CN105912945A - Safety reinforcing device and operation method of operating system - Google Patents
Safety reinforcing device and operation method of operating system Download PDFInfo
- Publication number
- CN105912945A CN105912945A CN201610204386.7A CN201610204386A CN105912945A CN 105912945 A CN105912945 A CN 105912945A CN 201610204386 A CN201610204386 A CN 201610204386A CN 105912945 A CN105912945 A CN 105912945A
- Authority
- CN
- China
- Prior art keywords
- file
- configuration file
- protection
- module
- user
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2141—Access rights, e.g. capability lists, access control lists, access tables, access matrices
Abstract
The invention provides a safety reinforcing device and an operation method of an operating system. A device comprises a file access rule chain list used for storing an access rule between internally-configured files of a server operating system and a user, a file protection module, and a detection module. The file protection module is used for intercepting a business request of a target configuration file for a target user and sending a detection instruction to a detection module when the target user and the access rule of a target file are allowed access, forwarding the business request to a processing device when indication information is received such that the processing device is used for processing corresponding business of the target configuration file. The detection module is used for storing first characteristic value corresponding to each configuration file, calculating second characteristic value of the target configuration file and sending indication information to the file sending module when the first characteristic value and the second characteristic value of the target configuration file are the same. The indication information is described in that integrity of files representing object configuration files is not damaged. The technical scheme of the safety reinforcing device and the operation method of the operating system can help improve safety of a server.
Description
Technical field
The present invention relates to field of computer technology, particularly to a kind of operating system security bracing means and fortune
Row method.
Background technology
Along with the development of information technology, complete the peace that data process the server of business and operational data storage
Full property is the most increasingly important.
At present, in order to prevent invader from invading server to steal or to destroy the business datum in server,
Generally utilize server one shielded network of establishment, with the form of fire wall in server operation
Corresponding security hardening software is installed in system, only anti-through authorizing the application protocol allowed to pass through
Wall with flues, can forbid that NFS (Network File System, NFS) agreement turnover such as is protected
In the network protected and refusal IP (Internet Protocol, the agreement of interconnection between network) option
Source routing is attacked and ICMP (Internet Control Message Protocol, Internet Control Message Protocol) weight
The message of the various attacks types such as orientation path attack, can notify firewall management time under attack in time
Member.
But, in technique scheme, owing to the user of server OS possesses higher management
Authority, once invader steals user account number and password, i.e. can obtain server operation with user identity
The use right of configuration file in system, by the configuration literary composition of malicious modification or deletion server OS
The technological means such as part threaten server security.
Summary of the invention
Embodiments provide a kind of operating system security bracing means and operation method, clothes can be improved
Business device safety.
First aspect, the invention provides a kind of operating system security bracing means, including:
File access regulation linked, be used for storing in server OS at least one configuration file with extremely
Access rule the most corresponding between a few user;
File protection module, for intercepting and capturing targeted customer's service request for target configuration file, inquiry
Described file access regulation linked, when described targeted customer corresponding in described file access regulation linked and institute
When stating the access rule of file destination for allowing to access, send corresponding target configuration file to detection module
Detection instruction;After receiving the instruction information that detection module sends, the service request of intercepting and capturing is transmitted to
External process devices so that external process devices carries out phase according to described service request to target configuration file
The Business Processing answered;
Detection module, for storing the First Eigenvalue that each described configuration file is the most corresponding;Connecing
After receiving the detection instruction of corresponding target configuration file, calculate the Second Eigenvalue of target configuration file, when
When the First Eigenvalue of target configuration file is identical with Second Eigenvalue, to described file protection module
Send and characterize the instruction information that target configuration file integrity is not affected by destroying.
Further,
Business Processing corresponding to described service request includes: delete target configuration file or amendment target configuration
File;
And/or,
Described eigenvalue, including: cryptographic Hash.
Further, also include: application rule chained list and application program protection module;
Described application rule chained list, for storing the executing rule of at least one application program;
Described application program protection module, for intercepting and capturing the request that performs for destination application, inquiry
Described application rule chained list, when described destination application corresponding in described application rule chained list
Executing rule for allow perform time, to detection module send corresponding described destination application detection refer to
Order;After receiving the executable instruction that detection module sends, ask to be transmitted to outside by the execution of intercepting and capturing
Processing means so that external process devices completes corresponding Business Processing according to described execution request;
Described detection module, is further used for storing the 3rd spy that each described application program is the most corresponding
Value indicative;After the detection receiving corresponding described destination application instructs, calculate described intended application journey
The fourth feature value of sequence, when the third feature value of described destination application is identical with fourth feature value
Time, to described application program protection module send characterize destination application integrity be not affected by destroy can
Perform instruction.
Further, also include: authorization module and customer protection module;
Described authorization module, at least one user's authorization user information, wherein, described user believes
Breath includes user's name, cryptographic parameter and general-purpose serial bus USB parameters for authentication;And, authorize each
One or more in the following protection option that individual user is the most corresponding:
Add User information, deletion user profile and amendment user profile;
Described customer protection module, for intercepting and capturing the logging request of corresponding targeted customer, detects described login
Whether the user profile carried of request is the user profile of described authorization module mandate, if it is, by institute
State logging request and be transmitted to external process devices, so that external process devices allows described targeted customer to step on
Record;Intercept and capture the operational order for targeted customer, detect at least one protection that described targeted customer is corresponding
Whether option exists the protection option of corresponding described operational order, if it does not exist, then the behaviour that will intercept and capture
It is transmitted to external process devices so that external process devices completes according to described operational order accordingly as instruction
Business Processing.
Further, also include: process protection chained list and process protection module;
Described process protection chained list, for storing the identification information that at least one business process is the most corresponding;
Described process protection module, performs instruction for intercepting and capturing the termination for target service process, inquiry
Described process protection chained list, when the mark that there is corresponding described target service process in described process protection chained list
During knowledge information, described termination is performed instruction and is transmitted to external process devices, so that external process devices
Terminate described target service process.
Second aspect, the invention provides a kind of operating system security as described in arbitrary in above-mentioned first aspect
The operation method of bracing means, including:
S0: pre-set file access regulation linked, utilizes file access regulation linked to store at least one
Access rule the most corresponding between configuration file with at least one user;
S1: utilize detection module to store the First Eigenvalue that each described configuration file is the most corresponding;
S2: utilize file protection module intercepting and capturing targeted customer for the service request of target configuration file, look into
Ask described file access regulation linked, as described targeted customer corresponding in described file access regulation linked and
When the access rule of described file destination is for allowing to access, send corresponding target configuration file to detection module
Detection instruction;
S3: utilize detection module after the detection instruction receiving corresponding target configuration file, calculate target
The Second Eigenvalue of configuration file, when the First Eigenvalue and the complete phase of Second Eigenvalue of target configuration file
Meanwhile, send, to described file protection module, the instruction that sign target configuration file integrity is not affected by destroying
Information;
S4: utilize file protection module receive detection module send instruction information after, by intercept and capture
Service request is transmitted to external process devices so that external process devices according to described service request to target
Configuration file carries out corresponding Business Processing.
Further,
Business Processing corresponding to described service request includes: delete target configuration file or amendment target configuration
File;
And/or,
Described eigenvalue, including: cryptographic Hash.
Further, also include:
Pre-set application rule chained list, utilize at least one application of application rule storage of linked list
The executing rule of program;And, utilize detection module to store each described application program correspondence respectively
Third feature value;
Utilizing application program protection module to intercept and capture the request that performs for destination application, inquiry is described should
Use rules of order chained list, when the execution of described destination application corresponding in described application rule chained list
When rule is for allowing to perform, send the detection instruction of corresponding described destination application to detection module;
Utilize detection module after the detection receiving corresponding described destination application instructs, calculate described
The fourth feature value of destination application, when third feature value and the fourth feature of described destination application
When being worth identical, send sign destination application integrity to described application program protection module and be not subject to
To the executable instruction destroyed;
Utilize application program protection module after receiving the executable instruction that detection module sends, will intercept and capture
Execution request be transmitted to external process devices so that external process devices completes according to described execution request
Corresponding Business Processing.
Further, also include:
Utilizing authorization module at least one user's authorization user information, wherein, described user profile includes
User's name, cryptographic parameter and general-purpose serial bus USB parameters for authentication;And, authorize each user
One or more in the most corresponding following protection option:
Add User information, deletion user profile and amendment user profile;
Utilize customer protection module to intercept and capture the logging request of corresponding targeted customer, detect described logging request and take
Whether the user profile of band is the user profile of described authorization module mandate, if it is, by described login
Request is transmitted to external process devices, so that external process devices allows described targeted customer to log in;Cut
Obtain the operational order for targeted customer, detect at least one protection option that described targeted customer is corresponding
Whether there is the protection option of corresponding described operational order, if it does not exist, then the operational order that will intercept and capture
It is transmitted to external process devices so that external process devices completes corresponding business according to described operational order
Process.
Further, also include:
Pre-set process protective chain table, utilize at least one business process of process protection storage of linked list respectively
Corresponding identification information;
Utilize process protection module to intercept and capture the termination for target service process and perform instruction, enter described in inquiry
Journey protection chained list, when the identification information that there is corresponding described target service process in described process protection chained list
Time, described termination is performed instruction and is transmitted to external process devices, so that external process devices terminates institute
State target service process.
Embodiments provide a kind of operating system security bracing means and operation method, utilize file
Access regulation linked storage server OS interior between at least one configuration file and at least one user
The most corresponding access rule, and utilize file protection module to intercept and capture targeted customer for target configuration literary composition
The service request of part, it is achieved the accessed authority of configuration file is defined;And, determining target
On the premise of user possesses access target configuration file, in addition it is also necessary to guarantee the integrity of target configuration file not
Destroyed, the service request of intercepting and capturing could be transmitted to processing means, so that processing means is according to industry
Business request carries out corresponding Business Processing to target configuration file;Visible, by technical scheme,
Invader can be avoided with the configuration file of the identity malicious access server OS of targeted customer and evil
Meaning accesses the configuration file distorted, and improves the safety of server.
Accompanying drawing explanation
In order to be illustrated more clearly that the embodiment of the present invention or technical scheme of the prior art, below will be to reality
Execute the required accompanying drawing used in example or description of the prior art to be briefly described, it should be apparent that below,
Accompanying drawing in description is some embodiments of the present invention, for those of ordinary skill in the art, not
On the premise of paying creative work, it is also possible to obtain other accompanying drawing according to these accompanying drawings.
Fig. 1 is the structure chart of a kind of operating system security bracing means that one embodiment of the invention provides;
Fig. 2 is the structure chart of the another kind of operating system security bracing means that one embodiment of the invention provides;
Fig. 3 is the operation method stream of a kind of operating system security bracing means that one embodiment of the invention provides
Cheng Tu.
Detailed description of the invention
For making the purpose of the embodiment of the present invention, technical scheme and advantage clearer, below in conjunction with this
Accompanying drawing in bright embodiment, is clearly and completely described the technical scheme in the embodiment of the present invention,
Obviously, described embodiment is a part of embodiment of the present invention rather than whole embodiments, based on
Embodiment in the present invention, those of ordinary skill in the art are institute on the premise of not making creative work
The every other embodiment obtained, broadly falls into the scope of protection of the invention.
As it is shown in figure 1, embodiments provide a kind of operating system security bracing means, including:
File access regulation linked 101, is used for storing at least one configuration file in server OS
The access rule the most corresponding with between at least one user;
File protection module 102, for intercepting and capturing targeted customer's service request for target configuration file,
Inquire about described file access regulation linked 101, when corresponding described in described file access regulation linked 101
When the access rule of targeted customer and described file destination is for allowing to access, it is right to send to detection module 103
The detection answering target configuration file instructs;After receiving the instruction information that detection module 103 sends, will
The service request intercepted and captured is transmitted to external process devices so that external process devices is according to described service request
Target configuration file is carried out corresponding Business Processing;
Detection module 103, for storing the First Eigenvalue that each described configuration file is the most corresponding;
After the detection instruction receiving corresponding target configuration file, calculate the Second Eigenvalue of target configuration file,
When the First Eigenvalue of target configuration file is identical with Second Eigenvalue, protect mould to described file
Block 102 sends and characterizes the instruction information that target configuration file integrity is not affected by destroying.
In one embodiment of the invention, utilize file access regulation linked storage server OS at least
Access rule the most corresponding between one configuration file and at least one user, and utilize file to protect
Module intercepts and captures targeted customer's service request for target configuration file, it is achieved be accessed configuration file
Authority is defined;And, on the premise of determining that targeted customer possesses access target configuration file, also
It is necessary to ensure that the integrity of target configuration file is not affected by destroying, the service request of intercepting and capturing could be transmitted to
Processing means, so that target configuration file is carried out at corresponding business by processing means according to service request
Reason;Visible, by technical scheme, invader can be avoided to visit with the identity malice of targeted customer
Ask the configuration file that the configuration file of server OS and malicious access have been distorted, improve clothes
The safety of business device.
Specifically, in a preferred embodiment of the invention, Business Processing corresponding to described service request includes:
Delete target configuration file or amendment target configuration file;
And/or,
Described eigenvalue, including: cryptographic Hash.
In one embodiment of the invention, can grasp by rebuilding server at the inner nuclear layer of server OS
Make the authority Access Model of system, i.e. increase the operation described in the embodiment of the present invention at operating system nucleus layer
Security of system bracing means, during operating system initialization, dynamic to file access regulation linked
The access rule added or delete between each configuration file and at least one user, specifically, accesses
Rule includes at least one user that each configuration file is the most corresponding, and each configuration file is
No at least one user allowing correspondence accesses;So, it is achieved to server OS configuration file
Accessed authority is defined, and guarantees that being accessed for configuration integrity is not affected by destroying, and prevents invasion simultaneously
In person's malice calls configuration file and malice invoking server, integrity occurs the configuration file destroyed with prestige
Side of body server security.
Further, in order to prevent invader by complete in loading malicious application and load server
The application program that property has been destroyed, to steal or to destroy the business datum in server, as in figure 2 it is shown,
In a preferred embodiment of the invention, also include: application rule chained list 201 and application program protection
Module 202;
Described application rule chained list 201, for storing the executing rule of at least one application program;
Described application program protection module 202, performs request for intercepting and capturing for destination application,
Inquire about described application rule chained list 201, when corresponding described in described application rule chained list 201
When the executing rule of destination application is for allowing to perform, send corresponding described target to detection module 103
The detection instruction of application program;After receiving the executable instruction that detection module 103 sends, will intercept and capture
Execution request be transmitted to external process devices so that external process devices completes according to described execution request
Corresponding Business Processing;
Described detection module 103, is further used for storing that each described application program is the most corresponding the
Three eigenvalues;After the detection receiving corresponding described destination application instructs, calculating described target should
By the fourth feature value of program, when third feature value and the fourth feature value of described destination application are complete
Time identical, send sign destination application integrity to described application program protection module 202 and be not affected by
The executable instruction destroyed.
Further, in order to improve the safety of user account number, as in figure 2 it is shown, the present invention one is preferred
In embodiment, also include: authorization module 203 and customer protection module 204;
Described authorization module 203, at least one user's authorization user information, wherein, described use
Family information includes user's name, cryptographic parameter and USB, and (Universal Serial Bus, general serial is total
Line) parameters for authentication;And, authorize the one in the respectively corresponding following protection option of each user or
Multiple:
Add User information, deletion user profile and amendment user profile;
Described customer protection module 204, for intercepting and capturing the logging request of corresponding targeted customer, detection is described
Whether the user profile that logging request is carried is the user profile of described authorization module mandate, if it is,
Described logging request is transmitted to external process devices, so that external process devices allows described target to use
Family logs in;Intercept and capture for the operational order of targeted customer, detect corresponding at least one of described targeted customer
Whether protection option exists the protection option of corresponding described operational order, if it does not exist, then will intercept and capture
Operational order be transmitted to external process devices so that external process devices completes according to described operational order
Corresponding Business Processing.
In one embodiment of the invention, add additional parameter (such as, USB certification ginseng by arranging cryptographic parameter
Number) or the form of double code parameter, login user is carried out multiple authentication, prevents invader from stealing
Direct login service device operating system after user cipher;Moreover, it is also possible to different user is arranged difference
Protection option, prevent user profile by malicious modification.
Further, in order to prevent the business process being currently running from maliciously being terminated, as in figure 2 it is shown, this
Invent in a preferred embodiment, also include: process protection chained list 206 and process protection module 205;
Described process protection chained list 206, for storing the mark letter that at least one business process is the most corresponding
Breath;
Described process protection module 205, performs instruction for intercepting and capturing the termination for target service process,
Inquire about described process protection chained list 206, when described process protection chained list 206 exists corresponding described target
During the identification information of business process, terminate performing instruction be transmitted to external process devices by described, so that
External process devices terminates described target service process.
In one embodiment of the invention, the identification information of business process can include the process of current business process
Number.
It should be noted that relevant technical staff in the field it should be appreciated that customer protection module for
The time of user login services device operating system is monitored and manages, and process protection module, file are anti-
Protect module and application program protection module is required to guaranteeing that targeted customer has logged in current server operation and has been
On the premise of system, just can carry out corresponding business, therefore, in one embodiment of the invention, as in figure 2 it is shown,
Customer protection module should distinguish connection process protection module, file protection module, application program protection module
And authorization module.
As it is shown on figure 3, embodiments provide a kind of operation as described in arbitrary in above-described embodiment
The operation method of security of system bracing means, the method may include steps of:
S0: pre-set file access regulation linked, utilizes file access regulation linked to store at least one
Access rule the most corresponding between configuration file with at least one user;
S1: utilize detection module to store the First Eigenvalue that each described configuration file is the most corresponding;
S2: utilize file protection module intercepting and capturing targeted customer for the service request of target configuration file, look into
Ask described file access regulation linked, as described targeted customer corresponding in described file access regulation linked and
When the access rule of described file destination is for allowing to access, send corresponding target configuration file to detection module
Detection instruction;
S3: utilize detection module after the detection instruction receiving corresponding target configuration file, calculate target
The Second Eigenvalue of configuration file, when the First Eigenvalue and the complete phase of Second Eigenvalue of target configuration file
Meanwhile, send, to described file protection module, the instruction that sign target configuration file integrity is not affected by destroying
Information;
S4: utilize file protection module receive detection module send instruction information after, by intercept and capture
Service request is transmitted to external process devices so that external process devices according to described service request to target
Configuration file carries out corresponding Business Processing.
In one embodiment of the invention, can grasp by rebuilding server at the inner nuclear layer of server OS
Make the authority Access Model of system, i.e. increase the operation described in the embodiment of the present invention at operating system nucleus layer
Security of system bracing means, during operating system initialization, dynamic to file access regulation linked
The access rule added or delete between each configuration file and at least one user, specifically, accesses
Rule includes at least one user that each configuration file is the most corresponding, and each configuration file is
No at least one user allowing correspondence accesses;So, it is achieved to server OS configuration file
Accessed authority is defined, and guarantees that being accessed for configuration integrity is not affected by destroying, and prevents invasion simultaneously
In person's malice calls configuration file and malice invoking server, integrity occurs the configuration file destroyed with prestige
Side of body server security.
Further, in order to prevent invader by loading in malicious application or malice load server
The application program that integrity has been destroyed, and then steal or destroy the business datum in server, this
In a bright preferred embodiment, also include: pre-set application rule chained list, utilize application program
Regulation linked stores the executing rule of at least one application program;And, utilize detection module storage each
The third feature value that individual described application program is the most corresponding;
Utilizing application program protection module to intercept and capture the request that performs for destination application, inquiry is described should
Use rules of order chained list, when the execution of described destination application corresponding in described application rule chained list
When rule is for allowing to perform, send the detection instruction of corresponding described destination application to detection module;
Utilize detection module after the detection receiving corresponding described destination application instructs, calculate described
The fourth feature value of destination application, when third feature value and the fourth feature of described destination application
When being worth identical, send sign destination application integrity to described application program protection module and be not subject to
To the executable instruction destroyed;
Utilize application program protection module after receiving the executable instruction that detection module sends, will intercept and capture
Execution request be transmitted to external process devices so that external process devices completes according to described execution request
Corresponding Business Processing.
Further, in order to improve the safety of user account number, in a preferred embodiment of the invention, also
Including:
Utilizing authorization module at least one user's authorization user information, wherein, described user profile includes
User's name, cryptographic parameter and USB parameters for authentication;And, authorize each user respectively corresponding as
One or more in lower protection option:
Add User information, deletion user profile and amendment user profile;
Utilize customer protection module to intercept and capture the logging request of corresponding targeted customer, detect described logging request and take
Whether the user profile of band is the user profile of described authorization module mandate, if it is, by described login
Request is transmitted to external process devices, so that external process devices allows described targeted customer to log in;Cut
Obtain the operational order for targeted customer, detect at least one protection option that described targeted customer is corresponding
Whether there is the protection option of corresponding described operational order, if it does not exist, then the operational order that will intercept and capture
It is transmitted to external process devices so that external process devices completes corresponding business according to described operational order
Process.
Further, in order to prevent the business process being currently running from maliciously being terminated, the present invention one is preferred
In embodiment, also include:
Pre-set process protective chain table, utilize at least one business process of process protection storage of linked list respectively
Corresponding identification information;
Utilize process protection module to intercept and capture the termination for target service process and perform instruction, enter described in inquiry
Journey protection chained list, when the identification information that there is corresponding described target service process in described process protection chained list
Time, described termination is performed instruction and is transmitted to external process devices, so that external process devices terminates institute
State target service process.
It should be noted that the eigenvalue described in the embodiment of the present invention can include cryptographic Hash, business please
The business operation asking corresponding includes but not limited to delete target configuration file, amendment target configuration file.
Each embodiment of the present invention at least has the advantages that
1, utilize file access regulation linked storage server OS at least one configuration file with extremely
Access rule the most corresponding between a few user, and utilize file protection module to intercept and capture targeted customer
Service request for target configuration file, it is achieved the accessed authority of configuration file is defined;And
And, on the premise of determining that targeted customer possesses access target configuration file, in addition it is also necessary to guarantee that target configures
The integrity of file is not affected by destroying, and the service request of intercepting and capturing could be transmitted to processing means, so that
Processing means carries out corresponding Business Processing according to service request to target configuration file;Visible, by this
The technical scheme of invention, can avoid invader with the identity malicious access server OS of targeted customer
Configuration file and the configuration file distorted of malicious access, improve the safety of server.
2, application rule chained list and application program protection module, the right of execution of defining application are utilized
Limit, prevents invader from loading malicious application in the server, meanwhile, can perform authority to possessing
Application program carries out integrity verification again, prevents invader's malice from performing integrity in server further
The application program destroyed.
3, authorization module and customer protection module, authorized user's multiple-enciphered parameters for authentication or password is utilized to recognize
Card parameter adds the additional parameters such as USB parameters for authentication, the log-on message of user is carried out multiple-authentication, prevents
User is direct login service device operating system after stealing user login code;Accordingly, each is authorized
At least one protection option that user is the most corresponding, it is to avoid user profile is by invader's malicious modification.
4, utilize process protection chained list and process protection module, carry out by force for needing business process to be protected
System accesses and controls, and in process protection chained list, protected business process will not be terminated by invader's malice.
It should be noted that in this article, the relational terms of such as first and second etc be used merely to by
One entity or operation separate with another entity or operating space, and not necessarily require or imply this
Relation or the order of any this reality is there is between a little entities or operation.And, term " includes ",
" comprise " or its any other variant is intended to comprising of nonexcludability, so that include that one is
The process of row key element, method, article or equipment not only include those key elements, but also include the brightest
Other key elements really listed, or also include intrinsic for this process, method, article or equipment
Key element.In the case of there is no more restriction, statement " include a 〃 " and limit
Key element, it is not excluded that there is also another in including the process of described key element, method, article or equipment
Outer same factor.
One of ordinary skill in the art will appreciate that: realize all or part of step of said method embodiment
Can be completed by the hardware that programmed instruction is relevant, aforesaid program can be stored in embodied on computer readable
Storage medium in, this program upon execution, performs to include the step of said method embodiment;And it is aforementioned
Storage medium include: various Jie that can store program code such as ROM, RAM, magnetic disc or CD
In matter.
Last it should be understood that the foregoing is only presently preferred embodiments of the present invention, it is merely to illustrate this
The technical scheme of invention, is not intended to limit protection scope of the present invention.All spirit in the present invention and former
Any modification, equivalent substitution and improvement etc. done within then, are all contained in protection scope of the present invention.
Claims (10)
1. an operating system security bracing means, it is characterised in that including:
File access regulation linked, be used for storing in server OS at least one configuration file with extremely
Access rule the most corresponding between a few user;
File protection module, for intercepting and capturing targeted customer's service request for target configuration file, inquiry
Described file access regulation linked, when described targeted customer corresponding in described file access regulation linked and institute
When stating the access rule of file destination for allowing to access, send corresponding target configuration file to detection module
Detection instruction;After receiving the instruction information that detection module sends, the service request of intercepting and capturing is transmitted to
External process devices so that external process devices carries out phase according to described service request to target configuration file
The Business Processing answered;
Detection module, for storing the First Eigenvalue that each described configuration file is the most corresponding;Connecing
After receiving the detection instruction of corresponding target configuration file, calculate the Second Eigenvalue of target configuration file, when
When the First Eigenvalue of target configuration file is identical with Second Eigenvalue, to described file protection module
Send and characterize the instruction information that target configuration file integrity is not affected by destroying.
Operating system security bracing means the most according to claim 1, it is characterised in that
Business Processing corresponding to described service request includes: delete target configuration file or amendment target configuration
File;
And/or,
Described eigenvalue, including: cryptographic Hash.
Operating system security bracing means the most according to claim 1, it is characterised in that also include:
Application rule chained list and application program protection module;
Described application rule chained list, for storing the executing rule of at least one application program;
Described application program protection module, for intercepting and capturing the request that performs for destination application, inquiry
Described application rule chained list, when described destination application corresponding in described application rule chained list
Executing rule for allow perform time, to detection module send corresponding described destination application detection refer to
Order;After receiving the executable instruction that detection module sends, ask to be transmitted to outside by the execution of intercepting and capturing
Processing means so that external process devices completes corresponding Business Processing according to described execution request;
Described detection module, is further used for storing the 3rd spy that each described application program is the most corresponding
Value indicative;After the detection receiving corresponding described destination application instructs, calculate described intended application journey
The fourth feature value of sequence, when the third feature value of described destination application is identical with fourth feature value
Time, to described application program protection module send characterize destination application integrity be not affected by destroy can
Perform instruction.
Operating system security bracing means the most according to claim 1, it is characterised in that also include:
Authorization module and customer protection module;
Described authorization module, at least one user's authorization user information, wherein, described user believes
Breath includes user's name, cryptographic parameter and general-purpose serial bus USB parameters for authentication;And, authorize each
One or more in the following protection option that individual user is the most corresponding:
Add User information, deletion user profile and amendment user profile;
Described customer protection module, for intercepting and capturing the logging request of corresponding targeted customer, detects described login
Whether the user profile carried of request is the user profile of described authorization module mandate, if it is, by institute
State logging request and be transmitted to external process devices, so that external process devices allows described targeted customer to step on
Record;Intercept and capture the operational order for targeted customer, detect at least one protection that described targeted customer is corresponding
Whether option exists the protection option of corresponding described operational order, if it does not exist, then the behaviour that will intercept and capture
It is transmitted to external process devices so that external process devices completes according to described operational order accordingly as instruction
Business Processing.
5., according to described operating system security bracing means arbitrary in Claims 1-4, its feature exists
In, also include: process protection chained list and process protection module;
Described process protection chained list, for storing the identification information that at least one business process is the most corresponding;
Described process protection module, performs instruction for intercepting and capturing the termination for target service process, inquiry
Described process protection chained list, when the mark that there is corresponding described target service process in described process protection chained list
During knowledge information, described termination is performed instruction and is transmitted to external process devices, so that external process devices
Terminate described target service process.
6. the operation of operating system security bracing means as described in arbitrary in the claims 1 to 5
Method, it is characterised in that including:
Pre-set file access regulation linked, utilize file access regulation linked to store at least one configuration
Access rule the most corresponding between file with at least one user;
Detection module is utilized to store the First Eigenvalue that each described configuration file is the most corresponding;
Utilize file protection module to intercept and capture targeted customer's service request for target configuration file, inquire about institute
State file access regulation linked, as described targeted customer corresponding in described file access regulation linked and described
When the access rule of file destination is for allowing to access, send the inspection of corresponding target configuration file to detection module
Survey instruction;
Utilize detection module after the detection instruction receiving corresponding target configuration file, calculate target configuration
The Second Eigenvalue of file, when the First Eigenvalue of target configuration file is identical with Second Eigenvalue,
Send to described file protection module and characterize the instruction information that target configuration file integrity is not affected by destroying;
Utilize file protection module receive detection module send instruction information after, will intercept and capture business
Request is transmitted to external process devices so that target is configured by external process devices according to described service request
File carries out corresponding Business Processing.
Method the most according to claim 6, it is characterised in that
Business Processing corresponding to described service request includes: delete target configuration file or amendment target configuration
File;
And/or,
Described eigenvalue, including: cryptographic Hash.
Method the most according to claim 6, it is characterised in that also include:
Pre-set application rule chained list, utilize at least one application of application rule storage of linked list
The executing rule of program;And, utilize detection module to store each described application program correspondence respectively
Third feature value;
Utilizing application program protection module to intercept and capture the request that performs for destination application, inquiry is described should
Use rules of order chained list, when the execution of described destination application corresponding in described application rule chained list
When rule is for allowing to perform, send the detection instruction of corresponding described destination application to detection module;
Utilize detection module after the detection receiving corresponding described destination application instructs, calculate described
The fourth feature value of destination application, when third feature value and the fourth feature of described destination application
When being worth identical, send sign destination application integrity to described application program protection module and be not subject to
To the executable instruction destroyed;
Utilize application program protection module after receiving the executable instruction that detection module sends, will intercept and capture
Execution request be transmitted to external process devices so that external process devices completes according to described execution request
Corresponding Business Processing.
Method the most according to claim 6, it is characterised in that also include:
Utilizing authorization module at least one user's authorization user information, wherein, described user profile includes
User's name, cryptographic parameter and general-purpose serial bus USB parameters for authentication;And, authorize each user
One or more in the most corresponding following protection option:
Add User information, deletion user profile and amendment user profile;
Utilize customer protection module to intercept and capture the logging request of corresponding targeted customer, detect described logging request and take
Whether the user profile of band is the user profile of described authorization module mandate, if it is, by described login
Request is transmitted to external process devices, so that external process devices allows described targeted customer to log in;Cut
Obtain the operational order for targeted customer, detect at least one protection option that described targeted customer is corresponding
Whether there is the protection option of corresponding described operational order, if it does not exist, then the operational order that will intercept and capture
It is transmitted to external process devices so that external process devices completes corresponding business according to described operational order
Process.
10. according to described method arbitrary in claim 6 to 9, it is characterised in that also include:
Pre-set process protective chain table, utilize at least one business process of process protection storage of linked list respectively
Corresponding identification information;
Utilize process protection module to intercept and capture the termination for target service process and perform instruction, enter described in inquiry
Journey protection chained list, when the identification information that there is corresponding described target service process in described process protection chained list
Time, described termination is performed instruction and is transmitted to external process devices, so that external process devices terminates institute
State target service process.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610204386.7A CN105912945A (en) | 2016-04-05 | 2016-04-05 | Safety reinforcing device and operation method of operating system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610204386.7A CN105912945A (en) | 2016-04-05 | 2016-04-05 | Safety reinforcing device and operation method of operating system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN105912945A true CN105912945A (en) | 2016-08-31 |
Family
ID=56744520
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610204386.7A Pending CN105912945A (en) | 2016-04-05 | 2016-04-05 | Safety reinforcing device and operation method of operating system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105912945A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110619209A (en) * | 2019-08-27 | 2019-12-27 | 苏州浪潮智能科技有限公司 | Method and system for analyzing and judging web intrusion event |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2007036089A1 (en) * | 2005-09-30 | 2007-04-05 | Lenovo (Beijing) Limited | A computer system and a security enhancing method thereof |
CN103246849A (en) * | 2013-05-30 | 2013-08-14 | 浪潮集团有限公司 | Safe running method based on ROST under Windows |
CN104573530A (en) * | 2015-02-26 | 2015-04-29 | 浪潮电子信息产业股份有限公司 | Security reinforcing system for server |
CN104732149A (en) * | 2013-12-18 | 2015-06-24 | 国家电网公司 | Method and device for reinforcing operating system |
CN105224867A (en) * | 2015-10-27 | 2016-01-06 | 成都卫士通信息产业股份有限公司 | A kind of based on the Host Security reinforcement means under virtualized environment |
-
2016
- 2016-04-05 CN CN201610204386.7A patent/CN105912945A/en active Pending
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2007036089A1 (en) * | 2005-09-30 | 2007-04-05 | Lenovo (Beijing) Limited | A computer system and a security enhancing method thereof |
CN103246849A (en) * | 2013-05-30 | 2013-08-14 | 浪潮集团有限公司 | Safe running method based on ROST under Windows |
CN104732149A (en) * | 2013-12-18 | 2015-06-24 | 国家电网公司 | Method and device for reinforcing operating system |
CN104573530A (en) * | 2015-02-26 | 2015-04-29 | 浪潮电子信息产业股份有限公司 | Security reinforcing system for server |
CN105224867A (en) * | 2015-10-27 | 2016-01-06 | 成都卫士通信息产业股份有限公司 | A kind of based on the Host Security reinforcement means under virtualized environment |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110619209A (en) * | 2019-08-27 | 2019-12-27 | 苏州浪潮智能科技有限公司 | Method and system for analyzing and judging web intrusion event |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
Barona et al. | A survey on data breach challenges in cloud computing security: Issues and threats | |
EP3029593B1 (en) | System and method of limiting the operation of trusted applications in the presence of suspicious programs | |
CN110233817B (en) | Container safety system based on cloud computing | |
US20150121532A1 (en) | Systems and methods for defending against cyber attacks at the software level | |
Butt et al. | Cloud security threats and solutions: A survey | |
Rani et al. | Cyber security techniques, architectures, and design | |
CN109936555A (en) | A kind of date storage method based on cloud platform, apparatus and system | |
Anand et al. | Vulnerability-based security pattern categorization in search of missing patterns | |
CN111901348A (en) | Method and system for active network threat awareness and mimicry defense | |
CN102098313A (en) | Waterproof wall system and authentication method thereof | |
KR101265474B1 (en) | Security service providing method for mobile virtualization service | |
Shajan et al. | Survey of security threats and countermeasures in cloud computing | |
CN108429746B (en) | Privacy data protection method and system for cloud tenants | |
CN106685912A (en) | Secure access method of application system | |
CN105912945A (en) | Safety reinforcing device and operation method of operating system | |
Zlatanov | Computer security and mobile security challenges | |
Hutchings et al. | Criminals in the cloud: Crime, security threats, and prevention measures | |
Gandhi | Active cyber defense certainty: A digital self-defense in the modern age | |
Muttoo et al. | Analysing security checkpoints for an integrated utility-based information system | |
Derhab et al. | Spam Trapping System: Novel security framework to fight against spam botnets | |
Cho et al. | User credential cloning attacks in android applications: exploiting automatic login on android apps and mitigating strategies | |
US10419480B1 (en) | System, method, and computer program for real-time cyber intrusion detection and intruder identity analysis | |
Kaur et al. | Exploring the Potential of Blockchain Technology in Enhancing Security of smart systems | |
Sijan et al. | A review on e-banking security in Bangladesh: An empirical study | |
Goyal et al. | Cloud Computing and Security |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | ||
RJ01 | Rejection of invention patent application after publication |
Application publication date: 20160831 |