A log integrity verification method, device, setting and medium

By encrypting log data and storing it with hash values ​​using SM4 and SM3 algorithms, the problem of insufficient efficiency and security in log integrity verification is solved, realizing log data protection throughout its entire lifecycle and making it suitable for various log management scenarios.

CN122160145APending Publication Date: 2026-06-05NO 30 INST OF CHINA ELECTRONIC TECH GRP CORP

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
NO 30 INST OF CHINA ELECTRONIC TECH GRP CORP
Filing Date
2026-03-18
Publication Date
2026-06-05

Smart Images

  • Figure CN122160145A_ABST
    Figure CN122160145A_ABST
Patent Text Reader

Abstract

The application discloses a log integrity verification method and device, a log integrity verification setting and a medium. The method comprises the following steps: calculating a hash value of first log data, encrypting the hash value to obtain a first encrypted hash value, and taking the first encrypted hash value as a previous encrypted hash value of second log data; encrypting preprocessed log data to obtain second encrypted log data; storing a second time stamp, the previous encrypted hash value and the second encrypted log data to obtain the second log data; calculating a hash value of the second log data to obtain a current hash value, and encrypting the current hash value to obtain a current encrypted hash value; when the cumulative storage amount of the log data is greater than a preset storage amount, directly comparing whether the previous encrypted hash value is consistent with a first current encrypted hash value of the last log data; and if the previous encrypted hash value is consistent with the first current encrypted hash value, determining that the integrity verification is passed. The application effectively guarantees the high safety, high reliability and good maintainability of the system.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This application relates to the field of network security technology, and in particular to a log integrity verification method, apparatus, setting, and medium. Background Technology

[0002] Current log integrity verification technologies face multiple technical challenges. First, with the increasing sophistication and stealth of internet attacks, attackers can compromise log credibility by selectively tampering with or inserting forged logs, or exploiting timestamp vulnerabilities, rendering tracing ineffective. Second, the explosive growth in log data volume (e.g., in cloud services and IoT scenarios) places higher demands on real-time performance, storage efficiency, and verification capabilities, making it difficult for traditional hash verification mechanisms to balance efficiency and security. Existing technologies typically perform verification only at a single stage of log generation or transmission, lacking a lifecycle-wide integrity protection mechanism and failing to prevent tampering during storage. For continuously appended log files, traditional methods cannot effectively support incremental verification, resulting in low verification efficiency for large log files. Summary of the Invention

[0003] To address the issues of insufficient security and low efficiency in existing log verification technologies, this application provides a log integrity verification method, apparatus, settings, and medium that enables comprehensive integrity verification of logs, effectively improving system security.

[0004] This application discloses a log integrity verification method, which includes: Step 1: Obtain log data, preprocess the log data, and obtain preprocessed log data; Step 2: Encrypt the preprocessed log data using the SM4 algorithm to obtain the first encrypted log data, and add a first timestamp to the first encrypted log data to obtain the first log data; Step 3: Calculate the hash value of the first log data using the SM3 algorithm, encrypt the hash value using the SM4 algorithm to obtain the first encrypted hash value, and use it as the preceding encrypted hash value of the second log data; Step 4: Encrypt the preprocessed log data using the SM4 algorithm to obtain the second encrypted log data; Step 5: Associate and store the second timestamp, the preceding encrypted hash value, and the second encrypted log data to obtain the second log data; calculate the hash value of the second log data using the SM3 algorithm to obtain the current hash value, and encrypt the current hash value using the SM4 algorithm to obtain the current encrypted hash value; Step 6: Receive a verification request or execute a periodic verification process. When the cumulative storage amount of log data is greater than the preset storage amount, directly compare whether the preceding encrypted hash value is consistent with the first current encrypted hash value of the previous log data. If they are consistent, the integrity verification is passed. If they are inconsistent, a log integrity corruption alarm is issued and the data recovery mechanism is triggered.

[0005] This application uses the SM4 algorithm to encrypt log data and its SM3 hash value, ensuring the confidentiality of log data and integrity check values ​​during storage or transmission and preventing the leakage of sensitive information. This application ensures log integrity through the SM3 algorithm and protects log content using the SM4 algorithm.

[0006] Furthermore, after step 5 and before step 6, the following steps are also included: The second timestamp, the preceding encrypted hash value, the second encrypted log data, and the calculated first current encrypted hash value are associated and stored to obtain a brand new log data, which serves as the third log data.

[0007] Furthermore, it also includes: If the third log data needs to be decrypted, the hash value calculation and comparison are re-executed: based on the second timestamp, the preceding encrypted hash value, and the decrypted second log content, the hash value is recalculated using the SM3 algorithm. The recalculated hash value is then compared with the hash value after the current encrypted hash value is decrypted using the SM4 algorithm. If they match, the integrity check is passed. If they do not match, a log integrity corruption alarm is issued, and the data recovery mechanism is triggered.

[0008] Further, step 2 includes: Read the pre-processed log data from the storage system to ensure that the data format is uniform and meets the requirements, providing a data foundation for subsequent timestamp addition operations; use the system time at the moment of data processing as the timestamp and insert the timestamp as a new field at the beginning of the log content to form the first log data.

[0009] Further, step 3 includes: The first log data is converted into a byte stream format and used as input data for the hash operation; the SM3 algorithm interface is called to perform a one-way hash operation on the first log data to obtain the corresponding hash value; the SM4 algorithm interface is called to encrypt the hash value obtained by the SM3 algorithm to obtain the first encrypted hash value, which is then used as the preceding encrypted hash value of the second log data.

[0010] Furthermore, it also includes: an incremental detection strategy, which is implemented in conjunction with hash value chain verification logic. Specifically, it includes three stages: baseline maintenance, incremental log verification, and incremental data backup. The incremental verification process relies on the chain association characteristics of log hash values ​​to complete integrity verification.

[0011] Furthermore, the baseline maintenance includes: The system maintains a verification baseline, which records in real time the timestamp corresponding to the completion of the last integrity verification and the current encrypted hash value of the log corresponding to that timestamp, as the benchmark for subsequent incremental verification. The incremental log verification includes: Using the timestamp of the baseline record as the dividing point, incremental integrity verification is performed only on newly generated log data after that timestamp. The incremental verification process is as follows: compare the previous encrypted hash value of each log in the new log with the current encrypted hash value of the previous log to determine whether the corresponding log data has been tampered with. If any log data in the middle is tampered with, the current encrypted hash value of that log and all subsequent logs will be invalid and will fail the consistency comparison. The incremental data backup includes: For the data blocks corresponding to the log data participating in incremental verification, the SM3 algorithm is used to calculate the checksum of each data block. Backup operations are only performed on data blocks whose checksums change, and data blocks that have not changed do not need to be backed up again.

[0012] This application also discloses a log integrity verification device that implements the above-described log integrity verification method, comprising: The log acquisition and preprocessing module is used to acquire log data, preprocess the log data, and obtain preprocessed log data. The first encryption module is used to encrypt the preprocessed log data using the SM4 algorithm to obtain first encrypted log data, and add a first timestamp to the first encrypted log data to obtain the first log data. The second encryption module is used to calculate the hash value of the first log data using the SM3 algorithm, encrypt the hash value using the SM4 algorithm to obtain the first encrypted hash value, and use it as the preceding encrypted hash value of the second log data. The third encryption module is used to encrypt the preprocessed log data using the SM4 algorithm to obtain the second encrypted log data; The hash value calculation module is used to associate and store the second timestamp, the preceding encrypted hash value, and the second encrypted log data to obtain the second log data; calculate the hash value of the second log data using the SM3 algorithm to obtain the current hash value, and encrypt the current hash value using the SM4 algorithm to obtain the current encrypted hash value; The verification and response module is used to receive verification requests or execute periodic verification processes. When the cumulative storage amount of log data is greater than the preset storage amount, it directly compares whether the preceding encrypted hash value is consistent with the first current encrypted hash value of the previous log data. If they are consistent, the integrity verification is passed. If they are inconsistent, a log integrity corruption alarm is issued and a data recovery mechanism is triggered.

[0013] This application also discloses an electronic device, including a memory and a processor, wherein the memory stores a computer program, and the computer program, when executed by the processor, implements the log integrity verification method described above.

[0014] This application also discloses a computer-readable storage medium comprising a computer program or instructions that, when executed on a computer, cause the computer to perform the log integrity verification method described above.

[0015] This application significantly improves the integrity and security of log data in the following aspects: 1. Dual security protection: SM4 ensures the confidentiality of log content and prevents the leakage of sensitive information; SM3 ensures the integrity of logs and prevents data from being tampered with without being detected. The combination of the two achieves both confidentiality and anti-tampering.

[0016] 2. High resistance to attacks: The SM3 algorithm is rigorously designed with high collision resistance and resistance to preprocessing, effectively resisting collision attacks and preprocessing attacks. The SM4 algorithm, as a block cipher, can also effectively resist various cryptanalysis attacks.

[0017] 3. High adaptability: Supports integrity verification of static log files and dynamically appended log files, adapting to various log management scenarios.

[0018] 4. This application significantly improves the ability to verify log integrity, effectively preventing the risk of data leakage and tampering. It is particularly suitable for fields with high security requirements, providing a reliable data foundation for system security auditing and troubleshooting. Attached Figure Description

[0019] To more clearly illustrate the technical solutions in the embodiments of this application, the accompanying drawings used in the description of the embodiments will be briefly introduced below. Obviously, the accompanying drawings described below are only some embodiments recorded in the embodiments of this application. For those skilled in the art, other drawings can be obtained based on these drawings.

[0020] Figure 1 This is a flowchart illustrating a log integrity verification method according to an embodiment of this application; Figure 2 This is a schematic diagram of the log encryption process according to an embodiment of this application; Figure 3 This is a schematic diagram illustrating the new log composition of an embodiment of this application; Figure 4 This is a schematic diagram of the log decryption process according to an embodiment of this application; Figure 5 This is a schematic diagram of the incremental verification process according to an embodiment of this application; Figure 6 This is a block diagram of a log integrity verification system according to an embodiment of this application; Figure 7 This is a flowchart illustrating the SM3 algorithm according to an embodiment of this application; Figure 8 This is a flowchart illustrating the SM4 algorithm in an embodiment of this application. Detailed Implementation

[0021] The present application will be further described in conjunction with the accompanying drawings and embodiments. The described embodiments are only some, not all, of the embodiments of the present application. All other embodiments obtained by those skilled in the art should fall within the protection scope of the embodiments of the present application.

[0022] See Figure 1 This application provides an embodiment of a log integrity verification method, which includes: Step 1: Obtain log data, preprocess the log data, and obtain preprocessed log data; Step 2: Encrypt the preprocessed log data using the SM4 algorithm to obtain the first encrypted log data, and add a first timestamp to the first encrypted log data to obtain the first log data; Step 3: Calculate the hash value of the first log data using the SM3 algorithm, encrypt the hash value using the SM4 algorithm to obtain the first encrypted hash value, and use it as the preceding encrypted hash value of the second log data; Step 4: Encrypt the preprocessed log data using the SM4 algorithm to obtain the second encrypted log data; Step 5: Associate and store the second timestamp, the preceding encrypted hash value, and the second encrypted log data to obtain the second log data; calculate the hash value of the second log data using the SM3 algorithm to obtain the current hash value, and encrypt the current hash value using the SM4 algorithm to obtain the current encrypted hash value, as shown below. Figure 2 and Figure 3 As shown; Step 6: Receive a verification request or execute a periodic verification process. When the cumulative storage amount of log data exceeds the preset storage amount, directly compare the preceding encrypted hash value with the first current encrypted hash value of the previous log data. If they match, the integrity verification is deemed successful. Figure 4 If the logs are inconsistent, a log integrity violation alarm will be issued, and a data recovery mechanism will be triggered.

