
The Key Technology Research Of File Security Auditing System Based On The Kernel Mechanism

Posted on: 2012-12-26
Degree: Master
Type: Thesis
Country: China
Candidate: Y Zhang
Full Text: PDF
GTID: 2218330368982096
Subject: Computer application technology
Abstract/Summary:
As computer network technology develops continuously, enterprise informatization has become widespread. More and more electronic files are replacing traditional paper files on intranets. While this change brings convenience, the data security problem of the intranet is becoming increasingly prominent. For instance, illegal intruders who have obtained users' permissions make unauthorized accesses to sensitive data, which leads to information leakage, theft and destruction. How to establish an effective file security auditing system has become a preoccupation of enterprises.

From an implementation perspective, most functions of the existing file security auditing systems at home and abroad are realized in the application layer. In practical application they reveal many defects. For instance, encryption at the application layer is inconvenient for users. The plaintext stored on the hard disk during file decryption can be accessed by illegal processes. Their safety relies only on the cryptographic mechanism and has no protection from the operating system kernel. Real-time file monitoring based on the application layer often misses alarms. Moreover, the auditing accuracy for abnormal files is not high. To solve these problems, the related key technologies need to be studied and improved, which is the starting point of the subject of this paper.

This paper puts forward a method of realizing a file security auditing system based on the kernel-mode mechanism, after a thorough study and analysis of the Windows NT file system and filter driver development technology. Aiming at the research of the key technologies of a file security auditing system, this paper mainly obtains the following results:

This paper focuses on using a Windows file system filter driver to implement confidential file encryption, and verifies that this technology is transparent, real-time and efficient in data encryption. This technology can effectively reconcile the contradiction between user-friendliness and data security.

This paper realizes real-time file monitoring by intercepting the IRPs sent to the file system. This method is accurate and efficient in monitoring files.

This paper proposes a new method for detecting abnormal PE files based on real-time file monitoring in the kernel mechanism. This method judges whether a PE file is abnormal by combining file attributes with log auditing of the file's behaviour log produced by the real-time file monitoring. This method has high precision in identifying novel PE files. It can promptly discover abnormal files and take on the role of initiative host defense.
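The third result describes judging a PE file by combining its file attributes with the behaviour log that real-time monitoring produces. The Python script below is an added illustration of that combination and is not code from the thesis: it parses a few header attributes from constructed PE images, reads a constructed monitoring log of the kind an IRP-intercepting filter could write, and merges static and behavioural findings into one weighted score. The log line format, the rules, the weights and the threshold are all assumptions chosen for the example, not the thesis's values.

```python
import re
import struct
from collections import defaultdict

# ---------- static side: minimal PE header attributes ----------

def build_minimal_pe(num_sections, entry_point, size_of_image, characteristics=0x0102):
    """Constructed test data: a PE32 image with only DOS stub, COFF and optional headers."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                    # e_lfanew: PE signature at 0x40
    coff = struct.pack("<HHIIIHH", 0x014C, num_sections, 0, 0, 0, 224, characteristics)
    opt = bytearray(224)                                      # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)                     # Magic: PE32
    struct.pack_into("<I", opt, 16, entry_point)              # AddressOfEntryPoint (RVA)
    struct.pack_into("<I", opt, 56, size_of_image)            # SizeOfImage
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def parse_pe_attributes(data):
    """Return the header attributes the detector uses, or None if data is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    _machine, nsec, _ts, _sym, _nsym, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    if opt_size < 60 or opt + opt_size > len(data):
        return None
    return {
        "sections": nsec,
        "entry_point": struct.unpack_from("<I", data, opt + 16)[0],
        "size_of_image": struct.unpack_from("<I", data, opt + 56)[0],
        "is_dll": bool(chars & 0x2000),                       # IMAGE_FILE_DLL
    }


def static_findings(attrs):
    """Header-level anomalies with illustrative weights (assumed, not from the thesis)."""
    findings = []
    if attrs["sections"] == 0:
        findings.append(("no_sections", 2))
    if attrs["entry_point"] >= attrs["size_of_image"] or (attrs["entry_point"] == 0 and not attrs["is_dll"]):
        findings.append(("entry_point_outside_image", 2))
    return findings

# ---------- behavioural side: constructed monitoring log ----------

LOG_RE = re.compile(r"^(\S+) pid=(\d+) proc=(\S+)\s+op=(\S+)\s+path=(.*?)(?: new=(.*))?$")

def parse_log(lines):
    """Parse the assumed log format: '<time> pid=<n> proc=<name> op=<OP> path=<p> [new=<p>]'."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ts, pid, proc, op, path, new = m.groups()
            events.append({"ts": ts, "pid": int(pid), "proc": proc, "op": op, "path": path, "new": new})
    return events


def behavior_findings(events):
    """Per final path: who wrote it, whether it was renamed into a PE name, and who executed it."""
    writers, executors, renamed_to_pe = defaultdict(set), defaultdict(set), set()
    for ev in events:
        if ev["op"] == "WRITE":
            writers[ev["path"]].add(ev["pid"])
        elif ev["op"] == "RENAME" and ev["new"]:
            writers[ev["new"]] |= writers.pop(ev["path"], set()) | {ev["pid"]}
            if not ev["path"].lower().endswith((".exe", ".dll")) and ev["new"].lower().endswith((".exe", ".dll")):
                renamed_to_pe.add(ev["new"])
        elif ev["op"] == "EXECUTE":
            executors[ev["path"]].add(ev["pid"])
    result = defaultdict(list)
    for path in set(writers) | set(executors) | renamed_to_pe:
        if writers[path] & executors[path]:                   # same process wrote it, then ran it
            result[path].append(("written_then_executed_by_same_process", 2))
        if path in renamed_to_pe:
            result[path].append(("renamed_to_pe_extension", 1))
    return result


def audit(files, log_lines, threshold=3):
    """Combine static header attributes with monitored behaviour; score >= threshold -> abnormal."""
    behaviour = behavior_findings(parse_log(log_lines))
    report = {}
    for path, data in files.items():
        attrs = parse_pe_attributes(data)
        if attrs is None:
            continue                                          # not a PE file: out of scope here
        findings = static_findings(attrs) + behaviour.get(path, [])
        score = sum(w for _, w in findings)
        report[path] = {"score": score, "findings": [n for n, _ in findings], "abnormal": score >= threshold}
    return report

# ---------- constructed sample input ----------

TEMP_EXE = r"C:\Users\zhang\AppData\Local\Temp\update.exe"
TOOL_EXE = r"C:\Program Files\Tool\tool.exe"
SAMPLE_FILES = {
    TEMP_EXE: build_minimal_pe(num_sections=1, entry_point=0x9000, size_of_image=0x4000),  # entry point beyond image
    TOOL_EXE: build_minimal_pe(num_sections=4, entry_point=0x1200, size_of_image=0x8000),
}
LOG_LINES = [  # constructed, in the assumed format above
    r"10:00:01 pid=4120 proc=winword.exe op=WRITE path=C:\Users\zhang\AppData\Local\Temp\update.tmp",
    r"10:00:02 pid=4120 proc=winword.exe op=RENAME path=C:\Users\zhang\AppData\Local\Temp\update.tmp new=C:\Users\zhang\AppData\Local\Temp\update.exe",
    r"10:00:03 pid=4120 proc=winword.exe op=EXECUTE path=C:\Users\zhang\AppData\Local\Temp\update.exe",
    r"10:05:00 pid=812 proc=setup.exe op=WRITE path=C:\Program Files\Tool\tool.exe",
    r"10:06:00 pid=2200 proc=explorer.exe op=EXECUTE path=C:\Program Files\Tool\tool.exe",
]

if __name__ == "__main__":
    for path, r in audit(SAMPLE_FILES, LOG_LINES).items():
        print("ABNORMAL" if r["abnormal"] else "normal  ", r["score"], path, r["findings"])
```

Neither side alone is a strong signal: a file renamed from .tmp to .exe is what installers do, and an odd entry point can be a packer. Scoring both together is what lets the temporary update.exe cross the threshold while tool.exe, written by one process and run by another with a sane header, stays below it. In a real deployment the log would be produced by the kernel-mode monitor rather than embedded as constants.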
Keywords/Search Tags: Filter driver of file system, transparent encryption, real-time monitoring, IRP packet, PE files