CN117251885A - Processing system and method for information system log integrity protection - Google Patents


Publication number: CN117251885A
Authority: CN (China)
Prior art keywords: log, abstract, control center, record, library
Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN202311222435.6A
Other languages: Chinese (zh)
Inventors: 李云亚, 周苏静, 钱小军, 王大为, 王爱青, 陈大文
Current Assignee: Jindun Testing Technology Co ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Jindun Testing Technology Co ltd


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/10 File systems; File servers
    • G06F16/18 File system types
    • G06F16/1805 Append-only file systems, e.g. using logs or journals to store data
    • G06F16/1815 Journaling file systems
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/10 File systems; File servers
    • G06F16/18 File system types
    • G06F16/1873 Versioning file systems, temporal file systems, e.g. file system supporting different historic versions of files
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database


Abstract

The invention provides a processing system and method for protecting the integrity of information system logs. The processing system comprises a control center and an agent connected to the control center. The control center sends a protection policy to the agent, receives log digest records from the agent, and performs initialization synchronization, comparison and update operations on the log digest records. The agent stores the protection policy sent by the control center, reads and selects the log files and record types that require integrity protection, generates log digest records, and sends the control center a request to receive them. The control center and the agent provide program application services through servers: the agent runs on the server that requires log integrity protection, and the control center runs on an independent server. The agent reads the log records that match the protection policy, calls a cryptographic hash algorithm to compute the log digest value, generates the log digest record, and sends it to the control center.

Description

Processing system and method for information system log integrity protection
Technical Field
The invention relates to the technical field of security protection of information systems, in particular to a processing system and a processing method for protecting the integrity of logs of an information system.
Background
In the prior art, blockchain technology has been applied to information system log protection: newly generated log records are stored in a blockchain system, whose cryptographic tamper resistance prevents modification and deletion of the logs. However, this scheme requires changes to the information system, and generating blockchain transaction records involves heavy computation and long delays. Log modifications cannot be monitored in time and can only be found by deep analysis of the blockchain transaction records, so the integrity of the logs is not protected; the scheme is not cost-effective and is impractical.
The prior art can also verify the integrity of logs in an information system by computing digital signatures or MACs with a built-in trusted computing module, cryptographic card, encrypted hard disk or software cryptographic module, or with an external smart cryptographic key or server cryptographic machine. Taking the Tripwire scheme as an example, a digital signature mechanism based on a public-key cryptographic algorithm computes a signature over each important file, stores the signature in a database, and periodically verifies the important file against the stored signature. If verification succeeds, the file has not been modified without authorization; otherwise an unauthorized modification is suspected. This technique is not suitable for log files: unlike static important files, log files change dynamically and are often legitimately modified, so alarms for suspected unauthorized modification are raised very frequently and the expected protection is not achieved.
The prior art also proposes backup and error-correction mechanisms to ensure the integrity of system logs. However, the backup log in such schemes is still at risk of malicious modification by an intruder, and an error-correction mechanism cannot use a private key, so it can only detect unintentional modification during storage and transmission and cannot resist malicious modification by an intruder in the information system: after modifying the log, the intruder can compute a new check code according to the error-correction mechanism. The integrity and security of the log therefore cannot be guaranteed.
Based on the above, the problem to be solved by the invention is how to monitor unauthorized modification and deletion of logs in time, reduce false alarms and provide log integrity protection for the information system.
Disclosure of Invention
According to a first aspect of the object of the present invention, there is provided a processing system for information system log integrity protection, the system comprising a control center and an agent connected to the control center;
the control center is used to send a protection policy to the agent, receive log digest records from the agent, and perform initialization synchronization, comparison and update operations on the log digest records;
the agent is used to store the protection policy sent by the control center, read and select the log files and record types that require integrity protection, generate log digest records, and send the control center a request to receive the log digest records:
the control center and the agent provide program application services through servers, the agent running on the server that requires log integrity protection and the control center running on an independent server; the agent reads the log records that match the protection policy, calls a cryptographic hash algorithm to compute the log digest value, generates the log digest record and sends it to the control center, and the control center receives one or more log digest records from the agent:
the control center detects whether this is the agent's first transmission; if so, it performs the initialization synchronization operation: the control center first clears the agent's log file records from the original log digest library and then stores the received log digest records in the log digest library;
if not, it performs the comparison operation directly: the control center first stores the log digest records in a temporary log digest library and then compares them with the agent's log file records in the original log digest library, as follows:
if log digest header information exists in both the temporary log digest library and the log digest library and the log digest values are inconsistent, the log file has been modified without authorization;
if the log digest header information exists only in the temporary log digest library, the log file is a newly added log, and the update operation is performed;
if the log digest header information exists only in the log digest library, the log file has been deleted without authorization.
Further, performing the initialization synchronization operation specifically includes:
the control center stores the log digest records in the log digest library;
taking the log digest records as leaf nodes, a log digest tree is generated layer by layer;
the value of each leaf node is stored in the log digest library;
and the root node value of the log digest tree is sent to the cryptographic server to obtain a digital signature of the message authentication code, which is stored in the log digest library.
Further, performing the update operation specifically includes:
the control center adds the normal newly added logs to the log digest library and, taking the records of the log digest library as leaf nodes, updates the log digest tree generated layer by layer;
the value of each leaf node is stored in the log digest library;
and the root node value of the log digest tree is updated and sent to the cryptographic server to obtain a digital signature of the message authentication code, which is stored in the log digest library.
Further, the control center is connected at one end to one or more agents and at the other end to the cryptographic server, so that it can send signature requests to the cryptographic server, receive and store signature responses, send signature verification requests and receive signature verification responses.
Further, the control center comprises a policy module. The policy module collects log information from the agent, obtains the protection preferences specified for the agent from the control UI and the configuration file of the control center, computes the digest value of the log records in the agent according to the specified integrity protection algorithm, and generates the log digest record, which contains at least log digest header information and a log digest value.
Further, the control center also comprises an alarm module, which outputs warning information according to the result of the comparison operation and the alarm preferences obtained from the control UI or the configuration file of the control center;
wherein the alarm preferences are unauthorized modification and unauthorized deletion.
According to a second aspect of the object of the present invention, there is provided a processing method for information system log integrity protection, comprising the following steps:
step 1, the control center collects log information from the agent and sends a protection policy, the protection policy including at least the processing time, the name of the log file to be protected or the name of the application requiring log protection, and the type of log record to be protected;
step 2, the agent reads the log records that match the protection policy, calls a cryptographic hash algorithm to compute the log digest value, and generates the log digest record;
step 3, the generated log digest records are sent to the control center, and the control center receives one or more log digest records from the agent:
the control center detects whether this is the agent's first transmission; if so, it performs the initialization synchronization operation: the control center first clears the agent's log file records from the original log digest library and then stores the received log digest records in the log digest library;
if not, it performs the comparison operation directly: the control center first stores the log digest records in a temporary log digest library and then compares them with the agent's log file records in the original log digest library, as follows:
if log digest header information exists in both the temporary log digest library and the log digest library and the log digest values are inconsistent, the log file has been modified without authorization;
if the log digest header information exists only in the temporary log digest library, the log file is a newly added log, and the update operation is performed;
if the log digest header information exists only in the log digest library, the log file has been deleted without authorization.
Compared with the prior art, the invention has the following beneficial effects:
1. The invention generates a protection policy and corresponding alarm preferences through the intelligent policy module and the intelligent alarm module arranged in the control center, and, in combination with the stored log digest tree, distinguishes unauthorized modification, unauthorized deletion and normal newly added log records.
2. In real-time application, the invention can identify and distinguish normal updates from unauthorized modification and deletion of logs, reducing the false alarm rate, ensuring that the information system meets the basic requirements of the national standard for cryptographic application, providing log integrity protection for the information system and improving information security and reliability.
3. The method reduces false alarms while monitoring unauthorized modification and deletion of logs in time, has a low implementation cost and high efficiency, and improves the value of practical application.
It should be understood that all combinations of the foregoing concepts, as well as additional concepts described in more detail below, may be considered a part of the inventive subject matter of the present disclosure as long as such concepts are not mutually inconsistent. In addition, all combinations of claimed subject matter are considered part of the disclosed inventive subject matter.
The foregoing and other aspects, embodiments, and features of the present teachings will be more fully understood from the following description, taken together with the accompanying drawings. Other additional aspects of the invention, such as features and/or advantages of the exemplary embodiments, will be apparent from the description which follows, or may be learned by practice of the embodiments according to the teachings of the invention.
Drawings
The drawings are not intended to be drawn to scale. In the drawings, each identical or nearly identical component that is illustrated in various figures may be represented by a like numeral. For purposes of clarity, not every component may be labeled in every drawing. Embodiments of various aspects of the invention will now be described, by way of example, with reference to the accompanying drawings.
FIG. 1 is a schematic diagram of a system module configuration according to the present invention;
FIG. 2 is a schematic diagram of a control center and proxy processing flow in accordance with the present invention;
FIG. 3 is a schematic diagram of the present invention for computing the digest value of a root node;
FIG. 4 is a schematic diagram of calculating a cryptographic digest value corresponding to a proxy according to the present invention.
Detailed Description
For a better understanding of the technical content of the present invention, specific examples are set forth below, along with the accompanying drawings.
Aspects of the invention are described in this disclosure with reference to the drawings, in which are shown a number of illustrative embodiments. The embodiments of the present disclosure are not necessarily intended to include all aspects of the invention. It should be understood that the various concepts and embodiments described above, as well as those described in more detail below, may be implemented in any of a number of ways, as the disclosed concepts and embodiments are not limited to any implementation. Additionally, some aspects of the disclosure may be used alone or in any suitable combination with other aspects of the disclosure.
Important information in an information system mostly relies on cryptographic techniques to ensure the integrity of log records and prevent unauthorized modification and deletion. For example, important audit log information, system resource access control information and sensitivity labels of important information resources are protected by a message authentication code (MAC) mechanism based on a symmetric cryptographic algorithm or a cryptographic hash algorithm, or by a digital signature mechanism based on a public-key cryptographic algorithm. However, the problem of insufficient log integrity protection in the prior art remains. In view of this, this embodiment provides a processing system for information system log integrity protection to solve the problem.
Referring to fig. 1 and 2, a processing system for information system log integrity protection includes a control center and an agent connected to the control center, the control center and the agent providing program application services through servers, wherein: the agent runs on a server requiring log integrity protection, and the control center runs on an independent server.
In one embodiment, the agent runs on an application server.
In another embodiment, the agent runs on a log server.
As an example, the control center is configured to send a protection policy to the agent, receive log digest records from the agent, and perform initialization synchronization, comparison and update operations on the log digest records.
As an example, the agent is configured to store the protection policy sent by the control center, read and select the log files and record types that require integrity protection, generate log digest records, and send the control center a request to receive the log digest records.
In an embodiment of the invention, the control center comprises a policy module and an alarm module, wherein: the policy module collects log information from the agent, obtains the protection preferences specified for the agent from the control UI and the configuration file of the control center, computes the digest value of the log records in the agent according to the specified integrity protection algorithm, and generates the log digest record, which contains at least log digest header information and a log digest value; and the alarm module outputs alarm information according to the result of the comparison operation and the alarm preferences obtained from the control UI or the configuration file of the control center.
As an example, the alarm preferences are set to unauthorized modification and unauthorized deletion.
By way of example, the collected log information contains at least the generation time of the new log, the program module type and the severity of the new log.
As an example, the protection preferences specified for the agent include at least the protection level, the protection content and the integrity protection algorithm used.
It should be noted that the protection policy sent by the control center includes, but is not limited to, the processing time, the name of the log file to be protected, the name of the application requiring log protection, and the type of log record to be protected, such as the program module (Facility) and the severity (Level) of the log record.
In one embodiment, the processing time may be set to a periodic time, such as 00:00 every day.
In yet another embodiment, the processing time may be set to an event-driven time, such as the moment a new log is generated.
As an optional embodiment, at the set processing time the agent reads the log files that require integrity protection according to the protection policy, selects the record types that require integrity protection, reads the log records that match the protection policy, and computes the corresponding digest value with a cryptographic hash algorithm to generate a log digest record.
As an example, the log digest record contains at least log digest header information and a log digest value.
In alternative embodiments, the log digest header information includes, but is not limited to, a log file name (FileName), a log sequence number (Seq), a log digest value.
In alternative embodiments, the log sequence number includes, but is not limited to, a custom sequence number, the time of the log record itself, or a timestamp.
Referring to fig. 2, it should be noted that the control center is connected at one end to one or more agents and at the other end to the cryptographic server, so as to send signature requests to the cryptographic server, receive and store signature responses, send signature verification requests and receive signature verification responses.
In an alternative embodiment, signature verification may be performed with a message authentication code algorithm or a public-key digital signature verification algorithm, which verifies whether the message (e.g. H in fig. 2) and the signature (e.g. Sig in fig. 2) match. This solves the problem that the error-correction mechanism cannot use a private key, and improves the security and reliability of the processing system.
Preferably, in the embodiment of the present invention, the agent reads the log records that match the protection policy, calls the cryptographic hash algorithm to compute the log digest value, generates the log digest record and sends it to the control center, and the control center receives one or more log digest records from the agent:
the control center detects whether this is the agent's first transmission; if so, it performs the initialization synchronization operation: the control center first clears the agent's log file records from the original log digest library and then stores the received log digest records in the log digest library;
if not, it performs the comparison operation directly: the control center first stores the log digest records in a temporary log digest library and then compares them with the agent's log file records in the original log digest library, as follows:
if log digest header information exists in both the temporary log digest library and the log digest library and the log digest values are inconsistent, the log file has been modified without authorization;
if the log digest header information exists only in the temporary log digest library, the log file is a newly added log, and the update operation is performed;
if the log digest header information exists only in the log digest library, the log file has been deleted without authorization.
Preferably, the embodiment of the invention also provides a processing method for information system log integrity protection, comprising the following steps:
step 1, the control center collects log information from the agent and sends a protection policy, the protection policy including at least the processing time, the name of the log file to be protected or the name of the application requiring log protection, and the type of log record to be protected;
step 2, the agent reads the log records that match the protection policy, calls the cryptographic hash algorithm to compute the log digest value, and generates the log digest record;
step 3, the generated log digest records are sent to the control center, and the control center receives one or more log digest records from the agent:
the control center detects whether this is the agent's first transmission; if so, it performs the initialization synchronization operation: the control center first clears the agent's log file records from the original log digest library and then stores the received log digest records in the log digest library;
if not, it performs the comparison operation directly: the control center first stores the log digest records in a temporary log digest library and then compares them with the agent's log file records in the original log digest library, as follows:
if log digest header information exists in both the temporary log digest library and the log digest library and the log digest values are inconsistent, the log file has been modified without authorization;
if the log digest header information exists only in the temporary log digest library, the log file is a newly added log, and the update operation is performed;
if the log digest header information exists only in the log digest library, the log file has been deleted without authorization.
Further, performing the initialization synchronization operation specifically includes:
the control center stores the log digest records in the log digest library;
taking the log digest records as leaf nodes, a log digest tree is generated layer by layer;
the value of each leaf node is stored in the log digest library;
and the root node value of the log digest tree is sent to the cryptographic server to obtain a digital signature of the message authentication code, which is stored in the log digest library.
As an example, referring to fig. 3, the log digest records with the same FileName are taken as leaf nodes and concatenated to compute the cryptographic digest value of that file; the digest values H1, H2, …, Hk of the multiple files are then concatenated to compute the digest value H of the root node (i.e., the root node value in this embodiment).
Still further, performing the update operation specifically includes:
the control center adds the normal newly added logs to the log digest library and, taking the records of the log digest library as leaf nodes, updates the log digest tree generated layer by layer;
the value of each leaf node is stored in the log digest library;
and the root node value of the log digest tree is updated and sent to the cryptographic server to obtain a digital signature of the message authentication code, which is stored in the log digest library.
As an example, referring to fig. 4, the log digest records with the same FileName are added to the log digest tree one by one as leaf nodes, the cryptographic digest values H1, …, Hk corresponding to the files are computed, and these are then concatenated to compute the cryptographic digest value H corresponding to the agent (i.e., the root node value in this embodiment).
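The comparison, update and digest-tree steps described above, sketched in Python as an added example that is not code from the patent. It assumes SHA-256 as the cryptographic hash, a local HMAC key standing in for the cryptographic server, explicit sequence numbers as Seq, and a root check before each comparison; the names `ControlCenter`, `digest_records`, `compare` and `root_digest` and the sample log lines are constructed for illustration.

```python
import hashlib
import hmac

# Assumption: a local HMAC key stands in for the cryptographic server.
SERVER_KEY = b"constructed-demo-key"

# Constructed sample log records, keyed by sequence number (Seq).
DAY1 = {
    1: "Jan 10 10:00:01 host sshd[811]: Accepted publickey for alice",
    2: "Jan 10 10:05:12 host sudo: alice : COMMAND=/usr/bin/id",
    3: "Jan 10 10:07:40 host sshd[811]: session closed for alice",
}


def digest_records(file_name, entries):
    """Agent: map each (FileName, Seq) header to the SHA-256 of its record."""
    return {(file_name, seq): hashlib.sha256(line.encode()).hexdigest()
            for seq, line in entries.items()}


def compare(library, incoming):
    """Control center: classify incoming headers against the stored library."""
    return {
        "modified": sorted(k for k in incoming
                           if k in library and incoming[k] != library[k]),
        "added": sorted(k for k in incoming if k not in library),
        "deleted": sorted(k for k in library if k not in incoming),
    }


def root_digest(library):
    """Two-level digest tree: records -> per-file H1..Hk -> root H."""
    per_file = {}
    for file_name, seq in sorted(library):
        leaf = f"{file_name}|{seq}|{library[(file_name, seq)]}\n".encode()
        per_file.setdefault(file_name, hashlib.sha256()).update(leaf)
    root = hashlib.sha256()
    for file_name in sorted(per_file):
        root.update(per_file[file_name].digest())
    return root.hexdigest()


def sign_root(root_hex):
    """Stand-in for the signature request sent to the cryptographic server."""
    return hmac.new(SERVER_KEY, root_hex.encode(), hashlib.sha256).hexdigest()


class ControlCenter:
    def __init__(self):
        self.library = {}    # agent id -> {(FileName, Seq): digest}
        self.signature = {}  # agent id -> MAC over the root digest

    def library_intact(self, agent_id):
        """Recompute the root and check it against the stored MAC."""
        expected = sign_root(root_digest(self.library[agent_id]))
        return hmac.compare_digest(expected, self.signature[agent_id])

    def receive(self, agent_id, incoming):
        # Assumption: the stored library is verified before every comparison.
        if agent_id in self.signature and not self.library_intact(agent_id):
            raise ValueError("digest library failed root verification")
        # First transmission: the library is empty, so every record is stored.
        library = self.library.setdefault(agent_id, {})
        result = compare(library, incoming)
        # Only normal additions update the library; modified and deleted
        # records keep their stored digests so they are reported every cycle.
        for key in result["added"]:
            library[key] = incoming[key]
        self.signature[agent_id] = sign_root(root_digest(library))
        return result


def run_demo():
    """Three reporting cycles: initial sync, normal growth, then tampering."""
    cc = ControlCenter()
    first = cc.receive("agent-1", digest_records("auth.log", DAY1))
    grown = {**DAY1, 4: "Jan 10 11:00:00 host cron[90]: job started"}
    second = cc.receive("agent-1", digest_records("auth.log", grown))
    # Record 2 rewritten and record 3 removed on the protected server.
    tampered = {1: grown[1], 4: grown[4],
                2: "Jan 10 10:05:12 host sudo: bob : COMMAND=/usr/bin/id"}
    third = cc.receive("agent-1", digest_records("auth.log", tampered))
    return cc, first, second, third


if __name__ == "__main__":
    for result in run_demo()[1:]:
        print(result)
```

Because appended records appear only as new headers, normal log growth raises no alarm, while a rewritten or missing record is reported on every cycle until an operator resolves it.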
Preferably, the invention generates the protection policy and the corresponding alarm preferences through the intelligent policy module and the intelligent alarm module arranged in the control center, and, in combination with the stored log digest tree, distinguishes unauthorized modification, unauthorized deletion and normal newly added log records, thereby reducing the false alarm rate, ensuring that the information system meets the basic requirements of the national standard for cryptographic application, providing log integrity protection for the information system and improving information security and reliability.
The hash algorithm and the digest value calculation method used for log protection can be implemented with existing techniques and are not described in detail in this example.
While the invention has been described with reference to preferred embodiments, it is not intended to be limiting. Those skilled in the art will appreciate that various modifications and adaptations can be made without departing from the spirit and scope of the present invention. Accordingly, the scope of the invention is defined by the appended claims.

Claims (7)

1. A processing system for protecting the integrity of an information system log, which is characterized by comprising a control center and a proxy end connected with the control center;
the control center is used for sending a protection strategy to the proxy end, receiving a log abstract record from the proxy end, and carrying out initialization synchronization, comparison and update operation on the log abstract record;
the proxy end is used for storing the protection strategy sent by the control center, reading and selecting the log files and record types needing integrity protection, generating a log abstract record, and sending the control center a request to receive the log abstract record;
the control center and the proxy end each provide program application services through a server, the proxy end running on the server that needs log integrity protection and the control center running on an independent server; log records conforming to the protection strategy are read through the proxy end, a cryptographic hash algorithm is invoked to calculate a log abstract value, and the log abstract record is generated and sent to the control center, and the control center receives one or more log abstract records from the proxy end:
the control center detects whether the proxy end is transmitting for the first time; if yes, the initialization synchronization operation is executed, in which the control center first empties the log file records of the proxy end in the original log abstract library and then stores the received log abstract records into the log abstract library;
if not, the comparison operation is executed directly, in which the control center first stores the log abstract record in a temporary log abstract library and then compares it with the log file records of the proxy end in the original log abstract library, as follows:
if the log abstract header information exists in both the temporary log abstract library and the log abstract library and the log abstract values are inconsistent, the log file has been modified without authorization;
if the log abstract header information exists only in the temporary log abstract library, the log file is a newly added log, and an update operation is executed;
if the log abstract header information exists only in the log abstract library, the log file has been deleted without authorization.
2. The processing system for information system log integrity protection of claim 1, wherein performing the initialization synchronization operation comprises:
the control center stores the log abstract record in a log abstract library;
taking the log abstract record as a leaf node, and generating a log abstract tree layer by layer;
storing the value of each leaf node in the log abstract library;
and transmitting the root node value of the log abstract tree to a cryptographic server to obtain a digital signature of the message authentication code, and storing the digital signature in the log abstract library.
3. The processing system for information system log integrity protection of claim 1, wherein performing the update operation comprises:
the control center adds the normally added log to the log abstract library, and updates the log abstract tree generated layer by layer, taking the log abstract library as leaf nodes;
storing the value of each leaf node in the log abstract library;
and updating the root node value of the log abstract tree, sending the root node value to a cryptographic server, obtaining a digital signature of the message authentication code, and storing the digital signature in the log abstract library.
4. A processing system for information system log integrity protection according to claim 2 or 3, wherein one end of the control center is connected to one or more proxy ends, and the other end of the control center is connected to the cryptographic server, for sending signature requests to the cryptographic server, receiving signature responses, storing signature responses, sending signature verification requests, receiving signature verification responses.
5. The system of claim 4, wherein the control center includes a policy module for collecting log information from the agent, obtaining the protection preferences specified for the agent from a control UI or a configuration file of the control center, and generating a log abstract record by calculating abstract values of the log records in the agent according to a specified integrity protection algorithm, the log abstract record including at least log abstract header information and the log abstract value.
6. The processing system for information system log integrity protection as claimed in claim 4, wherein the control center further comprises an alarm module for outputting a warning message according to the result of the comparison operation and an alarm preference obtained from a control UI or a configuration file of the control center;
wherein the alarm preference is unauthorized modification and unauthorized deletion.
7. A processing method based on the processing system for information system log integrity protection according to any one of claims 1 to 6, characterized by comprising the steps of:
step 1, a control center collects log information from an agent end and sends a protection strategy, wherein the protection strategy at least comprises processing time, a log file name to be protected or an application name needing log protection and a log record type to be protected;
step 2, the agent reads the log records conforming to the protection strategy, invokes a cryptographic hash algorithm to calculate a log abstract value, and generates the log abstract records;
step 3, the generated log abstract records are sent to the control center, and the control center receives one or more log abstract records from the agent end:
the control center detects whether the proxy end is transmitting for the first time; if yes, the initialization synchronization operation is executed, in which the control center first empties the log file records of the proxy end in the original log abstract library and then stores the received log abstract records into the log abstract library;
if not, the comparison operation is executed directly, in which the control center first stores the log abstract record in a temporary log abstract library and then compares it with the log file records of the agent end in the original log abstract library, as follows:
if the log abstract header information exists in both the temporary log abstract library and the log abstract library and the log abstract values are inconsistent, the log file has been modified without authorization;
if the log abstract header information exists only in the temporary log abstract library, the log file is a newly added log, and an update operation is executed;
if the log abstract header information exists only in the log abstract library, the log file has been deleted without authorization.
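
The comparison operation of claim 1 and the signed log abstract tree of claims 2 and 3, sketched as an added example that is not part of the patent text. Assumptions: SHA-256 stands in for the hash algorithm named by the protection strategy, a local HMAC key stands in for the cryptographic server, the header layout (agent, file, record index) and all function names are hypothetical, and the log lines are constructed.

```python
import hashlib
import hmac

def digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()  # stand-in for the policy's hash algorithm

def make_records(agent, log_file, lines):
    # Agent side. Header = (agent, file, record index) is an assumed layout.
    return {(agent, log_file, i): digest(l.encode()) for i, l in enumerate(lines)}

def compare(library, temp):
    # Control-center comparison of the stored library with the temporary one.
    modified = sorted(h for h in library.keys() & temp.keys() if library[h] != temp[h])
    added = sorted(temp.keys() - library.keys())
    deleted = sorted(library.keys() - temp.keys())
    return modified, added, deleted

def tree_root(library):
    # Leaves are the records in header order; the 0x00/0x01 prefixes keep
    # leaf hashes and inner-node hashes in separate domains.
    level = [digest(b"\x00" + repr(h).encode() + v) for h, v in sorted(library.items())]
    if not level:
        return digest(b"")
    while len(level) > 1:
        nxt = [digest(b"\x01" + level[i] + level[i + 1]) for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:
            nxt.append(level[-1])  # an unpaired node is promoted unchanged
        level = nxt
    return level[0]

def sign_root(library, key):
    # Local HMAC stands in for the cryptographic server's signing response.
    return hmac.new(key, tree_root(library), hashlib.sha256).digest()

def verify_library(library, tag, key):
    return hmac.compare_digest(sign_root(library, key), tag)

def update(library, temp, added, key):
    # Update operation: only records classified as newly added are merged.
    library.update({h: temp[h] for h in added})
    return sign_root(library, key)

KEY = b"constructed-demo-key"
LINES = ["09:00 login alice", "09:05 sudo alice", "09:10 logout alice"]  # constructed

if __name__ == "__main__":
    lib = make_records("agent-1", "auth.log", LINES)
    grown = make_records("agent-1", "auth.log", LINES + ["09:15 login carol"])
    print(compare(lib, grown))
```

Because the signature covers the tree root, a change made directly to a stored abstract value in the library fails `verify_library` even when no new records arrive from the agent.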

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311222435.6A CN117251885A (en) 2023-09-20 2023-09-20 Processing system and method for information system log integrity protection

Publications (1)

Publication Number Publication Date
CN117251885A true CN117251885A (en) 2023-12-19

Family

ID=89136370

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311222435.6A Pending CN117251885A (en) 2023-09-20 2023-09-20 Processing system and method for information system log integrity protection

Country Status (1)

Country Link
CN (1) CN117251885A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination