CN110175083A - The monitoring method and device of operating system - Google Patents
The monitoring method and device of operating system Download PDFInfo
- Publication number
- CN110175083A CN110175083A CN201910301822.6A CN201910301822A CN110175083A CN 110175083 A CN110175083 A CN 110175083A CN 201910301822 A CN201910301822 A CN 201910301822A CN 110175083 A CN110175083 A CN 110175083A
- Authority
- CN
- China
- Prior art keywords
- parameter
- command
- instruction information
- monitoring data
- order
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000012544 monitoring process Methods 0.000 title claims abstract description 68
- 238000000034 method Methods 0.000 title claims abstract description 44
- 238000012502 risk assessment Methods 0.000 claims abstract description 30
- 238000013507 mapping Methods 0.000 claims abstract description 10
- 230000015654 memory Effects 0.000 claims description 19
- 238000004891 communication Methods 0.000 claims description 12
- 238000012549 training Methods 0.000 claims description 12
- 238000012806 monitoring device Methods 0.000 claims description 11
- 238000004590 computer program Methods 0.000 claims description 7
- 238000012545 processing Methods 0.000 description 8
- 230000006870 function Effects 0.000 description 7
- 241000208340 Araliaceae Species 0.000 description 6
- 235000005035 Panax pseudoginseng ssp. pseudoginseng Nutrition 0.000 description 6
- 235000003140 Panax quinquefolius Nutrition 0.000 description 6
- 235000008434 ginseng Nutrition 0.000 description 6
- 238000004458 analytical method Methods 0.000 description 5
- 238000004422 calculation algorithm Methods 0.000 description 5
- 238000013528 artificial neural network Methods 0.000 description 4
- 230000006399 behavior Effects 0.000 description 4
- 238000005314 correlation function Methods 0.000 description 4
- 238000010586 diagram Methods 0.000 description 4
- 238000013527 convolutional neural network Methods 0.000 description 3
- 238000010168 coupling process Methods 0.000 description 3
- 238000005859 coupling reaction Methods 0.000 description 3
- 230000002457 bidirectional effect Effects 0.000 description 2
- 230000005540 biological transmission Effects 0.000 description 2
- 210000004027 cell Anatomy 0.000 description 2
- 230000008878 coupling Effects 0.000 description 2
- 238000013461 design Methods 0.000 description 2
- 238000005516 engineering process Methods 0.000 description 2
- 238000011156 evaluation Methods 0.000 description 2
- 230000008569 process Effects 0.000 description 2
- 230000000306 recurrent effect Effects 0.000 description 2
- 230000005856 abnormality Effects 0.000 description 1
- 238000004364 calculation method Methods 0.000 description 1
- 230000008859 change Effects 0.000 description 1
- 230000001419 dependent effect Effects 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 230000005611 electricity Effects 0.000 description 1
- 230000001771 impaired effect Effects 0.000 description 1
- 230000007787 long-term memory Effects 0.000 description 1
- 210000005036 nerve Anatomy 0.000 description 1
- 210000002569 neuron Anatomy 0.000 description 1
- 238000005192 partition Methods 0.000 description 1
- 238000000926 separation method Methods 0.000 description 1
- 230000006403 short-term memory Effects 0.000 description 1
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/004—Error avoidance
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/008—Reliability or availability analysis
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/30—Monitoring
- G06F11/3003—Monitoring arrangements specially adapted to the computing system or computing system component being monitored
- G06F11/302—Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system component is a software system
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Quality & Reliability (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Computing Systems (AREA)
- Mathematical Physics (AREA)
- Debugging And Monitoring (AREA)
- Alarm Systems (AREA)
Abstract
This application provides a kind of monitoring method of operating system and devices, this method comprises: obtaining the monitoring data of user, which includes the command object that the user executes in the operating system and the parameter of the command object;According to the monitoring data, the command vector of the command object is determined, which includes order instruction information and parameter indicates that information, order instruction information are used to indicate the command object, and parameter instruction information is used to indicate the parameter type of the parameter;According to the command vector and risk analysis model, the risk class of the command object is determined, which is used to indicate the mapping relations between the command vector and the risk class, which includes risky operation or not dangerous operation.Using the monitoring method and device of operating system provided by the present application, the risk class for the order that user executes on an operating system can recognize that, be conducive to the safety for improving operating system.
Description
Technical field
This application involves intelligent decision fields, and more particularly, to the monitoring of operating system in intelligent decision field
Method and apparatus.
Background technique
With the continuous development of information technology, the more tired challenge brought by the system safety of operating system the severeer.In time
It notes abnormalities and logs in the risky operation of execution, it is impaired safely to can be avoided system.
The login log of user on an operating system is usually recorded by way of fort machine in the industry, but can not be mentioned
For the analysis based on this part of log.That is, existing method can not analyze which operation can generate safely prestige to system
The side of body, and safeguard measure is taken to operating system in time.
Therefore, lack effective monitoring currently for the sensitive instructions that user executes on an operating system.
Summary of the invention
The application provides the monitoring method and device of a kind of operating system, can recognize that user executes on an operating system
Order risk class, be conducive to improve operating system safety.
