CN114003559A - Log access method, device and equipment and computer readable storage medium - Google Patents

Info

Publication number
CN114003559A
Authority
CN
China
Prior art keywords
log
information
sub
access
vector
Prior art date
Legal status
Pending
Application number
CN202010739803.4A
Other languages
Chinese (zh)
Inventor
吕琦
Current Assignee
China Mobile Communications Group Co Ltd
China Mobile Suzhou Software Technology Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Suzhou Software Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by China Mobile Communications Group Co Ltd and China Mobile Suzhou Software Technology Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/10 File systems; File servers
    • G06F16/18 File system types
    • G06F16/1805 Append-only file systems, e.g. using logs or journals to store data
    • G06F16/1815 Journaling file systems
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/10 File systems; File servers
    • G06F16/13 File access structures, e.g. distributed indices
    • G06F16/134 Distributed indices
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6227 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database where protection concerns the structure of data, e.g. records, types, queries

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Data Mining & Analysis (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a log access method, device, equipment and computer-readable storage medium for ensuring the security of log information. The method comprises the following steps: obtaining a log access request, wherein the log access request at least comprises search authentication information and keyword information; converting the keyword information to obtain a query vector corresponding to the keyword information; determining an index vector matched with the query vector, and obtaining an encrypted log corresponding to the index vector based on a stored first incidence relation; and, under the condition that the access authority is obtained based on the search authentication information, decrypting the encrypted log to obtain a target log, the target log being a log matched with the log access request. Compared with the prior art, the log access method disclosed by the invention can improve the security of log information.

Description

Log access method, device and equipment and computer readable storage medium
Technical Field
The present invention relates to the field of information security technologies, and in particular, to a log access method, apparatus, device, and computer-readable storage medium.
Background
At present, logs are generally managed as follows: a situation awareness system collects the logs and sends all of them to a log server, which processes and stores them. However, with this log management method, information security problems may arise during log transmission, storage and access; for example, log leakage may occur.
Disclosure of Invention
In view of the above, the present invention provides a log access method, apparatus, device and computer readable storage medium, which can be used to solve the information security problem that may exist in the prior art.
In order to achieve the purpose, the technical scheme of the invention is realized as follows:
in a first aspect, an embodiment of the present invention provides a log access method, where the method includes:
obtaining a log access request, wherein the log access request at least comprises search authentication information and keyword information;
converting the keyword information to obtain a query vector corresponding to the keyword information;
determining an index vector matched with the query vector, and obtaining an encryption log corresponding to the index vector based on a stored first incidence relation;
under the condition that the access authority is obtained based on the search authentication information, carrying out decryption processing on the encrypted log to obtain a target log; and the target log is a log matched with the log access request.
In the foregoing solution, the transforming the keyword information to obtain a query vector corresponding to the keyword information includes:
performing hash processing on the keyword information respectively based on a plurality of hash functions to obtain each hash value;
and mapping each hash value to a set bloom filter to obtain the query vector corresponding to the keyword information, wherein the number of the hash functions is not more than the bit number of the set bloom filter.
In the above solution, the determining the index vector matching the query vector includes:
determining the matching degree of the query vector and each stored index vector;
and determining the index vector with the matching degree meeting the preset threshold as the index vector matched with the query vector.
In the above solution, the obtaining of the access right based on the search authentication information at least includes:
determining whether the user identification information is set identification information;
under the condition that the user identification information is the set identification information, obtaining authorization credential information corresponding to the encryption log based on a stored second association relation;
determining whether the user key information and the authorization credential information satisfy a set condition;
obtaining the access authority under the condition that the user key information and the authorization certificate information meet set conditions; the access right is used for indicating that the user has the right to access the encrypted log.
In the foregoing solution, the decrypting the encrypted log to obtain a target log includes:
obtaining key information corresponding to the encryption log based on the user key information and the authorization credential information; and carrying out decryption processing on the encrypted log based on the key information to obtain the target log.
In the above solution, the keyword information includes a plurality of sub-keyword information, each of the plurality of sub-keyword information is different, and the method further includes:
under the condition that the access authority is obtained based on the search authentication information, converting each piece of sub-keyword information in the plurality of pieces of sub-keyword information to obtain a sub-query vector corresponding to each piece of sub-keyword information;
determining sub-index vectors matched with each sub-query vector, and determining a sub-encryption log corresponding to each sub-index vector;
and obtaining a target log based on the sub-encryption log corresponding to each sub-index vector.
In the above solution, before obtaining the log access request, the method includes:
receiving the target log sent by the first device, and encrypting the target log according to a set encryption mode to obtain an encrypted log;
identifying the keyword information corresponding to the target log, and determining an index vector corresponding to the keyword information;
and determining the incidence relation between the encryption log and the index vector, and storing the encryption log, the index vector and the incidence relation.
In a second aspect, an embodiment of the present invention further provides a log access apparatus, where the apparatus includes: an obtaining unit, a transforming unit, a determining unit and a decrypting unit, wherein,
the obtaining unit is used for obtaining a log access request, and the log access request at least comprises search authentication information and keyword information;
the conversion unit is used for carrying out conversion processing on the keyword information to obtain a query vector corresponding to the keyword information;
the determining unit is used for determining an index vector matched with the query vector and obtaining an encryption log corresponding to the index vector based on a stored first incidence relation;
the decryption unit is used for decrypting the encrypted log to obtain a target log under the condition that the access authority is obtained based on the search authentication information; and the target log is a log matched with the log access request.
In the foregoing solution, the transformation unit is specifically configured to: performing hash processing on the keyword information respectively based on a plurality of hash functions to obtain each hash value; and mapping each hash value to a set bloom filter to obtain the query vector corresponding to the keyword information, wherein the number of the hash functions is not more than the bit number of the set bloom filter.
In the foregoing solution, the determining unit is specifically configured to: determining the matching degree of the query vector and each stored index vector; and determining the index vector with the matching degree meeting the preset threshold as the index vector matched with the query vector.
In the above solution, the apparatus further comprises: the authentication unit is used for determining whether the user identification information is set identification information or not under the condition that the search authentication information at least comprises user identification information and user key information; under the condition that the user identification information is the set identification information, obtaining authorization credential information corresponding to the encryption log based on a stored second association relation; determining whether the user key information and the authorization credential information satisfy a set condition; obtaining the access authority under the condition that the user key information and the authorization certificate information meet set conditions; the access right is used for indicating that the user has the right to access the encrypted log.
In the foregoing solution, the decryption unit is specifically configured to: obtaining key information corresponding to the encryption log based on the user key information and the authorization credential information; and carrying out decryption processing on the encrypted log based on the key information to obtain the target log.
In the foregoing solution, the transforming unit is further configured to, when the keyword information includes a plurality of pieces of sub-keyword information, where each piece of sub-keyword information is different, transform each piece of sub-keyword information in the plurality of pieces of sub-keyword information to obtain a sub-query vector corresponding to each piece of sub-keyword information, under a condition that access permission is obtained based on the search authentication information;
the determining unit is further configured to determine a sub-index vector matching each sub-query vector, and determine a sub-encryption log corresponding to each sub-index vector; and obtaining a target log based on the sub-encryption log corresponding to each sub-index vector.
In the above solution, the apparatus further comprises: an encryption unit and an identification unit;
the encryption unit is used for receiving the target log sent by the first device and encrypting the target log according to a set encryption mode to obtain the encrypted log;
the identification unit is used for identifying the keyword information corresponding to the target log and determining an index vector corresponding to the keyword information;
the determining unit is further configured to determine an association relationship between the encryption log and the index vector, and store the encryption log, the index vector, and the association relationship.
In a third aspect, the present invention also provides a computer-readable storage medium having stored thereon a computer program which, when executed by at least one processor, performs any of the steps of the method described above.
In a fourth aspect, an embodiment of the present invention further provides a log access device, including: a processor and a memory for storing a computer program operable on the processor, wherein the processor is operable to perform the steps of the method when executing the computer program.
The embodiment of the invention provides a log access method, a device, equipment and a computer readable storage medium, wherein the method comprises the following steps: obtaining a log access request, wherein the log access request at least comprises search authentication information and keyword information; converting the keyword information to obtain a query vector corresponding to the keyword information; determining an index vector matched with the query vector, and obtaining an encryption log corresponding to the index vector based on a stored first incidence relation; under the condition that the access authority is obtained based on the search authentication information, carrying out decryption processing on the encrypted log to obtain a target log; and the target log is a log matched with the log access request. According to the embodiment of the invention, the accessed keyword information is firstly transformed to obtain the query vector and the index vector, the encrypted log is further obtained according to the first association relation, and then the encrypted log can be decrypted to obtain the target log after the access authority is obtained by searching the authentication information, so that the safety of log information can be effectively protected, an unauthorized user is prevented from obtaining the target log, and the problems in the prior art are solved.
Drawings
FIG. 1 is a diagram illustrating a log management method of a situation awareness system in the related art;
fig. 2 is a schematic flowchart of a log access method according to an embodiment of the present invention;
fig. 3 is a schematic flowchart of a specific implementation manner provided in an embodiment of the present invention;
fig. 4 is a schematic structural diagram of a log access apparatus according to an embodiment of the present invention;
fig. 5 is a schematic hardware structure diagram of a log access device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the following describes specific technical solutions of the present invention in further detail with reference to the accompanying drawings in the embodiments of the present invention. The following examples are intended to illustrate the invention but are not intended to limit the scope of the invention.
For the convenience of understanding the present invention, a brief description will be given of the related art of the situation awareness system.
Article 21 of the Cybersecurity Law of the People's Republic of China requires that network operators take technical measures to monitor and record network running states and network security events, and retain the related network logs for not less than six months in accordance with the regulations.
The situation awareness system realizes discovery and prediction of system security risks by collecting and storing a large amount of log information of network equipment and security equipment in a centralized manner and utilizing a big data analysis technology. The log information needs to be stored for 6 months or more according to the specification, and meanwhile, the search and viewing requirements of a system, a user and auditors on the log information are met.
Based on this, it is necessary to manage these large amounts of log information. At present, a log management method is to collect log information, format the collected log information by a log collection processing module, uniformly send the formatted log information to a log server, analyze and store the log information in a classified manner by the log server, and create a log classified index directory. According to the viewing authority of the user, the user searches and views the log information through the classified index directory on a log display page (also called a portal interface) of the situation awareness system, and the user can export the log information into different forms for downloading, and the specific process is shown in the following fig. 1.
As can be seen from fig. 1, the log information collected in the situation awareness system is uniformly sent to the log server for processing and storage, which can relieve the pressure of analysis and storage of the log information of the system itself, but introduces more security problems of the log information. In the processes of transmission, storage, search and check of the log information, the data confidentiality problem is faced, and the security of the log information is difficult to ensure.
The current situation awareness system log management method mainly has the following defect: security cannot be guaranteed during the transmission of log information. In the existing scheme, the processed formatted log information is transmitted to a log server, the log server analyzes the formatted log information and generates a log classification index directory, and the directory is transmitted to a portal interface for the user to retrieve and use. The transmission channel is highly vulnerable: an attacker who captures the formatted logs and the classified index directory through eavesdropping, man-in-the-middle attacks or other means can easily restore the plaintext log information by analyzing the correlation between the two, so that the log information is leaked and tampered with.
Based on this, as shown in fig. 2, it is shown that an embodiment of the present invention provides a log access method, where the method includes:
s201: obtaining a log access request, wherein the log access request at least comprises search authentication information and keyword information;
s202: converting the keyword information to obtain a query vector corresponding to the keyword information;
s203: determining an index vector matched with the query vector, and obtaining an encryption log corresponding to the index vector based on a stored first incidence relation;
s204: under the condition that the access authority is obtained based on the search authentication information, carrying out decryption processing on the encrypted log to obtain a target log; and the target log is a log matched with the log access request.
It should be noted that, before obtaining the log access request, the method includes:
receiving the target log sent by the first device, and encrypting the target log according to a set encryption mode to obtain an encrypted log;
identifying the keyword information corresponding to the target log, and determining an index vector corresponding to the keyword information;
and determining the incidence relation between the encryption log and the index vector, and storing the encryption log, the index vector and the incidence relation.
Here, this process is the one by which the target log is stored via the situation awareness system before the user queries it. The first device may be a security device in any user system, such as a Web Application Firewall (WAF), an anti-DDoS device, a vulnerability scanning device, a cloud host security protection device, and the like. The set encryption mode may be any algorithm capable of encrypting the target log, for example the Advanced Encryption Standard (AES) or the Data Encryption Standard (DES); it should be noted that the set encryption algorithm and the decryption algorithm used when the target log is later queried are inverse processes.
In an actual application process, identifying the keyword information corresponding to the target log may refer to extracting key information capable of representing the target log from the target log, for example, the keyword information may be a device type, a source Internet Protocol (IP) address, a source port, a destination IP address, a destination port, a security event type, a collected event, and the like, which are collected by the target log.
In some embodiments, determining the index vector corresponding to the keyword information may refer to performing a transformation process on the keyword information to obtain the index vector corresponding to the keyword information, where the transformation process on the keyword information is the same as a subsequent transformation process on the keyword information to obtain a query vector, and how to perform the transformation process is described in detail below.
In the practical application process, after the encrypted log obtained by encrypting the target log and the index vector corresponding to the keyword information are obtained, the incidence relation between the encrypted log and the index vector is determined, and the encrypted log, the index vector and the incidence relation are stored for later use. It should be noted that the association relationship mentioned here has the same meaning as the aforementioned first association relationship, and is only for convenience of description in different processes, and is not used to limit the present invention.
In the practical application process, the log access method can be used for a situation awareness system. On the basis, obtaining the log access request may include: receiving an input operation; obtaining the log access request based on the input operation.
Here, the input operation may be one of input operations to the situation awareness system, and may be of various types, for example, the input operation may be a key operation, a touch operation, and the like, and may not be limited herein.
As an embodiment, when the input operation is a key operation, correspondingly, obtaining the log access request based on the input operation may be to input, to a situation awareness system, search authentication information and keyword information at least included in the log access request by a user through a key set in the situation awareness system.
In other embodiments, when the input operation is a touch operation, correspondingly, obtaining the log access request based on the input operation may be to input, by a user touching a touch device (e.g., a touch pad) disposed in a situation awareness system, at least search authentication information and keyword information included in the log access request to the situation awareness system.
In other embodiments, the obtaining the log access request may include: and receiving the log access request sent by the user terminal.
Here, a user may trigger Application (APP) software installed in a user terminal, and a communication unit in the user terminal sends a log access request to a situation awareness system, and the communication unit in the situation awareness system receives the log access request, where the user terminal may be any electronic device to be communicated with, such as a mobile phone, a smart band, and the like; the communication unit may be a Wireless Fidelity (WIFI) module, a Global System for Mobile communications (GSM) module, a General Packet Radio Service (GPRS) module, and the like.
In some embodiments, the keyword information is key information for characterizing the target log, for example, the keyword information may be a device type, a source Internet Protocol (IP) address, a source port, a destination IP address, a destination port, a security event type, a collected event, and the like of the target log; the search authentication information is used for obtaining the authority of the user to access the target log.
In some embodiments, for S202, comprising:
performing hash processing on the keyword information respectively based on a plurality of hash functions to obtain each hash value;
and mapping each hash value to a set bloom filter to obtain the query vector corresponding to the keyword information, wherein the number of the hash functions is not more than the bit number of the set bloom filter.
It should be noted that the bloom filter is a data structure, more precisely a probabilistic data structure, characterized by efficient insertion and query. The data structure of the set bloom filter is a bit vector (bit array): each element occupies only 1 bit of space and can only be 0 or 1. The set bloom filter also needs K hash functions (K is any positive integer). When one piece of keyword information is to be stored in the set bloom filter, K hash values are obtained by hashing the keyword information with the K hash functions, and the bit at the position corresponding to each hash value is set to 1. Subsequently, to judge whether a piece of keyword information is in the set bloom filter, the keyword information is hashed with the same K hash functions, and it is checked whether the bits corresponding to the K resulting hash values are all 1 in the set bloom filter; if so, the keyword information is in the set bloom filter.
Here, the length of the bit vector (bit array) for setting the bloom filter directly affects the accuracy of querying information already stored in the set bloom filter, and generally, the longer the length of the set bloom filter is, the higher the accuracy of the query is. In addition, the number of hash functions may affect the efficiency and accuracy of querying the information already stored in the set bloom filter, and in general, the greater the number of hash functions, the higher the accuracy of the query but the lower the efficiency of the query. Therefore, in the actual application process, the length of the bloom filter and the number of the selected hash functions need to be set according to the actual requirements of the user on the query efficiency and the query accuracy.
Here, the query vector corresponding to the keyword information may be a bit vector obtained by hashing the keyword information by a plurality of hash functions to obtain each hash value, and then setting a position 1 corresponding to each hash value in the bloom filter, and the bit vector is substantially a binary vector.
For example, if the length of the set bloom filter is 8 bits, and the hash values obtained by hashing the keyword information with three hash functions are 1, 4 and 7 respectively, then (counting bit positions from the left starting at 1) the query vector corresponding to the keyword information is (10010010).
In some embodiments, the determining an index vector that matches the query vector comprises:
determining the matching degree of the query vector and each stored index vector;
and determining the index vector with the matching degree meeting the preset threshold as the index vector matched with the query vector.
It should be noted that each stored index vector referred to herein refers to a vector corresponding to each piece of encrypted log information that has been stored, and the encrypted log information corresponds to the index vector one to one, where the format of the index vector is the same as that of the aforementioned query vector, that is, the index vector is also a binary vector.
Here, the determining the matching degree between the query vector and each stored index vector may be performed by performing inner product calculation on the query vector and each stored index vector, and an inner product value corresponding to each index vector obtained is the matching degree between the query vector and each stored index vector.
It should be noted that the preset threshold may be the inner product of the query vector with itself. Determining the index vector whose matching degree satisfies the preset threshold as the index vector matched with the query vector may then mean that, among the inner products of the query vector with each stored index vector, the one closest to the preset threshold identifies the matched index vector.
In the practical application process, after the index vector matched with the query vector is obtained, the encryption log corresponding to the index vector is obtained based on the stored first incidence relation, wherein the first incidence relation refers to the one-to-one correspondence relation between the index vector and the encryption log.
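The transformation of S202 and the matching of S203, carried through in code as an added example (this is not the patent's own code). The K hash functions (SHA-256 over a per-function salt), the 256-bit filter width, 0-based bit positions and the sample keyword strings are all assumptions; the patent's own 8-bit illustration counts positions from 1, which `vector_from_positions` reproduces. A practitioner should note what the code makes explicit: a Bloom-filter hit is a candidate, not proof that the keyword is in the log, so the keyword must be re-checked on the decrypted target log.

```python
"""Bloom-filter keyword index and inner-product matching (S202/S203).

Added example; not the patent's own code.  Assumptions: K hash functions are
SHA-256 over a per-function salt, the set bloom filter is m = 256 bits wide,
bit positions are 0-based, and the sample keywords below are constructed."""
import hashlib
from typing import Dict, List, Sequence

FILTER_BITS = 256   # assumed width m of the set bloom filter
NUM_HASHES = 3      # K; the patent requires K <= m


def hash_positions(keyword: str, k: int = NUM_HASHES, m: int = FILTER_BITS) -> List[int]:
    """K hash values of one keyword, each reduced to a bit position in [0, m)."""
    if k > m:
        raise ValueError("number of hash functions may not exceed the filter width")
    positions = []
    for i in range(k):
        digest = hashlib.sha256(f"h{i}:{keyword}".encode()).digest()
        positions.append(int.from_bytes(digest[:8], "big") % m)
    return positions


def to_vector(keywords: Sequence[str], m: int = FILTER_BITS) -> List[int]:
    """Map every keyword's K positions into one m-bit 0/1 vector.  The same
    transformation produces the index vector at ingestion and the query
    vector at search time, as the patent requires."""
    vec = [0] * m
    for kw in keywords:
        for p in hash_positions(kw, m=m):
            vec[p] = 1
    return vec


def vector_from_positions(m: int, positions_1_based: Sequence[int]) -> str:
    """The patent's illustration: 8 bits, hash values 1, 4, 7 -> 10010010."""
    bits = ["0"] * m
    for p in positions_1_based:
        bits[p - 1] = "1"
    return "".join(bits)


def inner_product(a: Sequence[int], b: Sequence[int]) -> int:
    """Matching degree: number of positions set in both 0/1 vectors."""
    return sum(x & y for x, y in zip(a, b))


def matching_logs(query: List[int], index: Dict[str, List[int]]) -> List[str]:
    """Index vectors whose inner product with the query reaches the preset
    threshold <query, query>, i.e. every query bit is set in the index vector.
    Bloom filters admit false positives, so a hit only marks the encrypted log
    as a candidate; the keyword is confirmed after authorised decryption."""
    threshold = inner_product(query, query)
    return [log_id for log_id, vec in index.items()
            if inner_product(query, vec) == threshold]


def best_match(query: List[int], index: Dict[str, List[int]]) -> str:
    """The single stored index vector whose inner product is closest to the threshold."""
    return max(index, key=lambda log_id: inner_product(query, index[log_id]))


# Constructed sample: keyword information identified for two stored logs.
SAMPLE_INDEX = {
    "log-1": to_vector(["device=WAF", "src_ip=10.0.0.5", "dst_port=443", "event=blocked_request"]),
    "log-2": to_vector(["device=anti-ddos", "src_ip=192.0.2.9", "dst_port=53", "event=flood"]),
}

if __name__ == "__main__":
    q = to_vector(["src_ip=10.0.0.5"])
    print(matching_logs(q, SAMPLE_INDEX))   # log-1, plus any Bloom false positive
```

Because every element is 0 or 1, the inner product can never exceed the query's own inner product, so "closest to the threshold" and "equal to the threshold" coincide for a true containment match; `matching_logs` returns all such candidates and `best_match` the single best-ranked one.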
In some embodiments, the searching authentication information at least includes user identification information and user key information, and the obtaining access right based on the searching authentication information includes:
determining whether the user identification information is set identification information;
under the condition that the user identification information is the set identification information, obtaining authorization credential information corresponding to the encryption log based on a stored second association relation;
determining whether the user key information and the authorization credential information satisfy a set condition;
obtaining the access authority under the condition that the user key information and the authorization certificate information meet set conditions; the access right is used for indicating that a user has the right to access the encrypted log;
wherein determining whether the user key information and the authorization credential information satisfy a set condition includes: substituting the user key information and the authorization credential information into a specific equation, and if the user key information and the authorization credential information enable two sides of the specific equation to be equal, determining that the user key information and the authorization credential information meet set conditions; and if the user key information and the authorization credential information cannot enable the two sides of the specific equation to be equal, determining that the user key information and the authorization credential information do not meet set conditions.
It should be noted that the user identification information is a unique identifier for characterizing the identity of the user, in other words, the user identification information is similar to an identity card of the user and is used for proving the identity of the user. In this case, the determining whether the user identification information is the setting identification information may be determining whether the situation awareness system includes identification information matching the user identification information, and if so, the user identification information is the setting identification information; if not, the user identification information is not the setting identification information.
In an actual application process, when the user identification information is the set identification information, the authorization credential information corresponding to the encrypted log is obtained based on a second association relationship stored in the situation awareness system, where the second association relationship may be a one-to-one correspondence between the encrypted log and the authorization credential information of the user.
In some embodiments, the user key information is generated by the situation awareness system according to an adopted access control policy during log storage, and is sent to the user, so that the user can obtain the right to access the encrypted log based on the key information and subsequent authorization credential information. The authorization credential information may refer to credentials that are retained in the situational awareness system that allow a user to query an encryption log. The setting conditions referred to herein are set according to different access control policies; the specific equations also vary with different access control policies.
As an embodiment, when the access control policy adopts Ciphertext-Policy Attribute-Based Encryption (CP-ABE), the basic principle of CP-ABE is: an access structure is associated with the encrypted data and an attribute set is associated with the user's private key, which realizes access control over the encrypted data. The access structure represents the policy formulated in the access control policy and realizes secret-sharing access control by defining an authorized set and an unauthorized set; it comes in two types: 1) an access tree, where a CP-ABE scheme constructed from an access tree is simple in structure but low in security; 2) a Linear Secret Sharing Scheme (LSSS), where a CP-ABE scheme constructed from an LSSS has higher complexity and higher security. The encrypted data may be the data to be accessed, for example the log information in the present invention, or a key or the like that encrypts the log information of the present invention; the attribute set may be a set of attributes of the user, such as an identification number, a role, and the like.
The invention adopts a hybrid encryption mode that combines a set encryption mode with the CP-ABE algorithm, which effectively protects the key of the set encryption mode, realizes authority control over log search, and effectively prevents data leakage.
For example, when log search access rights are obtained based on the AES algorithm and the CP-ABE algorithm:
the system public key and master key may be:
[Equation shown as an image in the original: the structure of PK and MSK.]
where PK is the system public key and MSK is the system master key; $\alpha, \beta$ are random numbers in $Z_N$; $N$ is the order of the composite-order bilinear group $G$; $g, X_1, X_3, X_4$ are generators of $G$ and $T = X_1 X_4$; $H$ is a hash function, $H(i)$ is computed for every attribute $i$ in the attribute set, and a random number $s_{H(i)} \in Z_N$ is selected.
The structure of the user key information may be:
[Equation shown as an image in the original: the structure of SK.]
where SK is the user key information; $S$ is the user attribute set; $H(x)$ is the hash value of any user attribute $x$, taken from the system public key; $r_x$ and $r$ are random numbers in $Z_N$; $R$ and $R'$ are random elements of $G$; $g$ is a generator of $G$; $\alpha$ and $\beta$ are the random numbers taken from the system public key and the system master key.
The authorization credential information of the log information may have a structure of:
[Equation shown as an image in the original: the structure of CT.]
where CT is the authorization credential information; $C_0$ is an authorization credential component; $k$ is the symmetric encryption key; $e(g,g)^\alpha$ is taken from the system public key; $s$ is a random number; $L$ is the LSSS access control matrix; $g$ is the generator of the group; $A_x$ is the $x$-th row of $A$, where $A$ is an $l \times n$ access control matrix with row mapping function $\rho: A_x \to \rho(x)$, $\rho(x) \in H(U)$, each $\rho(x)$ corresponding to a user attribute; for every $x \in [l]$ random elements $W_x, V_x \in G$ are chosen; $u$ is an $n$-dimensional vector whose first entry is $\alpha$ and whose other entries are random numbers; $X_1$ and $T_{\rho(x)}$ are taken from the system public key.
At this time, the access-authority audit is computed from the authorization credential CT and the user's private key SK, where $H(S)$ is the hash value of the user's attribute set $S$ and $(A, \rho)$ is the access structure and row mapping function associated with the log. If the user's access rights satisfy the authorized set of the log, that is, $H(S)$ satisfies the access structure $A$, then constants $\omega_x$ can be found such that
[Equation shown as an image in the original.]
where $v$ is the vector whose first entry is 1 and whose other entries are 0.
That is, each element of the CT structure and the SK structure is substituted into the following specific equation for verification:
[Equation shown as an image in the original: the specific verification equation.]
If the specific equation holds, the user key information and the authorization credential information satisfy the set condition, that is, the searching user has the right to access the log. The specific verification procedure follows the prior art and is not repeated here.
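The audit described above (constants $\omega_x$ exist for the rows whose attribute the user holds, and they combine to the vector $v$) is the satisfiability test of an LSSS access structure. The following Go program is an added example, not code from the patent: given $(A, \rho)$ and a user attribute set $S$, it solves for $\omega_x$ over a small prime field by Gauss-Jordan elimination so that $\sum_x \omega_x A_x = v$ (taken here as the standard LSSS reconstruction relation, since the equation image is not reproduced on the page) and reports whether $S$ is authorized. The policy matrix for `(admin AND audit) OR soc`, the prime modulus and the attribute names are constructed for the demonstration; a real scheme works in the bilinear group of order $N$ and follows with the pairing check on CT and SK, which this example does not perform.

```go
package main

import "fmt"

// Constructed demo modulus; a real scheme works modulo the group order N.
const p int64 = 1000003

func mod(a int64) int64 { return ((a % p) + p) % p }

// modInv returns a^(p-2) mod p, the inverse of a in the prime field.
func modInv(a int64) int64 {
	result, base, e := int64(1), mod(a), p-2
	for e > 0 {
		if e&1 == 1 {
			result = mod(result * base)
		}
		base = mod(base * base)
		e >>= 1
	}
	return result
}

// AccessStructure is the LSSS pair (A, rho): row x of A carries attribute Rho[x].
type AccessStructure struct {
	A   [][]int64 // l rows, n columns
	Rho []string  // length l
}

// Reconstruct looks for omega (one entry per row of A, zero for rows whose attribute
// the user lacks) with sum_x omega_x*A_x == (1,0,...,0) mod p. ok is false when the
// user's attribute set S does not satisfy (A, rho).
func Reconstruct(as AccessStructure, S map[string]bool) (omega []int64, ok bool) {
	l, n := len(as.A), len(as.A[0])
	var rows []int // rows the user is entitled to use
	for x := 0; x < l; x++ {
		if S[as.Rho[x]] {
			rows = append(rows, x)
		}
	}
	m := len(rows)
	if m == 0 {
		return nil, false
	}
	// Augmented system: n equations (one per column of A), m unknowns, RHS v.
	aug := make([][]int64, n)
	for j := 0; j < n; j++ {
		aug[j] = make([]int64, m+1)
		for i, x := range rows {
			aug[j][i] = mod(as.A[x][j])
		}
	}
	aug[0][m] = 1 // v = (1, 0, ..., 0)
	var pivotCols []int
	r := 0
	for c := 0; c < m && r < n; c++ { // Gauss-Jordan elimination over Z_p
		piv := -1
		for i := r; i < n; i++ {
			if aug[i][c] != 0 {
				piv = i
				break
			}
		}
		if piv < 0 {
			continue
		}
		aug[r], aug[piv] = aug[piv], aug[r]
		inv := modInv(aug[r][c])
		for k := range aug[r] {
			aug[r][k] = mod(aug[r][k] * inv)
		}
		for i := 0; i < n; i++ {
			if i == r || aug[i][c] == 0 {
				continue
			}
			f := aug[i][c]
			for k := range aug[i] {
				aug[i][k] = mod(aug[i][k] - f*aug[r][k])
			}
		}
		pivotCols = append(pivotCols, c)
		r++
	}
	for i := r; i < n; i++ { // a zero row with non-zero RHS means no solution
		if aug[i][m] != 0 {
			return nil, false
		}
	}
	sol := make([]int64, m) // free unknowns stay 0
	for i, c := range pivotCols {
		sol[c] = aug[i][m]
	}
	omega = make([]int64, l)
	for i, x := range rows {
		omega[x] = sol[i]
	}
	return omega, true
}

// Combine evaluates sum_x omega_x*A_x mod p so the result can be checked against v.
func Combine(as AccessStructure, omega []int64) []int64 {
	out := make([]int64, len(as.A[0]))
	for x, w := range omega {
		for j := range out {
			out[j] = mod(out[j] + w*mod(as.A[x][j]))
		}
	}
	return out
}

func main() {
	// Constructed policy "(admin AND audit) OR soc" as an LSSS matrix (-1 is p-1 mod p).
	policy := AccessStructure{A: [][]int64{{1, 1}, {0, -1}, {1, 0}}, Rho: []string{"admin", "audit", "soc"}}
	for _, S := range []map[string]bool{{"admin": true, "audit": true}, {"admin": true}, {"soc": true}} {
		omega, ok := Reconstruct(policy, S)
		fmt.Println(S, ok, omega)
	}
}
```

`Reconstruct` only ever uses rows whose attribute the user actually holds, which is the point of the audit: a user with `admin` alone cannot combine row $(1,1)$ into $(1,0)$, while `admin` plus `audit` or `soc` alone can. In the real scheme the $\omega_x$ found here are the exponents applied in the pairing verification, so a user who fails this test has nothing to substitute into the specific equation.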
In some embodiments, the decrypting the encrypted log to obtain a target log includes:
obtaining key information corresponding to the encryption log based on the user key information and the authorization credential information; and carrying out decryption processing on the encrypted log based on the key information to obtain the target log.
Here, after the searching user has been verified to have the right to access the log, the situation awareness system computes the AES encryption key k, that is, the key information corresponding to the target log, from the result of the authority audit and the authorization credential:
[Equation shown as an image in the original: computation of the key k.]
and then, decrypting the encrypted log by using the encryption key to obtain the target log which the user wants to inquire.
In some embodiments, the keyword information includes a plurality of sub-keyword information, each of the plurality of sub-keyword information being different, the method further comprising:
under the condition that the access authority is obtained based on the search authentication information, converting each piece of sub-keyword information in the plurality of pieces of sub-keyword information to obtain a sub-query vector corresponding to each piece of sub-keyword information;
determining sub-index vectors matched with each sub-query vector, and determining a sub-encryption log corresponding to each sub-index vector;
and obtaining a target log based on the sub-encryption log corresponding to each sub-index vector.
It should be noted that, in order to make the query more accurate, a plurality of pieces of sub-keyword information corresponding to the log information may be used, and then each piece of sub-keyword information is transformed as described above to obtain a sub-query vector corresponding to each piece of sub-keyword information, determine a sub-index vector matching each sub-query vector, and determine a sub-encryption log corresponding to each sub-index vector; after the sub-encryption logs corresponding to each sub-index vector are obtained, the target logs are obtained based on the sub-encryption logs corresponding to each sub-index vector.
In some embodiments, obtaining the target log based on the sub-encryption log corresponding to each sub-index vector may mean counting which sub-encryption log occurs most often, taking that sub-encryption log as the encryption log to be queried, and then decrypting that encryption log in the manner described above to obtain the target log; the decryption process is the same as described above and is not repeated here.
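The index-vector matching described earlier (inner product against each stored index vector, with the query vector's inner product with itself as the threshold) and the sub-keyword variant just described both rest on the same Bloom-filter vectors, so the following Go program, an added example rather than code from the patent, shows them together: keywords are hashed by three salted SHA-256 instances into a 256-bit filter (the page only says "a plurality of hash functions" and "a set bloom filter"; the salting, sizes and sample keywords are assumptions), a query matches an index vector when every query bit is also set in it, and the multi-sub-keyword search takes the stored entry matched by the most sub-queries. The encrypted-log bytes are constructed placeholders standing in for AES ciphertext.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Constructed demo parameters: an m-bit Bloom filter with k hash functions,
// k not exceeding m as the text requires.
const (
	bloomBits = 256
	numHashes = 3
)

// BloomVector is the binary vector the text calls index vector (at storage
// time) or query vector (at search time).
type BloomVector [bloomBits]uint8

// positions derives numHashes bit positions for one keyword. Salting SHA-256
// with the hash-function index is an assumption, not the page's construction.
func positions(keyword string) []int {
	pos := make([]int, 0, numHashes)
	for i := 0; i < numHashes; i++ {
		h := sha256.Sum256(append([]byte{byte(i)}, keyword...))
		pos = append(pos, int(binary.BigEndian.Uint32(h[:4])%bloomBits))
	}
	return pos
}

// ToVector maps every keyword into the same Bloom filter and returns the bit vector.
func ToVector(keywords ...string) BloomVector {
	var v BloomVector
	for _, kw := range keywords {
		for _, p := range positions(kw) {
			v[p] = 1
		}
	}
	return v
}

// InnerProduct is the matching degree between a query vector and an index vector.
func InnerProduct(a, b BloomVector) int {
	n := 0
	for i := range a {
		n += int(a[i] * b[i])
	}
	return n
}

// StoredEntry is one row of the first association: index vector <-> encrypted log.
type StoredEntry struct {
	Index        BloomVector
	EncryptedLog []byte // constructed placeholder; real entries hold AES ciphertext
}

// Match returns the store positions whose index vector reaches the preset
// threshold, which the text sets to the query vector's inner product with
// itself: every bit set in the query must also be set in the index vector.
func Match(query BloomVector, store []StoredEntry) []int {
	threshold := InnerProduct(query, query)
	var hits []int
	for i, e := range store {
		if InnerProduct(query, e.Index) >= threshold {
			hits = append(hits, i)
		}
	}
	return hits
}

// MatchSubKeywords is the multi-sub-keyword variant: each sub-keyword becomes
// its own sub-query vector, every match is a vote, and the entry matched most
// often is the encrypted log to decrypt (-1 when no sub-keyword matched anything).
func MatchSubKeywords(subKeywords []string, store []StoredEntry) int {
	votes := make([]int, len(store))
	for _, kw := range subKeywords {
		for _, i := range Match(ToVector(kw), store) {
			votes[i]++
		}
	}
	best, bestVotes := -1, 0
	for i, n := range votes {
		if n > bestVotes { // the earlier entry wins ties
			best, bestVotes = i, n
		}
	}
	return best
}

func main() {
	// Constructed sample store: three encrypted logs with their keyword index vectors.
	store := []StoredEntry{
		{Index: ToVector("sshd", "failed-login", "host-a"), EncryptedLog: []byte("ct-1")},
		{Index: ToVector("nginx", "status-500", "host-b"), EncryptedLog: []byte("ct-2")},
		{Index: ToVector("sshd", "accepted", "host-c"), EncryptedLog: []byte("ct-3")},
	}
	fmt.Println("entries matching sshd:", Match(ToVector("sshd"), store))
	fmt.Println("sub-keyword vote picks entry:", MatchSubKeywords([]string{"sshd", "host-c", "accepted"}, store))
}
```

Two properties worth noting for anyone deploying this: the log server sees only bit vectors, never the keywords, which is the privacy argument the text makes; and a Bloom filter can produce false positives (a query's bits all set by unrelated keywords), so a match is a candidate that decryption and inspection must confirm, and the filter width must be sized against the number of keywords per log.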
According to the log access method provided by the embodiment of the invention, firstly, the accessed keyword information is converted to obtain the query vector and the index vector, then the encrypted log is obtained according to the first association relation, and then the encrypted log can be decrypted to obtain the target log after the access authority is obtained by searching the authentication information, so that the log information searching safety can be effectively protected, and the log information is prevented from being accessed by an unauthorized user.
For understanding the present invention, as shown in fig. 3, a flow chart of a specific implementation manner provided by the embodiment of the present invention is shown. In the implementation mode, only a log security processing module is added in the original situation awareness system, original log information is subjected to security processing and then transmitted and uploaded to a log server, and the security of the log information of the situation awareness system is better protected. Meanwhile, extra calculation and storage expenses are not increased, normal service of the situation awareness system is guaranteed, and meanwhile confidentiality and integrity of log information are enhanced. The newly-added log security processing module is mainly responsible for the work of log information encryption, log information decryption, log information index vector generation, query vector generation, access authority audit and the like. In other words, the aforementioned log access method is performed in the secure processing module.
The main process by which the log security processing module realizes the log access method is roughly as follows. Based on the log information keywords extracted by the log acquisition processing module, the log security processing module maps the keywords into a Bloom filter to form the log index vector. A Bloom filter is a storage-efficient vector data structure; the standard Bloom filter is an n-bit array, and using it to construct the log index vector effectively hides the log keyword information while occupying little space. During searching, the log security processing module generates a query vector in the same way from the user's search keywords. The log server only needs to compute the inner product of the query vector with each log index vector to find the index vector containing the keywords, and then the encrypted original log is matched according to that index vector. The log security processing module is also responsible for log encryption and decryption and for the access-authority audit: in the hybrid encryption mode the log information is symmetrically encrypted with AES, the AES symmetric encryption key is contained in an authorization credential by the CP-ABE encryption algorithm, and during searching a result can only be obtained after the user's access authority has been verified. This achieves log access control, protects log data security, prevents unauthorized users from obtaining the original log information, and effectively prevents log leakage. The process of obtaining the access right has been described in detail above and is not repeated here.
Compared with the prior art, the embodiment of the invention has the advantages that:
(1) all log query and matching operations do not need to maintain a log classification index directory, and index vectors and query vectors are introduced to directly perform matching. The vector constructed based on the bloom filter breaks up the frequency distribution information of the original information, is unrecoverable, can effectively avoid the attacks of eavesdropping and the like of an attacker in the transmission process, and can avoid the log server from acquiring the keyword information to further analyze the keyword information, thereby avoiding information leakage.
(2) In order to protect the security of the original log data, the embodiment of the invention encrypts the log symmetrically. Symmetric encryption is fast and adds no extra computational overhead to the system; the encryption and decryption of the log are both completed inside the situation awareness system, and the log exists only as ciphertext during transmission and in storage on the log server, so the data privacy of log files is effectively protected. In the prior art, by contrast, the formatted log is transmitted directly to the log server.
(3) the embodiment of the invention combines the AES encryption algorithm and the CP-ABE algorithm by using a mixed encryption mode, realizes the authority control of log search while effectively protecting the safety of the AES key, and effectively prevents data leakage.
Based on the same inventive concept, as shown in fig. 4, it illustrates a log access apparatus provided by an embodiment of the present invention, where the apparatus 40 includes: an obtaining unit 401, a transforming unit 402, a determining unit 403 and a decrypting unit 404, wherein,
the obtaining unit 401 is configured to obtain a log access request, where the log access request at least includes search authentication information and keyword information;
the transformation unit 402 is configured to transform the keyword information to obtain a query vector corresponding to the keyword information;
the determining unit 403 is configured to determine an index vector matching the query vector, and obtain an encryption log corresponding to the index vector based on a stored first association relationship;
the decryption unit 404 is configured to, in a case where an access right is obtained based on the search authentication information, perform decryption processing on the encrypted log to obtain a target log; and the target log is a log matched with the log access request.
In some embodiments, the transformation unit 402 is specifically configured to: performing hash processing on the keyword information respectively based on a plurality of hash functions to obtain each hash value; and mapping each hash value to a set bloom filter to obtain the query vector corresponding to the keyword information, wherein the number of the hash functions is not more than the bit number of the set bloom filter.
In some embodiments, the determining unit 403 is specifically configured to: determining the matching degree of the query vector and each stored index vector; and determining the index vector with the matching degree meeting the preset threshold as the index vector matched with the query vector.
In some embodiments, the apparatus 40 further comprises: the authentication unit is used for determining whether the user identification information is set identification information or not under the condition that the search authentication information at least comprises user identification information and user key information; under the condition that the user identification information is the set identification information, obtaining authorization credential information corresponding to the encryption log based on a stored second association relation; determining whether the user key information and the authorization credential information satisfy a set condition; obtaining the access authority under the condition that the user key information and the authorization certificate information meet set conditions; the access right is used for indicating that the user has the right to access the encrypted log.
In some embodiments, the decryption unit 404 is specifically configured to: obtaining key information corresponding to the encryption log based on the user key information and the authorization credential information; and carrying out decryption processing on the encrypted log based on the key information to obtain the target log.
In some embodiments, the transforming unit 402 is further configured to, when the keyword information includes a plurality of pieces of sub-keyword information, each piece of sub-keyword information in the plurality of pieces of sub-keyword information being different, transform each piece of sub-keyword information in the plurality of pieces of sub-keyword information to obtain a sub-query vector corresponding to each piece of sub-keyword information, in a case that access rights are obtained based on the search authentication information;
the determining unit 403 is further configured to determine a sub-index vector matching each sub-query vector, and determine a sub-encryption log corresponding to each sub-index vector; and obtaining a target log based on the sub-encryption log corresponding to each sub-index vector.
In some embodiments, the apparatus 40 further comprises: an encryption unit and an identification unit;
the encryption unit is used for receiving the target log sent by the first device and encrypting the target log according to a set encryption mode to obtain the encrypted log;
the identification unit is used for identifying the keyword information corresponding to the target log and determining an index vector corresponding to the keyword information;
the determining unit 403 is further configured to determine an association relationship between the encryption log and the index vector, and store the encryption log, the index vector, and the association relationship.
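The encryption unit, identification unit and determining unit above, together with the decryption unit described earlier (key information obtained from the credential after the audit, then decryption), form the hybrid-encryption storage and retrieval path. The following Go program is an added example, not code from the patent: it encrypts each log under a fresh AES-256-GCM key, stores the ciphertext with its index vector (the first association) and the per-log credential holding the key (the second association), and releases the key for decryption only when an access-audit callback passes. The CP-ABE wrapping of the key inside the credential is replaced here by a plain record consulted after the audit, an assumption made because CP-ABE is outside the standard library; the sample log text, index bytes and the `auditor`/`intern` user names are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// StoredLog is what the log server holds for one log: AES-GCM nonce and
// ciphertext plus the index vector (first association); no key, no plaintext.
type StoredLog struct {
	Nonce      []byte
	Ciphertext []byte
	Index      []byte // Bloom-filter index vector produced by the identification unit
}

// Credential stands in for the CP-ABE authorization credential CT of the text:
// it carries the symmetric key k for one log and is consulted only after the audit.
type Credential struct {
	LogID string
	Key   []byte
}

// Store keeps both associations the text describes: index vector <-> encrypted
// log (first) and encrypted log <-> authorization credential (second).
type Store struct {
	Logs        map[string]StoredLog
	Credentials map[string]Credential
}

func NewStore() *Store {
	return &Store{Logs: map[string]StoredLog{}, Credentials: map[string]Credential{}}
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptAndStore is the encryption unit: a fresh 256-bit AES key per log,
// AES-GCM with a random nonce, and the log ID bound as associated data so a
// ciphertext cannot be silently re-labelled as a different log.
func (s *Store) EncryptAndStore(logID string, plaintext, index []byte) error {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(logID))
	s.Logs[logID] = StoredLog{Nonce: nonce, Ciphertext: ct, Index: index}
	s.Credentials[logID] = Credential{LogID: logID, Key: key}
	return nil
}

// AuditFunc is the access-right audit of the text (the CP-ABE check); it must
// return true only when the searcher's key information satisfies the credential.
type AuditFunc func(userID string, cred Credential) bool

// Decrypt is the decryption unit: the key is taken from the credential only
// after the audit passes, and GCM rejects any modified ciphertext or nonce.
func (s *Store) Decrypt(logID, userID string, audit AuditFunc) ([]byte, error) {
	entry, ok := s.Logs[logID]
	if !ok {
		return nil, errors.New("no encrypted log for " + logID)
	}
	cred, ok := s.Credentials[logID]
	if !ok {
		return nil, errors.New("no credential for " + logID)
	}
	if !audit(userID, cred) {
		return nil, errors.New("access denied for " + userID)
	}
	gcm, err := newGCM(cred.Key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, entry.Nonce, entry.Ciphertext, []byte(logID))
}

func main() {
	s := NewStore()
	// Constructed sample log and index vector.
	_ = s.EncryptAndStore("log-1", []byte("2020-07-28 sshd: failed login"), []byte{1, 0, 1})
	allowAuditor := func(user string, c Credential) bool { return user == "auditor" }
	pt, err := s.Decrypt("log-1", "auditor", allowAuditor)
	fmt.Printf("auditor: %q err=%v\n", pt, err)
	_, err = s.Decrypt("log-1", "intern", allowAuditor)
	fmt.Println("intern:", err)
}
```

Using an AEAD rather than a bare block mode gives the integrity property the text claims for stored logs: a ciphertext altered on the log server fails `gcm.Open` instead of decrypting to garbage, and binding the log ID as associated data stops one log's ciphertext from being presented under another log's index vector.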
It should be noted that, the log access apparatus provided in the embodiment of the present invention and the foregoing method belong to the same inventive concept, and the query vector and the index vector are obtained by transforming the accessed keyword information, the encrypted log is further obtained according to the first association relationship, and then the encrypted log can be decrypted to obtain the target log after obtaining the access right by searching the authentication information, so that the security of log information search can be effectively protected, and the log information is prevented from being accessed by an unauthorized user. The meaning of the nouns appearing in the aforementioned devices is described in detail in the aforementioned log access method, and will not be described herein again.
Embodiments of the present invention further provide a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the steps of the foregoing method embodiments, and the foregoing storage medium includes: a mobile storage device, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
An embodiment of the present invention further provides a log access device, including: a processor and a memory for storing a computer program capable of running on the processor, wherein the processor is configured to execute the steps of the above-described method embodiments stored in the memory when running the computer program.
Fig. 5 is a schematic diagram of the hardware structure of a log access device according to an embodiment of the present invention. The log access device 5 includes at least one processor 501 and a memory 502, and may optionally further include at least one communication interface 503. The components of the log access device 5 are coupled together through a bus system 504; it will be understood that the bus system 504 implements the connection and communication between these components. In addition to a data bus, the bus system 504 includes a power bus, a control bus and a status signal bus. For clarity of illustration, however, the various buses are labelled as bus system 504 in Fig. 5.
It will be appreciated that the memory 502 can be volatile memory, non-volatile memory, or both. The non-volatile memory may be a Read-Only Memory (ROM), a Programmable Read-Only Memory (PROM), an Erasable Programmable Read-Only Memory (EPROM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), a ferromagnetic random access memory (FRAM), a flash memory, a magnetic surface memory, an optical disc, or a Compact Disc Read-Only Memory (CD-ROM); the magnetic surface memory may be a disk memory or a tape memory. The volatile memory may be a Random Access Memory (RAM), which serves as an external cache. By way of illustration and not limitation, many forms of RAM are available, such as Static Random Access Memory (SRAM), Synchronous Static Random Access Memory (SSRAM), Dynamic Random Access Memory (DRAM), Synchronous Dynamic Random Access Memory (SDRAM), Double Data Rate Synchronous Dynamic Random Access Memory (DDRSDRAM), Enhanced Synchronous Dynamic Random Access Memory (ESDRAM), SyncLink Dynamic Random Access Memory (SLDRAM), and Direct Rambus Random Access Memory (DRRAM). The memory 502 described in connection with the embodiments of the invention is intended to comprise, without being limited to, these and any other suitable types of memory.
The memory 502 in the embodiment of the present invention is used to store various types of data to support the operation of the log access device 5. Examples of such data include: any computer program for operating on the log access device 5, such as transforming the keyword information, obtaining a query vector corresponding to the keyword information, and the like, may be included in the memory 502 to implement the method of the embodiment of the present invention.
The method disclosed by the above-mentioned embodiments of the present invention may be applied to the processor 501, or implemented by the processor 501. The processor may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method may be performed by integrated logic circuits of hardware in the processor or by instructions in the form of software. The processor may be a general purpose processor, a Digital Signal Processor (DSP), or another programmable logic device, discrete gate or transistor logic device, discrete hardware component, or the like. The processor may implement or perform the methods, steps, and logic blocks disclosed in the embodiments of the present invention. A general purpose processor may be a microprocessor or any conventional processor or the like. The steps of the method disclosed by the embodiments of the invention may be implemented directly by a hardware decoding processor, or by a combination of hardware and software modules in the decoding processor. The software modules may be located in a storage medium; the processor reads the information in the memory and, combined with the hardware, performs the steps of the method.
In an exemplary embodiment, the log access Device 5 may be implemented by one or more Application Specific Integrated Circuits (ASICs), DSPs, Programmable Logic Devices (PLDs), Complex Programmable Logic Devices (CPLDs), Field Programmable Gate Arrays (FPGAs), general purpose processors, controllers, Micro Controllers (MCUs), microprocessors (microprocessors), or other electronic components for performing the above-described methods.
In the embodiments provided in the present invention, it should be understood that the disclosed apparatus and method may be implemented in other ways. The above-described device embodiments are merely illustrative, for example, the division of the unit is only a logical functional division, and there may be other division ways in actual implementation, such as: multiple units or components may be combined, or may be integrated into another system, or some features may be omitted, or not implemented. In addition, the coupling, direct coupling or communication connection between the components shown or discussed may be through some interfaces, and the indirect coupling or communication connection between the devices or units may be electrical, mechanical or other forms. The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed on a plurality of network units; some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment. In addition, all the functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may be separately regarded as one unit, or two or more units may be integrated into one unit; the integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional unit.
The above description is only a preferred embodiment of the present invention, and is not intended to limit the scope of the present invention.

Claims (10)

1. A method of log access, the method comprising:
obtaining a log access request, wherein the log access request at least comprises search authentication information and keyword information;
converting the keyword information to obtain a query vector corresponding to the keyword information;
determining an index vector matched with the query vector, and obtaining an encryption log corresponding to the index vector based on a stored first incidence relation;
under the condition that the access authority is obtained based on the search authentication information, carrying out decryption processing on the encrypted log to obtain a target log; and the target log is a log matched with the log access request.
2. The method according to claim 1, wherein the transforming the keyword information to obtain a query vector corresponding to the keyword information comprises:
performing hash processing on the keyword information respectively based on a plurality of hash functions to obtain each hash value;
and mapping each hash value to a set bloom filter to obtain the query vector corresponding to the keyword information, wherein the number of the hash functions is not more than the bit number of the set bloom filter.
3. The method of claim 1, wherein determining the index vector that matches the query vector comprises:
determining the matching degree of the query vector and each stored index vector;
and determining the index vector with the matching degree meeting the preset threshold as the index vector matched with the query vector.
4. The method of claim 1, wherein the search authentication information at least includes user identification information and user key information, and wherein obtaining access rights based on the search authentication information comprises:
determining whether the user identification information is set identification information;
under the condition that the user identification information is the set identification information, obtaining authorization credential information corresponding to the encryption log based on a stored second association relation;
determining whether the user key information and the authorization credential information satisfy a set condition;
obtaining the access authority under the condition that the user key information and the authorization certificate information meet set conditions; the access right is used for indicating that the user has the right to access the encrypted log.
5. The method according to claim 4, wherein the decrypting the encrypted log to obtain a target log comprises:
obtaining key information corresponding to the encryption log based on the user key information and the authorization credential information; and carrying out decryption processing on the encrypted log based on the key information to obtain the target log.
6. The method of claim 1, wherein the keyword information comprises a plurality of sub-keyword information, each of the plurality of sub-keyword information being different, the method further comprising:
under the condition that the access authority is obtained based on the search authentication information, converting each piece of sub-keyword information in the plurality of pieces of sub-keyword information to obtain a sub-query vector corresponding to each piece of sub-keyword information;
determining sub-index vectors matched with each sub-query vector, and determining a sub-encryption log corresponding to each sub-index vector;
and obtaining a target log based on the sub-encryption log corresponding to each sub-index vector.
7. The method of claim 1, prior to obtaining the log access request, the method comprising:
receiving the target log sent by the first device, and encrypting the target log according to a set encryption mode to obtain an encrypted log;
identifying the keyword information corresponding to the target log, and determining an index vector corresponding to the keyword information;
and determining the incidence relation between the encryption log and the index vector, and storing the encryption log, the index vector and the incidence relation.
8. An apparatus for log access, the apparatus comprising: an obtaining unit, a transforming unit, a determining unit and a decrypting unit, wherein,
the obtaining unit is used for obtaining a log access request, and the log access request at least comprises search authentication information and keyword information;
the conversion unit is used for carrying out conversion processing on the keyword information to obtain a query vector corresponding to the keyword information;
the determining unit is used for determining an index vector matched with the query vector and obtaining an encryption log corresponding to the index vector based on a stored first incidence relation;
the decryption unit is used for decrypting the encrypted log to obtain a target log under the condition that the access authority is obtained based on the search authentication information; and the target log is a log matched with the log access request.
9. A computer-readable storage medium on which a computer program is stored, the computer program, when executed by a processor, carrying out the steps of the method of any one of claims 1 to 7.
10. A log access device, comprising a processor and a memory for storing a computer program operable on the processor, wherein the processor is configured to perform the steps of the method of any one of claims 1 to 7 when the computer program is executed.
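As an added illustration (not code from the patent, which discloses none), the following toy Python model walks through the storage step of claim 7 and the access flow of claims 1 and 8: each log is encrypted, every identified keyword is converted to a keyed index vector, the association is stored, and a request is served only when its search authentication information verifies, with several sub-keywords intersected as in claim 6. The HMAC-based tokens, the SHA-256 counter-mode cipher and the demo keys are assumptions standing in for the "conversion processing" and "set encryption mode" the claims leave unspecified.

```python
import hashlib
import hmac
import re
import secrets

# Constructed demo keys; a deployment would provision them from a KMS (assumption).
INDEX_KEY = b"demo-index-key"
DATA_KEY = b"demo-data-key"
AUTH_KEY = b"demo-auth-key"

def _keystream(key, nonce, n):
    # Toy SHA-256 counter-mode stream cipher standing in for the unspecified "set encryption mode"; use an AEAD in real code.
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def encrypt_log(plaintext):
    nonce = secrets.token_bytes(16)  # fresh per log, so identical logs encrypt differently
    return nonce + bytes(a ^ b for a, b in zip(plaintext, _keystream(DATA_KEY, nonce, len(plaintext))))

def decrypt_log(ciphertext):
    nonce, body = ciphertext[:16], ciphertext[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(DATA_KEY, nonce, len(body))))

def to_vector(keyword):
    # Keyed deterministic token: same keyword -> same vector at ingest and at query time; the keyword itself is never stored.
    return hmac.new(INDEX_KEY, keyword.lower().encode(), hashlib.sha256).digest()

def search_auth_token():
    # Search authentication information a legitimate requester presents (assumed HMAC over a fixed scope).
    return hmac.new(AUTH_KEY, b"log-read", hashlib.sha256).digest()

class LogStore:
    def __init__(self):
        self.encrypted = {}  # log_id -> encrypted log
        self.index = {}      # index vector -> set of log_ids (the stored association relationship)

    def ingest(self, log_id, target_log):
        self.encrypted[log_id] = encrypt_log(target_log.encode())
        for kw in set(re.findall(r"\w+", target_log)):  # keyword identification
            self.index.setdefault(to_vector(kw), set()).add(log_id)

    def access(self, auth, keywords):
        if not hmac.compare_digest(auth, search_auth_token()):
            raise PermissionError("search authentication failed")  # nothing is decrypted
        matched = None  # intersect the hits of each sub-keyword (claim 6)
        for kw in keywords:
            ids = self.index.get(to_vector(kw), set())
            matched = ids if matched is None else matched & ids
        return {i: decrypt_log(self.encrypted[i]).decode() for i in sorted(matched or ())}
```

Note that the store holds only ciphertext and keyed tokens, so a dump of its contents reveals neither log text nor the keywords that were indexed.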
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010739803.4A CN114003559A (en) 2020-07-28 2020-07-28 Log access method, device and equipment and computer readable storage medium

Publications (1)

Publication Number Publication Date
CN114003559A true CN114003559A (en) 2022-02-01

Family

ID=79920651

Country Status (1)

Country Link
CN (1) CN114003559A (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113746673A (en) * 2021-08-24 2021-12-03 济南浪潮数据技术有限公司 Method, device, equipment and medium for deploying bare metal server ipxe
CN113746673B (en) * 2021-08-24 2023-03-24 济南浪潮数据技术有限公司 Method, device, equipment and medium for deploying bare metal server ipxe
CN114697140A (en) * 2022-05-30 2022-07-01 云账户技术(天津)有限公司 Method and device for acquiring application log, electronic equipment and storage medium
CN116629804A (en) * 2023-06-06 2023-08-22 河北华正信息工程有限公司 Letters, interviews, supervision and tracking management system and management method
CN116629804B (en) * 2023-06-06 2024-01-09 河北华正信息工程有限公司 Letters, interviews, supervision and tracking management system and management method
CN117112549A (en) * 2023-10-20 2023-11-24 中科星图测控技术股份有限公司 Big data merging method based on bloom filter
CN117112549B (en) * 2023-10-20 2024-03-26 中科星图测控技术股份有限公司 Big data merging method based on bloom filter

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination