A method and system for secure access to a database
By generating terminal identity identifiers and analyzing communication environment risks, dynamically monitoring the credibility coefficient, and generating multi-dimensional risk scenario information, the problem of insufficient comprehensive perception of terminal device characteristics in existing technologies is solved, and the security protection capabilities of the database are improved.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- GUANGDONG ZHONGLIN INFORMATION TECHNOLOGY CO LTD
- Filing Date
- 2025-12-16
- Publication Date
- 2026-06-26
AI Technical Summary
Existing database access control methods lack comprehensive perception of the multi-dimensional characteristics of terminal devices and real-time environmental analysis, making it difficult to distinguish between legitimate and abnormal terminals, unable to dynamically assess the true risk of access requests, and unable to effectively cope with complex and ever-changing network threats.
By acquiring the underlying network protocol stack characteristics, hardware information, and virtual context information of terminal devices, terminal identity identifiers are generated. Security risks in the communication environment are analyzed, the trust coefficient is continuously monitored, and maintenance task information and sandbox network traffic information are acquired when the real-time trust coefficient decreases, generating multi-dimensional risk scenario information to adjust access control policies.
It enables dynamic, multi-dimensional risk perception and policy adjustment for terminal devices, proactively adapts to complex and ever-changing network threats, accurately identifies abnormal behavior, and significantly improves the security protection capabilities of the database.
Smart Images

Figure CN121682869B_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of data security technology, and in particular to a secure access method and system for databases. Background Technology
[0002] In today's era of rapid information technology development, databases, as the key to carrying and managing core data, are directly related to the security of personal privacy, trade secrets, and even national security. Existing database access control methods mostly rely on relatively fixed authentication methods such as account passwords and IP address filtering. However, these methods are inadequate in the face of increasingly complex and ever-changing network threats, such as the theft of legitimate login credentials, the spoofing of terminal devices, unauthorized operations by internal personnel, and attacks through insecure network channels. Therefore, accurately identifying the terminal devices accessing the database and conducting real-time, flexible assessments of their trustworthiness to establish a proactive and adaptable protection system has become a crucial issue that urgently needs to be addressed to ensure the security of data assets.
[0003] Meanwhile, existing database access control methods often only perform isolated verification of user identity or network layer information, lacking a comprehensive understanding of the multi-dimensional characteristics of the terminal device itself, and failing to fully integrate the security status analysis of the terminal's real-time communication environment. This makes it difficult for the system to effectively distinguish between legitimate and abnormal terminals, and unable to dynamically assess the true risk of access requests. For example, a terminal device that passes verification solely with an account and password may have been maliciously controlled, or may be transmitting data through an insecure network link, thus creating a risk of data leakage or tampering. Therefore, current technology struggles to achieve refined access control based on the overall picture of the terminal device and environmental risks. Summary of the Invention
[0004] The purpose of this invention is to overcome the shortcomings of the prior art. This invention provides a secure access method and system for databases that can proactively adapt to complex and ever-changing network threats, accurately identify and respond to abnormal behaviors, thereby significantly improving the security protection capabilities of databases and effectively safeguarding the security of data assets.
[0005] To address the aforementioned technical problems, this invention provides a secure database access method, the method comprising:
[0006] When a terminal device initiates a connection request to the database, it obtains the underlying network protocol stack characteristics, hardware information, software information, and virtual context information of the terminal device, and generates a terminal identity identifier based on the underlying network protocol stack characteristics, hardware information, software information, and virtual context information.
[0007] Analyze the communication environment security risks of terminal devices, determine the current trust coefficient of terminal devices based on the communication environment security risks and terminal identity identifiers, and determine the access control policy of terminal devices to databases based on the current trust coefficients;
[0008] During the process of the terminal device accessing the database according to the access control policy, the real-time reliability coefficient of the terminal device is continuously monitored and compared with the preset reliability threshold.
[0009] When the real-time reliability coefficient is detected to decrease to a preset reliability threshold, maintenance task information, resource fluctuation information, sandbox network traffic information and scenario event sequence of the terminal device are obtained, and a first risk scenario information is determined based on the maintenance task information and sandbox network traffic information, and a second risk scenario information is determined based on the maintenance task information, resource fluctuation information and sandbox network traffic information.
[0010] The third risk scenario information is determined based on the scenario event sequence, and the target risk scenario information is generated based on the first risk scenario information, the second risk scenario information, and the third risk scenario information.
[0011] The access control policy is adjusted based on the target risk scenario information.
[0012] Optionally, generating a terminal identity identifier based on the underlying network protocol stack features, hardware information, software information, and virtual context information includes:
[0013] A digital signature is generated based on the underlying network protocol stack characteristics, hardware information, software information, and virtual context information.
[0014] The digital signature is validated to obtain a validation result, and a terminal identity identifier is generated based on the validation result using a hash function.
[0015] Optionally, the analysis of communication environment security risks of the terminal device includes:
[0016] Analyze the encryption strength of the terminal device during secure communication connection negotiation to obtain the target encryption strength;
[0017] Perform geographic location deviation analysis on terminal devices to obtain geographic location deviation information;
[0018] Analyze the network hop count of the terminal device, and determine the communication environment security risks of the terminal device based on the target encryption strength, geographical location deviation information, and network hop count.
[0019] Optionally, determining the first risk scenario information based on the maintenance task information and sandbox network traffic information includes:
[0020] The maintenance task information is validated for legality, and the validity validation result is obtained.
[0021] The sandbox network traffic information is analyzed for patterns to obtain traffic pattern information, and abnormal traffic information is determined based on the traffic pattern information using a preset traffic baseline.
[0022] Based on the legality verification results and abnormal traffic information, conflicting information is determined, and the conflicting information is weighted according to preset conflict resolution rules to obtain weighted conflicting information.
[0023] The first risk scenario information is generated based on the weighted contradictory information combined with the continuous data of the decrease in the real-time reliability coefficient of the terminal device.
[0024] Optionally, determining the second risk scenario information based on the maintenance task information, resource fluctuation information, and sandbox network traffic information includes:
[0025] The resource fluctuation information is digitally signed to obtain the digital signature verification result;
[0026] The integrity of the sandbox network traffic information is verified based on preset legitimate test traffic information to obtain the integrity verification result.
[0027] Based on the digital signature verification results and integrity verification results, information on the report source credibility degradation is determined;
[0028] Based on the maintenance task information and the report source credibility degradation information, combined with the continuous data on the decrease in the real-time credibility coefficient of the terminal device, a second risk scenario information is generated.
[0029] Optionally, determining the third risk scenario information based on the scenario event sequence includes:
[0030] Pattern bias analysis is performed on the scenario event sequence based on a preset time window to obtain pattern bias data;
[0031] Anomaly intensity quantization is performed based on the aforementioned mode deviation data to obtain anomaly intensity quantization data.
[0032] Based on the abnormal intensity quantification data, scenario context manipulation attack analysis is performed to obtain scenario context manipulation attack information. Then, based on the scenario context manipulation attack information and the continuous decrease in the real-time credibility coefficient of the terminal device, a third risk scenario information is generated.
[0033] Optionally, the step of performing pattern bias analysis on the scenario event sequence based on a preset time window to obtain pattern bias data includes:
[0034] Based on a preset time window, the scenario event sequence is subjected to deviation feature extraction using a preset normal scenario mode to obtain deviation feature information.
[0035] The similarity between the deviation feature information and the predefined attack mode features is analyzed, and fluctuation mode difference analysis is performed based on the similarity to obtain fluctuation mode difference data.
[0036] Based on the fluctuation pattern difference data and the deviation feature information, pattern deviation analysis is performed to obtain pattern deviation data.
[0037] Optionally, the step of performing volatility pattern difference analysis based on the similarity to obtain volatility pattern difference data includes:
[0038] Select target feature information from the deviation feature information whose similarity does not reach the preset similarity threshold;
[0039] Behavioral composition analysis is performed on the target feature information to obtain atomic operation sequences, operation objects, and operation context.
