CN116305290A - System log security detection method and device, electronic equipment and storage medium - Google Patents

System log security detection method and device, electronic equipment and storage medium Download PDF

Info

Publication number
CN116305290A
Authority
CN (China)
Application number
CN202310546715.6A
Other languages
Chinese (zh)
Inventor
邢宝玉
白淳升
肖新光
Current Assignee
Beijing Antiy Network Technology Co Ltd
Original Assignee
Beijing Antiy Network Technology Co Ltd
Legal status
Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/10 File systems; File servers
    • G06F16/18 File system types
    • G06F16/1805 Append-only file systems, e.g. using logs or journals to store data
    • G06F16/1815 Journaling file systems
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/10 File systems; File servers
    • G06F16/18 File system types
    • G06F16/182 Distributed file systems
    • G06F16/184 Distributed file systems implemented as replicated file system
    • G06F16/1844 Management specifically adapted to replicated file systems
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Abstract

The invention provides a system log security detection method and device, electronic equipment and storage medium, wherein the method comprises the following steps: determining at least one target data block from a plurality of original data blocks contained in the target log file in response to a change in a file checksum in file header information of the target log file; acquiring current abstract information and historical abstract information of target event record information; the target event record information is event record information contained in a target data block; and if the current abstract information and the historical abstract information corresponding to any target event record information are different, outputting an alarm prompt. On the basis of a system log content verification algorithm, the invention detects whether the target log file is tampered or not by comparing the recorded checksum with the abstract information of the target log file, and compared with the existing log tamper-proof technology, the invention can safely detect the target log file while protecting the integrity of the log.

Description

System log security detection method and device, electronic equipment and storage medium
Technical Field
The present invention relates to the field of security detection, and in particular, to a system log security detection method and apparatus, an electronic device, and a storage medium.
Background
The system log is usually stored in a directory that the system does not strictly protect, uses text as its carrier, is stored in plaintext, is neither encrypted nor verified, and lacks an effective log security protection mechanism, so the log file is not necessarily safe and reliable: an attacker can tamper with the log file, after which the system log cannot be regarded as effective electronic evidence.
The existing log tamper-proof technology mainly monitors the system security log service in real time from the file-system driver layer and intercepts any monitored modification of the system security log. However, in advanced threat activity the event log service may be interrupted by technical means and the event log subsequently modified in accordance with the file structure and log content verification algorithm of the Windows log, so under the current log tamper-resistant technology the integrity of the system log may still be damaged.
Disclosure of Invention
In view of the above, the present invention provides a system log security detection method and apparatus, an electronic device and a storage medium, which at least partially solve the technical problems existing in the prior art, and the technical scheme adopted by the present invention is as follows:
According to one aspect of the present application, there is provided a system log security detection method, including:
determining at least one target data block from a plurality of original data blocks contained in the target log file in response to a change in a file checksum in file header information of the target log file;
acquiring current abstract information and historical abstract information of target event record information; the target event record information is event record information contained in a target data block;
and if the current abstract information and the historical abstract information corresponding to any target event record information are different, outputting an alarm prompt.
In an exemplary embodiment of the present application, determining that the file checksum within the header information of the target log file has changed includes:
acquiring a historical file checksum and a current file checksum of file header information of a target log file every preset acquisition time;
if the historical file checksum of the file header information is different from the current file checksum, the file checksum in the file header information of the target log file is judged to be changed.
In an exemplary embodiment of the present application, determining at least one target data block from a plurality of original data blocks included in a target log file includes:
Acquiring a historical data block checksum and a corresponding current data block checksum of each original data block contained in the target log file;
and if the historical data block checksum of the original data block is different from the corresponding current data block checksum, determining the original data block as a target data block.
In an exemplary embodiment of the present application, before determining at least one target data block from a plurality of original data blocks included in the target log file in response to a change in a file checksum in file header information of the target log file, the system log security detection method further includes:
sequentially obtaining the size of each original data block contained in the target log file, and if the sum of the sizes of at least part of sequentially continuous original data blocks is smaller than or equal to a preset capacity threshold value, merging the part of original data blocks into a log subfile; the log subfiles comprise initial record generation time and cut-off record generation time of each corresponding original data block, the initial record generation time is generation time of first original event record information contained in the corresponding original data block, the cut-off record generation time is generation time of last original event record information contained in the corresponding original data block, and the original event record information is event record information contained in the corresponding original data block;
Copying a plurality of log subfiles contained in the target log file into a preset storage space;
if the target log file has a new added data block, acquiring the sum of the size of the new added data block and the size of the last log sub-file in the preset storage space, and if the sum is smaller than or equal to a preset capacity threshold value, copying the new added data block into the last log sub-file in the preset storage space; if the data block is larger than the preset capacity threshold, a blank log sub-file is newly built in the preset storage space, and the newly added data block is copied into the blank log sub-file.
In an exemplary embodiment of the present application, after outputting the alarm prompt if there is a difference between the current summary information and the historical summary information corresponding to any target event record information, the system log security detection method further includes:
determining target event record information with difference between current abstract information and historical abstract information as change event record information;
and updating the log subfiles where the change event record information in the preset storage space is located according to the change event record information.
In one exemplary embodiment of the present application, obtaining current summary information and historical summary information of target event record information includes:
If the initial record generation time of the original data block and the cut-off record generation time of the target data block are within a preset interval period, determining the original data block as a first data block;
encrypting the first event record information to obtain corresponding current first event abstract information; the first event record information is event record information contained in the first data block;
acquiring historical first event summary information of first event record information;
if the current abstract information and the historical abstract information corresponding to any target event record information are different, outputting an alarm prompt, wherein the alarm prompt comprises:
if the current first event abstract information and the historical first event abstract information of any first event record information are different, outputting an alarm prompt; otherwise, determining the original data block which does not belong to the first data block in the target log file as a second data block;
encrypting the second data block to obtain corresponding current second data block abstract information;
acquiring historical second data block summary information of a second data block;
if the current second data block summary information and the historical second data block summary information of any second data block differ, encrypting the plurality of pieces of second event record information contained in that second data block to obtain corresponding current second event summary information;
Acquiring historical second event summary information of a plurality of second event record information contained in a second data block with difference between the current second data block summary information and the historical second data block summary information;
and if the current second event summary information and the historical second event summary information of any second event record information are different, outputting an alarm prompt.
In one exemplary embodiment of the present application, the preset interval period is determined by:
if the cut-off record generating time of the target data block belongs to a preset first period, determining the sum of a first preset time length and a preset time difference before the cut-off record generating time of the target data block as a preset interval period;
if the cut-off record generating time of the target data block belongs to a preset second period, determining the sum of a second preset time length before the cut-off record generating time of the target data block and a preset time difference as a preset interval period.
According to one aspect of the present application, there is provided a system log security detection apparatus, including:
the response module is used for determining at least one target data block from a plurality of original data blocks contained in the target log file in response to the change of the file checksum in the file header information of the target log file;
The acquisition module is used for acquiring current abstract information and historical abstract information of the target event record information; the target event record information is event record information contained in a target data block;
and the comparison module is used for outputting an alarm prompt when the current abstract information and the historical abstract information corresponding to any target event record information are different.
According to one aspect of the present application, there is provided a non-transitory computer readable storage medium having stored therein at least one instruction or at least one program loaded and executed by a processor to implement the aforementioned system log security detection method.
According to one aspect of the present application, there is provided an electronic device comprising a processor and the aforementioned non-transitory computer-readable storage medium.
The invention has at least the following beneficial effects:
the invention determines whether the target log file is modified or not by detecting whether the file checksum of the file header information of the target log file is changed or not, and then determines the modified target event record information in the target log file by comparing whether the current abstract information and the historical abstract information of the target event record information are different or not.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required for the description of the embodiments will be briefly described below, and it is apparent that the drawings in the following description are only some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flowchart of a system log security detection method according to an embodiment of the present invention;
FIG. 2 is a block diagram of a system log security detection device according to an embodiment of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to fall within the scope of the invention.
A computer system records a large amount of event information, known as the system log, over its operating life cycle. From an information security perspective, the system log records the activity of specific events in the computer system; through it a user can monitor system activity and diagnose problems, and it is commonly used in computer forensic investigations to trace and analyse the traces left by an attacker.
The system log comprises a system running log, an application program log and a security log, and the basic content comprises the steps of recording running states, recording program information and recording security events.
The system running log is used for recording events generated by operating system components, and mainly comprises crashes of a driver, system components and application software, data loss errors and the like. The format type of the system log record is predefined by the operating system.
The application program log is used for recording behavior events generated by the application program, and mainly comprises interaction of the program with the computer information system during running and influence of the interaction on the computer information system, for example, a certain system application program can be set to send information such as operation log, exception log and the like to the system every time a state such as start, exit and exception is performed. The format of the records in the application log is defined by the developer of the application and provides a corresponding system interface to assist the user in using the application log.
The security log is used for recording events related to system security, including system authentication, system resource access events, and the like. Unlike system running logs and application logs, security logs are only accessible to system administrators.
In order to keep track of the running condition of system resources, a computer system generally keeps a corresponding system log recording the date and time-stamp information of routine events or misoperation alarms, and the system log is one of the evidence sources reflecting the course of a computer crime. However, the system log generated by a computer system is easily damaged or maliciously tampered with: an attacker can remove the traces of their operations by tampering with the system log, after which the system log cannot be regarded as effective electronic evidence. In electronic evidence inspection, the process of obtaining system-log evidence must follow the corresponding log inspection technical specifications and methods, for instance for Windows operating system logs, Linux operating system logs and database logs, and the inspection should be performed according to the relevant industry standards and specifications. Therefore, in order to address the problem of malicious tampering of the system log by an attacker, a security detection method based on the system log needs to be provided.
As shown in fig. 1, a system log security detection method includes:
step S001, sequentially obtaining the size of each original data block contained in the target log file, and if the sum of the sizes of at least part of sequentially continuous original data blocks is smaller than or equal to a preset capacity threshold value, merging the part of original data blocks into a log sub-file; the log subfiles comprise initial record generation time and cut-off record generation time of each corresponding original data block, the initial record generation time is generation time of first original event record information contained in the corresponding original data block, the cut-off record generation time is generation time of last original event record information contained in the corresponding original data block, and the original event record information is event record information contained in the corresponding original data block;
The system log file consists of a file header and a plurality of data blocks, and each data block holds a plurality of pieces of event record information, that is, the event information generated by the computer system as it runs. The capacity of each data block is fixed: when the previous data block is full and new event record information is generated, a blank data block is created in the system log file and the newly generated event record information is stored in it, and so on, with each new piece of event record information placed sequentially into the current data block.
The method comprises the steps that a data block in a target log file is determined to be an original data block, event record information in the original data block is original event record information, the original data block is provided with corresponding initial record generation time and cut-off record generation time, the initial record generation time is the generation time of first original event record information in the corresponding original data block, the cut-off record generation time is the generation time of current last original event record information in the corresponding original data block, and the initial record generation time and the cut-off record generation time are stored for safety detection of the target log file.
Step S002, copying a plurality of log subfiles contained in the target log file into a preset storage space;
splitting the target log file according to the size of each original data block to obtain a plurality of log subfiles, copying the plurality of log subfiles to a preset storage space according to the sequence in the target log file for backup, wherein the log subfiles in the preset storage space are equivalent to backup files of the target log file, so that when malicious tampering of the target log file is detected later, data comparison and updating are carried out through the log subfiles in the preset storage space, and the purposes of ensuring that user data are not destroyed, realizing normal work of users and avoiding property loss are achieved.
Step S003, if the target log file has a new data block, obtaining the sum of the size of the new data block and the size of the last log sub-file in the preset storage space, and if the sum is smaller than or equal to a preset capacity threshold, copying the new data block into the last log sub-file in the preset storage space; if the data block is larger than the preset capacity threshold, a blank log sub-file is newly built in the preset storage space, and the newly added data block is copied into the blank log sub-file;
New blocks are handled in the same way as the original data blocks: if an original data block is newly added to the target log file, it is determined to be a new data block and has to be copied into the preset storage space for backup. Its size is summed with the storage size of the current last log subfile in the preset storage space; if the sum is smaller than or equal to the preset capacity threshold, the current last log subfile still has storage allowance and the new data block is copied into it, and otherwise a blank log subfile is created in the preset storage space to receive it. Keeping the storage size of each log subfile at or below the preset capacity threshold ensures that, when event record information in the target log file is later searched and updated, the corresponding log subfile can be found quickly through the initial record generation time and cut-off record generation time of each original data block it contains, and that only the log subfile holding the original data block to be updated needs to be rewritten while the other log subfiles are left alone, which shortens the data processing flow.
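Steps S001 to S003 together describe one backup procedure: pack consecutive blocks into subfiles under a capacity threshold, then place each newly added block either into the last subfile or into a fresh one, and use each subfile's time span to find the one subfile that needs updating. The following Python is an added example that is not part of the patent; the `DataBlock` and `LogSubfile` classes, the field names and the sample block sizes and times are constructed for the illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional

# Constructed model of the page's "original data block": only the fields the
# backup procedure needs (size in bytes, initial and cut-off record generation time).
@dataclass
class DataBlock:
    index: int
    size: int
    start_time: datetime  # generation time of the first event record in the block
    end_time: datetime    # generation time of the last event record in the block

@dataclass
class LogSubfile:
    blocks: List[DataBlock] = field(default_factory=list)

    @property
    def size(self) -> int:
        return sum(b.size for b in self.blocks)

    @property
    def start_time(self) -> datetime:
        return self.blocks[0].start_time

    @property
    def end_time(self) -> datetime:
        return self.blocks[-1].end_time

def split_into_subfiles(blocks: List[DataBlock], capacity: int) -> List[LogSubfile]:
    """Step S001: walk the blocks in order and merge consecutive blocks into one
    subfile while their combined size stays within the preset capacity threshold.
    A single block larger than the threshold still gets a subfile of its own."""
    subfiles: List[LogSubfile] = []
    current = LogSubfile()
    for block in blocks:
        if current.blocks and current.size + block.size > capacity:
            subfiles.append(current)
            current = LogSubfile()
        current.blocks.append(block)
    if current.blocks:
        subfiles.append(current)
    return subfiles

def append_new_block(subfiles: List[LogSubfile], block: DataBlock, capacity: int) -> int:
    """Step S003: a newly added block joins the last subfile if it still fits,
    otherwise a blank subfile is created for it. Returns the subfile index used."""
    if subfiles and subfiles[-1].size + block.size <= capacity:
        subfiles[-1].blocks.append(block)
    else:
        subfiles.append(LogSubfile([block]))
    return len(subfiles) - 1

def find_subfile(subfiles: List[LogSubfile], when: datetime) -> Optional[int]:
    """Locate the subfile whose time span covers a record generation time, so a
    later update touches only that subfile (the lookup the page describes)."""
    for i, sf in enumerate(subfiles):
        if sf.start_time <= when <= sf.end_time:
            return i
    return None

# Constructed sample: four 40-byte blocks and a capacity threshold of 100 bytes.
SAMPLE_BLOCKS = [
    DataBlock(0, 40, datetime(2024, 1, 5, 8, 0), datetime(2024, 1, 5, 12, 0)),
    DataBlock(1, 40, datetime(2024, 1, 5, 12, 1), datetime(2024, 1, 5, 18, 0)),
    DataBlock(2, 40, datetime(2024, 1, 6, 9, 0), datetime(2024, 1, 6, 15, 0)),
    DataBlock(3, 40, datetime(2024, 1, 6, 15, 1), datetime(2024, 1, 7, 10, 0)),
]
CAPACITY = 100

def demo() -> dict:
    subfiles = split_into_subfiles(SAMPLE_BLOCKS, CAPACITY)
    layout = [[b.index for b in sf.blocks] for sf in subfiles]
    # 80 + 30 > 100: the new block cannot join the last subfile, so a blank one is opened
    new_idx = append_new_block(subfiles, DataBlock(4, 30, datetime(2024, 1, 8, 8, 0), datetime(2024, 1, 8, 9, 0)), CAPACITY)
    # 30 + 50 <= 100: this block fits into the subfile just created
    fit_idx = append_new_block(subfiles, DataBlock(5, 50, datetime(2024, 1, 8, 9, 1), datetime(2024, 1, 8, 12, 0)), CAPACITY)
    oversized = split_into_subfiles([DataBlock(9, 500, datetime(2024, 1, 9), datetime(2024, 1, 9))], CAPACITY)
    return {
        "layout": layout,                 # [[0, 1], [2, 3]]
        "new_idx": new_idx,               # 2
        "fit_idx": fit_idx,               # 2
        "last_size": subfiles[-1].size,   # 80
        "found": find_subfile(subfiles, datetime(2024, 1, 6, 12, 0)),  # 1
        "missing": find_subfile(subfiles, datetime(2023, 12, 1)),      # None
        "oversized_count": len(oversized),                             # 1
    }

if __name__ == "__main__":
    print(demo())
```

The time-span lookup is what makes the capacity threshold worthwhile: a subfile that is small and contiguous in time can be located and rewritten without touching the rest of the backup.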
Step S100, determining at least one target data block from a plurality of original data blocks contained in the target log file in response to the change of the file checksum in the file header information of the target log file;
Based on the file structure of the Windows system log, the file header and each data block of the system log file each carry a checksum, and if the target log file is modified the file checksum has to be recalculated according to the Windows log file structure; an attacker therefore conceals the key trace of a modified log by also rewriting the checksum in the system log file. Whether the target log file has changed can nevertheless be detected from the file checksum corresponding to its file header information: if that file checksum has changed, the content of the target log file has changed.
When the file checksum corresponding to the file header information of the target log file is changed, determining the target data block from the target log file, wherein the target data block can be determined by the corresponding initial record generation time and cut-off record generation time, and can also be determined according to the determination condition of the user.
Further, in step S100, determining that the file checksum in the header information of the target log file has changed includes:
step S110, acquiring a historical file checksum and a current file checksum of file header information of a target log file every other preset acquisition time;
step S120, if the historical file checksum of the file header information is different from the current file checksum, determining that the file checksum in the file header information of the target log file has changed.
When the target log file generates its file header information, a corresponding file checksum is generated and stored in the computer system. Every preset acquisition time, the historical file checksum and the current file checksum of the target log file are acquired, the historical file checksum being the last stored file checksum of the target log file, and the two are compared: if they are the same, the target log file has not been tampered with; otherwise the target log file has been tampered with, and the target data block is determined.
And after the target log file is subjected to security detection and updated, determining the updated file checksum as the historical file checksum.
In step S120, determining at least one target data block from a plurality of original data blocks included in the target log file includes:
step S121, obtaining a historical data block checksum and a corresponding current data block checksum of each original data block contained in the target log file;
step S122, if the historical data block checksum of the original data block is different from the corresponding current data block checksum, the original data block is determined as the target data block.
After confirming that the target log file has been tampered with, the specific tampered original data blocks and event record information are identified. First, the historical data block checksum and the corresponding current data block checksum of each original data block are acquired: each historical data block checksum is read directly from the computer system, and each current data block checksum is computed from the corresponding original data block of the current target log file. The historical and current checksums of each original data block are then compared. If the two differ, tampered event record information exists among the event record information contained in that original data block, and the block is determined to be a target data block; if the two are the same, no tampered event record information exists in the event record information that the block contains.
Step S200, acquiring current abstract information and historical abstract information of the target event record information; the target event record information is the event record information contained in a target data block;
After the target data block is determined, the tampered target event record information within it is identified next: the historical abstract information of each piece of target event record information stored in the computer system is obtained together with the current abstract information of each piece of target event record information in the current target data block. The current abstract information can be obtained by applying the MD5 message-digest algorithm to the target event record information; the MD5 Message-Digest Algorithm is a cryptographic hash function that produces a 128-bit (16-byte) hash value and is used to verify that information is complete and consistent after transmission.
Step S300, if the current abstract information and the historical abstract information corresponding to any target event record information are different, outputting an alarm prompt;
if the current abstract information and the historical abstract information corresponding to the target event record information are different, the target event record information is tampered, and an alarm prompt is output.
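Steps S100 to S300 form one detection chain: poll the header checksum against the stored one, use per-block checksums to narrow down the target blocks, then compare per-record digests inside those blocks and alarm on any difference. The Python below is an added example, not code from the patent. It assumes a constructed in-memory log model (`LogFile`, `Baseline`, the sample event records) and uses CRC32 for the header and block checksums purely as an illustration, since the page only says that the header and each block carry a checksum; the record digest defaults to MD5 as the page names it, with the algorithm left as a parameter.

```python
import hashlib
import zlib
from dataclasses import dataclass
from typing import Dict, List

# Constructed model of a system log file: a list of data blocks, each holding
# its event records as raw bytes. Checksums are recomputed from content, which
# mirrors an attacker who rewrites the checksum fields after editing a record.
@dataclass
class LogFile:
    blocks: List[List[bytes]]

    def block_checksum(self, i: int) -> int:
        return zlib.crc32(b"".join(self.blocks[i])) & 0xFFFFFFFF

    def header_checksum(self) -> int:
        # Assumption for the illustration: the header checksum covers the block
        # checksums, so a changed block changes the header value as well.
        joined = b"".join(self.block_checksum(i).to_bytes(4, "little")
                          for i in range(len(self.blocks)))
        return zlib.crc32(joined) & 0xFFFFFFFF

def record_digest(record: bytes, algo: str = "md5") -> str:
    # The page names MD5 for the "abstract information"; a deployment can pass
    # "sha256" here instead without changing the comparison logic.
    return hashlib.new(algo, record).hexdigest()

@dataclass
class Baseline:
    """Historical values, kept outside the monitored log (the preset storage space)."""
    header_checksum: int
    block_checksums: List[int]
    record_digests: List[List[str]]

def take_baseline(log: LogFile, algo: str = "md5") -> Baseline:
    return Baseline(
        header_checksum=log.header_checksum(),
        block_checksums=[log.block_checksum(i) for i in range(len(log.blocks))],
        record_digests=[[record_digest(r, algo) for r in blk] for blk in log.blocks],
    )

def detect(log: LogFile, base: Baseline, algo: str = "md5") -> Dict:
    result: Dict = {"header_changed": False, "target_blocks": [], "new_blocks": [],
                    "changed_records": [], "alarm": False}
    # S110/S120: compare the current header checksum with the stored one.
    if log.header_checksum() == base.header_checksum:
        return result
    result["header_changed"] = True
    # S121/S122: blocks whose checksum differs are target blocks. Blocks the
    # baseline never saw are normal log growth (handled by step S003), not tampering.
    for i in range(len(log.blocks)):
        if i >= len(base.block_checksums):
            result["new_blocks"].append(i)
        elif log.block_checksum(i) != base.block_checksums[i]:
            result["target_blocks"].append(i)
    # S200/S300: inside each target block compare per-record digests. Iterating to
    # the longer of the two lists catches a deleted or inserted record, which a
    # plain zip() over the two lists would silently drop.
    for i in result["target_blocks"]:
        hist = base.record_digests[i]
        cur = [record_digest(r, algo) for r in log.blocks[i]]
        for j in range(max(len(hist), len(cur))):
            if j >= len(hist) or j >= len(cur) or hist[j] != cur[j]:
                result["changed_records"].append((i, j))
    result["alarm"] = bool(result["changed_records"])
    return result

# Constructed sample records (event id plus a short description).
SAMPLE_LOG = LogFile(blocks=[
    [b"4624 logon user=alice", b"4672 special privileges user=alice"],
    [b"4688 process cmd.exe", b"4634 logoff user=alice"],
])

def tampered_copy(log: LogFile, block: int, records: List[bytes]) -> LogFile:
    """Copy of the log with one block's record list replaced."""
    blocks = [list(b) for b in log.blocks]
    blocks[block] = list(records)
    return LogFile(blocks)

def demo() -> Dict[str, Dict]:
    base = take_baseline(SAMPLE_LOG)
    edited = tampered_copy(SAMPLE_LOG, 1, [b"4688 process notepad.exe", SAMPLE_LOG.blocks[1][1]])
    deleted = tampered_copy(SAMPLE_LOG, 1, [SAMPLE_LOG.blocks[1][0]])
    appended = LogFile([list(b) for b in SAMPLE_LOG.blocks] + [[b"4624 logon user=bob"]])
    return {
        "clean": detect(SAMPLE_LOG, base),      # no change, no alarm
        "tampered": detect(edited, base),       # target block 1, record (1, 0), alarm
        "deleted": detect(deleted, base),       # record (1, 1) missing, alarm
        "appended": detect(appended, base),     # header changed, new block 2, no alarm
    }

if __name__ == "__main__":
    for name, r in demo().items():
        print(name, r)
```

Two design points follow from the page's own reasoning. The historical values must live outside the log, otherwise an attacker who rewrites the checksum fields also rewrites the reference; and because the per-record digest comparison runs only once the header checksum has changed, a checksum as weak as the CRC32 used in this illustration can be forced back to its old value, so in practice the polling gate should either use a collision-resistant digest or be backed by a periodic full comparison of the record digests.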
Step S400, determining target event record information with difference between current abstract information and historical abstract information as change event record information;
Step S500, updating the log subfile in the preset storage space where the change event record information is located, according to the change event record information.
The user checks the change event record information to determine whether it has been maliciously tampered with. If so, the log subfile where the change event record information is located is found in the preset storage space, the change event record information in the preset storage space is compared with that in the target log file, the malicious operation trace of the attacker is found, and the target log file is modified; correspondingly, the change event record information in the preset storage space is also updated. Because only the log subfile holding the change event record information is updated and the other log subfiles in the preset storage space are left unmodified, the data processing flow is simplified, computing power is saved, and the user's operation is made easier.
Unlike current log tamper-proof means, which use a file-system filter driver in the kernel to monitor the system security log in real time and intercept modifications to it, the method starts from protecting the integrity of the log. Data integrity is one of the three basic pillars of information security: it ensures that information or data is not tampered with by unauthorised parties during transmission and storage, or that such tampering can be discovered quickly. In the field of information security it is often confused with confidentiality. Digital signatures, hash functions and the like are typically used to ensure data integrity. Normally the checksum in the log file is a fixed field, and in advanced threat activity an attacker completes the modification of the system log by modifying the log checksum field, without clearing the log and thereby generating an alarm. According to the invention, building on the Windows checksum, whether the checksum in an original data block has changed is checked by polling; once the checksum changes, the log is suspected of having been tampered with, and by further computing and comparing the current abstract information of the event record information, the tampering of the target log file can be discovered at the first opportunity and an alarm generated in time.
Further, in order to let the target data block be narrowed down by a condition set by the user (for example, whether the target data block is a newly added data block), to guarantee the security detection of the target log file, and at the same time to shorten the security detection flow and the security detection time, a second embodiment of the present invention is proposed. In the second embodiment, step S200 and step S300 of the first embodiment are replaced by the following steps:
Step S210, if the interval between the initial record generation time of an original data block and the cut-off record generation time of the target data block lies within a preset interval period, determining that original data block to be a first data block;
wherein the preset interval period is determined as follows:
Step S211, if the cut-off record generation time of the target data block falls within a preset first period, taking the sum of a first preset duration counted back from the cut-off record generation time of the target data block and a preset time difference as the preset interval period;
Step S212, if the cut-off record generation time of the target data block falls within a preset second period, taking the sum of a second preset duration counted back from the cut-off record generation time of the target data block and the preset time difference as the preset interval period.
The preset first period may be the first working day of the week, for example every Monday. Because an attacker generally intrudes and tampers while the user's computer is not in use, the original data blocks covering the user's rest days need to be acquired; and because countries around the world lie in different time zones, the preset time difference is added to the determined first preset duration to form the preset interval period, so that the acquired original data blocks are more accurate. The first preset duration may be two natural days, i.e. counting back two days from Monday, to which the preset time difference is added; the preset time difference may be the largest time difference in the world or a time difference set by the user.
The preset second period may be a working day other than the first working day of the week, for example Tuesday through Friday. Because the user's computer was also in use on the day before the preset second period, only the original data blocks of the previous day need to be acquired, i.e. the second preset duration is one natural day.
Step S220, hashing the first event record information (the "encrypting" of the claims) to obtain the corresponding current first event summary information; the first event record information is the event record information contained in the first data block;
Step S230, acquiring the historical first event summary information of the first event record information;
Step S310, if the current first event summary information and the historical first event summary information of any first event record information differ, outputting an alarm prompt; otherwise, determining every original data block in the target log file that is not a first data block to be a second data block;
Step S320, hashing the second data block to obtain the corresponding current second data block summary information;
Step S330, acquiring the historical second data block summary information of the second data block;
Step S340, if the current second data block summary information and the historical second data block summary information of any second data block differ, hashing each piece of second event record information contained in that second data block to obtain the corresponding current second event summary information;
Step S350, acquiring the historical second event summary information of each piece of second event record information contained in a second data block whose current second data block summary information differs from its historical second data block summary information;
Step S360, if the current second event summary information and the historical second event summary information of any second event record information differ, outputting an alarm prompt.
In the second embodiment, summary information is first compared for the first event record information in the first data blocks. If the current first event summary information and the historical first event summary information of any first event record information differ, tampered first event record information exists in the first data block and an alarm is raised. Otherwise the first event record information in the first data blocks has not been tampered with, and detection continues with the current second data block summary information and the historical second data block summary information of the second data blocks: if they differ, the corresponding second data block contains tampered event record information, the tampered records are pinpointed by comparing the current and historical second event summary information, and an alarm is raised. Per-record comparison is thus confined to the first data blocks and to those second data blocks whose block-level summary has changed, which is what shortens the detection flow.
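The two-stage check of steps S210 to S360, including the preset interval period of steps S211 and S212, as an added worked example in Python. This is an illustration written for this page, not code from the patent or from Antiy, and it fixes several points the description leaves open: CRC32 over the content stands in for the checksums Windows keeps in the log file header and in each data block, SHA-256 over a record's generation time and body is the summary function, the header checksum is modelled as covering every block checksum, Monday is the preset first period and every other weekday the preset second period, the preset time difference is given in hours, and when several target data blocks exist the latest cut-off record generation time anchors the interval period. The records are constructed sample data. The front half of `detect` is the first-embodiment flow of claims 1 to 3 (polled file checksum, then block checksums to pick the target data blocks); the back half is the tiered comparison of this embodiment.

```python
import hashlib
import zlib
from datetime import datetime, timedelta

# A record is (generation_time, payload); a block is an ordered list of records;
# a log is a list of blocks. Constructed sample data, not a real log file format.
MONDAY = 0  # datetime.weekday() value of the first working day


def block_checksum(block):
    # CRC32 over the block content stands in for the checksum field kept per block.
    return zlib.crc32(b"".join(t.isoformat().encode() + b"|" + p for t, p in block))


def header_checksum(log):
    # Assumption: the file checksum in the header covers every block checksum,
    # so an edit inside any block also moves the polled header checksum.
    return zlib.crc32(b"".join(block_checksum(b).to_bytes(4, "little") for b in log))


def record_digest(rec):
    t, payload = rec
    return hashlib.sha256(t.isoformat().encode() + b"|" + payload).hexdigest()


def block_digest(block):
    return hashlib.sha256("".join(record_digest(r) for r in block).encode()).hexdigest()


def snapshot(log):
    """Historical checksums and summary information, taken while the log is trusted."""
    return {"header": header_checksum(log),
            "blocks": [block_checksum(b) for b in log],
            "block_digests": [block_digest(b) for b in log],
            "record_digests": [[record_digest(r) for r in b] for b in log]}


def preset_interval(cutoff, time_diff_hours):
    """Steps S211/S212: two natural days back when the cut-off record time falls on the
    first working day, one natural day otherwise, plus the time-zone allowance."""
    return timedelta(days=2 if cutoff.weekday() == MONDAY else 1, hours=time_diff_hours)


def changed_records(block, historical):
    """Positions whose current record digest differs from the historical one."""
    return [j for j, r in enumerate(block) if record_digest(r) != historical[j]]


def detect(log, baseline, time_diff_hours):
    """One polling round; returns (stage, block_index, record_index) per tampered record."""
    if header_checksum(log) == baseline["header"]:
        return []  # file checksum unchanged: nothing to examine this round
    original = range(len(baseline["blocks"]))  # blocks that existed at snapshot time
    targets = [i for i in original if block_checksum(log[i]) != baseline["blocks"][i]]
    if not targets:
        return []  # only appended blocks moved the header checksum
    # Assumption: with several target blocks, the latest cut-off record time anchors the window.
    cutoff = max(log[i][-1][0] for i in targets)
    window_start = cutoff - preset_interval(cutoff, time_diff_hours)
    # Step S210: first data blocks are those whose initial record time lies in the window.
    first = [i for i in original if window_start <= log[i][0][0] <= cutoff]
    # Stage 1 (S220-S310): per-record summary comparison for the first data blocks only.
    alarms = [(1, i, j) for i in first for j in changed_records(log[i], baseline["record_digests"][i])]
    if alarms:
        return alarms
    # Stage 2 (S320-S360): block-level summaries of the second data blocks, then the
    # records of only those blocks whose block summary has moved.
    for i in original:
        if i in first or block_digest(log[i]) == baseline["block_digests"][i]:
            continue
        alarms += [(2, i, j) for j in changed_records(log[i], baseline["record_digests"][i])]
    return alarms


def sample_log():
    """Constructed sample: a Thursday-to-Friday block, a weekend block and a Monday block."""
    t = datetime
    return [[(t(2024, 5, 9, 9, 0), b"logon alice"), (t(2024, 5, 10, 17, 0), b"logoff alice")],
            [(t(2024, 5, 11, 3, 0), b"service start"), (t(2024, 5, 12, 2, 0), b"service stop")],
            [(t(2024, 5, 13, 8, 0), b"logon bob"), (t(2024, 5, 13, 8, 30), b"privilege use")]]


def tamper(log, block_index, record_index, payload):
    """Attacker rewrites one record body in place. Checksums here derive from content,
    which models an attacker who also patches the checksum field to match the new bytes."""
    t, _ = log[block_index][record_index]
    log[block_index][record_index] = (t, payload)


if __name__ == "__main__":
    log, baseline = sample_log(), snapshot(sample_log())
    tamper(log, 2, 1, b"privilege use (edited)")
    print(detect(log, baseline, time_diff_hours=12))  # [(1, 2, 1)]
```

Run as a script it rewrites one Monday record and reports it at stage 1: the Monday cut-off time selects a two-day window plus the 12-hour allowance, the weekend and Monday blocks fall inside it, and only their records are hashed. Rewriting a record in the Thursday-to-Friday block instead, whose initial record time falls outside the one-day window of a Friday cut-off, is caught only at stage 2 after that block's digest moves. One caveat worth keeping in mind: the trigger of claim 2 is a difference between the stored checksum field and its own historical value, so an attacker who edits record bytes but leaves the stored checksum untouched never changes the polled value and the digest comparison is never reached; verifying the stored checksum against the block content as well closes that gap.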
The invention thus determines whether the target log file has been modified by detecting whether the file checksum in the file header information of the target log file has changed, and then, by comparing whether the current summary information and the historical summary information of the target event record information differ, identifies exactly which target event record information in the target log file was modified.
A system log security detection device 100, as shown in fig. 2, includes:
a response module 110, configured to determine at least one target data block from a plurality of original data blocks contained in the target log file in response to a change in the file checksum in the file header information of the target log file;
an acquisition module 120, configured to acquire the current summary information and the historical summary information of the target event record information; the target event record information is the event record information contained in the target data block;
a comparison module 130, configured to output an alarm prompt when the current summary information and the historical summary information corresponding to any target event record information differ.
Embodiments of the present invention also provide a computer program product comprising program code for causing an electronic device to carry out the steps of the method according to the various exemplary embodiments of the invention as described in the specification, when said program product is run on the electronic device.
Furthermore, although the steps of the methods in the present disclosure are depicted in a particular order in the drawings, this does not require or imply that the steps must be performed in that particular order or that all illustrated steps be performed in order to achieve desirable results. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step to perform, and/or one step decomposed into multiple steps to perform, etc.
From the above description of embodiments, those skilled in the art will readily appreciate that the example embodiments described herein may be implemented in software, or may be implemented in software in combination with the necessary hardware. Thus, the technical solution according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (may be a CD-ROM, a U-disk, a mobile hard disk, etc.) or on a network, including several instructions to cause a computing device (may be a personal computer, a server, a mobile terminal, or a network device, etc.) to perform the method according to the embodiments of the present disclosure.
In an exemplary embodiment of the present disclosure, an electronic device capable of implementing the above method is also provided.
Those skilled in the art will appreciate that the various aspects of the invention may be implemented as a system, method, or program product. Accordingly, aspects of the invention may be embodied in the following forms, namely: an entirely hardware embodiment, an entirely software embodiment (including firmware, micro-code, etc.) or an embodiment combining hardware and software aspects, which may be referred to herein as a "circuit", "module" or "system".
An electronic device according to this embodiment of the invention is described below. The electronic device is merely an example and should not impose any limitation on the functionality or scope of use of embodiments of the present invention.
The electronic device is in the form of a general purpose computing device. Components of an electronic device may include, but are not limited to: the at least one processor, the at least one memory, and a bus connecting the various system components, including the memory and the processor.
Wherein the memory stores program code that is executable by the processor to cause the processor to perform steps according to various exemplary embodiments of the invention described in the "exemplary methods" section of this specification.
The storage may include readable media in the form of volatile storage, such as Random Access Memory (RAM) and/or cache memory, and may further include Read Only Memory (ROM).
The storage may also include a program/utility having a set (at least one) of program modules including, but not limited to: an operating system, one or more application programs, other program modules, and program data, each or some combination of which may include an implementation of a network environment.
The bus may be one or more of several types of bus structures including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, a processor, or a local bus using any of a variety of bus architectures.
The electronic device may also communicate with one or more external devices (e.g., keyboard, pointing device, bluetooth device, etc.), with one or more devices that enable a user to interact with the electronic device, and/or with any device (e.g., router, modem, etc.) that enables the electronic device to communicate with one or more other computing devices. Such communication may be through an input/output (I/O) interface. And, the electronic device may also communicate with one or more networks such as a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network, such as the Internet, through a network adapter. As shown, the network adapter communicates with other modules of the electronic device over a bus. It should be appreciated that although not shown, other hardware and/or software modules may be used in connection with an electronic device, including but not limited to: microcode, device drivers, redundant processors, external disk drive arrays, RAID systems, tape drives, data backup storage systems, and the like.
From the above description of embodiments, those skilled in the art will readily appreciate that the example embodiments described herein may be implemented in software, or may be implemented in software in combination with the necessary hardware. Thus, the technical solution according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (may be a CD-ROM, a U-disk, a mobile hard disk, etc.) or on a network, including several instructions to cause a computing device (may be a personal computer, a server, a terminal device, or a network device, etc.) to perform the method according to the embodiments of the present disclosure.
In an exemplary embodiment of the present disclosure, a computer-readable storage medium having stored thereon a program product capable of implementing the method described above in the present specification is also provided. In some possible embodiments, the various aspects of the invention may also be implemented in the form of a program product comprising program code for causing a terminal device to carry out the steps according to the various exemplary embodiments of the invention as described in the "exemplary methods" section of this specification, when said program product is run on the terminal device.
The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. The readable storage medium can be, for example, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium would include the following: an electrical connection having one or more wires, a portable disk, a hard disk, Random Access Memory (RAM), Read-Only Memory (ROM), Erasable Programmable Read-Only Memory (EPROM or flash memory), optical fiber, portable Compact Disk Read-Only Memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
The computer readable signal medium may include a data signal propagated in baseband or as part of a carrier wave with readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A readable signal medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out operations of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of remote computing devices, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., connected via the Internet using an Internet service provider).
Furthermore, the above-described drawings are only schematic illustrations of processes included in the method according to the exemplary embodiment of the present invention, and are not intended to be limiting. It will be readily appreciated that the processes shown in the above figures do not indicate or limit the temporal order of these processes. In addition, it is also readily understood that these processes may be performed synchronously or asynchronously, for example, among a plurality of modules.
It should be noted that although in the above detailed description several modules or units of a device for action execution are mentioned, such a division is not mandatory. Indeed, the features and functionality of two or more modules or units described above may be embodied in one module or unit in accordance with embodiments of the present disclosure. Conversely, the features and functions of one module or unit described above may be further divided into a plurality of modules or units to be embodied.
The foregoing is merely illustrative of the present invention, and the present invention is not limited thereto, and any changes or substitutions easily contemplated by those skilled in the art within the scope of the present invention should be included in the present invention. Therefore, the protection scope of the invention is subject to the protection scope of the claims.

Claims (10)

1. A system log security detection method, comprising:
determining at least one target data block from a plurality of original data blocks contained in a target log file in response to a change in a file checksum in file header information of the target log file;
acquiring current summary information and historical summary information of target event record information; the target event record information is event record information contained in the target data block;
and if the current summary information and the historical summary information corresponding to any target event record information differ, outputting an alarm prompt.
2. The method of claim 1, wherein determining that the file checksum within the file header information of the target log file has changed comprises:
acquiring a historical file checksum and a current file checksum of the file header information of the target log file at every preset acquisition interval;
and if the historical file checksum of the file header information differs from the current file checksum, determining that the file checksum in the file header information of the target log file has changed.
3. The method according to claim 2, wherein said determining at least one target data block from a number of original data blocks contained in said target log file comprises:
acquiring a historical data block checksum and a corresponding current data block checksum of each original data block contained in the target log file;
and if the historical data block checksum of the original data block is different from the corresponding current data block checksum, determining the original data block as a target data block.
4. The method of claim 1, wherein before determining at least one target data block from a number of original data blocks contained in a target log file in response to a change in a file checksum within file header information of the target log file, the method further comprises:
sequentially obtaining the size of each original data block contained in the target log file, and if the sum of the sizes of at least part of sequentially continuous original data blocks is smaller than or equal to a preset capacity threshold value, merging the part of original data blocks into a log subfile; the log subfile comprises a start record generation time and a stop record generation time of each corresponding original data block, wherein the start record generation time is a generation time of first original event record information contained in the corresponding original data block, the stop record generation time is a generation time of last original event record information contained in the corresponding original data block, and the original event record information is event record information contained in the corresponding original data block;
copying a plurality of log subfiles contained in the target log file into a preset storage space;
if the target log file has a new data block, acquiring the sum of the size of the new data block and the size of the last log subfile in the preset storage space; if the sum is smaller than or equal to the preset capacity threshold value, copying the new data block into the last log subfile in the preset storage space; and if the sum is larger than the preset capacity threshold value, creating a blank log subfile in the preset storage space and copying the new data block into the blank log subfile.
5. The method of claim 4, wherein after outputting the alarm prompt if the current summary information and the historical summary information corresponding to any of the target event record information differ, the method further comprises:
determining the target event record information whose current summary information and historical summary information differ as change event record information;
and updating the log subfile in which the change event record information is located in the preset storage space according to the change event record information.
6. The method of claim 5, wherein the obtaining current summary information and historical summary information of the target event record information comprises:
if the initial record generation time of an original data block and the cut-off record generation time of the target data block lie within a preset interval period, determining the original data block as a first data block;
encrypting the first event record information to obtain corresponding current first event summary information; the first event record information is event record information contained in the first data block;
acquiring historical first event summary information of the first event record information;
and wherein said outputting an alarm prompt if the current summary information and the historical summary information corresponding to any target event record information differ comprises:
if the current first event summary information and the historical first event summary information of any first event record information differ, outputting an alarm prompt; otherwise, determining each original data block in the target log file that does not belong to the first data blocks as a second data block;
encrypting the second data block to obtain corresponding current second data block summary information;
acquiring historical second data block summary information of the second data block;
if the current second data block summary information and the historical second data block summary information of any second data block differ, encrypting a plurality of pieces of second event record information contained in that second data block to obtain corresponding current second event summary information;
acquiring historical second event summary information of the plurality of second event record information contained in a second data block whose current second data block summary information differs from its historical second data block summary information;
and if the current second event summary information and the historical second event summary information of any second event record information differ, outputting an alarm prompt.
7. The method of claim 6, wherein the preset interval period is determined by:
if the cut-off record generating time of the target data block belongs to a preset first period, determining the sum of a first preset duration and a preset time difference before the cut-off record generating time of the target data block as a preset interval period;
if the cut-off record generating time of the target data block belongs to a preset second period, determining the sum of a second preset time length before the cut-off record generating time of the target data block and a preset time difference as a preset interval period.
8. A system log security detection device, comprising:
the response module is used for determining at least one target data block from a plurality of original data blocks contained in the target log file in response to the change of the file checksum in the file header information of the target log file;
the acquisition module is used for acquiring current summary information and historical summary information of the target event record information; the target event record information is event record information contained in a target data block;
and the comparison module is used for outputting an alarm prompt when the current summary information and the historical summary information corresponding to any target event record information differ.
9. A non-transitory computer readable storage medium having stored therein at least one instruction or at least one program, wherein the at least one instruction or the at least one program is loaded and executed by a processor to implement the method of any one of claims 1-7.
10. An electronic device comprising a processor and the non-transitory computer readable storage medium of claim 9.
CN202310546715.6A 2023-05-16 2023-05-16 System log security detection method and device, electronic equipment and storage medium Pending CN116305290A (en)


Publications (1)

Publication Number Publication Date
CN116305290A true CN116305290A (en) 2023-06-23

Family

ID=86794435


Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE10248542A1 (en) * 2002-10-14 2004-04-22 Deutsche Telekom Ag Protecting log files involves data processing system security module providing information for each entry in log file, whereby each entry has associated function value, especially digital signature
CN1549135A (en) * 2003-05-12 2004-11-24 四川大学 Digital watermark journal structural method
US20080189498A1 (en) * 2007-02-06 2008-08-07 Vision Solutions, Inc. Method for auditing data integrity in a high availability database
JP2009199470A (en) * 2008-02-22 2009-09-03 Nec Corp Data change detection apparatus, data change detection method and program
US20150188715A1 (en) * 2013-12-30 2015-07-02 Palantir Technologies, Inc. Verifiable redactable audit log
CN107609874A (en) * 2017-10-09 2018-01-19 恒宝股份有限公司 A kind of transaction log data verification method and checking system

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117472868A (en) * 2023-09-18 2024-01-30 北京景安云信科技有限公司 Method for realizing log integrity assurance based on HMAC algorithm
CN117472868B (en) * 2023-09-18 2024-04-19 北京景安云信科技有限公司 Method for realizing log integrity assurance based on HMAC algorithm
CN117150575A (en) * 2023-10-30 2023-12-01 西安热工研究院有限公司 Method, system, equipment and medium for preventing manipulation of operation log of trusted industrial control system
CN117150575B (en) * 2023-10-30 2024-02-23 西安热工研究院有限公司 Method, system, equipment and medium for preventing manipulation of operation log of trusted industrial control system


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination