CN106713494B - Intelligent auditing method and device - Google Patents



Publication number: CN106713494B
Authority: CN (China)
Prior art keywords: request, user, information, code stream, data packet
Legal status: Active (an assumption by Google Patents, not a legal conclusion)
Application number: CN201710050963.6A
Other languages: Chinese (zh)
Other versions: CN106713494A (en)
Inventors: 李森, 提运强, 路星星
Current assignee: Shanghai Suninfo Technology Co ltd (as listed by Google Patents; may be inaccurate)
Original assignee: Shanghai Suninfo Technology Co ltd
Events: application filed by Shanghai Suninfo Technology Co ltd; priority to CN201710050963.6A; publication of CN106713494A; application granted; publication of CN106713494B; legal status active; anticipated expiration.


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/08 Protocols specially adapted for terminal emulation, e.g. Telnet
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/451 Execution arrangements for user interfaces
    • G06F9/452 Remote windowing, e.g. X-Window System, desktop virtualisation
    • G06F9/46 Multiprogramming arrangements
    • G06F9/54 Interprogram communication
    • G06F9/543 User-generated data transfer, e.g. clipboards, dynamic data exchange [DDE], object linking and embedding [OLE]

Abstract

The application discloses an intelligent auditing method and device. The method comprises the following steps: receiving an I/O request sent by an RDP client; parsing a protocol data packet received from the RDP client during the operation and maintenance process, and determining the code stream information of an operation action in the protocol data packet; inserting the determined code stream information of the operation action into the received I/O request to form a modified I/O request; sending the modified I/O request to a target machine; and receiving the I/O response made by the target machine to the modified I/O request, and sending the I/O response to the RDP client. According to the method and device, the corresponding data packets are located at the proper position in the RDP protocol and the protocol data packets are integrated, so that user operations such as mouse and keyboard input, pasting, copying and opening files are recorded. The method and device extract the graphics protocol content through RDP operation and maintenance, which not only addresses the security control of data transmission but also facilitates the user's operation and maintenance management of IT equipment.

Description

Intelligent auditing method and device
Technical Field
The application relates to the field of computers, in particular to an intelligent auditing method and device.
Background
With the development of computer and network technologies, the operation and maintenance of IT equipment is receiving increasing attention from governments and enterprises, and the auditing requirements for operation and maintenance are also increasing. The operation and maintenance management system serves as an intermediate layer between the user and the target device, and needs to carry out the proxied operation and maintenance process for various protocols and implement the related control functions.
Remote Desktop Protocol (RDP) is a multi-channel protocol that allows a user (client or "local computer") to connect to a computer (server or "remote computer") providing Microsoft Terminal Services. When proxied operation and maintenance is carried out through the RDP protocol, the data exchanged between the local desktop and the remote desktop can be recorded and replayed by the RDP proxy.
However, the existing RDP protocol proxy mainly records desktop I/O operations; although it can relay data between the local and remote sides, it cannot effectively analyze the operations that the user performs on the desktop, which is a serious deficiency. For example, during an audit, the auditor cannot check which specific dangerous operations the operator performed on the remote device: which files (and what content) were cut or copied, what was clicked or typed with the mouse or keyboard, and which dangerous files were opened.
Disclosure of Invention
The embodiments of the application provide an intelligent auditing method and device, which are used to solve the problem in the prior art that an RDP protocol proxy only records desktop I/O operations and cannot effectively analyze the operations that a user performs on the desktop.
One aspect of the present application provides an intelligent auditing method, including:
receiving an I/O request sent by an RDP client;
analyzing a protocol data packet received from an RDP client in the operation and maintenance process, and determining code stream information of an operation action in the protocol data packet;
inserting the code stream information of the determined operation action into the received I/O request to form a modified I/O request;
sending the modified I/O request to a target machine;
and receiving an I/O response made by the target machine to the modified I/O request, and sending the I/O response to the RDP client.
Further, before inserting the code stream information of the determined operation action into the received I/O request, the method further includes a monitoring step, specifically:
judging whether the user operation belongs to dangerous operation or not according to the determined code stream information of the operation action;
if so, sending the dangerous operation information and the I/O request to the target machine, and receiving a response that the target machine blocks the user operation;
and if not, executing a step of inserting the code stream information of the determined operation action into the received I/O request.
Further, the determining whether the user operation belongs to a dangerous operation specifically includes:
judging, based on the screen data at the point clicked by the user's keyboard or mouse, whether the user operation modifies the user environment information, modifies the user password, deletes important user information, or sends important user information to a non-local system; if so, the user operation is determined to be a dangerous operation.
Further, the determining code stream information of the operation action in the protocol data packet includes: and determining code stream information of local operation actions and code stream information of remote desktop operation actions in the protocol data packet.
Further, the code stream information of the operation action specifically includes: mouse and keyboard operation information, clipboard operation information and file title content acquisition operation information.
Further, when the protocol data packet is a protocol data packet of a mouse and a keyboard, the data operated by the mouse and the keyboard is transmitted through a first virtual channel.
Further, when the protocol data packet is a protocol data packet of a clipboard, the data of the clipboard operation is transmitted through a second virtual channel.
Further, when the protocol data packet is a protocol data packet of file title content, the file title content is obtained by acquiring the name of the file opened by the user's remote desktop operation.
Another aspect of the application provides an intelligent auditing apparatus, including:
the receiving module is used for receiving an I/O request sent by the RDP client;
the protocol analysis module is used for analyzing a protocol data packet received from the RDP client in the operation and maintenance process and determining code stream information of an operation action in the protocol data packet;
the generating module is used for inserting the code stream information of the determined operation action into the received I/O request to form a modified I/O request;
a sending module for sending the modified I/O request to a target machine;
and the transceiver module is used for receiving the I/O response of the target machine to the modified I/O request and then sending the I/O response to the RDP client.
Further, the apparatus also comprises:
the judging module is used for judging whether the user operation belongs to the dangerous operation or not according to the code stream information of the determined operation action before the code stream information of the determined operation action is inserted into the received I/O request;
if so, sending the dangerous operation information and the I/O request to the target machine, and receiving a response that the target machine blocks the user operation;
and if not, executing a step of inserting the code stream information of the determined operation action into the received I/O request.
Further, the judging module is further configured to judge, based on the screen data at the point clicked by the user's keyboard or mouse, whether the user environment information is being modified, the user password is being modified, important user information is being deleted, or important user information is being sent to a non-local system; if so, it is determined that the user operation belongs to a dangerous operation.
Further, the apparatus also comprises:
and the determining module is used for determining the code stream information of the local operation action and the code stream information of the remote desktop operation action in the protocol data packet.
Further, the code stream information of the operation action specifically includes: mouse and keyboard operation information, clipboard operation information and file title content extraction operation information.
Further, the apparatus also comprises:
and the first virtual channel layer is used for transmitting the data of the mouse and keyboard operation when the protocol data packet is the protocol data packet of the mouse and keyboard.
Further, the apparatus also comprises:
and the second virtual channel layer is used for transmitting the data of the clipboard operation when the protocol data packet is the protocol data packet of the clipboard.
Further, the apparatus also comprises:
and the acquisition module is used for acquiring the name of the file opened by the user's remote desktop operation when the protocol data packet is a protocol data packet of file title content.
Compared with the prior art, the method and device receive, through the RDP proxy service, the I/O request sent by the RDP client; parse the protocol data packet received from the RDP client during the operation and maintenance process; determine in the protocol data packet the operation action code stream information used to extract the graphics protocol content; insert that code stream information into the received I/O request to form a modified I/O request; send the modified I/O request to the target machine; receive the I/O response made by the target machine to the modified I/O request; and then send the I/O response to the RDP client. According to the method and device, the corresponding data packets are located at the proper position in the RDP protocol and the protocol data packets are integrated, so that user operations such as mouse and keyboard input, pasting, copying and opening files are recorded. The method and device extract the graphics protocol content (file title content, mouse and keyboard operations, and cut, copy and paste operations) through RDP operation and maintenance, which not only addresses the security control of data transmission but also facilitates the user's operation and maintenance management of IT equipment.
Drawings
Other features, objects and advantages of the present application will become more apparent upon reading of the following detailed description of non-limiting embodiments thereof, made with reference to the accompanying drawings in which:
FIG. 1 illustrates a flow diagram of a smart audit method in accordance with an aspect of the subject application;
FIG. 2 illustrates a timing diagram of an intelligent audit RDP broker service model in accordance with an aspect of the subject application;
FIG. 3 illustrates a timing diagram of the operation of an intelligent audit clipboard in accordance with an aspect of the subject application;
FIG. 4 is a schematic diagram of an intelligent audit device according to another aspect of the present application.
The same or similar reference numbers in the drawings identify the same or similar elements.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application clearer, the present application will be described in further detail with reference to the accompanying drawings, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The embodiments of the present application will be described in further detail with reference to the drawings attached hereto.
The embodiments of the application are applied to an IT infrastructure operation and maintenance management system and are used to audit RDP-type access and operations.
One aspect of the present application provides an intelligent auditing method, which relates to a core flow of an RDP operation and maintenance management system, and as shown in fig. 1, the method specifically includes the following steps:
step S101, receiving an I/O request sent by an RDP client;
step S102, analyzing a protocol data packet received from an RDP client in the operation and maintenance process, and determining code stream information of the operation action of the protocol data packet;
step S103, inserting the code stream information of the determined operation action into the received I/O request to form a modified I/O request;
step S104, sending the modified I/O request to a target machine;
and step S105, receiving an I/O response made by the target machine to the modified I/O request, and sending the I/O response to the RDP client.
Specifically, the protocol data packets are divided into three types: streaming media, image and file. Streaming media packets carry a stream type (text type, one device pixel per unit; millimeter type, one millimeter per logical unit; etc.), an X-axis coordinate, a Y-axis coordinate and the stream content. Image packets carry pixel values (red, green, blue and spread values). File packets carry a file description (attributes, size, write time, copy progress), a file ID, a file list, an operation type, etc.
In this embodiment of the application, the code stream information of the operation action specifically includes: mouse and keyboard operation information, clipboard operation information and file title content acquisition operation information.
Further, the determining code stream information of the operation action in the protocol data packet includes: and determining code stream information of local operation actions and code stream information of remote desktop operation actions in the protocol data packet.
According to the embodiment of the application, through recording the local operation action and the remote desktop operation action, the safety control of data transmission is achieved, and the local operation and the remote desktop operation can be monitored so as to check the dangerous operation of an operator.
A specific embodiment is described below with reference to fig. 2, which illustrates how the technical solution of the present application implements extraction of graphics protocol content through RDP operation and maintenance.
As shown in fig. 2, the RDP proxy service in the embodiment of the present application is equivalent to an intermediate layer of the system and is responsible for receiving the I/O request sent by the RDP client (mstsc, rdesktop, etc.). The proxy service is provided with a protocol parsing module, which is mainly responsible for parsing the protocol data packets related to operations such as mouse, keyboard, paste, copy and file open during the operation and maintenance process and, once parsing is complete, extracting the specific code stream information required by the user, that is, the mouse and keyboard input and the clipboard paste and copy information. This code stream information is inserted into the received I/O request to form a modified I/O request, which is then forwarded to the remote target machine.
In implementation, after the target machine receives the modified I/O request, the RDP proxy program receives the I/O response made by the target machine to the modified I/O request and then forwards the I/O response to the RDP client. Specifically, as regards the I/O response made by the target machine to the modified I/O request: if the client performs a mouse click operation, the target machine returns data to the client. The mouse click event is parsed from the data packet produced by RDP's own packetization; that packet also contains a public control data header, a security control data header and similar information, and the mouse operation data, comprising the operation type, the X coordinate, the Y coordinate and so on, is parsed out in the code according to the corresponding format.
Further, before inserting the code stream information of the determined operation action into the received I/O request, the method further includes a monitoring step, specifically:
judging whether the user operation belongs to dangerous operation or not according to the determined code stream information of the operation action;
if so, sending the dangerous operation information and the I/O request to the target machine, and receiving a response that the target machine blocks the user operation;
and if not, executing a step of inserting the code stream information of the determined operation action into the received I/O request.
According to the method and device, during the RDP proxy service, whether the user operation needs to be blocked is judged according to the parsed mouse, keyboard and clipboard paste and copy information; if the user operation does not need to be blocked, the determined operation action code stream information is forwarded to the target machine.
Further, the determining whether the user operation belongs to a dangerous operation specifically includes:
judging, based on the screen data at the point clicked by the user's keyboard or mouse, whether the user operation modifies the user environment information, modifies the user password, deletes important user information, or sends important user information to a non-local system; if so, the user operation is determined to be a dangerous operation.
Further, when the protocol data packet is a protocol data packet of a mouse and a keyboard, the data operated by the mouse and the keyboard is transmitted through a first virtual channel.
In the embodiment of the application, in the RDP protocol, mouse and keyboard operations and the user's remote desktop operations are carried together over a virtual channel. The mouse operation must be obtained from the specific RDP code stream and comprises: the mouse button attribute (left, right or middle button) and the mouse click operation (click or double click).
Keyboard operations must also be obtained from the specific RDP code stream. For example, a keystroke may carry flags: the keystroke message includes an extended scan code flag indicating whether the key is an extended key. For the enhanced 101- and 102-key keyboards, the extended keys in the main body of the keyboard are the right ALT and CTRL keys, the INS, DEL, HOME, END, PAGE UP, PAGE DOWN and arrow keys to the left of the numeric keypad, and the slash ("/") and ENTER keys on the numeric keypad. A keystroke also carries a key-hit flag indicating which key character the keystroke produced, and so on.
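The monitoring step described above (parse the mouse and keyboard code stream, judge whether the operation is dangerous, then block or forward), as an added example that is not code from the patent or its assignee. It works on a constructed, simplified event-record layout; the flag bits, the scan-code table and the danger signatures are assumptions for the example, not the real RDP input PDUs.

```python
"""Added example (not the patent's or its assignee's code): the RDP audit
proxy's monitoring step over a constructed, simplified input-event stream.
Record layout, flag bits, scan-code table and danger patterns are assumptions
made for this example, not the RDP wire format.
"""
from __future__ import annotations

import re
import struct
from dataclasses import dataclass, field

# Assumed record layout: <type u8><flags u16><a u16><b u16>, little-endian.
# type 1 = mouse   : flags = button/click bits, a = X, b = Y
# type 2 = keyboard: flags = key flags, a = scan code, b = unused
REC = struct.Struct("<BHHH")
MOUSE, KEYBOARD = 1, 2
BTN_LEFT, BTN_RIGHT, BTN_MIDDLE, DOUBLE_CLICK = 0x1, 0x2, 0x4, 0x8  # assumed
KBD_EXTENDED, KBD_RELEASE = 0x0100, 0x8000                          # assumed

# Tiny scan-code table for the demo; real code maps the full set.
SCAN = {0x1E: "a", 0x30: "b", 0x2E: "c", 0x20: "d", 0x12: "e", 0x21: "f",
        0x26: "l", 0x31: "n", 0x18: "o", 0x19: "p", 0x13: "r", 0x1F: "s",
        0x14: "t", 0x16: "u", 0x2F: "v", 0x11: "w", 0x39: " ", 0x1C: "\n",
        0x35: "/", 0x0C: "-", 0x53: "."}
# Same code with the extended flag set is a different key (0x53: DEL, not ".").
EXTENDED = {0x53: "<DEL>", 0x52: "<INS>", 0x47: "<HOME>", 0x4F: "<END>"}
REV = {v: k for k, v in SCAN.items()}

# The patent's three danger categories (password change, deletion of user
# information, sending it off-host), expressed as constructed signatures
# over the text the operator typed.
DANGER = [
    ("password change", re.compile(r"\b(passwd|chpasswd)\b")),
    ("user information deletion", re.compile(r"\b(userdel|rm -rf /home)\b")),
    ("transfer to non-local system", re.compile(r"\b(scp|sftp|ftp)\b")),
]


@dataclass
class Action:
    kind: str            # "mouse" or "key"
    detail: str          # e.g. "left double-click" or the typed character
    x: int = 0
    y: int = 0


@dataclass
class Decision:
    block: bool
    reason: str
    typed: str
    audit: list[str] = field(default_factory=list)


def parse_events(stream: bytes) -> list[Action]:
    """Decode the input-event records into high-level actions."""
    if len(stream) % REC.size:
        raise ValueError("truncated input-event record")
    actions: list[Action] = []
    for typ, flags, a, b in REC.iter_unpack(stream):
        if typ == MOUSE:
            btn = ("left" if flags & BTN_LEFT else "right" if flags & BTN_RIGHT
                   else "middle" if flags & BTN_MIDDLE else "none")
            click = "double-click" if flags & DOUBLE_CLICK else "click"
            actions.append(Action("mouse", f"{btn} {click}", a, b))
        elif typ == KEYBOARD:
            if flags & KBD_RELEASE:
                continue                      # only key-down yields a character
            ch = EXTENDED.get(a, f"<ext {a:#04x}>") if flags & KBD_EXTENDED else SCAN.get(a, f"<{a:#04x}>")
            actions.append(Action("key", ch))
        else:
            raise ValueError(f"unknown record type {typ}")
    return actions


def monitor(stream: bytes) -> Decision:
    """The proxy's monitoring step: record the actions, then block or forward."""
    actions = parse_events(stream)
    typed = "".join(a.detail for a in actions if a.kind == "key")
    audit = [f"mouse {a.detail} at ({a.x},{a.y})" for a in actions if a.kind == "mouse"]
    for line in typed.split("\n"):
        for label, pat in DANGER:
            if pat.search(line):
                audit.append(f"BLOCKED [{label}]: {line.strip()!r}")
                return Decision(True, label, typed, audit)
    audit.append(f"forwarded; typed {typed.strip()!r}")
    return Decision(False, "", typed, audit)


# Helpers that build constructed sample streams (key-down followed by release).
def mouse(flags: int, x: int, y: int) -> bytes:
    return REC.pack(MOUSE, flags, x, y)


def key(scan: int, flags: int = 0) -> bytes:
    return REC.pack(KEYBOARD, flags, scan, 0) + REC.pack(KEYBOARD, flags | KBD_RELEASE, scan, 0)


def keys(text: str) -> bytes:
    return b"".join(key(REV[c]) for c in text)


SAFE_SAMPLE = mouse(BTN_LEFT | DOUBLE_CLICK, 120, 340) + keys("notepad\n")
DANGER_SAMPLE = keys("passwd bob\n")

if __name__ == "__main__":
    print("\n".join(monitor(SAFE_SAMPLE).audit + monitor(DANGER_SAMPLE).audit))
```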
Further, when the protocol data packet is a protocol data packet of a clipboard, the data of the clipboard operation is transmitted through a second virtual channel.
In the embodiment of the present application, as shown in fig. 3, in the RDP protocol the clipboard data is transmitted through the clipboard's own private virtual channel. Local and remote copy and paste operations use the system clipboard at both ends. When host A performs a copy operation, a clipboard update notification is triggered first. The clipboard virtual channel endpoint receives the notification and sends a clipboard update request to host B; after receiving the request, host B modifies its local clipboard information according to the formats in the request, but no actual data is transmitted at this point, and once host B has successfully updated its clipboard information it sends a response message to host A. When a paste operation is performed on host B, a clipboard data request is triggered and forwarded to host A through the RDP proxy service; host A then sends the actually stored clipboard data to host B in the format agreed by the protocol, host B updates its local clipboard after receiving the data, and at this point the application can complete the paste using the local clipboard.
Specifically, to analyze copy and paste operations, the position of the file content or file name is first parsed and extracted from the code stream; the file content or file name is then converted into UTF-8 according to the language and encoding of the remote desktop operating system (Chinese in UTF-16, GBK, GB2312, etc.; English; Japanese; Russian; and so on), and the converted file content or file name is displayed on the playback page.
In the embodiment of the application, the mouse and keyboard operations and the clipboard paste and copy operations are transmitted in virtual channels 1003 and 1005 of the RDP protocol respectively, so that the data of the different virtual channels is kept separate, which speeds up processing on the client and saves time occupying the network interface. Each virtual channel has its own framing and encryption rules for encrypting and decrypting its functional data.
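The fig. 3 clipboard exchange and the encoding conversion for the playback page, seen from the proxy, as an added example that is not code from the patent or its assignee. The message names, the format ids and the OS-language-to-encoding table are assumptions; the messages are constructed stand-ins for the clipboard channel PDUs, and the audit also flags data that arrives without a preceding request.

```python
"""Added example (not the patent's or its assignee's code): the proxy-side
audit of the clipboard virtual channel exchange of fig. 3. Messages are
constructed dicts standing in for the clipboard channel PDUs; the message
names, format ids and the OS-language-to-encoding table are assumptions for
this example, not the real clipboard channel format.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

CF_TEXT, CF_UNICODETEXT, CF_FILELIST = 1, 13, 0xC0DE        # assumed ids
# Encoding assumed for CF_TEXT and file names by remote-OS language (the
# patent lists Chinese UTF-16/GBK/GB2312, English, Japanese, Russian).
OS_ENCODING = {"zh-GBK": "gbk", "zh-GB2312": "gb2312", "en": "cp1252",
               "ja": "cp932", "ru": "cp1251"}


@dataclass
class ClipboardAudit:
    """Tracks one RDP session's clipboard channel as seen by the proxy."""
    remote_lang: str
    offered: list[int] = field(default_factory=list)   # formats from last copy
    pending: Optional[int] = None                       # format awaiting data
    records: list[str] = field(default_factory=list)

    def decode(self, fmt: int, payload: bytes) -> str:
        """Convert the payload to UTF-8 text for the playback page."""
        if fmt == CF_UNICODETEXT:
            return payload.decode("utf-16-le").rstrip("\x00")
        enc = OS_ENCODING[self.remote_lang]
        if fmt == CF_TEXT:
            return payload.decode(enc).rstrip("\x00")
        if fmt == CF_FILELIST:        # constructed layout: NUL-separated names
            return ", ".join(n for n in payload.decode(enc).split("\x00") if n)
        return f"<{len(payload)} bytes of format {fmt:#x}>"

    def observe(self, msg: dict) -> str:
        """Feed one proxied message; returns the audit line written for it."""
        kind, src = msg["type"], msg["from"]
        if kind == "format_list":               # copy on src: announce formats
            self.offered = list(msg["formats"])
            self.pending = None
            line = f"{src}: copy, offering formats {self.offered}"
        elif kind == "format_list_response":    # peer updated clipboard metadata
            line = f"{src}: clipboard metadata updated, no data transferred yet"
        elif kind == "format_data_request":     # paste on src
            fmt = msg["format"]
            if fmt not in self.offered:
                line = f"ALERT {src}: requested format {fmt:#x} was never offered"
            else:
                self.pending = fmt
                line = f"{src}: paste, requesting format {fmt:#x}"
        elif kind == "format_data_response":    # actual data crosses the proxy
            if self.pending is None:
                line = f"ALERT {src}: unsolicited clipboard data, {len(msg['data'])} bytes"
            else:
                text = self.decode(self.pending, msg["data"])
                line = f"{src}: delivered {self.pending:#x} data: {text}"
                self.pending = None
        else:
            line = f"ALERT {src}: unknown clipboard message {kind!r}"
        self.records.append(line)
        return line


def audit_exchange(remote_lang: str, messages: list[dict]) -> list[str]:
    """Run a whole exchange through the proxy audit and return its records."""
    audit = ClipboardAudit(remote_lang)
    for m in messages:
        audit.observe(m)
    return audit.records


# Constructed sample: host A (remote desktop, Chinese GBK) copies two file
# names and host B pastes them; the proxy sees all four messages.
SAMPLE_GBK = [
    {"type": "format_list", "from": "A", "formats": [CF_TEXT, CF_FILELIST]},
    {"type": "format_list_response", "from": "B"},
    {"type": "format_data_request", "from": "B", "format": CF_FILELIST},
    {"type": "format_data_response", "from": "A",
     "data": "重要资料.xlsx\x00密码表.txt\x00".encode("gbk")},
]
# Constructed sample: clipboard data arrives although nobody requested it.
SAMPLE_UNSOLICITED = [
    {"type": "format_data_response", "from": "A", "data": b"\x00" * 16},
]

if __name__ == "__main__":
    print("\n".join(audit_exchange("zh-GBK", SAMPLE_GBK)))
    print("\n".join(audit_exchange("en", SAMPLE_UNSOLICITED)))
```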
Further, when the protocol data packet is a protocol data packet of file title content, the file title content is obtained by acquiring the name of the file opened by the user's remote desktop operation.
According to the method and device for obtaining file title content, the name of the opened file is obtained from the user's remote desktop operation. The remote desktop operation text is stored in a 256 × 256 cache and is looked up by ID from the remote desktop of the operating system. When the cache is insufficient, earlier content may be overwritten, so the file title content must be obtained in time according to the actual conditions.
The method and device receive, through the RDP proxy service, the I/O request sent by the RDP client; parse the protocol data packet received from the RDP client during the operation and maintenance process; determine in the protocol data packet the operation action code stream information used to extract the graphics protocol content; insert that code stream information into the received I/O request to form a modified I/O request; send the modified I/O request to the target machine; receive the I/O response made by the target machine to the modified I/O request; and send the I/O response to the RDP client. According to the method and device, the corresponding data packets are located at the proper position in the RDP protocol and the protocol data packets are integrated, so that user operations such as mouse and keyboard input, pasting, copying and opening files are recorded. The method and device extract the graphics protocol content through RDP operation and maintenance, which not only addresses the security control of data transmission but also allows local operations and remote desktop operations to be monitored, so as to check which dangerous operations the operator specifically performed.
Based on the same technical concept, the embodiments of the application also provide an intelligent auditing device that can carry out the method embodiment; since the principle by which the device solves the problem is similar to that of the intelligent auditing method, the implementation of the device may refer to the implementation of the method.
Another aspect of the present application provides an intelligent auditing apparatus, as shown in fig. 4, including:
a receiving module 401, configured to receive an I/O request sent by an RDP client;
the protocol analysis module 402 is used for analyzing a protocol data packet received from the RDP client in the operation and maintenance process and determining code stream information of an operation action in the protocol data packet;
a generating module 403, configured to insert the code stream information of the determined operation action into the received I/O request to form a modified I/O request;
a sending module 404, configured to send the modified I/O request to the target machine;
the transceiver module 405 is configured to receive an I/O response made by the target machine to the modified I/O request, and then send the I/O response to the RDP client.
In this embodiment of the application, the code stream information of the operation action specifically includes: mouse and keyboard operation information, clipboard operation information and file title content acquisition operation information.
Further, the apparatus also comprises:
and the determining module is used for determining the code stream information of the local operation action and the code stream information of the remote desktop operation action in the protocol data packet.
According to the embodiment of the application, through recording the local operation action and the remote desktop operation action, the safety control of data transmission is achieved, and the local operation and the remote desktop operation can be monitored so as to check the dangerous operation of an operator.
The RDP proxy service in the embodiment of the present application is equivalent to an intermediate layer of the system and is responsible for receiving the I/O request sent by the RDP client (mstsc, rdesktop, etc.). The proxy service is internally provided with a protocol parsing module, which is mainly responsible for parsing the protocol data packets related to operations such as mouse, keyboard, paste, copy and file open during the operation and maintenance process and, once parsing is complete, extracting the specific code stream information required by the user, that is, the mouse and keyboard input and the clipboard paste and copy information. This code stream information is inserted into the received I/O request to form a modified I/O request, which is then forwarded to the remote target machine.
In implementation, after the target machine receives the modified I/O request, the RDP proxy program receives the I/O response made by the target machine to the modified I/O request and then forwards the I/O response to the RDP client. Specifically, as regards the I/O response made by the target machine to the modified I/O request: if the client performs a mouse click operation, the target machine returns data to the client. The mouse click event is parsed from the data packet produced by RDP's own packetization; that packet also contains a public control data header, a security control data header and similar information, and the mouse operation data, comprising the operation type, the X coordinate, the Y coordinate and so on, is parsed out in the code according to the corresponding format.
Further, the apparatus also comprises:
a judging module 406, configured to judge whether the user operation belongs to a dangerous operation according to the code stream information of the determined operation action before inserting the code stream information of the determined operation action into the received I/O request;
if so, sending the dangerous operation information and the I/O request to the target machine, and receiving a response that the target machine blocks the user operation;
and if not, executing a step of inserting the code stream information of the determined operation action into the received I/O request.
According to the method and device, during the RDP proxy service, whether the user operation needs to be blocked is judged according to the parsed mouse, keyboard and clipboard paste and copy information; if the user operation does not need to be blocked, the determined operation action code stream information is forwarded to the target machine.
Further, the judging module 406 is further configured to judge, based on the screen data at the point clicked by the user's keyboard or mouse, whether the user environment information is being modified, the user password is being modified, important user information is being deleted, or important user information is being sent to a non-local system; if so, it is determined that the user operation belongs to a dangerous operation.
Further, the apparatus also comprises:
the first virtual channel layer 408 is configured to transmit data of a mouse/keyboard operation when the protocol packet is a protocol packet of a mouse/keyboard.
In the embodiment of the application, mouse and keyboard operations and the user's remote desktop operations are fused into a virtual channel of the RDP protocol for transmission. The mouse operation has to be obtained from a specific RDP code stream and comprises: mouse button attributes (left button, right button, middle button) and mouse click operations (click, double click).
Keyboard operations also have to be obtained from a specific RDP code stream. For example, the keystroke message includes flags (an extended scan code flag indicating whether the key is an extended key of an enhanced 101- or 102-key keyboard; on those keyboards the extended keys are the right ALT and CTRL keys on the main keyboard, the INS, DEL, HOME, END, PAGE UP, PAGE DOWN and arrow keys to the left of the numeric keypad, and the slash ("/") and ENTER keys on the numeric keypad), a key code flag indicating which key character was hit, and so on.
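As an added example (not code from the patent or from the applicant), the following Python sketch shows the proxy-side step described above: it parses constructed slow-path input events laid out as in MS-RDPBCGR, records each operation action (button, X/Y coordinate, scan code and extended-key flag), and applies a constructed policy for two of the dangerous-operation classes before deciding whether to forward the I/O request. The event framing, `SessionContext`, `proxy_step` and the policy rules are assumptions of the example.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Set
# Slow-path input event constants as defined in MS-RDPBCGR (TS_INPUT_EVENT); the
# framing is a constructed simplification that skips share headers and encryption.
INPUT_EVENT_SCANCODE, INPUT_EVENT_MOUSE = 0x0004, 0x8001
KBDFLAGS_EXTENDED, KBDFLAGS_RELEASE = 0x0100, 0x8000
PTRFLAGS_MOVE, PTRFLAGS_DOWN = 0x0800, 0x8000
PTRFLAGS_BUTTON1, PTRFLAGS_BUTTON2 = 0x1000, 0x2000
SC_CTRL, SC_ALT, SC_DEL = 0x1D, 0x38, 0x53   # set-1 scan codes; the DEL key is E0 53
@dataclass
class OpAction:             # the "code stream information of an operation action"
    kind: str               # "mouse" or "keyboard"
    detail: str             # "left_down", "right_up", "move", "down", "up"
    x: int = 0              # X/Y direction coordinates of a mouse event
    y: int = 0
    code: int = 0           # scan code of a keyboard event
    extended: bool = False  # extended key (E0 prefix): right CTRL/ALT, INS, DEL, arrows...
@dataclass
class SessionContext:       # per-session audit state kept by the proxy (constructed)
    held_keys: Set[int] = field(default_factory=set)
    open_file: str = ""     # file title obtained from the remote desktop operation
    protected_files: Set[str] = field(default_factory=set)

def parse_input_events(payload: bytes, ctx: SessionContext) -> List[OpAction]:
    """Body: u16 numEvents, u16 pad, then numEvents x (u32 time, u16 type, 6 data bytes)."""
    num_events, = struct.unpack_from("<H", payload, 0)
    actions, off = [], 4
    for _ in range(num_events):
        _time, msg_type, flags, a, b = struct.unpack_from("<IHHHH", payload, off)
        off += 12
        if msg_type == INPUT_EVENT_MOUSE:       # a = xPos, b = yPos
            if flags & PTRFLAGS_MOVE:
                detail = "move"
            else:
                btn = "left" if flags & PTRFLAGS_BUTTON1 else "right" if flags & PTRFLAGS_BUTTON2 else "other"
                detail = f"{btn}_{'down' if flags & PTRFLAGS_DOWN else 'up'}"
            actions.append(OpAction("mouse", detail, x=a, y=b))
        elif msg_type == INPUT_EVENT_SCANCODE:  # a = keyCode, b = padding
            down = not flags & KBDFLAGS_RELEASE
            (ctx.held_keys.add if down else ctx.held_keys.discard)(a)
            actions.append(OpAction("keyboard", "down" if down else "up", code=a, extended=bool(flags & KBDFLAGS_EXTENDED)))
    return actions

def is_dangerous(actions: List[OpAction], ctx: SessionContext) -> List[str]:
    """Constructed policy for two of the page's dangerous-operation classes."""
    reasons = []
    for act in actions:
        if act.kind != "keyboard" or act.detail != "down" or act.code != SC_DEL or not act.extended:
            continue  # numeric-keypad '.' shares scan code 0x53 without the extended flag
        if {SC_CTRL, SC_ALT} <= ctx.held_keys:
            reasons.append("Ctrl+Alt+Del: user environment / password modification screen")
        elif ctx.open_file in ctx.protected_files:
            reasons.append(f"DEL while '{ctx.open_file}' is open: deleting important information")
    return reasons

def proxy_step(payload: bytes, ctx: SessionContext):
    actions = parse_input_events(payload, ctx)   # one decision per I/O request
    reasons = is_dangerous(actions, ctx)
    return ("block", reasons) if reasons else ("forward", actions)

def build_event(msg_type: int, flags: int, a: int, b: int = 0) -> bytes:
    return struct.pack("<IHHHH", 0, msg_type, flags, a, b)
def build_pdu(events: List[bytes]) -> bytes:
    return struct.pack("<HH", len(events), 0) + b"".join(events)
```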
Further, the apparatus also comprises:
a second virtual channel layer 409, configured to transmit the data of a clipboard operation when the protocol packet is a clipboard protocol packet.
In the RDP protocol, clipboard data is transmitted through the clipboard's own private virtual channel. Local and remote copy and paste operations use the system clipboard at both ends. When host A performs a copy operation, it first triggers a clipboard update notification. The clipboard virtual channel end receives the notification and sends a clipboard update request to host B; after receiving the request, host B modifies its local clipboard information according to the format given in the request (the actual data is not transmitted at this point), and once host B has successfully updated its clipboard information it sends a response message to host A. When a paste operation is performed on host B, a clipboard data request is triggered and forwarded to host A through the RDP proxy service; host A then sends the actually stored clipboard data to host B in the format agreed by the protocol, host B updates its local clipboard after receiving the data, and the application program can then complete the paste using the local clipboard.
Specifically, to analyze copy and paste operations, the position of the file content or file name is first parsed and extracted from the code stream; the file content or file name is then converted into UTF-8 according to the language of the remote desktop operating system (Chinese (UTF-16, GBK, GB2312, etc.), English, Japanese, Russian, etc.) and displayed on the playback page.
In the embodiment of the application, the mouse and keyboard operations and the clipboard paste/copy operations are transmitted in virtual channel areas 1003 and 1005 of the RDP protocol respectively, so that data belonging to different virtual channels is split apart, the client's processing speed is increased, and the time the network interface is occupied is reduced. Different virtual channels have their own combination and encryption rules for encrypting and decrypting the functional data.
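The clipboard exchange just described, as an added example rather than the patent's own code: the proxy observes the four clipboard virtual channel messages (message types, flags and header layout as defined in MS-RDPECLIP), converts the pasted text from UTF-16 or from the remote desktop's ANSI code page (GBK here) into a Python string for the playback page, and tags which direction the data crossed. The `ClipboardAuditor` bookkeeping, the direction labels and `leaves_local_system` are assumptions of the example.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# Clipboard virtual channel message types and flags as defined in MS-RDPECLIP;
# the proxy bookkeeping and the policy below are constructed for this example.
CB_FORMAT_LIST, CB_FORMAT_LIST_RESPONSE = 0x0002, 0x0003
CB_FORMAT_DATA_REQUEST, CB_FORMAT_DATA_RESPONSE = 0x0004, 0x0005
CB_RESPONSE_OK = 0x0001
CF_TEXT, CF_UNICODETEXT = 1, 13
HDR = struct.Struct("<HHI")          # CLIPRDR_HEADER: msgType, msgFlags, dataLen

def clip_pdu(msg_type: int, flags: int = 0, body: bytes = b"") -> bytes:
    return HDR.pack(msg_type, flags, len(body)) + body

def short_format_list(format_ids: List[int]) -> bytes:
    # CLIPRDR_SHORT_FORMAT_NAME entries: u32 formatId + 32-byte name
    return b"".join(struct.pack("<I", f) + b"\x00" * 32 for f in format_ids)

def format_request(format_id: int) -> bytes:
    return struct.pack("<I", format_id)  # requestedFormatId

@dataclass
class ClipAudit:
    text: str         # content converted for the playback page
    direction: str    # "client->target" or "target->client" (constructed labels)
    fmt: int

class ClipboardAuditor:
    """Follows one copy/paste exchange between host A (copy side) and host B
    (paste side) as seen by the RDP proxy, and records the pasted content."""
    def __init__(self, remote_codepage: str = "gbk"):
        self.remote_codepage = remote_codepage  # ANSI code page of the remote desktop
        self.offered: List[int] = []
        self.requested: Optional[int] = None
        self.records: List[ClipAudit] = []

    def decode(self, fmt: int, data: bytes) -> str:
        if fmt == CF_UNICODETEXT:              # null-terminated UTF-16LE
            return data.decode("utf-16-le").split("\x00", 1)[0]
        if fmt == CF_TEXT:                     # null-terminated ANSI text
            return data.split(b"\x00", 1)[0].decode(self.remote_codepage)
        return f"<binary {len(data)} bytes>"

    def observe(self, pdu: bytes, direction: str) -> Optional[str]:
        """Feed one clipboard PDU; returns the event line the proxy records."""
        msg_type, flags, length = HDR.unpack_from(pdu, 0)
        body = pdu[HDR.size:HDR.size + length]
        if msg_type == CB_FORMAT_LIST:          # copy: clipboard update notification
            self.offered = [struct.unpack_from("<I", body, o)[0] for o in range(0, len(body), 36)]
            return f"copy offered formats {self.offered} ({direction})"
        if msg_type == CB_FORMAT_LIST_RESPONSE: # peer updated its local clipboard
            return "clipboard updated" if flags & CB_RESPONSE_OK else "clipboard update failed"
        if msg_type == CB_FORMAT_DATA_REQUEST:  # paste: ask for the stored data
            self.requested, = struct.unpack_from("<I", body, 0)
            return f"paste requested format {self.requested} ({direction})"
        if msg_type == CB_FORMAT_DATA_RESPONSE and self.requested is not None:
            text = self.decode(self.requested, body)
            self.records.append(ClipAudit(text, direction, self.requested))
            return f"paste data {text!r} ({direction})"
        return None

def leaves_local_system(rec: ClipAudit) -> bool:
    """Constructed policy: data the target machine answers toward the client is
    content leaving the remote system through the clipboard."""
    return rec.direction == "target->client"
```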
Further, the apparatus also comprises:
an obtaining module 410, configured to obtain, when the protocol data packet is a protocol data packet of file header content, the name of the opened file according to the remote desktop operation of the user.
In the embodiment of the application, the name of the opened file is obtained according to the remote desktop operation of the user. The remote desktop operation text is stored in a 256 × 256 cache, and the operating system is accessed from the remote desktop based on the ID. When the cache is insufficient, the original content can be overwritten, so that the file title content can be obtained in time according to actual conditions.
The method and the device receive an I/O request sent by an RDP client through the RDP proxy service, analyze the protocol data packet received from the RDP client during operation and maintenance, determine the operation action code stream information in the protocol data packet that is used to extract the graphics protocol content, insert that operation action code stream information into the received I/O request to form a modified I/O request, send the modified I/O request to the target machine, receive the I/O response made by the target machine to the modified I/O request, and send the I/O response to the RDP client. According to the method and the device, the corresponding data packets are located at the proper positions of the RDP protocol and the protocol data packets are integrated, so that user operations such as mouse and keyboard input, pasting, copying and opening files are recorded. The method and the device extract the graphics protocol content during RDP operation and maintenance, which not only addresses the security control of data transmission but also monitors both local operations and remote desktop operations, so that it can be checked which dangerous operations an operator specifically carried out.
It will be apparent to those skilled in the art that embodiments of the present application may be provided as a method, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While the preferred embodiments of the present application have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all alterations and modifications as fall within the scope of the application.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.

Claims (12)

1. An intelligent auditing method, characterized in that the method comprises:
receiving an I/O request sent by an RDP client;
analyzing a protocol data packet received from the RDP client in the operation and maintenance process, and determining code stream information of an operation action in the protocol data packet;
judging whether the user operation belongs to a dangerous operation according to the determined code stream information of the operation action;
if so, sending the dangerous operation information and the I/O request to the target machine, and receiving a response that the target machine blocks the user operation;
if not, executing the step of inserting the code stream information of the determined operation action into the received I/O request;
inserting the code stream information of the determined operation action into the received I/O request to form a modified I/O request;
sending the modified I/O request to a target machine;
receiving an I/O response made by the target machine to the modified I/O request, and then sending the I/O response to the RDP client;
wherein judging whether the user operation belongs to a dangerous operation specifically comprises:
judging, through the user picture data clicked by the user with the keyboard or the mouse, whether the user environment information is being modified, the user password is being modified, important user information is being deleted, or important user information is being sent to a non-local system, and if so, determining that the user operation belongs to a dangerous operation.
2. The method of claim 1, wherein the determining code stream information of the operation action in the protocol data packet comprises: determining code stream information of local operation actions and code stream information of remote desktop operation actions in the protocol data packet.
3. The method according to claim 2, wherein the code stream information of the operation action specifically includes: mouse and keyboard operation information, clipboard operation information and file title content extraction operation information.
4. The method of claim 3, wherein when the protocol packet is a protocol packet of a mouse/keyboard, the data of the mouse/keyboard operation is transmitted through a first virtual channel.
5. The method of claim 3, wherein when the protocol packet is a clipboard protocol packet, data of the clipboard operation is transmitted through a second virtual channel.
6. The method according to claim 3, wherein when the protocol data packet is a protocol data packet of a file header content, the file header content is obtained by obtaining an opened file name according to a remote desktop operation of a user.
7. An intelligent auditing apparatus, the apparatus comprising:
the receiving module is used for receiving an I/O request sent by the RDP client;
the protocol analysis module is used for analyzing a protocol data packet received from the RDP client in the operation and maintenance process and determining code stream information of an operation action in the protocol data packet;
the judging module is used for judging whether the user operation belongs to the dangerous operation or not according to the code stream information of the determined operation action before the code stream information of the determined operation action is inserted into the received I/O request;
if so, sending the dangerous operation information and the I/O request to the target machine, and receiving a response that the target machine blocks the user operation;
if not, executing a step of inserting the code stream information of the determined operation action into the received I/O request;
the generating module is used for inserting the code stream information of the determined operation action into the received I/O request to form a modified I/O request;
a sending module for sending the modified I/O request to a target machine;
the receiving and sending module is used for receiving an I/O response made by the target machine to the modified I/O request and then sending the I/O response to the RDP client;
the judging module is further used for judging whether the user environment information is modified, the user password is modified, the user important information is deleted, and the user important information is sent to a non-local system through the user picture data clicked by a keyboard or a mouse of the user, and if so, the user operation is determined to belong to dangerous operation.
8. The apparatus of claim 7, further comprising:
a determining module, configured to determine the code stream information of the local operation action and the code stream information of the remote desktop operation action in the protocol data packet.
9. The apparatus according to claim 8, wherein the code stream information of the operation action specifically includes: mouse and keyboard operation information, clipboard operation information and file title content extraction operation information.
10. The apparatus of claim 9, further comprising:
a first virtual channel layer, configured to transmit the data of the mouse and keyboard operation when the protocol data packet is a mouse and keyboard protocol data packet.
11. The apparatus of claim 10, further comprising:
a second virtual channel layer, configured to transmit the data of the clipboard operation when the protocol data packet is a clipboard protocol data packet.
12. The apparatus of claim 11, further comprising:
an acquisition module, configured to acquire the name of the opened file according to the remote desktop operation of the user when the protocol data packet is a protocol data packet of file header content.
CN201710050963.6A 2017-01-23 2017-01-23 Intelligent auditing method and device Active CN106713494B (en)
Publications (2)

Publication Number Publication Date
CN106713494A CN106713494A (en) 2017-05-24
CN106713494B true CN106713494B (en) 2020-05-08