[0040] Behavioral intent analysis is performed based on the atomic operation sequence, operation object, and operation context to obtain behavioral intent information;
[0041] Based on the behavioral intent information, behavioral evolution path analysis is performed to obtain behavioral evolution path information;
[0042] Based on the behavioral evolution path information, fluctuation pattern difference analysis is performed to obtain fluctuation pattern difference data.
[0043] Optionally, the step of performing behavior evolution path analysis based on the behavioral intent information to obtain behavior evolution path information includes:
[0044] Based on the behavioral intent information, the transmission path of the communication link is analyzed to obtain the transmission path information;
[0045] Based on the transmission path information, covert channel features are extracted to obtain covert channel feature information;
[0046] Based on the aforementioned behavioral intent information, covert channel traffic pattern analysis is performed to obtain covert channel traffic pattern information.
[0047] Based on the transmission path information, covert channel characteristic information, and covert channel traffic pattern information, behavior evolution path analysis is performed to obtain behavior evolution path information.
[0048] In addition, the present invention also provides a secure database access system, the system comprising:
[0049] Identity generation module: When a terminal device initiates a connection request to the database, it obtains the underlying network protocol stack characteristics, hardware information, software information and virtual context information of the terminal device, and generates a terminal identity based on the underlying network protocol stack characteristics, hardware information, software information and virtual context information;
[0050] Policy determination module: used to analyze the communication environment security risks of terminal devices, and determine the current trust coefficient of terminal devices based on the communication environment security risks and terminal identity identifiers, and determine the access control policy of terminal devices to databases based on the current trust coefficients;
[0051] Trustworthiness monitoring module: used to continuously monitor the real-time trustworthiness of the terminal device during the process of the terminal device accessing the database according to the access control policy, and compare the real-time trustworthiness with a preset trustworthiness threshold;
[0052] Risk scenario analysis module: When the real-time reliability coefficient is detected to decrease to a preset reliability threshold, it acquires the maintenance task information, resource fluctuation information, sandbox network traffic information and scenario event sequence of the terminal device, and determines the first risk scenario information based on the maintenance task information and sandbox network traffic information, and determines the second risk scenario information based on the maintenance task information, resource fluctuation information and sandbox network traffic information;
[0053] Target scenario determination module: used to determine third risk scenario information based on the scenario event sequence, and generate target risk scenario information based on the first risk scenario information, the second risk scenario information and the third risk scenario information;
[0054] Policy adjustment module: used to adjust access control policies based on the target risk scenario information.
[0055] In this embodiment of the invention, a terminal identity identifier is generated based on the underlying network protocol stack characteristics, hardware information, software information and virtual context information of the terminal device. The communication environment security risks of the terminal device are analyzed, and the current trust coefficient of the terminal device is determined based on the communication environment security risks and the terminal identity identifier. Based on the current trust coefficient, the access control policy of the terminal device to the database is determined, making the determination of the trust coefficient more comprehensive and objective, thereby enabling the formulation of more targeted access control policies. During the process of a terminal device accessing the database according to the access control policy, the real-time trust coefficient of the terminal device is continuously monitored. When the real-time trust coefficient drops to a preset trust threshold, maintenance task information, resource fluctuation information, sandbox network traffic information, and scenario event sequences of the terminal device are acquired. Based on the maintenance task information and sandbox network traffic information, a first risk scenario is determined; based on the maintenance task information, resource fluctuation information, and sandbox network traffic information, a second risk scenario is determined; based on the scenario event sequences, a third risk scenario is determined; and a target risk scenario is generated based on the first, second, and third risk scenario information. The access control policy is adjusted based on the target risk scenario information. Through this dynamic and multi-dimensional risk perception and policy adjustment mechanism, the problem of insufficient flexibility in access control policies in existing technologies is effectively solved. It can proactively adapt to complex and ever-changing network threats, accurately identify and respond to abnormal behaviors, thereby significantly improving the security protection capability of the database and effectively ensuring the security of data assets. Attached Figure Description
[0056] To more clearly illustrate the technical solutions in the embodiments of the present invention or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.
[0057] Figure 1 This is a flowchart illustrating the secure database access method in an embodiment of the present invention;
[0058] Figure 2 This is a flowchart illustrating a secure database access method according to another embodiment of the present invention;
[0059] Figure 3 This is a schematic diagram of the structural composition of the secure database access system in an embodiment of the present invention. Detailed Implementation
[0060] The technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.
[0061] Example 1
[0062] Please see Figure 1 , Figure 1 This is a flowchart illustrating a secure database access method according to an embodiment of the present invention, the method comprising:
[0063] S11: When the terminal device initiates a connection request to the database, the underlying network protocol stack characteristics, hardware information, software information and virtual context information of the terminal device are obtained, and a terminal identity identifier is generated based on the underlying network protocol stack characteristics, hardware information, software information and virtual context information.
[0064] In the specific implementation of this invention, when a terminal device initiates a connection request to the database, it obtains the underlying network protocol stack characteristics, hardware information, software information, and virtual context information of the terminal device. A digital signature is generated based on these characteristics. The digital signature is then validated to obtain a validation result. A terminal identity identifier is generated using a hash function based on the validation result. By utilizing the digital signature and the hash function, the uniqueness and immutability of the terminal identity identifier can be ensured, effectively preventing identity forgery and impersonation, and improving the accuracy and security of identity recognition.
[0065] S12: Analyze the communication environment security risks of the terminal device, and determine the current trust coefficient of the terminal device based on the communication environment security risks and the terminal identity identifier, and determine the access control policy of the terminal device to the database based on the current trust coefficient;
[0066] In the specific implementation of this invention, the encryption strength of the terminal device during secure communication connection negotiation is analyzed to obtain the target encryption strength; the geographical location deviation of the terminal device is analyzed to obtain geographical location deviation information; the network hop count of the terminal device is analyzed, and the communication environment security risk of the terminal device is determined based on the target encryption strength, geographical location deviation information, and network hop count. Based on the communication environment security risk and the terminal identity, the current trust coefficient of the terminal device is determined, and based on the current trust coefficient, the access control policy of the terminal device to the database is determined. This allows for a comprehensive assessment of the communication environment security risk of the terminal device and the generation of a more reliable access control policy.
[0067] S13: During the process of the terminal device accessing the database according to the access control policy, the real-time reliability coefficient of the terminal device is continuously monitored, and the real-time reliability coefficient is compared with the preset reliability threshold.
[0068] In the specific implementation of this invention, during the process of the terminal device accessing the database according to the access control policy, the real-time reliability coefficient of the terminal device is continuously monitored, and the real-time reliability coefficient is compared with the preset reliability threshold, so as to monitor whether the terminal encounters any risks when accessing the database.
[0069] S14: When the real-time reliability coefficient is detected to decrease to a preset reliability threshold, the maintenance task information, resource fluctuation information, sandbox network traffic information and scenario event sequence of the terminal device are obtained, and the first risk scenario information is determined based on the maintenance task information and sandbox network traffic information, and the second risk scenario information is determined based on the maintenance task information, resource fluctuation information and sandbox network traffic information.
