Detailed Description
The present application will be described in detail below with reference to the accompanying drawings in conjunction with embodiments. It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict.
In this embodiment, a method for identifying tampering behavior of a system security log is provided. As shown in fig. 1, the method includes:
Step 101: use a file system minifilter driver in the kernel to monitor the system security log in real time, and intercept modification behaviors of the monitored system security log.
The file system minifilter driver in the kernel monitors the system security log file in real time, and thereby monitors in real time the modification behaviors of the system security log held in that file. Specifically, if the system security log in the file receives no modification request, no processing is performed; if it receives a modification request, the modification behavior generated according to that request is intercepted.
As can be established by debugging, the system security log is usually stored in the system security log file Windows\System32\Winevt\Logs\System.
Step 102: according to the intercepted modification behavior of the system security log, acquire the path information and stack call information corresponding to the modification behavior.
The intercepted modification behavior is analyzed, and the acquisition modes for path information and stack call information are determined according to the type of the modification behavior; the path information and stack call information corresponding to the modification behavior are then acquired according to the determined acquisition modes.
The modification behavior types include adding data to, modifying data in, and deleting data from the system security log.
Step 103: judge whether the modification behavior is a system security log tampering behavior according to the path information and stack call information of the modification behavior.
The acquired path information and stack call information of the modification behavior are compared, respectively, with the standard path information and standard stack call information that a preset rule base holds for that modification behavior. If at least one of the path information and the stack call information is inconsistent with its standard counterpart in the preset rule base, the modification behavior is determined to be a system security log tampering behavior; if both are consistent with their standard counterparts, the modification behavior is determined not to be a system security log tampering behavior.
By applying the technical solution of this embodiment, the file system minifilter driver in the kernel monitors the system security log in real time, the modification behavior of the monitored log is intercepted, the path information and stack call information corresponding to the modification behavior are obtained from the intercepted behavior, and whether the modification behavior is a system security log tampering behavior is judged from that path information and stack call information. The method and apparatus thereby realize real-time monitoring of malicious tampering with the system security event records of the operating system by means of the file system minifilter driver in the kernel, reduce the professional requirements on operation and maintenance personnel and hence personnel costs, and identify malicious tampering with the system security event records with higher accuracy.
Further, as a refinement and extension of the specific implementation of the foregoing embodiment, and in order to describe that implementation fully, another method for identifying tampering behavior of a system security log is provided. As shown in fig. 2, the method includes:
Step 201: use a file system minifilter driver in the kernel to monitor the system security log in real time, and intercept modification behaviors of the monitored system security log.
Step 202: obtain the configuration file information of the modification behavior, and release legal modification behaviors of the system security log according to the security protection information, interrupt request level information, file name information and file length information in the configuration file information.
Whether a modification behavior is a system security log tampering behavior is first judged from its configuration file information: a modification behavior that the configuration file information shows to be a legal modification of the system security log by a legal program is released, and only the modification behaviors not released in this way are judged further. This avoids monitoring malicious modification behavior solely by program type or program path, which has coarse granularity and low accuracy: when a dynamic link library is injected into a legal program to read and write the disk directly, an attacker exploits this flaw, such monitoring releases part of the malicious modification behavior, and the operating system is maliciously used or attacked.
In this embodiment, the callback function of the file system minifilter driver in the Windows kernel is used to acquire the configuration file information of the modification behavior, and whether the modification behavior is a legal modification of the system security log is judged from the acquired configuration file information. When a write request IRP_MJ_WRITE is received, the callback function is invoked, and the configuration file information of the modification behavior is acquired in that callback.
It should be noted that, depending on the requirements of the actual application scenario, different restrictions may be applied to the obtained configuration file information of the modification behavior, from which one or more of the following are obtained: security protection information, interrupt request level information, creation source information of the modification request, I/O operation state information, product parameter information, file name information, and file length information.
For example, whether security protection is on (e.g., whether a firewall is on) is determined from the security protection information; whether the interrupt request level is the lowest level, PASSIVE_LEVEL, is determined from the interrupt request level information; whether the sender of the modification request is the application layer is determined from the creation source information of the modification request; whether the I/O operation is a paging I/O operation on a memory page, IRP_PAGING_IO, is determined from the I/O operation state information; whether the operation belongs to a preset product is determined from the product parameter information; and whether the file name is null, and whether the file name is Windows\System32\Winevt\Logs\System, are determined from the file name information.
In this embodiment, if the modification behavior is determined to be a legal modification of the system security log, it is released directly; if it is determined not to be a legal modification, it remains intercepted, is judged further, and step 203 is entered. The modification behavior comprises an addition behavior, a change behavior and a deletion behavior.
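The following is an added example, not code from the application: a portable C model of the step-202 pre-write check. In a real minifilter the inputs would come from the IRP_MJ_WRITE pre-operation callback (Data->RequestorMode, Data->Iopb->IrpFlags tested for IRP_PAGING_IO, KeGetCurrentIrql(), the name from FltGetFileNameInformation()); here they are copied into a plain struct so the decision logic compiles and runs in user mode. The text names the attributes to test but not which outcome releases the write; the directions chosen below (protection off, IRQL above PASSIVE_LEVEL, kernel-mode requestor, paging I/O, missing name, or a different file all release) follow the usual minifilter convention and are assumptions. The "file length" item is modelled as a non-empty name buffer, the "preset product" item is omitted because the text gives no criterion, and the sample device paths are constructed.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for the kernel constant and the file name the text names. */
#define PASSIVE_LEVEL 0
#define MONITORED_LOG "\\Windows\\System32\\Winevt\\Logs\\System"

/* Configuration file information of one write, as copied out of the
 * IRP_MJ_WRITE pre-operation callback (assumed mapping, see lead-in). */
typedef struct {
    bool        protection_on;   /* security protection (e.g. firewall) enabled */
    int         irql;            /* interrupt request level at callback time */
    bool        from_user_mode;  /* request created by the application layer */
    bool        paging_io;       /* IRP_PAGING_IO flag set on the request */
    const char *file_name;       /* NULL when no name could be resolved */
    size_t      file_name_len;   /* file name length; zero means empty */
} write_request;

typedef enum { RELEASE = 0, INSPECT = 1 } prefilter_verdict;

/* Case-insensitive substring test, since NTFS paths are case-insensitive. */
bool ci_contains(const char *hay, const char *needle)
{
    size_t n = strlen(needle);
    for (; *hay != '\0'; hay++) {
        size_t i = 0;
        while (i < n && hay[i] != '\0' &&
               tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i]))
            i++;
        if (i == n)
            return true;
    }
    return false;
}

/* RELEASE: pass the write down untouched (legal or irrelevant write).
 * INSPECT: keep it intercepted for the path/stack checks of steps 203-207.
 * Each early return corresponds to one item listed in the text. */
prefilter_verdict prefilter_write(const write_request *r)
{
    if (!r->protection_on)        return RELEASE; /* protection switched off */
    if (r->irql != PASSIVE_LEVEL) return RELEASE; /* name lookup / stack walk need PASSIVE_LEVEL */
    if (!r->from_user_mode)       return RELEASE; /* not sent by the application layer */
    if (r->paging_io)             return RELEASE; /* cache manager flushing an already-judged write */
    if (r->file_name == NULL || r->file_name_len == 0)
                                  return RELEASE; /* file name null or empty */
    if (!ci_contains(r->file_name, MONITORED_LOG))
                                  return RELEASE; /* not the system security log file */
    return INSPECT;
}

/* Constructed sample names; the volume device name is illustrative. */
static const char LOG_PATH[]   = "\\Device\\HarddiskVolume2\\Windows\\System32\\winevt\\Logs\\System.evtx";
static const char OTHER_PATH[] = "\\Device\\HarddiskVolume2\\Users\\alice\\notes.txt";

write_request sample_log_write(void)
{
    write_request r = { true, PASSIVE_LEVEL, true, false, LOG_PATH, sizeof LOG_PATH - 1 };
    return r;
}

/* One deviation from the sample per helper, so each branch can be checked. */
prefilter_verdict verdict_log_write(void)   { write_request r = sample_log_write(); return prefilter_write(&r); }
prefilter_verdict verdict_other_file(void)  { write_request r = sample_log_write(); r.file_name = OTHER_PATH; r.file_name_len = sizeof OTHER_PATH - 1; return prefilter_write(&r); }
prefilter_verdict verdict_paging_io(void)   { write_request r = sample_log_write(); r.paging_io = true; return prefilter_write(&r); }
prefilter_verdict verdict_high_irql(void)   { write_request r = sample_log_write(); r.irql = PASSIVE_LEVEL + 2; return prefilter_write(&r); }
prefilter_verdict verdict_kernel_mode(void) { write_request r = sample_log_write(); r.from_user_mode = false; return prefilter_write(&r); }

int main(void)
{
    printf("log write from user mode: %s\n", verdict_log_write()  == INSPECT ? "INSPECT" : "RELEASE");
    printf("write to another file:    %s\n", verdict_other_file() == INSPECT ? "INSPECT" : "RELEASE");
    printf("paging I/O on the log:    %s\n", verdict_paging_io()  == INSPECT ? "INSPECT" : "RELEASE");
    return 0;
}
```

Only the user-mode, non-paging write whose resolved name contains the monitored path reaches INSPECT; everything else is released cheaply in the callback, which is what keeps the later stack-walk cost off the hot path.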
Step 203: analyze the intercepted modification behavior to obtain the process information of the modification behavior.
In the above embodiment, analyzing the intercepted modification behavior to obtain its process information specifically includes:
Step 2031: if the modification behavior is an addition behavior, obtain the process information of the addition behavior according to the dynamic link library called through the application programming interface (API).
After the modification behavior is determined to be an addition behavior, the API corresponding to the addition request is determined from that request, the dynamic link library corresponding to the addition request is called through that API, and the service executing the addition request is determined, so that the process information corresponding to the addition behavior is obtained.
Step 2032: if the modification behavior is a change or deletion behavior, obtain the process information of the change or deletion behavior according to the system security log file in the evtx file format.
After the modification behavior is determined to be a change or deletion behavior, the process information of the change or deletion behavior is determined by parsing the file format of the system security log file Windows\System32\Winevt\Logs\System.
Step 204: acquire the path information corresponding to the modification behavior according to the process information of the modification behavior.
When the modification behavior is determined to be an addition behavior, the several pieces of process information corresponding to the addition behavior are acquired from its process information, and the path information of the addition behavior is obtained from them; when the modification behavior is determined to be a change or deletion behavior, its path information is obtained from the process information of the change or deletion behavior in the system security log file Windows\System32\Winevt\Logs\System.
Step 205: query the path information and stack call information of the modification behavior using a preset rule base.
According to the modification behavior, the kernel stack is traced back to acquire the stack call information corresponding to the modification behavior; the stack call information comprises a thread stack address sequence, so that whether the modification behavior is a system security log tampering behavior can be determined from it.
According to the acquired path information and stack call information of the modification behavior, the preset rule base is queried for the standard path information and standard stack call information corresponding to the modification behavior, and whether the modification behavior is a system security log tampering behavior is determined, so that legal modification behaviors of the system security log are released and tampering behaviors are prevented.
Step 206: if the path information and stack call information of the modification behavior are consistent with the corresponding standard path information and standard stack call information in the preset rule base, the modification behavior is a to-be-determined system security log modification behavior; an execution request corresponding to the to-be-determined system security log modification behavior is sent to the application layer, and the process proceeds to step 208.
It should be noted that, in order to ensure the stability of the operating system, the execution request corresponding to the to-be-determined system security log modification behavior sent to the application layer includes the process information (e.g., a process number identifier), thread information (e.g., a thread number identifier) and file path information corresponding to that modification behavior.
Step 207: if at least one of the path information and the stack call information of the modification behavior is inconsistent with the corresponding standard path information and standard stack call information in the preset rule base, the modification behavior is a system security log tampering behavior; it is sent to the application layer interface through the application layer, and the process goes to step 209.
It should be noted that, depending on the requirements of the actual application scenario, an execution request corresponding to the to-be-determined system security log tampering behavior may also be sent to the application layer and step 208 entered, which is not specifically limited herein.
Step 208: the application layer obtains the behavior log corresponding to the received execution request. If the signature information in the behavior log is consistent with the preset signature information, the modification behavior is a legal modification behavior of the system security log; if the signature information in the behavior log is inconsistent with the preset signature information, the modification behavior is a system security log tampering behavior, and step 209 is entered.
It should be noted that, depending on the requirements of the actual application scenario, the signature information in the behavior log may be application signature information or digital signature information. Taking application signature information as an example, the application layer analyzes the behavior log corresponding to the execution request according to the software behavior to obtain the application signature information and compares it with the preset application signature information. If the two are consistent, the modification behavior is a legal modification behavior of the system security log and is released; if they are inconsistent, the modification behavior is a system security log tampering behavior and is sent to the application layer interface.
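The following is an added example, not the application's code, covering steps 205 through 208 in one pipeline: the kernel-side match of the writer's image path and stack call information against a preset rule base, followed, for writes that match, by the application-layer signature comparison. The rule base, the module names and the signature strings are constructed. The text stores stack call information as a thread stack address sequence; this model assumes those addresses have already been resolved to module names so that the comparison survives address-space randomization, which is a design choice of the example rather than something the text states.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_FRAMES 8

/* What the kernel side knows about one intercepted write: the issuing image
 * and the thread's return addresses, here already resolved to module names. */
typedef struct {
    const char *image_path;
    const char *frames[MAX_FRAMES];   /* innermost frame first */
    size_t      nframes;
} call_info;

/* One entry of the preset rule base: standard path information, standard
 * stack call information, and the preset signature compared in step 208. */
typedef struct {
    const char *image_path;
    const char *frames[MAX_FRAMES];
    size_t      nframes;
    const char *signature;
} rule;

typedef enum { LEGAL, PENDING, TAMPER } verdict;

/* Constructed rule base with a single legitimate writer of the monitored log. */
static const rule RULE_BASE[] = {
    { "\\Windows\\System32\\svchost.exe", { "wevtsvc.dll", "ntdll.dll" }, 2,
      "SIG-EVENTLOG-SERVICE" },
};

static bool same_frames(const char *const *a, size_t na,
                        const char *const *b, size_t nb)
{
    if (na != nb) return false;
    for (size_t i = 0; i < na; i++)
        if (strcmp(a[i], b[i]) != 0) return false;
    return true;
}

/* Steps 205-207: kernel-side classification from path and stack. */
verdict classify_by_rules(const call_info *c, const rule **matched)
{
    *matched = NULL;
    for (size_t i = 0; i < sizeof RULE_BASE / sizeof RULE_BASE[0]; i++) {
        const rule *r = &RULE_BASE[i];
        if (strcmp(c->image_path, r->image_path) == 0 &&
            same_frames(c->frames, c->nframes, r->frames, r->nframes)) {
            *matched = r;
            return PENDING;   /* step 206: consistent, hand over to the application layer */
        }
    }
    return TAMPER;            /* step 207: path or stack deviates from every rule */
}

/* Step 208: the application layer compares the behavior log's signature
 * with the preset signature of the matched rule. */
verdict check_signature(const rule *r, const char *observed_signature)
{
    if (observed_signature == NULL) return TAMPER;
    return strcmp(observed_signature, r->signature) == 0 ? LEGAL : TAMPER;
}

/* Whole pipeline for one intercepted write. */
verdict judge_write(const call_info *c, const char *observed_signature)
{
    const rule *r;
    verdict v = classify_by_rules(c, &r);
    return v == PENDING ? check_signature(r, observed_signature) : v;
}

/* Constructed observations covering the three outcomes. */
verdict sample_service_write(void)
{
    call_info c = { "\\Windows\\System32\\svchost.exe", { "wevtsvc.dll", "ntdll.dll" }, 2 };
    return judge_write(&c, "SIG-EVENTLOG-SERVICE");
}
verdict sample_injected_write(void)
{
    /* same image path, but a foreign module shows up on the stack */
    call_info c = { "\\Windows\\System32\\svchost.exe", { "injected.dll", "ntdll.dll" }, 2 };
    return judge_write(&c, "SIG-EVENTLOG-SERVICE");
}
verdict sample_bad_signature(void)
{
    /* path and stack match, but the behavior log carries another signature */
    call_info c = { "\\Windows\\System32\\svchost.exe", { "wevtsvc.dll", "ntdll.dll" }, 2 };
    return judge_write(&c, "SIG-UNKNOWN");
}

int main(void)
{
    static const char *names[] = { "legal", "pending", "tamper" };
    printf("event log service write:  %s\n", names[sample_service_write()]);
    printf("foreign module on stack:  %s\n", names[sample_injected_write()]);
    printf("unexpected signature:     %s\n", names[sample_bad_signature()]);
    return 0;
}
```

The second sample is the case the text singles out in step 202: the image path alone would pass, and only the stack call information reveals that the write did not originate in the expected module.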
Step 209: perform release processing or interception processing on the system security log tampering behavior according to a mode selection instruction from the user; the mode selection instruction is a synchronous mode instruction or an asynchronous mode instruction.
In synchronous mode, the system security log tampering behavior is released or intercepted according to a release instruction or interception instruction for the modification behavior received from the user. If neither instruction is received from the user within a preset time, default processing is applied to the tampering behavior; the default processing may be release processing or interception processing, and is usually interception processing.
In asynchronous mode, no release or interception instruction for the modification behavior needs to be received from the user: once the modification behavior is confirmed to be a system security log tampering behavior, default processing (release or interception, usually interception) is applied directly, and the tampering behavior information, comprising the process name, tampering time, file name and the like corresponding to the tampering behavior, is displayed on the application layer interface.
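The following is an added example, not the application's code, modelling the step-209 disposition of a confirmed tampering behavior in synchronous and asynchronous mode. The user's answer is supplied through a callback so the timeout path can be exercised without a console, the clock is a plain poll counter, and the default processing is interception, which the text says is the usual choice; the sample event values are constructed.

```c
#include <stdbool.h>
#include <stdio.h>

typedef enum { MODE_SYNC, MODE_ASYNC } run_mode;
typedef enum { INTERCEPT = 0, RELEASE = 1 } action;

/* Information displayed on the application layer interface. */
typedef struct {
    const char *process_name;
    const char *file_name;
    unsigned    tamper_time;    /* seconds since start; constructed clock */
} tamper_event;

/* Asks the user for a decision; returns true and sets *a if one arrived. */
typedef bool (*user_answer_fn)(unsigned elapsed_s, action *a);

static void show_on_interface(const tamper_event *e, action a)
{
    printf("tampering: process=%s file=%s time=%u -> %s\n",
           e->process_name, e->file_name, e->tamper_time,
           a == RELEASE ? "released" : "intercepted");
}

/* Decides how a confirmed tampering behavior is processed. */
action dispose(run_mode mode, const tamper_event *e, unsigned timeout_s, user_answer_fn ask)
{
    action a = INTERCEPT;                 /* default processing: interception */
    if (mode == MODE_SYNC) {
        /* poll once per second until the user answers or the preset time expires */
        for (unsigned t = 0; t < timeout_s; t++)
            if (ask(t, &a))
                break;
    }
    /* MODE_ASYNC never consults the user: the default applies at once. */
    show_on_interface(e, a);
    return a;
}

/* Constructed user behaviours. */
static bool never_answers(unsigned t, action *a) { (void)t; (void)a; return false; }
static bool releases_at_3s(unsigned t, action *a)
{
    if (t == 3) { *a = RELEASE; return true; }
    return false;
}

static const tamper_event SAMPLE = { "example_editor.exe", "\\Windows\\System32\\Winevt\\Logs\\System", 42 };

action sync_no_answer(void)   { return dispose(MODE_SYNC,  &SAMPLE, 10, never_answers); }
action sync_released(void)    { return dispose(MODE_SYNC,  &SAMPLE, 10, releases_at_3s); }
action sync_late_answer(void) { return dispose(MODE_SYNC,  &SAMPLE, 2,  releases_at_3s); } /* answer after the deadline */
action async_default(void)    { return dispose(MODE_ASYNC, &SAMPLE, 10, releases_at_3s); } /* user never asked */

int main(void)
{
    sync_no_answer(); sync_released(); sync_late_answer(); async_default();
    return 0;
}
```

The point of the model is the fail-closed default: a user answer that arrives after the preset time, or any answer at all in asynchronous mode, does not change the disposition, so an unattended console still blocks the write.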
It should be noted that the present application is applicable to operating systems deployed in the x86 and x64 environments of win7 and win10, the hardware need only be sufficient for win7 to run smoothly, and the main modules of the present application are defined in a header file as a kernel driver layer and an application layer interface, through which they are seamlessly integrated with the client application layer. In addition, the framework process corresponding to the test program combines well with related products; compatibility is good, operation is stable, the false alarm rate is reduced through real-time monitoring control, interactivity is good, operation is convenient, and the detailed logging of behavior is controllable.
By applying the technical solution of this embodiment, the system security log is monitored in real time by the file system minifilter driver in the kernel, the modification behavior of the monitored log is intercepted, the path information and stack call information corresponding to the modification behavior are obtained from the intercepted behavior, and whether the modification behavior is a system security log tampering behavior is judged from that path information and stack call information. That is, whether a modification of the system security log is illegal is judged from the file object name in the file system minifilter driver together with the stack call information traced back through the kernel stack, so that tampering operations are prevented and legal modifications are released. Real-time monitoring of malicious tampering with the system security event records of the operating system is thus realized, the professional requirements on operation and maintenance personnel and hence personnel costs are reduced, and malicious tampering with the system security event records is identified with higher accuracy.
Further, as a specific implementation of the method of fig. 1, an embodiment of the present application provides an apparatus for identifying tampering behavior of a system security log. As shown in fig. 3, the apparatus comprises a monitoring module 31, an acquisition module 32 and a judgment module 33.
The monitoring module 31 is configured to monitor the system security log in real time by using a file system minifilter driver in the kernel, and to intercept modification behaviors of the monitored system security log;
the acquisition module 32 is configured to obtain the path information and stack call information corresponding to the modification behavior according to the intercepted modification behavior of the system security log;
and the judgment module 33 is configured to judge whether the modification behavior is a system security log tampering behavior according to the path information and stack call information of the modification behavior.
In a specific application scenario, as shown in fig. 4, the apparatus further includes a configuration module 34.
The configuration module 34 is configured to obtain the configuration file information of the modification behavior; and
to release legal modification behaviors of the system security log according to the security protection information, interrupt request level information, file name information and file length information in the configuration file information.
In a specific application scenario, as shown in fig. 4, the acquisition module 32 specifically includes an analysis unit 321 and a path unit 322.
The analysis unit 321 is configured to analyze the intercepted modification behavior to obtain the process information of the modification behavior.
The path unit 322 is configured to obtain the path information corresponding to the modification behavior according to the process information of the modification behavior.
In a specific application scenario, as shown in fig. 4, the analysis unit 321 is specifically configured:
to obtain, if the modification behavior is an addition behavior, the process information of the addition behavior according to the dynamic link library called through the application programming interface (API); and
to obtain, if the modification behavior is a change or deletion behavior, the process information of the change or deletion behavior according to the system security log file in the evtx file format.
In a specific application scenario, as shown in fig. 4, the judgment module 33 specifically includes a query unit 331, a to-be-determined unit 332 and a tampering confirmation unit 333.
The query unit 331 is specifically configured to query the path information and stack call information of the modification behavior by using a preset rule base;
the to-be-determined unit 332 is specifically configured to determine, if the path information and stack call information of the modification behavior are consistent with the corresponding standard path information and standard stack call information in the preset rule base, that the modification behavior is a to-be-determined system security log modification behavior, and to send an execution request corresponding to the to-be-determined legal system security log modification behavior to the application layer;
and the tampering confirmation unit 333 is specifically configured to determine, if at least one of the path information and the stack call information of the modification behavior is inconsistent with the corresponding standard path information and standard stack call information in the preset rule base, that the modification behavior is a system security log tampering behavior.
In a specific application scenario, as shown in fig. 4, the apparatus further includes an application layer module 35 and a processing module 36.
The application layer module 35 is configured to obtain, at the application layer, the behavior log corresponding to the received execution request; and
to determine that the modification behavior is a legal modification behavior of the system security log if the signature information in the behavior log is consistent with the preset signature information; and
to determine that the modification behavior is a system security log tampering behavior if the signature information in the behavior log is inconsistent with the preset signature information.
The processing module 36 is configured to perform release processing or interception processing on the system security log tampering behavior according to a mode selection instruction from the user; the mode selection instruction is a synchronous mode instruction or an asynchronous mode instruction.
It should be noted that, in this embodiment, further descriptions of the functional units of the apparatus for identifying tampering behavior of a system security log correspond to the descriptions given for fig. 1 and fig. 2, and are not repeated here.
Based on the methods shown in fig. 1 and fig. 2, an embodiment of the present application correspondingly further provides a storage medium on which a computer program is stored; when the computer program is executed by a processor, the method for identifying tampering behavior of a system security log shown in fig. 1 and fig. 2 is implemented.
Based on such understanding, the technical solution of the present application may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a USB disk, a removable hard disk, etc.) and includes several instructions for enabling a computer device (which may be a personal computer, a server, a network device, etc.) to execute the method according to the implementation scenarios of the present application.
Based on the method shown in fig. 1 and fig. 2 and the virtual apparatus embodiment shown in fig. 3 and fig. 4, in order to achieve the above object, an embodiment of the present application further provides a computer device, which may specifically be a personal computer, a server, a network device or the like, the computer device including a storage medium and a processor; the storage medium stores a computer program, and the processor executes the computer program to implement the method for identifying tampering behavior of a system security log shown in fig. 1 and fig. 2.
Optionally, the computer device may also include a user interface, a network interface, a camera, radio frequency (RF) circuitry, sensors, audio circuitry, a WI-FI module and so forth. The user interface may include a display screen (Display) and an input unit such as a keyboard (Keyboard), and may optionally also include a USB interface, a card reader interface and the like. The network interface may optionally include a standard wired interface or a wireless interface (e.g., a Bluetooth interface or a WI-FI interface).
It will be appreciated by those skilled in the art that the computer device architecture provided in this embodiment does not limit the computer device, which may include more or fewer components, combine some components, or arrange the components differently.
The storage medium may further include an operating system and a network communication module. The operating system is a program that manages and maintains the hardware and software resources of the computer device and supports the operation of the information handling program as well as other software and/or programs. The network communication module is used to realize communication among the components in the storage medium and with other hardware and software in the physical device.
Through the description of the above embodiments, those skilled in the art can clearly understand that the present application can be implemented by software plus a necessary general hardware platform, and can also, by hardware, monitor the system security log in real time using a file system minifilter driver in the kernel, intercept the modification behavior of the monitored system security log, obtain the path information and stack call information corresponding to the modification behavior from the intercepted behavior, and judge whether the modification behavior is a system security log tampering behavior from that path information and stack call information. The method and apparatus thereby realize real-time monitoring of malicious tampering with the system security event records of the operating system by means of the file system minifilter driver in the kernel, reduce the professional requirements on operation and maintenance personnel and hence personnel costs, and identify malicious tampering with the system security event records with higher accuracy.
The embodiment of the invention provides the following technical solutions:
A1, a method for identifying tampering behavior of a system security log, comprising:
monitoring a system security log in real time by using a file system minifilter driver in a kernel, and intercepting the modification behavior of the monitored system security log;
acquiring, according to the intercepted modification behavior of the system security log, path information and stack call information corresponding to the modification behavior;
and judging whether the modification behavior is a system security log tampering behavior according to the path information and stack call information of the modification behavior.
A2, the method according to claim A1, wherein, before the path information and stack call information corresponding to the modification behavior are acquired according to the intercepted modification behavior of the system security log, the method further comprises:
acquiring configuration file information of the modification behavior;
and releasing the legal modification behavior of the system security log according to the security protection information, the interrupt request level information, the file name information and the file length information in the configuration file information.
A3, the method according to claim A1, wherein the acquiring, according to the intercepted modification behavior of the system security log, of the path information and stack call information corresponding to the modification behavior specifically includes:
analyzing the intercepted modification behavior to obtain the process information of the modification behavior;
and acquiring path information corresponding to the modification behavior according to the process information of the modification behavior.
A4, the method according to claim A3, wherein the analyzing the intercepted modification behavior to obtain the process information of the modification behavior specifically includes:
if the modification behavior is an increase behavior, obtaining the process information of the increase behavior according to a dynamic link library called by an Application Programming Interface (API);
and if the modification behavior is a change or deletion behavior, obtaining the process information of the change or deletion behavior according to the system security log file in the evtx file format.
A5, the method according to claim a1, wherein the determining whether the modification behavior is a system security log tampering behavior according to the path information and the stack call information of the modification behavior specifically includes:
inquiring the path information and stack calling information of the modification behavior by using a preset rule base;
if the path information and the stack calling information of the modification behavior are consistent with the corresponding standard path information and standard stack calling information in a preset rule base, the modification behavior is a modification behavior of a system security log to be determined, and an execution request corresponding to the modification behavior of the system security log to be determined is sent to an application layer;
and if at least one of the path information and the stack calling information of the modification behavior is inconsistent with the corresponding standard path information and standard stack calling information in a preset rule base, tampering the behavior of the security log of the modification behavior system.
A6, the method according to claim A5, wherein if the path information and the stack call information of the modification behavior are consistent with the corresponding standard path information and standard stack call information in the preset rule base, the modification behavior is a to-be-determined system security log modification behavior, and after the execution request corresponding to the to-be-determined system security log modification behavior is sent to the application layer, the method further includes:
the application layer acquires a behavior log corresponding to the execution request according to the received execution request;
if the signature information in the behavior log is consistent with preset signature information, the modification behavior is a legal modification behavior of the system security log;
and if the signature information in the behavior log is inconsistent with the preset signature information, the modification behavior is a system security log tampering behavior.
A7, the method of claim A4 or A6, wherein the method further comprises:
according to a mode selection instruction from a user, performing release processing or interception processing on the system security log tampering behavior;
wherein the mode selection instruction is a synchronous mode instruction or an asynchronous mode instruction.
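As an added example, not the application's driver code, the following Python reproduces the decision logic of claims A5 to A7 in user mode: the rule-base query on path information and stack call information, the hand-off of a to-be-determined behavior to the application layer for the signature check, and the release or interception chosen by the mode selection instruction. The rule base, image paths, module names and preset signer are constructed; mapping the synchronous mode to interception and the asynchronous mode to release with a record is an assumption, as the claims name the two modes without defining them.

```python
"""Rule-base check (claim A5), application-layer signature check (claim A6)
and mode handling (claim A7), as added example logic in user-mode Python.
This is not the patent's driver code. The rule base, image paths, module
names and signer name are constructed for the example, and the mapping of the
synchronous mode to interception and the asynchronous mode to release with a
record is an assumption about how the modes are intended."""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed rule base: standard image path -> standard call stack, given as the
# ordered list of modules (innermost frame first) expected when that process
# writes the security log.
RULE_BASE = {
    r"c:\windows\system32\svchost.exe": ["wevtsvc.dll", "kernelbase.dll", "ntdll.dll"],
}
PRESET_SIGNER = "Microsoft Windows"      # preset signature information, constructed

PENDING, LEGAL, TAMPER = "pending", "legal", "tampering"


@dataclass
class Modification:
    image_path: str                       # path information of the writing process
    stack_modules: List[str]              # stack call information, innermost frame first
    signer: str = ""                      # signature information in the behavior log


def stack_signature(frames: List[str]) -> List[str]:
    """Collapse consecutive frames from the same module so that the comparison
    is over the sequence of modules, not the number of frames in each."""
    sig = []
    for m in (f.lower() for f in frames):
        if not sig or sig[-1] != m:
            sig.append(m)
    return sig


def kernel_check(mod: Modification) -> Tuple[str, str]:
    """Claim A5: both path and stack consistent with the rule base -> pending
    (execution request goes to the application layer); otherwise tampering."""
    standard = RULE_BASE.get(mod.image_path.lower())
    if standard is None:
        return TAMPER, "path not in rule base"
    if stack_signature(mod.stack_modules) != standard:
        return TAMPER, "call stack differs from standard stack"
    return PENDING, "path and stack consistent; execution request sent to application layer"


def application_check(mod: Modification) -> Tuple[str, str]:
    """Claim A6: signature information consistent with the preset -> legal."""
    if mod.signer == PRESET_SIGNER:
        return LEGAL, "signature consistent with preset"
    return TAMPER, "signature inconsistent with preset"


def classify(mod: Modification) -> Tuple[str, str]:
    verdict, reason = kernel_check(mod)
    if verdict == PENDING:                # only a pending behavior reaches the application layer
        verdict, reason = application_check(mod)
    return verdict, reason


def handle(mod: Modification, mode: str) -> Tuple[str, str]:
    """Claim A7 with the assumed mapping: 'sync' intercepts a tampering write
    before it reaches the log, 'async' releases it and records the verdict."""
    verdict, reason = classify(mod)
    if verdict != TAMPER:
        return "release", reason
    if mode == "sync":
        return "intercept", reason
    if mode == "async":
        return "release_and_record", reason
    raise ValueError(f"unknown mode selection instruction: {mode}")


# Constructed sample modifications.
LEGIT = Modification(r"C:\Windows\System32\svchost.exe",
                     ["wevtsvc.dll", "wevtsvc.dll", "KERNELBASE.dll", "ntdll.dll"],
                     signer=PRESET_SIGNER)
UNKNOWN_PATH = Modification(r"C:\Users\tmp\cleaner.exe", ["cleaner.exe", "ntdll.dll"])
INJECTED = Modification(r"C:\Windows\System32\svchost.exe",
                        ["inject.dll", "wevtsvc.dll", "KERNELBASE.dll", "ntdll.dll"],
                        signer=PRESET_SIGNER)
UNSIGNED = Modification(r"C:\Windows\System32\svchost.exe",
                        ["wevtsvc.dll", "KERNELBASE.dll", "ntdll.dll"], signer="")

if __name__ == "__main__":
    for name, m in (("legit", LEGIT), ("unknown_path", UNKNOWN_PATH),
                    ("injected", INJECTED), ("unsigned", UNSIGNED)):
        print(name, classify(m), handle(m, "sync"), handle(m, "async"))
```

The order matters: a stack mismatch is decided in the kernel without consulting the application layer, while a consistent path and stack only earn a pending verdict that the signature check must confirm, so a signed image with an unexpected module on its stack and an unsigned image with the expected stack are both reported as tampering.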
B8, an apparatus for identifying a tampering behavior of a system security log, comprising:
a monitoring module, used for monitoring the system security log in real time by using a file system small filter driver in the kernel and intercepting the modification behavior of the monitored system security log;
an acquisition module, used for acquiring path information and stack call information corresponding to the modification behavior according to the intercepted modification behavior of the system security log;
and a judging module, used for judging whether the modification behavior is a system security log tampering behavior according to the path information and the stack call information of the modification behavior.
B9, the apparatus according to claim B8, further comprising:
a configuration module, used for acquiring the configuration file information of the modification behavior, and
for releasing the legal modification behavior of the system security log according to the security protection information, the interrupt request level (IRQL) information, the file name information and the file length information in the configuration file information.
B10, the apparatus according to claim B8, wherein the acquisition module specifically includes:
a parsing unit, used for parsing the intercepted modification behavior to obtain the process information of the modification behavior;
and a path unit, used for acquiring the path information corresponding to the modification behavior according to the process information of the modification behavior.
B11, the apparatus according to claim B10, wherein the parsing unit specifically includes:
an analysis unit, used for obtaining the process information of the addition behavior according to the dynamic link library called through the Application Programming Interface (API) if the modification behavior is an addition behavior, and
for obtaining the process information of the change or deletion behavior according to the system security log file in the evtx file format if the modification behavior is a change or deletion behavior.
B12, the apparatus according to claim B8, wherein the judging module specifically includes:
a query unit, used for querying a preset rule base with the path information and the stack call information of the modification behavior;
a to-be-determined unit, used for determining that the modification behavior is a to-be-determined system security log modification behavior if the path information and the stack call information of the modification behavior are both consistent with the corresponding standard path information and standard stack call information in the preset rule base, and for sending an execution request corresponding to the to-be-determined system security log modification behavior to an application layer;
and a tampering confirmation unit, used for determining that the modification behavior is a system security log tampering behavior if at least one of the path information and the stack call information of the modification behavior is inconsistent with the corresponding standard path information or standard stack call information in the preset rule base.
B13, the apparatus according to claim B12, further comprising:
an application layer module, used for acquiring, at the application layer, a behavior log corresponding to the execution request according to the received execution request, and
for determining that the modification behavior is a legal modification behavior of the system security log if the signature information in the behavior log is consistent with preset signature information, and
for determining that the modification behavior is a system security log tampering behavior if the signature information in the behavior log is inconsistent with the preset signature information.
B14, the apparatus of claim B11 or B13, further comprising:
the processing module is used for performing release processing or interception processing on the system security log tampering behavior according to a mode selection instruction from a user;
wherein the mode selection instruction is a synchronous mode instruction or an asynchronous mode instruction.
C15, a storage medium on which a computer program is stored, characterized in that the program, when executed by a processor, implements the method for identifying tampering behavior of a system security log according to any one of claims A1 to A7.
D16, a computer device comprising a storage medium, a processor and a computer program stored on the storage medium and executable on the processor, wherein the processor, when executing the program, implements the method for identifying tampering behavior of a system security log according to any one of claims A1 to A7.
Those skilled in the art will appreciate that the figures are merely schematic representations of one preferred implementation scenario and that the blocks or flow diagrams in the figures are not necessarily required to practice the present application. Those skilled in the art will appreciate that the modules in the devices in the implementation scenario may be distributed in the devices in the implementation scenario according to the description of the implementation scenario, or may be located in one or more devices different from the present implementation scenario with corresponding changes. The modules of the implementation scenario may be combined into one module, or may be further split into a plurality of sub-modules.
The serial numbers of the above embodiments are for description purposes only and do not represent the superiority or inferiority of the implementation scenarios. The above disclosure is only a few specific implementation scenarios of the present application, but the present application is not limited thereto, and any variations that can be made by those skilled in the art are intended to fall within the scope of the present application.