To achieve the above object, the application provides a kind of monitoring method of operating system, including the following contents:
The monitoring data of user is obtained, the monitoring data includes the target that the user executes in the operating system
The parameter of order and the command object;
According to the monitoring data, determine that the command vector of the command object, the command vector include order instruction
Information and parameter indicate that information, the order instruction information are used to indicate the command object, and the parameter instruction information is used for
Indicate the parameter type of the parameter;
According to the command vector and risk analysis model, the risk class of the command object, the risk point are determined
Analysis model is used to indicate the mapping relations between the command vector and the risk class, and the risk class includes dangerous behaviour
Work or not dangerous operation.
In one possible implementation, according to the monitoring data, command vector is determined, comprising: according to the ginseng
The total degree that number occurs in the monitoring data determines that the parameter type of the parameter, the parameter type include high frequency ginseng
Several or low-frequency parameter;According to the parameter type, the parameter instruction information is determined.
In one possible implementation, the total degree occurred in the monitoring data according to the parameter determines
The parameter type of the parameter, comprising: when the number that the parameter occurs in the monitoring data is greater than or equal to default time
When number, determine that the parameter is high-frequency parameter;Or the number occurred in the monitoring data when the parameter be less than it is described pre-
If when number, determining that the parameter is low-frequency parameter.
In one possible implementation, according to the parameter type, the parameter instruction information is determined, comprising: when
When the parameter is high-frequency parameter, determine that the parameter instruction information is the mark of the parameter;Or when the parameter is low frequency
When parameter, determine that the parameter instruction information is first identifier, the first identifier is for identifying all low-frequency parameters.
In one possible implementation, according to the monitoring data, command vector is determined, comprising: according to the ginseng
Several importance determines that the parameter type of the parameter, the parameter type include key parameter or non-key parameter;According to institute
Parameter type is stated, determines the parameter instruction information.
In one possible implementation, it according to the importance of the parameter, determines the parameter type of the parameter, wraps
It includes: when the severity level of the parameter is greater than or equal to pre-set level, determining that the parameter is key parameter;Or work as the ginseng
When several severity levels is less than the pre-set level, determine that the parameter is non-key parameter.
In one possible implementation, according to the parameter type, the parameter instruction information is determined, comprising: when
When the parameter is key parameter, determine that the parameter instruction information is the mark of the parameter;Or when the parameter is non-pass
When bond parameter, determine that the parameter instruction information is first identifier, the first identifier is for identifying all non-key parameters.
In one possible implementation, according to the command vector and risk analysis model, the target is determined
Before the risk class of order, the method also includes: it obtains every in multiple orders that user executes in the operating system
The risk class of the command vector of a order and each order;By the command vector of each order and each life
The risk class of order is input in LSTM network, and training obtains the risk analysis model.
To achieve the above object, the application also provides a kind of monitoring device of operating system, which specifically includes:
Acquiring unit, for obtaining the monitoring data of user, the monitoring data includes that the user is in the operation
The parameter of the command object and the command object that are executed on system;
Determination unit, for determining the command vector of the command object, the command vector according to the monitoring data
Indicate that information, the order instruction information are used to indicate the command object, the parameter including order instruction information and parameter
Indicate that information is used to indicate the parameter type of the parameter;According to the command vector and risk analysis model, the mesh is determined
The risk class of order is marked, the risk analysis model is used to indicate the mapping between the command vector and the risk class
Relationship, the risk class include risky operation or not dangerous operation.
In one possible implementation, the determination unit is specifically used for according to the parameter in the monitoring data
The total degree of middle appearance determines that the parameter type of the parameter, the parameter type include high-frequency parameter or low-frequency parameter;According to
The parameter type determines the parameter instruction information.
In one possible implementation, the determination unit is specifically used for when the parameter is in the monitoring data
When the number of appearance is greater than or equal to preset times, determine that the parameter is high-frequency parameter;Or when the parameter is in the monitoring
When the number occurred in data is less than the preset times, determine that the parameter is low-frequency parameter.
In one possible implementation, the determination unit is specifically used for when the parameter is high-frequency parameter, really
The fixed parameter instruction information is the mark of the parameter;Or when the parameter is low-frequency parameter, the parameter instruction is determined
Information is first identifier, and the first identifier is for identifying all low-frequency parameters.
In one possible implementation, the determination unit is specifically used for the importance according to the parameter, determines
The parameter type of the parameter, the parameter type include key parameter or non-key parameter;According to the parameter type, determine
The parameter indicates information.
In one possible implementation, the determination unit be specifically used for when the parameter severity level be greater than or
When equal to pre-set level, determine that the parameter is key parameter;Or when the severity level of the parameter is less than the pre-set level
When, determine that the parameter is non-key parameter.
In one possible implementation, the determination unit is specifically used for when the parameter is key parameter, really
The fixed parameter instruction information is the mark of the parameter;Or when the parameter is non-key parameter, determine that the parameter refers to
Show that information is first identifier, the first identifier is for identifying all non-key parameters.
