A method, system and electronic device for monitoring file tampering

By combining user-mode and kernel-mode programs, the problems of slow development iteration speed and lack of process information in file anti-tampering technology are solved, realizing real-time monitoring and recording of file tampering, improving efficiency and protecting file security.

CN115391834B · Active · Publication Date: 2026-06-16 · NSFOCUS INFORMATION TECHNOLOGY CO LTD +1

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
NSFOCUS INFORMATION TECHNOLOGY CO LTD
Filing Date
2022-08-26
Publication Date
2026-06-16

AI Technical Summary

Technical Problem

Among existing file anti-tampering technologies, kernel-driven approaches result in slow development and iteration speeds, frequent recompilation of kernel drivers, and user-space file anti-tampering based on inotify lacks process information monitoring and logging, making it impossible to monitor and record file tampering in real time.

Method used

By combining file user-mode programs and file kernel-mode programs, the target tracking point of the operating system file is obtained, file protection rules and process information are transmitted, it is determined whether the file has been tampered with, and the file is restored through a backup program after tampering, thus avoiding repeated compilation of the kernel area.

Benefits of the technology

It accelerated the development and iteration speed, improved the efficiency of file tampering monitoring, realized real-time monitoring and recording of file tampering, reduced system resource waste, and protected the interests of computers and users.

Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN115391834B_ABST (abstract figure)
Patent Text Reader

Abstract

The application provides a method, system and electronic equipment for monitoring file tampering, the method comprising: obtaining a target tracking point corresponding to an operating system file, receiving a file protection rule through an information layer and setting a process, and transmitting to a file kernel state program; determining that the process involved in the original file does not contain the set process, obtaining file content information corresponding to the target tracking point, and transmitting to a file user state program; calling the file protection rule in the file kernel state program, comparing the file content information corresponding to the target tracking point with the file protection rule through the file user state program, and judging whether the original file is tampered with; if so, determining that the original file is tampered with. Through the technical scheme provided by the embodiment of the application, kernel area repeated compilation is avoided, and the file tampering monitoring efficiency is improved; at the same time, which process has carried out file tampering is monitored and recorded, so that file tampering can be monitored and recorded in real time.

Description

Technical Field

[0001] This application relates to the field of network security technology, and in particular to a method, system, and electronic device for monitoring file tampering.

Background Art

[0002] With the rapid development of information technology, computers are increasingly used in daily production and life. While bringing convenience to people's lives, computers have also become controversial due to frequent leaks and tampering of computer files, causing huge economic losses to users. Therefore, file anti-tampering technology is of great practical significance in preventing file tampering.

[0003] Currently, existing file anti-tampering technologies are based on kernel drivers. Whenever the code is updated, the kernel driver must be recompiled and redeployed, which slows down development and iteration, consumes time, and reduces development efficiency. Furthermore, kernel drivers are bound to the kernel: each time a user runs a different kernel, the corresponding kernel driver must be recompiled before it can be loaded, and a coding error can easily crash the kernel. In contrast, user-space file anti-tampering based on inotify avoids repeated kernel driver compilation because user-space programs are compatible with most Linux kernels.

[0004] However, in inotify-based user-space anti-tampering technology the inotify event carries no process information, so there is no monitoring or recording of which process performed the file tampering, and file tampering cannot be monitored and recorded.

Summary of the Invention

[0005] This application provides a method, system, and electronic device for monitoring file tampering, to solve the problem of insufficient monitoring and recording of which process tampered with files, leading to the inability to monitor and record file tampering. The specific implementation scheme is as follows:

[0006] Firstly, this application provides a method for monitoring file tampering, the method comprising:

[0007] Obtain the target tracking point corresponding to the operating system file, receive the file protection rules and the set processes through the information layer, and transmit them to the file kernel-mode program;

[0008] Determine that the processes involved in the original file do not include the set processes, obtain the file content information corresponding to the target tracking point, and transmit it to the file user-mode program;

[0009] The file protection rules in the kernel-mode program of the file are retrieved, and the file content information corresponding to the target tracking point is traversed and compared with the file protection rules through the user-mode program of the file to determine whether the original file has been tampered with.

[0010] If not, let the original file pass and generate a log record;

[0011] If so, it is determined that the original file has been tampered with.

[0012] By processing trace points through file user-mode and file kernel-mode programs, repeated compilation of kernel regions is avoided, which speeds up development and iteration, saves time, and improves the efficiency of file tampering detection. At the same time, it monitors and records which process has tampered with the file, enabling real-time monitoring and recording of file tampering.

[0013] In one possible design, determining that the processes involved in the original file do not include the set processes includes:

[0014] Retrieve the trusted process and recovery process from the kernel-mode program of the file;

[0015] The kernel-mode program of the file determines whether the processes involved in the original file include the trusted process and the recovery process;

[0016] If so, let the original file pass and generate the first log record;

[0017] If not, it is determined that the processes involved in the original file do not include the trusted process and the recovery process.

[0018] By using the kernel-mode program to determine whether the processes involved in the original file include the recovery process, the program is prevented from entering an infinite loop. At the same time, by using the kernel-mode program to determine whether the processes involved in the original file include trusted processes, files trusted by the program are excluded, thus saving system resources.

[0019] In one possible design, retrieving the file protection rules from the file kernel-mode program includes:

[0020] Retrieve the return value of the system call corresponding to the file's trace point;

[0021] If the return value is the first set value, it is determined that the system call corresponding to the file's tracking point failed, the original file is let pass, and a second log record is generated;

[0022] If the return value is the second set value, it is determined that the system call for the corresponding tracking point of the file was successful.

[0023] By determining the return value of the system call to the corresponding tracking point of the file, the subsequent file tampering monitoring system is made more complete and accurate.

[0024] In one possible design, after determining that the original file has been tampered with, the following is also included:

[0025] Retrieve all files within the file protection rules that have been backed up by the backup program;

[0026] The file user-mode program calls all files backed up by the backup program to restore the tampered information in the original files and generates a third log record.

[0027] By calling the backup program after confirming that a file has been tampered with, the tampered file is restored to its original state, thus avoiding losses to the computer and the user caused by the file tampering.

[0028] Secondly, this application also provides a system for monitoring file tampering, the system comprising:

[0029] The acquisition module is used to acquire the target tracking point corresponding to the operating system file, receive the file protection rules and the set processes through the information layer, and transmit them to the file kernel-mode program;

[0030] The transmission module is used to determine that the process involved in the original file does not include the set process, obtain the file content information corresponding to the target tracking point, and transmit it to the file user-space program.

[0031] The processing module is used to retrieve the file protection rules in the file kernel program, and use the file user program to traverse and compare the file content information corresponding to the target tracking point with the file protection rules to determine whether the original file has been tampered with.

[0032] If not, let the original file pass and generate a log record;

[0033] If so, it is determined that the original file has been tampered with.

[0034] In one possible design, the transmission module is specifically used to retrieve the trusted process and the recovery process in the file kernel-mode program;

[0035] The kernel-mode program of the file determines whether the processes involved in the original file include the trusted process and the recovery process;

[0036] If so, let the original file pass and generate the first log record;

[0037] If not, it is determined that the processes involved in the original file do not include the trusted process and the recovery process.

[0038] In one possible design, the processing module is specifically used to obtain the return value of the system call corresponding to the file's tracking point;

[0039] If the return value is the first set value, it is determined that the system call corresponding to the file's tracking point failed, the original file is let pass, and a second log record is generated;

[0040] If the return value is the second set value, it is determined that the system call for the corresponding tracking point of the file was successful.

[0041] In one possible design, the processing module is specifically used to retrieve all files within the file protection rules that have been backed up by the backup program;

[0042] The file user-mode program calls all files backed up by the backup program to restore the tampered information in the original files and generates a third log record.

[0043] Thirdly, this application provides an electronic device, comprising:

[0044] Memory, used to store computer programs;

[0045] When the processor executes the computer program stored in the memory, it implements the steps of the above-described method for monitoring file tampering.

[0046] Fourthly, this application provides a computer-readable storage medium storing a computer program, which, when executed by a processor, implements the steps of the above-described method for monitoring file tampering.

[0047] For the technical effects that the second to fourth aspects may achieve, refer to the description above of the technical effects achievable by the first aspect or by its various possible designs; they are not repeated here.

Description of the Drawings

[0048] Figure 1 is a flowchart of a method for monitoring file tampering provided in this application;

[0049] Figure 2 is a schematic diagram of the overall technical solution of the method for monitoring file tampering;

[0050] Figure 3 is a schematic diagram of the processing flow of the method for monitoring file tampering;

[0051] Figure 4 is a schematic diagram of a system for monitoring file tampering provided in this application;

[0052] Figure 5 is a schematic diagram of an electronic device provided in this application.

Detailed Description

[0053] To make the objectives, technical solutions, and advantages of this application clearer, the application will be further described in detail below with reference to the accompanying drawings. The specific operational methods in the method embodiments can also be applied to the device embodiments or system embodiments. It should be noted that in the description of this application, "multiple" is understood as "at least two". "And / or" describes the relationship between related objects, indicating that three relationships can exist. For example, A and / or B can represent: A existing alone, A and B existing simultaneously, and B existing alone. A connected to B can represent: A and B directly connected, and A and B connected through C. Furthermore, in the description of this application, terms such as "first" and "second" are used only for distinguishing the purpose of description and should not be construed as indicating or implying relative importance or order.

[0054] The embodiments of this application will now be described in detail with reference to the accompanying drawings.

[0055] Currently, in file anti-tampering technologies, kernel-driver-based methods require repeated compilation of the kernel driver, slowing down development and iteration, consuming time, and reducing development efficiency. While user-space file anti-tampering based on inotify avoids this issue because user-space programs are applicable to most Linux kernels, the lack of process information in inotify events means that it fails to monitor and record which process performed the file tampering, resulting in a lack of real-time monitoring and recording of file tampering.

[0056] Therefore, this application proposes a method for monitoring file tampering. This method can avoid repeated compilation of kernel regions, accelerate development and iteration speed, save time, and improve the efficiency of file tampering monitoring. At the same time, it monitors and records which process has tampered with the file, so that file tampering can be monitored and recorded in real time.

[0057] Referring to Figure 1, which is a flowchart of a method for monitoring file tampering provided in an embodiment of this application, the method includes:

[0058] S1: obtain the target tracking point corresponding to the operating system file, receive the file protection rules and the set processes through the information layer, and transmit them to the file kernel-mode program;

[0059] Specifically, this method can be applied to Linux systems. First, obtain the target tracking point corresponding to the operating system file, and then start the file tampering monitoring process.

[0060] Then, the file protection rules and the set processes are received through the information layer;

[0061] Finally, the above file protection rules and the above set processes are transmitted to the file kernel-mode program.

[0062] It should be noted that, in the embodiments of this application, the target tracking points include operations on the original file such as opening a file, renaming a file, writing a file, modifying file permissions, and modifying the file owner.

[0063] The target tracking point consists of two related tracking points: an entry tracking point and an exit tracking point.

[0064] For example, file renaming has two related tracepoints: the file renaming entry tracepoint (tracepoint:syscalls:sys_enter_renameat2) and the file renaming exit tracepoint (tracepoint:syscalls:sys_exit_renameat2). Together, the file renaming entry tracepoint and the file renaming exit tracepoint form the target tracepoint.

[0065] It should be noted that, in this embodiment of the application, the above information layer is created by the file user-mode program; the above file protection rules include protected directories and excluded directories; and the above set processes include the trusted process and the backup program's recovery process, where the backup program's recovery process is the process that the backup program has been called to run in order to restore the tampered file in this embodiment, and the backup program in this embodiment is rsync.

[0066] For example, in the technical solution diagram shown in Figure 2, in a Linux system, for the file renaming tracking point, the filebpfd user-mode program (i.e., the file user-mode program) first creates filter maps (i.e., the information layer). The filter maps then receive the trusted process, the rsync recovery process (i.e., the backup program's recovery process), the protected directory "home / a" and the excluded directory "home / a / b", and transmit the aforementioned trusted process, rsync recovery process, protected directory "home / a" and excluded directory "home / a / b" to the filebpfd kernel-mode program (i.e., the file kernel-mode program).

[0067] S2: determine that the processes involved in the original file do not include the set processes, obtain the file content information corresponding to the target tracking point, and transmit it to the file user-mode program;

[0068] Specifically, the first step is to retrieve the trusted process and the recovery process from the file kernel-mode program;

[0069] The kernel-mode program determines whether the processes involved in the original file include trusted processes and recovery processes.

[0070] If so, let the original file pass, generate the first log record, and end the file tampering monitoring process;

[0071] If not, it is determined that the processes involved in the original file do not include the trusted process or the recovery process;

[0072] After determining that the processes involved in the original file do not include the trusted process or the recovery process, the system call corresponding to the file's target tracking point is invoked;

[0073] At the system call entry point corresponding to the file's tracking point, obtain the file content information corresponding to the target tracking point. The file content information includes all information about the original file content and file-related process information that operates on the file, such as process ID, absolute process path name, and absolute file path name.

[0074] It should be noted that, in this embodiment, the file content information corresponding to the target tracking point can be obtained by retrieving, at the system call entry point corresponding to the file tracking point, a data structure containing all process information. For example, in a Linux system, at the system call entry point corresponding to the file tracking point, a task_struct structure instance is obtained through the bpf_get_current_task function. This structure instance is a data structure in the Linux kernel that contains all process information and is loaded into Random Access Memory (RAM). Through the task_struct structure instance, the directory name can be obtained using f_path; then the parent directory name can be obtained using f_path.d_parent; finally, a loop traces back to the current root path and then ends. Since the full file path retrieved in this way is concatenated in reverse order, the path must be reversed to obtain the absolute path of the file; the file content information corresponding to the target tracking point is thus obtained.
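The path reconstruction described above, as an added example that is not code from the patent or from NSFOCUS: a leaf-to-root walk over a constructed stand-in for struct dentry, with the bounded loop a BPF program would need and the final reversal the paragraph mentions. The `Dentry` class, `make_chain`, `build_path` and `MAX_DEPTH` are assumptions made here for illustration; a real BPF hook would read `d_parent` and `d_name` with `bpf_probe_read_kernel`.

```python
# Added example: reconstruct an absolute path by walking dentry parents, as the
# patent describes for the entry hook. Not the patent's or NSFOCUS's code.
from dataclasses import dataclass
from typing import Optional, Tuple

MAX_DEPTH = 32  # a BPF program must bound the loop for the verifier; value assumed here


@dataclass(eq=False)
class Dentry:
    """Constructed stand-in for struct dentry: a name and a parent pointer."""
    d_name: str
    d_parent: Optional["Dentry"]  # for the root, d_parent points to itself (as in the kernel)


def make_chain(*names: str) -> Dentry:
    """Build root -> names[0] -> ... -> names[-1] and return the leaf dentry."""
    root = Dentry("", None)
    root.d_parent = root
    d = root
    for n in names:
        d = Dentry(n, d)
    return d


def build_path(leaf: Dentry, max_depth: int = MAX_DEPTH) -> Tuple[str, bool]:
    """Walk leaf -> root collecting names (leaf first), then reverse.

    Returns (path, truncated). `truncated` is True when the bounded loop ran
    out before reaching the root, so the caller knows the prefix is missing.
    """
    comps = []
    d = leaf
    for _ in range(max_depth):
        if d.d_parent is d:  # reached the root of the dentry tree
            break
        comps.append(d.d_name)
        d = d.d_parent
    truncated = d.d_parent is not d
    comps.reverse()  # collected in reverse order; reverse to get root-first
    return "/" + "/".join(comps), truncated


if __name__ == "__main__":
    print(build_path(make_chain("home", "a", "c", "e")))
    print(build_path(make_chain("home", "a", "c", "e"), max_depth=2))
```

Two points a practitioner will care about: the loop bound forces an explicit "truncated" signal rather than a silently shortened path, and a plain `d_parent` walk stops at the root of one mount's dentry tree, so paths on bind mounts or nested filesystems need the vfsmount chain as well (on newer kernels the `bpf_d_path` helper does this for the program types that may use it).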

[0075] Furthermore, the aforementioned file content information is transmitted to the task layer;

[0076] At the exit point of the system call corresponding to the file's trace point, obtain all the information contained in the task layer and the return value of the system call corresponding to the file's trace point;

[0077] Transmit all information contained in the above task layer and the above return value to the event layer and delete the task layer at the same time.

[0078] All the information contained in the event layer is transmitted to the file user-space program. Therefore, the file user-space program can obtain the tampering events of the original file in real time from the event layer and obtain the file content information corresponding to the target tracking point.

[0079] It should be noted that if the processes involved in the file include the backup program's recovery process among the set processes, the subsequent steps would enter an infinite loop.

[0080] For example, suppose a file named 'c' located in the protected directory "home / a" is written at the file-writing tracking point and thereby tampered with, and the backup program restores it to its original state. Because of this restore operation, on the next pass the program would treat the restore itself as tampering and restore the file again, leading to an infinite loop and wasted resources. In this embodiment, however, the kernel-mode program checks whether the processes involved in the original file include the backup program's recovery process, thus preventing the program from entering an infinite loop. Furthermore, the kernel-mode program's check of whether the processes involved in the original file include the trusted process excludes files trusted by the program, saving system resources.

[0081] For example, in the technical solution diagram shown in Figure 2, in a Linux system, the trusted process and the rsync recovery process in the filebpfd kernel-mode program are retrieved. The filebpfd kernel-mode program determines that the processes involved in the original file include neither the trusted process nor the rsync recovery process. At this point, the hooked file renaming system call (i.e., the system call corresponding to the file's tracking point) is invoked. At the system call's entry point, the `bpf_get_current_task` function retrieves the `task_struct` data structure containing the process information (i.e., all file content information related to the file renaming operation). This data structure includes `u32 ppid` (parent process ID), `u32 pid` (process ID), `char comm[TASK_COMM_LEN]` (process name), `char process_name` (absolute file path), `int retval` (system call return value), and `char ext` (extension). The process information contained in this data structure is then transmitted to `task maps` (the task layer). Finally, at the system call's exit point, all information contained in `task maps` and the system call's return value are retrieved and transmitted to `event maps` (the event layer), and the `task maps` entry is deleted; the filebpfd user-mode program retrieves file tampering events in real time from `event maps`, obtaining all content information related to the file renaming.
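The entry/exit pairing of [0064] and the task maps / event maps hand-off of [0073] to [0081], modelled in user space as an added example that is not code from the patent or from NSFOCUS. The `TracepointJoiner` class, its method names and the trace replayed by `run_sample_trace()` are constructed for illustration; the map names and event fields follow the patent's description, and the thread id plays the role of the map key the BPF program would take from `bpf_get_current_pid_tgid`.

```python
# Added example: model of the kernel-side join filebpfd performs between the
# sys_enter_* and sys_exit_* tracepoints of one target tracking point.
# Not the patent's or NSFOCUS's code; the replayed trace is constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional

TASK_COMM_LEN = 16  # kernel constant: comm holds at most 15 characters plus NUL


@dataclass
class TaskEntry:
    """Value stored in task maps at the entry tracepoint (keyed by thread id)."""
    syscall: str
    pid: int
    ppid: int
    comm: str
    process_name: str  # absolute path of the file being operated on (patent's field name)


@dataclass
class FileEvent:
    """Value written to event maps at the exit tracepoint, read by user space."""
    syscall: str
    pid: int
    ppid: int
    comm: str
    process_name: str
    retval: int


class TracepointJoiner:
    def __init__(self, set_processes):
        self.filter_maps = set(set_processes)  # trusted process + recovery process
        self.task_maps: Dict[int, TaskEntry] = {}
        self.event_maps: List[FileEvent] = []
        self.first_log_records: List[str] = []

    def on_sys_enter(self, tid, syscall, pid, ppid, comm, path) -> bool:
        """Entry hook: let set processes pass, otherwise stash the task info."""
        comm = comm[:TASK_COMM_LEN - 1]
        if comm in self.filter_maps:
            # Set process: nothing is stored, so no event can be emitted at exit
            # (this is what breaks the restore -> tamper -> restore loop).
            self.first_log_records.append(f"pass pid={pid} comm={comm} path={path}")
            return False
        self.task_maps[tid] = TaskEntry(syscall, pid, ppid, comm, path)
        return True

    def on_sys_exit(self, tid, syscall, retval) -> Optional[FileEvent]:
        """Exit hook: join with the entry record, emit the event, delete the map entry."""
        entry = self.task_maps.pop(tid, None)
        if entry is None or entry.syscall != syscall:
            return None  # filtered at entry, or exit seen without a matching entry
        ev = FileEvent(entry.syscall, entry.pid, entry.ppid, entry.comm,
                       entry.process_name, retval)
        self.event_maps.append(ev)
        return ev

    def poll_events(self) -> List[FileEvent]:
        """User-space side: drain event maps in order."""
        evs, self.event_maps = self.event_maps, []
        return evs


def run_sample_trace():
    """Replay a constructed trace and return (joiner, events)."""
    j = TracepointJoiner(set_processes=["rsync", "trusted-app"])
    j.on_sys_enter(1001, "renameat2", 1001, 900, "bash", "/home/a/c/e")   # succeeds
    j.on_sys_enter(1002, "write", 1002, 1, "rsync", "/home/a/c/e")        # recovery process
    j.on_sys_enter(1003, "write", 1003, 900, "vim", "/home/a/b/e")        # will fail
    j.on_sys_exit(1001, "renameat2", 0)
    j.on_sys_exit(1002, "write", 0)    # no entry stored, so no event
    j.on_sys_exit(1003, "write", -13)  # -EACCES, as the kernel reports failure
    j.on_sys_exit(1004, "write", 0)    # exit with no entry at all: ignored
    return j, j.poll_events()


if __name__ == "__main__":
    for ev in run_sample_trace()[1]:
        print(ev)
```

Deleting the task maps entry at exit is what keeps the map from growing without bound; an exit that arrives with no entry (a process that was filtered, or a syscall already in flight when the program attached) is dropped rather than reported with empty fields.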

[0082] S3: retrieve the file protection rules in the file kernel-mode program, and use the file user-mode program to traverse the file protection rules to determine whether the original file has been tampered with;

[0083] Specifically, the first step is to obtain the return value of the system call corresponding to the file's trace point;

[0084] If the return value is the first set value, it is determined that the system call corresponding to the file's tracking point failed, the original file is let pass, a second log record is generated, and the file tampering monitoring process ends;

[0085] If the return value is the second set value, it confirms that the system call for the corresponding tracking point of the file was successful.

[0086] After confirming that the system call to the corresponding trace point of the file was successful, the file protection rules in the file kernel program are retrieved;

[0087] The file user-space program iterates through the file protection rules to determine whether the original file has been tampered with by examining the file content information corresponding to the target tracking point.

[0088] If not, proceed to step S4;

[0089] If so, proceed to step S5.

[0090] It should be noted that in this embodiment of the application, the first setting value is 1 and the second setting value is 0.

[0091] In this embodiment of the application, by determining the return value of the system call corresponding to the file tracking point, the subsequent file tampering monitoring system is made more complete and accurate.

[0092] For example, in a Linux system, for the trace point of file renaming, the return value of the file renaming system call is 0, indicating that the system call was successful; the file protection rules in the filebpfd kernel-mode program are retrieved, namely the protected directory "home / a" and the excluded directory "home / a / b". The filebpfd user-mode program then traverses the protected and excluded directories to find the file content information corresponding to the trace point of file renaming, and determines that the file has not been tampered with.

[0093] The above methods can be used to determine whether a file has been tampered with. Furthermore, based on the file content information, once the file has been tampered with, it can be determined which process operated on the file.

[0094] S4: Pass the original file and generate a log record;

[0095] Once it is determined that the original file has not been tampered with, the original file is allowed to pass, a log is generated, and the file tampering monitoring process is terminated.

[0096] For example, a write operation is performed on file 'e' in the directory "home / a / b". The protected directory in the protection rule is "home / a", and the excluded directory is "home / a / b". The filebpfd user-space program iterates through all information about the file content written to this tracking point in the protection rule. Since file 'e' is in the excluded directory, it is not included in the protection rule. At this point, it is determined that file 'e' has not been tampered with, so the file is allowed to pass, a log is generated, and the file tampering monitoring process ends.

[0097] S5: confirm that the original file has been tampered with;

[0098] After confirming that the original file has been tampered with, retrieve all files within the file protection rules that have been backed up by the backup program;

[0099] The file user-mode program calls all files backed up by the backup program to restore the tampered information in the original files, generates a third log record, and terminates the file tampering monitoring process.

[0100] For example, a write operation was performed on file 'e' in the directory "home / a / c". The protected directory in the file protection rules is "home / a", and the excluded directory is "home / a / b". The filebpfd user-mode program iterates through all file content information for the file written at this tracking point and compares it with the protection rules. Since file 'e' is in the protected directory, it is within the protection rules. At the same time, based on the above file content information, it is determined that file 'e' has been tampered with. At this point, all files in the "home / a" directory except the "home / a / b" directory backed up by rsync are retrieved. The filebpfd user-mode program calls rsync to restore file 'e' and generates a third log record, ending the file tampering monitoring process.

[0101] After confirming that a file has been tampered with, the above method allows the backup program to restore the tampered file to its original state, thus avoiding losses to the computer and the user.
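The user-space decision of steps S3 to S5 ([0083] to [0101]) as an added example that is not code from the patent or from NSFOCUS. It covers the return-value check, the protected/excluded directory match on the examples given above (file 'e' under "home / a / c" versus "home / a / b"), the log record naming the process, and the rsync restore. Paths are written with a leading slash ("/home/a" for the patent's "home / a"); the `ProtectionRules`, `FileEvent`, `classify`, `restore_command` and `handle` names, the backup layout and the rsync argument list are assumptions made here, not the project's.

```python
# Added example: the filebpfd user-mode decision for steps S3 to S5.
# Not the patent's or NSFOCUS's code; rule values follow the patent's examples.
from dataclasses import dataclass
from pathlib import PurePosixPath
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ProtectionRules:
    protected_dirs: Tuple[str, ...]
    excluded_dirs: Tuple[str, ...]


@dataclass(frozen=True)
class FileEvent:
    pid: int
    comm: str    # process name carried in the kernel-side event
    path: str    # absolute path of the file operated on
    retval: int  # system call return value


def under(path: str, directory: str) -> bool:
    """Component-wise containment: /home/a covers /home/a/c/e but not /home/ab/e.

    A plain string prefix test would match /home/ab/e too, silently widening the rule.
    """
    p, d = PurePosixPath(path), PurePosixPath(directory)
    return p == d or d in p.parents


def classify(ev: FileEvent, rules: ProtectionRules) -> str:
    """Decide what S3/S4/S5 do with one event (the set-process filter already ran kernel-side)."""
    # S3: a failed system call changed nothing, so let it pass (second log record).
    # The patent's embodiment marks failure with 1; a real syscall returns -errno.
    # Treating every nonzero value as failure covers both conventions.
    if ev.retval != 0:
        return "pass:syscall-failed"
    if any(under(ev.path, x) for x in rules.excluded_dirs):
        return "pass:excluded"        # S4: excluded directory wins over protected
    if any(under(ev.path, p) for p in rules.protected_dirs):
        return "tampered"             # S5
    return "pass:unprotected"         # S4


def restore_command(ev: FileEvent, backup_root: str) -> List[str]:
    """argv that restores one tampered file from the rsync mirror.

    Assumed layout: backup_root mirrors the protected tree, so /home/a/c/e lives
    at <backup_root>/home/a/c/e. The command is built, not executed, here.
    """
    src = str(PurePosixPath(backup_root) / PurePosixPath(ev.path).relative_to("/"))
    return ["rsync", "-a", src, ev.path]


def handle(ev: FileEvent, rules: ProtectionRules,
           backup_root: str) -> Tuple[str, str, Optional[List[str]]]:
    """Return (decision, log record naming the process, restore argv or None)."""
    decision = classify(ev, rules)
    log = f"{decision} pid={ev.pid} comm={ev.comm} path={ev.path} retval={ev.retval}"
    argv = restore_command(ev, backup_root) if decision == "tampered" else None
    return decision, log, argv


if __name__ == "__main__":
    rules = ProtectionRules(protected_dirs=("/home/a",), excluded_dirs=("/home/a/b",))
    for ev in (FileEvent(4242, "bash", "/home/a/c/e", 0),   # [0100]: tampered, restore
               FileEvent(4243, "bash", "/home/a/b/e", 0),   # [0096]: excluded, pass
               FileEvent(4244, "bash", "/home/a/c/e", 1)):  # [0112]: failed call, pass
        print(handle(ev, rules, "/var/backup/filebpfd"))
```

The log record is the part inotify could not provide: it carries `pid` and `comm` from the kernel-side event, so the third log record states which process wrote the file, not only that the file changed. Because the recovery process is filtered in the kernel before any event is produced, the rsync run planned by `restore_command` does not come back through `classify` as a second tampering.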

[0102] In summary, the file tampering monitoring method proposed in this application, based on a custom file user-mode program and a file kernel-mode program, firstly transmits file protection rules and process settings to the file kernel-mode program through an information layer created by the file user-mode program. Secondly, after determining that processing logic needs to be triggered, the file kernel-mode program calls the file's corresponding tracking point system to transmit the file tampering event to the file user-mode program. The file user-mode program then filters and determines whether the file has been tampered with according to the file protection rules. Finally, after the file has been tampered with, it restores the file using a backup program. This method avoids repeated compilation of kernel regions, accelerates development and iteration speed, saves time, and improves the efficiency of file tampering monitoring. Simultaneously, it monitors and records which process performed the file tampering, enabling real-time monitoring and recording of file tampering.

[0103] The technical solution of this application will be further explained below with reference to a specific application process.

[0104] Figure 3 shows the processing steps of the file tampering monitoring method. First, the target tracking point of the operating system file is obtained, and then the file tampering monitoring process is started.

[0105] The filebpfd user-space program creates filter maps, inputs protection rules, trusted processes, and rsync recovery processes, and shares them with the filebpfd kernel space. At the same time, it backs up the original files using rsync. The protection rules include protected directories and excluded directories.

[0106] The filebpfd kernel-mode program determines whether the processes involved in the original file corresponding to the target tracking point include trusted processes and rsync recovery processes.

[0107] If so, allow the original file to pass and generate a log entry, then terminate the file tampering monitoring process;

[0108] If not, at the entry point of the hooked system call for the file tracking point, obtain the file information corresponding to the target tracking point and write it to task maps;

[0109] At the exit point of the hooked system call for the file tracking point, obtain the task maps information and the system call return value, write them to event maps, and delete the task maps entry at the same time.

[0110] The filebpfd user-space program obtains file tampering events in real time from event maps, thus obtaining all information about the original file;

[0111] The success of a system call can be determined by its return value.

[0112] If the system call returns 1, the system call is determined to have failed. The original file is allowed to pass, a log is generated, and the file tampering monitoring process is terminated.

[0113] If the system call returns 0, the system call is considered successful.

[0114] After confirming that the system call was successful, the filebpfd user-space program iterates through the original file tampering information and compares it with the protection rules to determine whether the file has been tampered with.

[0115] If not, allow the original file and generate a log entry, then terminate the file tampering monitoring process;

[0116] If so, the filebpfd user-space program calls rsync to back up and restore the original file tampering information, generates a log record, and terminates the file tampering monitoring process.

[0117] By using the filebpfd user-space program and the filebpfd kernel-space program to process files, the repeated compilation of kernel regions is avoided, which speeds up development and iteration, saves time, and improves the efficiency of file tampering detection. At the same time, it monitors and records which process has tampered with files, so that file tampering can be monitored and recorded in real time.

[0118] Based on the same inventive concept, embodiments of this application also provide a system for monitoring file tampering, as shown in Figure 4, which is a structural schematic of the file tampering monitoring system provided in this application. The system includes:

[0119] The acquisition module 401 is used to acquire the target tracking point corresponding to the operating system file, receive the file protection rules and the set processes through the information layer, and transmit them to the file kernel-mode program.

[0120] The transmission module 402 is used to determine that the processes involved in the original file do not include the set processes, obtain the file content information corresponding to the target tracking point, and transmit it to the file user-space program.

[0121] The processing module 403 is used to retrieve the file protection rules in the file kernel-mode program, and to compare the file content information corresponding to the target tracking point with the file protection rules through the file user-space program to determine whether the original file has been tampered with.

[0122] If not, release the original file and generate a log record;

[0123] If so, determine that the original file has been tampered with.

[0124] In one possible design, the transmission module 402 is specifically used to retrieve the trusted process and the recovery process in the file kernel-mode program;

[0125] The file kernel-mode program determines whether the processes involved in the original file include the trusted process or the recovery process.

[0126] If so, release the original file and generate a first log record;

[0127] If not, determine that the processes involved in the original file include neither the trusted process nor the recovery process.

[0128] In one possible design, the processing module 403 is specifically used to obtain the return value of the system call corresponding to the file's tracking point;

[0129] If the return value is the first set value, it indicates that the system call at the tracking point corresponding to the file failed; the original file is released and a second log record is generated;

[0130] If the return value is the second set value, it is determined that the system call at the tracking point corresponding to the file succeeded.

[0131] In one possible design, the processing module 403 is specifically used to retrieve all files within the file protection rules that have been backed up by the backup program;

[0132] The file user-space program calls the backup program to restore all files backed up by the backup program, recovering the tampered content of the original file, and generates a third log record.

[0133] Based on the same inventive concept, this application also provides an electronic device that can realize the functions of the aforementioned file tampering monitoring system. Referring to Figure 5, the electronic device includes:

[0134] At least one processor 501 and a memory 502 connected to the at least one processor 501. In this embodiment, the specific connection medium between the processor 501 and the memory 502 is not limited; Figure 5 shows, by way of example, the processor 501 and the memory 502 connected via a bus 500. The bus 500 is drawn in Figure 5 as a thick line, and the connections between the other components are likewise drawn for illustration only and are not limiting. The bus 500 can be divided into an address bus, a data bus, a control bus, etc.; for ease of representation, Figure 5 draws it as a single thick line, but this does not imply that there is only one bus or only one type of bus. Alternatively, the processor 501 can also be called a controller; the name is not restricted.

[0135] In this embodiment, the memory 502 stores instructions executable by the at least one processor 501. By executing the instructions stored in the memory 502, the at least one processor 501 can perform the file tampering monitoring method described above and implement the functions of each module of the electronic device shown in Figure 5.

[0136] The processor 501 is the control center of the system; it connects the various parts of the control device through various interfaces and lines. By running or executing the instructions stored in the memory 502 and calling the data stored in the memory 502, it performs the various functions of the system and processes data, thereby monitoring the system as a whole.

[0137] In one possible design, processor 501 may include one or more processing units. Processor 501 may integrate an application processor and a modem processor, wherein the application processor mainly handles the operating system, user interface, and applications, and the modem processor mainly handles wireless communication. It is understood that the modem processor may also not be integrated into processor 501. In some embodiments, processor 501 and memory 502 may be implemented on the same chip; in some embodiments, they may also be implemented on separate chips.

[0138] Processor 501 can be a general-purpose processor, such as a central processing unit (CPU), digital signal processor, application-specific integrated circuit, field-programmable gate array or other programmable logic device, discrete gate or transistor logic device, or discrete hardware component, capable of implementing or executing the methods, steps, and logic block diagrams disclosed in the embodiments of this application. The general-purpose processor can be a microprocessor or any conventional processor. The steps of the monitoring file tampering method disclosed in the embodiments of this application can be directly manifested as execution by a hardware processor, or execution by a combination of hardware and software modules within the processor.

[0139] Memory 502, as a non-volatile computer-readable storage medium, can be used to store non-volatile software programs, non-volatile computer-executable programs, and modules. Memory 502 may include at least one type of storage medium, such as flash memory, hard disk, multimedia card, card-type memory, random access memory (RAM), static random access memory (SRAM), programmable read-only memory (PROM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), magnetic memory, magnetic disk, optical disk, etc. Memory 502 can be any other medium capable of carrying or storing desired program code in the form of instructions or data structures that can be accessed by a computer, but is not limited thereto. Memory 502 in the embodiments of this application may also be a circuit or any other system capable of implementing storage functions for storing program instructions and / or data.

[0140] By designing and programming the processor 501, the code corresponding to the file tampering monitoring method described in the foregoing embodiments can be embedded into the chip, so that during operation the chip performs the steps of the file tampering monitoring method of the embodiment illustrated in Figure 4. How to design and program the processor 501 is a technique well known to those skilled in the art and is not described further here.

[0141] Based on the same inventive concept, embodiments of this application also provide a storage medium storing computer instructions that, when executed on a computer, cause the computer to perform the aforementioned method for monitoring file tampering.

[0142] In some possible implementations, various aspects of the monitoring file tampering method provided in this application can also be implemented in the form of a program product, which includes program code that, when the program product is run on a system, causes the control device to perform the steps in the monitoring file tampering method according to the various exemplary embodiments of this application described above.

[0143] Those skilled in the art will understand that embodiments of this application can be provided as methods, systems, or computer program products. Therefore, this application can take the form of a completely hardware embodiment, a completely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, this application can take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.

[0144] This application is described with reference to flowcharts and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of this application. It will be understood that each flow and/or block of the flowcharts and/or block diagrams, and combinations of flows and/or blocks therein, can be implemented by computer program instructions. These computer program instructions can be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing apparatus produce means for implementing the functions specified in one or more flows of the flowchart of Figure 1 and/or one or more blocks of the block diagram of Figure 1.

[0145] These computer program instructions may also be stored in a computer-readable storage medium that can direct a computer or other programmable data processing device to function in a particular manner, such that the instructions stored in the computer-readable storage medium produce an article of manufacture including instruction means which implement the functions specified in one or more flows of the flowchart of Figure 1 and/or one or more blocks of the block diagram of Figure 1.

[0146] These computer program instructions may also be loaded onto a computer or other programmable data processing equipment so that a series of operational steps are performed on the computer or other programmable equipment to produce a computer-implemented process, such that the instructions executed on the computer or other programmable equipment provide steps for implementing the functions specified in one or more flows of the flowchart of Figure 1 and/or one or more blocks of the block diagram of Figure 1.

[0147] Obviously, those skilled in the art can make various modifications and variations to this application without departing from the spirit and scope of this application. Therefore, if such modifications and variations fall within the scope of the claims of this application and their equivalents, this application also intends to include such modifications and variations.

Claims

1. A method for monitoring file tampering, characterized in that it includes: the system obtains the target tracking point corresponding to the operating system file, receives the file protection rules and the set processes through the information layer, and transmits them to the file kernel-mode program, wherein the file protection rules include protected directories and excluded directories, and the set processes include trusted processes and the backup program's recovery process; determines that the processes involved in the original file include neither the trusted process nor the recovery process, obtains the file content information corresponding to the target tracking point, and transmits it to the file user-space program; retrieves the protected directory and the excluded directory in the file kernel-mode program, and traverses and compares the file content information corresponding to the target tracking point with the protected directory and the excluded directory through the file user-space program to determine whether the original file has been tampered with; if not, releases the original file and generates a log record; if so, determines that the original file has been tampered with, retrieves all files in the protected directory, other than the excluded directory, that have been backed up by the backup program, restores the tampered content of the original file by calling the files backed up by the backup program through the file user-space program, and generates a third log record; wherein the step of determining whether the original file has been tampered with includes: when the file content information lies in an excluded directory under the protected directory, determining that the original file has not been tampered with; when the file content information lies in a non-excluded directory under the protected directory, determining that the original file has been tampered with.

2. The method as described in claim 1, characterized in that determining that the processes involved in the original file include neither the trusted process nor the recovery process includes: retrieving the trusted process and the recovery process from the file kernel-mode program; the file kernel-mode program determines whether the processes involved in the original file include the trusted process or the recovery process; if so, the original file is released and a first log record is generated; if not, it is determined that the processes involved in the original file include neither the trusted process nor the recovery process.

3. The method as described in claim 1, characterized in that the step of retrieving the protected directory and the excluded directory from the file kernel-mode program includes: retrieving the return value of the system call corresponding to the file's tracking point; if the return value is the first set value, it is determined that the system call at the tracking point corresponding to the file failed, the original file is released, and a second log record is generated; if the return value is the second set value, it is determined that the system call at the tracking point corresponding to the file succeeded.

4. A system for monitoring file tampering, characterized in that it includes: an acquisition module, used to acquire the target tracking point corresponding to the operating system file, receive the file protection rules and the set processes through the information layer, and transmit them to the file kernel-mode program, wherein the file protection rules include protected directories and excluded directories, and the set processes include trusted processes and the backup program's recovery process; a transmission module, used to determine that the processes involved in the original file include neither the trusted process nor the recovery process, obtain the file content information corresponding to the target tracking point, and transmit it to the file user-space program; and a processing module, used to retrieve the protected directory and the excluded directory in the file kernel-mode program, and to traverse and compare the file content information corresponding to the target tracking point with the protected directory and the excluded directory through the file user-space program to determine whether the original file has been tampered with; if not, the original file is released and a log record is generated; if so, it is determined that the original file has been tampered with, all files in the protected directory, other than the excluded directory, that have been backed up by the backup program are retrieved, the tampered content of the original file is restored by calling the files backed up by the backup program through the file user-space program, and a third log record is generated; wherein the step of determining whether the original file has been tampered with includes: when the file content information lies in an excluded directory under the protected directory, determining that the original file has not been tampered with; when the file content information lies in a non-excluded directory under the protected directory, determining that the original file has been tampered with.

5. The system as described in claim 4, characterized in that the transmission module is used to retrieve the trusted process and the recovery process in the file kernel-mode program; the file kernel-mode program determines whether the processes involved in the original file include the trusted process or the recovery process; if so, the original file is released and a first log record is generated; if not, it is determined that the processes involved in the original file include neither the trusted process nor the recovery process.

6. The system as described in claim 4, characterized in that the processing module is used to obtain the return value of the system call corresponding to the file's tracking point; if the return value is the first set value, it is determined that the system call at the tracking point corresponding to the file failed, the original file is released, and a second log record is generated; if the return value is the second set value, it is determined that the system call at the tracking point corresponding to the file succeeded.

7. An electronic device, characterized in that it includes: a memory, used to store a computer program; and a processor which, when executing the computer program stored in the memory, implements the method steps of any one of claims 1-3.

8. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program which, when executed by a processor, implements the steps of the method described in any one of claims 1-3.