CN108762908A - System call anomaly detection method and device - Google Patents

Info

Publication number
CN108762908A
Authority
CN
China
Prior art keywords
subgraph
abnormal
frequent tree
history
tree mining
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201810551048.XA
Other languages
Chinese (zh)
Other versions
CN108762908B (en
Inventor
周扬
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Advanced New Technologies Co Ltd
Advantageous New Technologies Co Ltd
Original Assignee
Alibaba Group Holding Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Alibaba Group Holding Ltd filed Critical Alibaba Group Holding Ltd
Priority to CN201810551048.XA priority Critical patent/CN108762908B/en
Publication of CN108762908A publication Critical patent/CN108762908A/en
Application granted granted Critical
Publication of CN108762908B publication Critical patent/CN108762908B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46Multiprogramming arrangements
    • G06F9/48Program initiating; Program switching, e.g. by interrupt
    • G06F9/4806Task transfer initiation or dispatching
    • G06F9/4843Task transfer initiation or dispatching by program, e.g. task dispatcher, supervisor, operating system
    • G06F9/4881Scheduling strategies for dispatcher, e.g. round robin, multi-level priority queues
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2209/00Indexing scheme relating to G06F9/00
    • G06F2209/48Indexing scheme relating to G06F9/48
    • G06F2209/481Exception handling

Abstract

Embodiments of this specification provide a system call anomaly detection method and device. In the method, a call graph is generated from the call relationships between application systems at the current moment. According to a predefined matching rule, matching subgraphs for the historical frequent subgraphs in a historical frequent subgraph set are obtained from the call graph. The target distance between a historical frequent subgraph and a matching subgraph is calculated. Based on the target distance, it is identified whether the matching subgraph is an abnormal subgraph. If it is an abnormal subgraph, the abnormal call relationships among the call relationships between the application systems at the current moment are determined from the abnormal subgraph.

Description

System call anomaly detection method and device
Technical field
One or more embodiments of this specification relate to the field of computer technology, and in particular to a system call anomaly detection method and device.
Background
The traditional system call anomaly detection method compares the call relationships between the current systems with the call relationships between the historical systems in order to identify call relationships that do not occur frequently. Such an infrequent call relationship is then identified as an abnormal call.
Accordingly, a more accurate system call anomaly detection scheme is needed.
Summary of the invention
One or more embodiments of this specification describe a system call anomaly detection method and device that can detect system call anomalies more accurately.
In a first aspect, a system call anomaly detection method is provided, including:
generating a corresponding call graph according to the call relationships between application systems at the current moment;
obtaining from the call graph, according to a predefined matching rule, a matching subgraph of a historical frequent subgraph in a historical frequent subgraph set, where the historical frequent subgraph is determined from the call graphs corresponding to the call relationships between the application systems at past moments, and a historical frequent subgraph is a subgraph whose number of occurrences reaches a preset number;
calculating the target distance between the historical frequent subgraph and the matching subgraph;
identifying, according to the target distance, whether the matching subgraph is an abnormal subgraph;
if it is an abnormal subgraph, determining from the abnormal subgraph the abnormal call relationships among the call relationships between the application systems at the current moment.
In a second aspect, a system call anomaly detection device is provided, including:
a generation unit, configured to generate a corresponding call graph according to the call relationships between application systems at the current moment;
an acquiring unit, configured to obtain, according to a predefined matching rule, a matching subgraph of a historical frequent subgraph in a historical frequent subgraph set from the call graph generated by the generation unit, where the historical frequent subgraph is determined from the call graphs corresponding to the call relationships between the application systems at past moments, and a historical frequent subgraph is a subgraph whose number of occurrences reaches a preset number;
a computing unit, configured to calculate the target distance between the historical frequent subgraph and the matching subgraph obtained by the acquiring unit;
a recognition unit, configured to identify, according to the target distance calculated by the computing unit, whether the matching subgraph is an abnormal subgraph;
a determination unit, configured to determine from the abnormal subgraph, if the recognition unit identifies an abnormal subgraph, the abnormal call relationships among the call relationships between the application systems at the current moment.
In the system call anomaly detection method and device provided by one or more embodiments of this specification, a call graph is generated from the call relationships between application systems at the current moment. According to a predefined matching rule, matching subgraphs of the historical frequent subgraphs in the historical frequent subgraph set are obtained from the call graph. The target distance between a historical frequent subgraph and a matching subgraph is calculated. Based on the target distance, it is identified whether the matching subgraph is an abnormal subgraph. If it is, the abnormal call relationships among the call relationships between the application systems at the current moment are determined from the abnormal subgraph. That is, in the embodiments of this specification, a system call anomaly is detected by identifying whether an abnormal subgraph exists in the call graph at the current moment, which improves the accuracy of system call anomaly detection.
Description of the drawings
To explain the technical solutions of the embodiments of this specification more clearly, the drawings needed for describing the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of this specification; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of the call relationships between application systems provided by this specification;
Fig. 2 is a flow chart of the method for determining the historical frequent subgraph set provided by this specification;
Fig. 3 is a schematic diagram of a call graph provided by this specification;
Fig. 4 is a flow chart of the system call anomaly detection method provided by one embodiment of this specification;
Fig. 5 is a schematic diagram of the system call anomaly detection device provided by one embodiment of this specification.
Detailed description
The scheme provided by this specification is described below with reference to the drawings.
The system call anomaly detection method provided by this specification is suitable for scenarios in which anomaly detection is performed on the call relationships between application systems, for example the call relationships between the application systems shown in Fig. 1. In Fig. 1, each application system can expose a corresponding application programming interface (API). Specifically, a call between any two application systems can be implemented by calling the corresponding API.
Optionally, before the system call anomaly detection method provided by the embodiments of this specification is executed, the method for determining the historical frequent subgraph set shown in Fig. 2 (also called the training process) can be executed first. This method may include the following steps:
Step 210: obtain the N call graphs corresponding to the call relationships between the application systems at N past moments.
The N moments can be denoted T1, ..., Tn, and the N call graphs G1, ..., Gn. Note that a call graph in this specification can be a directed acyclic graph (DAG).
Assuming the call relationships between the application systems are as shown in Fig. 1, the corresponding call graph at some past moment can be as shown in Fig. 3. In Fig. 3, nodes A-E correspond to the first, second, third, fourth and fifth application systems respectively. In one example, Fig. 3 can be expressed in the form G = {node: [edge 1, edge 2, ..., edge n]}, that is:
G = {
A:[B,C]
B:[A,C]
C:[D]
D:[]
A:[B,C]
B:[C]
C:[E]
E:[]
}
Step 220: for each of the N call graphs, mine from the call graph, using the gSpan subgraph mining algorithm, at least one subgraph whose number of occurrences reaches a preset number.
In this specification, the number of occurrences is also called the support (Supp), and the preset number is accordingly called the minimum support (minSupp). A subgraph is a part of the full graph (the call graph) that contains only some of the full graph's nodes and edges.
Taking the call graph of Fig. 3 as an example, assume the preset number (minimum support) is 2. The gSpan subgraph mining algorithm then yields the following mining results:
Subgraph I1
{
A:[B,C]
B:[C]
C:[]
}
Support: 2
Subgraph I2
{
A:[B]
B:[]
}
Support: 2
Subgraph I3
{
A:[C]
C:[]
}
Support: 2
Subgraph I4
{
B:[C]
C:[]
}
Support: 2
As can be seen above, a mining result can include the subgraph content and the support, where the subgraph content is the nodes and edges the subgraph contains.
Step 230: screen historical frequent subgraphs from the at least one subgraph to obtain the historical frequent subgraphs corresponding to the call graph.
In one implementation, the screening process can be as follows. Remove from the at least one subgraph the subgraphs that are contained in another subgraph, obtaining at least one candidate subgraph. Calculate the target length of the at least one candidate subgraph; the target length can be determined from the number of occurrences and the number of nodes of the candidate subgraph. According to the target length, screen historical frequent subgraphs from the at least one candidate subgraph.
Taking the call graph of Fig. 3 and the corresponding subgraphs (I1, I2, I3 and I4) as an example: because I2, I3 and I4 are contained in I1, they can be removed so that only I1 is retained. The target length of I1 can then be calculated. In one implementation, the formula for the target length can be: M(I1, G) = DL1(G|I1) + DL2(I1), where DL1(G|I1) is the number of occurrences of subgraph I1 in the full graph G and DL2(I1) is the number of nodes of subgraph I1. In one example, if M(I1, G) is less than a preset threshold, I1 can be taken as a historical frequent subgraph of G.
Of course, in practice the screening may perform only the containment-removal step (in the example above, I1 is taken directly as the historical frequent subgraph without calculating its target length), or only the target-length step (in the example above, the target lengths of I1, I2, I3 and I4 are calculated directly and each is screened by whether its target length is less than the preset threshold). This specification does not limit this.
Step 240: the historical frequent subgraphs corresponding to the N call graphs constitute the historical frequent subgraph set.
After the historical frequent subgraphs corresponding to each call graph (G1, ..., Gn) have been screened out, the following historical frequent subgraph set is obtained: C = {I1, ..., Is}, where S is the number of historical frequent subgraphs.
Once the historical frequent subgraph set has been obtained, the following system call anomaly detection method (also called the prediction process) can be executed.
Fig. 4 is a flow chart of the system call anomaly detection method provided by one embodiment of this specification. As shown in Fig. 4, the method can include:
Step 410: generate a corresponding call graph according to the call relationships between the application systems at the current moment.
For the call graph, refer to Fig. 3; it is not described again here.
Step 420: according to a predefined matching rule, obtain from the call graph the matching subgraphs of a historical frequent subgraph in the historical frequent subgraph set.
Here, the predefined matching rule can be that the subgraphs have the same number of nodes. Taking the subgraph I1 above as the historical frequent subgraph, subgraphs with 3 nodes can be obtained from the call graph at the current moment as the matching subgraphs.
It can be understood that when the historical frequent subgraph set contains multiple historical frequent subgraphs, the process of obtaining matching subgraphs can be carried out for each in turn. In addition, multiple matching subgraphs may be obtained for each historical frequent subgraph.
Step 430: calculate the target distance between the historical frequent subgraph and the matching subgraph.
When there are multiple matching subgraphs, the target distance between the historical frequent subgraph and each matching subgraph is calculated in the same way. Taking the calculation for one matching subgraph as an example, it may include the following steps:
Step A: calculate the edit distance between the historical frequent subgraph and the matching subgraph.
In one implementation, the edit distance between the historical frequent subgraph and the matching subgraph can be calculated with the following formula: Σ[insert(S|I) + delete(S|I) + modify(S|I)], where S is the matching subgraph and I is the historical frequent subgraph. insert(S|I) is the number of insert operations needed to change I into S, delete(S|I) is the number of delete operations needed to change I into S, and modify(S|I) is the number of modify operations needed to change I into S. The insert, delete and modify operations can be operations on nodes and/or edges.
As an example, assume the historical frequent subgraph I is the subgraph I1 above and the matching subgraph S is:
{
A:[B,D]
B:[D]
D:[]
}
Comparing I1 with S shows that changing I1 into S requires 3 modify operations. By the formula above, the edit distance between I1 and S is: modify(S|I1) = 3.
Of course, in practice the edit distance formula can also take other forms, for example assigning different weights to the operation counts of the different operations. This specification does not limit this.
Note also that the operation path R can be recorded while the edit distance is calculated. In the example above, the node or edge changed by each of the 3 modify operations can be recorded in order.
Step B: calculate the target distance from the edit distance and the numbers of nodes and edges of the historical frequent subgraph; or calculate the target distance from the edit distance and the numbers of nodes and edges of the matching subgraph.
In one implementation, the formula for the target distance can be: MatchScore(S|I) = Σ[insert(S|I) + modify(S|I) + delete(S|I)] / Max(Node_Size(S) + Edge_Size(S), Node_Size(I) + Edge_Size(I)), where MatchScore is the target distance, Node_Size is the number of nodes and Edge_Size is the number of edges.
It can be understood that the target distance calculated by the formula above lies between 0 and 1.
Note that in practice the target distance formula may also be transformed equivalently, for example by adding a constant or taking the reciprocal. This specification does not limit this.
Step 440: identify, according to the target distance, whether the matching subgraph is an abnormal subgraph.
Here, whether each matching subgraph is an abnormal subgraph can be identified from the target distance corresponding to that matching subgraph.
In one implementation, a matching threshold Tm can be preset. Note that, given enough steps, I can always be changed into S. The purpose of setting Tm is to limit this change process to a certain number of steps.
After Tm is set, a corresponding preset interval, for example [0, Tm], can be set according to Tm. Specifically, when the target distance falls within [0, Tm], the matching subgraph can be identified as an abnormal subgraph.
It can be understood that when the historical frequent subgraph set contains multiple historical frequent subgraphs, steps 420 to 440 can be repeated until an abnormal subgraph is recognized or the matching subgraphs corresponding to all historical frequent subgraphs have been identified.
Step 450: if it is an abnormal subgraph, determine from the abnormal subgraph the abnormal call relationships among the call relationships between the application systems at the current moment.
Optionally, to improve the accuracy of anomaly detection, when multiple abnormal subgraphs are recognized, that is, when the target distances between a historical frequent subgraph and several of its matching subgraphs all fall within [0, Tm], a target abnormal subgraph can be chosen from the multiple abnormal subgraphs. The abnormal call relationships among the call relationships between the application systems at the current moment are then determined from the target abnormal subgraph.
In one example, the selection condition for the target abnormal subgraph can be: the number of edit operations needed to change the historical frequent subgraph into the target abnormal subgraph is the smallest.
Note that the abnormal subgraphs recognized by the embodiments of this specification can include the following types:
a. An unexpected node is present in the subgraph.
b. An unexpected edge is present in the subgraph.
c. The attributes of a node do not match expectations.
d. The attributes of an edge do not match expectations.
e. An expected node has disappeared.
f. An expected edge has disappeared.
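An added example (not code from the patent or its applicant) of steps 420 to 450 on the {node: [edges]} form used above: it enumerates candidate subgraphs with the same node count as I1, computes the edit path R and MatchScore for each, and ranks those inside the interval by fewest edits. Assumptions of this example: the edit-counting convention (chosen so that the I1 and S pair above costs 3 modify operations), brute-force search over node mappings, induced subgraphs as candidates, a score of exactly 0 treated as normal, and the constructed CURRENT graph and Tm = 0.5.

```python
from itertools import combinations, permutations

# Historical frequent subgraph I1 and matching subgraph S from the text above.
I1 = {"A": ["B", "C"], "B": ["C"], "C": []}
S = {"A": ["B", "D"], "B": ["D"], "D": []}
# Constructed current-moment call graph (sample data, not from the patent).
CURRENT = {"A": ["B", "C", "D"], "B": ["D"], "C": [], "D": []}


def edges(g):
    """Directed edge set of a {node: [successors]} call graph."""
    return {(u, v) for u, succ in g.items() for v in succ}


def edit_ops(hist, match):
    """Cheapest recorded edit path R that turns hist (I) into match (S).

    Assumed counting: a renamed node is one modify; an edge that survives but
    has a renamed endpoint is one modify; any other edge is a delete or insert.
    """
    h_nodes, m_nodes = sorted(hist), sorted(match)
    if len(h_nodes) != len(m_nodes):
        raise ValueError("matching rule requires equal node counts")
    h_edges, m_edges = edges(hist), edges(match)
    best = None
    for perm in permutations(m_nodes):  # every node-to-node mapping
        mapping = dict(zip(h_nodes, perm))
        ops = [("modify", "node", a, b) for a, b in mapping.items() if a != b]
        mapped = {(mapping[u], mapping[v]): (u, v) for u, v in h_edges}
        for tgt, src in sorted(mapped.items()):
            if tgt not in m_edges:
                ops.append(("delete", "edge", src, None))
            elif tgt != src:
                ops.append(("modify", "edge", src, tgt))
        ops += [("insert", "edge", None, e)
                for e in sorted(m_edges - set(mapped))]
        if best is None or len(ops) < len(best):
            best = ops
    return best


def match_score(hist, match):
    """MatchScore(S|I): edit count over the larger node-plus-edge size."""
    ops = edit_ops(hist, match)
    size = lambda g: len(g) + len(edges(g))
    return len(ops) / max(size(match), size(hist)), ops


def find_abnormal(current, hist, tm):
    """Rank same-size induced subgraphs of current whose score is in (0, tm]."""
    flagged = []
    for nodes in combinations(sorted(current), len(hist)):
        keep = set(nodes)
        sub = {n: [v for v in current[n] if v in keep] for n in nodes}
        score, ops = match_score(hist, sub)
        if 0 < score <= tm:  # assumption: an exact match (0 edits) is normal
            flagged.append((len(ops), score, nodes, ops))
    # Fewest edits first: the first entry is the target abnormal subgraph.
    return sorted(flagged, key=lambda f: (f[0], f[2]))


if __name__ == "__main__":
    print(match_score(I1, S))
    for n_ops, score, nodes, ops in find_abnormal(CURRENT, I1, tm=0.5):
        print(nodes, round(score, 3), ops)
```

The recorded path for the top-ranked subgraph is a single deleted edge B to C, which corresponds to type f in the list above.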
Note that after the abnormal subgraphs have been identified, the following alert condition can also be evaluated. Count the abnormal subgraph ratio at the current moment, and count the abnormal subgraph ratio at each historical moment within a preset time period (for example, 30 minutes). The abnormal subgraph ratio here is the ratio of the number of abnormal subgraphs at a given moment to the number of all subgraphs (abnormal and normal). From the abnormal subgraph ratio at the current moment and the abnormal subgraph ratios at the historical moments, calculate an anomaly score. In one example, the formula for the anomaly score can be: Zscore = (x - μ)/σ, where Zscore is the anomaly score, x is the abnormal subgraph ratio at the current moment, μ is the mean of the abnormal subgraph ratios at the historical moments, and σ is the variance of the abnormal subgraph ratios at the historical moments. If the anomaly score is greater than a preset value (for example, 3), the alert condition is judged to be met and an anomaly alarm is raised.
In summary, the scheme provided by the embodiments of this specification can not only identify abnormal subgraphs but also obtain the anomaly score and the cause of the anomaly (determined from the recorded operation path R). In practice these are all much needed for accurately identifying and quickly locating the faults that occur.
In addition, by identifying the abnormal subgraphs in the call graph, system call anomalies can be detected accurately and efficiently.
Corresponding to the system call anomaly detection method above, one embodiment of this specification also provides a system call anomaly detection device. As shown in Fig. 5, the device includes:
A generation unit 501, configured to generate a corresponding call graph according to the call relationships between the application systems at the current moment.
An acquiring unit 502, configured to obtain, according to a predefined matching rule, the matching subgraphs of a historical frequent subgraph in the historical frequent subgraph set from the call graph generated by the generation unit 501. The historical frequent subgraph is determined from the call graphs corresponding to the call relationships between the application systems at past moments, and a historical frequent subgraph is a subgraph whose number of occurrences reaches a preset number.
A computing unit 503, configured to calculate the target distance between the historical frequent subgraph and the matching subgraph obtained by the acquiring unit 502.
The computing unit 503 can specifically be configured to:
Calculate the edit distance between the historical frequent subgraph and the matching subgraph, where the edit distance is determined from the number of edit operations needed to change the historical frequent subgraph into the matching subgraph.
Calculate the target distance from the edit distance and the numbers of nodes and edges of the historical frequent subgraph; or
Calculate the target distance from the edit distance and the numbers of nodes and edges of the matching subgraph.
A recognition unit 504, configured to identify, according to the target distance calculated by the computing unit 503, whether the matching subgraph is an abnormal subgraph.
The recognition unit 504 can specifically be configured to:
Judge whether the target distance is within a preset interval.
If it is, identify the matching subgraph as an abnormal subgraph.
A determination unit 505, configured to determine from the abnormal subgraph, if the recognition unit 504 identifies an abnormal subgraph, the abnormal call relationships among the call relationships between the application systems at the current moment.
Optionally, the acquiring unit 502 is further configured to:
Obtain the N call graphs corresponding to the call relationships between the application systems at N past moments.
For each of the N call graphs, mine from the call graph, using the gSpan subgraph mining algorithm, at least one subgraph whose number of occurrences reaches the preset number.
Screen historical frequent subgraphs from the at least one subgraph to obtain the historical frequent subgraphs corresponding to the call graph.
The historical frequent subgraphs corresponding to the N call graphs constitute the historical frequent subgraph set.
The acquiring unit 502 can specifically be configured to:
Remove from the at least one subgraph the subgraphs that are contained in another subgraph, obtaining at least one candidate subgraph.
Calculate the target length of the at least one candidate subgraph, where the target length is determined from the number of occurrences and the number of nodes of the candidate subgraph.
According to the target length, screen historical frequent subgraphs from the at least one candidate subgraph.
Optionally, the device can also include:
A statistic unit 506, configured to count the abnormal subgraph ratio at the current moment and the abnormal subgraph ratio at each historical moment within a preset time period.
The computing unit 503 is further configured to calculate an anomaly score from the abnormal subgraph ratio at the current moment and the abnormal subgraph ratios at the historical moments counted by the statistic unit 506.
An alarm unit 507, configured to raise an anomaly alarm if the anomaly score calculated by the computing unit 503 is greater than a preset value.
The functions of the functional modules of the device in the above embodiment can be implemented through the steps of the method embodiment above; the specific working process of the device provided by one embodiment of this specification is therefore not described again here.
In the system call anomaly detection device provided by one embodiment of this specification, the generation unit 501 generates a corresponding call graph according to the call relationships between the application systems at the current moment. The acquiring unit 502 obtains from the call graph, according to a predefined matching rule, the matching subgraphs of a historical frequent subgraph in the historical frequent subgraph set. The computing unit 503 calculates the target distance between the historical frequent subgraph and the matching subgraph. The recognition unit 504 identifies, according to the target distance, whether the matching subgraph is an abnormal subgraph. If it is an abnormal subgraph, the determination unit 505 determines from the abnormal subgraph the abnormal call relationships among the call relationships between the application systems at the current moment. System call anomalies can thus be detected accurately and efficiently.
Those skilled in the art will appreciate that, in one or more of the examples above, the functions described in this specification can be implemented in hardware, software, firmware or any combination of them. When implemented in software, these functions can be stored in a computer-readable medium or transmitted as one or more instructions or code on a computer-readable medium.
The specific implementations described above further explain the purpose, technical solutions and beneficial effects of this specification in detail. It should be understood that the foregoing is only the specific implementations of this specification and is not intended to limit its scope of protection; any modification, equivalent replacement or improvement made on the basis of the technical solutions of this specification shall fall within the scope of protection of this specification.

Claims (12)

1. a kind of system calls method for detecting abnormality, which is characterized in that including:
According to the call relation between current time application system, corresponding call graph is generated;
According to predefined matching rule, the history Frequent tree mining in history Frequent tree mining set is obtained from the call graph Matching sub-image;The history Frequent tree mining is according to the corresponding calling of call relation between application system described in last time What relational graph determined, the history Frequent tree mining refers to the subgraph that occurrence number reaches preset times;
Calculate the target range between the history Frequent tree mining and the Matching sub-image;
According to the target range, identify whether the Matching sub-image is abnormal subgraph;
If it is abnormal subgraph, then according to the abnormal subgraph, determine in the call relation between current time application system Exception call relationship.
2. according to the method described in claim 1, it is characterized in that, further including:Obtain the step of the history Frequent tree mining set Suddenly, including:
Obtain the corresponding N number of call graph of call relation between application system described in N number of moment in the past;
Each call graph in N number of call graph is closed according to gSpan subgraph mining algorithms from the calling It is at least one subgraph for excavating occurrence number in figure and reaching the preset times;
History Frequent tree mining is screened from least one subgraph;To obtain history frequency corresponding with the call graph Numerous subgraph;
With N number of call graph corresponding history Frequent tree mining composition history Frequent tree mining set.
3. according to the method described in claim 2, it is characterized in that, the screening history from least one subgraph is frequent Subgraph, including:
Removal has by the subgraph of inclusion relation from least one subgraph, obtains at least one subgraph to be selected;
Calculate the target length of at least one subgraph to be selected;The target length is to go out occurrence according to the subgraph to be selected What number and number of nodes determined;
According to the target length, history Frequent tree mining is screened from least one subgraph to be selected.
4. according to the method described in claim 1, it is characterized in that, the calculating history Frequent tree mining matches son with described Target range between figure, including:
Calculate the editing distance between the history Frequent tree mining and the Matching sub-image;The editing distance is according to will be described The variation of history Frequent tree mining is that the number of operations of the edit operation needed for the Matching sub-image determines;
The number of nodes and number of edges for being included according to the editing distance, the history Frequent tree mining, calculate the target range; Alternatively,
The number of nodes and number of edges for being included according to the editing distance, the Matching sub-image, calculate the target range.
5. The method according to claim 1, characterized in that the identifying, according to the target distance, of whether the matching subgraph is an abnormal subgraph comprises:
Judging whether the target distance is within a preset interval;
If so, identifying the matching subgraph as an abnormal subgraph.
6. The method according to any one of claims 1-5, characterized by further comprising:
Counting the abnormal subgraph proportion at the current moment, and counting the abnormal subgraph proportion at each historical moment within a preset time period;
Calculating an anomaly score according to the abnormal subgraph proportion at the current moment and the abnormal subgraph proportion at each historical moment;
If the anomaly score is greater than a preset score, raising an anomaly alarm.
7. A system call anomaly detection device, characterized by comprising:
A generation unit, configured to generate a corresponding call graph according to the call relationships between application systems at the current moment;
An acquiring unit, configured to obtain, according to a predefined matching rule and from the call graph generated by the generation unit, the matching subgraph of a historical frequent subgraph in a historical frequent subgraph set; the historical frequent subgraph is determined according to the call graph corresponding to the call relationships between the application systems at a past moment, and a historical frequent subgraph is a subgraph whose number of occurrences reaches a preset number;
A computing unit, configured to calculate the target distance between the historical frequent subgraph and the matching subgraph obtained by the acquiring unit;
A recognition unit, configured to identify, according to the target distance calculated by the computing unit, whether the matching subgraph is an abnormal subgraph;
A determination unit, configured to determine, if the recognition unit identifies an abnormal subgraph, the abnormal call relationships among the call relationships between application systems at the current moment according to the abnormal subgraph.
8. The device according to claim 7, characterized in that
The acquiring unit is further configured to:
Obtain the N call graphs corresponding to the call relationships between the application systems at N past moments;
For each of the N call graphs, mine from the call graph, according to the gSpan subgraph mining algorithm, at least one subgraph whose number of occurrences reaches the preset number;
Screen historical frequent subgraphs from the at least one subgraph, to obtain the historical frequent subgraphs corresponding to the call graph;
Form the historical frequent subgraph set from the historical frequent subgraphs corresponding to the N call graphs.
9. The device according to claim 8, characterized in that the acquiring unit is specifically configured to:
Remove, from the at least one subgraph, any subgraph that is contained in another subgraph, to obtain at least one candidate subgraph;
Calculate the target length of the at least one candidate subgraph; the target length is determined according to the number of occurrences and the number of nodes of the candidate subgraph;
Screen historical frequent subgraphs from the at least one candidate subgraph according to the target length.
10. The device according to claim 7, characterized in that the computing unit is specifically configured to:
Calculate the edit distance between the historical frequent subgraph and the matching subgraph; the edit distance is determined according to the number of edit operations required to transform the historical frequent subgraph into the matching subgraph;
Calculate the target distance according to the edit distance and the number of nodes and number of edges contained in the historical frequent subgraph; or,
Calculate the target distance according to the edit distance and the number of nodes and number of edges contained in the matching subgraph.
11. The device according to claim 7, characterized in that the recognition unit is specifically configured to:
Judge whether the target distance is within a preset interval;
If so, identify the matching subgraph as an abnormal subgraph.
12. The device according to any one of claims 7-11, characterized by further comprising:
A statistic unit, configured to count the abnormal subgraph proportion at the current moment, and to count the abnormal subgraph proportion at each historical moment within a preset time period;
The computing unit is further configured to calculate an anomaly score according to the abnormal subgraph proportion at the current moment counted by the statistic unit and the abnormal subgraph proportion at each historical moment;
An alarm unit, configured to raise an anomaly alarm if the anomaly score calculated by the computing unit is greater than a preset score.
CN201810551048.XA 2018-05-31 2018-05-31 System call abnormity detection method and device Active CN108762908B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810551048.XA CN108762908B (en) 2018-05-31 2018-05-31 System call abnormity detection method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810551048.XA CN108762908B (en) 2018-05-31 2018-05-31 System call abnormity detection method and device

Publications (2)

Publication Number Publication Date
CN108762908A true CN108762908A (en) 2018-11-06
CN108762908B CN108762908B (en) 2021-12-07

Family

ID=64001227

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810551048.XA Active CN108762908B (en) 2018-05-31 2018-05-31 System call abnormity detection method and device

Country Status (1)

Country Link
CN (1) CN108762908B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109933452A (en) * 2019-03-22 2019-06-25 中国科学院软件研究所 A kind of micro services intelligent monitoring method towards anomalous propagation
CN111640005A (en) * 2020-05-28 2020-09-08 深圳壹账通智能科技有限公司 Data analysis method and device, computer equipment and storage medium
CN112532408A (en) * 2019-09-17 2021-03-19 华为技术有限公司 Method, device and storage medium for extracting fault propagation conditions

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050044073A1 (en) * 2003-08-18 2005-02-24 International Business Machines Corporation Frequent pattern mining apparatus, frequent pattern mining method, and program and recording medium therefor
CN101976313A (en) * 2010-09-19 2011-02-16 四川大学 Frequent subgraph mining based abnormal intrusion detection method
CN104102580A (en) * 2014-07-10 2014-10-15 西安交通大学 Graph-mining-based electronic tax system software fault location method
CN104536882A (en) * 2014-11-28 2015-04-22 南京大学 Error locating method based on frequent sub-graph mining
CN106682514A (en) * 2016-12-15 2017-05-17 哈尔滨工程大学 System call sequence characteristic mode set generation method based on subgraph mining
CN107666468A (en) * 2016-07-29 2018-02-06 中国电信股份有限公司 network security detection method and device
CN107992426A (en) * 2017-12-26 2018-05-04 河南工业大学 A kind of software error localization method excavated based on Frequent tree mining and processing unit

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050044073A1 (en) * 2003-08-18 2005-02-24 International Business Machines Corporation Frequent pattern mining apparatus, frequent pattern mining method, and program and recording medium therefor
CN101976313A (en) * 2010-09-19 2011-02-16 四川大学 Frequent subgraph mining based abnormal intrusion detection method
CN104102580A (en) * 2014-07-10 2014-10-15 西安交通大学 Graph-mining-based electronic tax system software fault location method
CN104536882A (en) * 2014-11-28 2015-04-22 南京大学 Error locating method based on frequent sub-graph mining
CN107666468A (en) * 2016-07-29 2018-02-06 中国电信股份有限公司 network security detection method and device
CN106682514A (en) * 2016-12-15 2017-05-17 哈尔滨工程大学 System call sequence characteristic mode set generation method based on subgraph mining
CN107992426A (en) * 2017-12-26 2018-05-04 河南工业大学 A kind of software error localization method excavated based on Frequent tree mining and processing unit

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109933452A (en) * 2019-03-22 2019-06-25 中国科学院软件研究所 A kind of micro services intelligent monitoring method towards anomalous propagation
CN109933452B (en) * 2019-03-22 2020-06-19 中国科学院软件研究所 Micro-service intelligent monitoring method facing abnormal propagation
CN112532408A (en) * 2019-09-17 2021-03-19 华为技术有限公司 Method, device and storage medium for extracting fault propagation conditions
CN112532408B (en) * 2019-09-17 2022-05-24 华为技术有限公司 Method, device and storage medium for extracting fault propagation condition
CN111640005A (en) * 2020-05-28 2020-09-08 深圳壹账通智能科技有限公司 Data analysis method and device, computer equipment and storage medium

Also Published As

Publication number Publication date
CN108762908B (en) 2021-12-07

Similar Documents

Publication Publication Date Title
CN110378487B (en) Method, device, equipment and medium for verifying model parameters in horizontal federal learning
CN108762908A (en) System calls method for detecting abnormality and device
CN107871190B (en) Service index monitoring method and device
CN107133265B (en) Method and device for identifying user with abnormal behavior
CN108960174A (en) A kind of object detection results optimization method and device
CN105208040A (en) Network attack detection method and device
US8140911B2 (en) Dynamic software tracing
CN101726357A (en) Smoke detecting apparatus
CN105468755A (en) Video screening and storing method and device
CN105843947A (en) Abnormal behavior detection method and system based on big-data association rule mining
CN106570478A (en) Object loss determine method and device in visual tracking
CN105468508B (en) code detection method and device
CN113572719B (en) Domain name detection method, device, equipment and readable storage medium
CN111160187B (en) Method, device and system for detecting left-behind object
CN109255360A (en) A kind of objective classification method, apparatus and system
CN112738003B (en) Malicious address management method and device
CN105825130A (en) Information security early-warning method and device
CN110704773A (en) Abnormal behavior detection method and system based on frequent behavior sequence mode
CN105930258B (en) A kind of method and device of parameter filtering
CN108229586B (en) The detection method and system of a kind of exceptional data point in data
CN115167846B (en) Recommendation method of downstream operator, electronic device and computer-readable storage medium
CN102982282A (en) Program bug detection system and method
CN116067359A (en) Low-precision track data processing method and system based on delaunay triangle network
CN113190715B (en) Ecological environment intelligent monitoring alarm analysis method and system
CN107292137B (en) Method and device for determining object to be unlocked

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20200924

Address after: Cayman Enterprise Centre, 27 Hospital Road, George Town, Grand Cayman Islands

Applicant after: Innovative advanced technology Co.,Ltd.

Address before: Cayman Enterprise Centre, 27 Hospital Road, George Town, Grand Cayman Islands

Applicant before: Advanced innovation technology Co.,Ltd.

Effective date of registration: 20200924

Address after: Cayman Enterprise Centre, 27 Hospital Road, George Town, Grand Cayman Islands

Applicant after: Advanced innovation technology Co.,Ltd.

Address before: A four-storey 847 mailbox in Grand Cayman Capital Building, British Cayman Islands

Applicant before: Alibaba Group Holding Ltd.

GR01 Patent grant