CN113746925B - File transmission behavior auditing method and device, electronic equipment and storage medium


Info

Publication number
CN113746925B
Authority
CN
China
Prior art keywords
data message
ftp
ssh
message
event
Legal status
Active
Application number
CN202111040098.XA
Other languages
Chinese (zh)
Other versions
CN113746925A (en)
Inventor
蔡宏安
Current Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Original Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/06 Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22 Parsing or analysis of headers
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Abstract

The application relates to a file transmission behavior auditing method and device, electronic equipment and a storage medium, and belongs to the technical field of network security. The file transmission behavior auditing method comprises the following steps: acquiring a designated data message; judging, based on the message length of the data message, whether the data message is based on a preset file transfer protocol, and obtaining a judging result, where if the message length of the data message is not smaller than a preset length, the judging result represents that the data message is based on the preset file transfer protocol; acquiring characteristic information of the data message; and generating an audit log of the data message according to the characteristic information and the judging result. Because whether the data message is based on the preset file transfer protocol is judged from its message length alone, file transmission behavior can be audited efficiently without protocol identification or data decryption.

Description

File transmission behavior auditing method and device, electronic equipment and storage medium
Technical Field
The application belongs to the technical field of network security, and particularly relates to a file transmission behavior auditing method, a file transmission behavior auditing device, electronic equipment and a storage medium.
Background
With the rapid development of network technology, network security faces new challenges even as data protection is strengthened. For example, under the general trend towards data encryption, how can encrypted network behavior be identified and audited effectively? And once equipment or services move to the cloud, the traffic mirror of a public cloud is not visible, so security monitoring techniques that rely on traffic mirroring fail; these challenges need to be solved.
SFTP (Secure File Transfer Protocol) is a secure file transfer protocol based on SSH (Secure Shell protocol), and the entire file transfer process is encrypted. Auditing of SFTP file transfer behavior therefore faces the challenges described above.
At present, auditing of SFTP file transmission behavior is mainly carried out by decrypting the SSH ciphertext: for example, SSH encrypted data packets are obtained from a network traffic mirror, the transmission key is deduced during the SSH file transmission stage, the SSH ciphertext is decrypted, and the SFTP plaintext content is extracted and then audited. This method needs to analyze the complete SFTP file transmission process, so it requires a long audit time period and a large amount of storage space for storing messages.
Disclosure of Invention
In view of this, the present application aims to provide a file transfer behavior auditing method and device, an electronic apparatus and a storage medium, so as to solve the problems of the long auditing time period and the large storage space required by the existing auditing method.
Embodiments of the present application are implemented as follows:
In a first aspect, an embodiment of the present application provides a file transfer behavior auditing method, including: acquiring a designated data message; judging, based on the message length of the data message, whether the data message is based on a preset file transfer protocol and obtaining a judging result, where if the message length of the data message is not smaller than a preset length, the judging result represents that the data message is based on the preset file transfer protocol; acquiring characteristic information of the data message; and generating an audit log of the data message according to the characteristic information and the judging result. In this embodiment, whether the data message is based on the preset file transfer protocol is judged from the message length of the data message, so file transfer behavior can be audited efficiently without protocol identification or data decryption, which solves the problems of the long audit time period and the large storage requirement of the existing audit method.
With reference to a possible implementation manner of the embodiment of the first aspect, acquiring the designated data message includes: determining that a monitored process event meets a preset condition, and capturing the data messages related to the process event that meets the preset condition, so as to obtain the designated data message. In this embodiment, process events are monitored, and when a process event meeting the preset condition is detected, the data messages related to that process event are captured to obtain the designated data message. By adopting active packet capture, this solves the problem that the audit of file transmission behavior cannot be completed under the SDN (Software Defined Network) architecture on the cloud when data messages are obtained from a traffic mirror (because the traffic mirror of a public cloud is invisible after equipment or services move to the cloud).
With reference to a possible implementation manner of the embodiment of the first aspect, determining that the monitored process event meets the preset condition includes: acquiring a process identifier of the monitored process event; judging, based on the process identifier, whether the process event belongs to an SFTP service event or an SSH login event; and if it belongs to an SFTP service event or an SSH login event, determining that the preset condition is met. In this embodiment, the process identifier of the monitored process event is obtained and whether the process event meets the preset condition is judged from it, so that this can be determined rapidly and the capture of SSH data messages is triggered.
With reference to a possible implementation manner of the embodiment of the first aspect, capturing the data messages related to the process event that meets the preset condition includes: acquiring the protocol and port number of the SSH service port, and generating a packet capture filter based on the protocol and port number; and capturing SSH data messages based on the packet capture filter. In this embodiment, the protocol and port number of the service port are acquired to generate a packet capture filter that captures only SSH data messages, so the designated SSH data messages can be captured without protocol identification.
With reference to a possible implementation manner of the first aspect embodiment, the data packet is an SSH data packet, the preset file transfer protocol is an SFTP file transfer protocol, or the data packet is an FTP data packet, and the preset file transfer protocol is an FTP file transfer protocol.
With reference to a possible implementation manner of the embodiment of the first aspect, the characteristic information of the data message includes the source IP of the data message, and generating the audit log of the data message according to the characteristic information and the judging result includes: generating the audit log of the data message according to the characteristic information, a login user identifier and the judging result, where the login user identifier is obtained from a login event according to the source IP. In this embodiment, the generated audit log also carries the login user identifier of the logged-in user, which further completes the audit evidence and improves the security protection of the data transmitted in and out.
With reference to a possible implementation manner of the embodiment of the first aspect, the method further includes: counting the number of data messages based on the preset file transfer protocol, and when the counted number is not smaller than a first preset threshold, ending the packet capture and re-entering the monitoring state; or, if the duration for which no designated data message has been captured is not less than a second preset threshold, ending the packet capture and re-entering the monitoring state. In this embodiment, an active exit mechanism is set during packet capture to effectively self-limit the performance and storage consumption of host resources.
In a second aspect, an embodiment of the present application further provides a file transfer behavior auditing apparatus, including an acquisition module and a processing module. The acquisition module is used for acquiring the designated data message. The processing module is used for judging, based on the message length of the data message, whether the data message is based on a preset file transfer protocol and obtaining a judging result, where if the message length of the data message is not smaller than a preset length, the judging result represents that the data message is based on the preset file transfer protocol; and for acquiring the characteristic information of the data message and generating an audit log of the data message according to the characteristic information and the judging result.
In a third aspect, an embodiment of the present application further provides an electronic device, including: the device comprises a memory and a processor, wherein the processor is connected with the memory; the memory is used for storing programs; the processor is configured to invoke the program stored in the memory, so as to perform the foregoing embodiment of the first aspect and/or the method provided in connection with any possible implementation manner of the embodiment of the first aspect.
In a fourth aspect, the embodiments of the present application further provide a computer readable storage medium having stored thereon a computer program which, when executed by a processor, performs the method provided by the embodiments of the first aspect and/or any one of the possible implementations of the embodiments of the first aspect.
Additional features and advantages of the application will be set forth in the description which follows, and in part will be apparent from the description, or may be learned by practice of the embodiments of the application. The objects and other advantages of the present application may be realized and attained by the structure particularly pointed out in the written description and drawings.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings that are needed in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings can be obtained according to these drawings without inventive effort for a person skilled in the art. The above and other objects, features and advantages of the present application will become more apparent from the accompanying drawings. Like reference numerals refer to like parts throughout the several views of the drawings. The drawings are not intended to be drawn to scale, with emphasis instead being placed upon illustrating the principles of the present application.
Fig. 1 shows a flow chart of a file transfer behavior auditing method according to an embodiment of the present application.
Fig. 2 is a schematic flow chart of another method for auditing file transfer behaviors according to an embodiment of the present application.
Fig. 3 is a schematic block diagram of a file transfer behavior auditing apparatus according to an embodiment of the present application.
Fig. 4 shows a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
It should be noted that: like reference numerals and letters denote like items in the following figures, and thus once an item is defined in one figure, no further definition or explanation thereof is necessary in the following figures. Also, relational terms such as "first," "second," and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
Furthermore, the term "and/or" in this application merely describes an association relation between associated objects and indicates that three relations may exist; for example, A and/or B may indicate: A exists alone, A and B exist together, or B exists alone.
In view of the defects of the existing file transfer behavior auditing method, the embodiment of the application provides a file transfer behavior auditing method, so that the problems of long auditing time period and more storage space requirement of the existing auditing method are solved.
The file transfer behavior auditing method provided in the embodiment of the present application will be described below with reference to fig. 1.
S1: and acquiring the designated data message.
A specified data message is acquired, for example, an SSH (Secure Shell protocol) data message or an FTP (File Transfer Protocol file transfer protocol) data message.
In one embodiment, the specified data message may be obtained in an existing manner, for example, based on a traffic mirror.
Considering that after equipment or service cloudization, traffic mirror images of public cloud are invisible, traffic mirror images under an SDN (Software Defined Network ) network architecture on the cloud cannot be obtained. In order to solve the problem, in one embodiment, the specified data message may be obtained by adopting an active packet capturing manner. By installing Agent software (also called probe) on a cloud host under an SDN network architecture, the Agent can acquire a process event message from a kernel state in real time through a message mechanism (such as Netlink) and grasp a packet of local network communication based on a network data packet capturing function (such as libpcap). In this embodiment, the process of acquiring the specified data packet may be: and determining that the monitored process event meets the preset condition, and capturing the data message related to the process event meeting the preset condition, so as to obtain the designated data message.
The Agent monitors the process event in the local machine, and when the process event meeting the preset condition is monitored, the Agent can grasp the designated data message.
In one embodiment, the determining that the monitored process event meets the preset condition may be: the process identification of the monitored process event is obtained, for example, the process pid (process id) of the monitored process event is obtained, the detailed information (including the process name and the like) of the process can be obtained through the process pid, whether the process event belongs to the SFTP service event or the SSH login event is judged based on the process identification, if the process event belongs to the SFTP service event or the SSH login event, for example, if the process name is SFTP-server, the process event belongs to the SFTP service event, if the process identification represents the SSH login, the process event belongs to the SSH login event, and the preset condition is determined to be met. At this time, the SFTP service is started or the SSH service is started, so that the designated SSH data message can be grabbed.
In one embodiment, the determining that the monitored process event meets the preset condition may be: and acquiring a process identifier of the monitored process event, such as a process pid, judging whether the process event belongs to an FTP service event or an FTP login event based on the process identifier, and if the process event belongs to the FTP service event or the FTP login event, determining that a preset condition is met, and indicating that the FTP service is started at the moment, so that the designated FTP data message can be grabbed.
In one embodiment, the process of capturing the specified SSH data packet may be: the method comprises the steps of obtaining a protocol and a port number of an SSH service port, generating a message packet-grabbing filter based on the protocol and the port number, and then grabbing packets of SSH data messages based on the message packet-grabbing filter, wherein the message packet-grabbing filter can only grab packets of appointed SSH data messages in a network message packet-grabbing process.
By the method, the designated SSH data message can be grabbed under the condition of no protocol identification.
In one embodiment, the process of capturing the specified FTP data packet may be: and acquiring a protocol and a port number of the FTP service port, generating a message packet-grabbing filter based on the protocol and the port number, and then grabbing the FTP data message based on the message packet-grabbing filter, wherein the message packet-grabbing filter can only grab the designated FTP data message in the process of grabbing the network message.
According to the method, the designated FTP data message can be grabbed under the condition of no protocol identification.
S2: judging whether the data message is based on a preset file transfer protocol based message length of the data message, and obtaining a judging result.
After the designated data message is acquired, the acquired data packet is analyzed based on a deep packet flow detection technology, the message length of the data message is acquired from metadata of the data packet, then whether the data message is based on a preset file transfer protocol or not is judged based on the message length of the data message, and a judgment result is obtained, wherein if the message length of the data message is not smaller than the preset length, for example, the preset length can be set according to requirements, for example, the preset length can be greater than or equal to 1000 bytes, a judgment result that the data message is based on the preset file transfer protocol is obtained, and if the message length of the data message is smaller than the preset length, a judgment result that the data message is not based on the preset file transfer protocol is obtained. When the length of the data message is not smaller than the preset length, the occurrence of the preset file transmission behavior can be judged.
The data message is an SSH data message, the preset file transfer protocol is an SFTP file transfer protocol, or the data message is an FTP data message, and the preset file transfer protocol is an FTP file transfer protocol.
The method and the device for judging whether the data message is based on the message length of the data message or not are based on the preset file transfer protocol, so that SSH, SFTP or FTP protocol identification is not needed, decryption is not needed, the message length of the data message can be directly obtained from metadata of the data packet, the auditing time period is greatly shortened, and further, message accumulation needing auditing is not caused, and more storage space is needed for storing the message.
S3: and acquiring the characteristic information of the data message.
After the designated data message is acquired, analyzing the acquired data message data packet based on the deep packet flow detection technology to acquire the characteristic information of the data message, wherein the characteristic information of the data message can comprise: the timestamp of the data message, the source IP, and the destination IP can be included. For example, the timestamp of the data packet is obtained from the metadata of the data packet, and the source IP and the destination IP are obtained from the network layer packet of the data packet. The characteristic information of the data message can be obtained without decrypting the data message, so that the auditing time period is greatly shortened, message accumulation needing auditing is avoided, and more storage space is needed for storing the messages.
S4: and generating an audit log of the data message according to the characteristic information and the judging result.
After the characteristic information of the data message and the judgment result representing whether the data message is based on the preset file transfer protocol are obtained, an audit log of the data message can be generated according to the characteristic information and the judgment result, and the audit of the preset file transfer behavior is completed. For example, the obtained timestamp, the source IP, the destination IP, and the determination result of whether the message is based on the preset file transfer protocol are combined by a specified format (such as json format), and an audit log of the data message including the timestamp, the source IP, the destination IP, and the determination result of whether the message is based on the preset file transfer protocol is generated.
If the judging result represents that the data message is based on the preset file transmission protocol, judging that the preset file transmission behavior occurs, wherein an audit log of the generated data message is equivalent to an audit log of the preset file transmission behavior; if the judging result represents that the data message is not based on the preset file transfer protocol, judging that no preset file transfer behavior occurs, wherein the audit log of the generated data message is equivalent to the audit log of other behaviors.
In one embodiment, according to the feature information and the judgment result, an audit log of the data message is generated, which may be: and generating an audit log of the data message according to the characteristic information, the login user identification and the judgment result. The login user identification is obtained from a login event according to the source IP. At this time, an audit log of the data message including the timestamp, the source IP, the destination IP, the login user identification, and the determination result of whether the message is based on the preset file transfer protocol is generated.
In addition, in order to optimize performance and storage consumption of equipment resources when the packet is grabbed, an active exit mechanism is further used in the embodiment of the present application, for example, the number of messages based on a preset file transfer protocol is counted, and when the counted number of data messages is not smaller than a first preset threshold, for example, the first preset threshold may be 20, the packet grabbing is ended, and the monitoring state is again entered; or if the duration of the continuous data message which is not captured is not less than the second preset threshold, for example, the second preset threshold may be 30 seconds, the capturing of the packet is ended, and the monitoring state is again entered.
In one embodiment, after capturing the specified data message, if the data message is a message based on the preset file transfer protocol, counting the number of the captured message based on the preset file transfer protocol, and when the counted number of the data message is not less than 20, ending the capturing of the packet and entering the monitoring state again. In another embodiment, when the specified data message is grabbed, if the specified data message is not grabbed for 30 seconds, the grabbing of the packet is finished, and the monitoring state is again entered. The active exit mechanism enables the Agent to effectively self-limit the performance consumption and the storage consumption of the host resource when capturing the specified data message.
It should be noted that, the first preset threshold is not limited to example 20, and similarly, the second preset threshold is not limited to example 30, and thus the above example threshold is not to be construed as limiting the application.
An alternative implementation, a flowchart of a file transfer behavior audit method shown in an embodiment of the present application may be shown in fig. 2. In this embodiment, by monitoring a process event, if a process event meeting a preset condition is monitored, a packet capturing filter is generated, a specified data packet is captured, then, whether the data packet is a packet based on a preset file transfer protocol is judged based on a packet length of the data packet, characteristic information of the data packet is obtained, a login user identifier of a login user is obtained from the login event, and then, an audit log of the data packet is generated according to the characteristic information, the login user identifier and a judgment result.
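The flow described above (trigger on a process event, port-scoped capture, length-only judgement, JSON audit log with the login user looked up by source IP, and the active exit mechanism), as an added example that is not part of the patent or the Agent it describes. Captured packets, the login-event table and the process-event shape are constructed inputs; the SSH service port defaulting to tcp/22 is an assumption.

```python
"""Length-based file-transfer auditing over captured packet records.

Added example, not the patent's code. Constructed inputs stand in for the
Agent's Netlink process events and libpcap captures.
"""
import json
from dataclasses import dataclass
from typing import Dict, List, Optional

PRESET_LENGTH = 1000      # bytes; "not smaller than the preset length" => file transfer
FIRST_THRESHOLD = 20      # qualifying packets captured, then stop capturing
SECOND_THRESHOLD = 30.0   # seconds without any captured packet, then stop capturing


@dataclass
class Packet:
    ts: float       # capture timestamp, from capture metadata
    src_ip: str     # from the IP header
    dst_ip: str
    length: int     # frame length from capture metadata; payload is never inspected


def select_capture(process_name: str, is_ssh_login: bool, ssh_port: int = 22) -> Optional[str]:
    """Return a BPF filter when the process event meets the preset condition.

    An SFTP service start (process name SFTP-server) or an SSH login event
    selects the SSH service port. Assumption: the port is tcp/22 by default.
    """
    if process_name.lower() == "sftp-server" or is_ssh_login:
        return f"tcp port {ssh_port}"
    return None


def is_file_transfer(pkt: Packet, preset_length: int = PRESET_LENGTH) -> bool:
    """The entire judgement: a long packet on the SSH flow is SFTP file data."""
    return pkt.length >= preset_length


def audit_record(pkt: Packet, login_users: Dict[str, str]) -> str:
    """One JSON audit line: characteristic info, login user by source IP, judgement."""
    return json.dumps({
        "timestamp": pkt.ts,
        "src_ip": pkt.src_ip,
        "dst_ip": pkt.dst_ip,
        "login_user": login_users.get(pkt.src_ip),  # None if no login event matched
        "file_transfer": is_file_transfer(pkt),
    }, sort_keys=True)


class CaptureSession:
    """One capture run with the active-exit mechanism.

    state stays 'capturing' until either threshold fires, then becomes
    'monitoring' (the Agent returns to watching process events).
    """

    def __init__(self, start_ts: float, login_users: Dict[str, str]):
        self.login_users = login_users
        self.last_seen = start_ts        # idle timer starts at capture start
        self.transfer_count = 0
        self.logs: List[str] = []
        self.state = "capturing"

    def on_packet(self, pkt: Packet) -> None:
        if self.state != "capturing":
            return
        self.last_seen = pkt.ts
        self.logs.append(audit_record(pkt, self.login_users))
        if is_file_transfer(pkt):
            self.transfer_count += 1
            if self.transfer_count >= FIRST_THRESHOLD:
                self.state = "monitoring"    # first threshold reached

    def on_tick(self, now: float) -> None:
        """Periodic idle check implementing the second threshold."""
        if self.state == "capturing" and now - self.last_seen >= SECOND_THRESHOLD:
            self.state = "monitoring"


def run_demo() -> CaptureSession:
    """Constructed sample: a login from 10.0.0.5 (alice) followed by a transfer."""
    login_users = {"10.0.0.5": "alice"}   # constructed login-event lookup table
    session = CaptureSession(start_ts=0.0, login_users=login_users)
    # One handshake-sized packet (not a transfer), then 20 full-size data packets.
    session.on_packet(Packet(0.1, "10.0.0.5", "10.0.0.9", 132))
    for i in range(FIRST_THRESHOLD):
        session.on_packet(Packet(1.0 + i * 0.01, "10.0.0.5", "10.0.0.9", 1448))
    return session


if __name__ == "__main__":
    s = run_demo()
    print(s.state, s.transfer_count, len(s.logs))
    print(s.logs[1])
```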
Based on the same inventive concept, the embodiment of the present application further provides a file transmission behavior auditing apparatus 100, as shown in fig. 3, where the file transmission behavior auditing apparatus 100 includes: an acquisition module 110, a processing module 120.
The acquiring module 110 is configured to acquire the specified data packet.
The processing module 120 is configured to judge, based on the message length of the data message, whether the data message is based on a preset file transfer protocol and to obtain a judging result, where if the message length of the data message is not smaller than the preset length, the judging result represents that the data message is based on the preset file transfer protocol; and to obtain the characteristic information of the data message and generate an audit log of the data message according to the characteristic information and the judging result.
Optionally, the acquiring module 110 is specifically configured to determine that a monitored process event meets a preset condition, and to capture the data messages related to the process event that meets the preset condition, so as to obtain the designated data message.
The acquiring module 110 is specifically configured to acquire a process identifier of the monitored process event; to judge, based on the process identifier, whether the process event belongs to an SFTP service event or an SSH login event; and, if it belongs to either, to determine that the preset condition is met.
The acquiring module 110 is specifically configured to acquire the protocol and port number of the SSH service port and generate a packet capture filter based on them, and to capture SSH data messages through the packet capture filter.
The characteristic information of the data message includes the source IP of the data message; the processing module 120 is specifically configured to generate the audit log of the data message according to the characteristic information, the login user identifier and the judging result, where the login user identifier is obtained from a login event according to the source IP.
In an optional implementation, the processing module 120 is further configured to count the number of messages based on the preset file transfer protocol and, when the counted number is not smaller than a first preset threshold, to end packet capture and re-enter the monitoring state; or, if the duration for which no designated data message has been captured is not less than a second preset threshold, to end packet capture and re-enter the monitoring state.
The file transmission behavior auditing device 100 provided in the embodiment of the present application has the same implementation principle and the same technical effects as those of the foregoing method embodiment, and for the sake of brevity, reference may be made to the corresponding content in the foregoing method embodiment where the device embodiment portion is not mentioned.
Fig. 4 shows a block diagram of an electronic device 200 according to an embodiment of the present application. The electronic device 200 includes: a transceiver 210, a memory 220, a communication bus 230, and a processor 240.
The transceiver 210, the memory 220 and the processor 240 are electrically connected to each other, directly or indirectly, to realize data transmission or interaction; for example, the components may be electrically coupled to each other via one or more communication buses 230 or signal lines. The transceiver 210 is configured to transmit and receive data. The memory 220 is used for storing a computer program, such as the software functional modules shown in fig. 3, i.e. the file transfer behavior auditing device 100. The file transfer behavior auditing device 100 includes at least one software functional module, which may be stored in the memory 220 in the form of software or firmware, or solidified in the operating system (OS) of the electronic device 200. The processor 240 is configured to execute the executable modules stored in the memory 220, such as the software functional modules or computer program included in the file transfer behavior auditing device 100. For example, the processor 240 is configured to: acquire a specified data message; judge, based on the message length of the data message, whether the data message is based on a preset file transfer protocol, to obtain a judging result, where if the message length of the data message is not less than a preset length, a judging result indicating that the data message is based on the preset file transfer protocol is obtained; acquire characteristic information of the data message; and generate an audit log of the data message according to the characteristic information and the judging result.
The memory 220 may be, but is not limited to, a random access memory (RAM), a read-only memory (ROM), a programmable read-only memory (PROM), an erasable programmable read-only memory (EPROM), an electrically erasable programmable read-only memory (EEPROM), etc.
The processor 240 may be an integrated circuit chip with signal processing capability. The processor may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), etc.; or a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic device, or discrete hardware component, which can implement or perform the methods, steps and logic blocks disclosed in the embodiments of the present application. A general-purpose processor may be a microprocessor, or the processor 240 may be any conventional processor or the like.
The electronic device 200 includes, but is not limited to, a computer, for example, a cloud host under an SDN network architecture.
The embodiments of the present application further provide a non-volatile computer readable storage medium (hereinafter referred to as a storage medium) on which a computer program is stored, where the computer program, when executed by a computer such as the electronic device 200 described above, performs the file transfer behavior auditing method described above.
It should be noted that the embodiments in this specification are described in a progressive manner, each embodiment focusing on its differences from the other embodiments; for identical or similar parts between the embodiments, reference may be made to each other.
In the several embodiments provided in this application, it should be understood that the disclosed apparatus and method may be implemented in other manners as well. The apparatus embodiments described above are merely illustrative, for example, flow diagrams and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, the functional modules in the embodiments of the present application may be integrated together to form a single part, or each module may exist alone, or two or more modules may be integrated to form a single part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present application, in essence or in the part contributing to the prior art or in a part of the technical solution, may be embodied in the form of a software product stored in a computer-readable storage medium, including several instructions for causing a computer device (which may be a personal computer, a notebook computer, a server, an electronic device, etc.) to perform all or part of the steps of the method described in the embodiments of the present application. The aforementioned computer-readable storage medium includes: a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or any other medium capable of storing program code.
The foregoing is merely specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily think about changes or substitutions within the technical scope of the present application, and the changes and substitutions are intended to be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (6)

1. A method for auditing file transfer behavior, comprising:
acquiring an SSH data message or an FTP data message;
judging, based on the message length of the SSH data message, whether the SSH data message is based on the SFTP file transfer protocol, or judging, based on the message length of the FTP data message, whether the FTP data message is based on the FTP file transfer protocol, to obtain a judging result, where if the message length of the SSH data message is not less than a preset length, a judging result indicating that the SSH data message is based on the SFTP file transfer protocol is obtained, and if the message length of the FTP data message is not less than the preset length, a judging result indicating that the FTP data message is based on the FTP file transfer protocol is obtained;
acquiring characteristic information of the SSH data message or the FTP data message;
generating an audit log of the SSH data message or the FTP data message according to the characteristic information and the judging result;
wherein acquiring the SSH data message comprises:
acquiring a process identifier of a monitored process event, and judging, based on the process identifier, whether the process event belongs to an SFTP service event or an SSH login event; if it belongs to an SFTP service event or an SSH login event, acquiring the protocol and port number of the SSH service port, and generating a packet capture filter based on the protocol and the port number; and capturing the SSH data message based on the packet capture filter;
and acquiring the FTP data message comprises:
acquiring a process identifier of a monitored process event, and judging, based on the process identifier, whether the process event belongs to an FTP service event or an FTP login event; if it belongs to an FTP service event or an FTP login event, acquiring the protocol and port number of the FTP service port, and generating a packet capture filter based on the protocol and the port number; and capturing the FTP data message based on the packet capture filter.
2. The method of claim 1, wherein the characteristic information comprises the source IP of the data message, and generating the audit log of the SSH data message or the FTP data message according to the characteristic information and the judging result comprises:
generating the audit log of the SSH data message or the FTP data message according to the characteristic information, the login user identifier and the judging result, wherein the login user identifier is obtained from a login event according to the source IP.
3. The method according to claim 1, wherein the method further comprises:
counting the number of data messages judged to be based on the preset file transfer protocol;
when the counted number of data messages is not less than a first preset threshold, ending the packet capture and re-entering the monitoring state; or
if no SSH data message or FTP data message has been captured for a duration not less than a second preset threshold, ending the packet capture and re-entering the monitoring state.
4. A file transfer behavior auditing apparatus, comprising:
the acquisition module is used for acquiring the SSH data message or the FTP data message;
the processing module is used for judging, based on the message length of the SSH data message, whether the SSH data message is based on the SFTP file transfer protocol, or judging, based on the message length of the FTP data message, whether the FTP data message is based on the FTP file transfer protocol, to obtain a judging result, where if the message length of the SSH data message is not less than a preset length, a judging result indicating that the SSH data message is based on the SFTP file transfer protocol is obtained, and if the message length of the FTP data message is not less than the preset length, a judging result indicating that the FTP data message is based on the FTP file transfer protocol is obtained; and for acquiring the characteristic information of the SSH data message or the FTP data message, and generating an audit log of the SSH data message or the FTP data message according to the characteristic information and the judging result;
wherein acquiring the SSH data message comprises:
acquiring a process identifier of a monitored process event, and judging, based on the process identifier, whether the process event belongs to an SFTP service event or an SSH login event; if it belongs to an SFTP service event or an SSH login event, acquiring the protocol and port number of the SSH service port, and generating a packet capture filter based on the protocol and the port number; and capturing the SSH data message based on the packet capture filter;
and acquiring the FTP data message comprises:
acquiring a process identifier of a monitored process event, and judging, based on the process identifier, whether the process event belongs to an FTP service event or an FTP login event; if it belongs to an FTP service event or an FTP login event, acquiring the protocol and port number of the FTP service port, and generating a packet capture filter based on the protocol and the port number; and capturing the FTP data message based on the packet capture filter.
5. An electronic device, comprising:
the device comprises a memory and a processor, wherein the processor is connected with the memory;
the memory is used for storing programs;
the processor being operative to invoke a program stored in the memory to perform the method of any of claims 1-3.
6. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, performs the method of any of claims 1-3.
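The capture, judgement and logging procedure described for the device (modules 110 and 120) and claimed in claims 1 to 3 above, as an added example that is not part of the patent or of the applicant's code. It models the claimed steps in Python: a monitored process event is classified by a hypothetical process-name lookup (standing in for the patent's process identifier), a libpcap/BPF-style filter expression is built from the service protocol and port number, each message passing the filter is judged a file transfer when its length is not less than the preset length, the audit record joins the message's characteristic information with the user recorded by an earlier login event from the same source IP, and capture ends either when the count of transfer messages reaches the first threshold or when no message has been captured for the second threshold. Process names, thresholds, IP addresses, ports and packet lengths are all assumed sample values.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hypothetical process names standing in for the patent's "process identifier" lookup.
SSH_PROCS = {"sshd", "sftp-server", "internal-sftp"}   # SSH login / SFTP service events
FTP_PROCS = {"vsftpd", "proftpd", "pure-ftpd"}         # FTP service / login events

@dataclass(frozen=True)
class Packet:  # one captured TCP segment (constructed sample data, not a real capture)
    ts: float
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    length: int  # total packet length in bytes

def classify_process_event(proc_name: str) -> Optional[str]:
    """Map a monitored process event to the service whose port should be captured."""
    if proc_name in SSH_PROCS:
        return "ssh"
    return "ftp" if proc_name in FTP_PROCS else None

def build_capture_filter(protocol: str, port: int) -> str:
    """libpcap/BPF filter expression built from the service protocol and port number."""
    return f"{protocol} port {port}"

def is_file_transfer(pkt: Packet, preset_length: int) -> bool:
    """The claimed heuristic: a message not shorter than the preset length is judged a transfer."""
    return pkt.length >= preset_length

def audit_record(pkt: Packet, service: str, verdict: bool, logins: Dict[str, str]) -> dict:
    """Characteristic information + login user looked up by source IP + judging result."""
    return {"ts": pkt.ts, "service": service, "src_ip": pkt.src_ip, "dst_ip": pkt.dst_ip,
            "src_port": pkt.src_port, "dst_port": pkt.dst_port, "length": pkt.length,
            "user": logins.get(pkt.src_ip, "unknown"), "file_transfer": verdict}

class AuditSession:
    """monitoring -> capturing -> monitoring; capture ends on a count or an idle-time threshold."""

    def __init__(self, preset_length: int, max_transfers: int, idle_timeout: float):
        self.preset_length = preset_length  # length threshold for the transfer judgement
        self.max_transfers = max_transfers  # first preset threshold (transfer count)
        self.idle_timeout = idle_timeout    # second preset threshold (seconds without a packet)
        self.state, self.service, self.port, self.capture_filter = "monitoring", None, None, None
        self.transfer_count, self.last_capture_ts = 0, 0.0
        self.logins: Dict[str, str] = {}
        self.logs: List[dict] = []

    def on_login(self, src_ip: str, user: str) -> None:
        """Record a login event so later packets from that source IP carry the user identifier."""
        self.logins[src_ip] = user

    def on_process_event(self, proc_name: str, protocol: str, port: int, now: float) -> Optional[str]:
        """Start capturing (and return the filter) when the event is an SSH/SFTP or FTP event."""
        service = classify_process_event(proc_name)
        if service is None or self.state == "capturing":
            return None
        self.service, self.port = service, port
        self.capture_filter = build_capture_filter(protocol, port)
        self.state, self.transfer_count, self.last_capture_ts = "capturing", 0, now
        return self.capture_filter

    def on_tick(self, now: float) -> bool:
        """Timer hook: end capture once no packet has been captured for idle_timeout seconds."""
        if self.state == "capturing" and now - self.last_capture_ts >= self.idle_timeout:
            self._stop_capture()
            return True
        return False

    def on_packet(self, pkt: Packet) -> Optional[dict]:
        """Apply the filter, judge the packet, emit an audit record, stop on the count threshold."""
        if self.state != "capturing" or self.port not in (pkt.src_port, pkt.dst_port):
            return None  # not capturing, or the packet would not pass the BPF filter
        self.last_capture_ts = pkt.ts
        verdict = is_file_transfer(pkt, self.preset_length)
        rec = audit_record(pkt, self.service, verdict, self.logins)
        self.logs.append(rec)
        if verdict:
            self.transfer_count += 1
            if self.transfer_count >= self.max_transfers:
                self._stop_capture()
        return rec

    def _stop_capture(self) -> None:
        self.state, self.capture_filter, self.port = "monitoring", None, None

def run_demo() -> List[dict]:
    # Constructed SSH session: one keystroke-sized segment, then full-size segments.
    s = AuditSession(preset_length=1000, max_transfers=3, idle_timeout=30.0)
    s.on_login("10.0.0.5", "alice")
    s.on_process_event("sshd", "tcp", 22, now=100.0)
    pkts = [
        Packet(100.5, "10.0.0.5", "10.0.0.1", 51000, 22, 120),   # keystroke-sized: not a transfer
        Packet(101.0, "10.0.0.5", "10.0.0.1", 51000, 22, 1460),  # full-size segment: transfer 1
        Packet(101.2, "10.0.0.5", "10.0.0.1", 51000, 22, 1460),  # transfer 2
        Packet(101.3, "10.0.0.9", "10.0.0.1", 40000, 80, 1460),  # port 80: dropped by the filter
        Packet(101.4, "10.0.0.5", "10.0.0.1", 51000, 22, 1460),  # transfer 3: count threshold hit
        Packet(101.5, "10.0.0.5", "10.0.0.1", 51000, 22, 1460),  # back in monitoring: ignored
    ]
    for p in pkts:
        s.on_tick(p.ts)
        s.on_packet(p)
    return s.logs
```

The length test is applied to whatever passes the port filter, which is the point a practitioner should weigh before relying on the judging result: SSH payloads are encrypted, so a full-size segment on the SSH port may equally be scp, port forwarding or bulk command output rather than SFTP; and a filter built from the FTP control port does not see the data connection, which PORT or PASV opens on a separate port. Attributing a message to a user by source IP alone also breaks when several users share one address behind NAT.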
CN202111040098.XA 2021-09-06 2021-09-06 File transmission behavior auditing method and device, electronic equipment and storage medium Active CN113746925B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111040098.XA CN113746925B (en) 2021-09-06 2021-09-06 File transmission behavior auditing method and device, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN113746925A CN113746925A (en) 2021-12-03
CN113746925B true CN113746925B (en) 2023-06-09

Family

ID=78736171

Country Status (1)

Country Link
CN (1) CN113746925B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110099058A (en) * 2019-05-06 2019-08-06 江苏亨通工控安全研究院有限公司 Modbus message detecting method, device, electronic equipment and storage medium
CN111786953A (en) * 2020-06-01 2020-10-16 杭州迪普科技股份有限公司 Safety protection method and device and safety management equipment

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106941476B (en) * 2016-01-05 2019-10-22 中国科学院声学研究所 A kind of method and system SFTP data acquisition and audited
CN111371774A (en) * 2020-02-28 2020-07-03 深信服科技股份有限公司 Information processing method and device, equipment and storage medium
CN112751833B (en) * 2020-12-23 2023-01-10 北京天融信网络安全技术有限公司 RTP message identification method and device, electronic equipment and readable storage medium
CN113067810B (en) * 2021-03-16 2023-05-26 广州虎牙科技有限公司 Network packet capturing method, device, equipment and medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant