CN115310139A - File monitoring and early warning system, method, computing equipment and computer storage medium - Google Patents


Info

Publication number
CN115310139A
Authority
CN
China
Prior art keywords
file
module
risk
tampered
early warning
Legal status
Pending
Application number
CN202110489825.4A
Other languages
Chinese (zh)
Inventor
姜书敏
殷旭
赵培
向中秋
周兴围
蒲伯巍
刘立卫
周胜
高鹏
Current Assignee
China Mobile Communications Group Co Ltd
China Mobile Group Design Institute Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Group Design Institute Co Ltd

Classifications

    • G PHYSICS
        • G06 COMPUTING; CALCULATING OR COUNTING
            • G06F ELECTRIC DIGITAL DATA PROCESSING
                • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
                    • G06F21/60 Protecting data
                        • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
                        • G06F21/602 Providing cryptographic facilities or services
                • G06F11/00 Error detection; Error correction; Monitoring
                    • G06F11/07 Responding to the occurrence of a fault, e.g. fault tolerance
                        • G06F11/14 Error detection or correction of the data by redundancy in operation
                            • G06F11/1402 Saving, restoring, recovering or retrying
                                • G06F11/1446 Point-in-time backing up or restoration of persistent data
                                    • G06F11/1448 Management of the data involved in backup or backup restore
                • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
                    • G06F16/10 File systems; File servers
                        • G06F16/17 Details of further file system functions
                            • G06F16/178 Techniques for file synchronisation in file systems
            • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
                • G06N20/00 Machine learning
                • G06N3/00 Computing arrangements based on biological models
                    • G06N3/02 Neural networks
                        • G06N3/08 Learning methods

Abstract

The invention discloses a file monitoring and early warning system, method, computing device and computer storage medium. The system comprises: an index acquisition module adapted to acquire file tampering risk early warning indicators at multiple levels; a machine learning module adapted to train a risk prediction model from those multi-level indicators, the risk prediction model being used to evaluate a file's tampered-risk value and, if that value exceeds a preset value, to send an early warning trigger instruction to the early warning module; and an early warning module adapted to back up the files whose tampered-risk value exceeds the preset value and to call the anti-tampering module to monitor those files according to a first monitoring rule. In this way, the risk of a file being tampered with can be evaluated in advance, files with a high tampered-risk value are backed up in time so that tampering can be dealt with, and those files receive focused monitoring so that any abnormal operation on them is discovered promptly.

Description

File monitoring and early warning system, method, computing equipment and computer storage medium
Technical Field
The invention relates to the technical field of data processing, in particular to a file monitoring and early warning system, a file monitoring and early warning method, computing equipment and a computer storage medium.
Background
With the rapid development of information science and internet technology, security problems are becoming more serious, and the security of file contents is particularly important. File tampering under Linux systems is common. In the prior art, file monitoring systems mostly use a passive alerting model: the system raises an alert only after a file has been tampered with, and operations and maintenance staff then apply a remedy; which files are at risk of being tampered with cannot be analysed in advance. As requirements for file information security rise, this passive monitoring and alerting approach can no longer satisfy the requirements for integrity and accuracy of file data.
Disclosure of Invention
In view of the above, the present invention provides a file monitoring and early warning system, method, computing device and computer storage medium that overcome, or at least partially address, the problems identified above.
According to one aspect of the invention, a file monitoring and early warning system is provided, comprising an index acquisition module, a machine learning module, an early warning module and an anti-tampering module;
the index acquisition module is adapted to acquire file tampering risk early warning indicators at multiple levels from historical log information, the multiple levels comprising a server level, a file level and an encryption level;
the machine learning module is adapted to train a risk prediction model from the multi-level file tampering risk early warning indicators, the risk prediction model being used to evaluate a file's tampered risk value and, if the file's tampered risk value exceeds a preset value, to send an early warning trigger instruction to the early warning module;
and the early warning module is adapted, after receiving the early warning trigger instruction, to back up the files whose tampered risk value exceeds the preset value and to call the anti-tampering module to monitor those files according to a first monitoring rule.
Optionally, the server-level file tampering risk early warning indicators include one or more of:
the user who created the file, security information of the server on which the file resides, network information of that server, operating-system information of that server, the server's remote login mode, whether the server has a weak-password problem, and the file size;
the file-level file tampering risk early warning indicators include one or more of:
the file type, the file's basic attributes, the number of historical modifications of the file, and the time of the most recent modification;
the encryption-level file tampering risk early warning indicators include one or more of:
whether the file is encrypted, and whether access to the file is subject to permission control.
Optionally, the system further comprises: the device comprises a file backup module, a log module, a monitoring module and a rollback module;
the tamper-resistant module is further adapted to: monitoring abnormal operation of the files in the appointed directory according to a second monitoring rule, recording abnormal operation logs of the files when the abnormal operation is monitored, and providing the abnormal operation logs to a log module;
the file backup module is suitable for synchronously backing up files in the server through a timing task;
the log module is suitable for recording all newly added file logs under the specified directory, abnormal operation logs provided by the tamper-resistant module and early warning logs provided by the machine learning module; identifying abnormal keywords in the recorded log, and sending abnormal log information corresponding to the abnormal keywords to the monitoring module;
the monitoring module is suitable for receiving the abnormal log information sent by the log module and sending a rollback triggering instruction carrying the abnormal log information to the rollback module;
and the rollback module is suitable for analyzing the abnormal log information to determine a tampered file list after receiving a rollback triggering instruction sent by the monitoring module, acquiring a backup file backed up by the file backup module and corresponding to the tampered file list, and recovering the tampered file according to the acquired backup file.
Optionally, the system further comprises: an alarm module;
the monitoring module is further adapted to: sending an alarm triggering instruction carrying abnormal log information to an alarm module according to an alarm mechanism;
and the alarm module is suitable for sending an abnormal notice to the management terminal after receiving the alarm triggering instruction sent by the monitoring module.
Optionally, the file backup module is further adapted to: at least two different versions of the file backup are maintained for the file.
Optionally, the tamper-resistant module is further adapted to: determine the designated directory to be monitored in response to file monitoring requirement information.
According to another aspect of the invention, a file monitoring and early warning method is provided, which comprises the following steps:
acquiring file tampering risk early warning indexes of multiple levels from historical log information, wherein the multiple levels comprise a server level, a file level and an encryption level;
training to obtain a risk prediction model according to the file tampering risk early warning indexes of multiple levels, and evaluating a tampered risk value of the file by using the risk prediction model;
if the tampered risk value of the file exceeds the preset value, the file with the tampered risk value exceeding the preset value is backed up, and the file with the tampered risk value exceeding the preset value is monitored according to the first monitoring rule.
Optionally, the server-level file tampering risk early warning indicators include one or more of:
the user who created the file, security information of the server on which the file resides, network information of that server, operating-system information of that server, the server's remote login mode, whether the server has a weak-password problem, and the file size;
the file-level file tampering risk early warning indicators include one or more of:
the file type, the file's basic attributes, the number of historical modifications of the file, and the time of the most recent modification;
the encryption-level file tampering risk early warning indicators include one or more of:
whether the file is encrypted, and whether access to the file is subject to permission control.
Optionally, the method further comprises:
monitoring abnormal operation of the files in the appointed directory according to a second monitoring rule, and recording abnormal operation logs of the files when the abnormal operation is monitored;
synchronously backing up files in a server through a timing task;
recording all newly added file logs, abnormal operation logs and early warning logs under an appointed directory, and identifying abnormal keywords in the recorded logs;
analyzing abnormal log information corresponding to the abnormal keywords, determining a tampered file list, acquiring a backup file corresponding to the tampered file list, and recovering the tampered file according to the acquired backup file.
Optionally, the method further comprises: and after the abnormal log information corresponding to the abnormal keyword is determined, an abnormal notice is sent to the management terminal.
Optionally, the performing synchronous backup on the file in the server through the timing task further includes: at least two different versions of the file backup are maintained for the file.
Optionally, the method further comprises: and determining the specified directory to be monitored in response to the file monitoring requirement information.
According to yet another aspect of the present invention, there is provided a computing device comprising: the system comprises a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface complete mutual communication through the communication bus;
the memory is suitable for storing at least one executable instruction, and the executable instruction enables the processor to execute the operation corresponding to the file monitoring and early warning method.
According to still another aspect of the present invention, a computer storage medium is provided, where at least one executable instruction is stored in the storage medium, and the executable instruction causes a processor to perform an operation corresponding to the file monitoring and early warning method.
The file monitoring and early warning system comprises: the system comprises an index acquisition module, a machine learning module, an early warning module and an anti-tampering module; the index acquisition module is suitable for acquiring file tampering risk early warning indexes of multiple levels from historical log information, wherein the multiple levels comprise a server level, a file level and an encryption level; the machine learning module is suitable for training to obtain a risk prediction model according to the file tampering risk early warning indexes of multiple levels, the risk prediction model is used for evaluating a tampered risk value of the file, and if the tampered risk value of the file exceeds a preset value, an early warning trigger instruction is sent to the early warning module; and the early warning module is suitable for performing file backup on the files with the tampered risk values exceeding the preset value after receiving the early warning trigger instruction, and calling the anti-tampering module to monitor the files with the tampered risk values exceeding the preset value according to the first monitoring rule. By the method, the risk value of the file being tampered can be evaluated in advance by establishing the file tampering risk early warning analysis index system and conducting machine learning to construct the prediction model based on the indexes, the file with the high tampered risk value is backed up in time to deal with the condition that the file is tampered, and the file with the high tampered risk value is monitored in a key mode so that whether the file triggers abnormal operation or not can be found in time.
The foregoing description is only an overview of the technical solutions of the present invention, and the embodiments of the present invention are described below in order to make the technical means of the present invention more clearly understood and to make the above and other objects, features, and advantages of the present invention more clearly understandable.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
fig. 1 shows a schematic structural diagram of a document monitoring and early warning system provided in an embodiment of the present invention;
FIG. 2 is a schematic structural diagram of a document monitoring and warning system according to another embodiment of the present invention;
FIG. 3 is a flowchart illustrating a document monitoring and warning method according to another embodiment of the present invention;
FIG. 4 is a schematic diagram showing a neural network in the embodiment of the present invention;
fig. 5 is a schematic structural diagram of a computing device provided by an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present invention will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the invention are shown in the drawings, it should be understood that the invention can be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art.
Fig. 1 shows a schematic structural diagram of a file monitoring and early warning system provided in an embodiment of the present invention. As shown in fig. 1, the system includes: an index acquisition module 11, a machine learning module 12, an early warning module 13 and an anti-tampering module 14.
The index obtaining module 11 is adapted to obtain multiple levels of file tampering risk early warning indexes from the historical log information, where the multiple levels include a server level index, a file level index, and an encryption level index.
The multiple levels correspond to multiple dimensions: an indicator system is built from the server level, the file level and the encryption level. Server-level indicators consider the risk of file tampering from the security of the server; file-level indicators consider it from the file's attributes and its history of modification; encryption-level indicators consider it from whether the file is encrypted and whether access to it is permission-controlled. Some of the acquired indicators are negatively correlated with tampering risk: for the indicator of whether the file is encrypted, for example, the harder the encryption algorithm is to break, the higher the file's security and the lower the likelihood that the file is tampered with. Others are positively correlated with tampering risk: a weak server password, for example, where the simpler the server login password, the greater the likelihood that the file is tampered with.
The machine learning module 12 is adapted to train to obtain a risk prediction model according to the multiple levels of file tampering risk early warning indicators, evaluate a tampered risk value of the file by using the risk prediction model, and send an early warning trigger instruction to the early warning module 13 if the tampered risk value of the file exceeds a predetermined value.
Based on a neural network, the acquired multi-level file tampering risk early warning indexes are used as training samples, and a risk prediction model for evaluating the likelihood of file tampering is obtained by training. The indicator data of a file to be predicted are then acquired and input to the risk prediction model, which computes and outputs the file's tampered risk value. If that value exceeds the predetermined value, an early warning trigger instruction is sent to the early warning module 13.
The early warning module 13 is adapted to backup files with tampered risk values exceeding a predetermined value after receiving the early warning trigger instruction, and call the tamper-resistant module 14 to monitor the files with tampered risk values exceeding the predetermined value according to the first monitoring rule.
After receiving the early warning trigger instruction sent by the machine learning module 12, the early warning module 13 performs early warning processing on the file whose tampered risk value exceeds the predetermined value. On one hand, it synchronously backs up the early-warning file (that is, the file whose tampered risk value exceeds the predetermined value), so that if the file is later tampered with, the original can be retrieved from the backup. On the other hand, it calls the tamper-proof module 14 to perform focused monitoring of the early-warning file and watch for abnormal operations on it. The first monitoring rule is a monitoring rule for files with a higher tampered risk; compared with the conventional monitoring rule, it monitors such files more intensively, in more detail and more promptly.
According to the file monitoring and early warning system provided by the embodiment, the index acquisition module acquires file tampering risk early warning indexes at a server level, a file level and an encryption level from historical log information, the machine learning module trains to obtain a risk prediction model according to the file tampering risk early warning indexes at multiple levels, the risk prediction model is used for evaluating a tampered risk value of a file, and if the tampered risk value of the file exceeds a preset value, an early warning trigger instruction is sent to the early warning module; after the early warning module receives the early warning trigger instruction, file backup is carried out on the files with the tampered risk values exceeding the preset value, and the anti-tampering module is called to monitor the files with the tampered risk values exceeding the preset value. By the method, the risk value of the file being tampered can be evaluated in advance by establishing the file tampering risk early warning analysis index system and conducting machine learning to construct the prediction model based on the indexes, the file with the high tampered risk value is backed up in time to deal with the situation that the file is tampered, and the file with the high tampered risk value is monitored in a key mode so that whether the file triggers abnormal operation or not can be found in time.
Fig. 2 shows a schematic structural diagram of a file monitoring and early warning system according to another embodiment of the present invention. As shown in fig. 2, the system includes: a tamper-proof module 21, a file backup module 22, a log module 23, a monitoring module 24, a rollback module 25, an alarm module 26, an index acquisition module 27, a machine learning module 28 and an early warning module 29.
The file monitoring and early warning system of the embodiment provides a file monitoring function and a file rollback function, and is specifically realized through the following modules:
and the tamper-proof module 21 is suitable for monitoring abnormal operation of the file in the specified directory according to a second monitoring rule, recording an abnormal operation log of the file when the abnormal operation is monitored, and providing the abnormal operation log to the log module.
The tamper-resistant module determines the specified directory to be monitored in response to the file monitoring requirement information, where the file monitoring requirement information may be configured by a user or may be configured automatically by a system, which is not limited in the present invention.
In an optional mode, the tamper-resistant module is implemented with a general-purpose file monitoring service component that monitors abnormal add, delete and change operations on files under the specified directory. When an abnormal operation is detected, it is written to the abnormal operation log, and the log data is synchronised to the log module in real time so that the log module can read and analyse it. The first and second monitoring rules differ: the first rule monitors more intensively, in more detail and more promptly, so that abnormal operations on high-risk files are caught in time. The anti-tampering module can therefore monitor files at different granularities.
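The patent does not say what the two monitoring rules actually check, only that the first is stricter and more timely than the second. The following Python sketch is an added example, not code from the patent or its assignee, of one way to realise a baseline-and-rescan tamper monitor with two rule strengths: a general rule that tracks content and size, and an intensive rule that also tracks permission bits, owner and modification time. The rule definitions, record layout and the `demo()` scenario are assumptions for illustration, and the permission check assumes POSIX mode bits.

```python
import hashlib
import json
import os
import shutil
import stat
import tempfile
import time

# Assumed content of the two rules; a real deployment would load these from configuration.
RULES = {
    "general":   {"track": ("sha256", "size"), "interval_s": 300},                                # second rule
    "intensive": {"track": ("sha256", "size", "mode", "uid", "gid", "mtime"), "interval_s": 10},  # first rule
}


def fingerprint(path, track):
    """Collect the attributes a rule tracks for one regular file."""
    st = os.lstat(path)
    fp = {}
    if "sha256" in track:
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        fp["sha256"] = h.hexdigest()
    if "size" in track:
        fp["size"] = st.st_size
    if "mode" in track:
        fp["mode"] = stat.S_IMODE(st.st_mode)   # permission bits only
    if "uid" in track:
        fp["uid"] = st.st_uid
    if "gid" in track:
        fp["gid"] = st.st_gid
    if "mtime" in track:
        fp["mtime"] = st.st_mtime_ns
    return fp


def snapshot(root, rule):
    """Baseline of every regular file under root; symlinks and special files are skipped."""
    track = RULES[rule]["track"]
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            if stat.S_ISREG(os.lstat(p).st_mode):
                snap[os.path.relpath(p, root)] = fingerprint(p, track)
    return snap


def diff(old, new, root, rule):
    """Compare two snapshots and return abnormal-operation records (add/delete/change)."""
    ts = time.strftime("%Y-%m-%dT%H:%M:%S")
    events = []
    for rel in sorted(set(old) | set(new)):
        if rel not in old:
            op, changed = "ADDED", []
        elif rel not in new:
            op, changed = "DELETED", []
        elif old[rel] != new[rel]:
            op = "MODIFIED"
            changed = [k for k in new[rel] if old[rel].get(k) != new[rel][k]]
        else:
            continue
        events.append({"time": ts, "rule": rule, "op": op,
                       "path": os.path.join(root, rel), "changed": changed})
    return events


def to_log_line(event):
    """One JSON object per line, so the log module can filter on the op keyword."""
    return json.dumps(event, sort_keys=True)


def demo():
    """Constructed scenario: a secrets file made world-readable is invisible to the
    general rule but caught by the intensive rule; a content change and a deletion
    are caught by both. Runs in a throwaway directory."""
    root = tempfile.mkdtemp(prefix="fim-")
    try:
        target = os.path.join(root, "app.conf")
        with open(target, "w") as f:
            f.write("db_password=secret\n")
        os.chmod(target, 0o600)
        base = {r: snapshot(root, r) for r in RULES}

        os.chmod(target, 0o644)                          # metadata-only change
        chmod = {r: diff(base[r], snapshot(root, r), root, r) for r in RULES}

        with open(target, "w") as f:                     # content change
            f.write("db_password=secret\nadmin=attacker\n")
        content = diff(base["general"], snapshot(root, "general"), root, "general")

        os.remove(target)
        deleted = diff(base["general"], snapshot(root, "general"), root, "general")
        return {"chmod": chmod, "content": content, "deleted": deleted}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    r = demo()
    for e in r["chmod"]["intensive"] + r["content"] + r["deleted"]:
        print(to_log_line(e))
```

The point of the scenario is the first event: a secrets file silently becoming world-readable is a tampering precursor the general (content-only) rule never reports, while the intensive rule applied to high-risk files reports it with `"changed": ["mode"]`. Each record is emitted as one JSON line so a downstream log filter can key on the `op` field rather than on free text.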
And the file backup module 22 is suitable for synchronously backing up the files in the server through a timing task.
To restore a tampered file promptly after tampering, the files on the server must be backed up synchronously. In an optional mode, the file backup module uses a general-purpose scheduled-task component to perform the synchronous backup at fixed intervals.
Specifically, at least two different backup versions are retained for each file, so that an earlier clean version remains available if the most recent synchronous backup was itself taken after the file had been tampered with.
The log module 23 is adapted to record all newly added file logs under the specified directory, abnormal operation logs provided by the tamper-resistant module and early warning logs provided by the machine learning module; and identifying abnormal keywords in the recorded log, and sending abnormal log information corresponding to the abnormal keywords to the monitoring module.
The log module records different types of logs, including all newly added file operation logs under a specified directory, abnormal operation logs recorded by the tamper-resistant module and early warning logs recorded by the machine learning module. Then, identifying abnormal keywords in the recorded log, wherein the abnormal keywords comprise keywords related to file modification operation, deletion operation and other tampering operations, and then sending abnormal log information corresponding to the abnormal keywords, namely the abnormal log information containing the abnormal keywords to the monitoring module.
In an optional mode, the log module further includes a general-purpose log audit submodule with read and filter functions that filters the abnormal keywords out of the logs; specifically, the logs can be filtered with an ELK stack (Elasticsearch, Logstash, Kibana) to watch for file tampering operations, and the abnormal log information that matches is forwarded to the monitoring module.
The monitoring module 24 is adapted to receive the abnormal log information sent by the log module and send a rollback triggering instruction carrying the abnormal log information to the rollback module; and issuing an alarm triggering instruction carrying abnormal log information to an alarm module according to an alarm mechanism.
After receiving the abnormal log information sent by the log module, the monitoring module triggers the rollback module to execute file rollback processing and, at the same time, triggers the alarm module to execute alarm processing; specifically, Zabbix can be used to raise the alert and trigger the alarm module.
The rollback module 25 is adapted to, after receiving the rollback trigger instruction sent by the monitoring module, analyze the abnormal log information to determine the tampered file list, obtain a backup file backed up by the file backup module and corresponding to the tampered file list, and restore the tampered file according to the obtained backup file.
After receiving the rollback trigger instruction sent by the monitoring module, the rollback module parses the abnormal log information, determines the list of tampered files, obtains the corresponding backup files from the file backup module, and restores the files from those backups. In this way, by backing files up in advance and detecting when a file is tampered with, the system of this embodiment can restore a tampered file promptly from its backup.
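The backup, log-filtering and rollback steps above interact in one way the text only hints at: a scheduled backup that runs after the tampering captures the tampered content, which is exactly why the patent keeps at least two versions. The following Python sketch is an added example, not code from the patent or its assignee, of a versioned backup store, a keyword filter over JSON-line abnormal logs that yields the tampered file list, and a rollback that restores from the newest version whose content differs from what is on disk. The store layout, the `ABNORMAL_KEYWORDS` list, the `demo()` scenario and the decision to re-back-up after a restore are assumptions for illustration.

```python
import hashlib
import json
import os
import shutil
import tempfile

KEEP_VERSIONS = 2                                # patent: at least two versions per file
ABNORMAL_KEYWORDS = ("MODIFIED", "DELETED")      # assumed keywords the log module filters on


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class BackupStore:
    """Versioned copies under store_root/<sha256(path)>/NNNNNN.bak plus .json metadata."""

    def __init__(self, store_root):
        self.root = store_root
        os.makedirs(store_root, exist_ok=True)

    def _slot(self, path):
        return os.path.join(self.root, hashlib.sha256(path.encode()).hexdigest())

    def versions(self, path):
        slot = self._slot(path)
        if not os.path.isdir(slot):
            return []
        metas = []
        for name in os.listdir(slot):
            if name.endswith(".json"):
                with open(os.path.join(slot, name)) as f:
                    metas.append(json.load(f))
        return sorted(metas, key=lambda m: m["seq"])

    def backup(self, path):
        """Scheduled-task hook: add a version only if content changed, then prune to KEEP_VERSIONS."""
        digest = sha256_file(path)
        versions = self.versions(path)
        if versions and versions[-1]["sha256"] == digest:
            return versions[-1]
        seq = versions[-1]["seq"] + 1 if versions else 1
        slot = self._slot(path)
        os.makedirs(slot, exist_ok=True)
        dst = os.path.join(slot, "%06d.bak" % seq)
        shutil.copy2(path, dst)
        meta = {"seq": seq, "sha256": digest, "path": path, "file": dst}
        with open(dst[:-4] + ".json", "w") as f:
            json.dump(meta, f)
        for old in self.versions(path)[:-KEEP_VERSIONS]:
            os.remove(old["file"])
            os.remove(old["file"][:-4] + ".json")
        return meta


def tampered_files(log_lines):
    """Log-module step: keep records whose op is an abnormal keyword; return the tampered file list."""
    found = []
    for line in log_lines:
        try:
            rec = json.loads(line)
        except ValueError:
            continue                             # not one of our structured records
        if rec.get("op") in ABNORMAL_KEYWORDS and rec.get("path") and rec["path"] not in found:
            found.append(rec["path"])
    return found


def rollback(store, tampered):
    """Restore each file from the newest backup whose content differs from what is on disk,
    so a backup taken after the tampering is not replayed; then record the restored state."""
    result = {}
    for path in tampered:
        current = sha256_file(path) if os.path.isfile(path) else None
        clean = [v for v in reversed(store.versions(path)) if v["sha256"] != current]
        if not clean:
            result[path] = None
            continue
        shutil.copy2(clean[0]["file"], path)
        store.backup(path)                       # restored content becomes the newest version
        result[path] = clean[0]["seq"]
    return result


def demo():
    """Constructed scenario: the scheduled backup runs once more after the tampering,
    so the newest version is itself tainted and rollback must skip it."""
    work = tempfile.mkdtemp(prefix="rb-")
    try:
        target = os.path.join(work, "etc", "app.conf")
        os.makedirs(os.path.dirname(target))
        store = BackupStore(os.path.join(work, "backups"))
        with open(target, "w") as f:
            f.write("admin=ops\n")
        store.backup(target)                                   # version 1: clean
        with open(target, "w") as f:
            f.write("admin=attacker\n")                        # tampering
        store.backup(target)                                   # version 2: tainted
        logs = [json.dumps({"time": "2021-05-01T10:00:00", "rule": "general",
                            "op": "MODIFIED", "path": target, "changed": ["sha256"]}),
                "INFO heartbeat ok"]                           # unrelated line
        tampered = tampered_files(logs)
        restored = rollback(store, tampered)
        with open(target) as f:
            content = f.read()
        kept = [v["seq"] for v in store.versions(target)]
        os.remove(target)                                      # second incident: deletion
        restored2 = rollback(store, tampered_files([json.dumps({"op": "DELETED", "path": target})]))
        with open(target) as f:
            content2 = f.read()
        return {"tampered": tampered, "restored": restored, "content": content, "kept": kept,
                "restored_after_delete": restored2, "content_after_delete": content2}
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

Two details matter in practice. The hash comparison in `rollback()` is what makes the two-version rule useful: version 2 matches the tampered content on disk, so version 1 is restored instead. Re-running `backup()` after the restore records the clean state as the newest version, so the later deletion is recovered from a clean copy rather than from the tainted version 2. A store that keeps exactly two versions still loses if tampering survives two backup intervals undetected, which is the argument for the shorter interval of the intensive rule.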
The alarm module 26 is adapted to send an exception notification to the management terminal after receiving the alarm trigger instruction sent by the monitoring module. On receiving that instruction, the alarm module notifies operations staff or the administrator of the abnormal information by e-mail, SMS or similar means, so that the administrator learns of the abnormal condition in time.
The system of the embodiment also provides a file risk early warning function, and is specifically realized through the following modules:
the index obtaining module 27 is adapted to obtain multiple levels of file tampering risk early warning indexes from the historical log information, where the multiple levels include a server level, a file level, and an encryption level.
The server-level file tampering risk early warning index is mainly used for considering the risk of file tampering from the security of a server, and comprises one or more of the following: the method comprises the steps of creating user information of a file, safety information of a server where the file is located, network information of the server where the file is located, information of an operating system of the server where the file is located, remote login mode information of the server, information of whether the server has a weak password problem or not and file size information.
The file level file tampering risk early warning index is mainly used for considering the risk of file tampering from the attributes of the file and the historical tampering situation, and comprises one or more of the following: file type information, file basic attribute information, the times of modifying the history of the file and the last time of modifying the file.
The encryption-level file tampering risk early warning indicators consider the risk of tampering from whether the file is encrypted and whether access to it is permission-controlled; that is, they include one or more of: whether the file is encrypted, and whether access to the file is subject to permission control.
The machine learning module 28 is adapted to train to obtain a risk prediction model according to the multiple levels of file tampering risk early warning indicators, evaluate a tampered risk value of the file by using the risk prediction model, and send an early warning trigger instruction to the early warning module 29 if the tampered risk value of the file exceeds a predetermined value.
Based on a neural network, the obtained file tampering risk early warning indexes of multiple levels are used as training samples, and a risk prediction model for evaluating the possibility of file tampering is obtained through training. And then, acquiring real-time related index data of the file to be predicted, and inputting the data into a risk prediction model, wherein the risk prediction model outputs a tampered risk value of the file through calculation. And if the tampered risk value of the file exceeds a preset value, sending an early warning trigger instruction to the early warning module 29.
Fig. 4 shows a schematic diagram of a neural network in an embodiment of the present invention. As shown in fig. 4, the input layer receives the obtained multi-level file tampering risk early warning indicators, and the output layer produces the tampered risk value of the file.
The output of the hidden layer and the output layer is:
[equation image BDA0003051874090000101 not reproduced on the page]
The inputs and outputs of the hidden layer nodes are:
[equation image BDA0003051874090000102 not reproduced on the page]
$B^{\mathrm{output}}_f = \mathrm{Output}\left(B^{\mathrm{input}}_f\right),\quad f = 1, 2, 3, \ldots, r$
Weights are set from the input layer to the hidden layer and from the hidden layer to the output layer; the weights are continuously adjusted according to the error of the calculated result, following the gradient descent direction of the error Exp, until an optimal model for evaluating the risk value of the file has been trained.
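To make the training and thresholding step concrete, the following is an added example written for this edit; it is not code from the patent or its assignees. It assumes a constructed numeric encoding of the three index levels (the feature names and values below are invented), a single hidden layer trained with squared error and per-sample gradient descent, and a predetermined threshold of 0.5; the page specifies none of these, only that multi-level indicators are the input and a tampered risk value is the output.

```python
import math
import random

# Constructed numeric encoding of the patent's three index levels.
# Feature names, encoding and the threshold are assumptions for this example.
FEATURES = [
    "server_weak_password",          # server level: 1 if a weak-password finding exists
    "server_insecure_remote_login",  # server level: 1 if remote login is not an encrypted protocol
    "file_is_executable",            # file level: 1 for executable or script file types
    "file_modification_count",       # file level: historical modification count scaled to [0, 1]
    "file_not_encrypted",            # encryption level: 1 if the file is stored unencrypted
    "file_no_access_control",        # encryption level: 1 if access is not permission-controlled
]
PREDETERMINED_RISK = 0.5             # assumed early-warning threshold


def sigmoid(v):
    return 1.0 / (1.0 + math.exp(-v))


class RiskPredictionModel:
    """One-hidden-layer network trained with squared error and gradient descent."""

    def __init__(self, n_in, n_hidden=4, seed=7):
        rng = random.Random(seed)  # fixed seed so the demo is reproducible
        self.w1 = [[rng.uniform(-0.5, 0.5) for _ in range(n_in)] for _ in range(n_hidden)]
        self.b1 = [0.0] * n_hidden
        self.w2 = [rng.uniform(-0.5, 0.5) for _ in range(n_hidden)]
        self.b2 = 0.0

    def forward(self, x):
        hidden = [sigmoid(sum(w * xi for w, xi in zip(row, x)) + b)
                  for row, b in zip(self.w1, self.b1)]
        out = sigmoid(sum(w * h for w, h in zip(self.w2, hidden)) + self.b2)
        return hidden, out

    def risk(self, x):
        """Tampered risk value in (0, 1) for one indicator vector."""
        return self.forward(x)[1]

    def train(self, samples, epochs=3000, lr=0.5):
        for _ in range(epochs):
            for x, y in samples:
                hidden, out = self.forward(x)
                # squared-error gradient back through the sigmoid output node ...
                d_out = (out - y) * out * (1.0 - out)
                # ... and through each sigmoid hidden node (uses w2 before it is updated)
                d_hidden = [d_out * w * h * (1.0 - h) for w, h in zip(self.w2, hidden)]
                for j, h in enumerate(hidden):
                    self.w2[j] -= lr * d_out * h
                self.b2 -= lr * d_out
                for j, dh in enumerate(d_hidden):
                    for i, xi in enumerate(x):
                        self.w1[j][i] -= lr * dh * xi
                    self.b1[j] -= lr * dh
        return self


# Constructed historical samples: (indicator vector, 1 if the file was later found tampered)
HISTORICAL_SAMPLES = [
    ([1, 1, 1, 0.8, 1, 1], 1),
    ([1, 0, 0, 0.2, 1, 1], 1),
    ([0, 1, 1, 0.9, 0, 1], 1),
    ([0, 0, 1, 0.7, 1, 1], 1),
    ([0, 0, 0, 0.1, 0, 0], 0),
    ([0, 0, 1, 0.2, 0, 0], 0),
    ([0, 1, 0, 0.1, 0, 1], 0),
    ([0, 0, 0, 0.3, 1, 0], 0),
]


def train_demo_model():
    return RiskPredictionModel(len(FEATURES)).train(HISTORICAL_SAMPLES)


def early_warning(model, indicators, threshold=PREDETERMINED_RISK):
    """Decision of the early warning step: back up and key-monitor a file whose risk exceeds the threshold."""
    value = model.risk(indicators)
    triggered = value > threshold
    return {"risk": value, "backup": triggered, "key_monitoring": triggered}


if __name__ == "__main__":
    model = train_demo_model()
    for x, y in HISTORICAL_SAMPLES:
        print(x, y, round(early_warning(model, x)["risk"], 3))
    print(early_warning(model, [1, 1, 0, 0.5, 1, 1]))
```

The data set is constructed to be separable so that the tiny network converges in the default number of epochs; a real deployment would derive the labels from the historical abnormal-operation logs the patent describes and would need to revisit the threshold as the indicator distribution drifts.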
And the early warning module 29 is suitable for backing up files with tampered risk values exceeding the preset value after receiving the early warning trigger instruction, and calling the anti-tampering module to monitor the files with tampered risk values exceeding the preset value according to the first monitoring rule.
After the early warning module 29 receives the early warning trigger instruction sent by the machine learning module 28, it performs early warning processing on each file whose tampered risk value exceeds the predetermined value. On one hand, the early warning file is backed up synchronously, so that if it is tampered with later the original can be retrieved from the backup. On the other hand, the anti-tampering module 21 is called to place the early warning file under key monitoring. Since the anti-tampering module monitors abnormal operations on files, it can monitor files at different granularities: it monitors a file directory specified by the user, and it can also apply special monitoring to an individual file with a higher risk value.
Some prior art can monitor file anomalies but provides no remedial measures once a file has been tampered with. The file monitoring and early warning system of this embodiment, by contrast, backs up files and monitors abnormal operations on them; when an abnormal operation is triggered, the alarm module sends an abnormal notification to a manager, and the rollback module retrieves the backed-up file to recover the tampered file in time, so that the safety of the file is ensured. Secondly, the system establishes a risk index system and a risk value algorithm, trains a risk early warning model by machine learning, and uses that model to estimate the tampered risk value of a file in advance; when the value exceeds a preset value, the file is placed under key monitoring, so that abnormal conditions on files with a high tampering risk are detected in time.
Fig. 3 is a flowchart of a file monitoring and early warning method according to another embodiment of the present invention, which may be executed by any device having data processing capability, as shown in fig. 3, and includes the following steps:
step S310, obtaining file tampering risk early warning indexes of multiple levels from historical log information, wherein the multiple levels comprise a server level, a file level and an encryption level.
Step S320, training to obtain a risk prediction model according to the file tampering risk early warning indexes of multiple levels, and evaluating a tampered risk value of the file by using the risk prediction model.
Step S330, if the tampered risk value of the file exceeds the predetermined value, file backup is carried out on the file of which the tampered risk value exceeds the predetermined value, and the file of which the tampered risk value exceeds the predetermined value is monitored according to the first monitoring rule.
Optionally, the server-level file tampering risk pre-warning indicators include one or more of:
information about the user who created the file, security information of the server where the file is located, network information of that server, operating system information of that server, the remote login mode of the server, whether the server has a weak password problem, and the size of the file;
the file level file tampering risk pre-warning indicators include one or more of:
file type information, basic file attribute information, the number of historical modifications of the file, and the time of the last modification of the file;
the file tampering risk pre-warning indicators at the encryption level include one or more of the following:
whether the file is encrypted, and whether access to the file is permission-controlled.
Optionally, the method further comprises:
monitoring abnormal operation of the files in the specified directory according to a second monitoring rule, and recording an abnormal operation log of the file when an abnormal operation is detected;
synchronously backing up files in a server through a timing task;
recording all newly added file logs, abnormal operation logs and early warning logs under the specified directory, and identifying abnormal keywords in the recorded logs;
analyzing abnormal log information corresponding to the abnormal keywords, determining a tampered file list, acquiring a backup file corresponding to the tampered file list, and recovering the tampered file according to the acquired backup file.
Optionally, the method further comprises: and after the abnormal log information corresponding to the abnormal keyword is determined, an abnormal notice is sent to the management terminal.
Optionally, the performing synchronous backup on the file in the server through the timing task further includes: at least two different versions of the file backup are maintained for the file.
Optionally, the method further comprises: and determining the specified directory to be monitored in response to the file monitoring requirement information.
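The optional steps above (abnormal-operation logging, timed backup with at least two retained versions, abnormal-keyword identification, tampered-file list determination and recovery from backup) fit together as one pipeline. The following is an added example written for this edit, not code from the patent or its assignees. It assumes an invented keyword set, an invented log line format carrying the affected path in a `file=` field, and a retention count of two; the page names no keywords, log format or storage layout.

```python
import os
import re
import shutil
import tempfile

# Abnormal keywords searched for in the recorded logs (assumed set; the page names none)
ABNORMAL_KEYWORDS = ("TAMPER", "UNAUTHORIZED_WRITE", "CHECKSUM_MISMATCH")
# Assumed log field carrying the affected path, e.g. "file=/srv/www/index.html"
FILE_FIELD = re.compile(r"file=(\S+)")


class VersionedBackup:
    """Backup store driven by the timing task; keeps at least `keep` distinct versions per file."""

    def __init__(self, root, keep=2):
        self.root = root
        self.keep = max(2, keep)          # never fewer than two versions are retained
        self.versions = {}                # monitored path -> backup copies, oldest first
        self._counter = {}
        os.makedirs(root, exist_ok=True)

    def backup(self, path):
        with open(path, "rb") as f:
            data = f.read()
        copies = self.versions.setdefault(path, [])
        if copies:
            with open(copies[-1], "rb") as f:
                if f.read() == data:      # unchanged since the last run: no new version
                    return copies[-1]
        n = self._counter[path] = self._counter.get(path, 0) + 1
        dest = os.path.join(self.root, f"{os.path.basename(path)}.v{n}")
        with open(dest, "wb") as f:
            f.write(data)
        copies.append(dest)
        while len(copies) > self.keep:    # prune the oldest copies beyond the retention count
            os.remove(copies.pop(0))
        return dest

    def restore(self, path, version=-1):
        shutil.copyfile(self.versions[path][version], path)


def find_abnormal_entries(log_lines):
    """Log step: pick out the recorded entries that carry an abnormal keyword."""
    return [line for line in log_lines if any(k in line for k in ABNORMAL_KEYWORDS)]


def tampered_file_list(abnormal_entries):
    """Rollback step: parse abnormal entries into a de-duplicated list of affected paths."""
    files = []
    for entry in abnormal_entries:
        m = FILE_FIELD.search(entry)
        if m and m.group(1) not in files:
            files.append(m.group(1))
    return files


def rollback(backup, files):
    """Recover each tampered file from its most recent backup copy; return the paths restored."""
    restored = []
    for path in files:
        if path in backup.versions:
            backup.restore(path)
            restored.append(path)
    return restored


def demo():
    work = tempfile.mkdtemp()
    monitored = os.path.join(work, "www")
    os.makedirs(monitored)
    target = os.path.join(monitored, "index.html")
    store = VersionedBackup(os.path.join(work, "backup"), keep=2)
    for content in ("<h1>v1</h1>", "<h1>v2</h1>", "<h1>v3</h1>"):  # three legitimate releases
        with open(target, "w") as f:
            f.write(content)
        store.backup(target)
    store.backup(target)                  # timing task fires again with no change
    with open(target, "w") as f:          # simulated unauthorized modification of the file
        f.write("<h1>modified without authorization</h1>")
    # Constructed log lines in the shape the log module is assumed to record
    logs = [
        f"2021-05-06T10:00:01 INFO op=create file={target} user=deploy",
        "2021-05-06T10:05:00 INFO backup task finished",
        f"2021-05-06T10:07:42 ALERT TAMPER op=write file={target} user=unknown",
    ]
    abnormal = find_abnormal_entries(logs)
    tampered = tampered_file_list(abnormal)
    restored = rollback(store, tampered)
    with open(target) as f:
        recovered = f.read()
    versions_kept = len(store.versions[target])
    shutil.rmtree(work)
    return {"versions_kept": versions_kept, "abnormal_entries": len(abnormal),
            "tampered": tampered, "restored": restored, "recovered": recovered}


if __name__ == "__main__":
    print(demo())
```

Two retained versions matter in practice: if the timing task happens to run after the tampering but before detection, the newest copy is itself the tampered content and the rollback must fall back to the previous version, which is what the `version` parameter of `restore` allows.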
According to the file monitoring and early warning method, the file is backed up and abnormal operation of the file is monitored, when the abnormal operation is triggered, on one hand, an abnormal notification is sent to a manager through the warning module, so that an abnormal warning effect can be achieved, on the other hand, the backed-up file is obtained through the rollback module, the tampered file is timely restored, and the safety of the file is guaranteed. Secondly, the file monitoring and early warning method of the embodiment establishes a risk index system and a risk value algorithm in a machine learning mode to train a risk early warning model, the risk early warning model can estimate a tampered risk value of the file in advance, and when the tampered risk value of the file exceeds a preset value, the file is subjected to key monitoring, so that the abnormal condition of the file with a higher tampered risk can be monitored in time.
The embodiment of the invention provides a nonvolatile computer storage medium, wherein at least one executable instruction is stored in the computer storage medium, and the computer executable instruction can execute the file monitoring and early warning method in any method embodiment.
The executable instructions may be specifically adapted to cause the processor to perform the following operations:
acquiring file tampering risk early warning indexes of multiple levels from historical log information, wherein the multiple levels comprise a server level, a file level and an encryption level;
training to obtain a risk prediction model according to the file tampering risk early warning indexes of the multiple levels, and evaluating a tampered risk value of the file by using the risk prediction model;
if the tampered risk value of the file exceeds the preset value, the file with the tampered risk value exceeding the preset value is backed up, and the file with the tampered risk value exceeding the preset value is monitored according to a first monitoring rule.
In an alternative approach, the server-level file tampering risk warning indicators include one or more of the following:
information about the user who created the file, security information of the server where the file is located, network information of that server, operating system information of that server, the remote login mode of the server, whether the server has a weak password problem, and the size of the file;
the file level file tampering risk pre-warning indicators include one or more of:
file type information, basic file attribute information, the number of historical modifications of the file, and the time of the last modification of the file;
the file tampering risk pre-warning indicators at the encryption level include one or more of the following:
whether the file is encrypted, and whether access to the file is permission-controlled.
In an alternative, the executable instructions cause the processor to:
monitoring abnormal operation of the files in the specified directory according to a second monitoring rule, and recording an abnormal operation log of the file when an abnormal operation is detected;
synchronously backing up files in a server through a timing task;
recording all newly added file logs, abnormal operation logs and early warning logs under the specified directory, and identifying abnormal keywords in the recorded logs;
analyzing abnormal log information corresponding to the abnormal keywords, determining a tampered file list, acquiring a backup file corresponding to the tampered file list, and recovering the tampered file according to the acquired backup file.
In an alternative, the executable instructions cause the processor to: and after the abnormal log information corresponding to the abnormal keyword is determined, an abnormal notice is sent to the management terminal.
In an alternative, the executable instructions cause the processor to: at least two different versions of the file backup are maintained for the file.
In an alternative form, the executable instructions cause the processor to: and determining the specified directory to be monitored in response to the file monitoring requirement information.
In the method of this embodiment, the file is backed up and abnormal operation of the file is monitored. When an abnormal operation is triggered, on one hand an abnormal notification is sent to a manager through the alarm module, so that an abnormal alarm effect is achieved, and on the other hand the backed-up file is acquired through the rollback module to recover the tampered file in time, so that the security of the file is ensured. Secondly, a risk index system and a risk value algorithm are established and used, by means of machine learning, to train a risk early warning model; the model estimates the tampered risk value of the file in advance, and when that value exceeds a preset value the file is placed under key monitoring, so that the abnormal condition of a file with a high tampered risk is detected in time.
Fig. 5 is a schematic structural diagram of an embodiment of the computing device according to the present invention, and the specific embodiment of the present invention does not limit the specific implementation of the computing device.
As shown in fig. 5, the computing device may include: a processor (processor) 502, a Communications Interface 504, a memory 506, and a communication bus 508.
Wherein: the processor 502, communication interface 504, and memory 506 communicate with one another via a communication bus 508. A communication interface 504 adapted to communicate with network elements of other devices, such as clients or other servers. The processor 502 is adapted to execute the program 510, and may specifically execute the relevant steps in the above-described embodiment of the file monitoring and warning method for a computing device.
In particular, program 510 may include program code comprising computer operating instructions.
The processor 502 may be a central processing unit (CPU), an application specific integrated circuit (ASIC), or one or more integrated circuits configured to implement an embodiment of the present invention. The computing device includes one or more processors, which may be of the same type, such as one or more CPUs, or of different types, such as one or more CPUs and one or more ASICs.
A memory 506 adapted to store a program 510. The memory 506 may comprise high-speed RAM memory, and may also include non-volatile memory (non-volatile memory), such as at least one disk memory.
The program 510 may be specifically adapted to cause the processor 502 to perform the following operations:
acquiring file tampering risk early warning indexes of multiple levels from historical log information, wherein the multiple levels comprise a server level, a file level and an encryption level;
training to obtain a risk prediction model according to the file tampering risk early warning indexes of the multiple levels, and evaluating a tampered risk value of the file by using the risk prediction model;
if the tampered risk value of the file exceeds the preset value, the file with the tampered risk value exceeding the preset value is backed up, and the file with the tampered risk value exceeding the preset value is monitored according to a first monitoring rule.
In an optional manner, the server-level file tampering risk pre-warning indicators include one or more of the following:
information about the user who created the file, security information of the server where the file is located, network information of that server, operating system information of that server, the remote login mode of the server, whether the server has a weak password problem, and the size of the file;
the file level file tampering risk pre-warning indicators include one or more of:
file type information, basic file attribute information, the number of historical modifications of the file, and the time of the last modification of the file;
the file tampering risk pre-warning indicators at the encryption level include one or more of the following:
whether the file is encrypted, and whether access to the file is permission-controlled.
In an alternative, the program 510 causes the processor 502 to:
monitoring abnormal operation of the files in the specified directory according to a second monitoring rule, and recording an abnormal operation log of the file when an abnormal operation is detected;
synchronously backing up files in a server through a timing task;
recording all newly added file logs, abnormal operation logs and early warning logs under the specified directory, and identifying abnormal keywords in the recorded logs;
analyzing abnormal log information corresponding to the abnormal keywords, determining a tampered file list, acquiring a backup file corresponding to the tampered file list, and recovering the tampered file according to the acquired backup file.
In an alternative, the program 510 causes the processor 502 to: and after the abnormal log information corresponding to the abnormal keyword is determined, an abnormal notice is sent to the management terminal.
In an alternative, the program 510 causes the processor 502 to: the file retains at least two different versions of the backup of the file.
In an alternative, the program 510 causes the processor 502 to: and determining the specified directory to be monitored according to the file monitoring requirement information.
In the method of this embodiment, the file is backed up and abnormal operation of the file is monitored. When an abnormal operation is triggered, on one hand an abnormal notification is sent to a manager through the alarm module, so that an abnormal alarm effect is achieved, and on the other hand the backed-up file is acquired through the rollback module to recover the tampered file in time, so that the security of the file is ensured. Secondly, a risk index system and a risk value algorithm are established and used, by means of machine learning, to train a risk early warning model; the model estimates the tampered risk value of the file in advance, and when that value exceeds a preset value the file is placed under key monitoring, so that the abnormal condition of a file with a high tampered risk is detected in time.
The algorithms or displays presented herein are not inherently related to any particular computer, virtual system, or other apparatus. Various general purpose systems may also be used with the teachings herein. The required structure for constructing such a system will be apparent from the description above. In addition, embodiments of the present invention are not directed to any particular programming language. It is appreciated that a variety of programming languages may be used to implement the teachings of the present invention as described herein, and any descriptions of specific languages are provided above to disclose the best mode of the invention.
In the description provided herein, numerous specific details are set forth. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the embodiments of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the invention and aiding in the understanding of one or more of the various inventive aspects. However, the disclosed method should not be construed to reflect the intent: that the invention as claimed requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this invention.
Those skilled in the art will appreciate that the modules in the device in an embodiment may be adaptively changed and disposed in one or more devices different from the embodiment. The modules or units or components of the embodiments may be combined into one module or unit or component, and furthermore they may be divided into a plurality of sub-modules or sub-units or sub-components. All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or elements of any method or apparatus so disclosed, may be combined in any combination, except combinations where at least some of such features and/or processes or elements are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Furthermore, those skilled in the art will appreciate that while some embodiments herein include some features included in other embodiments, rather than other features, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
Various component embodiments of the invention may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will appreciate that a microprocessor or Digital Signal Processor (DSP) may be used in practice to implement some or all of the functionality of some or all of the components according to embodiments of the present invention. The present invention may also be embodied as apparatus or device programs (e.g., computer programs and computer program products) adapted to perform a part or all of the methods described herein. Such programs implementing the present invention may be stored on a computer readable medium or may be in the form of one or more signals. Such a signal may be downloaded from an internet website or provided on a carrier signal or in any other form. It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means can be embodied by one and the same item of hardware. The use of the words first, second, third, and so on does not indicate any ordering; these words may be interpreted as names. The steps in the above embodiments should not be construed as limiting the order of execution unless specified otherwise.

Claims (10)

1. A file monitoring and early warning system comprising: an index acquisition module, a machine learning module, an early warning module and an anti-tampering module;
the index acquisition module is suitable for acquiring file tampering risk early warning indexes of multiple levels from historical log information, wherein the multiple levels comprise a server level, a file level and an encryption level;
the machine learning module is suitable for training to obtain a risk prediction model according to the file tampering risk early warning indexes of the multiple levels, the risk prediction model is used for evaluating a tampered risk value of the file, and if the tampered risk value of the file exceeds a preset value, an early warning trigger instruction is sent to the early warning module;
the early warning module is suitable for performing file backup on the files with the tampered risk values exceeding the preset value after receiving the early warning trigger instruction, and calling the anti-tampering module to monitor the files with the tampered risk values exceeding the preset value according to a first monitoring rule.
2. The system of claim 1, wherein the server-level file tampering risk pre-warning indicators comprise one or more of:
information about the user who created the file, security information of the server where the file is located, network information of that server, operating system information of that server, the remote login mode of the server, whether the server has a weak password problem, and the size of the file;
the file level file tampering risk pre-warning indicators include one or more of:
file type information, basic file attribute information, the number of historical modifications of the file, and the time of the last modification of the file;
the encryption-level file tampering risk pre-warning indicators include one or more of:
whether the file is encrypted, and whether access to the file is permission-controlled.
3. The system of claim 1 or 2, wherein the system further comprises: the system comprises a file backup module, a log module, a monitoring module and a rollback module;
the tamper-resistant module is further adapted to: monitor abnormal operation of the files in the specified directory according to a second monitoring rule, record an abnormal operation log of the file when an abnormal operation is detected, and provide the abnormal operation log to the log module;
the file backup module is suitable for synchronously backing up files in the server through a timing task;
the log module is suitable for recording all newly added file logs under the specified directory, abnormal operation logs provided by the tamper-resistant module and early warning logs provided by the machine learning module; identifying abnormal keywords in the recorded log, and sending abnormal log information corresponding to the abnormal keywords to a monitoring module;
the monitoring module is suitable for receiving the abnormal log information sent by the log module and sending a rollback triggering instruction carrying the abnormal log information to the rollback module;
and the rollback module is suitable for analyzing the abnormal log information to determine a tampered file list after receiving a rollback triggering instruction sent by the monitoring module, acquiring a backup file backed up by the file backup module and corresponding to the tampered file list, and recovering the tampered file according to the acquired backup file.
4. The system of claim 3, wherein the system further comprises: an alarm module;
the monitoring module is further adapted to: sending an alarm trigger instruction carrying abnormal log information to an alarm module according to an alarm mechanism;
and the alarm module is suitable for sending an abnormal notice to the management terminal after receiving the alarm triggering instruction sent by the monitoring module.
5. The system of claim 3, wherein the file backup module is further adapted to: at least two different versions of the file backup are maintained for the file.
6. The system of claim 3, wherein the tamper-resistant module is further adapted to: and determining the specified directory to be monitored in response to the file monitoring requirement information.
7. A file monitoring and early warning method comprises the following steps:
acquiring file tampering risk early warning indexes of multiple levels from historical log information, wherein the multiple levels comprise a server level, a file level and an encryption level;
training to obtain a risk prediction model according to the file tampering risk early warning indexes of the multiple levels, and evaluating a tampered risk value of the file by using the risk prediction model;
if the tampered risk value of the file exceeds the preset value, the file with the tampered risk value exceeding the preset value is backed up, and the file with the tampered risk value exceeding the preset value is monitored according to a first monitoring rule.
8. The method of claim 7, wherein the method further comprises:
monitoring abnormal operation of the files in the designated directory according to a second monitoring rule, and recording abnormal operation logs of the files when the abnormal operation is monitored;
synchronously backing up files in a server through a timing task;
recording all newly added file logs, abnormal operation logs and early warning logs under the specified directory, and identifying abnormal keywords in the recorded logs;
and analyzing abnormal log information corresponding to the abnormal keywords, determining a tampered file list, acquiring a backup file corresponding to the tampered file list, and recovering the tampered file according to the acquired backup file.
9. A computing device, comprising: the system comprises a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface complete mutual communication through the communication bus;
the memory is suitable for storing at least one executable instruction, and the executable instruction causes the processor to execute the operation corresponding to the file monitoring and early warning method in claim 7 or 8.
10. A computer storage medium having stored therein at least one executable instruction for causing a processor to perform operations corresponding to the file monitoring and warning method of claim 7 or 8.
CN202110489825.4A 2021-05-06 2021-05-06 File monitoring and early warning system, method, computing equipment and computer storage medium Pending CN115310139A (en)

Priority application: CN202110489825.4A, priority date 2021-05-06, filing date 2021-05-06, title "File monitoring and early warning system, method, computing equipment and computer storage medium".

Publication: CN115310139A, publication date 2022-11-08.

Family ID: 83853675

Country status: CN, CN115310139A (en)


Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination