CN113297628A - Modification behavior auditing method, device, equipment and readable storage medium - Google Patents

Publication number
CN113297628A
Authority
CN
China
Prior art keywords
modification
behavior
audit
content
modified
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110577328.XA
Other languages
Chinese (zh)
Inventor
童志超
范渊
黄进
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
DBAPPSecurity Co Ltd
Hangzhou Dbappsecurity Technology Co Ltd
Original Assignee
Hangzhou Dbappsecurity Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hangzhou Dbappsecurity Technology Co Ltd
Priority to CN202110577328.XA
Publication of CN113297628A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/95 Retrieval from the web
    • G06F16/958 Organisation or management of web site content, e.g. publishing, maintaining pages or automatic linking

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • Data Mining & Analysis (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Storage Device Security (AREA)

Abstract

The application discloses a modification behavior auditing method, apparatus, device, and readable storage medium. The method comprises the following steps: monitoring a modification behavior of a client in a target website to obtain modification content and modification behavior information; performing tamper-proof verification on the modification behavior information; if the verification succeeds, performing a security audit on the modification content; if the audit fails, executing a preset audit failure handling operation; if the verification fails, blocking the modification behavior. The method can therefore prevent illegal or non-compliant operations that a hacker performs after injecting into a process on the tamper-proof white list; it can also address the problem of a website becoming inaccessible because of faults caused by malicious or unintentional operations after a malicious user enters the website server. Malicious tampering can be effectively avoided, and normal operation of the website can be guaranteed.

Description

Modification behavior auditing method, device, equipment and readable storage medium
Technical Field
The present application relates to the field of information security technologies, and in particular, to a modification behavior auditing method, apparatus, device, and readable storage medium.
Background
A hacker may inject into a process on the tamper-proof white list and then make the website inaccessible by deleting key website files, inserting illegal statements, or performing similar operations.
Existing webpage tamper-proofing schemes can prevent a hacker from illegally tampering with a website to a certain extent, but they cannot prevent illegal or non-compliant operations performed after the hacker has injected into a process on the tamper-proof white list. Nor can they prevent a malicious user from entering the website server and performing malicious or unintentional operations that cause faults and make the website inaccessible.
In summary, how to effectively solve problems such as website tamper-proofing is a technical problem that those skilled in the art urgently need to solve.
Disclosure of Invention
The application aims to provide a modification behavior auditing method, a modification behavior auditing device, modification behavior auditing equipment and a readable storage medium, so that malicious modification of a website is prevented, and normal operation of the website is guaranteed.
In order to solve the technical problem, the application provides the following technical scheme:
a modification behavior auditing method, comprising:
monitoring a modification behavior of a client in a target website to obtain modification content and modification behavior information;
performing tamper-proof verification on the modification behavior information;
if the verification succeeds, performing a security audit on the modification content; if the audit succeeds, allowing the client to execute the modification behavior;
if the verification fails, blocking the modification behavior.
Preferably, performing tamper-proof verification on the modification behavior information includes:
acquiring a tamper-proof white list;
judging whether the modification behavior information matches the tamper-proof white list;
if it matches, determining that the modification behavior information is verified successfully;
if it does not match, determining that verification of the modification behavior information fails.
Preferably, judging whether the modification behavior information matches the tamper-proof white list includes:
acquiring a modification process, a modification user and a modification IP from the modification behavior information;
acquiring a legal process, a legal user and a legal IP from the tamper-proof white list;
determining that the modification behavior information matches the tamper-proof white list when the modification process matches the legal process, the modification IP matches the legal IP, and the modification user matches the legal user.
Preferably, performing a security audit on the modification content includes:
if the modification content is a modification of file content, acquiring the newly added file content;
judging whether the newly added file content includes at least one of an illegal character, an illegal connection command, an illegal external connection command and an illegal calling command;
if so, determining that the audit fails;
if not, determining that the audit succeeds.
Preferably, performing a security audit on the modification content includes:
if the modification content is executing a system command or deleting a file, acquiring the command line to be executed;
judging whether the command line includes at least one of an illegal connection command and an illegal calling command;
if so, determining that the audit fails;
if not, determining that the audit succeeds.
Preferably, if the audit fails, a preset audit failure handling operation is executed.
Preferably, executing the preset audit failure handling operation includes:
blocking the modification behavior;
or, after recording a behavior log or after determining that a manual review has passed, allowing the client to execute the modification behavior.
A modification behavior auditing apparatus, comprising:
a monitoring module, configured to monitor a modification behavior of a client in a target website to obtain modification content and modification behavior information;
a tamper-proof verification module, configured to perform tamper-proof verification on the modification behavior information;
a content auditing module, configured to perform a security audit on the modification content if the verification succeeds, and, if the audit succeeds, to allow the client to execute the modification behavior;
and a blocking module, configured to block the modification behavior if the verification fails.
An electronic device, comprising:
a memory for storing a computer program;
and a processor, configured to implement the steps of the above modification behavior auditing method when executing the computer program.
A readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the above modification behavior auditing method.
With the method provided by the embodiments of the present application, the modification behavior of the client in the target website is monitored to obtain modification content and modification behavior information; tamper-proof verification is performed on the modification behavior information; if the verification succeeds, a security audit is performed on the modification content; if the audit fails, a preset audit failure handling operation is executed; if the verification fails, the modification behavior is blocked.
In the present application, monitoring the modification behavior of the client in the target website yields the modification content and the modification behavior information. Tamper-proof verification is performed on the modification behavior information. If the verification succeeds, a security audit is further performed on the modification content, and if the audit succeeds, the client is allowed to execute the modification behavior. If the verification fails, the modification behavior is blocked directly. In other words, the security audit of the modification content takes place only after the tamper-proof verification has succeeded, and the client is allowed to execute the modification behavior only when the audit also succeeds. The present application therefore not only performs tamper-proof verification on the modification behavior information but also performs a dedicated security audit on the modification content. This prevents a hacker from performing illegal or non-compliant operations after injecting into a process on the tamper-proof white list; it can also address the problem of a website becoming inaccessible because of faults caused by malicious or unintentional operations after a malicious user enters the website server. Malicious tampering can be effectively avoided, and normal operation of the website can be guaranteed.
Correspondingly, the embodiments of the present application further provide a modification behavior auditing apparatus, device, and readable storage medium corresponding to the above modification behavior auditing method. These have the technical effects described above, which are not repeated here.
Drawings
In order to illustrate the technical solutions in the embodiments of the present application or in the related art more clearly, the drawings needed for describing the embodiments or the related art are briefly introduced below. The drawings in the following description are only some embodiments of the present application, and those skilled in the art can obtain other drawings from them without creative effort.
FIG. 1 is a flow chart of an implementation of a modification behavior auditing method in an embodiment of the present application;
FIG. 2 is a schematic structural diagram of a modification behavior auditing apparatus in an embodiment of the present application;
FIG. 3 is a schematic structural diagram of an electronic device in an embodiment of the present application;
FIG. 4 is a schematic structural diagram of an electronic device in an embodiment of the present application.
Detailed Description
In order that those skilled in the art will better understand the disclosure, the following detailed description will be given with reference to the accompanying drawings. It is to be understood that the embodiments described are only a few embodiments of the present application and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Referring to FIG. 1, FIG. 1 is a flowchart of a modification behavior auditing method in an embodiment of the present application. The method may be applied directly to a client or to a server of the target website. The following description takes application to the client as an example; for the specific implementation on the server, refer to the description of the client implementation. The method comprises the following steps:
S101, monitoring the modification behavior of the client in the target website to obtain modification content and modification behavior information.
The target website can be any website which needs to perform security audit on website content modification behaviors.
In this embodiment, server software may be deployed and run on the server, and the client establishes a connection with this central server through client software on the computer that needs to be monitored.
The client can download the behavior audit library built into the central server, and can also accept a behavior audit library custom-configured by the user. The audit library mainly contains audit-related information such as: auditing of external connection behavior of white list processes, auditing of file content inserted by white list processes, auditing of system commands executed by white list processes, and auditing of file deletion by white list processes. In the user-configured behavior audit library on the client, the user can set white list information, such as the process names and IPs allowed to submit website content, and the handling mode for behavior audit, such as automatic blocking, release, or manual review.
In this embodiment, the client software on the client may monitor the client's own modification behavior to obtain the modification content and the modification behavior information. The modification content and the modification behavior information may also be reported to the central server for processing.
Here, the modification content is the object or content to be modified; the modification behavior information identifies which process, which user, and which IP is performing the modification behavior.
S102, performing tamper-proof verification on the modification behavior information.
In this embodiment, a white list may be preset that specifies the processes, IPs, and users that are allowed to make modifications. This white list is referred to herein as the tamper-proof white list, and the processes, IPs, and users in it are the legal processes, legal IPs, and legal users, respectively. A black list may also be set in the present application, specifying the processes, IPs, and users that are not allowed to make modifications. In practice, the white list can be used alone, the black list can be used alone, or the two can be combined.
Specifically, when the modification behavior information matches the white list, the verification is determined to be successful; otherwise, the verification is determined to have failed. When the modification behavior information matches the black list, the verification is determined to have failed; otherwise, the verification is determined to be successful.
In a specific embodiment of the present application, performing tamper-proof verification on the modification behavior information includes:
step one, acquiring a tamper-proof white list;
step two, judging whether the modification behavior information matches the tamper-proof white list;
step three, if it matches, determining that the modification behavior information is verified successfully;
step four, if it does not match, determining that verification of the modification behavior information fails.
For convenience of description, the above four steps will be described in combination.
The tamper-proof white list can be a white list in a behavior audit library downloaded from the central server, or a user-defined white list.
After the anti-tampering white list is obtained, whether the modification behavior information is matched with the anti-tampering white list can be judged, and if the modification behavior information is matched with the anti-tampering white list, the modification behavior corresponding to the modification behavior information is allowed to be executed. That is, if the modification behavior information matches the tamper-resistant white list, it is determined that the modification behavior information verification is successful, and otherwise, the modification behavior information verification fails.
Step two, judging whether the modification behavior information matches the tamper-proof white list, may specifically include:
step 1, acquiring a modification process, a modification user and a modification IP from the modification behavior information;
step 2, acquiring a legal process, a legal user and a legal IP from the tamper-proof white list;
step 3, determining that the modification behavior information matches the tamper-proof white list when the modification process matches the legal process, the modification IP matches the legal IP, and the modification user matches the legal user.
It should be noted that, in this embodiment, the modification behavior information specifically includes a modification process, a modification user, and a modification IP. The modification behavior information is determined to match the tamper-proof white list only when the modification process matches a legal process in the white list, the modification user matches a legal user in the white list, and the modification IP matches a legal IP in the white list. That is, the match is established only when all three checks, on the modification process, the modification user, and the modification IP, succeed.
In a specific implementation, to improve efficiency, the legitimacy checks on the modification process, the modification user, and the modification IP can be performed at the same time, and the modification behavior information is determined to match the tamper-proof white list when all of them match. Alternatively, the checks can be performed in sequence, and the modification behavior information is determined not to match the tamper-proof white list as soon as any one item fails to match.
For example: first, acquire the modification process and match it against the legal processes; if the match succeeds, proceed to IP matching, and if not, directly determine that the modification behavior information does not match the tamper-proof white list. Next, acquire the modification IP and match it against the legal IPs; if the match succeeds, proceed to user matching, and if not, directly determine that the modification behavior information does not match the tamper-proof white list. Finally, acquire the modification user (such as a user name or a user ID) and match it against the legal users; if the match succeeds, determine that the modification behavior information matches the tamper-proof white list, and if not, determine that it does not match. Only after the triple verification of IP, process, and user has succeeded is the modification behavior information determined to match the tamper-proof white list, and only then does the subsequent audit of the modification content begin.
If the verification fails, executing step S103; if the verification is successful, step S104 is performed.
S103, blocking the modification behavior.
When the tamper-proof verification fails, the modification behavior can be blocked directly, i.e. the client is prohibited from executing the modification behavior.
S104, performing a security audit on the modification content.
After the tamper-proof verification is determined to be successful, a security audit of the modification content is still needed, in order to avoid website failures caused by hackers or illegal users modifying website content, intentionally or unintentionally.
That is, once the modification behavior itself has been determined to be legitimate, it is further determined whether the content change made by that legitimate behavior is legitimate.
Specifically, the security audit of the modification content can be performed using the audit rules set in the behavior audit library. Different audit rules can be set for different kinds of modification; examples for individual cases follow:
The specific process of auditing modification content of the file content type comprises the following steps:
step one, if the modification content is a modification of file content, acquiring the newly added file content;
step two, judging whether the newly added file content includes at least one of an illegal character, an illegal connection command, an illegal external connection command and an illegal calling command;
step three, if so, determining that the audit of the modification content fails;
step four, if not, determining that the audit of the modification content succeeds.
For convenience of description, the above four steps will be described in combination.
If the modification content is a modification of file content, the newly added file content is scanned using the built-in behavior audit library. The scan checks whether the newly added content includes illegal characters, illegal connection commands, illegal external connection commands, illegal calling commands, and the like, all of which can be preset. If at least one of an illegal character, an illegal connection command, an illegal external connection command, or an illegal calling command is found in the newly added file content, the modification content is determined to have a security problem and the audit is determined to have failed; if none is found, the audit is determined to have succeeded.
The specific process of auditing modification content of the command execution type comprises the following steps:
step one, if the modification content is executing a system command or deleting a file, acquiring the command line to be executed;
step two, judging whether the command line includes at least one of an illegal connection command and an illegal calling command;
step three, if so, determining that the audit of the modification content fails;
step four, if not, determining that the audit of the modification content succeeds.
For convenience of description, the above four steps will be described in combination.
If the modification content is a modification operation such as executing a system command or deleting a file, the command line to be executed is acquired and scanned for illegal connection commands, illegal calling commands, and the like. If at least one of an illegal connection command and an illegal calling command is present, the audit of the modification content is determined to have failed; otherwise, the audit succeeds.
It should be noted that, during content auditing, matching may first be performed with the audit rules set by the central server, and then, if none of those rules matches, with the audit rules set by the user.
If the security audit is passed, executing step S106; otherwise, step S105 is executed.
S105, executing a preset audit failure handling operation.
The preset audit failure handling operation can be a preset default operation or can be user-defined. Specifically, executing the preset audit failure handling operation includes: blocking the modification behavior; or, after recording a behavior log or after determining that a manual review has passed, allowing the client to execute the modification behavior. Specifically, the user sets the handling mode for behavior audit: automatic blocking, release, or manual review.
That is, if the mode is automatic blocking, the behavior is blocked directly; if the mode is release, the behavior log is recorded and the behavior is then released; if the mode is manual review, the behavior is released after the review passes. If no audit rule is matched, the operation is determined to be legitimate and is released, and the modification or execution is allowed.
S106, allowing the client to execute the modification behavior.
That is, the client may perform the modification action normally to modify the file or content in the website.
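The S101 to S106 flow described above, as an added Python example that is not part of the patent text. The rule patterns, the names (`Behavior`, `Whitelist`, `handle`), the CIDR form of the legal IPs, and the sample white list are constructed assumptions; the patent leaves the concrete rules to the behavior audit library.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from enum import Enum


class Disposition(Enum):
    """Configured handling mode for an audit failure (S105)."""
    BLOCK = "block"
    LOG_AND_RELEASE = "release"
    MANUAL_REVIEW = "manual"


@dataclass(frozen=True)
class Behavior:
    """Modification behavior information gathered in S101."""
    process: str
    user: str
    ip: str


@dataclass(frozen=True)
class Whitelist:
    """Tamper-proof white list; legal IPs are held as networks (assumption)."""
    processes: frozenset
    users: frozenset
    networks: tuple

    def matches(self, b: Behavior) -> bool:
        # Sequential triple check from S102: process, then IP, then user.
        # The first item that fails to match ends the check.
        if b.process not in self.processes:
            return False
        try:
            addr = ipaddress.ip_address(b.ip)
        except ValueError:
            return False  # an unparsable source address never matches
        if not any(addr in net for net in self.networks):
            return False
        return b.user in self.users


# Constructed sample rules, one per category named in the text.
FILE_RULES = {
    "illegal character": re.compile(r"[\x00-\x08\x0e-\x1f]"),
    "illegal connection command": re.compile(r"\|\s*(?:sh|bash)\b"),
    "illegal external connection command": re.compile(
        r"""<(?:script|iframe)\b[^>]*\bsrc\s*=\s*["']?(?:https?:)?//""", re.I),
    "illegal calling command": re.compile(
        r"\b(?:eval|system|exec|passthru|shell_exec)\s*\(", re.I),
}
COMMAND_RULES = {
    "illegal connection command": re.compile(r";|&&|\|\||\||`|\$\("),
    "illegal calling command": re.compile(
        r"\b(?:sh|bash|powershell|cmd(?:\.exe)?)\b", re.I),
}


def audit(kind: str, content: str) -> list:
    """S104: return the names of violated rules; an empty list means success.

    kind is "file" for newly added file content, or "command" for a
    system command or file deletion command line.
    """
    rules = FILE_RULES if kind == "file" else COMMAND_RULES
    return [name for name, rx in rules.items() if rx.search(content)]


@dataclass
class Decision:
    allowed: bool
    stage: str                      # "whitelist", "audit", or "ok"
    reasons: list = field(default_factory=list)
    pending_review: bool = False    # held until a reviewer approves


def handle(behavior, kind, content, whitelist, on_fail, log) -> Decision:
    if not whitelist.matches(behavior):              # S102 failed -> S103
        return Decision(False, "whitelist", ["not on tamper-proof white list"])
    hits = audit(kind, content)                      # S104
    if not hits:
        return Decision(True, "ok")                  # S106
    if on_fail is Disposition.BLOCK:                 # S105, by configured mode
        return Decision(False, "audit", hits)
    if on_fail is Disposition.LOG_AND_RELEASE:
        log.append((behavior, kind, hits))           # record, then release
        return Decision(True, "audit", hits)
    return Decision(False, "audit", hits, pending_review=True)


# Constructed sample white list.
WL = Whitelist(frozenset({"cms-publisher"}), frozenset({"webeditor"}),
               (ipaddress.ip_network("10.20.0.0/24"),))

if __name__ == "__main__":
    editor = Behavior("cms-publisher", "webeditor", "10.20.0.15")
    print(handle(editor, "file", "<p>Opening hours updated</p>",
                 WL, Disposition.BLOCK, []))
    print(handle(editor, "command", "rm /var/www/site/index.html && sh /tmp/job.sh",
                 WL, Disposition.MANUAL_REVIEW, []))
```

The second call shows the case the patent targets: the process, IP, and user all pass the white list, yet the content audit still stops the change.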
Corresponding to the above method embodiment, the present application embodiment further provides a modification behavior auditing apparatus, and the modification behavior auditing apparatus described below and the modification behavior auditing method described above may be referred to in correspondence with each other.
Referring to fig. 2, the apparatus includes the following modules:
the monitoring module 101 is configured to monitor a modification behavior of a client in a target website to obtain modification content and modification behavior information;
the tamper-proof verification module 102 is used for performing tamper-proof verification on the modification behavior information;
the content auditing module 103 is configured to perform a security audit on the modification content if the verification succeeds, and, if the audit succeeds, to allow the client to execute the modification behavior;
a blocking module 104, configured to block the modification behavior if the verification fails.
With the apparatus provided by the embodiments of the present application, the modification behavior of the client in the target website is monitored to obtain modification content and modification behavior information; tamper-proof verification is performed on the modification behavior information; if the verification succeeds, a security audit is performed on the modification content; if the audit fails, a preset audit failure handling operation is executed; if the verification fails, the modification behavior is blocked.
In a specific embodiment of the present application, the tamper-resistant verification module 102 is specifically configured to obtain a tamper-resistant white list; judging whether the modification behavior information is matched with the anti-tampering white list or not; if the modified behavior information is matched with the modified behavior information, determining that the modified behavior information is successfully verified; and if not, determining that the modified behavior information check fails.
In a specific embodiment of the present application, the tamper-resistant verification module 102 is specifically configured to obtain a modification process, a modification user, and a modification IP from the modification behavior information; obtaining a legal process, a legal user and a legal IP from the anti-tampering white list; and under the conditions that the modification process is matched with the legal process, the modification IP is matched with the legal IP, and the modification user is matched with the legal user, determining that the modification behavior information is matched with the anti-tampering white list.
In a specific embodiment of the present application, the content auditing module 103 is specifically configured to, if the modified content is modified file content, obtain newly added file content; judging whether the content of the newly added file comprises at least one of an illegal character, an illegal connection command, an illegal external connection command and an illegal calling command; if so, determining that the audit fails; if not, the audit is determined to be successful.
In a specific embodiment of the present application, the content auditing module 103 is specifically configured to, if the modified content is an execution system command or a delete file, obtain a command line to be executed; judging whether the command line comprises at least one of an illegal connecting command and an illegal calling command; if so, determining that the audit fails; if not, the audit is determined to be successful.
In a specific embodiment of the present application, the preset operation executing module is configured to execute a preset audit failure handling operation if the audit fails.
In a specific embodiment of the present application, the preset operation execution module is specifically configured to block the modification behavior; or, after recording the behavior log or determining that the manual review passes, allow the client to execute the modification behavior.
Corresponding to the above method embodiment, the embodiments of the present application further provide an electronic device; the electronic device described below and the modification behavior auditing method described above may be read with reference to each other.
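The decision flow of the modules above, sketched as an added example (not code from the patent or from the applicant): whitelist match on process, user and IP first, content audit only afterwards, then the configured audit-failure handling. The field names, whitelist entries, sample inputs and all rule patterns are constructed assumptions; this section does not define what counts as an illegal character or command.

```python
import ipaddress
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Behavior:              # one monitored modification (field names are assumptions)
    process: str
    user: str
    ip: str
    kind: str                # "file_write", "exec" or "delete"
    payload: str             # newly added file content, or the command line

# Constructed tamper-proof whitelist: legal process, legal user, legal IP.
WHITELIST = {"processes": {"/usr/sbin/php-fpm"}, "users": {"deploy"},
             "ips": {ipaddress.ip_address("10.0.5.20")}}

# Assumed stand-in patterns for the rule categories the text names.
FILE_RULES = {
    "illegal character": re.compile(r"[\x00-\x08\x0e-\x1f]"),
    "illegal external connection command": re.compile(r"\b(curl|wget|nc)\b|/dev/tcp/"),
    "illegal calling command": re.compile(r"\b(eval|system|exec|passthru)\s*\("),
}
CMD_RULES = {
    "illegal connecting command": re.compile(r"[;&|`]|\$\("),
    "illegal calling command": re.compile(r"\b(bash|sh|python|perl)\s+-c\b"),
}

def tamper_check(b, wl=WHITELIST):
    """Process, user and IP must all match the whitelist."""
    try:
        addr = ipaddress.ip_address(b.ip)
    except ValueError:
        return False         # an unparsable source address never matches
    return b.process in wl["processes"] and b.user in wl["users"] and addr in wl["ips"]

def content_audit(b):
    """Names of the rules the payload trips; an empty list means the audit passes."""
    rules = FILE_RULES if b.kind == "file_write" else CMD_RULES
    return [name for name, rx in rules.items() if rx.search(b.payload)]

def decide(b, on_audit_failure="block"):
    """on_audit_failure is 'block', 'log_then_allow' or 'manual_review'."""
    if not tamper_check(b):
        return "block", ["whitelist mismatch"]   # content is never inspected
    hits = content_audit(b)
    return ("allow", []) if not hits else (on_audit_failure, hits)
```

The second stage matters precisely when the first one passes: a request arriving through a whitelisted process, user and IP is still stopped if its content trips a rule.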
Referring to fig. 3, the electronic device includes:
a memory 332 for storing a computer program;
a processor 322, configured to implement the steps of the modification behavior auditing method of the above-described method embodiments when executing the computer program.
Specifically, referring to fig. 4, fig. 4 is a schematic structural diagram of an electronic device provided in this embodiment. The electronic device may vary considerably with configuration or performance, and may include one or more processors (CPUs) 322 and a memory 332, where the memory 332 stores one or more computer applications 342 or data 344. The memory 332 may be transient or persistent storage. The program stored in the memory 332 may include one or more modules (not shown), each of which may include a sequence of instructions operating on a data processing device. Still further, the central processor 322 may be configured to communicate with the memory 332 and to execute, on the electronic device 301, the series of instruction operations stored in the memory 332.
The electronic device 301 may also include one or more power sources 326, one or more wired or wireless network interfaces 350, one or more input-output interfaces 358, and/or one or more operating systems 341.
The steps in the modification behavior auditing method described above may be implemented by the structure of the electronic device.
Corresponding to the above method embodiment, the embodiments of the present application further provide a readable storage medium; the readable storage medium described below and the modification behavior auditing method described above may be read with reference to each other.
A readable storage medium having stored thereon a computer program which, when executed by a processor, carries out the steps of the modification behavior auditing method of the above-described method embodiments.
The readable storage medium may be a USB disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, or any other readable storage medium capable of storing program code.
Those of skill in the art would further appreciate that the various illustrative components and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.

Claims (10)

1. A modification behavior auditing method, comprising:
monitoring modification behaviors of a client in a target website to obtain modification content and modification behavior information;
carrying out tamper-proof verification on the modification behavior information;
if the verification is successful, performing security audit on the modified content; if the audit is successful, allowing the client to execute the modification behavior;
blocking the modifying action if the checking fails.
2. The modification behavior auditing method of claim 1, where performing tamper-proof verification of the modification behavior information comprises:
acquiring a tamper-proof white list;
judging whether the modification behavior information is matched with the anti-tampering white list or not;
if it matches, determining that the verification of the modification behavior information succeeds;
and if not, determining that the verification of the modification behavior information fails.
3. The modification behavior auditing method of claim 2, where determining whether the modification behavior information matches the tamper-resistant whitelist comprises:
acquiring a modification process, a modification user and a modification IP from the modification behavior information;
obtaining a legal process, a legal user and a legal IP from the anti-tampering white list;
and under the condition that the modification process is matched with the legal process, the modification IP is matched with the legal IP, and the modification user is matched with the legal user, determining that the modification behavior information is matched with the anti-tampering white list.
4. The modification behavior auditing method of claim 1, where security auditing the modification content comprises:
if the modified content is the modified file content, acquiring the newly added file content;
judging whether the content of the newly added file comprises at least one of an illegal character, an illegal connection command, an illegal external connection command and an illegal calling command;
if so, determining that the audit fails;
if not, the audit is determined to be successful.
5. The modification behavior auditing method of claim 1, where security auditing the modification content comprises:
if the modified content is an execution system command or a deletion file, acquiring a command line to be executed;
judging whether the command line comprises at least one of an illegal connecting command and an illegal calling command;
if so, determining that the audit fails;
if not, the audit is determined to be successful.
6. A modification behavior auditing method according to any one of claims 1 to 5 in which a predetermined audit failure handling operation is performed if the audit fails.
7. The modification behavior auditing method of claim 6, where performing a pre-set audit failure handling operation comprises:
blocking the modifying behavior;
or recording a behavior log or allowing the client to execute the modification behavior after the manual review is determined to pass.
8. A modification behavior auditing apparatus, comprising:
the monitoring module is used for monitoring the modification behavior of the client in the target website to obtain modification content and modification behavior information;
the anti-tampering verification module is used for carrying out anti-tampering verification on the modification behavior information;
the content auditing module is used for carrying out safety audit on the modified content if the verification is successful; if the audit is successful, allowing the client to execute the modification behavior;
and the blocking module is used for blocking the modification behavior if the verification fails.
9. An electronic device, comprising:
a memory for storing a computer program;
a processor for implementing the steps of the modification behavior auditing method of any one of claims 1 to 7 when executing said computer program.
10. A readable storage medium having stored thereon a computer program which, when executed by a processor, carries out the steps of the modification behavior auditing method of any one of claims 1 to 7.
CN202110577328.XA 2021-05-26 2021-05-26 Modification behavior auditing method, device, equipment and readable storage medium Pending CN113297628A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110577328.XA CN113297628A (en) 2021-05-26 2021-05-26 Modification behavior auditing method, device, equipment and readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110577328.XA CN113297628A (en) 2021-05-26 2021-05-26 Modification behavior auditing method, device, equipment and readable storage medium

Publications (1)

Publication Number Publication Date
CN113297628A true CN113297628A (en) 2021-08-24

Family

ID=77325152

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110577328.XA Pending CN113297628A (en) 2021-05-26 2021-05-26 Modification behavior auditing method, device, equipment and readable storage medium

Country Status (1)

Country Link
CN (1) CN113297628A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113835931A (en) * 2021-10-11 2021-12-24 长春嘉诚信息技术股份有限公司 Data modification discovery method applied to block chain

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106682529A (en) * 2017-01-04 2017-05-17 北京国舜科技股份有限公司 Anti-tampering method and anti-tampering terminal
CN110691083A (en) * 2019-09-26 2020-01-14 杭州安恒信息技术股份有限公司 External connection blocking method based on process
CN111967058A (en) * 2020-07-28 2020-11-20 浙江军盾信息科技有限公司 Tamper-proof method supporting user white list, electronic device and storage medium


Similar Documents

Publication Publication Date Title
KR100681696B1 (en) Method for preventing from inventing data of memory in a computer application program
Berthome et al. Repackaging android applications for auditing access to private data
CN102262574B (en) Boot protecting method and device of operating system
CN105656860A (en) Safety management and control method, apparatus and system for Android system
CN113704767A (en) Vulnerability scanning engine and vulnerability worksheet management fused vulnerability management system
CN110968872A (en) File vulnerability detection processing method and device, electronic equipment and storage medium
CN111191226A (en) Method, device, equipment and storage medium for determining program by using privilege-offering vulnerability
CN112738094B (en) Expandable network security vulnerability monitoring method, system, terminal and storage medium
CN113138836A (en) Escape-proof honeypot system based on Docker container and method thereof
Eriksson et al. Hardening the security analysis of browser extensions
JP2006330864A (en) Control method for server computer system
CN113297628A (en) Modification behavior auditing method, device, equipment and readable storage medium
CN113810431A (en) Method and system for traffic Internet of things terminal security detection based on Hook
US7620983B1 (en) Behavior profiling
CN112613011B (en) USB flash disk system authentication method and device, electronic equipment and storage medium
CN111783087A (en) Method and device for detecting malicious execution of executable file, terminal and storage medium
CN107818260B (en) Method and device for guaranteeing system safety
CN109583206B (en) Method, device, equipment and storage medium for monitoring access process of application program
CN116415300A (en) File protection method, device, equipment and medium based on eBPF
CN114546420A (en) Software remote installation protection uninstalling method
CN108052803B (en) Access control method and device and electronic equipment
CN113987435A (en) Illegal copyright detection method and device, electronic equipment and storage medium
CN117648100B (en) Application deployment method, device, equipment and storage medium
CN111538990B (en) Internet analysis system
CN110647771A (en) Mysql database storage integrity verification protection method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210824