[0070] In the specific implementation of this invention, when the real-time reliability coefficient is detected to decrease to a preset reliability threshold, maintenance task information, resource fluctuation information, sandbox network traffic information, and scenario event sequences of the terminal device are acquired. The maintenance task information is then validated for legality to obtain a validity verification result. Pattern analysis is performed on the sandbox network traffic information to obtain traffic pattern information, and abnormal traffic information is determined based on the traffic pattern information using a preset traffic baseline. Conflicting information is determined based on the validity verification result and abnormal traffic information, and the conflicting information is weighted according to preset conflict resolution rules to obtain weighted conflicting information. First risk scenario information is generated based on the weighted conflicting information combined with continuous data showing a decrease in the real-time reliability coefficient of the terminal device. By validating the maintenance task's legality and analyzing the abnormal sandbox network traffic, combined with continuous data showing a decrease in the real-time reliability coefficient, potential risks caused by maintenance tasks or abnormal traffic can be effectively identified, improving the accuracy of risk scenario identification. The resource fluctuation information is digitally signed to obtain a digital signature verification result; the sandbox network traffic information is then subjected to integrity verification based on preset legitimate test traffic information to obtain an integrity verification result; based on the digital signature verification result and the integrity verification result, report source credibility degradation information is determined; and based on the maintenance task information and report source credibility degradation information, combined with the continuous decrease in the real-time credibility coefficient of the terminal device, a second risk scenario information is generated. This approach can assess the credibility of the report source and, combined with the continuous decrease in the real-time credibility coefficient, identify risk scenarios caused by the reduction in report source credibility, thus enhancing the comprehensiveness of risk assessment.
[0071] S15: Determine the third risk scenario information based on the scenario event sequence, and generate the target risk scenario information based on the first risk scenario information, the second risk scenario information, and the third risk scenario information;
[0072] In the specific implementation of this invention, pattern bias analysis is performed on the scenario event sequence based on a preset time window to obtain pattern bias data; anomaly intensity quantification is performed based on the pattern bias data to obtain anomaly intensity quantification data; scenario context manipulation attack analysis is performed based on the anomaly intensity quantification data to obtain scenario context manipulation attack information; and a third risk scenario information is generated based on the scenario context manipulation attack information combined with the continuous decrease in the real-time reliability coefficient of the terminal device. Generating target risk scenario information based on the first, second, and third risk scenario information can effectively identify scenario context manipulation attacks, and by combining the continuous decrease in the real-time reliability coefficient data, more targeted risk scenario information is generated, improving the detection capability for complex attacks.
[0073] S16: Adjust the access control policy based on the target risk scenario information.
[0074] In the specific implementation of this invention, the access control policy is adjusted based on the target risk scenario information. The access control policy is adaptively adjusted according to the risk scenario information, which effectively solves the problems of single terminal identification dimension, static trust assessment and insufficient flexibility of access control policy in the prior art, and significantly improves the security protection capability of the database.
[0075] In this embodiment of the invention, a terminal identity identifier is generated based on the underlying network protocol stack characteristics, hardware information, software information and virtual context information of the terminal device. The communication environment security risks of the terminal device are analyzed, and the current trust coefficient of the terminal device is determined based on the communication environment security risks and the terminal identity identifier. Based on the current trust coefficient, the access control policy of the terminal device to the database is determined, making the determination of the trust coefficient more comprehensive and objective, thereby enabling the formulation of more targeted access control policies. During the process of a terminal device accessing the database according to the access control policy, the real-time trust coefficient of the terminal device is continuously monitored. When the real-time trust coefficient drops to a preset trust threshold, maintenance task information, resource fluctuation information, sandbox network traffic information, and scenario event sequences of the terminal device are acquired. Based on the maintenance task information and sandbox network traffic information, a first risk scenario is determined; based on the maintenance task information, resource fluctuation information, and sandbox network traffic information, a second risk scenario is determined; based on the scenario event sequences, a third risk scenario is determined; and a target risk scenario is generated based on the first, second, and third risk scenario information. The access control policy is adjusted based on the target risk scenario information. Through this dynamic and multi-dimensional risk perception and policy adjustment mechanism, the problem of insufficient flexibility in access control policies in existing technologies is effectively solved. It can proactively adapt to complex and ever-changing network threats, accurately identify and respond to abnormal behaviors, thereby significantly improving the security protection capability of the database and effectively ensuring the security of data assets.
[0076] Example 2
[0077] Please see Figure 2 , Figure 2 This is a flowchart illustrating a secure database access method according to another embodiment of the present invention, the method comprising:
[0078] S201: When the terminal device initiates a connection request to the database, the underlying network protocol stack characteristics, hardware information, software information and virtual context information of the terminal device are obtained, and a terminal identity identifier is generated based on the underlying network protocol stack characteristics, hardware information, software information and virtual context information.
[0079] In a specific implementation of this invention, generating a terminal identity identifier based on the underlying network protocol stack features, hardware information, software information, and virtual context information includes: generating a digital signature based on the underlying network protocol stack features, hardware information, software information, and virtual context information; validating the digital signature to obtain a validity verification result; and generating a terminal identity identifier based on the validity verification result using a hash function.
[0080] Specifically, when a terminal device initiates a connection request to the database, it obtains the underlying network protocol stack characteristics, hardware information, software information, and virtual context information of the terminal device. The underlying network protocol stack characteristics refer to the unique behavioral patterns and configuration information exhibited by the terminal device during network communication, related to the operating system and network drivers, such as the fingerprint information of the TCP / IP protocol stack, TTL value, window size, and SYN / ACK packet sequence. These characteristics reflect the terminal device's operating system type, version, and network configuration habits. Hardware information refers to the inherent identification information of the terminal device's physical components, such as CPU serial number, hard drive serial number, MAC address, motherboard information, and device model. This information is usually fixed at the factory and difficult to tamper with. Software information refers to the type, version, configuration, and running status of the operating system, applications, security patches, drivers, and other software installed on the terminal device. This information can reflect the terminal device's software environment and potential vulnerabilities. Virtual context information refers to information related to the virtualization environment or container environment in which the terminal device resides, such as virtual machine ID, virtualization platform type, container ID, and virtual network configuration. This information helps distinguish between physical devices and virtualization instances.
[0081] Digital signatures are generated based on the underlying network protocol stack characteristics, hardware information, software information, and virtual context information. Generating a digital signature involves using asymmetric encryption algorithms, such as RSA or ECC, to encrypt the underlying network protocol stack characteristics, hardware information, software information, and virtual context information of the terminal device to generate a unique digital signature. This digital signature ensures the integrity of this information and the authenticity of its source.
[0082] The digital signature is validated to obtain a validity verification result. Validation of the digital signature involves decrypting and verifying the received digital signature using a preset public key or certificate to confirm whether the digital signature was generated by a legitimate terminal device and whether the corresponding information has been tampered with during transmission. The validity verification result can be a Boolean value indicating whether the signature is valid. Based on the validity verification result, a terminal identity identifier is generated using a hash function. When the digital signature is verified as valid, the original underlying network protocol stack characteristics, hardware information, software information, and virtual context information, or the digital signature itself, are processed using a one-way hash function (such as SHA-256 or SHA-3) to generate a fixed-length, unique terminal identity identifier. The application of the hash function further enhances the security of the identity identifier, making it difficult to reverse-engineer the original information, and any minor modification will cause a significant change in the hash value. This step-by-step verification and encryption mechanism ensures that the generated terminal identity identifier is not only unique but also has high integrity and non-repudiation, thus providing a solid foundation for subsequent communication environment security risk analysis and trust coefficient determination. As a result, the generated terminal identity has higher credibility, providing a more solid and reliable basis for subsequent communication environment security risk assessment and access control policy formulation, thereby improving the robustness and protection capability of the database security access method as a whole.
[0083] S202: Analyze the communication environment security risks of the terminal device, and determine the current trust coefficient of the terminal device based on the communication environment security risks and the terminal identity identifier, and determine the access control policy of the terminal device to the database based on the current trust coefficient;
[0084] In the specific implementation of this invention, the analysis of the communication environment security risks of the terminal device includes: analyzing the encryption strength of the terminal device during secure communication connection negotiation to obtain the target encryption strength; analyzing the geographical location deviation of the terminal device to obtain geographical location deviation information; analyzing the network hop count of the terminal device, and determining the communication environment security risks of the terminal device based on the target encryption strength, geographical location deviation information, and network hop count.
[0085] Specifically, encryption strength analysis is performed on terminal devices during secure communication connection negotiation to obtain the target encryption strength. Encryption strength analysis refers to evaluating the strength of the encryption algorithm and key length used by the terminal device when establishing a secure communication connection with the database. For example, the cipher suite negotiated during the TLS / SSL handshake process can be analyzed to determine whether it meets preset security standards, thereby obtaining the target encryption strength. The target encryption strength can be a quantitative indicator reflecting the communication link's ability to resist eavesdropping and tampering.
[0086] Geographic location deviation analysis of terminal devices yields geographic location deviation information. Encryption strength analysis assesses the strength of the encryption algorithms and key lengths used by the terminal device when establishing a secure communication connection with the database. For example, it analyzes the cipher suites negotiated during the TLS / SSL handshake process to determine if they meet preset security standards, thereby obtaining the target encryption strength. The target encryption strength can be a quantitative indicator reflecting the communication link's ability to resist eavesdropping and tampering.
[0087] Analyzing the network hop count of a terminal device refers to tracking the number of network devices traversed by data packets during transmission between the terminal device and the database. Excessive or abnormally fluctuating network hop counts may indicate that data packets are being routed to unexpected paths or that there is a risk of a man-in-the-middle attack. Based on the target encryption strength, geographical location deviation information, and network hop count, the security risks of the terminal device's communication environment are determined. For example, low encryption strength, large geographical location deviation, and an abnormally high increase in network hop counts may all be considered indicators of a high security risk in the communication environment. By meticulously analyzing the encryption strength, geographical location deviation, and network hop count of the terminal device's secure communication connection negotiation, the security of the communication environment in which the terminal device operates can be comprehensively assessed from multiple dimensions. Encryption strength analysis ensures the confidentiality and integrity of data transmission, preventing sensitive information from being stolen or tampered with during transmission. Geographical location deviation analysis helps identify whether the terminal device is accessing unauthorized areas, effectively preventing geographical spoofing and unauthorized access. Network hop count analysis can reveal anomalies in the communication path, promptly detecting potential routing hijacking or man-in-the-middle attacks. It is precisely because these multi-dimensional security indicators are comprehensively considered that the assessment of security risks in the communication environment becomes more accurate and comprehensive, thus providing a solid foundation for the subsequent determination of trust coefficients and the formulation of access control policies.
[0088] Based on the communication environment security risks and terminal identity, the current trust coefficient of the terminal device is determined. Based on this current trust coefficient, the access control policy for the terminal device to the database is determined. For example, an initial trust coefficient can be set, and then adjusted according to the communication environment security risk score. If the communication environment security risk score is high, the current trust coefficient will decrease accordingly; conversely, it may remain at a high level. Simultaneously, the uniqueness of the terminal identity and historical behavior records can also be used as a basis for adjusting the current trust coefficient. For example, if the terminal identity is appearing for the first time or its historical behavior is abnormal, its current trust coefficient may be assigned a lower value. Based on the current trust coefficient, the access control policy for the terminal device to the database can be determined. For example, if the current trust coefficient is high, the terminal device may be allowed full access (read, write, delete, etc.); if the trust coefficient is medium, only read-only access or access to specific sensitive data may be allowed; if the trust coefficient is low, access may be directly denied or the data may be placed in an isolated area for further verification.
[0089] S203: During the process of the terminal device accessing the database according to the access control policy, the real-time reliability coefficient of the terminal device is continuously monitored, and the real-time reliability coefficient is compared with the preset reliability threshold.
[0090] In the specific implementation of this invention, during the process of the terminal device accessing the database according to the access control policy, the real-time trust coefficient of the terminal device is continuously monitored, and the real-time trust coefficient is compared with a preset trust threshold. This can be achieved by periodically repeating the above process of obtaining terminal information and analyzing communication environment risks, or by dynamically updating the trust coefficient by collecting data such as system logs, network traffic, and user behavior of the terminal device in real time. For example, the CPU utilization, memory usage, network I / O, process activity, and file access patterns of the terminal device can be monitored. Simultaneously, the real-time trust coefficient is compared with the preset trust threshold. The preset trust threshold can be set according to the database's security level, data sensitivity, and the organization's security policy. When the real-time trust coefficient is detected to decrease to the preset trust threshold, this indicates that the terminal device may have potential security risks, requiring further in-depth analysis, and proceeding to step S204. If the real-time trust coefficient does not decrease to the preset trust threshold, its real-time trust coefficient continues to be monitored.
[0091] S204: When the real-time reliability coefficient is detected to decrease to a preset reliability threshold, the maintenance task information, resource fluctuation information, sandbox network traffic information and scenario event sequence of the terminal device are obtained, and the first risk scenario information is determined based on the maintenance task information and sandbox network traffic information, and the second risk scenario information is determined based on the maintenance task information, resource fluctuation information and sandbox network traffic information.
[0092] In a specific implementation of this invention, determining the first risk scenario information based on the maintenance task information and sandbox network traffic information includes: performing a legality verification on the maintenance task information to obtain a legality verification result; performing pattern analysis on the sandbox network traffic information to obtain traffic pattern information, and determining abnormal traffic information based on the traffic pattern information using a preset traffic baseline; determining conflicting information based on the legality verification result and the abnormal traffic information, and performing weighted processing on the conflicting information based on preset conflict resolution rules to obtain weighted conflicting information; and generating the first risk scenario information based on the weighted conflicting information combined with the continuous data of the decrease in the real-time reliability coefficient of the terminal device.
[0093] Specifically, when the real-time reliability coefficient is detected to decrease to a preset reliability threshold, maintenance task information, resource fluctuation information, sandbox network traffic information, and scenario event sequences of the terminal device are acquired. Maintenance task information can be obtained from the terminal device's system logs, task scheduler, or operation and maintenance management platform, such as system updates, patch installations, and software upgrades. Resource fluctuation information can be obtained through real-time monitoring tools, such as instantaneous changes in CPU, memory, disk I / O, and network bandwidth. Sandbox network traffic information can be obtained by performing behavioral analysis on the terminal device in an isolated environment, capturing its generated network traffic, and performing deep packet inspection and behavioral pattern analysis. Scenario event sequences can be obtained from the terminal device's security logs, audit logs, intrusion detection systems, or security information and event management systems, such as failed login attempts, abnormal file access, abnormal process startup, and abnormal network connections.
[0094] The maintenance task information is then validated for legality. This validation involves verifying the source, content, execution permissions, and compliance with pre-defined security policies and procedures of the received maintenance task. For example, it can check whether the maintenance task was initiated by an authorized user or system, whether the task content matches approved change management records, and whether the task execution time is within the allowed range. This validation ensures the authenticity and compliance of maintenance tasks, preventing maliciously disguised maintenance actions from being mistaken for legitimate operations.
[0095] Pattern analysis is performed on the sandbox network traffic information to obtain traffic pattern information. Pattern analysis refers to the in-depth analysis of network traffic data generated by terminal devices in the sandbox environment to identify their behavioral patterns. Traffic pattern information can include multiple dimensions such as traffic volume, protocol type, connection target, and packet frequency. Based on the traffic pattern information, abnormal traffic information is identified using a preset traffic baseline. By comparing with the preset traffic baseline (i.e., typical traffic patterns under normal, risk-free conditions), abnormal traffic information that deviates significantly from normal behavioral patterns can be effectively identified. For example, if traffic in the sandbox environment suddenly surges or traffic similar to the communication patterns of known malware appears, it will be marked as abnormal.
