CN116561827A - Security audit system and method based on hard disk and system log - Google Patents


Info

Publication number
CN116561827A
Authority
CN
China
Prior art keywords
module
audit
hard disk
information
security audit
Legal status
Pending
Application number
CN202310495476.6A
Other languages
Chinese (zh)
Inventor
赵永平
赵晶晶
苏天宇
文梁
李曼丽
周乐
李涛
李梦
李凯
张旭明
徐佳佳
韩兴龙
原奕
仇玉雪
曹志杰
Current Assignee
Beijing Institute of Spacecraft Environment Engineering
Original Assignee
Beijing Institute of Spacecraft Environment Engineering
Priority date
2023-05-05
Filing date
2023-05-05
Publication date
2023-08-08
Application filed by Beijing Institute of Spacecraft Environment Engineering
Priority to CN202310495476.6A
Publication of CN116561827A
Legal status: Pending

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/70: Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F 21/78: Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure storage of data
    • G06F 21/80: Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure storage of data in storage media based on magnetic or optical technology, e.g. disks with sectors
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F 11/00: Error detection; Error correction; Monitoring
    • G06F 11/30: Monitoring
    • G06F 11/3003: Monitoring arrangements specially adapted to the computing system or computing system component being monitored
    • G06F 11/3037: Monitoring arrangements specially adapted to the computing system or computing system component being monitored, where the computing system component is a memory, e.g. virtual memory, cache
    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D 10/00: Energy efficient computing, e.g. low power processors, power management or thermal management

Abstract

The invention discloses a security audit system and a security audit method based on a hard disk and a system log. The security audit system comprises an information acquisition subsystem and a security audit subsystem. The information acquisition subsystem comprises a starting monitoring module, an information acquisition module and a storage encryption module; the security audit subsystem comprises a data storage module, a rule management module, a security audit module and an interface UI module. After the operating system has started, the starting monitoring module analyses and monitors in real time whether the startup process has completed and then sends an information acquisition instruction to the information acquisition module; on receiving that instruction, the information acquisition module reads and acquires the SMART data of the hard disk and the startup and shutdown log information of the operating system. The system is suitable for Windows and Linux operating systems, obtains hard disk access and use data by means of an audit method, locates risks and protects system security.

Description

Security audit system and method based on hard disk and system log
Technical Field
The invention relates to the technical field of information security, in particular to a security audit system and method based on a hard disk and a system log.
Background
Computer system security auditing is the process of discovering system vulnerabilities and intrusion behaviour by using information in the operating system such as security logs, program logs, system users, network monitoring and network shares, and by checking, examining and verifying the environment and activities of operational events against a defined security policy. The hard disk is the key hardware device on which a computer stores data and the physical medium that carries user data information, so access to and use of the hard disk are important subjects of security audit.
With the rapid development of information technology, attack techniques that steal computer data by bypassing the operating system have kept appearing: software methods that temporarily remove the computer's hard disk, copy it off-site and then reinstall it, or that boot the machine through Windows PE (Windows Preinstallation Environment) and export the data after the system starts. Such methods bypass existing security audit means that rely solely on the operating system, and leave no trace of the theft in the operating system, so the conventional audit software running inside the system cannot discover or audit them; after-the-fact analysis and audit means aimed at such behaviour are what is needed to locate the risk and protect system security.
Disclosure of Invention
The invention aims to solve the above problems by providing a security audit system and a security audit method based on a hard disk and a system log.
In order to achieve the above purpose, the present invention adopts the following technical scheme:
the security audit system based on the hard disk and the system log comprises an information acquisition subsystem and a security audit subsystem, wherein the information acquisition subsystem comprises a starting monitoring module, an information acquisition module and a storage encryption module, and the security audit subsystem comprises a data storage module, a rule management module, a security audit module and an interface UI module.
Preferably, the starting monitoring module is used for analysing and monitoring in real time whether the startup process of the operating system has completed after the operating system is started, and for sending an information acquisition instruction to the information acquisition module.
Preferably, the information acquisition module reads and acquires the hard disk SMART data information and the operating system startup and shutdown log information after receiving the information acquisition instruction from the starting monitoring module once the operating system has started.
Preferably, the storage encryption module formats the hard disk SMART data information and the operating system log information acquired by the information acquisition module into a source data packet, encrypts and stores the source data packet using an asymmetric encryption algorithm, and sends an audit instruction to the security audit subsystem.
Preferably, the rule management module is used for configuring and managing audit rules and for providing the matching algorithm used in audit determination, and the security audit module reads the hard disk and log source data packet stored by the information acquisition subsystem and invokes the matching algorithm of the audit rules to carry out the audit determination.
Preferably, the data storage module is responsible for persistent storage of the system source data packets and the audit results, and the interface UI module is used for implementing the system's man-machine interaction interface.
Preferably, the auditing method of the security audit system comprises the following steps:
s1, continuously monitoring the operating system start-completion state event in real time, and entering the data information acquisition step once the operating system has started;
s2, completing acquisition of the source data, comprising hard disk SMART data information and operating system log information;
s3, completing the formatting of the collected hard disk SMART data information and operating system log information into source data, encrypting and storing it, and entering the audit data analysis pre-processing step;
s4, retrieving the stored previous source data packet and the newly acquired source data packet, and carrying out data analysis and the data format pre-processing required by the audit rules;
s5, calling the matching algorithm in the audit rule to analyse and compare the two source data packets, and evaluating the difference between them according to the rule to classify the interval as a risk violation event or a safety compliance event;
s6, after the audit operation has finished, displaying a risk violation alarm notification through the interface UI module if a risk violation event was determined, and issuing no alarm notification if a safety compliance event was determined;
s7, recording and storing the audit result data; only the audit result data is stored in this step.
Preferably, the determination method in step S5 is as follows:
according to the hard disk SMART information and the operating system log information in the previous and current source data packets, namely the number of disk power-on cycles of the hard disk, the accumulated change in power-on time, and the change in system startup, shutdown, restart and logoff events in the operating system log, a packet pair that hits an audit violation rule is determined to be a risk violation event, and one that misses is determined to be a safety compliance event.
In summary, due to the adoption of the technical scheme, the beneficial effects of the invention are as follows:
1. the security audit system based on the hard disk and the system log comprises an information acquisition subsystem and a security audit subsystem, wherein the information acquisition subsystem comprises a starting monitoring module, an information acquisition module and a storage encryption module, and the security audit subsystem comprises a data storage module, a rule management module, a security audit module and an interface UI module; it is suitable for Windows and Linux operating systems, obtains hard disk access and use data by means of an audit method, locates risks and protects system security.
Drawings
FIG. 1 shows a schematic block diagram of a security audit system based on a hard disk and a system log according to an embodiment of the present invention;
fig. 2 shows a flowchart of a security audit method according to an embodiment of the present invention.
Legend description:
101. starting monitoring module; 102. information acquisition module; 103. storage encryption module; 104. data storage module; 105. rule management module; 106. security audit module; 107. interface UI module.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Referring to fig. 1-2, the present invention provides the following technical solution:
the security audit system based on the hard disk and the system log comprises an information acquisition subsystem and a security audit subsystem, wherein the information acquisition subsystem comprises a starting monitoring module 101, an information acquisition module 102 and a storage encryption module 103, and the security audit subsystem comprises a data storage module 104, a rule management module 105, a security audit module 106 and an interface UI module 107; the starting monitoring module 101 is used for analysing and monitoring in real time whether the startup process of the operating system has completed after the operating system is started, and for sending an information acquisition instruction to the information acquisition module 102; the information acquisition module 102 reads and acquires the hard disk SMART data information and the operating system startup and shutdown log information once the operating system has started and the information acquisition instruction from the starting monitoring module 101 has been received.
Specifically, as shown in fig. 1 and fig. 2, the storage encryption module 103 formats the hard disk SMART (Self-Monitoring, Analysis and Reporting Technology) data information and the operating system log information acquired by the information acquisition module 102 into a source data packet, encrypts and stores the source data packet using an asymmetric encryption algorithm, and sends an audit instruction to the security audit subsystem; the rule management module 105 is used for configuring and managing audit rules and for providing the matching algorithm used in audit determination; the security audit module 106 is responsible for reading the hard disk and log source data packet stored by the information acquisition subsystem, calling the matching algorithm of the audit rules to carry out the audit determination, and classifying the conclusion as a risk violation event or a security compliance event; the data storage module 104 is responsible for persistent storage of the system source data packets and the audit results and provides read and write interfaces to each module; the interface UI module 107 is used for implementing the system's man-machine interaction interface and is responsible for the alarm notification display of the audit results.
Specifically, as shown in fig. 1 and fig. 2, the auditing method of the security audit system includes the following steps:
s1, continuously monitoring the operating system start-completion state event in real time, and entering the data information acquisition step once the operating system has started;
s2, completing acquisition of the source data, comprising hard disk SMART data information and operating system log information;
s3, completing the formatting of the collected hard disk SMART data information and operating system log information into source data, encrypting and storing it, and entering the audit data analysis pre-processing step;
s4, retrieving the stored previous source data packet and the newly acquired source data packet, and carrying out data analysis and the data format pre-processing required by the audit rules;
s5, calling the matching algorithm in the audit rule to analyse and compare the two source data packets, and evaluating the difference between them according to the rule to classify the interval as a risk violation event or a safety compliance event;
s6, after the audit operation has finished, displaying a risk violation alarm notification through the interface UI module 107 if a risk violation event was determined, and issuing no alarm notification if a safety compliance event was determined;
s7, recording and storing the audit result data; only the audit result data is stored in this step.
The hard disk SMART data information collected in step S2 includes, but is not limited to, the number of disk power-on cycles, the accumulated disk power-on time, the disk serial number, the disk model and the disk firmware version; the collected operating system log information includes, but is not limited to, the system startup event log, the shutdown event log, the restart event log and the logoff event log.
The previous source data packet retrieved in step S4 is the source data packet of the last completed audit stored in the security audit system; the newly collected source data packet is the one collected and stored during the audit operation currently in progress.
The determination method in step S5 is as follows:
the data of the same hard disk, identified by matching disk serial number, disk model and disk firmware version in the previous and current source data packets, are analysed. The analysed data comprise the hard disk SMART information and the operating system log information, namely the disk power-on count of the hard disk, the accumulated change in power-on time, and the change in system startup, shutdown, restart and logoff events in the operating system log;
according to the change information so obtained, the audit determination algorithm rule configured in the security audit system is applied for analysis and determination. If the usage trace on the hard disk and the usage trace in the operating system do not match, the audit violation rule is hit and illegal use is determined, i.e. a risk violation event is found; if no risk violation event is found, normal use is determined, i.e. a safety compliance event.
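The step S5 comparison carried through in code, as an added example that is not part of the patent or its applicant's implementation: two source data packets for the same disk are diffed and the interval is flagged when the disk reports power cycles or power-on hours that the operating system log cannot explain. The packet field names, the one-hour tolerance, the assumption that a startup directly after a restart is a warm reboot, and the sample packets are all assumptions of this example.

```python
"""Added example, not code from the patent or its applicant: the step S5
comparison for one disk.  Two source data packets (SMART counters plus the OS
startup/shutdown/restart/logoff log) are diffed, and the interval is a risk
violation when the disk shows power cycles or power-on hours that the OS log
cannot account for.  Field names, the one-hour tolerance and the sample
packets are assumptions of this example."""
from dataclasses import dataclass

@dataclass(frozen=True)
class OsEvent:
    time: float   # hours on one common clock; events are listed in log order
    kind: str     # "startup", "shutdown", "restart" or "logoff"

@dataclass(frozen=True)
class SourcePacket:
    collected_at: float      # when this packet was gathered (just after boot)
    serial: str              # identity fields used to pair the two packets
    model: str
    firmware: str
    power_cycle_count: int   # SMART attribute 12 (Power Cycle Count)
    power_on_hours: int      # SMART attribute 9 (Power-On Hours)
    os_events: tuple         # cumulative OS event log up to collected_at

HOURS_TOLERANCE = 1.0  # assumed slack for firmware time before the OS log starts

def expected_power_cycles(events, t_start, t_end):
    """Disk power-ons the OS log explains in (t_start, t_end]: each startup
    counts once, except one directly after a restart (assumed warm reboot,
    the drive stays powered)."""
    cycles = 0
    for i, e in enumerate(events):
        if (t_start < e.time <= t_end and e.kind == "startup"
                and (i == 0 or events[i - 1].kind != "restart")):
            cycles += 1
    return cycles

def os_running_hours(events, t_start, t_end):
    """Hours the OS log accounts for as running in (t_start, t_end]."""
    before = [e for e in events if e.time <= t_start]
    session = t_start if before and before[-1].kind == "startup" else None
    hours = 0.0
    for e in events:
        if not (t_start < e.time <= t_end):
            continue
        if e.kind == "startup":
            session = e.time
        elif e.kind in ("shutdown", "restart") and session is not None:
            hours += e.time - session
            session = None
    if session is not None:          # still running when the packet was taken
        hours += t_end - session
    return hours

def audit(prev, cur):
    """Return ("risk_violation", reasons) or ("safety_compliance", ())."""
    if (prev.serial, prev.model, prev.firmware) != (cur.serial, cur.model, cur.firmware):
        return "risk_violation", ("disk identity changed since last audit",)
    reasons = []
    d_cycles = cur.power_cycle_count - prev.power_cycle_count
    d_hours = cur.power_on_hours - prev.power_on_hours
    if d_cycles < 0 or d_hours < 0:
        reasons.append("SMART counters decreased: stored packet is not trustworthy")
    t0, t1 = prev.collected_at, cur.collected_at
    unexplained = d_cycles - expected_power_cycles(cur.os_events, t0, t1)
    if unexplained > 0:
        reasons.append(f"{unexplained} disk power-on(s) with no matching OS startup")
    extra = d_hours - os_running_hours(cur.os_events, t0, t1)
    if extra > HOURS_TOLERANCE:
        reasons.append(f"{extra:.1f} h of disk power-on time not covered by the OS log")
    return ("risk_violation" if reasons else "safety_compliance"), tuple(reasons)

# Constructed sample log of one machine; the startup at 1015 follows a restart
EVENTS = tuple(OsEvent(t, k) for t, k in [
    (990, "startup"), (1002, "shutdown"), (1010, "startup"), (1015, "restart"),
    (1015, "startup"), (1020, "shutdown"), (1028, "startup")])
PREVIOUS = SourcePacket(1000, "SN-EXAMPLE", "MODEL-X", "FW1", 50, 800, EVENTS[:1])
# the disk saw 3 power cycles / 20 h, but the OS log explains only 2 / 14 h
CURRENT_BAD = SourcePacket(1030, "SN-EXAMPLE", "MODEL-X", "FW1", 53, 820, EVENTS)
CURRENT_OK = SourcePacket(1030, "SN-EXAMPLE", "MODEL-X", "FW1", 52, 814, EVENTS)
```

`audit(PREVIOUS, CURRENT_BAD)` yields a risk violation with one unexplained power-on and 6 h of unexplained disk time, the signature of a disk that was powered outside the audited operating system; `audit(PREVIOUS, CURRENT_OK)` yields a safety compliance event.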
The previous description of the embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (8)

1. The security audit system based on the hard disk and the system log is characterized by comprising an information acquisition subsystem and a security audit subsystem, wherein the information acquisition subsystem comprises a starting monitoring module (101), an information acquisition module (102) and a storage encryption module (103), and the security audit subsystem comprises a data storage module (104), a rule management module (105), a security audit module (106) and an interface UI module (107).
2. The security audit system based on hard disk and system log according to claim 1, wherein the starting monitoring module (101) is configured to analyse and monitor in real time whether the startup process of the operating system has completed after the operating system is started, and to send an information acquisition instruction to the information acquisition module (102).
3. The security audit system based on hard disk and system log according to claim 2, wherein the information acquisition module (102) reads and acquires hard disk SMART data information and operating system startup and shutdown log information after receiving the information acquisition instruction from the starting monitoring module (101) once the operating system has started.
4. The security audit system based on hard disk and system log according to claim 3, wherein the storage encryption module (103) formats the hard disk SMART data information and the operating system log information acquired by the information acquisition module (102) into a source data packet, encrypts and stores the source data packet using an asymmetric encryption algorithm, and sends an audit instruction to the security audit subsystem.
5. The security audit system based on hard disk and system log according to claim 4, wherein the rule management module (105) is configured to manage audit rules and to provide the matching algorithm used in audit determination, and the security audit module (106) reads the hard disk and log source data packets stored by the information acquisition subsystem and invokes the matching algorithm of the audit rules to perform the audit determination.
6. The security audit system based on hard disk and system log according to claim 5, wherein the data storage module (104) is responsible for persistent storage of system source data packets and audit results, and the interface UI module (107) is used for implementing a system man-machine interaction interface.
7. The security audit system based on hard disk and system log according to claim 6, characterised in that the audit method of the security audit system comprises the following steps:
s1, continuously monitoring the operating system start-completion state event in real time, and entering the data information acquisition step once the operating system has started;
s2, completing acquisition of the source data, comprising hard disk SMART data information and operating system log information;
s3, completing the formatting of the collected hard disk SMART data information and operating system log information into source data, encrypting and storing it, and entering the audit data analysis pre-processing step;
s4, retrieving the stored previous source data packet and the newly acquired source data packet, and carrying out data analysis and the data format pre-processing required by the audit rules;
s5, calling the matching algorithm in the audit rule to analyse and compare the two source data packets, and evaluating the difference between them according to the rule to classify the interval as a risk violation event or a safety compliance event;
s6, after the audit operation has finished, displaying a risk violation alarm notification through the interface UI module (107) if a risk violation event was determined, and issuing no alarm notification if a safety compliance event was determined;
s7, recording and storing the audit result data; only the audit result data is stored in this step.
8. The security audit system based on hard disk and system log according to claim 7, wherein the determination method in step S5 is:
according to the hard disk SMART information and the operating system log information in the previous and current source data packets, namely the number of disk power-on cycles of the hard disk, the accumulated change in power-on time, and the change in system startup, shutdown, restart and logoff events in the operating system log, a packet pair that hits an audit violation rule is determined to be a risk violation event, and one that misses is determined to be a safety compliance event.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310495476.6A CN116561827A (en) 2023-05-05 2023-05-05 Security audit system and method based on hard disk and system log

Publications (1)

Publication Number Publication Date
CN116561827A true CN116561827A (en) 2023-08-08

Family

ID=87485555

Country Status (1)

Country Link
CN (1) CN116561827A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination