CN104239478A - File monitoring method and device - Google Patents

Info

Publication number: CN104239478A
Authority: CN (China)
Prior art keywords: event, list, rule item, action, name
Legal status: Granted
Application number: CN201410448557.1A
Other languages: Chinese (zh)
Other versions: CN104239478B (en)
Inventor: 张景逸
Current assignee: Shanghai Supreme Being Joins Information Technology Share Co Ltd
Original assignee: Shanghai Supreme Being Joins Information Technology Share Co Ltd
Priority date
Filing date
Publication date

Events
Application filed by Shanghai Supreme Being Joins Information Technology Share Co Ltd
Priority to CN201410448557.1A
Publication of CN104239478A
Application granted
Publication of CN104239478B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/10 File systems; File servers
    • G06F16/17 Details of further file system functions
    • G06F16/1734 Details of monitoring file system events, e.g. by the use of hooks, filter drivers, logs

Abstract

The invention discloses a file monitoring method and a file monitoring device. The method comprises the following steps: collecting the audit records that the audit unit of the operating system produces for a file; generating events from the collected audit records and putting them into an event list; reading the events in the event list, identifying the events of the types selected by the user with a preset event identification rule, and putting the identified events of the user-selected types into an action event list; and reading the events in the action event list and executing the corresponding actions according to a preset action rule. With this scheme, file change notification becomes more flexible, and the method and device can meet the diversified requirements of users.

Description

File monitoring method and device
Technical field
The present invention relates to the field of information security technology, and in particular to a file monitoring method and device.
Background technology
With the continuous progress and development of science and technology, computer science and technology has also advanced by leaps and bounds. Computer system security technology is a focus of network information system development. The traditional computer security model uses means such as strict access authorization control and data encryption to build a protective layer around the computer. However, this approach does not monitor the integrity of data.
The prior art also contains mechanisms that monitor the integrity of the files of a computer system, for example the file change notification mechanism provided by Linux systems: it uses Inotify to monitor files, and when a monitored file changes, Incron (the counterpart of the Cron system within the file change notification mechanism) sends the corresponding file change message and executes the corresponding action according to preset rules, such as file restoration and message notification.
However, the above file integrity monitoring method has the problem of poor flexibility and cannot meet the diversified requirements of users.
Summary of the invention
The problem solved by the embodiments of the present invention is to improve the flexibility of file monitoring and to meet the diversified requirements of users.
To solve the above problem, an embodiment of the present invention provides a file monitoring method, which comprises:
collecting the audit records that the audit unit of the operating system produces for the file;
generating events from the collected audit records and putting them into an event list;
reading the events in the event list, identifying the events of the user-selected type in the event list with a preset event identification rule, and putting the identified events of the user-selected type into an action event list;
reading the events in the action event list and executing the corresponding actions according to a preset action rule.
Optionally, the audit unit of the operating system comprises the audit unit of the Linux operating system.
Optionally, the event identification rule comprises multiple event identification rule items, and the event identification rule items comprise a name rule item, a display rule item and an audit-record rule item, wherein:
the name rule item represents the name of the event to be identified;
the display rule item represents the display mode of the event to be identified;
the audit-record rule item represents the type of audit record that corresponds to the event to be identified.
Optionally, the preset action rule comprises multiple action rule items, and the action rule items comprise an event name rule item and an action execution rule item, wherein:
the event name rule item represents the name of the event that triggers the corresponding action, and this name is identical to the name in the name rule item of the event identification rule that identifies the event;
the action execution rule item represents the information of the corresponding action to be executed when the event occurs.
Optionally, the method further comprises: storing the event identification rule in a rule list, and using the type of the first audit record in the event of the user-selected type that the event identification rule identifies as the index of the event identification rule.
Optionally, the method further comprises: maintaining an inode list, the inode list comprising the inode identifier and the absolute path information of the file.
Optionally, maintaining the inode list comprises: adding, modifying or deleting the inode identifier and absolute path information of the specified file in the inode list.
Optionally, the event identification rule further comprises a list maintenance rule item, which records the maintenance operation for the inode list.
An embodiment of the present invention further provides a file monitoring device, which comprises:
a collection unit, adapted to collect the audit records that the audit unit of the operating system produces for the file;
a generation unit, adapted to generate events from the collected audit records and put them into an event list;
a recognition unit, adapted to read the events in the event list, identify the events of the user-selected type in the event list with a preset event identification rule, and put the identified events of the user-selected type into an action event list;
an execution unit, adapted to read the events in the action event list and execute the corresponding actions according to a preset action rule.
Optionally, the audit unit of the operating system comprises the audit unit of the Linux operating system.
Optionally, the event identification rule comprises multiple event identification rule items, and the event identification rule items comprise a name rule item, a display rule item and an audit-record rule item, wherein:
the name rule item represents the name of the event to be identified;
the display rule item represents the display mode of the event to be identified;
the audit-record rule item represents the type of audit record that corresponds to the event to be identified.
Optionally, the preset action rule comprises multiple action rule items, and the action rule items comprise an event name rule item and an action execution rule item, wherein:
the event name rule item represents the name of the event that triggers the corresponding action, and this name is identical to the name set by the name rule item of the event identification rule;
the action execution rule item represents the information of the corresponding action to be executed when the event occurs.
Optionally, the device further comprises: a storage unit, adapted to store the event identification rule in a rule list and to use the type of the first audit record in the event of the user-selected type that the event identification rule identifies as the index of the event identification rule.
Optionally, the device further comprises: a maintenance unit, adapted to maintain an inode list, the inode list comprising the inode identifier and the absolute path information of the file.
Optionally, maintaining the inode list comprises: adding, modifying or deleting the inode identifier and absolute path information of the specified file in the inode list.
Optionally, the event identification rule further comprises a list maintenance rule item, which records the maintenance operation for the inode list.
Compared with the prior art, the technical scheme of the present invention has the following advantages:
By using the audit mechanism provided by the operating system to monitor files, packing the audit records into events, identifying the events of the user-selected type according to event identification rules preset by the user, and executing the corresponding actions, file change notification becomes more versatile and flexible and can meet the diversified requirements of users.
Further, because the event identification rule is stored in a rule list and the first rule item of the event identification rule is used as its index, events can be matched against event identification rules quickly, which improves the efficiency of event recognition and thereby the efficiency of file monitoring.
Further, because the inode list contains the inode identifier and the absolute path information of the specified file, when the information of a new specified file is added to the inode list, file creation events can be identified quickly and the absolute path of the file obtained quickly.
Brief description of the drawings
Fig. 1 is a flow chart of a file monitoring method in an embodiment of the present invention;
Fig. 2 is a flow chart of another file monitoring method in an embodiment of the present invention;
Fig. 3 is a schematic structural diagram of a file monitoring device in an embodiment of the present invention.
Detailed description
In the prior art, the Linux operating system uses the file change notification mechanism (Inotify) to monitor files. When a monitored file changes, Inotify sends a file change notification message; Incron, the counterpart of the scheduled task (Cron) system in the file change notification mechanism, receives the corresponding message and performs the pre-configured operation, such as file restoration and message notification.
However, this file monitoring mechanism focuses on monitoring the actions of a file change (modify, open, create, delete, and so on) and does not provide any information about the file change event itself. Furthermore, the file change events of Incron are all predefined and cannot be customized by the user, and Incron does not support referencing any information related to the file change event; hence the problem of poor flexibility.
To solve the above problems of the prior art, the embodiments of the present invention monitor files by using the audit unit provided by the operating system, pack the audit records into events, identify the events of the user-selected type according to event identification rules preset by the user, and execute the corresponding actions, so that file change notification becomes more versatile and flexible and can meet the diversified requirements of users.
To make the above objects, features and advantages of the present invention more apparent, specific embodiments of the present invention are described in detail below with reference to the accompanying drawings.
Fig. 1 shows a flow chart of a file monitoring method in an embodiment of the present invention. The file monitoring method shown in Fig. 1 may comprise:
Step S11: collecting the audit records that the audit unit of the operating system produces for the file.
In a specific implementation, the audit unit of the operating system monitors the file and forms audit records.
Step S12: generating events from the collected audit records and putting them into an event list.
In a specific implementation, an event comprises at least one audit record.
Step S13: reading the events in the event list, identifying the events of the user-selected type in the event list with a preset event identification rule, and putting the identified events of the user-selected type into an action event list.
In a specific implementation, the event identification rule can be set by the user according to the user's own needs.
Step S14: reading the events in the action event list and executing the corresponding actions according to a preset action rule.
In a specific implementation, the preset action rule can be set by the user according to the user's own needs.
Fig. 2 shows a flow chart of another file monitoring method in an embodiment of the present invention. The file monitoring method shown in Fig. 2 may comprise:
Step S21: collecting the audit records that the audit unit of the Linux operating system produces for the file.
In a specific implementation, the audit records that the audit unit of the Linux operating system produces for the file may contain several items of information related to the file change event, such as the user identifier (UID) of the file change event, the process identifier (PID) of the process created by the calling program, and the system call information.
Step S22: generating events from the collected audit records and putting them into an event list.
In a specific implementation, the user can generate the corresponding events from the collected audit records according to the user's own needs. An event may contain one or more audit records, and each audit record may contain several items of information related to the file change, for example the time at which the file change occurred, the sequence number and the type of the audit record.
In a specific implementation, whenever a new event is generated, it is stored in the event list for further processing.
Step S23: storing the preset event identification rule in a rule list.
In a specific implementation, the event identification rule may comprise multiple event identification rule items, which may comprise a name rule item, a display rule item and an audit-record rule item, wherein: the name rule item represents the name of the event to be identified; the display rule item represents the display mode of the event to be identified; the audit-record rule item represents the type of audit record that corresponds to the event to be identified.
For example, in one embodiment of the invention, the event identification rule may take the following form:
%%
ACTION:modify_by_human
DISPLAY:%user% at %cwd% used %exe% to %action% %name% with %tty%
INODE:modify
SYSCALL:syscall=(^2|257$),tty=(?!\(none\)$).*
%%
Here "%%" is the marker of an event identification rule, and the part between the two "%%" markers is the event identification rule.
"ACTION:modify_by_human" is the name rule item: "ACTION:" is the marker of the name rule item, and "modify_by_human" (modified by a human) is the name of the event that this event identification rule identifies.
"DISPLAY:%user% at %cwd% used %exe% to %action% %name% with %tty%" is the display rule item, wherein:
"DISPLAY:" is the marker of the display rule item, and "%user% at %cwd% used %exe% to %action% %name% with %tty%" is the concrete display rule: %user% stands for the user who initiated the event, %cwd% for the directory the user is in, %exe% for the program the user invoked, %action% for the name of the action the user performed, %name% for the absolute path of the file, %syscall% for the name of the invoked system call, and %tty% for the identifier of the virtual terminal provided by the operating system.
"INODE:modify" is the inode list maintenance rule item: "INODE:" is the marker of the inode list maintenance rule item, and "modify" indicates that the maintenance operation on the inode list of the file is a modification.
"SYSCALL:syscall=(^2|257$),tty=(?!\(none\)$).*" is the system call rule item: "SYSCALL:" is the marker of the system call rule item; "syscall=(^2|257$)" indicates that the value of syscall in the audit record contained in the event is 2 or 257; and "tty=(?!\(none\)$).*" indicates that the value of tty is not "(none)".
In a specific implementation, the event identification rule may be used to identify events in the event list.
In a specific implementation, to improve the speed of matching event identification rules against events, when an event identification rule is stored in the rule list, the type of the first audit record in the event of the user-selected type that the rule can identify may be used as the index of the rule. In this way, when the index of an event identification rule matches the type of the first record of an event in the event list, the event can be determined to be an event of the specific type that the rule identifies, which improves the efficiency of event recognition.
Step S24: reading the events in the event list, identifying the events of the user-selected type in the event list with the event identification rule, and putting the identified events of the user-selected type into an action event list.
In a specific implementation, when the event identification rules stored in the rule list are used to identify events in the event list, the corresponding event identification rule can be retrieved by the first event identification rule item of the rule; an event is read from the event list and matched against the retrieved rule, and when an event in the event list matches an event identification rule in the rule list, the identified event is put into the action event list for further processing.
Step S25: maintaining the inode list.
In a specific implementation, the inode list comprises the inode identifier and the absolute path information of the file.
An inode (index node) stores the metadata of a file, including the file size, owner, owning user group and access permissions. The inode indexes the information of each file, so every file has an inode number. According to instructions, the operating system can quickly locate the corresponding file by its inode number.
However, for security reasons the operating system does not allow a user to index a file directly by its inode identifier; the corresponding file can only be found through its file path. At the same time, the audit records that the audit unit of the Linux operating system produces for a file contain only the inode identifier of the file, not its absolute path. Therefore, in one embodiment of the invention, the inode identifier of the file, its absolute path information and the correspondence between them are stored in an inode list; to obtain the absolute path of a file, the inode identifier is read from the audit record and looked up in the inode list, which yields the absolute path quickly. Thus, in order to identify creation events of the file quickly and to obtain the absolute path of the file from its inode quickly, the file monitoring method in the embodiment of the present invention may also comprise the operation of maintaining the inode list.
In a specific implementation, maintaining the inode list comprises: adding, modifying or deleting the inode identifier and absolute path information of the specified file in the inode list.
It should be noted here that, when the audit records for the file contain information about maintenance operations on the inode list, the event identification rule may also comprise a list maintenance rule item, which records the maintenance operation for the inode list.
Step S26: reading the events in the action event list and executing the corresponding actions according to the preset action rule.
In a specific implementation, the preset action rule may comprise multiple action rule items, which may comprise an event name rule item and an action execution rule item, wherein: the event name rule item represents the name of the event that triggers the corresponding action, and this name is identical to the name in the name rule item of the event identification rule that identifies the event; the action execution rule item represents the information of the corresponding action to be executed when the event occurs.
In a specific implementation, the event name rule item of an action rule item can be identical to the name in the name rule item of the event identification rule item, that is, the action rule item can reference the event that triggers the corresponding action. In this way, when the event name rule item in the action rule item is identical to the name item in the event identification rule, the event triggers the execution of the corresponding action in the action execution rule item.
For example, in one embodiment of the invention, the action rule may take the following form:
%%
ACTION:modify_by_human
COMMAND:cp %name%.backup %name% && sendsms --message='%user% modified %name% and the file has been recovered automatically.'
%%
The above action execution rule uses "%%" as its marker, and the part between the two "%%" markers is the content of the action execution rule. Wherein:
"ACTION:modify_by_human" is the event name rule item: "ACTION:" is the marker of the event name rule item, and "modify_by_human" (modified by a human) is the name of the event identified by the event identification rule.
"COMMAND:cp %name%.backup %name% && sendsms --message='%user% modified %name% and the file has been recovered automatically.'" is the action execution rule item, wherein:
"COMMAND:" is the marker of the action execution rule item; "cp %name%.backup %name%" is the first action to be executed in the action execution rule item and means copying "%name%.backup" to "%name%" (that is, restoring the file), where "cp" is the copy operation, "%name%" is the name of the file and "%name%.backup" is the backup file of the file;
"&&" is the connector between two adjacent actions;
"sendsms --message='%user% modified %name% and the file has been recovered automatically.'" is the second action to be executed in the action execution rule item: "sendsms --message=" denotes the action of sending an SMS message and the content of that message, %user% is the user who initiated the event, and %name% is the absolute path of the file.
When the value of "%name%" is "/etc/ssh/sshd_config" and the value of %user% is "Zhang San", the above action execution rule expresses:
when an event named modify_by_human occurs, copy the file "/etc/ssh/sshd_config.backup" to "/etc/ssh/sshd_config" (that is, restore the /etc/ssh/sshd_config file), and send an SMS to the relevant personnel with the content "Zhang San modified the file /etc/ssh/sshd_config, and the file has been recovered automatically".
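An added example (not code from the patent or its assignee) that walks one event through steps S23 to S26 as described above: parsing the "%%"-delimited rules, indexing them by the type of the event's first audit record, matching the SYSCALL fields against the rule's regular expressions, resolving %name% through the inode list, and rendering the DISPLAY and COMMAND templates. The audit records, the uid-to-user table, the inode list contents and the rule item layout (KEY:value lines, comma-separated field=regex conditions) are assumptions; the rendered command string is returned, not executed.

```python
import re

# Constructed rule texts in the page's "%%"-delimited KEY:value format (the SYSCALL
# regex and the DISPLAY/COMMAND templates are the page's own; the layout is assumed).
IDENT_RULES = """
%%
ACTION:modify_by_human
DISPLAY:%user% at %cwd% used %exe% to %action% %name% with %tty%
INODE:modify
SYSCALL:syscall=(^2|257$),tty=(?!\\(none\\)$).*
%%
"""
ACTION_RULES = """
%%
ACTION:modify_by_human
COMMAND:cp %name%.backup %name% && sendsms --message='%user% modified %name% and the file has been recovered automatically.'
%%
"""
RESERVED = {"ACTION", "DISPLAY", "INODE", "COMMAND"}   # items that are not audit-record types
USERS = {"1000": "alice"}                               # constructed uid -> user name table

def parse_rules(text):
    """Split on the %% markers; each rule becomes a list of (key, value) items."""
    rules = []
    for block in text.split("%%"):
        items = [ln.split(":", 1) for ln in block.strip().splitlines() if ":" in ln]
        if items:
            rules.append([(k.strip(), v.strip()) for k, v in items])
    return rules

def build_rule_list(text):
    """Step S23: rule list indexed by the audit-record type of the rule's first record item."""
    table = {}
    for rule in parse_rules(text):
        index = next(k for k, _ in rule if k not in RESERVED)
        table.setdefault(index, []).append(rule)
    return table

def record_matches(record, spec):
    """spec is 'field=regex,field=regex'; every regex must match its field in full."""
    for cond in spec.split(","):
        field, pattern = cond.split("=", 1)
        if re.fullmatch(pattern, record.get(field, "")) is None:
            return False
    return True

def identify(event, rule_list):
    """Step S24: the event's first record type selects the candidate rules; the first
    rule whose record items all match the records of that type identifies the event."""
    by_type = {r["type"]: r for r in event}
    for rule in rule_list.get(event[0]["type"], []):
        if all(record_matches(by_type.get(k, {}), v) for k, v in rule if k not in RESERVED):
            return rule
    return None

class InodeList:
    """Step S25: inode identifier -> absolute path, kept by add/modify/delete operations."""
    def __init__(self, entries):
        self.paths = dict(entries)
    def maintain(self, op, inode, path=None):
        if op == "delete":
            self.paths.pop(inode, None)
        elif op in ("add", "modify") and path is not None:
            self.paths[inode] = path
    def resolve(self, inode):
        return self.paths.get(inode, "<unknown inode %s>" % inode)

def placeholders(event, rule, inodes):
    """Values for the %field% placeholders, taken from the event's records."""
    sc = next((r for r in event if r["type"] == "SYSCALL"), {})
    cwd = next((r for r in event if r["type"] == "CWD"), {})
    path = next((r for r in event if r["type"] == "PATH"), {})
    op = dict(rule).get("INODE", "")
    inodes.maintain(op, path.get("inode"), path.get("name"))   # list maintenance rule item
    return {"user": USERS.get(sc.get("uid", ""), sc.get("uid", "?")), "cwd": cwd.get("cwd", "?"),
            "exe": sc.get("exe", "?"), "action": op, "name": inodes.resolve(path.get("inode")),
            "syscall": sc.get("syscall", "?"), "tty": sc.get("tty", "?")}

def render(template, values):
    """Textual substitution of %field%, as the page's rules do; unknown placeholders stay."""
    return re.sub(r"%(\w+)%", lambda m: values.get(m.group(1), m.group(0)), template)

def monitor(event, ident_text=IDENT_RULES, action_text=ACTION_RULES, inodes=None):
    """Run one event through identification (S24) and action selection (S26). Returns None
    when no rule identifies the event; otherwise the rendered DISPLAY text and the COMMAND
    strings of the action rules whose ACTION name equals the identified rule's name."""
    inodes = inodes if inodes is not None else InodeList({"131073": "/etc/ssh/sshd_config"})
    rule = identify(event, build_rule_list(ident_text))
    if rule is None:
        return None
    name, values = dict(rule)["ACTION"], placeholders(event, rule, inodes)
    commands = [render(dict(a)["COMMAND"], values) for a in parse_rules(action_text)
                if dict(a).get("ACTION") == name]
    return {"display": render(dict(rule)["DISPLAY"], values), "commands": commands}

# Constructed events: each is a list of audit records (dicts carrying a "type").
# On x86-64, syscall 2 is open and 257 is openat, the values the page's rule accepts.
HUMAN_EDIT = [
    {"type": "SYSCALL", "syscall": "257", "uid": "1000", "pid": "4242", "tty": "pts/0", "exe": "/usr/bin/vim"},
    {"type": "CWD", "cwd": "/home/alice"},
    {"type": "PATH", "inode": "131073"},
]
# The same openat() issued by a daemon: tty=(none) must fail the negative lookahead.
DAEMON_EDIT = [dict(HUMAN_EDIT[0], tty="(none)", exe="/usr/sbin/cron")] + HUMAN_EDIT[1:]

if __name__ == "__main__":
    print(monitor(HUMAN_EDIT))
    print(monitor(DAEMON_EDIT))
```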
Fig. 3 shows a schematic structural diagram of a file monitoring device in an embodiment of the present invention. The file monitoring device 30 shown in Fig. 3 may comprise a collection unit 31, a generation unit 32, a recognition unit 33 and an execution unit 34, wherein:
the collection unit 31 is adapted to collect the audit records that the audit unit of the operating system produces for the file.
In a specific implementation, the audit unit of the operating system comprises the audit unit of the Linux operating system.
The generation unit 32 is adapted to generate events from the collected audit records and put them into an event list.
The recognition unit 33 is adapted to read the events in the event list, identify the events of the user-selected type in the event list with a preset event identification rule, and put the identified events of the user-selected type into an action event list.
In a specific implementation, the event identification rule may comprise multiple event identification rule items, which comprise a name rule item, a display rule item and an audit-record rule item, wherein:
the name rule item represents the name of the event to be identified;
the display rule item represents the display mode of the event to be identified;
the audit-record rule item represents the type of audit record that corresponds to the event to be identified.
The execution unit 34 is adapted to read the events in the action event list and execute the corresponding actions according to a preset action rule.
In a specific implementation, the preset action rule may comprise multiple action rule items, which comprise an event name rule item and an action execution rule item, wherein:
the event name rule item represents the name of the event that triggers the corresponding action, and this name is identical to the name in the name rule item of the event identification rule that identifies the event;
the action execution rule item represents the information of the corresponding action to be executed when the event occurs.
In a specific implementation, the file monitoring device 30 shown in Fig. 3 may further comprise a storage unit 35, adapted to store the event identification rule in a rule list and to use the type of the first audit record in the event of the user-selected type that the event identification rule identifies as the index of the event identification rule.
In a specific implementation, the file monitoring device 30 shown in Fig. 3 may further comprise a maintenance unit 36, adapted to maintain an inode list, the inode list comprising the inode identifier and the absolute path information of the file.
In a specific implementation, maintaining the inode list comprises: adding, modifying or deleting the inode identifier and absolute path information of the specified file in the inode list.
In a specific implementation, when the audit records for the file contain maintenance operations on the inode list, the event identification rule may further comprise a list maintenance rule item.
The list maintenance rule item records the maintenance operation for the inode list.
Those of ordinary skill in the art will appreciate that all or part of the steps in the methods of the above embodiments can be completed by a program instructing the relevant hardware; the program can be stored in a computer-readable storage medium, and the storage medium may comprise ROM, RAM, a magnetic disk, an optical disk and the like.
The method and system of the embodiments of the present invention have been described in detail above, but the present invention is not limited thereto. Any person skilled in the art may make various changes or modifications without departing from the spirit and scope of the present invention, and therefore the scope of protection of the present invention shall be defined by the claims.

Claims (16)

1. A file monitoring method, characterized in that it comprises:
collecting audit records of the file from an audit module of the operating system;
generating events from the collected audit records and placing them in an event list;
reading the events in the event list, identifying, using a preset event identification rule, the events of a user-selected type in the event list, and placing the identified events of the user-selected type in an action event list;
reading the events in the action event list and executing the corresponding actions according to preset action rules.
2. The file monitoring method according to claim 1, characterized in that the audit module of the operating system comprises the audit module of the Linux operating system.
3. The file monitoring method according to claim 1, characterized in that the event identification rule comprises a plurality of event identification rule items, each event identification rule item comprising a name rule item, a display rule item and an audit record rule item, wherein:
the name rule item represents the name of the event to be identified;
the display rule item represents the display mode of the event to be identified;
the audit record rule item represents the type of the audit record corresponding to the event to be identified.
4. The file monitoring method according to claim 3, characterized in that the preset action rules comprise a plurality of action rule items, each action rule item comprising an event name rule item and an action execution rule item, wherein:
the event name rule item represents the name of the event that triggers the corresponding action, the name being identical to the name in the name rule item of the event identification rule that identifies the event;
the action execution rule item represents information on the corresponding action to be executed when the event occurs.
5. The file monitoring method according to claim 3, characterized in that it further comprises: storing the event identification rule in a rule list, and using the type of the first audit record in the event of the user-selected type identified by the event identification rule as the index of the event identification rule.
6. The file monitoring method according to any one of claims 1-5, characterized in that it further comprises: maintaining a file location list, the file location list comprising the identifier and absolute-path information of the file location of the file.
7. The file monitoring method according to claim 6, characterized in that maintaining the file location list comprises performing add, modify or delete operations on the identifier and absolute-path information of the file location of the file in the file location list.
8. The file monitoring method according to claim 7, characterized in that the event identification rule further comprises a list maintenance rule item for recording the maintenance operations performed on the file location list.
9. A file monitoring device, characterized in that it comprises:
a collection unit, adapted to collect audit records of the file from an audit module of the operating system;
a generation unit, adapted to generate events from the collected audit records and place them in an event list;
an identification unit, adapted to read the events in the event list, identify, using a preset event identification rule, the events of a user-selected type in the event list, and place the identified events of the user-selected type in an action event list;
an execution unit, adapted to read the events in the action event list and execute the corresponding actions according to preset action rules.
10. The file monitoring device according to claim 9, characterized in that the audit module of the operating system comprises the audit module of the Linux operating system.
11. The file monitoring device according to claim 9, characterized in that the event identification rule comprises a plurality of event identification rule items, each event identification rule item comprising a name rule item, a display rule item and an audit record rule item, wherein:
the name rule item represents the name of the event to be identified;
the display rule item represents the display mode of the event to be identified;
the audit record rule item represents the type of the audit record corresponding to the event to be identified.
12. The file monitoring device according to claim 11, characterized in that the preset action rules comprise a plurality of action rule items, each action rule item comprising an event name rule item and an action execution rule item, wherein:
the event name rule item represents the name of the event that triggers the corresponding action, the name being identical to the name in the name rule item of the event identification rule that identifies the event;
the action execution rule item represents information on the corresponding action to be executed when the event occurs.
13. The file monitoring device according to claim 11, characterized in that it further comprises: a storage unit, adapted to store the event identification rule in a rule list and to use the type of the first audit record in the event of the user-selected type identified by the event identification rule as the index of the event identification rule.
14. The file monitoring device according to any one of claims 9-13, characterized in that it further comprises: a maintenance unit, adapted to maintain a file location list, the file location list comprising the identifier and absolute-path information of the file location of the file.
15. The file monitoring device according to claim 14, characterized in that maintaining the file location list comprises performing add, modify or delete operations on the identifier and absolute-path information of the file location of the specified file in the file location list.
16. The file monitoring device according to claim 15, characterized in that the event identification rule further comprises a list maintenance rule item for recording the maintenance operations performed on the file location list.
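To make the claimed pipeline concrete, the following is an added Python model of claims 1 and 3 to 8 (example code written for this page, not code from the patent or its assignee): audit records are grouped into events, an event identification rule list is indexed by the type of an event's first audit record, events of user-selected types are copied to an action event list, and action rules are executed by event name. The audit record fields, rule names, event serials and the filtering of file events by the file location list are assumptions, not details given in the patent.

```python
from collections import defaultdict
# Constructed sample audit records (fields loosely follow Linux audit: type, serial, name); not real auditd output.
AUDIT_RECORDS = [
    {"serial": 101, "type": "SYSCALL", "syscall": "unlinkat", "uid": 1000},
    {"serial": 101, "type": "PATH", "name": "/etc/app/config.yml", "nametype": "DELETE"},
    {"serial": 102, "type": "SYSCALL", "syscall": "openat", "uid": 1000},
    {"serial": 102, "type": "PATH", "name": "/tmp/scratch", "nametype": "NORMAL"},
    {"serial": 103, "type": "LIST_MAINT", "op": "add", "ident": "secrets", "path": "/etc/app/secrets.env"},
]
# File location list (claims 6-7): identifier -> absolute path of each monitored file.
FILE_LOCATIONS = {"config": "/etc/app/config.yml"}
# Event identification rule items (claim 3: name, display mode, audit record type), indexed by first record type (claim 5).
RULES = {
    "SYSCALL": {"name": "file_access", "display": "{syscall} on {name} by uid {uid}", "audit_type": "SYSCALL"},
    "LIST_MAINT": {"name": "list_maintenance", "display": "{op} {ident} -> {path}", "audit_type": "LIST_MAINT"},
}
# Action rule items (claim 4): event name, identical to the rule's name item -> action to execute.
ACTIONS = {"file_access": "alert", "list_maintenance": "update_list"}

def maintain_file_locations(op, ident, path=None):  # add, modify or delete an entry (claim 7)
    if op in ("add", "modify"):
        FILE_LOCATIONS[ident] = path
    elif op == "delete":
        FILE_LOCATIONS.pop(ident, None)

def generate_events(records):  # event list: audit records sharing a serial form one event
    events = defaultdict(list)
    for rec in records:
        events[rec["serial"]].append(rec)
    return [events[s] for s in sorted(events)]

def identify_events(event_list, selected_types):  # rule lookup keyed by the first record's type
    action_events = []
    for event in event_list:
        rule = RULES.get(event[0]["type"])
        fields = {k: v for rec in event for k, v in rec.items()}
        if rule is None or rule["name"] not in selected_types or (
                "name" in fields and fields["name"] not in FILE_LOCATIONS.values()):
            continue  # unknown type, not user-selected, or (assumption) path not in the file location list
        action_events.append({"name": rule["name"], "display": rule["display"].format(**fields), "records": event})
    return action_events

def execute_actions(action_events):  # returns (action, display) pairs for what was executed
    done = []
    for ev in action_events:
        action = ACTIONS[ev["name"]]
        if action == "update_list":  # a list maintenance event (claim 8) updates the file location list
            rec = ev["records"][0]
            maintain_file_locations(rec["op"], rec["ident"], rec.get("path"))
        done.append((action, ev["display"]))
    return done
```

Running the three stages over AUDIT_RECORDS yields an alert for the delete of the monitored config file and an update of the file location list, while the access to the unmonitored path is dropped.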
Application CN201410448557.1A, priority date 2014-09-04, filing date 2014-09-04, title "File monitor method and device", status Active, granted as CN104239478B (en).

Publications (2)

Publication Number Publication Date
CN104239478A 2014-12-24
CN104239478B 2018-07-27

Family ID: 52227537 (one family application, CN201410448557.1A; country status: CN, CN104239478B)


Legal Events

Code Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
CB03 Change of inventor or designer information (inventor before: Zhang Jingyi; inventors after: Zhang Jingyi, Kang Kai)
COR Change of bibliographic data
GR01 Patent grant