CN110502930A - Monitoring and protection method and device for system critical file integrity - Google Patents
Monitoring and protection method and device for system critical file integrity
- Publication number
- CN110502930A
- Authority
- CN
- China
- Prior art keywords
- file
- monitoring
- integrity
- application layer
- kernel layer
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/64—Protecting data integrity, e.g. using checksums, certificates or signatures
Abstract
The invention discloses a method for monitoring and protecting the integrity of critical system files, comprising the following steps: the application layer updates the monitoring rules on startup; the kernel layer monitors integrity changes of critical system files in real time according to the monitoring rules; the application layer collects the kernel layer's monitoring and protection output; and the application layer updates the integrity baseline of the critical files. The invention also discloses a device for monitoring and protecting the integrity of critical system files. The method adds a kernel driver module and a scanning script to the operating system. The scanning script generates the kernel rule file, installs the kernel driver, presents the monitoring and protection results, and updates the critical-file baseline; the kernel driver module intercepts destructive operations on critical files in real time, decides according to the rules whether an operation is allowed, and records the monitoring and protection results. Combining the two exploits both the lightness and flexibility of a script and the real-time, hidden and non-bypassable character of a kernel driver, so that the integrity of critical system files is effectively guaranteed.
Description
Technical field
The present invention relates to the field of computer operating system security, and in particular to a method and device for monitoring and protecting the integrity of critical system files.
Background
With the development of new technologies such as cloud computing and big data, the security requirements on cloud hosts, servers and terminals keep rising. Integrity is one of the three elements of security (confidentiality, integrity, availability) and an important component of it. Critical files in all kinds of systems are frequently damaged by viruses and other malicious programs, causing system malfunctions and leaving stability unguaranteed. How to discover integrity changes of critical files in a system promptly and effectively, and to protect critical files when they are tampered with or damaged unintentionally, is therefore very important.
For the integrity of critical system files, the currently popular approach is to write an integrity-checking application, such as the well-known Tripwire integrity software for Unix systems. On startup the integrity-checking application collects a baseline of the critical system files, which contains the hash value of each critical file; a timer-driven scheduled scan or a manual scan then checks whether the hash of each critical file has changed, and if it has, logs the change and notifies the system administrator, while updating the baseline data of the corresponding critical file with the new hash. An integrity-checking application can monitor the integrity of critical system files to a certain extent, but it has the following disadvantages. First, it cannot protect a critical file while the file is being damaged. Second, its real-time capability is low: a change to a critical file is only discovered when the timer period elapses or a scan is run manually. Third, it consumes considerable system resources and affects the operation of other programs on the system. Fourth, it adds to the system administrator's maintenance burden; if for some reason the integrity-checking application is not started, nothing at all is known about the integrity of the critical files. Fifth, modifying and upgrading an integrity-checking application is relatively slow: being written in a compiled language (such as C++), a modification or upgrade generally requires changing the code, getting it to compile, and releasing it again before it takes effect on the system.
Summary of the invention
The object of the present invention is to provide a method and device for monitoring and protecting the integrity of critical system files, which overcome the disadvantages of current integrity-checking applications (no protection, low real-time capability, high resource consumption, added maintenance burden and slow upgrades) by providing a monitoring mechanism and a protection mechanism at the same time, thereby fundamentally ensuring the integrity and security of critical system files.
To achieve the above object, the present invention adopts the following technical solution:
In a first aspect, the present invention provides a method for monitoring and protecting the integrity of critical system files, comprising the following steps:
the application layer updates the monitoring rules on startup;
the kernel layer monitors integrity changes of critical system files in real time according to the monitoring rules;
the application layer collects the kernel layer's monitoring and protection output;
the application layer updates the integrity baseline of the critical files.
With reference to the first aspect, in a first possible implementation of the first aspect, the application layer updating the monitoring rules on startup specifically includes:
on startup, the application layer forms the rule file needed by the kernel layer from the current preset configuration file.
With reference to the first aspect, in a second possible implementation of the first aspect, the kernel layer monitoring integrity changes of critical system files in real time according to the monitoring rules specifically includes:
the kernel layer judges whether the accessed file belongs to the monitoring rule list; if not, the file operation is executed; if so, it judges whether the accessed file permits the destructive operation; if not, execution of the file operation is refused; if so, the file operation is executed.
With reference to the first aspect, in a third possible implementation of the first aspect, the kernel layer monitoring integrity changes of critical system files in real time according to the monitoring rules further includes:
generating a protection log and a monitoring log and posting them to a log queue;
the kernel layer monitoring the log queue and writing the log information to the file system.
With reference to the first aspect, in a fourth possible implementation of the first aspect, the application layer collecting the kernel layer's monitoring and protection output specifically includes:
the application layer periodically scanning the protection-log and monitoring-log output of the kernel layer in a specified directory;
the application layer standardizing the protection-log and monitoring-log output and displaying it in the command-line interface.
With reference to the first aspect, in a fifth possible implementation of the first aspect, the application layer updating the integrity baseline of the critical files specifically includes:
the application layer judging from the kernel layer's log output that the integrity of a critical file has changed, recalculating the critical file's hash value and updating the critical-file integrity baseline.
With reference to the first aspect, in a sixth possible implementation of the first aspect, after the step of the application layer updating the integrity baseline of the critical files, the method further includes:
when the application layer judges that the system no longer needs integrity monitoring and protection, unloading the corresponding kernel-layer files.
In a second aspect, the present invention provides a device for monitoring and protecting the integrity of critical system files, comprising:
a monitoring-rule update module, by which the application layer updates the monitoring rules on startup;
an integrity judgment module, by which the kernel layer monitors integrity changes of critical system files in real time according to the monitoring rules;
a log output module, by which the application layer collects the kernel layer's monitoring and protection output;
an update module, by which the application layer updates the integrity baseline of the critical files.
The effects stated in this summary are only the effects of the embodiments, not all effects of the invention; one of the above technical solutions has the following advantages or beneficial effects:
The present invention adds a driver module at the operating system kernel layer that intercepts destructive behavior towards critical system files and monitors and protects them according to the rules generated by the scanning script. The driver module is integrated into the operating system kernel, runs together with the operating system, and is not perceived by upper-layer application software. At the same time, the application-layer scanning script periodically collects and standardizes the monitoring and protection output of the kernel driver module and maintains the kernel rule file and the critical-file integrity baseline. A modification to the scanning script takes effect as soon as it is saved; the script is easy to maintain and uses few system resources. The method is therefore highly real-time, unobtrusive and easy to maintain. In short, it adds a kernel driver module and a scanning script to the operating system: the scanning script generates the kernel rule file, installs the kernel driver, presents the monitoring and protection results and updates the critical-file baseline, while the kernel driver module intercepts destructive operations on critical files in real time, decides according to the rules whether an operation is allowed, and records the monitoring and protection results. Combining the two exploits both the lightness and flexibility of a script and the real-time, hidden and non-bypassable character of a kernel driver, so that the integrity of critical system files is effectively guaranteed.
Brief description of the drawings
Fig. 1 is a flow chart of a first embodiment of the method of the present invention;
Fig. 2 is a flow chart of a second embodiment of the method of the present invention;
Fig. 3 is a schematic diagram of an embodiment of the device of the present invention.
Detailed description
In order to clarify the technical features of the invention, the invention is described in detail below through specific embodiments with reference to the accompanying drawings. The following disclosure provides many different embodiments or examples for implementing different structures of the invention. To simplify the disclosure, the components and arrangements of specific examples are described below. In addition, the invention may repeat reference numerals and/or letters in different examples. This repetition is for simplicity and clarity and does not in itself indicate a relationship between the various embodiments and/or arrangements discussed. It should be noted that the components illustrated in the drawings are not necessarily drawn to scale. Descriptions of known components, processing techniques and processes are omitted to avoid unnecessarily limiting the invention.
As shown in Fig. 1, a method for monitoring and protecting the integrity of critical system files comprises the following steps:
S1. The application layer updates the monitoring rules on startup.
S2. The kernel layer monitors integrity changes of critical system files in real time according to the monitoring rules.
S3. The application layer collects the kernel layer's monitoring and protection output.
S4. The application layer updates the integrity baseline of the critical files.
As shown in Fig. 2, a method for monitoring and protecting the integrity of critical system files comprises the following steps:
S1. On startup, the application layer forms the rule file needed by the kernel layer from the current preset configuration file.
S2. The kernel layer judges whether the accessed file belongs to the monitoring rule list; if not, the file operation is executed. If so, it judges whether the accessed file permits the destructive operation; if not, execution of the file operation is refused; if so, the file operation is executed.
S3. A protection log and a monitoring log are generated and posted to the log queue.
S4. The kernel layer monitors the log queue and writes the log information to the file system.
S5. The application layer periodically scans the protection-log and monitoring-log output of the kernel layer in the specified directory.
S6. The application layer standardizes the protection-log and monitoring-log output and displays it in the command-line interface.
S7. The application layer judges from the kernel layer's log output that the integrity of a critical file has changed, recalculates the critical file's hash value and updates the critical-file integrity baseline.
S8. When the application layer judges that the system no longer needs integrity monitoring and protection, the corresponding kernel-layer files are unloaded.
As shown in Fig. 3, a device for monitoring and protecting the integrity of critical system files comprises:
a monitoring-rule update module 101, by which the application layer updates the monitoring rules on startup;
an integrity judgment module 102, by which the kernel layer monitors integrity changes of critical system files in real time according to the monitoring rules;
a log output module 103, by which the application layer collects the kernel layer's monitoring and protection output;
an update module 104, by which the application layer updates the integrity baseline of the critical files.
The scanning script module is implemented at the application layer and written in a lightweight interpreted scripting language (such as Python, Perl, Ruby, bash or cmd). It can be invoked on a schedule by the operating system's task scheduler, or scheduled execution can be implemented through the scripting language's own timer mechanism. The kernel driver module is implemented at the operating system kernel layer and is installed by the scanning script module. It reads the rule file generated by the scanning script module when the module initializes, and at run time intercepts all destructive behavior towards files (such as modification, deletion and renaming). Once the kernel driver module has been installed, it continues to monitor and protect critical system files even if the scanning script is deleted, whether unintentionally or maliciously.
The main tasks completed by the scanning script module are as follows:
1) On startup, the scanning script forms the rule file needed by the kernel module from the current preset configuration file.
2) On startup, the scanning script judges whether the kernel driver module has been installed, and installs it if it has not.
3) The scanning script periodically scans the monitoring and protection output of the kernel driver module in the specified directory.
4) The scanning script standardizes the output of the kernel module and displays it in the command-line interface. The scanning script notifies the system administrator of changes in critical-file integrity by means such as e-mail or instant messaging.
5) If the integrity of a critical file has changed, the scanning script recalculates the file's hash value and updates the critical-file integrity baseline.
6) When integrity monitoring and protection are no longer needed, the scanning script unloads the kernel driver module.
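The scanning-script tasks above, together with the Tripwire-style baseline scan described in the Background section, as an added example in Python (one of the scripting languages the page names). This is not the patent's own script: the rule-file layout, the baseline-file layout, the kernel log-line layout (`<epoch seconds> <DENY|ALLOW> <op> <pid> <path>`), the configuration key names and all function names are assumptions, and because the page does not say which hash it uses, SHA-256 is assumed. Task 2) (installing the driver) and task 6) (unloading it) are platform specific and are not modelled, and the e-mail or instant-message notification of task 4) is left out.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Destructive operations named on the page: modification, deletion, renaming.
DESTRUCTIVE_OPS = ("modify", "delete", "rename")

def file_hash(path: Path) -> str:
    """SHA-256 (assumed; the page names no algorithm) of a file's contents."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_rule_file(config: dict, rule_path: Path) -> dict:
    """Task 1): derive the kernel rule file from the preset configuration.
    Assumed rule-file layout: {"<absolute path>": [<permitted destructive ops>]}."""
    rules = {}
    for entry in config["protected"]:
        allowed = set(entry.get("allow", ()))
        unknown = allowed - set(DESTRUCTIVE_OPS)
        if unknown:
            raise ValueError(f"unknown operation(s) {sorted(unknown)} for {entry['path']}")
        rules[os.path.abspath(entry["path"])] = sorted(allowed)
    rule_path.write_text(json.dumps(rules, indent=2))
    return rules

def build_baseline(paths, baseline_path: Path) -> dict:
    """Initial Tripwire-style scan: record the hash of every protected file."""
    baseline = {p: file_hash(Path(p)) for p in paths if Path(p).is_file()}
    baseline_path.write_text(json.dumps(baseline, indent=2))
    return baseline

def scan_against_baseline(baseline: dict) -> dict:
    """Timer-driven or manual rescan from the Background section: report every
    file whose hash differs from the baseline (None = file no longer exists)."""
    changed = {}
    for p, old in baseline.items():
        new = file_hash(Path(p)) if Path(p).is_file() else None
        if new != old:
            changed[p] = (old, new)
    return changed

def parse_kernel_log(text: str) -> list:
    """Task 3): parse the kernel module's output. Assumed line layout:
    "<epoch seconds> <DENY|ALLOW> <op> <pid> <path>"; the path may contain spaces."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, verdict, op, pid, path = line.split(maxsplit=4)
            records.append({"ts": int(ts), "verdict": verdict, "op": op,
                            "pid": int(pid), "path": path})
    return records

def update_baseline(records: list, baseline: dict, baseline_path: Path) -> list:
    """Task 5): only an ALLOWed destructive operation changes a protected file,
    so rehash exactly those files and rewrite the baseline."""
    updated = []
    for r in records:
        if r["verdict"] == "ALLOW" and r["path"] in baseline:
            p = Path(r["path"])
            baseline[r["path"]] = file_hash(p) if p.is_file() else None
            updated.append(r["path"])
    baseline_path.write_text(json.dumps(baseline, indent=2))
    return updated

def format_report(records: list) -> str:
    """Task 4): standardized one-line-per-event output for the command line."""
    return "\n".join(f"{r['verdict']:5} {r['op']:6} pid={r['pid']} {r['path']}"
                     for r in records)

def demo() -> dict:
    """End-to-end run on constructed files in a temporary directory."""
    work = Path(tempfile.mkdtemp())
    passwd, hosts = work / "passwd", work / "hosts"
    passwd.write_text("root:x:0:0:root:/root:/bin/sh\n")
    hosts.write_text("127.0.0.1 localhost\n")
    # Constructed preset configuration: passwd permits nothing, hosts may be modified.
    config = {"protected": [{"path": str(passwd), "allow": []},
                            {"path": str(hosts), "allow": ["modify"]}]}
    rules = build_rule_file(config, work / "rules.json")
    baseline = build_baseline(rules, work / "baseline.json")
    # Constructed kernel output: a refused edit of passwd, a permitted edit of hosts.
    hosts.write_text("127.0.0.1 localhost\n10.0.0.5 build\n")
    log = f"1700000000 DENY modify 4242 {passwd}\n1700000001 ALLOW modify 4243 {hosts}\n"
    records = parse_kernel_log(log)
    drift = scan_against_baseline(baseline)      # the rescan sees the hosts change
    updated = update_baseline(records, baseline, work / "baseline.json")
    return {"rules": rules, "report": format_report(records), "drift": sorted(drift),
            "updated": updated, "clean": scan_against_baseline(baseline)}

if __name__ == "__main__":
    print(demo()["report"])
```

Run directly, it prints the standardized report for the two constructed events; in the patent's design the same script would be started by the operating system's task scheduler, as the embodiment describes. Note that the baseline is only rewritten for files the kernel log reports as changed by a permitted operation, which is the point of combining the log with the rescan: a refused operation leaves both the file and its baseline entry untouched.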
After the kernel driver module intercepts destructive behavior towards a file, it performs the following operations:
1) It judges whether the accessed file is in the rule list. If it is not (that is, it is not a critical system file), the behavior is ignored and the operation executes normally.
2) If the accessed file is in the rule list, it judges whether this file permits the destructive operation. If the destructive operation is not permitted, the behavior is refused, the operation fails, and the critical system file is protected. After the refusal a protection log is generated and posted to the log queue. Posting to the log queue returns immediately; no log I/O is performed here.
3) If the accessed file permits the destructive operation, a monitoring log is generated after the operation has executed successfully and posted to the log queue. Posting to the log queue returns immediately; no log I/O is performed here.
4) The low-level I/O thread of the kernel driver module monitors the log queue and writes the log information promptly to the specified directory in the file system.
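The decision path above as an added example, written in Python to match the application-layer example and not the patent's own driver code. The page does not say which kernel mechanism the driver uses to intercept file operations, so the interception itself is replaced here by a direct call to `intercept()` that receives the original operation as a callable; the rule-file layout and the log-line layout (`<epoch seconds> <DENY|ALLOW> <op> <pid> <path>`) are assumptions, and all class and function names are invented for the example. What the model does show is the three-way decision (unprotected file, refused operation, permitted operation), the non-blocking hand-off to the log queue, and the separate low-level I/O thread that is the only place where log I/O happens.

```python
import json
import queue
import tempfile
import threading
import time
from pathlib import Path

# Destructive operations named on the page; anything else passes through untouched.
DESTRUCTIVE_OPS = frozenset({"modify", "delete", "rename"})

class KernelDriverModel:
    """User-space stand-in for the kernel driver module: rule lookup, verdict,
    non-blocking log hand-off, and a separate low-level I/O thread."""

    def __init__(self, rule_file: Path, log_file: Path):
        # The rule file is read once, at module initialization (assumed JSON
        # layout: {"<path>": [<permitted destructive ops>]}).
        raw = json.loads(rule_file.read_text())
        self.rules = {p: frozenset(ops) for p, ops in raw.items()}
        self.log_file = log_file
        self.log_queue = queue.Queue()
        self.writer = threading.Thread(target=self._drain, daemon=True)
        self.writer.start()

    def intercept(self, path: str, op: str, pid: int, perform) -> bool:
        """Decision path for one intercepted operation. `perform` is the original
        operation and is only called when the verdict is not DENY. Returns True
        if the operation went ahead and succeeded."""
        if op not in DESTRUCTIVE_OPS:
            return perform()                       # not destructive: not intercepted
        permitted = self.rules.get(path)
        if permitted is None:
            return perform()                       # not a critical file: no verdict, no log
        if op not in permitted:
            self._enqueue("DENY", op, pid, path)   # protection log; operation refused
            return False
        ok = perform()                             # permitted: let it run ...
        if ok:
            self._enqueue("ALLOW", op, pid, path)  # ... then record a monitoring log
        return ok

    def _enqueue(self, verdict: str, op: str, pid: int, path: str) -> None:
        # Returns immediately; no file I/O on the intercept path.
        self.log_queue.put(f"{int(time.time())} {verdict} {op} {pid} {path}\n")

    def _drain(self) -> None:
        # Low-level I/O thread: the only place log I/O happens.
        with self.log_file.open("a") as f:
            while (line := self.log_queue.get()) is not None:
                f.write(line)
                f.flush()

    def unload(self) -> None:
        """Scanning-script task 6): flush what is queued, then stop the writer."""
        self.log_queue.put(None)
        self.writer.join()

def demo() -> dict:
    """Drive the model with a constructed rule file and three operations."""
    work = Path(tempfile.mkdtemp())
    rules = {"/etc/passwd": [], "/etc/hosts": ["modify"]}   # constructed rule list
    (work / "rules.json").write_text(json.dumps(rules))
    drv = KernelDriverModel(work / "rules.json", work / "driver.log")
    performed = []                                 # which operations actually ran

    def op_runner(name):
        def run():
            performed.append(name)
            return True
        return run

    verdicts = [
        drv.intercept("/etc/passwd", "delete", 4242, op_runner("rm passwd")),   # refused
        drv.intercept("/etc/hosts", "modify", 4243, op_runner("edit hosts")),   # permitted, logged
        drv.intercept("/tmp/scratch", "delete", 4244, op_runner("rm scratch")), # unprotected, silent
    ]
    drv.unload()
    log_lines = (work / "driver.log").read_text().splitlines()
    return {"verdicts": verdicts, "performed": performed, "log": log_lines}

if __name__ == "__main__":
    print(demo())
```

Two points the page leaves open, which a practitioner would settle before building this: the model matches files by exact path string, and the page does not say whether the kernel module identifies a critical file by path or by inode; and the rule file and the log directory are themselves files, so whether they belong in the rule list is a decision the page does not make.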
Although the specific embodiments of the present invention have been described above with reference to the accompanying drawings, they do not limit the scope of protection of the present invention. Those skilled in the art should understand that, on the basis of the technical solution of the present invention, the various modifications or changes that can be made without creative effort still fall within the scope of protection of the present invention.
Claims (8)
1. A method for monitoring and protecting the integrity of critical system files, characterized in that it comprises the following steps:
the application layer updates the monitoring rules on startup;
the kernel layer monitors integrity changes of critical system files in real time according to the monitoring rules;
the application layer collects the kernel layer's monitoring and protection output;
the application layer updates the integrity baseline of the critical files.
2. The method for monitoring and protecting the integrity of critical system files according to claim 1, characterized in that the application layer updating the monitoring rules on startup specifically includes:
on startup, the application layer forms the rule file needed by the kernel layer from the current preset configuration file.
3. The method for monitoring and protecting the integrity of critical system files according to claim 2, characterized in that the kernel layer monitoring integrity changes of critical system files in real time according to the monitoring rules specifically includes:
the kernel layer judges whether the accessed file belongs to the monitoring rule list; if not, the file operation is executed; if so, it judges whether the accessed file permits the destructive operation; if not, execution of the file operation is refused; if so, the file operation is executed.
4. The method for monitoring and protecting the integrity of critical system files according to claim 3, characterized in that the kernel layer monitoring integrity changes of critical system files in real time according to the monitoring rules further includes:
generating a protection log and a monitoring log and posting them to a log queue;
the kernel layer monitoring the log queue and writing the log information to the file system.
5. The method for monitoring and protecting the integrity of critical system files according to claim 4, characterized in that the application layer collecting the kernel layer's monitoring and protection output specifically includes:
the application layer periodically scanning the protection-log and monitoring-log output of the kernel layer in a specified directory;
the application layer standardizing the protection-log and monitoring-log output and displaying it in the command-line interface.
6. The method for monitoring and protecting the integrity of critical system files according to claim 5, characterized in that the application layer updating the integrity baseline of the critical files specifically includes:
the application layer judging from the kernel layer's log output that the integrity of a critical file has changed, recalculating the critical file's hash value and updating the critical-file integrity baseline.
7. The method for monitoring and protecting the integrity of critical system files according to claim 6, characterized in that, after the step of the application layer updating the integrity baseline of the critical files, the method further includes:
when the application layer judges that the system no longer needs integrity monitoring and protection, unloading the corresponding kernel-layer files.
8. A device for monitoring and protecting the integrity of critical system files, characterized in that it comprises:
a monitoring-rule update module, by which the application layer updates the monitoring rules on startup;
an integrity judgment module, by which the kernel layer monitors integrity changes of critical system files in real time according to the monitoring rules;
a log output module, by which the application layer collects the kernel layer's monitoring and protection output;
an update module, by which the application layer updates the integrity baseline of the critical files.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title
---|---|---|---
CN201910683279.0A (CN110502930A) | 2019-07-26 | 2019-07-26 | Monitoring and protection method and device for system critical file integrity
Publications (1)
Publication Number | Publication Date
---|---
CN110502930A | 2019-11-26
Family
ID=68587326
Country Status (1)
Country | Link
---|---
CN | CN110502930A
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title
---|---|---|---|---
CN115827311A | 2023-02-13 | 2023-03-21 | 北京天维信通科技有限公司 | Method for protecting core file in common file system by using error correction coding
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title
---|---|---|---|---
CN104102878A | 2013-04-10 | 2014-10-15 | 中国科学院计算技术研究所 | Malicious code analysis method and system under Linux platform
CN105740729A | 2016-01-29 | 2016-07-06 | 浪潮电子信息产业股份有限公司 | Method for checking credibility of system service program
Legal Events
Code | Title | Description
---|---|---
PB01 | Publication | Application publication date: 2019-11-26
SE01 | Entry into force of request for substantive examination |
RJ01 | Rejection of invention patent application after publication |