CN111597382A - Network security auditing method and system - Google Patents
Publication number: CN111597382A (application number CN202010425094.2A)
Authority: CN (China)
Prior art keywords: video, text, screen, user, file
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications: G06F16/7867 (retrieval of video data using manually generated metadata such as tags, keywords, comments, title, time, location and usage information); G06F16/738 (presentation of query results)
Abstract
The present disclosure describes a network security audit method, comprising: recording a screen of a user of the terminal through a screen recording program in the operation process of the user of the terminal to obtain a video file of the recorded screen, wherein the video file is stored in a video storage node; in the screen recording process, monitoring the text output of a terminal screen, acquiring text interception information when the text output changes, and storing the text interception information in a video retrieval database; searching the text interception information in the video search database at the audit end, and outputting corresponding text interception information when the text interception information meeting the searching condition is found; and the video storage node searches a corresponding video file based on the corresponding text interception information, locates the initial moment of the text information in the retrieval condition, and feeds back the video file and the initial moment to the auditing end. Therefore, the illegal operation and the unauthorized access process of the user can be played back through an intuitive visual method, and the network security audit capability and effect are improved.
Description
This application is a divisional application of the patent application filed on 13/07/2018 with application number 201810766522.0, entitled "Visual network security auditing method and system".
Technical Field
The present disclosure generally relates to the field of information security technologies, and in particular, to a network security audit method and system.
Background
Computer network security audit (Audit) refers to the process of checking, examining and verifying the environment and activities of operational events against a defined security policy, using information such as records, system activities and user activities, in order to find system vulnerabilities and intrusion behaviour or to improve system performance.
Computer network security audit, or security audit for short, is the process of recording and reviewing the activities of users operating a computer and network system, and is an important measure for improving system security. System activities include operating system activities and the activities of application processes. User activities include the activities of the user in the operating system and in applications, such as the resources used by the user, the time of use, the operations performed, and the like.
Existing text-based auditing methods have limitations, such as large log volumes, poor readability, and difficulty in correlating security events. In addition, existing screen recording audit records the screen of the terminal and produces files of the screen recording results, which an auditor then retrieves. Plain screen recording audit also has weaknesses in practice: tracking an event is time-consuming, details of the event are easily missed, and the result files must be stored continuously, which consumes resources.
Disclosure of Invention
The present disclosure has been made in view of the above-mentioned state of the art, and an object of the present disclosure is to provide a network security audit method and system, which can quickly retrieve screen recording results and help an audit administrator to improve security event analysis and tracking capabilities.
Therefore, a first aspect of the present disclosure provides a network security auditing method, which is a security auditing method for a visual network including a terminal and an auditing end, and which comprises: recording the screen of a user of the terminal through a screen recording program during the user's operation process and acquiring a video file of the screen recording process, the video file being stored in a video storage node; during the screen recording process, monitoring the text output of the terminal screen and acquiring text interception information when the text output changes, the text interception information being stored in a video retrieval database; inputting a retrieval condition at the auditing end and retrieving the text interception information in the video retrieval database, the video retrieval database outputting the corresponding text interception information to the video storage node when text interception information meeting the retrieval condition is found; and the video storage node searching for the corresponding video file based on the corresponding text interception information, locating the starting moment of the text information of the retrieval condition in the video file, and feeding back the video file and the starting moment to the auditing end so that security auditing can be performed at the auditing end.
In this method, the screen is recorded during the operation process of the user of the terminal to obtain a video file, and the text output of the terminal screen is monitored; when the text output changes, text interception information is intercepted. The video file and the text interception information are stored in the video storage node and the video retrieval database respectively. A retrieval condition is input at the auditing end, the intercepted text interception information meeting the retrieval condition is found in the video retrieval database, and based on it the video storage node obtains the corresponding video file and the starting time in that file of the text information of the retrieval condition; the video file and the starting time are then fed back to the auditing end so that security auditing can be carried out there. Therefore, screen recording results can be retrieved quickly, an audit administrator can effectively audit and quickly track illegal operations and unauthorized access by the user of the terminal, the process of the illegal operation or unauthorized access is played back through an intuitive visual method, and the network security audit capability and effect are improved.
In the network security audit method according to the first aspect of the present disclosure, optionally, when the screen recording program is an independent process, a process monitoring and security protection mechanism is used to prevent the screen recording program from being uninstalled or terminated. This prevents the user from evading screen recording.
In the network security audit method according to the first aspect of the present disclosure, optionally, the method for obtaining and storing the video file includes: judging whether the user has exited the operating environment; if the user has not exited the operating environment, continuing to record the screen and judging whether a time slice interrupt occurs during screen recording; if a time slice interrupt signal is received, creating a sub-process to run a time slice interrupt handler and then continuing to record the screen; if no time slice interrupt signal is received, continuing to record the screen; and if the user has exited the operating environment, terminating the screen recording activity, sending to the video storage node any local screen recording file that has not yet been sent to the video storage node, and then deleting the local screen recording file of the screen recording process. Thereby, the video file can be acquired and stored.
In the network security audit method related to the first aspect of the present disclosure, optionally, the time slice interrupt handler includes: dumping the local screen recording file to a temporary file, and emptying the local screen recording file; sending the temporary file to the video storage node; and emptying the temporary file. Therefore, normal operation can be guaranteed when time slice interruption occurs in the screen recording process.
In the network security audit method according to the first aspect of the present disclosure, optionally, the screen recording program includes a hook program for intercepting the text interception information when the text output changes, where the text interception information includes text information, an interception time, and a file identifier associated with the video file, and the method for acquiring and storing the text interception information includes: writing the text information to the screen at the terminal; and entering the hook program, which comprises: acquiring or intercepting the text information to be written from the parameters of the screen text writing function; then collecting information such as the current system time, the system IP address, the user name and the identifier of the user's video file; merging this information into a video retrieval record; and sending the video retrieval record to the video retrieval database for storage. This can reduce the influence on the overall performance of the network system.
In the network security audit method according to the first aspect of the present disclosure, optionally, the terminal obtains one video file by recording the screen during one continuous operation process of each user, where the one video file includes a plurality of video units. Therefore, one continuous operation process is stored as one video file, which is convenient for an audit manager to effectively audit and quickly track.
In the network security audit method according to the first aspect of the present disclosure, optionally, the screen recording program sends the video unit of each set time slice to the video storage node, where it is merged with the already saved video units of the same continuous operation process, until the user exits; after the user exits the current operating environment, the terminal sends the last video unit to the video storage node, where it is merged with the other saved video units of the same continuous operation process to generate the complete video file of the user's current continuous operation process. Therefore, the real-time performance of audit retrieval can be ensured and the occupation of resources is reduced.
In the network security auditing method according to the first aspect of the present disclosure, optionally, the video retrieval database supports storage and retrieval of the video files of a plurality of the terminals. Therefore, visual auditing of the operation behaviors of the multi-terminal user can be supported.
In the network security audit method according to the first aspect of the present disclosure, optionally, the video storage node and the video search database use the same physical server.
A second aspect of the present disclosure provides a security audit system for a network, including: a user device for recording the screen during the operation process of a user through a screen recording program, acquiring a video file of the screen recording process, monitoring the text output of the screen of the user device during screen recording, and acquiring text interception information when the text output changes; a video storage node for storing the video file; a video retrieval database for storing the text interception information; and an auditing device for inputting a retrieval condition and retrieving the text interception information in the video retrieval database, where the video retrieval database outputs the corresponding text interception information to the video storage node when text interception information meeting the retrieval condition is found, and the video storage node searches for the corresponding video file based on the corresponding text interception information, locates the starting moment of the text information of the retrieval condition in the video file, and feeds back the video file and the starting moment to the auditing device so that security auditing can be performed at the auditing device.
In this system, the screen is recorded during the operation process of the user of the user device to obtain a video file, and the text output of the screen of the user device is monitored; when the text output changes, text interception information is intercepted. The video file and the text interception information are stored in the video storage node and the video retrieval database respectively. A retrieval condition is input at the auditing device, the intercepted text interception information meeting the retrieval condition is found in the video retrieval database, and based on it the video storage node obtains the corresponding video files and the starting moments in those files of the text information of the retrieval condition; the video files and the starting moments are then fed back to the auditing device so that security auditing can be carried out there. Therefore, screen recording results can be retrieved quickly, an audit administrator can effectively audit and quickly track illegal operations and unauthorized access from the user device, the process of the illegal operation or unauthorized access is replayed through an intuitive visual method, and the network security audit capability and effect are improved.
Drawings
Embodiments of the present disclosure will now be explained in further detail, by way of example only, with reference to the accompanying drawings, in which:
fig. 1 is a schematic flow chart of a security audit method of a visual network according to the present disclosure.
Fig. 2 is a schematic flow diagram of the acquisition and storage of the video file of fig. 1.
FIG. 3 is a flowchart of the slice interrupt handler of FIG. 2.
Fig. 4 is a schematic flow chart of video file storage and merged storage according to the present disclosure.
Fig. 5 is a schematic diagram of the process of intercepting and storing text interception information according to the present disclosure.
Fig. 6 is a schematic structural diagram of a visual network security audit system according to the present disclosure.
Detailed Description
Hereinafter, preferred embodiments of the present disclosure will be described in detail with reference to the accompanying drawings. In the following description, the same components are denoted by the same reference numerals, and redundant description thereof is omitted. The drawings are schematic and the ratio of the dimensions of the components and the shapes of the components may be different from the actual ones. Unless defined otherwise, technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this disclosure belongs. Those skilled in the art will recognize many methods similar or equivalent to those described in this disclosure that can be used in the practice of this disclosure. Indeed, the present disclosure is by no means limited to the described methods.
Fig. 1 is a schematic flow chart of a visual network security audit method according to the present disclosure. The visual network security auditing method of the present disclosure is applied to a network comprising a terminal and an auditing end.
In some examples, as shown in fig. 1, the visual network security audit method includes recording a screen of an operation process of a user of a terminal, and acquiring a plurality of video files during the screen recording process, where the plurality of video files are stored in a video storage node (step S100).
In step S100, the terminal may be one of a conventional computer system or a virtual computer. In addition, the terminal can also be mobile equipment such as a mobile phone, a tablet computer, a notebook computer, a vehicle-mounted computer and the like. Therefore, the application range of the visual network security audit can be improved.
In particular, a conventional computer system may be composed of a hardware (sub)system and a software (sub)system. The hardware (sub)system is an organic combination of physical components built on electrical, magnetic, optical, mechanical and other principles, and is the physical entity on which the system runs. The software (sub)system comprises the programs and files that direct the whole system to work according to the specified requirements. For example, a conventional computer system may include, but is not limited to, a PC or notebook. A virtual computer may be a complete computer system, emulated by software, that has full hardware system functionality and runs in a completely isolated environment; examples include computers based on virtualization platforms such as KVM and VMware.
In step S100, a screen may be recorded during an operation process of a user of the terminal, and a plurality of video files during the screen recording process may be acquired. In some examples, the terminal may record the operation process of the user through a screen recording program. For example, the terminal may start screen recording through the screen recording program, for example, after the user logs in successfully, and if the user logs out, the screen recording program terminates the screen recording process.
The screen recording program can be installed on the terminal computer and can run as a kernel module or as a system process. In some examples, the screen recording program can be loaded as a dynamic link library of the operating system kernel program through code injection. Additionally, in some examples, the screen recording program may be a separate process. In such a case, the screen recording process generally needs to be protected by the operating system kernel to prevent its operation from being interrupted. In order to prevent the user from circumventing screen recording, a process monitoring and security protection mechanism can be adopted to prevent the screen recording program from being uninstalled or terminated.
In some examples, when the terminal is a virtual computer, a secure virtual desktop may be taken as the starting point: the user performs a series of operations on objects from the secure virtual desktop, and the screen is recorded. Objects may include, but are not limited to, databases, network devices, servers, and Windows systems.
In some examples, the terminal may obtain a plurality of video files during screen recording. The video files may be stored in the video storage node over a network. The terminal records the screen during one continuous operation process of each user to obtain one video file. A continuous operation process runs from the moment the user starts operating until the user exits the current operating environment. In this case, one continuous operation process is stored as one video file, which is convenient for an audit manager to effectively audit and quickly track.
In some examples, one video file in the video storage node may include a plurality of video units. That is, the plurality of video units recorded during one continuous operation by the user of the terminal may be stored as one video file in the video storage node. The video file may be named in a format such as "user name date start time".
In addition, in order to reduce the terminal storage occupied by temporary files generated during screen recording, reduce the network resource consumption caused by uninterrupted transmission of video files, and ensure the real-time performance of audit retrieval, the screen recording program can send the video unit of each time slice to the video storage node at a set time slice. The set time slice may be 30 s to 100 s; for example, it may be 60 s. The video unit of the time slice is merged with the already stored video units of the same continuous operation process, until the user exits. After the user exits the current operating environment, the terminal sends the last video unit to the video storage node, where it is combined with the other stored video units of the same continuous operation process to generate the complete video file of the user's current continuous operation process. Therefore, the real-time performance of audit retrieval can be ensured and the occupation of resources is reduced.
Additionally, in some examples, the video storage node may comprise a server. The server can be a local server or a server in the cloud.
In some examples, video files for all terminals may be stored in a centralized manner. The centralized mode can support the visual audit of a plurality of terminal user operation behaviors, and provides a uniform platform for an audit manager to retrieve the user operation behaviors, so that the tracking of security events is faster and simpler.
Fig. 2 is a schematic flow diagram of the acquisition and storage of the video file of fig. 1. FIG. 3 is a flowchart of the slice interrupt handler of FIG. 2. Fig. 4 is a schematic flow chart of video file storage and merged storage according to the present disclosure.
In some examples, as shown in fig. 2, the screen recording program may be executed on a terminal operated by a user, and perform screen recording on a user operation process, so as to obtain a plurality of video files, and store the video files in the video storage node.
Specifically, as shown in fig. 2, step S100 may include judging whether the user has exited the operating environment (step S110). If the user has not exited the operating environment, screen recording continues (step S120), and it is judged whether a time slice interrupt occurs during screen recording (step S130). If a time slice interrupt signal is received, a sub-process is created to run the time slice interrupt handler, and screen recording then continues (step S140); if no time slice interrupt signal is received, screen recording simply continues. If the user has exited the operating environment, the screen recording activity is terminated (step S150), the local screen recording file that has not yet been sent to the video storage node is sent there (step S160), and the local video file of the screen recording process is then deleted (step S170). The local video file is the video file acquired during screen recording and stored locally, and may also be referred to as the "local screen recording file".
In step S140, as shown in fig. 3, the time slice interrupt handler may include dumping the local screen recording file to a temporary file and emptying the local screen recording file (step S141), sending the temporary file to the video storage node (step S142), and emptying the temporary file (step S143).
In addition, following step S160 or step S142, as shown in fig. 4, video file storage and merged storage at the video storage node may include the following steps: merging the received temporary file with the current video file of the corresponding user, that is, with the video file of the user's current continuous operation process (step S180); and then closing the video file (step S190).
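The recording loop of steps S110 to S170, the time slice interrupt handler of steps S141 to S143 and the merge at the storage node (steps S180 to S190), as an added simulation that is not code from the patent. Files and the network are in-memory byte buffers, one constructed byte stands for one second of video, and the sub-process of step S140 is run inline; the user name and file identifier layout are assumptions.

```python
from dataclasses import dataclass, field

# Added example, not code from the patent: an offline simulation of the
# terminal-side recording loop (steps S110-S170), the time slice interrupt
# handler (steps S141-S143) and the storage node's merge (steps S180-S190).
# "Files" and the "network" are in-memory byte buffers; each recorded frame
# is one constructed byte, so one frame stands for one second of recording.

TIME_SLICE_SECONDS = 60  # the patent suggests 30 s to 100 s, for example 60 s


@dataclass
class VideoStorageNode:
    """Storage node: merges each received unit into the user's current video file."""
    files: dict = field(default_factory=dict)  # file identifier -> list of video units

    def receive(self, file_id: str, unit: bytes) -> None:
        # S180: merge the received temporary file with the current video file
        self.files.setdefault(file_id, []).append(unit)

    def video_file(self, file_id: str) -> bytes:
        # S190: the closed, complete video file of one continuous operation process
        return b"".join(self.files.get(file_id, []))

    def unit_count(self, file_id: str) -> int:
        return len(self.files.get(file_id, []))


@dataclass
class ScreenRecorder:
    """Terminal-side recorder for one continuous operation process (login to logout)."""
    user: str
    start_time: str  # constructed "date start time" string used in the file name
    node: VideoStorageNode
    local_file: bytearray = field(default_factory=bytearray)
    temp_file: bytearray = field(default_factory=bytearray)
    recorded_seconds: int = 0

    @property
    def file_id(self) -> str:
        # The patent names a file "user name date start time"; this is one such layout.
        return f"{self.user}_{self.start_time}"

    def time_slice_interrupt(self) -> None:
        # S141: dump the local screen recording file to a temporary file, empty the local file
        self.temp_file[:] = self.local_file
        self.local_file.clear()
        # S142: send the temporary file to the video storage node
        self.node.receive(self.file_id, bytes(self.temp_file))
        # S143: empty the temporary file
        self.temp_file.clear()

    def run(self, frames) -> int:
        """Record until the frame source is exhausted, i.e. the user exits. Returns units sent."""
        units_sent = 0
        for frame in frames:                       # S110: user has not exited yet
            self.local_file += frame               # S120: continue recording
            self.recorded_seconds += 1
            if self.recorded_seconds % TIME_SLICE_SECONDS == 0:  # S130: time slice interrupt?
                self.time_slice_interrupt()        # S140: run inline rather than in a sub-process
                units_sent += 1
        # S150: the user has exited, terminate recording
        if self.local_file:                        # S160: send what was not yet sent
            self.node.receive(self.file_id, bytes(self.local_file))
            units_sent += 1
        self.local_file.clear()                    # S170: delete the local screen recording file
        return units_sent


def simulate_session(seconds: int):
    """Constructed session of the given length; returns (units sent, file length, unit count)."""
    node = VideoStorageNode()
    rec = ScreenRecorder("alice", "20200520_090000", node)
    sent = rec.run(b"f" for _ in range(seconds))
    assert not rec.local_file and not rec.temp_file  # nothing is left on the terminal
    return sent, len(node.video_file(rec.file_id)), node.unit_count(rec.file_id)


if __name__ == "__main__":
    print(simulate_session(150))  # 150 s: two 60 s units plus a final 30 s unit
```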
In some examples, as shown in fig. 1, the visual network security audit method may further include monitoring a text output of a screen of the terminal during screen recording, and when the text output changes, acquiring text interception information including text information, an interception time, and a file identifier associated with a video file, where the text interception information may be stored in a video retrieval database (step S200).
In step S200, during screen recording, a text output of a screen of the terminal may be monitored. In some examples, the text output of the screen of the terminal may be monitored by a screen recording program. When the text output changes, text interception information including text information, an interception time, and a file identifier associated with the video file may be acquired.
In some examples, the screen recording program may include a hook program for intercepting the text interception information when the text output changes. That is, when the text output changes, the hook program in the screen recording program intercepts the text interception information. This can reduce the influence on the overall performance of the network system. In addition, the terminal intercepts only the changed part of the screen text, and only at the moment the text information changes, thereby avoiding continuous monitoring and collection of the text information on the screen.
In some examples, the hook program intercepts the text interception information as follows. Fig. 5 is a schematic diagram of the process of intercepting and storing text interception information according to the present disclosure. In some examples, as shown in fig. 5, interception of the terminal screen text and generation of the video retrieval record may be performed by a hook program injected into the terminal's original screen text-writing program.
In some examples, as shown in fig. 5, the method for acquiring and storing the text interception information may include writing the text information to the screen at the terminal (step S210) and entering the hook procedure of fig. 5 (step S220). The hook procedure (step S220) may include acquiring or intercepting the text information to be written from the parameters of the screen text-writing function (step S221), then collecting information such as the current system time, the system IP address, the user name and the user's video file identifier (step S222), combining this information to generate a video retrieval record (step S223), and sending the record to the video retrieval database for saving (step S224).
In some examples, the text interception information may further include, but is not limited to, at least one of: the text information, the interception time, the file identifier associated with the video file, the user name, the system IP address, the operation command, the operation instruction, and the video file name. This provides the basis for an audit administrator to retrieve screen recording results (that is, video files) by text. The text information may be the text that changed on the terminal screen, and the interception time may be the time at which the text changed.
In some examples, the text interception information may be sent over a network and stored in a video retrieval database. In addition, each intercepted text interception information can be saved as a record of the database in the video retrieval database.
In some examples, the video retrieval database may be located at a network node accessible to the terminal network. Therefore, a large amount of text interception information can be stored.
In some examples, the video retrieval database may also support storage and retrieval of video files for multiple terminals. That is, a centralized video search database may be employed to maintain records for all terminals. Therefore, visual audit of operation behaviors of multiple terminal users can be supported, a unified platform is provided for an audit manager to retrieve text interception information obtained by screen recording based on text information of a screen, database query is faster and simpler, and security event tracking is faster and simpler.
In some examples, the video storage node and the video retrieval database may use the same physical server or may be stored separately, but should be accessible to each other via a network connection.
In other examples, the text interception information may also be stored in log files of other formats.
In some examples, during screen recording, the intercepted changed text information can further be identified, and when the changed text information belongs to preset sensitive information, the auditing end issues an alarm. Therefore, illegal operations by the user can be learned of in a timely manner. The sensitive information may include, but is not limited to, words that violate laws and regulations. The alarm mode may include at least one of a voice mode, a short message mode, and the like.
In some examples, as shown in fig. 1, the visual network security auditing method may further include inputting a retrieval condition at the auditing end, retrieving text interception information in the video retrieval database, and when the text interception information meeting the retrieval condition is found in the video retrieval database, the video retrieval database outputting a corresponding file identifier and interception time to the video storage node, where the retrieval condition includes at least one of text information or a time range (step S300).
In step S300, the retrieval condition may include text information and a time range. Specifically, the retrieval condition may include, but is not limited to, "user name", "time range" and "text information". The type of the retrieval condition may be selected from among the types of the text interception information.
In some examples, the auditing end can search the text interception information in the video retrieval database according to the retrieval condition. When text interception information meeting the retrieval condition is found in the video retrieval database, the video retrieval database can output the corresponding file identifier and interception time to the video storage node. Because each piece of intercepted text interception information is stored in the video retrieval database as one record, the video retrieval database finds the records meeting the retrieval condition and outputs the corresponding file identifier and interception time of each.
In some examples, as shown in fig. 1, the visual network security audit method may further include the video storage node searching for a corresponding video file based on the file identifier and the interception time, locating a start time at which text information in the retrieval condition appears in the video file, and feeding back the video file and the start time to the audit end, so as to perform security audit at the audit end (step S400).
In step S400, the video storage node may receive the file identifier and the interception time output from the video search database in step S300.
In some examples, the video storage node may look up the corresponding video file based on the file identifier and the interception time, and locate the start time at which the text information of the retrieval condition appears in the video file. Specifically, the video storage node first finds the video file identified by the file identifier. Once the video file is found, the start time at which the searched text information appears in the video file is located from the text information and the interception time in the retrieval condition. That is, the playback position offset, within the video file, of the text information that was searched for is calculated.
In some examples, the video storage node may feed the video file and the start time back to the auditing end for security auditing at the auditing end.
In some examples, at the auditing end, the audit manager can jump directly to and play the relevant video clip according to the returned retrieval result.
In addition, the B/S (browser/server) mode may be employed in step S300 and step S400.
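The retrieval step S300 and the locating step S400 above can be modelled end to end in a few dozen lines. The following is an added example and not code from the patent or its applicant: the record fields (text, interception time, file identifier, user name, IP address) and the "user name||date||start time" file-name format come from the description, while the class names, the `audit_query` helper and all sample records are constructed assumptions.

```python
"""Added example (not the patent's own code): a minimal model of the video
retrieval database (step S300) and the video storage node (step S400).
Record fields and the file-name format follow the description; class names,
helper names and the sample data are assumptions made for this example."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple


@dataclass
class InterceptRecord:
    """One record of the video retrieval database: a text change captured
    during screen recording, keyed to the video file it occurred in."""
    text: str                  # text that changed on the screen
    intercept_time: datetime   # moment the change was intercepted
    file_id: str               # identifier of the associated video file
    user: str                  # user name of the terminal user
    ip: str                    # system IP address of the terminal


class VideoRetrievalDatabase:
    """Stores one record per intercepted text change and answers queries."""

    def __init__(self) -> None:
        self._records: List[InterceptRecord] = []

    def add(self, record: InterceptRecord) -> None:
        self._records.append(record)

    def search(self, text: Optional[str] = None, user: Optional[str] = None,
               time_range: Optional[Tuple[datetime, datetime]] = None
               ) -> List[Tuple[str, datetime]]:
        """Return (file_id, intercept_time) for every record matching all
        supplied conditions; the retrieval condition holds text and/or a time range."""
        hits = []
        for r in self._records:
            if text is not None and text not in r.text:
                continue
            if user is not None and r.user != user:
                continue
            if time_range is not None and not (time_range[0] <= r.intercept_time <= time_range[1]):
                continue
            hits.append((r.file_id, r.intercept_time))
        return hits


class VideoStorageNode:
    """Maps file identifiers to video files named "user name||date||start time"
    and computes the playback offset of an intercepted text change."""

    def __init__(self, files: Dict[str, str]) -> None:
        self._files = files  # file_id -> video file name

    @staticmethod
    def start_time_of(file_name: str) -> datetime:
        """Recording start time, parsed from the file name."""
        _user, date, start = file_name.split("||")
        return datetime.strptime(f"{date} {start}", "%Y-%m-%d %H:%M:%S")

    def locate(self, file_id: str, intercept_time: datetime) -> Tuple[str, float]:
        """Return the file name and the offset in seconds from the start of
        the recording at which the intercepted text appears (step S400)."""
        name = self._files[file_id]
        offset = (intercept_time - self.start_time_of(name)).total_seconds()
        if offset < 0:
            # A record that predates its own recording is corrupt; refuse it.
            raise ValueError("interception time precedes recording start")
        return name, offset


def build_sample() -> Tuple[VideoRetrievalDatabase, VideoStorageNode]:
    """Constructed sample data (not from the patent)."""
    db = VideoRetrievalDatabase()
    node = VideoStorageNode({"f1": "alice||2020-05-18||09:00:00",
                             "f2": "bob||2020-05-18||10:30:00"})
    db.add(InterceptRecord("$ ls /home", datetime(2020, 5, 18, 9, 0, 5), "f1", "alice", "10.0.0.5"))
    db.add(InterceptRecord("$ shutdown -h now", datetime(2020, 5, 18, 9, 2, 30), "f1", "alice", "10.0.0.5"))
    db.add(InterceptRecord("$ cat /etc/hosts", datetime(2020, 5, 18, 10, 31, 0), "f2", "bob", "10.0.0.6"))
    return db, node


def audit_query(text: Optional[str] = None, user: Optional[str] = None,
                time_range: Optional[Tuple[datetime, datetime]] = None
                ) -> List[Tuple[str, float]]:
    """Steps S300 and S400 end to end: query the database, then have the
    storage node locate each hit inside its video file."""
    db, node = build_sample()
    return [node.locate(file_id, t) for file_id, t in
            db.search(text=text, user=user, time_range=time_range)]


if __name__ == "__main__":
    print(audit_query(text="shutdown"))   # -> [('alice||2020-05-18||09:00:00', 150.0)]
```

The offset is simply the difference between the interception time and the recording start time encoded in the file name, which is why the description insists that both values travel together from the database to the storage node.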
In the method and the device, the video file can be obtained by recording the screen during the operation process of the terminal user, and the text output of the terminal screen can be monitored. When the text output changes, the text interception information is intercepted, and the video file and the text interception information are stored in a video storage node and a video retrieval database respectively. A retrieval condition can be input at the auditing end, and the file identifier and the interception time that match the retrieval condition can be found in the video retrieval database. Based on the file identifier and the interception time, the video storage node can obtain the corresponding video file and the start time at which the text information of the retrieval condition appears in the video file, and feed the video file and the start time back to the auditing end for security auditing there. The screen recording result can therefore be retrieved quickly, an audit administrator is helped to audit effectively and to track quickly the illegal operations and unauthorized access of the terminal user, the process of such illegal operation and unauthorized access is played back by an intuitive visual method, and the network security audit capability and effect are improved.
In this case, the operation process of the user at the terminal is recorded and monitored automatically, so that tracking and evidence collection for security events are supported and the strength of network security protection is enhanced. The audit manager can locate the corresponding video clip based on the text information in the text interception information, which improves the performance of tracking and evidence collection, automatically identifies illegal operations and unauthorized access by the user, and supports real-time alarms. In conclusion, the visual network security audit method lets an audit manager intuitively retrieve and reproduce the course of a security event and helps to track it and collect evidence quickly.
A visual network security audit system is described below with reference to FIG. 6. The system may include a user device and an audit device; the user device corresponds to the terminal and the audit device to the auditing end described above. Fig. 6 is a schematic structural diagram of a visual network security audit system according to the present disclosure.
In some examples, as shown in fig. 6, visual network security audit system 1 includes a user device 10. The user device 10 may be configured to record a screen during a user operation, and obtain a plurality of video files during the screen recording. During screen recording, the text output of the screen of the user device 10 may be monitored. When the text output changes, text interception information including text information, interception time, and a file identifier associated with the video file is acquired.
In some examples, the user device 10 may be a PC, a notebook, or a virtual computer with complete hardware system functionality that is emulated by software and runs in a completely isolated environment. The range of application of visual network security auditing can therefore be broadened. The user device 10 may thus be a conventional computer system or a virtual computer, and corresponds to the terminal in step S100.
In some examples, the user device 10 may record the operation process of the user through a screen recording program. The screen recording program can be operated in a kernel module or system process mode. Thus, the screen recording program can be prevented from being uninstalled or from being terminated.
In some examples, when the user device 10 is a virtual computer, the user may perform a series of operations on an object from the secure virtual desktop, and screen recording starts with the secure virtual desktop. Objects may include, but are not limited to, databases, network devices, servers and Windows systems.
In some examples, multiple video files may be obtained while the user device 10 is recording the screen. One video file is obtained by recording the screen of the user device 10 for one continuous operation process of each user. A continuous operation process may refer to the period from when the user starts operating until the user exits the current operating environment.
In addition, in some examples, the screen recording program may send the video unit of each set time slice to the video storage node 20 at every such time slice. The real-time performance of audit retrieval can therefore be ensured while resource occupation is reduced.
In other examples, user device 10 may monitor the text output of the screen of user device 10 via a screen recording program. When the text output changes, text interception information including text information, an interception time, and a file identifier associated with the video file may be acquired.
In some examples, the screen recording program may include a hook program for intercepting text interception information when the text output changes. That is, when the text output changes, the hook program intercepts the text interception information. This reduces the impact on the overall performance of the network system. In addition, the user device 10 may intercept only the changed part of the screen text, and only at the moment the text information changes, so that the text information on the screen need not be monitored and collected continuously.
In some examples, the text interception information may include, but is not limited to, at least one of text information, an interception time, a file identifier associated with the video file, a user name, a system IP address, an operation command, an operation instruction and a video file name. A basis is thereby provided for the audit administrator to search the screen recording result by text. The text information is the text that changed on the screen of the user device 10, and the interception time is the time at which the text changed.
In some examples, the text interception information may be sent over a network to and stored in the video retrieval database 30.
In some examples, during screen recording, the intercepted, changed text information can be further identified; when the changed text information belongs to preset sensitive information, the auditing device 40 sends out an alarm. Illegal operations by the user can therefore be known in a timely manner.
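The two mechanisms just described, a hook that fires only when the screen text changes and captures only the changed part, and an alarm when that change matches preset sensitive words, can be shown together. The following is an added example and not code from the patent or its applicant: the screen write function it wraps, the `difflib`-based line comparison, the record layout, the sensitive-word list and the sample screen states are all constructed assumptions; a real hook would sit on the terminal's own screen text writing function.

```python
"""Added example (not the patent's own code): a hook around a screen text
write function that records only the changed text, builds a retrieval record
and raises an alarm when the change matches preset sensitive words.
The write function, record layout and sensitive list are assumptions."""
import difflib
from datetime import datetime
from typing import Callable, Dict, List, Optional

# Preset sensitive words (constructed for this example; a deployment would
# load the list maintained by the audit administrator).
SENSITIVE_WORDS = ("shutdown", "shadow")


class ScreenTextHook:
    """Stands in for the hook program: it is called in place of the raw
    screen write, compares the new screen text with the previous one, and
    records only the added lines. Nothing is collected while the screen
    is unchanged."""

    def __init__(self, user: str, ip: str, file_id: str,
                 alarm: Callable[[Dict], None]) -> None:
        self.user, self.ip, self.file_id = user, ip, file_id
        self.alarm = alarm              # alarm sink (voice, SMS, ...); here a callback
        self.last_text = ""             # screen text seen at the previous write
        self.records: List[Dict] = []   # would be sent to the video retrieval database

    def changed_part(self, new_text: str) -> str:
        """Lines present in the new screen text but not in the previous one."""
        diff = difflib.ndiff(self.last_text.splitlines(), new_text.splitlines())
        return "\n".join(line[2:] for line in diff if line.startswith("+ "))

    def on_write(self, new_text: str, now: datetime) -> Optional[Dict]:
        """Return the record created for this write, or None when the screen
        text did not change (the hook then does nothing else)."""
        delta = self.changed_part(new_text)
        self.last_text = new_text
        if not delta:
            return None
        # Collect the current time, system IP, user name and video file
        # identifier with the text, as the description lists for a record.
        record = {"text": delta, "intercept_time": now, "file_id": self.file_id,
                  "user": self.user, "ip": self.ip}
        self.records.append(record)
        matched = [w for w in SENSITIVE_WORDS if w in delta.lower()]
        if matched:
            self.alarm({**record, "matched": matched})
        return record


def run_session() -> Dict[str, int]:
    """Drive the hook with three constructed screen states and report how
    many records and alarms resulted."""
    alarms: List[Dict] = []
    hook = ScreenTextHook("alice", "10.0.0.5", "f1", alarms.append)
    t0 = datetime(2020, 5, 18, 9, 0, 0)
    hook.on_write("$ ls /home\nalice bob", t0)                       # first write: recorded
    hook.on_write("$ ls /home\nalice bob", t0)                       # unchanged: no record
    hook.on_write("$ ls /home\nalice bob\n$ shutdown -h now", t0)    # change matches a sensitive word
    return {"records": len(hook.records), "alarms": len(alarms)}


if __name__ == "__main__":
    print(run_session())   # -> {'records': 2, 'alarms': 1}
```

Comparing against the previous screen state is what keeps the record volume down: the retrieval database receives one record per change, not one per frame, and the alarm check runs only on that delta.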
In some examples, as shown in fig. 6, visual network security audit system 1 may also include video storage node 20. The video storage node 20 may be used to store a plurality of video files.
In some examples, one video file in the video storage node 20 may include multiple video units. That is, the video units produced during one continuous operation process of the user of the user device 10 are stored as one video file in the video storage node 20. The video file may be named in the format "user name||date||start time". A continuous operation process may refer to the period from when the user starts operating until the user exits the current operating environment. Storing one continuous operation process as one video file makes it convenient for an audit manager to audit effectively and to track quickly.
In some examples, the video storage node 20 may merge each received video unit with the already stored video units of the same continuous operation process until the user exits. After the user exits the current operating environment, the user device 10 sends the last video unit to the video storage node 20, where it is merged with the other stored video units of the same continuous operation process to produce the complete video file of the user's current continuous operation process. The real-time performance of audit retrieval can therefore be ensured while resource occupation is reduced.
Additionally, in some examples, video storage node 20 may comprise a server.
In some examples, as shown in fig. 6, visual network security audit system 1 may also include video retrieval database 30. The video search database 30 may be used to store text interception information.
In some examples, in the video retrieval database 30, each intercepted text interception information may be saved as one record of the database.
In some examples, the video retrieval database 30 may be located at a network node that is network-accessible to the user device 10. Therefore, a large amount of text interception information can be stored.
In some examples, the video retrieval database 30 may also support the storage and retrieval of video files for multiple user devices 10. Visual auditing of the operation behaviour of the users of multiple user devices 10 can thereby be supported.
In some examples, the video storage node 20 and the video retrieval database 30 may use the same physical server or may be stored separately, but should be accessible over a network.
In some examples, as shown in fig. 6, the visual network security audit system 1 may further include an audit device 40. The audit device 40 may be used to input a retrieval condition for searching the text interception information in the video retrieval database 30. When text interception information meeting the retrieval condition is found in the video retrieval database 30, the video retrieval database 30 may output the corresponding file identifier and interception time to the video storage node 20. The retrieval condition may include text information and a time range. Specifically, the retrieval condition may include, but is not limited to, "user name", "time range" and "text information". The type of the retrieval condition may be selected from among the types of the text interception information.
In addition, in some examples, the video storage node 20 may, based on the file identifier and the interception time, look up the corresponding video file, locate the start time at which the text information of the retrieval condition appears in the video file, and feed the video file and the start time back to the audit device 40 for security auditing there. Specifically, the video storage node 20 first finds the video file identified by the file identifier. Once the video file is found, the start time at which the searched text information appears in the video file is located from the text information and the interception time in the retrieval condition. That is, the playback position offset, within the video file, of the text information that was searched for is calculated.
In some examples, the video storage node 20 may feed video files and start times back to the audit device 40 for security auditing there. Through the audit device 40, the audit manager can view the returned retrieval result and play the related video clip from the located position.
In the present disclosure, the video file may be obtained by recording the screen during the operation process of the user of the user device 10, and the text output of the screen of the user device 10 may be monitored. When the text output changes, the text interception information is intercepted, and the video file and the text interception information are stored in the video storage node 20 and the video retrieval database 30 respectively. A retrieval condition is input at the audit device 40, the file identifier and the interception time matching the retrieval condition are found in the video retrieval database 30, and the video storage node 20 obtains, based on the file identifier and the interception time, the corresponding video file and the start time at which the text information of the retrieval condition appears in it, and feeds the video file and the start time back to the audit device 40 for security auditing there. The screen recording result can therefore be retrieved quickly, an audit administrator is helped to audit effectively and to track quickly the illegal operations and unauthorized access of the user of the user device 10, the process of such illegal operation and unauthorized access is replayed by an intuitive visual method, and the network security audit capability and effect are improved.
While the invention has been described in detail in connection with the drawings and the embodiments, it is to be understood that the above description is not intended to limit the invention in any way. Those skilled in the art can make modifications and variations to the present invention as needed without departing from the true spirit and scope of the invention, and such modifications and variations are within the scope of the invention.
Claims (10)
1. A network security auditing method is a security auditing method of a visual network comprising a terminal and an auditing end, and is characterized in that,
the method comprises the following steps:
recording a screen of a user of a terminal through a screen recording program in the operation process of the user, and acquiring a video file in the screen recording process, wherein the video file is stored in a video storage node;
in the screen recording process, monitoring the text output of a screen of the terminal, and acquiring text interception information when the text output changes, wherein the text interception information is stored in a video retrieval database;
inputting a retrieval condition at an auditing end, retrieving the text interception information in the video retrieval database, and, when text interception information meeting the retrieval condition is found in the video retrieval database, outputting the corresponding text interception information to the video storage node by the video retrieval database; and
the video storage node searching a corresponding video file based on the corresponding text interception information, locating the starting moment of the text information in the retrieval condition in the video file, and feeding back the video file and the starting moment to the auditing end so as to carry out safety auditing at the auditing end.
2. An auditing method according to claim 1,
when the screen recording program is an independent process, a process monitoring and safety protection mechanism is adopted to prevent the screen recording program from being uninstalled or being stopped to run.
3. An auditing method according to claim 1,
the video file acquisition and storage method comprises the following steps:
judging whether the user exits the operating environment or not;
if the user does not exit the operating environment, continuing to record the screen;
judging whether time slice interruption occurs or not in the screen recording process;
if a time slice interrupt signal is received, creating a sub-process to run a time slice interrupt handler, and then continuing to record a screen;
if the time slice interrupt signal is not received, continuing to record the screen, and if the user already exits the operating environment, terminating screen recording activity;
sending a local screen recording file which has not yet been sent to the video storage node by the user to the video storage node; and
then deleting the local screen recording file in the screen recording process.
4. An auditing method according to claim 3,
the slice interrupt handler includes:
dumping the local screen recording file to a temporary file, and emptying the local screen recording file;
sending the temporary file to the video storage node; and
emptying the temporary file.
5. An auditing method according to claim 1,
the screen recording program comprises a hook program used for intercepting the text interception information when the text output changes, the text interception information comprises text information, interception time and a file identifier associated with the video file, and the method for acquiring and storing the text interception information comprises the following steps:
writing the text information into a screen at the terminal;
entering the hook program,
wherein the hook program comprises:
acquiring or intercepting the text information to be written from the parameters of the screen text writing function;
then collecting the current system time, the system IP address, the user name, the identifier of the user video file and the like;
merging the collected information to generate a video retrieval record; and
sending the video retrieval record to the video retrieval database for storage.
6. An auditing method according to claim 1,
and recording a screen by the terminal in one continuous operation process of each user to obtain a video file, wherein the video file comprises a plurality of video units.
7. An auditing method according to claim 6,
the screen recording program sends the video units of the time slice to the video storage node at intervals of a set time slice, the video units of the time slice are combined with the stored video units in the same continuous operation process until the user exits,
and after the user exits from the current operating environment, the terminal sends the last video unit to the video storage node, and the last video unit is combined with other stored video units in the same continuous operating process to generate a complete video file of the user in the current continuous operating process.
8. An auditing method according to claim 1,
the video retrieval database supports storage and retrieval of the video files for a plurality of the terminals.
9. An auditing method according to claim 1,
the video storage node and the video retrieval database use the same physical server.
10. A network security audit system is characterized in that
the system comprises:
the user device is used for recording a screen in the operation process of a user through a screen recording program, acquiring a video file in the screen recording process, monitoring text output of a screen of the user device in the screen recording process, and acquiring text interception information when the text output changes;
a video storage node for storing the video file;
a video retrieval database for storing the text interception information; and
and the auditing device is used for inputting retrieval conditions, retrieving the text interception information in the video retrieval database, outputting corresponding text interception information to the video storage node by the video retrieval database when the text interception information meeting the retrieval conditions is found in the video retrieval database, searching a corresponding video file by the video storage node based on the corresponding text interception information, positioning the starting moment of the text information in the retrieval conditions in the video file, and feeding back the video file and the starting moment to the auditing device so as to perform safety auditing in the auditing device.
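The time-slice upload loop of claims 3 and 4 and the per-session merging of video units described for the video storage node 20 (and restated in claim 7) form one procedure, shown below as an added example that is not code from the patent or its applicant. Frames are constructed byte strings, the transport is a direct method call instead of a network send, the time-slice interrupt handler is called inline rather than in a sub-process, and the file names and class names are assumptions.

```python
"""Added example (not the patent's own code): the terminal-side time-slice
interrupt handler of claims 3 and 4 and the per-session merging of video
units on the video storage node (claim 7). Frames are constructed bytes;
the recorder, transport and storage node are in-memory stand-ins."""
import os
import shutil
import tempfile
from typing import Dict, List, Tuple


class VideoStorageNode:
    """Appends each received video unit to the video file of the same
    continuous operation process, named "user name||date||start time"."""

    def __init__(self) -> None:
        self.files: Dict[str, bytes] = {}
        self.units_received = 0

    def receive(self, file_name: str, unit: bytes) -> None:
        # Merge the unit with what is already stored for this session.
        self.files[file_name] = self.files.get(file_name, b"") + unit
        self.units_received += 1


class TerminalRecorder:
    """Terminal side: frames are appended to a local recording file. On each
    time-slice interrupt the local file is dumped to a temporary file, the
    local file is emptied, the temporary file is sent, then emptied."""

    def __init__(self, node: VideoStorageNode, file_name: str, workdir: str) -> None:
        self.node, self.file_name = node, file_name
        self.local = os.path.join(workdir, "recording.bin")   # assumed local file name
        self.temp = os.path.join(workdir, "unit.tmp")         # assumed temp file name
        open(self.local, "wb").close()

    def record_frame(self, frame: bytes) -> None:
        with open(self.local, "ab") as f:
            f.write(frame)

    def time_slice_interrupt(self) -> int:
        """Claim 4 handler; returns the size of the unit sent."""
        shutil.copyfile(self.local, self.temp)     # dump local file to temp file
        open(self.local, "wb").close()             # empty the local file
        with open(self.temp, "rb") as f:
            unit = f.read()
        self.node.receive(self.file_name, unit)    # send the temp file
        open(self.temp, "wb").close()              # empty the temp file
        return len(unit)

    def exit_environment(self) -> None:
        """User exits: send whatever has not been sent, then delete the
        local recording file (claim 3, last two steps)."""
        with open(self.local, "rb") as f:
            rest = f.read()
        if rest:
            self.node.receive(self.file_name, rest)
        os.remove(self.local)
        if os.path.exists(self.temp):
            os.remove(self.temp)


def run_session(frames: List[bytes], slice_len: int) -> Tuple[bytes, int]:
    """Record `frames`, raising a time-slice interrupt every `slice_len`
    frames, and return the merged file held by the storage node together
    with the number of units it received."""
    node = VideoStorageNode()
    name = "alice||2020-05-18||09:00:00"   # constructed session name
    with tempfile.TemporaryDirectory() as workdir:
        rec = TerminalRecorder(node, name, workdir)
        for i, frame in enumerate(frames, 1):
            rec.record_frame(frame)
            if i % slice_len == 0:         # time-slice interrupt signal received
                rec.time_slice_interrupt()
        rec.exit_environment()             # user exits the operating environment
    return node.files[name], node.units_received


if __name__ == "__main__":
    print(run_session([b"f1", b"f2", b"f3", b"f4", b"f5"], 2))   # -> (b'f1f2f3f4f5', 3)
```

Because every unit is appended to the session's file as it arrives, the storage node holds an up-to-date recording between interrupts, which is what lets an audit query during a session return a playable clip; the local file never grows past one time slice, which is the resource saving the description refers to.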
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010425094.2A CN111597382A (en) | 2018-07-13 | 2018-07-13 | Network security auditing method and system |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810766522.0A CN108920690B (en) | 2018-07-13 | 2018-07-13 | Visual network security audit method and system |
CN202010425094.2A CN111597382A (en) | 2018-07-13 | 2018-07-13 | Network security auditing method and system |
Related Parent Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810766522.0A Division CN108920690B (en) | 2018-07-13 | 2018-07-13 | Visual network security audit method and system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN111597382A true CN111597382A (en) | 2020-08-28 |
Family
ID=64410900
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010425094.2A Pending CN111597382A (en) | 2018-07-13 | 2018-07-13 | Network security auditing method and system |
CN201810766522.0A Active CN108920690B (en) | 2018-07-13 | 2018-07-13 | Visual network security audit method and system |
Family Applications After (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810766522.0A Active CN108920690B (en) | 2018-07-13 | 2018-07-13 | Visual network security audit method and system |
Country Status (1)
Country | Link |
---|---|
CN (2) | CN111597382A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114285761A (en) * | 2021-12-27 | 2022-04-05 | 北京邮电大学 | Video recording and OCR technology-based board jumper illegal operation detection method |
Families Citing this family (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110046297B (en) * | 2019-03-28 | 2023-04-07 | 广州视源电子科技股份有限公司 | Operation and maintenance violation identification method and device and storage medium |
CN110442507A (en) * | 2019-08-16 | 2019-11-12 | 第四范式(北京)技术有限公司 | The method and system of behavior auditing is carried out in machine learning platform |
CN110719334B (en) * | 2019-10-18 | 2021-10-26 | 上海华讯网络系统有限公司 | Auditing system and method suitable for cloud desktop behaviors |
TWI742463B (en) * | 2019-11-13 | 2021-10-11 | 宏正自動科技股份有限公司 | Surveillance system |
CN110866017A (en) * | 2019-11-27 | 2020-03-06 | 郭学森 | Tax handling operation mark leaving system for visual retrieval and implementation method thereof |
CN113596402B (en) * | 2021-07-29 | 2024-10-01 | 上海浦东发展银行股份有限公司 | Method, device, equipment, system and storage medium for monitoring in event |
Citations (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101739450A (en) * | 2009-11-26 | 2010-06-16 | 北京网梯科技发展有限公司 | Method and system for retrieving information appeared in video |
CN102609637A (en) * | 2011-12-20 | 2012-07-25 | 北京友维科软件科技有限公司 | Audit protection system for data leakage |
US20130275579A1 (en) * | 2012-04-13 | 2013-10-17 | International Business Machines Corporation | Service compliance enforcement using user activity monitoring and work request verification |
CN103873811A (en) * | 2012-12-10 | 2014-06-18 | 株式会社理光 | Information processing apparatus, information processing method, and information processing system |
CN104125304A (en) * | 2014-08-13 | 2014-10-29 | 北京华夏威科软件技术有限公司 | Session-level application auditing method and system |
CN105025345A (en) * | 2015-07-28 | 2015-11-04 | 无锡天脉聚源传媒科技有限公司 | Method and device for recording live program |
CN106126401A (en) * | 2016-05-19 | 2016-11-16 | 北京朋创天地科技有限公司 | A kind of video retrieval method based on secure virtual desktop |
CN106708859A (en) * | 2015-11-13 | 2017-05-24 | 北京神州泰岳信息安全技术有限公司 | Auditing method for resource access behaviors and device |
CN107483409A (en) * | 2017-07-21 | 2017-12-15 | 南京南瑞集团公司 | A kind of method that operational order towards industry control operating system monitors echo in real time |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20080030797A1 (en) * | 2006-08-04 | 2008-02-07 | Eric Circlaeys | Automated Content Capture and Processing |
US9462238B1 (en) * | 2009-10-30 | 2016-10-04 | Verint Americas Inc. | Remote agent capture and monitoring |
CN104850407A (en) * | 2015-05-28 | 2015-08-19 | 深圳市云舒网络技术有限公司 | Desktop screen capture system and method |
CN106598973B (en) * | 2015-10-14 | 2019-07-09 | 杭州海康威视数字技术股份有限公司 | A kind of method and system of the intelligent retrieval based on cloud storage management |
Also Published As
Publication number | Publication date |
---|---|
CN108920690B (en) | 2020-06-19 |
CN108920690A (en) | 2018-11-30 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN108920690B (en) | Visual network security audit method and system | |
US11665183B2 (en) | Secure incident investigation event capture | |
CN106294176B (en) | The method and system that application failure positions in Mac OS systems | |
US20060010337A1 (en) | Management system and management method | |
CN109992454B (en) | Method, device and storage medium for fault location | |
WO2020237877A1 (en) | Log monitoring method and apparatus, terminal, and storage medium | |
CN112035354B (en) | Positioning method, device and equipment of risk codes and storage medium | |
CN114077525A (en) | Abnormal log processing method and device, terminal equipment, cloud server and system | |
CN111930703A (en) | Automatic log file capturing method and device and computer equipment | |
US6708211B1 (en) | Windows frame, dialog box, keyboard, device access and user environment real time ASC file signal tracking and control system based upon user activity | |
CN114020893A (en) | Log retrieval method and device based on distributed storage and storage medium | |
CN113282458A (en) | Anti-flash-back method and device for application program, electronic equipment and storage medium | |
CN110515803B (en) | Processing method and device for log message and electronic equipment | |
CN110717130A (en) | Dotting method, dotting device, dotting terminal and storage medium | |
CN115328742B (en) | Container information monitoring method and device, storage medium and electronic equipment | |
CN112182581A (en) | Application testing method and device, application testing equipment and storage medium | |
US12020039B2 (en) | Compute instance warmup operations | |
CN116089427A (en) | Management method and system for multi-medium fusion storage of electronic files | |
CN115758359A (en) | API abnormal call detection method, device, equipment and storage medium | |
CN112162954B (en) | User operation log generation and path positioning method, device, equipment and medium | |
CN111368039B (en) | Data management system | |
JP2002312205A (en) | Saving processing method for access log information, saving processing device for the same and processing program for the same | |
CN113312320A (en) | Method and system for acquiring user operation database behavior | |
CN113420003A (en) | Method, device, equipment and medium for processing data interaction log | |
CN112416655A (en) | Storage disaster recovery system based on enterprise service portal and data copying method |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| WD01 | Invention patent application deemed withdrawn after publication | Application publication date: 20200828 |