interface module accepts the user's operation request and passes it to the encryption/decryption processing module; it also accesses the database server on behalf of the processing module, and converts between the parameters of the external interface and the internal data structures of the engine. The encryption/decryption processing module performs the initialization of the engine, the processing of internal dedicated commands, retrieval of encryption dictionary information, management of the encryption dictionary buffer, encryption transformation of SQL commands, decryption of query results and implementation of the encryption algorithms, as well as some common auxiliary functions. The main flow of encryption/decryption processing is as follows:

1) Parse the syntax of the SQL command. If the syntax is correct, go to the next step; if not, go to 6) and pass the SQL command directly to the database server.

2) Is it an internal control command for the encryption/decryption engine? If so, process the internal control command and go to 7); otherwise go to the next step.

3) Check whether the encryption/decryption engine is in the closed state or whether the SQL command only needs to be compiled. If so, go to 6); otherwise go to the next step.

4) Retrieve the encryption dictionary and split the SQL command according to the encryption definitions.

5) Does the SQL command need encryption? If so, encrypt it and replace the original SQL command, then go to the next step; otherwise go directly to the next step.

6) Pass the SQL command to the database server for processing.

7) After the SQL command has been executed, clear the SQL command buffer.

The above explains, by way of example, the principle of implementing the encryption function in the outer layer of the DBMS.
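The seven-step flow above in working code: an added example, not from the original article, in which sqlite3 stands in for the database server and the table, column, key id and control-command names are constructed. One deliberate difference from the text: protected values are encrypted as bound parameters rather than by rewriting literals inside the SQL string, so the rewrite cannot introduce injection.

```python
"""Added example (not the article's code): a minimal outer-layer database
encryption/decryption engine following the seven-step flow above.  sqlite3 plays
the database server; table, column, key and control-command names are constructed.
Protected values are encrypted as bound parameters rather than by rewriting
literals inside the SQL text, so the rewrite cannot introduce injection."""
import hashlib
import hmac
import os
import re
import sqlite3

# Encryption dictionary: (table, column) -> key id.  Constructed for the demo.
ENCRYPTION_DICTIONARY = {("employees", "salary"): "hr-key-1",
                         ("employees", "ssn"): "hr-key-1"}
KEYS = {"hr-key-1": bytes(range(32))}  # demo key; real keys come from a key store or HSM


class Encryptor:
    """Stand-in for the 'encryptor (software or hardware)': encrypt-then-MAC stream
    cipher from an HMAC-SHA256 keystream and a random nonce.  Stdlib-only so the
    example runs anywhere; use AES-GCM from a vetted library in practice."""

    def __init__(self, key: bytes):
        self.key = key

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        out, counter = b"", 0
        while len(out) < length:
            out += hmac.new(self.key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def encrypt(self, plaintext: str) -> str:
        nonce, data = os.urandom(12), plaintext.encode("utf-8")
        ct = bytes(a ^ b for a, b in zip(data, self._keystream(nonce, len(data))))
        tag = hmac.new(self.key, nonce + ct, hashlib.sha256).digest()[:16]
        return (nonce + ct + tag).hex()  # stored in the column as hex text

    def decrypt(self, token: str) -> str:
        raw = bytes.fromhex(token)
        nonce, ct, tag = raw[:12], raw[12:-16], raw[-16:]
        expected = hmac.new(self.key, nonce + ct, hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(tag, expected):
            raise ValueError("stored ciphertext failed its integrity check")
        return bytes(a ^ b for a, b in zip(ct, self._keystream(nonce, len(ct)))).decode("utf-8")


class EncryptionEngine:
    """Encryption/decryption engine sitting between the application and the server."""
    INSERT_RE = re.compile(r"^\s*INSERT\s+INTO\s+(\w+)\s*\(([^)]*)\)\s*VALUES\s*\(([^)]*)\)\s*;?\s*$", re.I)
    SELECT_RE = re.compile(r"^\s*SELECT\b.*?\bFROM\s+(\w+)\b", re.I | re.S)  # single-table queries
    CONTROL_COMMANDS = ("ENGINE ON", "ENGINE OFF")  # internal control commands (constructed)

    def __init__(self, conn, dictionary=ENCRYPTION_DICTIONARY, keys=KEYS):
        self.conn, self.dictionary, self.keys = conn, dictionary, keys
        self.enabled = True

    def _encryptor_for(self, table: str, column: str):
        key_id = self.dictionary.get((table.lower(), column.lower()))
        return Encryptor(self.keys[key_id]) if key_id else None

    def execute(self, sql: str, params=()) -> list:
        text = sql.strip().rstrip(";").upper()
        if text in self.CONTROL_COMMANDS:  # step 2: handled locally, then step 7
            self.enabled = text == "ENGINE ON"
            return []
        if not self.enabled:  # step 3: engine closed -> step 6 unchanged
            return self.conn.execute(sql, params).fetchall()
        ins, sel = self.INSERT_RE.match(sql), self.SELECT_RE.match(sql)
        if ins:  # steps 4-5: look up the dictionary, encrypt protected columns
            cols = [c.strip() for c in ins.group(2).split(",")]
            marks = [m.strip() for m in ins.group(3).split(",")]
            if len(cols) != len(marks) or any(m != "?" for m in marks) or len(params) != len(cols):
                raise ValueError("engine rewrites only INSERTs with one '?' per column")
            encs = [self._encryptor_for(ins.group(1), c) for c in cols]
            params = tuple(e.encrypt(str(v)) if e else v for e, v in zip(encs, params))
            return self.conn.execute(sql, params).fetchall()  # step 6
        if sel:  # step 6, then decrypt the result set column by column
            cur = self.conn.execute(sql, params)
            encs = [self._encryptor_for(sel.group(1), d[0]) for d in cur.description]
            return [tuple(e.decrypt(v) if e and v is not None else v
                          for e, v in zip(encs, row)) for row in cur.fetchall()]
        return self.conn.execute(sql, params).fetchall()  # step 1: unparsed -> pass through


def run_demo() -> dict:
    """Constructed walk-through: write and read through the engine, then read the same
    rows directly from the file, as an intruder using OS tools on the database would."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (name TEXT, salary TEXT, ssn TEXT)")
    engine = EncryptionEngine(conn)
    engine.execute("INSERT INTO employees (name, salary, ssn) VALUES (?, ?, ?)",
                   ("alice", "90000", "123-45-6789"))
    via_engine = engine.execute("SELECT name, salary, ssn FROM employees")
    on_disk = conn.execute("SELECT name, salary, ssn FROM employees").fetchall()
    engine.execute("ENGINE OFF")  # engine closed: raw ciphertext is returned unchanged
    return {"via_engine": via_engine, "on_disk": on_disk,
            "closed": engine.execute("SELECT * FROM employees")}
```

Because every value gets a fresh nonce, the stored ciphertext cannot be searched or compared by equality in SQL; this is the kind of restriction on the encryption function that the text notes for the outer-layer approach.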

5. Conclusion

This paper has reviewed database system security intrusion technology, proposed a three-level security framework for database systems, and described the technical means at each level. Taking the encryption function in the DBMS outer layer as an example, it has also explained how security technologies are applied at the database management system level.

The three levels of the database system security framework are complementary; the key points and the technical means differ from level to level. A good security system must consider the combined use of these technologies to ensure the security of data.

Encryption Dictionary

Encryption system

application

Database plus officer

Database server

Encrypted dictionary

User data

The database encryption system implemented in the above manner has many advantages: First, the system is completely transparent to the end user of the database, and the administrator can perform clear text and ciphertic conversion work as needed; secondly, the encryption system is completely independent of the database application system. Data encryption function can be implemented without changing the database application system;

The database plus / debut engine is the core component of the database encryption system. It is located between the application and the database server, which is responsible for completing the addition / detachment processing of database information in the background, which is transparent to applicants and operators. The data plus / debut engine does not have an operation interface, which is automatically loaded by the operating system when needed, and resides in memory, communicating with the encrypted dictionary manager and user application through internal interface. The database plus / outstanding engine consists of three major modules: plus / detachment module, user interface module, and database interface module, as shown in Figure 4. Where the "Database Interface Module" is to accept the user's operational request and passed to the "Plus / Dip Processing Module", but also replace the "Plus / Dip Process Module" to access the database server, and complete the external interface The conversion between the parameters and the internal data structure of the plus / detachment engine. "Plus / Dip Process Module" completes the initialization of the database plus / detachment engine, the processing of internal dedicated commands, retrieval of encrypted dictionary information, management of encrypted dictionary buffers, encryption transformation of SQL commands, detachment results of query results and Adding dense algorithm implementation, but also some common auxiliary functions. The main flow of data plus / detachment processing is as follows:

1) Syntax analysis of the SQL command, if the syntax is correct, turn the next step; if not correct, turn 6), directly handle the SQL command to the database server.

2) Whether is the internal control command for the database plus / detachment engine? If so, process the internal control command, then turn 7); if it is not to turn a step.

3) Check if the database plus / off engine is in a closed state or whether the SQL command only needs to be compiled. If you turn 6), otherwise it will step down.

4) Retrieve the encrypted dictionary, and the SQL command is cleaved in accordance with the encryption definition.

5) Does the SQL command need to encrypt? If so, encrypt the SQL command, replace the original SQL command, then turn a step; otherwise directly to step.

6) Transfer the SQL command to the database server processing.

7) The SQL command is executed, clear the SQL command buffer.

The above explains the principle of encryption function in the outer layer of the DBMS in an example.

5. Conclusion

This paper reviews database system security intrusion technology, proposes three levels of levels of security systems for database systems, and describes three levels of technical means. The text is also the principle of encrypting function in the DBMS outer layer as an example, and how to apply security technologies for the application of database management system levels.

The three levels of the database system security framework are complementary, and the key points of the level and the technical means taken are not the same. A good security system must consider the nuclear use of these technologies to ensure the safety of data.

Encryption Dictionary

Encryption system

application

Database plus officer

Database server

Encrypted dictionary

User data

The database encryption system implemented in the above manner has many advantages: First, the system is completely transparent to the end user of the database, and the administrator can perform clear text and ciphertic conversion work as needed; secondly, the encryption system is completely independent of the database application system. Data encryption function can be implemented without changing the database application system;

The database plus / debut engine is the core component of the database encryption system. It is located between the application and the database server, which is responsible for completing the addition / detachment processing of database information in the background, which is transparent to applicants and operators. The data plus / debut engine does not have an operation interface, which is automatically loaded by the operating system when needed, and resides in memory, communicating with the encrypted dictionary manager and user application through internal interface. The database plus / outstanding engine consists of three major modules: plus / detachment module, user interface module, and database interface module, as shown in Figure 4. Where the "Database Interface Module" is to accept the user's operational request and passed to the "Plus / Dip Processing Module", but also replace the "Plus / Dip Process Module" to access the database server, and complete the external interface The conversion between the parameters and the internal data structure of the plus / detachment engine. "Plus / Dip Process Module" completes the initialization of the database plus / detachment engine, the processing of internal dedicated commands, retrieval of encrypted dictionary information, management of encrypted dictionary buffers, encryption transformation of SQL commands, detachment results of query results and Adding dense algorithm implementation, but also some common auxiliary functions. The main flow of data plus / detachment processing is as follows:

1) Syntax analysis of the SQL command, if the syntax is correct, turn the next step; if not correct, turn 6), directly handle the SQL command to the database server.

2) Whether is the internal control command for the database plus / detachment engine? If so, process the internal control command, then turn 7); if it is not to turn a step.

3) Check if the database plus / off engine is in a closed state or whether the SQL command only needs to be compiled. If you turn 6), otherwise it will step down.

4) Retrieve the encrypted dictionary, and the SQL command is cleaved in accordance with the encryption definition.

5) Does the SQL command need to encrypt? If so, encrypt the SQL command, replace the original SQL command, then turn a step; otherwise directly to step.

6) Transfer the SQL command to the database server processing.

7) The SQL command is executed, clear the SQL command buffer.

The above explains the principle of encryption function in the outer layer of the DBMS in an example.

5. Conclusion

This paper reviews database system security intrusion technology, proposes three levels of levels of security systems for database systems, and describes three levels of technical means. The text is also the principle of encrypting function in the DBMS outer layer as an example, and how to apply security technologies for the application of database management system levels.

The three levels of the database system security framework are complementary, and the key points of the level and the technical means taken are not the same. A good security system must consider the nuclear use of these technologies to ensure the safety of data.

Encryption Dictionary

Encryption system

application

Database plus officer

Database server

Encrypted dictionary

User data

The database encryption system implemented in the above manner has many advantages: First, the system is completely transparent to the end user of the database, and the administrator can perform clear text and ciphertic conversion work as needed; secondly, the encryption system is completely independent of the database application system. Data encryption function can be implemented without changing the database application system;

The database plus / debut engine is the core component of the database encryption system. It is located between the application and the database server, which is responsible for completing the addition / detachment processing of database information in the background, which is transparent to applicants and operators. The data plus / debut engine does not have an operation interface, which is automatically loaded by the operating system when needed, and resides in memory, communicating with the encrypted dictionary manager and user application through internal interface. The database plus / outstanding engine consists of three major modules: plus / detachment module, user interface module, and database interface module, as shown in Figure 4. Where the "Database Interface Module" is to accept the user's operational request and passed to the "Plus / Dip Processing Module", but also replace the "Plus / Dip Process Module" to access the database server, and complete the external interface The conversion between the parameters and the internal data structure of the plus / detachment engine. "Plus / Dip Process Module" completes the initialization of the database plus / detachment engine, the processing of internal dedicated commands, retrieval of encrypted dictionary information, management of encrypted dictionary buffers, encryption transformation of SQL commands, detachment results of query results and Adding dense algorithm implementation, but also some common auxiliary functions. The main flow of data plus / detachment processing is as follows:

1) Syntax analysis of the SQL command, if the syntax is correct, turn the next step; if not correct, turn 6), directly handle the SQL command to the database server.

2) Whether is the internal control command for the database plus / detachment engine? If so, process the internal control command, then turn 7); if it is not to turn a step.

3) Check if the database plus / off engine is in a closed state or whether the SQL command only needs to be compiled. If you turn 6), otherwise it will step down.

4) Retrieve the encrypted dictionary, and the SQL command is cleaved in accordance with the encryption definition.

5) Does the SQL command need to encrypt? If so, encrypt the SQL command, replace the original SQL command, then turn a step; otherwise directly to step.

6) Transfer the SQL command to the database server processing.

7) The SQL command is executed, clear the SQL command buffer.

The above explains the principle of encryption function in the outer layer of the DBMS in an example.

5. Conclusion

This paper reviews database system security intrusion technology, proposes three levels of levels of security systems for database systems, and describes three levels of technical means. The text is also the principle of encrypting function in the DBMS outer layer as an example, and how to apply security technologies for the application of database management system levels.

The three levels of the database system security framework are complementary, and the key points of the level and the technical means taken are not the same. A good security system must consider the nuclear use of these technologies to ensure the safety of data.

(3) Collaborative invasion monitoring technology

Independent intrusion monitoring systems are unable to make effective monitoring and reactions to extensive invasive activities. In order to make up for the lack of independent operation, people have proposed the idea of ​​collaborative intrusion monitoring systems. In a collaborative intrusion monitoring system, IDS is based on a unified specification, and the intrusion monitoring component is automatically exchanged between the invasive monitoring components, and the effective monitoring of intrusion is obtained by exchange of information, which can be applied to different network environments [3].

3. Host operating system hierarchical security technology

The operating system is a running platform for large database systems to provide a certain degree of security for the database system. At present, most of the operating system platforms are concentrated in Windows NT and UNIX, and the security level is usually C1 and C2. The main security technology has operating system security strategies, safety management strategies, data security, etc.

Operating System Security Policy Used to configure the security settings of local computers, including password policies, account lock policies, audit policies, IP security policies, user rights assignment, encrypted data recovery agents, and other security options [7]. Specifically, it can be embodied in user accounts, passwords, access rights, audits, etc. User Account: User Access System's "ID", only legal users have accounts.

Password: The user's password provides a verification for the user access system.

Access Permissions: Specify the user's permissions.

Audit: Track and record the behavior of users, facilitating the access situation of the system administrator analysis system and afterwards.

Safety management strategies are methods and strategies taken by network administrators to implement security management. Aiming at different operating systems, the security management strategy that needs to be taken in the network environment is generally different, and its core is to ensure the security of the server and allocate various types of users.

Data security is mainly reflected in the following aspects: data encryption technology, data backup, data storage security, security of data transmission, etc. There are many technologies that can be used, mainly Kerberos certification, IPSEC, SSL, TLS, VPN (PPTP, L2TP).

4. Database Management System Hierarchical Security Technology

The security of the database system is largely dependent on the database management system. If the database management system security mechanism is very powerful, the security performance of the database system is better. At present, the market is popular in the relational database management system, which has weak security features, which leads to a certain threat to the security of the database system.

Since the database system is managed under the operating system, the intruder can directly use the vulnerability of the operating system to steal the database file, or directly use the OS tool to illegally fake, tamper the contents of the database file. This hidden danger general database user is difficult to detect, analyze and block this vulnerability is considered to be B2-level safety technical measures [4].

The database management system hierarchical security technology is mainly used to solve this problem, that is, when the front two hierarchies have been broken, it can safeguard the security of database data, which requires the database management system to have a powerful security mechanism. One of the effective ways to solve this problem is that the database management system encrypts the database file so that even if the data is unfortunately leaked or lost, it is difficult to be deciphered and read.

We can consider encryption of database data in three different levels, which are OS layers, DBMS core and DBMS outer layers, respectively.

(1) Encryption in OS layer. In the OS layer, the data relationship in the database file cannot be identified, so that a reasonable key cannot be generated, it is difficult to manage and use rationally. Therefore, for large databases, it is difficult to encrypt database files on the OS layer.

(2) Encryption in the DBMS core layer. This encryption means that the data is completed before physical access. This advantage of this encryption method is that the encryption is strong, and the encryption feature does not have the function of the DBMS, which can achieve seamless coupling between the encryption function and the database management system. Its disadvantage is that encryption operations are performed on the server side, and the server's load is increased, and the interface between the DBMS and the encrypsers requires the support of the DBMS developer.

[Figure: encryption in the DBMS core layer. Components shown: define encryption requirements; DBMS; database application; encryptor (software or hardware).]

(3) Encryption implemented outside the DBMS. A more practical approach is to build the database encryption system as an outer-layer tool of the DBMS, which automatically completes the encryption / decryption of database data according to the encryption requirements:

[Figure: encryption in the DBMS outer layer. Components shown: tool for defining encryption requirements; encryptor (software or hardware); DBMS; database application.]

With this method, encryption / decryption can be performed at the client. Its advantages are that the load on the database server is not increased and that data is encrypted while it is transmitted over the network; its disadvantages are that the encryption function is subject to some restrictions and that the coupling with the database management system is somewhat looser.

Below we explain further the principle of implementing the encryption function in the outer layer of the DBMS:

The database encryption system is divided into two main components: an encryption dictionary management program and a database encryption / decryption engine. The system stores the user's specific encryption requirements and basic information in the encryption dictionary, and performs encryption, decryption and data conversion of database tables by calling the encryption / decryption engine. The processing of database information is completed in the background and is transparent to the database server.

[Figure: structure of the encryption system. Components shown: application; database encryption / decryption engine; database server; encryption dictionary; user data; encryption dictionary management.]

A database encryption system implemented in this way has many advantages. First, the system is completely transparent to the end users of the database, and the administrator can convert between plaintext and ciphertext as needed; secondly, the encryption system is completely independent of the database application system, so data encryption can be implemented without changing the database application system.

The database encryption / decryption engine is the core component of the database encryption system. It sits between the application and the database server and is responsible for the encryption / decryption of database information in the background, transparently to application users and operators. The engine has no operator interface; it is loaded automatically by the operating system when needed, resides in memory, and communicates with the encryption dictionary manager and the user application through internal interfaces. The engine consists of three main modules: the encryption / decryption processing module, the user interface module and the database interface module, as shown in Figure 4. The database interface module accepts the user's operation requests and passes them to the encryption / decryption processing module; it also accesses the database server on behalf of the processing module and converts between the external interface parameters and the internal data structures of the engine. The encryption / decryption processing module handles initialisation of the engine, processing of internal dedicated commands, retrieval of encryption dictionary information, management of the encryption dictionary buffer, encryption transformation of SQL commands, decryption of query results and implementation of the encryption algorithms, as well as some common auxiliary functions.

The main flow of encryption / decryption processing is as follows:

1) Perform syntax analysis of the SQL command. If the syntax is correct, go to the next step; if not, go to 6) and hand the SQL command directly to the database server.

2) Is it an internal control command for the encryption / decryption engine? If so, process the internal control command and go to 7); if not, go to the next step.

3) Check whether the engine is in the closed state or whether the SQL command only needs to be compiled. If either holds, go to 6); otherwise go to the next step.

4) Retrieve the encryption dictionary and analyse the SQL command according to the encryption definitions.

5) Does the SQL command need encryption? If so, encrypt the SQL command and replace the original command, then go to the next step; otherwise go directly to the next step.

6) Transfer the SQL command to the database server for processing.

7) The SQL command has been executed; clear the SQL command buffer.

The above explains, by way of an example, the principle of the encryption function in the outer layer of the DBMS.
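The seven-step flow above, as an added example that is not part of the original paper and not any product's code: a Python sketch of an outer-layer encryption / decryption engine sitting between the application and a stand-in database server. The encryption dictionary, the key, the SQL subset the engine recognises and the sample rows are all constructed for the example. For the cipher it uses an SIV-style deterministic scheme built only from HMAC-SHA256 (the synthetic IV is an HMAC of the plaintext bound to its table and column), because the engine must rewrite `WHERE salary = '9000'` into a literal the server can match against stored ciphertext; a production system would use a vetted deterministic AEAD such as AES-SIV, and deterministic encryption by design reveals which rows hold equal values. The decryption of query results that the module description lists but the numbered flow leaves implicit is done between steps 6) and 7).

```python
import hashlib
import hmac
import re

# Constructed encryption dictionary (table -> columns stored encrypted) and key.
ENCRYPTION_DICTIONARY = {"employee": {"salary", "id_number"}}
KEY = b"constructed-demo-key"  # a real deployment uses a managed key
TAG_LEN = 8  # bytes of synthetic IV kept in front of each ciphertext
# Deliberately small SQL subset (step 1 "syntax analysis") to keep the example self-contained.
INSERT_RE = re.compile(r"INSERT INTO (\w+) \(([^)]*)\) VALUES \(([^)]*)\)", re.I)
SELECT_RE = re.compile(r"SELECT ([\w, *]+) FROM (\w+)(?: WHERE (\w+) = '([^']*)')?", re.I)
CONTROL_RE = re.compile(r"ENGINE (ON|OFF)", re.I)

def _split(csv):
    return [x.strip().strip("'") for x in csv.split(",")]

def _keystream(key, tag, length):  # HMAC-SHA256 in counter mode as the PRF
    blocks = (hmac.new(key, tag + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def _tag(key, table, column, pt):
    return hmac.new(key, f"{table}.{column}:".encode() + pt, hashlib.sha256).digest()[:TAG_LEN]

def encrypt_value(key, table, column, plaintext):
    """SIV-style deterministic encryption: the tag is an HMAC of the plaintext bound to
    table.column, so equal values give equal ciphertexts and the tag also authenticates."""
    pt = plaintext.encode()
    tag = _tag(key, table, column, pt)
    return (tag + bytes(a ^ b for a, b in zip(pt, _keystream(key, tag, len(pt))))).hex()

def decrypt_value(key, table, column, stored):
    raw = bytes.fromhex(stored)
    tag, ct = raw[:TAG_LEN], raw[TAG_LEN:]
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, tag, len(ct))))
    if not hmac.compare_digest(tag, _tag(key, table, column, pt)):  # tampered, or never encrypted
        raise ValueError(f"ciphertext for {table}.{column} failed authentication")
    return pt.decode()

class FakeServer:
    """Stand-in for the database server: it only ever sees what the engine sends."""
    def __init__(self):
        self.tables = {}
    def execute(self, sql):
        if ins := INSERT_RE.fullmatch(sql):
            row = dict(zip(_split(ins.group(2)), _split(ins.group(3))))
            self.tables.setdefault(ins.group(1), []).append(row)
            return []
        if sel := SELECT_RE.fullmatch(sql):
            rows = self.tables.get(sel.group(2), [])
            if sel.group(3):  # equality filter evaluated on the stored (cipher)text
                rows = [r for r in rows if r.get(sel.group(3)) == sel.group(4)]
            cols = _split(sel.group(1))
            return [dict(r) if cols == ["*"] else {c: r[c] for c in cols} for r in rows]
        return []  # anything else is ignored by the stand-in

class OuterLayerEngine:
    def __init__(self, key, dictionary, server):
        self.key, self.dictionary, self.server = key, dictionary, server
        self.enabled = True
    def process(self, sql, compile_only=False):
        ins, sel, ctl = INSERT_RE.fullmatch(sql), SELECT_RE.fullmatch(sql), CONTROL_RE.fullmatch(sql)
        if not (ins or sel or ctl):  # step 1: syntax not recognised -> step 6, forward unchanged
            return self.server.execute(sql)
        if ctl:  # step 2: internal control command; nothing reaches the server
            self.enabled = ctl.group(1).upper() == "ON"
            return []
        if not self.enabled or compile_only:  # step 3: engine closed or compile only -> step 6
            return self.server.execute(sql)
        table = ins.group(1) if ins else sel.group(2)
        enc = self.dictionary.get(table, set())  # step 4: consult the encryption dictionary
        if ins:  # step 5: replace literals of encrypted columns with ciphertext
            cols, vals = _split(ins.group(2)), _split(ins.group(3))
            lits = ", ".join(f"'{encrypt_value(self.key, table, c, v) if c in enc else v}'"
                             for c, v in zip(cols, vals))
            return self.server.execute(f"INSERT INTO {table} ({', '.join(cols)}) VALUES ({lits})")
        if sel.group(3) in enc:  # step 5 for a WHERE on an encrypted column: encrypt the literal
            lit = encrypt_value(self.key, table, sel.group(3), sel.group(4))
            sql = f"SELECT {sel.group(1)} FROM {table} WHERE {sel.group(3)} = '{lit}'"
        rows = self.server.execute(sql)  # step 6; encrypted columns are decrypted before step 7
        return [{c: decrypt_value(self.key, table, c, v) if c in enc else v for c, v in r.items()}
                for r in rows]

def demo():
    server = FakeServer()
    engine = OuterLayerEngine(KEY, ENCRYPTION_DICTIONARY, server)
    engine.process("INSERT INTO employee (name, salary) VALUES ('alice', '9000')")
    engine.process("INSERT INTO employee (name, salary) VALUES ('bob', '7500')")
    rows = engine.process("SELECT name, salary FROM employee WHERE salary = '9000'")
    stored = server.tables["employee"][0]["salary"]  # what the server actually holds
    raw = bytes.fromhex(stored)
    tampered = (raw[:-1] + bytes([raw[-1] ^ 1])).hex()  # flip one ciphertext bit
    try:
        decrypt_value(KEY, "employee", "salary", tampered)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    engine.process("ENGINE OFF")  # steps 2-3: engine closed, commands pass through unchanged
    engine.process("INSERT INTO employee (name, salary) VALUES ('carol', '8000')")
    return {"rows": rows, "stored": stored, "tamper_detected": tamper_detected,
            "stored_when_off": server.tables["employee"][2]["salary"]}
```

`demo()` exercises the three behaviours worth checking: the server only ever stores and matches ciphertext for the dictionary's columns, a flipped ciphertext bit is rejected rather than decrypted into a wrong salary, and after the internal `ENGINE OFF` command (step 2) every command passes through untouched (step 3), so an engine that has been switched off silently writes plaintext into an encrypted column; a later read of that row fails authentication, which is why the control command deserves audit logging in a real deployment.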

5. Conclusion

This paper reviews anti-intrusion technology for database system security, proposes a three-level security framework for database systems, and describes the technical means at each of the three levels. It also takes the principle of the encryption function in the DBMS outer layer as an example to show how security technology is applied at the database management system level.

The three levels of the database system security framework are complementary; the emphasis and the technical means taken at each level differ. A good security system must consider the comprehensive use of these technologies to ensure the safety of the data.




The database plus / debut engine is the core component of the database encryption system. It is located between the application and the database server, which is responsible for completing the addition / detachment processing of database information in the background, which is transparent to applicants and operators. The data plus / debut engine does not have an operation interface, which is automatically loaded by the operating system when needed, and resides in memory, communicating with the encrypted dictionary manager and user application through internal interface. The database plus / outstanding engine consists of three major modules: plus / detachment module, user interface module, and database interface module, as shown in Figure 4. Where the "Database Interface Module" is to accept the user's operational request and passed to the "Plus / Dip Processing Module", but also replace the "Plus / Dip Process Module" to access the database server, and complete the external interface The conversion between the parameters and the internal data structure of the plus / detachment engine. "Plus / Dip Process Module" completes the initialization of the database plus / detachment engine, the processing of internal dedicated commands, retrieval of encrypted dictionary information, management of encrypted dictionary buffers, encryption transformation of SQL commands, detachment results of query results and Adding dense algorithm implementation, but also some common auxiliary functions.

The main flow of data plus / detachment processing is as follows:

1) Syntax analysis of the SQL command, if the syntax is correct, turn the next step; if not correct, turn 6), directly handle the SQL command to the database server.

2) Whether is the internal control command for the database plus / detachment engine? If so, process the internal control command, then turn 7); if it is not to turn a step.

3) Check if the database plus / off engine is in a closed state or whether the SQL command only needs to be compiled. If you turn 6), otherwise it will step down.

4) Retrieve the encrypted dictionary, and the SQL command is cleaved in accordance with the encryption definition.

5) Does the SQL command need to encrypt? If so, encrypt the SQL command, replace the original SQL command, then turn a step; otherwise directly to step.

6) Transfer the SQL command to the database server processing.

7) The SQL command is executed, clear the SQL command buffer.

The above explains the principle of encryption function in the outer layer of the DBMS in an example.

5. Conclusion

This paper reviews database system security intrusion technology, proposes three levels of levels of security systems for database systems, and describes three levels of technical means. The text is also the principle of encrypting function in the DBMS outer layer as an example, and how to apply security technologies for the application of database management system levels.

The three levels of the database system security framework are complementary, and the key points of the level and the technical means taken are not the same. A good security system must consider the nuclear use of these technologies to ensure the safety of data.

(3) Collaborative invasion monitoring technology

Independent intrusion monitoring systems are unable to make effective monitoring and reactions to extensive invasive activities. In order to make up for the lack of independent operation, people have proposed the idea of ​​collaborative intrusion monitoring systems. In a collaborative intrusion monitoring system, IDS is based on a unified specification, and the intrusion monitoring component is automatically exchanged between the invasive monitoring components, and the effective monitoring of intrusion is obtained by exchange of information, which can be applied to different network environments [3].

3. Host operating system level security technology

The operating system is the platform on which a large database system runs, and it provides a certain degree of protection to the database system. At present most operating system platforms are Windows NT and UNIX, whose security rating (in TCSEC terms) is usually C1 or C2. The main security technologies at this level are the operating system security policy, the security management policy and data security.

The operating system security policy is used to configure the security settings of the local computer, including the password policy, account lockout policy, audit policy, IP security policy, user rights assignment, encrypted data recovery agents and other security options [7]. Concretely it is embodied in user accounts, passwords, access permissions and auditing:

User account: the "ID" with which a user accesses the system; only legitimate users have accounts.

Password: the user's password provides authentication when the user accesses the system.

Access permissions: specify what each user is allowed to do.

Audit: tracks and records user behaviour, so that the system administrator can analyse how the system is being accessed and investigate after the fact.

The security management policy comprises the methods and strategies the network administrator adopts to carry out security management. The management policy required differs from one operating system and network environment to another; its core is to secure the servers and to assign appropriate rights to each class of user.

Data security is mainly reflected in data encryption, data backup, secure data storage and secure data transmission. Many technologies are available, chiefly Kerberos authentication, IPsec, SSL, TLS and VPNs (PPTP, L2TP).

4. Database management system level security technology

The security of a database system depends to a large extent on the database management system. If the DBMS has a strong security mechanism, the database system as a whole is more secure. The relational DBMS products popular on the market today have comparatively weak security features, which poses a certain threat to the security of database systems.

Because the database system runs under the management of the operating system, an intruder can exploit vulnerabilities in the operating system directly to steal the database files, or use operating system tools to forge or tamper with the contents of the database files. Ordinary database users find this hidden danger hard to detect; analysing and blocking this vulnerability is regarded as a B2-level security measure [4].

Security technology at the DBMS level is mainly intended to solve this problem: even when the first two levels have been breached, it should still protect the security of the data in the database, which requires the DBMS to have a strong security mechanism. One effective way to achieve this is for the DBMS to encrypt the database files, so that even if the data is leaked or lost it is difficult to decipher and read.

Encryption of database data can be considered at three different levels: the OS layer, the DBMS core layer and the DBMS outer layer.

(1) Encryption at the OS layer. At the OS layer the data relationships inside a database file cannot be recognised, so reasonable keys cannot be generated and it is difficult to manage and use keys sensibly. For large databases it is therefore hard to encrypt database files at the OS layer.

(2) Encryption at the DBMS core layer. Here the data is encrypted before physical storage is accessed, that is, just before it is written to disk and decrypted just after it is read. The advantage of this method is that the encryption is strong and does not impair any DBMS function, so encryption and the DBMS can be coupled seamlessly. Its disadvantages are that the encryption operations run on the server and increase its load, and that the interface between the DBMS and the encryptor requires support from the DBMS vendor.

[Figure: encryption at the DBMS core layer. Encryption requirements are defined in the DBMS; the database application sits above the DBMS, and the DBMS calls an encryptor (software or hardware).]

(3) Encryption outside the DBMS. A more practical approach is to build the database encryption system as an outer-layer tool of the DBMS that encrypts and decrypts database data automatically according to the defined encryption requirements:

[Figure: encryption at the DBMS outer layer. The encryption-requirement definition tool and the encryptor (software or hardware) sit between the database application and the DBMS.]

With this method, encryption and decryption can be performed on the client side. Its advantages are that the load on the database server is not increased and that the data is already encrypted while in transit over the network; its disadvantages are that the encryption function is subject to some restrictions and that its coupling with the database management system is somewhat looser.

Below we explain the principle of implementing the encryption function in the outer layer of the DBMS in more detail:

The database encryption system consists of two main components: an encryption dictionary management program and a database encryption/decryption engine. The system stores the user's specific encryption requirements and basic information in the encryption dictionary, and carries out the encryption, decryption and data conversion of database tables by calling the encryption/decryption engine. The processing of database information is completed in the background and is transparent to the database server.

[Figure: structure of the outer-layer database encryption system. The application talks to the database encryption/decryption engine, which consults the encryption dictionary and forwards requests to the database server; the encrypted dictionary and the user data are stored on the server.]

A database encryption system implemented in this way has several advantages. First, it is completely transparent to the end users of the database, and the administrator can convert between plaintext and ciphertext as needed. Second, the encryption system is completely independent of the database application, so encryption can be introduced without changing the application.

The database encryption/decryption engine is the core component of the database encryption system. It sits between the application and the database server and is responsible for encrypting and decrypting database information in the background, transparently to both the application and the operator. The engine has no user interface of its own: it is loaded automatically by the operating system when needed, resides in memory, and communicates with the encryption dictionary manager and the user application through internal interfaces. The engine consists of three main modules: the encryption/decryption processing module, the user interface module and the database interface module, as shown in Figure 4. The database interface module accepts the user's operation request and passes it to the encryption/decryption processing module; it also accesses the database server on behalf of the processing module and converts between the parameters of the external interface and the internal data structures of the engine. The encryption/decryption processing module initialises the engine, handles the engine's internal dedicated commands, retrieves encryption dictionary information, manages the encryption dictionary buffer, performs the encryption transformation of SQL commands and the decryption of query results, implements the encryption algorithms, and provides some common auxiliary functions.

The main flow of encryption/decryption processing is as follows:

1) Parse the SQL command. If the syntax is correct, go to the next step; if not, go to 6) and hand the SQL command to the database server unchanged.

2) Is it an internal control command of the encryption/decryption engine? If so, process the control command and go to 7); otherwise go to the next step.

3) Check whether the engine is in the closed (disabled) state, or whether the SQL command only needs to be compiled (prepared) rather than executed. If either holds, go to 6); otherwise go to the next step.

4) Retrieve the encryption dictionary and analyse the SQL command against the encryption definitions.

5) Does the SQL command need to be encrypted? If so, encrypt it, replace the original SQL command with the encrypted one and go to the next step; otherwise go directly to 6).

6) Pass the SQL command to the database server for processing.

7) The SQL command has been executed (any query results are decrypted by the engine, as described above); clear the SQL command buffer.
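As an added illustration, not code from the paper or from any product it describes, the following Python program implements the seven-step flow above as a small proxy in front of an in-memory SQLite database. The encryption dictionary layout, the `ENGINE ON`/`ENGINE OFF` control commands and the `patient` table are assumptions made for the example, and a keyed BLAKE2b counter-mode keystream with a synthetic IV stands in for a real cipher because the Python standard library has no AES; in production one would use an authenticated cipher from a proper library. The example deliberately uses deterministic encryption so that equality predicates in `WHERE` clauses keep working on ciphertext, and the demo shows the cost of that choice: rows with equal plaintext produce equal ciphertext.

```python
import hashlib
import hmac
import re
import sqlite3

# Constructed encryption dictionary (the paper gives no format, so this layout is an
# assumption): table -> {encrypted column -> 32-byte column key}.
ENCRYPTION_DICTIONARY = {
    "patient": {"ssn": bytes(range(32)), "diagnosis": bytes(range(32, 64))},
}

def _keystream(key, iv, n):
    # Keyed BLAKE2b in counter mode stands in for a block cipher (the stdlib has no AES).
    out = bytearray()
    for ctr in range((n + 31) // 32):
        out += hashlib.blake2b(iv + ctr.to_bytes(4, "big"), key=key, digest_size=32).digest()
    return bytes(out[:n])

def encrypt_value(key, plaintext):
    # Deterministic (SIV-style): the IV is a MAC of the plaintext, so equal plaintexts give
    # equal tokens and "WHERE col = 'x'" works on ciphertext; equality between rows leaks.
    data = plaintext.encode()
    iv = hmac.new(key, b"siv|" + data, hashlib.sha256).digest()[:16]
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, iv, len(data))))
    return (iv + ct).hex()

def decrypt_value(key, token):
    raw = bytes.fromhex(token)
    iv, ct = raw[:16], raw[16:]
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, iv, len(ct))))
    tag = hmac.new(key, b"siv|" + pt, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(iv, tag):      # the synthetic IV doubles as an integrity tag
        raise ValueError("ciphertext failed integrity check")
    return pt.decode()

class EncryptionEngine:
    # Outer-layer engine between application and server; comments give the step numbers.
    INSERT_RE = re.compile(r"^\s*INSERT\s+INTO\s+(\w+)\s*\(([^)]*)\)\s*VALUES\s*\((.*)\)\s*;?\s*$",
                           re.I | re.S)
    SELECT_RE = re.compile(r"^\s*SELECT\s+(.+?)\s+FROM\s+(\w+)(?:\s+WHERE\s+(.+?))?\s*;?\s*$",
                           re.I | re.S)
    LITERAL_RE = re.compile(r"'((?:[^']|'')*)'|(-?\d+)")
    PRED_RE = re.compile(r"(\w+)\s*=\s*'((?:[^']|'')*)'")

    def __init__(self, conn, dictionary):
        self.conn, self.dictionary, self.enabled = conn, dictionary, True

    def execute(self, sql):
        cmd = sql.strip().rstrip(";").upper()
        if cmd in ("ENGINE ON", "ENGINE OFF"):            # 2) internal control command
            self.enabled = cmd == "ENGINE ON"
            return []
        if not self.enabled:                              # 3) engine closed: pass through
            return self.conn.execute(sql).fetchall()
        m = self.INSERT_RE.match(sql)                     # 1) syntax analysis
        if m:
            return self._insert(*m.groups())
        m = self.SELECT_RE.match(sql)
        if m:
            return self._select(*m.groups())
        return self.conn.execute(sql).fetchall()          # 6) not understood: pass through unchanged

    def _insert(self, table, cols, values):
        keys = self.dictionary.get(table, {})             # 4) consult the encryption dictionary
        names = [c.strip() for c in cols.split(",")]
        params = []
        for name, m in zip(names, self.LITERAL_RE.finditer(values)):
            val = m.group(1).replace("''", "'") if m.group(1) is not None else int(m.group(2))
            params.append(encrypt_value(keys[name], val) if name in keys else val)   # 5)
        marks = ", ".join("?" * len(params))
        # Re-emitted as a parameterised statement so the rewrite itself cannot inject.
        self.conn.execute(f"INSERT INTO {table} ({', '.join(names)}) VALUES ({marks})", params)  # 6)
        return []

    def _select(self, cols, table, where):
        keys = self.dictionary.get(table, {})             # 4)
        params = []

        def rewrite(m):                                   # 5) encrypt literals compared with encrypted columns
            name, lit = m.group(1), m.group(2).replace("''", "'")
            params.append(encrypt_value(keys[name], lit) if name in keys else lit)
            return f"{name} = ?"
        sql = f"SELECT {cols} FROM {table}"
        if where:
            sql += " WHERE " + self.PRED_RE.sub(rewrite, where)
        cur = self.conn.execute(sql, params)              # 6)
        names = [d[0] for d in cur.description]
        # 7) decrypt the result columns the dictionary marks as encrypted before returning them
        return [tuple(decrypt_value(keys[n], v) if n in keys else v for n, v in zip(names, row))
                for row in cur.fetchall()]

def demo():
    # Round-trip constructed patient rows, then look at what the server actually stores.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patient (id INTEGER, name TEXT, ssn TEXT, diagnosis TEXT)")
    engine = EncryptionEngine(conn, ENCRYPTION_DICTIONARY)
    engine.execute("INSERT INTO patient (id, name, ssn, diagnosis) VALUES (1, 'Ann', '123-45-6789', 'flu')")
    engine.execute("INSERT INTO patient (id, name, ssn, diagnosis) VALUES (2, 'Bob', '987-65-4321', 'flu')")
    via_engine = engine.execute("SELECT name, ssn, diagnosis FROM patient WHERE ssn = '123-45-6789'")
    stored = conn.execute("SELECT ssn, diagnosis FROM patient WHERE id = 1").fetchone()   # engine bypassed
    distinct = conn.execute("SELECT COUNT(DISTINCT diagnosis) FROM patient").fetchone()[0]
    return {"via_engine": via_engine, "stored_ssn": stored[0], "stored_diagnosis": stored[1],
            "equal_plaintexts_collide": distinct == 1}
```

Two things a practitioner should take from `demo()`. First, the engine only protects data that passes through it: the direct `conn.execute` calls see ciphertext, but they also see which rows share a value, which is exactly the leakage the deterministic construction buys its searchability with. Second, the rewrite re-emits statements as parameterised queries; splicing ciphertext back into the SQL text, as a literal reading of step 5 suggests, would make the engine itself a place where injection can happen.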

The above has explained, by way of an example, the principle of implementing the encryption function in the outer layer of the DBMS.

5. Conclusion

This paper has reviewed database system security and intrusion technology, proposed a three-level security framework for database systems, and described the technical means available at each of the three levels. It has also used the principle of implementing encryption in the DBMS outer layer as an example of how security technology can be applied at the database management system level.

The three levels of the database system security framework complement one another; each level has its own focus and its own technical means. A good security system must consider the combined use of these technologies to ensure the security of the data.



2. Network system level security technology

Network intrusion has the following characteristics [1]:

a) It is not limited by region or time; an attack launched across national borders is as convenient as one launched locally.

b) Attacks carried out over the network tend to be mixed in with a large volume of normal network activity and are therefore hard to spot.

c) The means of intrusion are becoming ever more covert and complex.

The threats to a computer network system in an open environment are of the following kinds [2]: a) spoofing; b) replay; c) modification of messages; d) denial of service; e) trapdoors; f) Trojan horses; g) other attacks such as tunnelling attacks and application-software attacks. These threats exist at all times and in all places, so effective measures must be taken to ensure the security of the system.

From a technical point of view there are many kinds of security technology at the network system level; they can be roughly divided into firewalls, intrusion detection, collaborative intrusion detection and so on.

(1) Firewall. The firewall is the most widely used kind of preventive technology. As the first line of defence of the system, its main function is to monitor the access path between a trusted network and an untrusted network, forming a protective barrier between the internal and external networks that intercepts illegal access from outside and prevents internal information from leaking out; it cannot, however, block illegal operations that originate inside the network. It decides whether to intercept a traffic flow according to preset rules, but cannot recognise intrusions dynamically or adjust its rules adaptively, so its intelligence is limited. There are three main kinds of firewall technology: packet filtering, proxies, and stateful inspection. Modern firewall products typically combine these techniques.

(2) Intrusion detection. An intrusion detection system (IDS) is a preventive technology that has developed in recent years. It draws on statistics, rule-based methods, network communication technology, artificial intelligence, cryptography, reasoning and other techniques to determine whether a network or computer system shows signs of intrusion or misuse. Dorothy Denning first proposed an intrusion detection model in 1987; the technique has been developed and refined continuously since, and as the standard solution for monitoring and identifying attacks the IDS has become an important part of the security defence system.

Analytical techniques adopted by intrusion detection can be divided into three categories: signature, statistics, and data integrity analysis.

1) Signature analysis. Mainly used to monitor behavior that exploits known weaknesses of the system. Signatures are summarized from attack patterns and written into the rule code of the IDS. Signature analysis is in fact a template (pattern) matching operation.

2) Statistical analysis. Taking statistics as its basis, it builds a profile of the action patterns observed under normal use and judges whether an action deviates from the normal track.

3) Data integrity analysis. Taking cryptography as its theoretical basis, it can verify whether a file or object has been modified by others.
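As an added illustration (not part of the original paper), the following Python script runs the three analysis methods above over a few constructed database audit log lines: template matching against assumed signature rules, a statistical check of failed logins per source against an assumed normal-use baseline, and a keyed-hash integrity check on an object's contents. The log format, the rule names, the baseline numbers and the key are all assumptions made for this example.

```python
import hashlib
import hmac
import re
import statistics

# Constructed audit lines (not from any real system): "<time> <host> <event> key=value ..."
AUDIT_LOG = """\
10:00:01 db1 login user=alice src=10.0.0.5 result=ok
10:00:02 db1 login user=bob src=10.0.0.9 result=fail
10:00:03 db1 login user=bob src=10.0.0.9 result=ok
10:00:04 db1 login user=maint src=203.0.113.7 result=ok
10:00:05 db1 login user=eve src=198.51.100.2 result=fail
10:00:06 db1 login user=eve src=198.51.100.2 result=fail
10:00:07 db1 login user=eve src=198.51.100.2 result=fail
10:00:08 db1 login user=eve src=198.51.100.2 result=fail
10:00:09 db1 login user=eve src=198.51.100.2 result=fail
10:00:10 db1 login user=eve src=198.51.100.2 result=fail
10:00:11 db1 login user=admin src=203.0.113.7 result=ok
"""

# 1) Signature analysis: templates summarised from known weaknesses (assumed rules):
#    the retired maintenance account (a trapdoor) must never log in, and the built-in
#    administrator account may only log in from the admin network 10.0.0.0/24.
SIGNATURES = [
    ("trapdoor-account-login", re.compile(r"login user=maint .*result=ok")),
    ("admin-login-from-outside",
     re.compile(r"login user=admin src=(?!10\.0\.0\.)\S+ .*result=ok")),
]


def signature_alerts(lines):
    """Template matching: every line is compared against every signature."""
    return [(name, line) for line in lines for name, pat in SIGNATURES if pat.search(line)]


# 2) Statistical analysis: failed logins per source observed during normal use
#    (constructed baseline); a source is flagged when it deviates by more than
#    k standard deviations from that profile.
BASELINE_FAILS_PER_SOURCE = [0, 1, 0, 2, 1, 0, 1]


def statistical_alerts(lines, baseline=BASELINE_FAILS_PER_SOURCE, k=3.0):
    threshold = statistics.mean(baseline) + k * statistics.pstdev(baseline)
    fails = {}
    for line in lines:
        m = re.search(r"login user=\S+ src=(\S+) result=fail", line)
        if m:
            fails[m.group(1)] = fails.get(m.group(1), 0) + 1
    return [(src, n) for src, n in fails.items() if n > threshold]


# 3) Data integrity analysis: a keyed digest recorded while the object was known
#    good is compared with the current digest. HMAC rather than a plain hash means
#    an intruder who can rewrite the object cannot also forge its digest without
#    the key held by the IDS.
def integrity_tag(content: bytes, key: bytes) -> str:
    return hmac.new(key, content, hashlib.sha256).hexdigest()


def integrity_alert(content: bytes, key: bytes, recorded_tag: str) -> bool:
    """True when the object no longer matches the digest recorded for it."""
    return not hmac.compare_digest(integrity_tag(content, key), recorded_tag)


if __name__ == "__main__":
    lines = AUDIT_LOG.splitlines()
    print(signature_alerts(lines))
    print(statistical_alerts(lines))
    key = b"ids-demo-key"  # constructed for the example
    tag = integrity_tag(b"database page contents", key)
    print(integrity_alert(b"database page contents", key, tag))
    print(integrity_alert(b"database page contents (tampered)", key, tag))
```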

IDS types include network-based and host-based intrusion detection systems, signature-based and anomaly-based intrusion detection systems, and real-time and non-real-time intrusion detection systems [1].

(3) Collaborative intrusion detection technology

A stand-alone intrusion detection system cannot effectively detect and react to large-scale intrusion activity. To make up for the shortcomings of independent operation, the idea of collaborative intrusion detection systems was proposed. In a collaborative intrusion detection system the IDS components follow a unified specification, exchange intrusion detection information with one another automatically, and achieve effective detection of intrusions through that exchange of information; such a system can be applied to different network environments [3].

3. Host operating system hierarchical security technology

The operating system is the running platform of large database systems and provides a certain degree of security for them. At present most operating system platforms are Windows NT and UNIX, whose security level is usually C1 or C2. The main security technologies are operating system security policies, security management policies, data security, and so on.

Operating system security policies are used to configure the security settings of the local computer, including password policy, account lockout policy, audit policy, IP security policy, user rights assignment, encrypted data recovery agents, and other security options [7]. Concretely, they are embodied in user accounts, passwords, access rights, auditing, and so on.

User account: the "ID" with which a user accesses the system; only legitimate users have accounts.

Password: the user's password verifies the user's identity when accessing the system.

Access permissions: specify what the user is allowed to do.

Audit: tracks and records user behavior, making it easier for the system administrator to analyze how the system is being accessed and to investigate afterwards.

Security management policies are the methods and strategies that network administrators adopt to carry out security management. The security management policy required in a network environment generally differs from one operating system to another; its core is to ensure the security of the server and to assign appropriate rights to the various kinds of users.

Data security is mainly reflected in the following aspects: data encryption technology, data backup, security of data storage, security of data transmission, and so on. Many technologies can be used, mainly Kerberos authentication, IPSec, SSL, TLS, and VPN (PPTP, L2TP).

4. Database Management System Hierarchical Security Technology

The security of the database system depends to a large extent on the database management system. If the security mechanism of the database management system is strong, the security of the database system as a whole is better. At present, the relational database management systems popular on the market have weak security features, which poses a certain threat to the security of the database system.

Since the database system runs under the management of the operating system, an intruder can directly exploit vulnerabilities of the operating system to steal database files, or use OS tools to forge or tamper with the contents of database files. Ordinary database users find this hidden danger hard to detect; analyzing and blocking this vulnerability is considered a B2-level security measure [4].

Security technology at the database management system level is mainly used to solve this problem, that is, to safeguard the security of database data even when the first two levels have been broken through. This requires the database management system to have a strong security mechanism. One effective way to solve this problem is for the database management system to encrypt the database files, so that even if the data is leaked or lost, it is difficult to decipher and read.

We can consider encrypting database data at three different levels: the OS layer, the DBMS core layer, and the DBMS outer layer.

(1) Encryption in the OS layer. In the OS layer, the relationships among the data in a database file cannot be identified, so reasonable keys cannot be generated and managed, nor used rationally. Therefore, for large databases it is difficult to encrypt database files at the OS layer.

(2) Encryption in the DBMS core layer. This means that encryption is completed before the data is physically accessed. The advantage of this method is that the encryption is strong and the encryption function does not impair the functions of the DBMS, so seamless coupling between the encryption function and the database management system can be achieved. Its disadvantage is that encryption operations are performed on the server side, increasing the server's load, and that the interface between the DBMS and the encryptor requires the support of the DBMS developer.

[Figure: encryption in the DBMS core layer. Elements: define encryption requirements; DBMS; database application; encryptor (software or hardware).]

(3) Encryption outside the DBMS. A more practical approach is to build the database encryption system as an outer-layer tool of the DBMS that automatically encrypts and decrypts database data according to the encryption requirements:

[Figure: encryption outside the DBMS. Elements: define encryption requirements; encryption tool (software or hardware); DBMS; database application.]

With this encryption method, encryption and decryption can be performed on the client side. Its advantages are that the load on the database server is not increased and that data transmitted over the network is encrypted; its disadvantages are that the encryption function is subject to some restrictions and that the coupling with the database management system is slightly weaker.

Below we further explain the principle of implementing the encryption function in the outer layer of the DBMS:

The database encryption system consists of two main components: the encryption dictionary management program and the database encryption/decryption engine. The system stores the user's specific encryption requirements and basic information in the encryption dictionary, and performs encryption, decryption and data conversion of database tables by calling the encryption/decryption engine. The encryption and decryption of database information is completed in the background, transparently to the database server.

[Figure: structure of the database encryption system. Elements: application; encryption system (encryption dictionary manager, database encryption/decryption engine); database server (encryption dictionary, user data).]

A database encryption system implemented in this way has many advantages: first, the system is completely transparent to the end users of the database, and the administrator can convert between plaintext and ciphertext as needed; second, the encryption system is completely independent of the database application system, so the data encryption function can be implemented without changing the database application system.

The database encryption/decryption engine is the core component of the database encryption system. It sits between the application and the database server and is responsible for encrypting and decrypting database information in the background, transparently to application users and operators. The engine has no user-facing interface; it is loaded automatically by the operating system when needed, resides in memory, and communicates with the encryption dictionary manager and the user application through internal interfaces. The engine consists of three major modules: the encryption/decryption processing module, the user interface module, and the database interface module, as shown in Figure 4. The database interface module accepts the user's operation requests and passes them to the encryption/decryption processing module; it also accesses the database server on behalf of the processing module, and converts between the external interface parameters and the engine's internal data structures. The encryption/decryption processing module handles the initialization of the engine, the processing of internal dedicated commands, the retrieval of encryption dictionary information, the management of the encryption dictionary buffer, the encryption transformation of SQL commands, the decryption of query results and the implementation of the encryption algorithm, as well as some common auxiliary functions.

The main flow of encryption/decryption processing is as follows:

1) Perform syntax analysis of the SQL command. If the syntax is correct, go to the next step; if not, go to 6) and hand the SQL command directly to the database server.

2) Is it an internal control command of the database encryption/decryption engine? If so, process the internal control command and go to 7); if not, go to the next step.

3) Check whether the engine is in the closed state, or whether the SQL command only needs to be compiled. If so, go to 6); otherwise go to the next step.

4) Retrieve the encryption dictionary and parse the SQL command according to the encryption definition.

5) Does the SQL command need encryption? If so, encrypt the SQL command and replace the original command with it, then go to the next step; otherwise go directly to the next step.

6) Pass the SQL command to the database server for processing.

7) After the SQL command has been executed, clear the SQL command buffer.

The above has explained, by way of an example, the principle of implementing the encryption function in the outer layer of the DBMS.
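As an added example (not the paper's code, nor any product's), the following Python sketch implements the seven-step flow above as a small outer-layer engine that sits between an application and an in-memory sqlite3 database standing in for the database server. The encryption dictionary layout, the ENGINE ON/OFF control commands, the restricted SQL grammar with bound parameters, and the deterministic toy cipher are all assumptions made for this example; a real engine would use a vetted cipher, a key store and a proper SQL parser.

```python
import hashlib
import hmac
import re
import sqlite3

# Encryption dictionary (assumed layout): table -> columns that are held encrypted.
ENCRYPTION_DICTIONARY = {"staff": {"ssn", "salary"}}
# Demo key constructed for this example; a real engine loads it from a key store.
KEY = b"demo-key-for-this-example-only"

# The small SQL grammar this toy engine understands (values arrive as bound parameters).
_CONTROL = re.compile(r"^\s*ENGINE\s+(ON|OFF)\s*;?\s*$", re.I)
_INSERT = re.compile(r"^\s*INSERT\s+INTO\s+(\w+)\s*\(([^)]*)\)\s*VALUES\s*\([^)]*\)\s*;?\s*$", re.I)
_SELECT = re.compile(r"^\s*(EXPLAIN\s+)?SELECT\s+.+?\s+FROM\s+(\w+)"
                     r"(?:\s+WHERE\s+(\w+)\s*=\s*\?)?\s*;?\s*$", re.I)


def _keystream(table, column, length):
    """Keystream bound to the column, so equal values in different columns differ."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(KEY, f"{table}.{column}.{counter}".encode(), hashlib.sha256).digest()
    return out[:length]


def toy_encrypt(table, column, value):
    """Deterministic toy cipher standing in for a vetted one: equal plaintexts give
    equal ciphertexts, so equality predicates on encrypted columns keep working."""
    data = str(value).encode()
    return bytes(a ^ b for a, b in zip(data, _keystream(table, column, len(data)))).hex()


def toy_decrypt(table, column, hexvalue):
    data = bytes.fromhex(hexvalue)
    return bytes(a ^ b for a, b in zip(data, _keystream(table, column, len(data)))).decode()


class EncryptionEngine:
    """Sits between the application and the database server (sqlite3 in memory here)."""

    def __init__(self, conn):
        self.conn = conn
        self.enabled = True
        self.sql_buffer = None

    @staticmethod
    def _parse(sql):
        """1) Syntax analysis; None means the command is not understood."""
        if m := _CONTROL.match(sql):
            return {"kind": "control", "on": m.group(1).upper() == "ON"}
        if m := _INSERT.match(sql):
            return {"kind": "dml", "table": m.group(1), "compile_only": False,
                    "cols": [c.strip() for c in m.group(2).split(",")]}
        if m := _SELECT.match(sql):
            return {"kind": "dml", "table": m.group(2), "compile_only": bool(m.group(1)),
                    "cols": [m.group(3)] if m.group(3) else []}
        return None

    def execute(self, sql, params=()):
        self.sql_buffer = sql
        try:
            parsed = self._parse(sql)
            if parsed is None:                               # 1) unknown syntax: straight to 6)
                return self._forward(sql, params, None)
            if parsed["kind"] == "control":                  # 2) internal control command, then 7)
                self.enabled = parsed["on"]
                return []
            if not self.enabled or parsed["compile_only"]:   # 3) closed or compile-only: 6)
                return self._forward(sql, params, None)
            enc_cols = ENCRYPTION_DICTIONARY.get(parsed["table"], set())   # 4) dictionary lookup
            if enc_cols:                                     # 5) encrypt bound values in place
                params = tuple(toy_encrypt(parsed["table"], c, p) if c in enc_cols else p
                               for c, p in zip(parsed["cols"], params))
            return self._forward(sql, params, parsed["table"])   # 6) forward, decrypt results
        finally:
            self.sql_buffer = None                           # 7) command done: clear the buffer

    def _forward(self, sql, params, table):
        cur = self.conn.execute(sql, params)
        rows = cur.fetchall()
        if table is None or cur.description is None:
            return rows
        names = [d[0] for d in cur.description]
        enc_cols = ENCRYPTION_DICTIONARY.get(table, set())
        return [tuple(toy_decrypt(table, n, v) if n in enc_cols else v
                      for n, v in zip(names, row)) for row in rows]


def demo():
    """Constructed walk-through: two inserts, an equality query on an encrypted
    column through the engine, the raw stored values, and a pass-through query
    after the engine has been closed with a control command."""
    conn = sqlite3.connect(":memory:")
    engine = EncryptionEngine(conn)
    # Encrypted columns are declared TEXT so sqlite never coerces all-digit hex strings.
    engine.execute("CREATE TABLE staff (name TEXT, ssn TEXT, salary TEXT)")
    engine.execute("INSERT INTO staff (name, ssn, salary) VALUES (?, ?, ?)",
                   ("alice", "123-45-6789", "75000"))
    engine.execute("INSERT INTO staff (name, ssn, salary) VALUES (?, ?, ?)",
                   ("bob", "987-65-4321", "64000"))
    through_engine = engine.execute("SELECT name, salary FROM staff WHERE ssn = ?",
                                    ("123-45-6789",))
    raw = conn.execute("SELECT ssn, salary FROM staff WHERE name = 'alice'").fetchone()
    engine.execute("ENGINE OFF")
    passthrough = engine.execute("SELECT salary FROM staff WHERE name = ?", ("alice",))
    return through_engine, raw, passthrough


if __name__ == "__main__":
    print(demo())
```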

5. Conclusion

This paper reviews anti-intrusion security technology for database systems, proposes a three-level security framework for database systems, and describes the technical means at each of the three levels. Taking the implementation of the encryption function in the DBMS outer layer as an example, it also explains how security technologies are applied at the database management system level.

The three levels of the database system security framework complement one another; the focus of each level and the technical means it adopts differ. A good security system must consider the comprehensive use of these technologies in order to ensure the security of data.


The main flow of data plus / detachment processing is as follows:

1) Syntax analysis of the SQL command, if the syntax is correct, turn the next step; if not correct, turn 6), directly handle the SQL command to the database server.

2) Whether is the internal control command for the database plus / detachment engine? If so, process the internal control command, then turn 7); if it is not to turn a step.

3) Check if the database plus / off engine is in a closed state or whether the SQL command only needs to be compiled. If you turn 6), otherwise it will step down.

4) Retrieve the encrypted dictionary, and the SQL command is cleaved in accordance with the encryption definition.

5) Does the SQL command need to encrypt? If so, encrypt the SQL command, replace the original SQL command, then turn a step; otherwise directly to step. 6) Transfer the SQL command to the database server processing.

7) The SQL command is executed, clear the SQL command buffer.

The above explains the principle of encryption function in the outer layer of the DBMS in an example.

5. Conclusion

This paper reviews database system security intrusion technology, proposes three levels of levels of security systems for database systems, and describes three levels of technical means. The text is also the principle of encrypting function in the DBMS outer layer as an example, and how to apply security technologies for the application of database management system levels.

The three levels of the database system security framework are complementary, and the key points of the level and the technical means taken are not the same. A good security system must consider the nuclear use of these technologies to ensure the safety of data.

Encryption Dictionary

Encryption system

application

Database plus officer

Database server

Encrypted dictionary

User data

The database encryption system implemented in the above manner has many advantages: First, the system is completely transparent to the end user of the database, and the administrator can perform clear text and ciphertic conversion work as needed; secondly, the encryption system is completely independent of the database application system. Data encryption function can be implemented without changing the database application system;

The database plus / debut engine is the core component of the database encryption system. It is located between the application and the database server, which is responsible for completing the addition / detachment processing of database information in the background, which is transparent to applicants and operators. The data plus / debut engine does not have an operation interface, which is automatically loaded by the operating system when needed, and resides in memory, communicating with the encrypted dictionary manager and user application through internal interface. The database plus / outstanding engine consists of three major modules: plus / detachment module, user interface module, and database interface module, as shown in Figure 4. Where the "Database Interface Module" is to accept the user's operational request and passed to the "Plus / Dip Processing Module", but also replace the "Plus / Dip Process Module" to access the database server, and complete the external interface The conversion between the parameters and the internal data structure of the plus / detachment engine. "Plus / Dip Process Module" completes the initialization of the database plus / detachment engine, the processing of internal dedicated commands, retrieval of encrypted dictionary information, management of encrypted dictionary buffers, encryption transformation of SQL commands, detachment results of query results and Adding dense algorithm implementation, but also some common auxiliary functions.

The main flow of data plus / detachment processing is as follows:

1) Syntax analysis of the SQL command, if the syntax is correct, turn the next step; if not correct, turn 6), directly handle the SQL command to the database server.

2) Whether is the internal control command for the database plus / detachment engine? If so, process the internal control command, then turn 7); if it is not to turn a step.

3) Check if the database plus / off engine is in a closed state or whether the SQL command only needs to be compiled. If you turn 6), otherwise it will step down.

4) Retrieve the encrypted dictionary, and the SQL command is cleaved in accordance with the encryption definition.

5) Does the SQL command need to encrypt? If so, encrypt the SQL command, replace the original SQL command, then turn a step; otherwise directly to step.

6) Transfer the SQL command to the database server processing.

7) The SQL command is executed, clear the SQL command buffer.

The above explains the principle of encryption function in the outer layer of the DBMS in an example.

5. Conclusion

This paper reviews database system security intrusion technology, proposes three levels of levels of security systems for database systems, and describes three levels of technical means. The text is also the principle of encrypting function in the DBMS outer layer as an example, and how to apply security technologies for the application of database management system levels.

The three levels of the database system security framework are complementary, and the key points of the level and the technical means taken are not the same. A good security system must consider the nuclear use of these technologies to ensure the safety of data.

Encryption Dictionary

Encryption system

application

Database plus officer

Database server

Encrypted dictionary

User data

The database encryption system implemented in the above manner has many advantages: First, the system is completely transparent to the end user of the database, and the administrator can perform clear text and ciphertic conversion work as needed; secondly, the encryption system is completely independent of the database application system. Data encryption function can be implemented without changing the database application system;

The database plus / debut engine is the core component of the database encryption system. It is located between the application and the database server, which is responsible for completing the addition / detachment processing of database information in the background, which is transparent to applicants and operators. The data plus / debut engine does not have an operation interface, which is automatically loaded by the operating system when needed, and resides in memory, communicating with the encrypted dictionary manager and user application through internal interface. The database plus / outstanding engine consists of three major modules: plus / detachment module, user interface module, and database interface module, as shown in Figure 4. Where the "Database Interface Module" is to accept the user's operational request and passed to the "Plus / Dip Processing Module", but also replace the "Plus / Dip Process Module" to access the database server, and complete the external interface The conversion between the parameters and the internal data structure of the plus / detachment engine. "Plus / Dip Process Module" completes the initialization of the database plus / detachment engine, the processing of internal dedicated commands, retrieval of encrypted dictionary information, management of encrypted dictionary buffers, encryption transformation of SQL commands, detachment results of query results and Adding dense algorithm implementation, but also some common auxiliary functions.

The main flow of data plus / detachment processing is as follows:

1) Syntax analysis of the SQL command, if the syntax is correct, turn the next step; if not correct, turn 6), directly handle the SQL command to the database server.

2) Whether is the internal control command for the database plus / detachment engine? If so, process the internal control command, then turn 7); if it is not to turn a step.

3) Check if the database plus / off engine is in a closed state or whether the SQL command only needs to be compiled. If you turn 6), otherwise it will step down.

4) Retrieve the encrypted dictionary, and the SQL command is cleaved in accordance with the encryption definition.

5) Does the SQL command need to encrypt? If so, encrypt the SQL command, replace the original SQL command, then turn a step; otherwise directly to step.

6) Transfer the SQL command to the database server processing.

7) The SQL command is executed, clear the SQL command buffer.

The above explains the principle of encryption function in the outer layer of the DBMS in an example.

5. Conclusion

This paper reviews database system security intrusion technology, proposes three levels of levels of security systems for database systems, and describes three levels of technical means. The text is also the principle of encrypting function in the DBMS outer layer as an example, and how to apply security technologies for the application of database management system levels.

(3) Collaborative intrusion detection technology

Standalone intrusion detection systems cannot effectively monitor and respond to large-scale intrusion activity. To make up for the shortcomings of standalone operation, the idea of collaborative intrusion detection systems has been proposed. In a collaborative intrusion detection system, the IDS components follow a unified specification and automatically exchange information among themselves; effective detection of intrusions is obtained through this exchange of information, and the approach can be applied to different network environments [3].

3. Host Operating System Level Security Technology

The operating system is the running platform of large database systems and provides them with a certain degree of security. At present, most operating system platforms are Windows NT and UNIX, whose security level is usually C1 or C2. The main security technologies are operating system security policies, security management policies, data security, and so on.

Operating system security policies are used to configure the security settings of the local computer, including password policies, account lockout policies, audit policies, IP security policies, user rights assignment, encrypted data recovery agents and other security options [7]. Concretely, they are embodied in user accounts, passwords, access permissions, auditing, and so on.

User account: the user's "identity" for accessing the system; only legitimate users have accounts.

Password: the user's password provides verification when the user accesses the system.

Access permissions: specify the operations a user is allowed to perform.

Audit: track and record user behaviour, which helps the system administrator analyse how the system is accessed and investigate after the fact.

Security management policies are the methods and strategies adopted by network administrators to implement security management. Different operating systems generally require different security management policies in a network environment; the core is to ensure the security of the server and to assign appropriate privileges to the various types of users.

Data security is mainly reflected in data encryption, data backup, secure data storage, secure data transmission, and so on. Many technologies are available, chiefly Kerberos authentication, IPsec, SSL, TLS and VPNs (PPTP, L2TP).

4. Database Management System Level Security Technology

The security of a database system depends to a large extent on the database management system. If the DBMS security mechanism is strong, the security of the database system is correspondingly better. The relational DBMSs currently popular on the market have relatively weak security features, which poses a certain threat to the security of the database system.

Since the database system is managed under the operating system, an intruder can directly exploit operating system vulnerabilities to steal database files, or use OS tools to forge or tamper with the contents of database files. This hidden danger is difficult for ordinary database users to detect; analysing and blocking this vulnerability is considered a B2-level security technical measure [4].

DBMS-level security technology is mainly used to solve this problem, that is, to safeguard the security of database data even after the first two levels have been breached, which requires the DBMS to have a strong security mechanism. One effective way is for the DBMS to encrypt the database files, so that even if the data is leaked or lost, it is difficult to decipher and read.

Encryption of database data can be considered at three different levels: the OS layer, the DBMS kernel, and the DBMS outer layer.

(1) Encryption at the OS layer. At the OS layer, the data relationships within the database file cannot be identified, so reasonable keys cannot be generated, and it is difficult to manage and use keys rationally. Therefore, for large databases, it is difficult to encrypt database files at the OS layer.

(2) Encryption in the DBMS kernel. This means that data is encrypted and decrypted before physical access. The advantage of this method is that the encryption is strong and the encryption feature does not affect the functions of the DBMS, achieving seamless coupling between the encryption function and the database management system. Its disadvantage is that the encryption operations are performed on the server side, which increases the server's load, and the interface between the DBMS and the encryptor requires the support of the DBMS developer.

Figure (DBMS kernel-layer encryption): encryption requirement definition; DBMS; encryptor (software or hardware); database application.

(3) Encryption outside the DBMS. A more practical approach is to make the database encryption system an outer-layer tool of the DBMS, which automatically completes the encryption/decryption of database data according to the defined encryption requirements:

Figure (DBMS outer-layer encryption): encryption requirement definition tool; encryptor (software or hardware); DBMS; database application.

With this method, encryption and decryption can be performed on the client side, so the database server's load is not increased and data can be encrypted for online transmission; the disadvantage is that the encryption function is subject to some restrictions, and the coupling with the database management system is somewhat weaker.

Below we further explain the principle of implementing the encryption function in the outer layer of the DBMS.

The database encryption system consists of two main components: an encryption dictionary manager and a database encryption/decryption engine. The system stores the user's specific encryption requirements and basic information in the encryption dictionary, and implements encryption, decryption and data conversion of database tables by calling the encryption/decryption engine. The processing of database information is completed in the background and is transparent to the database server.

Figure (database encryption system architecture): encryption dictionary manager; application; database encryption/decryption engine; database server; encryption dictionary; user data.

A database encryption system implemented in this way has many advantages. First, the system is completely transparent to end users of the database, and the administrator can convert between plaintext and ciphertext as needed. Second, the encryption system is completely independent of the database application system, so data encryption can be implemented without changing the application.

The database encryption/decryption engine is the core component of the database encryption system. It sits between the application and the database server and is responsible for the encryption/decryption of database information in the background, transparently to application developers and operators. The engine has no operator interface; it is loaded automatically by the operating system when needed, resides in memory, and communicates with the encryption dictionary manager and user applications through internal interfaces. The engine consists of three main modules: the encryption/decryption processing module, the user interface module, and the database interface module, as shown in Figure 4. The "database interface module" accepts the user's operation requests and passes them to the "encryption/decryption processing module"; it also accesses the database server on behalf of the processing module and performs the conversion between external interface parameters and the engine's internal data structures. The "encryption/decryption processing module" handles initialisation of the engine, processing of internal dedicated commands, retrieval of encryption dictionary information, management of the encryption dictionary buffer, encryption transformation of SQL commands, decryption of query results, implementation of the encryption algorithms, and some common auxiliary functions.

The main flow of encryption/decryption processing is as follows:

1) Parse the syntax of the SQL command. If the syntax is correct, go to the next step; if not, go to 6) and pass the SQL command directly to the database server.

2) Is the command an internal control command of the encryption/decryption engine? If so, process the internal control command and go to 7); otherwise go to the next step.

3) Check whether the engine is in the closed state, or whether the SQL command only needs to be compiled. If so, go to 6); otherwise go to the next step.

4) Retrieve the encryption dictionary and analyse the SQL command according to the encryption definitions.

5) Does the SQL command need encryption? If so, encrypt the SQL command, replace the original command with the encrypted one, and go to the next step; otherwise go directly to the next step.

6) Pass the SQL command to the database server for processing.

7) After the SQL command has been executed, clear the SQL command buffer.
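The seven-step flow above, and the division of labour between the database interface module and the processing module, can be seen end to end in a small runnable model. The following is an added example, not code from the paper: the "database server" is an in-memory sqlite3 database, the "encryption dictionary" is a plain dict mapping (table, column) to a key, and an HMAC-SHA256 based SIV-style construction stands in for the encryption algorithm the paper leaves unspecified. The engine's grammar is deliberately tiny (INSERT with quoted string literals, SELECT with an optional equality predicate, and an assumed internal control command `ENGINE ON|OFF`); everything else is passed through unchanged, exactly as step 1) prescribes.

```python
"""Toy DBMS outer-layer encryption/decryption engine (added example, not the paper's code).

Assumptions: sqlite3 plays the database server, a dict plays the encryption dictionary,
and the cipher is a deterministic HMAC-based stand-in for the paper's unnamed algorithm.
"""
import hashlib
import hmac
import re
import sqlite3

# Constructed sample encryption dictionary: (table, column) -> column key.
ENCRYPTION_DICTIONARY = {
    ("patients", "name"): b"sample-key-patients-name",
    ("patients", "diagnosis"): b"sample-key-patients-diagnosis",
}


def _prf(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def _keystream(key: bytes, tag: bytes, n: int) -> bytes:
    blocks = (_prf(_prf(key, b"enc"), tag + i.to_bytes(4, "big")) for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


def encrypt_value(key: bytes, plaintext: str) -> str:
    """Deterministic SIV-style encryption: tag = MAC(plaintext) under a MAC subkey,
    body = plaintext XOR keystream(tag) under an encryption subkey. Determinism keeps
    equality predicates on encrypted columns working; the tag detects tampering."""
    pt = plaintext.encode()
    tag = _prf(_prf(key, b"mac"), pt)[:16]
    body = bytes(a ^ b for a, b in zip(pt, _keystream(key, tag, len(pt))))
    return (tag + body).hex()


def decrypt_value(key: bytes, ciphertext: str) -> str:
    raw = bytes.fromhex(ciphertext)
    tag, body = raw[:16], raw[16:]
    pt = bytes(a ^ b for a, b in zip(body, _keystream(key, tag, len(body))))
    if not hmac.compare_digest(tag, _prf(_prf(key, b"mac"), pt)[:16]):
        raise ValueError("ciphertext failed integrity check")
    return pt.decode()


_INSERT = re.compile(r"^\s*INSERT\s+INTO\s+(\w+)\s*\(([^)]*)\)\s*VALUES\s*\(([^)]*)\)\s*;?\s*$", re.I)
_SELECT = re.compile(r"^\s*SELECT\s+(\*|[\w\s,]+?)\s+FROM\s+(\w+)"
                     r"(?:\s+WHERE\s+(\w+)\s*=\s*'([^']*)')?\s*;?\s*$", re.I)
_CONTROL = re.compile(r"^\s*ENGINE\s+(ON|OFF)\s*;?\s*$", re.I)  # assumed internal control command


class EncryptionEngine:
    """Sits between the application and the server and runs the paper's seven-step flow."""

    def __init__(self, conn: sqlite3.Connection, dictionary: dict):
        self.conn, self.dictionary, self.enabled = conn, dictionary, True

    def execute(self, sql: str, compile_only: bool = False) -> list:
        # 1) Syntax analysis; anything the engine's grammar does not cover goes to 6).
        ins, sel, ctl = _INSERT.match(sql), _SELECT.match(sql), _CONTROL.match(sql)
        if not (ins or sel or ctl):
            return self._server(sql, (), [])
        # 2) Internal control command: handled by the engine itself, then 7).
        if ctl:
            self.enabled = ctl.group(1).upper() == "ON"
            return []
        # 3) Engine closed, or the command only needs compiling: pass through to 6).
        if not self.enabled or compile_only:
            return self._server(sql, (), [])
        # 4) Retrieve the encryption dictionary entries for the table.
        if ins:
            table, cols = ins.group(1), [c.strip() for c in ins.group(2).split(",")]
            vals = [v.strip().strip("'") for v in ins.group(3).split(",")]
            keys = [self.dictionary.get((table, c)) for c in cols]
            # 5) Encrypt literals destined for encrypted columns and rebuild the command;
            #    values travel as bound parameters, so the rewrite cannot break quoting.
            params = tuple(encrypt_value(k, v) if k else v for k, v in zip(keys, vals))
            sql = f"INSERT INTO {table} ({', '.join(cols)}) VALUES ({', '.join('?' * len(cols))})"
            return self._server(sql, params, [])
        spec, table, wcol, wval = sel.groups()
        cols = self._columns(table) if spec.strip() == "*" else [c.strip() for c in spec.split(",")]
        keys = [self.dictionary.get((table, c)) for c in cols]
        sql, params = f"SELECT {', '.join(cols)} FROM {table}", ()
        if wcol:  # 5) an equality predicate on an encrypted column is encrypted the same way
            wkey = self.dictionary.get((table, wcol))
            sql, params = sql + f" WHERE {wcol} = ?", (encrypt_value(wkey, wval) if wkey else wval,)
        return self._server(sql, params, keys)

    def _columns(self, table: str) -> list:
        return [row[1] for row in self.conn.execute(f"PRAGMA table_info({table})")]

    def _server(self, sql: str, params: tuple, keys: list) -> list:
        # 6) Hand the (possibly rewritten) command to the database server.
        rows = self.conn.execute(sql, params).fetchall()
        # 7) Decrypt result columns listed in the dictionary; the command buffer is then dropped.
        if not keys:
            return rows
        return [tuple(decrypt_value(k, v) if k else v for k, v in zip(keys, row)) for row in rows]


def demo():
    """Constructed scenario: the application sees plaintext, the server stores ciphertext."""
    conn = sqlite3.connect(":memory:")
    engine = EncryptionEngine(conn, ENCRYPTION_DICTIONARY)
    engine.execute("CREATE TABLE patients (id TEXT, name TEXT, diagnosis TEXT)")  # pass-through
    engine.execute("INSERT INTO patients (id, name, diagnosis) VALUES ('1', 'alice', 'flu')")
    engine.execute("INSERT INTO patients (id, name, diagnosis) VALUES ('2', 'bob', 'none')")
    app_view = engine.execute("SELECT id, diagnosis FROM patients WHERE name = 'alice'")
    stored = conn.execute("SELECT name, diagnosis FROM patients").fetchall()  # the server's view
    engine.execute("ENGINE OFF")  # closed state: the same query now reaches the server unchanged
    closed_view = engine.execute("SELECT id, diagnosis FROM patients WHERE name = 'alice'")
    return app_view, stored, closed_view


if __name__ == "__main__":
    print(demo())
```

Two design points carry over to a real engine. Deterministic encryption is what lets step 5) rewrite a `WHERE name = 'alice'` predicate into a ciphertext comparison the server can still evaluate, at the price of revealing which rows share a value; the keyed tag is what stops an intruder who reaches the files through the operating system (the threat described in section 4) from silently altering ciphertext. And because the engine rebuilds the command rather than splicing ciphertext into the original string, the rewritten SQL is parameterised, so the rewrite step cannot itself introduce a quoting flaw.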

The above explains, by example, the principle of implementing the encryption function in the outer layer of the DBMS.

5. Conclusion

This paper reviews database system security intrusion technology, proposes a three-level security framework for database systems, and describes the technical means at each level. It also takes the principle of implementing the encryption function in the DBMS outer layer as an example to explain how security technologies are applied at the database management system level.

The three levels of the database system security framework are complementary; the emphasis and the technical means adopted at each level differ. A good security system must consider the integrated use of these technologies to ensure the security of data.

Encryption Dictionary

Encryption system

application

Database plus officer

Database server

Encrypted dictionary

User data

The database encryption system implemented in the above manner has many advantages: First, the system is completely transparent to the end user of the database, and the administrator can perform clear text and ciphertic conversion work as needed; secondly, the encryption system is completely independent of the database application system. Data encryption function can be implemented without changing the database application system;

The database plus / debut engine is the core component of the database encryption system. It is located between the application and the database server, which is responsible for completing the addition / detachment processing of database information in the background, which is transparent to applicants and operators. The data plus / debut engine does not have an operation interface, which is automatically loaded by the operating system when needed, and resides in memory, communicating with the encrypted dictionary manager and user application through internal interface. The database plus / outstanding engine consists of three major modules: plus / detachment module, user interface module, and database interface module, as shown in Figure 4. Where the "Database Interface Module" is to accept the user's operational request and passed to the "Plus / Dip Processing Module", but also replace the "Plus / Dip Process Module" to access the database server, and complete the external interface The conversion between the parameters and the internal data structure of the plus / detachment engine. "Plus / Dip Process Module" completes the initialization of the database plus / detachment engine, the processing of internal dedicated commands, retrieval of encrypted dictionary information, management of encrypted dictionary buffers, encryption transformation of SQL commands, detachment results of query results and Adding dense algorithm implementation, but also some common auxiliary functions.

The main flow of data plus / detachment processing is as follows:

1) Syntax analysis of the SQL command, if the syntax is correct, turn the next step; if not correct, turn 6), directly handle the SQL command to the database server.

2) Whether is the internal control command for the database plus / detachment engine? If so, process the internal control command, then turn 7); if it is not to turn a step.

3) Check if the database plus / off engine is in a closed state or whether the SQL command only needs to be compiled. If you turn 6), otherwise it will step down.

4) Retrieve the encrypted dictionary, and the SQL command is cleaved in accordance with the encryption definition.

5) Does the SQL command need to encrypt? If so, encrypt the SQL command, replace the original SQL command, then turn a step; otherwise directly to step. 6) Transfer the SQL command to the database server processing.

7) The SQL command is executed, clear the SQL command buffer.

The above explains the principle of encryption function in the outer layer of the DBMS in an example.

5. Conclusion

This paper reviews database system security intrusion technology, proposes three levels of levels of security systems for database systems, and describes three levels of technical means. The text is also the principle of encrypting function in the DBMS outer layer as an example, and how to apply security technologies for the application of database management system levels.

The three levels of the database system security framework are complementary, and the key points of the level and the technical means taken are not the same. A good security system must consider the nuclear use of these technologies to ensure the safety of data.

Encryption Dictionary

Encryption system

application

Database plus officer

Database server

Encrypted dictionary

User data

The database encryption system implemented in the above manner has many advantages: First, the system is completely transparent to the end user of the database, and the administrator can perform clear text and ciphertic conversion work as needed; secondly, the encryption system is completely independent of the database application system. Data encryption function can be implemented without changing the database application system;

The database plus / debut engine is the core component of the database encryption system. It is located between the application and the database server, which is responsible for completing the addition / detachment processing of database information in the background, which is transparent to applicants and operators. The data plus / debut engine does not have an operation interface, which is automatically loaded by the operating system when needed, and resides in memory, communicating with the encrypted dictionary manager and user application through internal interface. The database plus / outstanding engine consists of three major modules: plus / detachment module, user interface module, and database interface module, as shown in Figure 4. Where the "Database Interface Module" is to accept the user's operational request and passed to the "Plus / Dip Processing Module", but also replace the "Plus / Dip Process Module" to access the database server, and complete the external interface The conversion between the parameters and the internal data structure of the plus / detachment engine. "Plus / Dip Process Module" completes the initialization of the database plus / detachment engine, the processing of internal dedicated commands, retrieval of encrypted dictionary information, management of encrypted dictionary buffers, encryption transformation of SQL commands, detachment results of query results and Adding dense algorithm implementation, but also some common auxiliary functions.

The main flow of data plus / detachment processing is as follows:

1) Syntax analysis of the SQL command, if the syntax is correct, turn the next step; if not correct, turn 6), directly handle the SQL command to the database server.

2) Whether is the internal control command for the database plus / detachment engine? If so, process the internal control command, then turn 7); if it is not to turn a step.

3) Check if the database plus / off engine is in a closed state or whether the SQL command only needs to be compiled. If you turn 6), otherwise it will step down.

4) Retrieve the encrypted dictionary, and the SQL command is cleaved in accordance with the encryption definition.

5) Does the SQL command need to encrypt? If so, encrypt the SQL command, replace the original SQL command, then turn a step; otherwise directly to step.

6) Transfer the SQL command to the database server processing.

7) The SQL command is executed, clear the SQL command buffer.

The above explains the principle of encryption function in the outer layer of the DBMS in an example.

5. Conclusion

This paper reviews database system security intrusion technology, proposes three levels of levels of security systems for database systems, and describes three levels of technical means. The text is also the principle of encrypting function in the DBMS outer layer as an example, and how to apply security technologies for the application of database management system levels.

The three levels of the database system security framework are complementary, and the key points of the level and the technical means taken are not the same. A good security system must consider the nuclear use of these technologies to ensure the safety of data.

Encryption Dictionary

Encryption system

application

Database plus officer

Database server

Encrypted dictionary

User data

The database encryption system implemented in the above manner has many advantages: First, the system is completely transparent to the end user of the database, and the administrator can perform clear text and ciphertic conversion work as needed; secondly, the encryption system is completely independent of the database application system. Data encryption function can be implemented without changing the database application system;

(3) Collaborative intrusion monitoring technology

An intrusion monitoring system that operates in isolation cannot monitor and respond effectively to large-scale, distributed intrusion activity. To make up for the limitations of stand-alone operation, the idea of collaborative intrusion monitoring systems was proposed. In a collaborative intrusion monitoring system, the IDS components follow a unified specification and exchange information with one another automatically; the exchanged information yields effective monitoring of intrusions and can be applied across different network environments [3].

3. Host Operating System Hierarchical Security Technology

The operating system is the platform on which large database systems run, and it provides the database system with a certain degree of security protection. At present most operating system platforms are Windows NT and UNIX, whose security level is usually C1 or C2. The main security technologies at this level are operating system security policies, security management strategies, and data security.

The operating system security policy is used to configure the security settings of the local computer, including the password policy, account lockout policy, audit policy, IP security policy, user rights assignment, encrypted data recovery agents, and other security options [7]. Concretely, it is embodied in user accounts, passwords, access permissions, auditing, and so on.

User account: the "identity card" with which a user accesses the system; only legitimate users hold accounts.

Password: the user's password provides verification when the user accesses the system.

Access permissions: specify what the user is allowed to do.

Audit: tracks and records user behaviour, so that the system administrator can analyse the access situation of the system and investigate after the fact.

Security management strategies are the methods and policies that network administrators adopt to carry out security management. Different operating systems call for different security management strategies in a networked environment; their core is to ensure the security of the server and to properly assign the various categories of users.

Data security is mainly reflected in data encryption technology, data backup, data storage security, data transmission security, and so on. Many technologies can be used here, chiefly Kerberos authentication, IPsec, SSL, TLS and VPN (PPTP, L2TP).

4. Database Management System Hierarchical Security Technology

The security of the database system depends to a large extent on the database management system. If the security mechanism of the DBMS is strong, the security of the database system is correspondingly good. At present the relational database management systems popular on the market have relatively weak security features, which poses a certain threat to the security of database systems.

Because the database system is managed under the operating system, an intruder can exploit vulnerabilities of the operating system directly to steal database files, or use OS tools to forge or tamper with the contents of database files. Ordinary database users find this hidden danger hard to detect; analysing and blocking this vulnerability is considered a B2-level security technical measure [4].

Security technology at the database management system level is mainly used to solve this problem: when the two preceding levels have been breached, it can still safeguard the security of the data, which requires the DBMS to have a strong security mechanism. One effective approach is for the DBMS to encrypt the database files, so that even if the data is leaked or lost it is difficult to decipher and read.

Encryption of database data can be considered at three different levels: the OS layer, the DBMS core layer, and the DBMS outer layer.

(1) Encryption at the OS layer. At the OS layer, the data relationships inside the database file cannot be identified, so reasonable keys cannot be generated, and key management and use are difficult to organise sensibly. Therefore, for large databases it is difficult to encrypt the database files at the OS layer.

(2) Encryption at the DBMS core layer. This means the data is encrypted before physical access. The advantage of this method is that the encryption is strong, and the encryption feature does not affect the functions of the DBMS, so seamless coupling between the encryption function and the database management system can be achieved. Its disadvantage is that the encryption operations are performed on the server side, which increases the server's load, and the interface between the DBMS and the encryptor requires the support of the DBMS developer.

[Figure: encryption at the DBMS core layer. Components: tool for defining encryption requirements; DBMS; database application; encryptor (software or hardware).]

(3) Encryption implemented outside the DBMS. A more practical approach is to build the database encryption system as an outer-layer tool of the DBMS that automatically encrypts and decrypts database data according to the defined encryption requirements:

[Figure: encryption in the DBMS outer layer. Components: tool for defining encryption requirements; encryptor (software or hardware); DBMS; database application.]

With this method, encryption and decryption can be performed at the client. Its advantages are that the load of the database server is not increased and that the data is encrypted while in transit; its disadvantages are that the encryption function is subject to some restrictions and that the coupling with the database management system is somewhat looser.

Below we explain further the principle of implementing the encryption function in the outer layer of the DBMS:

The database encryption system is divided into two main components: the encryption dictionary management program and the database encryption/decryption engine. The database encryption system stores the user's specific encryption requirements and basic information in the encryption dictionary and, by calling the encryption/decryption engine, performs encryption, decryption and data conversion of database tables. The processing of database information is completed in the background and is transparent to the database server.

[Figure: structure of the database encryption system. Components: encryption dictionary management program; encryption system application; database encryption/decryption engine; database server; encryption dictionary; user data.]

A database encryption system implemented in this way has many advantages. First, the system is completely transparent to end users of the database, and the administrator can convert between plaintext and ciphertext as needed. Second, the encryption system is completely independent of the database application system, so the data encryption function can be implemented without changing the database application system.

The database encryption/decryption engine is the core component of the database encryption system. It sits between the application and the database server and is responsible for encrypting and decrypting database information in the background, transparently to application developers and operators. The encryption/decryption engine has no operating interface; it is loaded automatically by the operating system when needed, resides in memory, and communicates with the encryption dictionary manager and the user application through internal interfaces. The engine consists of three main modules: the encryption/decryption processing module, the user interface module, and the database interface module, as shown in Figure 4. The database interface module accepts the user's operation requests and passes them to the encryption/decryption processing module; it also accesses the database server on behalf of the encryption/decryption processing module, and performs the conversion between the parameters of the external interface and the internal data structures of the engine. The encryption/decryption processing module handles initialisation of the engine, processing of internal dedicated commands, retrieval of encryption dictionary information, management of the encryption dictionary buffer, encryption transformation of SQL commands, decryption of query results, implementation of the encryption algorithms, and some common auxiliary functions.

The main flow of encryption/decryption processing is as follows:

1) Parse the syntax of the SQL command. If the syntax is correct, go to the next step; if not, go to 6) and hand the SQL command directly to the database server.

2) Is it an internal control command for the encryption/decryption engine? If so, process the internal control command and go to 7); if not, go to the next step.

3) Check whether the encryption/decryption engine is in the closed state, or whether the SQL command only needs to be compiled. If either holds, go to 6); otherwise go to the next step.

4) Retrieve the encryption dictionary and decompose the SQL command according to the encryption definitions.

5) Does the SQL command need to be encrypted? If so, encrypt it and replace the original SQL command, then go to the next step; otherwise go directly to the next step.

6) Pass the SQL command to the database server for processing.

7) After the SQL command has been executed, clear the SQL command buffer.

The above explains, by way of an example, the principle of implementing the encryption function in the outer layer of the DBMS.
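The seven-step flow above, together with the engine description before it, as an added example; this is not the paper's code nor any product's. Python's sqlite3 stands in for the database server, a dict for the encryption dictionary, and HMAC-SHA256 run in counter mode with an HMAC tag stands in for a production AEAD cipher such as AES-GCM. The table, column keys, the `ENGINE ON`/`ENGINE OFF` control commands and the sample row are all constructed for the demonstration.

```python
import hashlib
import hmac
import os
import re
import sqlite3

# Encryption dictionary: (table, column) -> column key.  Constructed sample values.
ENCRYPTION_DICTIONARY = {
    ("employees", "salary"): hashlib.sha256(b"demo-key-salary").digest(),
    ("employees", "ssn"): hashlib.sha256(b"demo-key-ssn").digest(),
}

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: concatenated HMAC(key, nonce || counter) blocks (stand-in for a block cipher)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt_value(key: bytes, plaintext: str) -> bytes:
    """Randomised encrypt-then-MAC: nonce || ciphertext || 16-byte tag."""
    nonce = os.urandom(16)
    data = plaintext.encode("utf-8")
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag

def decrypt_value(key: bytes, blob: bytes) -> str:
    """Verify the tag first: a blob tampered with at the file level is rejected, never decrypted."""
    nonce, ct, tag = blob[:16], blob[16:-16], blob[-16:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode("utf-8")

class CryptoEngine:
    """Sits between the application and the database server, transparent to both."""

    INSERT_RE = re.compile(r"^\s*INSERT\s+INTO\s+(\w+)\s*\(([^)]*)\)\s*VALUES\s*\(([^)]*)\)\s*$", re.I)
    SELECT_RE = re.compile(r"^\s*SELECT\s+.+?\s+FROM\s+(\w+)", re.I | re.S)

    def __init__(self, conn: sqlite3.Connection, dictionary: dict):
        self.conn, self.dictionary = conn, dictionary
        self.enabled = True  # step 3: the engine's open/closed state

    def execute(self, sql: str, params: tuple = ()) -> list:
        cmd = sql.strip().upper()
        if cmd in ("ENGINE ON", "ENGINE OFF"):  # step 2: internal control command
            self.enabled = cmd == "ENGINE ON"
            return []                            # step 7: nothing is sent to the server
        if self.enabled:                         # step 3: a closed engine passes everything through
            m = self.INSERT_RE.match(sql)        # step 1: only statements the engine can parse are rewritten
            if m:
                return self._insert(m, sql, params)
            m = self.SELECT_RE.match(sql)
            if m:
                return self._select(m.group(1).lower(), sql, params)
        return self.conn.execute(sql, params).fetchall()  # step 6: forwarded unchanged

    def _insert(self, m, sql, params):
        table = m.group(1).lower()
        columns = [c.strip().lower() for c in m.group(2).split(",")]
        if m.group(3).count("?") != len(columns) or len(params) != len(columns):
            return self.conn.execute(sql, params).fetchall()  # not a pure placeholder insert: pass through
        # Steps 4 and 5: consult the dictionary and replace the bound values of
        # protected columns with ciphertext before the statement is sent (step 6).
        rewritten = tuple(
            encrypt_value(self.dictionary[(table, c)], str(v)) if (table, c) in self.dictionary else v
            for c, v in zip(columns, params))
        return self.conn.execute(sql, rewritten).fetchall()

    def _select(self, table, sql, params):
        # Step 6, then the engine's other half: decrypt the protected result columns.
        cur = self.conn.execute(sql, params)
        names = [d[0].lower() for d in cur.description]
        return [tuple(
            decrypt_value(self.dictionary[(table, n)], v) if (table, n) in self.dictionary and isinstance(v, bytes) else v
            for n, v in zip(names, row)) for row in cur.fetchall()]

def demo() -> dict:
    """One round trip: what the application sees versus what is stored in the database file."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (name TEXT, salary BLOB, ssn BLOB)")
    engine = CryptoEngine(conn, ENCRYPTION_DICTIONARY)
    engine.execute("INSERT INTO employees (name, salary, ssn) VALUES (?, ?, ?)",
                   ("alice", "98000", "123-45-6789"))
    app_view = engine.execute("SELECT name, salary, ssn FROM employees")
    # Someone who copies the database file (the OS-level theft described in the text) sees only this:
    raw = conn.execute("SELECT name, salary, ssn FROM employees").fetchall()
    return {"app_view": app_view,
            "raw_salary_is_ciphertext": isinstance(raw[0][1], bytes) and b"98000" not in raw[0][1]}

if __name__ == "__main__":
    print(demo())
```

Because the values are encrypted with a fresh random nonce each time, the server can no longer evaluate `WHERE salary = ?` on a protected column; that is one concrete instance of the "restrictions on the encryption function" the text attributes to outer-layer encryption, and it is why such systems either keep searchable columns in plaintext or fall back to deterministic encryption for them.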

5. Conclusion

This paper reviews database system security and intrusion techniques, proposes a three-level security framework for database systems, and describes the technical means at each of the three levels. Taking the principle of implementing the encryption function in the outer layer of the DBMS as an example, it also illustrates how security technologies can be applied at the database management system level.

The three levels of the database system security framework complement each other; the focus of each level and the technical means adopted differ. A sound security system must consider the combined use of these technologies to ensure the security of data.


Please cite the original address when reposting: https://www.9cbs.com/read-38621.html
