CN112506884A - Log checking method, device, equipment and storage medium - Google Patents


Info

Publication number
CN112506884A
Authority
CN
China
Prior art keywords
log
current
current log
fingerprint
tampered
Legal status
Pending
Application number
CN202011434975.7A
Other languages
Chinese (zh)
Inventor
金余快
范渊
刘博�
Current Assignee
DBAPPSecurity Co Ltd
Hangzhou Dbappsecurity Technology Co Ltd
Original Assignee
Hangzhou Dbappsecurity Technology Co Ltd
Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F16/00 Information retrieval; Database structures therefor; File system structures therefor > G06F16/10 File systems; File servers > G06F16/18 File system types > G06F16/1805 Append-only file systems, e.g. using logs or journals to store data > G06F16/1815 Journaling file systems
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F11/00 Error detection; Error correction; Monitoring > G06F11/30 Monitoring > G06F11/34 Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation; Recording or statistical evaluation of user activity, e.g. usability assessment > G06F11/3466 Performance evaluation by tracing or monitoring > G06F11/3476 Data logging
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F16/00 Information retrieval; Database structures therefor; File system structures therefor > G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data > G06F16/23 Updating > G06F16/2308 Concurrency control > G06F16/2315 Optimistic concurrency control > G06F16/2322 Optimistic concurrency control using timestamps
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/60 Protecting data > G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures

Abstract

The invention discloses a log checking method, a device, equipment and a storage medium. The method comprises the following steps: taking the log just received as the current log and reading the specific fingerprint carried in it, which the sending end calculated from the log before sending it (the specific fingerprint of any log is obtained by calculating on that log); calculating the specific fingerprint of the current log, and if the specific fingerprint so calculated is the same as the specific fingerprint carried in the current log, preliminarily determining that the current log has not been tampered with, otherwise determining that it has been tampered with. Whether a log has changed can therefore be judged by whether its fingerprint differs before and after transmission, and tampering during transmission can be effectively identified.

Description

Log checking method, device, equipment and storage medium
Technical Field
The present invention relates to the field of data processing technologies, and in particular, to a log checking method, apparatus, device, and storage medium.
Background
A system log (log for short) records hardware, software and system problems in a system and can also be used to monitor events occurring in the system; a user can check it for the cause of an error or, after an attack, for the traces left by the attacker. Logs may include system logs, application logs, security logs and the like.
Faced with a large number of logs, a dedicated sending end and a corresponding system such as a log audit system are usually needed to analyze and process them so as to extract useful information from the mass of data. Conventionally, logs are collected at the sending end and transmitted directly to the receiving end, which then looks for threat intelligence such as viruses; but the logs may be tampered with during transmission, and identifying whether a log has been tampered with in transit is an urgent problem for those skilled in the art.
Disclosure of Invention
The invention aims to provide a log verification method, a log verification device, log verification equipment and a log verification storage medium that judge whether a log has changed by whether its fingerprints before and after transmission differ, thereby effectively identifying whether the log has been tampered with during transmission.
In order to achieve the above purpose, the invention provides the following technical scheme:
a log checking method, comprising:
determining the currently received log as a current log, and acquiring a specific fingerprint of the current log, which is contained in the current log and is acquired before the sending end sends the current log; the specific fingerprint of any log is obtained by calculating the log;
and calculating the current log to obtain a corresponding specific fingerprint, if the specific fingerprint obtained by calculating the current log is the same as the specific fingerprint contained in the current log, preliminarily determining that the current log is not tampered, and otherwise, determining that the current log is tampered.
Preferably, after preliminarily determining that the current log is not tampered, the method further includes:
acquiring a timestamp and a chained fingerprint contained in a current log; the chain fingerprints of any log comprise specific fingerprints of the log and specific fingerprints of next n logs to be sent by the sending end after the log, the specific fingerprints included in the chain fingerprints are arranged from early to late according to the sending time of the sending end, and the timestamp of the log is the time for sending the log by the sending end;
and if the timestamp of the current log is later than that of the last received log, and the first n-1 specific fingerprints in the chained fingerprint of the current log are the same as the last n-1 specific fingerprints in the chained fingerprint of the last received log, determining again that the current log has not been tampered with, and otherwise determining that the current log has been tampered with.
Preferably, after determining again that the current log has not been tampered, the method further includes:
receiving a next log of a current log as a target log, and acquiring a specific fingerprint of the target log;
and finally determining that the current log has not been tampered with if the specific fingerprint of the target log is the same as the 2nd specific fingerprint in the chained fingerprint contained in the current log, and otherwise determining that the current log has been tampered with.
Preferably, after determining that the currently received log is the current log, the method further includes:
and if the current log is the first log or the last log in a plurality of continuously received logs, determining that the current log does not need to be checked, otherwise, executing the step of acquiring the specific fingerprint of the current log, which is contained in the current log and is acquired before the sending end sends the current log.
Preferably, after the specific fingerprint and the chain fingerprint of the current log are acquired, the method further includes:
and storing the specific fingerprint of the current log and other specific fingerprints in the chained fingerprints into a memory by adopting a balanced binary tree algorithm for searching and using when needed.
Preferably, the method further comprises the following steps:
after receiving any log, collecting the any log into a log pool;
correspondingly, after determining whether the current log is tampered, the method further includes:
and if the current log is finally determined not to be tampered, transferring the current log from the log pool to a specified storage position, and otherwise, deleting the current log from the log pool.
Preferably, after determining that the current log is tampered, the method further includes:
and returning the information that the current log check fails to the sending end.
A log-checking apparatus comprising:
an acquisition module to: determining the currently received log as a current log, and acquiring a specific fingerprint of the current log, which is contained in the current log and is acquired before the sending end sends the current log; the specific fingerprint of any log is obtained by calculating the log;
a first verification module to: and calculating the current log to obtain a corresponding specific fingerprint, if the specific fingerprint obtained by calculating the current log is the same as the specific fingerprint contained in the current log, preliminarily determining that the current log is not tampered, and otherwise, determining that the current log is tampered.
A log verification device, comprising:
a memory for storing a computer program;
a processor for implementing the steps of the log check method as described in any one of the above when executing the computer program.
A computer readable storage medium having stored thereon a computer program which, when executed by a processor, carries out the steps of the log checking method as claimed in any one of the preceding claims.
The invention provides a log checking method, a device, equipment and a storage medium, wherein the method comprises the following steps: determining the currently received log as a current log, and acquiring a specific fingerprint of the current log, which is contained in the current log and is acquired before the sending end sends the current log; the specific fingerprint of any log is obtained by calculating the log; and calculating the current log to obtain a corresponding specific fingerprint, if the specific fingerprint obtained by calculating the current log is the same as the specific fingerprint contained in the current log, preliminarily determining that the current log is not tampered, and otherwise, determining that the current log is tampered. After receiving any log, calculating the log to obtain a corresponding specific fingerprint, obtaining the specific fingerprint obtained by calculating the log before a sending end sends the specific fingerprint, comparing the two specific fingerprints, and if the two specific fingerprints are the same, indicating that the log is not changed in the transmission process, namely not tampered, or else indicating that the log is changed in the transmission process, namely tampered. Therefore, whether the log changes can be judged by judging whether the fingerprint before and after the log is transmitted changes, and whether the log is tampered in the transmission process can be effectively identified.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
Fig. 1 is a flowchart of a log checking method according to an embodiment of the present invention;
fig. 2 is a schematic structural diagram of a log checking apparatus according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Referring to fig. 1, a flowchart of a log checking method according to an embodiment of the present invention is shown, where the log checking method includes:
S11: determining the currently received log as the current log, and acquiring the specific fingerprint of the current log that is carried in the current log and was calculated before the sending end sent it; the specific fingerprint of any log is obtained by calculating on that log.
The executing main body of the log checking method provided by the embodiment of the invention can be a corresponding log checking device, and the log checking device can be arranged in the receiving end, so that the executing main body of the log checking method can be the receiving end.
The sending end can be a log collector and the receiving end an analyzer. After collecting any log, the sending end performs a digest calculation on it to obtain a unique character string, which serves as the specific fingerprint. In one implementation, the digest calculation on any log is performed with an asymmetric encryption algorithm (such as the SHA-192 algorithm), where the asymmetric encryption algorithm needs two keys for encryption and decryption, a public key and a private key; because an asymmetric algorithm has higher security and reliability than other encryption algorithms, the method and device use an asymmetric algorithm to calculate the specific fingerprint of the log, which gives the log higher security and reliability.
In addition, the sending end can adopt a UDP protocol to realize the transmission of the log to the receiving end, thereby ensuring the high efficiency of the transmission.
S12: and calculating the current log to obtain a corresponding specific fingerprint, if the specific fingerprint obtained by calculating the current log is the same as the specific fingerprint contained in the current log, preliminarily determining that the current log is not tampered, and otherwise, determining that the current log is tampered.
After receiving the current log, the receiving end calculates its specific fingerprint in the same way the sending end did; if the specific fingerprint so calculated is the same as the specific fingerprint carried in the current log, the current log can be preliminarily considered, on the basis of the specific fingerprint, not to have been tampered with in transit; otherwise it has been tampered with in transit.
After receiving any log, calculating the log to obtain a corresponding specific fingerprint, obtaining the specific fingerprint obtained by calculating the log before a sending end sends the specific fingerprint, comparing the two specific fingerprints, and if the two specific fingerprints are the same, indicating that the log is not changed in the transmission process, namely not tampered, or else indicating that the log is changed in the transmission process, namely tampered. Therefore, whether the log changes can be judged by judging whether the fingerprint before and after the log is transmitted changes, and whether the log is tampered in the transmission process can be effectively identified.
The log verification method provided by the embodiment of the present invention, after preliminarily determining that the current log is not tampered, may further include:
acquiring a timestamp and a chained fingerprint contained in a current log; the chain fingerprints of any log comprise specific fingerprints of the log and specific fingerprints of next n logs to be sent by a sending end after the log, the specific fingerprints contained in the chain fingerprints are arranged from early to late according to the sending time of the sending end, and the timestamp of the log is the time for the sending end to send the log;
and if the timestamp of the current log is later than that of the last received log, and the first n-1 specific fingerprints in the chained fingerprint of the current log are the same as the last n-1 specific fingerprints in the chained fingerprint of the last received log, determining again that the current log has not been tampered with, and otherwise determining that the current log has been tampered with.
It should be noted that after the sending end collects a plurality of logs, it may sort them so that a log with an earlier generation time comes first, and then send them to the receiving end in sorted order from front to back. When a log is about to be sent, the current time is taken as its sending time and a corresponding timestamp is added to the log (specifically, to the log header), so that the receiving end can learn from the timestamp in a received log when the sending end sent it. In the embodiment of the application, after receiving the current log, the receiving end can judge whether the time in the timestamp of the current log is later than the time in the timestamp of the last received log, so that the logs are transmitted in order and the validity of the chained-fingerprint check (each specific fingerprint in the chained fingerprint being tied to the order of the logs) is guaranteed.
To enable chained-fingerprint verification, in the embodiment of the application the sending end generates, before sending any log, a chained fingerprint consisting of that log's specific fingerprint and the specific fingerprints of the n logs that follow it; the n following logs are those whose sending times are closest to the log's own sending time, numbered 1 to n from earliest to latest, so the specific fingerprints in the chained fingerprint are ordered from early to late by the sending time of the corresponding log. The log received last before any log is also one that has been finally determined not to have been tampered with and whose reception time is close to that of the log. Because the 1st specific fingerprint in the chained fingerprint of the log and the 2nd specific fingerprint in the chained fingerprint of its previous log belong to the same log, the two should be the same; because the 2nd specific fingerprint in the chained fingerprint of the log and the 3rd specific fingerprint in the chained fingerprint of its previous log belong to the same log, the two should be the same; …; because the (n-1)th specific fingerprint in the chained fingerprint of the log and the nth specific fingerprint in the chained fingerprint of its previous log belong to the same log, the two should be the same. On this basis, for any log preliminarily determined not to have been tampered with, if the first n-1 specific fingerprints in its chained fingerprint are judged to be the same, one to one, as the last n-1 specific fingerprints in the chained fingerprint of its previous log, the log can be determined again not to have been tampered with.
The specific fingerprints are thus stored in a chained, chain-encrypted manner: once any node is tampered with, the whole chain can no longer be connected, which guarantees the time order of the logs, greatly increases the difficulty of forging them and guarantees the reliability of the logs.
n is an integer not less than 2. Taking n = 2 as an example, the sending end records for each log a next-hop specific fingerprint (the specific fingerprint of the next log), a next-two-hop specific fingerprint (the specific fingerprint of the log after that), and a timestamp. Any log is judged not to have been tampered with if its timestamp is later than that of the last compliance log (a log finally determined not to have been tampered with is called a compliance log), the specific fingerprint calculated from the log is consistent with the next-hop specific fingerprint of the last compliance log, and the next-hop specific fingerprint of the log is consistent with the next-two-hop specific fingerprint of the last compliance log.
The log verification method provided by the embodiment of the present invention may further include, after determining that the current log is not tampered, that:
receiving a next log of the current log as a target log, and acquiring a specific fingerprint of the target log;
and finally determining that the current log has not been tampered with if the specific fingerprint of the target log is the same as the 2nd specific fingerprint in the chained fingerprint contained in the current log, and otherwise determining that the current log has been tampered with.
In the embodiment of the application, after the current log has been determined again not to have been tampered with, the receiving end waits for the next log and checks whether its specific fingerprint is the same as the corresponding specific fingerprint recorded in the chained fingerprint of the current log; if so, that recorded specific fingerprint is confirmed to be correct, the current log can finally be determined not to have been tampered with, and the chained fingerprint thus further improves the reliability of the log. The specific fingerprint of the target log can be obtained either by reading the specific fingerprint carried in the target log or by calculating it from the target log; both are within the protection scope of the present invention.
The log verification method provided in the embodiment of the present invention, after determining that the currently received log is the current log, may further include:
and if the current log is the first log or the last log in a plurality of continuously received logs, determining that the current log does not need to be checked, otherwise, executing the step of acquiring the specific fingerprint of the current log, which is contained in the current log and is acquired before the sending end sends the current log.
To make log verification effective, a head log with empty content can be created before the first log to be sent and a tail log with empty content after the last log to be sent; these become the first and last of the corresponding logs and contain only a chained fingerprint and a timestamp. In addition, for the penultimate log the chained fingerprint may contain only the next-hop specific fingerprint, that is, the specific fingerprint of the tail log, and its check is then based on the fingerprint information of that tail log.
The log verification method provided by the embodiment of the present invention may further include, after acquiring the specific fingerprint and the chained fingerprint of the current log, the following steps:
and storing the specific fingerprint of the current log and other specific fingerprints in the chained fingerprints into a memory by adopting a balanced binary tree algorithm for searching and using when needed.
In the embodiment of the application, after any log is received and its specific fingerprint and chained fingerprint are acquired, the specific fingerprints contained in the chained fingerprint are stored in memory with a balanced binary tree algorithm, so that whenever a specific fingerprint is needed it can be looked up in memory; storing and searching the specific fingerprints with a balanced binary tree effectively speeds up the lookup.
The log verification method provided by the embodiment of the invention can further comprise the following steps:
after receiving any log, collecting the any log into a log pool;
correspondingly, after determining whether the current log is tampered, the method further includes:
and if the current log is finally determined not to be tampered, transferring the current log from the log pool to a specified storage position, and otherwise, deleting the current log from the log pool.
According to the embodiment of the application, after any log is received, any log can be collected into the log pool cache, after the fact that any log is not tampered is finally determined, the any log is removed from the log pool and stored to the storage position which is specified in advance according to actual needs, and if the fact that any log is tampered is determined, the any log is directly removed from the log pool, so that effective management of the log is achieved through the log pool.
The log verification method provided by the embodiment of the present invention, after determining that the current log is tampered, may further include:
and returning the information that the current log check fails to the sending end.
According to the embodiment of the application, after the current log is determined to be tampered, information that the current log fails to be checked can be returned to the sending end, so that the sending end can realize log retransmission or other operations based on the information.
In a specific application scenario, the technical solution provided by the embodiment of the present invention can be mainly divided into two functions, namely, log encryption transmission and log reception verification:
1. log encrypted sending
Sort the logs and add a timestamp to the header of each; calculate each log with the SHA-192 asymmetric algorithm to obtain its specific fingerprint and add that specific fingerprint to the log header;
then transmit the log + the timestamp + the next-hop specific fingerprint + the next-two-hop specific fingerprint together to the receiving end.
2. Log reception parsing
After the logs are received, they are collected into a log pool; the specific fingerprint of each received log is calculated with the SHA-192 asymmetric algorithm, the specific fingerprint carried in each log is read out, and all specific fingerprints are stored in the receiving end's memory with a balanced binary tree algorithm for convenient lookup.
For convenience of description, call the first log the A log, the second the B log and the third the C log. The log verification method of the embodiment looks up, by the next-hop specific fingerprint of log A, whether log B exists in the receiving end's memory; once log B is found and log A has been determined to be a compliance log, the following conditions are judged:
(1) whether the timestamp of log B is later than the timestamp of log A;
(2) whether the specific fingerprint calculated from log B is the same as the specific fingerprint contained in log B;
(3) whether the next-two-hop specific fingerprint of log A is the same as the next-hop specific fingerprint of log B;
(4) waiting until the log C that the next-hop specific fingerprint of log B points to has arrived.
If all four conditions are met, log B is determined not to have been tampered with and becomes a compliance log, it is removed from the log pool, and the same judgment continues with log C.
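A runnable model of the sender-side packaging and the three-stage receiver check described above (the S11/S12 fingerprint comparison, the timestamp and chained-fingerprint check, and the next-hop check, with n = 2 and the empty head and tail logs), written here as an added example and not code from the patent or from the assignee. Assumptions: SHA-256 stands in for the digest the page calls SHA-192, the log header is a plain dict, send times are integer counters, and the sample log lines are constructed.

```python
import hashlib

N = 2  # each log carries the fingerprints of the next N logs (the page's n = 2 example)

# Constructed sample log bodies (not from the page).
SAMPLE_LOGS = [
    "2020-12-10T08:00:01 sshd[311]: Accepted publickey for ops from 10.0.0.7",
    "2020-12-10T08:00:09 sudo: ops : COMMAND=/bin/systemctl restart auditd",
    "2020-12-10T08:01:40 auditd[402]: audit rules reloaded",
    "2020-12-10T08:05:12 sshd[311]: Disconnected from user ops",
]


def specific_fingerprint(body: str) -> str:
    """Digest of one log body. The page calls its digest 'SHA-192'; SHA-256 is substituted
    here as an assumption, since the only requirement is that both ends use the same function."""
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def package_logs(bodies, first_ts=1000):
    """Sender side: wrap the batch in an empty head log and an empty tail log, stamp each log
    with an increasing send time, and attach the chain [own fingerprint, next 1, ..., next N].
    Near the tail the chain is shorter, as the page allows for the penultimate log."""
    bodies = [""] + list(bodies) + [""]
    fps = [specific_fingerprint(b) for b in bodies]
    return [{"ts": first_ts + i, "fingerprint": fps[i], "chain": fps[i:i + N + 1], "body": b}
            for i, b in enumerate(bodies)]


def verify_one(rec, prev, nxt):
    """The three receiver checks for one log against the last compliance log `prev` and the
    log `nxt` received after it. Returns 'ok' or the name of the failing stage."""
    # Stage 1 (S12): recompute the fingerprint and compare with the one carried in the header.
    if specific_fingerprint(rec["body"]) != rec["fingerprint"]:
        return "specific"
    # Stage 2: the send time must be later than the last compliance log's, and the previous
    # chain minus its own entry must line up one to one with the start of this log's chain.
    overlap = prev["chain"][1:]
    if rec["ts"] <= prev["ts"] or rec["chain"][:len(overlap)] != overlap:
        return "chain"
    # Stage 3: the log that actually arrives next must be the one the next-hop entry announced.
    if len(rec["chain"]) < 2 or nxt is None or nxt["fingerprint"] != rec["chain"][1]:
        return "next"
    return "ok"


def verify_batch(records):
    """Receiver side: cache the batch in the log pool, check each log in order, move verified
    logs to the store and leave the rest out. Returns (verdict per record, stored logs)."""
    pool = list(records)
    store, verdicts = [], []
    last_ok = None
    for i, rec in enumerate(pool):
        if i == 0 or i == len(pool) - 1:        # head and tail logs are not checked ...
            verdicts.append("skipped")
            if i == 0:
                last_ok = rec                   # ... but the head anchors the chain
            continue
        verdict = verify_one(rec, last_ok, pool[i + 1])
        verdicts.append(verdict)
        if verdict == "ok":
            store.append(rec)                   # pool -> specified storage position
            last_ok = rec
        # otherwise the log is dropped from the pool; the page returns a failure to the sender
    return verdicts, store


def run_scenarios():
    """Constructed scenarios: an untouched batch, one log body altered in transit (its header
    left intact), and one log dropped from the stream. Returns the verdicts for each."""
    clean = package_logs(SAMPLE_LOGS)

    modified = package_logs(SAMPLE_LOGS)
    modified[2]["body"] = modified[2]["body"].replace("restart auditd", "status auditd")

    dropped = package_logs(SAMPLE_LOGS)
    del dropped[2]                              # the second real log never arrives

    return {name: verify_batch(batch)[0]
            for name, batch in (("clean", clean), ("modified", modified), ("dropped", dropped))}


if __name__ == "__main__":
    for name, verdicts in run_scenarios().items():
        print(f"{name:9s} {verdicts}")
```

The verdicts show the chain property the page describes: once one log fails, the logs after it can no longer be connected to the last compliance log and fail too, so a receiver would request retransmission from that point.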
The invention uses chained-fingerprint log verification: before a log is sent it is timestamped, its own specific fingerprint and the specific fingerprints of the next n logs are generated and ordered in a fixed sequence, and the receiving server caches each received log in a log pool and begins waiting to verify it. The log is thus packaged in multiple dimensions; its fingerprint information is stored in a chain, which greatly increases the difficulty of forging it; the log is verified against tampering, which lowers the system's false alarm rate and secures the system; and the logs are screened by digest, which reduces the amount of data to be computed and improves efficiency. Storing the log fingerprints in a chain greatly increases the decoding difficulty and makes the data more reliable.
An embodiment of the present invention further provides a log verification apparatus, as shown in fig. 2, which may include:
an obtaining module 11, configured to: determining the currently received log as a current log, and acquiring a specific fingerprint of the current log, which is contained in the current log and is acquired before the sending end sends the current log; the specific fingerprint of any log is obtained by calculating the log;
a first verification module 12 for: and calculating the current log to obtain a corresponding specific fingerprint, if the specific fingerprint obtained by calculating the current log is the same as the specific fingerprint contained in the current log, preliminarily determining that the current log is not tampered, and otherwise, determining that the current log is tampered.
The log verification device provided by the embodiment of the present invention may further include:
a second check module, configured to: after the current log has been preliminarily determined not to have been tampered with, obtain the chained fingerprint and the timestamp contained in the current log; the chained fingerprint of any log comprises the specific fingerprint of that log followed by the specific fingerprints of the next n logs the sending end will send after it, and the timestamp of a log is the time at which the sending end sent it; if the timestamp of the current log is later than that of the last received log, and the first n-1 specific fingerprints in the chained fingerprint contained in the current log are the same as the last n-1 specific fingerprints in the chained fingerprint contained in the last received log, determine again that the current log has not been tampered with, and otherwise determine that it has been tampered with.
The log verification device provided by the embodiment of the present invention may further include:
a third verification module, configured to: after the current log has again been determined not to have been tampered with, receive the next log after the current log as the target log and obtain the specific fingerprint of the target log; if the specific fingerprint of the target log is the same as the 2nd specific fingerprint in the chained fingerprint contained in the current log, finally determine that the current log has not been tampered with, and otherwise determine that it has been tampered with.
The log verification device provided by the embodiment of the present invention may further include:
a first determination module, configured to: after the currently received log has been determined as the current log, if the current log is the first or the last of a plurality of continuously received logs, determine that the current log does not need to be checked; otherwise, proceed to the step of obtaining the specific fingerprint of the current log that is contained in the current log and was computed before the sending end sent it.
The log verification device provided by the embodiment of the present invention may further include:
a storage module, configured to: after the specific fingerprint and the chained fingerprint of the current log have been obtained, store the specific fingerprint of the current log and the other specific fingerprints in the chained fingerprint in memory using a balanced binary tree, so that they can be looked up when needed.
The log verification device provided by the embodiment of the present invention may further include:
a collection module, configured to: after any log is received, collect that log into a log pool;
a second determination module, configured to: after it has been determined whether the current log has been tampered with, if the current log is finally determined not to have been tampered with, move it from the log pool to a specified storage location, and otherwise delete it from the log pool.
The log verification device provided by the embodiment of the present invention may further include:
a feedback module, configured to: after the current log has been determined to have been tampered with, return to the sending end the information that the current log failed the check.
An embodiment of the present invention further provides a log verification device, which may include:
a memory for storing a computer program;
a processor for implementing the steps of the log verification method as described above when executing the computer program.
The embodiment of the invention also provides a computer-readable storage medium, wherein a computer program is stored on the computer-readable storage medium, and when being executed by a processor, the computer program can realize the steps of any log verification method.
It should be noted that for the description of the relevant parts in the log verification apparatus, the device and the storage medium provided in the embodiment of the present invention, reference is made to the detailed description of the corresponding parts in the log verification method provided in the embodiment of the present invention, and details are not repeated herein. In addition, parts of the technical solutions provided in the embodiments of the present invention that are consistent with the implementation principles of the corresponding technical solutions in the prior art are not described in detail, so as to avoid redundant description.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A log checking method, comprising:
determining the currently received log as the current log, and obtaining the specific fingerprint of the current log, which is contained in the current log and was computed before the sending end sent the current log; the specific fingerprint of any log is obtained by computing over that log;
computing a specific fingerprint over the current log; if the specific fingerprint computed over the current log is the same as the specific fingerprint contained in the current log, preliminarily determining that the current log has not been tampered with, and otherwise determining that the current log has been tampered with.
2. The method of claim 1, further comprising, after preliminarily determining that the current log has not been tampered with:
obtaining the timestamp and the chained fingerprint contained in the current log; the chained fingerprint of any log comprises the specific fingerprint of that log and the specific fingerprints of the next n logs to be sent by the sending end after it, the specific fingerprints in the chained fingerprint being arranged from earliest to latest according to their sending time at the sending end, and the timestamp of a log is the time at which the sending end sent it;
if the timestamp of the current log is later than that of the last received log, and the first n-1 specific fingerprints in the chained fingerprint contained in the current log are the same as the last n-1 specific fingerprints in the chained fingerprint contained in the last received log, determining again that the current log has not been tampered with, and otherwise determining that the current log has been tampered with.
3. The method of claim 2, wherein after again determining that the current log has not been tampered with, further comprising:
receiving the next log after the current log as the target log, and obtaining the specific fingerprint of the target log;
if the specific fingerprint of the target log is the same as the 2nd specific fingerprint in the chained fingerprint contained in the current log, finally determining that the current log has not been tampered with, and otherwise determining that the current log has been tampered with.
4. The method of claim 3, wherein after determining that the currently received log is the current log, further comprising:
if the current log is the first or the last of a plurality of continuously received logs, determining that the current log does not need to be checked; otherwise, executing the step of obtaining the specific fingerprint of the current log, which is contained in the current log and was computed before the sending end sent it.
5. The method of claim 4, wherein after obtaining the specific fingerprint and the chain fingerprint of the current log, further comprising:
storing the specific fingerprint of the current log and the other specific fingerprints in the chained fingerprint in memory using a balanced binary tree, so that they can be looked up when needed.
6. The method of claim 5, further comprising:
after any log is received, collecting that log into a log pool;
and, correspondingly, after determining whether the current log has been tampered with, the method further comprises:
if the current log is finally determined not to have been tampered with, moving the current log from the log pool to a specified storage location, and otherwise deleting the current log from the log pool.
7. The method of claim 6, further comprising, after determining that the current log has been tampered with:
returning to the sending end the information that the current log failed the check.
8. A log verifying apparatus, comprising:
an acquisition module to: determining the currently received log as a current log, and acquiring a specific fingerprint of the current log, which is contained in the current log and is acquired before the sending end sends the current log; the specific fingerprint of any log is obtained by calculating the log;
a first verification module to: and calculating the current log to obtain a corresponding specific fingerprint, if the specific fingerprint obtained by calculating the current log is the same as the specific fingerprint contained in the current log, preliminarily determining that the current log is not tampered, and otherwise, determining that the current log is tampered.
9. A log verification device, comprising:
a memory for storing a computer program;
a processor for implementing the steps of the log checking method according to any one of claims 1 to 7 when executing the computer program.
10. A computer-readable storage medium, having stored thereon a computer program which, when being executed by a processor, carries out the steps of the log check method according to any one of claims 1 to 7.
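The chained-fingerprint check described above for the obtaining module, the first, second and third verification modules, the storage module and the log pool, and claimed in claims 1 to 7, as an added worked example; this is not code from the patent or from its applicant. The text leaves the fingerprint function open ("obtained by calculating the log"), so the example assumes an HMAC-SHA256 under a key shared by sender and receiver, computed over the timestamp together with the log content: an unkeyed hash could be recomputed by anyone able to alter a log in transit, leaving only the chain checks to catch the change. The example compares the whole overlap between consecutive chained fingerprints (n entries when a chain holds the record's own fingerprint plus those of its n successors); the text counts the overlapping entries as n-1. A sorted list stands in for the balanced binary tree of the storage module. The key, record bodies, timestamps, n=2 and all names are constructed for the demonstration. Four streams are run: a clean one; a record edited without the key (caught by check 1); a record edited by someone holding the key who recomputes its fingerprint and its own chain entry (the neighbours' chains still pin the original, so checks 3 and 2 catch it); and a stream with one record deleted (both neighbours of the gap fail, which is the verdict the text prescribes).

```python
"""Added example of the chained-fingerprint log check described in the text.
A record carries a timestamp, the fingerprint of its content, and a chain: its own
fingerprint followed by those of the next n records. The receiver checks (1) the
recomputed fingerprint matches the embedded one, (2) the timestamp is later than the
previous record's and the chain overlaps the previous chain, (3) the successor's
fingerprint equals the chain's 2nd entry. First and last records are exempt.
Assumption not fixed by the text: fingerprint = HMAC-SHA256(key, timestamp || body)."""
import bisect, hashlib, hmac
from dataclasses import dataclass

KEY = b"demo-shared-key"  # constructed; real deployments provision this out of band

def fingerprint(ts: int, body: str, key: bytes = KEY) -> str:
    return hmac.new(key, f"{ts}\n{body}".encode(), hashlib.sha256).hexdigest()

@dataclass
class LogRecord:
    ts: int      # time at which the sending end sent the record
    body: str
    fp: str      # specific fingerprint, over ts and body
    chain: list  # chained fingerprint: [fp, fp(next 1), ..., fp(next n)]

def package(bodies, n=2, t0=1000):
    """Sender side: needs n records of lookahead, so the tail carries shorter chains."""
    fps = [fingerprint(t0 + i, b) for i, b in enumerate(bodies)]
    return [LogRecord(t0 + i, b, fps[i], fps[i:i + n + 1]) for i, b in enumerate(bodies)]

class Receiver:
    def __init__(self, key=KEY):
        self.key = key
        self.pool = {}        # log pool: records without a final verdict, keyed by fp
        self.prev = None      # last received record, whatever its verdict
        self.pending = None   # passed checks 1-2, waiting for its successor (check 3)
        self.seen = []        # sorted fingerprints; stands in for the balanced BST
        self.archive = []     # finally verified records (the specified storage)
        self.rejected = []    # (record, reason); the reason is fed back to the sender

    def known(self, fp):
        i = bisect.bisect_left(self.seen, fp)
        return i < len(self.seen) and self.seen[i] == fp

    def _accept(self, rec):
        self.archive.append(self.pool.pop(rec.fp, rec))

    def _reject(self, rec, reason):
        self.pool.pop(rec.fp, None)
        self.rejected.append((rec, reason))

    def _checks_1_2(self, rec, prev):
        if fingerprint(rec.ts, rec.body, self.key) != rec.fp:
            return "fingerprint mismatch"
        if rec.ts <= prev.ts:
            return "timestamp not later than previous record"
        if rec.chain[:len(prev.chain) - 1] != prev.chain[1:]:  # whole overlap
            return "chain does not overlap previous record's chain"
        return None

    def receive(self, rec):
        self.pool[rec.fp] = rec
        for f in rec.chain:
            if not self.known(f):
                bisect.insort(self.seen, f)
        if self.pending is not None:  # check 3 on the record that was waiting
            if len(self.pending.chain) > 1 and self.pending.chain[1] == rec.fp:
                self._accept(self.pending)
            else:
                self._reject(self.pending, "successor fingerprint mismatch")
            self.pending = None
        if self.prev is None:         # first record of the stream: exempt
            self._accept(rec)
        else:
            reason = self._checks_1_2(rec, self.prev)
            if reason is None:
                self.pending = rec
            else:
                self._reject(rec, reason)
        self.prev = rec

    def close(self):
        """End of stream: the last record is exempt from check 3."""
        if self.pending is not None:
            self._accept(self.pending)
            self.pending = None

def verify_stream(records, key=KEY):
    """Return (archived bodies, [(body, reason) for rejected records])."""
    rx = Receiver(key)
    for r in records:
        rx.receive(r)
    rx.close()
    return [r.body for r in rx.archive], [(r.body, why) for r, why in rx.rejected]

BODIES = [f"2020-12-10T10:00:0{i} host sshd[42]: event {i}" for i in range(5)]  # constructed

def demo():
    edited = package(BODIES)                 # edited in transit without the key: check 1
    edited[2].body += " (edited)"
    insider = package(BODIES)                # edited with the key, fp and own chain entry
    insider[2].body += " (edited)"           # recomputed: the neighbours' chains still
    insider[2].fp = fingerprint(insider[2].ts, insider[2].body)  # pin the original, so
    insider[2].chain[0] = insider[2].fp      # check 3 (on B) and check 2 (on C) fire
    dropped = package(BODIES)                # one record deleted: both neighbours fail
    del dropped[3]
    return {name: verify_stream(recs) for name, recs in [("clean", package(BODIES)),
            ("edited", edited), ("insider", insider), ("dropped", dropped)]}
```

demo() returns, per stream, the archived bodies and the rejected (body, reason) pairs; the reason string is what the feedback module would return to the sending end. Two consequences are worth noting: deleting a record condemns both of its neighbours rather than naming the missing record, and the last record is accepted on close() without the successor check, as the text exempts it, so a receiver that cannot tell a pause in the stream from its end should not rely on that exemption.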
Application CN202011434975.7A, "Log checking method, device, equipment and storage medium": priority date 2020-12-10, filing date 2020-12-10, listed as pending.

Publication: CN112506884A (en), published 2021-03-16.

Family ID: 74970427 (one family application, CN202011434975.7A).

Country status: CN, CN112506884A (en).

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104714878A (en) * 2013-12-11 2015-06-17 阿里巴巴集团控股有限公司 Method and device for collecting log data
CN107609874A (en) * 2017-10-09 2018-01-19 恒宝股份有限公司 Transaction log data verification method and verification system
CN109902071A (en) * 2019-01-31 2019-06-18 阿里巴巴集团控股有限公司 Business log storage method, system, device and equipment
CN110019373A (en) * 2019-01-31 2019-07-16 阿里巴巴集团控股有限公司 Hash-based data query method, device and equipment
CN110162964A (en) * 2019-05-29 2019-08-23 中国银行股份有限公司 File tampering check method, apparatus and system
CN110289997A (en) * 2019-06-17 2019-09-27 杭州迪普科技股份有限公司 Log message checking method, apparatus and system
CN110839015A (en) * 2019-10-12 2020-02-25 深圳壹账通智能科技有限公司 Blockchain-based log storage and reading method, device, equipment and medium

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 2021-03-16