
CN110855747A - Method for collecting behavior audit data of user access application - Google Patents


Info

Publication number
CN110855747A
Authority
CN
China
Prior art keywords
audit
data
information
application
dll
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201910971869.3A
Other languages
Chinese (zh)
Inventor
杨金云
陈达
张重磊
刘爱江
曹峰
尹心明
邵旭东
樊志杰
陈家明
王曦
黄海晔
蔡新玮
曹志威
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
SHANGHAI CHENRUI INFORMATION TECHNOLOGY Co Ltd
Original Assignee
SHANGHAI CHENRUI INFORMATION TECHNOLOGY Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by SHANGHAI CHENRUI INFORMATION TECHNOLOGY Co Ltd filed Critical SHANGHAI CHENRUI INFORMATION TECHNOLOGY Co Ltd
Priority to CN201910971869.3A priority Critical patent/CN110855747A/en
Publication of CN110855747A publication Critical patent/CN110855747A/en
Pending legal-status Critical Current

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/95 Retrieval from the web
    • G06F16/951 Indexing; Web crawling techniques
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Databases & Information Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Data Mining & Analysis (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The invention provides a method for collecting behavior audit data of a user accessing an application. It relates to the technical field of auditing and communication, yields audit data in a uniform and complete format, and requires no modification of the application: only the software on the client needs to be updated, which avoids the large workload of modifying the application. The method comprises the following steps: S1, starting a browser; S2, loading an audit DLL; S3, the audit DLL waits for HTTPS requests and responses; S4, acquiring window content; S5, acquiring digital certificate information, client address information and current time information; S6, generating behavior audit information of the user accessing the application from the data acquired in S4 and the data acquired in S5; and S7, reporting the behavior audit information to an audit system for auditing. The technical scheme provided by the invention is suitable for the behavior audit data acquisition process.

Description

Method for collecting behavior audit data of user access application
[ technical field ]
The invention relates to the technical field of auditing and communication, in particular to a method for acquiring behavior audit data of user access application.
[ background of the invention ]
In the public security industry, access to application services is based on certificate login, and audit information for access to HTTPS application services is generally collected at the application-service level. Under the current auditing mode, the cost of modifying application services nationwide is high, the formats of the application services' audit data differ, and both the application modification work and its supervision are difficult to carry out.
Currently, there are two techniques for end-user behavior auditing. One audits at the server, but this requires modifying every application server, involves many parties, and leaves the applications' audit data formats non-uniform. The other captures and analyzes data at the client's transport layer, based on client-side statistics, to obtain audit data. This can audit access to HTTP applications, but for access to HTTPS applications the captured data is encrypted and cannot be used for auditing.
Accordingly, there is a need for a new method for collecting behavioral audit data of user access applications that solves or alleviates one or more of the problems set forth above.
[ summary of the invention ]
In view of this, the invention provides a method for acquiring behavior audit data of a user accessing an application, which can obtain audit data with a uniform and complete format, and only needs to update software on a client side without modifying the application, thereby avoiding a large workload for modifying the application.
In one aspect, the invention provides a method for collecting behavior audit data of a user accessing an application, characterized in that the method captures data from the terminal data display layer in order to collect the behavior audit data of the user accessing the application.
In the above aspect and any possible implementation, an implementation is further provided in which the specific steps of the collection method include:
S1, starting a browser;
S2, loading an audit DLL;
S3, the audit DLL waits for HTTPS requests and responses;
S4, acquiring window content;
S5, acquiring digital certificate information, client address information and current time information;
S6, generating behavior audit information of the user accessing the application from the data acquired in S4 and the data acquired in S5;
and S7, reporting the behavior audit information to an audit system for auditing.
In the above aspect and any possible implementation, an implementation is further provided in which the audit DLL file is injected into the browser process to be monitored when the audit DLL is loaded in S2.
In the above aspect and any possible implementation, an implementation is further provided in which the audit DLL monitors the interaction windows, among all browser windows, that use the http protocol.
In the above aspect and any possible implementation, an implementation is further provided in which the content monitored by the audit DLL includes the creation and destruction of IE windows.
In the above aspect and any possible implementation, an implementation is further provided in which the user must insert a digital certificate and initiate an http request before proceeding to S3.
In the above aspect and any possible implementation, an implementation is further provided in which the window content in S4 includes: the HTML content of the HTTPS request and the HTML content returned.
In the above aspect and any possible implementation, an implementation is further provided in which the digital certificate information in S5 includes the personnel information in the digital certificate.
In the above aspect and any possible implementation, an implementation is further provided in which the client address information in S5 includes the IP and MAC of the PC.
In the above aspect and any possible implementation, an implementation is further provided in which, when the creation of an IE window is detected, a listener is mounted on the created IE window, and when the destruction of an IE window is detected, the listener is unmounted from the IE window about to be destroyed.
Compared with the prior art, the invention can obtain the following technical effects: audit data in a uniform format can be obtained by modifying only the client, which avoids the large workload of modifying applications and the inconvenience of non-uniform audit data; the user's input to the application system and the queried data can both be audited accurately without modifying the application, which solves the problem that public security application access auditing requires application modification.
Of course, it is not necessary for any one product in which the invention is practiced to achieve all of the above-described technical effects simultaneously.
[ description of the drawings ]
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
Fig. 1 is a flowchart of a method for collecting behavior audit data of a user access application according to an embodiment of the present invention.
[ detailed description ]
For better understanding of the technical solutions of the present invention, the following detailed descriptions of the embodiments of the present invention are provided with reference to the accompanying drawings.
It should be understood that the described embodiments are only some embodiments of the invention, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The terminology used in the embodiments of the invention is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used in the examples of the present invention and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
To overcome the defects of the prior art, the invention captures data from the terminal data display layer, which allows accurate auditing of the user's input to the application system and of the queried data without modifying the application, and so solves the problem that public security application access auditing requires application modification. The terminal data display layer is the stage at which the user-side browser displays data; the method taps in at this stage to capture audit data.
Working from the PC end, two problems have to be solved: obtaining the interface input and output information when a user accesses HTTPS with a browser, and installing the audit module on the user's PC. Once these two problems are solved, the user's application access behavior can be audited accurately, and no audit-related modification is needed when a new application is added.
The invention provides a behavior auditing technology based on PC end-user access to applications. In a public security network, users access https applications, and all user behavior information and viewed content need to be audited. The audit DLL is implemented with the Windows hook mechanism, and hooks intercept the interactive data between the user and the application service in the browser. The Windows hook injects the DLL file into each browser process, so that the audit DLL file is injected into all the processes.
When a browser is started, the monitoring flow begins: the audit DLL file is loaded and injected into the browser process to be monitored. The audit DLL monitors the HTTPS-protocol interaction windows among all browser windows, including the creation and destruction of IE windows, and waits for HTTPS requests and responses. A listener is mounted on each IE window when it is created and unmounted when the window is destroyed, and the HTML content of the https request and the HTML content returned for the request are acquired.
The acquired window content is combined with the information of the digital certificate currently inserted into the computer (including the personnel information in it), the address information of the current environment, namely the current PC (including IP and MAC), and the time information to form a complete behavior audit message of the user accessing the application, which is reported to the certificate application audit system on the server. The audit message contains the information input by the user and the query result obtained; together these form the record of the user's behavior. The information input by the user is what the user enters on the query page in the browser interface when accessing the application system through the browser. The query result is the result data that the application system returns to the browser and displays when the user accesses the application system through the browser.
Fig. 1 is a flowchart of a method for collecting behavior audit data of a user accessing an application according to an embodiment of the present invention. As shown in fig. 1, the method for acquiring the behavior audit data of the user access application includes the following specific steps:
Step 1, starting a browser;
Step 2, loading an audit DLL;
Step 3, the DLL waits for HTTPS requests and responses;
before step 3, the user inserts a digital certificate and initiates an HTTPS request;
Step 4, acquiring the HTML content of the HTTPS request;
Step 5, acquiring the returned HTML content;
Step 6, acquiring the personnel information in the digital certificate, the client address information (IP and MAC of the PC) and the current time information;
Step 7, generating the complete behavior audit information of the user accessing the application;
Step 8, reporting the behavior audit information of the user accessing the HTTPS application.
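The record assembly of steps 4 to 8 is illustrated below. This is an added example, not code from the patent or its applicant: the field names, the one-JSON-line output, the redaction of password inputs, the skipping of hidden fields and all sample values are assumptions made here, and the page HTML and certificate subject are taken as strings that have already been captured.

```python
import ipaddress
import json
import re
from datetime import datetime, timedelta, timezone
from html.parser import HTMLParser

REDACTED = "[REDACTED]"  # assumption of this example: password inputs are not logged


class PageContent(HTMLParser):
    """Steps 4-5: user-entered <input> values and the visible text of one captured page."""

    def __init__(self, html):
        super().__init__()
        self.fields, self.shown, self._skip = {}, [], 0
        self.feed(html)
        self.close()  # flush any text still buffered at end of input

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        kind = (a.get("type") or "text").lower()
        if tag in ("script", "style"):
            self._skip += 1
        elif tag == "input" and a.get("name") and kind not in ("submit", "button", "hidden"):
            value = a.get("value") or ""
            self.fields[a["name"]] = REDACTED if kind == "password" else value

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if data.strip() and not self._skip:
            self.shown.append(data.strip())


def parse_subject(dn):
    """Step 6: split a certificate subject string into attributes (simplified parser)."""
    person = {}
    for rdn in re.split(r"(?<!\\),", dn):  # split on commas that are not escaped
        key, _, value = rdn.strip().partition("=")
        if key and value:
            person[key.upper()] = value.replace("\\,", ",")
    return person


def normalize_mac(mac):
    """Accept 00-11-22-AA-BB-CC, 00:11:22:aa:bb:cc or 0011.22aa.bbcc; emit one form."""
    digits = re.sub(r"[-:.]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def build_audit_record(request_html, response_html, cert_subject, ip, mac, when):
    """Step 7: combine window content, certificate, address and time into one record."""
    if when.tzinfo is None:
        raise ValueError("timestamp must be timezone-aware")
    request, response = PageContent(request_html), PageContent(response_html)
    return {
        "person": parse_subject(cert_subject),
        "client": {"ip": str(ipaddress.ip_address(ip)), "mac": normalize_mac(mac)},
        "time": when.astimezone(timezone.utc).isoformat(),
        "input": request.fields,
        "result": response.shown,
    }


def serialize(record):
    """Step 8 payload: one JSON line with sorted keys, the same shape on every client."""
    return json.dumps(record, sort_keys=True, ensure_ascii=False)


def sample_record():
    """Constructed sample data; none of it comes from the patent."""
    request_html = ('<form><input type="text" name="id_number" value="TEST-0001">'
                    '<input type="password" name="pin" value="1234">'
                    '<input type="submit" value="Search"></form>')
    response_html = ("<html><head><style>td{color:red}</style></head><body><table><tr>"
                     "<td>Name</td><td>Test Person</td></tr></table>"
                     "<script>var x = 1;</script></body></html>")
    subject = "CN=Test Officer 0001,OU=Constructed Unit,O=Example Bureau,C=CN"
    when = datetime(2019, 10, 14, 16, 30, tzinfo=timezone(timedelta(hours=8)))
    return build_audit_record(request_html, response_html, subject,
                              "192.0.2.10", "00-11-22-AA-BB-CC", when)


if __name__ == "__main__":
    print(serialize(sample_record()))
```

Normalizing the address, MAC and timestamp on the client is what keeps the reported records in a single format regardless of which application was accessed.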
The auditing function is integrated into the public security digital certificate driver, which is installed before a user uses a digital certificate. The way the user operates the digital certificate stays unchanged while audit information is captured and reported, so auditing is completely decoupled from the service systems. Meanwhile, audit data is reported by the client in a unified way and in a unified format, which makes unified audit data queries by the upper layer convenient.
The invention involves only an update of the client software and requires no modification of the applications, and it solves problems such as the large modification workload, inconsistent audit data formats and incomplete audit data. It should be noted that the reason why audit data is incomplete in the prior art is that user behavior is not audited.
The method for acquiring the behavior audit data of the user access application provided by the embodiment of the application is described in detail above. The above description of the embodiments is only for the purpose of helping to understand the method of the present application and its core ideas; meanwhile, for a person skilled in the art, according to the idea of the present application, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present application.
As used in the specification and claims, certain terms are used to refer to particular components. As one skilled in the art will appreciate, manufacturers may refer to a component by different names. This specification and claims do not intend to distinguish between components that differ in name but not function. In the following description and in the claims, the terms "include" and "comprise" are used in an open-ended fashion, and thus should be interpreted to mean "include, but not limited to". "Substantially" means within an acceptable error range, within which a person skilled in the art can solve the technical problem and substantially achieve the technical effect. The description which follows is a preferred embodiment of the present application, but is made for the purpose of illustrating the general principles of the application and not for the purpose of limiting the scope of the application. The protection scope of the present application shall be subject to the definitions of the appended claims.
It is also noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a product or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such product or system. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other like elements in a product or system that includes the element.
It should be understood that the term "and/or" as used herein merely describes an association between associated objects, meaning that three relationships may exist, e.g., A and/or B may mean: A exists alone, A and B exist simultaneously, and B exists alone. In addition, the character "/" herein generally indicates that the former and latter related objects are in an "or" relationship.
The foregoing description shows and describes several preferred embodiments of the present application, but as aforementioned, it is to be understood that the application is not limited to the forms disclosed herein, but is not to be construed as excluding other embodiments and is capable of use in various other combinations, modifications, and environments and is capable of changes within the scope of the application as described herein, commensurate with the above teachings, or the skill or knowledge of the relevant art. And that modifications and variations may be effected by those skilled in the art without departing from the spirit and scope of the application, which is to be protected by the claims appended hereto.

Claims (10)

1. A method for collecting behavior audit data of a user accessing an application, characterized in that data is captured from the terminal data display layer in order to collect the behavior audit data of the user accessing the application.
2. The method for collecting behavior audit data of a user accessing an application according to claim 1, wherein the specific steps of the collection method include:
S1, starting a browser;
S2, loading an audit DLL;
S3, the audit DLL waits for HTTPS requests and responses;
S4, acquiring window content;
S5, acquiring digital certificate information, client address information and current time information;
S6, generating behavior audit information of the user accessing the application from the data acquired in S4 and the data acquired in S5;
and S7, reporting the behavior audit information to an audit system for auditing.
3. The method for collecting behavior audit data of a user accessing an application according to claim 2, wherein the audit DLL file is injected into the browser process to be monitored when the audit DLL is loaded in S2.
4. The method of claim 3, wherein the audit DLL monitors the interaction windows, among all browser windows, that use the HTTPS protocol.
5. The method of claim 4, wherein the content monitored by the audit DLL includes the creation and destruction of IE windows.
6. The method for collecting behavior audit data of a user accessing an application according to claim 2, wherein the user inserts a digital certificate and initiates an http request before proceeding to S3.
7. The method for collecting behavior audit data of a user accessing an application according to claim 2, wherein the window content in S4 includes: the HTML content of the HTTPS request and the HTML content returned.
8. The method for collecting behavior audit data of a user accessing an application according to claim 2, wherein the digital certificate information in S5 includes the personnel information in the digital certificate.
9. The method for collecting behavior audit data of a user accessing an application according to claim 2, wherein the client address information in S5 includes the IP and MAC of the PC.
10. The method for collecting behavior audit data of a user accessing an application according to claim 5, wherein, when the creation of an IE window is detected, a listener is mounted on the created IE window, and when the destruction of an IE window is detected, the listener is unmounted from the IE window about to be destroyed.
CN201910971869.3A 2019-10-14 2019-10-14 Method for collecting behavior audit data of user access application Pending CN110855747A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910971869.3A CN110855747A (en) 2019-10-14 2019-10-14 Method for collecting behavior audit data of user access application

Publications (1)

Publication Number Publication Date
CN110855747A true CN110855747A (en) 2020-02-28

Family

ID=69596328

Country Status (1)

Country Link
CN (1) CN110855747A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200228