CN109783316A - Method and device for identifying system security log tampering, storage medium, and computer equipment - Google Patents

Method and device for identifying system security log tampering, storage medium, and computer equipment

Info

Publication number: CN109783316A
Authority: CN (China)
Prior art keywords: act, revision, information, system security, security log
Legal status: Granted
Application number: CN201811646160.8A
Other languages: Chinese (zh)
Other versions: CN109783316B (en)
Inventors: 杨振华, 杨晓东, 杨小波
Current assignee: 360 Enterprise Safety Technology (zhuhai) Co Ltd; Beijing Qianxin Technology Co Ltd
Original assignee: 360 Enterprise Safety Technology (zhuhai) Co Ltd; Beijing Qianxin Technology Co Ltd

Application filed by 360 Enterprise Safety Technology (zhuhai) Co Ltd and Beijing Qianxin Technology Co Ltd.
Priority to CN201811646160.8A.
Publication of CN109783316A; application granted; publication of CN109783316B.
Legal status: active.

Abstract

This application discloses a method and device for identifying tampering with the system security log, together with a storage medium and computer equipment. The method comprises: monitoring the system security log in real time using a file system minifilter driver in the kernel, and intercepting any modification of the system security log that is detected; obtaining, from the intercepted modification, the path information and stack call information of that modification; and judging, from the path information and stack call information, whether the modification is a tampering of the system security log. Using the kernel file system minifilter driver, the application monitors malicious tampering with the security event records inside the operating system in real time, while lowering the expertise demanded of operations and maintenance personnel, reducing personnel cost, and identifying malicious tampering with those records with higher accuracy.

Description

Method and device for identifying system security log tampering, storage medium, and computer equipment
Technical field
This application relates to the field of operating system security, and in particular to a method and device for identifying tampering with the system security log, a storage medium, and computer equipment.
Background technique
With the development of Internet technology, operating system security has become especially important. During operation, an operating system records various system security events, such as system start-up time, running time, shutdown time, service start/stop, system configuration, network configuration, and file system information. In existing security protection systems, however, once the operating system has been exploited by a malicious program such as a virus or Trojan, the system security event records can be maliciously tampered with, leading to theft of file system information, tampering with the network configuration, and even infection or destruction of the system.
As the cost of hacker attacks keeps falling, operating systems are exploited by malicious programs such as viruses and Trojans ever more often. Existing security protection systems have no means of monitoring malicious tampering with the security event records inside the operating system and so cannot monitor such tampering in real time; instead, professional operations and maintenance personnel must search manually, which demands a high level of expertise, raises personnel cost, and yields lower accuracy in identifying malicious tampering with the security event records inside the operating system.
Summary of the invention
In view of this, the application provides a method and device for identifying system security log tampering, a storage medium, and computer equipment. Using a file system minifilter driver in the kernel, it monitors malicious tampering with the system security log inside the operating system in real time, blocks modifications determined to be malicious tampering, and allows modifications determined to be legitimate, so that the operating system is not exploited by malicious programs such as viruses and Trojans.
According to one aspect of the application, a method for identifying system security log tampering is provided, comprising:
monitoring the system security log in real time using a file system minifilter driver in the kernel, and intercepting detected modifications of the system security log;
obtaining, from the intercepted modification of the system security log, the path information and stack call information of that modification;
judging, from the path information and stack call information of the modification, whether the modification is a tampering of the system security log.
According to another aspect of the application, a device for identifying system security log tampering is provided, comprising:
a monitoring module, for monitoring the system security log in real time using a file system minifilter driver in the kernel;
a blocking module, for intercepting detected modifications of the system security log and obtaining the path information and stack call information of the modification;
a judgment module, for judging, from the path information and stack call information of the modification, whether the modification is a tampering of the system security log.
According to a further aspect of the application, a storage medium is provided on which a computer program is stored; when executed by a processor, the program implements the above method for identifying system security log tampering.
According to a further aspect of the application, computer equipment is provided, comprising a storage medium, a processor, and a computer program stored on the storage medium and executable on the processor; when the processor executes the program, it implements the above method for identifying system security log tampering.
By the above technical solution, the method and device for identifying system security log tampering, the storage medium and the computer equipment provided by the application monitor the system security log in real time using a file system minifilter driver in the kernel, intercept detected modifications of the system security log, obtain from the intercepted modification its path information and stack call information, and judge from that path information and stack call information whether the modification is a tampering of the system security log. The application can thus monitor malicious tampering with the security event records inside the operating system in real time using the kernel file system minifilter driver, while lowering the expertise demanded of operations and maintenance personnel, reducing personnel cost, and identifying such tampering with higher accuracy.
The above is only an overview of the technical solution of the application. To make the technical means of the application better understood and implementable according to the specification, and to make the above and other objects, features and advantages of the application clearer, specific embodiments of the application are set out below.
Detailed description of the invention
The drawings described here provide a further understanding of the application and form part of it; the illustrative embodiments and their description explain the application and do not unduly limit it. In the drawings:
Fig. 1 is a flow diagram of a method for identifying system security log tampering provided by an embodiment of the application;
Fig. 2 is a flow diagram of another method for identifying system security log tampering provided by an embodiment of the application;
Fig. 3 is a structural diagram of a device for identifying system security log tampering provided by an embodiment of the application;
Fig. 4 is a structural diagram of another device for identifying system security log tampering provided by an embodiment of the application.
Specific embodiment
The application is described in detail below with reference to the drawings and in conjunction with embodiments. Where there is no conflict, the features of the embodiments can be combined with one another.
This embodiment provides a method for identifying system security log tampering which, as shown in Fig. 1, comprises:
Step 101: monitor the system security log in real time using a file system minifilter driver in the kernel, and intercept detected modifications of the system security log.
A file system minifilter driver in the kernel monitors the system security log file in real time and thereby monitors modifications of the system security log held in that file. Specifically, if the system security log in the log file receives no modification request, the log is left untouched; if it does receive a modification request, the modification generated by that request is intercepted.
Inspection of the file shows that the system security log is generally kept in the system security log file Windows\System32\winevt\Logs\System.evtx.
Step 102: from the intercepted modification of the system security log, obtain the path information and stack call information of that modification.
The intercepted modification of the system security log is parsed. According to its modification type, the way of obtaining path information and the way of obtaining stack call information for that type are determined, and the path information and stack call information of the modification are then obtained accordingly.
The modification types are: adding data to, modifying data in, and deleting data from the system security log.
Step 103: judge, from the path information and stack call information of the modification, whether the modification is a tampering of the system security log.
The obtained path information and stack call information of the modification are compared with the standard path information and standard stack call information that a preset rule base holds for that modification. If at least one of the modification's path information and stack call information disagrees with the standard path information and standard stack call information in the rule base, the modification is a tampering of the system security log; conversely, if both agree with the rule base, the modification is not a tampering.
By applying the technical solution of this embodiment, the system security log is monitored in real time using a file system minifilter driver in the kernel, detected modifications of the system security log are intercepted, the path information and stack call information of the intercepted modification are obtained, and it is judged from them whether the modification is a tampering of the system security log. The application can thus monitor malicious tampering with the security event records inside the operating system in real time using the kernel file system minifilter driver, while lowering the expertise demanded of operations and maintenance personnel, reducing personnel cost, and identifying such tampering with higher accuracy.
Further, as a refinement and extension of the specific embodiment above, and to fully illustrate its implementation, another method for identifying system security log tampering is provided which, as shown in Fig. 2, comprises:
Step 201: monitor the system security log in real time using a file system minifilter driver in the kernel, and intercept detected modifications of the system security log.
Step 202: obtain the configuration information of the modification and, according to the security protection information, interrupt request level (IRQL) information, file name information and file size information in that configuration information, allow legitimate modifications of the system security log.
The configuration information of the modification is obtained and used to judge whether the modification is a tampering of the system security log, that is, whether it is a legitimate modification; modifications of the log made by legitimate programs are thereby allowed, while modifications not determined to be legitimate receive further judgement. This avoids the weakness of monitoring malicious modifications only by program category or program path, whose granularity is coarse and precision low: when a dynamic link library is injected into a legitimate program to perform direct disk reads and writes, and an attacker attacks by exploiting a Brix vulnerability, such monitoring lets some malicious modifications through and the operating system is maliciously exploited or attacked.
In embodiments of the application, the callback function of the file system minifilter driver in the Windows kernel obtains the configuration information of the modification, and that information is used to judge whether the modification is a legitimate modification of the system security log. Specifically, when a write request IRP_MJ_WRITE is received, the callback function is invoked and the configuration information of the modification is obtained through it.
Depending on the needs of the application scenario, different restrictions can be placed on the obtained configuration information; from it, one or more of the following are obtained: security protection information, IRQL information, the creation source of the modification request, I/O operation status information, product parameter information, file name information, and file size information.
For example: the security protection information tells whether security protection is enabled (e.g. whether the firewall is on); the IRQL information tells whether the interrupt request level is the lowest level, PASSIVE_LEVEL; the creation source of the modification request tells whether the sender of the request is the application layer; the I/O operation status information tells whether the I/O operation is a paging I/O operation, IRP_PAGING_IO; the product parameter information tells whether the operation belongs to a preset product; the file name information tells whether the file name is empty; and the file size information tells whether the file is Windows\System32\winevt\Logs\System.evtx.
In embodiments of the application, if the modification is determined to be a legitimate modification of the system security log, it is allowed directly; if it is not determined to be legitimate, it remains intercepted and receives further judgement, proceeding to step 203. Modifications include additions, changes and deletions.
Step 203: parse the intercepted modification and obtain its process information.
In the embodiment above, the intercepted modification is parsed and its process information obtained as follows:
Step 2031: if the modification is an addition, obtain the process information of the addition from the dynamic link library called through the application programming interface (API).
After the modification is determined to be an addition, the API corresponding to the addition request is determined from that request; the dynamic link library corresponding to the addition request is called through that API; the service that executes the addition request is determined; and the process information of the addition is thereby obtained.
Step 2032: if the modification is a change or a deletion, obtain the process information of the change or deletion from the system security log file in evtx format.
After the modification is determined to be a change or deletion, the process information of the change or deletion is determined by parsing the file format of the system security log file Windows\System32\winevt\Logs\System.evtx.
Step 204: from the process information of the modification, obtain the path information of the modification.
When the modification is an addition, the path information of the addition is obtained from its process information. When the modification is a change or deletion, the path information is obtained from the process information of the change or deletion in the system security log file Windows\System32\winevt\Logs\System.evtx.
Step 205: query the path information and stack call information of the modification against a preset rule base.
The stack call information of the modification is obtained by a kernel stack backtrace of the modification; it consists of the sequence of thread stack addresses, and it is used to determine whether the modification is a tampering of the system security log.
From the obtained path information and stack call information, the standard path information and standard stack call information of that modification are looked up in the preset rule base, and it is determined whether the modification is a tampering of the system security log, so that legitimate modifications are allowed and tampering is blocked.
Step 206: if the path information and stack call information of the modification agree with the corresponding standard path information and standard stack call information in the preset rule base, the modification is a system security log modification to be determined; an execution request for that pending modification is sent to the application layer, and the method proceeds to step 208.
To preserve operating system stability, the execution request for the pending modification sent to the application layer includes the process information (e.g. process ID), thread information (e.g. thread ID) and file path information of that modification.
Step 207: if at least one of the path information and stack call information of the modification disagrees with the corresponding standard path information and standard stack call information in the preset rule base, the modification is a tampering of the system security log and is reported through the application layer to the application layer interface, and the method proceeds to step 209.
Depending on the needs of the application scenario, an execution request for the pending tampering can also be sent to the application layer and step 208 entered; this is not specifically limited here.
Step 208: the application layer obtains, from the received execution request, the behaviour log corresponding to that request; if the signature information in the behaviour log agrees with the preset signature information, the modification is a legitimate modification of the system security log; if it disagrees, the modification is a tampering of the system security log, and the method proceeds to step 209.
Depending on the needs of the application scenario, the signature information in the behaviour log may be application signature information or digital signature information. Taking application signature information as an example: the application layer parses the behaviour log of the software action corresponding to the execution request to obtain the application signature information, and compares it with the preset application signature information. If they agree, the modification is a legitimate modification of the system security log and is allowed; if they disagree, the modification is a tampering of the system security log and is reported to the application layer interface.
Step 209: according to a mode selection command from the user, the tampering of the system security log is either allowed or blocked; the mode selection command is a synchronous mode command or an asynchronous mode command.
In synchronous mode, the tampering is allowed or blocked according to an allow or block command from the user for that modification; if no such command is received within a preset time, default handling is applied, which can be either allowing or blocking and is usually blocking.
In asynchronous mode, no allow or block command from the user is needed; when a modification is confirmed as a tampering of the system security log, default handling is applied directly (allowing or blocking, usually blocking), and the tampering information is displayed on the application layer interface, including the process name, tampering time, file name, etc. of the tampering.
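As an added illustration of the decision pipeline of steps 201-209 (and of the simpler comparison in step 103), not code from the patent or its applicants, the following user-mode C model applies the logic to constructed events. The event struct stands in for what the minifilter's IRP_MJ_WRITE callback would collect, the rule-base entry and all stack addresses are placeholders, and the step 202 context checks are modelled as releasing paging I/O, non-PASSIVE_LEVEL and non-log-file requests, a direction the page does not specify.

```c
#include <stdint.h>
#include <string.h>

#define PASSIVE_LEVEL 0   /* lowest Windows IRQL */
#define MAX_FRAMES    4

/* Plain-struct stand-in for what the minifilter's IRP_MJ_WRITE pre-operation callback
 * collects in steps 201-204 (every value used below is constructed). */
typedef struct {
    const char *file_name;          /* file object name seen by the minifilter */
    unsigned    irql;               /* interrupt request level of the request */
    int         paging_io;          /* request carries IRP_PAGING_IO */
    const char *image_path;         /* path information of the requesting process */
    size_t      nframes;
    uint64_t    frames[MAX_FRAMES]; /* thread stack address sequence (kernel backtrace) */
} ModEvent;

/* PENDING is the page's "to be determined": the event matched the rule base and is
 * handed to the application layer for the signature check of step 208. */
typedef enum { DECISION_PASS, DECISION_PENDING, DECISION_TAMPER } Decision;

/* One rule-base entry (step 205): standard path and standard stack sequence of a
 * legitimate modifier of the log. Addresses are placeholders, not real values. */
typedef struct {
    const char *standard_path;
    size_t      nframes;
    uint64_t    standard_frames[MAX_FRAMES];
} Rule;

static const char LOG_FILE[] = "\\Windows\\System32\\winevt\\Logs\\System.evtx";
static const char SVC_PATH[] = "\\Windows\\System32\\svchost.exe";

static const Rule RULE_BASE[] = {
    { SVC_PATH, 3, { 0xfffff8001000a000ull, 0xfffff8001000b2c0ull, 0x00007ff7a0001234ull } },
};
#define RULE_COUNT (sizeof RULE_BASE / sizeof RULE_BASE[0])

/* Step 202 as modelled here: paging I/O, requests above PASSIVE_LEVEL and requests that
 * do not target the security log are released before any rule-base lookup. The page
 * lists these checks but does not state which outcome releases; that is an assumption. */
static int context_releases(const ModEvent *e)
{
    if (e->file_name == NULL || e->file_name[0] == '\0') return 1;
    if (strcmp(e->file_name, LOG_FILE) != 0) return 1;
    if (e->paging_io) return 1;
    return e->irql != PASSIVE_LEVEL;
}

static int stacks_match(const ModEvent *e, const Rule *r)
{
    return e->nframes <= MAX_FRAMES && e->nframes == r->nframes &&
           memcmp(e->frames, r->standard_frames, e->nframes * sizeof e->frames[0]) == 0;
}

/* Steps 205-207: path AND stack sequence must both agree with one rule-base entry.
 * A mismatch in either is tampering; a full match is handed to the application layer. */
Decision classify(const ModEvent *e)
{
    if (context_releases(e)) return DECISION_PASS;
    if (e->image_path == NULL) return DECISION_TAMPER;
    for (size_t i = 0; i < RULE_COUNT; i++) {
        const Rule *r = &RULE_BASE[i];
        if (strcmp(e->image_path, r->standard_path) == 0 && stacks_match(e, r))
            return DECISION_PENDING;
    }
    return DECISION_TAMPER;
}

/* Step 208 (application layer): a pending event is released only if the signature found
 * in the requesting program's behaviour log equals the preset one. */
Decision resolve_pending(Decision d, const char *observed_sig, const char *preset_sig)
{
    if (d != DECISION_PENDING) return d;
    return strcmp(observed_sig, preset_sig) == 0 ? DECISION_PASS : DECISION_TAMPER;
}

/* Constructed sample events, indexed by sample(). */
static const ModEvent SAMPLES[] = {
    /* 0: paging write to the log -> released by the context check */
    { LOG_FILE, PASSIVE_LEVEL, 1, SVC_PATH, 3,
      { 0xfffff8001000a000ull, 0xfffff8001000b2c0ull, 0x00007ff7a0001234ull } },
    /* 1: standard path with the standard stack -> pending */
    { LOG_FILE, PASSIVE_LEVEL, 0, SVC_PATH, 3,
      { 0xfffff8001000a000ull, 0xfffff8001000b2c0ull, 0x00007ff7a0001234ull } },
    /* 2: standard path, but the last return address differs (e.g. an injected DLL) -> tampering */
    { LOG_FILE, PASSIVE_LEVEL, 0, SVC_PATH, 3,
      { 0xfffff8001000a000ull, 0xfffff8001000b2c0ull, 0x00007ff7b00057e0ull } },
    /* 3: program absent from the rule base writing the log -> tampering */
    { LOG_FILE, PASSIVE_LEVEL, 0, "\\Users\\Public\\cleaner.exe", 1, { 0x00007ff7c0004000ull } },
    /* 4: write to an unrelated file -> released */
    { "\\Windows\\Temp\\x.log", PASSIVE_LEVEL, 0, "\\Users\\Public\\cleaner.exe", 1,
      { 0x00007ff7c0004000ull } },
};

const ModEvent *sample(size_t i)
{
    return i < sizeof SAMPLES / sizeof SAMPLES[0] ? &SAMPLES[i] : NULL;
}
```

Because the rule base stores absolute return addresses, it has to be rebuilt whenever module load addresses change (for example after a reboot with ASLR); comparing module-relative offsets instead avoids that maintenance cost.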
The application is suitable for operating systems deployed on x86 and x64 Windows 7 and Windows 10; hardware that runs Windows 7 smoothly is sufficient. The main module of the application resides in the kernel driver layer; the application layer interface is defined in a header file, and the defined interface allows seamless integration with the client application layer. Using the test framework of the application, it can be combined with related products, with good compatibility, stable operation, real-time monitoring and control, a reduced false-alarm rate, good interactivity, simple operation, and detailed, controllable logging of behaviour.
By applying the technical solution of this embodiment, the system security log is monitored in real time using a file system minifilter driver in the kernel, detected modifications of the system security log are intercepted, the path information and stack call information of the intercepted modification are obtained, and it is judged from them whether the modification is a tampering of the system security log. That is, the file object name in the file system minifilter driver and the stack call information from a kernel stack backtrace are used to judge whether a modification of the system security log is illegitimate, so that tampering is blocked and legitimate modifications are allowed. Malicious tampering with the security event records inside the operating system is thereby monitored in real time, while the expertise demanded of operations and maintenance personnel is lowered, personnel cost is reduced, and such tampering is identified with higher accuracy.
Further, as a specific implementation of the method of Fig. 1, an embodiment of the application provides a device for identifying system security log tampering. As shown in Fig. 3, the device comprises a monitoring module 31, an obtaining module 32 and a judgment module 33.
The monitoring module 31 monitors the system security log in real time using a file system minifilter driver in the kernel and intercepts detected modifications of the system security log;
the obtaining module 32 obtains, from the intercepted modification of the system security log, the path information and stack call information of that modification;
the judgment module 33 judges, from the path information and stack call information of the modification, whether the modification is a tampering of the system security log.
In a specific application scenario, as shown in Fig. 4, the device further comprises a configuration module 34.
The configuration module 34 obtains the configuration information of the modification and, according to the security protection information, IRQL information, file name information and file size information in it, allows legitimate modifications of the system security log.
In a specific application scenario, as shown in Fig. 4, the obtaining module 32 comprises a parsing unit 321 and a path unit 322.
The parsing unit 321 parses the intercepted modification and obtains its process information.
The path unit 322 obtains, from the process information of the modification, the path information of the modification.
In a specific application scenario, as shown in Fig. 4, the parsing unit 321 is specifically configured to: if the modification is an addition, obtain the process information of the addition from the dynamic link library called through the API; and if the modification is a change or deletion, obtain the process information of the change or deletion from the system security log file in evtx format.
In a specific application scenario, as shown in Fig. 4, the judgment module 33 comprises a query unit 331, a pending unit 332 and a tampering confirmation unit 333.
The query unit 331 queries the path information and stack call information of the modification against a preset rule base;
the pending unit 332, if the path information and stack call information of the modification agree with the corresponding standard path information and standard stack call information in the preset rule base, treats the modification as a system security log modification to be determined and sends an execution request for that pending legitimate modification to the application layer;
the tampering confirmation unit 333, if at least one of the path information and stack call information of the modification disagrees with the corresponding standard path information and standard stack call information in the preset rule base, treats the modification as a tampering of the system security log.
In a specific application scenario, as shown in Fig. 4, the device further comprises an application layer module 35 and a processing module 36.
The application layer module 35 obtains, at the application layer, the behaviour log corresponding to the received execution request; if the signature information in the behaviour log agrees with the preset signature information, the modification is a legitimate modification of the system security log; and if it disagrees, the modification is a tampering of the system security log.
The processing module 36 allows or blocks the tampering of the system security log according to a mode selection command from the user; the mode selection command is a synchronous mode command or an asynchronous mode command.
It should be noted that, for other corresponding descriptions of the functional units involved in the device for identifying system security log tampering behavior provided by the embodiments of the present application, reference may be made to the corresponding descriptions of Fig. 1 and Fig. 2, which are not repeated here.
Based on the method shown in Fig. 1 and Fig. 2 above, correspondingly, an embodiment of the present application further provides a storage medium on which a computer program is stored; when the program is executed by a processor, it implements the method for identifying system security log tampering behavior shown in Fig. 1 and Fig. 2 above.
Based on this understanding, the technical solution of the present application may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a USB flash drive, a removable hard disk, etc.) and includes a number of instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to execute the method described in each implementation scenario of the present application.
Based on the method shown in Fig. 1, Fig. 2 and Fig. 3 above and the virtual device embodiment shown in Fig. 4, in order to achieve the above purpose, an embodiment of the present application further provides a computer device, which may specifically be a personal computer, a server, a network device, etc. The computer device includes a storage medium and a processor; the storage medium is configured to store a computer program; the processor is configured to execute the computer program to implement the method for identifying system security log tampering behavior shown in Fig. 1 and Fig. 2 above.
Optionally, the computer device may further include a user interface, a network interface, a camera, a radio frequency (RF) circuit, a sensor, an audio circuit, a Wi-Fi module, etc. The user interface may include a display screen (Display) and an input unit such as a keyboard (Keyboard); optionally, the user interface may also include a USB interface, a card reader interface, etc. The network interface may optionally include a standard wired interface and a wireless interface (such as a Bluetooth interface or a Wi-Fi interface).
Those skilled in the art will understand that the computer device structure provided in this embodiment does not constitute a limitation on the computer device, which may include more or fewer components, combine certain components, or have a different component arrangement.
The storage medium may further include an operating system and a network communication module. The operating system is a program that manages and stores the hardware and software resources of the computer device and supports the operation of the information processing program and other software and/or programs. The network communication module is configured to implement communication between the components inside the storage medium, and communication with other hardware and software in the physical device.
Through the above description of the embodiments, those skilled in the art can clearly understand that the present application may be implemented by software together with a necessary general-purpose hardware platform, or by hardware. It uses a file system minifilter driver in the kernel to monitor the system security log in real time, intercepts the monitored modification behavior of the system security log, obtains, according to the intercepted modification behavior of the system security log, the path information and the stack call information of the corresponding modification behavior, and judges, according to the path information and the stack call information of the modification behavior, whether the modification behavior is a system security log tampering behavior. The present application can thus use a file system minifilter driver in the kernel to monitor in real time malicious tampering with the system security event records inside the operating system; at the same time, it reduces the professional requirements on operation and maintenance personnel, reduces personnel cost, and achieves higher accuracy in identifying malicious tampering with the system security event records inside the operating system.
The embodiments of the present invention provide the following technical solutions:
A1. A method for identifying system security log tampering behavior, characterized by comprising:
monitoring the system security log in real time using a file system minifilter driver in the kernel, and intercepting the monitored modification behavior of the system security log;
obtaining, according to the intercepted modification behavior of the system security log, the path information and the stack call information of the corresponding modification behavior;
judging, according to the path information and the stack call information of the modification behavior, whether the modification behavior is a system security log tampering behavior.
A2. The method according to A1, characterized in that, before obtaining, according to the intercepted modification behavior of the system security log, the path information and the stack call information of the corresponding modification behavior, the method further comprises:
obtaining the configuration information of the modification behavior;
releasing legitimate system security log modification behavior according to the security protection information, IRQL information, file name information and file length information in the configuration information.
A3. The method according to A1, characterized in that obtaining, according to the intercepted modification behavior of the system security log, the path information and the stack call information of the corresponding modification behavior specifically comprises:
parsing the intercepted modification behavior to obtain the process information of the modification behavior;
obtaining the path information of the corresponding modification behavior according to the process information of the modification behavior.
A4. The method according to A3, characterized in that parsing the intercepted modification behavior to obtain the process information of the modification behavior specifically comprises:
if the modification behavior is an add behavior, obtaining the process information of the add behavior from the dynamic link library called through the application programming interface (API);
if the modification behavior is a change or delete behavior, obtaining the process information of the change or delete behavior from the system security log file in evtx file format.
A5. The method according to A1, characterized in that judging, according to the path information and the stack call information of the modification behavior, whether the modification behavior is a system security log tampering behavior specifically comprises:
querying the path information and the stack call information of the modification behavior against a preset rule base;
if the path information and the stack call information of the modification behavior are consistent with the corresponding standard path information and standard stack call information in the preset rule base, the modification behavior is a system security log modification behavior to be determined, and an execution request for the corresponding system security log modification behavior to be determined is sent to the application layer;
if at least one of the path information and the stack call information of the modification behavior is inconsistent with the corresponding standard path information and standard stack call information in the preset rule base, the modification behavior is a system security log tampering behavior.
A6. The method according to A5, characterized in that, after the step in which, if the path information and the stack call information of the modification behavior are consistent with the corresponding path information and stack call information in the preset rule base, the modification behavior is a system security log modification behavior to be determined and an execution request for the corresponding system security log modification behavior to be determined is sent to the application layer, the method further comprises:
the application layer obtaining the behavior log corresponding to the execution request according to the received execution request;
if the signature information in the behavior log is consistent with the preset signature information, the modification behavior is a legitimate system security log modification behavior;
if the signature information in the behavior log is inconsistent with the preset signature information, the modification behavior is a system security log tampering behavior.
A7. The method according to A4 or A6, characterized in that the method further comprises:
releasing or intercepting the system security log tampering behavior according to a mode selection instruction from the user;
wherein the mode selection instruction is a synchronous mode instruction or an asynchronous mode instruction.
B8. A device for identifying system security log tampering behavior, characterized by comprising:
a monitoring module, configured to monitor the system security log in real time using a file system minifilter driver in the kernel and to intercept the monitored modification behavior of the system security log;
an obtaining module, configured to obtain, according to the intercepted modification behavior of the system security log, the path information and the stack call information of the corresponding modification behavior;
a judgment module, configured to judge, according to the path information and the stack call information of the modification behavior, whether the modification behavior is a system security log tampering behavior.
B9. The device according to B8, characterized in that the device further comprises:
a configuration module, configured to obtain the configuration information of the modification behavior; and
to release legitimate system security log modification behavior according to the security protection information, IRQL information, file name information and file length information in the configuration information.
B10. The device according to B8, characterized in that the obtaining module specifically comprises:
a parsing unit, configured to parse the intercepted modification behavior to obtain the process information of the modification behavior;
a path unit, configured to obtain the path information of the corresponding modification behavior according to the process information of the modification behavior.
B11. The device according to B10, characterized in that the parsing unit is specifically configured to:
if the modification behavior is an add behavior, obtain the process information of the add behavior from the dynamic link library called through the application programming interface (API); and
if the modification behavior is a change or delete behavior, obtain the process information of the change or delete behavior from the system security log file in evtx file format.
B12. The device according to B8, characterized in that the judgment module specifically comprises:
a query unit, configured to query the path information and the stack call information of the modification behavior against a preset rule base;
a unit to be determined, configured to, if the path information and the stack call information of the modification behavior are consistent with the corresponding standard path information and standard stack call information in the preset rule base, treat the modification behavior as a system security log modification behavior to be determined and send an execution request for the corresponding system security log modification behavior to be determined to the application layer;
a tampering confirmation unit, configured to, if at least one of the path information and the stack call information of the modification behavior is inconsistent with the corresponding standard path information and standard stack call information in the preset rule base, treat the modification behavior as a system security log tampering behavior.
B13. The device according to B12, characterized in that the device further comprises:
an application layer module, configured to obtain, at the application layer, the behavior log corresponding to the execution request according to the received execution request; and
if the signature information in the behavior log is consistent with the preset signature information, the modification behavior is a legitimate system security log modification behavior; and
if the signature information in the behavior log is inconsistent with the preset signature information, the modification behavior is a system security log tampering behavior.
B14. The device according to B11 or B13, characterized in that the device further comprises:
a processing module, configured to release or intercept the system security log tampering behavior according to a mode selection instruction from the user;
wherein the mode selection instruction is a synchronous mode instruction or an asynchronous mode instruction.
C15. A storage medium on which a computer program is stored, characterized in that, when the program is executed by a processor, it implements the method for identifying system security log tampering behavior according to any one of A1 to A7.
D16. A computer device, comprising a storage medium, a processor, and a computer program stored on the storage medium and executable on the processor, characterized in that the processor, when executing the program, implements the method for identifying system security log tampering behavior according to any one of A1 to A7.
Those skilled in the art will appreciate that the accompanying drawings are only schematic diagrams of a preferred implementation scenario, and that the modules or processes in the drawings are not necessarily required for implementing the present application. Those skilled in the art will also appreciate that the modules in the device of an implementation scenario may be distributed in the device of that implementation scenario as described, or may be changed correspondingly so as to be located in one or more devices different from this implementation scenario. The modules of the above implementation scenario may be merged into one module, or further split into multiple sub-modules.
The serial numbers of the above application are for description only and do not represent the superiority or inferiority of the implementation scenarios. What is disclosed above is only a few specific implementation scenarios of the present application; however, the present application is not limited thereto, and any change that a person skilled in the art can conceive of shall fall within the protection scope of the present application.

Claims (10)

1. A method for identifying system security log tampering behavior, characterized by comprising:
monitoring the system security log in real time using a file system minifilter driver in the kernel, and intercepting the monitored modification behavior of the system security log;
obtaining, according to the intercepted modification behavior of the system security log, the path information and the stack call information of the corresponding modification behavior;
judging, according to the path information and the stack call information of the modification behavior, whether the modification behavior is a system security log tampering behavior.
2. The method according to claim 1, characterized in that, before obtaining, according to the intercepted modification behavior of the system security log, the path information and the stack call information of the corresponding modification behavior, the method further comprises:
obtaining the configuration information of the modification behavior;
releasing legitimate system security log modification behavior according to the security protection information, IRQL information, file name information and file length information in the configuration information.
3. The method according to claim 1, characterized in that obtaining, according to the intercepted modification behavior of the system security log, the path information and the stack call information of the corresponding modification behavior specifically comprises:
parsing the intercepted modification behavior to obtain the process information of the modification behavior;
obtaining the path information of the corresponding modification behavior according to the process information of the modification behavior.
4. The method according to claim 3, characterized in that parsing the intercepted modification behavior to obtain the process information of the modification behavior specifically comprises:
if the modification behavior is an add behavior, obtaining the process information of the add behavior from the dynamic link library called through the application programming interface (API);
if the modification behavior is a change or delete behavior, obtaining the process information of the change or delete behavior from the system security log file in evtx file format.
5. The method according to claim 1, characterized in that judging, according to the path information and the stack call information of the modification behavior, whether the modification behavior is a system security log tampering behavior specifically comprises:
querying the path information and the stack call information of the modification behavior against a preset rule base;
if the path information and the stack call information of the modification behavior are consistent with the corresponding standard path information and standard stack call information in the preset rule base, the modification behavior is a system security log modification behavior to be determined, and an execution request for the corresponding system security log modification behavior to be determined is sent to the application layer;
if at least one of the path information and the stack call information of the modification behavior is inconsistent with the corresponding standard path information and standard stack call information in the preset rule base, the modification behavior is a system security log tampering behavior.
6. The method according to claim 5, characterized in that, after the step in which, if the path information and the stack call information of the modification behavior are consistent with the corresponding path information and stack call information in the preset rule base, the modification behavior is a system security log modification behavior to be determined and an execution request for the corresponding system security log modification behavior to be determined is sent to the application layer, the method further comprises:
the application layer obtaining the behavior log corresponding to the execution request according to the received execution request;
if the signature information in the behavior log is consistent with the preset signature information, the modification behavior is a legitimate system security log modification behavior;
if the signature information in the behavior log is inconsistent with the preset signature information, the modification behavior is a system security log tampering behavior.
7. The method according to claim 4 or 6, characterized in that the method further comprises:
releasing or intercepting the system security log tampering behavior according to a mode selection instruction from the user;
wherein the mode selection instruction is a synchronous mode instruction or an asynchronous mode instruction.
8. A device for identifying system security log tampering behavior, characterized by comprising:
a monitoring module, configured to monitor the system security log in real time using a file system minifilter driver in the kernel and to intercept the monitored modification behavior of the system security log;
an obtaining module, configured to obtain, according to the intercepted modification behavior of the system security log, the path information and the stack call information of the corresponding modification behavior;
a judgment module, configured to judge, according to the path information and the stack call information of the modification behavior, whether the modification behavior is a system security log tampering behavior.
9. A storage medium on which a computer program is stored, characterized in that, when the program is executed by a processor, it implements the method for identifying system security log tampering behavior according to any one of claims 1 to 7.
10. A computer device, comprising a storage medium, a processor, and a computer program stored on the storage medium and executable on the processor, characterized in that the processor, when executing the program, implements the method for identifying system security log tampering behavior according to any one of claims 1 to 7.
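The decision flow of embodiments A1-A7 and claims 1-7 (pre-filter, path and call-stack check against the rule base, application-layer signature check, then synchronous or asynchronous handling), as an added Python illustration that is not code from the patent. It assumes the minifilter has already produced an event record; the rule base, signer names, file paths and sample events are constructed placeholders, and the A2 pre-filter and the A7 mode mapping are assumed readings of the text.

```python
"""Decision flow for writes to the Windows security log (constructed example).

Not code from the patent: the kernel interception is assumed to have already
produced a ModificationEvent, and every rule value, signer and sample event
is a constructed placeholder rather than a value taken from the patent.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Default location of the Windows Security event log (evtx format).
SECURITY_LOG = r"C:\Windows\System32\winevt\Logs\Security.evtx"

# Verdicts, named after the patent text.
LEGAL = "legal modification"
PENDING = "to be determined"
TAMPERING = "tampering"


@dataclass
class ModificationEvent:
    """Assumed shape of what the interceptor hands to the judgment stage."""
    kind: str                     # "add", "change" or "delete"
    file_name: str                # file targeted by the write
    process_path: str             # image path of the writing process
    call_stack: List[str]         # modules on the call stack, innermost first
    signer: Optional[str] = None  # signer found by the application layer


@dataclass
class RuleBase:
    """Preset rule base (constructed): the standard path and standard call
    stack of the process allowed to write the log, and the expected signer."""
    standard_path: str
    standard_stack: List[str]
    trusted_signer: str
    protected_file: str = SECURITY_LOG


def preliminary_pass(ev: ModificationEvent, rules: RuleBase) -> bool:
    """A2 pre-filter, assumed reading: a write whose file name is not the
    protected log is released without path or stack inspection."""
    return ev.file_name.lower() != rules.protected_file.lower()


def kernel_verdict(ev: ModificationEvent, rules: RuleBase) -> str:
    """A5: both the process path and the call stack must match the rule
    base; a mismatch in either one is tampering, a full match is pending."""
    path_ok = ev.process_path.lower() == rules.standard_path.lower()
    stack_ok = [m.lower() for m in ev.call_stack] == [m.lower() for m in rules.standard_stack]
    return PENDING if (path_ok and stack_ok) else TAMPERING


def application_verdict(ev: ModificationEvent, rules: RuleBase) -> str:
    """A6: for a pending event the application layer compares the signer in
    the behavior log with the preset signer."""
    return LEGAL if ev.signer == rules.trusted_signer else TAMPERING


def classify(ev: ModificationEvent, rules: RuleBase) -> str:
    """Full A1-A6 pipeline: pre-filter, kernel check, then app-layer check."""
    if preliminary_pass(ev, rules):
        return LEGAL
    verdict = kernel_verdict(ev, rules)
    if verdict == PENDING:
        verdict = application_verdict(ev, rules)
    return verdict


def enforce(verdict: str, mode: str) -> str:
    """A7, assumed mapping: in synchronous mode the write is held until the
    verdict arrives and tampering is intercepted; in asynchronous mode the
    write is released and tampering is only recorded."""
    if mode not in ("synchronous", "asynchronous"):
        raise ValueError(f"unknown mode selection instruction: {mode}")
    if verdict != TAMPERING:
        return "release"
    return "intercept" if mode == "synchronous" else "release-and-record"


# Constructed rule base: the event log service writes the log from svchost.
RULES = RuleBase(
    standard_path=r"C:\Windows\System32\svchost.exe",
    standard_stack=["ntoskrnl.exe", "ntdll.dll", "wevtsvc.dll", "svchost.exe"],
    trusted_signer="Microsoft Windows",
)

# Constructed sample events, one per branch of the decision flow.
SAMPLES: Dict[str, ModificationEvent] = {
    "service-write": ModificationEvent("add", SECURITY_LOG, RULES.standard_path,
                                       list(RULES.standard_stack), "Microsoft Windows"),
    "unknown-process": ModificationEvent("delete", SECURITY_LOG, r"C:\Temp\tool.exe",
                                         ["ntoskrnl.exe", "ntdll.dll", "tool.exe"]),
    "stack-mismatch": ModificationEvent("change", SECURITY_LOG, RULES.standard_path,
                                        ["ntoskrnl.exe", "ntdll.dll", "x.dll", "svchost.exe"]),
    "bad-signer": ModificationEvent("change", SECURITY_LOG, RULES.standard_path,
                                    list(RULES.standard_stack), "Unknown Publisher"),
    "other-file": ModificationEvent("change", r"C:\Temp\notes.txt",
                                    r"C:\Windows\notepad.exe", ["notepad.exe"]),
}


def run_samples(mode: str = "synchronous") -> Dict[str, Tuple[str, str]]:
    """Classify every sample under the chosen mode: name -> (verdict, action)."""
    out = {}
    for name, ev in SAMPLES.items():
        verdict = classify(ev, RULES)
        out[name] = (verdict, enforce(verdict, mode))
    return out


if __name__ == "__main__":
    for name, (verdict, action) in run_samples().items():
        print(f"{name:16} {verdict:20} -> {action}")
```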
CN201811646160.8A 2018-12-29 2018-12-29 Method and device for identifying tampering behavior of system security log, storage medium and computer equipment Active CN109783316B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811646160.8A CN109783316B (en) 2018-12-29 2018-12-29 Method and device for identifying tampering behavior of system security log, storage medium and computer equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811646160.8A CN109783316B (en) 2018-12-29 2018-12-29 Method and device for identifying tampering behavior of system security log, storage medium and computer equipment

Publications (2)

Publication Number Publication Date
CN109783316A true CN109783316A (en) 2019-05-21
CN109783316B CN109783316B (en) 2022-07-05

Family

ID=66499675

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811646160.8A Active CN109783316B (en) 2018-12-29 2018-12-29 Method and device for identifying tampering behavior of system security log, storage medium and computer equipment

Country Status (1)

Country Link
CN (1) CN109783316B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111885088A (en) * 2020-08-06 2020-11-03 中国银行股份有限公司 Log monitoring method and device based on block chain
CN113239350A (en) * 2021-06-11 2021-08-10 杭州安恒信息技术股份有限公司 Method and device for preventing shear plate from being illegally tampered and electronic device
CN113722190A (en) * 2021-11-02 2021-11-30 浙江中控技术股份有限公司 Log processing method, system, electronic device and storage medium
CN115373965A (en) * 2022-10-25 2022-11-22 中汽信息科技(天津)有限公司 User label identification method and device based on stack technology

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8055613B1 (en) * 2008-04-29 2011-11-08 Netapp, Inc. Method and apparatus for efficiently detecting and logging file system changes
CN104766009A (en) * 2015-03-18 2015-07-08 杭州安恒信息技术有限公司 System for preventing webpage document tampering based on operating system bottom layer
CN105224862A (en) * 2015-09-25 2016-01-06 北京北信源软件股份有限公司 A kind of hold-up interception method of office shear plate and device
CN106127050A (en) * 2016-06-29 2016-11-16 北京金山安全软件有限公司 Method and device for preventing system cursor from being maliciously modified and electronic equipment
CN107634968A (en) * 2017-10-19 2018-01-26 杭州安恒信息技术有限公司 Tamper recovery method and system based on Rsync

Also Published As

Publication number Publication date
CN109783316B (en) 2022-07-05

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 519085 No. 501, 601, building 14, kechuangyuan, Gangwan No. 1, Jintang Road, Tangjiawan Town, high tech Zone, Zhuhai City, Guangdong Province

Applicant after: Qianxin Safety Technology (Zhuhai) Co.,Ltd.

Applicant after: Qianxin Technology Group Co., Ltd

Address before: 519085 No. 501, 601, building 14, kechuangyuan, Gangwan No. 1, Jintang Road, Tangjiawan Town, high tech Zone, Zhuhai City, Guangdong Province

Applicant before: 360 ENTERPRISE SECURITY TECHNOLOGY (ZHUHAI) Co.,Ltd.

Applicant before: Beijing Qianxin Technology Co., Ltd

GR01 Patent grant