System security protection method and electronic device
By capturing event information and executing security policies on the target system behavior of executable programs, log data carrying security semantics is generated, which solves the problem that log data is only used for post-event auditing in the existing technology, realizes a proactive protection closed loop, and improves the timeliness and reliability of system security protection.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- BEIJING LINX SOFTWARE CORP
- Filing Date
- 2026-03-13
- Publication Date
- 2026-06-19
AI Technical Summary
In existing system security protection methods, log data is only used as post-event audit data, which cannot trigger an active protection closed loop from the source. This results in protection delays and the risk of missed detections, and cannot achieve timely and reliable system security protection.
By capturing event information of target system behaviors triggered during the execution of executable programs, log data carrying security semantic information is generated, and security risks are determined based on the event information, and corresponding security policies are executed to achieve a proactive protection closed loop.
It improves the timeliness and reliability of security protection. Log data, as decision data for security response, enables proactive protection to be triggered from the source of the event, clarifies the process of security policy execution, and facilitates the tracing of security events.
Figure CN121859299B_ABST (abstract drawing)
Description
Technical Field
[0001] This invention relates to the field of computer technology, and in particular to a system security protection method and electronic device.
Background Technology
[0002] In complex information system environments, system security protection has evolved from traditional perimeter defense to a refined protection paradigm that delves deep into the system's interior. The core of existing refined protection paradigms is "raw event capture + post-event rule matching," such as analyzing logs generated over a period of time and assigning risk labels through rule matching to further trigger relevant protection strategies. In existing methods, log data is only used as post-event audit data, failing to trigger a proactive protection loop from the source. This results in protection delays and the risk of missed detections, failing to achieve timely and reliable system security protection.
Summary of the Invention
[0003] Based on the above analysis, the present invention aims to provide a system security protection method to solve the problem that in existing security protection methods, log data is only used as post-event audit data, which cannot trigger an active protection closed loop from the source, resulting in protection delays and the risk of missed detections, and thus failing to achieve timely and reliable system security protection.
[0004] On one hand, the present invention provides a system security protection method, which includes: capturing event information of target system behavior triggered during the execution of an executable program; determining the security risk of the target system behavior of the executable program based on the event information; generating log data carrying security semantic information in response to the existence of security risk in the target system behavior of the executable program; wherein the security semantic information includes the process name of the executable program and a security policy for the target system behavior of the executable program; and executing the security policy on the process of the executable program based on the process name to provide security protection for the target system behavior of the executable program.
[0005] Based on a further improvement of the above method, the event information includes the process name of the executable program, the event type identifier of the target system behavior, and the event parameters of the target system behavior; wherein, the event parameters are used to distinguish different events belonging to the same event type; determining the security risk of the target system behavior of the executable program based on the event information includes: obtaining a pre-set security label element corresponding to the event type identifier; wherein, the security label element includes partial or complete information of the security label, and the security label is used to represent sensitive events of concern to system security protection; obtaining a pre-set security rule; wherein, the security rule includes the program name, the security label, and the security policy; in response to matching a security rule in which the security label includes the security label element, further matching the program name of the executable program in the security rule, wherein the security label is used to prohibit the event represented by the event parameters; in response to matching the security rule, determining that the target system behavior of the executable program has a security risk.
[0006] Based on a further improvement of the above method, before the step of further matching, in the security rule, the program name against the executable program's name and the security label against the event represented by the event parameter, the method further includes: determining, based on the event parameter, a security label that prohibits the event represented by the event type identifier and the event parameter.
[0007] Based on a further improvement of the above method, the method for matching a security label that prohibits the event represented by the event type identifier and the event parameter comprises: taking the security labels related to the event corresponding to the event type identifier as the security labels to be matched; determining matching parameters according to the security labels to be matched and the security label element corresponding to the event type identifier; and, in response to the event parameter matching at least one of the matching parameters, determining that a security label prohibiting the event represented by the event type identifier and the event parameter has been matched.
[0008] A further improvement to the above method is that generating log data carrying security semantic information includes: generating log data carrying security semantic information based on the process name in the event information and the record data corresponding to the security policy.
[0009] A further improvement to the above method is that, after generating log data carrying security semantic information based on the process name and the record data corresponding to the security policy in the event information, the method further includes: obtaining context information of the target system behavior and adding the context information to the log data.
[0010] Based on a further improvement to the above method, before capturing event information of target system behavior triggered during the execution of the executable program, the method further includes: configuring or modifying the security rules through user-space tools.
[0011] Based on a further improvement of the above method, the system security protection method is implemented through a log generation process and a log processing process; wherein, the log generation process is used to perform: capturing event information of target system behavior triggered during the execution of the executable program; determining the security risk of the target system behavior of the executable program based on the event information; and generating log data carrying security semantic information in response to the existence of security risk in the target system behavior of the executable program; the log processing process is used to perform: executing the security policy on the process of the executable program according to the process name to provide security protection for the target system behavior of the executable program.
[0012] Based on a further improvement of the above method, the log generation process and the log processing process adopt a producer-consumer architecture; wherein: the log generation process, as a producer, is also used to store the log data carrying security semantic information in a buffer after generating the log data; the log processing process, as a consumer, is also used to read the log data from the buffer before executing the security policy on the process of the executable program according to the process name to provide security protection for the target system behavior of the executable program.
[0013] The present invention also provides an electronic device, including a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor executes the computer program to implement the system security protection method described above.
[0014] The present invention also provides a non-transitory computer-readable storage medium having a computer program stored thereon, which, when executed by a processor, implements the system security protection method as described above.
[0015] The present invention also provides a computer program product, including a computer program that, when executed by a processor, implements the system security protection method as described above.
[0016] The system security protection method and electronic device provided by this invention captures event information of target system behavior triggered during the execution of an executable program. After determining that the target system behavior of the executable program has security risks based on the event information, log data carrying security semantic information is generated. Then, security protection is performed based on the log data. The log data serves as decision data for security response, realizing an active protection closed loop triggered from the source of the event, improving the timeliness and reliability of security protection. Furthermore, the log data carries security semantic information, which can clearly identify the program process of security policy execution and facilitate the tracing of security events.
[0017] In this invention, the above-described technical solutions can be combined with each other to achieve more preferred combinations. Other features and advantages of this invention will be set forth in the following description, and some advantages may become apparent from the description or be learned by practicing the invention. The objects and other advantages of this invention can be realized and obtained from what is particularly pointed out in the description and drawings.
Description of the Attached Figures
[0018] The accompanying drawings are for illustrative purposes only and are not intended to limit the invention. Throughout the drawings, the same reference numerals denote the same parts.
[0019] Figure 1 is a flowchart illustrating the system security protection method provided by the present invention.
[0020] Figure 2 is a schematic diagram of the physical structure of an electronic device provided by the present invention.
Detailed Implementation
[0021] Preferred embodiments of the present invention will now be described in detail with reference to the accompanying drawings, which form part of this application and are used together with the embodiments of the present invention to illustrate the principles of the present invention, but are not intended to limit the scope of the present invention.
[0022] Figure 1 is a flowchart illustrating the system security protection method provided by the present invention. As shown in Figure 1, the method includes:
[0023] Step S1: Capture event information of target system behaviors triggered during the execution of the executable program.
[0024] Based on the kernel's hook mechanism, target system behaviors triggered during the execution of an executable program can be captured. These target system behaviors can be pre-defined critical system behaviors. The system call mount point in the hook mechanism is designed according to the target system behavior of interest. The main logic of the code in the system call mount point is to collect various event information. For example, if the target system behavior of interest is file access, then the system call mount point is the `openat` function. This system call mount point is triggered when a file is accessed, and after triggering, it collects relevant event information.
[0025] Step S2: Determine the security risks of the target system behavior of the executable program based on the event information.
[0026] Security rules can be pre-set, which include information on which events of the executable program are considered sensitive events. The captured event information can be matched with the sensitive event information in the security rules. If a relevant sensitive event is matched, it can be determined that the target system behavior of the executable program has a security risk; otherwise, it can be determined that the target system behavior of the executable program does not have a security risk.
[0027] Step S3: In response to the security risk of the target system behavior of the executable program, generate log data carrying security semantic information; wherein, the security semantic information includes the process name of the executable program and the security policy for the target system behavior of the executable program.
[0028] If the target system behavior of the executable program poses a security risk, log data carrying security semantic information is generated. This security semantic information includes at least the process name of the executable program and the security policy targeting the target system behavior of the executable program.
[0029] Step S4: Execute the security policy on the process of the executable program according to the process name to protect the target system behavior of the executable program.
[0030] The process whose process name matches the process name in the security semantic information is obtained, and the security policy in the security semantic information is executed on the process, thereby achieving security protection for the target system behavior of the executable program.
[0031] The system security protection method provided by this invention captures event information of target system behaviors triggered during the execution of an executable program. After determining that the target system behaviors of the executable program have security risks based on the event information, log data carrying security semantic information is generated. Then, security protection is performed based on the log data. The log data serves as decision data for security response, realizing an active protection closed loop triggered from the source of the event, improving the timeliness and reliability of security protection. Furthermore, the log data carries security semantic information, which can clearly identify the program process of security policy execution and facilitate the tracing of security events.
[0032] According to a system security protection method provided by the present invention, the event information includes the process name of the executable program, the event type identifier of the target system behavior, and the event parameters of the target system behavior; wherein, the event parameters are used to distinguish different events belonging to the same event type; determining the security risk of the target system behavior of the executable program based on the event information includes: obtaining a pre-set security label element corresponding to the event type identifier, wherein the security label element includes partial or complete information of the security label, and the security label represents a sensitive event of concern to system security protection; obtaining a pre-set security rule, wherein the security rule includes the program name, the security label, and the security policy; in response to matching a security rule whose security label includes the security label element, further matching, in that security rule, the program name against the executable program's name and the security label against the event represented by the event type identifier and the event parameters; and, in response to matching such a security rule, determining that the target system behavior of the executable program has a security risk.
[0033] The event information includes the executable program's process name, the event type identifier of the target system behavior, and the event parameters of the target system behavior. The event type identifier for each target system behavior can be predefined. The event parameters of the target system behavior are used to distinguish different events belonging to the same event type. For example, when the event type is file access, the event parameter can be set to the access path to represent different file accesses.
[0034] The following describes the implementation process for determining the security risks of the target system behavior of executable programs based on event information.
[0035] Retrieves pre-defined security label elements corresponding to event type identifiers. These security label elements include partial or complete information about the security label associated with the event corresponding to the event type identifier. The security label indicates a sensitive event of concern to the system's security protection. Examples of security labels include: DISABLE_OP_SUDO and DISABLE_AC_ETC. DISABLE_OP_SUDO indicates that SUDO operation is prohibited; DISABLE_AC_ETC indicates that access to the ETC directory is prohibited. The event type identifier identifies the specific event type, such as file access or file modification. The security label element associated with the event type identifier includes partial or complete information about the security label associated with the event corresponding to the event type identifier. For example, for a file access event, the security label element could be DISABLE_AC, indicating that file access occurred, specifically including partial information such as the security label DISABLE_AC_ETC for prohibiting access to ETC and the security label DISABLE_AC_ABC for prohibiting access to ABC. If there is only one security label corresponding to a certain event type, the security label element associated with the event type identifier can be consistent with the security label, i.e., it can contain all the information of the security label.
[0036] Retrieves pre-defined security rules. There can be one or more security rules. Each security rule includes a program name, a security label, and a security policy. The security policy defines the action to be taken when a security event is detected; its purpose is to provide a set of optional response actions for the formulation of security rules. For example, KILL represents forcibly terminating the program, and NOTICE_ROOT represents reporting a notification to the root user. For instance, a security rule like "Program Name A; DISABLE_OP_SUDO (Security Label); KILL (Security Policy)" means that when program A triggers the DISABLE_OP_SUDO (Disable SUDO) security label, the action is KILL (forcibly terminating the program).
[0037] Determine whether the security label in each security rule includes the security label element corresponding to the event type identifier. For example, if the security label element is DISABLE_AC, check whether any security rule contains a security label starting with DISABLE_AC. If a pre-set security rule contains a security label starting with DISABLE_AC, a security rule containing the security label element has been matched. Such a match means that the security rules contain a rule restricting events of the type corresponding to the event type identifier, such as a rule restricting file access. Whether security protection should be applied to the current target system behavior still needs to be determined from the event information: if the security rules only prohibit file access to certain paths, it is not necessary to prohibit all file access. Therefore, the matching continues against security rules whose program name is the executable program's name and whose security label prohibits the event represented by the event type identifier and the event parameters. The event type identifier identifies the event type, and the event parameters distinguish different events belonging to the same event type. For example, for a file access event, the event parameters can include the specific access path to differentiate between different file access events. If the target system behavior is determined, from the event type identifier and the event parameters, to be accessing a file in the ETC directory, then it can be confirmed that the security label DISABLE_AC_ETC, which prohibits access to the ETC directory, has been triggered.
[0038] If a security rule is matched whose program name is the executable program's name and whose security label prohibits the event represented by the event parameter, it is determined that the target system behavior of the executable program poses a security risk.
[0039] The system security protection method provided by this invention determines the security risks of the target system behavior of an executable program based on event information through a step-by-step matching method, thereby improving the efficiency and accuracy of security risk determination.
[0040] According to a system security protection method provided by the present invention, the method for matching a security label that prohibits the event represented by the event type identifier and the event parameter includes: taking the security labels related to the event corresponding to the event type identifier as the security labels to be matched; determining matching parameters based on the security labels to be matched and the security label element corresponding to the event type identifier; and, in response to the event parameter matching at least one of the matching parameters, determining that a security label prohibiting the event represented by the event type identifier and the event parameter has been matched.
[0041] When matching security rules to determine if a security label exists for the event represented by the event type identifier and event parameters, the security label to be matched is first determined based on the security label related to the event type identifier. The method for constructing the security label for each event type is predefined. This method includes a method for determining the security label for that type of event based on security label elements. For example, in a file access event, this method can be set to use the security label element corresponding to the event type identifier as a prefix. If the security label element only includes partial information about the security label, then the security label is determined based on the specific access path to be prohibited. For example, a security label of DISABLE_AC_ETC is used to prohibit access to the ETC directory. A security label of DISABLE_AC_ABC is used to prohibit access to the ABC directory.
[0042] The matching parameters are determined based on the security label elements corresponding to the security labels to be matched and the event type identifier. Multiple security labels to be matched can yield multiple matching parameters. The matching parameters are used to match with the event parameters to determine whether there exists a security label used to prohibit the event represented by the event type identifier and the event parameters. For example, for the security label DISABLE_AC_ETC, the prefix DISABLE_AC indicates that access is prohibited, but this content is not included in the event parameters. In this example, the matching parameter is ETC obtained after removing the security label prefix; that is, in this security label, the matching parameter is the specific access path ETC.
[0043] If an event parameter matches at least one matching parameter, then a security label prohibiting the event represented by the event type identifier and the event parameter is determined to have been matched. One scenario in which an event parameter matches a matching parameter is that the event parameter contains the matching parameter. For example, if the access path represented by the event parameter contains the prohibited path ETC, or the operation object represented by the event parameter contains the prohibited operation object SUDO, then the event parameter contains the matching parameter, and the two match. It is important to understand that matching an event parameter and a matching parameter does not require a direct containment relationship between them; it only requires that, under a certain event type, the specific event represented by the event parameter triggers the specific event represented by the matching parameter. This can be configured in the code based on the actual event situation.
[0044] The system security protection method provided by the present invention determines the security label to be matched based on the event type identifier and the corresponding security label element, determines the matching parameters based on the security label to be matched, and determines that the security label used to prohibit the event represented by the event type identifier and the event parameters is matched when the event parameters match the matching parameters. This achieves accurate matching of security labels used to prohibit the event represented by the event type identifier and the event parameters.
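As an added illustration of the step-by-step matching described in paragraphs [0032] to [0044], the following Python is not the patent's own code. The event shape, the rule list, the label-element table and the event type identifiers (FILE_ACCESS, OPERATION) are assumptions modelled on the examples in the text (DISABLE_AC_ETC, DISABLE_OP_SUDO, KILL, NOTICE_ROOT). It goes one step beyond the containment example in [0043] by comparing a file-access matching parameter against path components, so that a path such as /home/fetch/x does not match the prohibited directory ETC.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Security label element preset per event type identifier ([0035]).
# Constructed table: the element is the part of the label shared by all
# labels of that event type (DISABLE_AC_ETC, DISABLE_AC_ABC -> DISABLE_AC).
LABEL_ELEMENTS: dict[str, str] = {
    "FILE_ACCESS": "DISABLE_AC",  # hypothetical identifier for the openat hook point
    "OPERATION": "DISABLE_OP",    # hypothetical identifier for privileged operations
}


@dataclass(frozen=True)
class Event:
    """Event information collected at the hook point ([0033])."""
    process_name: str
    event_type: str   # event type identifier
    event_param: str  # distinguishes events of the same type, e.g. the access path


@dataclass(frozen=True)
class SecurityRule:
    """Program name + security label + security policy ([0036])."""
    program_name: str
    security_label: str
    security_policy: str


# Constructed rule set, following the "Program Name A; DISABLE_OP_SUDO; KILL" example.
RULES: list[SecurityRule] = [
    SecurityRule("A", "DISABLE_OP_SUDO", "KILL"),
    SecurityRule("B", "DISABLE_AC_ETC", "NOTICE_ROOT"),
    SecurityRule("B", "DISABLE_AC_ABC", "KILL"),
]


def rules_with_element(rules: list[SecurityRule], element: str) -> list[SecurityRule]:
    """[0037], first pass: keep rules whose label starts with the label element."""
    return [r for r in rules if r.security_label.startswith(element)]


def matching_parameter(label: str, element: str) -> str:
    """[0042]: strip the element prefix; what remains is the matching parameter (ETC, ABC, SUDO)."""
    return label[len(element):].lstrip("_")


def event_param_matches(event_type: str, event_param: str, matching_param: str) -> bool:
    """[0043]: decide whether the concrete event triggers the label's matching parameter.

    The text says this comparison is configured per event type. For file access the
    prohibited name must be a whole path component (tighter than plain containment,
    which would also match /home/fetch/x); other types use case-insensitive containment.
    """
    if event_type == "FILE_ACCESS":
        components = [p.lower() for p in event_param.split("/") if p]
        return matching_param.lower() in components
    return matching_param.lower() in event_param.lower()


def determine_risk(event: Event, rules: list[SecurityRule]) -> Optional[SecurityRule]:
    """Step S2: return the matched rule (the record data later written to the log) or None."""
    element = LABEL_ELEMENTS.get(event.event_type)
    if element is None:
        return None  # no label element preset: not a sensitive event type
    candidates = rules_with_element(rules, element)
    if not candidates:
        return None  # no rule restricts this event type at all
    # Second pass: program name, then the label's matching parameter versus the event parameter.
    for rule in candidates:
        if rule.program_name != event.process_name:
            continue
        param = matching_parameter(rule.security_label, element)
        if event_param_matches(event.event_type, event.event_param, param):
            return rule
    return None


if __name__ == "__main__":
    for ev in (
        Event("B", "FILE_ACCESS", "/etc/passwd"),
        Event("B", "FILE_ACCESS", "/home/fetch/x"),
        Event("A", "FILE_ACCESS", "/etc/passwd"),
        Event("A", "OPERATION", "sudo"),
    ):
        print(ev, "->", determine_risk(ev, RULES))
```

The two-pass structure mirrors the text: the label-element check answers "does any rule restrict this event type at all?" cheaply, and only then are program name and matching parameter compared, so an event type with no rules never reaches the per-rule comparison.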
[0045] According to a system security protection method provided by the present invention, after determining that the target system behavior of the executable program has a security risk, the method further includes: recording the data of the security rule whose program name is the executable program's name and whose security label prohibits the event represented by the event parameter, to obtain the record data.
[0046] After determining that the target system behavior of an executable program poses a security risk, it is necessary to generate log data carrying security semantic information. This can be achieved by recording data for security rules whose program name is the executable program name and whose security labels are used to prohibit events represented by event parameters. This process ensures the generation of log data while providing a foundation for subsequent data analysis. The recorded data for security rules includes the security rule program name, security label, and security policy.
[0047] The system security protection method provided by this invention records the data of the security rule whose program name is the executable program's name and whose security label prohibits the event represented by the event parameter. This not only ensures the generation of log data but also provides a basis for subsequent data analysis.
[0048] According to a system security protection method provided by the present invention, generating log data carrying security semantic information includes: generating log data carrying security semantic information based on the process name in the event information and the record data corresponding to the security policy.
[0049] The information included in the log data can be preset. It can include only part of the information in the security rule, all of the information in the security rule, or other information in addition. Log data carrying security semantic information must at least include the executed security policy and the object of the security policy execution. Therefore, in this embodiment, log data carrying security semantic information is generated based on the process name in the event information and the record data corresponding to the security policy.
[0050] The system security protection method provided by this invention generates log data carrying security semantic information based on the process name and security policy corresponding record data in the event information, thereby realizing the rapid acquisition of log data as decision data for security protection response.
[0051] According to a system security protection method provided by the present invention, after generating log data carrying security semantic information based on the process name and the record data corresponding to the security policy in the event information, the method further includes: obtaining context information of the target system behavior and adding the context information to the log data.
[0052] The execution of target system behaviors generates relevant context information. In this embodiment, the context information of the target system behaviors is recorded as part of the log data. This way, when analyzing the log data later, it can be clearly determined what kind of event triggered the execution of the security protection.
[0053] The system security protection method provided by this invention facilitates subsequent traceability by adding contextual information about the target system's behavior to log data.
[0054] According to a system security protection method provided by the present invention, before capturing event information of target system behavior triggered during the execution of an executable program, the method further includes: configuring or modifying the security rules through user-space tools.
[0055] Before capturing event information of target system behaviors triggered during the execution of an executable program, security rules are configured or modified using user-space tools. In this invention, security policies are decoupled from kernel mechanisms; for example, configuring security policies does not affect the capture of event information based on the kernel hook mechanism. Users only need to configure security rules to adjust protection policies, significantly reducing usage and maintenance costs.
[0056] Standard security labels and security policies can be pre-configured in the system. Users can associate programs, behaviors, and processing methods by writing security rules, which are specifically reflected in the program name, security label, and security policy in the security rules.
[0057] The system security protection method provided by this invention enables user-side adjustment of protection strategies by configuring or modifying security rules through user-space tools, decoupling it from the kernel mechanism and significantly reducing usage and maintenance costs.
[0058] According to a system security protection method provided by the present invention, the system security protection method is implemented through a log generation process and a log processing process; wherein, the log generation process is used to perform: capturing event information of target system behavior triggered during the execution of an executable program; determining the security risk of the target system behavior of the executable program based on the event information; and generating log data carrying security semantic information in response to the existence of security risk in the target system behavior of the executable program.
[0059] The log processing process is used to execute: based on the process name, security policies are applied to the executable program's process to protect the target system behavior of the executable program.
[0060] The log generation process generates log data carrying security semantic information, which can then be sent to the log processing process. The log processing process can then apply security policies to the executable program's process based on the process name and security policy in the log data.
[0061] The system security protection method provided by this invention improves the convenience of program maintenance and avoids mutual interference between processing flows by decoupling log generation and log processing.
[0062] According to a system security protection method provided by the present invention, the log generation process and the log processing process adopt a producer-consumer architecture; wherein: the log generation process, as a producer, is further configured to store the log data carrying security semantic information in a buffer after generating the log data; the log processing process, as a consumer, is further configured to read the log data from the buffer before executing the security policy on the process of the executable program according to the process name to perform security protection on the target system behavior of the executable program.
[0063] The log generation and processing processes adopt a producer-consumer architecture. The log generation process, acting as the producer, generates log data carrying security semantic information and stores the log data in a buffer. The log processing process, acting as the consumer, reads the log data from the buffer and executes security protection measures based on the log data.
[0064] The system security protection method provided by this invention adopts a producer-consumer architecture for the log generation process and the log processing process. Each process can proceed according to its own resources and task load, which improves the decoupling of the system.
[0065] According to a system security protection method provided by the present invention, the security strategy includes at least one of the following processing methods: forcibly terminating the illegal program; generating security alarm information; and reporting the event information.
[0066] Here, generation of security alarm information can be configured to produce alarms of different priorities, and reporting of event information can be configured to report to a designated management terminal or to the root user.
[0067] The system security protection method provided by the present invention improves the richness of security policies by setting security policies including at least one of forcibly terminating illegal programs, generating security alarm information, and reporting event information.
[0068] The system security protection method provided by this invention constructs a proactive protection system of "source semantic tagging + log-driven protection + kernel-policy decoupling". Its core innovation is upgrading "semantic-free raw logs" into "decision data with security semantics," achieving lightweight, refined, and highly usable host-level semantic log-driven protection. Logs carrying security semantics serve as the central carrier connecting program behavior, policy determination, and security response, thereby constructing a decoupled, traceable security protection system that effectively balances efficiency and usability while ensuring security. The log-driven approach enables the execution of security policies, decoupling it from the kernel mechanism and balancing security with system maintainability.
[0069] The system security protection method provided by this invention accurately and completely captures security-related behaviors at the source of program behavior and assigns them clear security semantics. It achieves flexible configuration and dynamic response of security policies without increasing kernel complexity. It constructs a traceable and interpretable security protection mechanism, ensuring that every security action has clear behavioral basis and log evidence. It avoids the generation of a large number of irrelevant logs, reducing system performance overhead and operational burden while ensuring security coverage. This method assigns standardized security semantics to log data at the source of behavior (kernel hook point). The log itself is an "instruction with decision-making basis," directly driving the response without intermediate links, resulting in more timely and clearer semantics.
[0070] The core advantages of the system security protection method provided by this invention are obvious:
[0071] More proactive: Logs directly trigger security responses such as terminating the violating process and reporting alerts, rather than just post-event auditing;
[0072] More comprehensive: Covers the protection of all system behaviors, far exceeding the limitations of a single audit scenario;
[0073] More intelligent: Logs come with standardized security semantic information, allowing for direct decision-making without secondary parsing;
[0074] More flexible: The policy is decoupled from the kernel. Users only need to configure the security rules of "program name - security label - security policy" to adjust the protection logic without modifying the kernel or analysis engine. The operation and maintenance cost is extremely low and the scalability is extremely strong.
[0075] More efficient: By default, irrelevant logs are not recorded, resulting in low system overhead and low maintenance costs, with no redundant noise.
[0076] In short, the system security protection method provided by this invention realizes a "closed-loop security protection system" that can more accurately address the core security needs of complex information systems.
[0077] Figure 2 is a schematic diagram of an example physical structure of an electronic device. As shown in Figure 2, the electronic device may include a processor 210, a communication interface 220, a memory 230, and a communication bus 240, wherein the processor 210, the communication interface 220, and the memory 230 communicate with each other via the communication bus 240. The processor 210 can call logical instructions in the memory 230 to execute the system security protection methods provided in the above embodiments.
[0078] Furthermore, the logical instructions in the aforementioned memory 230 can be implemented as software functional units and, when sold or used as independent products, can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention, in essence, or the part that contributes to the prior art, or a part of the technical solution, can be embodied in the form of a software product. This computer software product is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute all or part of the steps of the methods described in the various embodiments of the present invention. The aforementioned storage medium includes various media capable of storing program code, such as USB flash drives, portable hard drives, read-only memory (ROM), random access memory (RAM), magnetic disks, or optical disks.
[0079] On the other hand, the present invention also provides a computer program product, which includes a computer program that can be stored on a non-transitory computer-readable storage medium. When the computer program is executed by a processor, the computer can execute the system security protection methods provided in the above embodiments.
[0080] In another aspect, the present invention also provides a non-transitory computer-readable storage medium having a computer program stored thereon, which, when executed by a processor, is implemented to perform the system security protection methods provided in the above embodiments.
[0081] Those skilled in the art will understand that all or part of the processes of the methods described in the above embodiments can be implemented by a computer program instructing related hardware, and the program can be stored in a computer-readable storage medium. The computer-readable storage medium may be a disk, optical disk, read-only memory, or random access memory, etc.
[0082] The device embodiments described above are merely illustrative. The units described as separate components may or may not be physically separate. The components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the modules can be selected to achieve the purpose of this embodiment according to actual needs. Those skilled in the art can understand and implement this without any creative effort.
[0083] Through the above description of the embodiments, those skilled in the art can clearly understand that each embodiment can be implemented by means of software plus necessary general-purpose hardware platforms, and of course, it can also be implemented by hardware. Based on this understanding, the above technical solutions, in essence or the part that contributes to the prior art, can be embodied in the form of a software product. This computer software product can be stored in a computer-readable storage medium, such as ROM / RAM, magnetic disk, optical disk, etc., and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute the methods described in the various embodiments or some parts of the embodiments.
[0084] Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention, and not to limit them; although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that modifications can still be made to the technical solutions described in the foregoing embodiments, or equivalent substitutions can be made to some of the technical features; and these modifications or substitutions do not cause the essence of the corresponding technical solutions to deviate from the spirit and scope of the technical solutions of the embodiments of the present invention.
[0085] The above description is only a preferred embodiment of the present invention, but the scope of protection of the present invention is not limited thereto. Any changes or substitutions that can be easily conceived by those skilled in the art within the scope of the technology disclosed in the present invention should be included within the scope of protection of the present invention.
Claims
1. A system security protection method, characterized in that the system security protection method is implemented through a log generation process and a log processing process; wherein the log generation process is used to execute: capturing event information of target system behavior triggered during the execution of an executable program; determining, based on the event information, the security risk of the target system behavior of the executable program; and generating, in response to the existence of a security risk in the target system behavior of the executable program, log data carrying security semantic information, wherein the security semantic information includes the process name of the executable program and the security policy for the target system behavior of the executable program; the log processing process is used to execute: executing the security policy on the process of the executable program according to the process name to protect the target system behavior of the executable program; the log generation process and the log processing process adopt a producer-consumer architecture, wherein: the log generation process, acting as a producer, is further used to store the log data carrying security semantic information in a buffer after generating the log data; and the log processing process, acting as a consumer, is further used to read the log data from the buffer before executing the security policy on the process of the executable program according to the process name to protect the target system behavior of the executable program; the generating of log data carrying security semantic information includes: generating the log data carrying security semantic information based on the process name in the event information and the record data corresponding to the security policy; and after generating the log data carrying security semantic information based on the process name in the event information and the record data corresponding to the security policy, the method further includes: obtaining context information of the target system behavior and adding the context information to the log data.
2. The system security protection method of claim 1, wherein the event information includes the process name of the executable program, the event type identifier of the target system behavior, and the event parameters of the target system behavior, wherein the event parameters are used to distinguish different events belonging to the same event type; and determining the security risk of the target system behavior of the executable program based on the event information includes: obtaining a preset security label element corresponding to the event type identifier, wherein the security label element includes part or all of the information of a security label, and the security label is used to represent a sensitive event of concern to system security protection; obtaining preset security rules, wherein a security rule includes a program name, a security label, and a security policy; in response to the existence of a security rule whose security label includes the security label element, further matching, among such security rules, a security rule whose program name is the executable program and whose security label prohibits the event represented by the event type identifier and the event parameter; and in response to matching such a security rule, determining that the target system behavior of the executable program poses a security risk.
3. The system security protection method of claim 2, wherein matching a security label that prohibits the event represented by the event type identifier and the event parameter includes: taking the security label associated with the event corresponding to the event type identifier as the security label to be matched; determining matching parameters based on the security label element corresponding to the security label to be matched and the event type identifier; and in response to the event parameter matching at least one of the matching parameters, determining that a security label prohibiting the event represented by the event type identifier and the event parameter is matched.
4. The system security protection method of claim 3, wherein after determining that the target system behavior of the executable program poses a security risk, the method further includes: recording the security rule whose program name is the executable program and whose security label prohibits the event represented by the event parameter, so as to obtain the record data.
5. The system security protection method of claim 2, wherein before capturing event information of target system behavior triggered during the execution of the executable program, the method further includes: configuring or modifying the security rules using user-space tools.
6. An electronic device comprising a memory, a processor, and a computer program stored on the memory and runnable on the processor, characterized in that, when the processor executes the computer program, the system security protection method according to any one of claims 1 to 5 is implemented.
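As an added illustration of the loop set out in paragraphs [0058] to [0066] and in claims 1 to 4 (this is example code written for this page, not code from the patent or its assignee), the following Python simulates the log generation process as producer and the log processing process as consumer sharing a buffer. The security label table, the rule and event field names, the sample rules and events, and the three enforcement actions are all constructed assumptions; enforcement is only simulated, in that the consumer returns the actions it would take instead of signalling any real process.

```python
import threading
from dataclasses import dataclass, field
from queue import Queue
from typing import Dict, List, Optional, Tuple

# Processing methods a security policy may prescribe ([0065]).
TERMINATE, ALARM, REPORT = "terminate", "alarm", "report"

# Preset security label elements (claims 2-3; the table shape is an assumption):
# event type identifier -> {security label: matching parameters}, "*" = any parameter.
TAG_ELEMENTS: Dict[str, Dict[str, Tuple[str, ...]]] = {
    "file_write": {"sensitive_file": ("/etc/shadow", "/etc/sudoers")},
    "net_connect": {"outbound_net": ("*",)},
}

@dataclass(frozen=True)
class Event:
    """Event information captured at the hook point (claim 2)."""
    process_name: str
    event_type: str
    params: Tuple[str, ...]
    context: Dict[str, str] = field(default_factory=dict)  # added to the log (claim 1)

@dataclass(frozen=True)
class Rule:
    """User-space security rule: program name, security label, security policy ([0056])."""
    program: str
    label: str
    policies: Tuple[str, ...]

@dataclass(frozen=True)
class SemanticLog:
    """Log data carrying security semantics: all the consumer needs to act (claim 1)."""
    process_name: str
    policies: Tuple[str, ...]
    record: str  # record data of the matched rule (claim 4)
    context: Dict[str, str]

def label_matches(event: Event, label: str) -> bool:
    """Claim 3: a label matches when an event parameter hits one of its matching parameters."""
    params = TAG_ELEMENTS.get(event.event_type, {}).get(label)
    return params is not None and ("*" in params or any(p in params for p in event.params))

def determine_risk(event: Event, rules: List[Rule]) -> Optional[Rule]:
    """Claim 2: the first rule whose program name is the process and whose label prohibits the event."""
    for rule in rules:
        if rule.program == event.process_name and label_matches(event, rule.label):
            return rule
    return None

def generate_log(event: Event, rules: List[Rule]) -> Optional[SemanticLog]:
    """Producer: only risky behaviour yields a log ([0075]); harmless events produce nothing."""
    rule = determine_risk(event, rules)
    if rule is None:
        return None
    record = f"{rule.program}:{rule.label}:{'+'.join(rule.policies)}"  # matched rule as record data
    return SemanticLog(event.process_name, rule.policies, record, dict(event.context))

def execute_policy(log: SemanticLog) -> List[str]:
    """Consumer: enforcement is simulated by returning the actions a real deployment would take."""
    actions: List[str] = []
    for policy in log.policies:
        if policy == TERMINATE:
            actions.append(f"terminate {log.process_name} pid={log.context.get('pid', '?')}")
        elif policy == ALARM:  # alarm priority comes from the context ([0066])
            actions.append(f"alarm[{log.context.get('priority', 'normal')}] {log.record}")
        elif policy == REPORT:  # report target defaults to the root user ([0066])
            actions.append(f"report to {log.context.get('report_to', 'root')}: {log.record}")
    return actions

def run_pipeline(events: List[Event], rules: List[Rule]) -> List[str]:
    """Producer-consumer architecture ([0062]): generator fills the buffer, processor thread drains it."""
    buffer: "Queue[Optional[SemanticLog]]" = Queue()
    actions: List[str] = []

    def consumer() -> None:
        while (log := buffer.get()) is not None:  # None is the stop sentinel
            actions.extend(execute_policy(log))

    worker = threading.Thread(target=consumer)
    worker.start()
    for ev in events:  # producer side runs in the caller's thread
        log = generate_log(ev, rules)
        if log is not None:
            buffer.put(log)
    buffer.put(None)
    worker.join()
    return actions  # every action taken, in buffer order

# Constructed sample rules and events (not taken from the patent).
SAMPLE_RULES = [
    Rule("backup_agent", "sensitive_file", (ALARM, REPORT)),
    Rule("updater", "outbound_net", (TERMINATE, ALARM)),
]
SAMPLE_EVENTS = [
    Event("backup_agent", "file_write", ("/etc/shadow",), {"pid": "4201", "priority": "high"}),
    Event("backup_agent", "file_write", ("/var/tmp/x",)),  # not sensitive: no log at all
    Event("updater", "net_connect", ("198.51.100.8:8443",), {"pid": "4390"}),
    Event("editor", "file_write", ("/etc/shadow",)),  # no rule for this program: no log
]

if __name__ == "__main__":
    for line in run_pipeline(SAMPLE_EVENTS, SAMPLE_RULES):
        print(line)
```

Two points of the design follow the text directly: an event that matches no rule produces no log entry at all, which is the "irrelevant logs are not recorded" behaviour of [0075], and the consumer never re-parses the event, because the process name, the policy and the matched rule (as record data) travel inside the log, so the buffer is the only coupling between the two sides. Replacing `Queue` with a kernel ring buffer or a socket changes nothing in the matching or enforcement code, which is the decoupling the patent describes.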