CN114221798A - Computer attack information storage method and device and electronic equipment - Google Patents


Info

Publication number: CN114221798A
Application number: CN202111487935.3A
Authority: CN (China)
Prior art keywords: log, block, storage, encrypted, storage area
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 宋丹成, 孙晋超
Current assignee: Beijing Antiy Network Technology Co Ltd
Original assignee: Beijing Antiy Network Technology Co Ltd
Application filed by Beijing Antiy Network Technology Co Ltd
Priority to CN202111487935.3A
Publication of CN114221798A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6209 Protecting access to data via a platform, e.g. using keys or access control rules to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2107 File encryption

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The embodiment of the invention discloses a computer attack information storage method, a computer attack information storage device and electronic equipment, and relates to the technical field of network security. The invention aims to solve the problem that an attack method cannot be reproduced because the target log file has been deleted. The computer attack information storage method comprises the following steps: monitoring a target log file stored in a local first storage area; acquiring a first log newly generated in the target log file; and encrypting the acquired first log by adopting a first encryption algorithm, and synchronizing the encrypted first log to a local second storage area for storage. The method is suitable for application scenarios in which computer attack information is stored.

Description

Computer attack information storage method and device and electronic equipment
Technical Field
The invention relates to the technical field of network security, and in particular to a computer attack information storage method, a computer attack information storage device and electronic equipment.
Background
Network security attack events may occur locally on a computer, with some of the disruptive activity being performed on the computer itself. After such an event occurs, in order to discover unknown, novel network attack behavior, understand the attacker's intention, and adopt targeted countermeasures to prioritize a large number of events, the attack event needs to be tracked and traced, and behaviors such as the attack technique need to be reproduced. However, when a network security attack event occurs on a computer, some of the log files, process behavior records and other information on the local computer may be deleted by the attacker, so that the attack source cannot be tracked and the attack method cannot be reproduced.
Disclosure of Invention
In view of this, embodiments of the present invention provide a method, an apparatus, and an electronic device for storing computer attack information, which reduce the possibility that an attack technique cannot be reproduced because a target log file is deleted.
In order to achieve the above purpose, the embodiment of the invention adopts the following technical scheme:
In a first aspect, an embodiment of the present invention provides a computer attack information storage method, including: monitoring a target log file stored in a local first storage area; acquiring a first log newly generated in the target log file; and encrypting the acquired first log by adopting a first encryption algorithm, and synchronizing the encrypted first log to a local second storage area for storage.
According to a specific implementation manner of the embodiment of the present invention, synchronizing the encrypted first log to the local second storage area for storage includes: synchronizing the encrypted first log to a first block in a local second storage area for storage; the first block is a block in a data linked list.
According to a specific implementation manner of the embodiment of the present invention, after synchronizing the encrypted first log to the first block in the local second storage area for saving, the method further includes: judging whether the data volume stored in the first block is larger than a preset threshold; if it is, encrypting the first block with a second encryption algorithm, establishing a second block in the data linked list of the second storage area, and storing the hash value formed after the first block is encrypted with the second encryption algorithm in the header area of the second block; acquiring a second log newly generated in the target log file; and encrypting the acquired second log with the first encryption algorithm and synchronizing the encrypted second log to the second block for storage.
According to a specific implementation manner of the embodiment of the present invention, after acquiring the first log newly generated in the target log file, the method further includes: synchronizing the encrypted first log to a preset storage area of at least one neighbor computer in a local area network where the local computer is located for storage; and/or synchronizing the encrypted first log to a remote server for storage.
According to a specific implementation manner of the embodiment of the present invention, after synchronizing the encrypted first log to the local second storage area for saving, the method further includes: sending a modification or deletion operation instruction of the first log stored in the second storage area to a remote server so that the remote server verifies the modification or deletion operation instruction; and receiving verification failure information returned by the remote server, and rejecting the modification operation or the deletion operation of the modification or deletion operation instruction.
In a second aspect, an embodiment of the present invention provides a computer attack information storage apparatus, including: the log file monitoring module is used for monitoring a target log file stored in a local first storage area; the log file acquisition module is used for acquiring a first log newly generated in the target log file; and the log file encryption module is used for encrypting the acquired first log by adopting a first encryption algorithm and synchronizing the encrypted first log to a local second storage area for storage.
According to a specific implementation manner of the embodiment of the present invention, the log file encryption module is specifically configured to synchronize the encrypted first log to a first block in a local second storage area for storage; the first block is a block in a data linked list.
According to a specific implementation manner of the embodiment of the present invention, the log file encryption module is further specifically configured to: judge whether the data volume stored in the first block is larger than a preset threshold; if it is, encrypt the first block with a second encryption algorithm, establish a second block in the data linked list of the second storage area, and store the hash value formed after the first block is encrypted with the second encryption algorithm in the header area of the second block; acquire a second log newly generated in the target log file; and encrypt the acquired second log with the first encryption algorithm and synchronize the encrypted second log to the second block for storage.
According to a specific implementation manner of the embodiment of the present invention, the apparatus further includes a log file synchronization module, which is specifically configured to: synchronizing the encrypted first log to a preset storage area of at least one neighbor computer in a local area network where the local computer is located for storage; and/or synchronizing the encrypted first log to a remote server for storage.
According to a specific implementation manner of the embodiment of the present invention, the apparatus further includes a remote confirmation module, which is specifically configured to: sending a modification or deletion operation instruction of the first log stored in the second storage area to a remote server so that the remote server verifies the modification or deletion operation instruction; and receiving verification failure information returned by the remote server, and rejecting the modification operation or the deletion operation of the modification or deletion operation instruction.
In a third aspect, an embodiment of the present invention provides an electronic device, where the electronic device includes: the electronic equipment comprises a shell, a processor, a memory, a circuit board and a power circuit, wherein the circuit board is arranged in a space enclosed by the shell, the processor and the memory are arranged on the circuit board, and the power circuit is used for supplying power to each circuit or device of the electronic equipment; the memory is used for storing executable program codes; the processor executes a program corresponding to the executable program code by reading the executable program code stored in the memory, for executing the data transfer method of any one of the foregoing first aspects.
In a fourth aspect, an embodiment of the present invention provides a computer-readable storage medium, which stores one or more programs that are executable by one or more processors to implement the data transmission method according to any one of the first aspects.
According to the computer attack information storage method, device, electronic equipment and storage medium described above, the first log of the target log file stored in the first storage area is encrypted, which increases the difficulty of identifying the target log file; the encrypted first log is synchronized to the second storage area for storage, so that the second storage area provides a bypass monitoring function; this increases the difficulty of destroying all copies of the target log file and reduces the possibility that an attack method cannot be reproduced because the target log file was deleted.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
FIG. 1 is a flow chart illustrating a computer attack information storage method according to an embodiment of the present invention;
FIG. 2 is a block diagram of an information storage device according to an embodiment of the present invention;
FIG. 3 is a block diagram of an electronic device according to an embodiment of the invention.
Detailed Description
Embodiments of the present invention will be described in detail below with reference to the accompanying drawings.
It should be understood that the described embodiments are only some embodiments of the invention, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Example one
Referring to fig. 1, an embodiment of the present invention provides a computer attack information storage method, including:
S01: monitoring the target log file stored in the local first storage area.
Local refers to the computer local (or client computer).
The first storage area is a preset storage area of the local storage hard disk.
A log file is a file that records the events that occur while an operating system or other software runs, or the messages exchanged between different users of communication software. The target log file is a log file that can be used to track the attack source and reproduce the attack method after a network security attack event occurs locally, such as a local system log or a process behavior record.
S02: acquiring a first log newly generated in the target log file.
S03: encrypting the acquired first log by adopting a first encryption algorithm, and synchronizing the encrypted first log to a local second storage area for storage.
Encrypting with the first encryption algorithm means encrypting the first log itself, so as to increase the difficulty of identifying the target log file. The first log may also be encrypted together with a local feature, so that the encrypted first log carries that local feature; when the encrypted first log is examined, it is then taken for a local system file, which further increases the difficulty of identifying the target log file.
The encryption by the first encryption algorithm may be compression followed by encryption, and the local feature may be, for example, a storage address, a system file or a common application file.
The embodiment of the invention provides a computer attack information storage method which encrypts the first log of the target log file stored in the first storage area, thereby increasing the difficulty of identifying the target log file, and synchronizes the encrypted first log to a second storage area for storage, thereby giving the second storage area a bypass monitoring function. This increases the difficulty of destroying all copies of the target log file and reduces the possibility that an attack method cannot be reproduced because the target log file was deleted.
In an embodiment, synchronizing the encrypted first log to the local second storage area for saving includes: synchronizing the encrypted first log to a first block in the local second storage area for storage; the first block is a block in a data linked list.
The specific process of synchronizing the encrypted first log to the first block in the local second storage area is as follows. After the operating system is deployed, a copy mapping for the key log files is configured manually and the copies are written into the second storage area; the copy files are automatically given attributes that make them non-deletable and non-modifiable, so that they can only be appended to. While the operating system runs, system logs are written to the ordinary partition as usual; at the same time, the copy file is compressed and encrypted and then automatically written into the data linked list partition for storage.
The second storage area is a data linked list obtained by partitioning the hard disk with a modified partitioning tool and integrating blockchain technology. Because a blockchain is transparent and readable, cannot be deleted and supports only update operations, the second storage area, which is essentially a data linked list built on the blockchain structure, has the same properties, which reduces the possibility that an attack method cannot be reproduced because the target log file was deleted.
In an embodiment, after synchronizing the encrypted first log to the first block in the local second storage area for saving, the method further includes: judging whether the data volume stored in the first block is larger than a preset threshold; if it is, encrypting the first block with a second encryption algorithm, establishing a second block in the data linked list of the second storage area, and storing the hash value formed after the first block is encrypted with the second encryption algorithm in the header area of the second block; acquiring a second log newly generated in the target log file; and encrypting the acquired second log with the first encryption algorithm and synchronizing the encrypted second log to the second block for storage.
The second log and the first log are both newly generated log entries of the target log file: the first log is the newly generated log that is stored in the first block of the second storage area, and the second log is the newly generated log that is stored in the second block of the second storage area. The preset threshold may be set manually.
Encrypting the first block with the second encryption algorithm may mean encrypting the first block itself, to increase the difficulty of identifying the first block. Furthermore, the first block may be encrypted together with a local feature, so that the encrypted first block carries that feature and, when examined, is taken for a local system file, which further increases the difficulty of identifying the first block.
The encryption with the second encryption algorithm may be compression followed by encryption, and the local feature may be, for example, a storage address, a system file or a common application file.
The multiple blocks that make up the data linked list may be non-contiguous and non-sequential in the physical storage structure. A hash value can be regarded as the digital fingerprint of the corresponding file, and a file can be uniquely determined through its hash value. Therefore, by storing the hash value of the encrypted first block in the header area of the second block, the second block and the first block, although non-contiguous and non-sequential in physical storage, form an ordered chain, so that a plurality of blocks constitute the second storage area.
In an embodiment, after acquiring the first log newly generated in the target log file, the method further includes: synchronizing the encrypted first log to a preset storage area of at least one neighbor computer in the local area network where the local computer is located for storage; and/or synchronizing the encrypted first log to a remote server for storage. Therefore, even if both the first log newly generated in the local target log file and the encrypted first log stored in the second storage area are deleted, tracing the source of the network security attack and reproducing it can still be carried out using the encrypted first log held in the preset storage area of at least one neighbor computer in the local area network and/or on the remote server, which reduces the possibility that the attack method cannot be reproduced because the target log file was deleted.
The preset storage area has the same structure as the second storage area: a data linked list formed from a plurality of blocks. The data linked list may be constructed using blockchain technology.
In an embodiment, after synchronizing the encrypted first log to the local second storage area for saving, the method further includes: sending a modification or deletion operation instruction for the first log stored in the second storage area to a remote server, so that the remote server verifies the instruction; and, on receiving verification failure information returned by the remote server, rejecting the modification or deletion operation requested by the instruction.
By sending the modification or deletion instruction to the remote server for verification, the difficulty of modifying or deleting the first log stored in the second storage area is increased, which further reduces the possibility that the attack method cannot be reproduced because the target log file was deleted.
In addition, in response to a specific request, the remote server may also return verification success information for the modification or deletion operation and allow the operation requested by the instruction; this is generally used to clear redundant files and release storage space once it has been determined that the target log file contains no information about network security attack behavior.
In an embodiment, after synchronizing the encrypted first log to the local second storage area for saving, the method further includes: acquiring the encrypted first log from the second storage area and decrypting it; and determining the behavior characteristics of the computer under attack based on the decrypted first log. By determining the behavior characteristics of the computer under attack, unknown, novel network attack behavior can be discovered, the intention of the attacker can be understood, and targeted countermeasures can be adopted to prioritize a large number of events.
Example two
Referring to fig. 2, an embodiment of the present invention provides a computer attack information storage apparatus, including: a log file monitoring module 201, configured to monitor a target log file stored in a local first storage area; a log file obtaining module 202, configured to obtain a first log newly generated in the target log file; and the log file encryption module 203 is configured to encrypt the acquired first log by using a first encryption algorithm, and synchronize the encrypted first log to a local second storage area for storage.
The embodiment of the invention provides a computer attack information storage device in which the first log of the target log file stored in the first storage area is encrypted by the log file encryption module 203, which increases the difficulty of identifying the target log file, and the encrypted first log is synchronized to a second storage area for storage, which gives the second storage area a bypass monitoring function. This increases the difficulty of destroying all copies of the target log file and reduces the possibility that an attack method cannot be reproduced because the target log file was deleted.
In an embodiment, the log file encryption module 203 is specifically configured to synchronize the encrypted first log to a first block in a local second storage area for storage; the first block is a block in a data linked list.
The second storage area is a data linked list composed of a plurality of blocks, which may be constructed using blockchain technology. Because a blockchain's content cannot be deleted or modified and only update operations are supported, the second storage area, which is essentially a data linked list built on the blockchain structure, has the same properties, which reduces the possibility that the attack method cannot be reproduced because the target log file was deleted.
In an embodiment, the log file encryption module 203 is further specifically configured to: judge whether the data volume stored in the first block is larger than a preset threshold; if it is, encrypt the first block with a second encryption algorithm, establish a second block in the data linked list of the second storage area, and store the hash value formed after the first block is encrypted with the second encryption algorithm in the header area of the second block; acquire a second log newly generated in the target log file; and encrypt the acquired second log with the first encryption algorithm and synchronize the encrypted second log to the second block for storage.
The multiple blocks that make up the data linked list may be non-contiguous and non-sequential in the physical storage structure. A hash value can be regarded as the digital fingerprint of the corresponding file, and a file can be uniquely determined through its hash value. Therefore, by storing the hash value of the encrypted first block in the header area of the second block, the second block and the first block form an ordered chain, so that a plurality of blocks constitute the second storage area.
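The threshold-based block sealing and hash chaining described in the method (S02/S03 and the first-block/second-block step) and restated here for the apparatus, as an added Python example that is not part of the patent. The cipher is a labelled stand-in for the unspecified first and second encryption algorithms, the threshold and the sample log lines are constructed, and `verify()` shows how removing an entry from a sealed block is detected.

```python
import hashlib
import hmac
import zlib
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed "preset threshold": bytes of encrypted entries an open block may hold.
BLOCK_THRESHOLD = 200
GENESIS_PREV_HASH = b"\x00" * 32


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher: XOR with an HMAC-SHA256 counter-mode keystream.
    Placeholder only; a deployment would use an authenticated cipher such as AES-GCM."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_entry(key: bytes, seq: int, line: str) -> bytes:
    """'First encryption algorithm': compress, then encrypt one new log line.
    The 8-byte sequence number doubles as the nonce and is stored in front."""
    nonce = seq.to_bytes(8, "big")
    return nonce + keystream_xor(key, nonce, zlib.compress(line.encode("utf-8")))


def decrypt_entry(key: bytes, blob: bytes) -> str:
    nonce, body = blob[:8], blob[8:]
    return zlib.decompress(keystream_xor(key, nonce, body)).decode("utf-8")


@dataclass
class Block:
    prev_hash: bytes                          # header: hash of the sealed previous block
    entries: List[bytes] = field(default_factory=list)
    sealed_hash: Optional[bytes] = None       # set once this block is closed

    def size(self) -> int:
        return sum(len(e) for e in self.entries)


def seal_hash(block_key: bytes, block: Block) -> bytes:
    """'Second encryption algorithm' over the whole block, then SHA-256 of the result.
    This hash of the encrypted block is what the next block's header records."""
    body = b"".join(len(e).to_bytes(4, "big") + e for e in block.entries)
    nonce = hashlib.sha256(block.prev_hash).digest()[:8]
    return hashlib.sha256(keystream_xor(block_key, nonce, zlib.compress(body))).digest()


class ChainedLogStore:
    """Append-only 'second storage area': blocks linked by hash, never rewritten."""

    def __init__(self, entry_key: bytes, block_key: bytes, threshold: int = BLOCK_THRESHOLD):
        self.entry_key, self.block_key, self.threshold = entry_key, block_key, threshold
        self.blocks: List[Block] = [Block(prev_hash=GENESIS_PREV_HASH)]
        self.seq = 0

    def append(self, line: str) -> None:
        """A newly generated log line is encrypted and synced to the open block."""
        self.seq += 1
        self.blocks[-1].entries.append(encrypt_entry(self.entry_key, self.seq, line))
        # Threshold check from the page: once the open block holds more than the preset
        # volume, seal it and open a new block whose header carries the sealed hash.
        if self.blocks[-1].size() > self.threshold:
            current = self.blocks[-1]
            current.sealed_hash = seal_hash(self.block_key, current)
            self.blocks.append(Block(prev_hash=current.sealed_hash))

    def verify(self) -> Tuple[bool, int]:
        """Recompute each sealed block's hash and compare it with the next header.
        Returns (ok, index) where index is the first failing block, or -1."""
        for i, block in enumerate(self.blocks[:-1]):
            expected = seal_hash(self.block_key, block)
            if block.sealed_hash != expected or self.blocks[i + 1].prev_hash != expected:
                return False, i
        return True, -1

    def read_all(self) -> List[str]:
        return [decrypt_entry(self.entry_key, e) for b in self.blocks for e in b.entries]


# Constructed sample lines in an auth-log style; not taken from the page.
SAMPLE_LINES = [
    "2021-12-01T10:00:01 sshd[412]: Accepted publickey for ops from 10.0.0.5",
    "2021-12-01T10:00:07 sudo: ops : COMMAND=/bin/cat /etc/shadow",
    "2021-12-01T10:00:09 kernel: audit: type=1400 exe=/tmp/.x action=execve",
    "2021-12-01T10:00:11 sshd[412]: Disconnected from user ops 10.0.0.5",
    "2021-12-01T10:00:15 cron[77]: (root) CMD (/tmp/.x --persist)",
    "2021-12-01T10:00:20 systemd: Started session 9 of user ops",
]


def build_store(lines=SAMPLE_LINES) -> ChainedLogStore:
    store = ChainedLogStore(entry_key=b"k" * 32, block_key=b"b" * 32)  # constructed keys
    for line in lines:
        store.append(line)
    return store


def tamper_demo() -> Tuple[bool, bool]:
    """Deleting an entry from a sealed block breaks the chain: (before, after)."""
    store = build_store()
    ok_before, _ = store.verify()
    store.blocks[0].entries.pop()          # attempt to erase a line from the first block
    ok_after, _ = store.verify()
    return ok_before, ok_after


if __name__ == "__main__":
    s = build_store()
    print(len(s.blocks), "blocks; chain valid:", s.verify(), "; tamper:", tamper_demo())
```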
In an embodiment, the system further includes a log file synchronization module, specifically configured to: synchronize the encrypted first log to a preset storage area of at least one neighbor computer in the local area network where the local computer is located for storage; and/or synchronize the encrypted first log to a remote server for storage.
Therefore, even if both the first log newly generated in the local target log file and the encrypted first log stored in the second storage area are deleted, tracing the source of the network security attack and reproducing it can still be carried out using the encrypted first log held in the preset storage area of at least one neighbor computer in the local area network and/or on the remote server, which reduces the possibility that the attack method cannot be reproduced because the target log file was deleted.
In an embodiment, the system further includes a remote confirmation module, specifically configured to: send a modification or deletion operation instruction for the first log stored in the second storage area to a remote server, so that the remote server verifies the instruction; and, on receiving verification failure information returned by the remote server, reject the modification or deletion operation requested by the instruction.
By sending the modification or deletion instruction to the remote server for verification, the difficulty of modifying or deleting the first log stored in the second storage area is increased, which further reduces the possibility that the attack method cannot be reproduced because the target log file was deleted. In addition, in response to a specific request, the remote server may also return verification success information for the modification or deletion operation and allow the operation requested by the instruction; this is generally used to clear redundant files and release storage space once it has been determined that the target log file contains no information about network security attack behavior.
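The remote verification exchange for modification or deletion instructions (described in the method and restated here for the remote confirmation module), as an added Python example that is not from the patent. Both sides are mocked in one process; the HMAC tag, the replay counter and the "reviewed as free of attack information" rule are assumptions the page does not spell out, and the block hashes are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Set

# Assumed shared secret between the local agent and the remote server (constructed).
SHARED_KEY = b"s" * 32


@dataclass
class DeleteInstruction:
    """The 'modification or deletion operation instruction' the client sends."""
    client_id: str
    block_hash: bytes   # sealed hash of the block the client wants to delete
    nonce: int          # monotonic counter (assumption) so a captured instruction cannot be replayed
    tag: bytes = b""    # HMAC over the fields above

    def message(self) -> bytes:
        return f"{self.client_id}|{self.nonce}|".encode() + self.block_hash

    def signed(self) -> "DeleteInstruction":
        self.tag = hmac.new(SHARED_KEY, self.message(), hashlib.sha256).digest()
        return self


class RemoteVerifier:
    """Remote-server side. Assumed policy (the page only says the server 'verifies'):
    approve only if the tag is valid, the nonce is fresh, the block was previously
    mirrored from this client, and a reviewer marked it as free of attack information."""

    def __init__(self) -> None:
        self.mirrored: Dict[str, Set[bytes]] = {}   # client -> block hashes synced earlier
        self.reviewed_clean: Set[bytes] = set()
        self.last_nonce: Dict[str, int] = {}

    def mirror(self, client_id: str, block_hash: bytes) -> None:
        self.mirrored.setdefault(client_id, set()).add(block_hash)

    def mark_clean(self, block_hash: bytes) -> None:
        self.reviewed_clean.add(block_hash)

    def verify(self, ins: DeleteInstruction) -> str:
        expected = hmac.new(SHARED_KEY, ins.message(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, ins.tag):
            return "FAIL:bad-signature"
        if ins.nonce <= self.last_nonce.get(ins.client_id, 0):
            return "FAIL:replay"
        self.last_nonce[ins.client_id] = ins.nonce
        if ins.block_hash not in self.mirrored.get(ins.client_id, set()):
            return "FAIL:unknown-block"
        if ins.block_hash not in self.reviewed_clean:
            return "FAIL:may-contain-attack-info"
        return "OK"


class LocalAgent:
    """Client side: a delete in the second storage area is carried out only after the
    remote server returns success; any failure message rejects it locally."""

    def __init__(self, client_id: str, verifier: RemoteVerifier) -> None:
        self.client_id, self.verifier, self.nonce = client_id, verifier, 0
        self.blocks: Dict[bytes, bytes] = {}   # block_hash -> sealed block content

    def request_delete(self, block_hash: bytes) -> bool:
        self.nonce += 1
        ins = DeleteInstruction(self.client_id, block_hash, self.nonce).signed()
        if self.verifier.verify(ins) != "OK":
            return False
        self.blocks.pop(block_hash, None)
        return True


def scenario() -> Dict[str, object]:
    """Constructed walk-through: one routine block, one block holding attack traces."""
    server = RemoteVerifier()
    agent = LocalAgent("host-A", server)
    clean = hashlib.sha256(b"constructed: block of routine entries").digest()
    suspect = hashlib.sha256(b"constructed: block with suspicious entries").digest()
    agent.blocks = {clean: b"<sealed>", suspect: b"<sealed>"}
    for h in agent.blocks:                 # earlier sync of the chain to the remote server
        server.mirror("host-A", h)
    server.mark_clean(clean)               # reviewer cleared only the routine block
    results: Dict[str, object] = {
        "delete_suspect": agent.request_delete(suspect),   # False: never cleared
        "delete_clean": agent.request_delete(clean),       # True
    }
    captured = DeleteInstruction("host-A", clean, 2).signed()        # copy of the approved one
    results["replay"] = server.verify(captured)                      # "FAIL:replay"
    results["forged"] = server.verify(DeleteInstruction("host-A", suspect, 9))  # no tag
    results["suspect_kept"] = suspect in agent.blocks
    return results
```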
Example three
Referring to fig. 3, an embodiment of the present invention provides an electronic device, including: the electronic equipment comprises a shell 301, a processor 302, a memory 303, a circuit board 304 and a power circuit 305, wherein the circuit board 304 is arranged inside a space enclosed by the shell 301, the processor 302 and the memory 303 are arranged on the circuit board 304, and the power circuit 305 is used for supplying power to each circuit or device of the electronic equipment; memory 303 is used to store executable program code; the processor 302 executes a program corresponding to the executable program code by reading the executable program code stored in the memory 303 for performing the data transfer method according to any of the preceding first aspects.
Example four
An embodiment of the present invention provides a computer-readable storage medium, which stores one or more programs, where the one or more programs are executable by one or more processors to implement the data transmission method described in any one of the first aspects.
The embodiments of the invention provide a computer attack information storage method, a computer attack information storage device and electronic equipment. Even if the operating system crashes and the hard disk is formatted, the log information to be protected cannot be deleted. Since the target log file is stored in an independent space of the hard disk in the form of a block chain, the target log file cannot be tampered with even if the hard disk is lost. When a security event occurs, the target log file can serve for tracking and tracing.
Here, the term block chain refers to a term of art in information technology. In essence it is a shared database, and the data or information stored in it has characteristics such as 'unforgeability', 'whole-course trace', 'traceability', 'public transparency' and 'collective maintenance'. Based on these characteristics, block chain technology lays a solid "trust" foundation. Black box: commonly known as the flight recorder, an instrument for recording aircraft flight and performance parameters. The information it records can be used to analyse a flight accident: the data and voice records captured before the crash can be fed into a flight simulator to reproduce the accident process and analyse its cause vividly. A storage device adopting the block chain architecture can likewise retain traces of the whole process: whether the computer is running locally or communicating over the network, the generated data can be highly compressed and stored in the form of a linked list. Even if the operating system crashes and the hard disk is formatted, the log will not be lost. In addition, the block chain architecture makes the data transparent: even if a hacker knows the storage path of the log file, the log cannot be deleted and data can only be added to the log file. Therefore the system, process and other key log files do not need to be backed up in real time, and network bandwidth can be saved.
Further, by redesigning the storage partition, the created storage area can automatically map the monitored files in the system.
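The block structure summarised above (new logs encrypted with the first encryption algorithm and appended to a block; once the block's data volume exceeds a threshold, the hash produced by the second encryption algorithm is placed in the head area of a newly created block) can be exercised end to end with the following Python example. It is an added illustration, not code from the patent or its applicant; it assumes SHA-256 as the block hash, an HMAC-SHA256 keystream as a stand-in for a real AEAD cipher such as AES-GCM (the standard library has none), a 150-byte threshold, and constructed sample log lines.

```python
"""Hash-chained second storage area modelled on the block scheme above.
Added example, not the patent's own code. Assumed (not on the page): SHA-256
as the block hash, an HMAC-SHA256 keystream standing in for a real AEAD cipher,
a byte threshold, and constructed sample log lines."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import List, Optional

GENESIS_HASH = b"\x00" * 32


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: XOR with HMAC-SHA256(key, nonce || counter)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


def encrypt_entry(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)          # fresh per entry; never reuse with the same key
    return nonce + _keystream_xor(key, nonce, plaintext)


def decrypt_entry(key: bytes, blob: bytes) -> bytes:
    return _keystream_xor(key, blob[:16], blob[16:])


@dataclass
class Block:
    prev_hash: bytes                                      # head area: hash of the sealed predecessor
    entries: List[bytes] = field(default_factory=list)   # encrypted first logs

    def size(self) -> int:
        return sum(len(e) for e in self.entries)

    def digest(self) -> bytes:
        """Hash over the head area and length-prefixed entries ("second encryption algorithm")."""
        h = hashlib.sha256(self.prev_hash)
        for e in self.entries:
            h.update(len(e).to_bytes(4, "big") + e)
        return h.digest()


class ChainedLogStore:
    """Append-only data link list of blocks: the local second storage area."""

    def __init__(self, key: bytes, threshold: int):
        self.key = key
        self.threshold = threshold
        self.blocks: List[Block] = [Block(prev_hash=GENESIS_HASH)]

    def append(self, log_line: bytes) -> int:
        """Encrypt and store a new log line; seal the block if it is now over the
        threshold. Returns the index of the block the line landed in."""
        cur = self.blocks[-1]
        cur.entries.append(encrypt_entry(self.key, log_line))
        idx = len(self.blocks) - 1
        if cur.size() > self.threshold:
            self.blocks.append(Block(prev_hash=cur.digest()))   # new block, head = hash of sealed one
        return idx

    def verify(self) -> Optional[int]:
        """Index of the first block whose head hash mismatches its predecessor, or None.
        The open tail block has no successor yet, so edits to it are not caught here."""
        if self.blocks[0].prev_hash != GENESIS_HASH:
            return 0
        for i in range(1, len(self.blocks)):
            if self.blocks[i].prev_hash != self.blocks[i - 1].digest():
                return i
        return None

    def read_all(self) -> List[bytes]:
        return [decrypt_entry(self.key, e) for b in self.blocks for e in b.entries]


# Constructed sample log lines (RFC 5737 test address); not from the page.
SAMPLE_LINES = [
    b"2021-12-07T10:00:01 sshd[412]: Failed password for root from 192.0.2.10 port 5022",
    b"2021-12-07T10:00:02 sshd[412]: Failed password for root from 192.0.2.10 port 5023",
    b"2021-12-07T10:00:05 sshd[415]: Accepted password for root from 192.0.2.10 port 5024",
    b"2021-12-07T10:00:09 sudo: root : TTY=pts/0 ; COMMAND=/usr/sbin/useradd svc-backup",
]


def build_sample_store(threshold: int = 150) -> ChainedLogStore:
    store = ChainedLogStore(key=os.urandom(32), threshold=threshold)
    for line in SAMPLE_LINES:
        store.append(line)
    return store


def tamper_first_block(store: ChainedLogStore) -> Optional[int]:
    """Overwrite one sealed entry in place (same length) and report where verification breaks."""
    store.blocks[0].entries[0] = bytes(len(store.blocks[0].entries[0]))
    return store.verify()


if __name__ == "__main__":
    s = build_sample_store()
    print("blocks:", len(s.blocks), "intact:", s.verify() is None)
    print("after tamper, first bad block:", tamper_first_block(s))
```

Two points a practitioner should take from this: the chain detects tampering with sealed blocks rather than preventing it, and the block currently being filled is unprotected until its hash lands in the next head area, which is why the neighbour-computer and remote-server synchronisation in the embodiments matters for the tail of the log.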
It should be noted that, in this document, the emphasis points of the solutions described in the embodiments are different, but there is a certain correlation between the embodiments, and in understanding the solution of the present invention, the embodiments may be referred to each other; moreover, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The above description is only for the specific embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (12)

1. A computer attack information storage method, comprising: monitoring a target log file stored in a local first storage area;
acquiring a first log newly generated in the target log file;
and encrypting the acquired first log by adopting a first encryption algorithm, and synchronizing the encrypted first log to a local second storage area for storage.
2. The computer attack information storage method according to claim 1, wherein the synchronizing the encrypted first log to a local second storage area for storage includes:
synchronizing the encrypted first log to a first block in a local second storage area for storage; the first block is a block in a data link list.
3. The computer attack information storage method according to claim 2, wherein after synchronizing the encrypted first log to the first block in the local second storage area for saving, the method further comprises:
judging whether the data volume stored in the first block is larger than a preset threshold value or not;
if the data volume stored in the first block is larger than a preset threshold value, encrypting the first block by adopting a second encryption algorithm, establishing a second block in the data chain table of the second storage area, and storing a hash value formed after the first block is encrypted by adopting the second encryption algorithm in a head area of the second block;
acquiring a second log newly generated in the target log file;
and encrypting the acquired second log by adopting the first encryption algorithm, and synchronizing the encrypted second log to the second block for storage.
4. The computer attack information storage method according to claim 1, wherein after acquiring the first log newly generated in the target log file, the method further comprises:
synchronizing the encrypted first log to a preset storage area of at least one neighbor computer in a local area network where the local computer is located for storage; and/or
and synchronizing the encrypted first log to a remote server for storage.
5. The computer attack information storage method according to claim 1, wherein after synchronizing the encrypted first log to a local second storage area for saving, the method further comprises:
sending a modification or deletion operation instruction of the first log stored in the second storage area to a remote server so that the remote server verifies the modification or deletion operation instruction;
and receiving verification failure information returned by the remote server, and rejecting the modification operation or the deletion operation of the modification or deletion operation instruction.
6. A computer attack information storage apparatus, comprising:
the log file monitoring module is used for monitoring a target log file stored in a local first storage area;
the log file acquisition module is used for acquiring a first log newly generated in the target log file;
and the log file encryption module is used for encrypting the acquired first log by adopting a first encryption algorithm and synchronizing the encrypted first log to a local second storage area for storage.
7. The computer attack information storage device according to claim 6, wherein the log file encryption module is specifically configured to synchronize the encrypted first log to a first block in a local second storage area for storage; the first block is a block in a data link list.
8. The computer attack information storage apparatus according to claim 7, wherein the log file encryption module is further configured to:
judging whether the data volume stored in the first block is larger than a preset threshold value or not;
if the data volume stored in the first block is larger than a preset threshold value, encrypting the first block by adopting a second encryption algorithm, establishing a second block in the data chain table of the second storage area, and storing a hash value formed after the first block is encrypted by adopting the second encryption algorithm in a head area of the second block;
acquiring a second log newly generated in the target log file;
and encrypting the acquired second log by adopting the first encryption algorithm, and synchronizing the encrypted second log to the second block for storage.
9. The computer attack information storage apparatus according to claim 1, further comprising a log file synchronization module, specifically configured to:
synchronizing the encrypted first log to a preset storage area of at least one neighbor computer in a local area network where the local computer is located for storage; and/or
and synchronizing the encrypted first log to a remote server for storage.
10. The computer attack information storage device of claim 1, further comprising a remote validation module, specifically configured to:
sending a modification or deletion operation instruction of the first log stored in the second storage area to a remote server so that the remote server verifies the modification or deletion operation instruction;
and receiving verification failure information returned by the remote server, and rejecting the modification operation or the deletion operation of the modification or deletion operation instruction.
11. An electronic device, characterized in that the electronic device comprises a shell, a processor, a memory, a circuit board and a power circuit, wherein the circuit board is arranged in a space enclosed by the shell, the processor and the memory are arranged on the circuit board, and the power circuit is used for supplying power to each circuit or device of the electronic device; the memory is used for storing executable program code; and the processor executes a program corresponding to the executable program code by reading the executable program code stored in the memory, for performing the data transfer method of any one of the preceding claims 1-5.
12. A computer-readable storage medium, characterized in that the computer-readable storage medium stores one or more programs which are executable by one or more processors to implement the data transfer method of any one of claims 1-5.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111487935.3A CN114221798A (en) 2021-12-07 2021-12-07 Computer attack information storage method and device and electronic equipment

Publications (1)

Publication Number Publication Date
CN114221798A true CN114221798A (en) 2022-03-22

Family

ID=80700255

Country Status (1)

Country Link
CN (1) CN114221798A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination