CN110175083A - The monitoring method and device of operating system - Google Patents

The monitoring method and device of operating system Download PDF

Info

Publication number
CN110175083A
CN110175083A CN201910301822.6A CN201910301822A CN110175083A CN 110175083 A CN110175083 A CN 110175083A CN 201910301822 A CN201910301822 A CN 201910301822A CN 110175083 A CN110175083 A CN 110175083A
Authority
CN
China
Prior art keywords
parameter
command
instruction information
monitoring data
order
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201910301822.6A
Other languages
Chinese (zh)
Inventor
秦天欢
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Ping An Technology Shenzhen Co Ltd
Original Assignee
Ping An Technology Shenzhen Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Ping An Technology Shenzhen Co Ltd filed Critical Ping An Technology Shenzhen Co Ltd
Priority to CN201910301822.6A priority Critical patent/CN110175083A/en
Publication of CN110175083A publication Critical patent/CN110175083A/en
Priority to PCT/CN2019/103404 priority patent/WO2020211251A1/en
Pending legal-status Critical Current

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/004Error avoidance
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/008Reliability or availability analysis
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/30Monitoring
    • G06F11/3003Monitoring arrangements specially adapted to the computing system or computing system component being monitored
    • G06F11/302Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system component is a software system

Abstract

This application provides a kind of monitoring method of operating system and devices, this method comprises: obtaining the monitoring data of user, which includes the command object that the user executes in the operating system and the parameter of the command object;According to the monitoring data, the command vector of the command object is determined, which includes order instruction information and parameter indicates that information, order instruction information are used to indicate the command object, and parameter instruction information is used to indicate the parameter type of the parameter;According to the command vector and risk analysis model, the risk class of the command object is determined, which is used to indicate the mapping relations between the command vector and the risk class, which includes risky operation or not dangerous operation.Using the monitoring method and device of operating system provided by the present application, the risk class for the order that user executes on an operating system can recognize that, be conducive to the safety for improving operating system.

Description

The monitoring method and device of operating system
Technical field
This application involves intelligent decision fields, and more particularly, to the monitoring of operating system in intelligent decision field Method and apparatus.
Background technique
With the continuous development of information technology, the more tired challenge brought by the system safety of operating system the severeer.In time It notes abnormalities and logs in the risky operation of execution, it is impaired safely to can be avoided system.
The login log of user on an operating system is usually recorded by way of fort machine in the industry, but can not be mentioned For the analysis based on this part of log.That is, existing method can not analyze which operation can generate safely prestige to system The side of body, and safeguard measure is taken to operating system in time.
Therefore, lack effective monitoring currently for the sensitive instructions that user executes on an operating system.
Summary of the invention
The application provides the monitoring method and device of a kind of operating system, can recognize that user executes on an operating system Order risk class, be conducive to improve operating system safety.
To achieve the above object, the application provides a kind of monitoring method of operating system, including the following contents:
The monitoring data of user is obtained, the monitoring data includes the target that the user executes in the operating system The parameter of order and the command object;
According to the monitoring data, determine that the command vector of the command object, the command vector include order instruction Information and parameter indicate that information, the order instruction information are used to indicate the command object, and the parameter instruction information is used for Indicate the parameter type of the parameter;
According to the command vector and risk analysis model, the risk class of the command object, the risk point are determined Analysis model is used to indicate the mapping relations between the command vector and the risk class, and the risk class includes dangerous behaviour Work or not dangerous operation.
In one possible implementation, according to the monitoring data, command vector is determined, comprising: according to the ginseng The total degree that number occurs in the monitoring data determines that the parameter type of the parameter, the parameter type include high frequency ginseng Several or low-frequency parameter;According to the parameter type, the parameter instruction information is determined.
In one possible implementation, the total degree occurred in the monitoring data according to the parameter determines The parameter type of the parameter, comprising: when the number that the parameter occurs in the monitoring data is greater than or equal to default time When number, determine that the parameter is high-frequency parameter;Or the number occurred in the monitoring data when the parameter be less than it is described pre- If when number, determining that the parameter is low-frequency parameter.
In one possible implementation, according to the parameter type, the parameter instruction information is determined, comprising: when When the parameter is high-frequency parameter, determine that the parameter instruction information is the mark of the parameter;Or when the parameter is low frequency When parameter, determine that the parameter instruction information is first identifier, the first identifier is for identifying all low-frequency parameters.
In one possible implementation, according to the monitoring data, command vector is determined, comprising: according to the ginseng Several importance determines that the parameter type of the parameter, the parameter type include key parameter or non-key parameter;According to institute Parameter type is stated, determines the parameter instruction information.
In one possible implementation, it according to the importance of the parameter, determines the parameter type of the parameter, wraps It includes: when the severity level of the parameter is greater than or equal to pre-set level, determining that the parameter is key parameter;Or work as the ginseng When several severity levels is less than the pre-set level, determine that the parameter is non-key parameter.
In one possible implementation, according to the parameter type, the parameter instruction information is determined, comprising: when When the parameter is key parameter, determine that the parameter instruction information is the mark of the parameter;Or when the parameter is non-pass When bond parameter, determine that the parameter instruction information is first identifier, the first identifier is for identifying all non-key parameters.
In one possible implementation, according to the command vector and risk analysis model, the target is determined Before the risk class of order, the method also includes: it obtains every in multiple orders that user executes in the operating system The risk class of the command vector of a order and each order;By the command vector of each order and each life The risk class of order is input in LSTM network, and training obtains the risk analysis model.
To achieve the above object, the application also provides a kind of monitoring device of operating system, which specifically includes:
Acquiring unit, for obtaining the monitoring data of user, the monitoring data includes that the user is in the operation The parameter of the command object and the command object that are executed on system;
Determination unit, for determining the command vector of the command object, the command vector according to the monitoring data Indicate that information, the order instruction information are used to indicate the command object, the parameter including order instruction information and parameter Indicate that information is used to indicate the parameter type of the parameter;According to the command vector and risk analysis model, the mesh is determined The risk class of order is marked, the risk analysis model is used to indicate the mapping between the command vector and the risk class Relationship, the risk class include risky operation or not dangerous operation.
In one possible implementation, the determination unit is specifically used for according to the parameter in the monitoring data The total degree of middle appearance determines that the parameter type of the parameter, the parameter type include high-frequency parameter or low-frequency parameter;According to The parameter type determines the parameter instruction information.
In one possible implementation, the determination unit is specifically used for when the parameter is in the monitoring data When the number of appearance is greater than or equal to preset times, determine that the parameter is high-frequency parameter;Or when the parameter is in the monitoring When the number occurred in data is less than the preset times, determine that the parameter is low-frequency parameter.
In one possible implementation, the determination unit is specifically used for when the parameter is high-frequency parameter, really The fixed parameter instruction information is the mark of the parameter;Or when the parameter is low-frequency parameter, the parameter instruction is determined Information is first identifier, and the first identifier is for identifying all low-frequency parameters.
In one possible implementation, the determination unit is specifically used for the importance according to the parameter, determines The parameter type of the parameter, the parameter type include key parameter or non-key parameter;According to the parameter type, determine The parameter indicates information.
In one possible implementation, the determination unit be specifically used for when the parameter severity level be greater than or When equal to pre-set level, determine that the parameter is key parameter;Or when the severity level of the parameter is less than the pre-set level When, determine that the parameter is non-key parameter.
In one possible implementation, the determination unit is specifically used for when the parameter is key parameter, really The fixed parameter instruction information is the mark of the parameter;Or when the parameter is non-key parameter, determine that the parameter refers to Show that information is first identifier, the first identifier is for identifying all non-key parameters.
In one possible implementation, described device further includes training unit, and the acquiring unit is also used in root According to the command vector and risk analysis model, before the risk class for determining the command object, user is obtained in the behaviour Make the risk class of the command vector of each order and each order in the multiple orders executed in system;The training is single Member is used to for the risk class of the command vector of each order and each order being input in LSTM network, trained To the risk analysis model.
To achieve the above object, the application also provides a kind of computer equipment, including memory, processor, communication interface And it is stored in the computer program that can be run on the memory and on the processor, wherein the memory, described It is communicated with each other between processor and the communication interface by internal connecting path, the processor executes the computer journey The following steps of the above method are realized when sequence:
The monitoring data of user is obtained, the monitoring data includes the target that the user executes in the operating system The parameter of order and the command object;
According to the monitoring data, determine that the command vector of the command object, the command vector include order instruction Information and parameter indicate that information, the order instruction information are used to indicate the command object, and the parameter instruction information is used for Indicate the parameter type of the parameter;
According to the command vector and risk analysis model, the risk class of the command object, the risk point are determined Analysis model is used to indicate the mapping relations between the command vector and the risk class, and the risk class includes dangerous behaviour Work or not dangerous operation.
To achieve the above object, the application also provides computer readable storage medium, is stored thereon with computer program, institute State the following steps that the above method is realized when computer program is executed by processor:
The monitoring data of user is obtained, the monitoring data includes the target that the user executes in the operating system The parameter of order and the command object;
According to the monitoring data, determine that the command vector of the command object, the command vector include order instruction Information and parameter indicate that information, the order instruction information are used to indicate the command object, and the parameter instruction information is used for Indicate the parameter type of the parameter;
According to the command vector and risk analysis model, the risk class of the command object, the risk point are determined Analysis model is used to indicate the mapping relations between the command vector and the risk class, and the risk class includes dangerous behaviour Work or not dangerous operation.
Using the monitoring method of operating system provided by the present application, device, computer equipment and computer-readable storage medium Matter, can recognize that the risk class for the order that user executes on an operating system, to improve the safety of operating system.
Detailed description of the invention
Fig. 1 is the schematic flow chart of the monitoring method of operating system provided by the embodiments of the present application;
Fig. 2 is the schematic flow chart of the monitoring method of another operating system provided by the embodiments of the present application;
Fig. 3 is the schematic block diagram of the monitoring device of operating system provided by the embodiments of the present application;
Fig. 4 is the monitoring device schematic block diagram of another operating system provided by the embodiments of the present application.
Specific embodiment
It is with reference to the accompanying drawings and embodiments, right in order to which the objects, technical solutions and advantages of the application are more clearly understood The application is further elaborated.It should be appreciated that specific embodiment described herein is only to explain the application, not For limiting the application.Based on the embodiment in the application, those of ordinary skill in the art are not before making creative work Every other embodiment obtained is put, shall fall in the protection scope of this application.
Fig. 1 shows the schematic flow chart of the monitoring method 100 of operating system provided by the embodiments of the present application.Ying Li Solution, this method 100 can be executed by the monitoring device of operating system.
Optionally, which can be computer, or can be the functional module in computer, and the application is implemented Example is not construed as limiting this.
S110, obtains the monitoring data of user, and the monitoring data includes that the user executes in the operating system Command object and the command object parameter.
Specifically, the user executes in the operating system in the monitoring device available preset period The parameter of each order, at least one described order include that the target is ordered at least one order and at least one described order It enables;The parameter of the command object and the command object is obtained from the monitoring data.
Optionally, which can any order in this at least one order.
Such as: within the preset period, which obtains the command list (CLIST) that user executes, as shown in Table 1, The command list (CLIST) includes the parameter of all orders that user executes and each order.The monitoring device can be successively by the order Each of list order is used as command object.
Command parameter
cd/home/wls81
ls/home/wls81
ls-trlah
vimy.cnf
service mysqld restart
…………
Table one
S120 determines that the command vector of the command object, the command vector include order according to the monitoring data Indicate that information and parameter indicate that information, the order instruction information are used to indicate the command object, the parameter indicates information It is used to indicate the parameter type of the parameter.
In one possible implementation, which can occur in the monitoring data according to the parameter Total degree, determine that the parameter type of the parameter, the parameter type include high-frequency parameter or low-frequency parameter;According to the ginseng Several classes of types determine the parameter instruction information.(including the case where at least one parameter in monitoring data)
Such as :/home/wls81 occurs 1100 times, and mysql.cnf occurs 1200 times, and mysqld restart occurs 1233 Secondary ,-trlah occurs 82 times.
It follows that frequency of occurrence arrange the first two be followed successively by mysqld restart and mysql.cnf, as high frequency is joined Number;Frequency of occurrence is after the first two/home/wls81 and-trlah, as low-frequency parameter.
Optionally, when the number that the parameter occurs in the monitoring data is greater than or equal to preset times, the prison Control device determines that the parameter is high-frequency parameter;Or the number occurred in the monitoring data when the parameter be less than it is described pre- If when number, which determines that the parameter is low-frequency parameter.
Such as: mysqld restart occurs 1233 times, and mysql.cnf occurs 1200 times, and/home/wls81 occurs 1100 Secondary ,-trlah occurs 82 times, and preset times are 1200 times.
It follows that the number that mysqld restart and mysql.cnf occur is all larger than or is equal to preset times 1200 It is secondary, as high-frequency parameter;The number that/home/wls81 and-trlah occurs is respectively less than preset times 1200 times, and as low frequency is joined Number.
In alternatively possible implementation, which can be according to the importance of the parameter, described in determination The parameter type of parameter, the parameter type include key parameter or non-key parameter;According to the parameter type, determine described in Parameter indicates information.
Such as: the severity level of mysql.cnf and mysqld restart is important ,/home/wls81 and-trlah Severity level be it is inessential.
It follows that mysql.cnf and mysqld restart is key parameter ,/home/wls81 and-trlah are non- Key parameter.
Optionally, when the severity level of the parameter is greater than or equal to pre-set level, which determines the ginseng Number is key parameter;Or when the severity level of the parameter is less than the pre-set level, which determines the parameter For non-key parameter.
Such as: the severity level that the severity level of mysqld restart is 4, mysql.cnf is 3 ,/home/wls81's Severity level is 1, and the severity level of-trlah is 0, pre-set level 2.
It follows that the severity level of mysqld restart and mysql.cnf are all larger than or are equal to pre-set level 2, i.e., For key parameter;The severity level of/home/wls81 and-trlah is respectively less than pre-set level 2, as non-key parameter.
Optionally, according to the parameter type, the parameter instruction information is determined, it can be with are as follows: when the parameter is high frequency When parameter or key parameter, which determines that the parameter instruction information is the mark of the parameter;Or work as the parameter When for low-frequency parameter or non-key parameter, which determines that the parameter instruction information is first identifier, first mark Know for identifying all low-frequency parameters or non-key parameter.
For example, mysql.cnf and mysqld restart is high-frequency parameter/key parameter ,/home/wls81 and-trlah For low-frequency parameter/non-key parameter, wherein mysqld restart be identified as 1, mysql.cnf be identified as 2, the first mark Knowing is 0, and first identifier is for identifying low-frequency parameter/non-key parameter.
It follows that the parameter instruction information that the parameter instruction information of mysqld restart is 1, mysql.cnf is 2, The parameter instruction information of home/wls81 and-trlah is 0.
Optionally, the order instruction information in command vector is the mark of the command object.
Such as: the mark 1 of cd, ls be identified as 2, vi be identified as 3, service be identified as 4.
It follows that the order instruction information that the order instruction information that the order instruction information of cd is 1, ls is 2, vi is 3, The order instruction information of service is 4.
In conclusion the available corresponding vector of every a line in mentioned order list, as shown in Table 2.
Command parameter vector
cd/home/wls81<1,0>
ls/home/wls81<2,0>
ls-trlah<2,0>
vimy.cnf<3,2>
service mysqld restart<4,1>
………………
Table two
S130 determines the risk class of the command object, the wind according to the command vector and risk analysis model Dangerous analysis model is used to indicate the mapping relations between the command vector and the risk class, and the risk class includes danger Danger operation or not dangerous operation.
Optionally, the method also includes: output risk class indicates information, and risk class instruction information is for referring to Show the risk class of the command object.
For example, risky operation output 1, not dangerous operation output 0.
Optionally, risky operation may include quiescing or high-risk operation, and not dangerous operation may include normal operations It is operated with low danger.
For example, normal operations: reading file;Low danger operation: written document;High-risk operation: shutdown;Quiescing: service is deleted Operating system file on device.
In another example normal operations output 0, low danger operation output 1, high-risk operation output 2, quiescing output 3.
Optionally, the method also includes: when the command object is risky operation, it is logical to send alarm to staff Know.
For example, being sent and being accused to staff by way of mail or short message when the command object is high-risk operation Alert notice;When the command object is quiescing, alarm notification is sent to staff by phone or forbids executing institute State command object.
Using the monitoring method of operating system provided by the present application, staff is notified in time, can effectively avoid system Safety is on the hazard.
Optionally, before S130, the method also includes the training risk analysis models.
Specifically, the command vector of each order and institute in multiple orders that user executes in the operating system are obtained State the risk class of each order;The risk class of the command vector of each order and each order is input to In LSTM network, training obtains the risk analysis model.
It should be noted that the risk analysis model is for the command vector of each order in multiple orders and described every The risk class of a order, by LSTM model algorithm one optimal models of training, this model belongs to the set of some function, The output closest to actual result can be obtained according to input by being optimally represented under the criterion of some evaluation, be allowed to through this The risk class for the order that the command vector of the order of input is mapped as accordingly exporting by risk analysis model.
Optionally, which can be based on a kind of or coding-decoded model frame, such as can be based on LSTM model or can based on convolutional neural networks (convolutional neural networks, CNN), circulation nerve Network (recurrent neural networks, RNN), bidirectional circulating neural network (Bidirectional recurrent Neural networks, BiRNN), gating cycle neuron (gatedrecurrent units, GRU) model etc., the present invention Embodiment is without being limited thereto.
It should be understood that LSTM (Long Short-Term Memory) is shot and long term memory network, it is a kind of time recurrence mind Through network, it is suitable for being spaced and postpone relatively long critical event in processing and predicted time sequence.LSTM adds in the algorithm " processor " judged whether information is useful is entered, the structure of this processor effect is referred to as cell.One cell works as In be placed three fan doors, be called input gate respectively, forget door and out gate.One information enters in the network of LSTM, can With according to rule to determine whether useful.The information for only meeting algorithm certification can just leave, and the information not being inconsistent then passes through forgetting Door passes into silence.LSTM model uses the working principle of one-in-and-two-out, can solve to deposit for a long time in neural network under operation repeatedly Big problem.
Fig. 2 shows the schematic flow charts of the monitoring method 200 of operating system provided by the embodiments of the present application.Ying Li Solution, this method 200 can be executed by the monitoring device of operating system.
S210 obtains in multiple orders for executing on an operating system of user the command vector of each order and described each The risk class of order, the command vector of each order include that the first order instruction information and the first parameter indicate information, The first order instruction information is used to indicate each order, and the first parameter instruction information is used to indicate described each The parameter type of the parameter of order, the risk class include risky operation or not dangerous operation.
The risk class of the command vector of each order and each order is input to LSTM network by S220 In, training obtains risk analysis model.
It should be noted that the risk analysis model is for the command vector of each order in multiple orders and described every The risk class of a order, by LSTM model algorithm one optimal models of training, this model belongs to the set of some function, The output closest to actual result can be obtained according to input by being optimally represented under the criterion of some evaluation, be allowed to through this The risk class for the order that the command vector of the order of input is mapped as accordingly exporting by risk analysis model.
S230, obtains the monitoring data of user, and the monitoring data includes that the user executes in the operating system Command object and the command object parameter.
S240 determines the command vector of the command object according to the monitoring data, the order of the command object to Amount includes the second order instruction information and the second parameter indicates that information, the second order instruction information are used to indicate the target Order, the second parameter instruction information are used to indicate the parameter type of the parameter.
S250 determines the command object according to the command vector of the command object and the risk analysis model Risk class, the risk analysis model are used to indicate the mapping relations between the command vector and the risk class.
Optionally, the method also includes: output risk class indicates information, and risk class instruction information is for referring to Show the risk class of the command object.
Optionally, the method also includes: when the command object is risky operation, it is logical to send alarm to staff Know.
The monitoring method that operating system provided by the embodiments of the present application is described above in conjunction with Fig. 1 and Fig. 2, below in conjunction with Fig. 3 and Fig. 4 introduces the monitoring device of operating system provided by the embodiments of the present application.
Fig. 3 shows the schematic block diagram of the monitoring device 300 of operating system provided by the embodiments of the present application.The device 300 include:
Acquiring unit 310, for obtaining the monitoring data of user, the monitoring data includes the user in the operation The parameter of the command object and the command object that are executed in system;
Determination unit 320, for determining the command vector of the command object, the order according to the monitoring data Vector includes order instruction information and parameter indicates information, and the order instruction information is used to indicate the command object, described Parameter instruction information is used to indicate the parameter type of the parameter;According to the command vector and risk analysis model, institute is determined The risk class of command object is stated, the risk analysis model is for indicating between the command vector and the risk class Mapping relations, the risk class include risky operation or not dangerous operation.
Optionally, the determination unit is specifically used for the total degree occurred in the monitoring data according to the parameter, Determine that the parameter type of the parameter, the parameter type include high-frequency parameter or low-frequency parameter;According to the parameter type, really The fixed parameter indicates information.
Optionally, the number that the determination unit is specifically used for occurring in the monitoring data when the parameter be greater than or When equal to preset times, determine that the parameter is high-frequency parameter;Or the number occurred in the monitoring data when the parameter When less than the preset times, determine that the parameter is low-frequency parameter.
Optionally, the determination unit is specifically used for when the parameter is high-frequency parameter, determines the parameter instruction letter Breath is the mark of the parameter;Or when the parameter is low-frequency parameter, determine that the parameter instruction information is first identifier, institute First identifier is stated for identifying all low-frequency parameters.
Optionally, the determination unit is specifically used for the importance according to the parameter, determines the parameter class of the parameter Type, the parameter type include key parameter or non-key parameter;According to the parameter type, the parameter instruction letter is determined Breath.
Optionally, the determination unit is specifically used for when the severity level of the parameter is greater than or equal to pre-set level, Determine that the parameter is key parameter;Or when the severity level of the parameter is less than the pre-set level, determine the parameter For non-key parameter.
Optionally, the determination unit is specifically used for when the parameter is key parameter, determines the parameter instruction letter Breath is the mark of the parameter;Or when the parameter is non-key parameter, determine that the parameter instruction information is first identifier, The first identifier is for identifying all non-key parameters.
