**4.1 Definition of security audit**

Security audit is based on certain security policy, improving system's performance and safety by recording and analyzing historical events and data. Security audit includes all actions and instruments, e.g. testing, assessing and analyzing all of the weak links in the network information system to find the best ways to let the business run normally, based on the maximum guarantee of safety. It is to ensure the safe operation of network systems and prevent confidentiality integrity and availability of the data from being damaged, prevent intentional or unintentional human error and detect criminal activity on the network. The network status and processes can be targeted to recorded, tracked and reviewed by using the audit mechanism, and find safety problems. In addition, the audit can provide the basis of making filtering rules for online information, if the harmful information is found in the website, it will be added into the list of route filtering, to reject all information of IP addresses on the filtering list through information filtering mechanism. Fig.2 gives a brief overview flowchart of security audit.

Fig. 2. Situation of Security Audit System in Network

Database encryption requires that database cryptography changes plaintext into cipher-text, and cipher-text data stored in the database. Cipher-text is decrypted to get clear information when queries, so data will not be leaked even if the hardware store is stolen, thus the database system security is greatly improved, of course, the cost also increases. Response to attacks from the network level, the database mainly uses many ways e.g. installing a firewall, doing intrusion detection etc. to improve its safety performance. Firewall resists the incredible connections from outside. Intrusion detection systems are generally deployed in firewall, and detect abnormalities on the network and the host through Network packet

The audit function records all database's operation in the audit log automatically when the system works, attack detection system analyses and detects attempt of internal and external attackers according to the audit data, and reproduces events which leads to the status of the system, find vulnerabilities of the system by analyzing, and then trace the relevant

Security audit is based on certain security policy, improving system's performance and safety by recording and analyzing historical events and data. Security audit includes all actions and instruments, e.g. testing, assessing and analyzing all of the weak links in the network information system to find the best ways to let the business run normally, based on the maximum guarantee of safety. It is to ensure the safe operation of network systems and prevent confidentiality integrity and availability of the data from being damaged, prevent intentional or unintentional human error and detect criminal activity on the network. The network status and processes can be targeted to recorded, tracked and reviewed by using the audit mechanism, and find safety problems. In addition, the audit can provide the basis of making filtering rules for online information, if the harmful information is found in the website, it will be added into the list of route filtering, to reject all information of IP addresses on the filtering list through information filtering mechanism. Fig.2 gives a brief

**Net work Fi rewal l Server**

**I ntrusi on Detect i on**

**Securi t y Audi t**

g. Database Encryption

responsible person.

**4 Security audit** 

**4.1 Definition of security audit** 

overview flowchart of security audit.

Fig. 2. Situation of Security Audit System in Network

interception analysis or Analysis of log. h. Audit Trail and Attack Detection

Security audit techniques use one or several security testing tools (generally referred to as scanner), first of all, it will scan loopholes and inspects security vulnerabilities of the system, then achieve the inspection report about the weak link of system, at last it will take security protection and emergency measures according to the response strategies.

Traditional security audit has the function of "old records", pay attention to the audit afterwards and emphasize the deterrent of the audit and verification of security incidents. With the change of United States national information security policy, doing the so-called "defense in depth strategy information" in the information infrastructure is put forward by Information Assurance Technical Framework (IATF), this strategy requires security audit system to participate in the active protection and response. In modern time, network security audit is an all-round, distributed, and multiple-level strong audit concept, which breaks the previous concept of "log" and other shallow level security audit, and it's consistent with the requirements of protecting, detecting, replying and recovering (PDRR) dynamic process, which is put forward by IATF. It can protect and response to the information actively on the basis of improving the breadth and depth of audit.


Web and Database Security 13

the communication between audit module and information collection module, we do a dual-channel design, the user can set any ways to communicate, and the system can

Information collection module collects the data which needs to be audited, including network packet, process information, port information, file access information, and modify the registry information, as well as a variety of server logs, such as WWW logs and security logs. In order to process conveniently later, all data is stored in the audit module of the

For security audit system, selection of incoming data is the key problem to be solved, data source of the security audit can be divided into three categories: Based on the host, based on network and other channels. In order to select the appropriate data sources, it analyzes each

Data sources of the network security audit based on the host , including audit records of the operating system, system log, log information of application system and information based

Network data is the most common source of information in the current network security audit system and commercial intrusion detection system. The basic principle is that when the network data stream transmitting in the network, using a special data acquisition technology to collect the data transmitted in network as the data source of security audit

Data source from other safe products mainly refers to log files produced by safe products e.g. firewall, authentication system which are operated independent in the target system.

Data source from network device e.g. a network management system, using information provided by SNMP (Simple Network Management Protocol) as data source. Out-of-band data source refers to data information provided by the artificial way, which is contrived and non-systematic, e.g. recording what happened in system environment manually, including hardware error information, system configuration information, system crash, other kinds of natural hazard events etc. Out-of-band data source may play an important role for later

In general, it will improve the performance of security audit system if active log of the

These data sources also should be considered by security audit system.

network and its safe device are used as audit data source.

2. Functions of Network Security Audit System a. Data Acquisition and Storage Capability

automatically switch to another way when one way can not work normally.

**4.2.2 Key technologies of network security audit system**  1. Analysis of Data Source of Network Security Audit System

class of data source respectively as follows.

a. Data Source Based on the Host

b. Data Source Based on the Network

database.

on the target.

system.

analysis.

c. Other Data Source

