CN106991301A - Methods, devices and systems for anti-tamper rights management - Google Patents
Methods, devices and systems for anti-tamper rights management Download PDFInfo
- Publication number
- CN106991301A CN106991301A CN201610035296.XA CN201610035296A CN106991301A CN 106991301 A CN106991301 A CN 106991301A CN 201610035296 A CN201610035296 A CN 201610035296A CN 106991301 A CN106991301 A CN 106991301A
- Authority
- CN
- China
- Prior art keywords
- module
- tamper
- updates
- processing business
- file
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/51—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Theoretical Computer Science (AREA)
- Software Systems (AREA)
- Computer Hardware Design (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Storage Device Security (AREA)
Abstract
The present invention discloses a kind of methods, devices and systems for anti-tamper rights management.This method includes:Processing business and updates module sends processing business and updates to authority management module and notified when receiving processing business and updates triggering message;Authority management module indicates that tamper-resist module opens anti-tamper rights management when receiving processing business and updates notice;After tamper-resist module opens anti-tamper rights management, processing business and updates module carries out processing business and updates flow.The present invention can effectively solve the problem that the problem of current tamper-resistance techniques are weak related to business by the way that anti-tamper rights management function is combined with operation flow, by anti-tamper authority and processing business and updates flow reasonable combination, and then realize the anti-tamper requirement of more high safety rank.
Description
Technical field
The present invention relates to information security field, more particularly to a kind of side for anti-tamper rights management
Method, device and system.
Background technology
With the development of Internet technology, WEB application more and more extensively and profoundly arrives every field,
The contact of enterprises is more and more closer, the value more and more higher of data, the frequency of network safety event
Hair, causes people enterprise and people also increasingly to pay attention to network security, especially WEB application safety.
Although having the safety precaution means such as fire wall, intrusion detection at present, WEB application system
Complexity and diversity cause system vulnerability to emerge in an endless stream, hard to guard against, hacker attacks and distorts page
The event in face happens occasionally.For these situations, webpage tamper resistant systems are arisen at the historic moment, through excessive
Year development, the technology that webpage tamper resistant systems are used also in continuous development and updates, to current
Untill, webpage tamper-resistance techniques have had evolved to the third generation.
Third generation tamper-resistance techniques have original excellent in terms of security, execution efficiency and ease for use
Gesture.Page tamper-resist module is using operating system layer filter Driver on FSD level protection technique, to any
File is monitored, and performs accuracy rate high.So do and prevented that the poll scan-type page is anti-to usurp completely
The possibility that content is accessed by the user is tampered in the sweep spacing for changing software, be it is a kind of simple, efficiently,
Security and a kind of high tamper-resistance techniques.
But, existing tamper-resistance techniques are isolated in protective survey flow with business, relatively independent,
I.e. tamper-resistance techniques are weak related to business.Under the frequent scene of processing business and updates can to tamper-resistance techniques with
Business closely requires to be unable to reach, and is increasingly not suitable with the growth requirement of business.
The content of the invention
In view of above technical problem, the invention provides a kind of method for anti-tamper rights management,
Device and system, can effectively solve the problem that the problem of current tamper-resistance techniques are weak related to business, will be anti-
Distort authority and carry out reasonable combination with processing business and updates flow.
According to an aspect of the present invention there is provided a kind of method for anti-tamper rights management,
Including:
Processing business and updates module is sent out when receiving processing business and updates triggering message to authority management module
Processing business and updates are sent to notify;
Authority management module indicates that tamper-resist module is opened anti-when receiving processing business and updates notice
Distort rights management;
After tamper-resist module opens anti-tamper rights management, processing business and updates module carries out business more
New technological process.
In one embodiment of the invention, methods described also includes:
When processing business and updates module carries out processing business and updates flow, tamper-resist module monitoring processing business and updates
Modification of the module to file is operated.
In one embodiment of the invention, the step of the modification operation of tamper-resist module monitoring file
Suddenly include:
Tamper-resist module judge the current modification process of processing business and updates module whether belong to it is legal enter
Journey;
If current modification process belongs to legitimate processes, current modification process is allowed to change protected
File;
If current modification process is not belonging to legitimate processes, refuses current modification process modification and protected
Protect file.
In one embodiment of the invention, when processing business and updates module carries out processing business and updates flow,
Methods described also includes:
Command processing module is when processing business and updates module needs to operate file, according to grasping
The file of work, forms file request order;
After file request order is encrypted command processing module, the command request of encryption is sent
To anti-tamper authority management module;
The command request that authority management module resolve command processing module is sent, and to command request
It is decrypted;
Authority management module is verified to the command request after decryption;
Command request after decryption is converted to and currently repaiied after verification passes through by authority management module
The data message of journey is improved, so as to tamper-resist module repairing according to current modification monitoring the process file
Change operation.
In one embodiment of the invention, methods described also includes:
Processing business and updates module sends to authority management module and updated after processing business and updates flow terminates
End notification;
Authority management module indicates that tamper-resist module is closed anti-when receiving renewal end notification
Distort rights management.
According to another aspect of the present invention there is provided a kind of device for anti-tamper rights management, bag
Processing business and updates module, authority management module and tamper-resist module are included, wherein:
Processing business and updates module, for receiving during processing business and updates triggering message, to rights management mould
Block sends processing business and updates and notified;
Authority management module, for when receiving processing business and updates notice, being sent out to tamper-resist module
Open command is sent, to indicate that tamper-resist module opens anti-tamper rights management;
Tamper-resist module, for the open command according to authority management module, opens anti-tamper power
Limit management;And after anti-tamper rights management is opened, indicate that processing business and updates module carries out business more
New operation.
In one embodiment of the invention, tamper-resist module is additionally operable to enter in processing business and updates module
During row processing business and updates flow, modification of the monitoring processing business and updates module to file is operated.
In one embodiment of the invention, tamper-resist module includes recognition unit and protection location,
Wherein:
Recognition unit, for judging whether the current modification process of processing business and updates module belongs to legal
Process;
Protection location, for the judged result according to recognition unit, if current modification process belongs to
Legitimate processes, then allow current modification process to change agent-protected file;If currently modification process is not
Belong to legitimate processes, then refuse current modification process modification agent-protected file.
In one embodiment of the invention, described device also includes command processing module, wherein:
Command processing module, for when processing business and updates module needs to operate file, root
According to the file to be operated, file request order is formed;And file request order is encrypted
Afterwards, the command request of encryption is sent to anti-tamper authority management module;
Authority management module is additionally operable to the command request of resolve command processing module transmission, and to life
Request is made to be decrypted;Command request after decryption is verified;And after verification passes through,
Command request after decryption is converted to the data message of current modification process, so as to anti-tamper mould
Root tuber is operated according to current modification monitoring the process processing business and updates module to the modification of file.
In one embodiment of the invention, processing business and updates module is additionally operable in processing business and updates flow
After end, sent to authority management module and update end notification;Authority management module is additionally operable to
When receiving renewal end notification, indicate that tamper-resist module closes anti-tamper rights management.
According to another aspect of the present invention there is provided a kind of system for anti-tamper rights management, bag
Tamper resistant device, anti-tamper management equipment and service management device are included, wherein:
Tamper resistant device, is the dress for anti-tamper rights management described in any of the above-described embodiment
Put;
Anti-tamper management equipment, for configuring prevention policies to tamper resistant device;
Service management device, renewal and maintenance for management business file.
In one embodiment of the invention, the tamper resistant device is arranged on objective of defense equipment
On.
The present invention, can be effective by the way that anti-tamper rights management function is combined with operation flow
The problem of current tamper-resistance techniques are weak related to business is solved, by anti-tamper authority and business more
New technological process reasonable combination, and then realize the anti-tamper requirement of more high safety rank.
Brief description of the drawings
In order to illustrate more clearly about the embodiment of the present invention or technical scheme of the prior art, below will
The required accompanying drawing used in embodiment or description of the prior art is briefly described, it is clear that
Ground, drawings in the following description are only some embodiments of the present invention, for the common skill in this area
For art personnel, without having to pay creative labor, it can also be obtained according to these accompanying drawings
Obtain other accompanying drawings.
Schematic diagrames of the Fig. 1 for the present invention for system one embodiment of anti-tamper rights management.
Schematic diagrames of the Fig. 2 for the present invention for device one embodiment of anti-tamper rights management.
Fig. 3 is the schematic diagram of tamper-resist module in one embodiment of the invention.
Schematic diagrames of the Fig. 4 for the present invention for another embodiment of device of anti-tamper rights management.
Schematic diagrames of the Fig. 5 for the present invention for method one embodiment of anti-tamper rights management.
Schematic diagrames of the Fig. 6 for the present invention for another embodiment of method of anti-tamper rights management.
Schematic diagrames of the Fig. 7 for the present invention for the another embodiment of method of anti-tamper rights management..
Embodiment
Below in conjunction with the accompanying drawing in the embodiment of the present invention, to the technical scheme in the embodiment of the present invention
It is clearly and completely described, it is clear that described embodiment is only that a part of the invention is real
Apply example, rather than whole embodiments.Description below at least one exemplary embodiment is actual
On be merely illustrative, never as to the present invention and its application or any limitation for using.Base
Embodiment in the present invention, those of ordinary skill in the art are not making creative work premise
Lower obtained every other embodiment, belongs to the scope of protection of the invention.
Unless specifically stated otherwise, the part that otherwise illustrates in these embodiments and step it is relative
Arrangement, numerical expression and numerical value are not limited the scope of the invention.
Simultaneously, it should be appreciated that for the ease of description, the size of the various pieces shown in accompanying drawing
It is not to be drawn according to actual proportionate relationship.
It may not make in detail for technology, method and apparatus known to person of ordinary skill in the relevant
Discuss, but in the appropriate case, the technology, method and apparatus should be considered as authorizing specification
A part.
In shown here and discussion all examples, any occurrence, which should be construed as merely, to be shown
Example property, not as limitation.Therefore, the other examples of exemplary embodiment can have not
Same value.
It should be noted that:Similar label and letter represents similar terms in following accompanying drawing, therefore,
Once being defined in a certain Xiang Yi accompanying drawing, then it need not be entered to advance in subsequent accompanying drawing
One step discussion.
Schematic diagrames of the Fig. 1 for the present invention for system one embodiment of anti-tamper rights management.Such as
Shown in Fig. 1, the present invention for anti-tamper rights management system can include tamper resistant device 1,
Anti-tamper management equipment 2 and service management device 3, wherein:
Anti-tamper management equipment 2, for before processing business and updates, configuring anti-to tamper resistant device 1
Shield strategy, i.e. configuration agent-protected file or catalogue and the process white list of permission file operation (are closed
Method process).
Service management device 3, for manage in objective of defense equipment 4 renewal of service scripts and
Safeguard.
Tamper resistant device 1, for being needed in service management device 3 to objective of defense equipment 4
Service scripts when being updated, open anti-tamper authority;Processing business and updates flow is monitored to file
Modification operation, allow in monitoring process legitimate processes to change agent-protected file, refusal illegally enters
Journey (the not process in the process white list of configuration) changes agent-protected file.
In one embodiment of the invention, the tamper resistant device 1 can be arranged on anti-eye protection
On marking device 4.
In one embodiment of the invention, objective of defense equipment 4 can be user terminal or clothes
Business device.
In one particular embodiment of the present invention, objective of defense equipment 4 can regard for IPTV
Interrogate platform EPG (Electronic Program Guide, electronic program guides) server.
In one embodiment of the invention, tamper resistant device 1 can be also used for processing business and updates stream
At the end of journey, anti-tamper rights management is closed, forbids any process modification agent-protected file.
It is based on what the present invention that the above embodiment of the present invention is provided was used for anti-tamper rights management
System, anti-tamper rights management function is combined with operation flow, realized in processing business and updates stream
Forbid any process modification agent-protected file during journey not enabled;It can realize in processing business and updates flow
At the beginning and end of the anti-tamper rights management of circular document open and close;Updated in operation flow
During, it is allowed to legitimate processes change agent-protected file, are broken through the short time even if hacker can be achieved
System also because that can not be distorted can not findding out the concrete operations time of business to file, from
And the need for meeting the protection of carrier class service security.
In one embodiment of the invention, tamper resistant device 1 can be also used for the scheduled time
It is spaced to anti-tamper management equipment 2 and uploads protection daily record;And attempt to repair in the illegal process of discovery
When changing agent-protected file, alarm information is sent to anti-tamper management equipment 2.
Anti-tamper management equipment 2 can be also used for collecting daily record and the announcement that tamper resistant device 1 is uploaded
Alert message.
The anti-tamper management equipment 2 of the above embodiment of the present invention can collect tamper resistant device 1 and upload
Daily record and alarm information, thus user can easily inquire about tamper resistant device to the objective of defense
The protection effect of equipment, and illegal process can also be found in time according to alarm information and performed
Corresponding safeguard measure.
It is used for device (i.e. Fig. 1 of anti-tamper rights management to the present invention below by specific embodiment
Tamper resistant device 1 in embodiment) 26S Proteasome Structure and Function and the present invention be used for anti-tamper power
The method of limit management describes in detail.
Schematic diagrames of the Fig. 2 for the present invention for device one embodiment of anti-tamper rights management.Such as
Shown in Fig. 2, the tamper resistant device 1 in Fig. 1 embodiments can specifically include processing business and updates module
11st, authority management module 12 and tamper-resist module 13, wherein:
Processing business and updates module 11, for receiving during processing business and updates triggering message, to rights management
Module 12 sends processing business and updates and notified, the processing business and updates triggering message includes needs renewal
Fileinfo and modification process.
In one embodiment of the invention, the processing business and updates triggering message can actively be touched
Hair, i.e., the triggering message produced for the device itself of anti-tamper rights management.For example:For
The device of anti-tamper rights management could be arranged to carry out the active of processing business and updates with predetermined time interval
Triggering.
In another embodiment of the invention, the processing business and updates triggering message can be business pipe
Manage what equipment 3 was sent, device the touching according to service management device 3 for anti-tamper rights management
Send out message and carry out processing business and updates.It is a kind of i.e. for the device for anti-tamper rights management
Passive triggering.
Authority management module 12, for when receiving processing business and updates notice, to tamper-resist module
13 send open command, to indicate that tamper-resist module 13 opens anti-tamper rights management.
Tamper-resist module 13, for the open command according to authority management module 12, opens anti-
Distort rights management;And after anti-tamper rights management is opened, indicate processing business and updates module 11
Carry out processing business and updates operation.
In one embodiment of the invention, the installation form of tamper-resist module 13 can be using such as
Corn module is installed, the forms such as driving, process are installed.
In one embodiment of the invention, processing business and updates module 11 can provide such as WEB
Using etc. specific business function renewal.
In one embodiment of the invention, the processing business and updates operation can be related to the objective of defense
The modification of file in equipment 4, the modification includes renewal, deletion etc..
In one embodiment of the invention, processing business and updates module 11 can be also used for entering industry
During business more new technological process, it will currently change process (currently updating process) and be sent to tamper-resist module
13.Tamper-resist module 13 can be also used for carrying out processing business and updates flow in processing business and updates module 11
When, the modification according to current modification monitoring the process processing business and updates module 11 to file is operated.
In one embodiment of the invention, processing business and updates module 11 can be also used in business more
After new technological process terminates, sent to authority management module 12 and update end notification;Authority management module
12 can be also used for, when receiving renewal end notification, indicating that tamper-resist module 13 is closed anti-
Distort rights management.
In one embodiment of the invention, tamper-resist module 13 can be also used in processing business and updates
Module 11 is carried out before processing business and updates, receives and configure the protection plan that anti-tamper management equipment 2 is sent
Slightly, wherein the prevention policies include agent-protected file or catalogue and allow entering for file operation
Journey white list (i.e. legitimate processes).
Fig. 3 is the schematic diagram of tamper-resist module in one embodiment of the invention.As shown in figure 3, figure
Tamper-resist module 13 in 2 embodiments can include recognition unit 131 and protection location 132,
Wherein:
Recognition unit 131, for judging whether the current modification process of processing business and updates module 11 belongs to
In legitimate processes.
Protection location 132, for the judged result according to recognition unit 131, if current modification
Process belongs to legitimate processes, then allows current modification process to change agent-protected file;If currently repairing
Improve journey and be not belonging to legitimate processes, then refuse current modification process modification agent-protected file.
The above embodiment of the present invention combination processing business and updates flow proposition one is anti-tamper based on the third generation
The enhanced tamper resistant device of function, can effectively solve the problem that current tamper-resistance techniques and the weak phase of business
The problem of pass, anti-tamper authority and processing business and updates flow reasonable combination compared with prior art can
Enough anti-tamper requirements that more high safety rank is provided in carrier class business.
For the relatively existing tamper-resistance techniques of the above embodiment of the present invention, have the following advantages:
1st, when processing business and updates flow is not triggered, forbid all process modification agent-protected files, improve
Security.
2nd, unlatching and the pass of anti-tamper rights management are notified at the beginning and end of processing business and updates flow
Close, only in processing business and updates flow, legal modifications operation can be carried out to agent-protected file, this
Broken through the short time even if hacker under the conditions of kind system also concrete operations because business can not be found out when
Between and file is distorted.
In one particular embodiment of the present invention, carry out business is needed in service management device 3
During renewal, such as when needing modification a.jsp files, the operation for changing a.jsp files is issued
To processing business and updates module 11, and notify authority management module 12;Authority management module 12
Notify and open anti-tamper authority, if the modification process is legitimate processes, in tamper-resist module
The lower processing business and updates module 11 of 13 monitorings completes regular traffic and updated.
Schematic diagrames of the Fig. 4 for the present invention for another embodiment of device of anti-tamper rights management.With
Embodiment illustrated in fig. 2 is compared, in the embodiment shown in fig. 4, and described device can also include order
Processing module 14, wherein:
Command processing module (processing business and updates interface command processing module) 14, in business more
New module 11 is carried out in processing business and updates flow, it is necessary to when being operated to file, according to operating
File, formed file request order;And after file request order is encrypted, send
The command request of encryption gives anti-tamper authority management module 12.
The order that authority management module 12 can be also used for the transmission of resolve command processing module 14 please
Ask, and command request is decrypted;Command request after decryption is verified;And
After verification passes through, the command request after decryption is converted to the data message of current modification process,
The data structure of wherein current modification process is the data structure that tamper-resist module 13 can be recognized,
So as to tamper-resist module 13 according to current modification monitoring the process processing business and updates module 11 to file
Modification operation.
The present invention passes through the command process for the processing business and updates interface for being arranged on processing business and updates module 11
Processing and encryption and authority pipe of the module 14 to the Chinese part operational order of file more new technological process
The parsing, decryption and translation conversion of 12 pairs of orders of module are managed, command request biography is improved
Defeated security, so as to further increase the security of agent-protected file.
In one embodiment of the invention, tamper-resist module 13 can be also used for kidnapping file
Operation, obtains the process context of operation file, to the rule of correspondence in the order of lighting module,
Judge the legitimacy of the access of file, once file operation is judged not in the data structure of permission,
Then refuse, make the protection to file.
In one embodiment of the invention, as shown in figure 4, described device can also include industry
Business processing module 15, wherein:
Service Processing Module 15, for the processing business and updates notice of processing business management equipment 3, and
When receiving the processing business and updates notice, sent to processing business and updates module 11 and update triggering message.
In another embodiment of the invention, Service Processing Module 15 can be also used for pre- timing
Between be spaced to processing business and updates module 11 send actively triggering renewal trigger message.
The above embodiment of the present invention can actively or passively trigger processing business and updates module and carry out business more
New technological process.
In one embodiment of the invention, as shown in figure 4, described device can also include preventing
Client 16 and uploading module 17 are distorted, wherein:
Tamper-resist module 13 is additionally operable to, when finding that illegal process attempts to change agent-protected file, refer to
Show that uploading module 17 sends alarm information to anti-tamper management equipment 2, and indicate anti-tamper client
Outwards alarmed by type of alarms such as sound, light, electricity at end 16.
Uploading module 17, for being uploaded with predetermined time interval to anti-tamper management equipment 2 is uploaded
Protect daily record.
The above embodiment of the present invention allows user easily to inquire about tamper resistant device to anti-eye protection
The protection effect of marking device, it is possible to find illegal process in time according to alarm information and perform phase
The safeguard measure answered.
In one embodiment of the invention, anti-tamper client 16 can be also used for receiving user
The agent-protected file information and legitimate processes information of setting, and by agent-protected file information and legal
Progress information is configured to tamper-resist module 13.
Thus user can also be configured by anti-tamper client 16 in the above embodiment of the present invention
Agent-protected file information and legitimate processes information, so as to be convenient for users to operate.
In a specific embodiment of the invention, shown in Fig. 1 is for anti-tamper rights management
System and Fig. 2-Fig. 4 any one of the device for anti-tamper rights management be deployed in
On IPTV video signal platform EPG servers, tried out by wearing to survey in detail with existing network, in the present invention
State embodiment trial effect good, electricity can be provided for magnanimity dynamic more new file in EPG server
Believe level security protection.
Schematic diagrames of the Fig. 5 for the present invention for method one embodiment of anti-tamper rights management.It is excellent
Choosing, the present embodiment can be as being used for anti-tamper authority pipe described in any of the above-described embodiment of the invention
The device of reason is performed.This method comprises the following steps:
Step 501, processing business and updates module 11 is when receiving processing business and updates triggering message, Xiang Quan
Limit management module 12 and send processing business and updates notice.
In one embodiment of the invention, the processing business and updates triggering message can be by anti-tamper
The device of rights management itself actively triggering or the passively triggering of service management device 3 by the external world
's.
Step 502, authority management module 12 indicates anti-usurps when receiving processing business and updates notice
Change module 13 and open anti-tamper rights management.
Step 503, after tamper-resist module 13 opens anti-tamper rights management, processing business and updates mould
Block 11 carries out processing business and updates flow.
In one embodiment of the invention, methods described can also include:Processing business and updates module
11 after processing business and updates flow terminates, and is sent to authority management module 12 and updates end notification;
Authority management module 12 indicates that tamper-resist module 13 is closed when receiving renewal end notification
Anti-tamper rights management.
The method for anti-tamper rights management provided based on the above embodiment of the present invention,
During processing business and updates flow not enabled, forbid any process modification agent-protected file, in business more
The anti-tamper rights management of circular document is opened and closed at the beginning and end of new technological process, only in industry
In flow renewal process of being engaged in, it is allowed to which legitimate processes change agent-protected file.
Schematic diagrames of the Fig. 6 for the present invention for another embodiment of method of anti-tamper rights management.It is excellent
Choosing, the present embodiment can be as being used for anti-tamper authority pipe described in any of the above-described embodiment of the invention
The device of reason is performed.This method comprises the following steps:
Step 601, processing business and updates module 11 is receiving processing business and updates triggering message (for example more
New a.jsp) when, send processing business and updates to authority management module 12 and notify.
Step 602, authority management module 12 indicates anti-usurps when receiving processing business and updates notice
Change module 13 and open anti-tamper rights management.
Step 603, tamper-resist module 13 opens anti-tamper rights management.
Step 604, after tamper-resist module 13 opens anti-tamper rights management, tamper-resist module
13 instruction processing business and updates modules 11 proceed by processing business and updates flow.
Step 605, processing business and updates module 11 carries out processing business and updates flow.
Step 606, when processing business and updates module 11 carries out processing business and updates flow, anti-tamper mould
Block 13 is according to current 11 pairs of the modification monitoring the process processing business and updates module of processing business and updates module 11
The modification operation of file.
Step 607, processing business and updates module 11 is after processing business and updates flow terminates, to rights management
Module 12, which is sent, updates end notification.
Step 608, authority management module 12 indicates anti-usurps when receiving renewal end notification
Change module 13 and close anti-tamper rights management.
Step 609, tamper-resist module 13 closes anti-tamper rights management.
Schematic diagrames of the Fig. 7 for the present invention for the another embodiment of method of anti-tamper rights management.
As shown in fig. 7, methods described can include:
Step 701, in the processing business and updates flow of processing business and updates module 11, processing business and updates module
11, when needing to operate the file of objective of defense equipment, send out to command processing module 14
Send the fileinfo for needing to operate.
Step 702, command processing module 14 is formed according to the fileinfo for needing to operate
File request order.
Step 703, file request order is encrypted command processing module 14.
Step 704, command processing module 14 sends the command request of encryption to anti-tamper authority pipe
Manage module 12.
Step 705, the order that the resolve command processing module 14 of authority management module 12 is sent please
Ask, and command request is decrypted.
Step 706, the command request after 12 pairs of decryption of authority management module, which is verified, (sentences
It is disconnected whether legal).
Step 707, authority management module 12 will be solved after verification passes through (it is legal to judge)
Command request after close is converted to the data message of current modification process, wherein currently modification process
Data structure be the data structure that can recognize of tamper-resist module 13, so as to tamper-resist module
13 operate according to the modification of current modification monitoring the process file.
Step 708, current modification process is sent to tamper-resist module 13 by authority management module 12.
Step 709, tamper-resist module 13 judge processing business and updates module current modification process whether
Belong to legitimate processes.
Step 710, if current modification process belongs to legitimate processes, tamper-resist module 13 allows
Current modification process modification agent-protected file;If current modification process is not belonging to legitimate processes,
Tamper-resist module 13 refuses current modification process modification agent-protected file.
In one embodiment of the invention, it is additionally operable in tamper-resist module 13 in processing business and updates mould
Block 11 is carried out before processing business and updates, and methods described can also include:Receive and configure anti-tamper management
The prevention policies that equipment is sent, wherein the prevention policies include agent-protected file or catalogue and
Allow the process white list (i.e. legitimate processes) of file operation.
In one embodiment of the invention, the configuration process of the prevention policies both can be in letter
Appoint to match somebody with somebody to postpone in equipment (such as anti-tamper management equipment) and anti-usurp is pushed under trusted devices active
Change module 13;It can also be entered at predetermined intervals from trusted devices by tamper-resist module 13
Row is actively downloaded and updated.
The above embodiment of the present invention under common procedure, service management device related service update into
Journey is configured in the white list strategy of tamper-resist module, and tamper-resist module is deployed in the objective of defense and set
It is standby upper, when occurring processing business and updates, the generation of tamper-resist module Monitoring and Update process, and effectively hinder
The generation only illegally distorted.
The above embodiment of the present invention employs the anti-tamper right management method based on informing mechanism,
When achievable processing business and updates flow is not triggered, forbid all processes modification agent-protected files, so that
Improve security;It may be implemented at the beginning and end of processing business and updates flow and notify anti-tamper authority
The opening and closing of management;Realize in processing business and updates flow, it is allowed to and only allow legitimate processes
Agent-protected file is modified operation, even if hacker has broken through system the short time under the conditions of such a
Also file is distorted because the concrete operations time of business can not be found out;In addition, of the invention
Disposed on IPTV video signal platforms EPG, and carried out detailed wear and survey on probation with existing network,
Trial effect is good, can provide carrier class peace for magnanimity dynamic more new file in EPG server
Full protection.
In one embodiment of the invention, in step 710, if current modification process is not belonging to
Legitimate processes, then methods described also include:Indicate uploading module 17 to anti-tamper management equipment 2
Send alarm information, and indicate anti-tamper client 16 by the type of alarms such as sound, light, electricity to
Outer alarm.
In one embodiment of the invention, methods described can also include uploading module 17 with pre-
Fix time to be spaced to the anti-tamper management equipment 2 of upload and upload protection daily record.
The above embodiment of the present invention allows user easily to inquire about tamper resistant device to anti-eye protection
The protection effect of marking device, it is possible to find illegal process in time according to alarm information and perform phase
The safeguard measure answered.
Processing business and updates module 11, authority management module 12 and anti-tamper mould described above
The functional units such as block 13, command processing module 14, Service Processing Module 15 can be implemented as using
In perform the general processor of function described herein, programmable logic controller (PLC) (PLC),
Digital signal processor (DSP), application specific integrated circuit (ASIC), field-programmable gate array
Arrange (FPGA) or other PLDs, discrete gate or transistor logic,
Discrete hardware components or it is any appropriately combined.
So far, the present invention is described in detail.In order to avoid the design of the masking present invention, do not have
Description some details known in the field.Those skilled in the art as described above, completely
It can be appreciated how implementing technical scheme disclosed herein.
One of ordinary skill in the art will appreciate that realizing all or part of step of above-described embodiment
It can be completed by hardware, the hardware of correlation can also be instructed to complete by program, it is described
Program can be stored in a kind of computer-readable recording medium, and storage medium mentioned above can be with
It is read-only storage, disk or CD etc..
Description of the invention is provided for the sake of example and description, and is not exhaustively
Or limit the invention to disclosed form.Common skill of many modifications and variations for this area
It is obvious for art personnel.Selection and description embodiment be in order to more preferably illustrate the present invention principle
And practical application, and make one of ordinary skill in the art it will be appreciated that the present invention is so as to design suitable
In the various embodiments with various modifications of special-purpose.
Claims (12)
1. a kind of method for anti-tamper rights management, it is characterised in that including:
Processing business and updates module is sent out when receiving processing business and updates triggering message to authority management module
Processing business and updates are sent to notify;
Authority management module indicates that tamper-resist module is opened anti-when receiving processing business and updates notice
Distort rights management;
After tamper-resist module opens anti-tamper rights management, processing business and updates module carries out business more
New technological process.
2. according to the method described in claim 1, it is characterised in that also include:
When processing business and updates module carries out processing business and updates flow, tamper-resist module monitoring processing business and updates
Modification of the module to file is operated.
3. method according to claim 2, it is characterised in that tamper-resist module monitoring text
The step of modification of part is operated includes:
Tamper-resist module judge the current modification process of processing business and updates module whether belong to it is legal enter
Journey;
If current modification process belongs to legitimate processes, current modification process is allowed to change protected
File;
If current modification process is not belonging to legitimate processes, refuses current modification process modification and protected
Protect file.
4. according to the method in claim 2 or 3, it is characterised in that in processing business and updates mould
When block carries out processing business and updates flow, in addition to:
Command processing module is when processing business and updates module needs to operate file, according to grasping
The file of work, forms file request order;
After file request order is encrypted command processing module, the command request of encryption is sent
To anti-tamper authority management module;
The command request that authority management module resolve command processing module is sent, and to command request
It is decrypted;
Authority management module is verified to the command request after decryption;
Command request after decryption is converted to and currently repaiied after verification passes through by authority management module
The data message of journey is improved, so as to tamper-resist module repairing according to current modification monitoring the process file
Change operation.
5. the method according to any one of claim 1-3, it is characterised in that also include:
Processing business and updates module sends to authority management module and updated after processing business and updates flow terminates
End notification;
Authority management module indicates that tamper-resist module is closed anti-when receiving renewal end notification
Distort rights management.
6. a kind of device for anti-tamper rights management, it is characterised in that including processing business and updates
Module, authority management module and tamper-resist module, wherein:
Processing business and updates module, for receiving during processing business and updates triggering message, to rights management mould
Block sends processing business and updates and notified;
Authority management module, for when receiving processing business and updates notice, being sent out to tamper-resist module
Open command is sent, to indicate that tamper-resist module opens anti-tamper rights management;
Tamper-resist module, for the open command according to authority management module, opens anti-tamper power
Limit management;And after anti-tamper rights management is opened, indicate that processing business and updates module carries out business more
New operation.
7. device according to claim 6, it is characterised in that
Tamper-resist module is additionally operable to, when processing business and updates module carries out processing business and updates flow, monitor industry
Modification of the update module of being engaged in file is operated.
8. device according to claim 7, it is characterised in that tamper-resist module includes knowing
Other unit and protection location, wherein:
Recognition unit, for judging whether the current modification process of processing business and updates module belongs to legal
Process;
Protection location, for the judged result according to recognition unit, if current modification process belongs to
Legitimate processes, then allow current modification process to change agent-protected file;If currently modification process is not
Belong to legitimate processes, then refuse current modification process modification agent-protected file.
9. the device according to claim 7 or 8, it is characterised in that at also including order
Module is managed, wherein:
Command processing module, for when processing business and updates module needs to operate file, root
According to the file to be operated, file request order is formed;And file request order is encrypted
Afterwards, the command request of encryption is sent to anti-tamper authority management module;
Authority management module is additionally operable to the command request of resolve command processing module transmission, and to life
Request is made to be decrypted;Command request after decryption is verified;And after verification passes through,
Command request after decryption is converted to the data message of current modification process, so as to anti-tamper mould
Root tuber is operated according to current modification monitoring the process processing business and updates module to the modification of file.
10. the device according to any one of claim 6-8, it is characterised in that
Processing business and updates module is additionally operable to after processing business and updates flow terminates, and is sent out to authority management module
Send renewal end notification;
Authority management module is additionally operable to, when receiving renewal end notification, indicate tamper-resist module
Close anti-tamper rights management.
11. a kind of system for anti-tamper rights management, it is characterised in that including anti-tamper
Device, anti-tamper management equipment and service management device, wherein:
Tamper resistant device, is to be used for anti-tamper authority as any one of claim 6-10
The device of management;
Anti-tamper management equipment, for configuring prevention policies to tamper resistant device;
Service management device, renewal and maintenance for management business file.
