System and method for providing security protection for database
1. A system for providing security protection for a database, wherein the system operates in the operating system kernel to implement security protection for the database and for a remote access terminal, comprising an admission module, an access control module, a database file protection module, an encryption and decryption module, a hard disk copy prevention module and a log recording module, wherein:
A. the admission module is deployed on the database server and only allows legitimate users to query the database from legitimate addresses and legitimate devices in a legitimate manner; it also cuts off a network connection when it receives a blocking instruction;
B. the access control module is deployed on the remote access terminal, controls the data access applications and tools, and only allows a legitimate user to access the database from a legitimate address and legitimate device using a legitimate database connection application or tool;
C. the database file protection module is deployed on the database server, protects the security of the database files, and prevents them from being deleted, moved or copied;
D. the encryption and decryption module is deployed on the remote access terminal, encrypts database files exported or backed up by legitimate data access applications and tools, decrypts those files when they are imported, and automatically deletes the decrypted database files after the import is finished;
E. the hard disk copy prevention module is deployed on the database server, prohibits hard disk copy operations, and prevents database information from being stolen with a hard disk backup tool or Ghost software;
F. the log recording module is deployed on the database server and on the remote access terminal, and records the time, IP address and access state of legitimate and illegitimate devices accessing the database, together with records of database file deletion, move and copy operations; on the database server it also audits database access over the network in real time and, once a dangerous query operation is found, sends a blocking instruction to the admission module to block the dangerous operation.
2. The system according to claim 1, wherein the admission module allows a valid device to access the database, the valid device being a remote access terminal on which the system is deployed and which is identified by a heartbeat and a network packet identifier.
3. The system according to claim 1, wherein the admission module, after receiving a blocking command from the log recording module, disconnects the network connection with the IP address and port named in that command, the blocking command including the peer IP address and port and the locally connected port.
4. The system for providing security for a database of claim 1, wherein the access control module controls the applications and tools connected to the database so that only legitimate users may connect to the database from legitimate addresses and legitimate devices using legitimate database applications and tools, while all other applications and tools are prohibited from accessing the database; the access control module further controls the copy-and-paste, save, print, screen-capture and data backup path operations of the applications and tools connected to the database.
5. The system for providing security for a database as claimed in claim 1, wherein the database file protection module protects the database files from delete, copy and move operations.
6. The system of claim 1, wherein the encryption/decryption module encrypts database files exported and backed up by legitimately connected database applications and tools, decrypts encrypted database files before they are imported, and automatically deletes the decrypted database files after the import.
7. The system for providing security protection for a database as claimed in claim 1, wherein the hard disk copy prevention module prevents database information from being leaked through a backup of the whole hard disk made with a disk backup tool or Ghost software.
8. The system for providing security protection for a database according to claim 1, wherein the log recording module records the IP address, time and status of legitimate accesses to the database, records the IP address, time and status of illegitimate accesses to the database, and records copy, delete and move operations on the database files.
9. The system of claim 1, wherein the log recording module, deployed on the database server, audits operations accessing the database over the network in real time, supporting relational databases, NoSQL databases and distributed databases.
10. The system of claim 1, wherein the log recording module, deployed on the database server, audits operations accessing the database over the network in real time and sends a blocking instruction to the admission module when a dangerous query operation is found.
11. A method for providing security protection for a database, characterized in that the system for providing security protection for a database according to any one of claims 1 to 10 is adopted: only legitimate machines and legitimate database access tools are allowed to access the database; the copy, paste, screen-capture and print functions of the database access tools are controlled; backed-up data is encrypted; copy, delete and move operations on the database files are controlled; backup of the whole hard disk with a disk backup tool is prohibited; and the security of the database is thereby protected.
Background
With the continuous development of enterprise informatization, enterprises build information systems such as business, office and financial systems, and the data of these systems are stored in databases, among which databases holding sensitive client information are common. Database administrators try to prevent data leakage through user account management and user permission management. These measures cannot, however, prevent connections from unauthorized computers or access by unauthorized tools, and a user may export data through a legitimate application or tool and store the exported information on the access terminal. Database information leakage incidents caused in this way therefore occur frequently.
Existing database security software is built on the principles of database auditing and after-the-fact discovery, and has the following serious defects with respect to information leakage through database access:
1. There is no control over which computers access the database. Any computer can connect to the database, and connections from unauthorized computers cannot be prevented.
2. Any application or tool can connect to the database, so an unauthorized application or tool can obtain data from it.
3. Only the data files exported from the database are encrypted, which can effectively prevent leakage caused by loss of the file. However, because the information system is not matched with rights management, the usage rights of the downloader cannot be effectively limited, and leakage through unauthorized use by the downloader may result.
4. The database files are not protected and can be copied, deleted and moved at will, so the security of the database files cannot be guaranteed.
5. Database operations are audited (a network-level audit, not the audit function provided by the database), but auditing is only an after-the-fact measure, and timely blocking cannot be achieved when a dangerous operation is found.
Disclosure of Invention
The invention provides a security protection system and a security protection method for a database, which protect the data in the database through Windows operating system kernel driver, SPI, HOOK and encryption/decryption technologies when an enterprise application system accesses the database, so as to remove the possibility of information leakage through a terminal.
The database security protection system protects the security of the database at four layers.
1. Access to the database is managed and controlled. Legitimate users are allowed to access the database from legitimate devices using legitimate applications and tools; other connections to the database are forbidden as illegitimate, and illegitimate remote connections to the database are prevented.
2. The database files are controlled. Copying, deleting and moving of the database files is prevented, and data cannot be obtained by copying the hard disk, so the security of the database files is guaranteed.
3. Data files downloaded or exported from legitimate applications and database tools are encrypted and rights-managed at the time of use, preventing information leakage through misuse or unauthorized use by users.
4. Database operations are audited in real time, and once a dangerous query operation (which can be defined in advance) is found, data leakage is prevented by cutting off the network connection.
Fig. 1 shows the security protection system of an information system on a terminal according to the present invention, which comprises an admission module, an access control module, a database file protection module, an encryption and decryption module, a hard disk copy prevention module and a log recording module.
Admission module: controls computers' requests to connect to the database. A legitimate user who has been granted security permission can access the database from a legitimate address and a legitimate device (a remote access terminal on which the system is installed, identified by a heartbeat and a network packet marker) in a legitimate manner; other, illegitimate database connections are forbidden, preventing intrusion. In addition, the admission module monitors in real time the instruction information sent by the log recording module (the instruction contains the peer IP address and port and the locally connected port), and immediately cuts off the network connection with the IP address and port named in the instruction once a blocking instruction is received. The module is deployed on the database server and is part of the system's server program.
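The admission decision described above combines four checks (user, source address, packet marker, live heartbeat) and a second path that tears a connection down when the log recording module sends a blocking instruction carrying the peer IP address, peer port and local port. The following Python sketch is an added illustration of that logic, not code from the patent; the marker bytes `DBSEC1`, the 30-second heartbeat timeout, and the `Connection`/`AdmissionModule` names are assumptions made for the example, and the kernel-level connection teardown is represented only by dropping the session record.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed assumptions for this example (not taken from the patent text):
# the client program prefixes its packets with a fixed byte marker, and a
# terminal whose last heartbeat is older than HEARTBEAT_TIMEOUT seconds is no
# longer treated as a legitimate device.
PACKET_MARKER = b"DBSEC1"
HEARTBEAT_TIMEOUT = 30.0


@dataclass(frozen=True)
class Connection:
    """One TCP connection to the database server, as seen by the admission module."""
    peer_ip: str
    peer_port: int
    local_port: int


@dataclass
class AdmissionModule:
    allowed_users: set[str]       # legitimate users
    allowed_addresses: set[str]   # legitimate source addresses
    heartbeats: dict[str, float] = field(default_factory=dict)      # device_id -> last heartbeat time
    sessions: dict[Connection, str] = field(default_factory=dict)   # admitted connection -> device_id

    def heartbeat(self, device_id: str, now: float) -> None:
        """Record a heartbeat from a remote access terminal running the client program."""
        self.heartbeats[device_id] = now

    def device_is_legitimate(self, device_id: str, now: float) -> bool:
        """A device is legitimate only while its heartbeat is fresh."""
        last = self.heartbeats.get(device_id)
        return last is not None and now - last <= HEARTBEAT_TIMEOUT

    def admit(self, user: str, device_id: str, first_packet: bytes,
              conn: Connection, now: float) -> tuple[bool, str]:
        """Decide whether a new connection request is allowed; every condition must hold."""
        if user not in self.allowed_users:
            return False, "user not permitted"
        if conn.peer_ip not in self.allowed_addresses:
            return False, "address not permitted"
        if not first_packet.startswith(PACKET_MARKER):
            return False, "network packet marker missing"
        if not self.device_is_legitimate(device_id, now):
            return False, "no recent heartbeat from device"
        self.sessions[conn] = device_id
        return True, "admitted"

    def block(self, instruction: dict) -> bool:
        """Handle a blocking instruction from the log recording module.

        The instruction carries the peer IP address, peer port and local port.
        Returns True when a matching admitted connection was cut.
        """
        conn = Connection(instruction["peer_ip"], instruction["peer_port"], instruction["local_port"])
        if conn not in self.sessions:
            return False
        del self.sessions[conn]
        # The real system tears the TCP connection down in the kernel driver;
        # here removing the session record stands in for that step.
        return True


if __name__ == "__main__":
    m = AdmissionModule(allowed_users={"dba"}, allowed_addresses={"10.0.0.5"})
    c = Connection("10.0.0.5", 51000, 1521)
    m.heartbeat("terminal-1", 90.0)
    print(m.admit("dba", "terminal-1", PACKET_MARKER + b"...", c, 100.0))
    print(m.block({"peer_ip": "10.0.0.5", "peer_port": 51000, "local_port": 1521}))
```

The checks are ordered so that the cheapest, purely local ones (user, address, marker) run before the stateful heartbeat lookup, and a stale heartbeat rejects the device even when every other attribute matches, which is what ties "legitimate device" to the client program actually running rather than to an address alone.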
Access control module: controls the applications and tools that connect to the database. Only legitimate users using legitimate database applications and tools from legitimate addresses and legitimate devices are allowed to connect to the database; all other applications and tools are prohibited from accessing it. The module also controls operations such as copying and pasting data content, saving content, printing content, screen capture and the data backup path for applications and tools that are legitimately connected to the database. The module is deployed on the application terminal and is part of the system's client program.
Database file protection module: protects the database files. Copying, deleting and moving of the database files is forbidden, so the security of the database files is guaranteed. Anti-copy protection of the database files aims to prevent them from being copied out and then parsed, using the database's file format, to obtain the data illegitimately. Illegitimate copying of the database files is prevented with virtual disk technology and file filter driver technology; for ordinary (non-database) files, or where performance requirements are low, the same purpose can be achieved with HOOK API technology. This approach is fundamentally different from redirection drivers and disk encryption drivers: those can be applied to access control of ordinary files, but for a database system the frequency and required response time of IO operations are far beyond those of ordinary files, so a technical route based on redirection or disk encryption drivers cannot meet the operating requirements of a database system. The module instead uses a file filter driver to implement access control at the database file level, and this access control is neither redirection nor encryption and decryption. In addition, the database server (the database service) and the client (the database's client tools) are protected by different technical routes: the protection of the database server gives more weight to efficiency and stability, while the protection of the client side is more comprehensive. The module is deployed on the database server and is part of the system's server program.
Encryption and decryption module: encrypts data files downloaded, backed up and exported by the designated applications and tools. An encrypted file can be opened and modified normally within the secure environment in which the system is installed, but cannot be opened outside that environment. When an encrypted file needs to be imported into the database, it is automatically decrypted to plaintext before the import, and the plaintext file is deleted after the import completes. The module is deployed on the application terminal and is part of the system's client program.
Hard disk copy prevention module: prevents database information from being leaked through a whole-disk backup made with a disk backup tool (such as Ghost). Hard disk copy prevention aims to stop the database and the environment it runs in from being copied into a mirror environment, which would give an attacker more time and opportunity to break the protection. It has to use lower-layer technology, such as MBR (master boot record) boot technology or even BIOS (basic input/output system) technology, because a whole-disk copy can be made at any point in time (mostly before the operating system is loaded, whereas a file copy happens after the operating system is loaded), so its complexity differs greatly from that of a file copy operation. Hard disk copy prevention is also fundamentally different from setting a BIOS login password: a password does not protect the copy process, but only ensures that a copied disk cannot be used, whereas hard disk copy prevention deters the copy action itself. In another scenario, cloud computing is now developing rapidly and both the database system and the application system are deployed in the cloud using virtualization; the hard disk copy prevention module therefore detects that it is running in a virtual machine by identifying the virtualization attributes of the CPU. The module is deployed on the database server and is part of the system's server program.
Log recording module: records logs of operations on the database, including the IP address, time, application and tool of each permitted or prohibited database access, the login user and time of each permitted or prohibited copy, delete or move of a database file, and the operations (screenshot, save, copy-paste, print) performed on encrypted documents that have been opened. The log recording module is linked with the other five modules (admission module, access control module, database file protection module, encryption and decryption module and hard disk copy prevention module) to record dangerous and illegitimate operations, and it also audits legitimate operations. On the database server, one thread of the log recording module audits database access in real time (supporting relational databases such as Oracle, MySQL, Microsoft SQL Server, Dameng and Renshan storehouse; NoSQL databases such as MongoDB; and distributed databases such as Hive and HBase), and once a dangerous query operation (predefinable) is found, it sends a blocking instruction to the admission module to block the dangerous operation. The module is deployed on both the database server and the application terminal, and is part of both the server program and the client program of the system.
The system for providing security protection for a database provided by the invention is a system product that must be operable. Conventional virtual encrypted disk technology cannot meet the reliability and performance requirements of a real database system, so such an immature technology cannot be used in the system. The system is operable, implements security protection of the database files through kernel-level access control technology of the operating system, prevents the risk that the database files are damaged maliciously or accidentally so that the database system can no longer provide service, and is thereby one approach to the information security availability of a core system.
The encryption and decryption module described in the system is deployed on the terminal that remotely accesses the database server, since in current practice database maintenance personnel operate the database through remote access. The module addresses the security of database data that is downloaded or exported and stored at the terminal: it encrypts and decrypts the data automatically and, together with the log recording module, records the user's operations so that they are auditable and traceable.
The invention provides a system and a method for providing security protection for a database. The admission module controls the computers connected to the database, the access control module controls the applications and tools connected to the database, and the encryption and decryption module encrypts and decrypts the files exported or imported by the applications and tools connected to the database. The log recording module records all database operations, control actions and related information.
Drawings
FIG. 1 is a schematic diagram of the security protection system according to the present invention.
The specific implementation is as follows:
A server program is installed on the database server, and a client program is installed on the application terminal.
In addition, an important point in implementing the system of the invention is the setting of the security policy.
The security policy includes the following items:
1) security level setting
To meet the different security requirements of various customers, there are three security levels: secret, secret.
2) Encryption algorithm setting
Different encryption algorithms, such as DES, 3DES, AES and RC4, may be set in the application.
3) Key setting
Different keys can be set in the application program, and keys of any length can be set.
4) Dangerous query operation settings
The query objects are defined, comprising table names and field names.
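The real-time audit thread of the log recording module and policy item 4 together describe one mechanism: a dangerous query is predefined as a table name, optionally narrowed to a field name, each captured statement is checked against that definition, and a match produces a blocking instruction holding the peer IP address, peer port and local port for the admission module. The following Python example is added here to show that mechanism end to end; it is not code from the patent. The tokenizer, the `DangerousObject`, `referenced_objects`, `match_dangerous` and `audit` names, and the sample policy and captured statements are all constructed for the example. The recogniser is intentionally small (it treats `*` as touching every field and blanks string literals so quoted text is never taken for an identifier); a production auditor would use a real SQL parser for the dialects the module supports.

```python
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class DangerousObject:
    """A predefined dangerous query object: a table, optionally narrowed to one field."""
    table: str
    field: str | None = None   # None means any statement touching the table is dangerous


# Tokens: identifiers (possibly qualified, e.g. c.id_number), '*', or one punctuation char.
TOKEN_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_.]*|\*|[^\sA-Za-z0-9_.]")
TABLE_KEYWORDS = {"FROM", "JOIN", "INTO", "UPDATE", "TABLE"}
KEYWORDS = TABLE_KEYWORDS | {
    "SELECT", "WHERE", "AND", "OR", "ON", "SET", "DELETE", "INSERT", "VALUES", "AS",
    "DROP", "ORDER", "BY", "GROUP", "LIMIT", "INNER", "LEFT", "RIGHT", "OUTER", "NOT",
    "NULL", "LIKE", "IN", "TRUNCATE", "ALTER", "ASC", "DESC", "DISTINCT", "IS",
}


def referenced_objects(sql: str) -> tuple[set[str], set[str]]:
    """Return the (tables, fields) a statement refers to, lower-cased.

    String literals are blanked first so text inside quotes is never mistaken
    for an identifier; '*' is kept as a field because it exposes every column.
    """
    sql = re.sub(r"'[^']*'", "''", sql)
    tables: set[str] = set()
    fields: set[str] = set()
    expect_table = False   # previous token was FROM/JOIN/INTO/UPDATE/TABLE
    after_table = False    # previous token was a table name (handles "FROM a, b")
    for tok in TOKEN_RE.findall(sql):
        up = tok.upper()
        if expect_table:
            expect_table = False
            if up not in KEYWORDS and tok != "(":      # "(" would start a subquery
                tables.add(tok.lower().split(".")[-1])
                after_table = True
                continue
        if after_table and tok == ",":
            expect_table = True
            after_table = False
            continue
        after_table = False
        if up in TABLE_KEYWORDS:
            expect_table = True
        elif tok == "*":
            fields.add("*")
        elif (tok[0].isalpha() or tok[0] == "_") and up not in KEYWORDS:
            parts = tok.lower().split(".")
            fields.add(parts[-1])
            if len(parts) > 1:
                tables.add(parts[0])   # qualifier: a table name or an alias (kept conservatively)
    return tables, fields


def match_dangerous(sql: str, policy: list[DangerousObject]) -> list[DangerousObject]:
    """Return the policy entries a statement violates."""
    tables, fields = referenced_objects(sql)
    hits = []
    for obj in policy:
        if obj.table.lower() not in tables:
            continue
        if obj.field is None or "*" in fields or obj.field.lower() in fields:
            hits.append(obj)
    return hits


def audit(sessions: list[dict], policy: list[DangerousObject]) -> list[dict]:
    """Real-time audit step: for each captured statement that matches the policy,
    emit a blocking instruction carrying peer IP, peer port and local port."""
    instructions = []
    for s in sessions:
        hits = match_dangerous(s["sql"], policy)
        if hits:
            instructions.append({
                "peer_ip": s["peer_ip"], "peer_port": s["peer_port"],
                "local_port": s["local_port"],
                "reason": ",".join(f"{h.table}.{h.field or '*'}" for h in hits),
            })
    return instructions


# Constructed policy and captured statements for the demonstration.
POLICY = [
    DangerousObject("customers", "id_number"),
    DangerousObject("customers", "phone"),
    DangerousObject("payroll"),
]
SESSIONS = [
    {"peer_ip": "10.0.0.5", "peer_port": 51000, "local_port": 1521,
     "sql": "SELECT name, city FROM customers WHERE city = 'Shenzhen'"},
    {"peer_ip": "10.0.0.5", "peer_port": 51001, "local_port": 1521,
     "sql": "SELECT * FROM customers"},
    {"peer_ip": "10.0.0.7", "peer_port": 52000, "local_port": 1521,
     "sql": "SELECT c.id_number FROM customers c JOIN orders o ON c.id = o.customer_id"},
    {"peer_ip": "10.0.0.7", "peer_port": 52001, "local_port": 1521,
     "sql": "UPDATE payroll SET salary = 0 WHERE employee = 'phone'"},
    {"peer_ip": "10.0.0.9", "peer_port": 53000, "local_port": 1521,
     "sql": "DELETE FROM orders WHERE id = 7"},
]


def run_demo() -> list[dict]:
    """Audit the constructed sessions; three of the five statements are blocked."""
    return audit(SESSIONS, POLICY)


if __name__ == "__main__":
    for instruction in run_demo():
        print(instruction)
```

Two details matter for a defender here: `SELECT *` must count as touching every protected field, otherwise a whole-table read slips past a field-level rule, and the literal `'phone'` in the fourth statement must not trigger the `customers.phone` rule, otherwise benign statements are cut off and operators learn to ignore the blocks. The `reason` string in each instruction is what the log recording module would write to the audit trail alongside the blocked connection.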