CN111967058A - Tamper-proof method supporting user white list, electronic device and storage medium - Google Patents


Info

Publication number
CN111967058A
Authority
CN
China
Prior art keywords
tamper
user
white list
list information
rule
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202010737318.3A
Other languages
Chinese (zh)
Inventor
姜喜庆
孟希杰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhejiang Jundun Information Technology Co ltd
Original Assignee
Zhejiang Jundun Information Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Zhejiang Jundun Information Technology Co ltd filed Critical Zhejiang Jundun Information Technology Co ltd
Priority to CN202010737318.3A priority Critical patent/CN111967058A/en
Publication of CN111967058A publication Critical patent/CN111967058A/en
Pending legal-status Critical Current

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/64Protecting data integrity, e.g. using checksums, certificates or signatures
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90Details of database functions independent of the retrieved data types
    • G06F16/95Retrieval from the web
    • G06F16/958Organisation or management of web site content, e.g. publishing, maintaining pages or automatic linking
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Data Mining & Analysis (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Storage Device Security (AREA)

Abstract

The application relates to a tamper-proof method, device, electronic device and storage medium supporting a user white list. The tamper-proofing method supporting the user white list comprises the following steps: acquiring white list information and tamper-resistant rule information; under the condition that the file system is monitored to be changed, a changed file path is obtained; matching the anti-tampering rules corresponding to the changed file paths according to the changed file paths; matching the IP address and/or the user name of the user corresponding to the tamper-proof rule in the white list information under the condition that the tamper-proof rule corresponding to the changed file path is matched; and under the condition that the IP address and/or the user name of the user corresponding to the tamper-resistant rule are/is matched in the white list information, releasing the user operation corresponding to the IP address and/or the user name of the user corresponding to the tamper-resistant rule. By the method and the device, the maintenance cost of the webpage tamper-resistant system is reduced.

Description

Tamper-proof method supporting user white list, electronic device and storage medium
Technical Field
The present application relates to the field of computers, and in particular, to a tamper-resistant method, apparatus, electronic apparatus, and storage medium for supporting a user white list.
Background
Web page tampering is a frequently used hacking method. Tampered web page content can seriously affect users, and hackers can also publish and spread viruses through the tampered content, causing property and economic losses to users. A webpage tamper-proofing system uses file filter driver technology and event triggering technology to discover and block tampering with website content in time, so that even a hacker who has gained access to the WEB server cannot tamper with the website's page content.
In order to avoid the attack of hackers in the related technology, the change of the file system can be checked in real time through the webpage tamper-proof system, and the file system is intercepted in time when operations such as addition, deletion, modification and the like exist in the file system, so that the condition that the file system is tampered is solved fundamentally. However, in the research process, it is found that, after a webpage tamper-proofing rule is installed, once a protected website needs to be changed, the tamper-proofing rule of the webpage tamper-proofing system needs to be closed or the change needs to be realized by using the release function of the webpage tamper-proofing system, and operation and maintenance personnel are also needed to maintain the webpage tamper-proofing system, so that the problems of manpower and material resources waste and high maintenance cost of the webpage tamper-proofing system are caused.
At present, no effective solution is provided for the problem of high maintenance cost of a webpage tamper-resistant system in the related art.
Disclosure of Invention
The embodiment of the application provides a tamper-proof method, a tamper-proof device, an electronic device and a storage medium for supporting a user white list, so as to at least solve the problem of high maintenance cost of a webpage tamper-proof system in the related art.
In a first aspect, an embodiment of the present application provides a tamper-resistant method for supporting a user white list, including:
acquiring white list information and tamper-proof rule information, wherein the white list information comprises an IP address and/or a user name of a user; the tamper-proof rule information comprises a file path and a tamper-proof rule corresponding to the file path;
under the condition that the file system is monitored to be changed, a changed file path is obtained;
matching an anti-tampering rule corresponding to the changed file path according to the changed file path;
under the condition that a tamper-proof rule corresponding to the changed file path is matched, matching the IP address and/or the user name of a user corresponding to the tamper-proof rule in the white list information;
and under the condition that the IP address and/or the user name of the user corresponding to the tamper-proof rule are/is matched in the white list information, releasing the user operation corresponding to the IP address and/or the user name of the user corresponding to the tamper-proof rule.
In some of these embodiments, the file system change comprises: a creation, deletion or modification operation performed on the file system.
In some embodiments, after releasing the user operation corresponding to the IP address and/or the user name of the user corresponding to the tamper-resistant rule, the method further includes:
and generating an operation log of the operation process of the user operation corresponding to the IP address and/or the user name of the user corresponding to the released anti-tampering rule, and storing the operation log.
In some of these embodiments, the method further comprises:
and under the condition that the IP address and/or the user name of the user corresponding to the tamper-proof rule are not matched in the white list information, forbidding to release the user operation corresponding to the IP address and/or the user name of the user corresponding to the tamper-proof rule.
In some embodiments, after obtaining the white list information and the tamper-resistant rule information, the method further includes:
converting the white list information into kernel state white list information which can be identified by a kernel state, and generating a corresponding relation between the white list information and the kernel state white list information;
under the condition that the file system is monitored to be changed, a changed file path is obtained;
according to the changed file path, matching an anti-tampering rule corresponding to the changed file path in the kernel mode;
under the condition that a tamper-proof rule corresponding to the changed file path is matched in the kernel mode, converting the tamper-proof rule into a kernel mode tamper-proof rule which can be identified by the kernel mode, and matching the kernel mode white list information corresponding to the IP address and/or the user name of the user corresponding to the kernel mode tamper-proof rule in the kernel mode;
and under the condition that the kernel state white list information corresponding to the IP address and/or the user name of the user corresponding to the kernel state anti-tampering rule is matched in the kernel state, releasing the user operation corresponding to the IP address and/or the user name of the user corresponding to the kernel state anti-tampering rule.
In some of these embodiments, the white list information includes the user's IP address; converting the white list information into kernel state white list information which can be identified by a kernel state, and generating a corresponding relation between the white list information and the kernel state white list information comprises the following steps:
and converting the IP address of the user in the white list information into a Session ID which can be identified by a kernel mode, and generating a corresponding relation between the IP address of the user in the white list information and the Session ID.
In some of these embodiments, the white list information includes a username; converting the white list information into kernel state white list information which can be identified by a kernel state, and generating a corresponding relation between the white list information and the kernel state white list information comprises the following steps:
and converting the user name in the white list information into a user ID which can be identified by a kernel state, and generating a corresponding relation between the user name in the white list information and the user ID which can be identified by the kernel state.
In a second aspect, an embodiment of the present application provides a tamper-resistant apparatus for supporting a user white list, including:
the system comprises a first acquisition module, a second acquisition module and a third acquisition module, wherein the first acquisition module is used for acquiring white list information and tamper-proof rule information, and the white list information comprises an IP address and/or a user name of a user; the tamper-proof rule information comprises a file path and a tamper-proof rule corresponding to the file path;
the second acquisition module is used for acquiring a changed file path under the condition that the change of the file system is monitored;
the first matching module is used for matching an anti-tampering rule corresponding to the changed file path according to the changed file path;
the second matching module is used for matching the IP address and/or the user name of the user corresponding to the anti-tampering rule in the white list information under the condition that the anti-tampering rule corresponding to the changed file path is matched;
and the first releasing module is used for releasing the user operation corresponding to the IP address and/or the user name of the user corresponding to the tamper-resistant rule under the condition that the IP address and/or the user name of the user corresponding to the tamper-resistant rule are matched in the white list information.
In a third aspect, an embodiment of the present application provides an electronic apparatus, which includes a memory, a processor, and a computer program stored on the memory and executable on the processor, and when the processor executes the computer program, the processor implements the tamper-proofing method for supporting the user white list according to the first aspect.
In a fourth aspect, an embodiment of the present application provides a storage medium, on which a computer program is stored, where the program, when executed by a processor, implements the tamper-proofing method for supporting a user white list as described in the first aspect.
Compared with the related art, the tamper-proofing method, device, electronic device and storage medium supporting the user white list provided by the embodiment of the application acquire the white list information and the tamper-proofing rule information, wherein the white list information comprises the IP address and/or the user name of the user; the anti-tampering rule information comprises a file path and an anti-tampering rule corresponding to the file path; under the condition that the file system is monitored to be changed, a changed file path is obtained; matching the anti-tampering rules corresponding to the changed file paths according to the changed file paths; matching the IP address and/or the user name of the user corresponding to the tamper-proof rule in the white list information under the condition that the tamper-proof rule corresponding to the changed file path is matched; and under the condition that the IP address and/or the user name of the user corresponding to the anti-tampering rule are/is matched in the white list information, the user operation corresponding to the IP address and/or the user name of the user corresponding to the anti-tampering rule is released, so that the problem of high maintenance cost of the webpage anti-tampering system in the related technology is solved, and the maintenance cost of the webpage anti-tampering system is reduced.
The details of one or more embodiments of the application are set forth in the accompanying drawings and the description below to provide a more thorough understanding of the application.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
FIG. 1 is a block diagram of a hardware structure of a terminal supporting a tamper-proof method for a user white list according to an embodiment of the present invention;
FIG. 2 is a flow diagram of a tamper-resistant method that supports user whitelists according to an embodiment of the application;
FIG. 3 is a flow diagram of a tamper-resistant method of supporting user whitelists according to yet another embodiment of the present application;
FIG. 4 is a block diagram of a tamper resistant device that supports user whitelisting according to a preferred embodiment of the present application;
FIG. 5 is an interaction flow diagram of a tamper resistant device that supports user whitelisting according to a preferred embodiment of the present application;
FIG. 6 is a block diagram of a tamper resistant device supporting a user white list according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be described and illustrated below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments provided in the present application without any inventive step are within the scope of protection of the present application. Moreover, it should be appreciated that in the development of any such actual implementation, as in any engineering or design project, numerous implementation-specific decisions must be made to achieve the developers' specific goals, such as compliance with system-related and business-related constraints, which may vary from one implementation to another.
Reference in the specification to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the specification. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Those of ordinary skill in the art will explicitly and implicitly appreciate that the embodiments described herein may be combined with other embodiments without conflict.
Unless defined otherwise, technical or scientific terms referred to herein shall have the ordinary meaning as understood by those of ordinary skill in the art to which this application belongs. Reference to "a," "an," "the," and similar words throughout this application are not to be construed as limiting in number, and may refer to the singular or the plural. The present application is directed to the use of the terms "including," "comprising," "having," and any variations thereof, which are intended to cover non-exclusive inclusions; for example, a process, method, system, article, or apparatus that comprises a list of steps or modules (elements) is not limited to the listed steps or elements, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus. Reference to "connected," "coupled," and the like in this application is not intended to be limited to physical or mechanical connections, but may include electrical connections, whether direct or indirect. Reference herein to "a plurality" means greater than or equal to two. "and/or" describes an association relationship of associated objects, meaning that three relationships may exist, for example, "A and/or B" may mean: a exists alone, A and B exist simultaneously, and B exists alone. Reference herein to the terms "first," "second," "third," and the like, are merely to distinguish similar objects and do not denote a particular ordering for the objects.
The method provided by the embodiment can be executed in a terminal, a computer or a similar operation device. Taking the operation on the terminal as an example, fig. 1 is a hardware structure block diagram of the terminal supporting the tamper-proof method for the user white list according to the embodiment of the present invention. As shown in fig. 1, the terminal may include one or more (only one shown in fig. 1) processors 102 (the processor 102 may include, but is not limited to, a processing device such as a microprocessor MCU or a programmable logic device FPGA) and a memory 104 for storing data, and optionally, a transmission device 106 for communication functions and an input-output device 108. It will be understood by those skilled in the art that the structure shown in fig. 1 is only an illustration and is not intended to limit the structure of the terminal. For example, the terminal may also include more or fewer components than shown in FIG. 1, or have a different configuration than shown in FIG. 1.
The memory 104 can be used for storing computer programs, for example, software programs and modules of application software, such as a computer program corresponding to the tamper-proof method supporting the user white list in the embodiment of the present invention, and the processor 102 executes various functional applications and data processing by running the computer program stored in the memory 104, thereby implementing the above-mentioned method. The memory 104 may include high speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 104 may further include memory located remotely from the processor 102, which may be connected to the terminal over a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission device 106 is used to receive or transmit data via a network. Specific examples of the network described above may include a wireless network provided by a communication provider of the terminal. In one example, the transmission device 106 includes a Network adapter (NIC) that can be connected to other Network devices through a base station to communicate with the internet. In one example, the transmission device 106 may be a Radio Frequency (RF) module, which is used to communicate with the internet in a wireless manner.
The present embodiment provides a tamper-proofing method supporting a user white list, and fig. 2 is a flowchart of the tamper-proofing method supporting the user white list according to the embodiment of the present application, and as shown in fig. 2, the flowchart includes the following steps:
step S201, obtaining white list information and tamper-proof rule information, wherein the white list information comprises an IP address and/or a user name of a user; the tamper-resistant rule information includes a file path and a tamper-resistant rule corresponding to the file path.
In this step, the white list information may be configured online by the user; the tamper-resistant rule information may also be configured in advance, for example, a file path and a tamper-resistant rule corresponding to the file path may be configured.
Step S202, under the condition that the change of the file system is monitored, a changed file path is obtained.
In this step, the changed file path can be obtained by monitoring the status of the file system in real time under the condition that the change of the file system is monitored.
In some embodiments, the file system change in step S202 includes: a creation, deletion or modification operation performed on the file system.
Step S203, according to the changed file path, matching the tamper-proof rule corresponding to the changed file path.
It should be noted that whether each file path has a corresponding tamper-resistant rule or not may be set by a user. And the configured tamper-proof rule can be used for preventing the IP address and/or the user name of the user in the blacklist from tampering the content corresponding to the website content or the file path.
And step S204, under the condition that the anti-tampering rule corresponding to the changed file path is matched, the IP address and/or the user name of the user corresponding to the anti-tampering rule are matched in the white list information.
In this step, the manner of matching the IP address and/or the user name of the user corresponding to the tamper-resistant rule in the white list information may be a preset matching rule, and the preset matching rule may be an association rule between the tamper-resistant rule and the white list information.
If the tamper-resistant rule corresponding to the changed file path is not matched, it indicates that the tamper-resistant rule is not configured for the file path, and user operations, such as creating, deleting, or modifying the file path, may be directly released.
Step S205, in the case that the IP address and/or the user name of the user corresponding to the tamper-resistant rule are matched in the white list information, releasing the user operation corresponding to the IP address and/or the user name of the user corresponding to the tamper-resistant rule.
Based on steps S201 to S205, when a tamper-resistant rule corresponding to the changed file path is matched, and the IP address and/or the user name of the user corresponding to that rule is matched in the white list information, the corresponding user operation is released. The webpage tamper-resistant system can thus release operations by white-listed users, which provides more application scenarios for the user: the tamper-resistant rule of the webpage tamper-resistant system does not need to be closed and the release function does not need to be used. This solves the problem of high maintenance cost of the webpage tamper-resistant system in the related art, reduces that maintenance cost, and saves the manpower and material resources required for maintaining the webpage tamper-resistant system.
It should be noted that the tamper-proofing method supporting the user white list of the present application can be applied to a webpage tamper-proofing system, so that the webpage tamper-proofing system can realize tamper-proofing supporting the user white list.
In some embodiments, after the user operation corresponding to the IP address and/or the user name of the user corresponding to the anti-tampering rule is released, an operation log may be generated from the operation process of the released user operation, and the operation log may be stored. In this embodiment, storing the operation log makes it easier for the user to monitor the tamper-resistant rule corresponding to the changed file path.
In some embodiments, after step S204, in a case that the IP address and/or the user name of the user corresponding to the tamper-resistant rule are not matched in the white list information, the user operation corresponding to the IP address and/or the user name of the user corresponding to the tamper-resistant rule is prohibited from being released. By the method, the operation of creating, deleting or modifying the file path by the IP address and/or the user name of the user except the white list information can be prevented, and the safety of the file corresponding to the file path is improved.
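The decision flow of steps S201 to S205, together with the logging and blocking embodiments above, is sketched below as an added example; it is not code from the patent. The names `WhitelistEntry`, `TamperRule`, `match_rule` and `decide`, the longest-prefix rule selection, the reading of "and/or" as "every field an entry specifies must match", and the logging of blocked operations alongside released ones are all assumptions, and the sample events are constructed.

```python
import ipaddress
import posixpath
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class WhitelistEntry:
    # An entry may pin an IP address, a user name, or both ("and/or" in the text).
    ip: Optional[str] = None
    user: Optional[str] = None

    def matches(self, ip: str, user: str) -> bool:
        if self.ip is None and self.user is None:
            return False  # an empty entry must never behave as a wildcard
        if self.ip is not None:
            try:
                if ipaddress.ip_address(self.ip) != ipaddress.ip_address(ip):
                    return False
            except ValueError:
                return False  # unparsable address: fail closed
        if self.user is not None and self.user != user:
            return False
        return True


@dataclass(frozen=True)
class TamperRule:
    path: str                                # protected file or directory (S201)
    whitelist: Tuple[WhitelistEntry, ...]    # entries associated with this rule


def normalize(path: str) -> str:
    # Collapse "..", "." and repeated slashes so that a path such as
    # "/tmp/../var/www/site/x" is matched against the rule it really touches.
    return posixpath.normpath("/" + path.lstrip("/"))


def match_rule(rules, changed_path):
    """S203: return the most specific rule covering the changed path, or None."""
    p = normalize(changed_path)
    best = None
    for rule in rules:
        root = normalize(rule.path)
        # Match on a path-component boundary so "/var/www/site" does not
        # also cover "/var/www/site2".
        if p == root or p.startswith(root.rstrip("/") + "/"):
            if best is None or len(root) > len(normalize(best.path)):
                best = rule
    return best


def decide(rules, event, log):
    """S204/S205: release or block one file-system change event."""
    rule = match_rule(rules, event["path"])
    if rule is None:
        return "release"  # no tamper-proof rule configured for this path
    allowed = any(e.matches(event["ip"], event["user"]) for e in rule.whitelist)
    verdict = "release" if allowed else "block"
    log.append({"path": normalize(event["path"]), "op": event["op"],
                "ip": event["ip"], "user": event["user"],
                "rule": rule.path, "verdict": verdict})
    return verdict


# Constructed configuration: the site accepts either the deploy host or the
# deploy account; the admin subtree requires both at once.
RULES = [
    TamperRule("/var/www/site", (WhitelistEntry(ip="192.0.2.10"),
                                 WhitelistEntry(user="deploy"))),
    TamperRule("/var/www/site/admin", (WhitelistEntry(ip="192.0.2.10", user="deploy"),)),
]

# Constructed change events (path, operation, source IP, user).
EVENTS = [
    {"path": "/var/www/site/index.html", "op": "modify", "ip": "192.0.2.10", "user": "www-data"},
    {"path": "/var/www/site/index.html", "op": "modify", "ip": "203.0.113.9", "user": "www-data"},
    {"path": "/var/www/site/admin/login.php", "op": "create", "ip": "192.0.2.10", "user": "www-data"},
    {"path": "/var/www/site2/index.html", "op": "delete", "ip": "203.0.113.9", "user": "www-data"},
    {"path": "/tmp/../var/www/site/index.html", "op": "modify", "ip": "203.0.113.9", "user": "www-data"},
]


def run_demo():
    log = []
    verdicts = [decide(RULES, ev, log) for ev in EVENTS]
    return verdicts, log


if __name__ == "__main__":
    verdicts, log = run_demo()
    for ev, v in zip(EVENTS, verdicts):
        print(v, ev["op"], ev["path"], ev["ip"], ev["user"])
```

The fourth event is released without a log entry because no rule covers its path; the fifth is blocked only because the path is normalized before rule matching.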
It should be noted that the operation flow in the above embodiments may be performed in a user mode of a computer.
In order to further improve the security of the file corresponding to the file path, the operation flow in the above embodiment may be switched to a kernel mode of the computer.
Fig. 3 is a flowchart of a tamper-proofing method for supporting a user white list according to another embodiment of the present application, and as shown in fig. 3, the method flowchart includes:
step S301, obtaining white list information and tamper-proof rule information, wherein the white list information comprises an IP address and/or a user name of a user; the tamper-resistant rule information includes a file path and a tamper-resistant rule corresponding to the file path.
Step S302, the white list information is converted into kernel-mode white list information which can be identified by a kernel mode, and a corresponding relation between the white list information and the kernel-mode white list information is generated.
Step S303, under the condition that the file system is monitored to be changed, a changed file path is obtained.
And step S304, according to the changed file path, matching the anti-tampering rule corresponding to the changed file path in the kernel mode.
Step S305, under the condition that the anti-tampering rule corresponding to the changed file path is matched in the kernel mode, the anti-tampering rule is converted into the kernel mode anti-tampering rule which can be identified by the kernel mode, and the kernel mode white list information corresponding to the IP address and/or the user name of the user corresponding to the kernel mode anti-tampering rule is matched in the kernel mode.
Step S306, under the condition that the kernel-state white list information corresponding to the IP address and/or the user name of the user corresponding to the kernel-state anti-tampering rule is matched in the kernel state, the user operation corresponding to the IP address and/or the user name of the user corresponding to the kernel-state anti-tampering rule is released.
In this embodiment, the white list information is converted into kernel-state white list information that the kernel mode can recognize, and a corresponding relationship between the white list information and the kernel-state white list information is generated; the anti-tampering rule is converted into a kernel-state anti-tampering rule that the kernel mode can recognize; and the kernel-state white list information corresponding to the IP address and/or the user name of the user corresponding to the kernel-state anti-tampering rule is matched in the kernel mode. Performing the matching in the kernel mode in this way further improves the security of the file corresponding to the file path.
In some of these embodiments, the white list information includes the user's IP address; converting the white list information into kernel-state white list information which can be identified by a kernel state, and generating a corresponding relation between the white list information and the kernel-state white list information comprises the following steps: and converting the IP address of the user in the white list information into the sessionID which can be identified by the kernel mode, and generating the corresponding relation between the IP address of the user in the white list information and the sessionID.
In this embodiment, TCP connections may be found by reading all TCP connections under proc/net and /proc/pid/inode and all files under sco/net, and the corresponding relationship between the IP address of a user and a SessionID may be found according to the network connection state, so as to realize the conversion between the IP address of the user and the SessionID.
In some of these embodiments, the white list information includes a username; converting the white list information into kernel-state white list information which can be identified by a kernel state, and generating a corresponding relation between the white list information and the kernel-state white list information comprises the following steps: and converting the user name in the white list information into the user ID which can be identified by the kernel state, and generating the corresponding relation between the user name in the white list information and the user ID which can be identified by the kernel state.
In this embodiment, the user name and the UserID may be converted by reading/etc/password file content to obtain the corresponding relationship between the user name and the UserID.
The embodiments of the present application are described and illustrated below by means of preferred embodiments.
The tamper-proofing method for supporting the user white list in the above embodiment may be applied to the tamper-proofing apparatus for supporting the user white list in fig. 4, where fig. 4 is a block diagram of a tamper-proofing apparatus for supporting the user white list according to a preferred embodiment of the present application, and as shown in fig. 4, the apparatus includes:
The central server 41: used for issuing tamper-resistant rules to the tamper-resistant application 42 and for specifying the tamper-resistant file path and the IP address and/or user name of the user in the white list information; it can also serve as the display platform for the tamper log (that is, the operation log in the above embodiment).
Tamper resistant application 42: the system comprises a configuration white list information server, a kernel state identification server and a configuration server, wherein the configuration white list information server is used for converting an IP address of a user in the configuration white list information into a sessionID which can be identified by the kernel state, converting a user name into a UserID which can be identified by the kernel state, writing operation rules such as read/write and the like corresponding to a file into an anti-tampering rule, and informing the kernel state to read the anti-tampering rule; and is further configured to forward the tampering log reported to the user mode in the kernel mode to the central server 41, and in addition, convert the SessionID into the IP address of the user and convert the UserID into the user name before forwarding to the central server 41, which is convenient for viewing.
Tamper resistant driver 43: for monitoring changes in the file system in real time.
The following describes and explains the interaction flow of the tamper resistant device supporting the user white list in the above embodiment with reference to the embodiment.
Fig. 5 is an interaction flow diagram of a tamper-resistant device supporting a user white list according to a preferred embodiment of the present application. The interaction flow shown in Fig. 5 includes a tamper-resistant rule issuing flow (data issuing flow) and a tamper-resistant rule matching flow (data uplink flow).
The tamper-resistant rule issuing flow comprises the following steps:
Step S501, the central server sends the tamper-resistant rule and the white list information to the tamper-resistant application program of SELinux.
In this step, it is assumed that the web pages are stored under the server/app/xxx path of the server. The released user IP is configured as 1.1.1.1 and the released user name as root. When a user logs in to the file system from IP address 1.1.1.1 and the operating user name is root, the operations of 1.1.1.1 and root on the web page path are released, while operations on the web server by users who log in from other IP addresses and/or under other user names are blocked.
Step S502, when the user mode of the tamper-resistant application program receives the tamper-resistant rule, the user mode acquires the white list information.
In this step, if the white list information is not obtained, the user mode of the tamper-resistant application notifies the kernel mode of the tamper-resistant application to update the tamper-resistant rule.
Step S503, the user mode of the tamper-resistant application program reads all TCP connections under /proc/net/ and all files under /proc/pid/inode/ to find the TCP connections, finds the correspondence between the IP address of the user and the SessionID according to the network connection state, and converts the IP address of the user into the SessionID.
In this step, the conversion is needed because the tamper-resistant rule is matched in the kernel mode of the tamper-resistant application program, and the kernel mode cannot directly acquire the IP address of the user, although it can acquire the SessionID.
Step S504, the user mode of the tamper-resistant application program reads the content of the /etc/passwd file, obtains the correspondence between the user name and the UserID, and converts the user name into the UserID.
In this step, the conversion is needed because the tamper-resistant rule is matched in the kernel mode of the tamper-resistant application program, and the kernel mode cannot directly acquire the user name, although it can acquire the UserID.
Step S505, the user mode of the tamper-resistant application program generates a correspondence based on step S503 and step S504.
The corresponding relation in this step includes: the corresponding relation between the user name and the user ID and/or the corresponding relation between the IP address of the user and the Session ID.
Step S506, the user mode of the tamper-resistant application program generates a tamper-resistant rule which can be identified by the kernel mode according to the configured tamper-resistant rule.
Step S507, the user mode of the tamper-resistant application sends the SessionID and/or UserID recognizable by the kernel mode of the tamper-resistant application to the kernel mode of the tamper-resistant application, and sends the correspondence and the tamper-resistant rule recognizable by the kernel mode of the tamper-resistant application to the kernel mode of the tamper-resistant application.
Step S508, the kernel mode of the tamper-resistant application program records the received identifiable tamper-resistant rule as RULE1 and records the correspondence as RULE2.
Through this process, once the tamper-resistant rule of the central server has been issued to the kernel mode of the tamper-resistant application program, a monitored change of the file system can be matched against the tamper-resistant rule that the kernel mode can identify. The IP address and user name of the corresponding user are matched according to the SessionID and the UserID, and, if they match, the operation corresponding to that user's IP address and user name is released.
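The user-mode conversion of steps S503 to S505 can be sketched as follows. This is an added example, not code from the patent: it parses constructed text in /etc/passwd and /proc/net/tcp format, takes the socket-inode-to-SessionID table as a constructed input (the page does not spell out how that link is derived), and the function names and the `unresolved` and `shared_uid_names` fields are hypothetical.

```python
import ipaddress

# Constructed sample in /etc/passwd format (name:password:UID:GID:comment:home:shell).
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second name for UID 0:/root:/bin/sh
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
malformed-line-without-fields
deploy:x:notanumber:1001::/home/deploy:/bin/bash
"""

# Constructed sample in /proc/net/tcp format. The IPv4 address is printed as a
# 32-bit hex value in host byte order (little-endian assumed here).
PROC_NET_TCP_SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20001 1 0000000000000000 100 0 0 10 0
   1: 0A00000A:0016 01010101:C350 01 00000000:00000000 02:000A0000 00000000     0        0 31337 2 0000000000000000 20 4 30 10 -1
   2: 0A00000A:0016 070200C0:D431 01 00000000:00000000 02:000A0000 00000000     0        0 31400 2 0000000000000000 20 4 30 10 -1
"""

# Constructed table: socket inode -> SessionID (assumption: supplied by the caller).
INODE_TO_SESSION = {31337: 4120, 31400: 4188}

TCP_ESTABLISHED = 0x01


def parse_passwd(text):
    """Return {user name: UserID}; comments and malformed entries are skipped."""
    users = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if line.lstrip().startswith("#") or len(fields) < 7:
            continue
        try:
            users[fields[0]] = int(fields[2])
        except ValueError:
            continue  # non-numeric UID: never guess an ID for the kernel state
    return users


def decode_ipv4(hex_addr):
    """Decode the 8-hex-digit address column into dotted-quad form."""
    return str(ipaddress.IPv4Address(bytes.fromhex(hex_addr)[::-1]))


def parse_proc_net_tcp(text):
    """Return [(remote IP, socket inode)] for established IPv4 connections."""
    conns = []
    for line in text.splitlines()[1:]:          # first line is the column header
        cols = line.split()
        if len(cols) < 10:
            continue
        rem_addr = cols[2].partition(":")[0]
        if int(cols[3], 16) != TCP_ESTABLISHED or len(rem_addr) != 8:
            continue                             # listeners and non-IPv4 rows
        conns.append((decode_ipv4(rem_addr), int(cols[9])))
    return conns


def build_rule2(allowed_ips, allowed_users, passwd_text=PASSWD_SAMPLE,
                tcp_text=PROC_NET_TCP_SAMPLE, inode_to_session=INODE_TO_SESSION):
    """Build the correspondence that step S508 records as RULE2."""
    users = parse_passwd(passwd_text)
    session_to_ip, uid_to_user, unresolved = {}, {}, []
    for ip, inode in parse_proc_net_tcp(tcp_text):
        if ip in allowed_ips and inode in inode_to_session:
            session_to_ip[inode_to_session[inode]] = ip
    for name in allowed_users:
        if name in users:
            uid_to_user[users[name]] = name
        else:
            unresolved.append(("user", name))   # no ID is sent, so nothing is released
    for ip in allowed_ips:
        if ip not in session_to_ip.values():
            unresolved.append(("ip", ip))
    # The kernel state sees only the number, so every name that shares a
    # white-listed UserID is released as well; surface those for review.
    shared = sorted(n for n, uid in users.items()
                    if uid in uid_to_user and uid_to_user[uid] != n)
    return {"session_to_ip": session_to_ip, "uid_to_user": uid_to_user,
            "unresolved": unresolved, "shared_uid_names": shared}
```

White list entries that cannot be resolved produce no kernel-state ID at all, so an unresolved entry never results in a release.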
The tamper-resistant rule matching process comprises the following steps:
Step S509, the tamper-resistant application driver uses the SELinux framework technology to hijack the file system calls for operations such as creation, deletion, and modification (including modification of file attributes and contents) in the file system.
In this step, SELinux (Security-Enhanced Linux) is a Security architecture, and based on a request for intercepting a web page file by a kernel, interaction between a kernel driver and an application layer can be avoided, so that tamper-resistant efficiency can be improved.
Step S510, the tamper-resistant application determines a changed file path when the change of the file system is monitored.
Step S511, the tamper-resistant application matches the tamper-resistant rule according to the changed file path.
Step S512, the tamper-resistant application program converts the tamper-resistant rule into a tamper-resistant rule which can be identified by a kernel state under the condition that the tamper-resistant rule is matched.
Step S513, the tamper resistant application matches the SessionID and the UserID according to the tamper resistant rule and the corresponding relationship that the kernel state can recognize.
In this step, the tamper-resistant application matching may be to convert the tamper-resistant rule into a kernel-state tamper-resistant rule recognizable by the kernel state under the condition that the tamper-resistant rule corresponding to the changed file path is matched in the kernel state, and match the kernel-state white list information corresponding to the IP address and/or the user name of the user corresponding to the kernel-state tamper-resistant rule in the kernel state.
Step S514, the tamper-resistant application, in the case that the kernel mode is matched with the kernel mode white list information corresponding to the user IP address and/or the user name corresponding to the kernel mode tamper-resistant rule, passes the user operation corresponding to the user IP address and/or the user name corresponding to the kernel mode tamper-resistant rule.
It should be noted that, if only the tamper-resistant rule of the changed file path is matched in the above steps, the user operation is blocked; if the SessionID and/or the UserID corresponding to the white list information is also matched when the tamper-resistant rule of the changed file path is matched, the operation is released. In this way, the operations corresponding to the released IP address and user name set by the user can be released.
When the user has set a tamper-resistant rule and the tamper log needs to be reported, the tamper-resistant application program converts the SessionID and the UserID in the tamper log into the IP address and the user name of the corresponding user through the correspondence, and reports the converted tamper log to the central server.
In this way, the need to release a specified user IP address and/or user name when using the web page tamper-resistant system is met, more application scenarios are available to the user, the maintenance cost of the web page tamper-resistant system is reduced, and the manpower and material resources required to maintain it are saved.
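The matching flow of steps S510 to S514, together with the log conversion described above, can be sketched as follows. This is an added example, not code from the patent: `KernelRule`, `handle_event` and the verdict strings are hypothetical names, the RULE1 and RULE2 values are constructed from the page's 1.1.1.1/root scenario, and it assumes that every white list dimension configured on a rule must match before an operation is released.

```python
import posixpath
from dataclasses import dataclass


@dataclass(frozen=True)
class KernelRule:
    """A tamper-resistant rule in kernel-recognizable form (one entry of RULE1)."""
    root: str                          # protected file path
    ops: frozenset                     # operations the rule covers
    sessions: frozenset = frozenset()  # released SessionIDs
    uids: frozenset = frozenset()      # released UserIDs


# Constructed values: the page's example path, released IP 1.1.1.1 and user root.
RULE1 = [KernelRule("/server/app/xxx", frozenset({"create", "delete", "modify"}),
                    sessions=frozenset({4120}), uids=frozenset({0}))]
RULE2 = {"session_to_ip": {4120: "1.1.1.1"}, "uid_to_user": {0: "root"}}


def normalize(path):
    """Collapse '..', '.' and repeated slashes so the prefix test cannot be dodged."""
    return posixpath.normpath("/" + path.lstrip("/"))


def match_rule(path, rules):
    """Return the rule with the longest protected root that contains path."""
    best = None
    for rule in rules:
        root = normalize(rule.root)
        # Compare whole path components: /server/app/xxx must not cover
        # /server/app/xxx-old.
        if path == root or path.startswith(root + "/"):
            if best is None or len(root) > len(normalize(best.root)):
                best = rule
    return best


def is_released(rule, session_id, uid):
    """White list check on kernel-state IDs; an empty white list releases nobody."""
    if not rule.sessions and not rule.uids:
        return False
    if rule.sessions and session_id not in rule.sessions:
        return False
    if rule.uids and uid not in rule.uids:
        return False
    return True


def handle_event(op, path, session_id, uid, rules=RULE1, rule2=RULE2):
    """Decide on one file system change and build the log entry for the server."""
    norm = normalize(path)
    rule = match_rule(norm, rules)
    if rule is None or op not in rule.ops:
        verdict = "unprotected"        # no tamper-resistant rule applies
    elif is_released(rule, session_id, uid):
        verdict = "release"            # rule matched and white list matched
    else:
        verdict = "block"              # rule matched, white list did not
    # Convert kernel-state IDs back to readable values before reporting; IDs
    # without a correspondence are reported as they are.
    return {
        "verdict": verdict,
        "op": op,
        "path": norm,
        "ip": rule2["session_to_ip"].get(session_id, f"session:{session_id}"),
        "user": rule2["uid_to_user"].get(uid, f"uid:{uid}"),
    }
```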
The present embodiment further provides a tamper-resistant device supporting a user white list. The device is used to implement the foregoing embodiments and preferred embodiments, and what has already been described is not repeated. As used hereinafter, the terms "module," "unit," "subunit," and the like may refer to a combination of software and/or hardware that implements a predetermined function. Although the means described in the embodiments below are preferably implemented in software, an implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
Fig. 6 is a block diagram of a tamper-resistant apparatus supporting a user white list according to an embodiment of the present application, where as shown in fig. 6, the apparatus includes:
the first obtaining module 61 is configured to obtain white list information and tamper-resistant rule information, where the white list information includes an IP address and/or a user name of a user; the anti-tampering rule information comprises a file path and an anti-tampering rule corresponding to the file path;
the second obtaining module 62, coupled to the first obtaining module 61, is configured to obtain a changed file path when it is monitored that the file system is changed;
the first matching module 63 is coupled to the second obtaining module 62 and configured to match, according to the changed file path, the tamper-resistant rule corresponding to the changed file path;
the second matching module 64 is coupled to the first matching module 63 and is used for matching the IP address and/or the user name of the user corresponding to the anti-tampering rule in the white list information under the condition that the anti-tampering rule corresponding to the changed file path is matched;
and the first releasing module 65 is coupled to the second matching module 64, and is configured to release the user operation corresponding to the IP address and/or the user name of the user corresponding to the tamper-resistant rule if the IP address and/or the user name of the user corresponding to the tamper-resistant rule are matched in the white list information.
In some of these embodiments, the file system change comprises: performing a creation, deletion or modification operation on the file system.
In some of these embodiments, the apparatus further comprises: a generation module, used for generating an operation log of the operation process of the released user operation corresponding to the IP address and/or the user name of the user corresponding to the tamper-resistant rule, and for storing the operation log.
In some of these embodiments, the apparatus further comprises: a forbidding module, used for forbidding the release of the user operation corresponding to the IP address and/or the user name of the user corresponding to the tamper-resistant rule when that IP address and/or user name is not matched in the white list information.
In some of these embodiments, the apparatus further comprises: the first conversion module is used for converting the white list information into kernel state white list information which can be identified by a kernel state and generating a corresponding relation between the white list information and the kernel state white list information; the third acquisition module is used for acquiring a changed file path under the condition that the change of the file system is monitored; the third matching module is used for matching the anti-tampering rules corresponding to the changed file paths in the kernel mode according to the changed file paths; the fourth matching module is used for converting the anti-tampering rule into a kernel-state anti-tampering rule which can be identified by the kernel state under the condition that the anti-tampering rule corresponding to the changed file path is matched in the kernel state, and matching the kernel-state white list information corresponding to the IP address and/or the user name of the user corresponding to the kernel-state anti-tampering rule in the kernel state; and the second releasing module is used for releasing the user operation corresponding to the IP address and/or the user name of the user corresponding to the kernel-mode anti-tampering rule under the condition that the kernel-mode white list information corresponding to the IP address and/or the user name of the user corresponding to the kernel-mode anti-tampering rule is matched in the kernel mode.
In some of these embodiments, the conversion module comprises: a first conversion unit, used for converting the IP address of the user in the white list information into a SessionID that the kernel state can identify and for generating the correspondence between the IP address of the user in the white list information and the SessionID.
In some embodiments, the conversion module further comprises: a second conversion unit, used for converting the user name in the white list information into a UserID that the kernel state can identify and for generating the correspondence between the user name in the white list information and the UserID.
The above modules may be functional modules or program modules, and may be implemented by software or hardware. For a module implemented by hardware, the modules may be located in the same processor; or the modules can be respectively positioned in different processors in any combination.
The present embodiment also provides an electronic device comprising a memory having a computer program stored therein and a processor configured to execute the computer program to perform the steps of any of the above method embodiments.
Optionally, the electronic apparatus may further include a transmission device and an input/output device, wherein the transmission device is connected to the processor, and the input/output device is connected to the processor.
Optionally, in this embodiment, the processor may be configured to execute the following steps by a computer program:
S201, obtaining white list information and tamper-resistant rule information, wherein the white list information comprises an IP address and/or a user name of a user; the tamper-resistant rule information includes a file path and a tamper-resistant rule corresponding to the file path.
S202, when a change of the file system is monitored, obtaining the changed file path.
S203, matching the tamper-resistant rule corresponding to the changed file path according to the changed file path.
S204, when the tamper-resistant rule corresponding to the changed file path is matched, matching the IP address and/or the user name of the user corresponding to the tamper-resistant rule in the white list information.
S205, when the IP address and/or the user name of the user corresponding to the tamper-resistant rule is matched in the white list information, releasing the user operation corresponding to the IP address and/or the user name of the user corresponding to the tamper-resistant rule.
It should be noted that, for specific examples in this embodiment, reference may be made to examples described in the foregoing embodiments and optional implementations, and details of this embodiment are not described herein again.
In addition, in combination with the tamper-resistant method supporting a user white list in the above embodiments, the embodiments of the present application may provide a storage medium for its implementation. The storage medium has a computer program stored thereon; the computer program, when executed by a processor, implements any of the above-described embodiments of the tamper-resistant method supporting a user white list.
It should be understood by those skilled in the art that various features of the above-described embodiments can be combined in any combination, and for the sake of brevity, all possible combinations of features in the above-described embodiments are not described in detail, but rather, all combinations of features which are not inconsistent with each other should be construed as being within the scope of the present disclosure.
The above-mentioned embodiments only express several embodiments of the present application, and the description thereof is more specific and detailed, but not construed as limiting the scope of the invention. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the scope of protection of the present application. Therefore, the protection scope of the present patent shall be subject to the appended claims.

Claims (10)

1. A tamper-resistant method for supporting a white list of users, comprising:
acquiring white list information and tamper-proof rule information, wherein the white list information comprises an IP address and/or a user name of a user; the tamper-proof rule information comprises a file path and a tamper-proof rule corresponding to the file path;
under the condition that the file system is monitored to be changed, a changed file path is obtained;
matching an anti-tampering rule corresponding to the changed file path according to the changed file path;
under the condition that a tamper-proof rule corresponding to the changed file path is matched, matching the IP address and/or the user name of a user corresponding to the tamper-proof rule in the white list information;
and under the condition that the IP address and/or the user name of the user corresponding to the tamper-proof rule are/is matched in the white list information, releasing the user operation corresponding to the IP address and/or the user name of the user corresponding to the tamper-proof rule.
2. The tamper-resistant method of supporting white listing of users according to claim 1, wherein the file system change comprises: performing a creation, deletion or modification operation on the file system.
3. The tamper-proofing method supporting user whitelisting according to claim 1, wherein after releasing the user operation corresponding to the IP address and/or user name of the user corresponding to the tamper-proofing rule, the method further comprises:
and generating an operation log of the operation process of the user operation corresponding to the IP address and/or the user name of the user corresponding to the released anti-tampering rule, and storing the operation log.
4. The tamper-resistant method of supporting white lists of users according to claim 1, further comprising:
and under the condition that the IP address and/or the user name of the user corresponding to the tamper-proof rule are not matched in the white list information, forbidding to release the user operation corresponding to the IP address and/or the user name of the user corresponding to the tamper-proof rule.
5. The tamper-resistant method for supporting white lists of users according to claim 1, wherein after obtaining white list information and tamper-resistant rule information, the method further comprises:
converting the white list information into kernel state white list information which can be identified by a kernel state, and generating a corresponding relation between the white list information and the kernel state white list information;
under the condition that the file system is monitored to be changed, a changed file path is obtained;
according to the changed file path, matching an anti-tampering rule corresponding to the changed file path in the kernel mode;
under the condition that a tamper-proof rule corresponding to the changed file path is matched in the kernel mode, converting the tamper-proof rule into a kernel mode tamper-proof rule which can be identified by the kernel mode, and matching the kernel mode white list information corresponding to the IP address and/or the user name of the user corresponding to the kernel mode tamper-proof rule in the kernel mode;
and under the condition that the kernel state white list information corresponding to the IP address and/or the user name of the user corresponding to the kernel state anti-tampering rule is matched in the kernel state, releasing the user operation corresponding to the IP address and/or the user name of the user corresponding to the kernel state anti-tampering rule.
6. The tamper-resistant method of supporting white lists of users of claim 5, wherein the white list information includes an IP address of a user; converting the white list information into kernel state white list information which can be identified by a kernel state, and generating a corresponding relation between the white list information and the kernel state white list information comprises the following steps:
and converting the IP address of the user in the white list information into a Session ID which can be identified by a kernel mode, and generating a corresponding relation between the IP address of the user in the white list information and the Session ID.
7. The tamper-resistant method of supporting white lists of users according to claim 5, wherein the white list information includes a user name; converting the white list information into kernel state white list information which can be identified by a kernel state, and generating a corresponding relation between the white list information and the kernel state white list information comprises the following steps:
and converting the user name in the white list information into a user ID which can be identified by a kernel state, and generating a corresponding relation between the user name in the white list information and the user ID which can be identified by the kernel state.
8. A tamper-resistant apparatus that supports a user white list, comprising:
the system comprises a first acquisition module, a second acquisition module and a third acquisition module, wherein the first acquisition module is used for acquiring white list information and tamper-proof rule information, and the white list information comprises an IP address and/or a user name of a user; the tamper-proof rule information comprises a file path and a tamper-proof rule corresponding to the file path;
the second acquisition module is used for acquiring a changed file path under the condition that the change of the file system is monitored;
the first matching module is used for matching an anti-tampering rule corresponding to the changed file path according to the changed file path;
the second matching module is used for matching the IP address and/or the user name of the user corresponding to the anti-tampering rule in the white list information under the condition that the anti-tampering rule corresponding to the changed file path is matched;
and the first releasing module is used for releasing the user operation corresponding to the IP address and/or the user name of the user corresponding to the tamper-resistant rule under the condition that the IP address and/or the user name of the user corresponding to the tamper-resistant rule are matched in the white list information.
9. An electronic device comprising a memory and a processor, characterized in that the memory has stored therein a computer program, the processor being arranged to execute the computer program to perform the method of any of claims 1 to 7 for supporting user whitelisting tamper-proofing.
10. A storage medium, in which a computer program is stored, wherein the computer program is configured to execute the tamper-proof method of supporting a white list of users of any one of claims 1 to 7 when running.
CN202010737318.3A 2020-07-28 2020-07-28 Tamper-proof method supporting user white list, electronic device and storage medium Pending CN111967058A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010737318.3A CN111967058A (en) 2020-07-28 2020-07-28 Tamper-proof method supporting user white list, electronic device and storage medium

Publications (1)

Publication Number Publication Date
CN111967058A true CN111967058A (en) 2020-11-20

Family

ID=73363131

Country Status (1)

Country Link
CN (1) CN111967058A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination