Specific embodiments
The present application is described in detail below with reference to the accompanying drawings and in conjunction with the embodiments. It should be noted that, where no conflict arises, the embodiments of the present application and the features in the embodiments may be combined with each other.
The present embodiment provides a method for identifying tampering with a system security log. As shown in Figure 1, the method includes:
Step 101, monitoring the system security log in real time using a file system minifilter driver in the kernel, and intercepting the monitored modification behavior of the system security log.
The file system minifilter driver in the kernel monitors the system security log file in real time, and thereby monitors in real time the modification behavior of the system security log stored in that file. Specifically, if the system security log in the system security log file receives no modification request, no processing is performed on the system security log; if the system security log in the system security log file receives a modification request, the modification behavior generated by that request on the system security log is intercepted.
Debugging of the relevant files shows that the system security log is generally stored in the system security log file Windows\System32\winevt\Logs\System.evtx.
Step 102, obtaining, according to the intercepted modification behavior of the system security log, the path information and the stack backtrace information corresponding to the modification behavior.
The intercepted modification behavior of the system security log is parsed; according to the type of the modification behavior, the manner of obtaining the path information and the manner of obtaining the stack backtrace information for that type are determined; and the path information and the stack backtrace information of the modification behavior are then obtained in the determined manners.
The types of modification behavior include adding data to, changing data in, and deleting data from the system security log.
Step 103, judging, according to the path information and the stack backtrace information of the modification behavior, whether the modification behavior is tampering with the system security log.
The obtained path information and stack backtrace information of the modification behavior are compared, respectively, with the standard path information and the standard stack backtrace information that correspond to the modification behavior in a preset rule base. If at least one of the path information and the stack backtrace information of the modification behavior is inconsistent with the corresponding standard path information or standard stack backtrace information in the preset rule base, the modification behavior is tampering with the system security log. Conversely, if both the path information and the stack backtrace information of the modification behavior are consistent with the corresponding standard path information and standard stack backtrace information in the preset rule base, the modification behavior is not tampering with the system security log.
By applying the technical solution of this embodiment, the system security log is monitored in real time using the file system minifilter driver in the kernel, the monitored modification behavior of the system security log is intercepted, the path information and the stack backtrace information corresponding to the intercepted modification behavior are obtained, and whether the modification behavior is tampering with the system security log is judged from that path information and stack backtrace information. The present application can thus use the file system minifilter driver in the kernel to monitor malicious tampering with system security event records inside the operating system in real time, while at the same time lowering the professional requirements on operation and maintenance personnel, reducing personnel cost, and achieving higher accuracy in identifying malicious tampering with system security event records inside the operating system.
Further, as a refinement and extension of the specific embodiment above, and in order to fully illustrate the specific implementation process of this embodiment, another method for identifying tampering with a system security log is provided. As shown in Figure 2, the method includes:
Step 201, monitoring the system security log in real time using a file system minifilter driver in the kernel, and intercepting the monitored modification behavior of the system security log.
Step 202, obtaining the configuration information of the modification behavior, and allowing legal modification of the system security log according to the security protection information, IRQL information, file name information and file size information in that configuration information.
Judging from the configuration information of the modification behavior whether it is tampering with the system security log, that is, allowing a modification of the system security log that is determined from its configuration information to be a legal modification carried out by a legitimate program, and making a further judgement on the modifications that are not allowed, effectively avoids the problem that judging a malicious modification only by program category or program path has coarse monitoring granularity and low monitoring precision. Specifically, when a dynamic link library is injected into a legitimate program to achieve direct disk read/write, or when an attacker exploits a vulnerability, such a monitoring means would allow some malicious modifications to pass, so that the operating system is maliciously exploited or attacked.
In embodiments of the present application, the configuration information of the modification behavior is obtained using a callback function of the Windows kernel in the file system minifilter driver, and whether the modification behavior is a legal modification of the system security log is judged according to the obtained configuration information. The callback function is invoked when the write request IRP_MJ_WRITE is received, and the configuration information of the modification behavior is obtained in that callback function.
It should be noted that, according to the demands of the practical application scenario, different restrictions may be placed on the obtained configuration information of the modification behavior: from the configuration information of the modification behavior, one or more of the security protection information, the IRQL information, the creation source information of the modification request, the I/O operation state information, the product parameter information, the file name information and the file size information are obtained.
For example, the security protection information is used to determine whether security protection is enabled, for instance whether the firewall is on; the IRQL information is used to determine whether the IRQL is the lowest level, PASSIVE_LEVEL; the creation source information of the modification request is used to determine whether the sender of the modification request is the application layer; the I/O operation state information is used to determine whether the I/O operation is a paging I/O operation, IRP_PAGING_IO; the product parameter information is used to determine whether the operation belongs to a preset product; the file name information is used to determine whether the file name is empty; and the file size information is used to determine whether the file is Windows\System32\winevt\Logs\System.evtx.
In embodiments of the present application, if the modification behavior is determined to be a legal modification of the system security log, it is allowed directly; if the modification behavior is determined not to be a legal modification of the system security log, it remains intercepted and is subjected to a further judgement by entering step 203. The modification behavior includes add behavior, change behavior and delete behavior.
Step 203, parsing the intercepted modification behavior to obtain the process information of the modification behavior.
In the embodiment above, the intercepted modification behavior is parsed and the process information of the modification behavior is obtained specifically as follows:
Step 2031, if the modification behavior is an add behavior, obtaining the process information of the add behavior from the dynamic link library called through the application programming interface (API).
After the modification behavior is determined to be an add behavior, the application programming interface (API) corresponding to the add request is determined from that add request, the dynamic link library corresponding to the add request is determined from the call to that API, and the service that executes the add request is determined from that dynamic link library, thereby obtaining the process information of the add behavior.
Step 2032, if the modification behavior is a change or delete behavior, obtaining the process information of the change or delete behavior from the system security log file in the evtx file format.
After the modification behavior is determined to be a change or delete behavior, the file format of the system security log file Windows\System32\winevt\Logs\System.evtx is parsed to determine the process information of the change or delete behavior.
Step 204, obtaining, according to the process information of the modification behavior, the path information corresponding to the modification behavior.
When the modification behavior is determined to be an add behavior, the path information of the add behavior is obtained from the process information of that add behavior; when the modification behavior is determined to be a change or delete behavior, the path information of the change or delete behavior is obtained from the process information of that change or delete behavior in the system security log file Windows\System32\winevt\Logs\System.evtx.
Step 205, querying the path information and the stack backtrace information of the modification behavior against a preset rule base.
The stack backtrace information corresponding to the modification behavior is obtained by backtracing the kernel stack; it contains the thread stack address sequence, from which it can be determined whether the modification behavior is tampering with the system security log.
Using the obtained path information and stack backtrace information of the modification behavior, the standard path information and standard stack backtrace information corresponding to that modification behavior are queried from the preset rule base, and whether the modification behavior is tampering with the system security log is determined, so that legal modifications of the system security log are allowed while tampering with the system security log is blocked.
Step 206, if the path information and the stack backtrace information of the modification behavior are consistent with the corresponding standard path information and standard stack backtrace information in the preset rule base, the modification behavior is a pending modification of the system security log, an execution request for that pending modification is sent to the application layer, and step 208 is entered.
It should be noted that, in order to guarantee the stability of the operating system, the execution request for the pending modification of the system security log sent to the application layer includes the process information (for example, a process identifier), the thread information (for example, a thread identifier) and the file path information of that pending modification.
Step 207, if at least one of the path information and the stack backtrace information of the modification behavior is inconsistent with the corresponding standard path information or standard stack backtrace information in the preset rule base, the modification behavior is tampering with the system security log; it is sent to the application layer interface via the application layer, and step 209 is entered.
It should be noted that, according to the demands of the practical application scenario, the execution request for the tampering with the system security log may also be sent to the application layer, entering step 208; this is not specifically limited here.
Step 208, the application layer obtains, according to the received execution request, the behavior log corresponding to that execution request; if the signature information in the behavior log is consistent with the preset signature information, the modification behavior is a legal modification of the system security log; if the signature information in the behavior log is inconsistent with the preset signature information, the modification behavior is tampering with the system security log, and step 209 is entered.
It should be noted that, according to the demands of the practical application scenario, the signature information in the behavior log may be application signature information or digital signature information. Taking application signature information as an example, the application layer parses the behavior log corresponding to the execution request according to the software behavior and obtains the application signature information, then compares the obtained application signature information with the preset application signature information. If they are consistent, the modification behavior is a legal modification of the system security log and is allowed; if they are inconsistent, the modification behavior is tampering with the system security log and is sent to the application layer interface.
Step 209, allowing or intercepting the tampering with the system security log according to a mode selection instruction from the user, where the mode selection instruction is a synchronous mode instruction or an asynchronous mode instruction.
In synchronous mode, the tampering with the system security log is allowed or intercepted according to an allow instruction or an intercept instruction from the user for that modification behavior; if no allow or intercept instruction is received from the user within a preset time, the tampering is given the default treatment. The default treatment may be allowing or intercepting, and is usually intercepting.
In asynchronous mode, no allow or intercept instruction from the user is needed for the modification behavior: once the modification behavior is confirmed to be tampering with the system security log, the default treatment is applied to it directly. The default treatment may be allowing or intercepting, and is usually intercepting. The tampering information is displayed in the application layer interface, and includes the process name, tampering time, file name and so on of the tampering with the system security log.
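The decision pipeline of steps 202 to 209, as an added user-mode model in C that is not the patent's driver code: the configuration gate of step 202, the rule-base comparison of path and stack backtrace of steps 205 to 207, the application layer signature check of step 208 and the mode handling of step 209. The types, the rule base entry, the process paths, the stack addresses and the signatures are all constructed assumptions, and the reading of step 202 (only a user-mode, PASSIVE_LEVEL, non-paging write to System.evtx is a tampering candidate) is this example's interpretation.

```c
/* Added example: a user-mode C model of the decision pipeline of steps 202-209.
 * Not the patent's driver code: every type, name, address, path and rule below
 * is constructed for illustration and is not a FltMgr/NTDDK declaration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef enum { VERDICT_LEGAL, VERDICT_PENDING, VERDICT_TAMPER } verdict_t;

/* Configuration information read in the pre-write callback (step 202). */
typedef struct {
    bool        protection_on;   /* security protection (e.g. firewall) enabled */
    int         irql;            /* 0 stands for PASSIVE_LEVEL */
    bool        from_user_mode;  /* the write request was created in the application layer */
    bool        paging_io;       /* IRP_PAGING_IO: a page flush, not an application edit */
    const char *file_name;       /* target file name, may be empty */
} profile_t;

/* Assumed reading of step 202: only a user-mode, PASSIVE_LEVEL, non-paging write
 * to System.evtx with protection enabled is a tampering candidate; any other
 * write is allowed as a legal modification. */
static bool profile_is_candidate(const profile_t *p) {
    if (!p->protection_on || p->irql != 0 || !p->from_user_mode || p->paging_io)
        return false;
    if (p->file_name == NULL || p->file_name[0] == '\0')
        return false;
    return strstr(p->file_name, "\\winevt\\Logs\\System.evtx") != NULL;
}

/* Path of the writing process (step 204) and its kernel stack backtrace, i.e.
 * the thread stack address sequence (step 205). */
typedef struct {
    const char *image_path;
    size_t      n_frames;
    uintptr_t   frames[8];
} trace_t;

/* Constructed rule base: the expected writer of the log and its standard call chain. */
static const trace_t RULE_BASE[] = {
    { "C:\\Windows\\System32\\svchost.exe", 3, { 0x7ff61a10, 0x7ff62b20, 0x8004c30 } },
};

/* Steps 205-207: path and whole stack sequence must both match one rule for the
 * write to be "pending" (handed to the application layer); a mismatch in either
 * is tampering, so an extra frame from an injected module fails the check. */
static verdict_t rule_base_verdict(const trace_t *t) {
    for (size_t i = 0; i < sizeof RULE_BASE / sizeof RULE_BASE[0]; i++) {
        const trace_t *r = &RULE_BASE[i];
        if (strcmp(t->image_path, r->image_path) != 0 || t->n_frames != r->n_frames)
            continue;
        if (memcmp(t->frames, r->frames, r->n_frames * sizeof t->frames[0]) == 0)
            return VERDICT_PENDING;
    }
    return VERDICT_TAMPER;
}

/* Step 208: the application layer compares the signature in the behavior log of
 * the pending write with the preset signature. */
static verdict_t application_layer_verdict(const char *observed_sig, const char *preset_sig) {
    return strcmp(observed_sig, preset_sig) == 0 ? VERDICT_LEGAL : VERDICT_TAMPER;
}

typedef enum { MODE_SYNC, MODE_ASYNC } run_mode_t;
typedef enum { ACTION_PASS, ACTION_INTERCEPT } action_t;

/* Step 209: user_reply is 1 (allow), 0 (intercept) or -1 (no reply within the
 * preset time). Asynchronous mode and a timeout take the default treatment,
 * which is interception. */
static action_t handle_tampering(run_mode_t mode, int user_reply) {
    if (mode == MODE_SYNC && user_reply >= 0)
        return user_reply ? ACTION_PASS : ACTION_INTERCEPT;
    return ACTION_INTERCEPT;
}

/* The whole pipeline for one intercepted write request. */
static verdict_t classify_write(const profile_t *p, const trace_t *t,
                                const char *observed_sig, const char *preset_sig) {
    if (!profile_is_candidate(p))
        return VERDICT_LEGAL;
    verdict_t v = rule_base_verdict(t);
    return v == VERDICT_PENDING ? application_layer_verdict(observed_sig, preset_sig) : v;
}

/* Constructed scenarios (sample data, not captured from a real system). */
static const char EVTX_NAME[] =
    "\\Device\\HarddiskVolume2\\Windows\\System32\\winevt\\Logs\\System.evtx";
static const profile_t CANDIDATE = { true, 0, true, false, EVTX_NAME };
static const trace_t LEGIT = { "C:\\Windows\\System32\\svchost.exe", 3,
                               { 0x7ff61a10, 0x7ff62b20, 0x8004c30 } };
static const trace_t FOREIGN = { "C:\\Users\\Public\\tool.exe", 3,
                                 { 0x7ff61a10, 0x7ff62b20, 0x8004c30 } };
/* Same process as the legitimate writer, but the chain passes through a foreign frame. */
static const trace_t INJECTED = { "C:\\Windows\\System32\\svchost.exe", 4,
                                  { 0x7ff61a10, 0x00410000, 0x7ff62b20, 0x8004c30 } };

verdict_t scenario_paging_flush(void) {   /* step 202 lets a cache flush through */
    profile_t p = CANDIDATE;
    p.paging_io = true;
    return classify_write(&p, &LEGIT, "sig-A", "sig-A");
}
verdict_t scenario_legit_writer(void)   { return classify_write(&CANDIDATE, &LEGIT, "sig-A", "sig-A"); }
verdict_t scenario_foreign_writer(void) { return classify_write(&CANDIDATE, &FOREIGN, "sig-A", "sig-A"); }
verdict_t scenario_injected_chain(void) { return classify_write(&CANDIDATE, &INJECTED, "sig-A", "sig-A"); }
verdict_t scenario_bad_signature(void)  { return classify_write(&CANDIDATE, &LEGIT, "sig-X", "sig-A"); }
```

The injected-chain scenario is the case the text singles out: the same legitimate process path, but a stack sequence that no longer matches the rule base, so the path check alone would have allowed it.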
It should be noted that the present application is suitable for operating systems deployed in the x86 and x64 environments of Windows 7 and Windows 10, on hardware at least sufficient to run Windows 7 smoothly. The main module of the present application resides in the kernel driver layer; the definition of the application layer interface is stored in a header file, and by using the defined application layer interface, seamless integration with the client application layer is achieved. In addition, using the test program framework corresponding to the present application, a perfect combination with related products can be achieved, with good compatibility, stable operation, real-time monitoring and control, a reduced false alarm rate, good interactivity, ease of operation, and detailed, controllable logging of behavior.
By applying the technical solution of this embodiment, the system security log is monitored in real time using the file system minifilter driver in the kernel, the monitored modification behavior of the system security log is intercepted, the path information and the stack backtrace information corresponding to the intercepted modification behavior are obtained, and whether the modification behavior is tampering with the system security log is judged from that path information and stack backtrace information. That is, based on the file object name in the file system minifilter driver and on the stack backtrace information obtained by backtracing the kernel stack, it is judged whether a modification of the system security log is illegal, so that tampering operations are prevented while legal modifications are allowed. This achieves real-time monitoring of malicious tampering with system security event records inside the operating system, while at the same time lowering the professional requirements on operation and maintenance personnel, reducing personnel cost, and achieving higher accuracy in identifying malicious tampering with system security event records inside the operating system.
Further, as a specific implementation of the method of Figure 1, an embodiment of the present application provides a device for identifying tampering with a system security log. As shown in Figure 3, the device includes a monitoring module 31, an acquisition module 32 and a judgement module 33.
The monitoring module 31 is configured to monitor the system security log in real time using a file system minifilter driver in the kernel, and to intercept the monitored modification behavior of the system security log;
the acquisition module 32 is configured to obtain, according to the intercepted modification behavior of the system security log, the path information and the stack backtrace information corresponding to the modification behavior;
the judgement module 33 is configured to judge, according to the path information and the stack backtrace information of the modification behavior, whether the modification behavior is tampering with the system security log.
In a specific application scenario, as shown in Figure 4, the device further includes a configuration module 34.
The configuration module 34 is configured to obtain the configuration information of the modification behavior, and to allow legal modification of the system security log according to the security protection information, IRQL information, file name information and file size information in that configuration information.
In a specific application scenario, as shown in Figure 4, the acquisition module 32 specifically includes a parsing unit 321 and a path unit 322.
The parsing unit 321 is configured to parse the intercepted modification behavior to obtain the process information of the modification behavior.
The path unit 322 is configured to obtain, according to the process information of the modification behavior, the path information corresponding to the modification behavior.
In a specific application scenario, as shown in Figure 4, the parsing unit 321 is specifically configured:
if the modification behavior is an add behavior, to obtain the process information of the add behavior from the dynamic link library called through the application programming interface (API); and
if the modification behavior is a change or delete behavior, to obtain the process information of the change or delete behavior from the system security log file in the evtx file format.
In a specific application scenario, as shown in Figure 4, the judgement module 33 specifically includes a query unit 331, a pending unit 332 and a tampering confirmation unit 333.
The query unit 331 is specifically configured to query the path information and the stack backtrace information of the modification behavior against a preset rule base;
the pending unit 332 is specifically configured, if the path information and the stack backtrace information of the modification behavior are consistent with the corresponding standard path information and standard stack backtrace information in the preset rule base, to treat the modification behavior as a pending modification of the system security log and to send an execution request for that pending modification to the application layer;
the tampering confirmation unit 333 is specifically configured, if at least one of the path information and the stack backtrace information of the modification behavior is inconsistent with the corresponding standard path information or standard stack backtrace information in the preset rule base, to treat the modification behavior as tampering with the system security log.
In a specific application scenario, as shown in Figure 4, the device further includes an application layer module 35 and a processing module 36.
The application layer module 35 is configured for the application layer to obtain, according to the received execution request, the behavior log corresponding to that execution request; and
if the signature information in the behavior log is consistent with the preset signature information, to treat the modification behavior as a legal modification of the system security log; and
if the signature information in the behavior log is inconsistent with the preset signature information, to treat the modification behavior as tampering with the system security log.
The processing module 36 is configured to allow or intercept the tampering with the system security log according to a mode selection instruction from the user, where the mode selection instruction is a synchronous mode instruction or an asynchronous mode instruction.
It should be noted that for the other corresponding descriptions of the functional units involved in the device for identifying tampering with a system security log provided by the embodiments of the present application, reference may be made to the corresponding descriptions of Figure 1 and Figure 2; they are not repeated here.
Based on the method shown in Figures 1 and 2, an embodiment of the present application correspondingly also provides a storage medium on which a computer program is stored; when the program is executed by a processor, it implements the method for identifying tampering with a system security log shown in Figures 1 and 2.
Based on this understanding, the technical solution of the present application may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a USB flash disk, a removable hard disk, etc.) and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to execute the methods described in the implementation scenarios of the present application.
Based on the method shown in Figures 1 and 2 and the virtual device embodiment shown in Figures 3 and 4, and in order to achieve the above purpose, an embodiment of the present application also provides a computer device, which may specifically be a personal computer, a server, a network device, etc. The computer device includes a storage medium and a processor; the storage medium is configured to store a computer program, and the processor is configured to execute the computer program so as to implement the method for identifying tampering with a system security log shown in Figures 1 and 2.
Optionally, the computer device may also include a user interface, a network interface, a camera, a radio frequency (RF) circuit, a sensor, an audio circuit, a WI-FI module, etc. The user interface may include a display screen (Display) and an input unit such as a keyboard (Keyboard); optionally, the user interface may also include a USB interface, a card reader interface, etc. The network interface may optionally include a standard wired interface and a wireless interface (such as a Bluetooth interface or a WI-FI interface).
Those skilled in the art will understand that the computer device structure provided in this embodiment does not constitute a limitation on the computer device, which may include more or fewer components, combine certain components, or have a different arrangement of components.
The storage medium may also include an operating system and a network communication module. The operating system is a program that manages and preserves the hardware and software resources of the computer device and supports the running of the message processing program and other software and/or programs. The network communication module is configured to implement communication between the components inside the storage medium and communication with the other hardware and software in the entity device.
Through the above description of the embodiments, those skilled in the art can clearly understand that the present application may be implemented by software together with a necessary general hardware platform, or may be implemented by hardware, to monitor the system security log in real time using a file system minifilter driver in the kernel, intercept the monitored modification behavior of the system security log, obtain the path information and the stack backtrace information corresponding to the intercepted modification behavior, and judge from that path information and stack backtrace information whether the modification behavior is tampering with the system security log. The present application can thus use the file system minifilter driver in the kernel to monitor malicious tampering with system security event records inside the operating system in real time, while at the same time lowering the professional requirements on operation and maintenance personnel, reducing personnel cost, and achieving higher accuracy in identifying malicious tampering with system security event records inside the operating system.
The embodiments of the invention provide the following technical solutions:
A1. A method for identifying tampering with a system security log, characterized in that it comprises:
monitoring the system security log in real time using a file system minifilter driver in the kernel, and intercepting the monitored modification behavior of the system security log;
obtaining, according to the intercepted modification behavior of the system security log, the path information and the stack backtrace information corresponding to the modification behavior;
judging, according to the path information and the stack backtrace information of the modification behavior, whether the modification behavior is tampering with the system security log.
A2. The method according to claim A1, characterized in that, before obtaining, according to the intercepted modification behavior of the system security log, the path information and the stack backtrace information corresponding to the modification behavior, the method further comprises:
obtaining the configuration information of the modification behavior;
allowing legal modification of the system security log according to the security protection information, IRQL information, file name information and file size information in the configuration information.
A3. The method according to claim A1, characterized in that obtaining, according to the intercepted modification behavior of the system security log, the path information and the stack backtrace information corresponding to the modification behavior specifically comprises:
parsing the intercepted modification behavior to obtain the process information of the modification behavior;
obtaining, according to the process information of the modification behavior, the path information corresponding to the modification behavior.
A4. The method according to claim A3, characterized in that parsing the intercepted modification behavior to obtain the process information of the modification behavior specifically comprises:
if the modification behavior is an add behavior, obtaining the process information of the add behavior from the dynamic link library called through the application programming interface (API);
if the modification behavior is a change or delete behavior, obtaining the process information of the change or delete behavior from the system security log file in the evtx file format.
A5. The method according to claim A1, characterized in that judging, according to the path information and the stack backtrace information of the modification behavior, whether the modification behavior is tampering with the system security log specifically comprises:
querying the path information and the stack backtrace information of the modification behavior against a preset rule base;
if the path information and the stack backtrace information of the modification behavior are consistent with the corresponding standard path information and standard stack backtrace information in the preset rule base, treating the modification behavior as a pending modification of the system security log, and sending an execution request for the pending modification of the system security log to the application layer;
if at least one of the path information and the stack backtrace information of the modification behavior is inconsistent with the corresponding standard path information or standard stack backtrace information in the preset rule base, treating the modification behavior as tampering with the system security log.
A6. The method according to claim A5, characterized in that, after, if the path information and the stack backtrace information of the modification behavior are consistent with the corresponding path information and stack backtrace information in the preset rule base, treating the modification behavior as a pending modification of the system security log and sending the execution request for the pending modification of the system security log to the application layer, the method further comprises:
the application layer obtaining, according to the received execution request, the behavior log corresponding to the execution request;
if the signature information in the behavior log is consistent with the preset signature information, treating the modification behavior as a legal modification of the system security log;
if the signature information in the behavior log is inconsistent with the preset signature information, treating the modification behavior as tampering with the system security log.
A7. The method according to claim A4 or A6, characterized in that the method further comprises:
allowing or intercepting the tampering with the system security log according to a mode selection instruction from the user;
wherein the mode selection instruction is a synchronous mode instruction or an asynchronous mode instruction.
B8. A device for identifying tampering with a system security log, characterized in that it comprises:
a monitoring module, configured to monitor the system security log in real time using a file system minifilter driver in the kernel, and to intercept the monitored modification behavior of the system security log;
an acquisition module, configured to obtain, according to the intercepted modification behavior of the system security log, the path information and the stack backtrace information corresponding to the modification behavior;
a judgement module, configured to judge, according to the path information and the stack backtrace information of the modification behavior, whether the modification behavior is tampering with the system security log.
B9, the device according to claim B8, which is characterized in that described device further include:
Configuration module, for obtaining the profile information of the act of revision;And
For according in the profile information security protection information, IRQ level information, file name information,
File size information, clearance system security log legal modifications behavior.
B10, the device according to claim B8, characterized in that the acquisition module specifically comprises:
a parsing unit, for parsing the intercepted modification behavior to obtain the process information of the modification behavior;
a path unit, for obtaining the path information of the corresponding modification behavior according to the process information of the modification behavior.
B11, the device according to claim B10, characterized in that the parsing unit specifically comprises:
a parsing unit, for, if the modification behavior is an add behavior, obtaining the process information of the add behavior by calling a dynamic link library through an application programming interface (API); and
for, if the modification behavior is a change or delete behavior, obtaining the process information of the change or delete behavior according to the system security log file in evtx file format.
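Claim B11 has the parsing unit read the evtx-format security log file when the intercepted operation is a change or deletion. The following is an added example, not code from the patent, of the header checks a checker should run on the targeted System.evtx before trusting anything it reads from it: file signature, header size, format version and the header CRC-32. The field offsets and the use of the standard CRC-32 over the first 120 header bytes follow the publicly documented EVTX header layout and are assumptions here, not taken from the page; the header bytes are constructed in the code rather than read from a real file.

```c
/*
 * Added example, not the patent's code: sanity-check the 128-byte header of
 * an EVTX file. Offsets and the CRC-32 convention follow the publicly
 * documented EVTX layout (assumption, not from the page):
 *   0: "ElfFile\0"  8: first chunk  16: last chunk  24: next record id
 *  32: header size (128)  36: minor  38: major  40: header block size (4096)
 *  42: number of chunks  120: file flags  124: CRC-32 of bytes 0..119
 */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define EVTX_HEADER_SIZE 128
#define EVTX_FLAG_DIRTY  0x1u   /* file has unflushed changes */
#define EVTX_FLAG_FULL   0x2u   /* file has reached its maximum size */

typedef struct {
    uint64_t first_chunk, last_chunk, next_record_id;
    uint16_t minor, major, header_block_size, num_chunks;
    uint32_t flags;
} evtx_header;

/* Standard reflected CRC-32 (polynomial 0xEDB88320), the zlib variant. */
static uint32_t crc32_bytes(const uint8_t *p, size_t n) {
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

static void put_le16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void put_le32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static void put_le64(uint8_t *p, uint64_t v) { for (int i = 0; i < 8; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static uint16_t get_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t get_le32(const uint8_t *p) { uint32_t v = 0; for (int i = 3; i >= 0; i--) v = (v << 8) | p[i]; return v; }
static uint64_t get_le64(const uint8_t *p) { uint64_t v = 0; for (int i = 7; i >= 0; i--) v = (v << 8) | p[i]; return v; }

/* Build a constructed header (sample data, not from a real machine) so the
 * parser can be exercised offline. */
void evtx_build_header(uint8_t out[EVTX_HEADER_SIZE], uint16_t chunks,
                       uint64_t next_record_id, uint32_t flags) {
    memset(out, 0, EVTX_HEADER_SIZE);
    memcpy(out, "ElfFile", 8);                       /* 7 chars plus terminating NUL */
    put_le64(out + 8, 0);                            /* first chunk number */
    put_le64(out + 16, chunks ? chunks - 1u : 0u);   /* last chunk number */
    put_le64(out + 24, next_record_id);
    put_le32(out + 32, EVTX_HEADER_SIZE);
    put_le16(out + 36, 1);                           /* minor version */
    put_le16(out + 38, 3);                           /* major version */
    put_le16(out + 40, 4096);                        /* header block size */
    put_le16(out + 42, chunks);
    put_le32(out + 120, flags);
    put_le32(out + 124, crc32_bytes(out, 120));
}

/* 0 = header accepted; a negative code names the check that failed. */
int evtx_parse_header(const uint8_t *buf, size_t len, evtx_header *h) {
    if (len < EVTX_HEADER_SIZE) return -1;                        /* truncated */
    if (memcmp(buf, "ElfFile", 8) != 0) return -2;                /* not an EVTX file */
    if (get_le32(buf + 124) != crc32_bytes(buf, 120)) return -3;  /* corrupted or patched in place */
    if (get_le32(buf + 32) != EVTX_HEADER_SIZE) return -4;
    h->first_chunk = get_le64(buf + 8);
    h->last_chunk = get_le64(buf + 16);
    h->next_record_id = get_le64(buf + 24);
    h->minor = get_le16(buf + 36);
    h->major = get_le16(buf + 38);
    h->header_block_size = get_le16(buf + 40);
    h->num_chunks = get_le16(buf + 42);
    h->flags = get_le32(buf + 120);
    if (h->major != 3) return -5;                                 /* unknown format version */
    return 0;
}

int main(void) {
    uint8_t buf[EVTX_HEADER_SIZE];
    evtx_header h;
    evtx_build_header(buf, 5, 1000, EVTX_FLAG_DIRTY);
    int rc = evtx_parse_header(buf, sizeof buf, &h);
    printf("intact header:  rc=%d chunks=%u next_record=%llu dirty=%d\n", rc, h.num_chunks,
           (unsigned long long)h.next_record_id, (h.flags & EVTX_FLAG_DIRTY) != 0);
    buf[24] ^= 0x01;   /* patch the next record id in place, as a log editor might */
    printf("patched header: rc=%d\n", evtx_parse_header(buf, sizeof buf, &h));
    return 0;
}
```

The intact header parses and reports five chunks with the dirty flag set; the copy whose next-record identifier was patched in place fails the checksum. A header checksum failure on a file that the Event Log service did not itself rewrite is evidence worth recording next to the path and call-stack mismatch of claim A5.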
B12, the device according to claim B8, characterized in that the judgment module specifically comprises:
a query unit, for querying the path information and call-stack information of the modification behavior against the preset rule base;
a pending-determination unit, for, if the path information and call-stack information of the modification behavior are consistent with the corresponding standard path information and standard call-stack information in the preset rule base, treating the modification behavior as a pending system security log modification behavior and sending the execution request corresponding to the pending system security log modification behavior to the application layer;
a tampering confirmation unit, for, if at least one of the path information and call-stack information of the modification behavior is inconsistent with the corresponding standard path information and standard call-stack information in the preset rule base, treating the modification behavior as a system security log tampering behavior.
B13, the device according to claim B12, characterized in that the device further comprises:
an application layer module, for the application layer to obtain the behavior log corresponding to the execution request according to the received execution request; and
for, if the signature information in the behavior log is consistent with the preset signature information, treating the modification behavior as a legitimate system security log modification behavior; and
for, if the signature information in the behavior log is inconsistent with the preset signature information, treating the modification behavior as a system security log tampering behavior.
B14, the device according to claim B11 or B13, characterized in that the device further comprises:
a processing module, for releasing or blocking the system security log tampering behavior according to a mode selection instruction from the user;
wherein the mode selection instruction is a synchronous mode instruction or an asynchronous mode instruction.
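Claims A5 to A7 and B12 to B14 describe one decision: compare the writer's image path and call stack against the rule base, hand a full match to the application layer for a signature check, and then release or block according to the user's synchronous or asynchronous mode. The following is an added example in portable C, not the patent's implementation and not kernel code. The events, the single rule-base entry (svchost.exe writing through wevtsvc.dll and ntdll.dll) and the preset signer are constructed for illustration, and the reading of synchronous mode as block-inline and asynchronous mode as release-and-report is an interpretation, since the page does not define the two modes.

```c
/*
 * Added example (not the patent's implementation): the judgment and
 * confirmation logic of claims A5-A7 / B12-B14 over constructed events.
 */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define MAX_FRAMES 8

typedef enum { VERDICT_TAMPER, VERDICT_PENDING, VERDICT_LEGAL } verdict_t;
typedef enum { MODE_SYNC, MODE_ASYNC } op_mode_t;
typedef enum { ACTION_BLOCK, ACTION_RELEASE } action_t;

/* An intercepted write to the security log, as the kernel side would hand it up. */
typedef struct {
    const char *path;                /* image path of the process issuing the write */
    const char *frames[MAX_FRAMES];  /* module names on the call stack, innermost first */
    int nframes;
    const char *signer;              /* signer named in the application-layer behavior log, or NULL */
} mod_event;

/* One rule-base entry: standard path and standard call stack of a legitimate writer. */
typedef struct {
    const char *std_path;
    const char *std_frames[MAX_FRAMES];
    int nframes;
} rule;

/* Constructed rule base (assumption: the Event Log service hosted in svchost.exe,
 * writing through wevtsvc.dll and ntdll.dll). A deployment would learn these values. */
static const rule RULE_BASE[] = {
    { "C:\\Windows\\System32\\svchost.exe", { "wevtsvc.dll", "ntdll.dll" }, 2 },
};
static const int RULE_COUNT = (int)(sizeof RULE_BASE / sizeof RULE_BASE[0]);

/* Constructed sample events, not captured from a real system. */
static const mod_event EV_LEGIT = {
    "C:\\Windows\\System32\\svchost.exe", { "wevtsvc.dll", "ntdll.dll" }, 2, "Microsoft Windows" };
static const mod_event EV_INJECTED = {   /* right process, foreign module on the stack */
    "C:\\Windows\\System32\\svchost.exe", { "inject.dll", "ntdll.dll" }, 2, "Microsoft Windows" };
static const mod_event EV_WIPER = {      /* unknown process, no signer in the behavior log */
    "C:\\Users\\Public\\wipe.exe", { "wipe.exe", "ntdll.dll" }, 2, NULL };

/* Windows paths and module names are case-insensitive. */
static int ieq(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

static int stack_matches(const mod_event *e, const rule *r) {
    if (e->nframes != r->nframes) return 0;
    for (int i = 0; i < r->nframes; i++)
        if (!ieq(e->frames[i], r->std_frames[i])) return 0;
    return 1;
}

/* Claim A5 / B12: path and stack must both match one rule, otherwise tampering.
 * A full match only makes the write pending; the signature check decides. */
verdict_t rule_check(const mod_event *e) {
    for (int i = 0; i < RULE_COUNT; i++)
        if (ieq(e->path, RULE_BASE[i].std_path) && stack_matches(e, &RULE_BASE[i]))
            return VERDICT_PENDING;
    return VERDICT_TAMPER;
}

/* Claim A6 / B13: the application layer compares the signer recorded in the
 * behavior log with the preset signature information. */
verdict_t signature_check(const mod_event *e, const char *preset_signer) {
    if (e->signer && strcmp(e->signer, preset_signer) == 0) return VERDICT_LEGAL;
    return VERDICT_TAMPER;
}

verdict_t classify(const mod_event *e, const char *preset_signer) {
    verdict_t v = rule_check(e);
    return v == VERDICT_PENDING ? signature_check(e, preset_signer) : v;
}

/* Claim A7 / B14, interpretation assumed here: synchronous mode blocks a tampering
 * write inline; asynchronous mode releases it for reporting. Legal writes pass. */
action_t decide_action(verdict_t v, op_mode_t mode) {
    if (v == VERDICT_TAMPER && mode == MODE_SYNC) return ACTION_BLOCK;
    return ACTION_RELEASE;
}

int main(void) {
    const mod_event *evs[] = { &EV_LEGIT, &EV_INJECTED, &EV_WIPER };
    for (int i = 0; i < 3; i++) {
        verdict_t v = classify(evs[i], "Microsoft Windows");
        printf("%-36s verdict=%d sync:%s async:%s\n", evs[i]->path, (int)v,
               decide_action(v, MODE_SYNC) == ACTION_BLOCK ? "block" : "release",
               decide_action(v, MODE_ASYNC) == ACTION_BLOCK ? "block" : "release");
    }
    return 0;
}
```

The injected case is the one worth noting: the image path matches the rule base, so a path-only check would have released it, and it is the call-stack comparison that turns it into a tampering verdict.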
C15, a storage medium on which a computer program is stored, characterized in that, when the program is executed by a processor, it implements the method for identifying system security log tampering behavior according to any one of claims A1 to A7.
D16, a computer device, comprising a storage medium, a processor, and a computer program stored on the storage medium and executable on the processor, characterized in that, when the processor executes the program, it implements the method for identifying system security log tampering behavior according to any one of claims A1 to A7.
Those skilled in the art will appreciate that the accompanying drawings are only schematic diagrams of a preferred implementation scenario, and that the modules or processes in the drawings are not necessarily required to implement the application. Those skilled in the art will also appreciate that the modules in the device of an implementation scenario may be distributed in the device of that scenario as described, or may be correspondingly changed so as to be located in one or more devices different from those of this scenario. The modules of the above implementation scenario may be merged into one module or further split into multiple sub-modules.
The above serial numbers of the application are for description only and do not represent the superiority or inferiority of the implementation scenarios. The above disclosure is only several specific implementation scenarios of the application; the application is not limited thereto, and any changes that a person skilled in the art can think of shall fall within the protection scope of the application.