CN118094623A - Trusted processing method and device for log, computer equipment and storage medium - Google Patents

Info

Publication number: CN118094623A
Authority: CN (China)
Prior art keywords: target, log data, log, data, execution environment
Legal status: Pending (the status is Google's assumption, not a legal conclusion)
Application number: CN202410232864.XA
Other languages: Chinese (zh)
Inventors: 刘佳伟, 江义晟, 王剑
Current Assignee: Beijing Zitiao Network Technology Co Ltd
Original Assignee: Beijing Zitiao Network Technology Co Ltd
Application filed by Beijing Zitiao Network Technology Co Ltd
Priority to CN202410232864.XA
Publication of CN118094623A

Landscapes

  • Debugging And Monitoring (AREA)

Abstract

The disclosure relates to the field of computer technology and discloses a method and a device for trusted processing of logs, a computer device, and a storage medium. The method comprises the following steps: obtaining a target private line service in a cloud computing environment; capturing log data corresponding to the target private line service in a trusted execution environment and performing log processing on the log data to generate target log data; and constructing a data transmission channel based on the trusted execution environment and transmitting the target log data to a target storage location through that channel. With this technical scheme, which relies on trusted computing in a trusted execution environment, the acquisition, processing and transmission of log data for the target private line service are all executed inside the trusted execution environment, so that the credibility of the log data is ensured, its records are transparent and open, and the log data can be audited and traced.

Description

Trusted processing method and device for log, computer equipment and storage medium
Technical Field
The disclosure relates to the field of computer technology, and in particular to a method and a device for trusted processing of logs, a computer device, and a storage medium.
Background
In cloud computing services, a special situation arises with private line services: a cloud vendor can only lease a private line service, build its own services on it, and offer those services to its users. For example, in some regulated industries ownership of the private line service belongs to a particular enterprise or organization, so the cloud vendor can only build its complete service on top of the leased private line, which that enterprise or organization maintains.
When a problem occurs while a customer uses a service the cloud vendor built on such a private line service, the logs generated for the private line service are recorded inside the private line service itself, which the enterprise or organization maintains. The credibility of those log records is therefore hard to establish, their transparency and openness cannot be ensured, and tracing the problem from the log records becomes difficult.
Disclosure of Invention
In view of this, the present disclosure provides a method, an apparatus, a computer device and a storage medium for trusted processing of logs, so as to solve the problem that the credibility of log records is difficult to determine.
In a first aspect, the present disclosure provides a trusted processing method for logs, comprising: obtaining a target private line service in a cloud computing environment; capturing log data corresponding to the target private line service in a trusted execution environment and performing log processing on the log data to generate target log data; and constructing a data transmission channel based on the trusted execution environment and transmitting the target log data to a target storage location through the data transmission channel.
In a second aspect, the present disclosure provides a trusted processing apparatus for logs, comprising: an acquisition module for obtaining a target private line service in the cloud computing environment; a log processing module for capturing log data corresponding to the target private line service in the trusted execution environment and performing log processing on it to generate target log data; and a log transmission module for constructing a data transmission channel based on the trusted execution environment and transmitting the target log data to the target storage location through the data transmission channel.
In a third aspect, the present disclosure provides a computer device comprising a processor that executes computer instructions so as to perform the trusted processing method for logs of the first aspect or any of its corresponding implementations.
In a fourth aspect, the present disclosure provides a computer-readable storage medium storing computer instructions that cause a computer to perform the trusted processing method for logs of the first aspect or any of its corresponding embodiments.
With the trusted processing method, apparatus, computer device and storage medium for logs provided here, the target private line service is monitored inside the trusted execution environment to capture its log data, so that the capture process is not interfered with by the external environment and the security of capture is guaranteed. The captured log data is likewise processed inside the trusted execution environment to obtain the corresponding target log data, which secures the processing step. Constructing the data transmission channel for the target log data from within the trusted execution environment ensures both the reliability and the security of its transmission. Thus, by means of trusted computing based on the trusted execution environment, the acquisition, processing and transmission of log data for the target private line service are all executed inside the trusted execution environment; the credibility of the log data is ensured, its records are transparent and open, and the log data can be audited and traced.
Drawings
To illustrate the embodiments of the present disclosure or the prior art more clearly, the drawings needed in the detailed description are briefly introduced below. The drawings described below show some embodiments of the present disclosure; a person of ordinary skill in the art can obtain other drawings from them without inventive effort.
FIG. 1 is a flow diagram of a method of trusted processing of logs according to an embodiment of the present disclosure;
FIG. 2 is a flow diagram of another method of trusted processing of logs according to an embodiment of the present disclosure;
FIG. 3 is a flow diagram of yet another method of trusted processing of logs according to an embodiment of the present disclosure;
FIG. 4 is a specific flow diagram of a method of trusted processing of logs according to an embodiment of the present disclosure;
FIG. 5 is a block diagram of a trusted processing device for logs according to an embodiment of the present disclosure;
FIG. 6 is a schematic diagram of the hardware structure of a computer device according to an embodiment of the present disclosure.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments of the present disclosure clearer, the technical solutions of the embodiments are described clearly and completely below with reference to the accompanying drawings. The described embodiments are some, not all, of the embodiments of the present disclosure. All other embodiments that a person skilled in the art would obtain from them without inventive effort fall within the scope of protection of this disclosure.
When a problem occurs while a customer uses a service the cloud vendor built on a private line service, the logs generated for the private line service are recorded inside the private line service itself, which a specific enterprise or organization maintains. The credibility of those log records is therefore hard to establish, their transparency and openness cannot be ensured, and tracing the problem from the log records becomes difficult.
Building on this, the technical scheme of the present disclosure is based on trusted computing: the log data generated while the private line service is in use is acquired, processed and stored within a trusted execution environment, so that the transparency, openness, auditability and traceability of the log data are ensured.
According to an embodiment of the disclosure, a trusted processing method for logs is provided. Note that the steps shown in the flowcharts of the figures may be performed in a computer system, for instance as a set of computer-executable instructions, and although a logical order is shown in the flowcharts, in some cases the steps may be performed in an order other than the one shown or described here.
This embodiment provides a trusted processing method for logs that may be used in a computer device such as a computer or a server. FIG. 1 is a flowchart of the method according to an embodiment of the disclosure; as shown in FIG. 1, it comprises the following steps:
Step S101: obtain a target private line service in a cloud computing environment.
A cloud computing environment is a virtualized environment in which computing resources are accessed and used over the internet or a private network. A private line service provides a dedicated network connection in the cloud computing environment; it does not share bandwidth or resources with other clients and so ensures the security and privacy of data transmission. Private line services include leased private lines, virtual private lines, Ethernet private lines, cloud private lines and so on, and may be provided by a telecom operator, an internet service provider or a private line service provider. Examples include connecting an enterprise's local data center to a cloud service provider's data center through a private line service, or connecting the data centers of different cloud service providers through one.
The cloud vendor, as the provider of cloud computing services, can build complete cloud computing services on private line services and offer them to customers, allowing the customers to run applications and store data in the cloud computing environment without owning and maintaining physical servers and data centers. Cloud computing services include infrastructure as a service (IaaS), platform as a service (PaaS) and software as a service (SaaS).
When a customer uses a cloud computing service that the cloud vendor built on a private line service, the cloud vendor may forward the target private line service corresponding to that cloud computing service to a trusted execution environment (Trusted Execution Environment, TEE) in the computer device. The trusted execution environment in the computer device thus obtains the corresponding target private line service.
The trusted execution environment is a hardware-based security mechanism that loads the code and data participating in a computation into a trusted environment protected by the CPU and provides confidentiality and integrity protection for them.
Step S102: capture the log data corresponding to the target private line service in the trusted execution environment, and perform log processing on the log data to generate target log data.
The log data consists of the various kinds of logs generated by monitoring and analyzing the network connection performance and running state of the target private line service. The trusted execution environment monitors the target private line service's running condition, fault removal, capacity planning, network performance and other information, and captures the log data of the target private line service from that monitoring information.
Specifically, the log data may include a connection log, a bandwidth log, a delay log, an error log, a security log, a traffic log and so on. The connection log records the time, start point, end point, connection duration and similar details of connections established with the target private line service; the bandwidth log records bandwidth usage of the network connection, including upload and download volumes and bandwidth utilization; the delay log records connection latency, including round-trip time and network delay; the error log records errors and anomalies that occur during a connection, such as interruptions and connection failures; the security log records security events and access to the target private line service, such as login attempts and authentication logs; the traffic log records the network traffic passing through the target private line service, including source IP address, destination IP address, port number and traffic volume.
Log processing means parsing, filtering and encrypting the captured log data inside the trusted execution environment to obtain the processed target log data. For example, the log data is parsed to extract useful fields and information such as timestamps, log levels and IP addresses; it can be filtered according to usage requirements to drop irrelevant or invalid log events and keep the required ones; and it can be encrypted so that its subsequent communication is encrypted.
Specifically, a log processing tool may be deployed in the trusted execution environment to perform log processing and analysis on the captured log data, so that the log data generated by the target private line service is processed quickly and effectively and the corresponding target log data is obtained. The log processing tool may be the ELK (Elasticsearch, Logstash, Kibana) stack, Splunk, Fluentd, Apache Kafka, Apache Spark, etc., without particular limitation here.
Step S103: construct a data transmission channel based on the trusted execution environment, and transmit the target log data to the target storage location through the data transmission channel.
The target storage location is a location outside the trusted execution environment, such as a time series database or a log server, used to store the target log data. The data transmission channel is a channel that the trusted execution environment constructs between itself and the target storage location.
After the trusted execution environment has finished processing the log data, it may establish a secure connection between itself and the external target storage location through a trusted protocol such as an encryption protocol or Transport Layer Security (TLS). The data transmission channel is then formed over this secure connection and the target log data is transmitted through it to the target storage location, so that the target log data cannot be intercepted or tampered with in transit and the accuracy and integrity of the target log data received at the target storage location are ensured.
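The following is an added example, not code from the patent or its assignee, of how the TLS-based channel of step S103 can be configured on the TEE side so that the storage location is authenticated before any log record leaves the environment. It uses only the Python standard library; the host name, port, certificate paths and the record format are assumptions.

```python
import socket
import ssl
from typing import Iterable, Optional


def build_log_channel_context(ca_file: Optional[str] = None,
                              client_cert: Optional[str] = None,
                              client_key: Optional[str] = None) -> ssl.SSLContext:
    """Client-side TLS context for the TEE-to-storage data transmission channel.

    The storage server's certificate must chain to ca_file (or the system trust
    store when None) and match the host name, so a component on the host cannot
    redirect the channel to an impostor. A client certificate (hypothetical
    paths) additionally lets the storage side authenticate the TEE.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse legacy protocol versions
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if client_cert:
        ctx.load_cert_chain(client_cert, client_key)
    return ctx


def insecure_context_example() -> ssl.SSLContext:
    """The weak setting the check below rejects: no certificate verification,
    so any host on the path could pose as the target storage location."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode is relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def channel_is_hardened(ctx: ssl.SSLContext) -> bool:
    """Policy check run before any log record is sent over the channel."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.check_hostname
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def send_log_records(host: str, port: int, records: Iterable[bytes],
                     ctx: Optional[ssl.SSLContext] = None) -> int:
    """Transmit newline-delimited target log records; returns bytes sent.

    The policy check runs before the socket is opened, so a misconfigured
    context never results in a connection attempt.
    """
    ctx = ctx or build_log_channel_context()
    if not channel_is_hardened(ctx):
        raise RuntimeError("refusing to send logs over a weakly configured channel")
    sent = 0
    with socket.create_connection((host, port)) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            for rec in records:
                payload = rec.rstrip(b"\n") + b"\n"
                tls.sendall(payload)
                sent += len(payload)
    return sent


if __name__ == "__main__":
    # Constructed usage: host and port are placeholders for the target storage location.
    print("hardened:", channel_is_hardened(build_log_channel_context()))
    print("weak rejected:", not channel_is_hardened(insecure_context_example()))
```

The check in channel_is_hardened is deliberately separate from context construction so that a context supplied by configuration is still validated at send time.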
With the trusted processing method for logs provided in this embodiment, the target private line service is monitored inside the trusted execution environment to capture its log data, so that the capture process is not interfered with by the external environment and the security of capture is guaranteed. The captured log data is likewise processed inside the trusted execution environment to obtain the corresponding target log data, which secures the processing step. Constructing the data transmission channel for the target log data from within the trusted execution environment ensures both the reliability and the security of its transmission. Thus, by means of trusted computing based on the trusted execution environment, the acquisition, processing and transmission of log data for the target private line service are all executed inside the trusted execution environment; the credibility of the log data is ensured, its records are transparent and open, and the log data can be audited and traced.
This embodiment provides a trusted processing method for logs that may be used in a computer device such as a computer or a server. FIG. 2 is a flowchart of the method according to an embodiment of the disclosure; as shown in FIG. 2, it comprises the following steps:
Step S201: obtain a target private line service in a cloud computing environment. For details, refer to the corresponding description in the embodiment above; it is not repeated here.
Step S202: capture the log data corresponding to the target private line service in the trusted execution environment, and perform log processing on the log data to generate target log data.
Specifically, step S202 may include:
Step S2021: obtain a secure application running in the trusted execution environment.
The secure application is a pre-written trusted application (Trusted Application, TA) matched to the trusted execution environment. Specifically, an instance of the trusted execution environment is created in advance in the cloud computing environment of the computer device, and the secure application, which is responsible for log processing, is loaded into it so that it executes correctly within the restricted cloud computing environment.
After the target private line service is obtained, the computer device may pass it to the trusted execution environment. At this point the computer device may inspect the trusted execution environment and obtain the secure application deployed in it.
Step S2022: monitor the log source corresponding to the target private line service through the secure application.
The log source is a designated source that the secure application running in the trusted execution environment monitors, such as the application output, system call log or network connection activity corresponding to the target private line service. Since the secure application running in the trusted execution environment is responsible for log processing, once the target private line service is obtained the secure application can be invoked to monitor the log source of the target private line service.
Step S2023: when the log source passes trusted verification, capture the log data generated by the target private line service from the log source.
Because of the trusted execution attributes of the trusted execution environment, only authorized code and processes can run in it. When the log source corresponding to the target private line service is monitored, the trusted execution environment performs trusted verification on the log source to determine whether it is trusted.
When the trusted execution environment determines that the log source passes trusted verification, the log source has been authorized by the trusted execution environment. The secure application of the trusted execution environment then monitors the file reads, network port listening, system calls and other activity associated with the log source, so that the capture process is not interfered with by the external environment (such as the host operating system) and the originality and integrity of the captured log data are preserved.
In some alternative embodiments, the method further comprises:
Step a1: obtain the timestamp at which the log data was generated, check the timestamp, and produce a timestamp check result.
Step a2: determine the time credibility of the log data based on the timestamp check result.
The TEE provides hardware-level security protection and isolation, and a secure time source (Secure Time Source, STS) deployed in the TEE provides accurate and reliable timestamps.
Specifically, a secure clock is deployed inside the TEE, and the timestamps it generates cannot be tampered with from the external environment. After the log data is passed into the TEE, the TEE checks the timestamp at which the log data was generated and determines whether it is consistent with the secure clock running inside the TEE, producing the timestamp check result. If the timestamp is inconsistent with the secure clock, it is updated to agree with the secure clock. In this way the time credibility of the log data is guaranteed by the timestamp check result, and the accuracy and reliability of the log data's timestamp are guaranteed by the TEE's time source.
Specifically, the TEE may also synchronize time with an external time server: by communicating with a trusted time server it obtains accurate time information and uses that time as the timestamp of the log data when producing the timestamp check result. This ensures the temporal consistency and credibility of the log data within the TEE.
In the above embodiment, the secure time source provided by the TEE ensures that the timestamp of the log data is neither tampered with nor falsified. Checking the timestamp against the time source of the trusted execution environment guarantees its accuracy and reliability, so that the timeline and ordering of the log data can be determined accurately from the timestamps and the log data can be analyzed precisely on that basis.
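As an added illustration of steps a1 and a2 (not code from the patent), the following Python shows the timestamp check: a record's own timestamp is compared with the secure clock, an inconsistent value is replaced by the clock value as the description specifies, and the check result is kept alongside the record so that a correction stays visible to an auditor. The secure-clock function, the skew tolerance and the record format are assumptions; a real TEE would read its secure time source instead of the host clock.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple


def secure_clock_now() -> datetime:
    """Hypothetical stand-in for the TEE secure time source (assumption):
    inside an enclave this would call the secure clock API, not the host clock."""
    return datetime.now(timezone.utc)


# Maximum difference tolerated between a record's timestamp and the secure
# clock before the record is treated as inconsistent (constructed policy value).
MAX_SKEW = timedelta(seconds=5)


def parse_log_timestamp(text: str) -> datetime:
    """Parse an ISO 8601 UTC timestamp such as 2024-03-01T12:00:00Z."""
    ts = datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")
    return ts.replace(tzinfo=timezone.utc)


def check_timestamp(record_ts: datetime, trusted_ts: datetime,
                    max_skew: timedelta = MAX_SKEW) -> Tuple[datetime, Dict[str, object]]:
    """Step a1: compare the record timestamp with the secure clock.

    Returns the timestamp to keep on the record and the check result from
    which step a2 derives the record's time credibility.
    """
    if record_ts.tzinfo is None or trusted_ts.tzinfo is None:
        raise ValueError("timestamps must be timezone-aware")
    skew = record_ts - trusted_ts
    consistent = abs(skew) <= max_skew
    result = {
        "original": record_ts.isoformat(),
        "secure_clock": trusted_ts.isoformat(),
        "skew_seconds": skew.total_seconds(),
        "consistent": consistent,
        "corrected": not consistent,
    }
    # An inconsistent timestamp is replaced by the secure clock value; the
    # original value is retained in the check result for auditing.
    return (record_ts if consistent else trusted_ts), result


def stamp_record(record: Dict[str, object],
                 trusted_ts: Optional[datetime] = None) -> Dict[str, object]:
    """Apply the check to one parsed record (a dict with a 'ts' string field)."""
    trusted_ts = trusted_ts or secure_clock_now()
    kept, result = check_timestamp(parse_log_timestamp(str(record["ts"])), trusted_ts)
    out = dict(record)
    out["ts"] = kept.strftime("%Y-%m-%dT%H:%M:%SZ")
    out["time_check"] = result
    return out


if __name__ == "__main__":
    # Constructed record whose timestamp lags the secure clock by one minute.
    clock = parse_log_timestamp("2024-03-01T12:01:00Z")
    print(stamp_record({"ts": "2024-03-01T12:00:00Z", "msg": "link up"}, clock))
```

The tolerance exists because a record's timestamp is taken slightly before the TEE receives it; a few seconds of lag is expected, while a large or future-dated skew indicates a clock that cannot be trusted.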
Specifically, step S202 may further include:
Step S2024: detect irrelevant data in the log data and filter it out.
Irrelevant data is invalid data recorded in the log data. Specifically, it may include: invalid log events, such as heartbeat logs the system emits automatically or repeated login attempts; debug information, i.e. the large volume of debug logs produced during development and debugging; informational noise, i.e. routine informational records that are of no use for problem tracing and analysis; and sensitive data, such as user passwords and identification numbers, which should be desensitized or encrypted to protect customer privacy.
When filtering irrelevant data, the key information in the log data can be selected by matching rules based on configured keywords or regular expressions, and the irrelevant data discarded. For example, keyword filtering rules may keep only log events containing specific keywords; required events may be selected by log level (such as debug, info, warning and error) and other levels filtered out; a time-range condition based on the timestamp may keep only log data in a specified period and drop the rest; log data not belonging to a specific IP address or client may be filtered out on the basis of IP address or client information; and abnormal or erroneous log events may be filtered out according to predefined abnormal or error patterns so that only normal log data is kept. The method of removing irrelevant data is not particularly limited and can be chosen by a person skilled in the art according to actual requirements.
Specifically, log processing tools may be deployed, or corresponding scripts written, in the TEE to implement the filtering of irrelevant data. The log processing tool may be the ELK (Elasticsearch, Logstash, Kibana) stack, Splunk, etc.; scripts may be written in Python, shell or other scripting languages and implement the filtering through regular expressions or conditional checks.
Step S2025: format the log data.
Formatting means normalizing and organizing the raw log data according to a specific format to facilitate subsequent processing and analysis. It may be implemented with a programming language and associated libraries or tools, such as Python regular expressions, Java string parsing or AWK, or with the log formatting functions of log processing tools such as the ELK (Elasticsearch, Logstash, Kibana) stack or Splunk. The formatting process is not limited here and can be configured flexibly by a person skilled in the art according to actual needs.
When formatting the log data, first analyze its log format, such as the position of the timestamp, the representation of the log level and the field separators, so as to determine the structure and fields of the log data; next, decompose the log data into separate fields according to that format, such as timestamp, log level, IP address and message content, so that each field's value is easier to access and process; then format each extracted field according to actual requirements, for instance converting the timestamp to a specific date and time format or standardizing the IP address, so as to keep the log data consistent, readable and analyzable; finally, generate a new log record in the new format, i.e. recombine the formatted fields into a new log line.
During formatting, exception handling can be applied to invalid or erroneous log data, for example by skipping lines that cannot be parsed and recording an error message, so that the stability and integrity of the whole formatting process are ensured.
Step S2026: encrypt the log data and generate key information for it.
The log data captured in the TEE is encrypted using symmetric or asymmetric encryption, the corresponding key information is generated, and the key information is stored in and managed by the TEE.
For example, with symmetric encryption the same key is used for encryption and decryption, as with AES, and a random symmetric key may be generated for each piece of log data. The log data is then encrypted with that key, ensuring that only a service holding the key information can decrypt and view it.
With asymmetric encryption, a public key and a private key are used for encryption and decryption: a key pair is generated, the public key is deployed at the log data's generation end, which encrypts the data with it, and only a service holding the private key can decrypt and view the log data.
Specifically, when generating key information for the log data, a random key of an appropriate length, such as 256 bits, may be generated; a key derivation function may be used to derive a key from specific information in the log data (such as a timestamp or IP address), so that key information is tied to the specific log data; or a dedicated key management system (Key Management System, KMS) may be deployed in the TEE to generate and manage the key information for the log data.
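As an added example for the key-generation options above (not code from the patent), the following Python shows the three approaches side by side: a random 256-bit key from the operating system's CSPRNG, a per-record key derived with HKDF (RFC 5869, implemented here over the standard library and self-checked against the RFC's first test vector) from a TEE-held master key plus record context such as timestamp and source address, and a minimal key-store object standing in for a KMS inside the TEE that hands out identifiers and derived keys but never the master key. The store class, the info-string layout and the sample context values are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Dict

KEY_LEN = 32  # 256-bit symmetric key, the length the description gives as an example


def generate_random_key(length: int = KEY_LEN) -> bytes:
    """Fresh random key from the OS CSPRNG, e.g. one per log record or batch."""
    return secrets.token_bytes(length)


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869 section 2.2) with HMAC-SHA256."""
    if not salt:
        salt = bytes(hashlib.sha256().digest_size)  # RFC default: zero-filled salt
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869 section 2.3) with HMAC-SHA256."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf_self_test() -> bool:
    """Check the implementation against RFC 5869 test case 1 before use."""
    ikm = bytes.fromhex("0b" * 22)
    salt = bytes.fromhex("000102030405060708090a0b0c")
    info = bytes.fromhex("f0f1f2f3f4f5f6f7f8f9")
    expected = bytes.fromhex(
        "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
        "34007208d5b887185865")
    return hkdf_expand(hkdf_extract(salt, ikm), info, 42) == expected


def derive_log_key(master_key: bytes, timestamp: str, source_ip: str,
                   length: int = KEY_LEN) -> bytes:
    """Derive a record-specific key from a TEE-held master key and record context.

    The context goes into the HKDF info field with a fixed label (constructed
    layout), so records with different timestamps or sources get different keys
    while the same record always derives the same key.
    """
    info = b"log-key-v1|" + timestamp.encode() + b"|" + source_ip.encode()
    return hkdf_expand(hkdf_extract(b"", master_key), info, length)


class TeeKeyStore:
    """Hypothetical minimal KMS living inside the TEE: callers receive key
    identifiers and derived record keys, never the master key material."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}

    def create_master_key(self) -> str:
        key_id = secrets.token_hex(8)
        self._keys[key_id] = generate_random_key()
        return key_id

    def record_key(self, key_id: str, timestamp: str, source_ip: str) -> bytes:
        return derive_log_key(self._keys[key_id], timestamp, source_ip)


if __name__ == "__main__":
    assert hkdf_self_test()
    store = TeeKeyStore()
    kid = store.create_master_key()
    # Constructed record context values.
    print(store.record_key(kid, "2024-03-01T12:00:00Z", "10.0.0.5").hex())
```

The derived key should be fed to an authenticated cipher (the AES mentioned in the description, in an AEAD mode such as AES-GCM) from a vetted library; the block stops at key generation and derivation because that is the part the description specifies.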
In some alternative embodiments, the above method further comprises: and acquiring a secure storage area corresponding to the trusted execution environment, and storing the target log data into the secure storage area.
The secure Storage area is an area provided inside the TEE for Trusted Storage, such as Trusted Storage (Trusted Storage) in the TEE. The secure storage area is located inside the TEE and protected and isolated by TEE hardware, and the external environment cannot directly access and tamper with the target log data stored in the secure storage area. Specifically, proper access control, encryption measures and backup strategies are set for the secure storage area so as to reasonably manage and protect the target log data stored in the secure storage area and ensure the security and availability of the target log data.
The processed target log data is stored in the secure storage area, so that unauthorized access and reading can be prevented and the confidentiality of the log data is ensured. At the same time, the secure storage area may provide data integrity protection to prevent the target log data from being tampered with or corrupted.
The secure storage area can serve as a temporary buffer that provides temporary storage space for the processed target log data, so that the confidentiality and integrity of the target log data are ensured while it waits for uploading or further processing.
In this embodiment, the target log data is stored in the secure storage area of the trusted execution environment while it waits for subsequent transmission, so that the temporary storage of the log data is secured and malicious access to the log data by other services is avoided.
Step S203, a data transmission channel is constructed based on the trusted execution environment, and the target log data is transmitted to the target storage position through the data transmission channel. For detailed description, please refer to the corresponding related description of the above embodiments, and the detailed description is omitted herein.
According to the trusted processing method for the log, the security application program is loaded in the trusted execution environment, so that the log source of the target private line service is verified through the security application program, only the authorized process of the target private line service can be executed in the trusted execution environment, and the source credibility of the log data is ensured. The security of the log data processing process is ensured by filtering irrelevant data, formatting, encrypting and otherwise processing the captured log data in the trusted execution environment.
In this embodiment, a trusted processing method of a log is provided, which may be used in a computer device, such as a computer, a server, etc., and fig. 3 is a flowchart of a trusted processing method of a log according to an embodiment of the disclosure, as shown in fig. 3, where the flowchart includes the following steps:
Step S301, obtaining a target private line service in the cloud computing environment. For detailed description, please refer to the corresponding related description of the above embodiments, and the detailed description is omitted herein.
Step S302, capturing the log data generated by the target private line service in the trusted execution environment, and performing log processing on the log data to generate target log data. For detailed description, please refer to the corresponding related description of the above embodiments, and the detailed description is omitted herein.
Step S303, a data transmission channel is constructed based on the trusted execution environment, and the target log data is transmitted to the target storage position through the data transmission channel.
Specifically, the step S303 may include:
Step S3031, identity verification is performed on the target storage location based on the trusted credential information of the trusted execution environment.
The trusted credential information is a credential, such as an API key, that is securely stored inside the TEE. And carrying out identity verification on the target storage position through the trusted credential information to determine whether the target storage position is a position authorized by the TEE and capable of receiving the target log data. When the target storage location passes the identity verification, step S3032 is executed, otherwise, it indicates that the target storage location is not a trusted storage location, and the sending of the target log data to the target storage location is refused.
In step S3032, when the target storage location passes the authentication, a data transmission channel between the trusted execution environment and the target storage location is constructed based on a preset encryption protocol.
The preset encryption protocol is a preset protocol for constructing an encrypted transmission channel, for example, TLS protocol, and is not particularly limited herein, as long as the preset encryption protocol is an encryption protocol capable of constructing a secure connection between the TEE and the target storage location.
When the target storage location passes the identity verification, the target storage location is indicated to be a trusted storage location authorized by the TEE. At this time, the secure application TA running in the TEE may establish a secure connection between the TEE and the target storage location according to a preset encryption protocol, and establish a data transmission channel between the TEE and the target storage location through the secure connection, so as to prevent the target storage location that is not authenticated from accessing the data transmission channel.
In step S3033, the target log data is transmitted to the target storage location through the data transmission channel.
The target log data is transmitted in encrypted form through the data transmission channel constructed over the secure connection, so that it reaches the target storage location safely and is prevented from being maliciously intercepted or tampered with by other services during transmission. The target log data transmitted in encrypted form specifically comprises the log content, a time stamp and other metadata related to the log event.
In some alternative embodiments, step S3033 may include: adding an integrity mark to the target log data, and transmitting the target log data with the integrity mark added to the target storage location through the data transmission channel.
The integrity identifier is an identifier characterizing the integrity of the target log data. In particular, a hash function may be employed to generate a hash value that ensures the integrity of the target log data: a hash function maps target log data of arbitrary length to a hash value of fixed length, and when the target log data changes, even slightly, the hash value computed from it is completely different. Therefore, the corresponding hash value can be transmitted to the target storage location together with the target log data. After receiving the target log data, the target storage location computes its hash with the same hash function and compares the computed hash value with the hash value carried with the target log data to determine whether the two are consistent, thereby implementing integrity verification of the target log data.
In particular, a digital signature may also be employed to ensure the integrity of the target log data. The digital signature encrypts the target log data using a private key, and the encrypted target data can be decrypted using the corresponding public key. Accordingly, the encrypted target log data and the digital signature are transmitted to the target storage location together; the target storage location receives the target log data and decrypts it using the public key corresponding to the digital signature so as to verify the validity of the digital signature of the target log data, and if the digital signature passes verification, the target log data is complete and credible.
In the above embodiment, when the target log data is transmitted in the trusted execution environment, the integrity identifier is added to the target log data, so that the transmission integrity of the target log data is ensured, and the target log data is prevented from being tampered and damaged.
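An integrity mark as described above, as an added Go example that is not the patent's own code: the sender hashes the canonical record with SHA-256 and signs the hash with a TEE-held Ed25519 key, and the storage side recomputes the hash and verifies the signature (the signature is used in the standard sign/verify sense rather than as encryption of the record). The record fields, the key distribution and the sample content are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// TargetLog is the processed record that is sent: the log content, a
// timestamp and other metadata of the log event, as the text lists.
type TargetLog struct {
	Content   string            `json:"content"`
	Timestamp string            `json:"timestamp"`
	Metadata  map[string]string `json:"metadata"`
}

// IntegrityMark travels with the record: the SHA-256 hash of the canonical
// record, and an Ed25519 signature over that hash made with the TEE-held key.
type IntegrityMark struct {
	Hash      string `json:"hash"`
	Signature string `json:"signature"`
}

// SealedLog is the unit that crosses the data transmission channel.
type SealedLog struct {
	Record TargetLog     `json:"record"`
	Mark   IntegrityMark `json:"mark"`
}

// NewSigningKey creates the TEE-held key pair. Handing the public key to the
// target storage location is assumed to happen out of band.
func NewSigningKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// canonical serialises the record deterministically: encoding/json writes
// struct fields in declaration order and sorts map keys, so both ends hash
// the same bytes for the same record.
func canonical(r TargetLog) ([]byte, error) {
	return json.Marshal(r)
}

// AddIntegrityMark computes the hash and signs it before transmission.
func AddIntegrityMark(priv ed25519.PrivateKey, r TargetLog) (SealedLog, error) {
	data, err := canonical(r)
	if err != nil {
		return SealedLog{}, err
	}
	sum := sha256.Sum256(data)
	sig := ed25519.Sign(priv, sum[:])
	mark := IntegrityMark{Hash: hex.EncodeToString(sum[:]), Signature: hex.EncodeToString(sig)}
	return SealedLog{Record: r, Mark: mark}, nil
}

// VerifyIntegrity runs at the target storage location: recompute the hash of
// the received record and compare it with the carried hash, then check the
// signature so that a record re-hashed by someone without the key is rejected too.
func VerifyIntegrity(pub ed25519.PublicKey, s SealedLog) error {
	data, err := canonical(s.Record)
	if err != nil {
		return err
	}
	sum := sha256.Sum256(data)
	if hex.EncodeToString(sum[:]) != s.Mark.Hash {
		return errors.New("hash mismatch: record altered in transit")
	}
	sig, err := hex.DecodeString(s.Mark.Signature)
	if err != nil {
		return fmt.Errorf("malformed signature: %w", err)
	}
	if !ed25519.Verify(pub, sum[:], sig) {
		return errors.New("signature invalid: mark was not produced by the TEE key")
	}
	return nil
}

func main() {
	pub, priv, _ := NewSigningKey()
	// Constructed sample record; not taken from any real private line service.
	rec := TargetLog{
		Content:   "link state changed to UP",
		Timestamp: "2024-02-29T10:00:00Z",
		Metadata:  map[string]string{"service": "private-line-demo", "level": "INFO"},
	}
	sealed, _ := AddIntegrityMark(priv, rec)
	fmt.Println("intact record accepted:", VerifyIntegrity(pub, sealed) == nil)
	sealed.Record.Content = "link state changed to DOWN" // tamper in transit
	fmt.Println("tampered record rejected:", VerifyIntegrity(pub, sealed) != nil)
}
```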
In some alternative embodiments, the above method may further comprise: generating index information of the target log data, and storing the index information and the target log data into the target storage location.
The index information is used to retrieve and query the target log data. Specifically, by parsing the target log data, an index field, such as a time stamp, a log level, an IP address, a user ID, etc., for the target log data is determined; according to the type of the index field and the query requirement, a corresponding index method is determined, for example, a B tree index method can be used for the accurate matching query, a full text index can be used for full text search, an inverted index can be used for the range query, and the like, and the method is not particularly limited herein; and dividing and sequencing the target log data according to the values of the index fields according to the selected index method and the index fields, constructing an index structure, and generating corresponding index information. And then, the generated index information and the target log data are stored in the target storage position together.
In particular, the indexing and searching functions provided by log processing tools, such as the ELK stack (Elasticsearch, Logstash, Kibana) or Splunk, may be employed to index the log data. After the index information is generated, it needs to be maintained periodically as the target log data grows and changes so that it stays accurate; maintenance of the index information may include adding new target log data to the index, deleting outdated target log data, and so on.
The index information is used for searching and analyzing the target log data, so that the log data meeting the conditions can be quickly positioned according to the query conditions, and the searching efficiency is improved. Meanwhile, the results of searching and analyzing the target log data based on the index information can be displayed in the form of a report and a visualized chart, so that a user can more intuitively understand and utilize the target log data.
In the above embodiment, before storing the target log data and the index information in the target storage location, the index information of the target log data is generated to realize indexing with respect to the target log data, so that the target log information in the target storage location is conveniently searched, analyzed and reported subsequently.
In some alternative embodiments, the above method may further comprise: receiving an acknowledgement signal, fed back by the target storage location, for the target log data.
The acknowledgement signal is used to characterize that the target storage location has successfully received the target log data. After successful transfer of the target log data to the target storage location, the target storage location may receive the target log data and generate a corresponding acknowledgement signal. The target storage location feeds back the acknowledgement signal to the TEE through the data transmission channel, and accordingly, the TEE can receive the acknowledgement signal fed back by the target storage location to ensure that the target log data is successfully transmitted to the target storage location and received by the target storage location.
In the above embodiment, successful transmission of the target log data is ensured by receiving the acknowledgement signal generated for the target log data.
In some alternative embodiments, the above method may further comprise:
Step c1, obtaining a target service requesting the target log data.
Step c2, synchronously forwarding the target log data to the target service when the target log data is transmitted to the target storage location through the data transmission channel.
The target service is a service for requesting target log data, and the TEE can monitor the request of the target service outside the target storage location for the target log data in real time in the process of transmitting the target log data to the target storage location. When it is monitored that a target service requests target log data, it may receive a request initiated by the target service and check if the target service is trusted. If the target service is determined to be trusted, the target log data can be synchronously forwarded to a target service outside the target storage location, such as a real-time monitoring service or an alarm service, while the target log data is written to the target storage location. Therefore, the transmission and the forwarding of the target log data are synchronously carried out, and the real-time monitoring or the alarm of the target log data can be conveniently realized.
In some alternative embodiments, the above method may further comprise:
Step d1, obtaining a target service requesting the target log data.
Step d2, after the target log data is transmitted to the target storage location through the data transmission channel, forwarding the target log data to the target service.
When the target service is determined to be trusted, in order to ensure secure storage and indexing of the target log data, the target log data can first be written to the target storage location, and then the requested target log data is forwarded to the target service according to the request it initiated.
In a specific embodiment, the target storage location may be a time-series database in which the target log data is stored, so that a large amount of log data can be processed efficiently, and the security of the stored log data can be greatly enhanced by combining the data encryption and integrity protection provided by the time-series database with those provided by the TEE. In addition, the time-series database supports complex time-based queries, so that such queries can be handled effectively and accurate log analysis and fault investigation can be realized.
According to the trusted processing method of the log, the target storage position is subjected to identity verification through the trusted credential information of the trusted execution environment, so that safe connection between the trusted execution environment and the external target storage position is established, a data transmission channel between the trusted execution environment and the external target storage position is generated through the safe connection, the target log data is prevented from being intercepted or tampered in the transmission process, and the transmission safety of the target log data is guaranteed. Therefore, safety guarantee is realized in the process of acquiring and uploading the log data to the whole link for storing, so that the target log data stored in the target storage position has higher credibility.
The present embodiment describes the trusted processing method of the log with a specific example. As shown in fig. 4, a class B client is a client that uses a cloud computing service, namely a service developed by a cloud vendor on top of a private line service rented by the cloud vendor, for connecting multiple resources at different geographical locations, such as the data centers and cloud servers of each location. The private line service has a corresponding private line service provider that constructs, manages and maintains the data transmission lines dedicated to the private line service, connecting the customer's local network to a designated data center or other network node.
Specifically, the customer may initiate a private line service request to the cloud vendor to obtain the target private line service. The cloud vendor provides the target private line service to the client and, while the client uses it, forwards the target private line service to a TEE-based trusted execution environment, in which log data acquisition, log data processing, log data uploading, log data storage to a time-series database and other operations for the target private line service are completed. Meanwhile, while the trusted execution environment operates on the log data generated by the target private line service, the cloud vendor also forwards the target private line service to the private line service provider, so that the private line service provider manages and maintains the target private line service.
The embodiment also provides a trusted processing device for logs, which is used for implementing the above embodiment and the preferred implementation, and the description is omitted. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. While the means described in the following embodiments are preferably implemented in software, implementation in hardware, or a combination of software and hardware, is also possible and contemplated.
The present embodiment provides a trusted processing apparatus for logs, as shown in fig. 5, including:
The acquiring module 401 is configured to acquire a target private line service in a cloud computing environment.
The log processing module 402 is configured to capture log data corresponding to the target private line service in a trusted execution environment, and perform log processing on the log data to generate target log data.
The log transmission module 403 is configured to construct a data transmission channel based on the trusted execution environment, and transmit the target log data to the target storage location through the data transmission channel.
In some alternative embodiments, the log processing module 402 may include:
The secure application acquisition unit is used for acquiring the secure application program running in the trusted execution environment.
The monitoring unit is used for monitoring the log source corresponding to the target private line service through the security application program.
The log capturing unit is used for capturing log data generated by the target private line service from the log source when the log source passes the trusted verification.
In some alternative embodiments, the log processing module 402 may further include:
The time stamp checking unit is used for acquiring the time stamp for generating the log data, checking the time stamp and generating a time stamp checking result.
The time credibility determining unit is used for determining the time credibility of the log data based on the time stamp checking result.
In some alternative embodiments, the log processing module 402 may further include:
The filtering unit is used for detecting irrelevant data in the log data and filtering the irrelevant data.
The formatting unit is used for formatting the log data.
The encryption unit is used for carrying out encryption processing on the log data and generating key information for the log data.
In some alternative embodiments, the log processing module 402 may further include:
The storage unit is used for acquiring a secure storage area corresponding to the trusted execution environment and storing the target log data into the secure storage area.
In some alternative embodiments, the log transmission module 403 may include:
The identity verification unit is used for carrying out identity verification on the target storage location based on the trusted credential information of the trusted execution environment.
The channel construction unit is used for constructing a data transmission channel between the trusted execution environment and the target storage location based on a preset encryption protocol when the target storage location passes the identity verification.
The transmission unit is used for transmitting the target log data to the target storage location through the data transmission channel.
In some alternative embodiments, the transmission unit may include:
The integrity identification module is used for adding the integrity identification to the target log data and transmitting the target log data with the integrity identification added to the target storage location through the data transmission channel.
In some alternative embodiments, the apparatus may further include:
The index module is used for generating index information of the target log data and storing the index information and the target log data into the target storage location.
In some alternative embodiments, the apparatus may further include:
The signal receiving module is used for receiving the acknowledgement signal fed back by the target storage location for the target log data.
In some alternative embodiments, the apparatus may further include:
The target service acquisition module is used for acquiring the target service requesting the target log data.
The synchronization module is used for synchronously forwarding the target log data to the target service when the target log data is transmitted to the target storage location through the data transmission channel.
The forwarding module is used for forwarding the target log data to the target service after the target log data is transmitted to the target storage location through the data transmission channel.
Further functional descriptions of the above respective modules and units are the same as those of the above corresponding embodiments, and are not repeated here.
The trusted processing apparatus of the log in this embodiment is presented in the form of functional units, where a unit refers to an ASIC (Application Specific Integrated Circuit), a processor and a memory that execute one or more software or fixed programs, and/or other devices that can provide the above functions.
According to the trusted processing device for the log, the target private line service is monitored in the trusted execution environment to capture the log data corresponding to the target private line service, so that the capture process of the log data is not interfered with by the external environment and the capture security of the log data is ensured. Meanwhile, the captured log data is processed in the trusted execution environment to obtain the corresponding target log data, so that the log data is processed through the trusted execution environment and the security of the log data processing process is ensured. By constructing a data transmission channel for the target log data in the trusted execution environment, the transmission reliability and transmission security of the target log data are ensured. Therefore, the log data acquisition operation, the log data processing operation and the log data transmission operation for the target private line service are executed inside the trusted execution environment through the trusted computing technology based on the trusted execution environment, so that the credibility of the log data is ensured, the record transparency and record openness of the log data are ensured, and the log data can be audited and traced.
The embodiment of the disclosure also provides a computer device, which is provided with the trusted processing device of the log shown in the figure 5.
Referring to fig. 6, fig. 6 is a schematic structural diagram of a computer device according to an alternative embodiment of the disclosure. As shown in fig. 6, the computer device includes: one or more processors 10, a memory 20, and interfaces for connecting the various components, including high-speed interfaces and low-speed interfaces. The various components are communicatively coupled to each other using different buses and may be mounted on a common motherboard or in other manners as desired. The processor may process instructions executing within the computer device, including instructions stored in or on the memory to display graphical information of a GUI on an external input/output device, such as a display device coupled to the interface. In some alternative embodiments, multiple processors and/or multiple buses may be used, if desired, along with multiple memories. Also, multiple computer devices may be connected, each providing a portion of the necessary operations (e.g., as a server array, a set of blade servers, or a multiprocessor system). One processor 10 is illustrated in fig. 6.
The processor 10 may be a central processor, a network processor, or a combination thereof. The processor 10 may further include a hardware chip, among others. The hardware chip may be an application specific integrated circuit, a programmable logic device, or a combination thereof. The programmable logic device may be a complex programmable logic device, a field programmable gate array, a general-purpose array logic, or any combination thereof.
The memory 20 stores instructions executable by the at least one processor 10 to cause the at least one processor 10 to perform the methods of the above embodiments.
The memory 20 may include a storage program area that may store an operating system, at least one application program required for functions, and a storage data area; the storage data area may store data created according to the use of the computer device, etc. In addition, the memory 20 may include high-speed random access memory, and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid-state storage device. In some alternative embodiments, memory 20 may optionally include memory located remotely from processor 10, which may be connected to the computer device via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
Memory 20 may include volatile memory, such as random access memory; the memory may also include non-volatile memory, such as flash memory, hard disk, or solid state disk; the memory 20 may also comprise a combination of the above types of memories.
The computer device also includes a communication interface 30 for the computer device to communicate with other devices or communication networks.
The embodiments of the present disclosure also provide a computer-readable storage medium. The methods described above may be implemented in hardware or firmware, as software stored on a recordable storage medium, or as computer code downloaded over a network (originally stored in a remote storage medium or a non-transitory machine-readable storage medium and then stored in a local storage medium), such that the methods described herein may be executed from software on a storage medium using a general-purpose computer, a special-purpose processor, or programmable or dedicated hardware. The storage medium can be a magnetic disk, an optical disk, a read-only memory, a random access memory, a flash memory, a hard disk, a solid state disk or the like; further, the storage medium may also comprise a combination of the kinds of memory described above. It will be appreciated that a computer, processor, microprocessor controller or programmable hardware includes a storage element that can store or receive software or computer code that, when accessed and executed by the computer, processor or hardware, implements the methods illustrated by the above embodiments.
Although embodiments of the present disclosure have been described in connection with the accompanying drawings, various modifications and variations may be made by those skilled in the art without departing from the spirit and scope of the disclosure, and such modifications and variations are within the scope defined by the appended claims.

Claims (13)

1. A method for trusted processing of logs, comprising:
acquiring a target private line service in a cloud computing environment;
capturing log data corresponding to the target private line service in a trusted execution environment, and performing log processing on the log data to generate target log data;
And constructing a data transmission channel based on the trusted execution environment, and transmitting the target log data to a target storage position through the data transmission channel.
2. The method of claim 1, wherein capturing log data generated by the target private line service in a trusted execution environment comprises:
Acquiring a security application running in the trusted execution environment;
Monitoring a log source corresponding to the target private line service through the security application program;
And when the log source passes the trusted verification, capturing log data generated by the target private line service from the log source.
3. The method as recited in claim 2, further comprising:
Acquiring a time stamp for generating the log data, checking the time stamp, and generating a time stamp checking result;
and determining the time credibility of the log data based on the timestamp checking result.
4. A method according to any one of claims 1-3, wherein said journaling data comprises:
Detecting irrelevant data in the log data, and filtering the irrelevant data;
and/or the number of the groups of groups,
Formatting the log data;
and/or the number of the groups of groups,
And encrypting the log data to generate key information aiming at the log data.
5. The method as recited in claim 4, further comprising:
And acquiring a secure storage area corresponding to the trusted execution environment, and storing the target log data into the secure storage area.
6. The method of claim 1, wherein constructing a data transfer channel based on the trusted execution environment, transferring the target log data to a target storage location through the data transfer channel, comprises:
verifying the identity of the target storage location based on trusted credential information of the trusted execution environment;
when the target storage position passes the identity verification, a data transmission channel between the trusted execution environment and the target storage position is constructed based on a preset encryption protocol;
and transmitting the target log data to the target storage position through the data transmission channel.
7. The method of claim 6, wherein the transmitting the target log data to the target storage location via the data transmission channel comprises:
and adding an integrity mark in the target log data, and transmitting the target log data added with the integrity mark to the target storage position through the data transmission channel.
8. The method according to claim 6 or 7, further comprising:
and generating index information of the target log data, and storing the index information and the target log data into the target storage position.
9. The method according to claim 6 or 7, further comprising:
and receiving an acknowledgement signal fed back by the target storage position and aiming at the target log data.
10. The method as recited in claim 1, further comprising:
Acquiring a target service requesting the target log data;
Synchronously forwarding the target log data to the target service when the target log data is transmitted to a target storage location through the data transmission channel;
Or alternatively, the first and second heat exchangers may be,
And forwarding the target log data to the target service after the target log data is transmitted to a target storage position through the data transmission channel.
11. A trusted processing apparatus for logs, comprising:
an acquisition module, configured to acquire a target private line service in a cloud computing environment;
a log processing module, configured to capture log data corresponding to the target private line service in a trusted execution environment and to perform log processing on the log data to generate target log data;
and a log transmission module, configured to construct a data transmission channel based on the trusted execution environment and to transmit the target log data to a target storage location through the data transmission channel.
12. A computer device, comprising:
a memory and a processor in communication with each other, the memory storing computer instructions, and the processor executing the computer instructions to perform the trusted processing method for logs of any one of claims 1 to 10.
13. A computer-readable storage medium storing computer instructions for causing a computer to perform the trusted processing method for logs according to any one of claims 1 to 10.
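The following is an added illustration of the flow in claims 7 to 10 (integrity mark, index information, acknowledgement, forwarding after transfer); it is example code written for this page, not code from the patent or its applicant. The patent does not say what form the integrity mark, the index or the channel take, so these are assumptions: the mark is an HMAC-SHA256 over a canonical JSON encoding of each record chained to the previous record's mark (which goes a little beyond a per-record mark, since a chain also lets an auditor detect deleted or reordered records), the index is (service, seq, ts), the TEE key is a placeholder constant, and the encrypted channel between the TEE and the storage location is stood in for by a direct method call. The log lines are constructed sample data.

```python
"""Integrity-marked log transfer with acknowledgements (added illustration)."""
import hashlib
import hmac
import json

# Constructed sample log lines for a hypothetical private-line service "pl-001".
SAMPLE_LOG_LINES = [
    "2024-02-29T08:00:01Z line=pl-001 event=link_up peer=10.0.0.2",
    "2024-02-29T08:00:05Z line=pl-001 event=bgp_established peer=10.0.0.2",
    "2024-02-29T08:01:10Z line=pl-001 event=link_down peer=10.0.0.2 reason=lcp_timeout",
]

# Placeholder key (assumption): in a deployment it would be sealed inside the TEE.
TEE_SEALED_KEY = b"placeholder-tee-sealed-key"
GENESIS_MARK = b"genesis"  # chain start value shared by both ends


def parse_log_line(line):
    """Log processing step: turn a raw text line into a structured record."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"ts": ts, **fields}


def canonical(record):
    """Deterministic encoding so both ends compute the mark over identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def integrity_mark(key, record, prev_mark):
    """HMAC over prev_mark || record; chaining makes deletion and reordering detectable."""
    return hmac.new(key, prev_mark + canonical(record), hashlib.sha256).hexdigest()


class TeeLogProducer:
    """Runs inside the trusted execution environment: process, mark, index."""

    def __init__(self, key, service_id):
        self.key, self.service_id = key, service_id
        self.prev_mark, self.seq = GENESIS_MARK, 0

    def emit(self, raw_line):
        record = parse_log_line(raw_line)
        self.seq += 1
        mark = integrity_mark(self.key, record, self.prev_mark)
        self.prev_mark = mark.encode()
        index = {"service": self.service_id, "seq": self.seq, "ts": record["ts"]}
        return {"index": index, "record": record, "mark": mark}


class LogStorage:
    """Target storage location: verify the mark, store index + data, acknowledge."""

    def __init__(self, key):
        self.key = key
        self.prev_mark = GENESIS_MARK
        self.entries = {}  # seq -> entry (index information stored with the data)

    def receive(self, entry):
        seq = entry["index"]["seq"]
        expected = integrity_mark(self.key, entry["record"], self.prev_mark)
        if not hmac.compare_digest(expected, entry["mark"]):
            return {"seq": seq, "status": "rejected"}  # negative acknowledgement
        self.prev_mark = entry["mark"].encode()
        self.entries[seq] = entry
        return {"seq": seq, "status": "ok", "mark": entry["mark"]}

    def first_bad_seq(self):
        """Audit pass: re-walk the chain; return the first seq whose mark fails, else None."""
        prev = GENESIS_MARK
        for seq in sorted(self.entries):
            entry = self.entries[seq]
            if not hmac.compare_digest(integrity_mark(self.key, entry["record"], prev), entry["mark"]):
                return seq
            prev = entry["mark"].encode()
        return None


def run_pipeline(lines, key=TEE_SEALED_KEY, service_id="pl-001"):
    """Transmit each marked entry, wait for its ack, then forward it to the target service."""
    producer, storage = TeeLogProducer(key, service_id), LogStorage(key)
    forwarded = []  # entries handed to the requesting service (the "after" variant of claim 10)
    for line in lines:
        entry = producer.emit(line)
        ack = storage.receive(entry)  # stands in for the encrypted channel
        if ack["status"] == "ok" and ack["mark"] == entry["mark"]:
            forwarded.append(entry)
    return storage, forwarded
```

Because the mark is an HMAC, the storage side holds the same key as the TEE and could in principle forge marks itself; with an asymmetric signature whose private key stays sealed in the TEE, the storage location and any later auditor would need only the public verification key, which matches the "trusted credential information" of claim 6 more closely. The HMAC form is used here only to keep the example within the standard library.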
CN202410232864.XA 2024-02-29 2024-02-29 Trusted processing method and device for log, computer equipment and storage medium Pending CN118094623A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410232864.XA CN118094623A (en) 2024-02-29 2024-02-29 Trusted processing method and device for log, computer equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202410232864.XA CN118094623A (en) 2024-02-29 2024-02-29 Trusted processing method and device for log, computer equipment and storage medium

Publications (1)

Publication Number Publication Date
CN118094623A true CN118094623A (en) 2024-05-28

Family

ID=91154805

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202410232864.XA Pending CN118094623A (en) 2024-02-29 2024-02-29 Trusted processing method and device for log, computer equipment and storage medium

Country Status (1)

Country Link
CN (1) CN118094623A (en)

Similar Documents

Publication Publication Date Title
CN110826111B (en) Test supervision method, device, equipment and storage medium
CN108923908B (en) Authorization processing method, device, equipment and storage medium
US11296934B2 (en) Device provisioning system
CN108780485B (en) Pattern matching based data set extraction
WO2020000722A1 (en) Method and apparatus for saving server log
CN112149105A (en) Data processing system, method, related device and storage medium
US11803461B2 (en) Validation of log files using blockchain system
CN110336675B (en) Monitoring method and device for digital certificate expiration date
CN113221166A (en) Method and device for acquiring block chain data, electronic equipment and storage medium
WO2021174870A1 (en) Network security risk inspection method and system, computer device, and storage medium
CA3216355C (en) Generating synthetic transactions with packets
US20230244797A1 (en) Data processing method and apparatus, electronic device, and medium
US20170237716A1 (en) System and method for interlocking intrusion information
CN111611620A (en) Access request processing method of access platform and related device
CN116522308A (en) Database account hosting method, device, computer equipment and storage medium
Feng et al. Autonomous Vehicles' Forensics in Smart Cities
CN114189515B (en) SGX-based server cluster log acquisition method and device
CN113608907B (en) Database auditing method, device, equipment, system and storage medium
CN118094623A (en) Trusted processing method and device for log, computer equipment and storage medium
CN115114657A (en) Data protection method, electronic device and computer storage medium
CN110677483B (en) Information processing system and trusted security management system
CN100555237C (en) Be used to detect and prevent the method and system of replay attack
KR101435592B1 (en) A log verification device for the contents distribution log of authoring content provided as an online service
CN117194334B (en) Log storage method, device, equipment and medium of distributed log storage system
CN113037724B (en) Method and device for detecting illegal access

Legal Events

Date Code Title Description
PB01 Publication