In one possible implementation, described device further includes training unit, and the acquiring unit is also used in root
According to the command vector and risk analysis model, before the risk class for determining the command object, user is obtained in the behaviour
Make the risk class of the command vector of each order and each order in the multiple orders executed in system;The training is single
Member is used to for the risk class of the command vector of each order and each order being input in LSTM network, trained
To the risk analysis model.
To achieve the above object, the application also provides a kind of computer equipment, including memory, processor, communication interface
And it is stored in the computer program that can be run on the memory and on the processor, wherein the memory, described
It is communicated with each other between processor and the communication interface by internal connecting path, the processor executes the computer journey
The following steps of the above method are realized when sequence:
The monitoring data of user is obtained, the monitoring data includes the target that the user executes in the operating system
The parameter of order and the command object;
According to the monitoring data, determine that the command vector of the command object, the command vector include order instruction
Information and parameter indicate that information, the order instruction information are used to indicate the command object, and the parameter instruction information is used for
Indicate the parameter type of the parameter;
According to the command vector and risk analysis model, the risk class of the command object, the risk point are determined
Analysis model is used to indicate the mapping relations between the command vector and the risk class, and the risk class includes dangerous behaviour
Work or not dangerous operation.
To achieve the above object, the application also provides computer readable storage medium, is stored thereon with computer program, institute
State the following steps that the above method is realized when computer program is executed by processor:
The monitoring data of user is obtained, the monitoring data includes the target that the user executes in the operating system
The parameter of order and the command object;
According to the monitoring data, determine that the command vector of the command object, the command vector include order instruction
Information and parameter indicate that information, the order instruction information are used to indicate the command object, and the parameter instruction information is used for
Indicate the parameter type of the parameter;
According to the command vector and risk analysis model, the risk class of the command object, the risk point are determined
Analysis model is used to indicate the mapping relations between the command vector and the risk class, and the risk class includes dangerous behaviour
Work or not dangerous operation.
Using the monitoring method of operating system provided by the present application, device, computer equipment and computer-readable storage medium
Matter, can recognize that the risk class for the order that user executes on an operating system, to improve the safety of operating system.
Detailed description of the invention
Fig. 1 is the schematic flow chart of the monitoring method of operating system provided by the embodiments of the present application;
Fig. 2 is the schematic flow chart of the monitoring method of another operating system provided by the embodiments of the present application;
Fig. 3 is the schematic block diagram of the monitoring device of operating system provided by the embodiments of the present application;
Fig. 4 is the monitoring device schematic block diagram of another operating system provided by the embodiments of the present application.
Specific embodiment
It is with reference to the accompanying drawings and embodiments, right in order to which the objects, technical solutions and advantages of the application are more clearly understood
The application is further elaborated.It should be appreciated that specific embodiment described herein is only to explain the application, not
For limiting the application.Based on the embodiment in the application, those of ordinary skill in the art are not before making creative work
Every other embodiment obtained is put, shall fall in the protection scope of this application.
Fig. 1 shows the schematic flow chart of the monitoring method 100 of operating system provided by the embodiments of the present application.Ying Li
Solution, this method 100 can be executed by the monitoring device of operating system.
Optionally, which can be computer, or can be the functional module in computer, and the application is implemented
Example is not construed as limiting this.
S110, obtains the monitoring data of user, and the monitoring data includes that the user executes in the operating system
Command object and the command object parameter.
Specifically, the user executes in the operating system in the monitoring device available preset period
The parameter of each order, at least one described order include that the target is ordered at least one order and at least one described order
It enables;The parameter of the command object and the command object is obtained from the monitoring data.
Optionally, which can any order in this at least one order.
Such as: within the preset period, which obtains the command list (CLIST) that user executes, as shown in Table 1,
The command list (CLIST) includes the parameter of all orders that user executes and each order.The monitoring device can be successively by the order
Each of list order is used as command object.
Command parameter
cd/home/wls81
ls/home/wls81
ls-trlah
vimy.cnf
service mysqld restart
…………
Table one
S120 determines that the command vector of the command object, the command vector include order according to the monitoring data
Indicate that information and parameter indicate that information, the order instruction information are used to indicate the command object, the parameter indicates information
It is used to indicate the parameter type of the parameter.
In one possible implementation, which can occur in the monitoring data according to the parameter
Total degree, determine that the parameter type of the parameter, the parameter type include high-frequency parameter or low-frequency parameter;According to the ginseng
Several classes of types determine the parameter instruction information.(including the case where at least one parameter in monitoring data)
Such as :/home/wls81 occurs 1100 times, and mysql.cnf occurs 1200 times, and mysqld restart occurs 1233
Secondary ,-trlah occurs 82 times.
It follows that frequency of occurrence arrange the first two be followed successively by mysqld restart and mysql.cnf, as high frequency is joined
Number;Frequency of occurrence is after the first two/home/wls81 and-trlah, as low-frequency parameter.
Optionally, when the number that the parameter occurs in the monitoring data is greater than or equal to preset times, the prison
Control device determines that the parameter is high-frequency parameter;Or the number occurred in the monitoring data when the parameter be less than it is described pre-
If when number, which determines that the parameter is low-frequency parameter.
Such as: mysqld restart occurs 1233 times, and mysql.cnf occurs 1200 times, and/home/wls81 occurs 1100
Secondary ,-trlah occurs 82 times, and preset times are 1200 times.
It follows that the number that mysqld restart and mysql.cnf occur is all larger than or is equal to preset times 1200
It is secondary, as high-frequency parameter;The number that/home/wls81 and-trlah occurs is respectively less than preset times 1200 times, and as low frequency is joined
Number.
In alternatively possible implementation, which can be according to the importance of the parameter, described in determination
The parameter type of parameter, the parameter type include key parameter or non-key parameter;According to the parameter type, determine described in
Parameter indicates information.
Such as: the severity level of mysql.cnf and mysqld restart is important ,/home/wls81 and-trlah
Severity level be it is inessential.
It follows that mysql.cnf and mysqld restart is key parameter ,/home/wls81 and-trlah are non-
Key parameter.
Optionally, when the severity level of the parameter is greater than or equal to pre-set level, which determines the ginseng
Number is key parameter;Or when the severity level of the parameter is less than the pre-set level, which determines the parameter
For non-key parameter.
Such as: the severity level that the severity level of mysqld restart is 4, mysql.cnf is 3 ,/home/wls81's
Severity level is 1, and the severity level of-trlah is 0, pre-set level 2.
It follows that the severity level of mysqld restart and mysql.cnf are all larger than or are equal to pre-set level 2, i.e.,
For key parameter;The severity level of/home/wls81 and-trlah is respectively less than pre-set level 2, as non-key parameter.
Optionally, according to the parameter type, the parameter instruction information is determined, it can be with are as follows: when the parameter is high frequency
When parameter or key parameter, which determines that the parameter instruction information is the mark of the parameter;Or work as the parameter
When for low-frequency parameter or non-key parameter, which determines that the parameter instruction information is first identifier, first mark
Know for identifying all low-frequency parameters or non-key parameter.
For example, mysql.cnf and mysqld restart is high-frequency parameter/key parameter ,/home/wls81 and-trlah
For low-frequency parameter/non-key parameter, wherein mysqld restart be identified as 1, mysql.cnf be identified as 2, the first mark
Knowing is 0, and first identifier is for identifying low-frequency parameter/non-key parameter.
It follows that the parameter instruction information that the parameter instruction information of mysqld restart is 1, mysql.cnf is 2,
The parameter instruction information of home/wls81 and-trlah is 0.
Optionally, the order instruction information in command vector is the mark of the command object.
Such as: the mark 1 of cd, ls be identified as 2, vi be identified as 3, service be identified as 4.
It follows that the order instruction information that the order instruction information that the order instruction information of cd is 1, ls is 2, vi is 3,
The order instruction information of service is 4.
In conclusion the available corresponding vector of every a line in mentioned order list, as shown in Table 2.
Command parameter vector
cd/home/wls81<1,0>
ls/home/wls81<2,0>
ls-trlah<2,0>
vimy.cnf<3,2>
service mysqld restart<4,1>
………………
Table two
S130 determines the risk class of the command object, the wind according to the command vector and risk analysis model
Dangerous analysis model is used to indicate the mapping relations between the command vector and the risk class, and the risk class includes danger
Danger operation or not dangerous operation.
Optionally, the method also includes: output risk class indicates information, and risk class instruction information is for referring to
Show the risk class of the command object.
For example, risky operation output 1, not dangerous operation output 0.
Optionally, risky operation may include quiescing or high-risk operation, and not dangerous operation may include normal operations
It is operated with low danger.
For example, normal operations: reading file;Low danger operation: written document;High-risk operation: shutdown;Quiescing: service is deleted
Operating system file on device.
In another example normal operations output 0, low danger operation output 1, high-risk operation output 2, quiescing output 3.
Optionally, the method also includes: when the command object is risky operation, it is logical to send alarm to staff
Know.
For example, being sent and being accused to staff by way of mail or short message when the command object is high-risk operation
Alert notice;When the command object is quiescing, alarm notification is sent to staff by phone or forbids executing institute
State command object.
Using the monitoring method of operating system provided by the present application, staff is notified in time, can effectively avoid system
Safety is on the hazard.
Optionally, before S130, the method also includes the training risk analysis models.
Specifically, the command vector of each order and institute in multiple orders that user executes in the operating system are obtained
State the risk class of each order;The risk class of the command vector of each order and each order is input to
In LSTM network, training obtains the risk analysis model.
It should be noted that the risk analysis model is for the command vector of each order in multiple orders and described every
The risk class of a order, by LSTM model algorithm one optimal models of training, this model belongs to the set of some function,
The output closest to actual result can be obtained according to input by being optimally represented under the criterion of some evaluation, be allowed to through this
The risk class for the order that the command vector of the order of input is mapped as accordingly exporting by risk analysis model.
Optionally, which can be based on a kind of or coding-decoded model frame, such as can be based on
LSTM model or can based on convolutional neural networks (convolutional neural networks, CNN), circulation nerve
Network (recurrent neural networks, RNN), bidirectional circulating neural network (Bidirectional recurrent
Neural networks, BiRNN), gating cycle neuron (gatedrecurrent units, GRU) model etc., the present invention
Embodiment is without being limited thereto.
It should be understood that LSTM (Long Short-Term Memory) is shot and long term memory network, it is a kind of time recurrence mind
Through network, it is suitable for being spaced and postpone relatively long critical event in processing and predicted time sequence.LSTM adds in the algorithm
" processor " judged whether information is useful is entered, the structure of this processor effect is referred to as cell.One cell works as
In be placed three fan doors, be called input gate respectively, forget door and out gate.One information enters in the network of LSTM, can
With according to rule to determine whether useful.The information for only meeting algorithm certification can just leave, and the information not being inconsistent then passes through forgetting
Door passes into silence.LSTM model uses the working principle of one-in-and-two-out, can solve to deposit for a long time in neural network under operation repeatedly
Big problem.
Fig. 2 shows the schematic flow charts of the monitoring method 200 of operating system provided by the embodiments of the present application.Ying Li
Solution, this method 200 can be executed by the monitoring device of operating system.
S210 obtains in multiple orders for executing on an operating system of user the command vector of each order and described each
The risk class of order, the command vector of each order include that the first order instruction information and the first parameter indicate information,
The first order instruction information is used to indicate each order, and the first parameter instruction information is used to indicate described each
The parameter type of the parameter of order, the risk class include risky operation or not dangerous operation.
The risk class of the command vector of each order and each order is input to LSTM network by S220
In, training obtains risk analysis model.
It should be noted that the risk analysis model is for the command vector of each order in multiple orders and described every
The risk class of a order, by LSTM model algorithm one optimal models of training, this model belongs to the set of some function,
The output closest to actual result can be obtained according to input by being optimally represented under the criterion of some evaluation, be allowed to through this
The risk class for the order that the command vector of the order of input is mapped as accordingly exporting by risk analysis model.
S230, obtains the monitoring data of user, and the monitoring data includes that the user executes in the operating system
Command object and the command object parameter.
S240 determines the command vector of the command object according to the monitoring data, the order of the command object to
Amount includes the second order instruction information and the second parameter indicates that information, the second order instruction information are used to indicate the target
Order, the second parameter instruction information are used to indicate the parameter type of the parameter.
S250 determines the command object according to the command vector of the command object and the risk analysis model
Risk class, the risk analysis model are used to indicate the mapping relations between the command vector and the risk class.
Optionally, the method also includes: output risk class indicates information, and risk class instruction information is for referring to
Show the risk class of the command object.
Optionally, the method also includes: when the command object is risky operation, it is logical to send alarm to staff
Know.
The monitoring method that operating system provided by the embodiments of the present application is described above in conjunction with Fig. 1 and Fig. 2, below in conjunction with
Fig. 3 and Fig. 4 introduces the monitoring device of operating system provided by the embodiments of the present application.
Fig. 3 shows the schematic block diagram of the monitoring device 300 of operating system provided by the embodiments of the present application.The device
300 include:
Acquiring unit 310, for obtaining the monitoring data of user, the monitoring data includes the user in the operation
The parameter of the command object and the command object that are executed in system;
Determination unit 320, for determining the command vector of the command object, the order according to the monitoring data
Vector includes order instruction information and parameter indicates information, and the order instruction information is used to indicate the command object, described
Parameter instruction information is used to indicate the parameter type of the parameter;According to the command vector and risk analysis model, institute is determined
The risk class of command object is stated, the risk analysis model is for indicating between the command vector and the risk class
Mapping relations, the risk class include risky operation or not dangerous operation.
Optionally, the determination unit is specifically used for the total degree occurred in the monitoring data according to the parameter,
Determine that the parameter type of the parameter, the parameter type include high-frequency parameter or low-frequency parameter;According to the parameter type, really
The fixed parameter indicates information.
Optionally, the number that the determination unit is specifically used for occurring in the monitoring data when the parameter be greater than or
When equal to preset times, determine that the parameter is high-frequency parameter;Or the number occurred in the monitoring data when the parameter
When less than the preset times, determine that the parameter is low-frequency parameter.
Optionally, the determination unit is specifically used for when the parameter is high-frequency parameter, determines the parameter instruction letter
Breath is the mark of the parameter;Or when the parameter is low-frequency parameter, determine that the parameter instruction information is first identifier, institute
First identifier is stated for identifying all low-frequency parameters.
Optionally, the determination unit is specifically used for the importance according to the parameter, determines the parameter class of the parameter
Type, the parameter type include key parameter or non-key parameter;According to the parameter type, the parameter instruction letter is determined
Breath.
Optionally, the determination unit is specifically used for when the severity level of the parameter is greater than or equal to pre-set level,
Determine that the parameter is key parameter;Or when the severity level of the parameter is less than the pre-set level, determine the parameter
For non-key parameter.
Optionally, the determination unit is specifically used for when the parameter is key parameter, determines the parameter instruction letter
Breath is the mark of the parameter;Or when the parameter is non-key parameter, determine that the parameter instruction information is first identifier,
The first identifier is for identifying all non-key parameters.
Optionally, described device further includes training unit, the acquiring unit be also used to according to the command vector and
Risk analysis model, before the risk class for determining the command object, obtain user executed in the operating system it is more
The risk class of the command vector of each order and each order in a order;The training unit is used for will be described each
The command vector of order and the risk class of each order are input in LSTM network, and training obtains the risk analysis mould
Type.
Fig. 4 shows the schematic block diagram of the monitoring device 400 of operating system provided by the embodiments of the present application.The device
400 can use hardware structure as shown in Figure 4 for device 400 described in Fig. 4, the device 400.The device 400 can
To include processor 410, communication interface 420 and memory 430, the processor 410, communication interface 420 and memory 430 pass through
Internal connecting path communicates with each other.The correlation function that determination unit 320 in Fig. 3 is realized can realize by processor 410,
The correlation function that acquiring unit 310 in Fig. 3 is realized can control communication interface 420 by processor 410 to realize.
The processor 410 may include be one or more processors, for example including one or more central processing unit
(central processing unit, CPU), in the case where processor is a CPU, which can be monokaryon CPU,
It can be multi-core CPU.
The communication interface 420 is for inputting and/or outputting data.The communication interface may include that transmission interface and reception connect
Mouthful, transmission interface is used for output data, and receiving interface is used for input data.
The memory 430 include but is not limited to be random access memory (random access memory, RAM), only
Read memory (read-only memory, ROM), erasable and programable memory (erasable programmable read
Only memory, EPROM), CD-ROM (compact disc read-only memory, CD-ROM), the memory 430
For storing dependent instruction and data.
Memory 430 is used to store the program code and data of the device, for individual device or can be integrated in processing
In device 410.
Specifically, the processor 410 is used to control communication interface 420 and calls the code command stored in memory 430
And execute the code command.For details, reference can be made to the descriptions in embodiment of the method, and details are not described herein.
It is designed it is understood that Fig. 4 illustrate only simplifying for device.In practical applications, which can be with
Necessary other elements are separately included, including but not limited to any number of communication interface, processor, controller, memory etc.,
And all devices that the application may be implemented are all within the scope of protection of this application.
In a kind of possible design, which may alternatively be chip apparatus, such as can be that can be used for the dress
Chip in setting, for realizing the correlation function of processor 410 in the device.The chip apparatus can be realization correlation function
Field programmable gate array, special integrated chip, System on Chip/SoC, central processing unit, network processing unit, Digital Signal Processing electricity
Road, microcontroller can also use programmable controller or other integrated chips.It optionally may include one in the chip
Or multiple memories, for storing program code, when the code is performed, so that processor realizes corresponding function.
Those of ordinary skill in the art may be aware that list described in conjunction with the examples disclosed in the embodiments of the present disclosure
Member and algorithm steps can be realized with the combination of electronic hardware or computer software and electronic hardware.These functions are actually
It is implemented in hardware or software, the specific application and design constraint depending on technical solution.Professional technician
Each specific application can be used different methods to achieve the described function, but this realization is it is not considered that exceed
Scope of the present application.
It is apparent to those skilled in the art that for convenience and simplicity of description, the system of foregoing description,
The specific work process of device and unit, can refer to corresponding processes in the foregoing method embodiment, and details are not described herein.
In several embodiments provided herein, it should be understood that disclosed systems, devices and methods, it can be with
It realizes by another way.For example, the apparatus embodiments described above are merely exemplary, for example, the unit
It divides, only a kind of logical function partition, there may be another division manner in actual implementation, such as multiple units or components
It can be combined or can be integrated into another system, or some features can be ignored or not executed.Another point, it is shown or
The mutual coupling, direct-coupling or communication connection discussed can be through some interfaces, the indirect coupling of device or unit
It closes or communicates to connect, can be electrical property, mechanical or other forms.
The unit as illustrated by the separation member may or may not be physically separated, aobvious as unit
The component shown may or may not be physical unit, it can and it is in one place, or may be distributed over multiple
In network unit.It can select some or all of unit therein according to the actual needs to realize the mesh of this embodiment scheme
's.
It, can also be in addition, each functional unit in each embodiment of the application can integrate in one processing unit
It is that each unit physically exists alone, can also be integrated in one unit with two or more units.
It, can be with if the function is realized in the form of SFU software functional unit and when sold or used as an independent product
It is stored in a computer readable storage medium.Based on this understanding, the technical solution of the application is substantially in other words
The part of the part that contributes to existing technology or the technical solution can be embodied in the form of software products, the meter
Calculation machine software product is stored in a storage medium, including some instructions are used so that a computer equipment (can be a
People's computer, server or network equipment etc.) execute each embodiment the method for the application all or part of the steps.
And storage medium above-mentioned includes: that USB flash disk, mobile hard disk, ROM, RAM, magnetic or disk etc. are various can store program code
Medium.
The above, the only specific embodiment of the application, but the protection scope of the application is not limited thereto, it is any
Those familiar with the art within the technical scope of the present application, can easily think of the change or the replacement, and should all contain
Lid is within the scope of protection of this application.Therefore, the protection scope of the application should be based on the protection scope of the described claims.
Claims (10)
1. a kind of monitoring method of operating system characterized by comprising
The monitoring data of user is obtained, the monitoring data includes the command object that the user executes in the operating system
With the parameter of the command object;
According to the monitoring data, determine that the command vector of the command object, the command vector include order instruction information
Indicate that information, the order instruction information are used to indicate the command object with parameter, the parameter instruction information is used to indicate
The parameter type of the parameter;
According to the command vector and risk analysis model, the risk class of the command object, the risk analysis mould are determined
Type is used to indicate mapping relations between the command vector and the risk class, the risk class include risky operation or
Not dangerous operation.
2. the method according to claim 1, wherein determining command vector according to the monitoring data, comprising:
According to the total degree that the parameter occurs in the monitoring data, the parameter type of the parameter, the parameter are determined
Type includes high-frequency parameter or low-frequency parameter;
According to the parameter type, the parameter instruction information is determined.
3. according to the method described in claim 2, it is characterized in that, being occurred in the monitoring data according to the parameter total
Number determines the parameter type of the parameter, comprising:
When the number that the parameter occurs in the monitoring data is greater than or equal to preset times, determine the parameter for height
Frequency parameter;Or
When the number that the parameter occurs in the monitoring data is less than the preset times, determine that the parameter is low frequency
Parameter.
4. according to the method described in claim 3, it is characterized in that, determining the parameter instruction letter according to the parameter type
Breath, comprising:
When the parameter is high-frequency parameter, determine that the parameter instruction information is the mark of the parameter;Or
When the parameter is low-frequency parameter, determine that the parameter instruction information is first identifier, the first identifier is for marking
Know all low-frequency parameters.
5. the method according to claim 1, wherein determining command vector according to the monitoring data, comprising:
According to the importance of the parameter, the parameter type of the parameter is determined, the parameter type includes key parameter or non-
Key parameter;
According to the parameter type, the parameter instruction information is determined.
6. according to the method described in claim 5, it is characterized in that, determining the parameter according to the importance of the parameter
Parameter type, comprising:
When the severity level of the parameter is greater than or equal to pre-set level, determine that the parameter is key parameter;Or
When the severity level of the parameter is less than the pre-set level, determine that the parameter is non-key parameter.
7. method according to any one of claim 1 to 6, which is characterized in that according to the command vector and risk
Analysis model, before the risk class for determining the command object, the method also includes:
Obtain the command vector of each order and each order in multiple orders that user executes in the operating system
Risk class;
The risk class of the command vector of each order and each order is input in LSTM network, training obtains
The risk analysis model.
8. a kind of monitoring device of operating system characterized by comprising
Acquiring unit, for obtaining the monitoring data of user, the monitoring data includes the user in the operating system
The parameter of the command object of execution and the command object;
Determination unit, for determining that the command vector of the command object, the command vector include according to the monitoring data
Order instruction information and parameter indicate that information, the order instruction information are used to indicate the command object, the parameter instruction
Information is used to indicate the parameter type of the parameter;According to the command vector and risk analysis model, the target life is determined
The risk class of order, the risk analysis model are used to indicate that the mapping between the command vector and the risk class to be closed
System, the risk class includes risky operation or not dangerous operation.
9. a kind of computer equipment, including memory, processor, communication interface and it is stored on the memory and can be in institute
State the computer program run on processor, wherein pass through between the memory, the processor and the communication interface
Internal connecting path communicates with each other, which is characterized in that realizes that aforesaid right is wanted when the processor executes the computer program
The step of method described in asking any one of 1 to 7.
10. a kind of computer readable storage medium, for storing computer program, which is characterized in that the computer program quilt
The step of method described in any one of the claims 1 to 7 is realized when processor executes.
Priority Applications (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201910301822.6A CN110175083A (en) | 2019-04-16 | 2019-04-16 | The monitoring method and device of operating system |
| PCT/CN2019/103404 WO2020211251A1 (en) | 2019-04-16 | 2019-08-29 | Monitoring method and apparatus for operating system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201910301822.6A CN110175083A (en) | 2019-04-16 | 2019-04-16 | The monitoring method and device of operating system |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN110175083A true CN110175083A (en) | 2019-08-27 |
Family
ID=67689451
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201910301822.6A Pending CN110175083A (en) | 2019-04-16 | 2019-04-16 | The monitoring method and device of operating system |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN110175083A (en) |
| WO (1) | WO2020211251A1 (en) |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2020211251A1 (en) * | 2019-04-16 | 2020-10-22 | 平安科技(深圳)有限公司 | Monitoring method and apparatus for operating system |
| CN111897709A (en) * | 2020-07-31 | 2020-11-06 | 上海连尚网络科技有限公司 | Method, device, electronic equipment and medium for monitoring user |
Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20160232353A1 (en) * | 2015-02-09 | 2016-08-11 | Qualcomm Incorporated | Determining Model Protection Level On-Device based on Malware Detection in Similar Devices |
| CN106992994A (en) * | 2017-05-24 | 2017-07-28 | 腾讯科技(深圳)有限公司 | A kind of automatically-monitored method and system of cloud service |
| CN108304308A (en) * | 2018-02-07 | 2018-07-20 | 平安普惠企业管理有限公司 | User behavior monitoring method, device, computer equipment and storage medium |
| CN109033813A (en) * | 2018-07-09 | 2018-12-18 | 携程旅游信息技术(上海)有限公司 | The auditing system and method for Linux operation log |
| CN109344615A (en) * | 2018-07-27 | 2019-02-15 | 北京奇虎科技有限公司 | A kind of method and device detecting malicious commands |
| CN109492945A (en) * | 2018-12-14 | 2019-03-19 | 深圳壹账通智能科技有限公司 | Business risk identifies monitoring method, device, equipment and storage medium |
Family Cites Families (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20090038010A1 (en) * | 2007-07-31 | 2009-02-05 | Microsoft Corporation | Monitoring and controlling an automation process |
| CN103516563A (en) * | 2013-10-18 | 2014-01-15 | 北京奇虎科技有限公司 | Equipment and method for monitoring abnormal or normal command |
| CN109495479B (en) * | 2018-11-20 | 2021-12-24 | 华青融天(北京)软件股份有限公司 | User abnormal behavior identification method and device |
| CN110175083A (en) * | 2019-04-16 | 2019-08-27 | 平安科技(深圳)有限公司 | The monitoring method and device of operating system |
-
2019
- 2019-04-16 CN CN201910301822.6A patent/CN110175083A/en active Pending
- 2019-08-29 WO PCT/CN2019/103404 patent/WO2020211251A1/en active Application Filing
Patent Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20160232353A1 (en) * | 2015-02-09 | 2016-08-11 | Qualcomm Incorporated | Determining Model Protection Level On-Device based on Malware Detection in Similar Devices |
| CN106992994A (en) * | 2017-05-24 | 2017-07-28 | 腾讯科技(深圳)有限公司 | A kind of automatically-monitored method and system of cloud service |
| CN108304308A (en) * | 2018-02-07 | 2018-07-20 | 平安普惠企业管理有限公司 | User behavior monitoring method, device, computer equipment and storage medium |
| CN109033813A (en) * | 2018-07-09 | 2018-12-18 | 携程旅游信息技术(上海)有限公司 | The auditing system and method for Linux operation log |
| CN109344615A (en) * | 2018-07-27 | 2019-02-15 | 北京奇虎科技有限公司 | A kind of method and device detecting malicious commands |
| CN109492945A (en) * | 2018-12-14 | 2019-03-19 | 深圳壹账通智能科技有限公司 | Business risk identifies monitoring method, device, equipment and storage medium |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2020211251A1 (en) * | 2019-04-16 | 2020-10-22 | 平安科技(深圳)有限公司 | Monitoring method and apparatus for operating system |
| CN111897709A (en) * | 2020-07-31 | 2020-11-06 | 上海连尚网络科技有限公司 | Method, device, electronic equipment and medium for monitoring user |
Also Published As
| Publication number | Publication date |
|---|---|
| WO2020211251A1 (en) | 2020-10-22 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN108052528B (en) | A kind of storage equipment timing classification method for early warning | |
| CN109586952B (en) | Server capacity expansion method and device | |
| CN109491850A (en) | A kind of disk failure prediction technique and device | |
| CN111353911A (en) | Power equipment operation and maintenance method, system, equipment and storage medium | |
| CN109597398A (en) | Failure automatic processing method, device, equipment and the storage medium of household electrical appliance | |
| CN110826071A (en) | Software vulnerability risk prediction method, device, equipment and storage medium | |
| CN110262939A (en) | Algorithm model operation and monitoring method, device, computer equipment and storage medium | |
| CN107426022A (en) | Security incident monitoring method and device, electronic equipment, storage medium | |
| CN109446017A (en) | A kind of alarm algorithm generation method, monitoring system and terminal device | |
| CN111143167B (en) | Alarm merging method, device, equipment and storage medium for multiple platforms | |
| CN103746829A (en) | Cluster-based fault perception system and method thereof | |
| CN113286315B (en) | Load balance judging method, device, equipment and storage medium | |
| CN113949652B (en) | User abnormal behavior detection method and device based on artificial intelligence and related equipment | |
| CN107579861A (en) | Website Usability alarm method, device and electronic equipment based on multi-line monitoring | |
| CN111123223A (en) | General development platform, management system and method for radar health management | |
| CN110175083A (en) | The monitoring method and device of operating system | |
| CN110288146A (en) | A kind of energy resources information collecting method, device and readable storage medium storing program for executing | |
| CN113037589A (en) | Pressure testing method and device of gateway equipment, testing platform and storage medium | |
| CN115145788A (en) | Detection data generation method and device for intelligent operation and maintenance system | |
| CN113505044A (en) | Database warning method, device, equipment and storage medium | |
| CN117093465B (en) | Server log collection method, device, communication equipment and storage medium | |
| CN113657536A (en) | Object classification method and device based on artificial intelligence | |
| CN110851316B (en) | Abnormality early warning method, abnormality early warning device, abnormality early warning system, electronic equipment and storage medium | |
| JP2020035297A (en) | Apparatus state monitor and program | |
| CN112307271A (en) | Safety monitoring method and device for remote control service of power distribution automation system |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| RJ01 | Rejection of invention patent application after publication | ||
| RJ01 | Rejection of invention patent application after publication |
Application publication date: 20190827 |