[0023] Optionally, after step 5 and before step 6, the method further includes: The second timestamp, the preceding encrypted hash value, the second encrypted log data, and the calculated first current encrypted hash value are associated and stored to obtain a brand new log data, which serves as the third log data.

[0024] Optionally, it also includes: If the third log data needs to be decrypted, the hash value calculation and comparison are re-executed: based on the second timestamp, the preceding encrypted hash value, and the decrypted second log content, the hash value is recalculated using the SM3 algorithm. The recalculated hash value is then compared with the hash value after the current encrypted hash value is decrypted using the SM4 algorithm. If they match, the integrity check is passed. If they do not match, a log integrity corruption alarm is issued, and the data recovery mechanism is triggered.

[0025] Optionally, step 2 includes: Read the pre-processed log data from the storage system to ensure that the data format is uniform and meets the requirements, providing a data foundation for subsequent timestamp addition operations; use the system time at the moment of data processing as the timestamp, with the timestamp format being YYYY-MM-DD HH:MM:SS; insert the formatted timestamp as a new field at the beginning of the log content to form the first log data.

[0026] Optionally, step 3 includes: The first log data is converted into a byte stream format and used as input data for the hash operation; the SM3 algorithm interface is called to perform a one-way hash operation on the first log data to obtain the corresponding hash value; the SM4 algorithm interface is called to encrypt the hash value obtained by the SM3 algorithm to obtain the first encrypted hash value, which is then used as the preceding encrypted hash value of the second log data.

[0027] Optionally, it also includes: an incremental detection strategy, which is implemented in conjunction with hash value chain verification logic, specifically including three stages: baseline maintenance, incremental log verification, and incremental data backup. The incremental verification process relies on the chain association characteristics of log hash values ​​to complete integrity verification.

[0028] Optionally, the baseline maintenance includes: The system maintains a verification baseline, which records in real time the timestamp corresponding to the completion of the last integrity verification and the current encrypted hash value of the log corresponding to that timestamp, as the benchmark for subsequent incremental verification. The incremental log verification includes: See Figure 5 Using the timestamp of the baseline record as the dividing point, incremental integrity verification is performed only on newly generated log data after that timestamp. The incremental verification process is as follows: compare the previous encrypted hash value of each log in the new log with the current encrypted hash value of the previous log to determine whether the corresponding log data has been tampered with. Since the calculation of the current encrypted hash value of a single log depends on the content of this log and the previous encrypted hash value of the previous log, forming a chain hash association, if any log data in the middle is tampered with, the current encrypted hash value of this log and all subsequent logs will become invalid and cannot pass the consistency comparison. The incremental data backup includes: For the data blocks corresponding to the log data participating in incremental verification, the SM3 algorithm is used to calculate the checksum of each data block. Backup operations are only performed on data blocks whose checksums change, and data blocks that have not changed do not need to be backed up again.

[0029] In this embodiment, the complete checksum is generated as follows: The SM3 algorithm is used to calculate the hash value of the log data. The SM3 algorithm generates a fixed-length 256-bit (32-byte) hash value, which serves as the integrity checksum for the log data. Log data encryption: The SM4 algorithm is used for encryption to ensure confidentiality. SM4 is a block cipher algorithm with a key length of 128 bits. Before encryption, the log data may need to be padded to meet the SM4 block length requirement. Storage and transmission: The timestamp, the SM4-encrypted log data, the preceding hash value, and the calculated current hash value are associated and stored or transmitted together in a log file and sent to the recipient. Integrity verification: When the log is needed, the stored encrypted log data is decrypted using the SM4 algorithm to restore the original log content. The hash value is then recalculated using the same SM3 algorithm. If it is exactly the same as the previously stored original hash value, it proves that the log data has not been tampered with during transmission and storage. If they are inconsistent, the data has been damaged or tampered with during storage or transmission. Incremental verification: First, obtain the previous hash value as the baseline. Starting from the baseline position, read the newly added logs, calculate the SM3 hash value for each log entry, and compare it with the stored hash value. If a mismatch is found, immediately issue an alarm and record the tampering event, and immediately update the verification baseline to the latest position.

[0030] The technical solutions of this application include: Throughout the entire log lifecycle, including log generation, encryption, storage, transmission, and destruction, continuous encryption and verification are performed to ensure log data integrity. Regular integrity verification is conducted because any data tampering will cause a significant change in the hash value; therefore, any tampering can be immediately detected during encryption and decryption, ensuring that log data has not been altered at any stage. When logs are destroyed, the encrypted digest value and the original log data are securely destroyed together to prevent information leakage.

[0031] Through the above steps, the log integrity verification method based on the SM3 and SM4 algorithms can effectively protect the integrity of log data, prevent data tampering, and ensure system security.

[0032] The dynamic verification capability of this application refers to the ability to perform integrity verification in real time or periodically throughout the lifecycle of log data, ensuring that the log data has not been tampered with or damaged at any time. The following are the specific steps and methods for implementing dynamic verification capability based on the SM3 and SM4 algorithms: Each time a log is accessed, the hash value is recalculated immediately and compared with the stored value. Regular batch verification is performed via scheduled tasks that scan and verify a large number of stored log files or database records. Verification is also performed during transmission, checking data blocks during log reporting, synchronization, and other transmission processes.

[0033] By following the steps and methods described above, the log integrity verification method based on the SM3 and SM4 algorithms can achieve efficient dynamic verification capabilities, ensuring that log data remains intact and reliable at all times. This dynamic verification mechanism can not only detect and prevent log data tampering in real time, but also quickly respond to and handle abnormal events, ensuring the security and reliability of the system.

[0034] The core idea of ​​incremental verification in this application is to perform integrity verification only on newly added or modified log data, avoiding the performance overhead of full verification. This is achieved through the following mechanism: 1) Hash chain construction mechanism Because each log record contains the SM3 hash value of the previous log record, an immutable chain structure is formed. When a new log is added, the system automatically calculates the SM3 hash value of the current log, timestamp, and previous hash value, and stores it as the "previous hash" field of the next log record. In this way, if any intermediate log is tampered with, all subsequent hash values ​​will be mismatched, thus quickly locating the tampering point.

[0035] 2) Incremental detection strategy The system maintains a verification baseline, and only newly added logs are verified thereafter. Specific implementation details include: Timestamp tracking: Records the timestamp of the last verification and only verifies new logs added after that time point.

[0036] File hash comparison: Calculate the SM3 checksum of the data block and back up only the blocks whose hash values ​​have changed.

[0037] See Figure 6 This application also provides a log integrity verification device to implement the log integrity verification method described above, comprising: The log acquisition and preprocessing module is used to acquire log data, preprocess the log data, and obtain preprocessed log data. The first encryption module is used to encrypt the preprocessed log data using the SM4 algorithm to obtain first encrypted log data, and add a first timestamp to the first encrypted log data to obtain the first log data. The second encryption module is used to calculate the hash value of the first log data using the SM3 algorithm, encrypt the hash value using the SM4 algorithm to obtain the first encrypted hash value, and use it as the preceding encrypted hash value of the second log data. The third encryption module is used to encrypt the preprocessed log data using the SM4 algorithm to obtain the second encrypted log data; The hash value calculation module is used to associate and store the second timestamp, the preceding encrypted hash value, and the second encrypted log data to obtain the second log data; calculate the hash value of the second log data using the SM3 algorithm to obtain the current hash value, and encrypt the current hash value using the SM4 algorithm to obtain the current encrypted hash value; The verification and response module is used to receive verification requests or execute periodic verification processes. When the cumulative storage amount of log data is greater than the preset storage amount, it directly compares whether the preceding encrypted hash value is consistent with the first current encrypted hash value of the previous log data. If they are consistent, the integrity verification is passed. If they are inconsistent, a log integrity corruption alarm is issued and a data recovery mechanism is triggered.

[0038] The various modules in this application's embodiments work collaboratively to achieve comprehensive log integrity verification, effectively improving system security. Modular design not only enhances system maintainability and scalability but also strengthens its flexibility and configurability, providing a solid technical guarantee for addressing complex security threats. This application's embodiments employ a modular design to construct log integrity verification, enabling independent development, testing, deployment, and expansion of each module. Efficient interaction between modules is achieved through standardized interfaces, thereby effectively ensuring high system security, high reliability, and good maintainability.

[0039] This application also provides an embodiment of an electronic device, including a memory and a processor, wherein the memory stores a computer program, and when the computer program is executed by the processor, it implements the log integrity verification method described in the above embodiment.

[0040] This application also provides an embodiment of a computer-readable storage medium, the computer-readable storage medium including a computer program or instructions that, when the computer program or instructions are run on a computer, cause the computer to perform the log integrity verification method described in the above embodiment.

[0041] The principle of the SM3 algorithm in the above embodiments of this application is as follows: SM3 is a cryptographic hash function standard. Its function is to take a message of a certain length, and through padding, grouping, expansion, and iterative compression, finally generate a 256-bit hash value. Its algorithm structure diagram is as follows. Figure 7 As shown; the principle of the SM4 algorithm is that SM4 is a 128-bit symmetric key block cipher algorithm. Its input data, input key, initialization vector (IV), and output data are all 128 bits. The encryption key and decryption key are the same, the difference being that the key is input in reverse during encryption and decryption. The encryption and decryption process of the SM4 algorithm is implemented by 32 nonlinear iterative round functions. During the encryption and decryption process, various computational components are used: S-box transformation, linear transformation L, nonlinear transformation τ, composition transformation T, and round function F. The structure diagram of the SM4 algorithm is shown below. Figure 8 As shown.

[0042] Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of this application and not to limit them. Although this application has been described in detail with reference to the above embodiments, those skilled in the art should understand that modifications or equivalent substitutions can still be made to the specific implementation of this application. Any modifications or equivalent substitutions that do not depart from the spirit and scope of this application should be covered within the protection scope of the claims of this application.

Claims

1. A log integrity verification method, characterized in that, include: Step 1: Obtain log data, preprocess the log data, and obtain preprocessed log data; Step 2: Encrypt the preprocessed log data using the SM4 algorithm to obtain the first encrypted log data, and add a first timestamp to the first encrypted log data to obtain the first log data; Step 3: Calculate the hash value of the first log data using the SM3 algorithm, encrypt the hash value using the SM4 algorithm to obtain the first encrypted hash value, and use it as the preceding encrypted hash value of the second log data; Step 4: Encrypt the preprocessed log data using the SM4 algorithm to obtain the second encrypted log data; Step 5: Associate and store the second timestamp, the preceding encrypted hash value, and the second encrypted log data to obtain the second log data; calculate the hash value of the second log data using the SM3 algorithm to obtain the current hash value, and encrypt the current hash value using the SM4 algorithm to obtain the current encrypted hash value; Step 6: Receive a verification request or execute a periodic verification process. When the cumulative storage amount of log data is greater than the preset storage amount, directly compare whether the preceding encrypted hash value is consistent with the first current encrypted hash value of the previous log data. If they are consistent, the integrity verification is passed. If they are inconsistent, a log integrity corruption alarm is issued and the data recovery mechanism is triggered.

2. The log integrity verification method according to claim 1, characterized in that, After step 5 and before step 6, the following is also included: The second timestamp, the preceding encrypted hash value, the second encrypted log data, and the calculated first current encrypted hash value are associated and stored to obtain a brand new log data, which serves as the third log data.

3. The log integrity verification method according to claim 2, characterized in that, Also includes: If the third log data needs to be decrypted, the hash value calculation and comparison are re-executed: based on the second timestamp, the preceding encrypted hash value, and the decrypted second log content, the hash value is recalculated using the SM3 algorithm. The recalculated hash value is then compared with the hash value after the current encrypted hash value is decrypted using the SM4 algorithm. If they match, the integrity check is passed. If they do not match, a log integrity corruption alarm is issued, and the data recovery mechanism is triggered.

4. The log integrity verification method according to claim 1, characterized in that, Step 2 includes: Read the pre-processed log data from the storage system to ensure that the data format is uniform and meets the requirements, providing a data foundation for subsequent timestamp addition operations; use the system time at the moment of data processing as the timestamp and insert the timestamp as a new field at the beginning of the log content to form the first log data.

5. The log integrity verification method according to claim 1, characterized in that, Step 3 includes: The first log data is converted into a byte stream format and used as input data for the hash operation; the SM3 algorithm interface is called to perform a one-way hash operation on the first log data to obtain the corresponding hash value; the SM4 algorithm interface is called to encrypt the hash value obtained by the SM3 algorithm to obtain the first encrypted hash value, which is then used as the preceding encrypted hash value of the second log data.

6. The log integrity verification method according to claim 1, characterized in that, Also includes: It also includes an incremental detection strategy, which is implemented by combining hash value chain verification logic. Specifically, it includes three stages: baseline maintenance, incremental log verification, and incremental data backup. The incremental verification process relies on the chain association characteristics of log hash values ​​to complete integrity verification.

7. The log integrity verification method according to claim 6, characterized in that, The baseline maintenance includes: The system maintains a verification baseline, which records in real time the timestamp corresponding to the completion of the last integrity verification and the current encrypted hash value of the log corresponding to that timestamp, as the benchmark for subsequent incremental verification. The incremental log verification includes: Using the timestamp of the baseline record as the dividing point, incremental integrity verification is performed only on newly generated log data after that timestamp. The incremental verification process is as follows: compare the previous encrypted hash value of each log in the new log with the current encrypted hash value of the previous log to determine whether the corresponding log data has been tampered with. If any log data in the middle is tampered with, the current encrypted hash value of that log and all subsequent logs will be invalid and will fail the consistency comparison. The incremental data backup includes: For the data blocks corresponding to the log data participating in incremental verification, the SM3 algorithm is used to calculate the checksum of each data block. Backup operations are only performed on data blocks whose checksums change, and data blocks that have not changed do not need to be backed up again.

8. A log integrity verification device, implementing the log integrity verification method according to any one of claims 1-7, characterized in that, include: The log acquisition and preprocessing module is used to acquire log data, preprocess the log data, and obtain preprocessed log data. The first encryption module is used to encrypt the preprocessed log data using the SM4 algorithm to obtain first encrypted log data, and add a first timestamp to the first encrypted log data to obtain the first log data. The second encryption module is used to calculate the hash value of the first log data using the SM3 algorithm, encrypt the hash value using the SM4 algorithm to obtain the first encrypted hash value, and use it as the preceding encrypted hash value of the second log data. The third encryption module is used to encrypt the preprocessed log data using the SM4 algorithm to obtain the second encrypted log data; The hash value calculation module is used to associate and store the second timestamp, the preceding encrypted hash value, and the second encrypted log data to obtain the second log data; calculate the hash value of the second log data using the SM3 algorithm to obtain the current hash value, and encrypt the current hash value using the SM4 algorithm to obtain the current encrypted hash value; The verification and response module is used to receive verification requests or execute periodic verification processes. When the cumulative storage amount of log data is greater than the preset storage amount, it directly compares whether the preceding encrypted hash value is consistent with the first current encrypted hash value of the previous log data. If they are consistent, the integrity verification is passed. If they are inconsistent, a log integrity corruption alarm is issued and a data recovery mechanism is triggered.

9. An electronic device comprising a memory and a processor, wherein the memory stores a computer program, characterized in that, When the computer program is executed by the processor, it implements the log integrity verification method according to any one of claims 1-7.

10. A computer-readable storage medium, characterized in that, The computer-readable storage medium includes a computer program or instructions that, when executed on a computer, cause the computer to perform the log integrity verification method according to any one of claims 1-7.