Safety control system, method and device and storage medium

A security control and security access technology, applied to computer security devices, instruments, electrical digital data processing, etc. It addresses the problems that a database's own security policy does not fully meet the requirements of the production environment, is not secure enough, and provides no data access security control method, and it achieves the effect of making language analysis more convenient and access more secure.

Pending Publication Date: 2021-01-05
中移信息技术有限公司

AI-Extracted Technical Summary

Problems solved by technology

In addition to the security policy of the remote database itself, Zeppelin does not provide more data access security control methods
However, the security policy of the database itself is often relatively single. For example, it can only limit whe...

Method used

In addition, because the language parsers corresponding to the different classes of database use a unified parsing call interface, the database operation statements of whichever database class the user inputs can be parsed, which makes multi-class database language parsing more convenient and faster.
The security control system provided by the embodiment of the present invention comprises: a rule database for storing the set security access rules; a database language parser for parsing the database operation statement input by the user to obtain an operation unit list; and a security controller for extracting the security access rules from the rule database, matching the operation unit list parsed by the database language parser against the security access rules to obtain a matching result, and performing access security control of the database based on the matching result. The language parsers corresponding to different types of databases use a unified parsing call interface, and the parsing call interface is used to match the security access rules. In this way, through the s...

Abstract

The invention discloses a safety control system, method and device and a storage medium, and the system comprises: a rule database which is used for storing set safety access rules; a database language parser which is used for analyzing a database operation statement input by a user based on a database category selected when the user accesses the database to obtain an operation unit list; a security controller which is used for extracting security access rules in the rule database, matching the operation unit list analyzed by the database language analyzer with the security access rule to obtain a matching result; and performing access security control of the database based on the matching result, wherein the language parsers corresponding to different types of databases use a unified analyzing calling interface, and the analyzing calling interface is used for matching a security access rule. Thus, security control can be performed on access of the multi-category database through the security controller, and besides, analysis of different database operation statements can be realized for the database categories input by the user.

Application Domain

Digital data protection




Example Embodiment

[0048]In order to understand the characteristics and technical content of the embodiments of the present invention in more detail, the implementation of the embodiments of the present invention will be described in detail below with reference to the accompanying drawings. The accompanying drawings are for reference and explanation purposes only, and are not used to limit the present invention.
[0049]Figure 1 is a schematic structural diagram of a safety control system provided by an embodiment of the present invention. As shown in Figure 1, the safety control system includes a rule database 101, a database language parser 102, and a safety controller 103.
[0050]Specifically, the rule database 101 is used to store set security access rules.
[0051]Here, the administrator can define security access rules according to actual needs and store the defined rules in the rule database. Security access rules are added as an outer layer around the database according to the requirements of the actual environment and are not restricted by the database itself. For example, the naming of tables and columns in the database or the number of data rows that may be inserted can be limited, so as to achieve finer-grained control that better fits the actual production environment.
[0052]In an example, the security access rules defined by the administrator can be:
[0053]1) When creating a table, the field name cannot be less than 3 characters.
[0054]2) The user cannot access the ID3 field in the table X3 in the database DM4.
[0055]At the same time, when there are a large number of databases in the actual production environment, the security access rules can be defined once and applied to all of these databases, eliminating the cumbersome repetition of definitions for each database and achieving the effect of defining once and applying everywhere.
[0056]In addition, security access rules are modifiable. The rule database can be located at the periphery of the security controller; the two are not coupled together. When the rule database is no longer needed or a security access rule needs to be updated, only the rule database needs to be deleted or updated, instead of operating on each actual database.
[0057]The database language parser 102 is configured to parse the database operation sentence input by the user based on the database category selected when the user accesses the database to obtain a list of operation units.
[0058]The operation process of the database language parser is mainly described below. As shown in Figure 2, it includes the following steps (also refer to Figure 3 for the specific operation process of the database language parser):
[0059]Step 201: For different types of databases, corresponding lexical files and grammar files of specific formats are respectively set.
[0060]In the actual production environment, multiple types of databases will be involved, and the types of databases actually used can be listed, such as GBase, Oracle, Mysql, Hive, etc.
[0061]For each type of database, set corresponding lexical files and grammar files in a specific format. Here, the official grammar file can be queried separately for each category of database; a lexical file in a specific format is set, which includes at least the operation information in the official grammar file; and a grammar file in a specific format is set based on the lexical file, which includes at least the grammar information in the official grammar file.
[0062]In an example, take the database GBase: query the official grammar file of GBase, and use it to ensure that the database operation statements entered by the user and the lexical rules are correct and complete. Create a new GBaseLexer.g4 lexical file, review the operation information in the official GBase grammar file, such as reserved words and operators, and add it to the lexical file in a form that conforms to the ANTLR4 format. Using regular grammar, list the separators and the comment syntax of GBase.
[0063]Based on the defined lexical file, a complete grammar file in the specific format is defined. Still taking GBase as an example, create a new GBaseParser.g4 grammar file, review the grammar information in the official GBase grammar file, and add it to the grammar file in a form that conforms to the ANTLR4 format.
[0064]By setting up lexical files and grammar files for multiple types of databases, the database language parser can correctly parse all supported grammars of each database, so that all of the user's database operations can be correctly identified. In addition, according to the databases used in the actual production environment, database categories can be added to the database language parser independently, realizing the scalability of the security-controlled databases. This scalability makes the security control system applicable to a variety of different actual production environments.
[0065]Step 202: Based on the lexical file and the grammar file, a specific language analysis strategy corresponding to each category database is generated.
[0066]Specifically, ANTLR4 can be used to analyze lexical files and grammar files to generate lexical and grammatical analysis classes.
[0067]Here, ANTLR4 is an open source tool that will automatically compile the pre-defined g4 files to generate the corresponding language analysis strategy.
[0068]The parsing strategy can be understood as a piece of source code. For example, if the program is written in Java, ANTLR4 will compile the g4 file and generate the corresponding Java code files. The compilation process only needs a single command; refer to the following:
[0069]$ antlr4 Hello.g4  # use the previously defined antlr4 command to generate the parser and the lexer
[0071]The HelloLexer.java and HelloParser.java in the above code are automatically generated parsing strategies. Put these two parsing strategies into the code to run, and then the database operation statement can be parsed.
[0072]Step 203: Analyze database operation sentences based on a specific language analysis strategy to obtain a list of operation units.
[0073]Specifically, the database operation sentence can be converted into a tree structure; the tree structure can be parsed to obtain the operation type and operation object. Here, the tree structure can be a syntax tree. The process of parsing the syntax tree is as follows, still taking the database GBase as an example:
[0074]a. Define the data structure of the operation unit, each operation unit can include at least: operation type, operation database name, operation table name, operation column name, operation column type, etc.
[0075]b. Use depth first to traverse the syntax tree from left to right.
[0076]c. Mark the current database as NULL.
[0077]d. Encounter a USE statement and record the current database name as the USE database name.
[0078]e. Use a stack to record the visited operation type nodes (createTable, insert, select, etc.). Each time an operation type node is passed, push its operation type onto the stack; when exiting the subtree whose root is this operation node, pop the operation type from the stack. The operation type at the top of the stack is the current operation type.
[0079]f. For each subtree with the operation type as the node, establish the table alias and table actual name mapping TABLE_ALIAS_MAP, and the column alias and column actual name mapping COL_ALIAS_MAP.
[0080]g. A GBase sub-query statement uses a table alias in place of the sub-query result; record this table alias in TABLE_ALIAS_MAP with the alias as key and NULL as value. Because this table and its columns have already been recorded inside the subquery, no duplicate records are produced in the outer query.
[0081]h. When exiting each operation subtree, record the operation units encountered in this subtree and compare them with TABLE_ALIAS_MAP and COL_ALIAS_MAP, looking up the table name in TABLE_ALIAS_MAP and the column name in COL_ALIAS_MAP:
[0082]If there is a corresponding record in the MAP, and the value is not NULL, replace the table name or column name with the actual name of the value in the MAP.
[0083]If there is a corresponding record in the MAP and the value is NULL, this operation is not recorded.
[0084]If there is no corresponding record in the MAP, the table name or column name is not an alias.
[0085]i. Traverse the complete tree to get a list of operation units.
[0086]It should be noted that language parsers corresponding to different types of databases use a unified parsing call interface, that is, users only need to select the database type to analyze different database operation statements. The parsing call interface is used to match security access rules, so that when matching security rules, there is no need to pay attention to the implementation details of a specific database.
[0087]In an example, the user dev1094 enters the following SQL operation statements:
[0088]CREATE TABLE T7 (A INT, B DECIMAL);
[0089]INSERT INTO T7 VALUES (1, 2);
[0090]CREATE TABLE T8 SELECT * FROM T9;
[0091]USE `DM4`;
[0092]SELECT COUNT(*) FROM X1 WHERE EXISTS
(
[0093]SELECT 1 FROM X2 WHERE X2.ID2 = X1.ID2
[0094]AND EXISTS
(
[0095]SELECT 1 FROM X3 WHERE X3.ID3 = X1.ID3
)
);
[0096]The database language parser analyzes the above-mentioned user's operation statements to obtain the following list of operation units in Table 1:
[0099]Table 1 GBase syntax analysis results
[0100]The security controller 103 is used for extracting security access rules in the rule database; matching the operating unit list parsed by the database language parser with the security access rules to obtain a matching result; and performing database access security control based on the matching result.
[0101]The security controller 103 is also used for querying the current database name when it determines, based on the operating unit list, that there is an anonymous database access, and replacing the anonymous database with the current database name to obtain an updated operating unit list; the updated operating unit list is then used for matching with the security access rules.
[0102]The security controller 103 is also configured to execute the user's database access request when the matching result is that the operating unit list meets the security access rules, and, when the matching result is that the operating unit list does not meet the security access rules, to reject the user's database access request and return a security check error prompt to the user.
[0103]In an example, extract the security access rules in the rule database:
[0104]1) When creating a table, the field name cannot be less than 3 characters.
[0105]2) The user cannot access the ID3 field in the table X3 in the database DM4.
[0106]Query the operating unit list in Table 1 and confirm that there is anonymous database access: rows 1-5 of Table 1 have an anonymous database, and querying the current database gives its name as DM2. Replace the anonymous database with the current database name DM2 and update the operating unit list of Table 1 to obtain the updated operating unit list shown in Table 2.
[0109]Table 2 Results after updating the anonymous database
[0110]Match the updated operating unit list in Table 2 against the above security access rules to obtain the matching result. The matching result shows that the operating unit in row 1 does not meet the security access rules (when creating a table, the field name cannot be less than 3 characters) and that the operating unit in row 8 does not meet the security access rules (the user cannot access the ID3 field in table X3 in database DM4), so the user's database access request is rejected and a security detection error prompt is returned to the user. Understandably, if the matching result indicates that the operating unit list complies with the security access rules, the user's database access request is executed.
[0111]The security control system provided by the embodiment of the present invention includes: a rule database for storing the set security access rules; a database language parser for parsing the database operation statement input by the user, based on the database category selected when the user accesses the database, to obtain the operating unit list; and a security controller for extracting the security access rules from the rule database, matching the operating unit list parsed by the database language parser against the security access rules to obtain a matching result, and performing database access security control based on the matching result. The language parsers corresponding to different types of databases use a unified parsing call interface, which is used to match security access rules. In this way, access to multi-category databases can be securely controlled by the security controller, and a layer of access protection is constructed in addition to the database's own security policy, making database access more secure.
[0112]In addition, because the language parsers corresponding to different types of databases use a unified parsing call interface, different database operation statements can be parsed for whichever database type the user inputs, which makes multi-category database language analysis more convenient and faster.
[0113]As shown in Figure 4, the implementation process of the security control method in the embodiment of the present invention includes the following steps:
[0114]Step 401: Store the set security access rules.
[0115]Here, the administrator can define security access rules according to actual needs and store the defined rules in the rule database. Security access rules are added as an outer layer around the database according to the requirements of the actual environment and are not restricted by the database itself. For example, the naming of tables and columns in the database or the number of data rows that may be inserted can be limited, so as to achieve finer-grained control that better fits the actual production environment.
[0116]In an example, the security access rules defined by the administrator can be:
[0117]1) When creating a table, the field name cannot be less than 3 characters.
[0118]2) The user cannot access the ID3 field in the table X3 in the database DM4.
[0119]At the same time, when there are a large number of databases in the actual production environment, the security access rules can be defined once and applied to all of these databases, eliminating the cumbersome repetition of definitions for each database and achieving the effect of defining once and applying everywhere.
[0120]In addition, security access rules are modifiable. The rule database can be located at the periphery of the security controller; the two are not coupled together. When the rule database is no longer needed or a security access rule needs to be updated, only the rule database needs to be deleted or updated, instead of operating on each actual database.
[0121]Step 402: Based on the database category selected when the user accesses the database, analyze the database operation sentence input by the user to obtain a list of operation units.
[0122]In some embodiments, parsing the database operation sentence input by the user, based on the database category selected when the user accesses the database, to obtain a list of operation units may include: setting corresponding lexical files and grammar files in specific formats for different types of databases; generating, based on the lexical files and grammar files, a specific language analysis strategy corresponding to each category of database; and analyzing the database operation sentences based on the specific language analysis strategy to obtain the list of operation units.
[0123]Setting corresponding lexical files and grammar files in specific formats for different types of databases may include: querying the official grammar file of each category of database; setting a lexical file in a specific format, which includes at least the operation information in the official grammar file; and setting a grammar file in a specific format based on the lexical file, which includes at least the grammar information in the official grammar file.
[0124]Parsing database operation sentences based on a specific language parsing strategy to obtain a list of operation units may include: converting the database operation sentences into a tree structure; analyzing the tree structure to obtain the operation type and the operation object.
[0125]In the actual production environment, multiple types of databases are involved, and the types of databases actually used can be listed, such as GBase, Oracle, Mysql, Hive, etc.
[0126]In an example, take the database GBase: query the official grammar file of GBase, and use it to ensure that the database operation statements entered by the user and the lexical rules are correct and complete. Create a new GBaseLexer.g4 lexical file, review the operation information in the official GBase grammar file, such as reserved words and operators, and add it to the lexical file in a form that conforms to the ANTLR4 format. Using regular grammar, list the separators and the comment syntax of GBase.
[0127]Based on the defined lexical file, a complete grammar file in the specific format is defined. Still taking GBase as an example, create a new GBaseParser.g4 grammar file, review the grammar information in the official GBase grammar file, and add it to the grammar file in a form that conforms to the ANTLR4 format.
[0128]Specifically, ANTLR4 can be used to analyze lexical files and grammar files to generate lexical and grammatical analysis classes.
[0129]Here, ANTLR4 is an open source tool that will automatically compile the pre-defined g4 files to generate the corresponding language analysis strategy.
[0130]The parsing strategy can be understood as a piece of source code. For example, if the program is written in Java, ANTLR4 will compile the g4 file and generate the corresponding Java code files. The compilation process only needs a single command; refer to the following:
[0131]$ antlr4 Hello.g4  # use the previously defined antlr4 command to generate the parser and the lexer
[0133]The HelloLexer.java and HelloParser.java in the above code are automatically generated parsing strategies. Put these two parsing strategies into the code to run, and then the database operation statement can be parsed.
[0134]Here, the tree structure can be a syntax tree. The process of parsing the syntax tree is as follows, still taking the database GBase as an example:
[0135]a. Define the data structure of the operation unit, each operation unit can include at least: operation type, operation database name, operation table name, operation column name, operation column type, etc.
[0136]b. Use depth first to traverse the syntax tree from left to right.
[0137]c. Mark the current database as NULL.
[0138]d. Encounter a USE statement and record the current database name as the USE database name.
[0139]e. Use a stack to record the visited operation type nodes (createTable, insert, select, etc.). Each time an operation type node is passed, push its operation type onto the stack; when exiting the subtree whose root is this operation node, pop the operation type from the stack. The operation type at the top of the stack is the current operation type.
[0140]f. For each subtree with the operation type as the node, establish the table alias and table actual name mapping TABLE_ALIAS_MAP, and the column alias and column actual name mapping COL_ALIAS_MAP.
[0141]g. A GBase sub-query statement uses a table alias in place of the sub-query result; record this table alias in TABLE_ALIAS_MAP with the alias as key and NULL as value. Because this table and its columns have already been recorded inside the subquery, no duplicate records are produced in the outer query.
[0142]h. When exiting each operation subtree, record the operation units encountered in this subtree and compare them with TABLE_ALIAS_MAP and COL_ALIAS_MAP, looking up the table name in TABLE_ALIAS_MAP and the column name in COL_ALIAS_MAP:
[0143]If there is a corresponding record in the MAP, and the value is not NULL, replace the table name or column name with the actual name of the value in the MAP.
[0144]If there is a corresponding record in the MAP and the value is NULL, this operation is not recorded.
[0145]If there is no corresponding record in the MAP, the table name or column name is not an alias.
[0146]i. Traverse the complete tree to get a list of operation units.
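Steps a-i above (and the identical list at [0074]-[0085]) as an added, runnable example; this is not the patent's code. The patent walks an ANTLR4 parse tree generated from GBase grammar files that are not reproduced on the page, so the tree here is hand-built from a constructed `Node` type; it covers part of the sample script at [0087]-[0095] plus one extra aliased query (not in the patent) so that steps f-h have a table alias, a column alias and a sub-query alias to resolve.

```python
from dataclasses import dataclass, field, replace
from typing import Optional

OPERATION_TYPES = {"createTable", "insert", "select"}   # node kinds that open a subtree (step e)

@dataclass
class Node:                         # hand-built stand-in for an ANTLR4 parse-tree node (constructed)
    kind: str                       # use | createTable | insert | select | subquery | table | column
    name: Optional[str] = None      # database, table or column name; for a subquery: its alias
    alias: Optional[str] = None     # table or column alias, if any
    table: Optional[str] = None     # column nodes: the table (or table alias) the column belongs to
    col_type: Optional[str] = None  # columns declared in CREATE TABLE
    children: list = field(default_factory=list)

@dataclass(frozen=True)
class OperationUnit:                # step a
    op_type: str
    database: Optional[str]         # None = no USE seen yet (anonymous database)
    table: Optional[str]
    column: Optional[str] = None
    column_type: Optional[str] = None

def parse_tree(root: Node) -> list:
    """Steps b-i: depth-first, left-to-right walk returning the operation-unit list."""
    units = []
    state = {"db": None, "stack": []}            # step c: current database starts as NULL
    for statement in root.children:
        _walk(statement, units, state, None)
    return units

def _walk(node, units, state, scope):
    # scope = (TABLE_ALIAS_MAP, COL_ALIAS_MAP, local units) of the enclosing operation subtree
    if node.kind == "use":                                   # step d
        state["db"] = node.name
    elif node.kind in OPERATION_TYPES:                       # steps e and f
        state["stack"].append(node.kind)
        inner = ({}, {}, [])                                 # fresh alias maps for this subtree
        for child in node.children:
            _walk(child, units, state, inner)
        state["stack"].pop()
        units.extend(_resolve(*inner))                       # step h runs when the subtree exits
    elif node.kind == "subquery":                            # step g
        scope[0][node.name] = None                           # alias -> NULL in the outer map
        _walk(node.children[0], units, state, scope)         # the nested select is its own subtree
    else:
        table_map, col_map, local = scope
        op_type, db = state["stack"][-1], state["db"]        # top of stack = current operation
        if node.kind == "table":
            if node.alias:
                table_map[node.alias] = node.name
            local.append(OperationUnit(op_type, db, node.name))
        elif node.kind == "column":
            if node.alias:
                col_map[node.alias] = node.name
            local.append(OperationUnit(op_type, db, node.table, node.name, node.col_type))

def _resolve(table_map, col_map, local):
    """Step h: swap aliases for real names; drop units that only refer to a sub-query alias."""
    out = []
    for unit in local:
        table, column = unit.table, unit.column
        if table in table_map:
            if table_map[table] is None:                     # already recorded inside the subquery
                continue
            table = table_map[table]
        if column in col_map:
            if col_map[column] is None:
                continue
            column = col_map[column]
        out.append(replace(unit, table=table, column=column))
    return out

def T(name, alias=None):
    return Node("table", name=name, alias=alias)

def C(name, table=None, alias=None, col_type=None):
    return Node("column", name=name, table=table, alias=alias, col_type=col_type)

# Constructed tree: part of the patent's sample script plus one extra aliased query (not in the patent).
SAMPLE_TREE = Node("script", children=[
    # CREATE TABLE T7 (A INT, B DECIMAL);
    Node("createTable", children=[T("T7"), C("A", "T7", col_type="INT"), C("B", "T7", col_type="DECIMAL")]),
    # INSERT INTO T7 VALUES (1, 2);
    Node("insert", children=[T("T7")]),
    # USE `DM4`;
    Node("use", name="DM4"),
    # SELECT COUNT(*) FROM X1 WHERE EXISTS (SELECT 1 FROM X3 WHERE X3.ID3 = X1.ID3);
    Node("select", children=[T("X1"), Node("select", children=[T("X3"), C("ID3", "X3"), C("ID3", "X1")])]),
    # SELECT t.ID2 AS k, s.ID3 FROM X2 t, (SELECT ID3 FROM X3) s ORDER BY k;
    Node("select", children=[T("X2", alias="t"),
                             Node("subquery", name="s", children=[Node("select", children=[T("X3"), C("ID3", "X3")])]),
                             C("ID2", "t", alias="k"), C("ID3", "s"), C("k")]),
])

if __name__ == "__main__":
    for row, unit in enumerate(parse_tree(SAMPLE_TREE), start=1):
        print(row, unit)
```

Units are emitted when each operation subtree is exited, so a nested select's units precede those of the enclosing query; the `s.ID3` reference is dropped because `s` maps to NULL, while `t` and `k` are rewritten to X2 and ID2.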
[0147]Step 403: Extract the security access rules; match the operating unit list parsed by the database language parser with the security access rules to obtain a matching result; and perform database access security control based on the matching result. The language parsers corresponding to different types of databases use a unified parsing call interface, which is used to match the security access rules.
[0148]It should be noted that the language parsers corresponding to different types of databases use a unified parsing call interface, that is, users only need to select the database type to parse different database operation sentences. The parsing call interface is used to match security access rules, so that when matching security rules, there is no need to pay attention to the implementation details of a specific database.
[0149]In an example, extract the security access rules in the rule database:
[0150]1) When creating a table, the field name cannot be less than 3 characters.
[0151]2) The user cannot access the ID3 field in the table X3 in the database DM4.
[0152]Query the operating unit list in Table 1 and confirm that there is anonymous database access: rows 1-5 of Table 1 have an anonymous database, and querying the current database gives its name as DM2. Replace the anonymous database with the current database name DM2 and update the operating unit list of Table 1 to obtain the updated operating unit list shown in Table 2.
[0153]Match the updated operating unit list in Table 2 against the above security access rules to obtain the matching result. The matching result shows that the operating unit in row 1 does not meet the security access rules (when creating a table, the field name cannot be less than 3 characters) and that the operating unit in row 8 does not meet the security access rules (the user cannot access the ID3 field in table X3 in database DM4), so the user's database access request is rejected and a security detection error prompt is returned to the user. Understandably, if the matching result indicates that the operating unit list complies with the security access rules, the user's database access request is executed.
[0154]The security control method provided by the embodiment of the present invention stores the set security access rules; parses the database operation sentences input by the user, based on the database category selected when the user accesses the database, to obtain a list of operation units; extracts the security access rules; matches the operating unit list parsed by the database language parser with the security access rules to obtain a matching result; and performs database access security control based on the matching result. The language parsers corresponding to different types of databases use a unified parsing call interface, which is used to match the security access rules. In this way, access to multi-category databases can be securely controlled, and a layer of access protection is constructed in addition to the database's own security policy, making database access more secure.
[0155]In addition, because the language parsers corresponding to different types of databases use a unified parsing call interface, different database operation statements can be parsed for whichever database type the user inputs, which makes multi-category database language analysis more convenient and faster.
[0156]The specific implementation process of the security control method in the embodiment of the present invention will be described in further detail below.
[0157]Figure 5 gives a specific implementation flow diagram of the security control method of the embodiment of the present invention. As shown in Figure 5, it includes the following steps:
[0158]Step 501: Store the set security access rules.
[0159]Here, the administrator can define security access rules according to actual needs and store the defined rules in the rule database. Security access rules are added as an outer layer around the database according to the requirements of the actual environment and are not restricted by the database itself. For example, the naming of tables and columns in the database or the number of data rows that may be inserted can be limited, so as to achieve finer-grained control that better fits the actual production environment.
[0160]At the same time, when there are a large number of databases in the actual production environment, the security access rules can be defined once and applied to all of these databases, eliminating the cumbersome repetition of definitions for each database and achieving the effect of defining once and applying everywhere.
[0161]In addition, security access rules are modifiable. The rule database can be located at the periphery of the security controller; the two are not coupled together. When the rule database is no longer needed or a security access rule needs to be updated, only the rule database needs to be deleted or updated, instead of operating on each actual database.
[0162]Step 502: Detect the database category selected when the user accesses the database.
[0163]In the actual production environment, multiple types of databases are involved, such as GBase, Oracle, Mysql, Hive, etc.
[0164]Step 503: Detect the database operation sentence input by the user.
[0165]Step 504: Based on the database category selected when the user accesses the database, parse the database operation sentence input by the user to obtain a list of operation units.
[0166]In some embodiments, parsing the database operation sentence input by the user, based on the database category selected when the user accesses the database, to obtain a list of operation units may include: setting corresponding lexical files and grammar files in specific formats for different types of databases; generating, based on the lexical files and grammar files, a specific language analysis strategy corresponding to each category of database; and analyzing the database operation sentences based on the specific language analysis strategy to obtain the list of operation units.
[0167]Setting corresponding lexical files and grammar files in specific formats for different types of databases may include: querying the official grammar file of each category of database; setting a lexical file in a specific format, which includes at least the operation information in the official grammar file; and setting a grammar file in a specific format based on the lexical file, which includes at least the grammar information in the official grammar file.
[0168]Parsing database operation sentences based on a specific language parsing strategy to obtain a list of operation units may include: converting the database operation sentence into a tree structure; analyzing the tree structure to obtain the operation type and the operation object.
[0169]Step 505: Query whether there is anonymous database access in the operating unit list.
[0170]When there is anonymous database access in the operating unit list, step 506 is executed; when there is no anonymous database access in the operating unit list, step 507 is directly executed.
[0171]Step 506: Query the current database name, replace the anonymous database with the current database name, and obtain the updated operating unit list.
[0172]Step 507: Extract security access rules.
[0173]Step 508: Determine whether the operating unit list matches the security access rule.
[0174]When the operating unit list does not meet the security access rule, step 509 is executed; when the operating unit list meets the security access rule, step 510 is executed.
[0175]Step 509: Reject the user's database access request, and return a security detection error prompt to the user.
[0176]Step 510: Execute the user's database access request.
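As an added illustration of steps 504 to 510 (and of the split between the parsing module and the control module described below), the following Python sketch parses a statement into an operation unit list, resolves an anonymous database to the current database name, and matches the list against security access rules. It is not code from the patent or from Zeppelin; the regular-expression object patterns, the allow-list rule format and the sample rules are assumptions standing in for the grammar-file driven parser and the rule database the patent describes.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class OperationUnit:
    """One entry of the operation unit list: an operation type and its operation object."""
    op: str
    db: Optional[str]   # None = table named without a database (anonymous database access)
    table: str

# Hypothetical per-operation patterns locating the operation object; they stand in for
# the lexical/grammar-file driven parser of the patent, which the page does not show.
_OBJECT_PATTERNS = {
    "SELECT": r"\b(?:FROM|JOIN)\s+([\w.]+)",
    "INSERT": r"\bINTO\s+([\w.]+)",
    "UPDATE": r"^\s*UPDATE\s+([\w.]+)",
    "DELETE": r"\bFROM\s+([\w.]+)",
    "DROP":   r"\bTABLE\s+(?:IF\s+EXISTS\s+)?([\w.]+)",
}
# Constructed rule database (assumed allow-list format): each rule permits one
# operation type on one object; "*" as the table permits every table of that database.
SAMPLE_RULES = [
    {"op": "SELECT", "db": "sales", "table": "*"},
    {"op": "INSERT", "db": "sales", "table": "audit_log"},
]

def parse_statement(stmt: str) -> List[OperationUnit]:
    """Step 504: turn one database operation statement into an operation unit list."""
    op = stmt.split(None, 1)[0].upper() if stmt.strip() else ""
    pattern = _OBJECT_PATTERNS.get(op)
    if pattern is None:
        raise ValueError(f"unsupported operation type: {op!r}")
    units = []
    for ref in re.findall(pattern, stmt, flags=re.IGNORECASE):
        parts = ref.split(".")
        db, table = (parts[-2], parts[-1]) if len(parts) >= 2 else (None, parts[0])
        units.append(OperationUnit(op, db, table))
    return units

def resolve_anonymous(units: List[OperationUnit], current_db: str) -> List[OperationUnit]:
    """Steps 505-506: replace an anonymous database with the current database name."""
    return [OperationUnit(u.op, u.db or current_db, u.table) for u in units]

def matches_rules(units: List[OperationUnit], rules) -> bool:
    """Step 508: the list matches only if every unit is covered by at least one rule."""
    return all(any(r["op"] == u.op and r["db"] == u.db and r["table"] in ("*", u.table)
                   for r in rules) for u in units)

def security_control(stmt: str, current_db: str, rules=SAMPLE_RULES) -> Tuple[bool, str]:
    """Steps 504-510: returns (allowed, prompt). Unparseable statements are rejected."""
    try:
        units = resolve_anonymous(parse_statement(stmt), current_db)
    except ValueError as exc:
        return False, f"security detection error: {exc}"
    if not units or not matches_rules(units, rules):
        objects = ", ".join(f"{u.op} {u.db}.{u.table}" for u in units) or "no operation object"
        return False, f"security detection error: access rule not matched ({objects})"
    return True, "access request executed"
```

Rejecting statements the parser does not understand keeps the control fail-closed: a new operation type reaches the database only after a pattern and a rule exist for it.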
[0177]To implement the above method, an embodiment of the present invention provides a safety control device. As shown in Figure 6, the device includes a storage module 601, a parsing module 602, and a control module 603; among them,
[0178]The storage module 601 is used to store the set security access rules.
[0179]The parsing module 602 is used to analyze the database operation sentence input by the user based on the database category selected when the user accesses the database to obtain a list of operation units.
[0180]The parsing module 602 is specifically used to set corresponding lexical files and grammar files in specific formats for different types of databases; generate, based on the lexical files and grammar files, a specific language analysis strategy corresponding to each type of database; and parse the database operation statement based on the specific language analysis strategy to obtain a list of operation units.
[0181]The parsing module 602 is specifically configured to query the official grammar file for each category of database; set the lexical file in the specific format, the lexical file including at least the operation information in the official grammar file; and set the grammar file in the specific format based on the lexical file, the grammar file including at least the grammar information in the official grammar file.
[0182]The parsing module 602 is specifically used to convert the database operation sentence into a tree structure; to parse the tree structure to obtain the operation type and the operation object.
[0183]The control module 603 is configured to extract the security access rules; match the operation unit list parsed by the database language parser with the security access rules to obtain a matching result; and perform database access security control based on the matching result.
[0184]The control module 603 is further configured to query the current database name when it is determined, based on the operating unit list, that there is an anonymous database access, and to replace the anonymous database with the current database name to obtain an updated operating unit list; wherein the updated operating unit list is used to match the security access rule.
[0185]The control module 603 is further configured to execute the user's database access request when the matching result is that the operating unit list meets the security access rule, and to reject the user's database access request and return a security detection error prompt to the user when the matching result is that the operating unit list does not meet the security access rule.
[0186]In practical applications, the storage module 601, the parsing module 602, and the control module 603 can be implemented by a central processing unit (CPU, Central Processing Unit), a microprocessor (MPU, Micro Processor Unit), a digital signal processor (DSP, Digital Signal Processor), a field programmable gate array (FPGA, Field Programmable Gate Array), or the like.
[0187]It should be noted that when the security control device provided in the foregoing embodiment performs security control, only the division of the foregoing program modules is used as an example. In actual applications, the foregoing processing can be allocated by different program modules as needed. That is, the internal structure of the device is divided into different program modules to complete all or part of the processing described above. In addition, the security control device provided by the foregoing embodiment and the security control method embodiment belong to the same concept. For the specific implementation process, please refer to the method embodiment, which will not be repeated here.
[0188]In order to implement the above method, the embodiment of the present invention also provides another security control device. The device includes a memory, a processor, and an executable program stored in the memory and capable of being run by the processor. When the processor runs the executable program, it performs the following operations:
[0189]Store the set security access rules; parse the database operation sentence input by the user based on the database category selected when the user accesses the database to obtain a list of operation units; extract the security access rules; match the operation unit list parsed by the database language parser with the security access rules to obtain a matching result; and perform database access security control based on the matching result; wherein language parsers corresponding to different types of databases use a unified parsing call interface, and the parsing call interface is used to match the security access rules.
[0190]The processor is further configured to perform the following operations when running the executable program:
[0191]For different types of databases, set corresponding lexical files and grammar files in specific formats; based on the lexical files and grammar files, generate a specific language parsing strategy for each type of database; and parse the database operation sentence based on the specific language parsing strategy to obtain a list of operation units.
[0192]The processor is further configured to perform the following operations when running the executable program:
[0193]For each category of database, query the official grammar file separately; set the lexical file of the specific format, the lexical file including at least the operation information in the official grammar file; and set the grammar file of the specific format based on the lexical file, the grammar file including at least the grammar information in the official grammar file.
[0194]The processor is further configured to perform the following operations when running the executable program:
[0195]The database operation sentence is converted into a tree structure; the tree structure is parsed to obtain the operation type and the operation object.
[0196]The processor is further configured to perform the following operations when running the executable program:
[0197]When it is determined that there is an anonymous database access based on the operating unit list, query the current database name;
[0198]Replace the anonymous database with the current database name to obtain an updated operating unit list; wherein, the updated operating unit list is used to match the security access rule.
[0199]The processor is further configured to perform the following operations when running the executable program:
[0200]When the matching result is that the operating unit list meets the security access rule, execute the user's database access request; when the matching result is that the operating unit list does not meet the security access rule, reject the user's database access request and return a security detection error prompt to the user.
[0201]In the following, the hardware structure of the safety control device is further described by taking the implementation of the safety control device as a server for safety control as an example.
[0202]Figure 7 is a schematic diagram of the hardware structure of the safety control device of the embodiment of the present invention. The security control device 700 illustrated in Figure 7 includes: at least one processor 701, a memory 702, a user interface 703, and at least one network interface 704. The various components in the safety control device 700 are coupled together through a bus system 705. It can be understood that the bus system 705 is used to implement connection and communication between these components. In addition to the data bus, the bus system 705 also includes a power bus, a control bus, and a status signal bus. For the sake of clarity, however, the various buses are all marked as the bus system 705 in Figure 7.
[0203]Wherein, the user interface 703 may include a display, a keyboard, a mouse, a trackball, a click wheel, keys, buttons, a touch panel, or a touch screen, etc.
[0204]It can be understood that the memory 702 may be a volatile memory or a non-volatile memory, and may also include both volatile and non-volatile memory.
[0205]The memory 702 in the embodiment of the present invention is used to store various types of data to support the operation of the security control device 700. Examples of these data include: any computer program used to operate on the safety control device 700, such as the executable program 7021, and the program for implementing the method of the embodiment of the present invention may be included in the executable program 7021.
[0206]The method disclosed in the foregoing embodiment of the present invention may be applied to the processor 701 or implemented by the processor 701. The processor 701 may be an integrated circuit chip with signal processing capabilities. In the implementation process, the steps of the foregoing method can be completed by an integrated logic circuit of hardware in the processor 701 or instructions in the form of software. The aforementioned processor 701 may be a general-purpose processor, a DSP, or other programmable logic devices, discrete gates or transistor logic devices, discrete hardware components, and the like. The processor 701 may implement or execute various methods, steps, and logical block diagrams disclosed in the embodiments of the present invention. The general-purpose processor may be a microprocessor or any conventional processor. The steps of the method disclosed in the embodiments of the present invention may be directly embodied as being executed and completed by a hardware decoding processor, or executed and completed by a combination of hardware and software modules in the decoding processor. The software module may be located in a storage medium, and the storage medium is located in the memory 702. The processor 701 reads the information in the memory 702 and completes the steps of the foregoing method in combination with its hardware.
[0207]In an exemplary embodiment, the embodiment of the present invention also provides a storage medium on which an executable program is stored, and the executable program is executed by the processor 701 of the safety control device 700 to execute the above safety control method.
[0208]The security control system, method, device, and storage medium provided by the embodiments of the present invention include: a rule database for storing the set security access rules; a database language parser for parsing the database operation sentence input by the user, based on the database category selected when the user accesses the database, to obtain an operation unit list; and a security controller for extracting the security access rules from the rule database, matching the operation unit list parsed by the database language parser with the security access rules to obtain a matching result, and performing database access security control based on the matching result; among them, the language parsers corresponding to different types of databases use a unified parsing call interface, and the parsing call interface is used to match the security access rules. In this way, access to multi-category databases can be securely controlled by the security controller, and a layer of access protection is constructed in addition to the database's own security policy, making database access more secure.
[0209]In addition, because the language parsers corresponding to different types of databases use a unified parsing call interface, different database operation sentences can be parsed for the database category input by the user, which makes multi-category database language analysis more convenient and faster.
[0210]Those skilled in the art should understand that the embodiments of the present invention can be provided as methods, systems, or executable program products. Therefore, the present invention may adopt the form of a hardware embodiment, a software embodiment, or an embodiment combining software and hardware. Moreover, the present invention may be in the form of executable program products implemented on one or more computer-usable storage media (including but not limited to disk storage, optical storage, etc.) containing computer-usable program codes.
[0211]The present invention is described with reference to flowcharts and/or block diagrams of methods, devices (systems), and executable program products according to embodiments of the present invention. It should be understood that each process and/or block in the flowchart and/or block diagram, and the combination of processes and/or blocks in the flowchart and/or block diagram, can be implemented by executable program instructions. These executable program instructions can be provided to a general-purpose computer, a special-purpose computer, an embedded processor, or the processor of another programmable data processing device to generate a machine, so that the instructions executed by the computer or the processor of the other programmable data processing device generate a device for implementing the functions specified in one or more processes of the flowchart and/or one or more blocks of the block diagram.
[0212]These executable program instructions can also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to work in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, and the instruction device implements the functions specified in one or more processes of the flowchart and/or one or more blocks of the block diagram.
[0213]These executable program instructions can also be loaded onto a computer or other programmable data processing device, so that a series of operation steps are executed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more processes of the flowchart and/or one or more blocks of the block diagram.
[0214]The above are only preferred embodiments of the present invention and are not intended to limit the scope of protection of the present invention. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present invention shall be included within the protection scope of the present invention.
