Detailed description
The exemplary embodiments of the disclosure are described more fully below with reference to the accompanying drawings. Although the drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure may be realized in various forms and should not be limited by the embodiments set forth here. On the contrary, these embodiments are provided so that the disclosure will be understood more thoroughly and its scope will be conveyed completely to those skilled in the art.
Referring to Fig. 1, Fig. 1 shows a system according to an embodiment of the invention for analyzing the commands executed on each host. The system includes several host terminals 210 and an analysis device 100 for analyzing the commands executed on each host. The analysis device 100 specifically includes a centralized data collector 110, a command analyzer 120 and an alarm device 130; each host terminal 210 includes a command sending module 2102, and each host terminal 210 is coupled to the centralized data collector 110. The specific implementation of the analysis device for analyzing the commands executed on each host, and of each of its components, is described below.
A network system is usually made up of multiple host terminals 210, and a host terminal 210 can be a physical computer or a virtual machine running on computer equipment. The multiple host terminals can take on different roles, and a variety of commands can be run on each terminal to perform operations such as starting up and shutting down the system, file operations, system configuration, and installing or uninstalling software. Among the commands entered there may be commands that pose a potential hazard to system operation, so the analysis device 100 needs to identify the commands that may cause potential harm. Preferably, the current command to be executed on each host, together with the identifier of the host it belongs to, is transmitted over the network to the analysis device 100. The host identifier can be the host name and/or IP address of each host in the network system; the analysis device 100 obtains the host identifier mainly in order to determine which host issued the command currently entered, so that if the command turns out to be risky, warning information can be sent out under certain conditions. In order to transfer the commands executed on each host to the analysis device 100 accurately and completely, a command sending module 2102 needs to be arranged in each host terminal 210.
First, the command sending module 2102 transmits the current command on each host, together with the identifier of the host it belongs to, over the network to the centralized data collector 110. For example, the command sending module 2102 can be implemented by modifying the command interpreter (shell) of each host, adding to the shell the function of transmitting the current command it receives and the host IP to a designated device (such as the centralized data collector 110). For instance, on UNIX-like operating systems the common shells include bash, csh and tcsh. Taking bash as an example, its add_history function can be modified by adding a call to a function talker(char *host, char *message), and the talker function transmits the current command entered on the host host to the centralized data collector 110. The transmission of the current command entered can be real-time, i.e. as soon as a command is entered on a monitored host terminal 210 it is transferred to the centralized data collector 110. Alternatively, the commands entered on the monitored host terminal 210 can be stored in the form of a log file shell_log, and the shell_log file transmitted to the centralized data collector 110 when a certain condition is reached, such as when a certain period of time has elapsed or when the shell_log file has reached a certain size.
After each host terminal 210 has transmitted the commands executed on it, together with the host identifier, to the centralized data collector 110 through the command sending module 2102, the centralized data collector 110 has collected the commands currently entered on each host terminal 210 and knows on which host each command was entered. Optionally, it can save all the commands received to a database, thereby preparing the data for the subsequent analysis of the current command. The command analyzer 120 is coupled to the centralized data collector 110, and the subsequent detailed analysis is mainly completed by the command analyzer 120.
The command analyzer 120 identifies the current command collected by the centralized data collector 110, and at least distinguishes abnormal commands from normal commands. Here, an abnormal command is a command that may pose a potential threat to the normal operation of the system, and a normal command is one that poses no threat to system operation. There are many ways the command analyzer 120 can be realized to identify commands; several implementations of the command analyzer 120 are described in detail below.
Implementation one:
The command analyzer 120 may include a filtering module 1202. The filtering module 1202 filters the current command received by the centralized data collector 110 using preset suspicious rules, identifies a current command hit by a suspicious rule as an abnormal command, and outputs the alarm weight of the abnormal command hit by the suspicious rule; here the alarm weight is obtained from the overall hit rate of that suspicious rule on commands. The preset suspicious rules can be generated in advance from the features of common risky operations: each suspicious rule contains the signature of at least one risky operation, and depending on the actual situation the signatures of risky operations come in many kinds, for example one or more of the following: adding an account; opening, modifying or deleting key attributes of a sensitive file; viewing or modifying the password of a sensitive file; changing network settings; elevating user privileges; changing firewall settings; viewing system logs; compiling code; the presence of sensitive words; changing file permissions and attributes; shutting down or restarting; displaying the content of a specific file; establishing a network connection and downloading a file from a specified address, etc. In a specific implementation the suspicious rules may take the form of regular expressions, i.e. the signature information of the risky operation is embodied in a regular expression, and filtering by the preset regular-expression rules means matching these rules against the collected current command; the commands hit by the signature of a risky operation are filtered out as abnormal commands hit by a suspicious rule, and commands not hit by any suspicious rule can be regarded as normal commands. In addition, since each regular expression can only filter commands of a specific format or specific content, in practice a plurality of regular expressions may be used for multiple rounds of filtering: a command hit by any suspicious rule in the suspicious rule group is determined to be suspicious and filtered out, and a command missed by all the rules is determined to be a normal command.
During filtering, the overall hit rate of each suspicious rule can also be counted. The overall hit rate of a suspicious rule is the number of abnormal commands (items or times) hit by that rule among all commands, as a proportion of all commands. For example, viewing a password can usually be regarded as an unauthorized act of illegally obtaining a password, and a password can be obtained by opening the password file with a few commands. In the Linux operating system, for instance, the password file is typically stored under a specific path and named with a specific file name, and Linux provides commands for viewing the content of a specific file, which offers a possible route to illegally obtaining a password. For example, with sufficient permissions, executing the command cat /etc/passwd displays the password-related content stored in the password file passwd. To filter this command, the regular expressions
.*[s W]+passwd.*|^passwd.* and
.*passwd.*
may be used. With suspicious rules in the form of these two regular expressions, all commands containing the sensitive keyword "passwd" can be filtered out.
Suppose one suspicious rule has filtered 4651629 commands in total and hit 7915 of them. Then these 7915 hit commands can be treated as suspicious commands, and the overall hit rate corresponding to this suspicious rule is obtained as: suspicious commands hit by the rule / all commands it examined. In this example the overall hit rate of the rule is therefore:
7915/4651629≈0.001702
Once the overall hit rate is available, the filtering module 1202 outputs the alarm weight of the abnormal commands hit by the suspicious rule; the alarm weight can be obtained from the overall hit rate of that suspicious rule on commands. Specifically, the alarm weight of the abnormal commands hit by a suspicious rule can be obtained by a monotonically decreasing function that takes the overall hit rate of the rule on commands as its independent variable. For example, denoting the overall hit rate as Pa, the monotonically decreasing function (1-Pa)*D of Pa can be used to obtain the alarm weight of the abnormal commands hit by the suspicious rule, where D is a constant. For instance, the hit rate Pa of the rule in the example above is 0.001702, and with D taken as 100,
(1-Pa)*D=(1-0.001702)*100≈99.8
so the alarm weight of the abnormal commands hit by this suspicious rule is about 99.8.
The reason a monotonically decreasing function of the overall hit rate is used is that, in practice, an abnormal command actually hit by a suspicious rule is a command carrying a suspected danger. If a suspicious rule hits commands relatively often, or at a relatively high frequency, this suggests that the commands it hits may be relatively common commands; and since in practice real abnormal commands are after all a minority, it follows that when a suspicious rule hits commands more often or more frequently, the likelihood that the commands hit by that rule are real abnormal commands is relatively low. That they are hit by the rule at all is probably because the rule is comparatively "strict", and consequently the commands hit by the rule can be regarded as less dangerous, so the abnormal commands it hits can be given a smaller alarm weight.
The alarm weight output by the filtering module 1202 can serve as the basis on which the alarm device 130 obtains alarm weights; this part is described in detail in the description of the alarm device 130 below.
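As an added example (not code from the patent), the following Python sketch implements the filtering module 1202 described above: a group of regular-expression suspicious rules is run over a constructed batch of commands, the overall hit rate Pa of each rule is counted, and the alarm weight (1-Pa)*D with D=100 is derived from it. The passwd rule is the page's own `.*passwd.*`; the other two patterns, the rule names and the sample commands are assumptions made here.

```python
import re
from dataclasses import dataclass

# Constant D of the page's alarm-weight formula (1 - Pa) * D; 100 is the page's value.
D = 100.0


@dataclass
class SuspiciousRule:
    """One preset suspicious rule: a regular expression carrying the signature
    of a risky operation, plus the counters needed for its overall hit rate."""
    name: str
    pattern: re.Pattern
    examined: int = 0   # commands this rule has been matched against
    hits: int = 0       # commands it flagged as abnormal

    def hit_rate(self) -> float:
        """Overall hit rate Pa = hit commands / all commands examined."""
        return self.hits / self.examined if self.examined else 0.0

    def alarm_weight(self) -> float:
        """(1 - Pa) * D: a rule that fires often is treated as 'strict' and its
        hits get a smaller weight, as the page explains."""
        return (1.0 - self.hit_rate()) * D


def build_rules():
    # `.*passwd.*` is the rule quoted on the page; the other two patterns are
    # constructed stand-ins for the 'add account' and 'change firewall' signatures.
    return [
        SuspiciousRule("passwd_keyword", re.compile(r".*passwd.*")),
        SuspiciousRule("add_account", re.compile(r"^\s*(useradd|adduser)\b")),
        SuspiciousRule("firewall_change", re.compile(r"^\s*(iptables|ufw)\b")),
    ]


def filter_commands(commands, rules):
    """Filtering module 1202: every command is matched against every rule.
    Returns [(command, [(rule_name, alarm_weight), ...])] for the commands hit
    by at least one rule; commands hit by no rule are regarded as normal."""
    # Pass 1: count hits so the hit rate reflects the whole batch.
    for cmd in commands:
        for rule in rules:
            rule.examined += 1
            if rule.pattern.match(cmd):
                rule.hits += 1
    # Pass 2: emit each abnormal command with the weight of every rule that hit it.
    abnormal = []
    for cmd in commands:
        hits = [(r.name, round(r.alarm_weight(), 1)) for r in rules if r.pattern.match(cmd)]
        if hits:
            abnormal.append((cmd, hits))
    return abnormal


def alarm_weight_from_counts(hits: int, examined: int, d: float = D) -> float:
    """The page's numbers: 7915 hits out of 4651629 commands give about 99.8."""
    return (1.0 - hits / examined) * d


# Constructed sample of shell history lines collected from one host.
SAMPLE_COMMANDS = [
    "ls -la /home/alice",
    "cat /etc/passwd",
    "useradd -m bob",
    "grep root /etc/passwd",
    "ufw allow 8080/tcp",
    "tail -n 50 /var/log/syslog",
    "vim notes.txt",
    "cd /tmp",
]

if __name__ == "__main__":
    for cmd, hits in filter_commands(SAMPLE_COMMANDS, build_rules()):
        print(cmd, "->", hits)
```

With only eight sample commands the hit rates are far larger than the page's 0.001702, so the weights come out around 75 to 88 rather than 99.8; the ordering (the more often a rule fires, the smaller its weight) is the point.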
Implementation two:
The command analyzer 120 may include a learning module 1206 and a classification module 1204.
The learning module 1206 mainly performs machine learning on a training sample set and then provides the classification module 1204 with the various learning parameters it requires. Since the classification module 1204 can be realized on the basis of several classification principles, such as Bayes, logistic regression, partial least squares or decision trees, the learning module correspondingly needs to provide different learning parameters according to which classification module 1204 is used. Below, the two modules are described in detail for the case where the classification module 1204 is realized on the Bayes principle and the learning module 1206 provides the classification module 1204 with the required prior probabilities.
The learning module 1206 performs machine learning on a known training sample set. The training sample set contains a certain number of known commands, together with whether each known command is an abnormal command. The known commands in the training sample set are segmented into fields, which can be regarded as feature words related to the command. These feature words can be the command string itself, such as cat, wget, etc., and can also include content extracted from the parameters of the command. For example, segmenting the command:
wget -o http://www.sina.com/dasd/hahah/tad.tgz /usr/loca/dasd/etc/passwd
yields the following feature word set:
{'wget','-o','http','www.sina.com','dasd','hahah','tad.tgz','usr','loca','dasd','etc','passwd','www','sina','com'}
Specifically, when a command is segmented to obtain feature words, regular expression tools can be used. For example, the regular expression
[_\$]*[a-zA-Z\d\._\-]+[^\w\(/;=\-\)\[\]\{\}:>&\?\.\\\s,\d'"\%<]*
can be used to cut the command into pieces, and the regular expression
((\w+\.){1,6}(?:net|cn|com|gov|edu|asia|me|co))
can be used to recognize network addresses in the command, so that the command in the example above can be cut into the feature word set shown.
Since for each command in the training sample set it is known whether it is abnormal, the probability that an abnormal command occurs can be obtained as (number of abnormal commands / total number of commands in the training sample set), and the probability that a normal command occurs as (number of normal commands / total number of commands in the training sample set). In addition, by segmenting the commands in the training sample set, the probability of each feature word appearing in abnormal commands and its probability of appearing in normal commands can also be counted, so the learning module 1206 can obtain the prior probabilities above. These prior probability data are then supplied to the classification module 1204 so that the classification module 1204 can classify the current command to be analyzed.
Thus the classification module 1204 classifies the current command received by the centralized data collector 110 according to the training sample set of the existing classification model (specifically, according to the prior probabilities that the learning module 1206 supplies to the classification module 1204 after performing machine learning on the training sample set of the existing classification model), obtains the probability that the current command is a normal command and the probability that it is an abnormal command, and thereby identifies whether the current command belongs to the abnormal commands.
The classification module 1204 is now introduced specifically, taking the Bayesian classification method as an example.
The Bayesian classification method is a statistical classification method, an algorithm that classifies using probability statistics. In many applications a naive Bayes classifier can obtain very accurate classification results, and the Bayesian classification method itself is easy to implement, has high classification accuracy and is fast. The principle of the Bayesian classification method is to start from the prior probability of an object and use the Bayesian formula to calculate its posterior probability, i.e. the probability that the object belongs to a certain class, and then select the class with the maximum posterior probability as the class of the object. In the embodiment of the invention, the classification module 1204 can use the Bayesian classification method to identify whether the current command is an abnormal command; the process is described in detail below.
A classification module 1204 realized with the Bayesian classification method uses the known information in the training sample set, namely whether each known command is abnormal, the probabilities with which abnormal and normal commands occur respectively, and the probability with which each field obtained by segmenting the known commands appears in abnormal and in normal commands, in order to obtain, for a given command containing certain specific fields, the probability that the command is a normal command and the probability that it is an abnormal command, and thereby to determine the class the command belongs to. This process trains the classification module 1204 on the training sample set: through training, the classification module 1204 obtains the prior probabilities, and thereby the ability to identify, according to the Bayesian classification method, which class the current command belongs to, i.e. whether it belongs to the abnormal commands or to the normal commands.
When the current command of unknown class is given and it must be judged whether it belongs to the abnormal or the normal commands, in order to classify it with the Bayesian classification method the current command first needs to be segmented; the segmentation of the current command can also be realized with regular expressions. Let
x={w1,w2,w3,…,wn} be the feature word set obtained by segmenting the current command of unknown class;
y={y1=good,y2=bad} be the set of classes, where y1=good represents the class of normal commands and y2=bad represents the class of abnormal commands.
Next, P(y1|x) and P(y2|x) need to be obtained, where P(y1|x) denotes the probability that the current command is a normal command given that it contains each feature word in the set x, and P(y2|x) denotes the probability that it is an abnormal command given that it contains each feature word in the set x. The values of P(y1|x) and P(y2|x) are compared, and the class of the current command is determined from the result of the comparison, e.g. the larger of the two values gives the class of the current command, or the larger is taken as the class of the current command only when the difference between the two reaches a certain threshold. How P(y1|x) and P(y2|x) are obtained is described below.
According to the Bayesian classification method, they are obtained as follows:
P(y1|x)=P(x|y1)*P(y1)/P(x)
P(y2|x)=P(x|y2)*P(y2)/P(x)
Here P(x) is the same constant for both classes y1=good and y2=bad, so it suffices to obtain P(x|y1)*P(y1) and P(x|y2)*P(y2).
The probability P(y1) that a normal command occurs and the probability P(y2) that an abnormal command occurs can be determined from the frequencies with which normal and abnormal commands occur in the training sample set. For example, if 4651629 commands in total were collected in the training sample set and 68440 of them are abnormal commands, the probability P(y2) that an abnormal command occurs is:
68440/4651629≈0.014713
and the corresponding probability that a normal command occurs is P(y1)≈(1-P(y2))=0.985287.
Since P(x|y1)=P([w1,w2,w3,…,wn]|y1), and w1,w2,w3,…,wn can be considered conditionally independent, P([w1,w2,w3,…,wn]|y1) can be decomposed into:
P(w1|y1)*P(w2|y1)*P(w3|y1)*…*P(wn|y1)
Each of the factors P(w1|y1), P(w2|y1), P(w3|y1), …, P(wn|y1) denotes the probability that the respective feature word in the set x appears in normal commands, and the value of each can be obtained from the statistics of the target feature word's occurrence in the normal commands of the training sample set. P(x|y2) is obtained on the same principle as P(x|y1) and is not described again here. It should be noted that when the product of P(w1|y1), P(w2|y1), P(w3|y1), …, P(wn|y1) is computed, since each factor lies in the interval (0,1), the result of multiplying them all tends toward 0, and may even evaluate to 0 because it exceeds the precision of the floating-point range the computer can represent. Optionally, therefore,
P(w1|y1)*P(w2|y1)*P(w3|y1)*…*P(wn|y1) can be converted into the form of a sum of logarithms, for example into:
At this point, each factor in P(x|y1)*P(y1)/P(x) and in P(x|y2)*P(y2)/P(x) can be obtained by the method above, i.e. the values of P(y1|x) and P(y2|x) have been obtained, and from the values of P(y1|x) and P(y2|x) it can be determined whether the current command containing each feature word in the set x belongs to the normal or the abnormal commands.
The classification module 1204 realized with the Bayesian classification method has been described above. In practice, a classification module realized with this method can learn from the training sample set and obtain very accurate classification results for the current command entered; the classification method itself is easy to implement, its classification accuracy is high and it is fast.
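As an added example (not the patent's code), the following Python implementation of the learning module 1206 and the Bayesian classification module 1204 uses the two regular expressions quoted above to segment commands into feature words, counts P(y) and P(w|y) from a constructed labelled training set, and compares P(y1|x) and P(y2|x) as sums of logarithms. The add-one smoothing of P(w|y), the class names and the training commands are assumptions made here.

```python
import math
import re
from collections import Counter

# Segmentation regular expressions quoted on the page (implementation two).
TOKEN_RE = re.compile(r"""[_\$]*[a-zA-Z\d\._\-]+[^\w\(/;=\-\)\[\]\{\}:>&\?\.\\\s,\d'"\%<]*""")
HOST_RE = re.compile(r"((\w+\.){1,6}(?:net|cn|com|gov|edu|asia|me|co))")


def tokenize(command: str) -> set:
    """Cut a command into its feature word set x = {w1, ..., wn}: the pieces
    found by TOKEN_RE plus, for every network address found by HOST_RE, its
    dot-separated components (which is how the page's example gets 'www',
    'sina' and 'com')."""
    words = set(TOKEN_RE.findall(command))
    for m in HOST_RE.finditer(command):
        words.update(m.group(1).split("."))
    return words


class BayesCommandClassifier:
    """Learning module 1206 (train) plus classification module 1204 (classify)."""

    def __init__(self):
        self.class_count = Counter()                              # N(y)
        self.word_count = {"good": Counter(), "bad": Counter()}   # N(w, y)

    def train(self, samples):
        """samples: iterable of (command, label) with label 'good' or 'bad'."""
        for cmd, label in samples:
            self.class_count[label] += 1
            for w in tokenize(cmd):
                self.word_count[label][w] += 1

    def prior(self, label):
        """P(y): fraction of training commands in class y."""
        return self.class_count[label] / sum(self.class_count.values())

    def word_prob(self, w, label):
        """P(w|y): fraction of class-y commands containing w. Add-one smoothing
        is an assumption added here so an unseen word gives a small but
        non-zero factor instead of zeroing the whole product."""
        return (self.word_count[label][w] + 1) / (self.class_count[label] + 2)

    def log_score(self, cmd, label):
        """log(P(x|y) * P(y)) as a sum of logarithms; P(x) is dropped because
        it is the same constant for both classes."""
        return math.log(self.prior(label)) + sum(
            math.log(self.word_prob(w, label)) for w in tokenize(cmd))

    def classify(self, cmd):
        """Return ('good' or 'bad', log score for good, log score for bad)."""
        lg, lb = self.log_score(cmd, "good"), self.log_score(cmd, "bad")
        return ("bad" if lb > lg else "good"), lg, lb


# Constructed training set; the labels are assumptions for illustration only.
TRAINING = [
    ("ls -la /home/alice", "good"), ("ls /tmp", "good"), ("cd /var/www", "good"),
    ("vim index.html", "good"), ("git status", "good"), ("cat README.md", "good"),
    ("grep TODO main.py", "good"), ("ps aux", "good"), ("tail -f app.log", "good"),
    ("cat /etc/passwd", "bad"), ("useradd -m bob", "bad"), ("chmod 777 /etc/passwd", "bad"),
    ("wget -o http://www.sina.com/dasd/hahah/tad.tgz /usr/loca/dasd/etc/passwd", "bad"),
]


def abnormal_prior(abnormal: int, total: int) -> float:
    """P(y2) from counts, as in the page's 68440 / 4651629 example."""
    return abnormal / total


def trained_classifier():
    clf = BayesCommandClassifier()
    clf.train(TRAINING)
    return clf


if __name__ == "__main__":
    clf = trained_classifier()
    for cmd in ("cat /etc/passwd", "ls -la /home/carol"):
        print(cmd, "->", clf.classify(cmd)[0])
```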
It should be noted that, in addition to the Bayesian classification method, logistic regression, partial least squares, decision trees and the like can also be used to realize the classification module 1204 for classifying the commands entered. For classification modules 1204 realized with different methods, the training and identification processes differ with the method, but they can equally classify the current command entered very accurately and identify whether it is a normal or an abnormal command. For example, when a decision tree is used to realize the classification module 1204, the data in the training sample set is first used for training, generating a decision-tree model; when the class of the current command entered needs to be judged, the current command is first segmented, each feature word obtained is fed into the decision-tree model, the class it belongs to is computed, and it is thereby determined whether the current command is a normal or an abnormal command. The other implementations of the classification module 1204 can likewise be divided into learning and training on the training sample set to produce a judgment model, and then using the judgment model to judge the current command entered; they are not illustrated one by one here.
Moreover, in practice, whether the classification module 1204 is realized with the Bayesian classification method, logistic regression, partial least squares, decision trees or the like, the result it outputs is an approximation of the real situation, and this approximation only reaches an ideal level of precision once the number of training samples in the training sample set has reached a certain size; in other words, the more training samples are collected, the more reliable the trained classification module 1204 is and the closer its output is to reality. Therefore, in actual use, the data of the training sample set needs to be expanded continuously: the learning module 1206 also takes newly added current commands as part of the training samples, merges them with the existing training sample set and performs machine learning again, to provide the classification module 1204 with the various learning parameters, so that the classification module 1204 learns and is trained on richer training samples, its identification accuracy is further increased, and its identification result for the command currently entered becomes more accurate.
Implementation three:
The command analyzer 120 may include a filtering module 1202, a classification module 1204 and a learning module 1206. The filtering module 1202 filters the commands received by the centralized data collector 110 using preset suspicious rules, outputs the commands hit by a suspicious rule to the classification module 1204, and outputs the alarm weight of the commands hit by the suspicious rule, the alarm weight being obtained from the overall hit rate of that suspicious rule on commands. The classification module 1204 is coupled to the filtering module 1202 and, according to the training sample set of the existing classification model, further classifies the current command input from the filtering module 1202, obtains the probability that the current command is a normal command and the probability that it is an abnormal command, and thereby identifies whether the current command is an abnormal command. The learning module 1206 in this implementation is similar to the learning module 1206 of implementation two: it still performs machine learning on the training sample set of existing samples, and when newly added commands arrive, merges them with the existing training sample set and performs machine learning again, so as to provide the classification module 1204 with the various learning parameters it requires.
This implementation combines the methods of implementation one and implementation two. First, the filtering module 1202 filters the current command received by the centralized data collector 110 using preset suspicious rules; the preset suspicious rules can be preset regular-expression rules, which are matched in batch against the collected current commands, so that the abnormal commands hitting a suspicious rule are filtered out, and the commands not hit by any suspicious rule can be regarded as normal commands. The filtering module also outputs the alarm weight of the current commands hit by the suspicious rule, the alarm weight being obtained from the overall hit rate of that suspicious rule on commands; for the method of obtaining the alarm weight from the overall hit rate of a suspicious rule, reference may be made to implementation one, and it is not described again here.
Further, the filtering module 1202 outputs the commands hit by a suspicious rule to the classification module 1204, which further judges the commands hit by the suspicious rule and identifies whether the current command is a normal or an abnormal command. The specific implementation of the classification module 1204 is similar to the classification module 1204 of the two implementations above, so it is not repeated here. In this implementation, the commands hit by the suspicious rules of the filtering module 1202 are input to the classification module 1204 for a further judgment, so that the judgment of whether the command currently entered is abnormal is more accurate, and the occurrence of misjudgments can to a large extent be further avoided.
After the command analyzer 120 has identified abnormal commands in the various ways above, they are supplied to the alarm device 130. The alarm device 130 judges, according to the identification result of the command analyzer 120, whether the alarm conditions are met and, if so, sends out warning information that the corresponding host is abnormal. Warning information can be sent in various ways; for example, an e-mail containing warning information that the host is abnormal can be sent to a reserved e-mail address, or a message containing warning information that the host is abnormal can be sent to a reserved telephone number. As described above, the commands executed on each host correspond to the host that executed them, so when the alarm conditions are met, warning information can be sent out that the specific host that executed the abnormal commands is abnormal, so that the corresponding host can be dealt with in time.
In a specific realization of the alarm device 130, the alarm device 130 can count the number of abnormal commands that occur on each host within a certain period of time, judge whether the count within the period reaches a preset threshold, and if so send out warning information that the corresponding host executing the abnormal commands is abnormal. For example, if the preset setting is that warning information is issued when a host has 10 or more abnormal commands within a period of 5 minutes, and a host is detected to have entered 11 abnormal commands within the 5-minute period, warning information is sent out that the host is abnormal. Besides this alarm mode, the alarm device 130 can also be realized in other ways in order to achieve more flexible and accurate alarms. Other ways of realizing the alarm device 130 are introduced below.
The alarm device 130 can have different realizations corresponding to the different implementations of the command analyzer 120. For example, corresponding to implementation one of the command analyzer 120 described above, when an abnormal command occurs the alarm device 130 can judge whether the alarm conditions are met according to the alarm weight determined from the overall hit rate of the suspicious rule that hit the command, and send out warning information that the corresponding host is abnormal when the alarm conditions are met. In a specific implementation, the alarm device 130 can also count all the abnormal commands on a certain host identified by the command analyzer 120 within one alarm period, synthesize the alarm weights corresponding to these abnormal commands, and judge whether the preset alarm conditions are met according to the synthesized value. For example, the command analyzer 120 outputs the following correspondence between the abnormal commands hit by each suspicious rule and their alarm weights:
cmd001——99.8
cmd003——30.0
cmd004——95.3
cmd005——99.8
Within the preset time period, the preset alarm condition is that the sum of the alarm weights of the abnormal commands that occurred reaches a preset alarm threshold. For example, the preset alarm condition is that warning information is sent out when the sum of alarm weights within a 5-minute time period reaches 1000, and the numbers of times the abnormal commands above occurred within 5 minutes are as follows:
cmd001——2 times
cmd003——1 time
cmd004——3 times
cmd005——5 times
From the alarm weights and occurrence counts of the abnormal commands above, the sum of alarm weights within these 5 minutes is 1014.5. It can be seen that the sum of alarm weights within these 5 minutes exceeds the preset alarm threshold, so warning information that the corresponding host is abnormal is sent out.
Thus the "synthesis" of the alarm weights corresponding to the abnormal commands can differ according to the specific alarm mode. It can be, as in the example above, the accumulation of the products of the number of times each abnormal command occurred and its corresponding alarm weight, or the direct accumulation of the alarm weights of each abnormal command (if a command occurs several times within one alarm period, its alarm weight is accumulated several times), with warning information issued if the final result reaches the preset threshold. The reason the alarm weights corresponding to all abnormal commands of a certain host within one alarm period are synthesized before judging whether to alarm is mainly to reduce false alarms as far as possible, because when a really dangerous command appears, several abnormal commands will often appear within a short time, so it is better to analyze the alarm weights of all abnormal commands within a certain time (i.e. one alarm period) together rather than looking at the alarm weight of a single abnormal command in isolation. It should therefore be understood that there are many ways of synthesizing: the accumulation of several alarm weights mentioned above can be used, or several alarm weights can be multiplied and the logarithm taken, and so on; this depends entirely on actual needs, and all of these feasible ways fall within the scope of the invention. Moreover, since the way the alarm weights are obtained and their final numerical expression can differ among the different implementations of the command analyzer 120, the "synthesis" of the alarm weights corresponding to the abnormal commands can differ correspondingly.
When the command analyzer 120 is implemented in the second implementation, the sort module 1204 included in the command analyzer 120 can obtain, for the current command, the probability that it is a normal command and the probability that it is an aberrant command. In this case the alarm device 130 can collect all aberrant commands on a given host identified by the command analyzer 120 within one alarm period, perform synthesization processing on the aberrant-command probabilities corresponding to these aberrant commands, and judge from the synthesized value whether the preset alarm condition is met. For example, within a preset 5-minute period, the aberrant commands input on a given host, the number of times each occurred, and the probability that each is an aberrant command are as follows:
Cmd001 --- 2 times --- 0.95
Cmd003 --- 1 time --- 0.89
Cmd004 --- 3 times --- 0.98
Cmd005 --- 5 times --- 0.90
When the aberrant-command probabilities of these aberrant commands are synthesized, the sum of the products of each aberrant command's probability and its occurrence count (in other words, the probabilities of the individual aberrant commands are accumulated, a command contributing once each time it occurs) can be used as the reference data for deciding whether to alert. In this example the reference data obtained is 10.23; if the preset alarm condition is that the reference data is higher than 10, the result of the synthesization processing is judged to reach the preset alarm condition, and alarm information indicating that the corresponding host is abnormal is issued. As with the synthesization processing described above, there are many possible specific implementations of the synthesization processing in this example, and the specific manner can be adjusted according to actual conditions, as long as it reflects a decision on whether to alert that takes the probabilities of multiple aberrant commands into account together.
In the command analyzer 120 implemented in the third implementation, the filtering module 1202 can filter the current command received by the intensive data recover 110 using preset suspicious rules and output the alarm weight of the current command hit by a suspicious rule, and the sort module 1204 can further judge the current command hit by a suspicious rule, identifying whether the current command is a normal command or an aberrant command and at the same time obtaining the probability that the current command is a normal command and the probability that it is an aberrant command. Under this implementation the alarm device 130 can collect all aberrant commands on a given host identified by the command analyzer 120 within one alarm period, multiply the aberrant-command probability of each aberrant command by its alarm weight to obtain the corresponding alarm index, perform synthesization processing on the alarm indexes of these aberrant commands, and judge from the synthesized value whether the preset alarm condition is met. For example, within a preset 5-minute period, the aberrant commands input on a given host, the aberrant-command probability and alarm weight of each, and the number of occurrences are shown in Table 1:
Table 1
Aberrant command | Aberrant command probability | Alarm weight | Alarm index | Occurrence number
cmd001 | 0.95 | 99.8 | 98.41 | 2
cmd003 | 0.89 | 90.0 | 80.10 | 1
cmd004 | 0.98 | 95.3 | 93.39 | 3
cmd005 | 0.90 | 99.8 | 89.82 | 5
In this case, when the alarm indexes of the aberrant commands are synthesized, the alarm index of each aberrant command can be accumulated; if an aberrant command occurs several times, its alarm index is accumulated that many times. In other words, the sum of the products of each aberrant command's alarm index and its occurrence count is taken as the reference data for deciding whether to issue alarm information. In the table above, for example, synthesizing the alarm indexes of the aberrant commands gives a reference value of 1006.19. If the preset alarm condition is a preset alarm threshold of 1000, with alarm information issued when the reference value is higher than that threshold, then the reference value of 1006.19 obtained by synthesizing the alarm indexes of the aberrant commands in this example is higher than the preset alarm threshold and meets the precondition for issuing alarm information, so alarm information indicating that the corresponding host is abnormal is issued.
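As an added example (not code from the patent), the three synthesization modes described above are written out in Python, with the bucketing into alarm periods made explicit. The events below are constructed sample data: the probabilities, alarm weights and occurrence counts follow Table 1, the timestamps and host IP are invented, and one extra cmd001 event is placed in the next 5-minute period to show that each period is evaluated on its own. The alarm index is recomputed here as probability × alarm weight, so for this data the third mode totals 999.002, just under the 1000 threshold, which exercises the no-alarm path. The sum-of-products forms are the ones the text describes; the strict "higher than the threshold" comparison is taken from the worked examples.

```python
from collections import defaultdict

ALARM_PERIOD_SECONDS = 300  # the 5-minute alarm period used in the worked examples

# Constructed identification results (assumed sample data): each tuple is
# (timestamp in seconds, host IP, command id, probability it is aberrant, alarm weight).
# Probabilities, weights and counts follow Table 1; timestamps and the host IP are invented.
IDENTIFIED_EVENTS = [
    (10, "10.0.0.5", "cmd001", 0.95, 99.8),
    (25, "10.0.0.5", "cmd005", 0.90, 99.8),
    (40, "10.0.0.5", "cmd004", 0.98, 95.3),
    (55, "10.0.0.5", "cmd005", 0.90, 99.8),
    (70, "10.0.0.5", "cmd003", 0.89, 90.0),
    (85, "10.0.0.5", "cmd004", 0.98, 95.3),
    (100, "10.0.0.5", "cmd005", 0.90, 99.8),
    (130, "10.0.0.5", "cmd001", 0.95, 99.8),
    (160, "10.0.0.5", "cmd004", 0.98, 95.3),
    (200, "10.0.0.5", "cmd005", 0.90, 99.8),
    (250, "10.0.0.5", "cmd005", 0.90, 99.8),
    (310, "10.0.0.5", "cmd001", 0.95, 99.8),  # falls into the next alarm period
]


def bucket_by_period(events, period=ALARM_PERIOD_SECONDS):
    """Group identified aberrant commands by (host, alarm period) and count occurrences.

    Returns {(host, period_index): {cmd: {"p_aberrant": ..., "weight": ..., "count": ...}}}.
    """
    buckets = defaultdict(dict)
    for ts, host, cmd, p_aberrant, weight in events:
        key = (host, ts // period)
        entry = buckets[key].setdefault(
            cmd, {"p_aberrant": p_aberrant, "weight": weight, "count": 0})
        entry["count"] += 1
    return buckets


def synthesize(observations, mode):
    """Combine one period's aberrant commands into a single reference value.

    "weights":       sum of alarm weight x occurrence count        (first implementation)
    "probabilities": sum of aberrant probability x occurrence count (second implementation)
    "indices":       sum of (probability x weight) x count          (third implementation;
                     probability x weight is the per-command alarm index)
    """
    if mode == "weights":
        return sum(o["weight"] * o["count"] for o in observations.values())
    if mode == "probabilities":
        return sum(o["p_aberrant"] * o["count"] for o in observations.values())
    if mode == "indices":
        return sum(o["p_aberrant"] * o["weight"] * o["count"] for o in observations.values())
    raise ValueError(f"unknown synthesization mode: {mode}")


def evaluate_periods(events, mode, threshold, period=ALARM_PERIOD_SECONDS):
    """Return {(host, period_index): (reference_value, alert)} for every observed period.

    The alarm condition is "reference value higher than the preset threshold"; a value
    exactly equal to the threshold does not alert.
    """
    results = {}
    for key, observations in bucket_by_period(events, period).items():
        value = synthesize(observations, mode)
        results[key] = (round(value, 4), value > threshold)
    return results


if __name__ == "__main__":
    for mode, threshold in (("weights", 1000), ("probabilities", 10), ("indices", 1000)):
        for (host, idx), (value, alert) in sorted(
                evaluate_periods(IDENTIFIED_EVENTS, mode, threshold).items()):
            print(f"{mode:13s} host={host} period={idx} value={value:9.4f} alert={alert}")
```

With the constructed data the weight mode gives 1074.5 (alarm), the probability mode 10.23 (alarm) and the index mode 999.002 (no alarm) for the first period, and the lone cmd001 in the second period stays far below every threshold. A multiplicative or logarithmic synthesization, which the text also allows, would be one more branch in synthesize().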
Thus far, the system for analyzing the order executed on each host described above can satisfactorily analyze, and alarm on, the commands executed on each host. To achieve closed-loop monitoring of each host terminal and improve the security of the whole network system, the system can also include a monitor 220, which monitors the deployment status of the order sending module 2102 on each host. Specifically, on the one hand the monitor 220 can know the information of each host terminal deployed in the system, for example the host IP of each host terminal; on the other hand, it can learn from the intensive data recover 110 which hosts' executed commands have been received. By comparing the two, the monitor 220 can know which hosts' executed commands have not been successfully transmitted to the intensive data recover 110.
If a host terminal on which the order sending module 2102 has been deployed does not transmit its commands correctly to the intensive data recover 110, the order sending module 2102 on that host terminal has failed; if a host terminal newly added to the system does not transmit the commands executed on it to the intensive data recover 110, the order sending module 2102 has not yet been deployed on that host terminal. When the monitor 220 finds either situation, it can be handled promptly: for example, when a newly added host without the order sending module 2102 is found, or the order sending module 2102 on a host is found to have failed, the monitor can log in automatically to that host using its host IP and deploy the order sending module 2102 for it. It can be seen that real-time monitoring of the order sending module 2102 on each host by the monitor 220 promptly discovers order sending modules 2102 that are not working normally, or newly added hosts on which the order sending module 2102 has not been deployed, so that when an abnormality is noticed the host whose order sending module 2102 is not working normally can be adjusted in time, or the order sending module 2102 can be deployed on the newly added host that lacks it. This ensures that the whole system achieves closed-loop monitoring, finds and resolves problems on its own, and better guarantees the precision of command analysis and the accuracy of alarms.
The analytical equipment and system for analyzing the order executed on each host provided in embodiments of the present invention have been described above. Corresponding to them, embodiments of the present invention also provide an analysis method for analyzing the order executed on each host.
Referring to Fig. 2, the method starts at step S210: first, the current command of each host, transmitted over the network, and the identification of the host it belongs to are collected. In a specific implementation, when collecting the current command and host identification of each host over the network, the command interpreter (shell) of each host can be modified to add a function that transmits the current command received by the shell and the host IP to a designated device over the network, so that the current command and host identification of each host are collected. Step S210 can be executed by the intensive data recover 110 above; the relevant technical features can refer to the description of the intensive data recover 110 in the preceding embodiment and are not repeated here. In addition, the event of each host transmitting the current command and its host identification can be monitored; when a newly added host is found not to have undergone the above shell modification, or the modification has failed, the method logs in automatically to that host via its host IP and deploys the above shell modification for it, so that hosts unable to transmit commands or host identifications normally, or newly added hosts lacking the transmission function, are found in time and adjusted promptly, achieving closed-loop monitoring of each host and improving the security of the whole network system.
After the current command and host identification of each host have been collected in step S210, step S220 can be executed next: the collected current command is identified, at least distinguishing aberrant commands from normal commands. Several implementations are possible when identifying the current command:
In the first way, the collected current command is filtered using preset suspicious rules; a current command hit by a suspicious rule is identified as an aberrant command, and the alarm weight of the aberrant command hit by the suspicious rule is obtained, the alarm weight being derived from the overall hit rate of that suspicious rule over commands, where the suspicious rule can be a regular-expression rule. This implementation can be performed by the command analyzer 120 in the system embodiment above, specifically by the filtering module 1202, so the relevant technical features can refer to the description of the filtering module 1202 above and are not repeated here. Likewise, besides filtering out aberrant commands according to the suspicious rules, the alarm weight of an aberrant command can be obtained in the same way, from a monotonically decreasing function that takes the overall hit rate of that suspicious rule over established commands as its independent variable; the relevant technical features can also refer to the description of alarm weights in the filtering module 1202 in the preceding system embodiment and are not repeated here.
In the second implementation, the received current command is classified according to a training sample set of an existing classification model, obtaining the probability that the current command is a normal command and the probability that it is an aberrant command, and thereby identifying whether the current command is an aberrant command. Under this implementation, the classification model can be implemented with methods such as Bayesian classification, logistic regression, partial least squares or decision trees. The process first trains and learns on the training sample set with one classification method; then, when the category of an input current command needs to be judged, the current command is segmented into words, the feature words obtained are substituted into the trained model, and the category it belongs to is calculated, thereby determining whether the current command is a normal command or an aberrant command. Of course, to improve classification accuracy the data in the training sample set needs to be enriched continually, so machine learning can be performed after merging newly added current commands with the existing training sample set, updating the existing training sample set used for classification. This implementation can be executed by the command analyzer 120 in the system embodiment above, specifically by the sort module 1204 and the study module 1206, that is, the second implementation of the command analyzer 120, so the relevant technical features can refer to the description of the sort module 1204 in that embodiment and are not repeated here.
The third implementation can be understood as a combination of the first two: the received current command is first filtered using the preset suspicious rules, the current commands hit by a suspicious rule are filtered out, and the alarm weight of each current command hit by a suspicious rule is output, the alarm weight being derived from the overall hit rate of that suspicious rule over commands; then, according to the training sample set of the existing classification model, the filtered-out current command is further classified, obtaining the probability that the current command is a normal command and the probability that it is an aberrant command, and thereby identifying whether the current command is an aberrant command. This yields a more accurate identification of whether the current command is an aberrant command. This implementation can be executed by the command analyzer 120 of the third mode in the preceding system embodiment, so the relevant technical features can refer to the descriptions of the filtering module 1202, sort module 1204 and study module 1206 in the command analyzer 120 and are not repeated here.
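The three identification ways of step S220, as an added Python example that is not the patent's code. The suspicious rules, the training sample set and the command history are constructed; the linear alarm weight 100 × (1 − hit rate) is one assumed monotonically decreasing function of a rule's overall hit rate; the classifier is a multinomial naive Bayes over whitespace-segmented feature words with Laplace smoothing, one of the Bayesian methods the text names; and the study module is represented by learn(), which merges new labelled commands into the model's counts. The third way chains the two: only commands hit by a rule reach the classifier, and the result carries both the rule's alarm weight and the classifier's probabilities, which are the inputs the alarm device needs for the alarm index.

```python
import math
import re
from collections import Counter

# Constructed suspicious rules (assumed examples of regular-expression rules; the patent
# does not list its rule set).
SUSPICIOUS_RULES = {
    "recursive-delete": re.compile(r"\brm\s+-rf\b"),
    "power-control": re.compile(r"\b(shutdown|reboot|halt)\b"),
    "world-writable": re.compile(r"\bchmod\s+777\b"),
}

# Constructed training sample set: (command, label). Both labels must be present.
TRAINING_SAMPLES = [
    ("ls -la /var/log", "normal"), ("cd /home/ops", "normal"),
    ("cat /etc/hostname", "normal"), ("tail -f /var/log/syslog", "normal"),
    ("df -h", "normal"), ("systemctl status nginx", "normal"),
    ("grep error /var/log/app.log", "normal"), ("ps aux", "normal"),
    ("rm -rf /var/lib/mysql", "aberrant"), ("shutdown -h now", "aberrant"),
    ("chmod 777 /etc/passwd", "aberrant"), ("rm -rf /home/ops/data", "aberrant"),
    ("reboot", "aberrant"), ("chmod 777 /var/www", "aberrant"),
]

# Constructed history of all commands seen so far, used for the rules' overall hit rates.
COMMAND_HISTORY = [cmd for cmd, _ in TRAINING_SAMPLES] + [
    "uptime", "whoami", "pwd", "ls", "free -m", "uname -a", "date", "hostname",
    "id", "top -b -n 1", "sudo reboot",
]


def alarm_weight(hit_rate):
    """Alarm weight as a monotonically decreasing function of a rule's overall hit rate.
    The linear form is an assumption; any decreasing function would fit the text."""
    return 100.0 * (1.0 - hit_rate)


def rule_hit_rates(history, rules):
    """Fraction of all historical commands that each suspicious rule matched."""
    return {name: sum(1 for cmd in history if rx.search(cmd)) / len(history)
            for name, rx in rules.items()}


def filter_command(cmd, rules, hit_rates):
    """First way: (rule name, alarm weight) of the highest-weighted rule hit, else None."""
    hits = [(alarm_weight(hit_rates[name]), name)
            for name, rx in rules.items() if rx.search(cmd)]
    if not hits:
        return None
    weight, name = max(hits)
    return name, weight


def tokenize(cmd):
    """Word segmentation of a command line: whitespace-separated feature words."""
    return cmd.split()


class NaiveBayesCommandModel:
    """Second way: multinomial naive Bayes over feature words with Laplace smoothing."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha
        self.class_counts = Counter()
        self.token_counts = {"normal": Counter(), "aberrant": Counter()}
        self.vocabulary = set()

    def learn(self, samples):
        """Study module: merge newly labelled commands into the model's counts."""
        for cmd, label in samples:
            self.class_counts[label] += 1
            for tok in tokenize(cmd):
                self.token_counts[label][tok] += 1
                self.vocabulary.add(tok)

    def probabilities(self, cmd):
        """Posterior {"normal": p, "aberrant": p} for the command; the two sum to 1."""
        total = sum(self.class_counts.values())
        log_scores = {}
        for label, counts in self.token_counts.items():
            score = math.log(self.class_counts[label] / total)
            denom = sum(counts.values()) + self.alpha * len(self.vocabulary)
            for tok in tokenize(cmd):
                score += math.log((counts[tok] + self.alpha) / denom)
            log_scores[label] = score
        top = max(log_scores.values())  # subtract the max before exp to avoid underflow
        norm = sum(math.exp(s - top) for s in log_scores.values())
        return {label: math.exp(s - top) / norm for label, s in log_scores.items()}


def analyze_command(cmd, model, rules, hit_rates):
    """Third way: only commands hit by a suspicious rule are passed to the classifier."""
    hit = filter_command(cmd, rules, hit_rates)
    if hit is None:
        return None
    rule, weight = hit
    probs = model.probabilities(cmd)
    return {"rule": rule, "alarm_weight": weight, "p_aberrant": probs["aberrant"],
            "is_aberrant": probs["aberrant"] > probs["normal"]}


def build_model(samples=TRAINING_SAMPLES):
    model = NaiveBayesCommandModel()
    model.learn(samples)
    return model


if __name__ == "__main__":
    model = build_model()
    rates = rule_hit_rates(COMMAND_HISTORY, SUSPICIOUS_RULES)
    for cmd in ("rm -rf /tmp/cache", "ls -la /home/ops", "shutdown -r now"):
        print(cmd, "->", analyze_command(cmd, model, SUSPICIOUS_RULES, rates))
```

With the constructed history the recursive-delete and world-writable rules each hit 2 of 25 commands (weight 92.0) and the power-control rule 3 of 25 (weight 88.0), so a rule that fires more often across the fleet is, as the text intends, weighted lower. On this small training set the classifier assigns "rm -rf /tmp/cache" an aberrant probability of roughly 0.9 even though the path token is unseen, because the rm and -rf tokens occur only in aberrant samples.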
After the current command input on each host has been classified in step S220, that is, after aberrant commands have been identified, step S230 is executed: it is judged according to the identification result whether the alarm condition is met, and if so, alarm information indicating that the corresponding host is abnormal is issued. Specifically, when issuing alarm information that a corresponding host is abnormal, the number of times the commands input on each host are identified as aberrant commands within a certain time period can be counted, and it is judged whether the number of aberrant commands occurring within the period reaches a preset threshold; if so, alarm information indicating that the corresponding host is abnormal is issued. For example, it may be preset that alarm information is issued when 10 or more aberrant commands occur within 5 minutes; if 11 aberrant commands are identified among the commands input on a host within a 5-minute period, alarm information indicating that the host is abnormal is issued. Besides this alarm mode, in order to alarm more flexibly and accurately, step S230 can also have different implementations corresponding to the different implementations of step S220. For example, when step S220 filters out aberrant commands with the preset suspicious rules and outputs the alarm weights of the aberrant commands hit by the suspicious rules, step S230 can judge from the alarm weights of the aberrant commands whether the alarm condition is met and issue alarm information if it is. Specifically, all aberrant commands identified on a given host within one alarm period are collected, the alarm weights corresponding to these aberrant commands are synthesized, and it is judged from the synthesized value whether the preset alarm condition is met; for example, the alarm weights corresponding to each occurrence of an aberrant command are accumulated, it is judged whether the accumulated alarm weight within the period reaches the preset threshold, and if so, alarm information indicating that the corresponding host is abnormal is issued.
As another example, when S220 classifies the received current command according to the training sample set of the existing classification model, obtaining the probability that the current command is a normal command and the probability that it is an aberrant command, and thereby identifying whether the current command is an aberrant command, S230 can be implemented by collecting all aberrant commands identified on a given host within one alarm period, synthesizing the aberrant-command probabilities corresponding to these aberrant commands, and judging from the synthesized value whether the preset alarm condition is met. When synthesizing the aberrant-command probabilities of these aberrant commands, the sum of the products of each aberrant command's probability and its occurrence count can be used as the reference data for deciding whether to alert; specifically, the reference data obtained is compared with the preset alarm threshold, and if it is higher than the preset alarm threshold, alarm information indicating that the corresponding host is abnormal is issued.
As a further example, step S220 may filter the received current command using the preset suspicious rules, filter out the current commands hit by a suspicious rule and output the alarm weight of each current command hit by a suspicious rule, and then further classify the filtered-out current command according to the training sample set of the existing classification model, obtaining the probability that the current command is a normal command and the probability that it is an aberrant command, and thereby identifying whether the current command is an aberrant command; here the alarm weight can be derived from the overall hit rate of that suspicious rule over commands. Step S230 can then be implemented by collecting all aberrant commands identified on a given host within one alarm period, multiplying the aberrant-command probability of each aberrant command by its alarm weight to obtain the corresponding alarm index, synthesizing the alarm indexes of these aberrant commands, and judging from the synthesized value whether the preset alarm condition is met. The synthesization processing here can take the product of each aberrant command's alarm index and its occurrence count and then sum these products, using the sum as the reference data for deciding whether to issue alarm information; the reference data is then compared with the preset alarm threshold, and if it exceeds the preset alarm threshold, alarm information indicating that the corresponding host is abnormal is issued.
The above step S230, with its various specific implementations, can be executed by the alarm device 130 in the preceding system embodiment, so the relevant technical features can refer to the description of the alarm device 130 above and are not repeated here.
The analytical equipment, system and method according to embodiments of the present invention have been described in detail above. To make them easier to understand, a concrete application example of an embodiment of the present invention is given below with reference to Fig. 3, which shows a schematic diagram of a concrete application according to an embodiment of the present invention. In the figure, Linux/Unix/BSD Server denotes the hosts in the network system; a network system may have several hosts running Linux/Unix/BSD. By modifying the command interpreter (shell) of each host, it is given the ability to transmit the input commands (Send shell_log) to Receive Server (the receiving server, equivalent to the intensive data recover 110 above), and Receive Server records the received shell_log in the form of log entries in a database (database). By comparing the host IP information of each command in the database with the host IPs deployed in the system, it can be known whether all hosts have accurately transmitted the commands executed on them to Receive Server, thereby ensuring that command sending from all Linux/Unix/BSD Servers is normal; when a failure occurs, or a newly added host joins the network system, the order sending module can be deployed automatically to the failed or newly added host.
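The comparison performed by the monitor 220, and the database-versus-deployment comparison of Fig. 3, as an added Python example that is not the patent's code. The host inventory, the shell_log records and the 600-second staleness window are constructed assumptions: the text only says that the hosts whose commands reach the receiving server are compared with the hosts deployed in the system, so treating a deployed sender that has been silent for longer than the window as failed, and reporting a sender the inventory does not know about, are this example's own choices. Automatic login and deployment are left to the operator's tooling; the example returns the list of host IPs that need the order sending module (re)deployed.

```python
STALE_AFTER_SECONDS = 600  # assumed: a deployed sender silent this long is treated as failed

# Constructed host inventory (assumed sample data): host IP -> whether the order sending
# module is recorded as deployed on that host.
HOST_INVENTORY = {"10.0.0.5": True, "10.0.0.6": True, "10.0.0.7": False}

# Constructed shell_log records as the receiving server would store them: (host IP, timestamp).
SHELL_LOG_RECORDS = [
    ("10.0.0.5", 1_000_000),
    ("10.0.0.5", 1_000_120),
    ("10.0.0.6", 999_000),
    ("10.0.0.9", 1_000_200),  # a sender the inventory does not know about
]


def last_seen_by_host(records):
    """Newest record timestamp per host IP found in the shell_log database."""
    last_seen = {}
    for host, ts in records:
        last_seen[host] = max(ts, last_seen.get(host, ts))
    return last_seen


def audit_senders(inventory, records, now, stale_after=STALE_AFTER_SECONDS):
    """Compare the deployed-host inventory with the hosts actually sending commands.

    Returns {host: status}, where status is one of:
      "ok"             commands received within the staleness window
      "sender_failed"  module recorded as deployed, but no recent commands
      "not_deployed"   host known, module not deployed (e.g. a newly added host), no commands
      "unknown_host"   commands arriving from a host that is not in the inventory
    """
    last_seen = last_seen_by_host(records)
    status = {}
    for host, deployed in inventory.items():
        recent = host in last_seen and now - last_seen[host] <= stale_after
        if recent:
            status[host] = "ok"
        elif deployed:
            status[host] = "sender_failed"
        else:
            status[host] = "not_deployed"
    for host in last_seen:
        if host not in inventory:
            status[host] = "unknown_host"
    return status


def deployment_actions(status):
    """Host IPs to which the monitor should (re)deploy the order sending module."""
    return sorted(host for host, s in status.items()
                  if s in ("sender_failed", "not_deployed"))


if __name__ == "__main__":
    result = audit_senders(HOST_INVENTORY, SHELL_LOG_RECORDS, now=1_000_500)
    for host, s in sorted(result.items()):
        print(f"{host:10s} {s}")
    print("deploy to:", deployment_actions(result))
```

The inventory and the record store are the two sources the text names; a host in the inventory that has never appeared in the records is treated as undeployed, and one that has gone quiet is treated as a failed sender, which is the distinction the monitor 220 draws before deciding whether to deploy or redeploy.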
In the specific process of analyzing commands, an on-line learning function can perform machine learning on the existing data in the database, generating an identification model. When the currently input command needs to be identified, the generated model can be used to monitor and identify the input commands in real time; when an aberrant command is recognized and the alarm condition is met, an alarm is raised. When alarming, mail containing the alarm information can be sent to a preset mail address by E-mail, or a message containing the alarm information can be sent to a preset telephone number through an SMS information centre.
The analytical equipment, system and method for analyzing the order executed on each host provided in embodiments of the present invention have been described in detail above. With this analytical equipment, system or method for analyzing the order executed on each host, in a network system including several hosts, the current command of each host and the identification of the host it belongs to can be collected over the network, commands posing certain operational hazards can be effectively identified among the collected current commands, it can be judged whether a command input on a host is an aberrant command or a normal command, and, when the aberrant commands input on a host meet the alarm condition, alarm information indicating that the corresponding host is abnormal is issued, so that aberrant commands of a certain danger input on each host in the network system are alarmed on in time and the security of the system is improved. This solves the problem that dangerous commands input on hosts in the system, whether because of administrator misoperation, hacker attack or other causes, adversely affect the stable operation of the host or even the whole system: the dangerous commands input on each host in the network system are alarmed on in time, and the security of the system is improved.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other equipment. Various general-purpose systems can also be used with the teaching based on this. As described above, the structure required to construct such systems is obvious. In addition, the present invention is not directed to any particular programming language. It should be understood that various programming languages can be used to implement the content of the invention described herein, and the description above of a specific language is for disclosing the preferred mode of the present invention.
In the specification provided here, numerous specific details are set forth. It is to be appreciated, however, that embodiments of the present invention can be practised without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to simplify the disclosure and help the understanding of one or more of the various inventive aspects, in the above description of exemplary embodiments of the present invention the features of the invention are sometimes grouped together in a single embodiment, figure or description thereof. However, the disclosed method should not be construed as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, the inventive aspects lie in less than all features of a single embodiment disclosed above. Therefore, the claims following the specific implementation mode are hereby expressly incorporated into the specific implementation mode, with each claim standing on its own as a separate embodiment of the present invention.
Those skilled in the art will appreciate that the modules in the equipment of an embodiment can be adaptively changed and arranged in one or more pieces of equipment different from that embodiment. The modules, units or components in an embodiment can be combined into one module, unit or component, and can moreover be divided into multiple sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or equipment so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, an equivalent or a similar purpose.
In addition, those skilled in the art will appreciate that although some embodiments described herein include certain features included in other embodiments but not others, combinations of features of different embodiments are meant to be within the scope of the present invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments can be used in any combination.
The various component embodiments of the present invention can be implemented in hardware, as software modules running on one or more processors, or as a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) can be used in practice to implement some or all of the functions of some or all of the components of the analytical equipment for analyzing the order executed on each host according to embodiments of the present invention. The present invention can also be implemented as equipment or device programs (for example, computer programs and computer program products) for executing some or all of the method described herein. Such programs implementing the present invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals can be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the present invention, and those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claims. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The present invention can be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices can be embodied by one and the same item of hardware. The use of the words first, second and third does not indicate any ordering; these words may be interpreted as names.
The invention discloses A1, an analytical equipment for analyzing the order executed on each host, including:
an intensive data recover, configured to at least collect the current command transmitted over the network by each host terminal and the identification of the host it belongs to;
a command analyzer, configured to identify the current command collected by the intensive data recover, at least identifying aberrant commands and normal commands;
an alarm device, configured to judge according to the identification result of the command analyzer whether the alarm condition is met and, if so, issue alarm information indicating that the corresponding host is abnormal.
A2, the analytical equipment as described in A1, wherein the command analyzer includes a filtering module configured to filter the current command collected by the intensive data recover using preset suspicious rules, identify the current command hit by a suspicious rule as an aberrant command, and output the alarm weight of the aberrant command hit by the suspicious rule, the alarm weight being derived from the overall hit rate of that suspicious rule over commands;
the alarm device is specifically configured to judge according to the alarm weights of the aberrant commands whether the alarm condition is met.
A3, the analytical equipment as described in A2, wherein the alarm weight of the aberrant command output by the filtering module is obtained as follows: from a monotonically decreasing function that takes the overall hit rate of that suspicious rule over established commands as its independent variable, the alarm weight of the aberrant command hit by that suspicious rule is obtained.
A4, the analytical equipment as described in A2 or A3, wherein the alarm device is specifically configured to collect all aberrant commands on a given host identified by the command analyzer within one alarm period, perform synthesization processing on the alarm weights corresponding to these aberrant commands, and judge from the synthesized value whether the preset alarm condition is met.
A5, the analytical equipment as described in A1, wherein the command analyzer includes:
a sort module, configured to classify the current command received by the intensive data recover according to a training sample set of an existing classification model, obtain the probability that the current command is a normal command and the probability that it is an aberrant command, and thereby identify whether the current command is an aberrant command.
A6, the analytical equipment as described in A5, wherein the alarm device is specifically configured to collect all aberrant commands on a given host identified by the command analyzer within one alarm period, perform synthesization processing on the aberrant-command probabilities corresponding to these aberrant commands, and judge from the synthesized value whether the preset alarm condition is met.
A7, the analytical equipment as described in A1, wherein the command analyzer includes:
a filtering module, configured to filter the current command received by the intensive data recover using preset suspicious rules, output the current command hit by a suspicious rule to a sort module, and output the alarm weight of the current command hit by the suspicious rule, the alarm weight being derived from the overall hit rate of that suspicious rule over commands;
a sort module, configured to further classify the current command input from the filtering module according to a training sample set of an existing classification model, obtain the probability that the current command is a normal command and the probability that it is an aberrant command, and thereby identify whether the current command is an aberrant command.
A8, the analytical equipment as described in A5 or A7, the command analyzer further include:
Study module is configured as carrying out machine learning after the current command that will be increased newly merges with existing training sample set,
Update the existing training sample set that the sort module uses.
A9, the analytical equipment as described in A7, the alarm device is specifically configured in one alarm period of statistics, the life
All aberrant commands on a certain host that analyzer identifies are enabled, by the corresponding aberrant commands probability of each aberrant commands and announcement
Alert weights, which are multiplied, obtains corresponding alarm index, the alarm index of these aberrant commands is carried out synthesization processing, according to synthesis
Change that treated that value judges whether to meet preset alarm conditions.
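The pipeline of A2 to A9 (filtering by suspicious rules, alarm weight as a monotonically decreasing function of each rule's overall hit rate, alarm index as probability times weight, aggregation per host and alarm period, comparison with an alarm condition) as an added worked example; this is illustrative code, not code from the disclosure. The rule names and patterns, the established-command history, the weight function 1 - hit_rate, the command stream and the threshold are all constructed, and the token-overlap function standing in for the classification module's probability is a placeholder for whatever trained model is actually used:

```python
import re
from collections import defaultdict

# Constructed suspicious rules (hypothetical names and patterns, not the
# rules of the disclosure). A command is attributed to the first rule that
# matches it.
SUSPICIOUS_RULES = {
    "delete_root": re.compile(r"\brm\s+-rf\s+/\s*$"),
    "world_writable": re.compile(r"\bchmod\s+-R\s+777\b"),
    "privilege_escalation": re.compile(r"^\s*sudo\b"),
}

# Constructed history of established commands; used only to measure how
# often each rule fires overall.
ESTABLISHED_COMMANDS = [
    "ls -la", "cd /var/log", "sudo systemctl restart nginx", "cat /etc/hosts",
    "sudo apt-get update", "rm -rf /tmp/build", "grep ERROR app.log",
    "sudo vim /etc/nginx/nginx.conf", "tail -f app.log", "rm -rf /",
]

# Constructed stand-in for the classification module: P(abnormal) is the
# fraction of tokens found in a small risky-token vocabulary.
RISKY_TOKENS = {"rm", "-rf", "chmod", "777", "sudo", "/"}


def rule_hit_rates(history):
    """Overall hit rate of each suspicious rule on the established commands."""
    total = len(history)
    return {name: sum(1 for cmd in history if rx.search(cmd)) / total
            for name, rx in SUSPICIOUS_RULES.items()}


def alarm_weight(hit_rate):
    """Monotonically decreasing function of a rule's overall hit rate
    (constructed choice: 1 - hit_rate). A rule that fires on every command
    carries no information and gets weight 0; one that never fires gets 1."""
    return 1.0 - hit_rate


def filter_command(command, hit_rates):
    """Filtering module: (rule name, alarm weight) for the first suspicious
    rule that hits, or None when no rule hits."""
    for name, rx in SUSPICIOUS_RULES.items():
        if rx.search(command):
            return name, alarm_weight(hit_rates[name])
    return None


def abnormal_probability(command):
    """Classification-module stand-in producing P(abnormal) for a command."""
    tokens = command.split()
    return sum(1 for t in tokens if t in RISKY_TOKENS) / len(tokens)


def score_stream(records, hit_rates, period_seconds=60):
    """Alarm device: per (host, alarm period), sum the alarm index
    P(abnormal) * alarm weight over every command hit by a suspicious rule.
    records are (timestamp, host, command) tuples."""
    totals = defaultdict(float)
    for ts, host, command in records:
        hit = filter_command(command, hit_rates)
        if hit is None:
            continue  # not identified as abnormal; contributes nothing
        _, weight = hit
        totals[(host, ts // period_seconds)] += abnormal_probability(command) * weight
    return dict(totals)


def alarming_hosts(totals, threshold):
    """Preset alarm condition: aggregated alarm index at or above threshold."""
    return sorted(key for key, value in totals.items() if value >= threshold)


if __name__ == "__main__":
    rates = rule_hit_rates(ESTABLISHED_COMMANDS)
    stream = [  # constructed (timestamp, host, command) records
        (0, "web-01", "ls -la"),
        (5, "web-01", "sudo apt-get update"),
        (12, "web-01", "rm -rf /"),
        (30, "db-01", "sudo systemctl restart postgresql"),
        (70, "db-01", "chmod -R 777 /var/lib/postgresql"),
    ]
    totals = score_stream(stream, rates)
    for key, value in sorted(totals.items()):
        print(key, round(value, 3))
    print("alarm:", alarming_hosts(totals, threshold=1.0))
```

With these constructed inputs the frequently firing `sudo` rule is discounted (hit rate 0.3, weight 0.7) while the never-seen `chmod -R 777` rule keeps full weight, and only `web-01` in the first period crosses the threshold, because a single high-probability command with a rarely firing rule dominates its sum.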
B10, a system for analyzing the commands executed on each host, including the analytical equipment as described in any one of B1 to B9 and several host terminals;
the several host terminals are configured to transmit at least the current command of each host and the identification of the host to which it belongs to the centralized data collector over the network.
B11, the system as described in B10, wherein the host terminal includes:
a command sending module, configured to modify the command interpreter (shell) of each host so as to add a function that transmits the host's current command received by the shell, together with the host IP, to the centralized data collector.
B12, the system as described in B11, further including:
a monitor, configured to monitor the deployment status of the command sending module on each host, and, when it finds that a newly added host has not deployed the command sending module or that the command sending module on a host has failed, to automatically log on to that host by its host IP and deploy the command sending module for it.
C13, a method for analyzing the commands executed on each host, including:
collecting the current command of each host and the identification of the host to which it belongs, transmitted over the network;
identifying the collected current commands, at least distinguishing abnormal commands from normal commands;
judging from the above identification result whether alarm conditions are met, and if they are, issuing warning information that the corresponding host has an anomaly.
C14, the method as described in C13, wherein the step of identifying the collected current commands includes:
filtering the collected current commands using preset suspicious rules, identifying a current command hit by a suspicious rule as an abnormal command, and obtaining the alarm weight of the abnormal command hit by that suspicious rule, the alarm weight being derived from the overall hit rate of that suspicious rule on commands;
and the step of judging from the above identification result whether alarm conditions are met includes: judging from the alarm weights of the abnormal commands whether alarm conditions are met.
C15, the method as described in C14, wherein the alarm weight of the abnormal command is obtained in the following manner:
using the overall hit rate of the suspicious rule on established commands as the independent variable of a monotonically decreasing function, and taking the function value as the alarm weight of the abnormal command hit by that suspicious rule.
C16, the method as described in C14, wherein the step of judging from the identification result whether alarm conditions are met includes:
within one alarm period, counting all abnormal commands identified on a given host, aggregating the alarm weights corresponding to each of these abnormal commands, and judging from the aggregated value whether preset alarm conditions are met.
C17, the method as described in C11, wherein the step of identifying the collected current commands includes:
classifying the received current command according to a training sample set of an existing classification model, obtaining the probability that the current command is a normal command and the probability that it is an abnormal command, and thereby identifying whether the current command is an abnormal command.
C18, the method as described in C17, wherein the step of judging from the identification result whether alarm conditions are met includes:
within one alarm period, counting all abnormal commands identified on a given host, aggregating the abnormal-command probabilities corresponding to each of these abnormal commands, and judging from the aggregated value whether preset alarm conditions are met.
C19, the method as described in C13, wherein the step of identifying the collected current commands includes:
filtering the received current commands using preset suspicious rules, selecting the current commands hit by a suspicious rule, and outputting the alarm weight of the current command hit by that suspicious rule, the alarm weight being derived from the overall hit rate of that suspicious rule on commands;
further classifying the selected current commands according to a training sample set of an existing classification model, obtaining the probability that the current command is a normal command and the probability that it is an abnormal command, and thereby identifying whether the current command is an abnormal command.
C20, the method as described in C17 or C19, further including:
merging newly added current commands with the existing training sample set, performing machine learning on the merged set, and updating the existing training sample set used in classification.
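The classification step of C17/C19 (probability that a command is normal or abnormal, derived from a training sample set) together with the learning step of C20 (merging newly added labelled commands into that set and retraining), as an added worked example that is not code from the disclosure. The disclosure does not name a model; this example assumes a multinomial naive Bayes classifier over whitespace tokens with Laplace smoothing, and the training commands and labels are constructed:

```python
import math
from collections import Counter


def tokenize(command):
    """Whitespace tokens, lower-cased (constructed tokenizer for the example)."""
    return command.lower().split()


class CommandClassifier:
    """Classification module backed by a multinomial naive Bayes model over
    command tokens, plus the learning module that merges newly added labelled
    commands into the training sample set and retrains."""

    LABELS = ("normal", "abnormal")

    def __init__(self, training_set):
        # training_set: list of (command, label) pairs; must be non-empty
        if not training_set:
            raise ValueError("training sample set must not be empty")
        self.training_set = list(training_set)
        self._fit()

    def _fit(self):
        """Machine-learning step: recount class and token frequencies from the
        current training sample set."""
        self.class_counts = Counter()
        self.token_counts = {label: Counter() for label in self.LABELS}
        for command, label in self.training_set:
            self.class_counts[label] += 1
            self.token_counts[label].update(tokenize(command))
        self.vocabulary = set()
        for counts in self.token_counts.values():
            self.vocabulary.update(counts)

    def probabilities(self, command):
        """Return {"normal": P(normal | command), "abnormal": P(abnormal | command)}.
        Laplace smoothing keeps unseen tokens from zeroing a class out."""
        tokens = tokenize(command)
        n_samples = len(self.training_set)
        vocab_size = len(self.vocabulary)
        log_scores = {}
        for label in self.LABELS:
            log_p = math.log((self.class_counts[label] + 1) / (n_samples + len(self.LABELS)))
            total_tokens = sum(self.token_counts[label].values())
            for token in tokens:
                log_p += math.log((self.token_counts[label][token] + 1) / (total_tokens + vocab_size))
            log_scores[label] = log_p
        # normalise in log space so tiny likelihoods do not underflow
        top = max(log_scores.values())
        weights = {label: math.exp(lp - top) for label, lp in log_scores.items()}
        norm = sum(weights.values())
        return {label: w / norm for label, w in weights.items()}

    def is_abnormal(self, command):
        """Identification result: abnormal when P(abnormal) exceeds P(normal)."""
        p = self.probabilities(command)
        return p["abnormal"] > p["normal"]

    def learn(self, new_samples):
        """Learning module: merge newly added labelled commands with the
        existing training sample set and retrain on the merged set."""
        self.training_set.extend(new_samples)
        self._fit()


# Constructed training sample set (hypothetical commands and labels).
TRAINING_SET = [
    ("ls -la", "normal"), ("cd /var/log", "normal"), ("cat /etc/hosts", "normal"),
    ("tail -f app.log", "normal"), ("grep error app.log", "normal"),
    ("rm -rf /", "abnormal"), ("chmod -r 777 /etc", "abnormal"), ("userdel admin", "abnormal"),
]

if __name__ == "__main__":
    clf = CommandClassifier(TRAINING_SET)
    for cmd in ("rm -rf /home", "ls -la /etc"):
        print(cmd, {k: round(v, 3) for k, v in clf.probabilities(cmd).items()})
    # newly added, labelled commands arrive; merge and retrain
    clf.learn([("mount /dev/sdb1 /mnt", "normal"), ("rm -rf /var", "abnormal")])
    print("after learning:", round(clf.probabilities("rm -rf /home")["abnormal"], 3))
```

Retraining from the merged set, rather than patching counts in place, keeps the model and the stored training sample set consistent, which matters when the set is also the audit record of what the classifier has been taught.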
C21, the method as described in C19, wherein the step of judging from the identification result whether alarm conditions are met includes:
within one alarm period, counting all abnormal commands identified on a given host, multiplying the abnormal-command probability of each abnormal command by its alarm weight to obtain a corresponding alarm index, aggregating the alarm indices of these abnormal commands, and judging from the aggregated value whether preset alarm conditions are met.
C22, the method as described in C13-21, wherein the step of collecting the current command of each host and the identification of the host to which it belongs, transmitted over the network, includes:
modifying the command interpreter (shell) of each host to add a function that transmits the host's current command received by the shell, together with the host IP, over the network to a designated device, and using that function to collect the current command of each host and the identification of the host to which it belongs.
C23, the method as described in C22, further including:
monitoring the events in which each host transmits its current command and host identification, and, when a newly added host is found not to have undergone the above shell modification or the modification has failed, automatically logging on to that host by its host IP and deploying the above shell modification for it.