CN105574099A - Method for solving semantic gap of file data blocks on basis of memory information - Google Patents
- Publication number: CN105574099A (application CN201510921473.XA)
- Authority: CN (China)
- Prior art keywords: file, virtual machine, mapping, disk block, disk
- Legal status: Pending (status as listed by Google Patents; not a legal conclusion)
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/10—File systems; File servers
- G06F16/18—File system types
- G06F16/188—Virtual file systems
- G06F16/196—Specific adaptations of the file system to access devices and non-file objects via standard file system access operations, e.g. pseudo file systems
Abstract
The invention relates to a method for solving the semantic gap of file data blocks on the basis of memory information. The method comprises three parts: constructing the mapping between files inside a virtual machine and the disk blocks of the virtual machine, dynamically updating that mapping, and establishing the correspondence between operations on the virtual machine's disk blocks and operations on files inside the virtual machine. Using the information about opened files held in the system's memory, the method rapidly constructs, on demand, only the mapping set needed while the system is running, which shortens construction time and at the same time makes the mapping set more useful. The method is aimed at agent-free detection of file events in the virtual machine: by constructing the mapping between disk data blocks and files, it closes the semantic gap between the raw disk read/write data observed by an agent-free module outside the virtual machine and the file content those operations concern. The method has the beneficial effects that lookups during subsequent use are efficient, access is fast, construction time is short, and the mapping stays synchronized with the real running state of the system.
Description
Technical Field
The invention relates to a method for bridging the large semantic gap between disk blocks and files, in particular to a method for solving the semantic gap of file data blocks on the basis of memory information, and belongs to the field of computer applications.
Background
The current trend in virtual machine security is increasingly towards the agent-less mode, which gives better performance and simpler deployment. However, when a specific technique is implemented, and especially when the running state of a system is monitored and controlled without an agent, there is a major challenge: the events and data that can be intercepted outside the virtual machine carry no clear semantic information, while what security needs is exactly clear system semantics. How to bridge the gap between the two therefore becomes the central problem in applying agent-free technology.
The research community has studied the recovery of semantic information from memory extensively, but the recovery of the semantics of file operations much less. Some existing methods construct the mapping by reading and parsing the metadata of the on-disk file system, which has the following problems: 1. disk access is far slower than memory access, so constructing the mapping takes a long time; 2. the data on the disk is the complete set of files, not only those in use; 3. a cache sits between the disk and memory, so the on-disk metadata may lag behind the system's actual state.
In practical use, however, the applicant found that the memory information describes exactly the files opened while the system is running, and that memory data is more current.
How to provide a method that solves the semantic gap of file data blocks on the basis of memory information is therefore the object of the invention.
Disclosure of Invention
To overcome the defects of the prior art, the invention provides a method for solving the semantic gap of file data blocks based on memory information. The method uses the information about opened files in system memory to rapidly construct, on demand, the mapping set needed while the system is running, which shortens construction time and makes the mapping set more useful. The invention focuses on agent-free detection of file events in the virtual machine and, by constructing the mapping between disk data blocks and files, solves the semantic gap between the raw disk-block read/write data observed by an agent-free module outside the virtual machine and the file content.
The technical scheme adopted by the invention is as follows. A method for solving the semantic gap of file data blocks based on memory information comprises three parts: constructing the mapping between files inside the virtual machine and the disk blocks of the virtual machine; dynamically updating that mapping; and establishing the correspondence between operations on the virtual machine's disk blocks and operations on files inside the virtual machine.
The construction of the mapping between files inside the virtual machine and the disk blocks of the virtual machine comprises the following steps:
first, the file disk block mapping interface module obtains the physical memory pages of the user virtual machine as they exist in the host, finds the head address of the linked list of process descriptors, and traverses each process descriptor along the list, executing the next step for each;
second, it finds all files opened by the process in the process descriptor, finds the address space description information for each opened file, and finds the disk block distribution information of the file from that structure;
third, from the disk block distribution information found, it constructs the mapping between the file and its disk blocks and stores it in the file disk block mapping set.
The dynamic updating of the mapping between files inside the virtual machine and the disk blocks of the virtual machine comprises the following steps:
first, the system call interception module finds the physical memory page where the virtual machine's internal file-system system calls are located, sets the page non-executable, and thereby intercepts the virtual machine's internal file system calls;
second, the system call interception module passes the corresponding file structure to the file disk block mapping construction module, which parses the corresponding disk block distribution information from the file structure and updates the mapping relation in the file disk block mapping set.
The correspondence between operations on the virtual machine's disk blocks and operations on internal files comprises the following steps:
first, the disk block operation interception module of the virtual machine intercepts I/O read/write operations of the block device back-end driver and passes the virtual machine disk block numbers to the file disk block mapping interface module;
second, the file disk block mapping interface module queries the file disk block mapping set and returns the file path corresponding to the specified disk block number.
Furthermore, in the first step of constructing the mapping between files inside the virtual machine and the disk blocks of the virtual machine, the process descriptor is task_struct under Linux and EPROCESS under Windows.
Furthermore, in the second step of constructing the mapping between files inside the virtual machine and the disk blocks of the virtual machine, the address space description information is the address_space structure under Linux.
Further, a control method of a virtual machine monitor comprises the following steps:
1) installing a module for constructing the mapping between virtual machine files and disk blocks, a file system call capture module, and an interface providing module in the management domain of the virtual machine monitor;
2) the file and disk block mapping module constructs a mapping set based on the memory information of the virtual machine;
3) the file system call capture module captures file creation, write and deletion events and notifies the mapping construction module to update the mapping set;
4) the interface providing module provides interfaces for other components, searches the mapping set, and returns the set of disk blocks of a specified file, or the file to which a specified disk block belongs.
The beneficial effects of the invention are: lookups during subsequent use are efficient; access is fast and construction time is short; and the mapping set is kept synchronized with the real running state of the system.
Drawings
FIG. 1 is a flow chart of the steps of the present invention.
Detailed Description
The invention is further analyzed with reference to FIG. 1.
The core of the invention is to integrate the memory information and the storage information of the system: based on the memory data of the virtual machine, locate the positions on disk of the data blocks of the files opened by processes, and construct the mapping between opened files and disk data blocks. Specifically, this comprises the following steps:
1. Search for the files opened in the system. Read the memory of the specified virtual machine, find the entry of the process descriptor linked list in memory, traverse the processes in the system, and find the files opened by each process;
2. Obtain the disk block information of the opened files. Each opened file has a structure in the system that records the file's representation in memory, and also records the block device on which the file is stored and the position information of its data blocks on that device. Parse the memory data and find the block device information and data block position information in the file structure;
3. Construct the mapping between the files opened in the system and disk blocks. From the results of the two previous steps, a hash table is used to store <file, set of disk blocks> entries, which completes the mapping between the files currently opened in the system and their disk blocks;
4. Dynamically update the mapping set. The memory pages holding the code entries of the file creation, file write and file deletion system calls are set non-executable, so that whenever one of these system calls executes it is trapped by the virtual machine monitor. The agent-less detection program then finds the corresponding file and disk block information and updates the mapping set.
Specifically, as shown in FIG. 1, the method for solving the semantic gap of file data blocks based on memory information provided by the present invention comprises three steps, i.e. constructing the mapping between files inside the virtual machine and the disk blocks of the virtual machine, dynamically updating the mapping between files inside the virtual machine and the disk blocks of the virtual machine, and establishing the correspondence between virtual machine disk block operations and internal file operations; wherein,
1. Construction of the mapping between files inside the virtual machine and the disk blocks of the virtual machine comprises the following steps:
1.1 the file disk block mapping module acquires the physical memory pages of the user virtual machine in the host, finds the head address of the linked list of process descriptors (task_struct under Linux, EPROCESS under Windows), and traverses each process descriptor along the list, executing step 1.2 for each;
1.2 find all files opened by the process in the process descriptor, find the address space description information (the address_space structure under Linux) for each opened file, and find the disk block distribution information of the file from that structure;
1.3 from the disk block distribution information found in step 1.2, construct the mapping between the file and its disk blocks and store it in the file disk block mapping set;
2. Dynamic updating of the mapping between files inside the virtual machine and the disk blocks of the virtual machine:
2.1 the system call interception module finds the physical memory page where the virtual machine's internal file-system system calls are located, sets the page non-executable, and intercepts the virtual machine's internal file system calls;
2.2 the system call interception module passes the corresponding file structure to the file disk block mapping construction module, which parses the corresponding disk block distribution information from it and updates the mapping relation in the file disk block mapping set;
3. Correspondence between virtual machine disk block operations and internal file operations:
3.1 the disk block operation interception module of the virtual machine intercepts I/O read/write operations of the back-end driver and passes the virtual machine disk block number to the file disk block mapping interface module;
3.2 the file disk block mapping interface module queries the file disk block mapping set and returns the file path corresponding to the specified disk block number.
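The three steps above, modelled as an added example that is not part of the patent: a two-way hash table standing in for the file disk block mapping set, built from constructed records (the paths and block extents the module would have parsed out of task_struct and address_space), updated from constructed create/write/delete events, and queried with the block numbers of a constructed back-end I/O trace. All file names, block numbers and event tuples are invented for the demonstration.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

Extent = Tuple[int, int]  # (first disk block number, number of blocks)

@dataclass
class OpenFile:
    """Constructed stand-in for one opened file's parsed in-memory structures."""
    path: str
    extents: List[Extent]

class FileBlockMap:
    """The 'file disk block mapping set': hash tables in both directions."""

    def __init__(self) -> None:
        self.file_to_blocks: Dict[str, Set[int]] = {}
        self.block_to_file: Dict[int, str] = {}

    # Step 1: construct the set from the files found open at scan time.
    def build(self, open_files: Iterable[OpenFile]) -> None:
        for f in open_files:
            self.add_blocks(f.path, f.extents)

    # Step 2: update when a create/write/delete system call is trapped.
    def add_blocks(self, path: str, extents: Iterable[Extent]) -> None:
        blocks = self.file_to_blocks.setdefault(path, set())
        for first, count in extents:
            for b in range(first, first + count):
                owner = self.block_to_file.get(b)
                if owner is not None and owner != path:
                    # Block reassigned (e.g. an unseen deletion): drop stale entry.
                    self.file_to_blocks[owner].discard(b)
                self.block_to_file[b] = path
                blocks.add(b)

    def remove_file(self, path: str) -> None:
        for b in self.file_to_blocks.pop(path, set()):
            self.block_to_file.pop(b, None)

    def apply_event(self, event: tuple) -> None:
        kind, path = event[0], event[1]
        if kind in ("create", "write"):
            self.add_blocks(path, event[2])
        elif kind == "delete":
            self.remove_file(path)

    # Step 3: answer the disk block operation interception module's query.
    def resolve(self, block: int) -> Optional[str]:
        """Owning path, or None if the block is not in the set (gap stays open)."""
        return self.block_to_file.get(block)

    def blocks_of(self, path: str) -> Set[int]:
        return set(self.file_to_blocks.get(path, set()))

def demo() -> dict:
    """Runs the three steps over constructed data and returns the results."""
    open_files = [  # constructed: files found open while walking the task list
        OpenFile("/var/log/auth.log", [(1000, 4)]),
        OpenFile("/etc/passwd", [(2000, 1)]),
        OpenFile("/tmp/scratch", [(3000, 1)]),
    ]
    m = FileBlockMap()
    m.build(open_files)
    events = [  # constructed: trapped file system calls, in order
        ("write", "/var/log/auth.log", [(1004, 2)]),         # log grew
        ("delete", "/etc/passwd"),
        ("create", "/etc/passwd", [(2000, 1), (2001, 1)]),  # rewritten
        ("create", "/home/u/notes.txt", [(3000, 1)]),       # reuses 3000
    ]
    for ev in events:
        m.apply_event(ev)
    io_trace = [1001, 1004, 2001, 3000, 4000]  # constructed back-end block I/O
    return {
        "resolved": [m.resolve(b) for b in io_trace],
        "log_blocks": sorted(m.blocks_of("/var/log/auth.log")),
        "passwd_blocks": sorted(m.blocks_of("/etc/passwd")),
        "scratch_blocks": sorted(m.blocks_of("/tmp/scratch")),
    }
```

Block 4000 resolves to None because it was never attached to an opened file, which is the residual gap the patent accepts: only files in use are in the set.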
Because the invention constructs the disk block mapping only for the files opened in the system (that is, the files actually in use), the set contains only the necessary file information and lookups during subsequent use are efficient; because the information used to construct the set is obtained from memory, access is fast and construction time is short; and by combining this with the system's file system call events, the mapping set is dynamically updated and always kept synchronized with the real running state of the system.
The technical solutions provided by the present application have been described in detail above. The principles and embodiments of the present application are explained through specific embodiments, and the description of those embodiments serves only to help understand the method and core ideas of the present application. A person skilled in the art may, following the ideas of the present application, vary the specific embodiments and the scope of application; in summary, the content of this specification should not be construed as limiting the present application.
Claims (4)
1. A method for solving the semantic gap of file data blocks based on memory information, characterized by comprising the following steps:
1) constructing the mapping between files inside the virtual machine and the disk blocks of the virtual machine;
2) dynamically updating the mapping between files inside the virtual machine and the disk blocks of the virtual machine;
3) establishing the correspondence between virtual machine disk block operations and internal file operations; wherein,
the construction of the mapping between files inside the virtual machine and the disk blocks of the virtual machine comprises the following steps:
first, the file disk block mapping interface module obtains the physical memory pages of the user virtual machine as they exist in the host, finds the head address of the linked list of process descriptors, and traverses each process descriptor along the list, executing the next step for each;
second, it finds all files opened by the process in the process descriptor, finds the address space description information for each opened file, and finds the disk block distribution information of the file from that structure;
third, from the disk block distribution information found, it constructs the mapping between the file and its disk blocks and stores it in the file disk block mapping set;
the dynamic updating of the mapping between files inside the virtual machine and the disk blocks of the virtual machine comprises the following steps:
first, the system call interception module finds the physical memory page where the virtual machine's internal file-system system calls are located, sets the page non-executable, and thereby intercepts the virtual machine's internal file system calls;
second, the system call interception module passes the corresponding file structure to the file disk block mapping construction module, which parses the corresponding disk block distribution information from the file structure and updates the mapping relation in the file disk block mapping set;
the correspondence between operations on the virtual machine's disk blocks and operations on internal files comprises the following steps:
first, the disk block operation interception module of the virtual machine intercepts I/O read/write operations of the block device back-end driver and passes the virtual machine disk block numbers to the file disk block mapping interface module;
second, the file disk block mapping interface module queries the file disk block mapping set and returns the file path corresponding to the specified disk block number.
2. The method for solving the semantic gap of file data blocks based on memory information according to claim 1, characterized in that, in the first step of constructing the mapping between files inside the virtual machine and the disk blocks of the virtual machine, the process descriptor is task_struct under Linux and EPROCESS under Windows.
3. The method for solving the semantic gap of file data blocks based on memory information according to claim 1, characterized in that, in the second step of constructing the mapping between files inside the virtual machine and the disk blocks of the virtual machine, the address space description information is the address_space structure under Linux.
4. A control method of a virtual machine monitor, characterized by comprising the following steps:
1) installing a module for constructing the mapping between virtual machine files and disk blocks, a file system call capture module, and an interface providing module in the management domain of the virtual machine monitor;
2) the file and disk block mapping module constructs a mapping set based on the memory information of the virtual machine;
3) the file system call capture module captures file creation, write and deletion events and notifies the mapping construction module to update the mapping set;
4) the interface providing module provides interfaces for other components, searches the mapping set, and returns the set of disk blocks of a specified file, or the file to which a specified disk block belongs.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510921473.XA CN105574099A (en) | 2015-12-14 | 2015-12-14 | Method for solving semantic gap of file data blocks on basis of memory information |
Publications (1)
Publication Number | Publication Date |
---|---|
CN105574099A true CN105574099A (en) | 2016-05-11 |
Family ID: 55884230
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510921473.XA Pending CN105574099A (en) | 2015-12-14 | 2015-12-14 | Method for solving semantic gap of file data blocks on basis of memory information |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105574099A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109558375A (en) * | 2018-12-05 | 2019-04-02 | 武汉斗鱼网络科技有限公司 | Optimized file storage method, storage medium, device and system |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101699443A (en) * | 2009-11-04 | 2010-04-28 | 北京东方广视科技有限责任公司 | Method and device for managing network files |
CN101727456A (en) * | 2008-10-24 | 2010-06-09 | 国际商业机器公司 | Disk physical block allocation method for host machine system with virtual machine and equipment |
CN101866408A (en) * | 2010-06-30 | 2010-10-20 | 华中科技大学 | Transparent trust chain constructing system based on virtual machine architecture |
CN103699334A (en) * | 2012-09-27 | 2014-04-02 | 伊姆西公司 | Method and system for managing virtual machine disk |
CN104850451A (en) * | 2015-05-15 | 2015-08-19 | 北京北信源软件股份有限公司 | Method for realizing inter-process communication between virtual machine and administrative domain |
Non-Patent Citations (2)
Title |
---|
Xuxian Jiang et al., "Stealthy malware detection through VMM-based 'out-of-the-box' semantic view reconstruction", Proceedings of the 14th ACM Conference on Computer and Communications Security |
周刚 (Zhou Gang), "Research on forensics-oriented live migration technology in cloud computing environments" (云计算环境中面向取证的现场迁移技术研究), China Doctoral Dissertations Full-text Database, Information Science and Technology series (中国博士学位论文全文数据库 信息科技辑) |
Legal Events
Code | Title | Description |
---|---|---|
C06 | Publication | |
PB01 | Publication | |
C10 | Entry into substantive examination | |
SE01 | Entry into force of request for substantive examination | |
RJ01 | Rejection of invention patent application after publication | Application publication date: 20160511 |