CN109783316B - Method and device for identifying tampering behavior of system security log, storage medium and computer equipment

Info

Publication number: CN109783316B
Application number: CN201811646160.8A
Authority: CN (China)
Other versions: CN109783316A
Other languages: Chinese (zh)
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Prior art keywords: behavior, information, modification, system security, security log
Inventors: 杨振华, 杨晓东, 杨小波
Current assignee: Qianxin Technology Group Co Ltd; Qianxin Safety Technology Zhuhai Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Qianxin Technology Group Co Ltd; Qianxin Safety Technology Zhuhai Co Ltd

Landscapes

  • Debugging And Monitoring (AREA)
  • Storage Device Security (AREA)

Abstract

The application discloses a method and a device for identifying tampering behaviors of system security logs, a storage medium and computer equipment. The method comprises the following steps: monitoring a system security log in real time by using a file system minifilter driver in the kernel, and intercepting the modification behavior of the monitored system security log; acquiring, according to the intercepted modification behavior, the path information and stack call information corresponding to the modification behavior; and judging whether the modification behavior is a system security log tampering behavior according to the path information and the stack call information of the modification behavior. With the method and the device, real-time monitoring of malicious tampering of the system security event records inside the operating system is realized by utilizing the file system minifilter driver in the kernel; at the same time, the professional requirements on operation and maintenance personnel and the personnel cost are reduced, and the accuracy of recognizing malicious tampering of the system security event records inside the operating system is higher.

Description

Method and device for identifying tampering behavior of system security log, storage medium and computer equipment
Technical Field
The present application relates to the field of operating system security technologies, and in particular, to a method and an apparatus for identifying a tampering behavior of a system security log, a storage medium, and a computer device.
Background
With the development of internet technology, the security of the operating system has become important. While running, the operating system records various system security events, such as system start time, running time, shutdown time, service start/stop, system configuration, network configuration, file system information, and the like.
As the cost of hacker attacks keeps falling, operating systems are increasingly exploited by malicious programs such as viruses and trojans. Existing security protection systems have no means of monitoring malicious tampering of the system security event records inside the operating system, so such tampering cannot be monitored in real time; instead, professional operation and maintenance personnel must search manually, which places high professional demands on them, is costly in personnel, and yields low accuracy in identifying malicious tampering of the system security event records inside the operating system.
Disclosure of Invention
In view of this, the present application provides a method and an apparatus for identifying a system security log tampering behavior, a storage medium, and a computer device, which utilize a file system minifilter driver in the kernel to implement real-time monitoring of malicious tampering of the system security log inside the operating system, so as to prevent a modification determined to be malicious tampering of the system security log and release a modification determined to be legitimate, thereby preventing the operating system from being exploited by malicious programs such as viruses and trojans.
According to one aspect of the application, a method for identifying tampering behaviors of a system security log is provided, which includes:
monitoring a system security log in real time by using a file system minifilter driver in the kernel, and intercepting the modification behavior of the monitored system security log;
acquiring, according to the intercepted modification behavior of the system security log, the path information and stack call information corresponding to the modification behavior;
and judging whether the modification behavior is a system security log tampering behavior according to the path information and stack call information of the modification behavior.
According to another aspect of the present application, there is provided an apparatus for identifying tampering behavior of a system security log, including:
a monitoring module, used for monitoring the system security log in real time by using the file system minifilter driver in the kernel;
an intercepting module, used for intercepting the monitored modification behavior of the system security log and acquiring the path information and stack call information corresponding to the modification behavior;
and a judging module, used for judging whether the modification behavior is a system security log tampering behavior according to the path information and the stack call information of the modification behavior.
According to yet another aspect of the present application, there is provided a storage medium having stored thereon a computer program which, when executed by a processor, implements the above method for identifying tampering behaviour of a system security log.
According to yet another aspect of the present application, there is provided a computer device, including a storage medium, a processor, and a computer program stored on the storage medium and executable on the processor, where the processor implements the method for identifying tampering behavior of a system security log when executing the computer program.
By means of the above technical scheme, the method and device for identifying tampering behavior of a system security log, the storage medium and the computer equipment provided by the application monitor the system security log in real time by using the file system minifilter driver in the kernel, intercept the monitored modification behavior of the system security log, obtain the path information and stack call information of the modification behavior according to the intercepted modification behavior, and judge whether the modification behavior is a tampering behavior of the system security log according to that path information and stack call information. With the method and the device, real-time monitoring of malicious tampering of the system security event records inside the operating system is realized by utilizing the file system minifilter driver in the kernel; at the same time, the professional requirements on operation and maintenance personnel and the personnel cost are reduced, and the accuracy of recognizing malicious tampering of the system security event records inside the operating system is higher.
The foregoing is only an overview of the technical solutions of the present application. In order that the technical means of the present application may be understood more clearly and implemented according to the content of the description, and in order that the above and other objects, features, and advantages of the present application may be more clearly understandable, the detailed description of the present application follows.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
fig. 1 is a schematic flowchart illustrating a method for identifying tampering behavior of a system security log according to an embodiment of the present application;
fig. 2 is a schematic flowchart illustrating another method for identifying tampering behavior of a system security log according to an embodiment of the present application;
fig. 3 is a schematic structural diagram illustrating an apparatus for identifying tampering behavior of a system security log according to an embodiment of the present application;
fig. 4 shows a schematic structural diagram of another identification apparatus for system security log tampering behavior provided in an embodiment of the present application.
Detailed Description
The present application will be described in detail below with reference to the accompanying drawings in conjunction with embodiments. It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict.
In this embodiment, a method for identifying tampering behavior of a system security log is provided, as shown in fig. 1, the method includes:
Step 101, utilizing a file system minifilter driver in the kernel to monitor a system security log in real time, and intercepting the modification behavior of the monitored system security log.
The file system minifilter driver in the kernel is used to monitor the system security log file in real time, so that modification behavior of the system security log in that file is monitored in real time. Specifically, if the system security log in the system security log file receives no modification request, the system security log is not processed; if the system security log in the system security log file receives a modification request, the modification behavior that the request would produce on the system security log is intercepted.
As found by debugging, the system security log is usually stored in the system security log file Windows\System32\Winevt\Logs\System.
Step 102, acquiring the path information and stack call information corresponding to the modification behavior according to the intercepted modification behavior of the system security log.
The intercepted modification behavior of the system security log is analyzed; according to the type of the modification behavior, the path information acquisition mode and the stack call information acquisition mode corresponding to that type are determined, and the path information and stack call information corresponding to the modification behavior are acquired respectively according to the determined acquisition modes.
The modification behavior types include adding data to, modifying data in, and deleting data from the system security log.
Step 103, judging whether the modification behavior is a system security log tampering behavior according to the path information and the stack call information of the modification behavior.
The acquired path information and stack call information of the modification behavior are compared respectively with the standard path information and standard stack call information corresponding to that modification behavior in a preset rule base. If at least one of the path information and the stack call information of the modification behavior is inconsistent with the corresponding standard path information or standard stack call information in the preset rule base, the modification behavior is determined to be a system security log tampering behavior; otherwise, if both the path information and the stack call information of the modification behavior are consistent with the corresponding standard path information and standard stack call information in the preset rule base, the modification behavior is determined not to be a system security log tampering behavior.
By applying the technical scheme of this embodiment, the file system minifilter driver in the kernel is utilized to monitor the system security log in real time; the monitored modification behavior of the system security log is intercepted; the path information and stack call information corresponding to the modification behavior are obtained from the intercepted modification behavior; and whether the modification behavior is a system security log tampering behavior is judged from that path information and stack call information. With the method and the device, real-time monitoring of malicious tampering of the system security event records inside the operating system is realized by utilizing the file system minifilter driver in the kernel; at the same time, the professional requirements on operation and maintenance personnel and the personnel cost are reduced, and the accuracy of recognizing malicious tampering of the system security event records inside the operating system is higher.
Further, as a refinement and an extension of the specific implementation of the foregoing embodiment, in order to fully describe the specific implementation process of this embodiment, another method for identifying a tampering behavior of a system security log is provided, as shown in fig. 2, the method includes:
Step 201, a file system minifilter driver in the kernel is used to monitor a system security log in real time and to intercept the monitored modification behavior of the system security log.
Step 202, obtaining configuration file information of the modification behavior; and releasing the legal modification behavior of the system security log according to the security protection information, the interrupt request level information, the file name information and the file length information in the configuration file information.
Whether the modification behavior is a system security log tampering behavior is judged by first obtaining the configuration file information of the modification behavior: a modification behavior that the configuration file information shows to be a legal modification of the system security log, i.e. one made by a legal program, is released, and only the modification behaviors that are not released (those still to be determined) are judged further. This effectively avoids the problem of monitoring malicious modification behavior only by program type or program path, where the monitoring granularity is coarse and the monitoring accuracy low. Specifically, when a dynamic link library is injected into a legal program so as to read and write the disk directly, an attacker exploits that flaw, such a monitoring means releases part of the malicious modification behavior, and the operating system is maliciously used or attacked.
In the embodiment of the application, a callback function in the file system minifilter driver of the Windows kernel is used to acquire the configuration file information of the modification behavior, and whether the modification behavior is a legal modification behavior of the system security log is judged according to the acquired configuration file information. When a write request IRP_MJ_WRITE is received, the callback function is invoked, and the configuration file information of the modification behavior is acquired in the callback function.
It should be noted that, according to the requirements of the actual application scenario, different restrictions may be applied to the obtained configuration file information of the modification behavior, and according to the configuration file information of the modification behavior, one or more of security protection information, interrupt request level information, creation source information of the modification request, I/O operation state information, product parameter information, file name information, and file length information are obtained.
For example, whether security protection is on (e.g., whether a firewall is on) is determined from the security protection information; whether the interrupt request level is the lowest level PASSIVE_LEVEL is determined from the interrupt request level information; whether the sender of a modification request is the application layer is determined from the creation source information of the modification request; whether the I/O operation is paging I/O (IRP_PAGING_IO) executed on memory pages is determined from the I/O operation state information; whether the operation belongs to a preset product is determined from the product parameter information; and whether the file name is null, and whether the file name is Windows\System32\Winevt\Logs\System, are determined from the file name information.
In the embodiment of the present application, if the modification behavior is determined to be a legal modification behavior of the system security log, it is released directly; if it is determined not to be a legal modification behavior of the system security log, it remains intercepted, a further determination is made on it, and step 203 is entered. The modification behavior comprises an addition behavior, a change behavior and a deletion behavior.
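The pre-check of step 202, as an added example in C that is not code from the patent or from any Qianxin product: a user-mode simulation of the decision an IRP_MJ_WRITE pre-operation callback could make from the configuration information the text lists. The struct, its field names and the helper names are assumptions; so is the release polarity, since the text names the checks but not their outcomes: here a write is held for path and stack analysis only when protection is on, the request comes from the application layer at PASSIVE_LEVEL, is not paging I/O, is not the product's own operation, and targets the monitored log file, and every other write is released as a legal modification. The sample requests are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Windows IRQL value for PASSIVE_LEVEL (real constant, named by the patent). */
#define PASSIVE_LEVEL 0

/* The monitored log file exactly as the patent text gives it (the text stops
 * at "System", so no extension is assumed). It is matched as a
 * case-insensitive substring of the full NT file object name. */
#define MONITORED_LOG "\\Windows\\System32\\Winevt\\Logs\\System"

/* Constructed summary of what a minifilter pre-write callback can learn about
 * an IRP_MJ_WRITE. Field names are assumptions, not WDK names. */
typedef struct {
    int protection_on;     /* security protection information: protection enabled */
    int irql;              /* interrupt request level information */
    int from_user_mode;    /* creation source: request comes from the application layer */
    int paging_io;         /* I/O operation state: IRP_PAGING_IO flush by the memory manager */
    int own_product_op;    /* product parameter information: the product's own operation */
    const char *file_name; /* file name information; NULL when unavailable */
} WriteRequest;

enum precheck_result { RELEASE_NOW, HOLD_FOR_ANALYSIS };

/* Case-insensitive substring test (NT file names are case-insensitive). */
static int ci_contains(const char *hay, const char *needle)
{
    size_t n = strlen(needle);
    for (; *hay != '\0'; hay++) {
        size_t i = 0;
        while (i < n && hay[i] != '\0' &&
               tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i]))
            i++;
        if (i == n)
            return 1;
    }
    return 0;
}

int is_monitored_log(const char *file_name)
{
    return file_name != NULL && ci_contains(file_name, MONITORED_LOG);
}

/* Step 202 with the assumed polarity: only a user-mode write at PASSIVE_LEVEL
 * that is not paging I/O, not the product's own operation, and that targets the
 * monitored log while protection is on is held for path/stack analysis.
 * Every other write is treated as a legal modification and released at once. */
enum precheck_result precheck(const WriteRequest *req)
{
    if (!req->protection_on)               return RELEASE_NOW; /* protection off: nothing to enforce */
    if (req->irql != PASSIVE_LEVEL)        return RELEASE_NOW; /* raised IRQL: no stack walk or app-layer hand-off */
    if (!req->from_user_mode)              return RELEASE_NOW; /* kernel-originated request */
    if (req->paging_io)                    return RELEASE_NOW; /* cache flush, not a direct application write */
    if (req->own_product_op)               return RELEASE_NOW; /* the protection product's own I/O */
    if (!is_monitored_log(req->file_name)) return RELEASE_NOW; /* null name, or some other file */
    return HOLD_FOR_ANALYSIS;
}

/* Constructed sample requests; device path and user name are illustrative. */
#define LOG_PATH "\\Device\\HarddiskVolume1\\WINDOWS\\system32\\winevt\\Logs\\System.evtx"
const WriteRequest REQ_USER_WRITE     = { 1, PASSIVE_LEVEL,     1, 0, 0, LOG_PATH };
const WriteRequest REQ_SERVICE_FLUSH  = { 1, PASSIVE_LEVEL,     0, 1, 0, LOG_PATH };
const WriteRequest REQ_OTHER_FILE     = { 1, PASSIVE_LEVEL,     1, 0, 0, "\\Device\\HarddiskVolume1\\Users\\alice\\notes.txt" };
const WriteRequest REQ_PROTECTION_OFF = { 0, PASSIVE_LEVEL,     1, 0, 0, LOG_PATH };
const WriteRequest REQ_HIGH_IRQL      = { 1, PASSIVE_LEVEL + 1, 1, 0, 0, LOG_PATH };
const WriteRequest REQ_NO_NAME        = { 1, PASSIVE_LEVEL,     1, 0, 0, NULL };

int main(void)
{
    const WriteRequest *all[] = { &REQ_USER_WRITE, &REQ_SERVICE_FLUSH, &REQ_OTHER_FILE,
                                  &REQ_PROTECTION_OFF, &REQ_HIGH_IRQL, &REQ_NO_NAME };
    for (size_t i = 0; i < sizeof all / sizeof all[0]; i++)
        printf("request %zu: %s\n", i,
               precheck(all[i]) == HOLD_FOR_ANALYSIS ? "hold for analysis" : "release");
    return 0;
}
```

In a real minifilter the name would come from FltGetFileNameInformation and the IRQL from KeGetCurrentIrql; the point of the fast path is that the expensive work (kernel stack walk, round trip to the application layer) is only paid for the small set of writes that can actually touch the log from user mode.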
Step 203, analyzing the intercepted modification behavior to obtain the process information of the modification behavior.
In the above embodiment, specifically, the step of analyzing the intercepted modification behavior to obtain the process information of the modification behavior includes:
step 2031, if the modification behavior is an addition behavior, obtaining the process information of the addition behavior according to a dynamic link library called by an application programming interface API.
After the modification behavior is determined to be the addition behavior according to the modification behavior, determining an Application Programming Interface (API) corresponding to the addition request according to the addition request corresponding to the addition behavior, calling a dynamic link library corresponding to the addition request according to the API corresponding to the addition request, and determining to execute the service corresponding to the addition request, so that the process information corresponding to the addition behavior is obtained.
Step 2032, if the modification action is a change or deletion action, obtaining the process information of the change or deletion action according to the system security log file in the evtx file format.
After determining that the modification behavior is a change or deletion behavior, the process information of the change or deletion behavior is determined by analyzing the file format of the system security log file Windows\System32\Winevt\Logs\System.
Step 204, acquiring the path information corresponding to the modification behavior according to the process information of the modification behavior.
When the modification behavior is determined to be an addition behavior, the path information of the addition behavior is obtained from the process information corresponding to the addition behavior; when the modification behavior is determined to be a change or deletion behavior, the path information of the change or deletion behavior is obtained from the process information of that behavior in the system security log file Windows\System32\Winevt\Logs\System.
Step 205, using a preset rule base to query the path information and stack call information of the modification behavior.
And according to the modification behavior, utilizing the kernel stack to backtrack and acquire stack calling information corresponding to the modification behavior, wherein the stack calling information comprises a thread stack address sequence, so that whether the modification behavior is a system security log tampering behavior is determined according to the stack calling information of the modification behavior.
According to the acquired path information and stack call information of the modification behavior, the preset rule base is used for inquiring the standard path information and the standard stack call information corresponding to the modification behavior, and whether the modification behavior is the tampering behavior of the system security log is determined, so that the legal modification behavior of the system security log is released, and the tampering behavior of the system security log is prevented.
Step 206, if the path information and the stack call information of the modification behavior are consistent with the corresponding standard path information and standard stack call information in the preset rule base, the modification behavior is a to-be-determined system security log modification behavior; an execution request corresponding to it is sent to the application layer, and the process proceeds to step 208.
It should be noted that, in order to ensure the stability of the operating system, the execution request corresponding to the to-be-determined system security log modification behavior sent to the application layer includes process information (e.g., a process number identifier), thread information (e.g., a thread number identifier), and file path information corresponding to the to-be-determined system security log modification behavior.
Step 207, if at least one of the path information and the stack call information of the modification behavior is inconsistent with the corresponding standard path information or standard stack call information in the preset rule base, the modification behavior is determined to be a system security log tampering behavior, which is reported through the application layer to the application layer interface, and the process goes to step 209.
It should be noted that, according to the requirement of the actual application scenario, an execution request corresponding to the system security log tampering behavior to be determined may also be sent to the application layer, and step 208 is entered, which is not specifically limited herein.
Step 208, the application layer obtains a behavior log corresponding to the execution request according to the received execution request; if the signature information in the behavior log is consistent with the preset signature information, the modification behavior is a legal modification behavior of the system security log; if the signature information in the behavior log is inconsistent with the preset signature information, the modification behavior is determined to be a system security log tampering behavior, and step 209 is entered.
It should be noted that, according to the requirements of the actual application scenario, the signature information in the behavior log may be application signature information or digital signature information. Taking application signature information as an example, the application layer analyzes the behavior log corresponding to the execution request according to the software behavior to obtain the application signature information and compares it with the preset application signature information; if they are consistent, the modification behavior is a legal modification behavior of the system security log and is released; if they are inconsistent, the modification behavior is determined to be a system security log tampering behavior and is reported to the application layer interface.
Step 209, performing release processing or interception processing on the system security log tampering behavior according to a mode selection instruction from a user; wherein the mode selection instruction is a synchronous mode instruction or an asynchronous mode instruction.
For the synchronous mode, the system security log tampering behavior is released or intercepted according to a release instruction or an interception instruction for the modification behavior received from the user; if no release or interception instruction from the user is received within a preset time, default processing is applied to the system security log tampering behavior. The default processing can be release or interception, and is usually interception.
For the asynchronous mode, a release instruction or an interception instruction aiming at the modification behavior from a user is not required to be received, when the modification behavior is confirmed to be the system security log tampering behavior, default processing is directly carried out on the system security log tampering behavior, the default processing can be release processing or interception processing, usually interception processing, and system security log tampering behavior information is displayed on an application layer interface and comprises a process name, tampering time, a file name and the like corresponding to the system security log tampering behavior.
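Steps 102 and 103, and their refinement in steps 203 to 209, as one added example in C that is not code from the patent: the rule-base comparison of path and stack call information, the hand-off of a pending behavior to the application layer for the signature check, and the synchronous/asynchronous disposition with interception as the default. The event and rule structures, the use of module names in place of the raw thread stack address sequence, the frame-by-frame equality test, and the sample rule and events (an event log service write path, a write from an unknown module in that same process, a foreign process, and a bad signature) are assumptions and constructed data.

```c
#include <stdio.h>
#include <string.h>

#define MAX_FRAMES 8

/* One modification behavior held after the pre-check (constructed model).
 * "path" is the path information of the writer; "stack" is the stack call
 * information obtained by walking the thread's kernel stack, innermost frame
 * first. Module names stand in for the raw thread stack address sequence. */
typedef struct {
    const char *path;
    const char *stack[MAX_FRAMES];
    int frames;
    int signature_ok;  /* result of the app-layer behavior-log signature check (step 208) */
} ModEvent;

/* Preset rule base entry: standard path and standard stack call sequence. */
typedef struct {
    const char *std_path;
    const char *std_stack[MAX_FRAMES];
    int frames;
} RuleEntry;

enum verdict { LEGAL, PENDING, TAMPER };
enum mode    { SYNC_MODE, ASYNC_MODE };
enum action  { RELEASE, INTERCEPT };

/* User instruction for a confirmed tampering behavior (synchronous mode). */
#define USER_NO_REPLY  (-1)   /* no instruction within the preset time */
#define USER_INTERCEPT   0
#define USER_RELEASE     1

/* Stack call information counts as consistent only when the whole sequence
 * agrees with the standard, frame by frame. */
static int stack_consistent(const ModEvent *ev, const RuleEntry *rule)
{
    if (ev->frames != rule->frames)
        return 0;
    for (int i = 0; i < ev->frames; i++)
        if (strcmp(ev->stack[i], rule->std_stack[i]) != 0)
            return 0;
    return 1;
}

/* Steps 205-207: consistent path AND stack -> pending, handed to the
 * application layer; anything inconsistent -> tampering. */
enum verdict rule_base_check(const ModEvent *ev, const RuleEntry *rules, int n)
{
    for (int i = 0; i < n; i++)
        if (strcmp(ev->path, rules[i].std_path) == 0 && stack_consistent(ev, &rules[i]))
            return PENDING;
    return TAMPER;
}

/* Step 208: the application layer compares the signature in the behavior log
 * with the preset signature. */
enum verdict app_layer_check(const ModEvent *ev)
{
    return ev->signature_ok ? LEGAL : TAMPER;
}

/* Step 209: synchronous mode follows the user's instruction and falls back to
 * the default (interception) when none arrives in time; asynchronous mode never
 * waits and always applies the default. */
enum action dispose_tamper(enum mode m, int user_reply)
{
    if (m == SYNC_MODE && user_reply == USER_RELEASE)
        return RELEASE;
    return INTERCEPT;
}

/* Whole decision for a held write. */
enum action classify(const ModEvent *ev, const RuleEntry *rules, int n,
                     enum mode m, int user_reply)
{
    enum verdict v = rule_base_check(ev, rules, n);
    if (v == PENDING)
        v = app_layer_check(ev);
    return v == LEGAL ? RELEASE : dispose_tamper(m, user_reply);
}

/* Constructed rule base: the event log service writing through its normal call
 * path. Module names are illustrative, not taken from the patent. */
const RuleEntry RULES[] = {
    { "C:\\Windows\\System32\\svchost.exe",
      { "fltmgr.sys", "ntoskrnl.exe", "ntdll.dll", "wevtsvc.dll", "svchost.exe" }, 5 },
};
const int RULE_COUNT = 1;

/* Constructed events. */
const ModEvent EV_LEGIT = { "C:\\Windows\\System32\\svchost.exe",
    { "fltmgr.sys", "ntoskrnl.exe", "ntdll.dll", "wevtsvc.dll", "svchost.exe" }, 5, 1 };
/* same process, but the write goes through a module the rule base does not know:
 * the injected-DLL case the text describes, which a path-only check would miss */
const ModEvent EV_INJECTED = { "C:\\Windows\\System32\\svchost.exe",
    { "fltmgr.sys", "ntoskrnl.exe", "ntdll.dll", "unknown.dll", "svchost.exe" }, 5, 1 };
/* a process whose path the rule base does not list at all */
const ModEvent EV_FOREIGN = { "C:\\Users\\alice\\tool.exe",
    { "fltmgr.sys", "ntoskrnl.exe", "ntdll.dll", "tool.exe" }, 4, 1 };
/* path and stack match, but the behavior log's signature does not */
const ModEvent EV_BAD_SIG = { "C:\\Windows\\System32\\svchost.exe",
    { "fltmgr.sys", "ntoskrnl.exe", "ntdll.dll", "wevtsvc.dll", "svchost.exe" }, 5, 0 };

int main(void)
{
    const ModEvent *evs[] = { &EV_LEGIT, &EV_INJECTED, &EV_FOREIGN, &EV_BAD_SIG };
    for (size_t i = 0; i < sizeof evs / sizeof evs[0]; i++)
        printf("event %zu: %s\n", i,
               classify(evs[i], RULES, RULE_COUNT, ASYNC_MODE, USER_NO_REPLY) == RELEASE
                   ? "release" : "intercept");
    return 0;
}
```

The exact-sequence comparison is the strictest reading of "consistent"; a deployed rule base would more likely match on a whitelisted module set or a stack prefix so that harmless differences in frame depth (different Windows builds, different thread pools) do not turn every service write into a false positive, and that trade-off is exactly what the patent's rule base has to encode.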
It should be noted that the present application is applicable to operating systems deployed in the x86 and x64 environments of Windows 7 and Windows 10; the hardware needs at least to run Windows 7 smoothly. The main modules of the present application are stored as a header file in the kernel driver layer together with the application layer interface definition, and are seamlessly integrated with the client application layer through the defined application layer interface. In addition, the framework process corresponding to the test program can be combined with related products; compatibility is good, operation is stable, the false alarm rate is reduced through real-time monitoring control, interactivity is good, operation is convenient, and detailed logging of behavior is controllable.
By applying the technical scheme of this embodiment, the system security log is monitored in real time by using the file system minifilter driver in the kernel; the monitored modification behavior of the system security log is intercepted; the path information and stack call information corresponding to the modification behavior are obtained from the intercepted modification behavior; and whether the modification behavior is a system security log tampering behavior is judged from that path information and stack call information. That is, whether the modification behavior of the system security log is illegal is judged from the file object name seen in the file system minifilter driver and from the stack call information traced back through the kernel stack, so that tampering operations are prevented and legal modification behavior is released. Real-time monitoring of malicious tampering of the system security event records inside the operating system is thereby realized; at the same time, the professional requirements on operation and maintenance personnel and the personnel cost are reduced, and the accuracy of recognizing malicious tampering of the system security event records inside the operating system is higher.
Further, as a specific implementation of the method in fig. 1, an embodiment of the present application provides an apparatus for identifying a tampering behavior of a system security log, as shown in fig. 3, the apparatus includes: the device comprises a monitoring module 31, an acquisition module 32 and a judgment module 33.
The monitoring module 31 is configured to monitor a system security log in real time by using a file system minifilter driver in the kernel, and to intercept the monitored modification behavior of the system security log;
the obtaining module 32 is configured to obtain path information and stack call information corresponding to the modification behavior according to the intercepted modification behavior of the system security log;
and the judging module 33 is configured to judge whether the modification behavior is a system security log tampering behavior according to the path information and the stack call information of the modification behavior.
In a specific application scenario, as shown in fig. 4, the apparatus further includes: a configuration module 34.
A configuration module 34, configured to obtain configuration file information of the modification behavior; and to release the legal modification behavior of the system security log according to the security protection information, the interrupt request level information, the file name information and the file length information in the configuration file information.
In a specific application scenario, as shown in fig. 4, the obtaining module 32 specifically includes: an analyzing unit 321 and a path unit 322.
The analyzing unit 321 is configured to analyze the intercepted modification behavior to obtain process information of the modification behavior.
A path unit 322, configured to obtain path information corresponding to the modification behavior according to the process information of the modification behavior.
In a specific application scenario, as shown in fig. 4, the parsing unit 321 specifically includes:
the analyzing unit 321 is configured to obtain, if the modification behavior is an addition behavior, the process information of the addition behavior according to a dynamic link library called by an application programming interface API; and, if the modification behavior is a change or deletion behavior, to obtain the process information of the change or deletion behavior according to the system security log file in the evtx file format.
In a specific application scenario, as shown in fig. 4, the determining module 33 specifically includes: an inquiry unit 331, a unit to be determined 332, and a tamper confirmation unit 333.
The querying unit 331 is specifically configured to query, by using a preset rule base, the path information and the stack call information of the modification behavior;
the unit to be determined 332 is specifically configured to determine, if the path information and the stack call information of the modification behavior are consistent with the corresponding standard path information and standard stack call information in a preset rule base, that the modification behavior is a to-be-determined modification behavior of the system security log, and to send an execution request corresponding to the to-be-determined modification behavior of the system security log to an application layer;
the tampering confirming unit 333 is specifically configured to determine that the modification behavior is a system security log tampering behavior if at least one of the path information and the stack call information of the modification behavior is inconsistent with the corresponding standard path information and standard stack call information in the preset rule base.
In a specific application scenario, as shown in fig. 4, the apparatus further includes: an application layer module 35 and a processing module 36.
The application layer module 35 is configured to obtain, at the application layer, a behavior log corresponding to the received execution request; and
to determine that the modification behavior is a legal modification behavior of the system security log if the signature information in the behavior log is consistent with preset signature information; and
to determine that the modification behavior is a system security log tampering behavior if the signature information in the behavior log is inconsistent with the preset signature information.
The processing module 36 is configured to perform release processing or interception processing on the system security log tampering behavior according to a mode selection instruction from a user; wherein the mode selection instruction is a synchronous mode instruction or an asynchronous mode instruction.
It should be noted that, in the embodiment of the present application, other corresponding descriptions of the functional units related to the identification apparatus for tampering behavior of a system security log may refer to corresponding descriptions in fig. 1 and fig. 2, and are not described herein again.
Based on the above methods shown in fig. 1 and fig. 2, correspondingly, an embodiment of the present application further provides a storage medium, on which a computer program is stored, and when the computer program is executed by a processor, the method for identifying tampering behavior of a system security log shown in fig. 1 and fig. 2 is implemented.
Based on such understanding, the technical solution of the present application may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a USB flash drive, a removable hard disk, etc.), and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method according to the implementation scenarios of the present application.
Based on the method shown in fig. 1 and fig. 2 and the virtual device embodiment shown in fig. 3 and fig. 4, in order to achieve the above object, an embodiment of the present application further provides a computer device, which may specifically be a personal computer, a server, a network device, and the like, where the computer device includes a storage medium and a processor; a storage medium for storing a computer program; a processor for executing a computer program to implement the method for identifying tampering behavior of the system security log as shown in fig. 1 and 2.
Optionally, the computer device may also include a user interface, a network interface, a camera, radio frequency (RF) circuitry, sensors, audio circuitry, a Wi-Fi module, and so forth. The user interface may include a display screen, an input unit such as a keyboard, etc., and the optional user interface may also include a USB interface, a card reader interface, etc. The network interface may optionally include a standard wired interface, a wireless interface (e.g., a Bluetooth interface or a Wi-Fi interface), etc.
It will be appreciated by those skilled in the art that the present embodiment provides a computer device architecture that is not limiting of the computer device, and that may include more or fewer components, or some components in combination, or a different arrangement of components.
The storage medium may further include an operating system and a network communication module. An operating system is a program that manages and maintains the hardware and software resources of a computer device, supporting the operation of information handling programs, as well as other software and/or programs. The network communication module is used for realizing communication among components in the storage medium and other hardware and software in the entity device.
Through the description of the above embodiment, those skilled in the art can clearly understand that the present application can be implemented by software plus a necessary general hardware platform, and also can implement real-time monitoring on a system security log by using a file system small filter driver in a kernel through hardware, intercept a modification behavior of the monitored system security log, obtain path information and stack call information corresponding to the modification behavior according to the intercepted modification behavior of the system security log, and judge whether the modification behavior is a system security log tampering behavior according to the path information and stack call information of the modification behavior. According to the method and the device, the real-time monitoring of the malicious tampering behaviors of the system security event record in the operating system can be realized by utilizing the file system small filter driver in the kernel, meanwhile, the professional requirements on operation and maintenance personnel are reduced, the personnel cost is reduced, and the recognition accuracy of the malicious tampering behaviors of the system security event record in the operating system is higher.
The embodiment of the invention provides the following technical scheme:
a1, an identification method for system security log tampering behavior, comprising:
monitoring a system security log in real time by using a file system small filter driver in a kernel, and intercepting the modification behavior of the monitored system security log;
according to the intercepted modification behavior of the system security log, acquiring path information and stack call information corresponding to the modification behavior;
and judging whether the modification behavior is a system security log tampering behavior or not according to the path information and stack calling information of the modification behavior.
A2, the method according to claim A1, wherein before the obtaining, according to the intercepted modification behavior of the system security log, path information and stack call information corresponding to the modification behavior, the method further comprises:
acquiring configuration file information of the modification behavior;
and releasing the legal modification behavior of the system security log according to the security protection information, the interrupt request level information, the file name information and the file length information in the configuration file information.
A3, the method according to claim A1, wherein the obtaining, according to the intercepted modification behavior of the system security log, path information and stack call information corresponding to the modification behavior specifically includes:
analyzing the intercepted modification behavior to obtain the process information of the modification behavior;
and acquiring path information corresponding to the modification behavior according to the process information of the modification behavior.
A4, the method according to claim A3, wherein the analyzing the intercepted modification behavior to obtain the process information of the modification behavior specifically includes:
if the modification behavior is an increase behavior, obtaining the process information of the increase behavior according to a dynamic link library called by an Application Programming Interface (API);
and if the modification behavior is a change or deletion behavior, obtaining the process information of the change or deletion behavior according to the system security log file in the evtx file format.
A5, the method according to claim a1, wherein the determining whether the modification behavior is a system security log tampering behavior according to the path information and the stack call information of the modification behavior specifically includes:
inquiring the path information and stack calling information of the modification behavior by using a preset rule base;
if the path information and the stack calling information of the modification behavior are consistent with the corresponding standard path information and standard stack calling information in a preset rule base, the modification behavior is a modification behavior of a system security log to be determined, and an execution request corresponding to the modification behavior of the system security log to be determined is sent to an application layer;
and if at least one of the path information and the stack calling information of the modification behavior is inconsistent with the corresponding standard path information and standard stack calling information in the preset rule base, the modification behavior is a system security log tampering behavior.
A6, the method according to claim A5, wherein if the path information and the stack call information of the modification behavior are consistent with the corresponding standard path information and standard stack call information in a preset rule base, the modification behavior is a to-be-determined system security log modification behavior, and after sending an execution request corresponding to the to-be-determined system security log modification behavior to an application layer, the method further includes:
the application layer acquires a behavior log corresponding to the execution request according to the received execution request;
if the signature information in the behavior log is consistent with the preset signature information, the modification behavior is a legal modification behavior of the system security log;
and if the signature information in the behavior log is inconsistent with the preset signature information, the modification behavior is a system security log tampering behavior.
A7, the method of claim A4 or A6, wherein the method further comprises:
according to a mode selection instruction from a user, performing release processing or interception processing on the system security log tampering behavior;
wherein the mode selection instruction is a synchronous mode instruction or an asynchronous mode instruction.
B8, an apparatus for identifying a tampering action of a system security log, comprising:
the monitoring module is used for monitoring the system security log in real time by using a file system small filter driver in the kernel and intercepting the modification behavior of the monitored system security log;
the acquisition module is used for acquiring path information and stack calling information corresponding to the modification behavior according to the intercepted modification behavior of the system security log;
and the judging module is used for judging whether the modification behavior is a system security log tampering behavior according to the path information and the stack calling information of the modification behavior.
B9, the device according to claim B8, further comprising:
the configuration module is used for acquiring the configuration file information of the modification behavior; and
for releasing the legal modification behavior of the system security log according to the security protection information, the interrupt request level information, the file name information and the file length information in the configuration file information.
B10, the apparatus according to claim B8, wherein the obtaining module specifically includes:
the analysis unit is used for analyzing the intercepted modification behavior to obtain the process information of the modification behavior;
and the path unit is used for acquiring the path information corresponding to the modification behavior according to the process information of the modification behavior.
B11, the apparatus according to claim B10, wherein the analysis unit is specifically used for:
obtaining the process information of the addition behavior according to a dynamic link library called by an Application Programming Interface (API) if the modification behavior is an addition behavior; and
obtaining the process information of the change or deletion behavior according to the system security log file in the evtx file format if the modification behavior is a change or deletion behavior.
B12, the apparatus according to claim B8, wherein the determining module specifically includes:
the query unit is used for querying the path information and the stack calling information of the modification behavior by using a preset rule base;
the unit to be determined is used for determining the modification behavior of the system security log to be determined if the path information and the stack calling information of the modification behavior are consistent with the corresponding standard path information and standard stack calling information in a preset rule base, and sending an execution request corresponding to the modification behavior of the system security log to be determined to an application layer;
and the tampering confirmation unit is used for determining that the modification behavior is a system security log tampering behavior if at least one of the path information and the stack calling information of the modification behavior is inconsistent with the corresponding standard path information and standard stack calling information in the preset rule base.
B13, the device according to claim B12, further comprising:
the application layer module is used for acquiring, at the application layer, a behavior log corresponding to the received execution request; and
for determining that the modification behavior is a legal modification behavior of the system security log if the signature information in the behavior log is consistent with preset signature information; and
for determining that the modification behavior is a system security log tampering behavior if the signature information in the behavior log is inconsistent with the preset signature information.
B14, the apparatus of claim B11 or B13, further comprising:
the processing module is used for performing release processing or interception processing on the system security log tampering behavior according to a mode selection instruction from a user;
wherein the mode selection instruction is a synchronous mode instruction or an asynchronous mode instruction.
C15, a storage medium on which a computer program is stored, characterized in that the program, when being executed by a processor, implements the method for identifying tampering behaviour of a system security log according to any of claims A1 to A7.
D16, a computer device comprising a storage medium, a processor and a computer program stored on the storage medium and executable on the processor, wherein the processor implements the method for identifying tampering behavior of a system security log according to any of claims A1 to A7 when executing the program.
Those skilled in the art will appreciate that the figures are merely schematic representations of one preferred implementation scenario and that the blocks or flow diagrams in the figures are not necessarily required to practice the present application. Those skilled in the art will appreciate that the modules in the devices in the implementation scenario may be distributed in the devices in the implementation scenario according to the description of the implementation scenario, or may be located in one or more devices different from the present implementation scenario with corresponding changes. The modules of the implementation scenario may be combined into one module, or may be further split into a plurality of sub-modules.
The above application serial numbers are for description purposes only and do not represent the superiority or inferiority of the implementation scenarios. The above disclosure is only a few specific implementation scenarios of the present application, but the present application is not limited thereto, and any variations that can be made by those skilled in the art are intended to fall within the scope of the present application.

Claims (14)

1. A method for identifying tampering behaviors of a system security log is characterized by comprising the following steps:
monitoring a system security log in real time by using a file system small filter driver in a kernel, and intercepting the modification behavior of the monitored system security log;
according to the intercepted modification behavior of the system security log, acquiring path information and stack call information corresponding to the modification behavior;
judging whether the modification behavior is a system security log tampering behavior or not according to the path information and stack calling information of the modification behavior;
wherein, the determining whether the modification behavior is a system security log tampering behavior according to the path information and the stack call information of the modification behavior specifically includes:
inquiring the path information and stack calling information of the modification behavior by using a preset rule base;
if the path information and the stack calling information of the modification behavior are consistent with the corresponding standard path information and standard stack calling information in a preset rule base, the modification behavior is a modification behavior of a system security log to be determined, and an execution request corresponding to the modification behavior of the system security log to be determined is sent to an application layer;
and if at least one of the path information and the stack calling information of the modification behavior is inconsistent with the corresponding standard path information and standard stack calling information in the preset rule base, the modification behavior is a system security log tampering behavior.
2. The method according to claim 1, wherein before the obtaining, according to the intercepted modification behavior of the system security log, path information and stack call information corresponding to the modification behavior, the method further comprises:
acquiring configuration file information of the modification behavior;
and releasing the legal modification behavior of the system security log according to the security protection information, the interrupt request level information, the file name information and the file length information in the configuration file information.
3. The method according to claim 1, wherein the obtaining, according to the intercepted modification behavior of the system security log, path information and stack call information corresponding to the modification behavior specifically includes:
analyzing the intercepted modification behavior to obtain the process information of the modification behavior;
and acquiring path information corresponding to the modification behavior according to the process information of the modification behavior.
4. The method according to claim 3, wherein the analyzing the intercepted modification behavior to obtain the process information of the modification behavior specifically includes:
if the modification behavior is an increase behavior, obtaining the process information of the increase behavior according to a dynamic link library called by an Application Programming Interface (API);
and if the modification behavior is a change or deletion behavior, obtaining the process information of the change or deletion behavior according to the system security log file in the evtx file format.
5. The method according to claim 1, wherein if the path information and the stack call information of the modification behavior are consistent with the corresponding path information and stack call information in a preset rule base, the modification behavior is a to-be-determined system security log modification behavior, and after sending an execution request corresponding to the to-be-determined system security log modification behavior to an application layer, the method further comprises:
the application layer acquires a behavior log corresponding to the execution request according to the received execution request;
if the signature information in the behavior log is consistent with the preset signature information, the modification behavior is a legal modification behavior of the system security log;
and if the signature information in the behavior log is inconsistent with the preset signature information, the modification behavior is a system security log tampering behavior.
6. The method according to claim 4 or 5, characterized in that the method further comprises:
according to a mode selection instruction from a user, performing release processing or interception processing on the system security log tampering behavior;
wherein the mode selection instruction is a synchronous mode instruction or an asynchronous mode instruction.
7. An apparatus for identifying tampering behavior of a system security log, comprising:
the monitoring module is used for monitoring the system security log in real time by using a file system small filter driver in the kernel and intercepting the modification behavior of the monitored system security log;
the acquisition module is used for acquiring path information and stack calling information corresponding to the modification behavior according to the intercepted modification behavior of the system security log;
the judging module is used for judging whether the modification behavior is a system security log tampering behavior according to the path information and the stack calling information of the modification behavior;
wherein, the judging module specifically includes:
the query unit is used for querying the path information and the stack calling information of the modification behavior by using a preset rule base;
the unit to be determined is used for determining the modification behavior of the system security log to be determined if the path information and the stack calling information of the modification behavior are consistent with the corresponding standard path information and standard stack calling information in a preset rule base, and sending an execution request corresponding to the modification behavior of the system security log to be determined to an application layer;
and the tampering confirmation unit is used for determining that the modification behavior is a system security log tampering behavior if at least one of the path information and the stack calling information of the modification behavior is inconsistent with the corresponding standard path information and standard stack calling information in the preset rule base.
8. The apparatus of claim 7, further comprising:
the configuration module is used for acquiring the configuration file information of the modification behavior; and
for releasing the legal modification behavior of the system security log according to the security protection information, the interrupt request level information, the file name information and the file length information in the configuration file information.
9. The apparatus according to claim 7, wherein the obtaining module specifically includes:
the analysis unit is used for analyzing the intercepted modification behavior to obtain the process information of the modification behavior;
and the path unit is used for acquiring the path information corresponding to the modification behavior according to the process information of the modification behavior.
10. The apparatus according to claim 9, wherein the analysis unit is specifically used for:
obtaining the process information of the addition behavior according to a dynamic link library called by an Application Programming Interface (API) if the modification behavior is an addition behavior; and
obtaining the process information of the change or deletion behavior according to the system security log file in the evtx file format if the modification behavior is a change or deletion behavior.
11. The apparatus of claim 7, further comprising:
the application layer module is used for acquiring, at the application layer, a behavior log corresponding to the received execution request; and
for determining that the modification behavior is a legal modification behavior of the system security log if the signature information in the behavior log is consistent with the preset signature information; and
for determining that the modification behavior is a system security log tampering behavior if the signature information in the behavior log is inconsistent with the preset signature information.
12. The apparatus of claim 10 or 11, further comprising:
the processing module is used for performing release processing or interception processing on the system security log tampering behavior according to a mode selection instruction from a user;
wherein the mode selection instruction is a synchronous mode instruction or an asynchronous mode instruction.
13. A storage medium on which a computer program is stored, which program, when executed by a processor, implements the method of identifying tampering behaviour of a system security log according to any of claims 1 to 6.
14. A computer device comprising a storage medium, a processor and a computer program stored on the storage medium and executable on the processor, wherein the processor implements the method for identifying tampering behaviour of a system security log according to any one of claims 1 to 6 when executing the program.
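The decision flow of claims 1 to 6 above (items A1 to A7 of the technical scheme), as an added illustration that is not code from the patent: a configuration-based pre-filter, the kernel-side comparison of process path and call stack against the preset rule base, the application-layer signature check for to-be-determined modifications, and the synchronous/asynchronous handling of the verdict. The file system minifilter ("small filter driver" in the text) and the application layer are replaced by plain functions, and every path, stack frame, signer name, size limit and the sync/async semantics are constructed assumptions.

```python
# Added illustration, not the patent's own code: models the verdict flow of claims 1-6
# (technical scheme A1-A7). Every path, frame, signer name and threshold is a constructed assumption.
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Tuple


class Verdict(Enum):
    RELEASED = "released"    # legal modification of the system security log
    PENDING = "pending"      # kernel side cannot decide; execution request sent to application layer
    TAMPERING = "tampering"  # system security log tampering behaviour


@dataclass(frozen=True)
class ModificationEvent:
    kind: str                        # "add", "change" or "delete"
    log_file: str                    # name of the log file the filter saw being modified
    process_path: str                # image path taken from the process information
    call_stack: Tuple[str, ...]      # symbolic frames, innermost first
    file_length: int                 # current length of the log file
    irql: int                        # interrupt request level at interception
    signature: Optional[str] = None  # signer recorded in the application-layer behaviour log


PASSIVE_LEVEL = 0

# Constructed "configuration file information": protection switch, the IRQL at which
# requests are analysed, and the monitored log files with their configured maximum size.
CONFIG = {
    "protection_enabled": True,
    "analysis_irql": PASSIVE_LEVEL,
    "monitored": {"Security.evtx": 20 * 1024 * 1024},
}

# Constructed "preset rule base": standard path and standard call stack of the component
# that legitimately writes each monitored log.
STANDARD_STACK = ("ntoskrnl!NtWriteFile", "wevtsvc!EventLog::Write", "svchost!ServiceMain")
RULE_BASE = {
    "Security.evtx": {
        "standard_path": r"C:\Windows\System32\svchost.exe",
        "standard_stack": STANDARD_STACK,
    },
}

TRUSTED_SIGNER = "Constructed Trusted Signer"  # the "preset signature information"


def config_prefilter(ev: ModificationEvent) -> bool:
    """Claim 2 / A2: release a legal modification on configuration information alone.
    Assumed reading: protection switched off, a file that is not monitored, a request at an
    IRQL the filter does not analyse, or a log at its configured maximum size (rotation)."""
    if not CONFIG["protection_enabled"]:
        return True
    max_len = CONFIG["monitored"].get(ev.log_file)
    if max_len is None or ev.irql != CONFIG["analysis_irql"]:
        return True
    return ev.kind in ("change", "delete") and ev.file_length >= max_len


def kernel_verdict(ev: ModificationEvent) -> Verdict:
    """Claim 1 / A1, A5: compare path and call stack with the preset rule base."""
    if config_prefilter(ev):
        return Verdict.RELEASED
    rule = RULE_BASE.get(ev.log_file)
    if rule is None:
        return Verdict.TAMPERING  # no known legitimate writer for this log
    path_ok = ev.process_path.lower() == rule["standard_path"].lower()
    stack_ok = ev.call_stack == rule["standard_stack"]
    if path_ok and stack_ok:
        return Verdict.PENDING  # consistent: to-be-determined, handed to the application layer
    return Verdict.TAMPERING  # at least one of path / stack is inconsistent


def application_layer_verdict(ev: ModificationEvent) -> Verdict:
    """Claim 5 / A6: compare the behaviour log's signature with the preset signature."""
    return Verdict.RELEASED if ev.signature == TRUSTED_SIGNER else Verdict.TAMPERING


def handle(ev: ModificationEvent, mode: str) -> Tuple[Verdict, str]:
    """Claim 6 / A7: final verdict and the action taken. Assumed semantics: in synchronous
    mode the intercepted request waits for the verdict and tampering is blocked; in
    asynchronous mode the request has already proceeded, so tampering is only reported."""
    verdict = kernel_verdict(ev)
    if verdict is Verdict.PENDING:
        verdict = application_layer_verdict(ev)
    if verdict is Verdict.TAMPERING:
        return verdict, "intercept" if mode == "sync" else "report"
    return verdict, "release"


# Constructed sample events: the legitimate event log service, a foreign process deleting
# the log, a correct path and stack but an unexpected signer, and an unmonitored log file.
SAMPLE_EVENTS: Dict[str, ModificationEvent] = {
    "service_write": ModificationEvent("add", "Security.evtx", r"C:\Windows\System32\svchost.exe",
                                       STANDARD_STACK, 4096, PASSIVE_LEVEL, TRUSTED_SIGNER),
    "foreign_delete": ModificationEvent("delete", "Security.evtx", r"C:\Temp\unknown_tool.exe",
                                        ("ntoskrnl!NtSetInformationFile", "unknown_tool!main"),
                                        4096, PASSIVE_LEVEL, None),
    "unsigned_write": ModificationEvent("add", "Security.evtx", r"C:\Windows\System32\svchost.exe",
                                        STANDARD_STACK, 4096, PASSIVE_LEVEL, None),
    "other_log": ModificationEvent("change", "Application.evtx", r"C:\Temp\unknown_tool.exe",
                                   ("unknown_tool!main",), 4096, PASSIVE_LEVEL, None),
}


def demo(mode: str = "sync") -> Dict[str, Tuple[Verdict, str]]:
    """Run every sample event through the flow and return name -> (verdict, action)."""
    return {name: handle(ev, mode) for name, ev in SAMPLE_EVENTS.items()}
```

Calling `demo("sync")` shows the three outcomes side by side: the service write is released only after the signature check, the foreign delete and the unsigned write are intercepted, and the unmonitored log is released by the configuration pre-filter alone.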
CN201811646160.8A 2018-12-29 2018-12-29 Method and device for identifying tampering behavior of system security log, storage medium and computer equipment Active CN109783316B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811646160.8A CN109783316B (en) 2018-12-29 2018-12-29 Method and device for identifying tampering behavior of system security log, storage medium and computer equipment

Publications (2)

Publication Number Publication Date
CN109783316A CN109783316A (en) 2019-05-21
CN109783316B true CN109783316B (en) 2022-07-05

Family

ID=66499675

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 519085 No. 501, 601, building 14, kechuangyuan, Gangwan No. 1, Jintang Road, Tangjiawan Town, high tech Zone, Zhuhai City, Guangdong Province

Applicant after: Qianxin Safety Technology (Zhuhai) Co.,Ltd.

Applicant after: QAX Technology Group Inc.

Address before: 519085 No. 501, 601, building 14, kechuangyuan, Gangwan No. 1, Jintang Road, Tangjiawan Town, high tech Zone, Zhuhai City, Guangdong Province

Applicant before: 360 ENTERPRISE SECURITY TECHNOLOGY (ZHUHAI) Co.,Ltd.

Applicant before: BEIJING QIANXIN TECHNOLOGY Co.,Ltd.

GR01 Patent grant