Optionally, described device further includes training unit, the acquiring unit be also used to according to the command vector and Risk analysis model, before the risk class for determining the command object, obtain user executed in the operating system it is more The risk class of the command vector of each order and each order in a order;The training unit is used for will be described each The command vector of order and the risk class of each order are input in LSTM network, and training obtains the risk analysis mould Type.
Fig. 4 shows the schematic block diagram of the monitoring device 400 of operating system provided by the embodiments of the present application.The device 400 can use hardware structure as shown in Figure 4 for device 400 described in Fig. 4, the device 400.The device 400 can To include processor 410, communication interface 420 and memory 430, the processor 410, communication interface 420 and memory 430 pass through Internal connecting path communicates with each other.The correlation function that determination unit 320 in Fig. 3 is realized can realize by processor 410, The correlation function that acquiring unit 310 in Fig. 3 is realized can control communication interface 420 by processor 410 to realize.
The processor 410 may include be one or more processors, for example including one or more central processing unit (central processing unit, CPU), in the case where processor is a CPU, which can be monokaryon CPU, It can be multi-core CPU.
The communication interface 420 is for inputting and/or outputting data.The communication interface may include that transmission interface and reception connect Mouthful, transmission interface is used for output data, and receiving interface is used for input data.
The memory 430 include but is not limited to be random access memory (random access memory, RAM), only Read memory (read-only memory, ROM), erasable and programable memory (erasable programmable read Only memory, EPROM), CD-ROM (compact disc read-only memory, CD-ROM), the memory 430 For storing dependent instruction and data.
Memory 430 is used to store the program code and data of the device, for individual device or can be integrated in processing In device 410.
Specifically, the processor 410 is used to control communication interface 420 and calls the code command stored in memory 430 And execute the code command.For details, reference can be made to the descriptions in embodiment of the method, and details are not described herein.
It is designed it is understood that Fig. 4 illustrate only simplifying for device.In practical applications, which can be with Necessary other elements are separately included, including but not limited to any number of communication interface, processor, controller, memory etc., And all devices that the application may be implemented are all within the scope of protection of this application.
In a kind of possible design, which may alternatively be chip apparatus, such as can be that can be used for the dress Chip in setting, for realizing the correlation function of processor 410 in the device.The chip apparatus can be realization correlation function Field programmable gate array, special integrated chip, System on Chip/SoC, central processing unit, network processing unit, Digital Signal Processing electricity Road, microcontroller can also use programmable controller or other integrated chips.It optionally may include one in the chip Or multiple memories, for storing program code, when the code is performed, so that processor realizes corresponding function.
Those of ordinary skill in the art may be aware that list described in conjunction with the examples disclosed in the embodiments of the present disclosure Member and algorithm steps can be realized with the combination of electronic hardware or computer software and electronic hardware.These functions are actually It is implemented in hardware or software, the specific application and design constraint depending on technical solution.Professional technician Each specific application can be used different methods to achieve the described function, but this realization is it is not considered that exceed Scope of the present application.
It is apparent to those skilled in the art that for convenience and simplicity of description, the system of foregoing description, The specific work process of device and unit, can refer to corresponding processes in the foregoing method embodiment, and details are not described herein.
In several embodiments provided herein, it should be understood that disclosed systems, devices and methods, it can be with It realizes by another way.For example, the apparatus embodiments described above are merely exemplary, for example, the unit It divides, only a kind of logical function partition, there may be another division manner in actual implementation, such as multiple units or components It can be combined or can be integrated into another system, or some features can be ignored or not executed.Another point, it is shown or The mutual coupling, direct-coupling or communication connection discussed can be through some interfaces, the indirect coupling of device or unit It closes or communicates to connect, can be electrical property, mechanical or other forms.
The unit as illustrated by the separation member may or may not be physically separated, aobvious as unit The component shown may or may not be physical unit, it can and it is in one place, or may be distributed over multiple In network unit.It can select some or all of unit therein according to the actual needs to realize the mesh of this embodiment scheme 's.
It, can also be in addition, each functional unit in each embodiment of the application can integrate in one processing unit It is that each unit physically exists alone, can also be integrated in one unit with two or more units.
It, can be with if the function is realized in the form of SFU software functional unit and when sold or used as an independent product It is stored in a computer readable storage medium.Based on this understanding, the technical solution of the application is substantially in other words The part of the part that contributes to existing technology or the technical solution can be embodied in the form of software products, the meter Calculation machine software product is stored in a storage medium, including some instructions are used so that a computer equipment (can be a People's computer, server or network equipment etc.) execute each embodiment the method for the application all or part of the steps. And storage medium above-mentioned includes: that USB flash disk, mobile hard disk, ROM, RAM, magnetic or disk etc. are various can store program code Medium.
The above, the only specific embodiment of the application, but the protection scope of the application is not limited thereto, it is any Those familiar with the art within the technical scope of the present application, can easily think of the change or the replacement, and should all contain Lid is within the scope of protection of this application.Therefore, the protection scope of the application should be based on the protection scope of the described claims.

Claims (10)

1. a kind of monitoring method of operating system characterized by comprising
The monitoring data of user is obtained, the monitoring data includes the command object that the user executes in the operating system With the parameter of the command object;
According to the monitoring data, determine that the command vector of the command object, the command vector include order instruction information Indicate that information, the order instruction information are used to indicate the command object with parameter, the parameter instruction information is used to indicate The parameter type of the parameter;
According to the command vector and risk analysis model, the risk class of the command object, the risk analysis mould are determined Type is used to indicate mapping relations between the command vector and the risk class, the risk class include risky operation or Not dangerous operation.
2. the method according to claim 1, wherein determining command vector according to the monitoring data, comprising:
According to the total degree that the parameter occurs in the monitoring data, the parameter type of the parameter, the parameter are determined Type includes high-frequency parameter or low-frequency parameter;
According to the parameter type, the parameter instruction information is determined.
3. according to the method described in claim 2, it is characterized in that, being occurred in the monitoring data according to the parameter total Number determines the parameter type of the parameter, comprising:
When the number that the parameter occurs in the monitoring data is greater than or equal to preset times, determine the parameter for height Frequency parameter;Or
When the number that the parameter occurs in the monitoring data is less than the preset times, determine that the parameter is low frequency Parameter.
4. according to the method described in claim 3, it is characterized in that, determining the parameter instruction letter according to the parameter type Breath, comprising:
When the parameter is high-frequency parameter, determine that the parameter instruction information is the mark of the parameter;Or
When the parameter is low-frequency parameter, determine that the parameter instruction information is first identifier, the first identifier is for marking Know all low-frequency parameters.
5. the method according to claim 1, wherein determining command vector according to the monitoring data, comprising:
According to the importance of the parameter, the parameter type of the parameter is determined, the parameter type includes key parameter or non- Key parameter;
According to the parameter type, the parameter instruction information is determined.
6. according to the method described in claim 5, it is characterized in that, determining the parameter according to the importance of the parameter Parameter type, comprising:
When the severity level of the parameter is greater than or equal to pre-set level, determine that the parameter is key parameter;Or
When the severity level of the parameter is less than the pre-set level, determine that the parameter is non-key parameter.
7. method according to any one of claim 1 to 6, which is characterized in that according to the command vector and risk Analysis model, before the risk class for determining the command object, the method also includes:
Obtain the command vector of each order and each order in multiple orders that user executes in the operating system Risk class;
The risk class of the command vector of each order and each order is input in LSTM network, training obtains The risk analysis model.
8. a kind of monitoring device of operating system characterized by comprising
Acquiring unit, for obtaining the monitoring data of user, the monitoring data includes the user in the operating system The parameter of the command object of execution and the command object;
Determination unit, for determining that the command vector of the command object, the command vector include according to the monitoring data Order instruction information and parameter indicate that information, the order instruction information are used to indicate the command object, the parameter instruction Information is used to indicate the parameter type of the parameter;According to the command vector and risk analysis model, the target life is determined The risk class of order, the risk analysis model are used to indicate that the mapping between the command vector and the risk class to be closed System, the risk class includes risky operation or not dangerous operation.
9. a kind of computer equipment, including memory, processor, communication interface and it is stored on the memory and can be in institute State the computer program run on processor, wherein pass through between the memory, the processor and the communication interface Internal connecting path communicates with each other, which is characterized in that realizes that aforesaid right is wanted when the processor executes the computer program The step of method described in asking any one of 1 to 7.
10. a kind of computer readable storage medium, for storing computer program, which is characterized in that the computer program quilt The step of method described in any one of the claims 1 to 7 is realized when processor executes.
CN201910301822.6A 2019-04-16 2019-04-16 The monitoring method and device of operating system Pending CN110175083A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201910301822.6A CN110175083A (en) 2019-04-16 2019-04-16 The monitoring method and device of operating system
PCT/CN2019/103404 WO2020211251A1 (en) 2019-04-16 2019-08-29 Monitoring method and apparatus for operating system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910301822.6A CN110175083A (en) 2019-04-16 2019-04-16 The monitoring method and device of operating system