[0096] Determining contradictory information based on the aforementioned legality verification results and abnormal traffic information means that when maintenance task information passes legality verification, but sandbox network traffic information shows abnormalities, or maintenance task information is illegitimate, but sandbox network traffic information appears normal, these inconsistencies are identified as contradictory information. For example, an authorized system maintenance task is in progress, but sandbox network traffic shows a large amount of data flowing to an unknown external IP address, which constitutes a contradiction. The contradictory information is weighted based on preset conflict resolution rules to obtain weighted contradictory information. These rules can assign different weights to different types of contradictions based on predefined priorities, risk levels, or expert experience, thereby obtaining weighted contradictory information. For example, a minor traffic anomaly caused by a legitimate maintenance task performed by a high-privilege user may have a lower weight than a traffic anomaly caused by a maintenance task attempted by an unauthorized user.
[0097] The first risk scenario information is generated by combining weighted contradictory information with data on the continuous decrease in the real-time reliability coefficient of the terminal device. This continuous decrease data reflects the duration or frequency of the terminal device's reliability coefficient's decline, providing a crucial temporal reference for risk assessment. For example, if the weighted contradictory information indicates a medium risk, but the real-time reliability coefficient has been continuously decreasing for a considerable period, the first risk scenario information may be upgraded to high risk; conversely, it may be downgraded. By combining data on the continuous decrease in the terminal device's real-time reliability coefficient, the generation of risk scenarios considers not only the nature of the current event but also the persistence and evolution trend of the risk state. This makes the determination of the first risk scenario information more accurate and dynamic, more precisely reflecting the severity and urgency of the risk. This provides a more solid and dynamic basis for adjusting subsequent access control policies, ultimately improving the overall protection capability and response efficiency of database security access.
[0098] Furthermore, determining the second risk scenario information based on the maintenance task information, resource fluctuation information, and sandbox network traffic information includes: performing digital signature verification on the resource fluctuation information to obtain a digital signature verification result; performing integrity verification on the sandbox network traffic information based on preset legitimate test traffic information to obtain an integrity verification result; determining report source credibility degradation information based on the digital signature verification result and the integrity verification result; and generating the second risk scenario information based on the maintenance task information and the report source credibility degradation information combined with the continuous data of the decrease in the real-time credibility coefficient of the terminal device.
[0099] Specifically, the resource fluctuation information is digitally signed and verified to obtain a digital signature verification result. Digital signature verification of resource fluctuation information means confirming the authenticity of its source and whether it has been tampered with during transmission by verifying the digital signature of the information. The digital signature verification result is used to indicate whether the information is trustworthy. For example, asymmetric encryption algorithms can be used to sign and verify the resource fluctuation information to ensure its integrity and non-repudiation.
[0100] The sandbox network traffic information is subjected to integrity verification based on preset legitimate test traffic information. The purpose of this verification is to detect whether the sandbox network traffic information is complete and whether it contains abnormal or missing data, thus preventing attackers from forging or hiding malicious behavior by injecting or deleting traffic data. The integrity verification result indicates the reliability of the sandbox network traffic information. For example, integrity can be ensured by calculating a hash value and comparing it with an expected hash value, or by inspecting the packet sequence and content.
[0101] The report source credibility degradation information is determined based on the digital signature verification results and integrity verification results. These results are key indicators for assessing the reliability of information sources. Determining report source credibility degradation information based on these two results means that if either verification or validation fails, it indicates that the report source providing this information may have a problem, and its credibility should be reduced. The report source credibility degradation information can be a Boolean value, a score, or a level, used to quantify the degree of untrustworthiness of the report source.
[0102] Based on the maintenance task information and the report source credibility degradation information, combined with the continuous decrease in the real-time credibility coefficient of the terminal device, a second risk scenario information is generated. The maintenance task information provides the legitimate operational background that the terminal device is currently performing, such as system updates or software installations. The report source credibility degradation information corrects the reliability of resource fluctuation information and sandbox network traffic information. By combining the continuous decrease in the real-time credibility coefficient of the terminal device—that is, the duration or frequency of the real-time credibility coefficient being below a preset threshold—the second risk scenario faced by the terminal device can be assessed more comprehensively and accurately. For example, if the resource fluctuation information is tampered with and the real-time credibility coefficient continues to decrease, it may indicate a more serious attack than simple system maintenance. By comprehensively considering the digital signature verification results and integrity verification results, the system can accurately determine the report source credibility degradation information and identify untrusted report sources. This degradation information is then used to correct the risk assessment based on the maintenance task information and the continuous decrease in the real-time credibility coefficient, making the generated second risk scenario information closer to the actual situation, avoiding false alarms or false negatives caused by relying on unreliable data, thereby improving the accuracy and reliability of the risk assessment. By introducing information on the credibility degradation of reporting sources, the system can adaptively adjust the weight and judgment of risk assessment when it detects problems with the data source. This allows for a more accurate identification of potential threats caused by the unreliability of the data source when the real-time credibility coefficient of the terminal device decreases. Consequently, more appropriate and effective access control policies can be formulated, greatly enhancing the security protection capabilities of the database.
[0103] S205: Perform pattern bias analysis on the scenario event sequence based on a preset time window to obtain pattern bias data;
[0104] In a specific implementation of this invention, the step of performing pattern deviation analysis on the scenario event sequence based on a preset time window to obtain pattern deviation data includes: extracting deviation features from the scenario event sequence using a preset normal scenario pattern based on the preset time window to obtain deviation feature information; analyzing the similarity between the deviation feature information and predefined attack pattern features, and performing fluctuation pattern difference analysis based on the similarity to obtain fluctuation pattern difference data; and performing pattern deviation analysis based on the fluctuation pattern difference data combined with the deviation feature information to obtain pattern deviation data.
[0105] Specifically, based on a preset time window and a preset normal scenario pattern, deviation features are extracted from the scenario event sequence to obtain deviation feature information. The preset time window can be understood as a pre-defined time interval, such as several seconds, several minutes, or longer, the purpose of which is to limit the analysis scope of the scenario event sequence. The preset normal scenario pattern is established based on historical data or expert experience and is used to describe the typical behavioral patterns that the scenario event sequence should exhibit under normal, non-threat conditions. Deviation feature extraction refers to identifying the differences or abnormal patterns between the current scenario event sequence and the preset normal scenario pattern, such as deviations in the frequency, order, parameter values, etc. of events. Thus, deviation feature information can be obtained, which quantifies the degree of deviation between the current scenario and the normal pattern.
[0106] The similarity between the aforementioned deviation feature information and predefined attack pattern features is analyzed. These predefined attack pattern features refer to known event sequence patterns associated with various network attacks or malicious behaviors, such as SQL injection, denial-of-service attacks, and privilege escalation. Similarity analysis can be implemented using various similarity measurement algorithms, such as cosine similarity, Jaccard similarity, or machine learning-based classifiers, with the aim of assessing the degree of matching between the current deviation feature information and known attack patterns. Based on this similarity, fluctuation pattern difference analysis is performed to obtain fluctuation pattern difference data. This analysis aims to identify the differences between the dynamic changes of the deviation feature information over time and the fluctuation characteristics of known attack patterns, which helps distinguish between sporadic anomalies and persistent, purposeful attack behaviors.
[0107] Based on the fluctuation pattern difference data and the deviation feature information, pattern deviation analysis is performed to obtain pattern deviation data. This data comprehensively considers the aforementioned static deviation features and dynamic fluctuation pattern differences, resulting in a more comprehensive and accurate pattern deviation dataset. This data not only reflects the deviation of the current scenario from the normal pattern but also includes the specific characteristics of this deviation in behavioral patterns and time series, providing more refined input for subsequent risk assessment. Deviation feature extraction can capture deviations from normal behavior; similarity analysis with predefined attack pattern features helps to associate detected anomalies with known threat types; and fluctuation pattern difference analysis further reveals the dynamic evolution characteristics of abnormal behavior, thus distinguishing between accidental system fluctuations and premeditated attacks. This multi-dimensional, hierarchical analysis method makes the generation of pattern deviation data more accurate and reliable.
[0108] Furthermore, the step of performing fluctuation pattern difference analysis based on the similarity level to obtain fluctuation pattern difference data includes: selecting target feature information whose similarity level does not reach a preset similarity threshold from the deviation feature information; performing behavioral composition analysis on the target feature information to obtain atomic operation sequences, operation objects, and operation context environments; performing behavioral intent analysis based on the atomic operation sequences, operation objects, and operation context environments to obtain behavioral intent information; performing behavioral evolution path analysis based on the behavioral intent information to obtain behavioral evolution path information; and performing fluctuation pattern difference analysis based on the behavioral evolution path information to obtain fluctuation pattern difference data.
[0109] Specifically, target feature information whose similarity to the deviation feature information does not reach a preset similarity threshold is selected. Similarity refers to the degree of matching or correlation between the deviation feature information and predefined attack pattern features. The preset similarity threshold is a critical value used to determine whether the similarity is high enough; it can be set according to actual security needs and experience. Target feature information refers to feature data that has a low similarity to known attack patterns but may still indicate potential anomalous behavior; it is further analyzed to reveal deeper risks.
[0110] Behavioral composition analysis is performed on the target feature information to obtain atomic operation sequences, operation objects, and operation contexts. This analysis aims to decompose the complex behavior represented by the target feature information into more fundamental components. An atomic operation sequence refers to the smallest, indivisible set of actions that constitute a specific behavior, such as file reading / writing, network connection establishment, and process startup. The operation object refers to the entity on which these atomic operations act, such as a specific file, network port, memory region, or user account. The operation context refers to the system state, environmental parameters, and other relevant information at the time the behavior occurs, such as operating system version, network topology, timestamps, and user permissions. This decomposition allows for a clearer understanding of the nature of the behavior.
[0111] Behavioral intent analysis is performed based on the atomic operation sequence, the operation object, and the operation context to obtain behavioral intent information. This analysis aims to infer the potential purpose or motivation of the terminal device or attacker from the decomposed behavioral components. For example, if a series of read and write operations on critical system files are observed, and the operation context indicates an unauthorized user, it may be inferred that the intent is data theft or system sabotage. Behavioral intent information describes this inference result and may include attack type, attack stage, potential impact, etc.
[0112] Based on the aforementioned behavioral intent information, behavioral evolution path analysis is performed to obtain behavioral evolution path information. This analysis aims to predict or reconstruct the possible trajectory or chain of attack behavior. For example, an initial malicious file download behavior (behavioral intent information) may evolve into subsequent steps such as privilege escalation, lateral movement, and data infiltration. Behavioral evolution path information is a description of this prediction or reconstruction result, and it may include a series of potential attack steps arranged chronologically and their interrelationships.
[0113] Based on the behavioral evolution path information, fluctuation pattern difference analysis is performed to obtain fluctuation pattern difference data. In-depth analysis of the behavioral evolution path information can identify fluctuation patterns that significantly differ from normal behavioral patterns or known attack patterns. The fluctuation pattern difference data is a quantitative representation of these differences, which can be used to further assess the severity and urgency of the risk. Behavioral evolution path analysis can predict or reconstruct the possible development trajectory of an attack, enabling security defense to shift from passive response to proactive prediction. It is precisely because of this progressive analysis method that the system can capture those more covert and complex attack patterns that are not easily detected by traditional similarity matching, thereby obtaining more accurate fluctuation pattern difference data.
[0114] Furthermore, the step of performing behavior evolution path analysis based on the behavior intent information to obtain behavior evolution path information includes: performing transmission path analysis of the communication link based on the behavior intent information to obtain transmission path information; extracting covert channel features based on the transmission path information to obtain covert channel feature information; performing covert channel traffic pattern analysis based on the behavior intent information to obtain covert channel traffic pattern information; and performing behavior evolution path analysis based on the transmission path information, covert channel feature information, and covert channel traffic pattern information to obtain behavior evolution path information.
[0115] Specifically, based on the aforementioned behavioral intent information, transmission path analysis of the communication link is performed to obtain transmission path information. This analysis involves in-depth probing and mapping of the data transmission path between the terminal device and the database, or between the terminal device and other relevant entities, to identify all network nodes, routing devices, and possible intermediate proxies through which the data flows. Transmission path information may include, but is not limited to, IP routing information, network topology, hop count, latency, and packet loss rate. Its purpose is to reveal the actual path of data transmission, providing a foundation for subsequent covert channel detection.
[0116] Based on the transmission path information, covert channel feature extraction is performed to obtain covert channel feature information. Covert channel feature extraction refers to identifying abnormal or non-standard features from the obtained transmission path information that may be used to establish a covert communication channel. Covert channel feature information may include, but is not limited to, unconventional port usage, abnormal protocol encapsulation, abnormal patterns of packet size or time intervals, and unexpected data transmission directions. Its purpose is to identify potential covert communication carriers.
[0117] Covert channel traffic pattern analysis is performed based on the aforementioned behavioral intent information to obtain covert channel traffic pattern information. Covert channel traffic pattern analysis refers to the pattern recognition and behavioral analysis of data traffic in a communication link that may exist in a covert channel, based on behavioral intent information. Covert channel traffic pattern information may include, but is not limited to, traffic periodicity, burstiness, data volume, and data content characteristics (such as whether it is encrypted or contains a specific signature). Its purpose is to confirm the activity of the covert channel and its potential malicious payload.
[0118] Behavioral evolution path analysis is performed based on the aforementioned transmission path information, covert channel feature information, and covert channel traffic pattern information to obtain behavioral evolution path information. Behavioral evolution path analysis refers to comprehensively utilizing transmission path information, covert channel feature information, and covert channel traffic pattern information to construct a complete evolution chain from behavioral intent to actual attack behavior. Its purpose is to comprehensively understand how attackers utilize covert channels to achieve their malicious intent and predict their possible next actions. By conducting multi-dimensional analysis of behavioral intent information, the transmission path of the communication link is first analyzed in depth to obtain transmission path information, which helps identify the actual data transmission path and potential vulnerabilities. Based on this, by extracting covert channel features from the transmission path information, non-standard communication modes or carriers that may be maliciously exploited can be identified. Simultaneously, by combining behavioral intent information with analysis of covert channel traffic patterns, the activity of the covert channel and its potential malicious payload can be further confirmed. Finally, by integrating transmission path information, covert channel characteristic information, and covert channel traffic pattern information, behavioral evolution path analysis can be performed. This allows for the construction of a complete evolution chain from attack intent to actual attack behavior, thus enabling a more comprehensive and in-depth understanding of potential threat behaviors.
[0119] S206: Perform anomaly intensity quantization based on the mode deviation data to obtain anomaly intensity quantization data;
[0120] In the specific implementation of this invention, anomaly intensity quantification based on the pattern deviation data refers to the quantitative assessment of the severity or potential threat level of these deviations after obtaining the pattern deviation data. Anomaly intensity quantification can help the system distinguish between minor abnormal fluctuations and severe attack behaviors. For example, different weights can be assigned based on factors such as the type, duration, scope of impact, and similarity to known attack patterns to calculate a comprehensive anomaly intensity value.
[0121] S207: Analyze the scenario context manipulation attack based on the abnormal intensity quantification data to obtain scenario context manipulation attack information, and generate third risk scenario information based on the scenario context manipulation attack information combined with the continuous data of the decrease in the real-time credibility coefficient of the terminal device, and generate target risk scenario information based on the first risk scenario information, the second risk scenario information and the third risk scenario information.
[0122] In the specific implementation of this invention, context manipulation attack analysis based on the aforementioned anomaly intensity quantification data refers to using the quantified anomaly intensity data to deeply analyze whether there are behaviors that manipulate the context to evade detection or launch attacks. Context manipulation attacks typically involve attackers attempting to change the system's understanding or interpretation of events to make their malicious behavior appear normal. By analyzing the anomaly intensity quantification data, seemingly minor but actually carefully planned context manipulation behaviors can be identified, thereby obtaining context manipulation attack information. Based on this context manipulation attack information and the continuous decrease in the real-time credibility coefficient of the terminal device, a third risk scenario information is generated. The identified context manipulation attack information is combined with the continuous decreasing trend of the real-time credibility coefficient of the terminal device to comprehensively judge and generate the third risk scenario information. This combination considers the nature of the attack (context manipulation) and the changes in the overall credibility of the terminal device, enabling a more comprehensive and accurate characterization of risk scenarios. By combining these analysis results with continuous data on the reduction of the real-time reliability coefficient of terminal devices, the resulting third risk scenario information has higher accuracy and comprehensiveness. This provides a more reliable basis for subsequent adjustments to access control strategies based on the target risk scenario information, significantly improving the protection capability and response efficiency of database security access, and providing a reliable basis for subsequent adjustments to access control strategies.
[0123] Based on the first, second, and third risk scenario information, target risk scenario information is generated. This information can be comprehensively evaluated, and through expert systems, machine learning models, or risk scoring algorithms, a comprehensive target risk scenario information describing the threat scenarios currently faced by the terminal device can be generated. By determining the first, second, and third risk scenario information based on this information, and ultimately generating the target risk scenario information, static trust assessment is transformed into dynamic risk perception and scenario analysis. Through real-time monitoring and multi-dimensional risk scenario analysis, abnormal behavior or environmental changes of terminal devices can be detected promptly, such as malware activity or internal personnel misconduct, thus providing a sufficient basis for subsequent strategy adjustments.
[0124] S208: Adjust the access control policy based on the target risk scenario information.
[0125] In the specific implementation of this invention, access control policies are adjusted based on the target risk scenario information. For example, if the target risk scenario information indicates that a terminal device may be infected with malware, the access control policy can be adjusted to immediately disconnect the connection, isolate the terminal device, restrict all database access, and trigger a security alarm. If the target risk scenario information indicates that the terminal device is performing legitimate maintenance operations but exhibits minor anomalies, its access permissions can be temporarily reduced, and further monitoring can be conducted. This dynamic adjustment mechanism enables the database access control policy to adaptively adjust according to the real-time security status and risk scenario of the terminal device, thereby providing more refined and flexible security protection. Traditional methods, once access policies are set, are usually difficult to adjust flexibly according to real-time risks, resulting in a slow response to dynamic threats. Through in-depth analysis of the target risk scenario information, access permissions can be dynamically tightened or loosened, or even the connection can be immediately interrupted or the terminal device isolated, depending on the nature and severity of the threat. For example, when it is detected that a terminal device may be controlled by malware, all its access to the database can be immediately restricted; while when it is found that the fluctuation in the credibility coefficient is caused by normal maintenance tasks, a more lenient strategy can be adopted. This flexibility and adaptability greatly enhances the database's security capabilities, enabling it to proactively adapt to ever-changing cybersecurity threats and effectively reduce the risk of data breaches and misuse.
[0126] In this embodiment of the invention, a terminal identity identifier is generated based on the underlying network protocol stack characteristics, hardware information, software information and virtual context information of the terminal device. The communication environment security risks of the terminal device are analyzed, and the current trust coefficient of the terminal device is determined based on the communication environment security risks and the terminal identity identifier. Based on the current trust coefficient, the access control policy of the terminal device to the database is determined, making the determination of the trust coefficient more comprehensive and objective, thereby enabling the formulation of more targeted access control policies. During the process of a terminal device accessing the database according to the access control policy, the real-time trust coefficient of the terminal device is continuously monitored. When the real-time trust coefficient drops to a preset trust threshold, maintenance task information, resource fluctuation information, sandbox network traffic information, and scenario event sequences of the terminal device are acquired. Based on the maintenance task information and sandbox network traffic information, a first risk scenario is determined; based on the maintenance task information, resource fluctuation information, and sandbox network traffic information, a second risk scenario is determined; based on the scenario event sequences, a third risk scenario is determined; and a target risk scenario is generated based on the first, second, and third risk scenario information. The access control policy is adjusted based on the target risk scenario information. Through this dynamic and multi-dimensional risk perception and policy adjustment mechanism, the problem of insufficient flexibility in access control policies in existing technologies is effectively solved. It can proactively adapt to complex and ever-changing network threats, accurately identify and respond to abnormal behaviors, thereby significantly improving the security protection capability of the database and effectively ensuring the security of data assets.
[0127] Example 3
[0128] Please see Figure 3 , Figure 3 This is a schematic diagram of the structural composition of a secure database access system according to an embodiment of the present invention. The system includes:
[0129] Identity generation module 31: When a terminal device initiates a connection request to the database, it obtains the underlying network protocol stack characteristics, hardware information, software information and virtual context information of the terminal device, and generates a terminal identity based on the underlying network protocol stack characteristics, hardware information, software information and virtual context information.
[0130] Policy determination module 32: used to analyze the communication environment security risks of terminal devices, and determine the current trust coefficient of terminal devices based on the communication environment security risks and terminal identity identifiers, and determine the access control policy of terminal devices to databases based on the current trust coefficients;
[0131] Trust coefficient monitoring module 33: is used to continuously monitor the real-time trust coefficient of the terminal device during the process of the terminal device accessing the database according to the access control policy, and compare the real-time trust coefficient with a preset trust threshold.
[0132] Risk scenario analysis module 34: When the real-time reliability coefficient is detected to decrease to a preset reliability threshold, it acquires the maintenance task information, resource fluctuation information, sandbox network traffic information and scenario event sequence of the terminal device, and determines the first risk scenario information based on the maintenance task information and sandbox network traffic information, and determines the second risk scenario information based on the maintenance task information, resource fluctuation information and sandbox network traffic information;
[0133] Target scenario determination module 35: used to determine third risk scenario information based on the scenario event sequence, and generate target risk scenario information based on the first risk scenario information, the second risk scenario information and the third risk scenario information;
[0134] Policy adjustment module 36: used to adjust access control policies based on the target risk scenario information.
[0135] In the specific implementation of this invention, the specific implementation methods of the system items can be referred to the implementation methods of the above-mentioned method items, and will not be repeated here.
[0136] In this embodiment of the invention, a terminal identity identifier is generated based on the underlying network protocol stack characteristics, hardware information, software information and virtual context information of the terminal device. The communication environment security risks of the terminal device are analyzed, and the current trust coefficient of the terminal device is determined based on the communication environment security risks and the terminal identity identifier. Based on the current trust coefficient, the access control policy of the terminal device to the database is determined, making the determination of the trust coefficient more comprehensive and objective, thereby enabling the formulation of more targeted access control policies. During the process of a terminal device accessing the database according to the access control policy, the real-time trust coefficient of the terminal device is continuously monitored. When the real-time trust coefficient drops to a preset trust threshold, maintenance task information, resource fluctuation information, sandbox network traffic information, and scenario event sequences of the terminal device are acquired. Based on the maintenance task information and sandbox network traffic information, a first risk scenario is determined; based on the maintenance task information, resource fluctuation information, and sandbox network traffic information, a second risk scenario is determined; based on the scenario event sequences, a third risk scenario is determined; and a target risk scenario is generated based on the first, second, and third risk scenario information. The access control policy is adjusted based on the target risk scenario information. Through this dynamic and multi-dimensional risk perception and policy adjustment mechanism, the problem of insufficient flexibility in access control policies in existing technologies is effectively solved. It can proactively adapt to complex and ever-changing network threats, accurately identify and respond to abnormal behaviors, thereby significantly improving the security protection capability of the database and effectively ensuring the security of data assets.
[0137] Those skilled in the art will understand that all or part of the steps in the various methods of the above embodiments can be implemented by a program instructing related hardware. The program can be stored in a computer-readable storage medium, which may include: read-only memory (ROM), random access memory (RAM), magnetic disk or optical disk, etc.
[0138] Furthermore, the above provides a detailed description of a secure database access method and system provided by the embodiments of the present invention. Specific examples have been used to illustrate the principles and implementation methods of the present invention. The description of the above embodiments is only for the purpose of helping to understand the method and core ideas of the present invention. At the same time, for those skilled in the art, there will be changes in the specific implementation methods and application scope based on the ideas of the present invention. Therefore, the content of this specification should not be construed as a limitation of the present invention.
Claims
1. A secure access method for a database, characterized in that, The method includes: When a terminal device initiates a connection request to the database, it obtains the underlying network protocol stack characteristics, hardware information, software information, and virtual context information of the terminal device, and generates a terminal identity identifier based on the underlying network protocol stack characteristics, hardware information, software information, and virtual context information. Analyze the communication environment security risks of terminal devices, determine the current trust coefficient of terminal devices based on the communication environment security risks and terminal identity identifiers, and determine the access control policy of terminal devices to databases based on the current trust coefficients; During the process of the terminal device accessing the database according to the access control policy, the real-time reliability coefficient of the terminal device is continuously monitored and compared with the preset reliability threshold. When the real-time reliability coefficient is detected to decrease to a preset reliability threshold, maintenance task information, resource fluctuation information, sandbox network traffic information and scenario event sequence of the terminal device are obtained, and a first risk scenario information is determined based on the maintenance task information and sandbox network traffic information, and a second risk scenario information is determined based on the maintenance task information, resource fluctuation information and sandbox network traffic information. The third risk scenario information is determined based on the scenario event sequence, and the target risk scenario information is generated based on the first risk scenario information, the second risk scenario information, and the third risk scenario information. The access control policy is adjusted based on the target risk scenario information. The step of determining the third risk scenario information based on the scenario event sequence includes: performing pattern bias analysis on the scenario event sequence based on a preset time window to obtain pattern bias data; performing anomaly intensity quantification on the pattern bias data to obtain anomaly intensity quantification data; performing scenario context manipulation attack analysis on the anomaly intensity quantification data to obtain scenario context manipulation attack information; and generating the third risk scenario information based on the scenario context manipulation attack information combined with the continuous decrease in the real-time reliability coefficient of the terminal device.
2. The secure database access method according to claim 1, characterized in that, The generation of terminal identity identifiers based on the underlying network protocol stack features, hardware information, software information, and virtual context information includes: A digital signature is generated based on the underlying network protocol stack characteristics, hardware information, software information, and virtual context information. The digital signature is validated to obtain a validation result, and a terminal identity identifier is generated based on the validation result using a hash function.
3. The secure database access method according to claim 1, characterized in that, The analysis of the communication environment security risks of the terminal device includes: Analyze the encryption strength of the terminal device during secure communication connection negotiation to obtain the target encryption strength; Perform geographic location deviation analysis on terminal devices to obtain geographic location deviation information; Analyze the network hop count of the terminal device, and determine the communication environment security risks of the terminal device based on the target encryption strength, geographical location deviation information, and network hop count.
4. The secure database access method according to claim 1, characterized in that, The determination of the first risk scenario information based on the maintenance task information and sandbox network traffic information includes: The maintenance task information is validated for legality, and the validity validation result is obtained. The sandbox network traffic information is analyzed for patterns to obtain traffic pattern information, and abnormal traffic information is determined based on the traffic pattern information using a preset traffic baseline. Based on the legality verification results and abnormal traffic information, conflicting information is determined, and the conflicting information is weighted according to preset conflict resolution rules to obtain weighted conflicting information. The first risk scenario information is generated based on the weighted contradictory information combined with the continuous data of the decrease in the real-time reliability coefficient of the terminal device.
5. The secure database access method according to claim 1, characterized in that, The determination of the second risk scenario information based on the maintenance task information, resource fluctuation information, and sandbox network traffic information includes: The resource fluctuation information is digitally signed to obtain the digital signature verification result; The integrity of the sandbox network traffic information is verified based on preset legitimate test traffic information to obtain the integrity verification result. Based on the digital signature verification results and integrity verification results, information on the report source credibility degradation is determined; Based on the maintenance task information and the report source credibility degradation information, combined with the continuous data on the decrease in the real-time credibility coefficient of the terminal device, a second risk scenario information is generated.
6. The secure database access method according to claim 1, characterized in that, The step of performing pattern bias analysis on the scenario event sequence based on a preset time window to obtain pattern bias data includes: Based on a preset time window, the scenario event sequence is subjected to deviation feature extraction using a preset normal scenario mode to obtain deviation feature information. The similarity between the deviation feature information and the predefined attack mode features is analyzed, and fluctuation mode difference analysis is performed based on the similarity to obtain fluctuation mode difference data. Based on the fluctuation pattern difference data and the deviation feature information, pattern deviation analysis is performed to obtain pattern deviation data.
7. The secure database access method according to claim 6, characterized in that, The analysis of fluctuation pattern differences based on the similarity level, to obtain fluctuation pattern difference data, includes: Select target feature information from the deviation feature information whose similarity does not reach the preset similarity threshold; Behavioral composition analysis is performed on the target feature information to obtain atomic operation sequences, operation objects, and operation context. Behavioral intent analysis is performed based on the atomic operation sequence, operation object, and operation context to obtain behavioral intent information; Based on the behavioral intent information, behavioral evolution path analysis is performed to obtain behavioral evolution path information; Based on the behavioral evolution path information, fluctuation pattern difference analysis is performed to obtain fluctuation pattern difference data.
8. The secure database access method according to claim 7, characterized in that, The step of analyzing the behavior evolution path based on the behavioral intent information to obtain the behavior evolution path information includes: Based on the behavioral intent information, the transmission path of the communication link is analyzed to obtain the transmission path information; Based on the transmission path information, covert channel features are extracted to obtain covert channel feature information; Based on the aforementioned behavioral intent information, covert channel traffic pattern analysis is performed to obtain covert channel traffic pattern information. Based on the transmission path information, covert channel characteristic information, and covert channel traffic pattern information, behavior evolution path analysis is performed to obtain behavior evolution path information.
9. A secure database access system, characterized in that, The system includes: Identity generation module: When a terminal device initiates a connection request to the database, it obtains the underlying network protocol stack characteristics, hardware information, software information and virtual context information of the terminal device, and generates a terminal identity based on the underlying network protocol stack characteristics, hardware information, software information and virtual context information; Policy determination module: used to analyze the communication environment security risks of terminal devices, and determine the current trust coefficient of terminal devices based on the communication environment security risks and terminal identity identifiers, and determine the access control policy of terminal devices to databases based on the current trust coefficients; Trustworthiness monitoring module: used to continuously monitor the real-time trustworthiness of the terminal device during the process of the terminal device accessing the database according to the access control policy, and compare the real-time trustworthiness with a preset trustworthiness threshold; Risk scenario analysis module: When the real-time reliability coefficient is detected to decrease to a preset reliability threshold, it acquires the maintenance task information, resource fluctuation information, sandbox network traffic information and scenario event sequence of the terminal device, and determines the first risk scenario information based on the maintenance task information and sandbox network traffic information, and determines the second risk scenario information based on the maintenance task information, resource fluctuation information and sandbox network traffic information; Target scenario determination module: used to determine third risk scenario information based on the scenario event sequence, and generate target risk scenario information based on the first risk scenario information, the second risk scenario information and the third risk scenario information; Policy adjustment module: used to adjust access control policies based on the target risk scenario information; The step of determining the third risk scenario information based on the scenario event sequence includes: performing pattern bias analysis on the scenario event sequence based on a preset time window to obtain pattern bias data; performing anomaly intensity quantification on the pattern bias data to obtain anomaly intensity quantification data; performing scenario context manipulation attack analysis on the anomaly intensity quantification data to obtain scenario context manipulation attack information; and generating the third risk scenario information based on the scenario context manipulation attack information combined with the continuous decrease in the real-time reliability coefficient of the terminal device.