SQL Server Database Security Monitoring System Design and Implementation
[Paper Keywords] SQL Server; database security; monitoring system
[Abstract] The monitoring information that a database access-monitoring strategy must obtain includes: the sources of database threats, threat characteristics, database audit events, and database operating performance indicators. By studying database threats and building a repository of them, one can understand the means of attack and the attack signatures to detect, and identify the sources of that information. This provides the basis for the monitoring information strategy and ensures that the acquisition of database monitoring information is complete and reliable. This paper discusses a security monitoring system for SQL Server databases.
First, the overall structure of the system
The following redesigns the structure of the database security monitoring system from the horizontal, vertical and tangential perspectives, to remedy the shortcomings of the original system's structural design, and analyzes the result from each perspective.
1. The horizontal structure
From the horizontal view, the system is divided into an information acquisition subsystem, an analysis machine subsystem and a console subsystem. The system modules were re-classified according to their functions, a real-time status query module was added, and the sources of data for analyzing security threats in the database security monitoring system were extended. The horizontal structure is shown in Figure 1:
a. Information acquisition subsystem
b. Analysis machine subsystem
c. Console subsystem
The information acquisition subsystem sits at the bottom of the whole system and is the foundation of its operation. It collects data from the database server in real time in a host-based manner, tracks the host's network communication sessions, and applies a second-stage filter to the collected data in order to reduce the amount of data transferred between modules and the analysis time of the upper-layer module. It then sends the data over the designated data transmission channel to the analysis machine subsystem above it for further processing.
The analysis machine subsystem is the middle layer of the whole system. Its role is to receive the raw data records from the layer below and process them further. The analysis module in this layer matches the collected raw data against the rules in the existing rule base (pattern matching), separates normal behavior from unauthorized access and illegal intrusion, stores the results of the analysis in the log database, and raises an alarm for operations that violate the rules.
The console subsystem is the human-computer interface: it lets the user manage, control and configure the system and provides a query interface for intrusion records. It is responsible for controlling and managing the information acquisition and analysis machine subsystems, generating security rules, receiving and storing alarm and log information, compiling statistics on that information, analyzing and handling alarm events further, and exposing an open interface to support a higher-level security management platform.
2. The vertical structure
From the vertical perspective, and unlike the original system, the new database security monitoring system adopts an acquisition, analysis and response architecture. It builds on object-oriented and component-oriented development techniques and introduces the idea of a service-oriented framework, so that acquisition is separated from analysis and communication is separated from business logic. The vertical structure is shown in Figure 2:
The TCP/IP layer and the physical network layer form the lowest level of the system. The communication layer built on top of them manages all communication for the whole system and acts as the system bus; it supports asynchronous communication and resuming a transfer after an interruption. Above the communication layer is the business hosting layer, the container and management platform for all business modules. Its most important function is to provide information registration, so that information producers and information consumers can communicate. At the edge of the business hosting layer is the information gateway layer, which converts business data into standard protocol formats in order to interconnect and cascade with other systems (including security devices). At the top are the specific business modules, which act as information producers and information consumers: information acquisition can be regarded as the information producer, analysis is the information consumer, and response is the consumer of secondary information and the ultimate consumer.
Combining the AAR framework with traditional service-oriented thinking makes the four layers independent of one another and loosely coupled. Once the hosting platform is in place, developing the corresponding business plug-ins on it becomes very convenient, which realizes the core idea of service-oriented and component-oriented development: on demand and changeable.
The structural design also achieves a distributed system with centralized control and multi-layer management. The system consists of detection systems, analysis systems and control systems; each subsystem uses a layered design in which business logic and communication management are implemented in separate layers. One control system can manage multiple analysis systems, and one analysis system can support up to fifty detection systems on different system platforms.
3. The tangential structure
Viewed tangentially, the key contexts of the new system become clearer. There are two key contexts, data and commands; each is highly cohesive internally and loosely coupled to the other, which increases the independence of the modules. Data is meant here in the narrow sense: the information that information producers provide to information consumers. Commands are the information by which the response module configures, maintains and manages the acquisition and analysis modules. Data (including data and real-time alarms) always flows bottom-up: it is collected from the monitored database and passes through IAS and AES, finally reaching MTS. Commands (control) always flow top-down: some are initiated by MTS (because of a user operation or a maintenance need) and travel via AES to IAS; the others are initiated by the AE (because of a system maintenance need) and travel to IAS.
Second, how the system works
The system is a host-based system for real-time, automated attack detection, recognition and response, running inside a network whose sensitive data needs protection. It obtains information about users' database operations through host-based monitoring. Using its own built-in signature database, it identifies violations of user-defined security rules and performs application-level attack inspection. When it finds an attack pattern or other illegal activity, it can react as follows: raise an alarm at the console, record the attack, and block the network connection in real time. It can also be extended as needed to work in linkage with firewalls and other security devices.
The interactions among the three subsystems (information acquisition, analysis machine and console) include the following:
1. Alarm handling. Once started, the probe automatically monitors the database on the host where it runs and collects information about database operations, including the SQL statement, the database operation, the login user name, the database host name, the current system user and the operation result (success or failure). It formats this information and sends it to the analysis machine. The analysis machine analyzes the information against its own rules, separates out the operations that endanger database security, and sends an alarm to the console. When the console receives the alarm message, the administrator issues a command to block the attack's source IP address. The block command is passed from the analysis machine to the probe, and the probe calls the system's own API functions to block the specified IP address, which protects the database against possible intrusion.
2. Command issuing. The console controls, maintains and updates the probe and the analysis machine, and queries them to obtain their running status. Commands are issued from the console to the analysis machine, or relayed by the analysis machine to the information acquisition part, and are then carried out by the command response module of the analysis machine or of the information acquisition part respectively. All console commands are delivered through a designated port, and the command responses of the information acquisition system and the analysis machine travel back up through the same communication port.
3. Data transfer. The probe, the analysis machine and the console transmit data to one another through designated ports. All data is converted to a unified format before it is sent and is passed in a fixed format.
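The analysis step of the middle layer and the three interactions above can be sketched end to end as follows. This is an added example, not code from the paper: the JSON record layout, the field names, the rule ids, the failed-login threshold and the automatic block (standing in for the administrator's command) are all assumptions, and the sample events are constructed.

```python
import json
import re
from collections import Counter

FIELDS = ("sql", "operation", "login", "db_host", "sys_user", "result", "src_ip")
# Hypothetical analyzer rule base: (rule id, pattern matched against the SQL text).
RULES = [
    ("always-true-predicate", re.compile(r"\bor\s+'?(\w+)'?\s*=\s*'?\1\b", re.I)),
    ("drop-object", re.compile(r"\bdrop\s+(table|database)\b", re.I)),
]
FAILED_LOGIN_LIMIT = 3  # assumed threshold per source IP

def ev(src_ip, operation, sql="", result="success"):
    return dict(sql=sql, operation=operation, login="app_user", db_host="db01",
                sys_user="svc_sql", result=result, src_ip=src_ip)

SAMPLE_EVENTS = [  # constructed input; login, host and user values are made up
    ev("192.0.2.10", "SELECT", "SELECT name FROM customers WHERE id = 42"),
    ev("192.0.2.10", "HEARTBEAT"),
    ev("198.51.100.7", "SELECT", "SELECT * FROM users WHERE name = '' OR '1'='1'"),
    ev("198.51.100.7", "DDL", "DROP TABLE users"),
] + [ev("203.0.113.5", "LOGIN", result="failure")] * 3

def probe_emit(event):
    """Probe: second-stage filter, then serialize to the fixed record format."""
    if event["operation"] == "HEARTBEAT":  # noise the analyzer never needs
        return None
    return json.dumps({f: event[f] for f in FIELDS}, sort_keys=True)

def analyze(line, failed):
    """Analyzer: match one record against the rule base; return its alarms."""
    rec = json.loads(line)
    alarms = [(rid, rec["src_ip"]) for rid, pat in RULES if pat.search(rec["sql"])]
    if rec["operation"] == "LOGIN" and rec["result"] == "failure":
        failed[rec["src_ip"]] += 1
        if failed[rec["src_ip"]] == FAILED_LOGIN_LIMIT:
            alarms.append(("failed-login-burst", rec["src_ip"]))
    return alarms

def run_pipeline(events):
    """Probe -> analyzer -> console; returns (alarms, blocked source IPs)."""
    failed, alarms, blocked = Counter(), [], set()
    for event in events:
        if event["src_ip"] in blocked:  # probe-side block already in force
            continue
        line = probe_emit(event)
        for alarm in analyze(line, failed) if line else []:
            alarms.append(alarm)
            blocked.add(alarm[1])  # stands in for the console's block command
    return alarms, blocked
```

Running `run_pipeline(SAMPLE_EVENTS)` shows the second statement from 198.51.100.7 never reaching the analyzer, because the block issued after the first alarm is already enforced at the probe.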