
CN116185958A - Data auditing method, device, electronic equipment and readable storage medium - Google Patents


Info

Publication number: CN116185958A
Authority: CN (China)
Prior art keywords: audit, data, target, task, auditing
Legal status: Pending (status as listed by Google Patents, not a legal conclusion)
Application number: CN202310215777.9A
Other languages: Chinese (zh)
Inventors: 王鉴, 韩争光, 李小军, 李亚洲
Current assignee: Qi'an Pangu Shanghai Information Technology Co ltd (assignee listing may be inaccurate)
Original assignee: Qi'an Pangu Shanghai Information Technology Co ltd
Application filed by Qi'an Pangu Shanghai Information Technology Co ltd
Priority to CN202310215777.9A
Publication of CN116185958A

Classifications

All under G PHYSICS > G06 COMPUTING OR CALCULATING; COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F16/00 Information retrieval; Database structures therefor; File system structures therefor > G06F16/10 File systems; File servers:

    • G06F16/14 Details of searching files based on file metadata > G06F16/148 File search processing
    • G06F16/13 File access structures, e.g. distributed indices
    • G06F16/16 File or folder operations, e.g. details of user interfaces specifically adapted to file systems
    • G06F16/17 Details of further file system functions > G06F16/1734 Details of monitoring file system events, e.g. by the use of hooks, filter drivers, logs

Abstract

The application provides a data auditing method, a device, electronic equipment and a readable storage medium, wherein the method comprises the following steps: receiving an audit task, wherein the audit task comprises an audit object; acquiring target audit data of the audit object from the audited party equipment based on the audit task; and sending the target audit data through the agent program so that an auditor can audit the target audit data.

Description

Data auditing method, device, electronic equipment and readable storage medium
Technical Field
The present application relates to the field of computer technologies, and in particular, to a data auditing method, apparatus, electronic device, and readable storage medium.
Background
In existing enterprise investigations of security events, the investigation is generally carried out by auditing various kinds of data within the enterprise, and at present the data that need to be audited are generally discovered by screening the electronic data of office computers by manual means.
Disclosure of Invention
The purpose of the application is to provide a data auditing method, a device, electronic equipment and a readable storage medium, which can improve the efficiency of obtaining auditing data in a computer.
In a first aspect, the present application provides a data auditing method applied to an agent program, where the agent program is installed on an audited device, the data auditing method includes: receiving an audit task, wherein the audit task comprises an audit object; acquiring target audit data of the audit object from the audited party equipment based on the audit task; and sending the target audit data through the agent program so that an auditor can audit the target audit data.
Through this implementation, the device of the user who needs to be audited can be screened manually, audit data can be obtained relatively quickly, and the efficiency of the audit process is improved. In addition, the audited party device of the user concerned can be left out of the audit process, so the inconvenience that auditing brings to the user is reduced.
In an alternative embodiment, the audit task includes a forensic task, and acquiring the target audit data of the audit object from the audited party device based on the audit task includes the following steps: loading a local file system and obtaining a file directory; determining a target file corresponding to the audit object from the file directory; and determining, from the target file, target audit data that satisfies the forensic task.
In an alternative embodiment, the forensic task includes a user behavior forensic task, and the target audit data includes user behavior data; determining the target audit data that satisfies the forensic task from the target file includes: parsing the target file to obtain target plaintext data; and performing type recognition on the target plaintext data, and determining the user behavior data that satisfies the user behavior forensic task from the target plaintext data whose type is user behavior data.
In an alternative embodiment, the method further includes: starting a first monitoring component to monitor preset messages triggered by the audit object, where the preset messages include at least one of: system messages, target database change messages, and system-driven event messages.
In an alternative embodiment, the audit task includes a behavior monitoring task, and the target audit data includes target behavior data; acquiring the target audit data of the audit object from the audited party device based on the audit task includes: after the first monitoring component detects a preset message, acquiring, from the audited party device, target behavior data that belongs to the audit object and satisfies the behavior monitoring task.
Through this embodiment, the behavior of the user, or the real-time data generated by the user terminal, can be monitored, and potentially harmful behavior can be found in time. Because the method can monitor the real-time data generated by the user terminal, the audit data obtained are more comprehensive and the subsequent audit result is more accurate.
In an alternative embodiment, the audit task includes a real-time monitoring task, and the target audit data includes real-time state data; acquiring the target audit data of the audit object from the audited party device based on the audit task includes: starting a second monitoring component to acquire real-time state data of the audit object; and acquiring real-time state data that satisfies the real-time monitoring task from the real-time state data of the audit object acquired by the second monitoring component.
In this embodiment, the timeliness requirement for real-time state data is stricter, so the target audit data can be sent directly to the auditor device, which allows the auditor device to obtain the real-time data more promptly.
In an alternative embodiment, before the agent program sends the target audit data, the method further includes: judging whether the agent program is in communication with the client, and if the agent program and the client are in a communicating state, sending the target audit data to the client; and/or judging whether the agent program is in communication with the server side, and if the agent program and the server side are in a connected state, sending the target audit data to the server side.
In an alternative embodiment, before sending the target audit data, the method further includes: judging whether the audit task is a real-time audit task; if so, sending the target audit data to the client, otherwise sending the target audit data to the server side.
In an alternative embodiment, the method further comprises: acquiring installation data of the agent program; the agent is installed and started based on the installation data of the agent.
In an alternative embodiment, the installation data of the agent program includes a first communication address, a first port, a second communication address and a second port of a server side running in the server, where the first communication address and the first port are used to accept access of a local area network, and the second communication address and the second port are used to accept access of a wide area network.
In this embodiment, the ports accessed from the local area network and from the wide area network can be configured for the agent program, so that the target audit data can be obtained regardless of where the audited device is located, which improves the effectiveness and success rate of audit data acquisition.
In an alternative embodiment, obtaining the installation data of the agent program includes: receiving remote operation from the auditor device and obtaining the installation data of the agent program through that remote operation; or receiving the installation data of the agent program transmitted by the auditor device through a local area network; or monitoring for an access request from an external storage device and, once access by the external storage device is detected, obtaining the installation data of the agent program from the external storage device.
In a second aspect, an embodiment of the present application provides a data auditing method applied to an audit system, where the audit system includes an agent program installed on the audited device and a client installed on the auditor device; the data auditing method includes: triggering an audit task through the client of the auditor device and submitting the audit task to the server side, where the audit task includes an audit object; sending the audit task to the agent program of the audited party device through the server side; acquiring, by the agent program, the target audit data of the audit object based on the audit task according to the method described above; and auditing the target audit data through the client installed on the auditor device.
In a third aspect, an embodiment of the present application provides a data auditing apparatus for an agent program, where the agent program is installed on an audited device; the data auditing apparatus includes: a receiving module for receiving an audit task, where the audit task includes an audit object; a first acquisition module for acquiring target audit data of the audit object from the audited party device based on the audit task; and a first sending module for sending the target audit data through the agent program so that an auditor can audit the target audit data.
In a fourth aspect, an embodiment of the present application provides an electronic device, including: a processor, a memory storing machine-readable instructions executable by the processor, which when executed by the processor perform the steps of the method described above when the electronic device is run.
In a fifth aspect, embodiments of the present application provide a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, performs the steps of a method as described above.
In a sixth aspect, embodiments of the present application provide an audit system comprising: agent program, client and server; the client is used for triggering an audit task and submitting the audit task to the server, wherein the audit task comprises an audit object; the server is used for sending the auditing task to the agent program; the agent program obtains target audit data of the audit object according to any one of the methods based on the audit task; and the client is used for auditing the target audit data.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the embodiments will be briefly described below, it being understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered limiting the scope, and that other related drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic diagram of the interaction performed by an audit data acquisition system provided in an embodiment of the present application;
Fig. 2 is a schematic block diagram of an electronic device according to an embodiment of the present application;
Fig. 3 is a flowchart of a data auditing method provided by an embodiment of the present application;
Fig. 4 is an alternative flowchart of step 330 of the data auditing method provided by embodiments of the present application;
Fig. 5 is another alternative flowchart of step 330 of the data auditing method provided in an embodiment of the present application;
Fig. 6 is a schematic diagram of the functional modules of a data auditing apparatus according to an embodiment of the present application;
Fig. 7 is a flowchart of another data auditing method according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
It should be noted that: like reference numerals and letters denote like items in the following figures, and thus once an item is defined in one figure, no further definition or explanation thereof is necessary in the following figures. Meanwhile, in the description of the present application, the terms "first", "second", and the like are used only to distinguish the description, and are not to be construed as indicating or implying relative importance.
First, concepts referred to in this application will be described:
Electronic discovery (also referred to as e-discovery or eDiscovery): refers to discovery, in a forensic procedure, in which the information sought is in electronic format, commonly referred to as electronically stored information (ESI); it can also be understood as the archiving and reproduction of electronic evidence.
Electronic Discovery Reference Model (EDRM): the EDRM model consists of multiple phases.
Information management: from the initial creation of electronically stored information to its final disposition.
Identification: find potential ESI sources and determine their scope, breadth and depth.
Preservation: ensure that the ESI is protected from undue alteration or destruction.
Collection: gather the ESI for further use (processing, review, etc.) in the electronic discovery process.
Processing: reduce the volume of ESI and, if necessary, convert it to a form more suitable for review and analysis.
Review: evaluate the relevance and confidentiality of the ESI.
Analysis: evaluate the content and context of the ESI, including key patterns, topics, people and discussions.
Production: deliver the ESI to others in an appropriate form and through an appropriate delivery mechanism.
Presentation: present the ESI before an audience (in evidence collection, hearings, adjudication, etc.), particularly in native or near-native form, to obtain further information, to validate existing facts or positions, or to persuade the audience.
Remote procedure call (RPC): a protocol for requesting services from a program on a remote computer over a network without requiring knowledge of the underlying network technology. The RPC protocol assumes the existence of a transport protocol, such as TCP or UDP, to carry the data between the communicating programs.
Domain management tool: refers to domain controller tools such as Windows AD, and other management or security tools capable of monitoring and controlling computers in batches.
In current investigations of enterprise security events, the investigation is generally carried out by auditing financial data and business data within the enterprise; such explicit data audits are easy to operate but involve a large workload. For this reason, electronic discovery (e-discovery) schemes have been proposed abroad to assist data auditing. Office computers within an enterprise are an important carrier of electronic data for auditing, yet it is inevitable that some important data will be overlooked because of the limited technical capability of investigators.
There are currently two technical approaches used in enterprise security-event investigations for electronic data review.
The first is to use electronic discovery (e-discovery) technology, implemented on the basis of the EDRM model. System data generated during business (office) processes are first managed and properly stored; investigation and analysis software (a platform) then retrieves the historically managed data, searches its content and finds key clues and evidence. This method must start from the construction of the enterprise's IT system, has a great impact on the enterprise's IT service system and has a high deployment cost. At the same time, the data review scope of an enterprise information system is limited, and user data generated on office computers cannot be reviewed by this method.
The second is to use manual means to review the electronic data of office computers. In general, an investigator needs to temporarily withhold the related office computer and then manually review the user interface of the system by means of screenshots, screen recording, audio recording and video recording. This approach has a number of disadvantages:
1. Review efficiency is low: an experienced investigator must open the corresponding software and take the corresponding screenshots within it, which is cumbersome. With large data volumes the effort is great, resulting in inefficiency.
2. Most of the data are unstructured pictures, audio, video and file content, which are hard to use in the subsequent search, analysis and judgement stages, so efficiency is low and the effectiveness of the review result is affected.
3. If structured data are really to be extracted, a very high technical threshold is required, and it is very difficult for an ordinary professional to guarantee forensic efficiency under manual conditions.
Based on the research, the data auditing method provided by the application can improve the auditing data obtaining efficiency, and the obtained auditing data can be more comprehensive.
To facilitate an understanding of this embodiment, an audit system for performing the embodiments disclosed herein will first be described.
As shown in fig. 1, an audit system provided in an embodiment of the present application is shown in a schematic view. The auditing system may include: agent program, client and server.
In this embodiment, the agent program is installed on the audited device 130, the client is installed on the auditor device 110, and the server side is installed on the server 120.
The server 120 may be a web server, a database server, or the like. The auditor device 110 may be a personal computer (PC), tablet, smart phone, personal digital assistant (PDA), or the like, and the audited device 130 may likewise be a PC, tablet, smart phone, PDA, or the like.
The server 120 is communicatively coupled to one or more audited devices 130 for data communication or interaction over a network. The server 120 may illustratively communicate with one or more audited devices 130 via a local area network or a wide area network.
The server 120 is communicatively coupled to one or more of the auditor devices 110 for data communication or interaction over a network. The server 120 may illustratively communicate with one or more auditor devices 110 over a local area network or a wide area network.
The auditor device 110 may run a client, the server 120 may run a server side, and the audited device 130 may run an agent program; the client, the server side and the agent program may form a client-server (C/S) architecture.
The auditor device 110 may be a computer used by an investigator, and the client is the investigator's portal into the audit data acquisition system. In this embodiment, on first use or when the server deployment configuration changes, the client can configure the server information, mainly the IP address and port of the server. The client can log in with an account, sending a login request to the server. After successful login, the investigator can enter case information, which includes case names, case task permissions, case circumstances, related personnel information, related device information and the like. An audit task can be generated from the case information. The auditor device 110 then sends the determined audit task to the server 120, which forwards it to the corresponding audited device 130. For example, an audit task generated by the client may be bound to the target audited party device that needs to be audited; when forwarding the audit task, the server 120 forwards it to the bound target audited party device.
Server 120 may interact with auditor device 110 and audited device 130, and its running server may be configured to record various types of audit data obtained from audited device 130. For example, the audit data may be case information, task information, audit data, and the like. The server serves as a center to support the agent and the client, and connects the client and the agent. In this embodiment, after the deployment of the server is completed, the server may be started, and the server may perform resident operation. The server may perform authentication after receiving a login request from the client, and send a login result to the client. After the server receives the audit task initiated by the client, the audit task can be recorded. When the agent program corresponding to the auditing task can access the server side, the server side can send the auditing task to the agent program.
The audited party device 130 performs the steps of the data auditing method described above on the basis of the audit tasks. After obtaining an audit task, the agent program on the audited party device 130 may store it in a task queue, poll the queue for audit tasks, and execute them.
The audited device 130 may be the office computer of a user who needs to be investigated, for example the office computer of an enterprise employee; the audited device 130 is mainly used to perform the audit task, and the audit data obtained are uploaded to the server for storage.
The client, the server and the agent are deployed on three different devices and are connected through a network, and the main communication and connection mode can be unified transfer communication through the server. Alternatively, in the case that some big data transmission has real-time requirements, the client and the agent directly transmit the data in real time through Peer-to-Peer (P2P) communication.
In this embodiment, data and control command transmissions among the client, the server, and the agent may be communicated using RPC techniques.
The modules of the client, the server and the agent can be theoretically connected in any network form. In the example shown in fig. 1, the network topology is exemplified, and the server and the client access in the local area network of the enterprise through the switch and/or the router 140. The agent in audited device 130 can then be divided into two cases. When audited device 130 is located on a local area network, connectivity access is made through switch and/or router 140 on the enterprise's local area network. When audited device 130 is located on a wide area network, then interconnection communications with the server are made through the server at ports mapped through firewall 150 at gateway 160 of the internet.
In this embodiment, the data of the server and the client have sensitivity, and the intranet is protected by the firewall 150. The server may communicate with the audited device 130 over the internet through only one port. By the method, the system safety is protected, and the audited equipment 130 can be communicated at any network position to acquire audit data.
As shown in fig. 2, a block schematic diagram of the electronic device is shown. The electronic device 200 may include a memory 211, a processor 213. It will be appreciated by those of ordinary skill in the art that the configuration shown in fig. 2 is merely illustrative and is not intended to limit the configuration of the electronic device 200. For example, the electronic device 200 may also include more or fewer components than shown in FIG. 2, or have a different configuration than shown in FIG. 2.
The above-mentioned memory 211 and the processor 213 are electrically connected directly or indirectly to each other to realize data transmission or interaction. For example, the elements may be electrically connected to each other via one or more communication buses or signal lines. The processor 213 is configured to execute executable modules stored in the memory.
The memory 211 may be, but is not limited to, a random access memory (RAM), a read-only memory (ROM), a programmable read-only memory (PROM), an erasable programmable read-only memory (EPROM), an electrically erasable programmable read-only memory (EEPROM), etc. The memory 211 is configured to store a program, and the processor 213 executes the program after receiving an execution instruction; the method executed by the electronic device 200 defined by the process disclosed in any embodiment of the present application may be applied to the processor 213 or implemented by the processor 213.
The processor 213 may be an integrated circuit chip with signal processing capabilities. The processor 213 may be a general-purpose processor, including a central processing unit (Central Processing Unit, CPU), a network processor (Network Processor, NP), etc.; but also digital signal processors (digital signal processor, DSP for short), application specific integrated circuits (Application Specific Integrated Circuit, ASIC for short), field programmable gate arrays (Field Programmable Gate Array, FPGA for short) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components. The disclosed methods, steps, and logic blocks in the embodiments of the present application may be implemented or performed. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
The server 120, auditor device 110, and audited device 130 shown in fig. 1 may include the components of the electronic device 200 shown in fig. 2. Of course, each terminal shown in fig. 1 may also include more components than the electronic device shown in fig. 2, for example, the audited device 130 may also include a display unit, a positioning unit, and the like, depending on the actual use of each terminal.
The electronic device 200 in the present embodiment may be used to perform each step in each method provided in the embodiments of the present application. The implementation of the data auditing method is described in detail below by way of several embodiments.
Referring to fig. 3, a flowchart of a data auditing method according to an embodiment of the present application is provided. The method provided by the present embodiment can be applied to an agent program installed in an audited party device. The specific flow shown in fig. 3 will be described in detail.
In step 310, an audit task is received.
An audit task sent by a server in communication with the audited party device is received.
Wherein the audit task includes an audit object. The audit task may be sent by a server communicatively coupled to the agent. In one example, the audit task may be triggered by and submitted to a client of an auditor device communicatively coupled to the server.
The audit object may be, for example, a program running in the audited device, e.g., an instant messaging tool, browser. The audit object may also be a designated folder or the like in the audited party device.
The audit task is used for determining target audit data from the audited party equipment.
Step 330, acquiring target audit data of the audit object from the audited party device based on the audit task.
For different types of audit tasks, the target audit data can be determined by different means.
When the auditing task is a task of some monitoring classes, the target auditing data can be real-time auditing data obtained in the monitoring process. When the audit task is a task of some investigation classes, the target audit data can be audit data screened by screening data in audited party equipment.
The content of the target audit data may also be different for different audit objects. For example, where the audit object is an instant messaging tool, the target audit data may be dialogue information generated by the instant messaging tool, a transmitted file, or the like. For another example, where the audit object is a browser, the target audit data may be a browse record in the browser. For another example, where the audit object is a specified folder, the target audit data may be all files under the specified folder.
Step 350: the target audit data is sent through the agent program so that the auditor can audit it.
The agent may send the target audit data to the server it communicates with, or directly to the client on the auditor device it communicates with.
In this embodiment, if the target audit data is sent to the server, the client on the auditor device can access the server, which feeds the target audit data back to that client, and the auditor can then view the target audit data on the auditor device.
Through these steps, the devices of users that need to be audited no longer have to be screened manually, audit data can be obtained relatively quickly, and the efficiency of the audit process is improved. In addition, the audit can proceed without the audited device being collected from the user, which reduces the inconvenience that the audit causes the user.
In practice there may be several kinds of audit task; the process of obtaining target audit data for each kind is described below.
Optionally, the audit task may include a forensic task. As shown in fig. 4, step 330 may include steps 331 to 333.
Step 331: the local file system is loaded and the file directory is obtained.
Step 332: the target file corresponding to the audit object is determined from the file directory.
Illustratively, the target location of the data file corresponding to the audit object may be determined from the audit object, and the target file corresponding to the audit object is then read from that location.
Taking an instant messaging tool as an example, the target location may be the storage location where the tool keeps its data.
Step 333: target audit data satisfying the forensic task is determined from the target file.
Illustratively, the forensic task may include a user behavior forensic task, and step 333 may include: parsing the target file to obtain target plaintext data; and performing type recognition on the target plaintext data, and determining, from the target plaintext data whose type is user behavior data, the user behavior data that satisfies the user behavior forensic task.
Here the target audit data includes user behavior data.
The parsing scheme may differ from file to file. For example, the data content of a file can be structured according to the file format, the data storage logic and the associations between different pieces of data that the audit object uses when storing its data.
For example, the format of the target file may be determined first and the file then read according to that format's specification; the format may be, for example, an SQLite database, JSON or XML. Once the target file has been read, the data content in it is interpreted.
Illustratively, during interpretation the data content may need a second round of structural analysis, since it may be obfuscated, encrypted, nested in another format, split across files, and so on. For example, the target file may be decrypted and decoded with the key it requires, and parsing may be completed with supplementary steps such as reassembling and concatenating the data in the target file.
In this embodiment, if target plaintext data obtained while parsing the target file is key data rather than audit data, the key data may be stored locally for use when other files are parsed later: a later lookup or read of other files during the audit task may depend on it. For example, the key data may be the locations of other files recorded in a configuration file, or the encryption and decryption keys of other files.
The target plaintext data may be presented in an intuitive form that is easy for the user to understand.
In this embodiment, after the target plaintext data is obtained, it may be determined whether the target plaintext data can serve as evidence, so as to form the audit data.
Taking an instant messaging tool as the audit object, it can be judged whether the obtained target plaintext data was generated by the user's chats; if so, it can be identified as user behavior data and used as target audit data.
Taking a browser as the audit object, it can be judged whether the obtained target plaintext data is the user's browsing history; if so, it can be identified as user behavior data and used as target audit data.
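The forensic flow of steps 331 to 333 run over a constructed browser profile, as an added example that is not code from this application or from any product: the file directory is listed, the entry file for the audit object is located, the key data parsed out of it (the name of the history database) is stored and used to find the next target file, that database is opened read-only and read by its detected format, and the plaintext records are type-classified so that only browsing records become target audit data. The file names, the `ENTRY_FILES` mapping, the field-based `classify` rule and the sample rows are assumptions made for the example; real instant-messaging and browser storage layouts differ and may be encrypted, which the example does not handle.

```python
import json
import os
import sqlite3
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"      # first 16 bytes of every SQLite 3 file
# Assumed (not the patent's) entry file per audit object: a config file whose
# key data (here the history database name) locates the next file to read.
ENTRY_FILES = {"browser": "profile.json"}


def load_file_directory(root):
    """Step 331: load the local file system and return the file catalog."""
    return sorted(os.path.join(root, name) for name in os.listdir(root))


def detect_format(path):
    """Identify the container format from the leading bytes, not the extension."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    if head.startswith(SQLITE_MAGIC):
        return "sqlite"
    return "json" if head.lstrip()[:1] in (b"{", b"[") else "unknown"


def parse_file(path):
    """Read the file by its format specification and return plaintext records."""
    fmt = detect_format(path)
    if fmt == "sqlite":
        # Read-only URI: the collector must not alter the evidence it reads.
        con = sqlite3.connect(f"file:{path}?mode=ro", uri=True, isolation_level=None)
        con.row_factory = sqlite3.Row
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table'").fetchall()]
        records = [dict(r) for t in tables
                   for r in con.execute(f'SELECT * FROM "{t}"').fetchall()]
        con.close()
        return records
    if fmt == "json":
        with open(path, "rb") as fh:
            data = json.load(fh)
        return data if isinstance(data, list) else [data]
    return []                  # other formats are out of scope for this example


def classify(record):
    """Type recognition of one plaintext record (field-based, simplified)."""
    if "url" in record and "last_visit" in record:
        return "browse_record"          # user behavior data
    if any(key.endswith("_db") for key in record):
        return "key_data"               # locates other files; kept, not audit data
    return "other"


def run_forensic_task(audit_object, root):
    """Steps 331-333 for a user behavior forensic task.  Returns
    (target_audit_data, key_store); files named by key data are queued."""
    catalog = load_file_directory(root)
    entry = os.path.join(root, ENTRY_FILES[audit_object])          # step 332
    if entry not in catalog:
        return [], {}
    audit_data, key_store, pending, seen = [], {}, [entry], set()
    while pending:                                                    # step 333
        path = pending.pop(0)
        if path in seen:
            continue
        seen.add(path)
        for rec in parse_file(path):
            kind = classify(rec)
            if kind == "browse_record":
                audit_data.append({"object": audit_object, "type": kind,
                                   "url": rec["url"], "time": rec["last_visit"]})
            elif kind == "key_data":
                for key, value in rec.items():
                    if key.endswith("_db"):
                        key_store[key] = value
                        ref = os.path.join(root, value)
                        if ref in catalog:
                            pending.append(ref)
    return audit_data, key_store


def build_sample_profile(root):
    """Constructed sample data, not real browser files."""
    with open(os.path.join(root, "profile.json"), "w", encoding="utf-8") as fh:
        json.dump({"history_db": "History.db", "theme": "dark"}, fh)
    con = sqlite3.connect(os.path.join(root, "History.db"))
    con.execute("CREATE TABLE urls (url TEXT, title TEXT, last_visit INTEGER)")
    con.executemany("INSERT INTO urls VALUES (?, ?, ?)", [
        ("https://example.com/", "Example", 1700000000),
        ("https://example.org/docs", "Docs", 1700000100)])
    con.commit()
    con.close()


def collect_sample():
    """Build the sample profile in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_profile(root)
        return run_forensic_task("browser", root)


if __name__ == "__main__":
    print(collect_sample())
```

Two points a collector should keep: the evidence is opened with `mode=ro` so the agent cannot alter what it later reports, and the format is taken from the file header rather than the extension, since application data files frequently carry no or misleading extensions.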
In this embodiment, after the target audit data has been determined through steps 331 to 333, the agent may attempt to connect to the server; if it can communicate with the server, it sends the target audit data to the server. If it cannot communicate with the server, the target audit data is stored locally and sent to the server once communication becomes possible.
In this embodiment, the audited device therefore does not depend on the connection state with the server to perform the audit task; the connection to the server is only needed when the target audit data is sent.
Optionally, the audit task includes behavior monitoring. Before step 330, the method of this embodiment may further include step 320: starting a first monitoring component to monitor preset messages triggered by the audit object.
The preset messages include at least one of the following: system messages, target database change messages and system driver event messages.
The target database may be a database external to the audited device, or a database used locally by the audited device to store data. The database related to user behavior differs between audit objects; for example, it may be the database in which an instant messaging tool stores its data, or the database in which a browser stores its data.
In one embodiment, the audit task may include a behavior monitoring task, and the target audit data includes target behavior data.
Step 330 may then be implemented as: after the first monitoring component has detected a preset message, acquiring from the audited device the target behavior data that belongs to the audit object and satisfies the behavior monitoring task.
For example, while the first monitoring component monitors system messages, if a user behavior generated by the audit object is observed to trigger a system message, the target behavior data can be obtained from the system message that the user behavior triggered.
While the first monitoring component monitors the target database corresponding to the audit object, if a user behavior generated by the audit object is observed to change the target database, the target behavior data can be obtained from the changed data of the target database.
While the first monitoring component monitors the system driver of the audit object, if a user behavior generated by the audit object is observed to trigger a driver event, the target behavior data can be determined from that driver event.
In this embodiment, once the target audit data has been determined from the preset messages observed by the first monitoring component, the agent may attempt to connect to the server and, if it can communicate with the server, send the target audit data to it. If it cannot, the target audit data is stored locally and sent to the server once communication becomes possible.
In this way the user's behavior can be monitored and potentially harmful behavior discovered in time.
Optionally, the audit task may include a real-time monitoring task. As shown in fig. 5, step 330 may include steps 336 and 337.
Step 336: a second monitoring component is started to collect real-time status data of the audit object.
The second monitoring component is used to collect the real-time status data of the audit object.
Step 337: the real-time status data satisfying the real-time monitoring task is acquired from the real-time status data of the audit object collected by the second monitoring component.
Here the target audit data includes real-time status data.
Illustratively, the user's desktop may be recorded for the audit object, system process information may be retrieved through an interface, and so on.
Optionally, the second monitoring component may collect real-time data of the audit object once per specified time interval. The interval can be set as required, for example 5 s or 1 min.
Optionally, the audit task may further include an acquisition period, in which case the second monitoring component collects real-time data of the audit object only during that period.
Compared with manually obtained screenshots, audio or video recordings and files, the second monitoring component can parse the collected data into structured data, which provides a technical basis for later searching, analysis and assessment and makes data auditing more convenient.
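A first monitoring component of the target-database-change kind (step 320 and the behavior monitoring task) and a second monitoring component sampling at a fixed interval inside an acquisition period (steps 336 and 337), as one added example that is not code from this application: `DatabaseChangeMonitor` watches the SQLite database an audit object writes to and returns the rows added since the last poll as structured behavior data, and `RealTimeSampler` timestamps a state sample every `interval` seconds between `start` and `end`. The IM-style `messages` table, the process-list collector and the `FakeClock` are constructed for the example; a real agent would point the monitor at the audit object's own database and use `time.time` and `time.sleep`.

```python
import os
import sqlite3
import tempfile


class DatabaseChangeMonitor:
    """First monitoring component, target-database-change variant: returns the
    rows the audit object has added to its database since the last poll.
    PRAGMA data_version changes whenever another connection commits, so a
    cheap poll of it decides whether to read past the rowid watermark.  The
    stdlib sqlite3 module exposes no update hook, hence polling."""

    def __init__(self, db_path, table):
        # Read-only and autocommit: the monitor must not keep a read
        # transaction open, or it would block the audited program's commits.
        self.con = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True,
                                   isolation_level=None)
        self.con.row_factory = sqlite3.Row
        self.table = table
        self.version = self._data_version()
        self.watermark = self.con.execute(
            f'SELECT COALESCE(MAX(rowid), 0) FROM "{table}"').fetchall()[0][0]

    def _data_version(self):
        return self.con.execute("PRAGMA data_version").fetchall()[0][0]

    def poll(self):
        """Return new rows as target behavior data, or [] if nothing changed."""
        version = self._data_version()
        if version == self.version:
            return []
        self.version = version
        rows = self.con.execute(
            f'SELECT rowid, * FROM "{self.table}" WHERE rowid > ? ORDER BY rowid',
            (self.watermark,)).fetchall()
        if rows:
            self.watermark = rows[-1]["rowid"]
        return [dict(r) for r in rows]

    def close(self):
        self.con.close()


class RealTimeSampler:
    """Second monitoring component: calls `collector` every `interval` seconds
    inside the acquisition period [start, end] and timestamps each sample.
    `clock` and `sleep` are injected so the example runs without waiting."""

    def __init__(self, collector, interval, start, end, clock, sleep):
        self.collector, self.interval = collector, interval
        self.start, self.end, self.clock, self.sleep = start, end, clock, sleep

    def run(self):
        samples = []
        if self.clock() < self.start:
            self.sleep(self.start - self.clock())
        while self.clock() <= self.end:
            samples.append({"ts": self.clock(), "state": self.collector()})
            self.sleep(self.interval)
        return samples


class FakeClock:
    """Constructed clock for the example; a real agent uses time.time/time.sleep."""

    def __init__(self, t):
        self.t = t

    def now(self):
        return self.t

    def sleep(self, seconds):
        self.t += seconds


def simulate_behavior_monitoring():
    """Constructed scenario: an IM-like program (the writer connection) appends
    messages to its database while the monitor polls between commits."""
    with tempfile.TemporaryDirectory() as root:
        db = os.path.join(root, "messages.db")
        writer = sqlite3.connect(db)
        writer.execute("CREATE TABLE messages (sender TEXT, body TEXT, ts INTEGER)")
        writer.execute("INSERT INTO messages VALUES ('alice', 'old message', 1)")
        writer.commit()
        monitor = DatabaseChangeMonitor(db, "messages")
        captured = monitor.poll()                                      # []: nothing new
        writer.execute("INSERT INTO messages VALUES ('bob', 'hello', 2)")
        captured += monitor.poll()                                     # []: not committed
        writer.commit()
        captured += monitor.poll()                                     # bob's row
        writer.executemany("INSERT INTO messages VALUES (?, ?, ?)",
                           [("alice", "hi", 3), ("bob", "file sent", 4)])
        writer.commit()
        captured += monitor.poll()                                     # two rows
        writer.close()
        monitor.close()
    return captured


def simulate_real_time_monitoring():
    """Sampler with a 5 s interval over the acquisition period 100..120,
    started 5 s early; the collector returns a constructed process list."""
    clock = FakeClock(95)
    sampler = RealTimeSampler(collector=lambda: {"pids": [101, 202]}, interval=5,
                              start=100, end=120, clock=clock.now, sleep=clock.sleep)
    return sampler.run()
```

Three limits of the database monitor are worth knowing before relying on it: `PRAGMA data_version` does not change for commits made on the monitor's own connection; a changed version with no rows past the watermark means an update or delete rather than an insert, which this monitor does not report; and an audit object that rewrites its database file wholesale (rowids reset) defeats the watermark, so the monitor should be re-created when the file's inode or size drops.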
In this embodiment, so that the auditor learns of the target audit data as quickly as possible, the target audit data is forwarded through steps 341, 351, 342 and 352.
Step 341: it is determined whether the agent is connected to the client.
The auditor device is the end that triggers the audit task; after triggering it, the auditor device sends the audit task to the server, which sends it on to the audited device.
If the agent is connected to the client on the auditor device, step 351 is executed.
Step 351: the target audit data is sent to the client.
Step 342: it is determined whether the agent is connected to the server.
If the agent is connected to the server, step 352 is executed.
Step 352: the target audit data is sent to the server.
In this embodiment it may first be determined whether the agent is connected to the server; if it is, the target audit data is sent to the server, which then forwards it to the client on the auditor device.
Alternatively, it may first be determined whether the agent is connected to the client; if it is, the target audit data is sent to the client.
Optionally, before step 350, the method may further include: determining whether the audit task is a real-time audit task.
If the audit task is a real-time audit task, step 350 may include sending the target audit data to the client; if it is not, step 350 may include sending the target audit data to the server.
Because real-time status data has stricter timeliness requirements, it can be sent directly to the auditor device when the server cannot be reached, which better preserves the timeliness of the target audit data.
Optionally, some non-real-time status data may be stored locally and sent to the server once the server can be reached.
In this embodiment the above steps are performed by an agent program running on the audited device, so the agent may be deployed on the audited device in advance, before step 310. The data auditing method may further include steps 410 and 420.
Step 410: installation data of the agent program is acquired.
The installation data of the agent includes the communication address and port of the server-side program running on the server.
Step 420: the agent is installed and started based on its installation data, so that the agent can carry out the steps of the method described above.
In this embodiment the installation data of the agent includes a first communication address and first port, and a second communication address and second port, of the server-side program running on the server; the first address and port accept access from the local area network, and the second address and port accept access from the wide area network.
Because the agent on the audited device is configured with both the local-area and the wide-area address of the server, the server can be reached normally whether the audited device is on the local area network or on the wide area network.
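The agent-side delivery logic of this and the preceding sections, as one added example that is not code from this application: server addressing that tries the local-area address and port before the wide-area pair from the installation data, the routing of steps 341, 351, 342 and 352 together with the rule that real-time data goes to the client and other data to the server, and the local store-and-forward that holds undeliverable results until the server is reachable again. The `Endpoint` classes stand in for real connections, the probe is injected, and the JSON-lines spool file, the task type names and the addresses are assumptions; spooling real-time data when neither client nor server can be reached is also an assumption, since the description leaves that case open.

```python
import json
import os
import tempfile


class Endpoint:
    """A destination the agent can send to.  `reachable` stands in for a real
    connection attempt; a real agent would open a socket with a timeout."""

    def __init__(self, name, reachable=True):
        self.name = name
        self.reachable = reachable
        self.received = []

    def send(self, record):
        if not self.reachable:
            raise ConnectionError(f"{self.name} unreachable")
        self.received.append(record)


class ServerEndpoint(Endpoint):
    """The server side, tried at the LAN address/port first and the WAN
    address/port second (the two pairs in the agent's installation data)."""

    def __init__(self, install_data, probe):
        super().__init__("server", reachable=False)
        self.candidates = [
            (install_data["lan_address"], install_data["lan_port"]),
            (install_data["wan_address"], install_data["wan_port"]),
        ]
        self.probe = probe      # probe(address, port) -> bool; injected, no real network
        self.active = None

    def connect(self):
        for address, port in self.candidates:
            if self.probe(address, port):
                self.active, self.reachable = (address, port), True
                return True
        self.active, self.reachable = None, False
        return False


class AgentForwarder:
    """Routing of target audit data: real-time data goes to the client when it
    is connected and otherwise to the server; other data goes to the server.
    Anything undeliverable is appended to a local spool file and retried by
    flush_spool() once the server is reachable."""

    def __init__(self, server, client, spool_path):
        self.server, self.client, self.spool_path = server, client, spool_path

    def forward(self, task, data):
        """Deliver one result; return the destination name, or 'spool'."""
        record = {"task_id": task["id"], "type": task["type"], "data": data}
        order = [self.client, self.server] if task["type"] == "real_time" else [self.server]
        for dest in order:
            try:
                dest.send(record)
                return dest.name
            except ConnectionError:
                continue
        with open(self.spool_path, "a", encoding="utf-8") as fh:
            fh.write(json.dumps(record) + "\n")     # one JSON object per line
        return "spool"

    def flush_spool(self):
        """Send spooled records to the server; keep those still undeliverable."""
        if not os.path.exists(self.spool_path):
            return 0
        with open(self.spool_path, encoding="utf-8") as fh:
            pending = [json.loads(line) for line in fh if line.strip()]
        sent, remaining = 0, []
        for record in pending:
            try:
                self.server.send(record)
                sent += 1
            except ConnectionError:
                remaining.append(record)
        with open(self.spool_path, "w", encoding="utf-8") as fh:
            fh.writelines(json.dumps(r) + "\n" for r in remaining)
        return sent


def demo():
    """Constructed scenario: LAN address down, WAN address up, client offline
    at first.  Addresses are private (RFC 1918) and documentation (RFC 5737)
    values, not real hosts."""
    install = {"lan_address": "10.0.0.5", "lan_port": 8443,
               "wan_address": "203.0.113.10", "wan_port": 8443}
    server = ServerEndpoint(install, probe=lambda address, port: address == "203.0.113.10")
    client = Endpoint("client", reachable=False)
    with tempfile.TemporaryDirectory() as root:
        fw = AgentForwarder(server, client, os.path.join(root, "spool.jsonl"))
        results = [server.connect()]                                            # True, via WAN
        results.append(fw.forward({"id": 1, "type": "real_time"}, {"cpu": 12}))  # server
        server.reachable = False                                                # link drops
        results.append(fw.forward({"id": 2, "type": "forensic"}, {"rows": 2}))   # spool
        results.append(fw.forward({"id": 3, "type": "real_time"}, {"cpu": 30}))  # spool
        server.reachable = True
        results.append(fw.flush_spool())                                        # 2 sent
        client.reachable = True
        results.append(fw.forward({"id": 4, "type": "real_time"}, {"cpu": 40}))  # client
    return results, server.active, [r["task_id"] for r in server.received]
```

The spool is appended one record per line so that a crash mid-write loses at most the last record; a real agent would also protect the spool from the audited user, since it holds collected evidence at rest on the device being audited.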
The installation data of the agent may be acquired in different ways in different situations.
Illustratively, where the auditor device has administrator privileges on the audited device, the agent can be deployed remotely over the network directly: the audited device accepts remote operation by the auditor device and obtains the installation data of the agent through that remote operation.
Illustratively, where the auditor device has domain management authority, the installation data of the agent is pushed to the audited device remotely through a policy of the domain management tool; the audited device then receives the installation data of the agent transmitted by the auditor device over the local area network.
Illustratively, where the auditor device has no control authority over the audited device, or where the audited device cannot connect to the network, installation uses an offline installation package: the audited device monitors for the connection of an external storage device and, once one is connected, obtains the installation data of the agent from it.
In this embodiment, after the agent has started, a process protection technique may be used to protect its process. The agent's process can be hidden so that it is not found, which reduces the chance that antivirus software kills it by mistake and that the user force-closes the process, and so improves the success rate of obtaining target audit data.
Optionally, the agent may uninstall itself automatically once the audit task has been completed.
In the embodiments of the application the object audited is an office computer, so, unlike an electronic discovery scheme, no unified management of enterprise data is needed and no changes to the enterprise information system or network environment are required, which reduces the investment cost of building the audit capability. The method of the embodiments replaces manual auditing of electronic data and greatly improves audit efficiency compared with manual work.
The embodiments of the application support both forensic collection of electronic data and monitoring of electronic data; user trace data and application trace data can be obtained under the various audit tasks. Compared with electronic discovery based on information-system data management, the method adapts better to the office and production software currently on the market.
Further, when the auditing end has control authority over each audited device, the agent can be deployed and executed silently on the audited device, which reduces the impact of auditing the electronic data of office equipment on the normal production of the enterprise.
In the embodiments of the application the audit task can include forensics, behavior monitoring and real-time monitoring, so both historical data that has already been generated and real-time data that is being generated can be audited, making the audit data more comprehensive.
Based on the same inventive concept, an embodiment of the application also provides a data auditing apparatus corresponding to the data auditing method. Since the apparatus solves the problem on the same principle as the method embodiment, its implementation can refer to the description of the method embodiment and is not repeated here.
Fig. 6 is a schematic functional block diagram of a data auditing apparatus according to an embodiment of the application. The modules of the apparatus are configured to execute the steps of the method embodiment above. The apparatus includes a receiving module 510, a first obtaining module 520 and a first sending module 530, as follows:
the receiving module 510 is configured to receive an audit task, where the audit task includes an audit object;
the first obtaining module 520 is configured to obtain, based on the audit task, target audit data of the audit object from the audited device;
and the first sending module 530 is configured to send the target audit data through the agent so that an auditor can audit it.
In one possible implementation the audit task includes a forensic task, and the first obtaining module 520 is configured to load the local file system to obtain a file directory; determine the target file corresponding to the audit object from the file directory; and determine, from the target file, the target audit data satisfying the forensic task.
In one possible implementation the forensic task includes a user behavior forensic task and the target audit data includes user behavior data; the first obtaining module 520 is configured to parse the target file to obtain target plaintext data, perform type recognition on the target plaintext data, and determine, from the target plaintext data whose type is user behavior data, the user behavior data satisfying the user behavior forensic task.
In one possible implementation the apparatus further includes a starting module configured to start the first monitoring component to monitor preset messages triggered by the audit object, where the preset messages include at least one of the following: system messages, target database change messages and system driver event messages.
In one possible implementation the audit task includes a behavior monitoring task and the target audit data includes target behavior data; the first obtaining module 520 is configured to obtain, from the audited device and based on the preset messages detected by the first monitoring component, the target behavior data that belongs to the audit object and satisfies the behavior monitoring task.
In one possible implementation the audit task includes a real-time monitoring task and the target audit data includes real-time status data; the first obtaining module 520 is further configured to start the second monitoring component to collect real-time status data of the audit object, and to acquire the real-time status data satisfying the real-time monitoring task from the real-time status data of the audit object collected by the second monitoring component.
In one possible implementation the apparatus of this embodiment may further include a first judging module configured to judge whether the agent is connected to the client;
and the first obtaining module 520 is further configured to send the target audit data to the client if the agent is connected to the client; or
the apparatus of this embodiment may further include a second judging module configured to judge whether the agent is connected to the server;
and the first obtaining module 520 is further configured to send the target audit data to the server if the agent is connected to the server.
In one possible implementation the apparatus of this embodiment may further include a third judging module configured to judge whether the audit task is a real-time audit task, and to send the target audit data to the client if it is and to the server if it is not.
In one possible implementation the data auditing apparatus of this embodiment further includes:
a second obtaining module configured to obtain the installation data of the agent, where the agent is used to execute the functional modules above and the installation data of the agent includes the communication address and port of the server-side program running on the server;
and a starting module configured to install and start the agent based on its installation data so that the functional modules are executed through the agent.
In one possible implementation the installation data of the agent includes a first communication address and first port, and a second communication address and second port, of the server-side program running on the server, where the first address and port accept access from the local area network and the second address and port accept access from the wide area network.
In one possible implementation the second obtaining module is configured to accept remote operation by the auditor device so as to obtain the installation data of the agent through that remote operation; or to receive the installation data of the agent transmitted by the auditor device over the local area network; or to monitor for the connection of an external storage device and obtain the installation data of the agent from it once it is connected.
Referring to fig. 7, a flowchart of a data auditing method according to an embodiment of the present application is provided. The method of this embodiment is similar to the method embodiment above, except that it is applied to an audit system as a whole rather than to the agent alone. The audit system includes an agent program, a client and a server; the agent program is installed on the audited device and the client is installed on the auditor device.
The flow shown in fig. 7 is described in detail below.
In step 410, an audit task is triggered by the client and submitted to the server.
The audit task includes an audit object.
Step 420: the audit task is sent to the agent through the server.
Step 430: target audit data of the audit object is obtained by the agent based on the audit task.
In step 430 the target audit data may be obtained by the method applied to the agent described above.
Step 440: the target audit data is audited through the client installed on the auditor device.
For further details of the method of this embodiment, reference may be made to the description of the method applied to the agent; they are not repeated here.
An embodiment of the application also provides an audit system including an agent program, a client and a server. The client is used to trigger an audit task and submit it to the server, the audit task including an audit object; the server is used to send the audit task to the agent; the agent obtains target audit data of the audit object based on the audit task by any of the methods above; and the client is used to audit the target audit data.
Furthermore, an embodiment of the present application provides a computer readable storage medium storing a computer program which, when executed by a processor, performs the steps of the data auditing method described in the method embodiments above.
The computer program product of the data auditing method provided in the embodiments of the present application includes a computer readable storage medium storing program code, the instructions in which can be used to execute the steps of the data auditing method described in the method embodiments; reference may be made to the method embodiments above, and the details are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed apparatus and method may be implemented in other manners as well. The apparatus embodiments described above are merely illustrative, for example, flow diagrams and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, the functional modules in the embodiments of the present application may be integrated together to form a single part, or each module may exist alone, or two or more modules may be integrated to form a single part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. On that understanding, the technical solution of the present application, in essence or in the part that contributes to the prior art or in part, may be embodied in the form of a software product stored in a storage medium and including several instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to perform all or part of the steps of the methods described in the embodiments of the present application. The storage medium includes a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or any other medium capable of storing program code. It is noted that relational terms such as first and second are used solely to distinguish one entity or action from another and do not necessarily require or imply any actual such relationship or order between those entities or actions. Moreover, the terms "comprises", "comprising" and any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article or apparatus that comprises a list of elements includes not only those elements but may include other elements not expressly listed or inherent to that process, method, article or apparatus. Without further limitation, an element defined by the phrase "comprising ..." does not exclude the presence of other like elements in the process, method, article or apparatus that comprises the element.
The foregoing description is only of the preferred embodiments of the present application and is not intended to limit the same, but rather, various modifications and variations may be made by those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present application should be included in the protection scope of the present application. It should be noted that: like reference numerals and letters denote like items in the following figures, and thus once an item is defined in one figure, no further definition or explanation thereof is necessary in the following figures.
The foregoing is merely specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily think about changes or substitutions within the technical scope of the present application, and the changes and substitutions are intended to be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (16)

1. A data auditing method, applied to an agent program installed on an audited device, the data auditing method comprising:
receiving an audit task, wherein the audit task comprises an audit object;
acquiring target audit data of the audit object from the audited device based on the audit task; and
sending the target audit data through the agent program so that an auditor can audit the target audit data.
2. The method of claim 1, wherein the audit task comprises a forensic task, and
acquiring target audit data of the audit object from the audited device based on the audit task comprises:
loading a local file system and obtaining a file directory;
determining a target file corresponding to the audit object from the file directory; and
determining target audit data satisfying the forensic task from the target file.
3. The method of claim 2, wherein the forensic task comprises a user behavior forensic task and the target audit data comprises user behavior data; and
determining target audit data satisfying the forensic task from the target file comprises:
parsing the target file to obtain target plaintext data; and
performing type recognition on the target plaintext data, and determining, from the target plaintext data whose type is user behavior data, the user behavior data satisfying the user behavior forensic task.
4. The method of claim 1, further comprising:
starting a first monitoring component to monitor preset messages triggered by the audit object, wherein the preset messages comprise at least one of the following: system messages, target database change messages and system driver event messages.
5. The method of claim 4, wherein the audit task comprises a behavior monitoring task and the target audit data comprises target behavior data; and acquiring target audit data of the audit object from the audited device based on the audit task comprises:
after the first monitoring component has detected a preset message, acquiring from the audited device target behavior data that belongs to the audit object and satisfies the behavior monitoring task.
6. The method of claim 1, wherein the audit task comprises a real-time monitoring task and the target audit data comprises real-time status data; and
acquiring target audit data of the audit object from the audited device based on the audit task comprises:
starting a second monitoring component to collect real-time status data of the audit object; and
acquiring real-time status data satisfying the real-time monitoring task from the real-time status data of the audit object collected by the second monitoring component.
7. The method of claim 1, wherein before the sending of the target audit data through the agent program, the method further comprises:
judging whether the agent program is connected to a client, wherein the client is installed on an auditor device, and if the agent program and the client are in a connected state, sending the target audit data to the client; and/or
judging whether the agent program is connected to a server, and if the agent program and the server are in a connected state, sending the target audit data to the server.
8. The method of claim 1, wherein before the sending of the target audit data, the method further comprises:
judging whether the audit task is a real-time audit task, and if so, sending the target audit data to a client, otherwise sending the target audit data to a server.
9. The method of claim 1, further comprising:
acquiring installation data of the agent program; and
installing and starting the agent program based on the installation data of the agent program.
10. The method of claim 9, wherein the installation data of the agent program comprises a first communication address, a first port, a second communication address and a second port of a server program running on the server, wherein the first communication address and the first port are used to accept access from a local area network, and the second communication address and the second port are used to accept access from a wide area network.
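Claims 7, 8 and 10 together describe how the agent decides where collected data goes: real-time tasks to the auditor's client, other tasks to the server, only over a channel that is actually connected, with the server reachable on a LAN-facing and a WAN-facing address/port pair. The Python below is an added illustration of that routing, not code from the patent: the installation data values, the list of LAN prefixes used to decide which server address applies, and the injected reachability probes are assumptions for the example. Where claim 7 allows sending to client and/or server, this version picks one destination and falls back to the other, and spools the data locally when neither is reachable rather than dropping it.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import Callable

# Constructed installation data in the shape claim 10 describes: one LAN-facing and one
# WAN-facing address/port pair of the server program. The values, and the "lan_prefixes"
# field saying which networks count as the local area network, are assumptions for the example.
INSTALL_DATA = {
    "lan_address": "10.20.0.5", "lan_port": 8443,
    "wan_address": "203.0.113.10", "wan_port": 443,
    "lan_prefixes": ["10.20.0.0/16"],
}


def select_server_endpoint(install_data: dict, agent_ip: str) -> tuple[str, int]:
    """Claim 10: use the LAN address/port when the agent's own address lies inside a
    configured LAN prefix, otherwise the WAN address/port."""
    ip = ipaddress.ip_address(agent_ip)
    if any(ip in ipaddress.ip_network(prefix) for prefix in install_data["lan_prefixes"]):
        return install_data["lan_address"], install_data["lan_port"]
    return install_data["wan_address"], install_data["wan_port"]


@dataclass
class Dispatcher:
    """Agent-side sender implementing claims 7 and 8. Reachability is checked through
    injected probe callables so the example runs offline; a real agent would test its
    client and server sessions themselves."""
    client_reachable: Callable[[], bool]
    server_reachable: Callable[[], bool]
    sent: list[tuple[str, dict]] = field(default_factory=list)
    spool: list[dict] = field(default_factory=list)  # retained while no channel is connected

    def send(self, task: dict, audit_data: dict) -> str:
        """Return the destination used: "client", "server" or "spooled"."""
        # Claim 8: a real-time audit task goes to the auditor's client, anything else to
        # the server. The other side serves as fallback (claim 7's "and/or").
        preferred = "client" if task.get("real_time") else "server"
        order = (preferred, "server" if preferred == "client" else "client")
        for dest in order:
            # Claim 7: only send over a channel that is currently connected.
            up = self.client_reachable() if dest == "client" else self.server_reachable()
            if up:
                self.sent.append((dest, audit_data))
                return dest
        self.spool.append(audit_data)  # neither side reachable: keep the evidence, do not drop it
        return "spooled"

    def flush_spool(self) -> int:
        """Re-send spooled data once a channel is back; returns how many items were delivered."""
        pending, self.spool = self.spool, []
        return sum(1 for item in pending if self.send({"real_time": False}, item) != "spooled")


if __name__ == "__main__":
    print(select_server_endpoint(INSTALL_DATA, "10.20.3.7"))      # LAN endpoint
    print(select_server_endpoint(INSTALL_DATA, "198.51.100.4"))   # WAN endpoint
    link = {"server": False}
    d = Dispatcher(client_reachable=lambda: False, server_reachable=lambda: link["server"])
    print(d.send({"real_time": True}, {"event": "login"}))         # spooled
    link["server"] = True
    print(d.flush_spool())                                          # 1
```

The LAN/WAN choice is made from the agent's own address, so the same installation data works for an agent inside the office network and for one on a remote link; the spool keeps collected data until a channel returns, which is what an auditor would expect of an evidence-collecting agent.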
11. The method of claim 9, wherein the acquiring of the installation data of the agent program comprises:
receiving a remote operation from an auditor device and obtaining the installation data of the agent program through that remote operation; or
receiving the installation data of the agent program transmitted by the auditor device over a local area network; or
monitoring for an access request from an external storage device and, once access by the external storage device is detected, obtaining the installation data of the agent program from the external storage device.
12. A data auditing method, applied to an auditing system comprising an agent program, a client and a server, wherein the agent program is installed on an audited-party device and the client is installed on an auditor device, the data auditing method comprising:
triggering an audit task through the client of the auditor device and submitting the audit task to the server, wherein the audit task comprises an audit object;
sending the audit task to the agent program of the audited-party device through the server;
acquiring, by the agent program and based on the audit task, target audit data of the audit object according to the method of any one of claims 1 to 8; and
auditing the target audit data through the client installed on the auditor device.
13. A data auditing apparatus, applied to an agent program installed on an audited-party device, the data auditing apparatus comprising:
a receiving module for receiving an audit task, wherein the audit task comprises an audit object;
a first acquisition module for acquiring, based on the audit task, target audit data of the audit object from the audited-party device; and
a first sending module for sending the target audit data through the agent program so that an auditor can audit the target audit data.
14. An electronic device, comprising a processor and a memory storing machine-readable instructions executable by the processor, wherein the instructions, when executed by the processor while the electronic device is running, perform the steps of the method of any one of claims 1 to 11.
15. A computer-readable storage medium having stored thereon a computer program which, when executed by a processor, performs the steps of the method of any one of claims 1 to 11.
16. An auditing system, comprising an agent program, a client and a server, wherein:
the client is used for triggering an audit task and submitting the audit task to the server, wherein the audit task comprises an audit object;
the server is used for sending the audit task to the agent program;
the agent program acquires, based on the audit task, target audit data of the audit object according to the method of any one of claims 1 to 8; and
the client is further used for auditing the target audit data.
CN202310215777.9A 2023-03-07 2023-03-07 Data auditing method, device, electronic equipment and readable storage medium Pending CN116185958A (en)

Publications (1)

Publication Number Publication Date
CN116185958A (en) 2023-05-30

Family

ID=86442243


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination