eSurfing Cloud’s Database Audit can be divided into four parts from the bottom up based on the product deployment architecture: data collection, protocol parsing, risk identification, and data storage. In terms of management and control, it can be divided into log query, dashboard and report, data development, and distributed central management.
• The data collection layer ingests the traffic that needs to be audited, parses the Layer 2 and Layer 3 network protocols and the TCP layer, extracts the IP addresses, ports and other header information, and then discards the traffic that does not need to be audited according to the filtering rules.
• The protocol parsing layer parses the valid information contained in the data packets according to the transmission protocol of each database and extracts information such as the database name, SQL statements and client tool. eSurfing Cloud has accumulated thirteen years of experience in protocol parsing and a deep understanding of database protocols, and can therefore parse protocols accurately and comprehensively.
• The risk identification function matches the parsed SQL statements against the security rules to detect suspicious risks in the statements. Rule matching uses the Aho-Corasick (AC) algorithm implemented as a DFA state machine, so that all security rules are matched in a single pass over each statement, which keeps rule matching efficient. If no risk is found during matching, the fields of the SQL statement are normalized into a standard audit log; if a risk is found, a standardized alarm log is generated at the corresponding risk level. Audit logs and alarm logs must be stored so that they remain traceable, so an import program writes the generated logs to disk.
• When you need to query the audit logs and risk logs, the data output module of Database Audit provides a Web-based query function and can also forward these logs to a third-party platform via Syslog, Kafka and similar channels. In addition, the system management module of Database Audit provides a rich set of management functions, including rule management, software upgrades and so on.
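As an added end-to-end example (not eSurfing Cloud's code), the following Python sketch walks one client packet through the protocol-parsing, risk-identification and log-standardization steps described above. It uses the real MySQL client packet framing (3-byte little-endian payload length, 1-byte sequence id, payload byte 0x03 = COM_QUERY) for the parsing step; the rule set, risk levels, addresses and record layout are constructed assumptions, and TCP reassembly, the data-collection filtering step and the other database protocols are left out.

```python
import json
from collections import deque

# ---- Protocol parsing layer (MySQL wire framing, COM_QUERY only) ----
# A MySQL client packet is a 3-byte little-endian payload length, a 1-byte
# sequence id, then the payload; payload byte 0x03 marks COM_QUERY and the
# rest of the payload is the SQL text.  Other commands are ignored here.
COM_QUERY = 0x03

def build_com_query(sql: str) -> bytes:
    """Construct a sample client packet (test input, not captured traffic)."""
    payload = bytes([COM_QUERY]) + sql.encode("utf-8")
    return len(payload).to_bytes(3, "little") + b"\x00" + payload

def parse_com_query(packet: bytes):
    """Return the SQL text of a COM_QUERY packet, or None for other commands."""
    if len(packet) < 5:
        raise ValueError("truncated packet header")
    length = int.from_bytes(packet[:3], "little")
    payload = packet[4:4 + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    if payload[0] != COM_QUERY:
        return None
    return payload[1:].decode("utf-8", errors="replace")

# ---- Risk identification layer (Aho-Corasick compiled to a full DFA) ----
class AhoCorasick:
    """Multi-pattern matcher: every rule is checked in one pass over the SQL."""

    def __init__(self, rules):
        # rules: iterable of (rule_name, pattern, risk_level); matching is
        # case-insensitive, so patterns are stored lower-cased.
        self.goto, self.out, self.fail = [{}], [[]], [0]
        for name, pattern, level in rules:
            state = 0
            for ch in pattern.lower():
                if ch not in self.goto[state]:
                    self.goto.append({}); self.out.append([]); self.fail.append(0)
                    self.goto[state][ch] = len(self.goto) - 1
                state = self.goto[state][ch]
            self.out[state].append((name, level, len(pattern)))
        self._compile()

    def _compile(self):
        # Breadth-first pass: compute failure links and a complete transition
        # table delta[state][char], so search() never has to follow links.
        alphabet = {c for trans in self.goto for c in trans}
        self.delta = [{} for _ in self.goto]
        queue = deque()
        for c in alphabet:
            s = self.goto[0].get(c, 0)
            self.delta[0][c] = s
            if s:
                queue.append(s)
        while queue:
            r = queue.popleft()
            for c in alphabet:
                s = self.goto[r].get(c)
                if s is None:
                    self.delta[r][c] = self.delta[self.fail[r]][c]
                else:
                    self.delta[r][c] = s
                    self.fail[s] = self.delta[self.fail[r]][c]
                    self.out[s] = self.out[s] + self.out[self.fail[s]]
                    queue.append(s)

    def search(self, text):
        """Return (rule_name, risk_level, start_offset) for every match."""
        state, hits = 0, []
        for i, ch in enumerate(text.lower()):
            state = self.delta[state].get(ch, 0)  # chars outside the alphabet reset to root
            for name, level, plen in self.out[state]:
                hits.append((name, level, i - plen + 1))
        return hits

# Constructed rule set (hypothetical names and levels); a deployment carries many more.
RULES = [
    ("drop-statement", "drop table", "high"),
    ("privilege-change", "grant all", "high"),
    ("sensitive-table", "credit_card", "medium"),
    ("inline-comment", "--", "low"),
]
LEVELS = {"low": 1, "medium": 2, "high": 3}
MATCHER = AhoCorasick(RULES)

# ---- Data storage layer: standardized audit / alarm records ----
def audit_packet(packet, client, server, matcher=MATCHER):
    """Turn one client packet into a standardized audit or alarm record."""
    sql = parse_com_query(packet)
    if sql is None:
        return None
    record = {"src": client, "dst": server, "protocol": "mysql", "sql": sql}
    hits = matcher.search(sql)
    if not hits:
        record["type"] = "audit"
    else:
        record["type"] = "alarm"
        record["rules"] = sorted({name for name, _, _ in hits})
        record["risk_level"] = max((lvl for _, lvl, _ in hits), key=LEVELS.get)
    return record

if __name__ == "__main__":
    for sql in ("SELECT id, name FROM customers WHERE id = 7",
                "DROP TABLE credit_card; -- cleanup"):
        rec = audit_packet(build_com_query(sql), "10.0.0.5:51234", "10.0.0.10:3306")
        print(json.dumps(rec))  # one JSON line per record, ready for disk or Syslog/Kafka export
```

Because the automaton is compiled to a complete transition table, each SQL statement is scanned exactly once regardless of how many rules are loaded; adding rules grows the table at build time, not the per-statement cost, which is the property the risk identification layer relies on.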