12. system according to claim 11, it is characterised in that the tamper resistant device
It is arranged in objective of defense equipment.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201610035296.XA CN106991301A (en) | 2016-01-20 | 2016-01-20 | Methods, devices and systems for anti-tamper rights management |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201610035296.XA CN106991301A (en) | 2016-01-20 | 2016-01-20 | Methods, devices and systems for anti-tamper rights management |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN106991301A true CN106991301A (en) | 2017-07-28 |
Family
ID=59414256
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201610035296.XA Pending CN106991301A (en) | 2016-01-20 | 2016-01-20 | Methods, devices and systems for anti-tamper rights management |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN106991301A (en) |
Cited By (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN111355993A (en) * | 2018-12-20 | 2020-06-30 | 中国电信股份有限公司 | Picture display method and device, set top box and computer readable storage medium |
| CN111967058A (en) * | 2020-07-28 | 2020-11-20 | 浙江军盾信息科技有限公司 | Tamper-proof method supporting user white list, electronic device and storage medium |
| CN112135165A (en) * | 2020-08-06 | 2020-12-25 | 河北广电无线传媒有限公司 | Method and system for preventing IPTV template file from being tampered |
| CN113595962A (en) * | 2020-04-30 | 2021-11-02 | 华为技术有限公司 | Safety control method and device and safety control equipment |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102902926A (en) * | 2012-10-11 | 2013-01-30 | 长春理工大学 | Website file anti-tampering method based on distributed file synchronization technology |
| CN103236932A (en) * | 2013-05-07 | 2013-08-07 | 安徽海加网络科技有限公司 | Webpage tamper-proofing device and method based on access control and directory protection |
| CN104348914A (en) * | 2014-10-31 | 2015-02-11 | 福建六壬网安股份有限公司 | Tamper-proofing system file synchronizing system and tamper-proofing system file synchronizing method |
-
2016
- 2016-01-20 CN CN201610035296.XA patent/CN106991301A/en active Pending
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102902926A (en) * | 2012-10-11 | 2013-01-30 | 长春理工大学 | Website file anti-tampering method based on distributed file synchronization technology |
| CN103236932A (en) * | 2013-05-07 | 2013-08-07 | 安徽海加网络科技有限公司 | Webpage tamper-proofing device and method based on access control and directory protection |
| CN104348914A (en) * | 2014-10-31 | 2015-02-11 | 福建六壬网安股份有限公司 | Tamper-proofing system file synchronizing system and tamper-proofing system file synchronizing method |
Cited By (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN111355993A (en) * | 2018-12-20 | 2020-06-30 | 中国电信股份有限公司 | Picture display method and device, set top box and computer readable storage medium |
| CN111355993B (en) * | 2018-12-20 | 2021-12-21 | 中国电信股份有限公司 | Picture display method and device, set top box and computer readable storage medium |
| CN113595962A (en) * | 2020-04-30 | 2021-11-02 | 华为技术有限公司 | Safety control method and device and safety control equipment |
| CN111967058A (en) * | 2020-07-28 | 2020-11-20 | 浙江军盾信息科技有限公司 | Tamper-proof method supporting user white list, electronic device and storage medium |
| CN112135165A (en) * | 2020-08-06 | 2020-12-25 | 河北广电无线传媒有限公司 | Method and system for preventing IPTV template file from being tampered |
| CN112135165B (en) * | 2020-08-06 | 2022-07-12 | 河北广电无线传媒有限公司 | Method and system for preventing IPTV template file from being tampered |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| Petrenko et al. | Protection model of PCS of subway from attacks type «wanna cry»,«petya» and «bad rabbit» IoT | |
| Miller et al. | Looking back to look forward: Lessons learnt from cyber-attacks on industrial control systems | |
| CN110691064B (en) | Safety access protection and detection system for field operation terminal | |
| US9503470B2 (en) | Distributed agent based model for security monitoring and response | |
| US9197652B2 (en) | Method for detecting anomalies in a control network | |
| US11689544B2 (en) | Intrusion detection via semantic fuzzing and message provenance | |
| KR100838799B1 (en) | System and operating method of detecting hacking happening for complementary security management system | |
| Ogie | Cyber security incidents on critical infrastructure and industrial networks | |
| CN106991301A (en) | Methods, devices and systems for anti-tamper rights management | |
| CN109088848A (en) | A kind of intelligent network connection automobile information method for security protection | |
| CN110099060A (en) | A kind of network information security guard method and system | |
| CN103236932A (en) | Webpage tamper-proofing device and method based on access control and directory protection | |
| CN115314286A (en) | Safety guarantee system | |
| CN110677415A (en) | Network information safety protection system | |
| Rekik et al. | A cyber-physical threat analysis for microgrids | |
| CN106027476A (en) | Identity card cloud authentication system and card reading system | |
| Rekik et al. | Cyber-physical security risk assessment for train control and monitoring systems | |
| Kovacevic et al. | Cyber attacks on critical infrastructure: Review and challenges | |
| He | RETRACTED: Analysis of Network Intrusion Detection Technology Based on Computer Information Security Technology | |
| Stoytcheva et al. | Security Threats and Models in the Field of Renewable Energy Systems | |
| Beretas | Industrial control systems: The biggest cyber threat | |
| CN115225415B (en) | Password application platform for new energy centralized control system and monitoring and early warning method | |
| CN114338166A (en) | Edge device risk processing method, device, equipment and cloud server | |
| Aziminejad | A Cyber-Physical Security Framework for Rail Transportation Data Systems | |
| Chakraborty | Digital defense: Verification of security intelligence |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| RJ01 | Rejection of invention patent application after publication |
Application publication date: 20170728 |
|
| RJ01 | Rejection of invention patent application after publication |