Publications (1)

Publication Number Publication Date
CN110175083A true CN110175083A (en) 2019-08-27

Family

ID=67689451

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910301822.6A Pending CN110175083A (en) 2019-04-16 2019-04-16 The monitoring method and device of operating system

Country Status (2)

Country Link
CN (1) CN110175083A (en)
WO (1) WO2020211251A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2020211251A1 (en) * 2019-04-16 2020-10-22 平安科技(深圳)有限公司 Monitoring method and apparatus for operating system

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160232353A1 (en) * 2015-02-09 2016-08-11 Qualcomm Incorporated Determining Model Protection Level On-Device based on Malware Detection in Similar Devices
CN106992994A (en) * 2017-05-24 2017-07-28 腾讯科技(深圳)有限公司 A kind of automatically-monitored method and system of cloud service
CN108304308A (en) * 2018-02-07 2018-07-20 平安普惠企业管理有限公司 User behavior monitoring method, device, computer equipment and storage medium
CN109033813A (en) * 2018-07-09 2018-12-18 携程旅游信息技术(上海)有限公司 The auditing system and method for Linux operation log
CN109344615A (en) * 2018-07-27 2019-02-15 北京奇虎科技有限公司 A kind of method and device detecting malicious commands
CN109492945A (en) * 2018-12-14 2019-03-19 深圳壹账通智能科技有限公司 Business risk identifies monitoring method, device, equipment and storage medium

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090038010A1 (en) * 2007-07-31 2009-02-05 Microsoft Corporation Monitoring and controlling an automation process
CN103516563A (en) * 2013-10-18 2014-01-15 北京奇虎科技有限公司 Equipment and method for monitoring abnormal or normal command
CN109495479B (en) * 2018-11-20 2021-12-24 华青融天(北京)软件股份有限公司 User abnormal behavior identification method and device
CN110175083A (en) * 2019-04-16 2019-08-27 平安科技(深圳)有限公司 The monitoring method and device of operating system

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160232353A1 (en) * 2015-02-09 2016-08-11 Qualcomm Incorporated Determining Model Protection Level On-Device based on Malware Detection in Similar Devices
CN106992994A (en) * 2017-05-24 2017-07-28 腾讯科技(深圳)有限公司 A kind of automatically-monitored method and system of cloud service
CN108304308A (en) * 2018-02-07 2018-07-20 平安普惠企业管理有限公司 User behavior monitoring method, device, computer equipment and storage medium
CN109033813A (en) * 2018-07-09 2018-12-18 携程旅游信息技术(上海)有限公司 The auditing system and method for Linux operation log
CN109344615A (en) * 2018-07-27 2019-02-15 北京奇虎科技有限公司 A kind of method and device detecting malicious commands
CN109492945A (en) * 2018-12-14 2019-03-19 深圳壹账通智能科技有限公司 Business risk identifies monitoring method, device, equipment and storage medium

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2020211251A1 (en) * 2019-04-16 2020-10-22 平安科技(深圳)有限公司 Monitoring method and apparatus for operating system

Also Published As

Publication number Publication date
WO2020211251A1 (en) 2020-10-22

Similar Documents

Publication Publication Date Title
CN108052528B (en) A kind of storage equipment timing classification method for early warning
CN110378487B (en) Method, device, equipment and medium for verifying model parameters in horizontal federal learning
CN109597398A (en) Failure automatic processing method, device, equipment and the storage medium of household electrical appliance
CN109491850A (en) A kind of disk failure prediction technique and device
CN107579861A (en) Website Usability alarm method, device and electronic equipment based on multi-line monitoring
CN111353911A (en) Power equipment operation and maintenance method, system, equipment and storage medium
CN110826071A (en) Software vulnerability risk prediction method, device, equipment and storage medium
CN109586952B (en) Server capacity expansion method and device
CN110262939A (en) Algorithm model operation and monitoring method, device, computer equipment and storage medium
CN110175083A (en) The monitoring method and device of operating system
CN114462897B (en) Comprehensive performance evaluation method and device for highway electromechanical system and storage medium
CN111241059A (en) Database optimization method and device based on database
CN110288146A (en) A kind of energy resources information collecting method, device and readable storage medium storing program for executing
CN109446017A (en) A kind of alarm algorithm generation method, monitoring system and terminal device
CN113286315B (en) Load balance judging method, device, equipment and storage medium
CN113037589B (en) Pressure testing method and device of gateway equipment, testing platform and storage medium
CN114635893A (en) Cylinder switching method and device, computer equipment and storage medium
CN113949652A (en) User abnormal behavior detection method and device based on artificial intelligence and related equipment
CN113657536A (en) Object classification method and device based on artificial intelligence
CN110401582B (en) Detection method and device for storage health distress of cloud computing system and storage medium
CN105897503A (en) Hadoop cluster bottleneck detection algorithm based on resource information gain
CN108255710B (en) Script abnormity detection method and terminal thereof
CN110275809A (en) A kind of data fluctuations recognition methods, device and storage medium
CN111563014A (en) Interface service performance test method, device, equipment and storage medium
CN111143167B (en) Alarm merging method, device, equipment and storage medium for multiple platforms

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination