CN106055453A - Equipment monitoring method and device - Google Patents


Publication number
CN106055453A
Authority
CN
China
Prior art keywords
equipment
monitored
user
mark
space
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201610380425.9A
Other languages
Chinese (zh)
Inventor
彭振翼
吴教仁
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Baidu Netcom Science and Technology Co Ltd
Original Assignee
Beijing Baidu Netcom Science and Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Baidu Netcom Science and Technology Co Ltd filed Critical Beijing Baidu Netcom Science and Technology Co Ltd
Priority to CN201610380425.9A priority Critical patent/CN106055453A/en
Publication of CN106055453A publication Critical patent/CN106055453A/en
Pending legal-status Critical Current

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/30 Monitoring
    • G06F11/3051 Monitoring arrangements for monitoring the configuration of the computing system or of the computing system component, e.g. monitoring the presence of processing resources, peripherals, I/O links, software programs

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Quality & Reliability (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The invention discloses an equipment monitoring method and device. One specific embodiment of the method comprises the following steps: receiving operating commands for to-be-monitored equipment from user space through a preset interactive interface, wherein the operating commands include an identifier of the to-be-monitored equipment and an operation type; intercepting operations that call the path where the driver of the to-be-monitored equipment indicated by the identifier is located; recording operation information of the intercepted operation in a preset operation information list and executing the intercepted operation; and returning the recorded operation information to user space so that operations on the to-be-monitored equipment can be monitored from user space. According to the embodiments, the detailed operation history of the equipment during a past period of time can be determined, and monitoring of the equipment is achieved without depending on an interface provided by the equipment manufacturer.

Description

Equipment monitoring method and device
Technical field
The present application relates to the field of computer control, in particular to the field of device monitoring, and specifically to a device monitoring method and apparatus.
Background
In the Linux operating system, management tools can be used to manage and monitor character devices. Existing monitoring methods mainly collect device information through the interfaces provided by the device's driver. This approach is constrained to a large extent by the device driver. When the driver does not provide an interface, the driver has to be modified accordingly. If the driver is not open source, in-depth monitoring cannot be carried out.
Taking a graphics processing unit (GPU) as an example, a management tool can use an interface provided by the device manufacturer (such as the CUDA (Compute Unified Device Architecture) interface) to view the GPU's temperature, utilization, the names of running processes, program paths and similar information. It cannot, however, obtain the details of each operation on the GPU during a past period of time, so the detailed operation history of the device over that period cannot be known.
Summary of the invention
The purpose of the present application is to propose a device monitoring method and apparatus that solve the technical problem mentioned in the background section above.
In a first aspect, the present application provides a device monitoring method, the method comprising: receiving, through a preset interactive interface, an operation command for a device to be monitored from user space, the operation command including an identifier of the device to be monitored and an operation type; intercepting operations that call the path where the driver of the device to be monitored indicated by the identifier is located; recording operation information of the intercepted operation in a preset operation information list, and executing the intercepted operation; and returning the recorded operation information to user space, so that operations on the device to be monitored can be monitored from user space.
In some embodiments, receiving the operation command for the device to be monitored from user space through the preset interactive interface comprises: loading a preset kernel module and creating a virtual device; and receiving, through the virtual device, the operation command for the device to be monitored from user space.
In some embodiments, intercepting operations that call the path where the driver of the device to be monitored indicated by the identifier is located comprises: determining the structure that holds the device information of the device to be monitored indicated by the identifier; determining the path where the system call functions in that structure are located; and intercepting operations that call the path where the system call functions are located.
In some embodiments, returning the recorded operation information to user space comprises: in response to receiving, from the preset interactive interface, an information collection command sent from user space, looking up in the preset operation information list the operation information of operations on the device to be monitored indicated by the identifier, the information collection command including the identifier of the device to be monitored; and returning the operation information found to user space through the preset interactive interface.
In some embodiments, returning the recorded operation information to user space comprises: returning the recorded operation information in real time through the preset interactive interface.
In some embodiments, intercepting operations that call the path where the system call functions are located comprises: intercepting, by means of a preset hook function, operations that call the path where the system call functions are located.
In some embodiments, the operation information includes at least one of the following: the operation type of the intercepted operation, the identifier of the user who sent the operation command corresponding to the intercepted operation, the identifier of the process that performs the operation on the device to be monitored, and the execution time of the operation.
In a second aspect, the present application provides a device monitoring apparatus, the apparatus comprising: a receiving unit, configured to receive, through a preset interactive interface, an operation command for a device to be monitored from user space, the operation command including an identifier of the device to be monitored and an operation type; an interception unit, configured to intercept operations that call the path where the driver of the device to be monitored indicated by the identifier is located; a recording unit, configured to record operation information of the intercepted operation in a preset operation information list and to execute the intercepted operation; and a return unit, configured to return the recorded operation information to user space, so that operations on the device to be monitored can be monitored from user space.
In some embodiments, the receiving unit includes: a loading subunit, configured to load a preset kernel module and create a virtual device; and a receiving subunit, configured to receive, through the virtual device, the operation command for the device to be monitored from user space.
In some embodiments, the interception unit includes: a first determining subunit, configured to determine the structure that holds the device information of the device to be monitored indicated by the identifier; a second determining subunit, configured to determine the path where the system call functions in that structure are located; and an intercepting subunit, configured to intercept operations that call the path where the system call functions are located.
In some embodiments, the interception unit includes: a lookup subunit, configured to, in response to receiving from the preset interactive interface an information collection command sent from user space, look up in the preset operation information list the operation information of operations on the device to be monitored indicated by the identifier, the information collection command including the identifier of the device to be monitored; and a first return subunit, configured to return the operation information found to user space through the preset interactive interface.
In some embodiments, the interception unit includes: a second return subunit, configured to return the recorded operation information in real time through the preset interactive interface.
In some embodiments, the interception unit is further configured to: intercept, by means of a preset hook function, operations that call the path where the system call functions are located.
In some embodiments, the operation information includes at least one of the following: the operation type of the intercepted operation, the identifier of the user who sent the operation command corresponding to the intercepted operation, the identifier of the process that performs the operation on the device to be monitored, and the execution time of the operation.
The device monitoring method and apparatus provided by the present application provide a preset interface for interaction between user space and kernel space, record operations on the device to be monitored in a preset operation information list, and return the recorded operation information to user space. This makes it possible to determine the detailed operation history of the device over a past period of time without relying on an interface provided by the device manufacturer, thereby achieving monitoring of the device.
Brief description of the drawings
Other features, objects and advantages of the present application will become more apparent on reading the detailed description of non-limiting embodiments given with reference to the following drawings:
Fig. 1 is a flow chart of one embodiment of the device monitoring method according to the present application;
Fig. 2 is a flow chart of another embodiment of the device monitoring method according to the present application;
Fig. 3 is a structural diagram of one embodiment of the device monitoring apparatus according to the present application;
Fig. 4 is a structural diagram of another embodiment of the device monitoring apparatus according to the present application;
Fig. 5 is a structural diagram of a computer system suitable for implementing a terminal device or server of the embodiments of the present application.
Detailed description
The present application is described in further detail below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here serve only to explain the invention concerned and do not limit it. It should also be noted that, for ease of description, the drawings show only the parts relevant to the invention.
It should be noted that, where there is no conflict, the embodiments of the present application and the features of the embodiments may be combined with one another. The present application is described in detail below with reference to the drawings and in conjunction with the embodiments.
Fig. 1 is a flow chart 100 of one embodiment of the device monitoring method according to the present application. As shown in Fig. 1, the device monitoring method of this embodiment comprises the following steps:
Step 101: receive, through a preset interactive interface, an operation command for the device to be monitored from user space.
The Linux system divides itself into two parts. One part, the core software (such as device drivers), is independent of ordinary applications and runs at a higher privilege level; it resides in protected memory and has full permission to access hardware devices. Linux calls this kernel space. Ordinary applications, by contrast, run in user space.
In this embodiment, an interactive interface is provided for interaction between user space and kernel space. Applications installed in user space access software in kernel space through this interface, so there is no dependence on a device-driver interface provided by the manufacturer of the device to be monitored. When an application installed in user space operates on a device, it usually has to do so through the device's driver. Therefore, in this embodiment, the operation command for the device to be monitored is received from user space through the preset interactive interface.
The operation command may include: the identifier of the device to be monitored and an operation type.
Step 102: intercept operations that call the path where the driver of the device to be monitored indicated by the identifier is located.
A driver is a piece of code installed in the operating system that contains information about a hardware device. The computer communicates with the device through this information. A driver is usually a configuration file written by the hardware manufacturer for the operating system. Without a driver, the hardware in a computer cannot work.
Because a user-space program that operates on the device to be monitored first calls that device's driver, monitoring the device only requires monitoring the path where the driver of the device indicated by the identifier in the operation command is located. When an operation needs to call this path, that operation is going to control the device to be monitored. In this embodiment, all operations that call the path where the driver of the device indicated by the identifier is located are intercepted.
Step 103: record the operation information of the intercepted operation in a preset operation information list, and execute the intercepted operation.
In this embodiment, the operation information of the intercepted operation is recorded in a preset operation information list. It will be understood that this list may reside in kernel space, and may take the form of a linked list or another executable form. After the operation has been intercepted, it must still be executed, so that the user-space application can operate on the device to be monitored normally.
In some optional implementations of this embodiment, the operation information may include at least one of the following: the operation type of the intercepted operation, the identifier of the user who sent the operation command corresponding to the intercepted operation, the identifier of the process that performs the operation on the device to be monitored, and the execution time of the operation.
The operation type is the type or content of the operation performed on the device to be monitored. Because the operation command is sent from user space, the identifier of the user who sent the command can be recorded. It will be understood that when the intercepted operation is executed on the device to be monitored, there is a process that executes it. In this embodiment, the identifier of the user who sent the operation command corresponding to the intercepted operation, the identifier of the process that executes the operation, the execution time of the operation and the type of the operation can all be recorded in the preset operation information list. The recorded operation information can be returned to the user when needed.
Step 104: return the recorded operation information to user space, so that operations on the device to be monitored can be monitored from user space.
In this embodiment, the recorded operation information can be returned to the system administrator in user space. The administrator can judge the working state and operation history of the device to be monitored from this information.
In some optional implementations of this embodiment, step 104 includes the following sub-steps, not shown in Fig. 1:
In response to receiving, from the preset interactive interface, an information collection command sent from user space, look up in the preset operation information list the operation information of operations on the device to be monitored indicated by the identifier, the information collection command including the identifier of the device to be monitored; and return the operation information found to user space through the preset interactive interface.
A user-space application or administrator can send an information collection command to kernel space when needed. It will be understood that the information collection command is sent to kernel space through the preset interactive interface. After receiving the command, kernel space looks up, in the preset operation information list, the recorded operation information of operations on the device to be monitored indicated by the identifier contained in the command. Once the operation information has been found, it is returned to user space through the preset interactive interface.
In some optional implementations of this embodiment, step 104 includes the following sub-step, not shown in Fig. 1:
Return the recorded operation information in real time through the preset interactive interface.
By configuration, the recorded operation information can also be returned to user space in real time, so that the administrator can monitor the device in real time and discover abnormal conditions of the device promptly.
The device monitoring method provided by the above embodiment of the present application provides a preset interface for interaction between user space and kernel space, records operations on the device to be monitored in a preset operation information list, and returns the recorded operation information to user space. The detailed operation history of the device over a past period of time can thus be determined without relying on an interface provided by the device manufacturer, thereby achieving monitoring of the device.
With continued reference to Fig. 2, a flow chart 200 of another embodiment of the device monitoring method according to the present application is shown. The device monitoring method of this embodiment comprises the following steps:
Step 201: load a preset kernel module and create a virtual device.
A kernel module can be understood as a block of code that the kernel can load and execute when needed. The Linux kernel as a whole is large, and there are two ways to include a required function in it: compile all functions into the kernel, or compile functions as modules and add them dynamically when needed. In this embodiment, the code is compiled as a module and loaded into the kernel, and a virtual device can be created once loading is complete.
Step 202: receive, through the virtual device, the operation command for the device to be monitored from user space.
The virtual device can be used for interaction between kernel space and user space, so that operation commands issued from user space for the device to be monitored can be received through it. It will be understood that the operation command includes the identifier of the device to be monitored.
Step 203: determine the structure that holds the device information of the device to be monitored.
A structure is a collection of data made up of a series of items of the same or different types. In the Linux kernel, each device corresponds to a cdev structure, which contains all the data of that device, for example the device number dev_t, the module the device belongs to (struct module), and the device's file operations structure (struct file_operations). In this embodiment, the cdev structure of the device to be monitored can be determined in Linux kernel space from the device's identifier.
Step 204: determine the path where the system call functions in the structure are located.
The cdev structure holds a pointer to file_operations, and the system call functions in file_operations are what is used to operate the hardware. The system call functions may include open, close, read, write and so on.
Step 205: intercept operations that call the path where the system call functions are located.
When the device to be monitored is operated on, the system call functions in the file_operations structure are used, and so the path where those functions are located is called. In this embodiment, all operations that call the path where the system call functions are located are intercepted.
In some optional implementations of this embodiment, these operations can be intercepted by adding a hook function. A hook function is a program segment that processes messages and is attached to the system through a system call. Whenever a particular message is sent, the hook function captures it first, before it reaches the destination window. The hook function can then process the message, pass it on without processing it, or force the message's delivery to end.
Step 206: record the operation information of the intercepted operation in a preset operation information list, and execute the intercepted operation.
In this embodiment, the operation information corresponding to the intercepted operation is recorded in a preset operation information list, and the intercepted operation is executed at the same time. In practice, the pointer in the cdev structure that points to file_operations is modified so that it points to a new file_operations structure. The new file_operations structure contains new system call functions, which record the operation information of each intercepted operation and at the same time execute the operation. The recorded operation information can be stored in a list_head linked list, which is also a member of the cdev structure. Each time the device to be monitored is subsequently accessed, the operation type, user, process, timestamp and similar information of that access can be stored in this linked list.
Step 207: return the recorded operation information to user space, so that operations on the device to be monitored can be monitored from user space.
In this embodiment, the recorded operation information may be returned to user space when a collection command is received from user space, in which case the operation information for operations on the device to be monitored is returned; or it may be returned immediately after being recorded, so that the operation information for operations on the device to be monitored is presented in real time.
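The pointer swap of steps 203 to 206 and the collection of step 207, modelled in user space as an added example (not code from the patent, and not a kernel module). `struct dev_ops` and `struct model_cdev` are hypothetical simplified stand-ins for `file_operations` and `cdev`; the fake driver and the device number are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#include <sys/types.h>

/* Hypothetical, simplified stand-in for the kernel's struct file_operations. */
struct dev_ops {
    int  (*open)(void *dev);
    long (*read)(void *dev, char *buf, size_t len);
    int  (*release)(void *dev);              /* close */
};

enum op_type { OP_OPEN, OP_READ, OP_RELEASE };

/* One entry of the operation information list. */
struct op_record {
    enum op_type type;
    uid_t uid; pid_t pid;                    /* issuing user and process */
    time_t when;                             /* execution time */
    struct op_record *next;
};

/* Hypothetical, simplified stand-in for struct cdev. */
struct model_cdev {
    unsigned int devno;
    const struct dev_ops *ops;               /* table callers dispatch through */
    const struct dev_ops *orig_ops;          /* driver's own table, saved on attach */
    struct op_record *head, *tail;           /* operation information list */
};

static void record_op(struct model_cdev *c, enum op_type t)
{
    struct op_record *r = calloc(1, sizeof *r);
    if (!r) return;                          /* a lost log entry must not block the device */
    r->type = t; r->uid = getuid(); r->pid = getpid(); r->when = time(NULL);
    if (c->tail) c->tail->next = r; else c->head = r;
    c->tail = r;
}

/* Wrappers: record first, then run the intercepted operation unchanged. */
static int hook_open(void *d) { struct model_cdev *c = d; record_op(c, OP_OPEN); return c->orig_ops->open(d); }
static long hook_read(void *d, char *b, size_t n) { struct model_cdev *c = d; record_op(c, OP_READ); return c->orig_ops->read(d, b, n); }
static int hook_release(void *d) { struct model_cdev *c = d; record_op(c, OP_RELEASE); return c->orig_ops->release(d); }
static const struct dev_ops hook_ops = { hook_open, hook_read, hook_release };

/* Steps 203-205: save the original table and point the device at the wrappers. */
int monitor_attach(struct model_cdev *c)
{
    if (!c || !c->ops || c->orig_ops) return -1;   /* nothing to hook, or already hooked */
    c->orig_ops = c->ops; c->ops = &hook_ops;
    return 0;
}

/* Step 207: copy recorded entries out to the caller (information collection). */
size_t monitor_collect(const struct model_cdev *c, struct op_record *out, size_t max)
{
    size_t n = 0;
    for (const struct op_record *r = c->head; r && n < max; r = r->next, n++) {
        out[n] = *r;
        out[n].next = NULL;                  /* do not leak list pointers to the caller */
    }
    return n;
}

/* Restore the driver's own table and free the list. */
void monitor_detach(struct model_cdev *c)
{
    if (c->orig_ops) { c->ops = c->orig_ops; c->orig_ops = NULL; }
    while (c->head) { struct op_record *r = c->head; c->head = r->next; free(r); }
    c->tail = NULL;
}

/* Constructed fake driver standing in for a closed-source vendor driver. */
static int fake_calls;
static int fake_open(void *d) { (void)d; fake_calls++; return 0; }
static long fake_read(void *d, char *b, size_t n) { (void)d; memset(b, 'x', n); fake_calls++; return (long)n; }
static int fake_release(void *d) { (void)d; fake_calls++; return 0; }
static const struct dev_ops fake_ops = { fake_open, fake_read, fake_release };

struct op_record demo_out[8];
long demo_read_ret;

/* Open, read and close the device through dev.ops; returns the record count. */
size_t run_demo(void)
{
    struct model_cdev dev = { .devno = 195, .ops = &fake_ops };
    char buf[4];
    fake_calls = 0;
    monitor_attach(&dev);
    dev.ops->open(&dev);
    demo_read_ret = dev.ops->read(&dev, buf, sizeof buf);
    dev.ops->release(&dev);
    size_t n = monitor_collect(&dev, demo_out, 8);
    monitor_detach(&dev);
    return n;
}

int main(void) { printf("recorded %zu operations\n", run_demo()); return 0; }
```

The caller never changes: it still dispatches through `dev.ops`, which is why the scheme needs no cooperation from the driver and also why every wrapper must forward to the saved table.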
The device monitoring method of this embodiment is well suited to security services and to audit and billing services. Taking a GPU as an example: after a system has been broken into by a hacker, the hacker will typically choose a time when it is unlikely to be noticed (such as midnight or early morning) to run their own task, and may also hide the running task so that it is invisible in user space. If the system administrator cannot find this task, it can consume a large amount of resources. With the device monitoring method of this embodiment, the system administrator can judge whether the system has been intruded upon by checking the operation information for the GPU, and so protect the security of the system. Likewise, from the same operation information for the GPU, the system administrator can determine information such as when and how many times a user used the resource, which can be applied to billing services.
The device monitoring method provided by the above embodiment of the present application does not rely on the interfaces and monitoring tools that existing drivers provide. It only requires loading a preset kernel module into the Linux kernel to collect and record the operation information of operations on the device. Collection and recording are done at the device-driver level and therefore do not depend on the source code of any particular device driver, so the method is highly extensible.
With continued reference to Fig. 3, a structural diagram 300 of one embodiment of the device monitoring apparatus according to the present application is shown. The device monitoring apparatus of this embodiment includes: a receiving unit 301, an interception unit 302, a recording unit 303 and a return unit 304.
The receiving unit 301 is configured to receive, through a preset interactive interface, an operation command for the device to be monitored from user space.
The operation command includes: the identifier of the device to be monitored and an operation type.
In this embodiment, the preset interactive interface is used for interaction between user space and kernel space. Operation commands for the device to be monitored that are sent from user space are therefore received through the preset interactive interface.
The interception unit 302 is configured to intercept operations that call the path where the driver of the device to be monitored indicated by the identifier is located.
After the receiving unit 301 receives an operation command sent from user space, the interception unit 302 intercepts the operation by which that command calls the path where the driver of the device to be monitored indicated by the identifier is located.
The recording unit 303 is configured to record the operation information of the operation intercepted by the interception unit 302 in a preset operation information list, and to execute the operation intercepted by the interception unit 302.
The preset operation information list may be stored in kernel space and read from user space when needed.
The return unit 304 is configured to return the operation information recorded by the recording unit 303 to user space, so that operations on the device to be monitored can be monitored from user space.
The device monitoring apparatus provided by the above embodiment of the present application provides a preset interface for interaction between user space and kernel space, records operations on the device to be monitored in a preset operation information list, and returns the recorded operation information to user space. The detailed operation history of the device over a past period of time can thus be determined without relying on an interface provided by the device manufacturer, thereby achieving monitoring of the device.
Fig. 4 shows the structural representation 400 of an embodiment of the monitoring of equipment device according to the application.The present embodiment Monitoring of equipment device include: receive unit 401, interception unit 402, record unit 403 and return unit 404.
Wherein, receive unit 401 to farther include add subelements 4011 and receive subelement 4012.Add subelements 4011, for loading default kernel module, create virtual unit.Receive subelement 4012, for by adding subelements 4011 virtual units created, receive the operational order treating monitoring device from user's space.
The interception unit 402 further includes a first determining subunit 4021, a second determining subunit 4022 and an intercepting subunit 4023. The first determining subunit 4021 is configured to determine the structure in which the device information of the device to be monitored indicated by the identifier is located. The second determining subunit 4022 is configured to determine, in the structure determined by the first determining subunit 4021, the path where the system call function is located. The intercepting subunit 4023 is configured to intercept operations that call the path, determined by the second determining subunit 4022, where the system call function is located.
The recording unit 403 is configured to record the operation information of the operation intercepted by the intercepting subunit 4023, and to perform that operation.
In some optional implementations of this embodiment, the operation information includes at least one of the following: the operation type of the intercepted operation, the identifier of the user who sent the operation command corresponding to the intercepted operation, the identifier of the process performing the operation on the device to be monitored, and the execution time of the operation.
The returning unit 404 further includes a lookup subunit 4041 and a first returning subunit 4042. The lookup subunit 4041 is configured to, in response to receiving from the virtual device created by the loading subunit 4011 an information collection command sent from user space, look up, in the preset operation information list recorded by the recording unit 403, the operation information of operations on the device to be monitored indicated by the identifier. It can be understood that the information collection command includes the identifier of the device to be monitored. The first returning subunit 4042 is configured to return the found operation information to user space through the virtual device created by the loading subunit 4011.
In some optional implementations of this embodiment, the interception unit 402 may be further configured to: intercept, by means of a preset hook function, operations that call the path where the system call function is located.
In some optional implementations of this embodiment, the returning unit 404 may further include a second returning subunit, not shown in Fig. 4, configured to return the recorded operation information in real time through the preset interactive interface, so as to achieve real-time monitoring of the device to be monitored.
The device monitoring apparatus provided by the above embodiment of the present application does not rely on interfaces and monitoring tools provided by existing drivers; it only needs to load the preset kernel module into the Linux kernel to collect and record the operation information of operations on the device. Because the collection and recording of operation information is done at the device driver level, it does not depend on the source code of any specific device driver and is highly extensible.
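The intercept, record, perform and query flow described above for units 402 to 404, as an added user-space C example; it is not code from the patent. The `dev_ops` table, the `monitor_*` functions and the demo driver are hypothetical names, and the function-pointer table is an assumed stand-in for the driver structure the text refers to.

```c
#include <stdio.h>
#include <sys/types.h>
#include <time.h>
#include <unistd.h>

/* Hypothetical stand-in for a driver's table of operation entry points. */
struct dev_ops {
    long (*read)(int dev_id, char *buf, size_t len);
    long (*write)(int dev_id, const char *buf, size_t len);
};
enum op_type { OP_READ, OP_WRITE };
/* One entry of the operation information list: type, user, process, time. */
struct op_record { int dev_id; enum op_type type; uid_t uid; pid_t pid; time_t when; };

#define MAX_RECORDS 64
static struct op_record op_list[MAX_RECORDS];
static size_t op_count;
static struct dev_ops saved;      /* original handlers, called after recording */
static int monitored_id = -1;     /* identifier of the device to be monitored */

static void record_op(int dev_id, enum op_type type) {
    if (dev_id != monitored_id || op_count >= MAX_RECORDS)
        return;                   /* other device, or list full: do not record */
    op_list[op_count++] = (struct op_record){ dev_id, type, getuid(), getpid(), time(NULL) };
}
/* Hooks: record first, then perform the intercepted operation unchanged. */
static long hook_read(int id, char *b, size_t n) { record_op(id, OP_READ); return saved.read(id, b, n); }
static long hook_write(int id, const char *b, size_t n) { record_op(id, OP_WRITE); return saved.write(id, b, n); }
/* Save the original entry points and swap in the hooks. Returns 0 on success. */
int monitor_install(struct dev_ops *ops, int dev_id) {
    if (!ops || !ops->read || !ops->write || monitored_id != -1)
        return -1;                /* bad table, or a monitor is already installed */
    saved = *ops; monitored_id = dev_id; op_count = 0;
    ops->read = hook_read;
    ops->write = hook_write;
    return 0;
}
/* Restore the original entry points so the table is left as it was found. */
void monitor_remove(struct dev_ops *ops) {
    if (!ops || monitored_id == -1) return;
    *ops = saved; monitored_id = -1;
}
/* "Information collection command": copy records for dev_id, return the count. */
size_t monitor_query(int dev_id, struct op_record *out, size_t max) {
    size_t n = 0;
    for (size_t i = 0; i < op_count && n < max; i++)
        if (op_list[i].dev_id == dev_id) out[n++] = op_list[i];
    return n;
}
/* Constructed sample driver used only to exercise the hooks. */
static long demo_read(int d, char *buf, size_t len) { (void)d; if (len) buf[0] = 'x'; return len ? 1 : 0; }
static long demo_write(int d, const char *buf, size_t len) { (void)d; (void)buf; return (long)len; }
static struct dev_ops demo_ops = { demo_read, demo_write };

int main(void) {
    struct op_record out[8]; char b[4];
    monitor_install(&demo_ops, 7);
    demo_ops.read(7, b, sizeof b); demo_ops.write(7, "hi", 2);
    printf("recorded %zu operations on device 7\n", monitor_query(7, out, 8));
    monitor_remove(&demo_ops);
    return 0;
}
```

A kernel-side version would additionally need locking around the list, since intercepted operations can arrive concurrently.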
Referring now to Fig. 5, it shows a schematic structural diagram of a computer system 500 suitable for implementing a terminal device or server of the embodiments of the present application.
As shown in Fig. 5, the computer system 500 includes a central processing unit (CPU) 501, which can perform various appropriate actions and processing according to a program stored in read-only memory (ROM) 502 or a program loaded from the storage section 508 into random access memory (RAM) 503. The RAM 503 also stores the various programs and data required for the operation of the system 500. The CPU 501, ROM 502 and RAM 503 are connected to one another by a bus 504. An input/output (I/O) interface 505 is also connected to the bus 504.
The following components are connected to the I/O interface 505: an input section 506 including a keyboard, mouse, etc.; an output section 507 including a cathode ray tube (CRT), liquid crystal display (LCD), etc., and a speaker, etc.; a storage section 508 including a hard disk, etc.; and a communication section 509 including a network interface card such as a LAN card or modem. The communication section 509 performs communication processing via a network such as the Internet. A drive 510 is also connected to the I/O interface 505 as needed. A removable medium 511, such as a magnetic disk, optical disc, magneto-optical disk or semiconductor memory, is mounted on the drive 510 as needed, so that a computer program read from it can be installed into the storage section 508 as needed.
In particular, according to embodiments of the present disclosure, the process described above with reference to the flowchart may be implemented as a computer software program. For example, embodiments of the present disclosure include a computer program product comprising a computer program tangibly embodied on a machine-readable medium, the computer program containing program code for performing the method shown in the flowchart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication section 509, and/or installed from the removable medium 511. When the computer program is executed by the central processing unit (CPU) 501, the above functions defined in the method of the present application are performed.
The flowcharts and block diagrams in the accompanying drawings illustrate the architecture, functions and operations of possible implementations of systems, methods and computer program products according to various embodiments of the present application. In this regard, each block in a flowchart or block diagram may represent a module, program segment or portion of code, which contains one or more executable instructions for implementing the specified logical function. It should also be noted that, in some alternative implementations, the functions marked in the blocks may occur in an order different from that marked in the drawings. For example, two blocks shown in succession may in fact be executed substantially in parallel, or sometimes in the reverse order, depending on the functions involved. It should also be noted that each block in the block diagrams and/or flowcharts, and combinations of blocks in the block diagrams and/or flowcharts, may be implemented by a dedicated hardware-based system that performs the specified functions or operations, or by a combination of dedicated hardware and computer instructions.
The units described in the embodiments of the present application may be implemented in software or in hardware. The described units may also be provided in a processor; for example, it may be described as: a processor including a receiving unit, an interception unit, a recording unit and a returning unit. The names of these units do not, in some cases, constitute a limitation on the units themselves; for example, the interception unit may also be described as "a unit for intercepting operations that call the path where the driver of the device to be monitored is located".
In another aspect, the present application also provides a non-volatile computer storage medium. This non-volatile computer storage medium may be the one included in the apparatus described in the above embodiments, or it may exist separately without being assembled into a terminal. The non-volatile computer storage medium stores one or more programs which, when executed by a device, cause the device to: receive, through a preset interactive interface, an operation command for a device to be monitored from user space, the operation command including the identifier of the device to be monitored and an operation type; intercept the operation that calls the path where the driver of the device to be monitored indicated by the identifier is located; record the operation information of the intercepted operation in a preset operation information list, and perform the intercepted operation; and return the recorded operation information to the user space, so that operations on the device to be monitored can be monitored in the user space.
The above description is only a preferred embodiment of the present application and an explanation of the technical principles applied. Those skilled in the art should understand that the scope of the invention involved in the present application is not limited to technical solutions formed by the specific combination of the above technical features, and should also cover other technical solutions formed by any combination of the above technical features or their equivalents without departing from the inventive concept, for example, technical solutions formed by replacing the above features with (but not limited to) technical features with similar functions disclosed in the present application.

Claims (14)

1. A device monitoring method, characterized in that the method comprises:
receiving, through a preset interactive interface, an operation command for a device to be monitored from user space, the operation command including: an identifier of the device to be monitored and an operation type;
intercepting an operation that calls the path where the driver of the device to be monitored indicated by the identifier is located;
recording operation information of the intercepted operation in a preset operation information list, and performing the intercepted operation;
returning the recorded operation information to the user space, so as to monitor, in the user space, operations on the device to be monitored.
2. The method according to claim 1, characterized in that receiving, through the preset interactive interface, the operation command for the device to be monitored from user space comprises:
loading a preset kernel module and creating a virtual device;
receiving, through the virtual device, the operation command for the device to be monitored from the user space.
3. The method according to claim 1, characterized in that intercepting the operation that calls the path where the driver of the device to be monitored indicated by the identifier is located comprises:
determining the structure in which the device information of the device to be monitored indicated by the identifier is located;
determining the path where the system call function is located in the structure;
intercepting the operation that calls the path where the system call function is located.
4. The method according to claim 1, characterized in that returning the recorded operation information to the user space comprises:
in response to receiving, from the preset interactive interface, an information collection command sent from the user space, looking up, in the preset operation information list, the operation information of operations on the device to be monitored indicated by the identifier, the information collection command including: the identifier of the device to be monitored;
returning the found operation information to the user space through the preset interactive interface.
5. The method according to claim 1, characterized in that returning the recorded operation information to the user space comprises:
returning the recorded operation information in real time through the preset interactive interface.
6. The method according to claim 3, characterized in that intercepting the operation that calls the path where the system call function is located comprises:
intercepting, by means of a preset hook function, the operation that calls the path where the system call function is located.
7. The method according to claim 1, characterized in that the operation information includes at least one of the following: the operation type of the intercepted operation, the identifier of the user who sent the operation command corresponding to the intercepted operation, the identifier of the process performing the operation on the device to be monitored, and the execution time of the operation.
8. A device monitoring apparatus, characterized in that the apparatus comprises:
a receiving unit, configured to receive, through a preset interactive interface, an operation command for a device to be monitored from user space, the operation command including: an identifier of the device to be monitored and an operation type;
an interception unit, configured to intercept an operation that calls the path where the driver of the device to be monitored indicated by the identifier is located;
a recording unit, configured to record operation information of the intercepted operation in a preset operation information list, and to perform the intercepted operation;
a returning unit, configured to return the recorded operation information to the user space, so as to monitor, in the user space, operations on the device to be monitored.
9. The apparatus according to claim 8, characterized in that the receiving unit comprises:
a loading subunit, configured to load a preset kernel module and create a virtual device;
a receiving subunit, configured to receive, through the virtual device, the operation command for the device to be monitored from the user space.
10. The apparatus according to claim 8, characterized in that the interception unit comprises:
a first determining subunit, configured to determine the structure in which the device information of the device to be monitored indicated by the identifier is located;
a second determining subunit, configured to determine the path where the system call function is located in the structure;
an intercepting subunit, configured to intercept the operation that calls the path where the system call function is located.
11. The apparatus according to claim 8, characterized in that the returning unit comprises:
a lookup subunit, configured to, in response to receiving from the preset interactive interface an information collection command sent from the user space, look up, in the preset operation information list, the operation information of operations on the device to be monitored indicated by the identifier, the information collection command including: the identifier of the device to be monitored;
a first returning subunit, configured to return the found operation information to the user space through the preset interactive interface.
12. The apparatus according to claim 8, characterized in that the returning unit comprises:
a second returning subunit, configured to return the recorded operation information in real time through the preset interactive interface.
13. The apparatus according to claim 10, characterized in that the interception unit is further configured to:
intercept, by means of a preset hook function, the operation that calls the path where the system call function is located.
14. The apparatus according to claim 8, characterized in that the operation information includes at least one of the following: the operation type of the intercepted operation, the identifier of the user who sent the operation command corresponding to the intercepted operation, the identifier of the process performing the operation on the device to be monitored, and the execution time of the operation.
CN201610380425.9A 2016-06-01 2016-06-01 Equipment monitoring method and device Pending CN106055453A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610380425.9A CN106055453A (en) 2016-06-01 2016-06-01 Equipment monitoring method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610380425.9A CN106055453A (en) 2016-06-01 2016-06-01 Equipment monitoring method and device

Publications (1)

Publication Number Publication Date
CN106055453A true CN106055453A (en) 2016-10-26

Family

ID=57172493

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610380425.9A Pending CN106055453A (en) 2016-06-01 2016-06-01 Equipment monitoring method and device

Country Status (1)

Country Link
CN (1) CN106055453A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112580066A (en) * 2019-09-30 2021-03-30 北京国双科技有限公司 Data protection method and device

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102902909A (en) * 2012-10-10 2013-01-30 北京奇虎科技有限公司 System and method for preventing file from being tampered
CN103198255A (en) * 2013-04-03 2013-07-10 武汉大学 Method and system for monitoring and intercepting sensitive behaviour of Android software
CN104123194A (en) * 2014-07-16 2014-10-29 上海斐讯数据通信技术有限公司 Communication structure and method for kernel mode and user mode
CN105095741A (en) * 2014-05-13 2015-11-25 北京奇虎测腾科技有限公司 Behavior monitoring method and behavior monitoring system of application program
CN105184166A (en) * 2015-10-21 2015-12-23 南京大学 Kernel-based Android application real-time behavior analysis method and system
CN105607986A (en) * 2015-01-06 2016-05-25 北京志翔科技股份有限公司 Acquisition method and device of user behavior log data

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20161026