CN115964693A - Method, equipment and system for quickly identifying trusted program in industrial host environment - Google Patents


Publication number
CN115964693A
Authority
CN
China
Legal status
Pending
Application number
CN202211514348.3A
Other languages
Chinese (zh)
Inventor
徐天明
陈夏裕
章明飞
吴志华
黄佳敏
Current Assignee
Jiangsu Hengtong Industrial Control Safety Research Institute Co Ltd
Original Assignee
Jiangsu Hengtong Industrial Control Safety Research Institute Co Ltd
Priority date
2022-11-29
Filing date
2022-11-29
Publication date
2023-04-14

Classifications

    • Y: General tagging of new technological developments; general tagging of cross-sectional technologies spanning over several sections of the IPC; technical subjects covered by former USPC cross-reference art collections [XRACs] and digests
    • Y02: Technologies or applications for mitigation or adaptation against climate change
    • Y02P: Climate change mitigation technologies in the production or processing of goods
    • Y02P 90/00: Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P 90/02: Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]

Landscapes

  • Stored Programmes (AREA)

Abstract

The invention relates to the technical field of trusted program judgment and discloses a method, equipment and a system for quickly identifying a trusted program in an industrial host environment. The method comprises: opening a handle of an executable program and judging whether the executable program carries an existing digital signature; if it does, judging whether the executable program is trusted according to the existing digital signature; if it does not, judging whether the size of the executable program is larger than a preset value a; if the size is not larger than a, reading the complete data of the executable program and calculating a new digital signature; if the size is larger than a, reading the head and the tail of the executable program, each of size b, and calculating a new digital signature; and judging whether the executable program is trusted according to the new digital signature. The equipment comprises a memory, a processor, and a computer program stored on the memory and executable on the processor; the system comprises modules implementing the steps of the method. The invention accelerates the judgment of whether an executable program is trusted and effectively reduces CPU and disk I/O consumption.

Description

Method, equipment and system for quickly identifying trusted program in industrial host environment
Technical Field
The invention relates to the technical field of trusted program judgment, in particular to a method, equipment and a system for quickly identifying a trusted program in an industrial host environment.
Background
A trusted program is a program whose trustworthiness meets the user's expectations, and a program needs to be identified as trusted before it is used. Prior-art methods for identifying trusted programs generally comprise three steps: first, scanning all executable programs on the target host; second, extracting the digital signature data of the executable programs one by one and writing it into a database to form a white list program library, the programs recorded in the library being defined as trusted programs; third, capturing each process start event, extracting the digital signature of the starting process and looking it up in the white list database, allowing the process to continue if the signature is found and stopping it if it is not.
However, the prior-art solutions present several problems in project implementation. The executable modules of industrial control programs in an industrial control host environment occupy a large amount of space, usually hundreds of megabytes; the industrial control host usually runs equipment control and monitoring programs, so its CPU occupancy is very high, usually above 80%; and the industrial software on the host is realized by multiple processes, so executable programs are started frequently during service control. The traditional way of extracting the digital signature of a trusted program reads all the data of the whole executable program and then calculates the digital signature, which involves a large volume of disk I/O and a large amount of computation. In an industrial host environment these characteristics cause a great performance loss on the target industrial control host, especially on hosts with high performance requirements, and can even cause execution exceptions, data errors and crashes of the control software.
Disclosure of Invention
Therefore, the technical problem to be solved by the present invention is to overcome the defects in the prior art, and provide a method, a device and a system for quickly identifying a trusted program in an industrial host environment, which can accelerate the speed of judging whether an executable program is trusted, and effectively reduce the consumption of CPU and disk I/O.
In order to solve the technical problem, the invention provides a method for quickly identifying a trusted program in an industrial host environment, which comprises the following steps:
opening a handle of the executable program and judging whether the executable program carries an existing digital signature;
if it does, judging whether the executable program is trusted according to the existing digital signature; if it does not, judging whether the size of the executable program is larger than a preset value a;
if the size of the executable program is not larger than the preset value a, reading the complete data of the executable program and calculating a new digital signature; if the size of the executable program is larger than the preset value a, reading the head and the tail of the executable program, each of size b, and calculating a new digital signature; and judging whether the executable program is trusted according to the new digital signature.
In an embodiment of the present invention, the determining whether the executable program is trusted according to the existing digital signature specifically includes:
checking with the public key whether the existing digital signature is legal, that is, whether it verifies under the public key; if so, the executable program is trusted, and if not, it is not trusted.
In an embodiment of the present invention, the preset value a ranges from 5M to 15M.
In an embodiment of the present invention, the value range of b is 1M to 5M.
In an embodiment of the present invention, the reading of the complete data of the executable program and the calculation of the new digital signature specifically include:
performing a hash operation on the complete data of the executable program to obtain a digest, and encrypting the digest with the asymmetric RSA algorithm (that is, signing it with the RSA private key) to obtain the new digital signature.
In an embodiment of the present invention, the reading data with the size of head and tail b of the executable program and calculating a new digital signature specifically include:
performing a hash operation on the head and the tail of the executable program, each of size b, to obtain a digest; concatenating the head, the tail and the digest to obtain spliced data; and encrypting the spliced data with the asymmetric RSA algorithm to obtain the new digital signature.
In an embodiment of the present invention, determining whether the executable program is trusted according to the new digital signature specifically includes:
and matching the new digital signature with the digital signature in the white list library, wherein if the new digital signature is successfully matched, the executable program is trusted, and if the new digital signature is unsuccessfully matched, the executable program is not trusted.
In one embodiment of the invention, if the new digital signature is successfully matched, the current new digital signature is added into the white list library for updating, and the updated white list library is used when the new digital signature of the next executable program is matched.
The invention also provides equipment for quickly identifying the trusted program in the industrial host environment, which comprises a memory, a processor and a computer program which is stored on the memory and can run on the processor, wherein the processor realizes the steps of the method for quickly identifying the trusted program in the industrial host environment when executing the computer program.
The invention also provides a system for quickly identifying the trusted program in the industrial host environment, which comprises a program acquisition module, an existing digital signature judgment module, a new digital signature generation module and a new digital signature judgment module,
the program acquisition module opens a handle of the executable program and transmits the executable program to the existing digital signature judgment module;
the existing digital signature judging module judges whether an existing digital signature exists in the executable program, if so, judges whether the executable program is credible according to the existing digital signature, and if not, transmits the executable program to the new digital signature generating module;
the new digital signature generation module judges whether the size of the executable program is larger than a preset value a, if the size of the executable program is not larger than the preset value a, the complete data of the executable program is read and a new digital signature is calculated, if the size of the executable program is larger than the preset value a, the data with the head and tail sizes of b of the executable program is read and a new digital signature is calculated, and the new digital signature is transmitted to the new digital signature judgment module;
and the new digital signature judging module judges whether the executable program is credible according to the new digital signature.
Compared with the prior art, the technical scheme of the invention has the following advantages:
The invention first checks whether the executable program carries an existing digital signature and, if so, quickly judges whether the executable program is trusted from that signature, which effectively reduces CPU and disk I/O consumption; if there is no existing digital signature, it selects the whole data or partial data for calculating a new digital signature according to the size of the current executable program, which reduces CPU and disk I/O consumption again. By taking the size of the executable program into account, the data that must be read to judge whether the executable program is trusted is reduced, the judgment is accelerated, and CPU and disk I/O consumption is effectively reduced, so that execution of the main service system of the industrial control host is not affected.
Drawings
In order that the present disclosure may be more readily and clearly understood, reference is now made to the following detailed description of the present disclosure taken in conjunction with the accompanying drawings, in which:
FIG. 1 is a flow chart of the method of the invention;
FIG. 2 is a step-by-step flowchart of a method in an embodiment of the present invention.
Detailed Description
The present invention is further described below in conjunction with the following figures and specific examples so that those skilled in the art may better understand the present invention and practice it, but the examples are not intended to limit the present invention.
Referring to fig. 1-2, the invention discloses a method for quickly identifying a trusted program in an industrial host environment, which comprises the following steps:
S1: open a handle of the executable program and judge whether the executable program carries an existing digital signature; if it does, execute S2, and if it does not, execute S3.
S2: quickly judge whether the executable program is trusted according to the existing digital signature: check with the public key whether the existing digital signature is legal; if so, the executable program is trusted, and if not, it is not trusted; the identification ends.
S3: and judging whether the size of the executable program is larger than a preset value a or not, if the size of the executable program is not larger than the preset value a, executing S4, and if the size of the executable program is larger than the preset value a, executing S5.
The value range of the preset value a is 5M-15M, and a =10M in this embodiment.
S4: the complete data of the executable program is read and a new digital signature is calculated, S6 is performed.
Reading the complete data of the executable program and calculating the new digital signature specifically comprises: performing a hash operation on the complete data of the executable program to obtain a digest, and encrypting the digest with the asymmetric RSA algorithm (signing it with the RSA private key) to obtain the new digital signature.
S5: read the head and the tail of the executable program, each of size b, calculate a new digital signature, and execute S6.
The value range of b is 1M-5M, and b = 1M in this embodiment. Reading the head and the tail of size b and calculating the new digital signature specifically comprises: performing a hash operation on the head and the tail of the executable program, each of size b, to obtain a digest; concatenating the head, the tail and the digest to obtain spliced data; and encrypting the spliced data with the asymmetric RSA algorithm to obtain the new digital signature. When the head, the tail and the digest are concatenated, any ordering of the three parts may be used, provided the same ordering is used when the white list signatures are generated.
S6: judge whether the executable program is trusted according to the new digital signature, and end the identification.
Judging whether the executable program is trusted according to the new digital signature specifically comprises: matching the new digital signature against the digital signatures in the white list library; if the match succeeds, the executable program is trusted, and if it fails, the executable program is not trusted.
If the match succeeds, the current new digital signature is added to the white list library as an update, and the updated white list library is used when matching the new digital signature of the next executable program. The initial white list library is a set of digital signatures generated in advance by the same new-digital-signature procedure, and it is updated continuously during the trusted judgment of executable programs.
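The following Python block is an added example, not code from the patent or its assignee; it implements the S1-S6 flow above so that its behaviour can be checked on small inputs. The hash function (SHA-256), the RSA key (a fixed toy key built from two known Mersenne primes, with no security value), the form of the existing digital signature (a detached tag over the whole file, standing in for a real embedded PE signature) and the small values of a and b used in the demo are all assumptions. The RSA step of S4 and S5 is reduced to a textbook RSA signature over the digest; the S5 splicing of head, tail and digest before the RSA step is not reproduced. The example also makes one consequence of S5 explicit: bytes between the head and the tail windows never enter the digest, so a program larger than a that is changed only in its middle yields the same new digital signature and still matches the white list.

```python
"""Added example of the S1-S6 trusted-program check; not the patent's code.

Assumptions (not from the page): SHA-256 as the hash, a fixed toy RSA key,
a detached tag as the "existing digital signature", and hash-then-sign in
both the whole-file and the head/tail branch.
"""
import hashlib
from typing import Optional, Set, Tuple

# Embodiment values: a = 10M, b = 1M (taken as MiB here; the page writes "M").
A_DEFAULT = 10 * 1024 * 1024
B_DEFAULT = 1 * 1024 * 1024

# Toy RSA key from two known Mersenne primes, 2^521-1 and 2^127-1.
# ASSUMPTION: a public, fixed key so the example runs offline; it has no
# security value. A real deployment uses a generated key and PKCS#1 padding.
_P = (1 << 521) - 1
_Q = (1 << 127) - 1
RSA_N = _P * _Q
RSA_E = 65537
RSA_D = pow(RSA_E, -1, (_P - 1) * (_Q - 1))   # private exponent


def select_bytes(program: bytes, a: int = A_DEFAULT, b: int = B_DEFAULT) -> bytes:
    """S3-S5 input selection: the whole file if size <= a, else head b || tail b.
    Nothing between the two windows is read, so it cannot affect the digest."""
    if len(program) <= a:
        return program
    return program[:b] + program[-b:]


def digest(data: bytes) -> bytes:
    """The page's 'digital abstract'; the hash function is an assumption."""
    return hashlib.sha256(data).digest()


def rsa_sign(d: bytes) -> int:
    """What the page calls 'encrypting the digest with RSA': a textbook
    (unpadded) signature with the private exponent."""
    return pow(int.from_bytes(d, "big"), RSA_D, RSA_N)


def rsa_verify(sig: int, d: bytes) -> bool:
    """Public-key side: the signature opens to the expected digest."""
    return pow(sig, RSA_E, RSA_N) == int.from_bytes(d, "big")


def new_signature(program: bytes, a: int = A_DEFAULT, b: int = B_DEFAULT) -> int:
    """S4/S5: sign the digest of the selected bytes (head/tail splicing omitted)."""
    return rsa_sign(digest(select_bytes(program, a, b)))


def verify_existing(program: bytes, existing_sig: int) -> bool:
    """S2: the existing signature is 'legal' if it verifies under the public key.
    ASSUMPTION: modelled as a detached tag over the whole file; a real PE
    signature would be parsed out of the binary and verified the same way."""
    return rsa_verify(existing_sig, digest(program))


def identify(program: bytes, whitelist: Set[int], existing_sig: Optional[int] = None,
             a: int = A_DEFAULT, b: int = B_DEFAULT) -> bool:
    """Full S1-S6 decision: True if the program is judged trusted."""
    # S1/S2: an existing signature decides on its own, no white list lookup.
    if existing_sig is not None:
        return verify_existing(program, existing_sig)
    # S3-S5: whole file or head+tail, depending on size against a.
    sig = new_signature(program, a, b)
    # S6: match against the white list. Adding a matched signature back
    # (the page's "update") is a no-op for a set keyed on the signature.
    if sig in whitelist:
        whitelist.add(sig)
        return True
    return False


def demo() -> Tuple[bool, bool]:
    """Constructed 2 KiB 'program' and a copy altered only in its middle.
    With a = 1 KiB and b = 64 bytes both land in the head/tail branch and
    produce the same new signature; returns (original_ok, altered_ok)."""
    prog = bytes(range(256)) * 8
    altered = prog[:1024] + b"\xff" * 16 + prog[1040:]
    whitelist = {new_signature(prog, a=1024, b=64)}
    return (identify(prog, whitelist, a=1024, b=64),
            identify(altered, whitelist, a=1024, b=64))


if __name__ == "__main__":
    print(demo())
```

White list matching in S6 is by equality of the signature value, so the signing step must be deterministic (textbook RSA or PKCS#1 v1.5); a randomised scheme such as RSA-PSS would produce a different value on every run and never match. The demo returns (True, True): the altered copy is accepted because its modification lies outside the head and tail windows, which is the trade-off a practitioner accepts when choosing a and b.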
The invention also discloses equipment for quickly identifying the trusted program in the industrial host environment, which comprises a memory, a processor and a computer program which is stored on the memory and can run on the processor, wherein when the processor executes the computer program, the steps of the method for quickly identifying the trusted program in the industrial host environment are realized.
The invention also discloses a system for quickly identifying the trusted program in the industrial host environment, which comprises a program acquisition module, an existing digital signature judgment module, a new digital signature generation module and a new digital signature judgment module. And the program acquisition module opens a handle of the executable program and transmits the executable program to the existing digital signature judgment module. The existing digital signature judging module judges whether an existing digital signature exists in the executable program, if so, judges whether the executable program is credible according to the existing digital signature, and if not, transmits the executable program to the new digital signature generating module. The new digital signature generation module judges whether the size of the executable program is larger than a preset value a, if the size of the executable program is not larger than the preset value a, the complete data of the executable program is read and a new digital signature is calculated, if the size of the executable program is larger than the preset value a, the data with the head and tail sizes of b of the executable program is read and a new digital signature is calculated, and the new digital signature is transmitted to the new digital signature judgment module. And the new digital signature judging module judges whether the executable program is credible according to the new digital signature.
The invention first checks whether the executable program carries an existing digital signature and, if so, quickly judges whether it is trusted from that signature, which effectively reduces CPU and disk I/O consumption; if there is no existing digital signature, the whole or partial data is selected according to the size of the current executable program for calculating the new digital signature, which reduces CPU and disk I/O consumption again. Compared with the traditional method, which must read the whole data to extract and judge the digital signature of an executable program, the method and equipment take the size of the executable program into account to reduce the data that must be read, calculate the new digital signature flexibly, accelerate the judgment of whether the executable program is trusted, and effectively reduce CPU and disk I/O consumption, so that execution of the main service system of the industrial control host is not affected.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and so forth) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It should be understood that the above examples are only for clarity of illustration and are not intended to limit the embodiments. Other variations and modifications will be apparent to persons skilled in the art in light of the above description. This need not be, nor should it be exhaustive of all embodiments. And obvious variations or modifications of the invention may be made without departing from the spirit or scope of the invention.

Claims (10)

1. A method for quickly identifying a trusted program in an industrial host environment is characterized by comprising the following steps:
opening a handle of the executable program, and judging whether the executable program has the existing digital signature;
if yes, judging whether the executable program is credible according to the existing digital signature, if not, judging whether the size of the executable program is larger than a preset value a,
and if the size of the executable program is not larger than a preset value a, reading complete data of the executable program and calculating a new digital signature, if the size of the executable program is larger than the preset value a, reading data with the head and tail sizes of the executable program being b respectively and calculating a new digital signature, and judging whether the executable program is credible according to the new digital signature.
2. The method for quickly identifying the trusted program in the industrial host environment according to claim 1, wherein: the judging whether the executable program is credible according to the existing digital signature specifically comprises the following steps:
checking with the public key whether the existing digital signature is legal; if so, the executable program is trusted, and if not, it is not trusted.
3. The method for quickly identifying the trusted program in the industrial host environment according to claim 1, wherein: the value range of the preset value a is 5M-15M.
4. The method for quickly identifying the trusted program in the industrial host environment according to claim 1, wherein: the value range of b is 1M-5M.
5. The method for quickly identifying the trusted program in the industrial host environment according to claim 1, wherein: reading the complete data of the executable program and calculating a new digital signature, specifically:
and carrying out Hash operation on the complete data of the executable program to obtain a digital abstract, and encrypting the digital abstract by using an asymmetric RSA encryption algorithm to obtain a new digital signature.
6. The method for quickly identifying the trusted program in the industrial host environment according to claim 1, wherein: the method comprises the following steps of reading data with the head and tail sizes of the executable program being b respectively and calculating a new digital signature, and specifically comprises the following steps:
performing a hash operation on the head and the tail of the executable program, each of size b, to obtain a digest; splicing the head and the tail of size b with the digest to obtain spliced data; and encrypting the spliced data by using the asymmetric RSA encryption algorithm to obtain a new digital signature.
7. The method for quickly identifying the trusted program in the industrial host environment according to any one of claims 1 to 6, wherein: judging whether the executable program is credible according to the new digital signature, specifically:
and matching the new digital signature with the digital signature in the white list library, wherein if the new digital signature is successfully matched, the executable program is credible, and if the new digital signature is unsuccessfully matched, the executable program is not credible.
8. The method for quickly identifying the trusted program in the industrial host environment according to claim 7, wherein: and if the new digital signature is successfully matched, adding the current new digital signature into the white list library for updating, and using the updated white list library when matching the new digital signature of the next executable program.
9. A device for quickly identifying a trusted program in an industrial host environment, characterized in that it comprises a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the steps of the method for quickly identifying a trusted program in an industrial host environment as claimed in any one of claims 1 to 8 when executing the computer program.
10. A system for quickly identifying a trusted program in an industrial host environment, characterized in that it comprises a program acquisition module, an existing digital signature judgment module, a new digital signature generation module and a new digital signature judgment module,
the program acquisition module opens a handle of the executable program and transmits the executable program to the existing digital signature judgment module;
the existing digital signature judging module judges whether an existing digital signature exists in the executable program, if so, judges whether the executable program is credible according to the existing digital signature, and if not, transmits the executable program to the new digital signature generating module;
the new digital signature generation module judges whether the size of the executable program is larger than a preset value a, if the size of the executable program is not larger than the preset value a, the complete data of the executable program is read and a new digital signature is calculated, if the size of the executable program is larger than the preset value a, the data with the head and tail sizes of b of the executable program is read and a new digital signature is calculated, and the new digital signature is transmitted to the new digital signature judgment module;
and the new digital signature judging module judges whether the executable program is credible according to the new digital signature.
Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN202211514348.3A | 2022-11-29 | 2022-11-29 | Method, equipment and system for quickly identifying trusted program in industrial host environment

Publications (1)

Publication Number | Publication Date
CN115964693A | 2023-04-14

Family

ID=87362454

Country Status (1)

CN: CN115964693A (pending)


Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination