CN111131191A - Method and system for auditing cloud storage service operation and cloud storage system - Google Patents
- Publication number: CN111131191A
- Application number: CN201911255528.2A
- Authority: CN (China)
- Keywords: user, cloud storage, operation information, storage service, storage system
- Legal status: Pending (as listed by Google Patents; not a legal conclusion)
Classifications
- H04L63/0876: Network security, authentication of entities based on the identity of the terminal or its configuration (e.g. MAC address, hardware or software configuration, device fingerprint)
- H04L63/083: Network security, authentication of entities using passwords
- H04L63/10: Network security, controlling access to devices or network resources
- H04L67/1097: Protocols in which an application is distributed across nodes in the network, for distributed storage of data (e.g. NFS, SAN or NAS)
Abstract
The invention provides a method and a system for auditing cloud storage service operation, and a cloud storage system. The method is applied to the cloud storage system and comprises the following steps: A1: determining the cloud storage service operation of a user; A2: judging whether the user has the authority to execute the cloud storage service operation; if so, allowing the user to execute the cloud storage service operation and executing A3, otherwise forbidding the user to execute the cloud storage service operation and executing A3; A3: acquiring the operation information of the user for the cloud storage service operation, as recorded by the user side of the user; A4: saving the operation information for the cloud storage service operation into a block chain; A5: when the user needs to be audited, acquiring at least one piece of operation information of the user from the block chain; A6: auditing the user according to the at least one piece of operation information of the user. The scheme can track trusted user operation information.
Description
Technical Field
The invention relates to the technical field of computers, in particular to a method and a system for auditing cloud storage service operation and a cloud storage system.
Background
With the advent of the big data age, cloud storage has become a new choice for more and more businesses and individuals. Cloud storage is a storage service with elastic scaling capacity built on cloud computing, and resources are allocated dynamically by means of virtualization technology. To protect the data a user stores on a cloud storage system, cloud storage auditing plays a vital role.
The existing cloud storage auditing method records all operation behaviors of a user in the cloud storage system in the form of an audit log, and the audit log is used to monitor illegal behaviors of the user.
As can be seen from the above, in the prior art, monitoring the operation behavior of the user through the audit log carries a certain security risk: the audit log is easily tampered with or destroyed, so that trusted operation information of the user cannot be tracked.
Disclosure of Invention
The embodiments of the invention provide a method and a system for auditing cloud storage service operation, and a cloud storage system, which can track trusted operation information of a user.
In a first aspect, the present invention provides a method for auditing cloud storage service operations, which is applied to a cloud storage system and includes:
A1: determining the cloud storage service operation of a user;
A2: judging whether the user has the authority to execute the cloud storage service operation; if so, allowing the user to execute the cloud storage service operation and executing A3, otherwise forbidding the user to execute the cloud storage service operation and executing A3;
A3: acquiring the operation information of the user for the cloud storage service operation, as recorded by the user side of the user;
A4: saving the operation information for the cloud storage service operation into a block chain;
A5: when the user needs to be audited, acquiring at least one piece of operation information of the user from the block chain;
A6: auditing the user according to the at least one piece of operation information of the user.
Preferably, A6 comprises:
judging, according to the at least one piece of operation information of the user, whether the user has executed unauthorized cloud storage service operations N times within a preset time length, and if so, marking the user as a malicious user;
wherein N is a preset value and a positive integer.
Preferably, the operation information includes a user identifier;
A5 comprises:
determining a target user identifier of the user;
acquiring the operation information containing the target user identifier from the block chain;
and marking the operation information containing the target user identifier as the operation information of the user.
Preferably, the operation information includes an operation identifier;
A5 comprises: acquiring the operation information of the user within a preset time period from the block chain;
A6 comprises:
determining a target operation identifier to be counted;
and counting, among the operation information of the user within the preset time period, the number of pieces of operation information containing the target operation identifier.
Preferably, before A1, the method further comprises:
B1: receiving a user name and a password input by the user;
B2: judging whether the user name input by the user exists; if so, executing B3, otherwise prohibiting the user from logging in to the cloud storage system and executing B4;
B3: judging whether the password stored in the cloud storage system for the user name is the same as the password input by the user; if so, allowing the user to log in to the cloud storage system and executing B4, otherwise forbidding the user to log in to the cloud storage system and executing B4;
B4: storing the operation information of the user logging in to the cloud storage system in the block chain.
In a second aspect, the present invention provides a cloud storage system, comprising:
the first determination module is used for determining the cloud storage service operation of the user;
the first judging module is used for judging whether the user has the authority of executing the cloud storage service operation determined by the first determining module, if so, the user is allowed to execute the cloud storage service operation and a first obtaining module is triggered, otherwise, the user is forbidden to execute the cloud storage service operation and the first obtaining module is triggered;
the first obtaining module is configured to obtain operation information, recorded at a user side of the user, of the user for the cloud storage service operation;
the saving module is used for saving the operation information of the cloud storage service operation acquired by the first acquiring module into a block chain;
a second obtaining module, configured to obtain at least one piece of operation information of the user from the operation information in the block chain when the user needs to be reviewed;
and the auditing module is used for auditing the user according to the at least one piece of operation information of the user acquired by the second acquiring module.
Preferably, the auditing module is used for judging, according to the at least one piece of operation information of the user, whether the user has executed unauthorized cloud storage service operations N times within a preset time length, and if so, marking the user as a malicious user;
wherein N is a preset value and a positive integer.
Preferably, the operation information includes a user identifier;
the second obtaining module is configured to determine a target user identifier of the user, obtain the operation information containing the target user identifier from the block chain, and mark the operation information containing the target user identifier as the operation information of the user.
Preferably, the operation information includes an operation identifier;
the second obtaining module is configured to obtain the operation information of the user within a preset time period from the block chain;
the auditing module is used for determining a target operation identifier to be counted and counting, among the operation information of the user within the preset time period, the number of pieces of operation information containing the target operation identifier.
Preferably, the cloud storage system further comprises a verification module, triggered before the first determination module, configured to perform:
B1: receiving a user name and a password input by the user;
B2: judging whether the user name input by the user exists; if so, executing B3, otherwise prohibiting the user from logging in to the cloud storage system and executing B4;
B3: judging whether the password stored in the cloud storage system for the user name is the same as the password input by the user; if so, allowing the user to log in to the cloud storage system and executing B4, otherwise forbidding the user to log in to the cloud storage system and executing B4;
B4: storing the operation information of the user logging in to the cloud storage system in the block chain.
In a third aspect, the present invention provides a system for auditing cloud storage service operations, including: at least one user side and at least one cloud storage system according to any one of the second aspects;
and the user side is used for sending the operation information of the user for the cloud storage service operation to the cloud storage system.
The embodiments of the invention provide a method and a system for auditing cloud storage service operation, and a cloud storage system. Processing is carried out according to the user's authority to access the cloud storage service: a user with the operation authority is allowed to continue executing the subsequent cloud storage service operation, while a user without the operation authority for a cloud storage service operation is prohibited from continuing to access the service of the cloud storage system, and the operation is terminated. Based on the user's operation information for the cloud storage service, the block chain on the server side records the corresponding user operation information. Because of the distributed and decentralized characteristics of the block chain, tampering by an individual node is not accepted by the rest of the network, so data stored on the block chain cannot be altered without detection. When the user needs to be audited, the trusted user operation information to be searched for can be obtained from the block chain. In conclusion, the method for auditing cloud storage service operation provided by the invention does not need to record the operation information of the user accessing the cloud storage service in the form of an audit log, so the user's operation information can be protected from tampering, and trusted operation information of the user accessing the cloud storage service can be tracked.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.
Fig. 1 is a flowchart of a method for auditing operation of a cloud storage service according to an embodiment of the present invention;
FIG. 2 is a flow diagram of a method of auditing cloud storage service operations provided by another embodiment of the invention;
FIG. 3 is a flow diagram of a method of auditing cloud storage service operations provided by yet another embodiment of the present invention;
fig. 4 is a schematic structural diagram of a cloud storage system according to an embodiment of the present invention;
fig. 5 is a schematic structural diagram of a system for auditing operation of a cloud storage service according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer and more complete, the technical solutions in the embodiments of the present invention will be described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention, and based on the embodiments of the present invention, all other embodiments obtained by a person of ordinary skill in the art without creative efforts belong to the scope of the present invention.
As shown in fig. 1, an embodiment of the present invention provides a method for auditing cloud storage service operations, which is applied to a cloud storage system, and the method may include the following steps:
Step 101: determining the cloud storage service operation of a user;
Step 102: judging whether the user has the authority to execute the cloud storage service operation; if so, executing step 103, otherwise executing step 108;
Step 103: allowing the user to perform the cloud storage service operation;
Step 104: acquiring the operation information of the user for the cloud storage service operation, as recorded by the user side of the user;
Step 105: saving the operation information for the cloud storage service operation into a block chain;
Step 106: when the user needs to be audited, acquiring at least one piece of operation information of the user from the block chain;
Step 107: auditing the user according to the at least one piece of operation information of the user.
Step 108: forbidding the user to execute the cloud storage service operation, and proceeding to step 104, so that the refused operation is recorded as well.
In the embodiment of the invention, the cloud storage service operation information of the user can be obtained by determining the cloud storage service operation of the user, and then whether the user has the operation authority to access the cloud storage service is judged. Processing is carried out according to the user's authority to access the cloud storage service: a user with the operation authority is allowed to continue executing the subsequent cloud storage service operation, while a user without the operation authority for a cloud storage service operation is prohibited from continuing to access the service of the cloud storage system, and the operation is terminated. Based on the user's operation information for the cloud storage service, the block chain on the server side records the corresponding user operation information. Because of the distributed and decentralized characteristics of the block chain, tampering by an individual node is not accepted by the rest of the network, so data stored on the block chain cannot be altered without detection. When the user needs to be audited, the trusted user operation information to be searched for can be obtained from the block chain. In conclusion, the method for auditing cloud storage service operation provided by the invention does not need to record the operation information of the user accessing the cloud storage service in the form of an audit log, so the user's operation information can be protected from tampering, and trusted operation information of the user accessing the cloud storage service can be tracked.
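The following is an added example illustrating steps 101 to 108 and the chain of step 105; it is not code from the patent. It stands in for the "block chain" with a single-writer, SHA-256 hash-chained ledger, which is tamper-evident rather than tamper-proof: the tamper-resistance the description attributes to decentralization only holds once the chain is replicated across independent nodes. The ACL, record fields and the choice to have the server write the record from its own decision (rather than accept the record from the user side, which is untrusted input that could omit a refused operation) are assumptions of the example.

```python
"""Hash-chained audit ledger for cloud storage service operations (added example)."""
import hashlib
import json
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed access-control list (assumption): user id -> permitted (operation, file) pairs.
ACL: Dict[str, Set[Tuple[str, str]]] = {
    "xiaoming": {("open", "A"), ("open", "B")},
}

GENESIS_HASH = "0" * 64


@dataclass
class Block:
    index: int
    timestamp: float
    record: dict        # operation information: user id, operation, target, allowed
    prev_hash: str
    block_hash: str = ""

    def compute_hash(self) -> str:
        # Canonical JSON (sorted keys, no whitespace) so identical content hashes identically.
        payload = json.dumps(
            {"index": self.index, "timestamp": self.timestamp,
             "record": self.record, "prev_hash": self.prev_hash},
            sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(payload.encode()).hexdigest()


class AuditChain:
    """Append-only ledger; each block commits to the previous block's hash."""

    def __init__(self) -> None:
        self.blocks: List[Block] = []

    def append(self, record: dict, timestamp: Optional[float] = None) -> Block:
        prev = self.blocks[-1].block_hash if self.blocks else GENESIS_HASH
        blk = Block(len(self.blocks),
                    time.time() if timestamp is None else timestamp,
                    dict(record), prev)
        blk.block_hash = blk.compute_hash()
        self.blocks.append(blk)
        return blk

    def verify(self) -> bool:
        """Recompute every hash and link; False if any stored block was altered."""
        prev = GENESIS_HASH
        for i, blk in enumerate(self.blocks):
            if blk.index != i or blk.prev_hash != prev or blk.compute_hash() != blk.block_hash:
                return False
            prev = blk.block_hash
        return True

    def records_for(self, user_id: str) -> List[dict]:
        """Step 106: pull every record carrying the target user identifier."""
        return [b.record for b in self.blocks if b.record.get("user_id") == user_id]


def authorized(user_id: str, op: str, target: str) -> bool:
    """Step 102: permission check against the constructed ACL."""
    return (op, target) in ACL.get(user_id, set())


def handle_operation(chain: AuditChain, user_id: str, op: str, target: str,
                     timestamp: Optional[float] = None) -> bool:
    """Steps 101-105 and 108: decide, then record the outcome whether allowed or refused.

    The record is written by the server from its own decision; a record supplied
    by the client would be untrusted input.
    """
    allowed = authorized(user_id, op, target)
    chain.append({"user_id": user_id, "op": op, "target": target,
                  "allowed": allowed}, timestamp)
    return allowed


if __name__ == "__main__":
    chain = AuditChain()
    handle_operation(chain, "xiaoming", "open", "A", 1.0)   # permitted
    handle_operation(chain, "xiaoming", "open", "C", 2.0)   # refused, still recorded
    print(chain.records_for("xiaoming"), chain.verify())    # two records, True
    chain.blocks[1].record["allowed"] = True                # alter a stored record
    print(chain.verify())                                   # False
```

Running the block shows the property the audit relies on: editing one stored record (turning a refusal into an approval) invalidates that block's hash and every link after it, so `verify()` fails even though the edit touched a single field.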
In order to identify a user who maliciously accesses the cloud storage service, in an embodiment of the present invention, auditing the user according to the at least one piece of operation information of the user includes:
judging, according to the at least one piece of operation information of the user, whether the user has executed unauthorized cloud storage service operations N times within a preset time length, and if so, marking the user as a malicious user;
wherein N is a preset value and a positive integer.
In the embodiment of the invention, processing depends on whether the user has the operation authority to execute the corresponding cloud storage service. If the user has the access right for the cloud storage service being executed, the user is allowed to continue accessing; if not, the user is prohibited from continuing to execute the operation of accessing the cloud storage service. The operation information of each user is recorded in the block chain, so that the operation information of users accessing the cloud storage service can be audited afterwards. If a user executes unauthorized access operations N times in succession (for example, more than 10 times) within the preset time length (for example, 5 to 10 minutes), the user can be judged to be a malicious user from the user operation information stored in the block chain, the user's access is terminated, and the security of the cloud storage data is protected.
In order to audit operation information of a user, in an embodiment of the present invention, the operation information includes: a user identification;
when the user needs to be audited, acquiring at least one piece of operation information of the user from the block chain includes:
determining a target user identification of the user;
acquiring operation information containing the target user identification from the block chain;
and marking the operation information containing the target user identification as the operation information of the user.
In the embodiment of the present invention, because the operation information of users accessing the cloud storage service is recorded in the block chain, the pieces of operation information containing the target user identifier (e.g., xiaoming) can be found among all the user operation information stored in the block chain and screened out; these pieces of operation information are the operation information of the target user accessing the cloud storage service. When the operation information of a user needs to be audited, the required operation information can be searched for in this way.
In order to count the number of operation information of a user, in an embodiment of the present invention, the operation information includes: an operation identifier;
acquiring the operation information of the user in a preset time period from the block chain;
the auditing the user according to at least one piece of operation information of the user comprises the following steps:
determining a target operation identifier to be counted;
and counting the number of the operation information containing the target operation identifier from the operation information of the user in a preset time period.
In the embodiment of the present invention, when the amount of a user's operation information needs to be counted, a target user identifier (e.g., xiaoming) and a target operation identifier (e.g., 01 for opening file A) are determined first. Because the operation information of the user is recorded on the block chain, the operation information of the user within a preset time period (for example, 3 December to 5 December) can be looked up by the user identifier, and the pieces of operation information carrying the target operation identifier are counted, giving the number of such operations by the user within the preset time period.
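The two audit rules above, the N-unauthorized-operations-in-a-preset-time check and the per-operation-identifier count, as an added example that is not the patent's own code. The records are constructed here with the fields the example assumes (`user_id`, `op_id`, `target`, `allowed`, `ts` in epoch seconds); in the system described they would be the records pulled from the block chain for the target user identifier. The rule counts refused (unauthorized) operations, as the description states, and it uses a sliding window so that a burst straddling a fixed clock boundary is still caught.

```python
"""Audit checks over operation records pulled from the ledger (added example)."""
from collections import deque
from typing import Deque, Iterable, List

BASE = 1_575_360_000  # constructed epoch timestamp: 2019-12-03 08:00:00 UTC

# Constructed operation records (assumed fields: user_id, op_id, target, allowed, ts).
SAMPLE_RECORDS: List[dict] = (
    # Xiaoming: 15 refused attempts on file C, 20 s apart, i.e. all within 5 minutes.
    [{"user_id": "xiaoming", "op_id": "02", "target": "C", "allowed": False,
      "ts": BASE + 20 * i} for i in range(15)]
    # Xiaoming: permitted opens of file A (op id 01) at +1 h, +2 h and +50 h.
    + [{"user_id": "xiaoming", "op_id": "01", "target": "A", "allowed": True,
        "ts": BASE + 3600 * h} for h in (1, 2, 50)]
    # Xiaohong: 9 refusals 400 s apart, never 10 inside any 5-minute window.
    + [{"user_id": "xiaohong", "op_id": "02", "target": "C", "allowed": False,
        "ts": BASE + 400 * i} for i in range(9)]
)


def unauthorized_burst(records: Iterable[dict], user_id: str,
                       n: int, window_seconds: float) -> bool:
    """True if the user has at least n refused operations inside any window.

    A sliding window over the time-sorted refusals: the window holds the
    refusals no older than window_seconds before the current one.
    """
    if n < 1:
        raise ValueError("N must be a positive integer")
    refused = sorted(r["ts"] for r in records
                     if r["user_id"] == user_id and not r["allowed"])
    window: Deque[float] = deque()
    for ts in refused:
        window.append(ts)
        while ts - window[0] > window_seconds:
            window.popleft()
        if len(window) >= n:
            return True
    return False


def count_operation(records: Iterable[dict], user_id: str, op_id: str,
                    start_ts: float, end_ts: float) -> int:
    """Number of the user's records carrying op_id with start_ts <= ts <= end_ts."""
    return sum(1 for r in records
               if r["user_id"] == user_id and r["op_id"] == op_id
               and start_ts <= r["ts"] <= end_ts)


def audit_user(records: Iterable[dict], user_id: str, n: int = 10,
               window_seconds: float = 300) -> dict:
    """Step A6: audit verdict for one user (N = 10 within 5 minutes by default)."""
    records = list(records)
    return {"user_id": user_id,
            "refused": sum(1 for r in records
                           if r["user_id"] == user_id and not r["allowed"]),
            "malicious": unauthorized_burst(records, user_id, n, window_seconds)}


if __name__ == "__main__":
    print(audit_user(SAMPLE_RECORDS, "xiaoming"))   # malicious: True
    print(audit_user(SAMPLE_RECORDS, "xiaohong"))   # malicious: False
    print(count_operation(SAMPLE_RECORDS, "xiaoming", "01", BASE, BASE + 2 * 86400))  # 2
```

Xiaohong's nine refusals over an hour show why the window matters: counting refusals per user alone would make her look like Xiaoming, while the rule as stated (N within a preset time length) separates a slow trickle of mistakes from a burst.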
For the user authentication, in an embodiment of the present invention, before determining the cloud storage service operation of the user, the method further includes:
b1: receiving a user name and a password input by the user;
b2: judging whether the user name input by the user exists, if so, executing B3, otherwise, prohibiting the user from logging in the cloud storage system, and executing B4;
b3: judging whether the password corresponding to the user name stored in the cloud storage system is the same as the password input by the user, if so, allowing the user to log in the cloud storage system, and executing B4, otherwise, forbidding the user to log in the cloud storage system, and executing B4;
b4: and storing the operation information of the user logging in the cloud storage system in a block chain.
In the embodiment of the invention, when a user logs in to the cloud storage system, the identity of the user is checked first, to confirm that the accessing user is a registered user and that the identity is real and valid. The user name and password from the user's initial registration are recorded in the cloud storage system. When the user logs in to the cloud storage system again and inputs a user name and password, the cloud storage system first determines whether the input user name exists; if it exists, the user can proceed to the next step, and if it does not exist, the user cannot log in to the cloud storage system. Where the user name exists, the cloud storage system judges whether the password input by the user is the same as the password stored for the registered user name and acts accordingly: if the passwords are the same, the user can log in to the cloud storage system; if they are not, the user is prohibited from logging in. Because the block chain records all operation information of users accessing the cloud storage service, the login operation information of the user (whether the login succeeded or failed) is also stored in the block chain, which facilitates the subsequent audit of the user's operation information.
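Steps B1 to B4 as an added example that is not the patent's own code. Two choices here are the example's own assumptions rather than the description's literal wording: the stored credential is a salted PBKDF2-HMAC-SHA256 digest compared with `hmac.compare_digest`, instead of a stored password compared for equality, and the caller is told only that the login was refused, whether the user name is unknown (B2) or the password is wrong (B3), while the precise reason goes into the event that B4 records. Returning different answers to the client for the two branches would let anyone enumerate valid user names from the login prompt. The example user xiaoming / xm123 is taken from the description below.

```python
"""Login check of steps B1-B4 with the outcome recorded either way (added example)."""
import hashlib
import hmac
import os
import time
from typing import Dict, Optional, Tuple

ITERATIONS = 100_000          # PBKDF2 work factor (assumption)
DUMMY_SALT = b"\x00" * 16     # so an unknown name costs the same time as a known one


def make_credential(password: str, salt: Optional[bytes] = None) -> Dict[str, bytes]:
    """Store a salted PBKDF2-HMAC-SHA256 digest instead of the password itself."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


# Constructed user store: the description's example user xiaoming with password xm123.
USERS: Dict[str, Dict[str, bytes]] = {"xiaoming": make_credential("xm123")}


def login(username: str, password: str,
          users: Dict[str, Dict[str, bytes]] = USERS,
          now: Optional[float] = None) -> Tuple[bool, dict]:
    """Steps B1-B4. Returns (allowed, event); the event is what B4 stores.

    The caller learns only allowed/refused. The reason (unknown user name
    versus wrong password) is kept in the audit event, not sent to the client.
    """
    ts = time.time() if now is None else now
    cred = users.get(username)
    if cred is None:                                        # B2: user name does not exist
        hashlib.pbkdf2_hmac("sha256", password.encode(), DUMMY_SALT, ITERATIONS)
        allowed, reason = False, "unknown_user"
    else:                                                   # B3: compare the password
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                        cred["salt"], ITERATIONS)
        if hmac.compare_digest(candidate, cred["hash"]):
            allowed, reason = True, "ok"
        else:
            allowed, reason = False, "bad_password"
    event = {"user_id": username, "op_id": "login",                  # B4: record either way
             "allowed": allowed, "reason": reason, "ts": ts}
    return allowed, event


if __name__ == "__main__":
    print(login("xiaoming", "xm123", now=1.0))   # allowed, reason ok
    print(login("xiaoming", "XM123", now=2.0))   # refused, reason bad_password
    print(login("nobody", "xm123", now=3.0))     # refused, reason unknown_user
```

The returned event is the "operation information of the user logging in" of step B4; in the system described it would be appended to the block chain like any other operation record, so failed logins are available to the audit of step A6 as well.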
As shown in fig. 2, in order to more clearly illustrate the technical solution and advantages of the present invention, the following describes in detail a method for auditing cloud storage service operations provided by the present invention, and specifically may include the following steps:
step 201: receiving a user name and a password input by a user;
step 202: judging whether the user name input by the user exists, if so, executing step 214, otherwise, executing step 218;
step 203: allowing a user to log in the cloud storage system;
step 204: judging whether a password corresponding to a user name stored in the cloud storage system is the same as the password input by the user, if so, executing the step 205, otherwise, executing the step 218;
Specifically, in order to verify the identity of the user, the user accessing the cloud storage system is confirmed to be a user registered with the cloud storage system, so that the identity is real and valid. First it is judged whether the user name and password input at login are the same as the user name and password registered initially; the user can log in to the cloud storage system only if both are exactly the same.
For example, if the login name and password confirmed at the user's first registration are xiaoming and xm123 respectively, the user can log in to the cloud storage system and perform subsequent operations only by inputting exactly that user name and password.
Step 206: determining cloud storage service operation of a user;
step 207: judging whether the user has the authority to execute the cloud storage service operation, if so, executing step 208, otherwise, executing step 217;
step 208: allowing a user to perform cloud storage service operations;
Specifically, when a user has logged in to the cloud storage system and wants to perform subsequent operations, it is first determined whether the user has permission to perform those operations; if so, the user may continue, and if not, the user is prohibited from accessing.
For example, if the registered user Xiaoming of the cloud storage system has access rights to file A and file B but not to file C, Xiaoming can only open file A and file B and cannot open file C.
Specifically, according to the scheme, the user's operations accessing the cloud storage service are recorded in real time on the block chain. Because of the distributed and decentralized characteristics of the block chain, tampering by an individual node is not accepted by the rest of the network, so data stored on the block chain cannot be altered without detection, and the security of user data can be guaranteed.
wherein, N is a preset value and is a positive integer.
Specifically, when the operation information of a user is to be examined to judge whether the user is malicious, the user's operation information within the preset time length is first found by the user identifier and the preset time length; then it is judged from the operation identifiers whether the user has executed cloud storage service operations without permission N times, and if so, the user is marked as a malicious user.
For example, assume the user is Xiaoming and the user identifier is xiaoming;
the preset time length is set to 5 to 10 minutes;
the preset value N is set to more than 10 times.
Assuming Xiaoming attempts to open file A up to 15 times in succession within 5 minutes without permission, Xiaoming is marked as a malicious user.
Step 217: forbidding the user to execute the cloud storage service operation, and returning to step 209;
Step 218: forbidding the user to log in to the cloud storage system, and returning to step 209.
As shown in fig. 3, an embodiment of the present invention further provides another method for auditing cloud storage service operations, which may specifically include the following steps:
Step 301: receiving a user name and a password input by a user;
Step 302: judging whether the user name input by the user exists; if so, executing step 303, otherwise executing step 318;
Step 303: allowing the user to log in to the cloud storage system;
Step 304: judging whether the password corresponding to the user name stored in the cloud storage system is the same as the password input by the user; if so, executing step 305, otherwise executing step 318;
Step 305: allowing the user to log in to the cloud storage system;
Step 306: determining the cloud storage service operation of the user;
Step 307: judging whether the user has the authority to execute the cloud storage service operation; if so, executing step 308, otherwise executing step 317;
Step 308: allowing the user to perform the cloud storage service operation;
Step 309: acquiring the operation information of the user for the cloud storage service operation, as recorded by the user side of the user;
Step 311: when the user needs to be audited, determining the target user identifier and the operation identifier of the user;
Step 313: marking the operation information containing the target user identifier as the operation information of the user;
Step 316: counting the number of pieces of operation information containing the target operation identifier among the operation information of the user within the preset time period.
Specifically, when the number of pieces of operation information of a user within the preset time needs to be counted, the target user identifier of the target user is determined first, and then the pieces of operation information within the preset time are counted.
For example, if the operation identifier for the user opening file A is 01 and the preset time is 5 minutes, the number of pieces of operation information recording that the user opened file A within 5 minutes is the counted number.
Step 317: prohibiting the user from executing the cloud storage service operation, and returning to step 309;
Step 318: prohibiting the user from logging in to the cloud storage system, and returning to step 309.
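The flow of steps 301 to 318 as an added worked example in Python (not code from the patent): credential verification, the authority check, recording every operation as a piece of operation information whether it was allowed or prohibited, and the two audit rules the embodiments describe (N unauthorized operations within a preset time length, and counting operations by identifier, using the page's own example of identifier 01 for opening file A within 5 minutes). The ledger here is a plain in-memory list standing in for the blockchain; the account names, passwords, the second operation identifier and the timestamps are constructed.

```python
from dataclasses import dataclass, field
from hmac import compare_digest

# Operation identifier taken from the page's own example: "01" = opening file A.
OP_OPEN_FILE_A = "01"
OP_DELETE_FILE_B = "02"   # constructed second operation, not from the page
LOGIN = "login"           # constructed marker for login attempts (B4 records these too)

# Constructed account table: user name -> (password, operation identifiers the user may execute)
ACCOUNTS = {
    "alice": ("alice-pass", {OP_OPEN_FILE_A, OP_DELETE_FILE_B}),
    "bob": ("bob-pass", {OP_OPEN_FILE_A}),
}


@dataclass
class Record:
    """One piece of operation information: user identifier, operation identifier,
    whether the operation was authorized, and a timestamp in seconds."""
    user_id: str
    op_id: str
    authorized: bool
    ts: int


@dataclass
class CloudStorageAuditor:
    # Plain append-only list standing in for the blockchain of step 309 / A4.
    ledger: list = field(default_factory=list)

    def login(self, username: str, password: str, ts: int) -> bool:
        """Steps 301-305 (B1-B4): check that the user name exists and the stored password
        matches (constant-time compare), then record the attempt whether or not it succeeded."""
        account = ACCOUNTS.get(username)
        ok = account is not None and compare_digest(account[0], password)
        self.ledger.append(Record(username, LOGIN, ok, ts))
        return ok

    def perform(self, username: str, op_id: str, ts: int) -> bool:
        """Steps 306-309 and 317: check authority for the operation, allow or prohibit it,
        and record the operation information either way."""
        _, permitted_ops = ACCOUNTS.get(username, ("", set()))
        permitted = op_id in permitted_ops
        self.ledger.append(Record(username, op_id, permitted, ts))
        return permitted

    def records_for(self, user_id: str, start: int, end: int) -> list:
        """Steps 311-313 (A5): operation information carrying the target user identifier
        inside the preset time period [start, end]."""
        return [r for r in self.ledger if r.user_id == user_id and start <= r.ts <= end]

    def is_malicious(self, user_id: str, n: int, window: int) -> bool:
        """A6 / claim 2: the user executed operations without authority N times within a
        preset time length. Login attempts are not service operations and are excluded."""
        times = sorted(r.ts for r in self.ledger
                       if r.user_id == user_id and not r.authorized and r.op_id != LOGIN)
        # slide a window of N consecutive unauthorized operations over the sorted timestamps
        return any(times[i + n - 1] - times[i] <= window for i in range(len(times) - n + 1))

    def count_ops(self, user_id: str, op_id: str, start: int, end: int) -> int:
        """Step 316 / claim 4: number of pieces of operation information with the target
        operation identifier among the user's operation information in the period."""
        return sum(1 for r in self.records_for(user_id, start, end) if r.op_id == op_id)


def demo() -> dict:
    """Constructed scenario: bob fails one login, logs in, opens file A three times inside
    five minutes (300 s) and then attempts three deletes of file B he has no authority for."""
    aud = CloudStorageAuditor()
    aud.login("bob", "wrong-pass", ts=0)         # recorded as a failed login (B4)
    aud.login("bob", "bob-pass", ts=5)
    for t in (10, 70, 200):
        aud.perform("bob", OP_OPEN_FILE_A, t)
    for t in (250, 260, 280):
        aud.perform("bob", OP_DELETE_FILE_B, t)  # prohibited, but still recorded (step 317 -> 309)
    return {
        "opens_of_A_in_5min": aud.count_ops("bob", OP_OPEN_FILE_A, 0, 300),   # 3
        "bob_malicious_N3": aud.is_malicious("bob", 3, 300),                  # True
        "bob_malicious_N4": aud.is_malicious("bob", 4, 300),                  # False
        "alice_malicious": aud.is_malicious("alice", 1, 300),                 # False
    }


if __name__ == "__main__":
    print(demo())
```

Prohibited operations are written to the ledger exactly like permitted ones; that is what lets the audit of claim 2 be computed from the ledger afterwards rather than from the access-control decision at the time.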
As shown in fig. 4, an embodiment of the present invention provides a cloud storage system, including:
a first determining module 401, configured to determine the cloud storage service operation of the user;
a first judging module 402, configured to judge whether the user has the authority to execute the cloud storage service operation determined by the first determining module 401; if so, allow the user to execute the cloud storage service operation and trigger a first obtaining module 403, otherwise prohibit the user from executing the cloud storage service operation and trigger the first obtaining module 403;
the first obtaining module 403, configured to obtain the operation information, recorded at the user side of the user, of the user for the cloud storage service operation;
a saving module 404, configured to save the operation information of the cloud storage service operation acquired by the first obtaining module 403 into a blockchain;
a second obtaining module 405, configured to obtain at least one piece of operation information of the user from the operation information in the blockchain when the user needs to be audited;
an auditing module 406, configured to audit the user according to the at least one piece of operation information of the user acquired by the second obtaining module 405.
In the embodiment of the invention, the cloud storage service operation information of the user can be acquired by determining the cloud storage service operation of the user, after which the first judging module 402 judges whether the user has the authority to execute the cloud storage service operation determined by the first determining module 401, and the corresponding processing is carried out according to that authority. A user who has the operation authority is allowed to continue with the subsequent cloud storage service operation; for a cloud storage service operation the user has no authority for, the user is prohibited from continuing to access the service of the cloud storage system, and the operation is terminated. The cloud storage system then stores the operation information for the cloud storage service operation, recorded by the user side and obtained by the first obtaining module 403, in the blockchain. Because of the distributed and decentralized characteristics of the blockchain, tampering by an individual node cannot be approved by the whole network, so the data stored on the blockchain cannot be tampered with. When the user needs to be audited, the user can be audited according to the user operation information acquired by the second obtaining module 405. In summary, the method for auditing cloud storage service operations provided by the invention does not record the operation information of users accessing the cloud storage service in the form of an audit log, so the operation information cannot be tampered with, and the credible operation information of users accessing the cloud storage service can be tracked.
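The paragraph above rests on the blockchain making stored operation information tamper-evident. As an added illustration (not part of the patent), the following Python builds a minimal hash-chained append-only ledger holding constructed operation information and shows what re-verification catches: editing a stored record breaks that block's hash, and recomputing the edited block's hash only moves the break to the next block's link. This models tamper evidence within one copy of the chain only; the distributed consensus across the whole network that the page relies on is not modelled.

```python
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value of the first block (constructed convention)


def block_hash(index: int, prev_hash: str, record: dict) -> str:
    """SHA-256 over a canonical JSON encoding, so the same record always hashes the same."""
    payload = json.dumps({"index": index, "prev": prev_hash, "record": record},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


class Ledger:
    """Append-only list of blocks, each linked to its predecessor by hash.
    Stands in for the blockchain the patent stores operation information in."""

    def __init__(self):
        self.blocks = []  # each block: {"index", "prev", "record", "hash"}

    def append(self, record: dict) -> None:
        prev = self.blocks[-1]["hash"] if self.blocks else GENESIS
        index = len(self.blocks)
        self.blocks.append({"index": index, "prev": prev, "record": record,
                            "hash": block_hash(index, prev, record)})

    def verify(self) -> int:
        """Return the index of the first block whose own hash or backward link is
        inconsistent, or -1 if the whole chain is intact."""
        prev = GENESIS
        for i, b in enumerate(self.blocks):
            if b["index"] != i or b["prev"] != prev or b["hash"] != block_hash(i, b["prev"], b["record"]):
                return i
            prev = b["hash"]
        return -1


def demo_tamper() -> tuple:
    """Constructed operation information (user identifier, operation identifier,
    authorized flag, timestamp), then two local edits to block 1."""
    ledger = Ledger()
    ledger.append({"user": "bob", "op": "02", "authorized": False, "ts": 250})
    ledger.append({"user": "bob", "op": "02", "authorized": False, "ts": 260})
    ledger.append({"user": "bob", "op": "01", "authorized": True, "ts": 290})
    intact = ledger.verify()                          # -1: chain is consistent

    # Edit 1: rewrite an unauthorized operation as authorized; block 1's hash no longer matches
    ledger.blocks[1]["record"]["authorized"] = True
    after_edit = ledger.verify()                      # 1

    # Edit 2: also recompute block 1's hash; now block 2's "prev" link is the stale value
    b = ledger.blocks[1]
    b["hash"] = block_hash(1, b["prev"], b["record"])
    after_rehash = ledger.verify()                    # 2

    return intact, after_edit, after_rehash


if __name__ == "__main__":
    print(demo_tamper())
```

A single copy of the chain can be rewritten from the edited block to the tip and will then verify clean again; detecting that requires comparing against other copies, which is the role the page assigns to the distributed network rather than to the hash chain itself.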
In an embodiment of the present invention, the auditing module 406 is configured to judge, according to the at least one piece of operation information of the user, whether the user has executed the cloud storage service operation without authority N times within a preset time period, and if so, to mark the user as a malicious user;
where N is a preset value and a positive integer.
In an embodiment of the present invention, the operation information includes a user identifier;
the second obtaining module 405 is configured to determine the target user identifier of the user, obtain the operation information containing the target user identifier from the blockchain, and mark the operation information containing the target user identifier as the operation information of the user.
In an embodiment of the present invention, the operation information includes an operation identifier;
the second obtaining module 405 is configured to obtain the operation information of the user within a preset time period from the blockchain;
the auditing module 406 is configured to determine the target operation identifier to be counted, and to count the number of pieces of operation information containing the target operation identifier among the operation information of the user within the preset time period.
In an embodiment of the present invention, the cloud storage system further includes a verification module 407, which runs before the first determining module 401 and is configured to perform:
B1: receiving a user name and a password input by the user;
B2: judging whether the user name input by the user exists; if so, executing B3, otherwise prohibiting the user from logging in to the cloud storage system and executing B4;
B3: judging whether the password corresponding to the user name stored in the cloud storage system is the same as the password input by the user; if so, allowing the user to log in to the cloud storage system and executing B4, otherwise prohibiting the user from logging in to the cloud storage system and executing B4;
B4: storing the operation information of the user logging in to the cloud storage system in the blockchain.
An embodiment of the present invention further provides a cloud storage system, including at least one memory and at least one processor;
the at least one memory is configured to store a machine-readable program;
the at least one processor is configured to call the machine-readable program to execute the method for auditing cloud storage service operations in any embodiment of the invention.
An embodiment of the present invention further provides a computer-readable medium, where computer instructions are stored on the computer-readable medium, and when executed by a processor, the computer instructions cause the processor to execute the method for auditing cloud storage service operations in any embodiment of the present invention. Specifically, a system or an apparatus equipped with a storage medium on which software program codes that realize the functions of any of the above-described embodiments are stored may be provided, and a computer (or a CPU or MPU) of the system or the apparatus is caused to read out and execute the program codes stored in the storage medium.
In this case, the program code itself read from the storage medium can realize the functions of any of the above-described embodiments, and thus the program code and the storage medium storing the program code constitute a part of the present invention.
Examples of the storage medium for supplying the program code include a floppy disk, a hard disk, a magneto-optical disk, an optical disk (e.g., CD-ROM, CD-R, CD-RW, DVD-ROM, DVD-RAM, DVD-RW, DVD + RW), a magnetic tape, a nonvolatile memory card, and a ROM. Alternatively, the program code may be downloaded from a server computer via a communications network.
Further, it should be clear that the functions of any one of the above-described embodiments may be implemented not only by executing the program code read out by the computer, but also by causing an operating system or the like operating on the computer to perform a part or all of the actual operations based on instructions of the program code.
Further, it is to be understood that the program code read out from the storage medium is written to a memory provided in an expansion board inserted into the computer or to a memory provided in an expansion unit connected to the computer, and then causes a CPU or the like mounted on the expansion board or the expansion unit to perform part or all of the actual operations based on instructions of the program code, thereby realizing the functions of any of the above-described embodiments.
As shown in fig. 5, an embodiment of the present invention further provides a system for auditing cloud storage service operations, including at least one user side 501 and a cloud storage system 502;
the user side is configured to send the operation information of the user for the cloud storage service operation to the cloud storage system.
In this embodiment, all the operation information of the user accessing the cloud storage system is first written into the blockchain at the user side. Based on the distributed and decentralized characteristics of the blockchain, the operation information of the user recorded by the user side is synchronized with the operation information at the server side, so the operation information of the user for the cloud storage service operation reaches the cloud storage system and the security of the data is guaranteed.
It is to be understood that the illustrated structure of the embodiment of the present invention does not constitute a specific limitation to the cloud storage system. In other embodiments of the invention, the cloud storage system may include more or fewer components than illustrated, or some components may be combined, some components may be split, or a different arrangement of components. The illustrated components may be implemented in hardware, software, or a combination of software and hardware.
Because the information interaction, execution process, and other contents between the units in the device are based on the same concept as the method embodiment of the present invention, specific contents may refer to the description in the method embodiment of the present invention, and are not described herein again.
The embodiments of the invention have at least the following beneficial effects:
1. In an embodiment of the invention, by determining the cloud storage service operation of the user, the cloud storage service operation information of the user can be acquired, and it is then judged whether the user has the operation authority for accessing the cloud storage service; the corresponding processing is executed according to that authority. A user who has the operation authority is allowed to continue with the subsequent cloud storage service operation; for a cloud storage service operation the user has no authority for, the user is prohibited from continuing to access the service of the cloud storage system, and the operation is terminated. Based on the operation information of the user for the cloud storage service, the blockchain at the server side records the corresponding user operation information. Because of the distributed and decentralized characteristics of the blockchain, tampering by an individual node cannot be approved by the whole network, so the data stored on the blockchain cannot be tampered with. When the user needs to be audited, the credible user operation information being searched for can be obtained from the blockchain. In summary, the method for auditing cloud storage service operations provided by the invention does not record the operation information of users accessing the cloud storage service in the form of an audit log, so the operation information cannot be tampered with, and the credible operation information of users accessing the cloud storage service can be tracked.
2. In an embodiment of the present invention, corresponding processing is performed according to whether a user has an operation right to execute a corresponding cloud storage service. If the cloud storage service executed by the user has the access right, allowing the user to continue accessing; if the user does not have the access right, the user is prohibited from continuing to execute the operation of accessing the cloud storage service, and the operation information of each user is recorded in the blockchain, so that the follow-up audit is conducted on the operation information of the user accessing the cloud storage service. If the user continuously executes the unauthorized access operation for N times within the preset time, the user can be judged to be a malicious user according to the user operation information stored in the block chain, so that the access operation of the user is terminated, and the safety of the cloud storage data is ensured.
3. In the embodiment of the invention, when the number of the operation information of the user needs to be counted, the target user identifier and the operation identifier need to be determined first. Because the operation information of the user is recorded on the block chain, the operation information of the user in the preset time period can be searched according to the user identification of the user, and the operation information quantity is counted, so that the operation information quantity in the preset time period of the user is counted.
It should be noted that not all steps and modules in the above flows and system structure diagrams are necessary, and some steps or modules may be omitted according to actual needs. The execution order of the steps is not fixed and can be adjusted as required. The system structure described in the above embodiments may be a physical structure or a logical structure, that is, some modules may be implemented by the same physical entity, or some modules may be implemented by a plurality of physical entities, or some components in a plurality of independent devices may be implemented together.
In the above embodiments, the hardware unit may be implemented mechanically or electrically. For example, a hardware element may comprise permanently dedicated circuitry or logic (such as a dedicated processor, FPGA or ASIC) to perform the corresponding operations. The hardware elements may also comprise programmable logic or circuitry, such as a general purpose processor or other programmable processor, that may be temporarily configured by software to perform the corresponding operations. The specific implementation (mechanical, or dedicated permanent, or temporarily set) may be determined based on cost and time considerations.
While the invention has been shown and described in detail in the drawings and in the preferred embodiments, it is not intended to limit the invention to the embodiments disclosed, and it will be apparent to those skilled in the art that various combinations of the code auditing means in the various embodiments described above may be used to obtain further embodiments of the invention, which are also within the scope of the invention.
Claims (10)
1. A method for auditing cloud storage service operations, applied to a cloud storage system and comprising the following steps:
A1: determining a cloud storage service operation of a user;
A2: judging whether the user has the authority to execute the cloud storage service operation; if so, allowing the user to execute the cloud storage service operation and executing A3, otherwise prohibiting the user from executing the cloud storage service operation and executing A3;
A3: acquiring the operation information of the user for the cloud storage service operation, as recorded by a user side of the user;
A4: saving the operation information for the cloud storage service operation into a blockchain;
A5: when the user needs to be audited, acquiring at least one piece of operation information of the user from the blockchain;
A6: auditing the user according to the at least one piece of operation information of the user.
2. The method for auditing cloud storage service operations of claim 1,
wherein A6 comprises:
judging, according to the at least one piece of operation information of the user, whether the user has executed the cloud storage service operation without authority N times within a preset time length, and if so, marking the user as a malicious user;
where N is a preset value and a positive integer.
3. The method for auditing cloud storage service operations of claim 1,
wherein the operation information includes a user identifier;
and A5 comprises:
determining a target user identifier of the user;
acquiring the operation information containing the target user identifier from the blockchain;
and marking the operation information containing the target user identifier as the operation information of the user.
4. The method for auditing cloud storage service operations of claim 1,
wherein the operation information includes an operation identifier;
acquiring the operation information of the user within a preset time period from the blockchain;
and A6 comprises:
determining a target operation identifier to be counted;
and counting the number of pieces of operation information containing the target operation identifier among the operation information of the user within the preset time period.
5. The method for auditing cloud storage service operations of any one of claims 1-4,
further comprising, before A1:
B1: receiving a user name and a password input by the user;
B2: judging whether the user name input by the user exists; if so, executing B3, otherwise prohibiting the user from logging in to the cloud storage system and executing B4;
B3: judging whether the password corresponding to the user name stored in the cloud storage system is the same as the password input by the user; if so, allowing the user to log in to the cloud storage system and executing B4, otherwise prohibiting the user from logging in to the cloud storage system and executing B4;
B4: storing the operation information of the user logging in to the cloud storage system in the blockchain.
6. A cloud storage system, comprising:
the first determination module is used for determining the cloud storage service operation of the user;
the first judging module is used for judging whether the user has the authority of executing the cloud storage service operation determined by the first determining module, if so, the user is allowed to execute the cloud storage service operation and a first obtaining module is triggered, otherwise, the user is forbidden to execute the cloud storage service operation and the first obtaining module is triggered;
the first obtaining module is configured to obtain operation information, recorded at a user side of the user, of the user for the cloud storage service operation;
the saving module is used for saving the operation information of the cloud storage service operation acquired by the first acquiring module into a block chain;
a second obtaining module, configured to obtain at least one piece of operation information of the user from the operation information in the block chain when the user needs to be reviewed;
and the auditing module is used for auditing the user according to the at least one piece of operation information of the user acquired by the second acquiring module.
7. The cloud storage system of claim 6,
the auditing module is used for judging whether the user executes the unauthorized cloud storage service operation for N times within a preset time length according to at least one piece of operation information of the user, and if so, marking the user as a malicious user;
wherein, N is a preset value and is a positive integer.
8. The cloud storage system of claim 6,
the operation information includes: a user identification;
the second obtaining module is configured to determine a target user identifier of the user, obtain operation information including the target user identifier from the blockchain, and mark the operation information including the target user identifier as the operation information of the user.
9. The cloud storage system of any of claims 6-8,
the operation information includes: an operation identifier;
the second obtaining module is configured to obtain operation information of the user within a preset time period from the block chain;
the auditing module is used for determining a target operation identifier to be counted and counting the number of operation information containing the target operation identifier from the operation information of the user in a preset time period;
and/or
further comprising:
a verification module configured to perform:
B1: receiving a user name and a password input by the user;
B2: judging whether the user name input by the user exists; if so, executing B3, otherwise prohibiting the user from logging in to the cloud storage system and executing B4;
B3: judging whether the password corresponding to the user name stored in the cloud storage system is the same as the password input by the user; if so, allowing the user to log in to the cloud storage system and executing B4, otherwise prohibiting the user from logging in to the cloud storage system and executing B4;
B4: storing the operation information of the user logging in to the cloud storage system in the blockchain.
10. A system for auditing cloud storage service operations, comprising: at least one user side and at least one cloud storage system according to any one of claims 5-9;
and the user side is used for sending the operation information of the user for the cloud storage service operation to the cloud storage system.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201911255528.2A CN111131191A (en) | 2019-12-10 | 2019-12-10 | Method and system for auditing cloud storage service operation and cloud storage system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201911255528.2A CN111131191A (en) | 2019-12-10 | 2019-12-10 | Method and system for auditing cloud storage service operation and cloud storage system |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN111131191A true CN111131191A (en) | 2020-05-08 |
Family
ID=70497850
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201911255528.2A Pending CN111131191A (en) | 2019-12-10 | 2019-12-10 | Method and system for auditing cloud storage service operation and cloud storage system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN111131191A (en) |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109190410A (en) * | 2018-09-26 | 2019-01-11 | 华中科技大学 | A kind of log behavior auditing method based on block chain under cloud storage environment |
| CN109189857A (en) * | 2018-09-17 | 2019-01-11 | 北京京东尚科信息技术有限公司 | Data-sharing systems, method and apparatus based on block chain |
| CN109241181A (en) * | 2018-08-08 | 2019-01-18 | 北京百度网讯科技有限公司 | Database operation method and device |
| CN109347941A (en) * | 2018-10-10 | 2019-02-15 | 南京简诺特智能科技有限公司 | A kind of data sharing platform and its implementation based on block chain |
| CN109741162A (en) * | 2018-09-03 | 2019-05-10 | 上海奥若拉信息科技集团有限公司 | The storage of personal collage-credit data, processing, sharing method and system based on block chain |
Events
- 2019-12-10 CN CN201911255528.2A patent/CN111131191A/en active Pending
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109241181A (en) * | 2018-08-08 | 2019-01-18 | 北京百度网讯科技有限公司 | Database operation method and device |
| CN109741162A (en) * | 2018-09-03 | 2019-05-10 | 上海奥若拉信息科技集团有限公司 | The storage of personal collage-credit data, processing, sharing method and system based on block chain |
| CN109189857A (en) * | 2018-09-17 | 2019-01-11 | 北京京东尚科信息技术有限公司 | Data-sharing systems, method and apparatus based on block chain |
| CN109190410A (en) * | 2018-09-26 | 2019-01-11 | 华中科技大学 | A kind of log behavior auditing method based on block chain under cloud storage environment |
| CN109347941A (en) * | 2018-10-10 | 2019-02-15 | 南京简诺特智能科技有限公司 | A kind of data sharing platform and its implementation based on block chain |
Similar Documents
| Publication | Title |
|---|---|
| CN106230851B (en) | Data security method and system based on block chain |
| US11418499B2 (en) | Password security |
| CN111274046A (en) | Service call validity detection method and device, computer equipment and computer storage medium |
| CN115225350B (en) | Government cloud encryption login verification method based on national secret certificate and storage medium |
| US20180176206A1 (en) | Dynamic Data Protection System |
| CN112163199B (en) | Login authentication method, device, equipment and storage medium using public account |
| US10594693B2 (en) | Electronic device identification |
| CN112800404A (en) | Cross-link access control method and device |
| CN116074843B (en) | Zero trust security trusted audit method for 5G dual-domain private network |
| CN110049028B (en) | Method and device for monitoring domain control administrator, computer equipment and storage medium |
| CN117118750A (en) | Data sharing method and device based on white-box password, electronic equipment and medium |
| CN111191240B (en) | Method, device and equipment for collecting Internet electronic evidence |
| CN110807187B (en) | Block chain-based network market illegal information evidence storing method and platform terminal |
| CN111783047A (en) | RPA (resilient packet Access) automatic safety protection method and device |
| CN113065122A (en) | Temporary authority management method, device and computer readable medium |
| CN110677483B (en) | Information processing system and trusted security management system |
| CN111131191A (en) | Method and system for auditing cloud storage service operation and cloud storage system |
| CN110958236A (en) | Dynamic authorization method of operation and maintenance auditing system based on risk factor insight |
| CN111953637B (en) | Application service method and device |
| CN110334514B (en) | Method and device for verifying measurement report based on trusted computing platform |
| CN115906109A (en) | Data audit method, device and storage medium |
| CN117040927B (en) | Password service monitoring system and method |
| Banas | Cloud forensic framework for iaas with support for volatile memory |
| CN114186141A (en) | Illegal client detection method, device, equipment and medium |
| CN118413366B (en) | Method, product, equipment and medium for preventing database from being attacked |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | RJ01 | Rejection of invention patent application after publication | Application publication date: 20200508 |