CN103888506A - Computer-implemented method and system for extracting rule of monitoring command-response pairs - Google Patents

Computer-implemented method and system for extracting rule of monitoring command-response pairs

Publication number
CN103888506A
Authority
CN
China
Prior art keywords
request
response
group
changing unit
module
Legal status
Pending
Application number
CN201310627149.8A
Other languages
Chinese (zh)
Inventor
水谷正庆
串田高幸
立石孝彰
Current Assignee
International Business Machines Corp
Original Assignee
International Business Machines Corp
Application filed by International Business Machines Corp

Landscapes

  • Debugging And Monitoring (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention provides a computer-implemented method for extracting rules for monitoring command-response pairs. The method comprises the steps of: preparing a test set containing a plurality of command-response pairs; grouping the commands by similarity-based clustering; forming a set of responses to the commands that have a particular value in a given parameter within the given test set; judging whether the members of the response set fall within a preset similarity range; and, if they do, extracting a rule for monitoring command-response pairs based on the relation between the responses in the set and the commands.

Description

Computer-implemented method and system for extracting rules for monitoring request-response pairs
Technical field
The present invention relates generally to information processing technology, and more specifically to a computer-implemented method, program and system for extracting rules for monitoring request-response pairs.
Background art
Request-response systems, in which a client terminal sends a request to a server and receives a response to that request from the server, are widely used. Typically, in response to business needs and the like, a request-response system undergoes changes to its system settings and version updates of the programs it uses. When such a change is made, the system is often tested to check whether the system environment works as expected before it is formally released to users. Background art related to request-response systems includes the following patent literature and non-patent literature.
Reference list
Patent literature
[Patent Document 1] JP2011-227595A
[Patent Document 2] JP2005-332139A
[Patent Document 3] JP2002-007232A
[Patent Document 4] JP2000-029707A
[Non-patent literature]
[Non-Patent Document 1] Xiaowei Li et al., "BLOCK: A Black-box Approach for Detection of State Violation Attacks Towards Web Applications", Proceedings of the 27th Annual Computer Security Applications Conference (ACSAC '11), pp. 247-256, 2011
[Summary of the invention]
[Technical problem]
When a request-response system is changed in any way, unexpected parts may be affected. To deal with this, a great deal of time and work is spent each time on locating the parts that may be affected, creating test cases and running the tests. Likewise, even with a technique in which the items to be tested are defined in advance and are tested whenever the system changes, time and work are still needed to maintain and manage the test items and to run the tests. If every change to the system has to be tested by people, this is troublesome and may be a problem in terms of timeliness.
Accordingly, one object of the present invention is to provide a computer-implemented method, program and system for automatically extracting the rules that request-response pairs are to satisfy.
[Solution to problem]
To achieve the above object, the invention provides a computer-implemented method for extracting rules for monitoring the request-response pairs generated in a request-response system. The method comprises: a step of preparing a test set comprising a plurality of requests and their corresponding responses as pairs; a step of grouping the requests by similarity-based clustering; a step of judging whether the members of a set of responses to a plurality of requests fall within a predetermined similarity range, the requests being included in a given request group and having a particular value in one or more given variable parts; and a step of extracting, according to the result of the judgment and based on the association between the responses included in the response set and the requests, a rule for monitoring the request-response pairs generated in the system.
Preferably, the computer-implemented method further comprises a step of repeating the judging step for the other values available for the one or more given variable parts. More preferably, the judging step is repeated for the other variable parts included in the requests. Likewise, the judging step and the extracting step can be repeated for the other request groups.
Preferably, the computer-implemented method further comprises a step of applying the set of rules extracted in the extracting step and issuing a warning.
Although the present invention has been summarized above as a computer-implemented method for automatically extracting the rules that request-response pairs are to satisfy, the invention can also be regarded as a program, a program product, software, a software product, a system, a device and so on.
A program product or software product can include, for example, a storage medium in which the above-described program or software is stored, or a medium used to transmit the program or software. The program can cause a computer to execute the steps of the above-described method.
Note that the above summary of the invention does not enumerate all of the essential features of the invention, and that combinations or sub-combinations of these components can also constitute an invention.
[Brief description of the drawings]
Fig. 1 is an overall view for explaining the general outline of a request-response system according to an embodiment of the present invention;
Fig. 2 is a functional block diagram of the management server of the request-response system according to an embodiment of the present invention;
Fig. 3 is a flow chart showing the process of extracting the rules to be satisfied by requests and responses in an embodiment of the present invention;
Fig. 4 is a flow chart showing the process of applying the rules and issuing a warning in an embodiment of the present invention;
Fig. 5 is a diagram for explaining an example of grouping similar requests in an embodiment of the present invention;
Fig. 6 is a diagram for explaining an example of identifying the variable and constant parts of a request and forming a template in an embodiment of the present invention;
Fig. 7 is a diagram for explaining an example of forming a set of responses to requests that have the same value in a given variable part in an embodiment of the present invention;
Fig. 8 is a diagram for explaining an example of evaluating the similarity between the members of a response set in an embodiment of the present invention;
Fig. 9 is a diagram for explaining the evaluation of response sets in an embodiment of the present invention;
Fig. 10 is a diagram for explaining an example of extracting the rules to be satisfied by request-response pairs in an embodiment of the present invention; and
Fig. 11 is a diagram showing an example of the hardware configuration of an information processing apparatus suitable for implementing the clients, servers and operator terminal (as components of the information processing system) according to an embodiment of the present invention.
[Description of embodiments]
Embodiments of the present invention are described in detail below with reference to the accompanying drawings. Note, however, that the embodiments described below are not intended to limit the claimed invention, and that not all combinations of the features described in the embodiments are necessarily essential to the means by which the invention solves the problem.
In addition, the present invention can be embodied in many different forms and should not be interpreted solely according to the description of the embodiments. Throughout the description of the embodiments, identical reference numerals generally refer to identical components.
According to an embodiment of the present invention, rules for monitoring request-response pairs in a request-response system are extracted through information processing that analyzes a set of request-response pairs in the system. In addition, according to the embodiment, in order to find problems early and limit the impact of faults, the extracted rule set is applied in real time to the request-response pairs that appear in the system during operation, and if a request-response pair is judged not to satisfy any one of the rules included in the rule set, a warning is sent to the administrator.
The request-response system according to the embodiment is designed so that the application server receives requests from multiple clients and returns a response to each request. According to the embodiment, there is a one-to-one correspondence between requests and responses; that is, it is assumed that as long as the system environment does not change, the same response is returned for the same request. It is also assumed that requests and responses are in principle in text format.
According to the embodiment, pairs of requests sent from clients to the application server and their responses are recorded continuously in the storage system. To extract the rules that request-response pairs are to observe, similar requests are grouped and a request template is generated for each group, using some or all of the pairs stored in the storage system. The template distinguishes variable parts from constant parts.
Next, a set of requests having the same value in a given variable part is formed. It is then judged whether the members of the response set corresponding to the members of that request set fall within a predetermined similarity range. The same process is repeated for the other values of the variable part. Based on the judgment results obtained through this repetition, it is judged whether the variable part and the responses are associated. When they are judged to be associated, it is decided to extract a rule to be satisfied by the request-response pairs involving that variable part, and the association is extracted in the form of such a rule.
The above process is repeated for the other variable parts and then for the other request groups, thereby forming the set of rules to be satisfied by request-response pairs. According to the embodiment, the rule set is applied in real time to the request-response pairs that appear in the system, and if a request-response pair is detected that does not satisfy any one of the rules included in the rule set, a warning is sent to the administrator.
The present invention is described in detail below with reference to Figs. 1 to 11.
Fig. 1 is an overall view for explaining the general outline of a request-response system according to an embodiment of the present invention. The request-response system 100 according to the embodiment comprises clients 105-1, 105-2, ... (hereinafter sometimes referred to as "one or more clients 105"), an application server 115, a management server 117, an administrator terminal 120 operated by an administrator 125, and a storage system 130.
According to the embodiment, a client 105 sends a request for a service to the application server 115 over the network 110. On receiving the request, the application server 115 performs information processing using the installed application and sends the result back to the client 105 over the network 110 as a response, thereby providing the service. According to the embodiment, these exchanges are continuously monitored and captured by the storage system 130. The set of request/response pairs exchanged between the clients 105 and the application server 115 is therefore stored continuously in the storage system 130.
According to the embodiment, the management server 117 uses the set of request/response pairs stored in the storage system 130 to extract the rules to be satisfied by requests and responses. The management server 117 then applies the extracted rule set in real time to the request-response pairs obtained through continuous monitoring, and if it judges that a pair does not satisfy any one of the rules included in the rule set, it sends a warning to the administrator terminal 120. The administrator 125 checks the warning received at the administrator terminal 120 and takes the action needed to handle the fault or prevent the problem.
Fig. 2 is a functional block diagram of the management server 117 of the request-response system according to the embodiment of the present invention. The elements shown in the functional block diagram of Fig. 2 can be realized on an information processing apparatus with the hardware configuration shown in Fig. 11 by loading computer programs (such as an operating system and application programs) from the hard disk drive 13 or the like into the main memory 4, having the main CPU 1 read the programs, and then having the hardware resources and the software cooperate with each other.
The management server 117 according to the embodiment comprises an I/O unit 205, a request classification unit 210, a variable part identification unit 215, a request similarity judging unit 220, an evaluation target test pair database 225, a response similarity judging unit 230, a judgment result evaluation unit 235, a rule extraction unit 240, a rule storage unit 245 and a rule application unit 250.
The I/O unit 205 according to the embodiment provides the user and/or other computer systems with an input/output interface for interacting with the management server 117. According to the embodiment, it can, for example, receive a set of request-response pairs from the test set storage unit of the storage system 130 and transfer that set to the request classification unit 210. In addition, the I/O unit 205 receives in real time the captured exchanges between server and clients (that is, requests and responses) and transfers them to the rule application unit 250. To deliver an electronic warning issued by the rule application unit 250 to the administrator terminal 120, the I/O unit 205 can send the warning out onto the network.
The request classification unit 210 according to the embodiment groups by similarity the requests included in the set of request-response pairs received from the storage system 130 via the network 110. This grouping is described in detail later with reference to step 315 of flow chart 300 of Fig. 3, Fig. 5 and so on.
The variable part identification unit 215 according to the embodiment identifies the variable parts of the requests grouped by the request classification unit 210 and treats the remainder as constant (fixed) parts, thereby distinguishing the variable and constant parts of a request. The template forming unit 220 according to the embodiment forms a template for each request group formed by the request classification unit 210, based on the identification information about variable and constant parts produced by the variable part identification unit 215 and on other information. The variable part identification unit 215 and the template forming unit 220 are described in detail later with reference to step 317 of flow chart 300 of Fig. 3, Fig. 6 and so on.
The evaluation target test pair database 225 according to the embodiment stores the request-response pairs received from the storage system 130, each associated with the grouping information from the response classification unit 210, the variable part/constant part identification information from the variable part identification unit 215, and the template from the template forming unit 220. The stored information is used to extract the rules for monitoring request-response pairs.
The response similarity judging unit 230 according to the embodiment receives a given request group and the corresponding response group from the evaluation target database 225. For the requests included in the request group, the response similarity evaluation unit 235 forms a request set whose members have the same value in a given variable part, together with the corresponding response set. The response similarity judging unit 230 judges whether the response set so formed falls within a predetermined similarity range. According to the embodiment, the processing of the response similarity judging unit 230 is repeated for the other values available for the variable part, and this repetition is in turn repeated for the other variable parts included in the requests. Similar processing is also carried out for the other request groups. The operation of the response similarity judging unit 230 is described in detail later with reference to steps 320 to 355 of flow chart 300 of Fig. 3, Fig. 7, Fig. 8 and so on.
The judgment result evaluation unit 235 according to the embodiment evaluates the results of the judgments made by the response similarity judging unit 230 as to whether the response sets fall within the predetermined similarity range, and determines, based on the association between requests and corresponding responses, the variable parts of the request for which rules are to be extracted. According to the embodiment, when the members of all the response sets formed for a given variable part fall within the predetermined similarity range, it is decided to extract a rule for that variable part. The judgment result evaluation unit 235 is described in detail later with reference to step 360 of flow chart 300 of Fig. 3 and Fig. 9.
By performing processing similar to that of the variable part identification unit 215 and the template forming unit 220, the rule extraction unit 240 according to the embodiment forms a template for the response group for which rules are to be extracted. Specifically, the rule extraction unit 240 records the variable parts of the requests that the judgment result evaluation unit 235 has judged to be strongly associated with the responses, creates conditional expressions between those variable parts of the request and the associated parts, and extracts a rule stipulating that a given part is valid if it satisfies the combination of the conditional expression and the regular expression corresponding to the variable parts present in the request and response templates. Likewise, from a constant part whose content is common to all the responses belonging to the given response group, a rule is extracted stipulating that the content of the constant part is valid if the constant part has that content. Finally, the rule set extracted by the rule extraction unit 240 is stored in the rule storage unit 245. The operation of the rule extraction unit 240 is described in detail later with reference to step 360 of flow chart 300 of Fig. 3 and Fig. 10.
According to an embodiment of the present invention, rules for monitoring request-response pairs in a request-response system are extracted through information processing that analyzes a set of request-response pairs in the system. In addition, according to the embodiment, in order to find problems at an early stage and limit the impact of faults, the extracted rule set is applied in real time to the request-response pairs that appear in the system during operation, and if a request-response pair is judged not to satisfy any one of the rules included in the rule set, a warning is sent to the administrator.
The rule application unit 250 according to the embodiment applies the rules included in the rule set stored in the rule storage unit 245 to the request-response pairs obtained in real time through the I/O unit 205, and if a request-response pair does not satisfy any one of the rules, it issues a warning, which is transmitted through the I/O unit 205 and the network 110 to the administrator terminal 120. The operation of the rule application unit 250 is described in detail later with reference to flow chart 400 of Fig. 4 and so on.
Fig. 3 is a flow chart showing the process of extracting the rules to be satisfied by requests and responses in an embodiment of the present invention. Processing starts at step 305, and a test set of request-response pairs is prepared in step 310. As already described, according to the embodiment the storage system 130 continuously monitors the requests that the application server 115 receives from the clients 105 and the responses to those requests, and captures and continuously stores them. The test set of request-response pairs is prepared when the management server 117 accesses the storage system 130 via the network 110 and obtains, as required, all or part of the data stored there.
Then, in step 315, the similarity between the requests included in the prepared test set of request-response pairs is calculated, and requests judged to be similar are grouped. The requests are grouped by clustering similar requests according to edit distance. Edit distance (also called Levenshtein distance) is well known in the field of information processing as a technique for expressing how different two pieces of text are. Those skilled in the art can implement edit-distance-based clustering as appropriate, so its implementation is not described in further detail here. At the same time, response groups are formed, each containing the responses to the members of the corresponding request group.
Fig. 5 is a diagram for explaining an example of grouping similar requests in an embodiment of the present invention. Requests 1 (505-1) and 2 (505-2) shown in Fig. 5 contain the same information except for the values of the parameters "page_id" and "UnicaNIODID", so the edit distance between the two requests is relatively short. Requests 1 (505-1) and 2 (505-2) are therefore clustered into the same request group Qn (510). On the other hand, responses 1 (515-1) and 2 (515-2), which correspond to requests 1 (505-1) and 2 (505-2), differ greatly in content. Nevertheless, responses 1 (515-1) and 2 (515-2) are grouped as members of the response group Rn (520) corresponding to request group Qk (510).
Processing proceeds to step 317, where variable and constant parts are identified and a template is formed for each request group formed in step 315. Fig. 6 is a diagram for explaining an example of identifying the variable and constant parts of a request and creating a template in an embodiment of the present invention. The example shows the process of identifying the variable and constant parts present in the GET statements 610, 612, 614 and 616 of four HTTP requests and creating a template.
First, an algorithm for solving the longest common subsequence (LCS) problem finds the differences between GET statements 610 and 612 and between GET statements 614 and 616, and marks the positions of the differences with the symbol "?" as candidates for variable parts. The GET statements are then merged into generalized GET statements 620 and 622. The longest common subsequence and the algorithms for solving it are well known in the field of information processing. Those skilled in the art can implement the identification of candidates as appropriate, so the implementation of this identification of variable parts is not described in further detail here. According to the embodiment, it is assumed that after a candidate for a variable part is marked with the symbol "?", its original character strings 624 and 626 are stored.
The same processing is then repeated to further merge generalized GET statements 620 and 622 until a single generalized GET statement is obtained. When the single generalized GET statement 630 is finally obtained, the original string set 634 corresponding to a candidate for a variable part is formed from the character strings 632 stored at each repetition. When the deviation of the string lengths and of the characters appearing in the original string set 634 is smaller than a predetermined value, the candidate is finally adopted as a variable part. This is because, if the deviation of the values available for a given candidate is too large, the candidate cannot be said to be ordered to any degree and may merely be an unordered portion that was generalized by accident. The parts other than those finally adopted as variable parts are treated as constant parts. Note that although the example of Fig. 6 describes only part of a GET statement, the same processing can be applied to the other parts of the request, making it possible to identify the variable and constant parts of the request and to form a template for each of the request groups formed in step 315.
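The template formation of step 317 can be sketched as follows. This is an added example, not code from the patent: the tokenizer, the `<*>` rendering of the "?" marker, the thresholds in `is_variable_part` and the sample requests are all assumptions made for illustration.

```python
import re
from statistics import pstdev

SLOT = object()  # candidate variable part; the page marks these positions with "?"

def tokenize(line):
    """Split a request line into word tokens and single delimiter characters."""
    return re.findall(r"[A-Za-z0-9_.%-]+|[^A-Za-z0-9_.%-]", line)

def merge(a, b):
    """Keep the longest common subsequence of two token lists; collapse each
    differing run into a single SLOT (the generalized statement of Fig. 6)."""
    n, m = len(a), len(b)
    dp = [[0] * (m + 1) for _ in range(n + 1)]  # dp[i][j] = LCS length of a[i:], b[j:]
    for i in range(n - 1, -1, -1):
        for j in range(m - 1, -1, -1):
            if a[i] == b[j]:
                dp[i][j] = dp[i + 1][j + 1] + 1
            else:
                dp[i][j] = max(dp[i + 1][j], dp[i][j + 1])
    out = []

    def push(tok):
        if tok is SLOT and out and out[-1] is SLOT:
            return  # never emit two adjacent slots
        out.append(tok)

    i = j = 0
    while i < n or j < m:
        if i < n and j < m and a[i] == b[j]:
            push(a[i])
            i, j = i + 1, j + 1
        else:
            push(SLOT)
            if j >= m or (i < n and dp[i + 1][j] >= dp[i][j + 1]):
                i += 1
            else:
                j += 1
    return out

def build_template(requests):
    """Merge pairwise, level by level, until one generalized statement remains."""
    level = [tokenize(r) for r in requests]
    while len(level) > 1:
        level = [merge(level[k], level[k + 1]) if k + 1 < len(level) else level[k]
                 for k in range(0, len(level), 2)]
    return level[0]

def render(template):
    return "".join("<*>" if t is SLOT else t for t in template)

def slot_values(template, requests):
    """Recover the original strings behind every slot, one column per slot."""
    pattern = "".join("(.*?)" if t is SLOT else re.escape(t) for t in template)
    columns = [[] for t in template if t is SLOT]
    for line in requests:
        for column, value in zip(columns, re.fullmatch(pattern, line).groups()):
            column.append(value)
    return columns

def char_class(c):
    return "digit" if c.isdigit() else "lower" if c.islower() else "upper" if c.isupper() else "other"

def is_variable_part(values, max_len_dev=2.0, max_classes=3):
    """Adopt a candidate only if its values look ordered: small spread of string
    lengths and few character classes (both limits are assumed values)."""
    classes = {char_class(c) for v in values for c in v}
    return pstdev([len(v) for v in values]) <= max_len_dev and len(classes) <= max_classes

# Constructed sample requests; only the parameter names come from Fig. 5.
REQUESTS = [
    "GET /us/en/?page_id=121&UnicaNIODID=aK3x9 HTTP/1.1",
    "GET /us/en/?page_id=124&UnicaNIODID=Zp07Q HTTP/1.1",
    "GET /us/en/?page_id=121&UnicaNIODID=mm41T HTTP/1.1",
    "GET /us/en/?page_id=130&UnicaNIODID=Qw8e2 HTTP/1.1",
]

if __name__ == "__main__":
    template = build_template(REQUESTS)
    print(render(template))
    for column in slot_values(template, REQUESTS):
        print(column, "variable part" if is_variable_part(column) else "rejected")
```

A candidate whose values vary wildly in length, such as free-text input, is rejected by `is_variable_part` and stays outside the template's variable parts.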
The discussion returns to flow chart 300 of Fig. 3. Next, in step 320, one of the request groups formed in step 315 is taken out, and then in step 325, with reference to the template of the requests in the group taken out, a variable part of the request is selected using a predetermined algorithm. Here, a single variable part, a combination of multiple variable parts, or a combination of the above can be selected.
Processing advances to step 330 to form sets of responses, each corresponding to a set of requests that have the same value in the variable part selected in step 325. Fig. 7 is a diagram for explaining an example of forming a set of responses to requests that have the same value in a given variable part in an embodiment of the present invention. In this example, requests 705-1, 705-2 and 705-3, which belong to the same request group, have the same value "121" in the given variable part that represents the value of /us/en/?page_id. It is assumed that a set of responses 710-1, 710-2 and 710-3 is formed as the responses to these three requests.
Processing proceeds to step 335 to evaluate the similarity between the members of each response set formed in step 330. According to the embodiment, the similarity is found by calculating Dv with the following formula. Fig. 8 shows an example of evaluating the similarity between the members of a response set in the embodiment.
Dv = { L(r, r′) | r ∈ Rv, r′ ∈ Rv, r ≠ r′ }
where
Rv: the set of responses to the requests that have the particular value v in the given variable part
L(r, r′): the edit distance between two responses r and r′
Then, in step 340, it is judged on the basis of this evaluation whether the members of the response set fall within the predetermined similarity range. According to the embodiment, the members of the response set are judged to fall within the predetermined similarity range when T < avg(Dv), where T is a predetermined threshold and avg(Dv) is the mean of Dv.
According to the embodiment, it is assumed that the evaluation result produced in step 335 is recorded together with the judgment result produced in step 340, regardless of what the judgment result of step 340 is. If it is judged in step 340 that the members of the response set fall within the predetermined similarity range, processing follows the YES arrow to step 345, where a mark indicating that the responses fall within the predetermined similarity range is added to the corresponding record. Processing then proceeds to step 350. If, on the other hand, it is judged in step 340 that the members of the response set do not fall within the predetermined similarity range, no mark indicating that the responses fall within the predetermined similarity range is added for the response set, and processing follows the NO arrow to step 350. Another variable part is then processed.
Fig. 9 is an example of the records relating to response sets in an embodiment of the present invention. In this example, the cell of the table at the intersection of "first request set" and "variable part 1", labelled "requests whose variable part 1 value is "121"", indicates that avg(Dv) for the members of the corresponding response set is "0.8". Note also that in this example, if T (the predetermined threshold) is "0.6", the Dv of the cell is greater than T, so the response set is highlighted by shading to indicate that the response group is within the predetermined similarity range. Note that in many cases the request sets or response sets corresponding to the cells of a given column (for example, the "first request set" column) do not have the same members.
In step 350, it is judged whether any of the response sets formed in step 330 remains to be processed. If it is judged in step 350 that a response set remains to be processed, processing returns to step 330. Thereafter, as long as any response set remains to be processed, the processing of steps 335, 340, 345 and 350 is carried out in the same way.
If it is judged in step 350 that no response set remains to be processed, processing proceeds to step 355. In step 355, it is judged whether any variable part in the group currently being evaluated remains to be evaluated. If it is judged in step 355 that a variable part remains to be evaluated, processing follows the YES arrow back to step 325, a variable part to be evaluated is selected, and the subsequent processing is carried out in the same way.
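Steps 330 to 355 can be sketched as follows. This is an added example, not code from the patent. The page calls L an edit distance yet treats a larger avg(Dv) as falling within the range (0.8 against T = 0.6 in Fig. 9), so the sketch assumes L is a similarity normalised from edit distance; the sample pairs and the skipping of response sets with a single member are also assumptions.

```python
from collections import defaultdict
from itertools import combinations

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def similarity(a, b):
    """Assumed form of L(r, r'): 1.0 for identical texts, 0.0 for unrelated ones."""
    longest = max(len(a), len(b)) or 1
    return 1.0 - edit_distance(a, b) / longest

def response_sets(pairs, part):
    """Step 330: one response set Rv per value v of the selected variable part."""
    sets = defaultdict(list)
    for request, response in pairs:
        sets[request[part]].append(response)
    return sets

def evaluate(pairs, part, threshold):
    """Steps 335 to 350: record avg(Dv) and the step 340 verdict for every value v.
    Pairs are taken by position, so identical responses still count."""
    record = {}
    for value, responses in response_sets(pairs, part).items():
        scores = [similarity(r1, r2) for r1, r2 in combinations(responses, 2)]
        if scores:  # a single response gives no evidence either way (assumption)
            avg = sum(scores) / len(scores)
            record[value] = (round(avg, 3), threshold < avg)
    return record

def is_associated(record):
    """A rule is extracted for a variable part only when all of its response
    sets fall within the similarity range."""
    return bool(record) and all(within for _, within in record.values())

# Constructed sample data: requests are reduced to the values of their variable
# parts (as read from the request template), responses are plain text.
PAGE_121 = "HTTP/1.1 200 OK\n<title>XXX</title><ad>{}</ad>"
PAGE_124 = ("HTTP/1.1 200 OK\n<title>CCC</title><p>Contact our regional offices by "
            "phone or mail; opening hours are listed per site.</p><ad>{}</ad>")
PAIRS = [
    ({"page_id": "121", "UnicaNIODID": "s1"}, PAGE_121.format("a1")),
    ({"page_id": "121", "UnicaNIODID": "s2"}, PAGE_121.format("b7")),
    ({"page_id": "121", "UnicaNIODID": "s3"}, PAGE_121.format("c4")),
    ({"page_id": "124", "UnicaNIODID": "s1"}, PAGE_124.format("d9")),
    ({"page_id": "124", "UnicaNIODID": "s2"}, PAGE_124.format("e2")),
]

if __name__ == "__main__":
    for part in ("page_id", "UnicaNIODID"):
        record = evaluate(PAIRS, part, threshold=0.6)
        print(part, record, "associated" if is_associated(record) else "not associated")
```

With this data `page_id` is judged associated with the responses, while `UnicaNIODID` is not, because the same identifier value is answered with two very different pages.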
If not have changing unit to have to be assessed in judgement in step 355, process so along the arrow of NO and forward step 360 to.In step 360, extraction will be by request-response to satisfied rule, and described request-response is to coming from the request group of taking-up in step 320 and corresponding response group.
Figure 10 is a diagram explaining an example of extracting the rules to be satisfied by request-response pairs in an embodiment of the present invention. As already described, according to the embodiment, a template is formed for the response group from which rules are to be extracted, the changing units in the request that are judged to be strongly associated with the response are recorded, a conditional expression is created for the associated parts with respect to the changing unit in the request, and a rule is extracted which specifies that a given part is valid if the combination of the regular expressions corresponding to the changing units present in the request and response templates and the conditional expression is satisfied. In the example of Figure 10, suppose that the changing units 1015-1 to 1015-3 in requests 1005-1 to 1005-3 (members of a given request group) are judged to be strongly associated with the response. In this case, when the changing unit 1015 of the request is "121", the changing unit 1025 enclosed by the <title> tags in the response is "XXX", and when the changing unit 1015 is "124", it is "CCC". This indicates an association, so a rule is extracted using this association as a conditional expression. As for the changing unit 1030 enclosed by the <ad> tags in the response, its relationship to the changing unit 1015 of the request cannot be converted into a conditional expression, so this relationship is not formulated as a rule. Likewise, from a constant part whose content is common to all responses of the given response group, a rule is extracted which specifies that the content of the constant part is valid if the constant part has that content. For example, in Figure 10 the constant part 1020 of the response always has the value "HTTP200OK", so a rule is extracted specifying that this content is valid if the constant part is "HTTP200OK". Finally, a rule set for monitoring requests and responses is created in the form of a combination of regular expressions and conditional expressions.
In step 365, it is determined whether any request group remains to be processed. If it is determined in step 365 that a request group remains to be processed, the process follows the YES arrow back to step 320 and similar processing is then carried out. If it is determined in step 365 that no request group remains to be processed, the process proceeds to step 370 and ends.
Fig. 4 is a flow chart showing the flow for applying the rules and issuing warnings in an embodiment of the present invention. The process starts at step 405, and in step 410 the requests received by the server are continuously monitored. Then, in step 420, it is determined whether the continuous monitoring is to continue. If it is determined in step 420 that the continuous monitoring is not to continue, the process follows the NO arrow to step 450 and ends.
If it is determined in step 420 that the continuous monitoring is to continue, the process proceeds to step 425, where it is determined whether any request received by the server has been detected as a result of the continuous monitoring. If no request is detected in step 425, the process follows the NO arrow back to step 410 and monitoring continues.
If a request is detected in step 425, the process follows the YES arrow to step 430 to obtain the detected request and its response as a pair. Then, in step 435, it is verified whether the obtained request-response pair satisfies any of the rules included in the rule set extracted according to the flow chart of Fig. 3 and stored in management server 117. Specifically, the request included in the request-response pair is compared with the templates, and it is then determined whether the request-response pair satisfies any rule included in the rule set associated with the group corresponding to any matching template.
Then, if it is determined in step 440 that none of the rules included in the rule set is satisfied, the process follows the NO arrow to step 445, where a warning containing the request-response pair and, as required, additional information about the verification result is sent to the administrator; the process then returns to step 410. If it is determined in step 440 that any one of the rules included in the rule set is satisfied, the process follows the YES arrow back to step 410. After returning to step 410, the processing is repeated until the process follows the NO arrow from step 420 and ends at step 450.
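The Figure 10 rule extraction and the check of steps 435 to 445 can be sketched as follows. This is an added Python example, not code from the patent: the request and response formats, the two regular-expression templates (which the earlier steps of the method would derive) and all function names are assumptions, and the sample pairs are constructed.

```python
import re
from collections import defaultdict

# Constructed request-response pairs for one request group, shaped like Figure 10.
TEST_SET = [
    ("GET /item?id=121", "HTTP 200 OK <title>XXX</title><ad>a-17</ad>"),
    ("GET /item?id=121", "HTTP 200 OK <title>XXX</title><ad>a-42</ad>"),
    ("GET /item?id=124", "HTTP 200 OK <title>CCC</title><ad>a-17</ad>"),
    ("GET /item?id=124", "HTTP 200 OK <title>CCC</title><ad>a-99</ad>"),
]

# Assumed templates for this group; named groups mark the parts to examine.
REQ_TEMPLATE = re.compile(r"GET /item\?id=(?P<id>\d+)")
RESP_TEMPLATE = re.compile(
    r"(?P<status>.+?) <title>(?P<title>.*?)</title><ad>(?P<ad>.*?)</ad>")
REQ_PART = "id"  # changing unit of the request judged to be associated with the response


def extract_rules(pairs):
    """Step 360: derive static and conditional rules for one request group."""
    # response field -> request value -> set of response values observed
    seen = defaultdict(lambda: defaultdict(set))
    for request, response in pairs:
        req = REQ_TEMPLATE.fullmatch(request)
        resp = RESP_TEMPLATE.fullmatch(response)
        if not (req and resp):
            continue  # pair does not belong to this group
        for field, value in resp.groupdict().items():
            seen[field][req.group(REQ_PART)].add(value)

    rules = {}
    for field, by_req in seen.items():
        all_values = set().union(*by_req.values())
        if len(all_values) == 1:
            # Constant part: same content in every response of the group.
            rules[field] = ("static", next(iter(all_values)))
        elif all(len(values) == 1 for values in by_req.values()):
            # Each request value determines the response value: conditional expression.
            rules[field] = ("conditional",
                            {k: next(iter(v)) for k, v in by_req.items()})
        # Otherwise (like <ad>) the relationship is not formulated as a rule.
    return rules


def evaluate(request, response, rules):
    """Step 435: per-rule result, so a caller can see which rule failed."""
    req = REQ_TEMPLATE.fullmatch(request)
    resp = RESP_TEMPLATE.fullmatch(response)
    if not (req and resp):
        return {}  # no matching template, so no rule applies
    results = {}
    for field, (kind, expected) in rules.items():
        actual = resp.group(field)
        if kind == "static":
            results[field] = actual == expected
        else:
            results[field] = expected.get(req.group(REQ_PART)) == actual
    return results


def needs_warning(request, response, rules):
    """Step 440 as worded above: warn when no rule in the set is satisfied."""
    return not any(evaluate(request, response, rules).values())


if __name__ == "__main__":
    rules = extract_rules(TEST_SET)
    print(rules)
    live = ("GET /item?id=121", "HTTP 500 Error <title>CCC</title><ad>a-1</ad>")
    print(evaluate(*live, rules), needs_warning(*live, rules))
```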
Figure 11 is a diagram showing an example of the hardware configuration of an information processing apparatus suitable for implementing the computing elements included in the request-response system according to the embodiment of the present invention (that is, client 105, application server 115, management server 117, administrator terminal 120 and storage system 130). The information processing apparatus includes a CPU (central processing unit) 1 and a main memory 4 connected to a bus 2. Hard disk drives 13 and 30 and removable storage (external storage systems whose recording media are interchangeable), such as CD-ROM drives 26 and 29, floppy disk drive 20, MO drive 28 and DVD drive 31, are connected to the bus 2 through a floppy (R) disk controller 19, an IDE controller 25, a SCSI controller 27 and the like.
A storage medium (for example a floppy disk, MO, CD-ROM or DVD-ROM) is inserted into the removable storage. The code of a computer program that gives instructions to the CPU and the like in cooperation with the operating system to implement the present invention can be recorded on these storage media, on hard disk drives 13 and 30, and in ROM 14. The computer program is executed when it is loaded into main memory 4. The computer program can be compressed, or divided into multiple parts and recorded on multiple media.
The information processing apparatus receives input from input devices such as keyboard 6 and mouse 7 via keyboard/mouse controller 5. The information processing apparatus is connected via DAC/LCDC 10 to display device 11 to present visual data to the user.
The information processing apparatus is connected to a network via network adapter 18 (Ethernet (R) or the like) and can communicate with other computers and the like. Although not illustrated, the information processing apparatus can be connected to a printer through a parallel port or to a modem through a serial port.
As is easily understood from the above description, the information processing apparatus for implementing the computing elements included in the request-response system according to the embodiment of the present invention can be realized by, for example, a typical personal computer, workstation or mainframe, or a combination thereof. These components are given only by way of example, however, and not all of them are essential to the present invention.
Needless to say, various modifications will be apparent to those skilled in the art, for example distributing functions over multiple machines used in combination to implement the hardware components of the information processing apparatus used in the embodiment of the present invention. Such modifications are concepts included in the spirit of the present invention.
The components of the request-response system according to the embodiment of the present invention use an operating system that supports a GUI (graphical user interface) multi-window environment, for example the Windows (R) operating system provided by Microsoft, MacOS (R) provided by Apple, or a Unix (R)-based system (for example AIX (R) provided by International Business Machines Corporation).
It should therefore be understood that the components of the request-response system used in the embodiment of the present invention are not limited to a specific operating system environment.
Those skilled in the art will appreciate that the present invention can be implemented as a system, a method or a computer program product. Accordingly, the present invention can take the form of an entirely hardware embodiment, an entirely software embodiment (including firmware, resident software, microcode and the like), or an embodiment combining software and hardware (generally referred to as a "circuit", "module" or "system"). In addition, the present invention can take the form of a computer program product embodied in a tangible medium of expression having computer-usable program code embodied in the medium.
A combination of computer-usable/computer-readable media can be used. Examples of computer-usable/computer-readable media include, but are not limited to, electronic, magnetic, optical, electromagnetic, infrared or semiconductor systems, apparatuses, devices or propagation media. A non-exhaustive list of more specific examples of computer-readable media includes: an electrical connection having conductors, a portable computer diskette, a hard disk, random-access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, transmission media such as those supporting the Internet or an intranet, and a magnetic storage device.
Note that the computer-usable/computer-readable medium can even be paper or another suitable medium on which the program is printed, because the program can be captured electronically (for example, by optically scanning the paper or other medium), then compiled, interpreted or otherwise processed in a suitable manner as required, and stored in computer memory. The computer-usable/computer-readable medium can be any medium that can contain, store, communicate, propagate or transport the program for use by, or in connection with, an instruction execution system, apparatus or device. The computer-usable medium can include a data signal, propagated in baseband or as part of a carrier wave, in which the computer-usable program code is embodied. The computer-usable program code can be transmitted using any suitable medium, including but not limited to wireless, wireline, optical fiber cable, RF and the like.
The computer program code for implementing the present invention can be written in one programming language, or a combination of several programming languages, selected from object-oriented programming languages (for example JAVA (R), Smalltalk and C++), conventional procedural programming languages (for example C) and other similar programming languages. The program code can execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the case involving a remote computer, the remote computer can be connected to the user's computer through any type of network (for example a local area network (LAN) or a wide area network (WAN)), or the connection can be made to an external computer (for example through the Internet using an Internet service provider).
Embodiments of the present invention have been described above with reference to flow charts and/or block diagrams of methods, apparatuses (systems) and computer program products. It will be understood that each block of the flow charts and/or block diagrams, and combinations of blocks in the flow charts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to a processor of a general-purpose computer, special-purpose computer or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in one or more blocks of the flow charts and/or block diagrams.
These computer program instructions can also be stored in a computer-readable medium that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable medium produce an article of manufacture including instructions that implement the functions/acts specified in one or more blocks of the flow charts and/or block diagrams.
The computer program instructions can also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable data processing apparatus to produce a computer-implemented process, such that the instructions that execute on the computer or other programmable data processing apparatus provide processes for implementing the functions/acts specified in one or more blocks of the flow charts and/or block diagrams.
The flow charts and block diagrams in the accompanying drawings show the architecture, functionality and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block of a flow chart or block diagram can represent a module, segment or portion of code that comprises one or more executable instructions for implementing the specified logical function. It should be noted that in some alternative implementations the functions shown in the blocks can occur in an order different from that shown in the figures. For example, depending on the functionality involved, two blocks shown in succession can in fact be executed substantially concurrently or in the reverse order. Each block shown in the block diagrams and/or flow charts, and combinations of blocks, can be implemented by special-purpose hardware-based systems that perform the specified functions or acts, or by combinations of special-purpose hardware and computer instructions.
It will be apparent to those skilled in the art that various changes or improvements can be made to the above embodiment. It should thus be understood that the embodiment of the present invention makes it possible to automatically extract rules for monitoring the request-response pairs generated in a request-response system. It should also be understood that the embodiment of the present invention makes it possible to apply the rules extracted in this way to requests and responses captured in real time and to issue warnings in real time.
As an application example of the embodiment of the present invention, the present invention can be used, for instance, in a situation where, in a test environment or the like, the items to be verified are entered into a checking program to perform checks, and the checking program is changed or prepared separately each time settings are changed or the program is updated. This allows the administrator to be aware of any change. As another case, requests and responses can be monitored in a system in operation to continuously check the areas affected by a program update. This also makes it possible to discover system failures or security incidents.

Claims (16)

1. A computer-implemented method for extracting rules for monitoring request-response pairs generated in a request-response system, comprising:
a step of preparing a test set comprising a plurality of pairs of requests and corresponding responses;
a step of grouping the plurality of requests by clustering based on the similarity between the requests;
a step of determining whether the members of a set of responses to a plurality of requests fall within a predetermined similarity range, wherein the plurality of requests are included in a given request group and have a particular value in one or more given changing units; and
a step of extracting, according to the result of the determination, rules for monitoring the request-response pairs generated in the system, based on the association between the responses included in the set of responses and the requests.
2. The method according to claim 1, wherein the determining step comprises:
a step of calculating Dv = {L(r, r') | r ∈ Rv, r' ∈ Rv, r ≠ r'},
wherein:
Rv is the set of responses to requests having the particular value v in the one or more given changing units, and
L(r, r') is the edit distance between two responses r and r'; and
a step of determining that the members fall within the predetermined similarity range if T<avg(Dv), wherein T is a predetermined threshold and avg(Dv) is the mean value of Dv.
3. The method according to claim 1, further comprising a step of repeating the determining step for other values available for the one or more given changing units.
4. The method according to claim 3, wherein the step of repeating the determining step is repeated for other changing units included in the request.
5. The method according to claim 1, wherein the determining step and the extracting step are repeated for other request groups.
6. The method according to claim 1, wherein the extracting step extracts the association between the response and the request in the form of a rule that relates only to a changing unit, among the plurality of changing units included in the response, that changes with a change in the one or more given changing units of the request.
7. The method according to claim 1, wherein the rule extracted in the extracting step is a reduction formula, a static relation or a combination thereof.
8. The method according to claim 1, further comprising a step of applying the group of rules extracted in the extracting step and issuing a warning.
9. A system for extracting rules for monitoring request-response pairs generated in a request-response system, comprising:
a module configured to prepare a test set comprising a plurality of pairs of requests and corresponding responses;
a module configured to group the plurality of requests by clustering based on the similarity between the requests;
a module configured to determine whether the members of a set of responses to a plurality of requests fall within a predetermined similarity range, wherein the plurality of requests are included in a given request group and have a particular value in one or more given changing units; and
a module configured to extract, according to the result of the determination, rules for monitoring the request-response pairs generated in the system, based on the association between the responses included in the set of responses and the requests.
10. The system according to claim 9, wherein the module configured to determine whether the members of a set of responses to a plurality of requests fall within a predetermined similarity range comprises:
a module for calculating Dv = {L(r, r') | r ∈ Rv, r' ∈ Rv, r ≠ r'},
wherein:
Rv is the set of responses to requests having the particular value v in the one or more given changing units, and
L(r, r') is the edit distance between two responses r and r'; and
a module for determining that the members fall within the predetermined similarity range if T<avg(Dv), wherein T is a predetermined threshold and avg(Dv) is the mean value of Dv.
11. The system according to claim 9, further comprising a module for reusing, for other values available for the one or more given changing units, the module configured to determine whether the members of a set of responses to a plurality of requests fall within a predetermined similarity range.
12. The system according to claim 11, wherein the module for reusing said module is configured to reuse, for other changing units included in the request, the module configured to determine whether the members of a set of responses to a plurality of requests fall within a predetermined similarity range.
13. The system according to claim 9, comprising a module for reusing, for other request groups, the module configured to determine whether the members of a set of responses to a plurality of requests fall within a predetermined similarity range and the module configured to extract rules for monitoring the request-response pairs generated in the system.
14. The system according to claim 9, wherein the module configured to extract rules for monitoring the request-response pairs generated in the system is configured to extract the association between the response and the request in the form of a rule that relates only to a changing unit, among the plurality of changing units included in the response, that changes with a change in the one or more given changing units of the request.
15. The system according to claim 9, wherein the rule extracted by the module configured to extract rules for monitoring the request-response pairs generated in the system is a reduction formula, a static relation or a combination thereof.
16. The system according to claim 9, further comprising a module for applying the group of rules extracted by the module configured to extract rules for monitoring the request-response pairs generated in the system and issuing a warning.
CN201310627149.8A 2012-12-20 2013-11-29 Computer-implemented method and system for extracting rule of monitoring command-response pairs Pending CN103888506A (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2012278093A JP2014123198A (en) 2012-12-20 2012-12-20 Computer mounting method, program, and system for extracting rule for monitoring pair of request and response
JP2012-278093 2012-12-20

Publications (1)

Publication Number Publication Date
CN103888506A true CN103888506A (en) 2014-06-25

Family

ID=50957224

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310627149.8A Pending CN103888506A (en) 2012-12-20 2013-11-29 Computer-implemented method and system for extracting rule of monitoring command-response pairs

Country Status (2)

Country Link
JP (1) JP2014123198A (en)
CN (1) CN103888506A (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP6024560B2 (en) * 2013-03-28 2016-11-16 富士通株式会社 Information processing apparatus, information processing system, verification control method, and program
JP6751960B1 (en) * 2020-03-09 2020-09-09 株式会社シンカー Information processing system and information processing method

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0924607A2 (en) * 1997-12-18 1999-06-23 Sun Microsystems, Inc. Method and apparatus for fast local CORBA object references
CN100470533C (en) * 2002-09-13 2009-03-18 富士施乐株式会社 Text statement comparing unit
CN100428169C (en) * 2005-11-10 2008-10-22 国际商业机器公司 Method, device and system for provisioning resources
US7530107B1 (en) * 2007-12-19 2009-05-05 International Business Machines Corporation Systems, methods and computer program products for string analysis with security labels for vulnerability detection
CN102063510A (en) * 2011-01-17 2011-05-18 珠海全志科技有限公司 Method for searching matched character string

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
XIAOWEI LI 等: "《BlOCK:A Black-box Approach for Detection of State Violation Attacks Towards Web Applications》", 《PROCEEDING ACSAC 11 PROCEEDINGS OF THE 27TH ANNUALCOMPUTER SECURITY APPLICATION CONFERENCE》 *

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111274121A (en) * 2018-12-05 2020-06-12 北京奇虎科技有限公司 Testing method and device applying monitoring rules
CN111274121B (en) * 2018-12-05 2024-04-05 三六零科技集团有限公司 Test method and device for applying monitoring rule
CN111382057A (en) * 2018-12-29 2020-07-07 北京字节跳动网络技术有限公司 Test case generation method, test method and device, server and storage medium
CN111382056A (en) * 2018-12-29 2020-07-07 北京字节跳动网络技术有限公司 Service testing method and device, server and storage medium
CN111382058A (en) * 2018-12-29 2020-07-07 北京字节跳动网络技术有限公司 Service testing method and device, server and storage medium
CN111382058B (en) * 2018-12-29 2024-02-02 北京字节跳动网络技术有限公司 Service testing method and device, server and storage medium
CN111382056B (en) * 2018-12-29 2024-02-02 北京字节跳动网络技术有限公司 Service testing method and device, server and storage medium
CN111382057B (en) * 2018-12-29 2024-02-02 北京字节跳动网络技术有限公司 Test case generation method, test method and device, server and storage medium

Also Published As

Publication number Publication date
JP2014123198A (en) 2014-07-03

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20140625