Data correlation method based on J2EE platform and correlation plug-in

A data correlation and plug-in technology, applied to electrical components, program control devices, transmission systems, etc., that addresses problems such as locating security incidents, the limited accuracy of existing correlation models, and the performance degradation of security audit products.

Active Publication Date: 2014-03-19
BEIJING VENUS INFORMATION SECURITY TECH +1
Cites: 3 | Cited by: 19

AI-Extracted Technical Summary

Problems solved by technology

These association models are based on timestamps, probability statistics, association rules, or sql template learning. From a technical point of view, it is difficult for these association models to achieve 100% association,...

Abstract

The invention discloses a data correlation method based on a J2EE platform, together with a correlation plug-in, and relates to security audit technology. The method comprises the following steps: when a WEB application server receives a service request triggered by a logged-in user, the correlation plug-in obtains and stores the correlation information of the service request, which comprises the user information and the service information corresponding to that request; when the WEB application server requests data from a database according to the service request, the correlation plug-in embeds the stored correlation information into the SQL statement as a comment and transmits the SQL statement carrying the correlation information to a switch as database protocol packets. The invention also discloses the correlation plug-in. The technical scheme is an accurate service audit technology based on the J2EE platform, used to correlate application user login information with service action information, and the correlation accuracy reaches 100%.

Application Domain

Transmission; Specific program execution arrangements

Technology Topic

Protocol for Carrying Authentication for Network Access; Annotation; +8

Example Embodiment

[0026] Example 1
[0027] The applicant proposes that a plug-in can be deployed on the Web application server. The plug-in adds a user information probe to the class that processes HTTP requests and an SQL information probe to the class that processes SQL statements. The user information probe is responsible for obtaining user information and business information; the SQL information probe is responsible for associating the user information and business information with the SQL statements triggered by the business. The associated SQL statement therefore carries the user information and business information, which appear in the statement as a comment in the form of a feature string. A database audit system is deployed to audit the database protocol traffic at the entrance switch of the database server; it parses the feature string to form a complete SQL event associated with user information and business information and records it in the database audit log. Afterwards, security incidents can be accurately located and traced to their source simply by analysing the database audit logs, and a variety of business-based analysis reports can be built on this basis.
[0028] Based on the above ideas, this embodiment provides an association plug-in, which can be applied to a WEB server, and at least includes the following parts.
[0029] The user information probe unit acquires and stores associated information of the service request when the WEB application server receives the service request triggered by the logged-in user, and the associated information includes user information and service information corresponding to the service request;
[0030] The SQL information probe unit, when the WEB application server requests data from the database according to the business request, associates the stored association information of the business request into the SQL statement in the form of comments.
[0031] In practical applications, the above association plug-in can be located in the WEB server to realise data association based on the J2EE platform. The entire data association system is then as shown in Figure 1. An association plug-in component is added to the WEB application server; the plug-in runs as part of the middleware instance, inside the same JVM (Java virtual machine) instance. The database audit server is deployed on the bypass mirror port of the entrance switch of the database server. Since it is a bypass device, the database audit server has no impact on the database server.
[0032] Specifically, the user information probe unit in the association plug-in acquires and stores user information (including at least the source IP and user name) and business information (including at least the business URL) when the WEB middleware processes a user request; and the SQL information probe unit adds the current user information and business information, as a characteristic string inside an SQL comment, before the WEB application requests data from the database. When the SQL statement with the associated information passes through the switch as packets, it is copied from the bypass mirror port to the database audit server for processing. The database server automatically ignores the comment part of the SQL sent to it, so the comment is not processed and has no impact on the normal operation of the database. Preferably, before the WEB middleware returns the response data to the user, the user information probe unit releases the stored user information and business information of the current user, reducing the memory consumption of the association plug-in. Since the user request and its response are handled entirely in the same Java thread, 100% accurate correlation can be achieved.
[0033] Figure 2 illustrates the main process by which the system, using the above association plug-in, carries out a user's business operation.
[0034] First, the user client completes the login and triggers a business request (an HTTP or HTTPS request).
[0035] The Web middleware, to which the user information probe unit has been added, obtains and stores the user information and business information. When the Web application, to which the SQL information probe unit has been added, executes an SQL operation, the stored user information and business information are associated with the SQL statement in the form of a comment, and the database protocol TCP packet flow is then sent to the switch.
[0036] The switch mirrors the database traffic to the database audit server for auditing and at the same time forwards the database traffic to the database server.
[0037] The database server executes the SQL statement and returns the execution result.
[0038] The Web application (with the SQL information probe unit) and then the Web middleware (with the user information probe unit) process the execution result to form the response data for the user request. At this point the stored user information and business information can be deleted, and finally the response data is returned to the client user.
[0039] Specifically, an interception code can be added to the class of the web middleware processing the request, through which the user information and business information can be obtained from the http request, and the user information can be deleted from the plug-in before the request ends.
[0040] Similarly, interception code can be added to the class that processes sql statements in the web application, through which user information and business information can be obtained from the associated plug-in, and added to the sql comment in the form of a feature string, thereby forming an association.
[0041] In this embodiment, the interception code added by the association plug-in uses Java bytecode manipulation: it manipulates the bytecode directly when the relevant classes are loaded, and uses the Java proxy pattern to obtain the user information and business information and associate them with the SQL request. The interception code fully considers various abnormal situations: even if an exception occurs inside the interception code, the user's business operation still executes normally without any impact. The interception code also writes an installation log and an operation log (the log level is configurable) to meet the operational requirements of the actual environment.
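The two probes of paragraphs [0029] to [0041] and the per-thread context they share, modelled in Python as an added example (this is not the plug-in's own Java code). The comment layout `/*DRELATE key=value;...*/`, the probe function names and the sample requests are assumptions, since the page does not specify the feature string.

```python
import threading

# Constructed feature-string layout (assumption: the page fixes neither the
# marker nor the separators, only that the data rides inside an SQL comment).
MARKER = "DRELATE"
_context = threading.local()  # one slot per worker thread, like a Java ThreadLocal

def _clean(value):
    """Keep user-influenced values (user name, URL) from closing the comment
    early or corrupting the key=value layout."""
    return value.replace("*/", "").replace("\n", " ").replace(";", ",")

def on_request_received(source_ip, user_name, business_url):
    """User information probe: runs when the middleware starts handling an
    HTTP request from a logged-in user."""
    _context.info = {"ip": source_ip, "user": user_name, "url": business_url}

def on_sql_execute(sql):
    """SQL information probe: prefix the statement with the correlation comment.
    Without a stored context the statement passes through unchanged, so a probe
    failure never blocks the business operation."""
    info = getattr(_context, "info", None)
    if not info:
        return sql
    fields = ";".join(f"{key}={_clean(val)}" for key, val in info.items())
    return f"/*{MARKER} {fields}*/ {sql}"

def on_response_sent():
    """Release the stored context before the response goes back to the user."""
    _context.info = None

def handle_request(source_ip, user_name, url, sql):
    """One business request served start to finish on one worker thread."""
    on_request_received(source_ip, user_name, url)
    try:
        return on_sql_execute(sql)
    finally:
        on_response_sent()

def serve_concurrently(requests):
    """Serve each (ip, user, url, sql) tuple on its own thread. Each thread sees
    only its own user, which is why same-thread handling correlates exactly."""
    results = [None] * len(requests)

    def worker(i):
        results[i] = handle_request(*requests[i])

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(len(requests))]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results
```

The `_clean` step is the one check the page does not spell out: the comment is built from values the user supplies, so anything that could close the comment early must be stripped before the statement reaches the database.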
[0042] In this embodiment, the association plug-in comes in two models, drelate15 and drelate14.
[0043] drelate15 is suitable for Web middleware servers running on JDK 1.5, JDK 1.6 and JDK 1.7.
[0044] drelate14 is suitable for Web middleware servers running on JDK 1.3 and JDK 1.4.
[0045] The drelate15 and drelate14 plug-ins currently support only four middlewares: Tomcat, JBoss, WebLogic and WebSphere; support for other middleware can be added by customisation.
[0046] The drelate15 and drelate14 plug-ins currently support only four databases: Oracle, SQL Server, MySQL and DB2; support for other databases can be added by customisation.
[0047] The drelate15 and drelate14 plug-ins can run on any operating system on which the corresponding JDK runs.
[0048] In addition, a J2EE business audit system using the above association plug-in was stress-tested with 80 users on a large-scale e-commerce platform.
[0049] Some parameters of the Web middleware server: Red Hat Enterprise Linux Server release 5.5 (64-bit), WebLogic 10.2, WebLogic JVM options: -server -Xms2048M -Xmx2048M -XX:MaxPermSize=512M.
[0050] The database server is Oracle 10g.
[0051] Plug-in disabled: business execution time for 80 concurrent users is 13.565 seconds.
[0052] Plug-in enabled: business execution time for 80 concurrent users is 14.148 seconds.
[0053] The average time per user increases by 0.0072 seconds, which is essentially negligible.
[0054] From the perspective of technical implementation, the request-processing class and the SQL-processing class must have interception code added dynamically while they are loaded in order to act as the user probe and SQL probe. This increases class loading time, but given the loading performance of the Java virtual machine and the execution performance of the server CPU, the extra loading time is essentially negligible; and once loaded, the code stays in memory and does not need to be loaded again. At run time the user probe and SQL probe execute a small amount of code, which also adds slightly to the total execution time; writing the operation log adds a little more, and logging can be enabled according to the actual situation. Judging from the actual operating results, after the plug-in is added the various indicators of the Web middleware server are essentially the same as before, with no obvious change.
[0055] It should also be noted that in this embodiment the association plug-in is packaged as an independent jar file, which must be placed on the middleware's CLASSPATH; the middleware startup script must be modified to load the plug-in via -javaagent or -Xrun.
[0056] To ease troubleshooting during the deployment phase, two copies of the middleware startup script should be kept: the original script without the plug-in, and a copy of it with the parameters that load the plug-in. Once any problems have been identified and resolved, the user can choose to start either with or without the plug-in.

Example Embodiment

[0057] Example 2
[0058] This embodiment provides a precise data association method based on the J2EE platform, which can be realized by the association plug-in in the first embodiment above. The method includes the following operations:
[0059] When the WEB application server receives a service request triggered by a logged-in user, the associated plug-in acquires and stores the associated information of the service request, which includes the user information and service information corresponding to the service request;
[0060] When the WEB application server requests data from the database according to the business request, the association plug-in associates the stored association information of the business request with the SQL statement in the form of comments, and then sends the SQL statement carrying the association information in the form of a database protocol packet to the switch.
[0061] In this way, the switch sends the database protocol packet through the bypass mirror port to the database audit server for auditing and at the same time forwards it to the database server. After receiving the database protocol packet, the database server executes the SQL statement and returns the execution result to the WEB application server.
[0062] Specifically, the above-mentioned association plug-in can add an interception code using java bytecode to the request processing class of the WEB middleware of the WEB application server to obtain the association information of the http request.
[0063] The association plug-in can also add interception code, using Java bytecode, to the SQL-processing class of the WEB application on the WEB application server, so as to associate the association information with the SQL statement as a comment containing the characteristic string.
[0064] Preferably, after the WEB application server processes the execution result returned by the database server and generates the response data of the service request, the association plug-in can delete the stored association information of the service request.
[0065] The database audit server involved in the above method audits the database protocol packets as follows: it extracts the association information of the business request and the database event information from the database protocol packet, and performs an association operation that joins the user information and business information in the association information with the database event information, where the database event information includes at least the SQL statement.
[0066] In addition, the user information involved in this embodiment includes at least a source Internet Protocol (IP) and a user name. The service information includes at least a service uniform resource locator (URL).
[0067] For the specific implementation process of the above method, please refer to the corresponding content of the above Embodiment 1, which will not be repeated here.
[0068] As can be seen from the above embodiments, the technical solution of the present application realises accurate business auditing based on the J2EE platform, mainly by associating three kinds of information: the user at the browser end, the business event triggered by that user, and the SQL event triggered by the business event, achieving 100% exact correlation. The associated data mainly includes: login user name, login user IP, URL, business event trigger time, SQL statement, table name, field name, SQL response time, number of returned rows, command, database name, Web server IP, database server IP, resource account, etc. Moreover, the technical solution of the present application causes essentially no performance degradation on the database audit server.
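The audit-server side of the scheme from paragraphs [0061] and [0065], as an added example that is not the product's own code: it parses the correlation comment out of mirrored database-protocol payloads, builds one audit event per statement (with or without the feature string) and answers the trace-to-source query the page describes. The `/*DRELATE ...*/` comment layout, the table-name extraction and the sample packets are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed layout of the correlation comment (assumption: the page fixes
# neither the marker nor the separators).
COMMENT_RE = re.compile(r"^\s*/\*DRELATE ([^*]*)\*/\s*")
TABLE_RE = re.compile(r"\b(?:FROM|INTO|UPDATE|JOIN)\s+([A-Za-z_][\w.]*)", re.I)

@dataclass
class AuditEvent:
    web_ip: str            # packet source: the WEB application server
    db_ip: str             # packet destination: the database server
    sql: str               # statement with the correlation comment stripped
    tables: List[str]
    user: Optional[str] = None
    user_ip: Optional[str] = None
    url: Optional[str] = None

    @property
    def correlated(self) -> bool:
        return self.user is not None

def parse_packet(src_ip: str, dst_ip: str, payload: str) -> AuditEvent:
    """Build one audit event from a mirrored database-protocol payload.
    Statements without the feature string are still logged, only without
    user and business fields, so auditing never depends on the plug-in."""
    fields = {}
    match = COMMENT_RE.match(payload)
    if match:
        for item in match.group(1).split(";"):
            key, _, value = item.partition("=")  # URLs may contain '=' themselves
            if key:
                fields[key] = value
        payload = payload[match.end():]
    return AuditEvent(
        web_ip=src_ip, db_ip=dst_ip, sql=payload,
        tables=sorted({t.lower() for t in TABLE_RE.findall(payload)}),
        user=fields.get("user"), user_ip=fields.get("ip"), url=fields.get("url"))

def events_for_user(events: List[AuditEvent], user: str) -> List[AuditEvent]:
    """Trace-to-source query: every SQL event a given login user triggered."""
    return [e for e in events if e.user == user]

# Constructed sample of mirrored traffic (source IP, destination IP, payload).
SAMPLE_PACKETS = [
    ("10.1.1.10", "10.1.2.20", "/*DRELATE ip=192.0.2.7;user=alice;url=/order/submit*/ INSERT INTO orders (id, total) VALUES (1, 99)"),
    ("10.1.1.10", "10.1.2.20", "/*DRELATE ip=192.0.2.9;user=bob;url=/report?y=2014*/ SELECT * FROM orders o JOIN customers c ON o.cid = c.id"),
    ("10.1.1.11", "10.1.2.20", "SELECT count(*) FROM sessions"),  # server without the plug-in
]

def audit_log() -> List[AuditEvent]:
    return [parse_packet(*packet) for packet in SAMPLE_PACKETS]
```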
