CN103532760B - Analysis device, system and method for analyzing the commands executed on each host - Google Patents

Analysis device, system and method for analyzing the commands executed on each host

Publication number: CN103532760B (granted patent); the application was published as CN103532760A
Application number: CN201310492700.2A
Authority: CN (China)
Original language: Chinese (zh)
Prior art keywords: host, alarm, current command, command, abnormal command
Legal status: Active
Inventors: 张卓, 杨卿, 刘小雄, 李洪亮
Original assignee: Beijing Qianxin Technology Co Ltd
Current assignee: Qianxin Technology Group Co Ltd
Classification landscape: Data Exchanges In Wide-Area Networks (AREA)
Abstract

The invention discloses an analysis device, system and method for analyzing the commands executed on each host. The analysis device comprises: a central data collector configured to collect, over the network, at least the current command of each host terminal together with the identifier of the host it belongs to; a command analyzer configured to identify the current commands collected by the central data collector, distinguishing at least abnormal commands from normal commands; and an alarm device configured to judge, from the command analyzer's recognition result, whether an alarm condition is met and, if so, to emit warning information that the corresponding host is abnormal. With the invention, commands carrying a certain risk that are entered on any host in a network system can be alerted on in time, improving the security of the system.

Description

Analysis device, system and method for analyzing the commands executed on each host
Technical field
The present invention relates to the field of computer technology, and in particular to an analysis device, system and method for analyzing the commands executed on each host.
Background technology
With the rapid development of networks, network systems that serve large numbers of users have appeared. These systems are usually distributed over a large number of servers running, for example, Linux or Unix, and system administrators operate those servers by entering commands. The administrators may not fully understand the services provided on the servers, so their commands may cause a server to malfunction or even have serious consequences. In addition, as the number of servers grows, some of them may be compromised by attackers who execute malicious operations to disrupt the normal operation of the server.
The situation above is not limited to servers; it may equally arise on other similar host devices. How to monitor the commands executed on host devices such as servers, and raise an alert in time when something abnormal occurs, is therefore a problem that urgently needs solving.
Summary of the invention
In view of the problems above, the present invention provides an analysis device and system for analyzing the commands executed on each host, and a corresponding analysis method, which overcome those problems or at least partially solve them.
An embodiment of the invention discloses an analysis device for analyzing the commands executed on each host, comprising: a central data collector configured to collect, over the network, at least the current command of each host terminal and the identifier of the host it belongs to; a command analyzer configured to identify the current commands collected by the central data collector, distinguishing at least abnormal commands from normal commands; and an alarm device configured to judge, from the command analyzer's recognition result, whether an alarm condition is met and, if so, to emit warning information that the corresponding host is abnormal.
Optionally, the command analyzer includes a filtering module configured to filter the current commands collected by the central data collector with preset suspicious rules, to identify a current command hit by a suspicious rule as an abnormal command, and to output an alarm weight for each abnormal command hit by a suspicious rule, the alarm weight being derived from that rule's overall hit rate over commands; the alarm device is then configured to judge from the alarm weights of the abnormal commands whether the alarm condition is met.
Optionally, the alarm weight output by the filtering module for an abnormal command is obtained by evaluating a monotonically decreasing function whose independent variable is the overall hit rate of the suspicious rule that hit the command.
Optionally, the alarm device is configured to take all abnormal commands identified by the command analyzer on a given host during one alarm period, aggregate the alarm weights of those commands, and judge from the aggregated value whether the preset alarm condition is met.
Optionally, the command analyzer includes a classification module configured to classify each current command received by the central data collector according to the training sample set of an existing classification model, obtaining the probability that the command is normal and the probability that it is abnormal, and thereby to identify whether the current command is an abnormal command.
Optionally, the alarm device is configured to take all abnormal commands identified by the command analyzer on a given host during one alarm period, aggregate their abnormal-command probabilities, and judge from the aggregated value whether the preset alarm condition is met.
Optionally, the command analyzer includes: a filtering module configured to filter the current commands received by the central data collector with preset suspicious rules, pass the commands hit by a suspicious rule to the classification module, and output the alarm weight of each such command, the weight being derived from that rule's overall hit rate over commands; and a classification module configured to classify the commands passed from the filtering module further, according to the training sample set of an existing classification model, obtaining the probability that each command is normal and the probability that it is abnormal, and thereby identifying whether it is an abnormal command.
Optionally, the command analyzer further includes a learning module configured to merge newly received current commands with the existing training sample set, perform machine learning on the merged set, and update the training sample set used by the classification module.
Optionally, the alarm device is configured to take all abnormal commands identified by the command analyzer on a given host during one alarm period, multiply each command's abnormal-command probability by its alarm weight to obtain an alarm index, aggregate the alarm indexes of those commands, and judge from the aggregated value whether the preset alarm condition is met.
An embodiment of the invention also discloses a system for analyzing the commands executed on each host, comprising the analysis device described above and several host terminals; the host terminals are configured to transmit at least the current command on each host and the identifier of that host over the network to the central data collector.
Optionally, each host terminal includes a command sending module configured to modify the command interpreter (shell) of the host, adding to the shell the function of transmitting the current command it receives, together with the host IP, to the central data collector.
Optionally, the system further includes a monitor configured to monitor the deployment of the command sending module on each host; when it finds a newly added host on which the command sending module has not been deployed, or a host on which the module has failed, it automatically logs in to that host by its IP address and deploys the command sending module.
An embodiment of the invention also discloses a method for analyzing the commands executed on each host, comprising: collecting, over the network, the current command of each host and the identifier of the host it belongs to; identifying the collected current commands, distinguishing at least abnormal commands from normal commands; and judging from the recognition result whether an alarm condition is met and, if so, emitting warning information that the corresponding host is abnormal.
Optionally, identifying the collected current commands includes filtering them with preset suspicious rules, identifying a command hit by a suspicious rule as an abnormal command, and obtaining an alarm weight for it derived from that rule's overall hit rate over commands; judging whether the alarm condition is met then uses the alarm weights of the abnormal commands.
Optionally, the alarm weight of an abnormal command is obtained by evaluating a monotonically decreasing function whose independent variable is the overall hit rate of the suspicious rule that hit the command.
Optionally, all abnormal commands identified on a given host during one alarm period are counted, their alarm weights are aggregated, and the aggregated value is used to judge whether the preset alarm condition is met.
Optionally, identifying the collected current commands includes classifying each received command according to the training sample set of an existing classification model, obtaining the probability that it is normal and the probability that it is abnormal, and thereby identifying whether it is an abnormal command.
Optionally, judging whether the alarm condition is met includes taking all abnormal commands identified on a given host during one alarm period, aggregating their abnormal-command probabilities, and judging from the aggregated value whether the preset alarm condition is met.
Optionally, identifying the collected current commands includes filtering the received commands with preset suspicious rules, selecting those hit by a suspicious rule and outputting their alarm weights derived from the rule's overall hit rate over commands, and then classifying the selected commands further according to the training sample set of an existing classification model, obtaining the probability that each is normal and the probability that it is abnormal, and thereby identifying whether it is an abnormal command.
Optionally, the method further includes merging newly received current commands with the existing training sample set, performing machine learning on the merged set, and updating the training sample set used for classification.
Optionally, judging whether the alarm condition is met includes taking all abnormal commands identified on a given host during one alarm period, multiplying each command's abnormal-command probability by its alarm weight to obtain an alarm index, aggregating the alarm indexes, and judging from the aggregated value whether the preset alarm condition is met.
Optionally, collecting the current command and host identifier of each host over the network includes modifying the shell of each host to add the function of transmitting the current command received by the shell, together with the host IP, over the network to a designated device, and using that function to collect the current command and host identifier of each host.
Optionally, the method further includes monitoring whether each host is transmitting its current command and host identifier, and, when a newly added host is found on which the shell modification has not been made or on which it has failed, automatically logging in to that host by its IP address and deploying the shell modification.
The analysis device according to the invention can, in a network system comprising several hosts, collect the current command of each host and the identifier of the host it belongs to over the network, recognize among the collected commands those carrying a certain operational risk, judge whether a command entered on a host is abnormal or normal, and, when abnormal commands have been entered on a host and the alarm condition is met, emit in time warning information that the host is abnormal. This addresses the harm to the stable operation of a host, or of the whole system, that arises when dangerous commands are entered on a host through administrator error, attacker intrusion or similar causes: dangerous commands entered on any host in the network system are alerted on in time, and the security of the system is improved.
The above is only a general outline of the technical solution of the invention. So that the technical means of the invention may be better understood and implemented according to the contents of the specification, and so that the above and other objects, features and advantages of the invention may be made clearer, specific embodiments of the invention are given below.
Description of the drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art from reading the detailed description of the preferred embodiments below. The drawings are only for the purpose of illustrating the preferred embodiments and are not to be considered as limiting the invention. Throughout the drawings the same reference numerals denote the same parts. In the drawings:
Fig. 1 shows a schematic diagram of an analysis system for analyzing the commands executed on each host according to an embodiment of the invention;
Fig. 2 shows a flow chart of an analysis method for analyzing the commands executed on each host according to an embodiment of the invention; and
Fig. 3 shows a schematic diagram of a concrete application according to an embodiment of the invention.
Detailed description
Exemplary embodiments of the disclosure are described more fully below with reference to the drawings. Although the drawings show exemplary embodiments of the disclosure, the disclosure may be implemented in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure will be understood more thoroughly and its scope fully conveyed to those skilled in the art.
Referring to Fig. 1, which shows a system for analyzing the commands executed on each host according to an embodiment of the invention: the system comprises several host terminals 210 and an analysis device 100 for analyzing the commands executed on each host. The analysis device 100 comprises a central data collector 110, a command analyzer 120 and an alarm device 130; each host terminal 210 includes a command sending module 2102 and is coupled to the central data collector 110. The analysis device and each of its components are described in detail below.
A network system usually consists of multiple host terminals 210; a host terminal 210 may be a physical computer or a virtual machine running on computer equipment. The host terminals may perform different roles, and a variety of commands may be run on each of them to power the system on or off, operate on files, configure the system, install or uninstall software, and so on. Among the commands entered there may be some that pose a potential hazard to system operation, so the analysis device 100 needs to recognize the commands that may cause potential harm. For this, the current command to be executed on each host, together with the identifier of the host, is transmitted over the network to the analysis device 100. The host identifier may be the host name and/or the IP address of each host in the network system; the analysis device 100 obtains it mainly in order to know which host issued the command currently entered, so that warning information can be emitted under certain conditions once the command turns out to carry risk. So that the commands executed on each host are transferred accurately and completely to the central data collector 110 of the analysis device, a command sending module 2102 must be installed on each host terminal 210.
First, the command sending module 2102 transmits the current command of each host and the host identifier over the network to the central data collector 110. For example, the command sending module 2102 modifies the command interpreter (shell) of each host, adding to the shell the function of transmitting the current command it receives, together with the host IP, to a designated device (such as the central data collector 110). In Unix-like operating systems the common shells include bash, csh and tcsh; taking bash as an example, its add_history function can be modified, specifically by adding a call to a function talker(char* host, char* message), so that talker transmits the message (the command entered on the current host host) to the central data collector 110. The transmission of entered commands may be real-time, that is, as soon as a command is entered on a monitored host terminal 210 it is transferred to the central data collector 110. Alternatively, the commands entered on the monitored host terminal 210 may be stored in a log file shell_log, and the shell_log file transmitted to the central data collector 110 when a certain condition is reached, for example after a set period of time has elapsed or when the shell_log file has reached a certain size.
Once each host terminal 210 has transmitted the commands executed on it and the identifier of the host over the network through its command sending module 2102, the central data collector 110 holds the commands currently entered on every host terminal 210 together with the host on which each was entered. Optionally, it may save all received commands to a database, preparing the data for the analysis of the current commands. The command analyzer 120 is coupled to the central data collector 110, and the subsequent concrete analysis is mainly done by the command analyzer 120.
The command analyzer 120 identifies the current commands collected by the central data collector 110, distinguishing at least abnormal commands from normal commands. An abnormal command is one that may pose a potential threat to normal system operation; a normal command is one that poses no threat to system operation. The command analyzer 120 can identify commands in several ways; a number of implementations are described separately below.
Implementation one:
The command analyzer 120 may include a filtering module 1202, which filters the current commands received by the central data collector 110 with preset suspicious rules, identifies a current command hit by a suspicious rule as an abnormal command, and outputs the alarm weight of each abnormal command hit by a suspicious rule; here the alarm weight is derived from the overall hit rate of that rule over commands. The preset suspicious rules can be generated in advance from the characteristics of common risky operations; each suspicious rule contains the signature of at least one risky operation. Depending on the circumstances there are many such signatures, for example one or more of the following: adding an account; opening, modifying or deleting a sensitive file or its key attributes; viewing or modifying the password of a sensitive file; changing network settings; escalating user privileges; changing firewall settings; viewing system logs; compiling code; the presence of sensitive words; changing file permissions and attributes; shutting down or restarting; displaying the content of a specific file; establishing a network connection and downloading a file from a specified address; and so on.
In practice a suspicious rule can be implemented as a regular expression, with the signature of the risky operation embodied in the expression. Filtering by preset regular-expression rules then means matching these rules against the collected current commands: a command that a rule hits because it contains a risky-operation signature is filtered out as an abnormal command, and a command hit by no suspicious rule can be treated as a normal command. Since a single regular expression can usually only filter commands of a specific format or content, in practice several regular expressions are used for multiple rounds of filtering: a command that hits any suspicious rule in the rule group is judged suspicious and filtered out, and a command that hits none of the rules is judged normal.
During filtering, the overall hit rate of each suspicious rule can also be counted. The overall hit rate of a suspicious rule is the number of abnormal commands the rule hit, as a proportion of all the commands it examined. For example, viewing passwords can be understood as an attempt to obtain passwords illegitimately, which is usually a form of privilege abuse, and passwords can be obtained by opening the password file with certain commands. In Linux the password file is usually stored under a specific path with a specific file name, and Linux provides commands for viewing the content of a specific file, which gives a possible route to obtaining passwords illegitimately. For example, with sufficient privileges, executing the command cat /etc/passwd displays the content saved in the password file passwd. To filter such commands the following regular expressions may be used:
.*[\s\W]+passwd.*|^passwd.*
and
.*passwd.*
With these two suspicious rules in regular-expression form, all commands containing the sensitive keyword "passwd" can be filtered out.
Suppose one suspicious rule has filtered 4,651,629 commands in total and hit 7,915 of them. The 7,915 commands hit may be treated as suspicious commands, and the overall hit rate of the rule is obtained as (suspicious commands hit by the rule) / (all commands it examined), which in this example is:
7915 / 4651629 ≈ 0.001702
Once the overall hit rate is known, the filtering module 1202 outputs the alarm weight of each abnormal command hit by the rule, derived from the rule's overall hit rate. Specifically, the alarm weight can be obtained from a monotonically decreasing function whose independent variable is the rule's overall hit rate over commands. For example, denoting the overall hit rate by Pa, the function (1 - Pa) * D, where D is a constant, can be used. Taking the hit rate Pa = 0.001702 from the example above and D = 100:
(1 - Pa) * D = (1 - 0.001702) * 100 ≈ 99.8
so the alarm weight of the abnormal commands hit by this rule is about 99.8.
A monotonically decreasing function of the overall hit rate is used because, in practice, the commands a suspicious rule actually hits are commands carrying suspected danger. If a rule hits commands relatively often, or at a relatively high frequency, the commands it hits are probably relatively common ones; since genuinely abnormal commands are a minority in practice, it follows that the more often a rule fires, the less likely the commands it hits are to be genuinely abnormal. They were hit probably because the rule is a comparatively "harsh" one, so the commands it hits can be considered less dangerous, and the abnormal commands hit by such a rule are given a smaller alarm weight.
The alarm weights output by the filtering module 1202 serve as the basis on which the alarm device 130 obtains its alarm value; this is described in detail in the section on the alarm device 130 below.
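Implementation one in working form, as an added example that is not code from the patent: the filter runs a rule group of regular expressions over a constructed batch of (host, command) records as the central data collector 110 would hold them, computes each rule's overall hit rate Pa, derives the alarm weight (1 - Pa) * D with D = 100, and then aggregates the weights per host over one alarm period against a threshold, which is the part the description defers to the alarm device 130. The "passwd" rule is the patent's own regular expression; the two other rules, the sample records, the threshold value, summation as the aggregation, and the choice to give a command that hits several rules the largest of their weights are all assumptions.

```python
import re
from collections import defaultdict

# Constant D in the alarm-weight formula (1 - Pa) * D; the patent's example uses 100.
D = 100.0

# Rule group. "passwd" is the patent's own regular expression; the other two are
# hypothetical rules for two signatures in the patent's list (adding an account,
# viewing a sensitive file).
SUSPICIOUS_RULES = {
    "passwd": re.compile(r".*[\s\W]+passwd.*|^passwd.*"),
    "add_account": re.compile(r"^\s*(useradd|adduser)\b"),
    "read_sensitive_file": re.compile(r"\b(cat|less|more|vi|vim)\s+/etc/(passwd|shadow)\b"),
}

# Constructed sample of (host identifier, current command) records, in the form
# the central data collector 110 receives them from the command sending modules.
RECORDS = [
    ("10.0.0.11", "ls -la /home"),
    ("10.0.0.11", "cat /etc/passwd"),
    ("10.0.0.11", "useradd -o -u 0 backdoor"),
    ("10.0.0.12", "df -h"),
    ("10.0.0.12", "tail -f /var/log/syslog"),
    ("10.0.0.12", "passwd root"),
    ("10.0.0.12", "ps aux"),
    ("10.0.0.11", "cat /etc/shadow"),
]


def overall_hit_rate(rules, records):
    """Pa for each rule: commands the rule hit / all commands it examined."""
    total = len(records)
    return {
        name: sum(1 for _, cmd in records if rx.search(cmd)) / total
        for name, rx in rules.items()
    }


def alarm_weight(pa, d=D):
    """Monotonically decreasing in Pa: a rule that fires often is a 'harsh' one,
    so the commands it hits count as less dangerous and get a smaller weight."""
    return (1.0 - pa) * d


def filter_commands(rules, records, weights):
    """Filtering module 1202: a command hit by any rule is abnormal. Returns
    (host, command, names of rules hit, alarm weight); a command hit by several
    rules takes the largest of their weights (an assumption, not from the patent)."""
    abnormal = []
    for host, cmd in records:
        hit = [name for name, rx in rules.items() if rx.search(cmd)]
        if hit:
            abnormal.append((host, cmd, hit, max(weights[name] for name in hit)))
    return abnormal


def host_alarm_scores(abnormal):
    """Aggregate the alarm weights of each host's abnormal commands over one
    alarm period; summation is the aggregation chosen here."""
    scores = defaultdict(float)
    for host, _, _, weight in abnormal:
        scores[host] += weight
    return dict(scores)


def hosts_to_alert(scores, threshold):
    """Alarm device 130: a host whose aggregated value reaches the threshold is
    reported as abnormal."""
    return sorted(host for host, score in scores.items() if score >= threshold)


if __name__ == "__main__":
    rates = overall_hit_rate(SUSPICIOUS_RULES, RECORDS)
    weights = {name: alarm_weight(pa) for name, pa in rates.items()}
    abnormal = filter_commands(SUSPICIOUS_RULES, RECORDS, weights)
    for host, cmd, hit, weight in abnormal:
        print(f"{host}\t{cmd!r}\thit={hit}\tweight={weight}")
    print("alert:", hosts_to_alert(host_alarm_scores(abnormal), threshold=150.0))
```

On the small sample the "passwd" rule hits 2 of 8 commands, so its weight is 75 rather than the 99.8 of the patent's million-command example; the formula is the same, and alarm_weight(7915 / 4651629) reproduces the 99.8 figure. Note that "passwd root" is caught only by the ^passwd.* alternative, which is why the patent's rule needs both branches.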
Realization method two:
Command analyzer 120 may include study module 1206 and sort module 1204.
Study module 1206 mainly carries out machine learning to training sample set, is then provided for sort module 1204 required Various Study firsts.Since sort module 1204 can be more based on Bayes, logistic regression, Partial Least Squares or decision tree etc. Principle of classification is planted to realize, therefore correspondingly, study module is also required to provide different according to the difference of sort module 1204 Study first.It is realized below based on Bayes principle with sort module 1204, study module 1206 is that sort module 1204 provides For required various prior probabilities, the two modules are described in detail.
Study module 1206 carries out machine learning to known training sample set.Training sample set include it is a certain number of It understands the Decree of Heaven order, and whether these known orders are aberrant commands.The known command that training sample is concentrated is segmented Field can be regarded as and order related Feature Words, these Feature Words can be command string itself, such as cat, wget etc., It can also include the content gone out from the parameter extraction of order.It such as will order:
wget-o http://www.sina.com/dasd/hahah/tad.tgz/usr/loca/dasd/etc/ Passwd is segmented, and following feature set of words can be obtained:
{'wget','-o','http','www.sina.com','dasd','hahah','tad.tgz','usr',' loca','dasd','etc','passwd','www','sina','com'}
Specifically when being segmented to obtain Feature Words to order, regular expression tool can be used, can be used for example
[_\$]*[a-zA-Z\d\._\-]+[^\w\(/;=\-\)\[\]\{\}:>&\?\.\\\s,\d'"\%<]*
Cutting is carried out to order, regular expression can also be used
((\w+\.){1,6}(?:net|cn|com|gov|edu|asia|me|co))
Network address in recognition command obtains so as to carry out cutting to such as mentioned order example based on the order Feature set of words.
Due to being concentrated in training sample, whether exception is known for order, and the probability that aberrant commands occur can pass through(It is different Normal order number/training sample concentrates order total amount)It obtains, the probability that normal command occurs can pass through(Normal command quantity/ Training sample concentrates order total amount)It obtains.In addition, by being segmented to the order that training sample is concentrated, each Feature Words go out Existing probability in aberrant commands and the probability for appearing in normal command are also that can count, therefore study module 1206 can obtain the above prior probability.Then, it is supplied to sort module 1204 to use these priori probability datas, with Just sort module 1204 classifies to current order to be analyzed.
As it can be seen that training sample set of the sort module 1204 according to existing disaggregated model(Specifically study module 1206 is to It is supplied to some prior probabilities of sort module 1204 after thering is the training sample set of disaggregated model to carry out machine learning), to concentrating number The current command received according to recover 110 is classified, and probability and abnormal life that the current command is normal command respectively are obtained The probability of order, and then identify whether the current command belongs to aberrant commands.
Sort module 1204 is introduced in detail below, taking the Bayes classification method as an example.
The Bayes classification method is a statistical classification method, i.e. an algorithm that classifies using probability statistics. In many applications a naive Bayes classifier obtains very accurate classification results, and the Bayes classification method itself is easy to implement, has high classification accuracy and is fast. Its principle is to start from the prior probability of an object, compute its posterior probability by Bayes' formula, i.e. the probability that the object belongs to a certain class, and select the class with the maximum posterior probability as the class of the object. In the embodiment of the present invention, sort module 1204 can use the Bayes classification method to identify whether the current command is an aberrant command; the process is described in detail below.
When sort module 1204 is implemented with the Bayes classification method, it uses the fact that, for the orders in the training sample set, it is known whether each order is abnormal, so that the probabilities with which aberrant commands and normal commands occur, and the probabilities with which each field obtained by segmenting the known orders appears in aberrant commands and in normal commands, are all available. From these, given an order and the specific fields that appear in it, the probability that the order is a normal command and the probability that it is an aberrant command can be obtained, and the class of the order determined. This process trains sort module 1204 on the training sample set: through training, sort module 1204 obtains the prior probabilities and thereby gains the ability to identify, according to the Bayes classification method, which class the current command belongs to, i.e. whether it is an aberrant command or a normal command.
When a current command of unknown class is given and it must be judged whether it belongs to the aberrant commands or to the normal commands, the Bayes classification method is applied to classify it. First the current command is segmented; regular expressions can also be used for this segmentation. Let
x = {w1, w2, w3, …, wn} be the feature word set obtained by segmenting the current command of unknown class, and
y = {y1 = good, y2 = bad} be the category set, where y1 = good represents the class of normal commands and y2 = bad represents the class of aberrant commands. Next, P(y1|x) and P(y2|x) need to be obtained, where P(y1|x) denotes the probability that the current command belongs to the normal commands when it contains each feature word in set x, and P(y2|x) denotes the probability that the current command belongs to the aberrant commands when it contains each feature word in set x. P(y1|x) and P(y2|x) are compared, and the class of the current command is determined from the comparison: for example, the larger of the two is taken as the class of the current command, or the larger one is taken as the class of the current command only when the difference between the two reaches a fixed threshold. How P(y1|x) and P(y2|x) are obtained is introduced below.
According to the Bayes classification method, they are obtained as follows:
P(y1|x)=P(x|y1)*P(y1)/P(x)
P(y2|x)=P(x|y2)*P(y2)/P(x)
Here P(x) is the same constant for both classes y1 = good and y2 = bad; therefore only P(x|y1)*P(y1) and P(x|y2)*P(y2) need to be obtained.
The probability P(y1) that a normal command occurs and the probability P(y2) that an aberrant command occurs can be determined from the frequencies with which normal commands and aberrant commands occur in the training sample set. For example, if 4651629 orders in total were collected in the training sample set, of which 68440 are aberrant commands, then the probability P(y2) that an aberrant command occurs is:
68440/4651629≈0.014713
and the corresponding probability that a normal command occurs is P(y1) ≈ (1 - P(y2)) = 0.985287.
Since P(x|y1) = P([w1, w2, w3, …, wn]|y1), and w1, w2, w3, …, wn may be regarded as conditionally independent, P([w1, w2, w3, …, wn]|y1) can be decomposed into:
P(w1|y1)*P(w2|y1)*P(w3|y1)*…*P(wn|y1)
Each of the terms P(w1|y1), P(w2|y1), P(w3|y1), …, P(wn|y1) denotes the probability that the respective feature word in set x occurs in normal commands; these values can be obtained by counting, in the training sample set, the frequency with which the target feature word occurs in normal commands. P(x|y2) is obtained on the same principle as P(x|y1) and is not described again here. It should be noted that, when obtaining the product of the terms P(w1|y1), P(w2|y1), P(w3|y1), …, P(wn|y1), every term lies in the interval (0, 1), so the result of multiplying them together often tends to 0 and may even be computed as exactly 0 because it falls below the precision of the floating point range the computer can express. In that case, optionally, the product
P(w1|y1)*P(w2|y1)*P(w3|y1)*…*P(wn|y1) can be converted into the equivalent sum of logarithms.
At this point, every term of P(x|y1)*P(y1)/P(x) and of P(x|y2)*P(y2)/P(x) can be obtained by the above method, i.e. the values of P(y1|x) and P(y2|x) have been obtained, and from the values of P(y1|x) and P(y2|x) it can be determined whether the current command, containing each feature word in set x, belongs to the normal commands or to the aberrant commands.
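The segmentation step (the two regular expressions quoted above) and the Bayes scoring just described, carried out end to end in code. This is an added example, not code from the patent or its assignee. The training sample set is constructed; its first aberrant order is constructed to reproduce the feature word set listed earlier on the page. Add-one smoothing of P(w|y) and the normalization of the two log scores into P(y1|x) and P(y2|x) are assumptions of this example, not steps the patent specifies.

```python
import math
import re
from collections import Counter, defaultdict

# The two regular expressions quoted in the patent text: FIELD_RE cuts an
# order into fields, HOST_RE recognizes a network address inside the order.
FIELD_RE = re.compile(
    r"[_\$]*[a-zA-Z\d\._\-]+[^\w\(/;=\-\)\[\]\{\}:>&\?\.\\\s,\d'\"\%<]*")
HOST_RE = re.compile(r"((\w+\.){1,6}(?:net|cn|com|gov|edu|asia|me|co))")


def tokenize(command):
    """Feature word set x of one order (the page's segmentation step).

    Fields come from FIELD_RE; each network address found by HOST_RE is
    also split on '.', so 'www', 'sina' and 'com' become feature words of
    their own, as in the feature word set shown on the page."""
    words = set(FIELD_RE.findall(command))
    for match in HOST_RE.finditer(command):
        host = match.group(1)
        words.add(host)
        words.update(host.split("."))
    return words


# Constructed training sample set (labels good = normal, bad = aberrant).
# The first 'bad' order is constructed to reproduce the page's example
# feature word set; none of these lines are data from the patent.
TRAINING = [
    ("good", "ls -la /var/log"),
    ("good", "cat /etc/hosts"),
    ("good", "tail -f /var/log/syslog"),
    ("good", "df -h"),
    ("good", "ps aux"),
    ("good", "grep error /var/log/syslog"),
    ("bad", "wget -o http://www.sina.com/dasd/hahah/tad.tgz "
            "/usr/local/dasd/etc/passwd"),
    ("bad", "curl http://files.example.com/pkg.tgz -o /tmp/pkg.tgz"),
    ("bad", "wget http://mirror.example.net/tool.tgz"),
]


class NaiveBayesCommandClassifier:
    """Naive Bayes over feature words, scored as log P(y) + sum log P(w|y).

    Summing logarithms avoids the underflow the page warns about. Add-one
    (Laplace) smoothing is an assumption of this example, added so that a
    word never seen in one class does not drive that class to zero."""

    def __init__(self, samples):
        self.class_counts = Counter()             # orders per class
        self.word_counts = defaultdict(Counter)   # class -> word -> count
        vocab = set()
        for label, command in samples:
            self.class_counts[label] += 1
            for word in tokenize(command):
                self.word_counts[label][word] += 1
                vocab.add(word)
        self.vocab_size = len(vocab)
        self.total_words = {y: sum(c.values())
                            for y, c in self.word_counts.items()}
        n_orders = sum(self.class_counts.values())
        # P(y1), P(y2): share of normal / aberrant orders in the sample set
        self.prior = {y: k / n_orders for y, k in self.class_counts.items()}

    def log_word_prob(self, word, label):
        """log P(w|y), estimated from the training counts with smoothing."""
        return math.log((self.word_counts[label][word] + 1)
                        / (self.total_words[label] + self.vocab_size))

    def posteriors(self, command):
        """{label: P(label|x)} for the order's feature word set x."""
        words = tokenize(command)
        scores = {y: math.log(self.prior[y])
                  + sum(self.log_word_prob(w, y) for w in words)
                  for y in self.prior}
        # P(x) is the same constant for both classes, so the posteriors are
        # the two scores normalized in log space (log-sum-exp).
        top = max(scores.values())
        log_px = top + math.log(sum(math.exp(s - top) for s in scores.values()))
        return {y: math.exp(s - log_px) for y, s in scores.items()}

    def classify(self, command, margin=0.0):
        """'bad' when P(bad|x) exceeds P(good|x) by at least margin, else
        'good' (margin=0 is the plain 'larger value wins' rule)."""
        p = self.posteriors(command)
        if p["bad"] > p["good"] and p["bad"] - p["good"] >= margin:
            return "bad"
        return "good"


if __name__ == "__main__":
    model = NaiveBayesCommandClassifier(TRAINING)
    for cmd in ("cat /var/log/syslog",
                "wget http://www.sina.com/dl/tad.tgz /usr/local/etc"):
        print(f"{cmd!r}: {model.classify(cmd)} {model.posteriors(cmd)}")
```

With nine training orders the posteriors are already extreme (well above 0.99 for the winning class), which illustrates the page's later remark that the quality of the approximation depends on the size of the training sample set: a small set is confident long before it is reliable, and study module 1206 is expected to keep merging new orders into it.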
The sort module 1204 implemented with the Bayes classification method has been described above. In practical applications, a sort module implemented by this method can learn from the training sample set and obtain very accurate classification results for the input current command; the classification method itself is easy to implement, has high classification accuracy and is fast.
It should be noted that, in addition to the Bayes classification method, sort module 1204 can also be implemented with logistic regression, partial least squares, decision trees and the like to classify the input order. For sort modules 1204 implemented with different methods, the processes of training on data and of identification differ with the method, but the input current command can equally be classified very accurately and identified as a normal command or an aberrant command. For example, when sort module 1204 is implemented with a decision tree, it first needs to be trained on the data in the training sample set to generate a decision tree model; when the class of an input current command needs to be judged, the current command is first segmented and each feature word obtained is substituted into the decision tree model, which computes the class it belongs to, thereby determining whether the current command is a normal command or an aberrant command. The other implementations of sort module 1204 can likewise be divided into learning and training on the training sample set to produce a judgment model, and then judging the input current command with the judgment model; they are not enumerated here.
In addition, in practical applications, when sort module 1204 is implemented with the Bayes classification method, logistic regression, partial least squares, a decision tree or the like, its output is an approximation of the real situation, and this approximation only reaches an ideal level of precision once the number of training samples in the training sample set has reached a certain size. In other words, the more training samples are collected, the more reliable the trained sort module 1204 is and the closer its output approaches the real situation. Therefore, in actual use, the data of the training sample set need to be expanded continuously: study module 1206 also takes newly added current commands as part of the training samples, merges them with the existing training sample set and performs machine learning again, and updates the various prior probabilities it provides to sort module 1204, so that sort module 1204 learns and trains on richer training samples, its identification accuracy is further improved, and its identification results for the currently input orders become more accurate.
Realization method three:
Command analyzer 120 may include filtering module 1202, sort module 1204 and study module 1206. Filtering module 1202 filters the orders received by intensive data recover 110 using preset suspicious rules, outputs the orders hit by the suspicious rules to sort module 1204, and outputs the alarm weight of each order hit by a suspicious rule, the alarm weight being obtained from the overall hit rate of that suspicious rule on orders. Sort module 1204 is coupled to filtering module 1202 and, according to the training sample set of the existing disaggregated model, further classifies the current command input from filtering module 1202, obtains the probability that the current command is a normal command and the probability that it is an aberrant command, and thereby identifies whether the current command is an aberrant command. Study module 1206 in this realization method is similar to study module 1206 in realization method two: it still performs machine learning on the training sample set of existing samples and, when there are newly added orders, performs machine learning again after merging the newly added orders with the existing training sample set, so as to provide the various prior probabilities required by sort module 1204.
This realization method combines the implementations of realization method one and realization method two. First, filtering module 1202 filters the current commands received by intensive data recover 110 using preset suspicious rules. The preset suspicious rules can be preset regular expression rules, which are matched in batch against the collected current commands; the aberrant commands that hit a suspicious rule are filtered out, and orders not hit by any suspicious rule can be regarded as normal commands. The alarm weight of each current command hit by a suspicious rule is also output; the alarm weight is obtained from the overall hit rate of that suspicious rule on orders, and the method of obtaining the alarm weight from the overall hit rate of a suspicious rule can refer to realization method one and is not described again here.
Further, filtering module 1202 outputs the orders hit by the suspicious rules to sort module 1204, which further judges the orders hit by the suspicious rules and identifies whether each current command is a normal command or an aberrant command. Sort module 1204 here is similar to sort module 1204 of the two preceding realization methods and is not described again. Under this realization method, the orders hit by the suspicious rules of filtering module 1202 are input to sort module 1204 for further judgment, so that the judgment of whether the currently input order is an aberrant command is more accurate, and erroneous judgments are to a large extent further avoided.
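The filtering half of realization method three (and, on its own, realization method one), as an added example that is not code from the patent: a set of regular expression suspicious rules is matched against the collected orders, each rule's overall hit rate over those orders is counted, and the alarm weight of every hit order is derived from that hit rate. The rule names and patterns, the constructed list of collected orders and the particular decreasing function used for the alarm weight (100 * (1 - hit rate)) are assumptions of this example; the page states only that the weight is a monotonically decreasing function of the hit rate.

```python
import re

# Constructed suspicious rules (regular expression rules, as the page allows).
# Names and patterns are assumptions for this example, not the patent's rules.
SUSPICIOUS_RULES = {
    "remote-archive-fetch": re.compile(r"\b(wget|curl)\b.*\.(tgz|tar\.gz|zip)\b"),
    "passwd-file-access": re.compile(r"/etc/passwd\b"),
    "world-writable-chmod": re.compile(r"\bchmod\s+(-R\s+)?[0-7]*777\b"),
}

# Constructed batch of collected orders standing in for what intensive data
# recover 110 would hand to filtering module 1202.
COLLECTED = [
    "ls -la /var/log", "cat /etc/hosts", "df -h", "ps aux", "uptime",
    "tail -f /var/log/syslog", "grep error /var/log/syslog", "cat /etc/passwd",
    "wget http://mirror.example.net/tool.tgz", "id",
    "chmod 777 /srv/app/uploads", "cat /etc/passwd", "whoami", "free -m",
    "netstat -tlnp", "ls /tmp",
    "curl http://files.example.com/pkg.tgz -o /tmp/pkg.tgz", "cat /etc/passwd",
    "date", "hostname",
]


def alarm_weight(hit_rate, scale=100.0):
    """Alarm weight as a decreasing function of a rule's overall hit rate.

    The linear form scale * (1 - hit_rate) is an assumption of this
    example. The intent matches the page: a rule that fires on a large share
    of all orders says little about any single order, so its hits weigh less."""
    return scale * (1.0 - hit_rate)


def filter_commands(commands, rules=SUSPICIOUS_RULES):
    """Batch-match the suspicious rules against the collected orders.

    Returns (hits, weights): hits is a list of (order, rule_name) for every
    order hit by a rule; weights maps rule_name -> alarm weight derived from
    that rule's hit rate over all collected orders. Orders hit by no rule are
    regarded as normal commands and do not appear in hits."""
    hits = []
    hit_counts = {name: 0 for name in rules}
    for cmd in commands:
        for name, pattern in rules.items():
            if pattern.search(cmd):
                hits.append((cmd, name))
                hit_counts[name] += 1
    weights = {name: alarm_weight(count / len(commands))
               for name, count in hit_counts.items()}
    return hits, weights


def weighted_hits(commands, rules=SUSPICIOUS_RULES):
    """(order, rule_name, alarm_weight) triples: the output of filtering
    module 1202, ready for sort module 1204 (method three) or for the alarm
    stage directly (method one)."""
    hits, weights = filter_commands(commands, rules)
    return [(cmd, name, weights[name]) for cmd, name in hits]


if __name__ == "__main__":
    for cmd, rule, weight in weighted_hits(COLLECTED):
        print(f"{weight:6.1f}  {rule:22s} {cmd}")
```

Because the hit rate is computed over the whole batch, the same order receives a different weight depending on what else was collected in the batch; in a deployment the rate would be maintained over a sliding history of orders rather than recomputed from one batch.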
After command analyzer 120 identifies aberrant commands in the various ways described above, they are supplied to alarm module 130. Alarm module 130 judges, according to the recognition result of command analyzer 120, whether the alarm conditions are met and, if they are, sends out warning information that the corresponding host has an anomaly. Warning information can be sent in various ways: for example, an email containing the warning information that the host has an anomaly may be sent to a reserved email address, or a message containing the warning information that the host has an anomaly may be sent to a reserved telephone number. As stated before, each order executed on a host corresponds to the host that executed it, so when the alarm conditions are met, warning information that the corresponding host executing the aberrant commands has an anomaly can be sent out, so that the corresponding host is handled in time.
Specifically, alarm device 130 can count, for each host, the number of aberrant commands that occur within a certain time period, judge whether the number within the period reaches a preset threshold and, if it does, send out warning information that the corresponding host executing the aberrant commands has an anomaly. For example, if the preset setting is that warning information is issued when a host has 10 or more aberrant commands within a time of 5 minutes, and a host is detected to have input 11 aberrant commands within a 5-minute time period, warning information that this host has an anomaly is sent out. Besides this alarm mode, alarm device 130 can also be implemented in other ways in order to achieve more flexible and accurate alarms; these other ways of implementing alarm device 130 are introduced below.
Alarm device 130 can have different implementations corresponding to the different realization methods of command analyzer 120. For example, corresponding to realization method one of command analyzer 120 described above, alarm device 130 can judge whether the alarm conditions are met according to the alarm weight of each aberrant command that occurs, the alarm weight being determined from the overall hit rate of the suspicious rule that hit the order, and send out warning information that the corresponding host has an anomaly when the alarm conditions are met. In a specific implementation, alarm device 130 can also count all aberrant commands on a certain host identified by command analyzer 120 within one alarm period, perform synthesization processing on the alarm weights corresponding to these aberrant commands, and judge from the synthesized value whether the preset alarm conditions are met. For example, command analyzer 120 outputs the following correspondence between the aberrant commands hit by the suspicious rules and their alarm weights:
cmd001——99.8
cmd003——30.0
cmd004——95.3
cmd005——99.8
Suppose the preset alarm conditions are that, within a preset time period, the sum of the alarm weights of all aberrant commands that occur reaches a preset alarm threshold; for example, the preset alarm conditions are that warning information is sent out when the sum of the alarm weights within a 5-minute time period reaches 1000, and the numbers of times each of the above aberrant commands occurred within 5 minutes are as follows:
Cmd001 --- 2 times
Cmd003 --- 1 time
Cmd004 --- 3 times
Cmd005 --- 5 times
From the alarm weights and occurrence numbers of the above aberrant commands, the sum of the alarm weights within these 5 minutes is 1014.5. It can be seen that the sum of the alarm weights within these 5 minutes has exceeded the preset alarm threshold, so warning information that the corresponding host has an anomaly is sent out.
As it can be seen that " the synthesization processing " of alarm weights corresponding to aberrant commands can be according to specific alarm mode It is different and different, can be the product of number and corresponding alarm weights that each aberrant commands occur in above-mentioned example It is cumulative or the alarm weights of each aberrant commands are directly cumulative(If certain order alerts repeatedly to go out in the period at one It is existing, then by the alarm weights of the cumulative repeatedly order)If the final result, which reaches preset threshold value, is issued by warning information. It should be noted why being alerted in the period to one, the corresponding alarm of all aberrant commands of a certain host mulberry is weighed Value carries out synthesization processing and then judges whether to need to alert, primarily to wrong report is reduced as far as possible, because often going out When now really there is dangerous order, multiple aberrant commands may be will appear in a short time, so relatively good mode is pair In certain time(In i.e. one alarm period)All aberrant commands comprehensive analysis their alarm weights, rather than just list Solely see the alarm weights of some aberrant commands.It will therefore be appreciated that the mode of synthesization processing is varied, before can taking The mode that multiple alarm weights that face is mentioned add up can also take multiple alarm weights multiplications to take the modes such as logarithm, this is completely Depending on actual needs, these feasible modes are all within the scope of the present invention.Moreover, for command analyzer 120 The final numerical expression of different realization methods, acquisition modes and alarm weights due to its alarm weights can not Together, therefore, " the synthesization processing " of alarm weights corresponding to aberrant commands can also correspond to different.
When command analyzer 120 is implemented according to realization method two, the sort module 1204 included in command analyzer 120 can obtain the probability that the current command is a normal command and the probability that it is an aberrant command. In this case alarm device 130 can count all aberrant commands on a certain host identified by command analyzer 120 within one alarm period, perform synthesization processing on the aberrant command probabilities corresponding to these aberrant commands, and judge from the synthesized value whether the preset alarm conditions are met. For example, within a preset 5-minute time period, the aberrant commands input on a certain host, the number of times each aberrant command occurred and the probability that each is an aberrant command are as follows:
Cmd001 --- 2 times --- 0.95
Cmd003 --- 1 time --- 0.89
Cmd004 --- 3 times --- 0.98
Cmd005 --- 5 times --- 0.90
When synthesization processing is performed on the aberrant command probabilities corresponding to these aberrant commands, the sum of the products of the probability of each aberrant command and its number of occurrences (in other words, the probabilities of the aberrant commands are accumulated, an order that occurs several times being accumulated that many times) can be taken as the reference data for deciding whether to alarm. In this example the reference data obtained is 10.23; if the preset alarm condition is that the reference data is higher than 10, it is judged that the result of the synthesization processing reaches the preset alarm conditions, and warning information that the corresponding host has an anomaly is sent out. As with the specific implementation of the synthesization processing described above, there can be many situations, and the synthesization processing in this example can also have many specific implementations; the specific manner of synthesization processing can be adjusted according to the actual situation, as long as it reflects a judgment, based on the probabilities of several aberrant commands taken together, of whether to alarm.
In command analyzer 120 implemented according to realization method three, filtering module 1202 can filter the current commands received by intensive data recover 110 using the preset suspicious rules and output the alarm weight of each current command hit by a suspicious rule, and sort module 1204 further judges the current commands hit by the suspicious rules, identifies whether each current command is a normal command or an aberrant command, and at the same time obtains the probability that the current command is a normal command and the probability that it is an aberrant command. Under this realization method, alarm device 130 can count all aberrant commands on a certain host identified by command analyzer 120 within one alarm period, multiply the aberrant command probability of each aberrant command by its alarm weight to obtain a corresponding alarm index, perform synthesization processing on the alarm indices of these aberrant commands, and judge from the synthesized value whether the preset alarm conditions are met. For example, within a preset 5-minute time period, the aberrant commands input on a certain host, the aberrant command probability and alarm weight corresponding to each aberrant command, and the number of occurrences are as shown in Table 1:
Table 1
Aberrant command   Aberrant command probability   Alarm weight   Alarm index   Occurrence number
cmd001             0.95                           99.8           98.41         2
cmd003             0.89                           90.0           80.10         1
cmd004             0.98                           95.3           93.39         3
cmd005             0.90                           99.8           89.82         5
At this point, when synthesization processing is performed on the alarm indices of the aberrant commands, the alarm index corresponding to each aberrant command can be accumulated; if an aberrant command occurs several times, its alarm index is accumulated that many times. In other words, the sum of the products of the alarm index corresponding to each aberrant command and its number of occurrences is taken as the reference data for deciding whether to send out warning information. For the table above, the reference value obtained by synthesization processing of the alarm indices of the aberrant commands is 1006.19. If the preset alarm conditions are a preset alarm threshold of 1000, with warning information sent out when the reference value is higher than the alarm threshold, then the reference value 1006.19 obtained in this example by synthesization processing of the alarm indices of the aberrant commands is higher than the preset alarm threshold and satisfies the precondition for sending out warning information, so warning information that the corresponding host has an anomaly is sent out.
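The three forms of synthesization processing described for alarm device 130 (accumulated alarm weights, accumulated aberrant command probabilities, and accumulated alarm indices, i.e. probability times weight), plus the plain count-per-period rule, applied over one alarm period per host. This is an added example, not code from the patent; the event stream, the timestamps and the host names are constructed so that the counts, weights and probabilities match the figures given in the examples above. Note that Table 1 lists an alarm index of 98.41 for cmd001 while 0.95 × 99.8 = 94.81; with the index recomputed as the product, the reference value for the table's inputs comes to 999.002, just under the threshold of 1000, so the example below asserts that no alarm is raised in that case.

```python
from dataclasses import dataclass


@dataclass
class AberrantEvent:
    """One aberrant command identified by command analyzer 120 (constructed)."""
    ts: int          # seconds since an arbitrary epoch
    host: str
    cmd: str
    weight: float    # alarm weight from the suspicious rule (methods one / three)
    prob: float      # probability of being an aberrant command (methods two / three)


def sample_events(cmd003_weight=30.0):
    """Constructed event stream reproducing the page's counts on host-A:
    cmd001 x2, cmd003 x1, cmd004 x3, cmd005 x5 within one 5-minute period,
    plus one event outside the period and one on another host. The page
    gives cmd003 the weight 30.0 in the alarm-weight example and 90.0 in
    Table 1, hence the parameter."""
    spec = [("cmd001", 99.8, 0.95, 2), ("cmd003", cmd003_weight, 0.89, 1),
            ("cmd004", 95.3, 0.98, 3), ("cmd005", 99.8, 0.90, 5)]
    events, t = [], 0
    for cmd, weight, prob, times in spec:
        for _ in range(times):
            events.append(AberrantEvent(t, "host-A", cmd, weight, prob))
            t += 20                      # 11 events spread over 0..200 s
    events.append(AberrantEvent(450, "host-A", "cmd001", 99.8, 0.95))  # next period
    events.append(AberrantEvent(30, "host-B", "cmd004", 95.3, 0.98))   # other host
    return events


def aggregate(events, host, window_start, window_seconds=300):
    """Synthesization processing for one host over one alarm period.

    Returns the four reference values the page describes: the number of
    aberrant commands, the accumulated alarm weights, the accumulated
    aberrant command probabilities, and the accumulated alarm indices."""
    agg = {"count": 0, "weight_sum": 0.0, "prob_sum": 0.0, "index_sum": 0.0}
    window_end = window_start + window_seconds
    for e in events:
        if e.host != host or not (window_start <= e.ts < window_end):
            continue
        agg["count"] += 1
        agg["weight_sum"] += e.weight           # method one: accumulate weights
        agg["prob_sum"] += e.prob               # method two: accumulate probabilities
        agg["index_sum"] += e.prob * e.weight   # method three: alarm index = prob x weight
    return agg


def should_alarm(agg, mode, threshold):
    """Alarm condition check. The page says the count and the weight sum must
    'reach' the threshold, while the probability sum and the index sum must
    be 'higher than' it; the comparison follows that wording."""
    value = agg[mode]
    if mode in ("count", "weight_sum"):
        return value >= threshold
    return value > threshold


if __name__ == "__main__":
    agg = aggregate(sample_events(), "host-A", window_start=0)
    print(agg)
    for mode, threshold in (("count", 10), ("weight_sum", 1000), ("prob_sum", 10)):
        print(mode, "->", "ALARM" if should_alarm(agg, mode, threshold) else "ok")
```

The aggregation is keyed by host and bounded by the period, which is what makes the per-host warning information meaningful: an event on another host or in the next period contributes nothing, and the 11-event count, the 1014.5 weight sum and the 10.23 probability sum from the page's examples all fall out of the same pass over the events.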
So far, the previously described system for analyzing the orders executed on each host can analyze the orders executed on each host and alarm on them well. In order to achieve closed-loop monitoring of each host terminal and improve the safety of the whole network system, the system can also include monitor 220, which monitors the deployment status of order sending module 2102 on each host. Specifically, on the one hand monitor 220 can know the information of each host terminal deployed in the system, for example the host IP of each host terminal; on the other hand monitor 220 can learn from intensive data recover 110 which hosts' executed orders it has received. By comparison, monitor 220 can thus know which hosts' executed orders have not been successfully transmitted to intensive data recover 110.
If a host terminal on which order sending module 2102 has been deployed does not correctly transmit orders to intensive data recover 110, this indicates that the order sending module 2102 on that host terminal has failed; if a host terminal newly added to the system does not transmit the orders executed on it to intensive data recover 110, this indicates that order sending module 2102 has not yet been deployed on that host terminal. After monitor 220 finds either of the above situations, it can handle them in time: for example, when it finds that a newly added host has no order sending module 2102 deployed, or that the order sending module 2102 on a host has failed, it can automatically log in, via the host IP, to the host on which order sending module 2102 is not deployed or has failed, and deploy order sending module 2102 for it. As can be seen, by monitoring the order sending module 2102 on each host in real time through monitor 220, order sending modules 2102 that are not working normally, or newly added hosts on which order sending module 2102 is not deployed, can be found in time, and when an anomaly is noticed the host whose order sending module 2102 is not working normally can be adjusted in time, or order sending module 2102 can be deployed on a newly added host that lacks it. This ensures that the whole system achieves closed-loop monitoring, finds and solves problems on its own, and better guarantees the precision of order analysis and the accuracy of alarms.
The analytical equipment and system for analyzing the orders executed on each host provided by the embodiments of the present invention have been described above. Corresponding to that analytical equipment and system, the embodiments of the present invention also provide an analysis method for analyzing the orders executed on each host.
Referring to Fig. 2, the method starts from step S210: first, the current command transmitted by each host over the network and the host identification it belongs to are collected. In a specific implementation, when collecting the current command and the host identification of each host transmitted over the network, the command analysis device shell of each host can be modified by adding a function that transmits the current command received by the shell, together with the host IP, over the network to a designated device, so that the current command and host identification of each host are collected. Step S210 can be executed by intensive data recover 110 described above, and the relevant technical features can refer to the description of intensive data recover 110 in the above embodiment, not repeated here. Further, the events in which each host transmits the current command and its host identification can be monitored, and when a newly added host is found not to have undergone the above shell modification, or the modification has failed, the host is automatically logged in to via its host IP and the above shell modification is deployed for it, so that hosts that cannot normally transmit orders or host identifications, or newly added hosts without the transmission function, are found in time and adjusted in time, achieving closed-loop monitoring of each host and improving the safety of the whole network system.
Having collected the current command and host identification of each host in step S210, step S220 can be executed next: the collected current commands are identified, at least distinguishing aberrant commands and normal commands. Specifically, the current commands can be identified in several ways:
The first way filters the collected current commands using preset suspicious rules, identifies the current commands hit by a suspicious rule as aberrant commands, and obtains the alarm weight of each aberrant command hit by a suspicious rule, the alarm weight being obtained from the overall hit rate of that suspicious rule on orders, where the suspicious rules can be regular expression rules. This realization method can be realized by command analyzer 120 in the system embodiment above, specifically by filtering module 1202, so the relevant technical features can refer to the description of filtering module 1202 above and are not repeated here. Likewise, in addition to filtering out aberrant commands according to the suspicious rules, the alarm weights of the aberrant commands can also be obtained, again by using a monotonically decreasing function with the overall hit rate of the suspicious rule on established orders as its independent variable to obtain the alarm weight of the aberrant commands hit by that suspicious rule; the relevant technical features can also refer to the description of alarm weights in filtering module 1202 in the system embodiment above and are not repeated here.
The second realization method classifies the received current command according to the training sample set of the existing disaggregated model, obtains the probability that the current command is a normal command and the probability that it is an aberrant command, and thereby identifies whether the current command belongs to the aberrant commands. Under this realization method the disaggregated model can be realized based on the Bayes classification method, logistic regression, partial least squares, a decision tree or the like. The realization process can first train and learn with one classification method on the training sample set; then, when the class of an input current command needs to be judged, the current command can first be segmented, each feature word obtained substituted into the trained model, and the class it belongs to computed, thereby determining whether the current command is a normal command or an aberrant command. Of course, in order to improve the accuracy of classification, the data in the training sample set need to be enriched continuously, so machine learning can be performed after merging newly added current commands with the existing training sample set, updating the existing training sample set used for classification. This realization method can be executed by command analyzer 120 in the system embodiment above, specifically by sort module 1204 and study module 1206, i.e. the second realization method of command analyzer 120, so the relevant technical features can refer to the description of sort module 1204 in the embodiment and are not repeated here.
The third realization method can be understood as a combination of the two preceding realization methods: first the received current commands are filtered using the preset suspicious rules, the current commands hit by a suspicious rule are filtered out, and the alarm weight of each current command hit by a suspicious rule is output, where the alarm weight is obtained from the overall hit rate of that suspicious rule on orders; then the filtered-out current commands are further classified according to the training sample set of the existing disaggregated model, the probability that the current command is a normal command and the probability that it is an aberrant command are obtained, and thereby it is identified whether the current command is an aberrant command, so as to obtain a more accurate recognition result of whether the current command is an aberrant command. This realization method can be executed by command analyzer 120 of the third mode in the system embodiment above, so the relevant technical features can refer to the description of filtering module 1202, sort module 1204 and study module 1206 in command analyzer 120 and are not repeated here.
After the current commands input on each host have been classified in step S220, i.e. the aberrant commands identified, step S230 is executed: it is judged from the recognition result whether the alarm conditions are met and, if they are, warning information that the corresponding host has an anomaly is sent out. Specifically, when sending out warning information that the corresponding host has an anomaly, the number of times the orders input on each host are identified as aberrant commands within a certain time period can be counted, and it is judged whether the number of aberrant commands that occur within the period reaches a preset threshold; if it does, warning information that the corresponding host has an anomaly is sent out. For example, the preset setting is that warning information is issued when 10 or more than 10 aberrant orders occur within a time of 5 minutes; if 11 aberrant commands are identified among the orders input on a certain host within a 5-minute time period, warning information that this host has an anomaly is sent out. Besides this alarm mode, in order to achieve more flexible and accurate alarms, step S230 can also have different realization methods corresponding to the different realization methods of step S220. For example, when step S220 filters out aberrant commands by the preset suspicious rules and outputs the alarm weights of the aberrant commands hit by the suspicious rules, step S230 can judge whether the alarm conditions are met according to the alarm weights of the aberrant commands and send out warning information if they are met. Specifically, all aberrant commands identified on a certain host within one alarm period are counted, synthesization processing is performed on the alarm weights corresponding to these aberrant commands, and it is judged from the synthesized value whether the preset alarm conditions are met; for example, the alarm weights corresponding to the aberrant commands that occur each time are accumulated, it is judged whether the accumulated alarm weights within the period reach the preset threshold, and if they do, warning information that the corresponding host has an anomaly is sent out.
As another example, when step S220 classifies each received current command according to the training sample set of an existing classification model, obtaining the probability that the current command is a normal command and the probability that it is an abnormal command, and thereby identifies whether the current command is abnormal, step S230 may be implemented by counting all abnormal commands identified on a certain host within one alarm period, aggregating the abnormal-command probabilities corresponding to these abnormal commands, and judging from the aggregated value whether the preset alarm condition is met. When aggregating the abnormal-command probabilities, the sum over the abnormal commands of the product of each command's probability and its number of occurrences may be taken as the reference datum for deciding whether to alarm; concretely, the obtained reference datum is compared with a preset alarm threshold, and if it is higher than the preset alarm threshold, warning information that the corresponding host is abnormal is issued.
As a further example, when step S220 filters the received current commands with preset suspicious rules, filters out the current commands hit by a suspicious rule and outputs the alarm weight of each such command, and then further classifies the filtered-out current commands according to the training sample set of an existing classification model to obtain the probability that the current command is a normal command and the probability that it is an abnormal command, thereby identifying whether the current command is abnormal, the alarm weight may be obtained from the overall hit rate of that suspicious rule on commands. Step S230 may then be implemented by counting all abnormal commands identified on a certain host within one alarm period, multiplying the abnormal-command probability of each abnormal command by its alarm weight to obtain the corresponding alarm index, aggregating the alarm indexes of these abnormal commands, and judging from the aggregated value whether the preset alarm condition is met. The aggregation may be to multiply each abnormal command's alarm index by its number of occurrences and add the products, taking the sum as the reference datum for deciding whether to issue warning information; the reference datum is then compared with the preset alarm threshold, and if it exceeds the preset alarm threshold, warning information that the corresponding host is abnormal is issued.
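The four alarm-condition variants of step S230 described above (count of abnormal commands per period, accumulated alarm weights, probability times occurrence count, and alarm index = probability times alarm weight) as an added Python example. This is not code from the patent or its assignee; the record layout, the function names, the host addresses, timestamps, probabilities, weights and thresholds are constructed here for illustration.

```python
# Added example of the alarm-condition variants of step S230. Not code from the
# patent; record layout, function names, hosts, timestamps and thresholds are
# constructed for illustration.
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class AbnormalCommand:
    """One command the command analyzer has identified as abnormal."""
    host: str          # host identification (an IP, as in the Fig. 3 deployment)
    ts: float          # time the command was input, seconds since epoch
    command: str
    p_abnormal: float  # classifier probability that the command is abnormal
    weight: float      # alarm weight of the suspicious rule that hit it


def in_period(events: Iterable[AbnormalCommand], host: str, now: float,
              period: float) -> List[AbnormalCommand]:
    """Abnormal commands of `host` whose input time lies in the last `period` seconds."""
    return [e for e in events if e.host == host and now - period <= e.ts <= now]


def count_score(events, host, now, period):
    """Variant 1: number of abnormal commands in the period."""
    return len(in_period(events, host, now, period))


def weight_score(events, host, now, period):
    """Variant 2: accumulated alarm weights of the abnormal commands in the period."""
    return sum(e.weight for e in in_period(events, host, now, period))


def _per_command(sel, value):
    """Sum over distinct command strings of value(command) * occurrence count."""
    counts = Counter(e.command for e in sel)
    per_cmd = {e.command: value(e) for e in sel}
    return sum(per_cmd[c] * n for c, n in counts.items())


def probability_score(events, host, now, period):
    """Variant 3: sum of abnormal probability * occurrence count."""
    return _per_command(in_period(events, host, now, period), lambda e: e.p_abnormal)


def index_score(events, host, now, period):
    """Variant 4: alarm index = probability * alarm weight, summed with occurrence counts."""
    return _per_command(in_period(events, host, now, period),
                        lambda e: e.p_abnormal * e.weight)


def should_alert(score: float, threshold: float) -> bool:
    """Alarm condition: the aggregated value reaches the preset threshold."""
    return score >= threshold


# Constructed sample: within the last 5 minutes host 10.0.0.5 input 11 abnormal
# commands (6x one command, 5x another), one older command falls outside the
# period, and host 10.0.0.6 input a single abnormal command.
NOW = 1_700_000_000.0
PERIOD = 5 * 60
EVENTS = (
    [AbnormalCommand("10.0.0.5", NOW - 10 * i, "rm -rf /srv/data", 0.9, 2.0) for i in range(6)]
    + [AbnormalCommand("10.0.0.5", NOW - 100 - 10 * i, "chmod 777 /etc/passwd", 0.8, 1.5)
       for i in range(5)]
    + [AbnormalCommand("10.0.0.5", NOW - 600, "rm -rf /srv/data", 0.9, 2.0)]
    + [AbnormalCommand("10.0.0.6", NOW - 30, "chmod 777 /etc/passwd", 0.8, 1.5)]
)

if __name__ == "__main__":
    for host in ("10.0.0.5", "10.0.0.6"):
        n = count_score(EVENTS, host, NOW, PERIOD)
        print(host, "abnormal commands in period:", n, "alert:", should_alert(n, 10))
```

With the 5-minute period and a count threshold of 10, host 10.0.0.5 (11 abnormal commands) triggers the alarm and host 10.0.0.6 does not; the weight, probability and index variants give 19.5, 9.4 and 16.8 for 10.0.0.5 and are compared against their own preset thresholds in the same way.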
Each of these specific implementations of step S230 may be executed by the alarm device 130 of the system embodiment above, so the related technical features may be found in the description of the alarm device 130 and are not repeated here.
The analytical equipment, system and method according to embodiments of the invention have been described in detail above. For easier understanding, a concrete application example of an embodiment of the invention is given below with reference to Fig. 3, which is a schematic diagram of the concrete application of one embodiment of the invention. In the figure, Linux/Unix/BSD Server denotes the hosts in the network system; there may be several hosts running Linux/Unix/BSD. The command interpreter (shell) of each host in the network system is modified so that it can transmit the input commands (Send shell_log) to the Receive Server (receiving server, equivalent to the centralized data collector 110 above), and the Receive Server records the received shell_log in the database in the form of a log. By comparing the host IP information associated with each command in the database with the IP of each host deployed in the system, it can be determined whether every host has correctly transmitted the commands executed on it to the Receive Server, which ensures that all Linux/Unix/BSD Server commands are sent normally; when a failure is found, or when a newly added host joins the network system, the command sending module can be deployed automatically to the failed or newly added host.
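The deployment check described for Fig. 3, as an added Python example (not code from the patent or its assignee): the host IPs appearing in the recorded shell_log are compared with the inventory of deployed hosts to find hosts whose command sending module has never reported, has gone silent, or is reporting from an address not in the inventory. The shell_log line format, the function names, the sample records and the check window are assumptions constructed here, and treating a deployed host that has stopped reporting within the window as a failed sending module is likewise an assumption, since the page only says that failures are detected by the comparison.

```python
# Added example: checking command-log coverage against the host inventory (Fig. 3).
# Not code from the patent; line format, names and sample records are constructed.
import re
from datetime import datetime, timedelta, timezone

# Assumed shell_log record layout as stored by the Receive Server:
# "<ISO-8601 time> <host IP> <user> <command line>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<user>\S+)\s+(?P<cmd>.+)$"
)


def parse_shell_log(lines):
    """Parse recorded shell_log lines; malformed lines are skipped and counted."""
    records, bad = [], 0
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            bad += 1
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
        records.append({"ts": ts, "ip": m["ip"], "user": m["user"], "cmd": m["cmd"]})
    return records, bad


def deployment_status(deployed_ips, records, now, max_silence):
    """Compare the host IPs seen in the database with the deployed host list.

    Returns (missing, silent, unknown):
      missing - deployed hosts that have never reported (sending module not deployed)
      silent  - deployed hosts whose last record is older than max_silence
                (assumed to indicate a failed sending module)
      unknown - reporting IPs that are not in the inventory (need review)
    """
    deployed = set(deployed_ips)
    last_seen = {}
    for r in records:
        if r["ip"] not in last_seen or r["ts"] > last_seen[r["ip"]]:
            last_seen[r["ip"]] = r["ts"]
    missing = sorted(deployed - set(last_seen))
    silent = sorted(ip for ip, t in last_seen.items()
                    if ip in deployed and now - t > max_silence)
    unknown = sorted(set(last_seen) - deployed)
    return missing, silent, unknown


# Constructed sample data: three deployed hosts, one of which never reported,
# one that stopped reporting, plus a record from an address outside the inventory.
DEPLOYED = ["10.0.0.5", "10.0.0.6", "10.0.0.7"]
SAMPLE_LOG = [
    "2023-10-01T10:00:01 10.0.0.5 root ls -la /var/log",
    "2023-10-01T10:00:07 10.0.0.5 app tail -f /var/log/app.log",
    "2023-10-01T08:30:00 10.0.0.6 root df -h",
    "2023-10-01T10:01:00 10.0.0.9 root ps aux",
    "this line is not a shell_log record",
]
NOW = datetime(2023, 10, 1, 10, 5, 0, tzinfo=timezone.utc)


def check():
    """Run the comparison on the constructed sample with a 30-minute silence window."""
    records, bad = parse_shell_log(SAMPLE_LOG)
    return deployment_status(DEPLOYED, records, NOW, timedelta(minutes=30)), bad
```

On the sample data, 10.0.0.7 is reported as missing (module never deployed), 10.0.0.6 as silent (last record 95 minutes old), and 10.0.0.9 as unknown; the monitor of embodiment B12 would then redeploy the sending module to the first two, while the third deserves a look at the inventory rather than an automatic action.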
In the specific analysis of commands, an online learning function may perform machine learning on the existing data in the database to generate a recognition model. When the currently input command needs to be identified, the generated model can be used to monitor and identify the input commands in real time, and an alarm is raised when an abnormal command is recognized and the alarm condition is met. When alarming, an e-mail containing the warning information can be sent to a preset mail address by E-mail, or a message containing the warning information can be sent to a preset telephone number through an SMS information center.
The analytical equipment, system and method for analyzing the commands executed on each host provided in embodiments of the invention have been described in detail above. With this analytical equipment, system or method, in a network system comprising several hosts, the current command of each host and the identification of the host to which it belongs are collected by network transmission; commands with a certain operational risk are effectively identified among the collected current commands; it is judged whether a command input on a host is an abnormal command or a normal command; and when the abnormal commands input on a host meet the alarm condition, warning information that the corresponding host is abnormal is issued. Thus abnormal commands with a certain danger that are input on hosts in the network system can be alerted in time, improving the safety of the system. This solves the problem that dangerous commands input on hosts in the system, whether through administrator misoperation, hacker attack or other causes, adversely affect the stable operation of the host or even the whole system: dangerous commands input on hosts in the network system are alerted in time, and the safety of the system is improved.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other equipment. Various general-purpose systems may also be used with the teaching herein. From the description above, the structure required to construct such systems is apparent. In addition, the invention is not directed to any particular programming language. It should be understood that various programming languages may be used to implement the content of the invention described herein, and the description above of a specific language is given to disclose the best mode of the invention.
Numerous specific details are set forth in the description provided here. It is to be understood, however, that embodiments of the invention may be practised without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to simplify the disclosure and help the understanding of one or more of the inventive aspects, in the description of exemplary embodiments of the invention above, features of the invention are sometimes grouped together into a single embodiment, figure or description thereof. However, the disclosed method should not be construed as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in fewer than all features of a single embodiment disclosed above. Therefore, the claims following the detailed description are hereby expressly incorporated into the detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will appreciate that the modules in the equipment of an embodiment may be adaptively changed and arranged in one or more pieces of equipment different from that embodiment. The modules, units or components in an embodiment may be combined into one module, unit or component, and may also be divided into several sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or equipment so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, equivalent or similar purpose.
In addition, those skilled in the art will understand that although some embodiments described herein include certain features that are included in other embodiments but not others, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The component embodiments of the invention may be implemented in hardware, as software modules running on one or more processors, or as a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the analytical equipment for analyzing the commands executed on each host according to embodiments of the invention. The invention may also be implemented as equipment or apparatus programs (for example, computer programs and computer program products) for executing some or all of the methods described herein. Such programs implementing the invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art may design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps other than those listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second and third does not indicate any ordering; these words may be interpreted as names.
The invention discloses A1, an analytical equipment for analyzing the commands executed on each host, comprising:
a centralized data collector, configured at least to collect, by network transmission, the current command of each host terminal and the identification of the host to which it belongs;
a command analyzer, configured to identify the current commands collected by the centralized data collector, identifying at least abnormal commands and normal commands;
an alarm device, configured to judge from the recognition result of the command analyzer whether an alarm condition is met and, if it is met, to issue warning information that the corresponding host is abnormal.
A2. The analytical equipment as described in A1, wherein the command analyzer comprises a filtering module configured to filter the current commands collected by the centralized data collector with preset suspicious rules, identify a current command hit by a suspicious rule as an abnormal command, and output the alarm weight of the abnormal command hit by the suspicious rule, the alarm weight being obtained from the overall hit rate of that suspicious rule on commands;
and the alarm device is specifically configured to judge from the alarm weights of the abnormal commands whether the alarm condition is met.
A3. The analytical equipment as described in A2, wherein the alarm weight of the abnormal command output by the filtering module is obtained as follows: the alarm weight of the abnormal command hit by a suspicious rule is obtained by a monotonically decreasing function whose independent variable is the overall hit rate of that suspicious rule on the commands already seen.
A4. The analytical equipment as described in A2 or A3, wherein the alarm device is specifically configured to count all abnormal commands identified by the command analyzer on a certain host within one alarm period, aggregate the alarm weights corresponding to these abnormal commands, and judge from the aggregated value whether the preset alarm condition is met.
A5. The analytical equipment as described in A1, wherein the command analyzer comprises:
a classification module, configured to classify the current commands received by the centralized data collector according to the training sample set of an existing classification model, obtain the probability that the current command is a normal command and the probability that it is an abnormal command, and thereby identify whether the current command is an abnormal command.
A6. The analytical equipment as described in A5, wherein the alarm device is specifically configured to count all abnormal commands identified by the command analyzer on a certain host within one alarm period, aggregate the abnormal-command probabilities corresponding to these abnormal commands, and judge from the aggregated value whether the preset alarm condition is met.
A7. The analytical equipment as described in A1, wherein the command analyzer comprises:
a filtering module, configured to filter the current commands received by the centralized data collector with preset suspicious rules, output the current commands hit by a suspicious rule to the classification module, and output the alarm weight of each current command hit by the suspicious rule, the alarm weight being obtained from the overall hit rate of that suspicious rule on commands;
a classification module, configured to further classify the current commands input from the filtering module according to the training sample set of an existing classification model, obtain the probability that the current command is a normal command and the probability that it is an abnormal command, and thereby identify whether the current command is an abnormal command.
A8. The analytical equipment as described in A5 or A7, wherein the command analyzer further comprises:
a learning module, configured to merge newly added current commands with the existing training sample set and perform machine learning, so as to update the existing training sample set used by the classification module.
A9. The analytical equipment as described in A7, wherein the alarm device is specifically configured to count all abnormal commands identified by the command analyzer on a certain host within one alarm period, multiply the abnormal-command probability of each abnormal command by its alarm weight to obtain the corresponding alarm index, aggregate the alarm indexes of these abnormal commands, and judge from the aggregated value whether the preset alarm condition is met.
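Embodiments A2, A3, A7, A8 and A9 together as an added Python example, not code from the patent or its assignee: a suspicious-rule filter whose alarm weight is a monotonically decreasing function of the rule's overall hit rate, a token-based naive Bayes classifier trained from a labelled sample set that returns the normal/abnormal probabilities of a rule-hit command, a learning step that merges new samples into the training set and retrains, and the product of probability and weight as the alarm index. The rule patterns, the weight function 1/(1 + 10*rate), the choice of classifier, the tokenizer and the training commands are all assumptions made for illustration; the page only fixes that the weight decreases monotonically with the hit rate.

```python
# Added example of embodiments A2/A3 (rule filter with hit-rate-based alarm
# weight), A7 (rule-hit commands passed to a classifier), A8 (learning step) and
# A9 (alarm index). Not code from the patent; rule patterns, the weight function,
# the naive Bayes classifier and the sample commands are assumptions.
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[A-Za-z0-9_./-]+")


def tokenize(cmd):
    """Split a command line into lower-cased tokens (assumed tokenizer)."""
    return TOKEN_RE.findall(cmd.lower())


class SuspiciousRuleFilter:
    """Filtering module: match commands against preset suspicious rules and derive
    each rule's alarm weight from its overall hit rate on the commands seen so far."""

    def __init__(self, rules):
        self.rules = {name: re.compile(pat) for name, pat in rules.items()}
        self.seen = 0          # commands filtered so far
        self.hits = Counter()  # hits per rule

    @staticmethod
    def weight_from_hit_rate(rate):
        """Assumed monotonically decreasing function: a rule that fires on almost
        every command carries little information and gets a small weight."""
        return 1.0 / (1.0 + 10.0 * rate)

    def filter(self, cmd):
        """Return (rule_name, alarm_weight) on a hit, else (None, None); the hit
        rate is recomputed after the current command has been counted."""
        self.seen += 1
        for name, rx in self.rules.items():
            if rx.search(cmd):
                self.hits[name] += 1
                return name, self.weight_from_hit_rate(self.hits[name] / self.seen)
        return None, None


class CommandClassifier:
    """Classification module: multinomial naive Bayes over command tokens, trained
    from (command, label) samples with label 'normal' or 'abnormal'."""
    LABELS = ("normal", "abnormal")

    def __init__(self, samples):
        self.samples = list(samples)
        self._fit()

    def _fit(self):
        self.class_counts = Counter(label for _, label in self.samples)
        self.token_counts = {lab: Counter() for lab in self.LABELS}
        for cmd, label in self.samples:
            self.token_counts[label].update(tokenize(cmd))
        self.vocab = set().union(*(set(c) for c in self.token_counts.values()))

    def predict(self, cmd):
        """Return (p_normal, p_abnormal), Laplace-smoothed and normalised."""
        toks, total, v = tokenize(cmd), len(self.samples), len(self.vocab)
        logp = {}
        for lab in self.LABELS:
            lp = math.log((self.class_counts[lab] + 1) / (total + len(self.LABELS)))
            n = sum(self.token_counts[lab].values())
            for t in toks:
                lp += math.log((self.token_counts[lab][t] + 1) / (n + v))
            logp[lab] = lp
        m = max(logp.values())
        z = sum(math.exp(x - m) for x in logp.values())
        return tuple(math.exp(logp[lab] - m) / z for lab in self.LABELS)

    def update(self, new_samples):
        """Learning module: merge newly labelled commands and retrain."""
        self.samples.extend(new_samples)
        self._fit()


class CommandAnalyzer:
    """A7 pipeline: only rule-hit commands reach the classifier; the result carries
    the abnormal probability, the rule's alarm weight and their product (A9)."""

    def __init__(self, rules, samples):
        self.rule_filter = SuspiciousRuleFilter(rules)
        self.classifier = CommandClassifier(samples)

    def analyze(self, cmd):
        rule, weight = self.rule_filter.filter(cmd)
        if rule is None:
            return {"rule": None, "abnormal": False, "p_abnormal": 0.0,
                    "weight": 0.0, "alarm_index": 0.0}
        _, p_abnormal = self.classifier.predict(cmd)
        return {"rule": rule, "abnormal": p_abnormal > 0.5, "p_abnormal": p_abnormal,
                "weight": weight, "alarm_index": p_abnormal * weight}


# Constructed rules and labelled training commands for illustration.
RULES = {"rm_rf": r"\brm\s+-rf\b", "chmod_777": r"\bchmod\s+777\b"}
SAMPLES = [
    ("ls -la /var/log", "normal"), ("cd /home/app", "normal"), ("ps aux", "normal"),
    ("tail -f /var/log/syslog", "normal"), ("git pull origin master", "normal"),
    ("df -h", "normal"), ("rm -rf /", "abnormal"), ("chmod 777 /etc/passwd", "abnormal"),
    ("dd if=/dev/zero of=/dev/sda", "abnormal"), ("cat /etc/shadow", "abnormal"),
    ("history -c", "abnormal"),
]
```

The per-command result of `analyze` is what the alarm device of A9 aggregates over an alarm period; a rule that starts hitting a large share of all commands sees its weight shrink, so a noisy rule cannot by itself push a host over the alarm threshold, while the classifier's probability keeps the genuinely unusual commands weighted highly.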
B10. A system for analyzing the commands executed on each host, comprising the analytical equipment described in any one of B1 to B9 and several host terminals;
the several host terminals being configured at least to transmit the current command of each host and the identification of the host to which it belongs to the centralized data collector over the network.
B11. The system as described in B10, wherein the host terminal comprises:
a command sending module, configured to modify the command interpreter (shell) of each host so as to add the function of transmitting the host's current command received by the shell, together with the host IP, to the centralized data collector.
B12. The system as described in B11, further comprising:
a monitor, configured to monitor the deployment of the command sending module on each host and, when it finds a newly added host on which the command sending module is not deployed or finds a host on which the command sending module has failed, to log in automatically to that host by its host IP and deploy the command sending module on it.
C13. A method for analyzing the commands executed on each host, comprising:
collecting, by network transmission, the current command of each host and the identification of the host to which it belongs;
identifying the collected current commands, identifying at least abnormal commands and normal commands;
judging from the above recognition result whether an alarm condition is met and, if it is met, issuing warning information that the corresponding host is abnormal.
C14. The method as described in C13, wherein the step of identifying the collected current commands comprises:
filtering the collected current commands with preset suspicious rules, identifying a current command hit by a suspicious rule as an abnormal command, and obtaining the alarm weight of the abnormal command hit by the suspicious rule, the alarm weight being obtained from the overall hit rate of that suspicious rule on commands;
and the step of judging from the above recognition result whether an alarm condition is met comprises: judging from the alarm weights of the abnormal commands whether the alarm condition is met.
C15. The method as described in C14, wherein the alarm weight of the abnormal command is obtained as follows:
the alarm weight of the abnormal command hit by a suspicious rule is obtained by a monotonically decreasing function whose independent variable is the overall hit rate of that suspicious rule on the commands already seen.
C16. The method as described in C14, wherein the step of judging from the recognition result whether an alarm condition is met comprises:
counting all abnormal commands identified on a certain host within one alarm period, aggregating the alarm weights corresponding to these abnormal commands, and judging from the aggregated value whether the preset alarm condition is met.
C17. The method as described in C11, wherein identifying the collected current commands comprises:
classifying each received current command according to the training sample set of an existing classification model to obtain the probability that the current command is a normal command and the probability that it is an abnormal command, and thereby identifying whether the current command is an abnormal command.
C18. The method as described in C17, wherein the step of judging from the recognition result whether an alarm condition is met comprises:
counting all abnormal commands identified on a certain host within one alarm period, aggregating the abnormal-command probabilities corresponding to these abnormal commands, and judging from the aggregated value whether the preset alarm condition is met.
C19. The method as described in C13, wherein identifying the collected current commands comprises:
filtering the received current commands with preset suspicious rules, filtering out the current commands hit by a suspicious rule and outputting the alarm weight of each current command hit by the suspicious rule, the alarm weight being obtained from the overall hit rate of that suspicious rule on commands;
further classifying the filtered-out current commands according to the training sample set of an existing classification model to obtain the probability that the current command is a normal command and the probability that it is an abnormal command, and thereby identifying whether the current command is an abnormal command.
C20. The method as described in C17 or C19, further comprising:
merging newly added current commands with the existing training sample set and performing machine learning, so as to update the existing training sample set used for classification.
C21. The method as described in C19, wherein the step of judging from the recognition result whether an alarm condition is met comprises:
counting all abnormal commands identified on a certain host within one alarm period, multiplying the abnormal-command probability of each abnormal command by its alarm weight to obtain the corresponding alarm index, aggregating the alarm indexes of these abnormal commands, and judging from the aggregated value whether the preset alarm condition is met.
C22. The method as described in C13-21, wherein the step of collecting, by network transmission, the current command of each host and the identification of the host to which it belongs comprises:
modifying the command interpreter (shell) of each host to add the function of transmitting the host's current command received by the shell, together with the host IP, over the network to a designated device, and collecting the current command of each host and the identification of the host to which it belongs by means of this function.
C23. The method as described in C22, further comprising:
monitoring the transmission of the current command and host identification by each host and, when a newly added host is found on which the above shell modification has not been performed or has failed, logging in automatically to that host by its host IP and performing the above shell modification on it.

Claims (19)

1. An analytical equipment for analyzing the commands executed on each host, comprising:
a centralized data collector, configured at least to collect, by network transmission, the current command of each host terminal and the identification of the host to which the current command belongs, wherein the current command is the command currently input on each host terminal;
a command analyzer, configured to identify the commands currently input on each host terminal that the centralized data collector has collected, identifying at least abnormal commands and normal commands;
an alarm device, configured to judge from the recognition result of the command analyzer whether an alarm condition is met and, if it is met, to issue warning information that the corresponding host is abnormal;
wherein the command analyzer comprises a filtering module configured to filter the current commands collected by the centralized data collector with preset suspicious rules, identify a current command hit by a suspicious rule as an abnormal command, and output the alarm weight of the abnormal command hit by the suspicious rule, the alarm weight being obtained from the overall hit rate of that suspicious rule on commands;
the alarm weight of the abnormal command output by the filtering module is obtained as follows: the alarm weight of the abnormal command hit by a suspicious rule is obtained by a monotonically decreasing function whose independent variable is the overall hit rate of that suspicious rule on the commands already seen;
and the alarm device is specifically configured to judge from the alarm weights of the abnormal commands whether the alarm condition is met.
2. The analytical equipment as claimed in claim 1, wherein the alarm device is specifically configured to count all abnormal commands identified by the command analyzer on a certain host within one alarm period, aggregate the alarm weights corresponding to these abnormal commands, and judge from the aggregated value whether the preset alarm condition is met.
3. The analytical equipment as claimed in claim 1, wherein the command analyzer comprises:
a classification module, configured to classify the current commands received by the centralized data collector according to the training sample set of an existing classification model, obtain the probability that the current command is a normal command and the probability that it is an abnormal command, and thereby identify whether the current command is an abnormal command.
4. The analytical equipment as claimed in claim 3, wherein the alarm device is specifically configured to count all abnormal commands identified by the command analyzer on a certain host within one alarm period, aggregate the abnormal-command probabilities corresponding to these abnormal commands, and judge from the aggregated value whether the preset alarm condition is met.
5. The analytical equipment as claimed in claim 1, wherein the command analyzer comprises:
a filtering module, configured to filter the current commands received by the centralized data collector with preset suspicious rules, output the current commands hit by a suspicious rule to the classification module, and output the alarm weight of each current command hit by the suspicious rule, the alarm weight being obtained from the overall hit rate of that suspicious rule on commands;
a classification module, configured to further classify the current commands input from the filtering module according to the training sample set of an existing classification model, obtain the probability that the current command is a normal command and the probability that it is an abnormal command, and thereby identify whether the current command is an abnormal command.
6. The analytical equipment as claimed in claim 3 or 5, wherein the command analyzer further comprises:
a learning module, configured to merge newly added current commands with the existing training sample set and perform machine learning, so as to update the existing training sample set used by the classification module.
7. The analytical equipment as claimed in claim 6, wherein the alarm device is specifically configured to count all abnormal commands identified by the command analyzer on a certain host within one alarm period, multiply the abnormal-command probability of each abnormal command by its alarm weight to obtain the corresponding alarm index, aggregate the alarm indexes of these abnormal commands, and judge from the aggregated value whether the preset alarm condition is met.
8. A system for analyzing the commands executed on each host, comprising the analytical equipment as claimed in any one of claims 1 to 7 and several host terminals;
the several host terminals being configured at least to transmit the current command of each host and the identification of the host to which it belongs to the centralized data collector over the network.
9. The system as claimed in claim 8, wherein the host terminal comprises:
a command sending module, configured to modify the command interpreter (shell) of each host so as to add the function of transmitting the host's current command received by the shell, together with the host IP, to the centralized data collector.
10. The system as claimed in claim 9, further comprising:
a monitor, configured to monitor the deployment of the command sending module on each host and, when it finds a newly added host on which the command sending module is not deployed or finds a host on which the command sending module has failed, to log in automatically to that host by its host IP and deploy the command sending module on it.
11. A method for analyzing the commands executed on each host, comprising:
collecting, by network transmission, the current command of each host and the identification of the host to which the current command belongs, wherein the current command is the command currently input on each host terminal;
identifying the collected commands currently input on each host terminal, identifying at least abnormal commands and normal commands;
judging from the above recognition result whether an alarm condition is met and, if it is met, issuing warning information that the corresponding host is abnormal;
wherein the step of identifying the collected current commands comprises:
filtering the collected current commands with preset suspicious rules, identifying a current command hit by a suspicious rule as an abnormal command, and obtaining the alarm weight of the abnormal command hit by the suspicious rule, the alarm weight being obtained from the overall hit rate of that suspicious rule on commands;
the alarm weight of the abnormal command is obtained as follows:
the alarm weight of the abnormal command hit by a suspicious rule is obtained by a monotonically decreasing function whose independent variable is the overall hit rate of that suspicious rule on the commands already seen;
and the step of judging from the above recognition result whether an alarm condition is met comprises: judging from the alarm weights of the abnormal commands whether the alarm condition is met.
12. The method as claimed in claim 11, wherein the step of judging from the recognition result whether an alarm condition is met comprises:
counting all abnormal commands identified on a certain host within one alarm period, aggregating the alarm weights corresponding to these abnormal commands, and judging from the aggregated value whether the preset alarm condition is met.
13. The method as claimed in claim 11, wherein identifying the collected current commands comprises:
classifying each received current command according to the training sample set of an existing classification model to obtain the probability that the current command is a normal command and the probability that it is an abnormal command, and thereby identifying whether the current command is an abnormal command.
14. The method as claimed in claim 13, wherein the step of judging from the recognition result whether an alarm condition is met comprises:
counting all abnormal commands identified on a certain host within one alarm period, aggregating the abnormal-command probabilities corresponding to these abnormal commands, and judging from the aggregated value whether the preset alarm condition is met.
15. The method as claimed in claim 12, wherein identifying the collected current commands comprises:
filtering the received current commands with preset suspicious rules, filtering out the current commands hit by a suspicious rule and outputting the alarm weight of each current command hit by the suspicious rule, the alarm weight being obtained from the overall hit rate of that suspicious rule on commands;
further classifying the filtered-out current commands according to the training sample set of an existing classification model to obtain the probability that the current command is a normal command and the probability that it is an abnormal command, and thereby identifying whether the current command is an abnormal command.
16. The method as claimed in claim 13 or 15, further comprising:
merging newly added current commands with the existing training sample set and performing machine learning, so as to update the existing training sample set used for classification.
17. The method as claimed in claim 15, wherein the step of judging from the recognition result whether an alarm condition is met comprises:
counting all abnormal commands identified on a certain host within one alarm period, multiplying the abnormal-command probability of each abnormal command by its alarm weight to obtain the corresponding alarm index, aggregating the alarm indexes of these abnormal commands, and judging from the aggregated value whether the preset alarm condition is met.
18. The method as claimed in any one of claims 11-15 and 17, wherein the step of collecting, by network transmission, the current command of each host and the identification of the host to which it belongs comprises:
modifying the command interpreter (shell) of each host to add the function of transmitting the host's current command received by the shell, together with the host IP, over the network to a designated device, and collecting the current command of each host and the identification of the host to which it belongs by means of this function.
19. method as claimed in claim 18, further includes:
The event that the current command and affiliated host identification are transmitted to each host is monitored, when discovery has newly-increased host not carry out When stating shell transformations or transformation failure, by disposing changing for above-mentioned shell in the host ip automated log on to the host for it It makes.
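The following is an added example (not code from the patent or its assignee) that carries the pipeline of claims 11, 13, 15 and 17 through on constructed records: a suspicious-rule filter, an alarm weight that decreases with a rule's overall hit count, a stand-in classifier giving P(abnormal), and a per-host synthesis of probability × weight over one alarm period. The rule patterns, the weight function 1/(1+ln(1+hits)), the stand-in classifier, summation as the synthesis step and the threshold value are all assumptions; the claims fix only the structure.

```python
import math
import re
from collections import defaultdict

# Constructed suspicious rules (hypothetical patterns, not the patent's own rule set).
SUSPICIOUS_RULES = {
    "recursive_root_delete": re.compile(r"\brm\s+-rf\s+/(\s|$)"),
    "world_writable_chmod": re.compile(r"\bchmod\s+(-R\s+)?777\b"),
    "shadow_read": re.compile(r"\bcat\s+/etc/shadow\b"),
}

def alarm_weight(total_hits: int) -> float:
    # Claim 11: a monotonic decreasing function of the rule's overall hit count.
    # 1/(1+ln(1+hits)) is an assumed choice; the claim fixes only the monotonicity,
    # so a rule that fires constantly (noise) counts less per hit than a rare one.
    return 1.0 / (1.0 + math.log1p(total_hits))

def match_rule(command: str):
    # Rule filter of claim 11: name of the first suspicious rule hit, else None.
    for name, pattern in SUSPICIOUS_RULES.items():
        if pattern.search(command):
            return name
    return None

def stand_in_classifier(command: str) -> float:
    # Stand-in for the trained model of claim 13; returns a constructed P(abnormal).
    if "rm -rf" in command or "/etc/shadow" in command:
        return 0.9
    return 0.6 if "chmod" in command else 0.1

def evaluate_alarm_period(records, threshold: float):
    # records: (host_id, command) pairs collected in one alarm period.
    # Claim 17: alarm index = P(abnormal) * alarm weight; per-host synthesis is
    # assumed to be a sum, compared with a threshold. Returns {host: (value, met)}.
    rule_hits = {}
    scores = defaultdict(float)
    for host, command in records:
        rule = match_rule(command)
        if rule is None:
            continue  # claim 15: only commands hit by a rule reach the classifier
        rule_hits[rule] = rule_hits.get(rule, 0) + 1
        p_abnormal = stand_in_classifier(command)
        if p_abnormal <= 0.5:
            continue  # classifier judged it a normal command
        scores[host] += p_abnormal * alarm_weight(rule_hits[rule])
    return {host: (value, value >= threshold) for host, value in scores.items()}

# Constructed sample: two hosts, one alarm period.
SAMPLE_RECORDS = [("10.0.0.5", "ls -la /var/log"), ("10.0.0.5", "rm -rf / "),
                  ("10.0.0.5", "cat /etc/shadow"), ("10.0.0.7", "chmod 777 /srv/app"),
                  ("10.0.0.7", "chmod 777 /srv/app")]
```

With a threshold of 1.0, host 10.0.0.5 (two distinct high-probability hits, each at weight for hit count 1) meets the alarm conditions, while host 10.0.0.7 does not, because its repeated hits on one rule are progressively down-weighted.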
CN201310492700.2A 2013-10-18 2013-10-18 Analytical equipment, system and method for analyzing the order executed on each host Active CN103532760B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310492700.2A CN103532760B (en) 2013-10-18 2013-10-18 Analytical equipment, system and method for analyzing the order executed on each host

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201310492700.2A CN103532760B (en) 2013-10-18 2013-10-18 Analytical equipment, system and method for analyzing the order executed on each host

Publications (2)

Publication Number Publication Date
CN103532760A CN103532760A (en) 2014-01-22
CN103532760B true CN103532760B (en) 2018-11-09

Family

ID=49934461

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310492700.2A Active CN103532760B (en) 2013-10-18 2013-10-18 Analytical equipment, system and method for analyzing the order executed on each host

Country Status (1)

Country Link
CN (1) CN103532760B (en)

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106294060B (en) * 2015-06-10 2020-10-16 深圳市腾讯计算机系统有限公司 Operation and maintenance auditing method, device and server
CA2989806A1 (en) * 2015-06-19 2016-12-22 Uptake Technologies, Inc. Local analytics at an asset
CN106201442B (en) * 2016-07-15 2019-06-25 Oppo广东移动通信有限公司 The execution method and device of application program
US10963797B2 (en) * 2017-02-09 2021-03-30 Caterpillar Inc. System for analyzing machine data
CN108683531B (en) * 2018-05-02 2019-06-21 百度在线网络技术(北京)有限公司 Method and apparatus for handling log information
CN112769729B (en) * 2019-10-21 2023-03-03 广州汽车集团股份有限公司 Server intrusion alarm method and system
CN111008041B (en) * 2019-12-04 2022-03-11 北京百度网讯科技有限公司 Command processing method and device for host, electronic equipment and storage medium
CN112037818A (en) * 2020-08-30 2020-12-04 北京嘀嘀无限科技发展有限公司 Abnormal condition determining method and forward matching formula generating method
CN113239364A (en) * 2021-06-11 2021-08-10 杭州安恒信息技术股份有限公司 Method, device, equipment and storage medium for detecting vulnerability exploitation

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1175350C (en) * 2001-12-04 2004-11-10 上海复旦光华信息科技股份有限公司 Host computer performance monitoring and automatic reacting system
CN1960273A (en) * 2005-11-01 2007-05-09 杭州帕拉迪网络科技有限公司 Method for dynamic real time capturing logic commands input from UNIX terminal user
KR20090121579A (en) * 2008-05-22 2009-11-26 주식회사 이베이지마켓 System for checking vulnerabilities of servers and method thereof
CN101707632A (en) * 2009-10-28 2010-05-12 浪潮电子信息产业股份有限公司 Method for dynamically monitoring performance of server cluster and alarming real-timely
CN102238023B (en) * 2010-04-23 2014-03-19 中兴通讯股份有限公司 Method and device for generating warning data of network management system
CN102571476B (en) * 2010-12-27 2015-08-19 中国银联股份有限公司 A kind of method and apparatus of monitoring terminal command line in real time
CN103064774B (en) * 2013-01-16 2016-08-10 北京君正集成电路股份有限公司 A kind of method for monitoring bus being applied to embedded system and device

Also Published As

Publication number Publication date
CN103532760A (en) 2014-01-22

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
C41 Transfer of patent application or patent right or utility model
TA01 Transfer of patent application right

Effective date of registration: 20161128

Address after: 100016 Jiuxianqiao Chaoyang District Beijing Road No. 10, building 15, floor 17, layer 1701-26, 3

Applicant after: BEIJING QI'ANXIN SCIENCE & TECHNOLOGY CO., LTD.

Address before: 100088 Beijing city Xicheng District xinjiekouwai Street 28, block D room 112 (Desheng Park)

Applicant before: Beijing Qihu Technology Co., Ltd.

Applicant before: Qizhi Software (Beijing) Co., Ltd.

GR01 Patent grant
CP03 Change of name, title or address

Address after: 100032 Building 3 332, 102, 28 Xinjiekouwai Street, Xicheng District, Beijing

Patentee after: Qianxin Technology Group Co., Ltd.

Address before: 100016 Jiuxianqiao Chaoyang District Beijing Road No. 10, building 15, floor 17, layer 1701-26, 3

Patentee before: BEIJING QI'ANXIN SCIENCE & TECHNOLOGY CO., LTD.
