CN103440461B - A kind of PDF document security auditing method - Google Patents

A PDF document security auditing method

Info

Publication number
CN103440461B
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201310422819.2A
Other languages
Chinese (zh)
Other versions
CN103440461A (en)
Inventor
王继志
杨光
王美琴
王英龙
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shandong Computer Science Center
Original Assignee
Shandong Computer Science Center
Application filed by Shandong Computer Science Center
Priority to CN201310422819.2A
Publication of CN103440461A
Application granted
Publication of CN103440461B

Landscapes

  • Storage Device Security (AREA)

Abstract

A PDF document security auditing method that uses a method for embedding security audit code in a PDF document together with a log recording and alarm method, and uses the security audit code to audit a target PDF document. The method includes the following processes: preprocessing the target PDF document; and recording a security audit when the preprocessed target PDF document is opened on a terminal host. By embedding the security audit code in the target PDF document and binding the two together, the invention can monitor unauthorized opening or leakage of the PDF document and provide clues or evidence of the leak. No monitoring software needs to be deployed on the terminal host, configuration is simple, and because the security audit code is bound to the target PDF document, a malicious attacker is effectively prevented from bypassing the monitoring software.

Description

A PDF document security auditing method
Technical field
The present invention relates to the technical field of document security monitoring, and specifically to a PDF document security auditing method.
Background
In enterprises and institutions today, important and even confidential information is commonly stored as office documents, and PDF, as a cross-platform office document format, is widely used. Information security auditing of PDF documents has therefore become an important problem.
At present, security audit systems for office documents mostly adopt a client/server structure. For example, the patent with application number CN201010226282.9 discloses a document monitoring and management system based on comprehensive security audit. That system requires client software to be installed on each host to be monitored; it monitors document operations on the client host and forbids operations that violate the security policy. The advantage of this scheme is that the client host can be monitored at a fine granularity. The disadvantages are that system deployment and configuration are complex, that the system fails if the client software is maliciously uninstalled from the client host, and that a document operated on a host without the client software installed escapes monitoring.
Therefore, in existing document security audit systems the document monitoring software is separate from the monitored document, and a malicious attacker can find a way to bypass or disable the monitoring software, so that the security audit system cannot work properly.
Summary of the invention
In view of the above deficiencies, the invention provides a PDF document security auditing method, a new method of security auditing for PDF documents that effectively ensures the security of PDF documents.
The technical solution adopted by the invention to solve its technical problem is a PDF document security auditing method, characterized in that it uses a method for embedding security audit code in a PDF document together with a log recording and alarm method, and uses the security audit code to audit a target PDF document. The method includes the following processes:
Preprocessing the target PDF document;
Recording a security audit when the preprocessed target PDF document is opened on a terminal host.
Further, the process of preprocessing the target PDF document comprises the following steps:
A1: determine the PDF document that needs security auditing, called the target PDF document;
A2: using the method for embedding security audit code in a PDF document, embed the security audit code in the target PDF document;
A3: generate the digital signature of the target PDF document;
A4: using the method for embedding security audit code in a PDF document, embed the digital signature generated in step A3 in the target PDF document.
Further, the step of embedding the security audit code in the target PDF document includes the following specific steps:
A21), according to the PDF specification, find the Catalog object in the target PDF document and extract the complete information of the root object;
A22), extract the first entry of the cross-reference table and the full contents of the trailer, and extract the value of the last startxref field;
A23), copy the content of the target PDF document to a new PDF document;
A24), add an OpenAction field at the end of the root object, rewrite the root object at the end of the new PDF document, and append the security audit code to the end of the new PDF document;
A25), add a new cross-reference table and modify the offset of the root object;
A26), add the cross-reference table entry for the new object, and modify the values of the Prev and Size fields of the trailer;
A27), add the end-of-file marker to form the new target PDF document.
Further, the step of generating the digital signature of the target PDF document includes the following specific steps:
A31), read in the PDF document generated in step A2 and use a hash algorithm to generate the message digest of that PDF document;
A32), use a digital signature algorithm to sign the message digest.
Further, the step of embedding the digital signature generated in step A3 in the target PDF document includes the following specific steps:
A41), according to the PDF specification, find the Catalog object in the target PDF document and extract the complete information of the root object;
A42), extract the first entry of the cross-reference table and the full contents of the trailer, and extract the value of the last startxref field;
A43), copy the content of the target PDF document to a new PDF document;
A44), find the OpenAction field in the root object, locate the security audit code written in step A2, and append the digital signature generated in step A3 after the security audit code;
A45), modify the offset of the root object;
A46), modify the values of the Prev and Size fields of the trailer;
A47), add the end-of-file marker to form the new target PDF document.
Further, the process of recording a security audit when the preprocessed target PDF document is opened on a terminal host comprises the following steps:
B1: by executing the security audit code, verify the digital signature in the target PDF document; if the digital signature is correct, go to step B2; otherwise close the target PDF document;
B2: obtain the IP address, MAC address, host name and login user name of the terminal host and the time at which the target PDF document was opened and, by continuing to execute the security audit code, send this information to the log server by Web form submission;
B3: the log server compares the received information with the preset security policy; if it complies, the received information is stored in the log file; otherwise an alarm message is issued and the received information is also stored in the log file.
The beneficial effects of the invention are as follows: by embedding the security audit code in the target PDF document and binding the two together, the invention avoids the shortcoming of earlier methods, in which the monitoring system could be bypassed. It can monitor unauthorized opening or leakage of the PDF document and provide clues or evidence of the leak, offering a new method for the security auditing of PDF documents.
The invention does not need monitoring software to be deployed on the terminal host, configuration is simple, and because the security audit code is bound to the target PDF document, a malicious attacker is effectively prevented from bypassing the monitoring software.
Brief description of the drawings
Fig. 1 is a flowchart of the method of the invention for preprocessing the target PDF document;
Fig. 2 is a flowchart of the method of the invention for recording a security audit of the target PDF document.
Detailed description of the invention
To explain the technical features of this scheme clearly, the invention is described in detail below through a specific embodiment, with reference to the accompanying drawings.
As shown in Fig. 1 and Fig. 2, the PDF document security auditing method of the invention uses a method for embedding security audit code in a PDF document together with a log recording and alarm method, and uses the security audit code to audit a target PDF document. The method includes the following processes:
Preprocessing the target PDF document;
Recording a security audit when the preprocessed target PDF document is opened on a terminal host.
As shown in Fig. 1, the process of preprocessing the target PDF document comprises the following steps:
A1: determine the PDF document that needs security auditing, called the target PDF document.
A2: using the method for embedding security audit code in a PDF document, embed the security audit code in the target PDF document. The specific steps are:
A21), according to the PDF specification, find the Catalog object in the target PDF document and extract the complete information of the root object;
A22), extract the first entry of the cross-reference table and the full contents of the trailer (in particular its Size and Prev fields), and extract the value of the last startxref field;
A23), copy the content of the target PDF document to a new PDF document;
A24), add an OpenAction field at the end of the root object, rewrite the root object at the end of the new PDF document, and append the security audit code to the end of the new PDF document;
A25), add a new cross-reference table and modify the offset of the root object;
A26), add the cross-reference table entry for the new object, and modify the values of the Prev and Size fields of the trailer;
A27), add the end-of-file marker, %%EOF, to form the new target PDF document.
A3: generate the digital signature of the target PDF document. The specific steps are:
A31), read in the PDF document generated in step A2 and use a published hash algorithm such as MD5 or SHA-1 to generate the message digest of that PDF document;
A32), use a published digital signature algorithm such as RSA to sign the message digest.
A4: using the method for embedding security audit code in a PDF document, embed the digital signature generated in step A3 in the target PDF document. The specific steps are:
A41), according to the PDF specification, find the Catalog object in the target PDF document and extract the complete information of the root object;
A42), extract the first entry of the cross-reference table and the full contents of the trailer (in particular its Size and Prev fields), and extract the value of the last startxref field;
A43), copy the content of the target PDF document to a new PDF document;
A44), find the OpenAction field in the root object, locate the security audit code written in step A2, and append the digital signature generated in step A3 after the security audit code;
A45), modify the offset of the root object;
A46), modify the values of the Prev and Size fields of the trailer;
A47), add the end-of-file marker, %%EOF, to form the new target PDF document.
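Steps A21 to A27 amount to a PDF incremental update: the original bytes are kept, a rewritten Catalog and the new object are appended, and a new cross-reference section whose trailer carries Prev and Size points back to the earlier one. The Python below is an added example, not code from the patent, showing how a reviewer can walk that chain and report which revision gave the Catalog an OpenAction; the sample file, function names and placeholder action are constructed for illustration, and only classic cross-reference tables (not cross-reference streams) are handled.

```python
import re

def build_sample() -> bytes:
    """Constructed input: a base PDF plus one incremental update (A23-A27)."""
    out, offs = bytearray(b"%PDF-1.4\n"), {}
    def obj(num: int, body: bytes) -> None:
        offs[num] = len(out)
        out.extend(b"%d 0 obj\n%s\nendobj\n" % (num, body))
    def xref(sections, trailer: bytes) -> int:
        pos = len(out)
        out.extend(b"xref\n")
        for first, nums in sections:
            out.extend(b"%d %d\n" % (first, len(nums)))
            for n in nums:
                out.extend(b"%010d 00000 n \n" % offs[n] if n else b"0000000000 65535 f \n")
        out.extend(b"trailer\n<< %s >>\nstartxref\n%d\n%%%%EOF\n" % (trailer, pos))
        return pos
    obj(1, b"<< /Type /Catalog /Pages 2 0 R >>")
    obj(2, b"<< /Type /Pages /Kids [] /Count 0 >>")
    base = xref([(0, [0, 1, 2])], b"/Size 3 /Root 1 0 R")
    # Incremental update: rewritten Catalog and a new action object at the tail.
    obj(1, b"<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>")
    obj(3, b"<< /S /JavaScript /JS (/* placeholder, no real code */) >>")
    xref([(1, [1]), (3, [3])], b"/Size 4 /Root 1 0 R /Prev %d" % base)
    return bytes(out)

def _field(blob: bytes, pattern: bytes):
    m = re.search(pattern, blob)
    return int(m.group(1)) if m else None

def _body(pdf: bytes, offset: int) -> bytes:
    return pdf[offset:pdf.index(b"endobj", offset)]

def parse_xref(pdf: bytes, pos: int):
    """Parse one classic xref section; return ({object: offset}, trailer bytes)."""
    t = pdf.index(b"trailer", pos)
    table, num = {}, 0
    for line in pdf[pos:t].split(b"\n")[1:]:      # skip the "xref" keyword line
        parts = line.split()
        if len(parts) == 2:                       # subsection header: first count
            num = int(parts[0])
        elif len(parts) == 3:                     # entry: offset generation n|f
            if parts[2] == b"n":
                table[num] = int(parts[0])
            num += 1
    return table, pdf[t:pdf.index(b"startxref", t)]

def audit(pdf: bytes) -> dict:
    """Walk startxref -> trailer -> /Prev (newest first) and inspect the Catalog."""
    pos = _field(pdf[pdf.rindex(b"startxref"):], rb"startxref\s+(\d+)")
    merged, revisions, seen, root = {}, [], set(), None
    while pos is not None and pos not in seen:    # 'seen' stops a /Prev loop
        seen.add(pos)
        table, trailer = parse_xref(pdf, pos)
        for n, off in table.items():
            merged.setdefault(n, off)             # newest revision wins
        root = root or _field(trailer, rb"/Root\s+(\d+)\s+\d+\s+R")
        revisions.append({
            "xref": pos, "size": _field(trailer, rb"/Size\s+(\d+)"), "objects": sorted(table),
            "open_action": root in table and b"/OpenAction" in _body(pdf, table[root])})
        pos = _field(trailer, rb"/Prev\s+(\d+)")
    catalog = _body(pdf, merged[root])
    ref = _field(catalog, rb"/OpenAction\s+(\d+)\s+\d+\s+R")
    action = _body(pdf, merged[ref]) if ref else catalog.partition(b"/OpenAction")[2]
    kind = re.search(rb"/S\s*/(\w+)", action)
    return {"revisions": revisions, "action_object": ref,
            "action_type": kind.group(1).decode() if kind else None}
```

On the constructed sample, `audit(build_sample())` reports two revisions, with the newest one rewriting object 1 and adding object 3 as a JavaScript open action.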
As shown in Fig. 2, the process of recording a security audit when the preprocessed target PDF document is opened on a terminal host comprises the following steps:
B1: by executing the security audit code, verify the digital signature in the target PDF document; if the digital signature is correct, go to step B2; otherwise close the target PDF document.
B2: obtain the IP address, MAC address, host name and login user name of the terminal host and the time at which the target PDF document was opened and, by continuing to execute the security audit code, send this information to the log server by Web form submission.
B3: the log server compares the received information with the preset security policy; if it complies, the received information is stored in the log file; otherwise an alarm message is issued and the received information is also stored in the log file.
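The server-side check in step B3 can be sketched as follows. This is an added example, not code from the patent: the form field names, the policy format (allowed networks and user names) and the sample values are assumptions, since the patent does not define them. Every submission is logged, and a non-empty list of reasons stands for the alarm.

```python
import ipaddress
import json
from urllib.parse import parse_qs

# Assumed policy format and form field names (not defined by the patent).
POLICY = {"networks": ["10.20.0.0/16"], "users": {"zhang.wei", "li.na"}}
FIELDS = ("ip", "mac", "host", "user", "opened")

def handle_submission(body: str, policy: dict, log: list) -> list:
    """Step B3: compare one form submission with policy; always log it."""
    form = parse_qs(body, keep_blank_values=True)
    record = {f: form.get(f, [""])[0] for f in FIELDS}
    reasons = [f"missing {f}" for f in FIELDS if not record[f]]
    try:
        addr = ipaddress.ip_address(record["ip"])
        if not any(addr in ipaddress.ip_network(n) for n in policy["networks"]):
            reasons.append("ip outside allowed networks")
    except ValueError:
        if record["ip"]:
            reasons.append("malformed ip")
    if record["user"] and record["user"] not in policy["users"]:
        reasons.append("user not authorised")
    record["alert"] = bool(reasons)
    # The fields are client-supplied; JSON escaping keeps each record on one
    # log line even if a value contains CR/LF.
    log.append(json.dumps(record, sort_keys=True))
    return reasons
```

Because all five values are reported by the document itself, a deployment would normally also record the connection's peer address next to them.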
The above is the preferred embodiment of the invention. Those skilled in the art may make improvements and modifications without departing from the principles of the invention, and such improvements and modifications are also regarded as falling within the scope of protection of the invention.

Claims (4)

1. A PDF document security auditing method, characterized in that it uses a method for embedding security audit code in a PDF document together with a log recording and alarm method, and uses the security audit code to audit a target PDF document, the method including the following processes:
Preprocessing the target PDF document;
Recording a security audit when the preprocessed target PDF document is opened on a terminal host;
The process of preprocessing the target PDF document comprises the following steps:
A1: determine the PDF document that needs security auditing, called the target PDF document;
A2: using the method for embedding security audit code in a PDF document, embed the security audit code in the target PDF document;
A3: generate the digital signature of the target PDF document;
A4: using the method for embedding security audit code in a PDF document, embed the digital signature generated in step A3 in the target PDF document;
The step of embedding the security audit code in the target PDF document includes the following specific steps:
A21), according to the PDF specification, find the Catalog object in the target PDF document and extract the complete information of the root object;
A22), extract the first entry of the cross-reference table and the full contents of the trailer, and extract the value of the last startxref field;
A23), copy the content of the target PDF document to a new PDF document;
A24), add an OpenAction field at the end of the root object, rewrite the root object at the end of the new PDF document, and append the security audit code to the end of the new PDF document;
A25), add a new cross-reference table and modify the offset of the root object;
A26), add the cross-reference table entry for the new object, and modify the values of the Prev and Size fields of the trailer;
A27), add the end-of-file marker to form the new target PDF document.
2. The PDF document security auditing method according to claim 1, characterized in that the step of generating the digital signature of the target PDF document includes the following specific steps:
A31), read in the PDF document generated in step A2 and use a hash algorithm to generate the message digest of that PDF document;
A32), use a digital signature algorithm to sign the message digest.
3. The PDF document security auditing method according to claim 1, characterized in that the step of embedding the digital signature generated in step A3 in the target PDF document includes the following specific steps:
A41), according to the PDF specification, find the Catalog object in the target PDF document and extract the complete information of the root object;
A42), extract the first entry of the cross-reference table and the full contents of the trailer, and extract the value of the last startxref field;
A43), copy the content of the target PDF document to a new PDF document;
A44), find the OpenAction field in the root object, locate the security audit code written in step A2, and append the digital signature generated in step A3 after the security audit code;
A45), modify the offset of the root object;
A46), modify the values of the Prev and Size fields of the trailer;
A47), add the end-of-file marker to form the new target PDF document.
4. The PDF document security auditing method according to any one of claims 1 to 3, characterized in that the process of recording a security audit when the preprocessed target PDF document is opened on a terminal host comprises the following steps:
B1: by executing the security audit code, verify the digital signature in the target PDF document; if the digital signature is correct, go to step B2; otherwise close the target PDF document;
B2: obtain the IP address, MAC address, host name and login user name of the terminal host and the time at which the target PDF document was opened and, by continuing to execute the security audit code, send the obtained IP address, MAC address, host name and login user name of the terminal host and the opening time of the target PDF document to the log server by Web form submission;
B3: the log server compares the received information with the preset security policy; if it complies, the received information is stored in the log file; otherwise an alarm message is issued and the received information is also stored in the log file.
CN201310422819.2A 2013-09-16 2013-09-16 A kind of PDF document security auditing method Active CN103440461B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310422819.2A CN103440461B (en) 2013-09-16 2013-09-16 A kind of PDF document security auditing method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201310422819.2A CN103440461B (en) 2013-09-16 2013-09-16 A kind of PDF document security auditing method

Publications (2)

Publication Number Publication Date
CN103440461A CN103440461A (en) 2013-12-11
CN103440461B true CN103440461B (en) 2016-07-06

Family

ID=49694154

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310422819.2A Active CN103440461B (en) 2013-09-16 2013-09-16 A kind of PDF document security auditing method

Country Status (1)

Country Link
CN (1) CN103440461B (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104063633B (en) * 2014-04-29 2017-05-31 航天恒星科技有限公司 A kind of safety auditing system based on filtration drive
CN104091098A (en) * 2014-07-15 2014-10-08 福建师范大学 Document operation safety auditing system
CN107229843A (en) * 2016-03-23 2017-10-03 福建福昕软件开发股份有限公司 A kind of method of automatic alarm after encrypted document is divulged a secret
CN108234488A (en) * 2017-12-29 2018-06-29 北京长御科技有限公司 A kind of file tracking method and device
WO2020034153A1 (en) * 2018-08-16 2020-02-20 朱小军 Bionic data cell body
CN112035837B (en) * 2020-07-31 2023-06-20 中国人民解放军战略支援部队信息工程大学 Malicious PDF document detection system and method based on mimicry defense

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102622545A (en) * 2012-03-01 2012-08-01 重庆大学 Picture file tracking method
CN102622562A (en) * 2012-02-27 2012-08-01 中山大学 PDF (Portable Document Format) file information embedding and extracting method based on PDF cross reference table

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2008217340A (en) * 2007-03-02 2008-09-18 Fuji Xerox Co Ltd Document discard processing system and program

Also Published As

Publication number Publication date
CN103440461A (en) 2013-12-11

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant