CN117472868B - Method for realizing log integrity assurance based on HMAC algorithm

Info

Publication number
CN117472868B
Authority
CN (China)
Prior art keywords
log, real, file, log data, time
Legal status
Active
Application number
CN202311200265.1A
Other languages
Chinese (zh)
Other versions
CN117472868A (en)
Inventor
尹旭
邓斌
庄恩贵
Current Assignee
Beijing Jingan Yun Xin Technology Co ltd
Original Assignee
Beijing Jingan Yun Xin Technology Co ltd

Classifications

    • G06F16/1815 Journaling file systems (G06F16/1805 Append-only file systems, e.g. using logs or journals to store data)
    • G06F16/1805 Append-only file systems, e.g. using logs or journals to store data
    • G06F11/1448 Management of the data involved in backup or backup restore (G06F11/1446 Point-in-time backing up or restoration of persistent data)
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures (G06F21/60 Protecting data)
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management


Abstract

The invention relates to the technical field of artificial intelligence, in particular to a method for realizing the assurance of log integrity based on an HMAC algorithm, which comprises the following steps: S1, reading log data; S2, recording and unloading log data; and S3, detecting log data. According to the invention, the controller reads the appendable file in a segmented manner to obtain second log data, the algorithm calculates an initial HMAC value when the second log data is read, the detector carries out HMAC value period verification on the log data of the log database in a preset detection period, when any target log file is read the real-time HMAC value is compared with the initial HMAC value, the detector judges whether the log data at the matched byte position is modified or not, the second register stores each log data so that a modified file is recovered in time and the integrity of the log data is ensured, and the preset detection period is corrected according to the real-time append frequency and the real-time append count, reducing redundant detections.

Description

Method for realizing log integrity assurance based on HMAC algorithm
Technical Field
The invention relates to the technical field of artificial intelligence, in particular to a method for realizing log integrity assurance based on an HMAC algorithm.
Background
The log is an important tool in service operation and maintenance: the running state of the service and its existing problems can be known through the log, and abnormalities in the service system can be found timely and reliably by analyzing the integrity of the log. However, existing methods can only determine the integrity of a non-appendable log file; the integrity of an appendable log file is difficult to ensure, and if the system is attacked or maliciously invaded, the existing methods can only detect the attack process and the integrity of the detected log and cannot recover the tampered log file. A method for ensuring the integrity of the log is therefore needed to overcome or alleviate these defects and limitations.
Chinese patent publication No. CN111444519a discloses a method for protecting the integrity of log data and a computer system implementing the method; its technical point is that secret information unknown to a first logic circuit is used to generate a protected log data element at a second logic circuit. The existing method for guaranteeing log integrity therefore lacks both the process of storing the log into a log database and the periodic detection of the log storage state, so the modified log file cannot be determined, the modified content cannot be restored in time, and the integrity of the appendable log file cannot be guaranteed.
Disclosure of Invention
Therefore, the invention provides a method for realizing the guarantee of log integrity based on the HMAC algorithm, which is used for solving the problem that the integrity of an appendable file is difficult to guarantee in the prior art.
To achieve the above object, the present invention provides a method for implementing log integrity assurance based on HMAC algorithm, including,
Step S1, the mode in which a target log file is opened is read and whether the target log file is appendable is determined; whether the appendable target log file is to be segmented is determined according to the standard byte count, a plurality of target log entries are obtained, the segmented target log file is read in segments, the target log file that is not segmented is read as a whole to obtain the corresponding second log data, and the second log data is transferred to a second register from which it can be restored;
step S2, calculating an initial HMAC value corresponding to each target log entry, recording log storage data of each target log entry, and transferring each log storage data to a first register, wherein any log storage data comprises a read file starting index, a read file ending index and an initial HMAC value;
And S3, when any target log file is read and second log data is generated through the controller, the detector compares the real-time HMAC value of the matched byte position with the initial HMAC value, judges the real-time accumulated HMAC value against the standard HMAC value after the second log data is stored at the matched byte position in the log database, performs additional HMAC value verification on the target log file, performs HMAC value period verification on the stored log data in the log database in a preset detection period, and corrects the preset detection period according to the real-time append frequency and the real-time append count.
Further, in the step S1, the mode of opening the file is read by the controller, and whether the target log file is appendable is judged according to the mode of opening the file,
If the target log file is an appendable file, the controller judges the real-time byte number according to the standard byte number to determine whether to segment the appendable target log file;
If the target log file is a non-appendable file, the controller reads the target log file, generates first log data, inputs the first log data into the log database to be stored and recorded as stored log data, inputs the stored log data into the second register for transfer storage, calculates the initial HMAC value of the first log data through the algorithm, transmits the initial HMAC value to the first register for storage, and performs HMAC value period verification on the first log data by having the detector acquire the corresponding initial HMAC value stored in the first register.
Further, the controller is internally provided with a standard byte number, when the controller judges that the target log file is an appendable file, the controller obtains the real-time byte number of the target log file, judges the real-time byte number according to the standard byte number,
If the real-time byte number is smaller than or equal to the standard byte number, the controller does not cut the target log file, and integrally reads the target log file to generate second log data;
and if the real-time byte number is greater than the standard byte number, the controller segments the target log file to obtain a plurality of target log entries and generate a plurality of second log data.
Further, for any second log data, the initial HMAC value of the second log data is calculated by the algorithm, the initial HMAC value together with the read file start index and read file end index corresponding to each target log entry is transmitted by the controller to the first register for storage, the second log data is transmitted to the second register for transfer storage and marked as the repeated log data corresponding to that second log data, and the detector performs HMAC value period verification and additional HMAC value verification on the second log data by acquiring the corresponding initial HMAC value stored in the first register.
Further, in the step S3, when any target log file is read by the controller and the corresponding second log data is generated, the detector obtains from the first register the initial HMAC value, the read file start index and the read file end index of the second log data, calculates the matching byte position of the target log file according to the read file start index and the read file end index, calculates the real-time HMAC value of the second log data, and compares the initial HMAC value with the real-time HMAC value to perform additional HMAC value verification on the target log file,
If the real-time HMAC value is equal to the initial HMAC value, the detector determines that the underlying log data at the matching byte location is unmodified and stores the second log data at the matching byte location in the log database;
If the real-time HMAC value is not equal to the initial HMAC value, the detector judges that the basic log data at the matched byte position is modified, deletes the basic log data, acquires from the second register the repeated log data at the same position as the matched byte position, transmits the repeated log data to the matched byte position for data recovery processing, and stores the second log data at the matched byte position in the log database;
wherein the matching byte position is equal to the read file end index minus the read file start index plus one.
Further, after storing the second log data at the matching byte position in the log database, the detector performs a current log integrity check on the real-time accumulated data: it obtains the real-time HMAC value of the log basic data as the basic HMAC value, obtains the initial HMAC value of the second log data, takes the sum of the basic HMAC value and the initial HMAC value as the standard HMAC value, has the algorithm calculate the real-time accumulated HMAC value of the real-time accumulated data, and judges the real-time accumulated HMAC value against the standard HMAC value to perform additional HMAC value verification on the target log file,
If the real-time accumulated HMAC value is equal to the standard HMAC value, the detector judges that the data in the second log data storage process is modified, the second log data is deleted in a log database, and the corresponding repeated log data is acquired from the second register and is transmitted to a matched byte position for data recovery processing;
if the real-time accumulated HMAC value is not equal to the standard HMAC value, the detector determines that the data of the second log data storage process is not modified and does not delete the second log data in the log database.
Further, the detector is provided with a standard append count, and when the detector determines that the target log file is an appendable file, the detector acquires the real-time append count of the appendable file and judges the real-time append count against the standard append count,
If the real-time append count is smaller than or equal to the standard append count, the detector does not correct the preset detection period;
If the real-time append count is greater than the standard append count, the detector further judges the real-time append frequency against the standard append frequency to determine whether to correct the preset detection period.
Further, a standard append frequency is set in the detector; when the detector judges that the real-time append count is greater than the standard append count, the detector acquires the real-time append frequency of the appendable file in the preset detection period and judges the real-time append frequency against the standard append frequency,
If the real-time append frequency is smaller than or equal to the standard append frequency, the detector does not correct the preset detection period;
And if the real-time append frequency is greater than the standard append frequency, the detector corrects the preset detection period according to the real-time append frequency and the real-time append count.
Further, in the step S3, the detector performs HMAC value period verification on each stored log data in the log database in the preset detection period: it obtains the initial HMAC value corresponding to each stored log data from the first register, calculates the real-time HMAC value corresponding to each stored log data in the preset detection period, and if a real-time HMAC value differs from the corresponding initial HMAC value, obtains the corresponding repeated data from the second register and transmits it to the log database for data recovery processing;
The stored log data comprises the first log data and the second log data, and the repeated data comprises the first log data and the second log data correspondingly input into the second register for transfer storage.
Further, the detector is internally provided with a real-time clock and a standard clearing period; the real-time clock timestamps each item of repeated log data when it is stored in the second register, the detector acquires the real-time clearing period of any item of repeated log data, and the real-time clearing period is judged against the standard clearing period,
If the real-time clearing period is smaller than the standard clearing period, the detector does not delete the repeated log data stored in the second register;
And if the real-time clearing period is greater than or equal to the standard clearing period, the detector deletes the repeated log data stored in the second register.
Compared with the prior art, the method has the advantages that the controller reads the appendable file in a segmented mode to obtain second log data, the algorithm calculates an initial HMAC value when the second log data is read, the detector detects the integrity of the log data of the log database in a preset detection period, when any target log file is read the real-time HMAC value is compared with the initial HMAC value, the detector judges whether the log data at the matched byte position is modified or not, the second log data is stored through the second register so that a modified file is restored in time and the integrity of the log data is guaranteed, and the preset detection period is corrected according to the real-time append frequency and the real-time append count, reducing redundant detections.
Further, the target log file is distinguished by whether it is an appendable file: since a non-appendable file is a fixed file, its initial HMAC value is calculated directly, the read first log data is stored in the log database, and the log database is detected periodically in the preset detection period; since an appendable file has a large amount of stored data, expands continuously and has complex content, an appendable file with a large amount of stored data needs to be segmented so that its continuous updating and expansion is ensured.
Further, a standard byte count is set and the controller judges the real-time byte count against it: if the real-time byte count is smaller than or equal to the standard byte count, the target log file is small and need not be segmented; otherwise the target log file is large and is segmented, the segmented target log entries are all the same size, and the file start indices and file end indices of successive target log entries are contiguous.
Further, by reading the second log data, performing HMAC calculation on each piece of data read through the algorithm, storing the result into the first register, recording the starting index of the read file, the ending index of the read file and the initial HMAC value by the first register, transferring the second log data to the second register for storage, and after the file is tampered, being capable of being used for restoring the tampered log file.
Further, the starting index of the file and the ending index of the file are read to determine byte positions in basic data, when any target log file is read to obtain corresponding second log data, the matching byte positions in the log database are determined according to the real-time byte positions of the target log file which is read currently, and the integrity detection is carried out on the data range where the matching byte positions are located, so that the situation that the data are tampered is detected, the integrity of the log data is recovered in time, and the fact that the target log file which is read currently can be successfully and correctly stored in the log database is determined.
Further, after the second log data is stored in the matching byte position in the log database, the data in the matching byte position is used as log basic data, the data after the second log data is added to the log basic data is recorded as real-time accumulated data, the current log integrity detection is carried out on the real-time accumulated data, so as to determine whether the situation that the data is tampered in the process of storing the additional file is determined, if the situation appears, the error data is deleted, and the second register is used for supplementing so as to restore the data, so that the integrity of the log file is ensured.
Further, since the detector checks the corresponding log data in the log database once every time the appendable file is read, and integrity detection is performed on the accumulated data after the appended data is stored, the preset detection period needs to be adapted so as to avoid redundant, overly frequent detections within the preset detection period.
Further, by correcting the preset detection period according to the number of additions and the frequency of additions of the additional file, if the number of additions is larger, the frequency of additions is larger, the preset detection period is increased, the initially set detection period is zero, when the target log file is just detected, the target log data is subjected to one-time integrity detection at the moment when the target log data is generated, namely, one-time detection is performed before the target log data is stored, tampered data is recovered in time, and the additional file is ensured to be correctly updated and expanded to the matching position.
Further, integrity detection is performed on each first log data and each second log data in the log database in the preset detection period by comparing the real-time HMAC value of each segment of data with its initial HMAC value: if the real-time HMAC value is the same as the corresponding initial HMAC value, the content has not been tampered with; if the real-time HMAC value differs from the corresponding initial HMAC value, the content has been tampered with, and the repeated log data corresponding to that second log data is acquired from the second register and transmitted to the log database for data recovery processing, so that the integrity of the log data is ensured.
Further, the second register has limited storage capacity, so the storage of repeated log data is limited and the capacity for data recovery processing is limited; the repeated log data stored in the second register is therefore deleted after a standard clearing period, ensuring the integrity of the log data within a given period.
Drawings
FIG. 1 is a flow chart of a method for ensuring log integrity based on an HMAC algorithm according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of a log storage verification system based on an HMAC algorithm according to an embodiment of the invention.
Detailed Description
In order that the objects and advantages of the invention will become more apparent, the invention will be further described with reference to the following examples; it should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention.
Preferred embodiments of the present invention are described below with reference to the accompanying drawings. It should be understood by those skilled in the art that these embodiments are merely for explaining the technical principles of the present invention, and are not intended to limit the scope of the present invention.
It should be noted that, in the description of the present invention, terms such as "upper," "lower," "left," "right," "inner," "outer," and the like indicate directions or positional relationships based on the directions or positional relationships shown in the drawings, which are merely for convenience of description, and do not indicate or imply that the apparatus or elements must have a specific orientation, be constructed and operated in a specific orientation, and thus should not be construed as limiting the present invention.
Furthermore, it should be noted that, in the description of the present invention, unless explicitly specified and limited otherwise, the terms "mounted," "connected," and "connected" are to be construed broadly, and may be either fixedly connected, detachably connected, or integrally connected, for example; can be mechanically or electrically connected; can be directly connected or indirectly connected through an intermediate medium, and can be communication between two elements. The specific meaning of the above terms in the present invention can be understood by those skilled in the art according to the specific circumstances.
Referring to fig. 1, which is a flowchart illustrating a method for implementing log integrity assurance based on HMAC algorithm according to an embodiment of the present invention, the present invention provides a method for implementing log integrity assurance based on HMAC algorithm, including,
Step S1, the mode in which a target log file is opened is read and whether the target log file is appendable is determined; whether the appendable target log file is to be segmented is determined according to the standard byte count, a plurality of target log entries are obtained, the segmented target log file is read in segments, the target log file that is not segmented is read as a whole to obtain the corresponding second log data, and the second log data is transferred to a second register from which it can be restored;
step S2, calculating an initial HMAC value corresponding to each target log entry, recording log storage data of each target log entry, and transferring each log storage data to a first register, wherein any log storage data comprises a read file starting index, a read file ending index and an initial HMAC value;
And S3, when any target log file is read and second log data is generated through the controller, the detector compares the real-time HMAC value of the matched byte position with the initial HMAC value, judges the real-time accumulated HMAC value against the standard HMAC value after the second log data is stored at the matched byte position in the log database, performs additional HMAC value verification on the target log file, performs HMAC value period verification on the stored log data in the log database in a preset detection period, and corrects the preset detection period according to the real-time append frequency and the real-time append count.
The method reads an appendable file in a segmented mode through the controller to obtain real-time log data, calculates an initial HMAC value through the algorithm when the real-time log data is read, has the detector detect the integrity of the log data in the log database in a preset detection period, compares the real-time HMAC value with the initial HMAC value when any target log file is read, has the detector judge whether the log data at the matched byte position is modified, stores each real-time log data in the second register so that a modified file is recovered in time and the integrity of the log data is guaranteed, and corrects the initial detection period according to the real-time append frequency and the real-time append count, reducing redundant detections.
Specifically, in the step S1, the mode of opening the file is read by the controller, and whether the target log file is appendable is judged according to the mode of opening the file,
If the target log file is an appendable file, the controller judges the real-time byte number according to the standard byte number to determine whether to segment the appendable target log file;
If the target log file is a non-appendable file, the controller reads the target log file, generates first log data, inputs the first log data into the log database to be stored and recorded as stored log data, inputs the stored log data into the second register for transfer storage, calculates the initial HMAC value of the first log data through the algorithm, transmits the initial HMAC value to the first register for storage, and performs HMAC value period verification on the first log data by having the detector acquire the corresponding initial HMAC value stored in the first register.
The target log file is distinguished by whether or not it is an appendable file: since a non-appendable file is a fixed file, its initial HMAC value is calculated directly, the read fixed log data is stored in the log database, and the log database is detected periodically in the preset detection period; since an appendable file has a large volume of stored data, expands continuously and has complex content, an appendable file with a large volume of stored data needs to be segmented so as to ensure its continuous updating and expansion.
Specifically, the controller is internally provided with a standard byte number, when the controller judges that the target log file is an appendable file, the controller obtains the real-time byte number of the target log file, judges the real-time byte number according to the standard byte number,
If the real-time byte number is smaller than or equal to the standard byte number, the controller does not cut the target log file, and integrally reads the target log file to generate second log data;
and if the real-time byte number is greater than the standard byte number, the controller segments the target log file to obtain a plurality of target log entries and generate a plurality of second log data.
The standard byte number represents the byte number unit of the set segmentation appendable file, and the set value is related to the data capacity of the appendable file and the capacity of a storage medium and is generally set to 512KB;
and if the controller judges that the real-time byte quantity is smaller than or equal to the standard byte quantity, the target log file is smaller and is not needed to be segmented, otherwise, if the target log file is larger, the target log file is segmented, the sizes of the segmented target log entries are the same, and the file starting subscript and the file ending subscript among the target log entries are continuous.
Specifically, for any second log data, the initial HMAC value of the second log data is calculated by the algorithm, the initial HMAC value together with the read file start index and read file end index corresponding to each target log entry is transmitted by the controller to the first register for storage, the second log data is transmitted to the second register for transfer storage and marked as the repeated log data corresponding to that second log data, and the detector performs HMAC value period verification and additional HMAC value verification on the second log data by acquiring the corresponding initial HMAC value stored in the first register.
By reading real-time log data, performing HMAC calculation on each piece of read data through an algorithm, storing a result into a first register, recording a file path, a file name, a read file starting index, a read file ending index, an initial HMAC value, an initial identifier and initial serial number data in the first register, transmitting the real-time log data to a second register for storage, and after the file is tampered, recovering the tampered log file.
In this embodiment, the algorithm calculates the HMAC value by selecting a hash function MD5 to generate a random key, and calculates the HMAC value for each of the log entries using the hash function and the key, where the calculation formula may be expressed as h1=sha1 (m+l1), L1 represents the first log entry, m represents a random key generated, stores the result in the first register, and generates the initial serial number 0 of the log, which represents the unique identifier of the first log entry.
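The segmentation and tagging of steps S1 and S2 above, written out as an added example (this is editor-supplied code, not an implementation from the patent). It assumes a Python dictionary and list stand in for the two registers, uses RFC 2104 HMAC with SHA-256 through the standard `hmac` module in place of the page's SHA1(m + L1) formula, and lets a trailing remainder become a shorter final entry when the file size is not a multiple of the standard byte number; the sample log lines are constructed for the demo.

```python
import hmac
import hashlib
from dataclasses import dataclass

STANDARD_BYTES = 512 * 1024  # segmentation threshold named on the page (512 KB)


@dataclass
class StorageRecord:
    """One first-register entry: where a target log entry sits and its initial tag."""
    path: str
    start: int            # read-file start index (byte offset, inclusive)
    stop: int             # read-file stop index (byte offset, inclusive)
    initial_hmac: bytes
    serial: int           # initial serial number; 0 identifies the first entry


def segment(size: int, standard_bytes: int = STANDARD_BYTES) -> list[tuple[int, int]]:
    """Inclusive (start, stop) byte ranges for a file of `size` bytes.

    At or below the standard byte number the file is read whole; above it the
    file is cut into entries of standard_bytes whose indices are contiguous.
    (Assumption: a trailing remainder becomes a shorter final entry.)
    """
    if size <= standard_bytes:
        return [(0, size - 1)]
    return [(start, min(start + standard_bytes, size) - 1)
            for start in range(0, size, standard_bytes)]


def initial_hmac(key: bytes, entry: bytes) -> bytes:
    """RFC 2104 HMAC over one entry: H((K^opad) || H((K^ipad) || entry)).

    The page writes h1 = SHA1(m + L1), a keyed prefix hash rather than HMAC;
    this example uses the standard construction with SHA-256 instead.
    """
    return hmac.new(key, entry, hashlib.sha256).digest()


def ingest(path: str, data: bytes, key: bytes,
           standard_bytes: int = STANDARD_BYTES):
    """Steps S1/S2 for an appendable file: segment, tag, fill both registers.

    Returns (first_register, second_register): the first holds indices and
    tags, the second holds a verbatim copy of every entry for later recovery.
    """
    first_register: list[StorageRecord] = []
    second_register: dict[tuple[str, int, int], bytes] = {}
    for serial, (start, stop) in enumerate(segment(len(data), standard_bytes)):
        entry = data[start:stop + 1]
        first_register.append(
            StorageRecord(path, start, stop, initial_hmac(key, entry), serial))
        second_register[(path, start, stop)] = entry
    return first_register, second_register


# Constructed sample input: three syslog-style lines (not taken from the page).
SAMPLE_LOG = (
    b"Jan 30 10:00:01 host sshd[101]: Accepted publickey for alice from 10.0.0.5\n"
    b"Jan 30 10:00:07 host sudo: alice : TTY=pts/0 ; COMMAND=/bin/systemctl restart nginx\n"
    b"Jan 30 10:00:09 host sshd[101]: Disconnected from user alice 10.0.0.5\n"
)

if __name__ == "__main__":
    key = b"\x11" * 32   # demo key only; a real deployment derives it from a managed secret
    # A 64-byte standard byte number forces segmentation of the ~200-byte sample.
    first, second = ingest("/var/log/auth.log", SAMPLE_LOG, key, standard_bytes=64)
    for rec in first:
        print(rec.serial, rec.start, rec.stop, rec.initial_hmac.hex()[:16])
```

The key must live outside the log store: an attacker who can rewrite the log and also read the key can simply re-tag the altered entries, which is why the page keeps the tags in a separate first register.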
Specifically, in step S3, when any target log file is read by the controller and the corresponding second log data is generated, the detector obtains from the first register the initial HMAC value, read-file start index and read-file stop index belonging to that second log data, calculates the matching byte position of the target log file from the start and stop indices, calculates the real-time HMAC value of the data at that position, and compares the initial HMAC value with the real-time HMAC value to perform the additional HMAC value verification of the target log file:
if the real-time HMAC value equals the initial HMAC value, the detector determines that the base log data at the matching byte position is unmodified and stores the second log data at the matching byte position in the log database;
if the real-time HMAC value does not equal the initial HMAC value, the detector determines that the base log data at the matching byte position has been modified, deletes that base log data, fetches from the second register the duplicate log data for the same position, writes it back to the matching byte position as data recovery, and then stores the second log data at the matching byte position in the log database;
where the matching byte position is given by the read-file stop index minus the read-file start index plus one (the number of bytes covered by the entry, counted from its start index).
The read-file start index and stop index determine the byte positions within the base data. Whenever a target log file is read and real-time log data is obtained, the matching byte position in the log database is determined from the real-time byte position of the file currently being read, and the integrity of the data range at that position is checked, so that tampering is detected, the guaranteed log data is restored in time, and the target log file currently being read can be stored correctly in the log database.
Specifically, after storing the second log data at the matching byte position in the log database, the detector performs a current log integrity check on the real-time accumulated data: it takes the real-time HMAC value of the log base data as the base HMAC value, obtains the initial HMAC value of the second log data, takes the sum of the base HMAC value and the initial HMAC value as the standard HMAC value, has the algorithm unit calculate the real-time accumulated HMAC value of the real-time accumulated data, and judges the real-time accumulated HMAC value against the standard HMAC value as the additional HMAC value verification of the target log file:
if the real-time accumulated HMAC value equals the standard HMAC value, the detector judges that the data was modified during storage of the second log data, deletes the second log data from the log database, fetches the corresponding duplicate log data from the second register and writes it to the matching byte position as data recovery;
if the real-time accumulated HMAC value does not equal the standard HMAC value, the detector judges that the data was not modified during storage of the second log data and leaves the second log data in the log database.
After the real-time log data has been stored at the matching byte position in the log database, the data at that position is taken as the log base data and the data obtained by appending the real-time log data to the log base data is taken as the real-time accumulated data; the current log integrity check on the real-time accumulated data determines whether the data was tampered with while the appended file was being stored, and if so the erroneous data is deleted and replaced from the second register so that the integrity of the log file is restored.
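The two checks of step S3, the base-data check before the append and the accumulated-data check after it, as an added example (editor-supplied code, not the patent's implementation). Two things are assumptions rather than the page's text: the "standard HMAC value" is formed by chaining the base HMAC and the initial HMAC through a further HMAC instead of adding them, because the sum of two MACs does not bind the two inputs; and both checks use the convention of the page's first check, equal tags mean intact data, whereas the page's wording for the second check reads the other way round. The `fault` hook and the sample lines are constructed so the demo can exercise the recovery paths.

```python
import hmac
import hashlib
from typing import Callable, Optional

Key = bytes
Region = tuple[str, int, int]          # (path, start index, stop index), inclusive


def tag(key: Key, data: bytes) -> bytes:
    """RFC 2104 HMAC over one segment (SHA-256 substituted for the page's MD5/SHA-1)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def standard_tag(key: Key, base_tag: bytes, initial_tag: bytes) -> bytes:
    """Combine the base HMAC and the initial HMAC into the 'standard' value.

    The page says the standard value is their sum; adding two MACs is not a
    binding operation, so this example (an assumption, not the page's formula)
    chains them with a further HMAC instead.
    """
    return tag(key, base_tag + initial_tag)


class LogStore:
    """Log database plus both registers; `ingest` performs the S3 checks."""

    def __init__(self, key: Key) -> None:
        self.key = key
        self.db: dict[str, bytearray] = {}        # log database, one buffer per file
        self.first: dict[Region, bytes] = {}      # first register: initial HMAC per region
        self.second: dict[Region, bytes] = {}     # second register: copy per region
        self.events: list[tuple] = []             # what the detector found

    def _recover_file(self, path: str) -> None:
        """Overwrite every region of `path` with its second-register copy."""
        buf = self.db[path]
        for (p, s, e), copy in self.second.items():
            if p == path:
                buf[s:e + 1] = copy

    def ingest(self, path: str, start: int, stop: int, data: bytes,
               fault: Optional[Callable[[bytearray], None]] = None) -> str:
        """Store one read segment [start, stop] of an appendable file.

        `fault`, if given, corrupts the database between the write and the
        re-check; it exists only so the demo can exercise the failure path.
        """
        if len(data) != stop - start + 1:            # covered length = stop - start + 1
            raise ValueError("segment length does not match its indices")
        buf = self.db.setdefault(path, bytearray())

        # Check 1: every earlier region of this file must still match its
        # initial HMAC; otherwise restore that region from the second register.
        for (p, s, e), initial in list(self.first.items()):
            if p == path and not hmac.compare_digest(tag(self.key, bytes(buf[s:e + 1])), initial):
                self.events.append(("base-modified", s, e))
                buf[s:e + 1] = self.second[(p, s, e)]

        # Record the new segment in both registers, then derive the standard tag
        # from the (now verified) base and the segment's initial HMAC.
        initial = tag(self.key, data)
        self.first[(path, start, stop)] = initial
        self.second[(path, start, stop)] = bytes(data)
        standard = standard_tag(self.key, tag(self.key, bytes(buf[:start])), initial)

        buf[start:stop + 1] = data                   # store at the matching byte position
        if fault is not None:
            fault(buf)

        # Check 2: the accumulated data as actually stored must reproduce the
        # standard tag; if not, the store was tampered with and is rolled back.
        actual = standard_tag(self.key,
                              tag(self.key, bytes(buf[:start])),
                              tag(self.key, bytes(buf[start:stop + 1])))
        if not hmac.compare_digest(actual, standard):
            self.events.append(("store-modified", start, stop))
            self._recover_file(path)
            return "recovered"
        return "stored"


# Constructed sample lines (not from the page).
LINE1 = b"Jan 30 10:00:01 host sshd[101]: Accepted publickey for alice from 10.0.0.5\n"
LINE2 = b"Jan 30 10:00:07 host sudo: alice : COMMAND=/bin/systemctl restart nginx\n"
LINE3 = b"Jan 30 10:00:09 host sshd[101]: Disconnected from user alice 10.0.0.5\n"

if __name__ == "__main__":
    store = LogStore(b"\x22" * 32)
    store.ingest("auth.log", 0, len(LINE1) - 1, LINE1)
    store.db["auth.log"][41:46] = b"mal0r"            # attacker edits stored base data
    print(store.ingest("auth.log", len(LINE1), len(LINE1) + len(LINE2) - 1, LINE2), store.events)
```

`hmac.compare_digest` is used for both comparisons so that tag verification does not leak timing information about how many leading bytes matched.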
Specifically, the detector is provided with a standard addition count. When the detector determines that the target log file is an appendable file, it also obtains the real-time addition count of the appendable file and compares it with the standard addition count:
if the real-time addition count is less than or equal to the standard addition count, the detector does not correct the preset detection period;
if the real-time addition count is greater than the standard addition count, the detector goes on to judge the real-time addition frequency against the standard addition frequency to decide whether to correct the preset detection period.
The standard addition count is the standard number of appends for a single target log entry; its value depends on the attributes of the target log file and on the preset detection period of the detector, and may be set to 5 to 8. The detector checks the corresponding log data in the log database once each time an appended file is read, and checks the integrity of the accumulated data once more after that appended file is stored; to avoid redundant work from checking too often within the preset detection period, the detector adapts the preset detection period.
Specifically, the detector is provided with a standard addition frequency. When the detector determines that the real-time addition count is greater than the standard addition count, it obtains the real-time addition frequency of the appendable file within the preset detection period and compares it with the standard addition frequency:
if the real-time addition frequency is less than or equal to the standard addition frequency, the detector does not correct the preset detection period;
if the real-time addition frequency is greater than the standard addition frequency, the detector corrects the preset detection period according to the real-time addition frequency and the real-time addition count,
where Tc' = Tc + [1 + (Fs − Fb)/Fs + (Ns − Nb)/Ns], with Tc = 0 initially; Tc' is the corrected preset detection period, Tc is the initially set detection period (the moment at which the target log file is read), Fs is the real-time addition frequency, Fb is the set standard addition frequency, Ns is the real-time addition count and Nb is the set standard addition count.
Correcting the preset detection period according to the number and frequency of appends to the appended file means that the more often and the more frequently the file is appended, the longer the preset detection period becomes. Because the initially set detection period is zero, the target log data is checked for integrity once at the moment it is generated, that is, once before it is stored, so tampered data is restored in time and the appended file is correctly extended at the matching position.
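The period correction of the two preceding passages (the count gate, the frequency gate and the Tc' formula) as an added example; this is editor-supplied code, not the patent's implementation. The page gives no unit for Tc' and no definition of how Fs is measured, so the example assumes appends per second over the span of the timestamps seen in the current period (floored at one second) and treats Tc' as seconds; the numeric defaults for Nb and Fb are likewise assumptions within the 5 to 8 range the page suggests for Nb.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PeriodPolicy:
    """Detector settings named on the page; the numeric defaults are assumptions."""
    standard_count: int = 6          # Nb: standard addition count, page suggests 5 to 8
    standard_frequency: float = 1.0  # Fb: standard addition frequency, appends per second
    initial_period: float = 0.0      # Tc: the page sets the initial detection period to 0


def append_frequency(timestamps: list[float]) -> float:
    """Real-time addition frequency Fs: appends per second over the observed span.

    Assumption: the span is floored at one second so that a burst of appends
    within a single second does not divide by zero.
    """
    if not timestamps:
        return 0.0
    span = max(timestamps[-1] - timestamps[0], 1.0)
    return len(timestamps) / span


def corrected_period(policy: PeriodPolicy, real_count: int, real_frequency: float) -> float:
    """Tc' = Tc + [1 + (Fs - Fb)/Fs + (Ns - Nb)/Ns].

    The correction applies only when both the real-time count Ns and the
    real-time frequency Fs exceed their standard values; otherwise the
    detector keeps the preset period unchanged.
    """
    if real_count <= policy.standard_count:
        return policy.initial_period          # count gate: no correction
    if real_frequency <= policy.standard_frequency:
        return policy.initial_period          # frequency gate: no correction
    fs, fb = real_frequency, policy.standard_frequency
    ns, nb = real_count, policy.standard_count
    return policy.initial_period + (1 + (fs - fb) / fs + (ns - nb) / ns)


def period_for_appends(policy: PeriodPolicy, timestamps: list[float]) -> float:
    """Derive Ns and Fs from the append timestamps seen in the current period."""
    return corrected_period(policy, len(timestamps), append_frequency(timestamps))


if __name__ == "__main__":
    policy = PeriodPolicy()
    # Constructed append patterns: a slow trickle and a burst of ten appends in 4.5 s.
    slow = [float(i * 10) for i in range(4)]
    burst = [i * 0.5 for i in range(10)]
    print("slow  ->", period_for_appends(policy, slow))
    print("burst ->", period_for_appends(policy, burst))
```

Both gates keep the period at its initial value of zero, so a file that is appended rarely is still checked at the moment each entry is generated; only a file that is appended both often and rapidly has its checks spaced out.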
Specifically, in step S3, the detector performs HMAC value period verification on each item of stored log data in the log database once per preset detection period: it obtains from the first register the initial HMAC value of each item of stored log data, calculates the real-time HMAC value of each item within the preset detection period, and if a real-time HMAC value differs from the corresponding initial HMAC value, fetches the corresponding duplicate data from the second register and writes it to the log database as data recovery;
the stored log data comprises the first log data and the second log data, and the duplicate data comprises the copies of the first log data and second log data that were placed in the second register for staging.
Put differently, in step S3 the detector checks the integrity of each item of fixed log data (the first log data) and each item of real-time log data (the second log data) in the log database once per preset detection period, obtaining their initial HMAC values from the first register and calculating their real-time HMAC values within the period; where the two differ, the corresponding copy is fetched from the second register and written to the log database for recovery.
Comparing the real-time HMAC value of each data segment with its initial HMAC value in every preset detection period thus shows whether the content has been tampered with: equal values mean the content is intact, different values mean it has been tampered with, in which case the corresponding copy is fetched from the second register and written back to the log database, so that the integrity of the log data is maintained.
Specifically, the detector is provided with a real-time clock and a standard clearing period. The real-time clock starts timing for each item of duplicate log data when it is stored in the second register; the detector obtains the real-time clearing period (the age) of each item of duplicate log data and compares it with the standard clearing period:
if the real-time clearing period is shorter than the standard clearing period, the detector does not delete the duplicate log data from the second register;
if the real-time clearing period is equal to or longer than the standard clearing period, the detector deletes the duplicate log data from the second register.
The standard clearing period is the retention limit for data stored in the second register; its value depends on the storage capacity of the second register, the size of the target log file and the application requirements, and may be set to 48 h.
Because the storage capacity of the second register is limited, the amount of duplicate log data it can hold, and hence the capacity for data recovery, is limited; deleting duplicate log data from the second register at the standard clearing period therefore guarantees the integrity of the log data within a bounded window. Once a copy has been cleared, tampering with the corresponding stored log data can still be detected by the HMAC comparison but can no longer be repaired from the second register.
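The periodic sweep and the clearing rule of the two preceding passages, combined into one added example that also shows the failure mode the clearing rule creates: an entry tampered with after its copy has been cleared is detected but cannot be restored. This is editor-supplied code, not the patent's implementation; it assumes one log-database entry per (path, start, stop) region, an injected clock value instead of a real-time clock, and the page's 48 h retention as the default clearing period. The regions and contents are constructed for the demo.

```python
import hmac
import hashlib

STANDARD_CLEARING_SECONDS = 48 * 3600        # 48 h retention named on the page
Region = tuple[str, int, int]                # (path, start index, stop index), inclusive


def tag(key: bytes, data: bytes) -> bytes:
    """RFC 2104 HMAC (SHA-256 substituted for the page's MD5/SHA-1)."""
    return hmac.new(key, data, hashlib.sha256).digest()


class PeriodicDetector:
    """HMAC period verification plus clearing of expired second-register copies."""

    def __init__(self, key: bytes, clearing_period: float = STANDARD_CLEARING_SECONDS) -> None:
        self.key = key
        self.clearing_period = clearing_period
        self.db: dict[Region, bytes] = {}                    # log database, per region
        self.first: dict[Region, bytes] = {}                 # first register: initial HMAC
        self.second: dict[Region, tuple[bytes, float]] = {}  # second register: (copy, time stored)

    def store(self, region: Region, data: bytes, now: float) -> None:
        """Store one region and record its initial HMAC and a timed copy."""
        self.db[region] = bytes(data)
        self.first[region] = tag(self.key, data)
        self.second[region] = (bytes(data), now)   # the real-time clock starts here

    def clear_expired(self, now: float) -> list[Region]:
        """Delete copies whose age has reached the standard clearing period."""
        expired = [r for r, (_, stored_at) in self.second.items()
                   if now - stored_at >= self.clearing_period]
        for r in expired:
            del self.second[r]
        return expired

    def sweep(self, now: float) -> dict[Region, str]:
        """One preset-detection-period pass over every stored region."""
        self.clear_expired(now)
        report: dict[Region, str] = {}
        for region, initial in self.first.items():
            if hmac.compare_digest(tag(self.key, self.db[region]), initial):
                report[region] = "intact"
            elif region in self.second:
                self.db[region] = self.second[region][0]    # data recovery
                report[region] = "recovered"
            else:
                # Copy already cleared: tampering is detected but cannot be repaired.
                report[region] = "tampered-unrecoverable"
        return report


if __name__ == "__main__":
    d = PeriodicDetector(b"\x33" * 32)
    r1, r2 = ("auth.log", 0, 40), ("auth.log", 41, 80)      # constructed regions
    d.store(r1, b"A" * 41, now=0.0)
    d.store(r2, b"B" * 40, now=0.0)
    d.db[r1] = b"A" * 40 + b"X"                             # tamper within 48 h
    print(d.sweep(now=3600.0))
    d.db[r2] = b"C" * 40                                    # tamper after the copy is cleared
    print(d.sweep(now=49 * 3600.0))
```

The sweep clears expired copies before it verifies, which is the order the page implies; if the intent is to give an entry one last chance at recovery, verify first and clear afterwards.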
Referring to fig. 2, a schematic diagram of a log storage verification system based on the HMAC algorithm according to an embodiment of the present invention, the present invention further provides a log storage verification system based on the HMAC algorithm, comprising a controller, a detector, a first register, a second register, a log database and an algorithm unit, wherein:
the log database stores the first log data and the second log data;
the controller reads and segments the input target log file;
the detector is connected to the controller and the log database and performs HMAC value verification on the target log data when the controller reads the target log file, generates second log data and stores it in the log database; the detector is provided with a preset detection period and also performs HMAC value period verification on any target log data in the log database when the real-time storage period of that target log data reaches the preset detection period;
the first register is connected to the controller and the detector and stores the log storage data, which includes the read-file start index, the read-file stop index and the initial HMAC value;
the second register is connected to the detector and the controller and stages the first log data and the second log data;
the algorithm unit is connected to the first register and the detector and calculates the initial HMAC value in the log storage data corresponding to each target log file, as well as the HMAC value of any target log data in the log database when its real-time storage period reaches the preset detection period.
Thus far, the technical solution of the present invention has been described in connection with the preferred embodiments shown in the drawings, but it is easily understood by those skilled in the art that the scope of protection of the present invention is not limited to these specific embodiments. Equivalent modifications and substitutions for related technical features may be made by those skilled in the art without departing from the principles of the present invention, and such modifications and substitutions will be within the scope of the present invention.
The foregoing description is only of the preferred embodiments of the invention and is not intended to limit the invention; various modifications and variations of the present invention will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (3)

1. A method for ensuring log integrity based on the HMAC algorithm, comprising:
Step S1: reading the mode in which a target log file is opened, determining whether the target log file is appendable, determining according to the standard byte number whether an appendable target log file is to be segmented into a plurality of target log entries, reading a segmented target log file entry by entry and an unsegmented target log file as a whole to generate the corresponding second log data, and holding a copy of the second log data in a second register for recovery;
Step S2: calculating the initial HMAC value corresponding to each target log entry, recording the log storage data of each target log entry and transferring it to a first register, wherein each item of log storage data comprises a read-file start index, a read-file stop index and an initial HMAC value;
Step S3: when any target log file is read by the controller and second log data is generated, the detector compares the real-time HMAC value at the matching byte position with the initial HMAC value; after the second log data has been stored at the matching byte position in the log database, the real-time accumulated HMAC value is judged against the standard HMAC value so as to perform the additional HMAC value verification of the target log file; HMAC value period verification is performed on the stored log data in the log database in a preset detection period, and the preset detection period is corrected according to the real-time addition frequency and the real-time addition count;
wherein, in step S1, the controller reads the mode in which the file is opened and judges from that mode whether the target log file is appendable:
if the target log file is an appendable file, the controller judges the real-time byte number against the standard byte number to determine whether to segment the appendable target log file;
if the target log file is a non-appendable file, the controller reads the target log file as a whole,
generates first log data, inputs the first log data into the log database for storage and records it as stored log data, inputs the first log data into the second register for staging, calculates the initial HMAC value of the first log data by means of the algorithm unit, transmits the initial HMAC value to the first register for storage, and has the detector perform HMAC value period verification on the first log data by retrieving the corresponding initial HMAC value from the first register;
the controller is provided with a standard byte number; when the controller judges that the target log file is an appendable file, it obtains the real-time byte number of the target log file and judges it against the standard byte number:
if the real-time byte number is less than or equal to the standard byte number, the controller does not cut the target log file but reads it as a whole to generate second log data;
if the real-time byte number is greater than the standard byte number, the controller segments the target log file into a plurality of target log entries and generates a plurality of items of second log data;
for any item of second log data, the algorithm unit calculates its initial HMAC value; the controller transmits the initial HMAC value and the read-file start index and read-file stop index of the corresponding target log entry to the first register for storage, transmits the second log data to the second register for staging, records it as the duplicate log data corresponding to that second log data, and has the detector perform HMAC value period verification and additional HMAC value verification on the second log data by retrieving the corresponding initial HMAC value from the first register;
in step S3, when any target log file is read by the controller and the corresponding second log data is generated, the detector obtains from the first register the initial HMAC value, read-file start index and read-file stop index belonging to that second log data, calculates the matching byte position of the target log file from the start and stop indices, calculates the real-time HMAC value of the second log data, and compares the initial HMAC value with the real-time HMAC value to perform the additional HMAC value verification of the target log file:
if the real-time HMAC value equals the initial HMAC value, the detector determines that the base log data at the matching byte position is unmodified and stores the second log data at the matching byte position in the log database;
if the real-time HMAC value does not equal the initial HMAC value, the detector determines that the base log data at the matching byte position has been modified, deletes that base log data, fetches from the second register the duplicate log data for the same position, writes it to the matching byte position as data recovery, and stores the second log data at the matching byte position in the log database;
wherein the matching byte position equals the read-file stop index minus the read-file start index plus one;
after the second log data has been stored at the matching byte position in the log database, the detector performs additional HMAC value verification on the real-time accumulated data: it takes the real-time HMAC value of the log base data as the base HMAC value, obtains the initial HMAC value of the second log data, takes the sum of the base HMAC value and the initial HMAC value as the standard HMAC value, has the algorithm unit calculate the real-time accumulated HMAC value of the real-time accumulated data, and judges the real-time accumulated HMAC value against the standard HMAC value:
if the real-time accumulated HMAC value equals the standard HMAC value, the detector judges that the data was modified during storage of the second log data, deletes the second log data from the log database, fetches the corresponding duplicate log data from the second register and writes it to the matching byte position as data recovery;
if the real-time accumulated HMAC value does not equal the standard HMAC value, the detector judges that the data was not modified during storage of the second log data and does not delete the second log data from the log database;
the detector is provided with a standard addition count; when the detector judges that the target log file is an appendable file, it also obtains the real-time addition count of the appendable file and judges it against the standard addition count:
if the real-time addition count is less than or equal to the standard addition count, the detector does not correct the preset detection period;
if the real-time addition count is greater than the standard addition count, the detector judges the real-time addition frequency against the standard addition frequency to determine whether to correct the preset detection period;
the detector is provided with a standard addition frequency; when the detector judges that the real-time addition count is greater than the standard addition count, it obtains the real-time addition frequency of the appendable file within the preset detection period and judges it against the standard addition frequency:
if the real-time addition frequency is less than or equal to the standard addition frequency, the detector does not correct the preset detection period;
if the real-time addition frequency is greater than the standard addition frequency, the detector corrects the preset detection period according to the real-time addition frequency and the real-time addition count.
2. The method based on the HMAC algorithm according to claim 1, wherein in step S3 the detector performs HMAC value period verification on each item of stored log data in the log database once per preset detection period, obtains from the first register the initial HMAC value corresponding to each item of stored log data, calculates the real-time HMAC value corresponding to each item within the preset detection period, and if a real-time HMAC value differs from the corresponding initial HMAC value, fetches the corresponding duplicate data from the second register and transmits it to the log database for data recovery;
the stored log data comprises the first log data and the second log data, and the duplicate data comprises the copies of the first log data and the second log data placed in the second register for staging.
3. The method based on the HMAC algorithm according to claim 1, wherein the detector is provided with a real-time clock and a standard clearing period, the real-time clock times each item of duplicate log data from the moment it is stored in the second register, and the detector obtains the real-time clearing period of each item of duplicate log data and judges it against the standard clearing period:
if the real-time clearing period is shorter than the standard clearing period, the detector does not delete the duplicate log data stored in the second register;
if the real-time clearing period is equal to or longer than the standard clearing period, the detector deletes the duplicate log data stored in the second register.
CN202311200265.1A 2023-09-18 2023-09-18 Method for realizing log integrity assurance based on HMAC algorithm Active CN117472868B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311200265.1A CN117472868B (en) 2023-09-18 2023-09-18 Method for realizing log integrity assurance based on HMAC algorithm

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311200265.1A CN117472868B (en) 2023-09-18 2023-09-18 Method for realizing log integrity assurance based on HMAC algorithm

Publications (2)

Publication Number Publication Date
CN117472868A CN117472868A (en) 2024-01-30
CN117472868B true CN117472868B (en) 2024-04-19

Family

ID=89622857

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311200265.1A Active CN117472868B (en) 2023-09-18 2023-09-18 Method for realizing log integrity assurance based on HMAC algorithm

Country Status (1)

Country Link
CN (1) CN117472868B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114722387A (en) * 2022-04-02 2022-07-08 中南民族大学 Database abnormal tampering detection method, device, equipment and storage medium
CN115794751A (en) * 2022-08-31 2023-03-14 中国银行股份有限公司 Method and device for determining integrity of log
CN116048876A (en) * 2022-12-08 2023-05-02 北京天融信网络安全技术有限公司 Data storage method, data detection device and readable storage medium
CN116305290A (en) * 2023-05-16 2023-06-23 北京安天网络安全技术有限公司 System log security detection method and device, electronic equipment and storage medium

Also Published As

Publication number Publication date
CN117472868A (en) 2024-01-30

Similar Documents

Publication Publication Date Title
US8849750B2 (en) Synchronization for initialization of a remote mirror storage facility
CN106843957B (en) System firmware upgrading method and device
US5991774A (en) Method for identifying the validity of an executable file description by appending the checksum and the version ID of the file to an end thereof
CN100432932C (en) Updating data in a mobile terminal
JP4324976B2 (en) File difference management device, file difference management method, and file difference management program
CN110716895A (en) Target data archiving method and device, computer equipment and medium
CN110245154B (en) Multi-path link exception handling method and related equipment
CN105743732B (en) Method and system for recording transmission path and distribution condition of local area network files
CN114616544A (en) Firmware data processing method and device
CN111158948A (en) Data storage and verification method and device based on duplicate removal and storage medium
CN117472868B (en) Method for realizing log integrity assurance based on HMAC algorithm
US7594051B2 (en) Storage apparatus
KR101667756B1 (en) Archive file de-duplication apparatus and method
CN114722387A (en) Database abnormal tampering detection method, device, equipment and storage medium
CN117234791A (en) Method and device for detecting data loss of memory chip
CN117391099A (en) Data downloading and checking method and system for smart card and storage medium
CN115022078A (en) Controller built-in network safety protection method and device and electronic equipment
JP2022007238A (en) Information processing device, information processing method and program
CN108509143B (en) Data detection method and device based on cloud storage
CN112181713B (en) Data recovery method and system of computer storage system
KR101993648B1 (en) Method and apparatus for security in network device
CN111858139A (en) Method and device for detecting silent data errors
CN117873408B (en) Cloud printer data recovery method and related device
JP2002261737A (en) Transmission data loss detection system
EP4277310A1 (en) Method and system for data transfer from a vehicle

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant