CN115766166B - Log processing method, device and storage medium - Google Patents
Log processing method, device and storage medium Download PDFInfo
- Publication number
- CN115766166B CN115766166B CN202211392462.3A CN202211392462A CN115766166B CN 115766166 B CN115766166 B CN 115766166B CN 202211392462 A CN202211392462 A CN 202211392462A CN 115766166 B CN115766166 B CN 115766166B
- Authority
- CN
- China
- Prior art keywords
- log record
- log
- authentication code
- key
- target
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Landscapes
- Storage Device Security (AREA)
Abstract
The application discloses a log processing method, log processing equipment and a storage medium, belonging to the technical field of information security, wherein the method comprises the following steps: acquiring a first log record generated at the current moment, and acquiring a first key and a first identification code corresponding to a second log record generated before the current moment in a log record file; obtaining a corresponding target key according to the first key and the first identification code; obtaining a corresponding target authentication code according to the target key and the first log record; and storing the first log record and the target authentication code in association with the log record file. The application aims to improve the accuracy of the verification effect of log verification.
Description
Technical Field
The present application relates to the field of information security technologies, and in particular, to a log processing method, a log processing device, and a storage medium.
Background
With the development of computer technology and internet technology, advanced persistent threat attacks become complex and variable, and network attacks threatening information security also present a diversified trend. The log information is used as a record set for recording network events and user behaviors, and plays an important role in data analysis and active defense when facing network attacks.
The log information itself is also at risk of being tampered by an attacker, and the current protection method for the log information generally generates a corresponding message authentication code according to each piece of log information, and compares the calculated message authentication code with the message authentication code stored in the database to confirm whether the log information is tampered or not when verification is needed. However, the method can only detect whether the single log information is modified one by one, cannot check the whole log information, and cannot detect other tampering conditions except the modified log information, so that the log checking effect is not ideal.
Disclosure of Invention
The application mainly aims to provide a log processing method, log processing equipment and a storage medium, aiming at improving the accuracy of a checking effect of log checking.
In order to achieve the above object, the present application provides a log processing method, including the steps of:
acquiring a first log record generated at the current moment, and acquiring a first key and a first identification code corresponding to a second log record generated before the current moment in a log record file;
obtaining a corresponding target key according to the first key and the first identification code;
obtaining a corresponding target authentication code according to the target key and the first log record;
and storing the first log record and the target authentication code in association with the log record file.
Optionally, the step of obtaining the corresponding target key according to the first key and the first authentication code includes:
and processing the first identification code according to an HMAC algorithm by using the first key to obtain the target key.
Optionally, the step of obtaining the corresponding target key according to the first key and the first authentication code includes:
acquiring the second log record;
determining that the character string spliced by the second log record and the first identification code is a characteristic character string;
and obtaining the target key according to the first key and the characteristic character string.
Optionally, the step of obtaining a corresponding target authentication code according to the target key processing and the first log record includes:
and processing the first log record according to an HMAC algorithm by using the target key to obtain the target authentication code.
Optionally, the step of obtaining the first key includes:
obtaining a secure key from a secure module, the secure key comprising the first key;
after the step of storing the first log record and the target authentication code in association with the log record file, the method further includes:
and updating the security key in the security module to the target key.
In addition, in order to achieve the above object, the present application also proposes a log processing method, including the steps of:
acquiring a log record file, wherein the log record file comprises a plurality of log records generated at different times and corresponding second identification codes;
determining a log record generated at a target moment in the log record file as a third log record and a fourth log record generated before the third log record;
obtaining a corresponding target detection key according to the first detection key and the corresponding first detection authentication code recorded in the fourth log;
obtaining a corresponding target detection authentication code according to the target detection key and the third log record;
and determining a detection result according to the second authentication code and the target detection authentication code corresponding to the third log record, wherein the detection result comprises whether the log record file is tampered or not.
Optionally, the step of determining a detection result according to the second authentication code and the target detection authentication code corresponding to the third log record includes:
determining the third log record in the log record file and the previously generated set of each log record as a log record set;
when the second authentication code corresponding to the third log record is matched with the target detection authentication code, determining that the detection result comprises that the log record set is not tampered;
when the second authentication code corresponding to the third log record is not matched with the target detection authentication code, determining that the detection result comprises that the log record set is tampered.
Optionally, after the step of determining that the detection result is that the log record set has been tampered when the second authentication code corresponding to the third log record does not match the target detection authentication code, the method further includes:
determining a second detection authentication code corresponding to the fourth log record and each log record generated before in the log record file, wherein each second detection authentication code is generated according to a second detection key and the second detection authentication code of the corresponding log record generated before;
determining that the second authentication codes corresponding to any two log records with adjacent generation time are a third authentication code and a fourth authentication code in sequence;
when the fourth authentication code is not matched with the corresponding second detection authentication code and the third authentication code is matched with the corresponding second detection authentication code, determining that the log record corresponding to the fourth authentication code is a tampered target log record;
determining the detection result further includes the target log record being tampered with.
In addition, in order to achieve the above object, the present application also proposes a log processing apparatus including: a memory, a processor, and a log handler stored on the memory and executable on the processor, the log handler configured to implement the steps of the log handling method as claimed in any one of the above.
In order to achieve the above object, the present application also proposes a storage medium having stored thereon a log processing program which, when executed by a processor, implements the steps of the log processing method according to any one of the above.
According to the log processing method, the first log record generated at the current moment is obtained, and the first authentication code corresponding to the second log record generated before the current moment in the log record file is obtained, so that the log record generated at the current moment, the first authentication code corresponding to the log record generated before and the first key are obtained; then according to the first key and the first authentication code of the previous record, a target key for the first log record is obtained, and then according to the target key and the first log record, a target authentication code of the first log record is obtained, so that the first log record is processed; the first log record and the target authentication code are stored in association to a log record file. Compared with the current log information processing method, the method has the advantages that the first authentication code and the first key of the previous generated log record are utilized to determine the target key of the current generated log record, then the target authentication code is obtained through processing according to the target key and the current generated log record, the authentication codes between the adjacent generated log records can generate relevance, when the previous record changes, the first authentication code and the target authentication code are changed, and therefore whether the log record generated before tracing the target authentication code is tampered or not can be detected, the integrity of log information is detected, whether the log record is modified, added or deleted is determined, and the verification effect accuracy of log verification is improved.
Drawings
FIG. 1 is a schematic diagram of a hardware architecture involved in the operation of an embodiment of a log processing device according to the present application;
FIG. 2 is a flow chart of an embodiment of a log processing method according to the present application;
FIG. 3 is a flowchart illustrating a log processing method according to another embodiment of the present application;
FIG. 4 is a flowchart illustrating a log processing method according to another embodiment of the present application;
FIG. 5 is a flowchart illustrating a log processing method according to another embodiment of the present application.
The achievement of the objects, functional features and advantages of the present application will be further described with reference to the accompanying drawings, in conjunction with the embodiments.
Detailed Description
It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the application.
The embodiment of the application provides log processing equipment. As shown in fig. 1, the log processing apparatus may include: a processor 1001, such as a central processing unit (Central Processing Unit, CPU), a communication bus 1002, a user interface 1003, a network interface 1004, a memory 1005. Wherein the communication bus 1002 is used to enable connected communication between these components. The user interface 1003 may include a Display, an input unit such as a Keyboard (Keyboard), and the optional user interface 1003 may further include a standard wired interface, a wireless interface. The network interface 1004 may optionally include a standard wired interface, a WIreless interface (e.g., a WIreless-FIdelity (WI-FI) interface). The Memory 1005 may be a high-speed random access Memory (Random Access Memory, RAM) Memory or a stable nonvolatile Memory (NVM), such as a disk Memory. The memory 1005 may also optionally be a storage device separate from the processor 1001 described above.
Those skilled in the art will appreciate that the structure shown in fig. 1 is not limiting of the log processing device and may include more or fewer components than shown, or may combine certain components, or may be a different arrangement of components.
As shown in fig. 1, a log processing program may be included in a memory 1005 as one storage medium. In the log processing device shown in fig. 1, the network interface 1004 is mainly used for data communication with other devices; the user interface 1003 is mainly used for data interaction with a user; the processor 1001 may be configured to call a log processing program stored in the memory 1005 and execute the log processing method provided by the embodiment of the present application.
The embodiment of the application also provides a log processing method which is applied to the log processing equipment.
Referring to fig. 2, an embodiment of a log processing method according to the present application is provided. In this embodiment, the log processing method includes:
step S10, a first log record generated at the current moment is obtained, and a first key and a first identification code corresponding to a second log record generated before the current moment in a log record file are obtained;
the log record is used for recording information such as events occurring in the running of the system or software or communication interaction with other devices, and the content of the log record is not limited in the embodiment, and the log record can be used for terminal software or script, log record for monitoring access information of the access control system, and the like. After the log record is generated, the log record is required to be processed, a corresponding authentication code is generated by combining the key, and then the log record and the corresponding authentication code are stored in a log record file. The authentication code is a MAC value (Message Authentication Code ) and is generated based on the content of the log record, and can be used to verify whether the log record has been tampered with.
In this embodiment, the first log record is a log record generated at the current time of the system, and the second log record is a log record recorded in a log record file and generated immediately before the first log record. The first authentication code and the first key are authentication codes and keys corresponding to the second log record when the second log record is processed, and the first authentication code is generated according to the first key and the second log record.
Optionally, after the system generates the first log record at the current time, the first log record and the first key are acquired, and a first identification code corresponding to the second log record is acquired from a log record file storing the log record generated before the current time, so that the first log record is processed through the first identification code and the first key.
Step S20, obtaining a corresponding target key according to the first key and the first identification code;
optionally, the target key for processing the first log record is obtained from the first key of the second log record and the first authentication code. In this embodiment, the keys used for each log record processing are different, and the keys used for generating two log records adjacent in time have an association; in two log records with adjacent generation time, the key used in the latter log record is generated according to the key of the former log record and the authentication code thereof, namely, the target key corresponding to the first log record is generated according to the first key of the second log record and the first authentication code of the second log record.
In addition, the key corresponding to the first log record in the log records may be a key randomly generated from the security module, and the key is used as an initial key.
Step S30, obtaining a corresponding target authentication code according to the target key and the first log record;
alternatively, the target authentication code of the first log record is obtained from the target key and the first log record, because the generation of the target key is related to the first key and the first authentication code of the second log record, so that the generation of the target authentication code based on the content of the first log record is equivalent to the generation of the target authentication code based on the content of the second log record.
Step S40, storing the first log record and the target authentication code in association with the log record file.
Alternatively, the log record file may include a plurality of fields for recording a plurality of different kinds of information, and the first log record and the target authentication code are stored in association with corresponding fields in the log record file by identifying other different fields having association relationships with the field association.
According to the log processing method provided by the embodiment of the application, the first identification code and the first key corresponding to the log record generated at the current moment and the log record generated before the current moment are obtained by obtaining the first log record generated at the current moment and the first identification code corresponding to the second log record generated before the current moment in the log record file; then according to the first key and the first authentication code of the previous record, a target key for the first log record is obtained, and then according to the target key and the first log record, a target authentication code of the first log record is obtained, so that the first log record is processed; the first log record and the target authentication code are stored in association to a log record file. Compared with the current log information processing method, the method has the advantages that the first authentication code and the first key of the previous generated log record are utilized to determine the target key of the current generated log record, then the target authentication code is obtained through processing according to the target key and the current generated log record, the authentication codes between the adjacent generated log records can generate relevance, when the previous record is tampered, the first authentication code and the target authentication code are changed, therefore, whether the log record generated before tracing the target authentication code is tampered or not can be detected, the integrity of log information is detected, whether the log record is modified, added or deleted is determined, and the verification effect accuracy of log verification is improved.
Further, in this embodiment, the step of obtaining the first key includes:
obtaining a secure key from a secure module, the secure key comprising the first key;
after the step of storing the first log record and the target authentication code in association with the log record file, the method further includes:
and updating the security key in the security module to the target key.
The security module is a module with security authentication and credibility, and can be a module provided by a corresponding system and software or a third party, and can bear the functions of key generation and storage. The initial key used for the first log record processing in the log record file can be generated and stored and recorded through the security module.
Optionally, when the first log record is processed, the security key is obtained from the security module, and at this time, the security key is the first key, and the first key is a corresponding key when the second log record is processed, and in view of security, the first key cannot be stored in an external environment, so that the security module is used for protecting the first key to prevent leakage of the key. And after the processing of the first log record is completed, updating the security key in the security module to the target key. Besides the initial key, only one security key is stored in the security module for the log record file, and each time a new log record is generated and processed, the security key is updated to be the corresponding key of the new log record, so that protection and leakage prevention are formed for the key of the log record generated before, the updated security key can be provided for the next generated log record for generating the corresponding key, and the security of log record storage is improved.
Further, based on the above embodiment, another embodiment of the log processing method of the present application is provided. In the present embodiment, referring to fig. 3, step S20 includes:
and S21, processing the first identification code by using the first key according to an HMAC algorithm to obtain the target key.
The HMAC algorithm (Hash-based Message Authentication Code, hash operation message authentication code) is a method for performing message authentication based on a Hash function and a secret key, and the algorithm can input the secret key and information to be processed, and in the processing process of the algorithm, a preset process is performed based on the input secret key and the character string of the information to be processed, and a character string with a fixed length is finally generated and output through the Hash function calculation.
The calculation formula of the HMAC is as follows:
in the HMAC calculation formula described above, K represents a key, D represents information to be processed, function H () is a hash function, the type of the hash function is not limited in this embodiment, m represents the length of an output string, and function MSB m () For taking the length of m bits from the left for the string output by the hash function.
Optionally, the first key and the first authentication code are input according to the HMAC algorithm, the first authentication code is used as information to be processed, and a character string output by the HMAC algorithm is used as a target key.
The method and the device have the advantages that the key used for the current time log record is generated by utilizing the key of the previous log record and the authentication code, when the content of the previous log record is changed, the target key corresponding to the current time log record is also changed, the association between the authentication codes of the log records with adjacent generation time is established, and the accuracy of detecting whether the log record is tampered or not is improved.
Further, step S30 includes:
and S31, processing the first log record according to an HMAC algorithm by using the target key to obtain the target authentication code.
Optionally, the target key and the first log record are input according to the HMAC algorithm, the first log record is used as information to be processed, and the character string output by the HMAC algorithm is used as the target authentication code.
Illustratively, let the first key be K i-1 The target key is K i The second log is recorded as D i-1 The first log is recorded as D i The first authentication code is HMAC (K i-1 ,D i-1 ) The target authentication code is HMAC (K i ,D i ) And target key K i =HMAC(K i-1 ,HMAC(K i-1 ,D i-1 ))。
In other embodiments, a CMAC algorithm (Cipher Block Chaining-Message Authentication Code, symmetric key grouping algorithm message authentication code) may alternatively be used, with the target key or target authentication code obtained by CMAC algorithm processing, or may also be used in combination with the HAMC algorithm.
The target authentication code is obtained by utilizing the target key and the first log record according to the HAMC algorithm, so that the target authentication code corresponding to the content of the log record is generated based on the first log record, whether the first log record is tampered or not can be checked through the target authentication code, and the accuracy of detecting whether the log record is tampered or not is improved.
Further, based on the above embodiment, a further embodiment of the log processing method of the present application is provided. In the present embodiment, referring to fig. 4, step S20 includes:
step S201, obtaining the second log record; determining that the character string spliced by the second log record and the first identification code is a characteristic character string;
in addition to obtaining the first key and the first authentication code of the second log record from the log record file, the second log record may also be obtained, and the second log record is also used as a basis for generating the target key, that is, the content of the second log record is also used as a basis for generating the target key.
Optionally, a second log record is obtained from the log record file, and the second log record is spliced with the first identification code corresponding to the second log record to obtain the characteristic character string.
In other embodiments, other string manipulation methods may be applied in addition to stitching, so that the feature string generated based on the second log record and the first authentication code may characterize the content of the second log record and the first authentication code. In addition, in addition to obtaining the feature string using the second log record and the first identification code, the feature string may also be obtained in combination with other content, such as using a plurality of log records generated before the first log record.
Step S202, processing the feature string according to the first key, to obtain the target key.
Optionally, the characteristic character string spliced by the second log record and the first identification code is used as information to be processed, and the target key generated based on the content of the characteristic character string is obtained according to the first key and the information to be processed.
By utilizing the characteristic character string generated by splicing the second log record and the first identification code, the target key for processing the first log record is generated, so that the target key can be directly associated with the log record content of the second log record besides being associated with the first identification code of the second log record, the influence on the target key when the second log record is tampered is improved, whether the log record is tampered or not is reflected by the target identification code, and the accuracy of detecting whether the log record is tampered or not is improved.
Further, based on the above embodiment, still another embodiment of the log processing method of the present application is provided. In this embodiment, referring to fig. 5, the log processing method includes:
step S50, a log record file is obtained, wherein the log record file comprises a plurality of log records generated at different times and corresponding second identification codes;
optionally, when checking the log records, a log record file to be checked is obtained, the log record file includes a plurality of log records with different times that have been generated and recorded, each log record is also recorded with a corresponding second authentication code, and the second authentication code is a target authentication code corresponding to each log record, and is determined when the corresponding log record is generated and is associated and stored when the corresponding log record is stored in the log record file.
Step S60, determining a log record generated at a target moment in the log record file as a third log record and a fourth log record generated before the third log record;
the target time is set by a worker, and whether the log record recorded before and at the target time in the log record file is tampered is characterized and detected. In an actual scenario, the target time is generally designated as the time of the log record generated closest to the current time in the log record file, so as to realize detection of all log records in the log record file.
Optionally, the target time is determined, a corresponding log record generated at the target time in the log record file is set as a third log record, and a log record generated before the third log record is set as a fourth log record.
Step S70, obtaining a corresponding target detection key according to the first detection key and the corresponding first detection authentication code recorded in the fourth log;
and when the log record is detected, the detection key and the detection authentication code are regenerated, so that the detection authentication code is compared with the stored corresponding authentication code, the first detection key and the first detection authentication code are the detection key and the detection authentication code corresponding to the fourth log record, and the first detection key and the first detection authentication code are generated according to the corresponding detection key and the detection authentication code of the log record generated before the fourth log record. For the processing of the first log record, a corresponding initial key may be obtained from the security module, where the initial key and the key utilized when the first log record is generated and processed are the same key.
Alternatively, the target detection key of the third log record is obtained according to the first detection key of the fourth log record and the corresponding first detection authentication code, and this step may refer to step S20.
Step S80, obtaining a corresponding target detection authentication code according to the target detection key and the third log record;
alternatively, the target detection authentication code of the third log record is obtained from the target detection key and the third log record, and this step may refer to step S30.
Step S90, determining a detection result according to the second authentication code and the target detection authentication code corresponding to the third log record, where the detection result includes whether the log record file is tampered.
Optionally, after the target detection identifier of the third log record is generated, the third log record has a corresponding second identifier, a target detection key and a target detection identifier, where the second identifier is related data generated when the third log record is generated, and is stored in a log record file in an associated manner, and the target detection key and the target detection identifier are data generated when the third log record is detected. And determining whether the log record file is tampered according to the second authentication code and the target detection authentication code corresponding to the third log record.
By the second authentication code and the target detection authentication code of the third log record, it may be determined whether the third log record has been tampered with. And because the second authentication code and the target detection authentication code are generated based on the log record before the third log record, the detection result can simultaneously verify the log record before the third log record, and the verification effect accuracy of log verification is improved.
Further, in this embodiment, the step of determining the detection result according to the second authentication code and the target detection authentication code corresponding to the third log record includes:
determining the third log record in the log record file and the previously generated set of each log record as a log record set;
when the second authentication code corresponding to the third log record is matched with the target detection authentication code, determining that the detection result comprises that the log record set is not tampered;
when the second authentication code corresponding to the third log record is not matched with the target detection authentication code, determining that the detection result comprises that the log record set is tampered.
Optionally, determining that the third log record and all previous sets of log records in the log record file are log record sets, and when the second authentication code of the third log record is compared with the target detection authentication code, determining whether tampered log records exist in the check log record sets. When the second authentication code is matched with the target detection authentication code, determining that no log record in the log record set is tampered; and when the second authentication code is not matched with the target detection authentication code, determining that the stored log record in the log record set is tampered.
By comparing the second authentication code of the third log record with the target detection authentication code, whether the third log record and the previous log record in the log record file are tampered or not can be judged, and the accuracy of the verification effect of log verification is improved.
Further, in this embodiment, when the second authentication code corresponding to the third log record does not match the target detection authentication code, the step of determining that the detection result is that the log record set has been tampered further includes:
determining a second detection authentication code corresponding to the fourth log record and each log record generated before in the log record file, wherein each second detection authentication code is generated according to a second detection key and the second detection authentication code of the corresponding log record generated before;
determining that the second authentication codes corresponding to any two log records with adjacent generation time are a third authentication code and a fourth authentication code in sequence;
when the fourth authentication code is not matched with the corresponding second detection authentication code and the third authentication code is matched with the corresponding second detection authentication code, determining that the log record corresponding to the fourth authentication code is a tampered target log record;
determining the detection result further includes the target log record being tampered with.
Optionally, when it is determined that the second authentication code of the third log record and the target detection authentication code do not match, corresponding detection authentication codes of all other log records in the log record set, that is, the above-mentioned second detection authentication codes, are determined. And tracing back from the third log record to the front, and comparing the second authentication code and the second detection authentication code corresponding to each log record in sequence. And determining that the second authentication codes corresponding to any two log records with adjacent generation time are a third authentication code and a fourth authentication code in sequence, and determining that the log record corresponding to the fourth authentication code is a tampered log record when the fourth authentication code is not matched with the corresponding second detection authentication code and the third authentication code is matched with the corresponding second detection authentication code in the two adjacent log records, namely the tampered log record.
By comparing the fourth log record with the second identification code and the second detection identification code of each previous log record, the specific tampered log record can be determined in the log record set, so that the specific tampered log record can be positioned on the basis of detecting that the log record is tampered, and the verification effect accuracy of log verification is improved.
In addition, the embodiment of the application also provides a storage medium, wherein the storage medium is stored with a log processing program, and the log processing program realizes the relevant steps of any embodiment of the log processing method when being executed by a processor.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or system that comprises the element.
The foregoing embodiment numbers of the present application are merely for the purpose of description, and do not represent the advantages or disadvantages of the embodiments.
From the above description of the embodiments, it will be clear to those skilled in the art that the above-described embodiment method may be implemented by means of software plus a necessary general hardware platform, but of course may also be implemented by means of hardware, but in many cases the former is a preferred embodiment. Based on such understanding, the technical solution of the present application may be embodied essentially or in a part contributing to the prior art in the form of a software product stored in a storage medium (e.g. ROM/RAM, magnetic disk, optical disk) as described above, comprising instructions for causing a terminal device (which may be a mobile phone, a computer, a server, or a network device, etc.) to perform the method according to the embodiments of the present application.
The foregoing description is only of the preferred embodiments of the present application, and is not intended to limit the scope of the application, but rather is intended to cover any equivalents of the structures or equivalent processes disclosed herein or in the alternative, which may be employed directly or indirectly in other related arts.
Claims (8)
1. A log processing method, characterized in that the log processing method comprises the steps of:
acquiring a first log record generated at the current moment, and acquiring a first key and a first authentication code corresponding to a second log record generated before the current moment in a log record file, wherein the first authentication code and the first key are authentication codes and keys corresponding to the second log when the second log is processed, and the first authentication code is generated according to the first key and the second log record;
processing the first identification code by using the first key according to an HMAC algorithm to obtain a target key;
processing the first log record by using the target key according to an HMAC algorithm to obtain a target authentication code;
and storing the first log record and the target authentication code in association with the log record file.
2. The log processing method as claimed in claim 1, wherein the step of obtaining the corresponding target key from the first key and the first authentication code comprises:
acquiring the second log record;
determining that the character string spliced by the second log record and the first identification code is a characteristic character string;
and obtaining the target key according to the first key and the characteristic character string.
3. The log processing method according to any one of claims 1 to 2, wherein the step of acquiring the first key includes:
obtaining a secure key from a secure module, the secure key comprising the first key;
after the step of storing the first log record and the target authentication code in association with the log record file, the method further includes:
and updating the security key in the security module to the target key.
4. A log processing method, characterized in that the log processing method comprises the steps of:
acquiring a log record file, wherein the log record file comprises a plurality of log records generated at different times and corresponding second authentication codes, and the second authentication codes are target authentication codes corresponding to each log record;
determining a log record generated at a target moment in the log record file as a third log record and a fourth log record generated before the third log record;
obtaining a corresponding target detection key according to a first detection key and a corresponding first detection authentication code of the fourth log record, wherein the first detection key and the first detection authentication code are generated according to a detection key and a detection authentication code corresponding to a log record generated before the fourth log record;
processing the third log record according to an HMAC algorithm by using the target detection key to obtain a target detection authentication code;
and determining a detection result according to the second authentication code and the target detection authentication code corresponding to the third log record, wherein the detection result comprises whether the log record file is tampered or not.
5. The log processing method as set forth in claim 4, wherein the step of determining a detection result from the second authentication code and the target detection authentication code corresponding to the third log record comprises:
determining the third log record in the log record file and the previously generated set of each log record as a log record set;
when the second authentication code corresponding to the third log record is matched with the target detection authentication code, determining that the detection result comprises that the log record set is not tampered;
when the second authentication code corresponding to the third log record is not matched with the target detection authentication code, determining that the detection result comprises that the log record set is tampered.
6. The log processing method as set forth in claim 5, wherein when the second authentication code corresponding to the third log record does not match the target detection authentication code, the step of determining that the detection result includes that the log record set has been tampered with further includes, after:
determining the fourth log record and the second detection authentication code corresponding to each log record generated before in the log record file, wherein each second detection authentication code is generated according to the second detection key and the second detection authentication code of the corresponding log record generated before;
determining that the second authentication codes corresponding to any two log records with adjacent generation time are a third authentication code and a fourth authentication code in sequence;
when the fourth authentication code is not matched with the corresponding second detection authentication code and the third authentication code is matched with the corresponding second detection authentication code, determining that the log record corresponding to the fourth authentication code is a tampered target log record;
determining the detection result further includes the target log record being tampered with.
7. A log processing apparatus, characterized in that the log processing apparatus comprises: a memory, a processor and a log handler stored on the memory and executable on the processor, the log handler being configured to implement the steps of the log handling method of any one of claims 1 to 6.
8. A storage medium having stored thereon a log processing program which, when executed by a processor, implements the steps of the log processing method according to any one of claims 1 to 6.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211392462.3A CN115766166B (en) | 2022-11-08 | 2022-11-08 | Log processing method, device and storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211392462.3A CN115766166B (en) | 2022-11-08 | 2022-11-08 | Log processing method, device and storage medium |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN115766166A CN115766166A (en) | 2023-03-07 |
| CN115766166B true CN115766166B (en) | 2023-09-19 |
Family
ID=85368063
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202211392462.3A Active CN115766166B (en) | 2022-11-08 | 2022-11-08 | Log processing method, device and storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN115766166B (en) |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107609874A (en) * | 2017-10-09 | 2018-01-19 | 恒宝股份有限公司 | A kind of transaction log data verification method and checking system |
| CN112788012A (en) * | 2020-12-30 | 2021-05-11 | 深圳市欢太科技有限公司 | Log file encryption method and device, storage medium and electronic equipment |
| CN114218615A (en) * | 2021-12-20 | 2022-03-22 | 中国农业银行股份有限公司 | Method, device, equipment and medium for preventing log tampering in financial system |
| CN114722387A (en) * | 2022-04-02 | 2022-07-08 | 中南民族大学 | Database abnormal tampering detection method, device, equipment and storage medium |
Family Cites Families (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US8316240B2 (en) * | 2009-02-20 | 2012-11-20 | International Business Machines Corporation | Securing computer log files |
| WO2015187640A2 (en) * | 2014-06-02 | 2015-12-10 | Robert Bosch Gmbh | System and method for secure review of audit logs |
-
2022
- 2022-11-08 CN CN202211392462.3A patent/CN115766166B/en active Active
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107609874A (en) * | 2017-10-09 | 2018-01-19 | 恒宝股份有限公司 | A kind of transaction log data verification method and checking system |
| CN112788012A (en) * | 2020-12-30 | 2021-05-11 | 深圳市欢太科技有限公司 | Log file encryption method and device, storage medium and electronic equipment |
| CN114218615A (en) * | 2021-12-20 | 2022-03-22 | 中国农业银行股份有限公司 | Method, device, equipment and medium for preventing log tampering in financial system |
| CN114722387A (en) * | 2022-04-02 | 2022-07-08 | 中南民族大学 | Database abnormal tampering detection method, device, equipment and storage medium |
Also Published As
| Publication number | Publication date |
|---|---|
| CN115766166A (en) | 2023-03-07 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US8578174B2 (en) | Event log authentication using secure components | |
| US8086861B2 (en) | Information processing terminal and status notification method | |
| US8190915B2 (en) | Method and apparatus for detecting data tampering within a database | |
| US20110162051A1 (en) | Authentication methods | |
| EP3270318B1 (en) | Dynamic security module terminal device and method for operating same | |
| US20180239927A1 (en) | Rollback protection for login security policy | |
| CN113472774B (en) | Account login-free method, system, device and computer readable storage medium | |
| CN113225324B (en) | Block chain anonymous account creation method, system, device and storage medium | |
| US20170155683A1 (en) | Remedial action for release of threat data | |
| CN114238874A (en) | Digital signature verification method and device, computer equipment and storage medium | |
| CN112506481A (en) | Service data interaction method and device, computer equipment and storage medium | |
| CN114741704A (en) | Privacy protection method, device, equipment and medium based on marriage and love dating | |
| CN112711570A (en) | Log information processing method and device, electronic equipment and storage medium | |
| CN116680673B (en) | Identity verification method and device for display and computer equipment | |
| CN115766166B (en) | Log processing method, device and storage medium | |
| CN112422527A (en) | Safety protection system, method and device of transformer substation electric power monitoring system | |
| CN115766165B (en) | Log processing method, device and storage medium | |
| CN113868628B (en) | Signature verification method, signature verification device, computer equipment and storage medium | |
| CN114401117B (en) | Block chain-based account login verification system | |
| CN115114657A (en) | Data protection method, electronic device and computer storage medium | |
| CN114745173A (en) | Login verification method, login verification device, computer equipment, storage medium and program product | |
| CN114172720A (en) | Ciphertext attack flow detection method and related device | |
| CN109635164B (en) | Number detection method and device | |
| KR101893504B1 (en) | A file integrity test in linux environment device and method | |
| CN113343191B (en) | Network information security protection method and system |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |