CN101539880A - Window Vista-oriented computer peripheral equipment safety monitoring method - Google Patents

Window Vista-oriented computer peripheral equipment safety monitoring method Download PDF

Info

Publication number
CN101539880A
Authority
CN
China
Prior art keywords
equipment
irp
request
external unit
monitoring
Prior art date
Legal status
Pending
Application number
CN200910022088A
Other languages
Chinese (zh)
Inventor
蔡皖东
邹敬轩
赵秋实
Current Assignee
Northwestern Polytechnical University
Original Assignee
Northwestern Polytechnical University
Priority date
Filing date
Publication date
Application filed by Northwestern Polytechnical University
Priority to CN200910022088A
Publication of CN101539880A
Legal status: Pending

Abstract

The invention discloses a Windows Vista-oriented method for security monitoring of computer peripheral devices. A filter device object (Fido) is created according to the WDF driver model and embedded between the target device object (Fdo) and the lower device object; the peripheral devices that need no monitoring and those that need monitoring are determined, and a device permission flag is set for each monitored peripheral according to the security policy; after the target device object Fdo receives an IRP generated by a peripheral device, it hands the IRP to the corresponding filter device object Fido for filter processing and security inspection. The method does not need to call internal system functions, so it has better system compatibility, less impact on system performance, high execution efficiency, and reliable and stable operation.

Description

Windows Vista-oriented method for security monitoring of computer peripherals
Technical field
The invention belongs to the field of information security, in particular to a method for security monitoring of the usage behaviour of computer peripherals.
Background technology
In an ordinary computer system, a user's use of peripheral devices such as USB disks, portable hard drives, optical discs and printers is unrestricted, and the security policy is discretionary. In a computer system that must handle classified information, such a discretionary security policy easily leads to leakage of classified information, with serious consequences. Therefore, classified computer systems generally adopt a distributed peripheral monitoring and management method to strengthen security. First, the system console defines the global security policy (allow or forbid) for the use of peripherals on each classified computer and distributes it to the corresponding computers. Each classified computer runs a monitoring agent program that monitors the user's peripheral usage in real time against the global security policy, blocks user actions that violate the policy in real time, sends an alarm message to the system console, and records the violation in a log file for later query and audit. In this way the discretionary security policy of the computer system is upgraded to a mandatory one, greatly improving the information security assurance of the classified computer system.
The core of this technology is the peripheral security monitoring model and method adopted in the monitoring agent program. Because the monitoring agent runs on the computer's operating system and must use the internal system functions and device driver interfaces provided by the operating system to implement the peripheral security monitoring function, its implementation is closely tied to the type and version of the operating system.
The prior art mainly adopts a driver injection method. Its principle is to use internal system functions to replace and modify the entry address of the device driver, so that the pointer that originally pointed to the device driver points instead to a custom device monitoring driver. During system operation, the I/O request packet (IRP) issued when a device is used is then first intercepted by the device monitoring driver, which performs a security check on the IRP: if the IRP complies with the security rules, it is passed on to the original driver for processing instead of being handled by the original driver directly; if it does not comply, an error is returned directly and the IRP is no longer passed to the original driver. Monitoring of device usage behaviour is thereby achieved. This method requires upper-layer applications to cooperate with the low-level device driver interface, and those upper-layer applications are mainly implemented with the internal system functions provided by operating systems such as Windows XP, Windows 2000 and Windows NT.
In the new Windows Vista operating system, the system architecture and internal structure differ considerably from earlier versions of Windows, so the driver injection approach cannot be used on Windows Vista. A new peripheral security monitoring method must therefore be proposed according to the characteristics and internal structure of Windows Vista.
Summary of the invention
To overcome the shortcoming that the prior art is incompatible with Windows Vista and cannot implement security monitoring there, the invention provides a peripheral security monitoring method suitable for use on Windows Vista, achieving effective monitoring of peripheral usage behaviour on that operating system.
The invention is built on the WDF (Windows Driver Foundation) driver model and adopts a filter driver approach to achieve effective monitoring of peripherals on Windows Vista; the monitored peripherals include removable storage devices such as USB disks and portable hard drives, optical drives and similar devices, and serial devices. The technical solution adopted by the invention comprises the following steps:
(1) In the WDF driver model, a device IRP is first received by the target device object Fdo and, after processing, is submitted to the lower device object for execution. The invention first creates a filter device object Fido according to the WDF driver model and embeds it between the target device object Fdo and the lower device object, so that device IRPs are subjected to a security check.
(2) Determine which peripherals need no monitoring (such as the keyboard and mouse) and which need monitoring, and set a device permission flag for each monitored peripheral according to the security policy: if use of the device is allowed, its permission flag is read-write; if the device is forbidden, its permission flag is not read-write.
(3) When the user uses a peripheral of the computer, a corresponding IRP is generated. After the target device object Fdo receives this IRP, it does not pass it directly to the lower device object but first hands it to the corresponding filter device object Fido for filter processing and security inspection.
The filter processing comprises the following steps:
1) Receive the IRP request generated by the device.
2) Judge from the IRP's major function code and minor function code whether it is an IRP request that needs interception. If not, the device is not a monitored device, and the IRP request is passed directly to the other dispatch routines for normal processing.
3) If the IRP request needs interception, the device is a monitored device; check the device permission flag to determine whether the device has operating permission.
4) If the device has operating permission (use is allowed), the security policy permits read and write operations on the device; pass the IRP request directly to the lower device object so that the device's read/write operation completes normally.
5) If the device has no operating permission (forbidden), the security policy forbids the device; hand the IRP request to the I/O completion routine provided by the system for completion processing.
6) The I/O completion routine first takes control of the IRP request, then sets the IRP's return status to a completed status and proceeds directly to completion processing.
If the above steps judge that the device usage complies with the security rules, Fido hands the IRP to the lower device object for processing; if it does not comply, Fido filters the IRP out directly and no longer passes it to the lower device object. Monitoring of peripheral usage behaviour is thus implemented at the device driver layer.
For different types of devices, such as USB disks and portable hard drives, optical drives and similar devices, and serial devices, a filter device object Fido must be created and embedded between the target device object Fdo and the lower device object at the different positions prescribed by the WDF model, so that usage of the corresponding device is monitored.
The beneficial effects of the invention are as follows: the invention achieves security monitoring through filter driving by embedding the corresponding filter device object Fido at the device driver layer, rather than by replacing and modifying the entry address of the device driver, and it does not need to call internal system functions, so it has better system compatibility. The invention is implemented mainly at the device driver layer and involves no upper-layer application calls, so its impact on system performance is small, its execution efficiency is high, and its operation is reliable and stable.
The device monitoring agent developed on the basis of the invention has undergone repeated functional, performance and reliability tests on Windows Vista. The test results show that the method achieves the following:
(1) The device monitoring agent runs reliably and stably on Windows Vista, monitors peripheral usage according to the security rules, and blocks usage requests for forbidden peripherals in real time while issuing a violation alarm.
(2) The device monitoring agent automatically identifies, checks and controls peripherals such as removable storage devices, optical drives and similar devices, and serial devices.
(3) The device monitoring agent has little impact on system performance, executes efficiently, and works reliably and stably.
The invention effectively solves the problem of peripheral security monitoring on Windows Vista. A monitoring agent developed on the basis of the invention runs reliably on Windows Vista, correctly identifies newly attached peripherals, blocks forbidden peripheral usage requests in real time according to the security policy, and at the same time records detailed log information on violations, so that the controllability and security of peripherals on Windows Vista are effectively guaranteed. Tests show that the system works reliably and stably with good performance, achieving the intended goals and good results.
The invention is further described below with reference to the drawings and embodiments.
Description of drawings
Fig. 1 is a schematic diagram of the working principle of the invention.
Fig. 2 is a flow chart of the filter driving method of the invention.
Embodiment
The invention can be implemented as follows:
(1) In the WDF driver model, a device IRP is first received by the target device object Fdo and, after processing, is submitted to the lower device object for execution. Following the WDF driver model, the invention first uses a high-level programming language such as VC or C++ to develop filter device objects Fido for devices such as USB disks, portable hard drives, optical drives and similar devices, and serial devices, and embeds them between the target device object Fdo and the lower device object so that device IRPs are subjected to a security check.
(2) Determine which peripherals need no monitoring (such as the keyboard and mouse) and which need monitoring, and set a device permission flag for each monitored peripheral according to the security policy: if use of the device is allowed, its permission flag is read-write; if the device is forbidden, its permission flag is not read-write.
(3) When the user uses a peripheral of the computer, a corresponding IRP is generated. After the target device object Fdo receives this IRP, it does not pass it directly to the lower device object but first hands it to the corresponding filter device object Fido for filter processing and security inspection.
The filter processing comprises the following steps:
1) Receive the IRP request generated by the device.
2) Judge from the IRP's major function code and minor function code whether it is an IRP request that needs interception. If not, the device is not a monitored device, and the IRP request is passed directly to the other dispatch routines for normal processing.
3) If the IRP request needs interception, the device is a monitored device; check the device permission flag to determine whether the device has operating permission.
4) If the device has operating permission (use is allowed), the security policy permits read and write operations on the device; pass the IRP request directly to the lower device object so that the device's read/write operation completes normally.
5) If the device has no operating permission (forbidden), the security policy forbids the device; hand the IRP request to the I/O completion routine provided by the system for completion processing.
6) The I/O completion routine first takes control of the IRP request, then sets the IRP's return status to a completed status and proceeds directly to completion processing.
Filter driving is the core function of the monitoring agent. In addition, the monitoring agent should provide auxiliary functions such as log recording and upload, security policy download and update, violation alarms, and communication with the console; these can be developed in high-level programming languages such as VC or C++ to make the agent's functionality more complete.
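The filter decision in steps 1) to 6) above (in both the summary and the embodiment), written out as an added user-mode C model that is not code from the patent or its agent: the IRP layout, the device policy table and the use of STATUS_ACCESS_DENIED as the completion status are this example's assumptions, and the real driver would use WDF request objects and pass-down or complete calls instead of these stand-ins.

```c
/* Added example, not the patent's code: a user-mode model of the Fido filter
 * decision in steps 1-6 that compiles without the WDK. The IRP struct, the
 * policy table and the fail-closed default are constructed for illustration. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* IRP major function codes (values as in the Windows headers) */
#define IRP_MJ_READ   0x03
#define IRP_MJ_WRITE  0x04
#define IRP_MJ_PNP    0x1B

/* NTSTATUS values (as in the Windows headers). Completing a forbidden request
 * with STATUS_ACCESS_DENIED is this example's assumption; the patent only says
 * the return status is "set to a completed status". */
#define STATUS_SUCCESS        0x00000000u
#define STATUS_ACCESS_DENIED  0xC0000022u

typedef enum { DEV_KEYBOARD, DEV_MOUSE, DEV_USB_DISK, DEV_CDROM, DEV_SERIAL } DeviceKind;

/* Step (2): which devices are monitored and their permission flag
 * (read_write == true means the security policy allows the device). */
typedef struct { DeviceKind kind; bool monitored; bool read_write; } DevicePolicy;

static const DevicePolicy g_policy[] = {   /* constructed sample policy */
    { DEV_KEYBOARD, false, true  },
    { DEV_MOUSE,    false, true  },
    { DEV_USB_DISK, true,  false },        /* USB disks forbidden      */
    { DEV_CDROM,    true,  true  },        /* optical drive allowed    */
    { DEV_SERIAL,   true,  false },        /* serial port forbidden    */
};

/* Stand-in for the IRP fields the filter looks at */
typedef struct {
    DeviceKind device;
    uint8_t    major_function;
    uint8_t    minor_function;
    uint32_t   status;      /* IoStatus.Status, set when the IRP is completed */
    bool       completed;
} Irp;

typedef enum {
    ACTION_NORMAL_DISPATCH,   /* step 2: not intercepted, other dispatch routines */
    ACTION_PASS_DOWN,         /* step 4: handed to the lower device object       */
    ACTION_COMPLETED_DENIED   /* steps 5-6: finished by the I/O completion routine */
} FilterAction;

/* Step 2: only read/write IRPs (any minor code) are subject to interception. */
static bool needs_interception(const Irp *irp)
{
    return irp->major_function == IRP_MJ_READ || irp->major_function == IRP_MJ_WRITE;
}

static const DevicePolicy *lookup_policy(DeviceKind kind)
{
    for (size_t i = 0; i < sizeof g_policy / sizeof g_policy[0]; i++)
        if (g_policy[i].kind == kind) return &g_policy[i];
    return NULL;
}

/* Step 6: the completion routine takes the IRP, sets its status and finishes it. */
static void io_completion_routine(Irp *irp, uint32_t status)
{
    irp->status = status;
    irp->completed = true;
}

/* Steps 1-6: called by Fido for every IRP the Fdo hands it. */
FilterAction fido_dispatch(Irp *irp)
{
    if (!needs_interception(irp))
        return ACTION_NORMAL_DISPATCH;                    /* step 2 */
    const DevicePolicy *p = lookup_policy(irp->device);   /* step 3 */
    if (p != NULL && !p->monitored)
        return ACTION_NORMAL_DISPATCH;   /* no Fido is attached to unmonitored devices */
    if (p != NULL && p->read_write)
        return ACTION_PASS_DOWN;                          /* step 4 */
    /* forbidden, or absent from the policy (fail closed, this example's choice) */
    io_completion_routine(irp, STATUS_ACCESS_DENIED);     /* steps 5-6 */
    return ACTION_COMPLETED_DENIED;
}

int main(void)
{
    Irp irps[] = {   /* constructed sample requests */
        { DEV_USB_DISK, IRP_MJ_WRITE, 0, STATUS_SUCCESS, false },
        { DEV_CDROM,    IRP_MJ_READ,  0, STATUS_SUCCESS, false },
        { DEV_KEYBOARD, IRP_MJ_PNP,   0, STATUS_SUCCESS, false },
    };
    for (size_t i = 0; i < sizeof irps / sizeof irps[0]; i++) {
        FilterAction a = fido_dispatch(&irps[i]);
        printf("device %d major 0x%02x -> action %d, status 0x%08x\n",
               (int)irps[i].device, irps[i].major_function, (int)a, (unsigned)irps[i].status);
    }
    return 0;
}
```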

Claims (2)

1. A Windows Vista-oriented method for security monitoring of computer peripherals, characterised in that it comprises the steps of:
(1) creating a filter device object Fido according to the WDF driver model and embedding it between the target device object Fdo and the lower device object;
(2) determining which peripherals need no monitoring and which need monitoring, and setting a device permission flag for each monitored peripheral according to the security policy: if use of the device is allowed, its permission flag is read-write; if the device is forbidden, its permission flag is not read-write;
(3) after the target device object Fdo receives an IRP generated by a peripheral, handing it to the corresponding filter device object Fido for filter processing and security inspection;
wherein the filter processing comprises the following steps:
1) receiving the IRP request generated by the device;
2) judging from the IRP's major function code and minor function code whether it is an IRP request that needs interception; if not, passing the IRP request directly to the other dispatch routines for normal processing;
3) if the IRP request needs interception, checking the device permission flag to determine whether the device has operating permission;
4) if the device has operating permission (use is allowed), passing the IRP request directly to the lower device object so that the device's read/write operation completes normally;
5) if the device has no operating permission (forbidden), handing the IRP request to the I/O completion routine provided by the system for completion processing;
6) the I/O completion routine first taking control of the IRP request, then setting the IRP's return status to a completed status and proceeding directly to completion processing.
2. The Windows Vista-oriented method for security monitoring of computer peripherals according to claim 1, characterised in that the filter device object Fido is embedded between the target device object Fdo and the lower device object at different positions prescribed by the WDF model according to the type of peripheral, so that usage of the corresponding device is monitored.
CN200910022088A 2009-04-20 2009-04-20 Window Vista-oriented computer peripheral equipment safety monitoring method Pending CN101539880A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN200910022088A CN101539880A (en) 2009-04-20 2009-04-20 Window Vista-oriented computer peripheral equipment safety monitoring method


Publications (1)

Publication Number Publication Date
CN101539880A (en) 2009-09-23

Family

ID=41123079

Family Applications (1)

Application Number Title Priority Date Filing Date
CN200910022088A Pending CN101539880A (en) 2009-04-20 2009-04-20 Window Vista-oriented computer peripheral equipment safety monitoring method

Country Status (1)

Country Link
CN (1) CN101539880A (en)


Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2007265300A (en) * 2006-03-29 2007-10-11 Brother Ind Ltd Communication system and peripheral equipment to be used for the same
US20080115208A1 (en) * 2006-10-25 2008-05-15 Arachnoid Biometrics Identification Group Corp. Multi-Factor Authentication System and a Logon Method of a Windows Operating System
CN101373452A (en) * 2007-08-24 2009-02-25 英业达股份有限公司 Method for testing hard disk read-write operations


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
王玥, 蔡皖东, 张赟: "Distributed USB device monitoring system based on driver injection", 计算机工程 (Computer Engineering) *

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104821943A (en) * 2015-04-27 2015-08-05 西北工业大学 Method for enhancing security of access of Linux hosts to network system
CN105657468A (en) * 2015-12-30 2016-06-08 深圳数字电视国家工程实验室股份有限公司 FIDO remote controller, television payment system and television payment method
CN106169047A (en) * 2016-07-11 2016-11-30 北京金山安全软件有限公司 Method and device for opening monitoring camera and electronic equipment
CN108959876A (en) * 2017-05-24 2018-12-07 佳能株式会社 Image processing apparatus, system and method related with image processing apparatus
CN108985027A (en) * 2017-05-31 2018-12-11 佳能株式会社 Image processing apparatus, method, system and storage medium
CN108985027B (en) * 2017-05-31 2022-07-12 佳能株式会社 Image processing apparatus, method, system, and storage medium
TWI672613B (en) * 2018-04-17 2019-09-21 宏碁股份有限公司 User behavior recording method and electronic apparatus using the same


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Open date: 20090923